
CounterACT Installation Guide Version 6.3.4.

Table of Contents

Preface
  About this Manual
  About the CounterACT Solution
  CounterACT Package Contents
Chapter 1: System Components and Requirements
  CounterACT Components
    CounterACT Appliance
    CounterACT Enterprise Manager
    Recovery Enterprise Manager
    CounterACT Console
  Secure, Encrypted Connections
  Remote Management Module 2 (RMM2) Integration (RILO)
  High Availability Tools
  Power Outage Handling
  System Requirements
    CounterACT Console Hardware Requirements
    Network Access Requirements
    Network Deployment Requirements
    Appliance Information Requirements
    Enterprise Manager Information Requirements
    Network Connection Requirements
Chapter 2: Hardware Setup
  About CounterACT Installation
    Related Documents
  Appliance Interface Connections
    Management Interface
    Monitor Interface
    Response Interface
  Setting Up Switch Connections
    Standard Installation: Separate Management, Monitor and Response Ports
    Combined Monitor and Response Port
    Combined Management and Response Port (Single VLAN Only)
    Combined Management, Response and Monitor Port (Single VLAN Only)
    Switch Setting Guidelines
  Creating an Out-of-Band IP Management Interface
Chapter 3: Appliance Setup, Configuration, Installation and Post-Installation
  Setting Up an Appliance
    Serial Port Setup
  Installing an Appliance
  Post-Installation Procedures
    Connect an Appliance to the Network
    Integrate the Appliance with Remote Management Module 2 (RMM2)
    Verify the Management Interface Connection
    Verify Switch/Appliance Connectivity
    Perform a Ping Test
    Generate a Configuration Summary for an Appliance
    Upgrade to the New Version
  Installing a High Availability System
  Verifying FIPS Compliance
  Enabling FIPS Mode
  Additional Installation Tools
    Configuring the Interface Speed/Duplex
    Restoring System Settings
Chapter 4: Installing the Enterprise Manager
  About the Installation
  Setting Up the Enterprise Manager
  Installing the Enterprise Manager
  Post-Installation Procedures
    Connect the Enterprise Manager to the Network
    Integrate with a Remote Management Module 2 (RMM2)
    Upgrade to the New Version
  Gradual Upgrade
  Restoring System Settings
Chapter 5: Installing the CounterACT Console
  About CounterACT Console Installation
  Logging In
  Using the Initial Setup Wizard at the Console
  Uninstalling Previous Versions
Chapter 6: High Availability Systems
  About High Availability
  License Setup Requirements
  Pre-Installation Requirements
  Optional Switch Connectivity
  Failover
    Criteria
    Node Status
  Connecting to the Network
  High Availability Software Installation
    Identify Ethernet Ports
    Primary Appliance Setup
    Configuring the CounterACT Appliance
    Secondary Appliance Setup
  Moving the Network Location of a High Availability Cluster
  Backup and Restore
  High Availability Indicators on the Console
  Upgrading 6.0 High Availability Systems to the Latest Version
  Upgrading to High Availability from CounterACT Versions 4.x and 5.x
  Uninstalling High Availability Mode
  Restoring a Configuration
    Installing Software and Restoring Configuration on the Primary Node
    Configuring the Secondary Node
  Converting a Single Enterprise Manager/Appliance to High Availability
Appendix A - Site Preparation Form

Preface

This section covers the following topics:
- About this Manual
- About the CounterACT Solution
- CounterACT Package Contents

About this Manual


This manual details the CounterACT software installation/configuration procedures and related information for the following components:
- Appliance hardware components (CT-Remote, CT-100, CT-1000, CT-2000, or CT-4000)
- Enterprise Manager hardware component
- Console management application

Information regarding Switch setup is also available.

About the CounterACT Solution


CounterACT delivers complete endpoint security and lets you effortlessly apply your business security policies to the IT infrastructure, accurately and automatically. CounterACT effectively:
- Ensures NAC compliance
- Combats worms, self-propagating malware and hackers
- Automatically protects network vulnerabilities
- Creates a virtual firewall that protects or opens specific network zones
- Lets security teams, IT departments and the Help Desk leverage extensive network information via CounterACT's web-based Assets Portal

The CounterACT Console User Manual provides more information about these capabilities.


The manual contains the following chapters:

| Chapter | Contents |
| Chapter 1: System Components and Requirements | CounterACT system requirements, including hardware and networking requirements |
| Chapter 2: Hardware Setup | Information about hardware setup options |
| Chapter 3: Appliance Setup, Configuration, Installation and Post-Installation | How to install and upgrade the Appliance |
| Chapter 4: Installing the Enterprise Manager | How to install and upgrade the Enterprise Manager |
| Chapter 5: Installing the CounterACT Console | How to install the CounterACT Console |
| Chapter 6: High Availability Systems | How to install and configure High Availability CounterACT systems |
| Appendix A - Site Preparation Form | CounterACT site preparation form with required site parameters |

CounterACT Package Contents


Your CounterACT package includes the following components:
- The CounterACT Appliance/Enterprise Manager
- Quick Installation Guide
- A CounterACT CD containing the Console software, the CounterACT Console User Manual, and this guide
- Warranty document
- Mounting brackets
- Power cord
- DB9 Console connecting cable (for serial connections only)

If you are working with a High Availability system, you will receive a separate package with another Appliance and/or Enterprise Manager. See Chapter 6: High Availability Systems for more information.

Chapter 1: System Components and Requirements

This chapter includes:
- CounterACT Components
- Secure, Encrypted Connections
- High Availability
- Power Outage Handling
- System Requirements

Chapter 1

System Components and Requirements

CounterACT Components
CounterACT components include:
- CounterACT Appliance
- CounterACT Enterprise Manager
- CounterACT Console

CounterACT Appliance
The Appliance is a dedicated device that monitors traffic going through your organization's network. It protects the network against malicious activity, performs extensive NAC protection, lets you create network security zones and handles vulnerabilities.

Multiple Appliance Deployments
Multiple CounterACT Appliances are deployed to ensure maximum protection of your organization. Your CounterACT Appliance was installed in order to see vital network traffic.

To handle malware and hackers, the Appliance setup must be:
- At the connection point between a protected network area and the rest of the network. This enables protection of a specific network range against infection attempts initiated from the rest of the network, and protection of the network against infection attempts generated from a specific network area (e.g. a contractors' segment, which might be potentially more dangerous).
- Behind a VPN concentrator, where encrypted VPN channels are decrypted and malicious traffic enters your network
- Behind remote access servers, where remote access users are entering your network


To apply an admission control policy, the Appliance setup must be:

Within broadcast domains, preferably mirroring tagged ports


To work with the Virtual Firewall, the Appliance setup must be:

Between segments/VLANs

CounterACT Enterprise Manager


The Enterprise Manager is an aggregation device that communicates with multiple CounterACT Appliances distributed across an enterprise. It manages the CounterACT activity and policies, and collects information about malicious activity that is detected at each Appliance, including infection attempts, identification, notification, restriction and remediation actions taken by CounterACT. This information is available for display and reporting at the Enterprise Manager.


Recovery Enterprise Manager


The CounterACT Recovery Enterprise Manager is used as a remote recovery device for an Enterprise Manager that is no longer functioning due to, for example, a natural disaster or crisis. This device provides complete and continued management of network Appliances from a remote site. The Recovery Enterprise Manager is installed at the Data Center using the same installation procedure as the Enterprise Manager, and is later added at the Console as you would any CounterACT component. Refer to the CounterACT Console User Manual for more information. See www.forescout.com/kb or use the online Help tools at the Console.

CounterACT Console
The Console is the CounterACT management application used for viewing and managing important information about Network Access Control (NAC) policies, malicious intrusions, vulnerable network hosts, and more. The Console lets you define the conditions under which hosts are identified and handled by CounterACT. The Console also provides a number of tools:
- Policy tools allow you to define a virtual firewall policy and a policy for handling NAC, security and compliance issues, as well as a policy for handling malicious sources.
- Sophisticated reporting tools let you generate an extensive range of reports about malicious source activity, NAC activity and vulnerability scanning, as well as CounterACT's response to these activities.
- Control tools allow you to start and stop Appliances and Enterprise Managers and update the configuration defined during installation, for example, the network range CounterACT is protecting or the time zone setting.
- Other control tools allow you to communicate with your Network Management application and work with 3rd party plugin applications.

Refer to the CounterACT Console User Manual for more information.


Secure, Encrypted Connections


The CounterACT Console connection is encrypted using a proprietary protocol on 13000/TCP. Users are required to enter a user name and password to log in to the CounterACT Appliance through the Console. The connection between multiple Appliances and the Enterprise Manager is also encrypted with the same proprietary protocol.

Remote Management Module 2 (RMM2) Integration (RILO)


CounterACT supports Intel Remote Management Module 2 (RMM2) integration with CT-1000/2000/4000 components. The Intel RMM2 is an integrated server system solution that gives you location-independent/OS-independent remote access over the LAN or Internet to CounterACT Appliances/Enterprise Managers. The module is used to carry out KVM access, power on/off/reset and perform troubleshooting and maintenance tasks. See Integrate the Appliance with Remote Management Module 2 (RMM2) for information about setting up this module.

High Availability Tools


CounterACT High Availability is implemented in clusters with two Appliances or two Enterprise Manager nodes. Redundancy is achieved by one of the nodes serving as the Active node (managing the activities required for effective NAC) while the second node waits in Standby mode to take over in case of Active node failure. See Chapter 6: High Availability Systems.

Power Outage Handling


By default, when there is a power outage, the Appliance and Enterprise Manager are set to the Stay Off mode. You can change this default to Power On mode so that the machine will automatically be powered on after a power outage recovery.
To change the power outage recovery setting to Power On:
1. Reboot the Appliance or Enterprise Manager.
2. While the machine is powering on, select F2.
3. The BIOS Setup Utility screen opens.
4. Select the Server tab.
5. Use the arrow keys to select the Default > Stays Off option.
6. Press Enter and the Down arrow to choose Power On.


System Requirements
Verify that the following requirements are met before you begin installation and that you have a completed Site Preparation Form (Appendix A - Site Preparation Form).
- CounterACT Console Hardware Requirements
- Network Access Requirements
- Network Deployment Requirements
- Appliance Information Requirements
- Enterprise Manager Information Requirements
- Network Connection Requirements

CounterACT Console Hardware Requirements


The computer hosting the CounterACT Console application software is supplied by the customer. Minimum hardware requirements are:
- Non-dedicated machine, running Windows XP/98/NT/2003/2000/Vista and Linux
- Pentium 3, 1 GHz
- 512 MB RAM. 1 GB is recommended if you are working with more than 10,000 devices.
- Disk space: 100 MB
- CD-ROM drive

Network Access Requirements


Deploying CounterACT requires TCP/IP communication. This section details CounterACT connectivity requirements. Check your security policy (Router ACLs, etc.), and modify, if required, to allow for this communication. Each Appliance requires a single management connection to the network. This connection requires an IP address on the local LAN and also requires Port 13000/TCP access from machines that will be running the CounterACT Console. In addition, the following are required:


| Port | Service | To/From CounterACT | Function |
| 22/TCP | SSH | To | Allows endpoints to access the CounterACT command line interface (CLI) |
| 25/TCP | SMTP | From | Allows CounterACT access to the enterprise mail relay |
| 80/TCP | HTTP | To | Allows HTTP redirection |
| 443/TCP | HTTPS | To | Allows HTTP redirection using SSL |
| 13000/TCP | CounterACT | To | For systems with only one Appliance: from the Console to the Appliance. For systems with more than one CounterACT Appliance: from the Console to the Enterprise Manager and from the Enterprise Manager to the Appliance. |
| 53/UDP | DNS | From | Allows CounterACT access to resolve internal IP addresses |
| 123/UDP | NTP | From | Allows CounterACT access to a local time server or ntp.forescout.net. The ForeScout default is set to ntp.forescout.net. |
| 161/UDP | SNMP | From | Allows CounterACT access to communicate with network switches and routers |
| 162/UDP | SNMP | To | Allows CounterACT to receive SNMP traps from network switches and routers |
| 10003/TCP | SecureConnector | To | Allows a SecureConnector tunnel between endpoints and the Appliance. SecureConnector enables access to unmanageable endpoints via a secure executable file that runs at the desktop while the host is connected to the network. Refer to the CounterACT Console User Manual for more information about what SecureConnector does. A SecureConnector connecting to any Appliance or the Enterprise Manager is redirected to the Appliance to which its host is assigned. Arrange connectivity of this port to all Appliances and to the Enterprise Manager to allow transparent mobility within the organization. Port 10003 is default; you can change this. |
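The following added example (not part of the ForeScout guide) shows one way to check a router ACL against the port table above before installation. It assumes a first-match ACL with an implicit final deny; the `Rule` model, the addresses (documentation ranges) and the peer names are constructed for illustration.

```python
"""Audit a first-match ACL against the Network Access Requirements table."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# (port, protocol, direction relative to CounterACT, service) from the table.
# "SNMP trap" is a label chosen here to tell 162/UDP apart from 161/UDP.
REQUIRED = [
    (22, "tcp", "to", "SSH"),
    (25, "tcp", "from", "SMTP"),
    (80, "tcp", "to", "HTTP"),
    (443, "tcp", "to", "HTTPS"),
    (13000, "tcp", "to", "CounterACT"),
    (53, "udp", "from", "DNS"),
    (123, "udp", "from", "NTP"),
    (161, "udp", "from", "SNMP"),
    (162, "udp", "to", "SNMP trap"),
    (10003, "tcp", "to", "SecureConnector"),  # default port; may be changed
]


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, proto, src_ip, dst_ip, dport):
        return (
            self.proto in ("ip", proto)
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
            and self.dport in (None, dport)
        )


def decide(acl, proto, src_ip, dst_ip, dport):
    """Return (action, rule number); the number is None for the implicit deny."""
    for number, rule in enumerate(acl, start=1):
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, number
    return "deny", None


def audit(acl, appliance_ip, peers):
    """List every required flow that the ACL does not permit."""
    blocked = []
    for port, proto, direction, service in REQUIRED:
        peer = peers[service]
        # "to": the peer connects to a port on the Appliance.
        # "from": the Appliance connects to a port on the peer.
        src, dst = (peer, appliance_ip) if direction == "to" else (appliance_ip, peer)
        action, number = decide(acl, proto, src, dst, port)
        if action != "permit":
            reason = "implicit deny" if number is None else f"denied by rule {number}"
            blocked.append((f"{port}/{proto} {service}", direction, reason))
    return blocked


# Constructed sample data (RFC 5737 documentation addresses).
APPLIANCE = "192.0.2.10"
SAMPLE_PEERS = {
    "SSH": "198.51.100.20", "CounterACT": "198.51.100.20",        # admin/Console PC
    "HTTP": "198.51.100.50", "HTTPS": "198.51.100.50",            # endpoint
    "SecureConnector": "198.51.100.50",
    "SMTP": "203.0.113.25", "DNS": "203.0.113.53", "NTP": "203.0.113.123",
    "SNMP": "203.0.113.2", "SNMP trap": "203.0.113.2",            # switch
}
SAMPLE_ACL = [
    Rule("permit", "tcp", "198.51.100.20/32", "192.0.2.10/32", 22),
    Rule("permit", "tcp", "198.51.100.20/32", "192.0.2.10/32", 13000),
    Rule("permit", "tcp", "198.51.100.0/24", "192.0.2.10/32", 80),
    Rule("permit", "tcp", "198.51.100.0/24", "192.0.2.10/32", 443),
    Rule("permit", "tcp", "192.0.2.10/32", "203.0.113.25/32", 25),
    Rule("permit", "udp", "192.0.2.10/32", "203.0.113.53/32", 53),
    Rule("permit", "udp", "192.0.2.10/32", "203.0.113.123/32", 123),
    Rule("deny", "udp", "0.0.0.0/0", "203.0.113.2/32", 161),      # shadows the next rule
    Rule("permit", "udp", "192.0.2.10/32", "203.0.113.0/24", 161),
    Rule("permit", "udp", "203.0.113.2/32", "192.0.2.10/32", 162),
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_ACL, APPLIANCE, SAMPLE_PEERS):
        print(flow)
```

In the sample, the SNMP query flow is blocked by an earlier deny that shadows its permit, and the SecureConnector flow has no rule at all.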


Network Deployment Requirements


Each Appliance must be set up at a location in which it sees vital network traffic and can protect devices connected to your switch. CounterACT supports deployment options for:
- Monitoring multiple VLANs (tagged traffic): recommended, since it provides the best overall coverage while monitoring only a single port.
- Monitoring a tagged port (802.1q tagged)
- Monitoring a single VLAN (untagged)
- Monitoring a single port(s) (untagged)

Important notes:
- Carefully consider the traffic to monitor. It is recommended to monitor the authentication traffic between end users and authentication servers.
- To notify end users via their web browsers, you need to monitor HTTP traffic between end users and the Internet/Intranet.

Refer to the CounterACT Console User Manual for more information about these features.

Appliance Information Requirements


The following information regarding the CounterACT Appliance is required:
- CounterACT Appliance IP address
- CounterACT Appliance host name
- Management interface through which Appliance and Console communicate
- Network mask
- Default gateway IP address
- List of the company's DNS server addresses to allow resolving of internal IP addresses to their DNS names

Enterprise Manager Information Requirements


- CounterACT Enterprise Manager IP address
- CounterACT Enterprise Manager host name
- Enterprise Manager Administrator password
- Management interface
- Network mask
- Default gateway
- DNS domain name
- DNS server addresses

Network Connection Requirements


Network connections must allow full visibility to all response and monitor traffic.


Chapter 2: Hardware Setup

This chapter includes:
- About CounterACT Installation
- Appliance Interface Connections
- Setting Up Switch Connections
- Creating an Out-of-Band IP Management Interface


Chapter 2

Hardware Installation

About CounterACT Installation


CounterACT is designed for installation in various environments. The configurations shown here demonstrate some of the more typical options and introduce the terminology involved in the installation. Each Appliance requires three types of connections to the network. If your management network must be separated from the rest of your network, you can create an Out-of-Band management IP interface setup. This allows the management-related traffic to be routed through a management interface. Other traffic, for example the NAC Policy remote registry queries and HTTP notifications, is routed through standard response interfaces. See Creating an Out-of-Band IP Management Interface for more information. If you are installing CounterACT High Availability systems, the configuration and wiring are explained in Chapter 6: High Availability Systems.

Related Documents
Cisco Switches
For information regarding Cisco switches, refer to:
http://www.forescout.com/support/files/docs/Configuring-Cisco-SPAN.pdf

Rack Mounting Instructions
For information regarding rack-mounting instructions, refer to:

CT/AS 100 series:
http://www.forescout.com/downloads/support/CT-AS-Rail-Kit-100.pdf

CT/AS 1000/2000/4000 series:
http://www.forescout.com/downloads/support/CT-AS-Rail-Kit-1000-20004000.pdf

Appliance Interface Connections


The Appliance is generally configured with these three connections to the network switch:
- Management Interface
- Monitor Interface
- Response Interface

Management Interface
This interface allows you to manage CounterACT and perform queries and deep inspection of endpoints. The interface must be connected to a switch port with access to all network endpoints.


Each Appliance requires a single management connection to the network. This connection requires an IP address on the local LAN and Port 13000/TCP access from machines that will be running the CounterACT Console management application. The management port must have access to additional services. See Network Access Requirements for more information.

Monitor Interface
This connection allows the Appliance to monitor and track network traffic. Traffic is mirrored to a port on the switch and monitored by the Appliance. Depending upon the number of VLANs being mirrored, the traffic may or may not be 802.1q VLAN tagged.
- Single VLAN (untagged): When monitored traffic is generated from a single VLAN, the mirrored traffic does not need to be VLAN tagged.
- Multiple VLANs (tagged): If monitored traffic is from more than one VLAN, the mirrored traffic must be 802.1q VLAN tagged. See IP Layer Response (for Layer-3-Only Core Switch Installation) for a workaround if this is not possible.

When two switches are connected as a redundant pair, the Appliance must monitor traffic from both switches. See Setting Up Switch Connections for related information. No IP address is required on the monitor interface.

Response Interface
The Appliance responds to traffic using this interface. Response traffic is used to protect against malicious activity and to perform NAC policy actions. These actions may include, for example, redirecting web browsers or performing session blocking. The related switch port configuration depends upon the traffic being monitored.
- Single VLAN (untagged): When monitored traffic is generated from a single VLAN, the response port must belong to the same VLAN. In this case, the Appliance requires a single IP address on that VLAN.
- Multiple VLANs (tagged): If monitored traffic is from more than one VLAN, the response port must also be configured with 802.1q tagging for the same VLANs. The Appliance requires an IP address for each of the monitored VLANs.


Setting Up Switch Connections


The Appliance was designed to seamlessly integrate with a wide variety of network environments. To successfully integrate the Appliance into your network, verify that your switch is set up to monitor required traffic. Depending upon the configuration, you can combine ports to reduce the number of cables/ports needed for installation. In each of these cases, the ports/cables can be either copper or fiber connections.

Standard Installation: Separate Management, Monitor and Response Ports


The recommended installation uses three separate cables as detailed in Appliance Interface Connections.

Combined Monitor and Response Port


If the switch is capable of receiving data packets into a mirrored port (for example, inpkts enable on a Cisco Catalyst switch), you can combine the monitor and response ports. This configuration is possible for either a single-VLAN or a multiple-VLAN installation.

Passive Inline Tap
Instead of connecting to the switch monitor port, the Appliance can use a passive inline tap. A passive inline tap requires two monitor ports (one for upstream and one for downstream traffic), except in the case of a recombination tap, which combines the two duplex streams into a single port. The traffic on the tapped port and response interface must be on matching VLANs. For example, if the traffic on the tapped port is VLAN tagged (802.1q), the response port must also be a VLAN tagged port. Simply put, the response port must be configured in the same way as the monitor port.

Active (Injection Capable) Inline Tap
The Appliance can use an active inline tap. If the tap is injection capable, the Appliance combines the monitor and response ports so there is no need to configure a separate response port on the switch. This option can be used regardless of the type of upstream or downstream switch configuration.

IP Layer Response (for Layer-3-Only Core Switch Installation)
The Appliance can use its own management interface to respond to traffic. Although this option can be used with any monitored traffic, it is recommended in situations where the Appliance monitors ports that are not part of any VLAN, and cannot respond to monitored traffic using any other switch port. This is typical when monitoring a link connecting two routers. This option limits the ability to respond to ARP requests, which limits the ability of the Appliance to detect scans aimed at the IP addresses included in the monitored subnet. This limitation does not apply when traffic between two routers is being monitored.

Combined Management and Response Port (Single VLAN Only)


If the Appliance is protecting a single VLAN and the management IP is on the same VLAN, you can combine the management and response ports. This configuration is quite common for installation on an access layer switch. This configuration is not possible on a multiple VLAN installation.

Combined Management, Response and Monitor Port (Single VLAN Only)


If the Appliance is protecting a single VLAN, the management IP is on the same VLAN and the switch is capable of response into the monitor port, then all the cables can be combined into a single port. This configuration is quite common for installation on an access layer switch. This configuration is not possible on a multiple VLAN installation.

Switch Setting Guidelines


VLAN (802.1q) Tags
- Monitoring a Single VLAN (untagged): If the monitored traffic is from a single VLAN, then traffic does not need 802.1q tags.
- Monitoring Multiple VLANs (tagged): If the monitored traffic is from two or more VLANs, then both the monitored and response ports must have 802.1q tagging enabled. Monitoring multiple VLANs is recommended as it provides the best overall coverage while minimizing the number of mirroring ports.
- If the switch cannot use a VLAN tag on the mirroring port, then perform one of the following:
  - Mirror only a single VLAN
  - Mirror a single, untagged uplink port
  - Use the IP Layer response option
- If the switch can only mirror one port, then mirror a single uplink port. This may be tagged.
- In general, if the switch strips the VLAN tags, you must use the IP Layer response option.

Additional
- If the switch cannot mirror both transmitted and received traffic, then either monitor the entire switch or complete VLANs (this provides transmit/receive) or monitor just one interface (which does allow transmit/receive).
- Verify that you do not overload the mirroring port.
- Some switches (e.g. Cisco 6509) may require that former port configurations be completely deleted before entering new configurations. Not deleting old port information commonly causes the switch to strip 802.1q tags.
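The guidelines above depend on whether the mirror port really delivers 802.1q tags. This added example (not from the guide) classifies raw Ethernet frames, such as those taken from a capture on the monitor interface, and reports whether the expected VLAN tags arrive; the function names, verdict strings and sample frames are constructed for illustration.

```python
"""Check whether mirrored frames carry the 802.1q tags a multi-VLAN setup needs."""
import struct
from collections import Counter

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1q tag


def vlan_of(frame):
    """Return the VLAN ID of an Ethernet frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # the low 12 bits of the TCI hold the VLAN ID


def check_mirror(frames, expected_vlans):
    """Summarise tagging on a mirror port against the VLANs being monitored."""
    per_vlan, untagged, malformed = Counter(), 0, 0
    for frame in frames:
        try:
            vid = vlan_of(frame)
        except ValueError:
            malformed += 1
            continue
        if vid is None:
            untagged += 1
        else:
            per_vlan[vid] += 1

    expected = set(expected_vlans)
    multi = len(expected) > 1  # tags are only required for more than one VLAN
    missing = sorted(expected - set(per_vlan)) if multi else []
    if multi and untagged and not per_vlan:
        verdict = "tags stripped"   # switch is removing 802.1q tags
    elif missing:
        verdict = "missing VLANs"   # some monitored VLANs never appear
    else:
        verdict = "ok"
    return {
        "per_vlan": dict(per_vlan),
        "untagged": untagged,
        "malformed": malformed,
        "missing": missing,
        "unexpected": sorted(set(per_vlan) - expected),
        "verdict": verdict,
    }


def make_frame(vlan=None):
    """Build a constructed sample frame (broadcast, IPv4 EtherType, zero payload)."""
    dst = b"\xff" * 6
    src = bytes.fromhex("020000000001")
    tag = struct.pack("!HH", TPID_8021Q, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", 0x0800) + bytes(46)


if __name__ == "__main__":
    sample = [make_frame(10), make_frame(), bytes(10)]  # constructed capture
    print(check_mirror(sample, [10, 20]))
```

A "tags stripped" verdict on a multi-VLAN mirror corresponds to the case where the guide directs you to the IP Layer response option or to clearing old port configuration on the switch.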

Creating an Out-of-Band IP Management Interface


If your management network must be separate from the rest of your network, you can create an Out-of-Band IP management interface setup. When you do this, management related traffic is transmitted through the management interface, while other traffic (for example, the NAC Policy remote registry queries and HTTP notifications) is transmitted through another interface. If this is the case, both interfaces will have an IP address. In order to create such a setup, first create an Out-of-Band IP management interface. If necessary, you may need to configure a gateway and routing rules. These tasks can be carried out by running the fstool netconfig command.
To create and configure the interface:
1. Log into the CounterACT Appliance as root.
2. Run the following command:
   fstool netconfig

   The following menu opens:

   CounterACT Machine Network Configuration Options:
   1) Configure network interfaces
   2) Configure default gateway
   3) Configure static routing rules
   4) Restart network services
   5) Quit
   Choice (1-5): 1

3. Type 1 to configure the interface as required. After creating the interface, the menu reopens.
4. Type either 2 to Configure default gateway or 3 to Configure static routing rules.
   The current Machine Static Routing Table Configuration opens. You will be prompted if no routing has been defined.
5. Type A and then press Enter to choose an interface in which to add a route.
   A menu opens with the interface you selected and configuration parameters. Sample configuration parameters:

   1) eth0 Address: 10.0.4.197 Netmask: 255.255.255.0
   Choice (1-1) : 1

6. Press Enter to configure the routing.
   Sample Configuration:

   Destination Net IP address : 13.0.0.0
   Destination Genmask IP address : 255.0.0.0
   Gateway IP address [0.0.0.0] : 10.0.4.108
   -----------------------------------------------------
   CounterACT Machine Static Routing Table Configuration
   -----------------------------------------------------
   Destination   Iface   Gateway      Genmask
   13.0.0.0      eth0    10.0.4.108   255.0.0.0
   12.0.0.0      eth0    10.0.4.108   255.0.0.0
   11.0.0.0      eth0    10.0.4.109   255.0.0.0

   (E)dit,(A)dd ,(D)elete,(S)ave,(B)ack :

7. Type S and press Enter to save the configuration.

Additional Example

In this example, the CounterACT device has one in-band interface on the Intranet, and one Out-of-Band interface on the management segment. The mail server also has interfaces on both the Intranet and the management segment. In this example, mails from the CounterACT device need to be routed through the management segment to the mail server, and then sent to the Intranet.

To configure the mail routing:
1. Run the following command:
   fstool netconfig

   The following menu opens:

   CounterACT Machine Network Configuration Options:
   1) Configure network interfaces
   2) Configure default gateway
   3) Configure static routing rules
   4) Restart network services
   5) Quit
   Choice (1-5): 3

2. Type 3 and then A to add an interface.
3. When prompted, choose the interface to the management segment.
4. Configure the Destination Net IP Address to the IP address of the mail server.
5. Configure the Destination Genmask to 255.255.255.255.
6. Configure the Gateway IP Address to the default gateway of the management interface.
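A static routing table like the ones entered in the two procedures above can be checked offline before it is saved. This Python sketch is an added example, not ForeScout code: it uses the page's sample eth0 routes, while the eth1 management-segment addresses, the mail server address and all function names are constructed assumptions.

```python
import ipaddress

# eth0 uses the sample address from this page; eth1 (the management
# segment) and the mail server address are constructed for the example.
INTERFACES = {
    "eth0": ipaddress.ip_interface("10.0.4.197/255.255.255.0"),
    "eth1": ipaddress.ip_interface("172.16.0.10/255.255.255.0"),
}
DEFAULT_GATEWAY = ("10.0.4.253", "eth0")
MAIL_SERVER = "10.0.9.25"

# (Destination Net, Destination Genmask, Gateway, Iface)
STATIC_ROUTES = [
    ("13.0.0.0", "255.0.0.0", "10.0.4.108", "eth0"),
    ("12.0.0.0", "255.0.0.0", "10.0.4.108", "eth0"),
    ("11.0.0.0", "255.0.0.0", "10.0.4.109", "eth0"),
    # Host route that sends mail through the management segment.
    (MAIL_SERVER, "255.255.255.255", "172.16.0.1", "eth1"),
]


def validate_routes(routes, interfaces):
    """Return a list of problems that would make a route unusable."""
    problems = []
    for dest, mask, gateway, iface in routes:
        try:
            # Rejects non-contiguous masks and destinations with host bits set.
            ipaddress.ip_network(f"{dest}/{mask}")
        except ValueError as exc:
            problems.append(f"{dest}/{mask}: {exc}")
            continue
        if iface not in interfaces:
            problems.append(f"{dest}: unknown interface {iface}")
            continue
        network = interfaces[iface].network
        if ipaddress.ip_address(gateway) not in network:
            problems.append(f"{dest}: gateway {gateway} is not on {iface} ({network})")
    return problems


def build_table(routes, interfaces, default_gateway):
    """Combine connected networks, static routes and the default route."""
    table = [(i.network, None, name) for name, i in interfaces.items()]
    table += [(ipaddress.ip_network(f"{d}/{m}"), g, i) for d, m, g, i in routes]
    table.append((ipaddress.ip_network("0.0.0.0/0"),) + default_gateway)
    return table


def lookup(table, destination):
    """Longest-prefix match: return (interface, gateway) for a destination."""
    addr = ipaddress.ip_address(destination)
    matches = [route for route in table if addr in route[0]]
    _, gateway, iface = max(matches, key=lambda route: route[0].prefixlen)
    return iface, gateway


if __name__ == "__main__":
    print(validate_routes(STATIC_ROUTES, INTERFACES))
    table = build_table(STATIC_ROUTES, INTERFACES, DEFAULT_GATEWAY)
    for dst in (MAIL_SERVER, "10.0.9.26", "13.1.2.3", "10.0.4.10"):
        print(dst, "->", lookup(table, dst))
```

A gateway of None in the result means the destination is on a directly connected network.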


Chapter 3: Appliance Setup, Configuration, Installation and Post-Installation

This chapter includes:
   Setting Up an Appliance
   Installing an Appliance
   Post-Installation Procedures
   Installing a High Availability System
   Integrate the Appliance with Remote Management Module 2 (RMM2)
   Verifying FIPS Compliance
   Enabling FIPS Mode
   Additional Installation Tools


Chapter 3

Installing the Appliance

Setting Up an Appliance
1. Remove the following items from the shipping container.
   Appliance
   Power cord
2. Connect the power cord to the power connector on the Appliance rear panel. See Connect an Appliance to the Network for a diagram that details a sample rear panel.
3. Connect the other end of the power cord to a grounded AC outlet.
4. Set up the keyboard and monitor to the Appliance or set up the Appliance for serial connection. See Serial Port Setup.
5. Power on the Appliance from the front panel.
6. If the Appliance is installed in the location at which it will operate, connect it to the network. For information about performing this connection, see Connect an Appliance to the Network. If the Appliance is not in its final location, you can perform the Appliance configuration now and connect it to the network later.

Serial Port Setup


If you cannot carry out the installation with a keyboard and monitor, it can be performed using a remote serial port connection. If you are working with the CT- Remote Appliance, you cannot perform the full installation via a serial port.
Verify that you have the following:
   A CounterACT Appliance with a serial port
   Another computer that will act as the client to control the installation process. Verify that all output is redirected and displayed on the terminal client
   A serial cable (supplied with the Appliance)
   A terminal client, such as "Hyper Terminal" (Windows) or "minicom" (Linux)

To set up a serial port connection:
7. Connect the two computers to each other. Connect the serial cross-cable to the CounterACT computer.
8. Configure the terminal client according to the following parameters:
   Baud: 19200
   Parity: None
   Data Bit: 8
   Stop Bits: 1
   Flow Control: None (minicom enables flow control by default - edit the configuration to disable)
   Emulation: ANSI (at least for minicom)
   You may have to type the following command at the boot prompt in order to see the output on the computer connected through the serial cable. Note that you may not see the text as you type this.
   Type the following for CT-100:
   console=ttyS0,19200
   Type the following for CT-1000/200:
   console=ttyS1,19200
9. Continue the setup procedure according to Installing an Appliance.

Installing an Appliance
Numerous configuration definitions set here can later be updated through the CounterACT Console. Refer to the CounterACT Console User Manual for more information.
1. Power on the Appliance.
   The FIPS (Federal Information Processing Standard) option lets you configure CounterACT to meet FIPS 140-2 (level 2) requirements. This option is only recommended for CounterACT deployments in the US Federal government, where FIPS is required. See Enabling FIPS Mode for more information. When this is complete, the following menu opens:

   1) Configure CounterACT- X.X.X
   2) Restore saved CounterACT- X.X.X configuration
   3) Identify network interfaces
   4) Configure keyboard layout
   5) High Availability Setup
   6) Enable FIPS
   7) Turn machine off
   8) Reboot the machine
   Choice (1-8) : 3

   During configuration, you are asked to specify the Ethernet monitor interfaces and response interfaces.
2. Once these parameters are determined, connect the interface cables to the associated Ethernet ports.
3. In order to identify and mark the ports on the rear panel, type 3 and press Enter. A menu opens indicating which interface has been detected. The associated port LED blinks on the rear panel.
4. Mark the port on the panel so it is easily identifiable and press Enter.
   Another menu opens indicating the next detected interface. The associated port LED now blinks.
5. Mark this port as well and press Enter. This process continues until all active interfaces are detected.
6. Once all interfaces have been detected, press Enter. The following menu reopens:

   1) Configure CounterACT- X.X.X
   2) Restore saved CounterACT- X.X.X configuration
   3) Identify network interfaces
   4) Configure keyboard layout
   5) High Availability Setup
   6) Enable FIPS
   7) Turn machine off
   8) Reboot the machine
   Choice (1-8) : 1

7. Type 1 and press Enter. The following menu opens:


   >>>>>> CounterACT Initial Setup <<<<<<
   You are about to setup CounterACT. During the initial setup process you will be prompted for basic parameters that are essential to connect to this machine. Once this phase is done, you will be instructed to complete the setup by connecting to the machine via CounterACT GUI.
   Continue (yes/no)? [yes]:

8. Press Enter to continue. The following menu opens:

   >>>>>> CounterACT Component Selection <<<<<<
   Choose component to install:
   1. CounterACT Appliance
   2. CounterACT Enterprise Manager
   Choice : 1

9. Type 1 and press Enter. The setup is initialized. This may take a moment. The following menu opens:

   >>>>>> Setting Host Name <<<<<<
   Enter the ForeScout Linux Operating System host name. It is recommended that the host name you set will be unique.

10. Type a host name. This name can be used when logging into the Console. In addition, it is used at the Console to help you identify the CounterACT Appliance you are viewing. The following menu opens:

   >>>>>> Setting Description <<<<<<
   Enter a short description of this Appliance (e.g. New York office).
   Description:

11. Type a unique description for this Appliance. The following menu opens:

   >>>>> CounterACT Appliance Administrator Password <<<<<<
   This password is used to login as 'root' to the CounterACT Linux Operating System and to the CounterACT Console. The password should be between 6 and 15 characters long and should contain at least one nonalphabetic character.
   CounterACT administrator password:
   Verify password:

12. Type a password to use when logging into the Appliance and the Console and press Enter.

13. Retype the password. If you forget it after completing the setup, you can create a new one from the Console. Refer to the Console Online Help. Log into the Appliance as root and log into the Console as admin. After the password is saved, the following menu opens:

   >>>>>> Network Settings <<<<<<
   Management interface (one of: eth0, eth1, eth2, eth3, eth4, eth5, eth6, eth7, eth8) : eth0
   Appliance IP address : 10.0.4.194
   Network mask [255.255.255.0] :
   Default gateway : 10.0.4.253
   DNS domain name: qa.def.dom
   DNS server addresses: 10.0.0.3 10.0.0.4

14. Type in network parameters at each of the relevant prompts and press Enter.
15. The management interface is the interface through which CounterACT components communicate. Add a VLAN ID for the interface option only if the interface used to communicate between CounterACT components is plugged into a tagged port. The DNS resolves internal IP addresses. While most internal DNS servers may resolve external addresses as well, some may not. Thus you may have to include an externally-resolving DNS server at the end of the list. Nearly all DNS queries performed by the Appliance will be for internal addresses, so the internal servers must be listed first. After entering the last parameter, you are prompted to perform general connectivity tests, reconfigure settings, or complete the setup:

   >>>>>> Configuration Summary <<<<<<
   Host name:        q4blade
   Interface:        eth0
   IP address:       10.0.4.197
   Network mask:     255.255.255.0
   Default gateway:  10.0.4.253
   DNS server:       10.0.0.3 10.0.0.4
   Domain name:      qa.def.dom

   (T)est,(R)econfigure,(D)one : T

16. Type T and press Enter to verify the following:
   Connected interfaces
   Connectivity of the default gateway
   DNS resolution

   Results will indicate if any test failed so that you can reconfigure as needed. If there are no failures, the following menu opens:


   Checking eth0...OK. (100Mb/s Full duplex)
   Checking default gateway...OK.
   Checking DNS resolution...OK.
   Press ENTER to review configuration summary

17. Press Enter and type D to complete the installation.
   The following menus open:

   Finalizing setup -: Done.
   Starting CounterACT Appliance: Done.

   >>>>>> CounterACT Installation is Complete <<<<<<
   The Appliance installation is complete. The Setup Wizard, automatically initiated from the CounterACT Console, will guide you through the rest of the Appliance setup.
   Use the following URL to install the Console: http://10.0.4.227/guisetup.html
   - If you want to use this Appliance as a standalone, continue the setup by logging in to the Appliance at the Console and completing the Wizard.
   - If you want to register this Appliance with an Enterprise Manager that has already been setup, log in to the Enterprise Manager and register it from the Options window. Open this window by selecting the Options icon on the Consoler toolbar. After it has been registered, the Setup Wizard will guide you through the setup steps.
   Press ENTER to clear the screen

18. Press Enter to start work using the evaluation license, which is valid for 30 days unless you request and receive an extension. During this period, you should have received a permanent license from ForeScout and placed it in an accessible folder on your disk or network. Install the license from this location before the 30-day demo license expires. You will be alerted that your license is about to expire in a number of ways:
   Through periodic email reminders
   Through the Status and License columns in the CounterACT Devices pane (accessible through the Options icon from the Main Console), which will indicate how many days remain until the license expires.
   Through the Status pane in the CounterACT Devices pane, which also shows the time until license expiration.
   Through an icon and tooltip on the Console, Status bar.

Refer to the CounterACT Console User Manual located on the CounterACT CD in the /docs folder for information about installing the license.

Post-Installation Procedures
After installing an Appliance, perform the following tasks:
   Connect an Appliance to the Network
   Integrate the Appliance with Remote Management Module 2 (RMM2)
   Verify the Management Interface Connection
   Verify Switch/Appliance Connectivity
   Perform a Ping Test
   Generate a Configuration Summary for an Appliance
   Upgrade to the New Version
   Install the CounterACT Console. See Chapter 5: Installing the CounterACT Console.
   Run the Installation Wizard. Refer to the CounterACT Console User Manual.

Connect an Appliance to the Network


During configuration, you are asked to specify the Ethernet monitor and response interfaces. Once these parameters are determined, connect the interface cables to the associated Ethernet port on the rear panel of the Appliance.

Integrate the Appliance with Remote Management Module 2 (RMM2)


CounterACT supports Intel Remote Management Module 2 (RMM2) integration with CT1000/2000/4000 components. The module is an integrated server system solution that gives you location-independent/OS-independent remote access over the LAN or Internet to CounterACT Appliances/Enterprise Managers. The RMM2 module is used to carry out KVM access, power on/off/reset and troubleshooting and maintenance tasks. Perform the following in order to set up and run the module:

1. Set up the Module
   The RMM2 connects to an Ethernet network. It is customary to connect it to a management network. For more information about the RMM2 module and connecting it to the network, refer to the Intel Remote Management Module 2 User Guide:
   ftp://download.intel.com/support/motherboards/server/sb/d93678001_rmm2_user_guide.pdf

2. Acquire an IP
   Use DHCP
   If available, use DHCP to acquire an IP. The MAC address of the RMM2 module is indicated near the RMM2 port and on the appliance documents.

   Without Using DHCP
   If DHCP is not available, use the psetup utility on a computer connected to the same broadcast domain as the RMM2. Psetup is a utility that is used to probe and configure the Intel RMM2. Setup links are shown below.

   Psetup for Windows
   http://www.forescout.com/support/files/utils/psetup/psetup_1.2.3.exe
   md5: 551f0c2bd8a801ed3b3d24febb0cfe70
   size: 139264

   Psetup for Linux
   You must run the utility in a GUI Linux environment (X Windows).
   http://www.forescout.com/support/files/utils/psetup/psetup1.2.2
   md5: 358350dbf9d4438aad22b8c265136bca
   size: 1566036

   Linux Release Notes
   http://www.forescout.com/support/files/utils/psetup/ReleaseNotes_Psetup_Linux_V122.txt
   md5: a3fba30b7a60c97fd9a66b03d9917d6b
   size: 4133

   See the RMM2 user guide for more details: ftp://download.intel.com/support/motherboards/server/sb/d93678001_rmm2

3. Access and Configure the Module
   In general no configuration is required. It is highly recommended however to update the default password. Enter the IP address of the RMM2 module in your browser to access the management module.
   1. The Intel Remote Management Module 2 page opens.
   2. Log in. The default username is admin and the default password is password. The main screen opens.
   3. Select the User Management >Change Password menu option.
   4. Update the password and log in again.
   5. Select Device Settings from the main screen and configure the module as required.

Verify the Management Interface Connection


Test the management interface connection to verify that the management interface is correctly configured.
To run the test:
1. Log into the Appliance.
2. Run the following command:
   fstool linktest

The following information is displayed:
   Management Interface status
   Pinging default gateway information
   Ping statistics
   Performing Name Resolution Test
   Test summary

Verify Switch/Appliance Connectivity


Verify that the switch is properly connected to the Appliance:

To verify connectivity:
1. At the Appliance for each interface detected, run the following command:
   fstool ifcount

   This tool continuously displays network traffic on the specified interfaces. It works in two modes: per interface or per VLAN (during the display, the mode can be changed). The tool displays the total bits per second and the percentage of traffic for the various interfaces. For example, to view traffic information for each interface, run the following command (separate each interface with a space):

   [root@CounterACT root]# fstool ifcount eth0 eth1 eth2

   Note that:
   The monitor interface primarily sees mirrored traffic above 90%.
   The response interface primarily sees broadcast traffic.
   Both the monitor and response interfaces see the expected VLANs.
2. Proceed by entering one of the following commands:
   V   display in VLAN mode
   I   display in interface mode
   P   show previous
   N   show next
   q   quit displaying

VLAN Mode:

   update=[4] [eth3: 14 vlans]
   Interface/Vlan   Total    Broadcast   Mirrored   *To my MAC   *From my MAC
   eth3.untagged    4Mbps    0.2%        99.8%      0.0%         0.0%
   eth3.1           9Mbps    0.0%        100.0%     0.0%         0.0%
   eth3.2           3Mbps    0.1%        99.9%      0.0%         0.0%
   eth3.4           542bps   100.0%      0.0%       0.0%         0.0%
   eth3.20          1Kbps    100.0%      0.0%       0.0%         0.0%
   Show [v]lans [i]nterfaces <-[p]rev [n]ext-> [q]uit

Interface Mode:

   update=[31] [eth0: 32 vlans] [eth1: 1 vlans]
   Interface   Total    Broadcast   Mirrored   To my MAC   From my MAC
   eth0        3Kbps    42.3%       0.0%       14.1%       43.7%
   eth1        475bps   0.0%        100.0%     0.0%        0.0%

*To my MAC - destination MAC is the Appliance's MAC.
*From my MAC - traffic sent by this Appliance (source MAC is the Appliance's MAC, destination can be broadcast or unicast).

3. If you do not see any traffic, verify that the interface is up and running using the following command at the Appliance:

   [root@CounterACT root]# ifconfig [interface name] up

Perform a Ping Test


Run the following command from the Appliance to a network desktop to verify connectivity:
   ping [network desktop IP]

By default, the Appliance itself does not reply to ping.

Generate a Configuration Summary for an Appliance


You can generate a configuration summary of Appliances in your enterprise including, for example, the Appliance version, channel, switch, and additional networking information. This makes it easier to:
   Identify a missing configuration at a glance.
   Document an Appliance configuration so that a replacement system can be easily configured.

To generate a summary:
1. Log into the Appliance.
2. Run the following command:
   fstool netconfig_sum

   The following menus open:

   Version information
   Version
   Build number
   Internal Version
   Build date

   Host information
   Hostname
   Domain name
   Dns

   Network information
   Gateway
   eth0 Address: Netmask:

3. Provide the information required.


Upgrade to the New Version


The Installer program automatically identifies an earlier Appliance version on your system. Upgrade options allow you to either maintain the configuration parameters from the previous version or define new parameters. Review the version Release Notes for important information before performing an upgrade. The Release Notes are located on your CounterACT CD ROM under the /docs folder and on the ForeScout web site.

Upgrading with the CD
1. Insert the CounterACT Installation CD ROM into its drive.
2. Login as root.
3. Mount the CD ROM with the following command:
   mount /mnt/cdrom
4. At the prompt, run the following commands:
   cd /mnt/cdrom
   ./ca_setup

   A prompt indicates that you are about to upgrade the software. These procedures are detailed in Installing an Appliance. You can maintain previous values, which appear as the default, or define new values.

Upgrading from the Console
You can also perform the software upgrade from the Console. If you upgrade from the Console, you cannot update the installation parameters. For complete procedures, refer to the Console User Manual.

Installing a High Availability System


If you are working with a High Availability system, install CounterACT using the procedure described in Enabling FIPS Mode. Then install the nodes as described in Chapter 6: High Availability Systems.

Verifying FIPS Compliance


To verify that your system is FIPS (Federal Information Processing Standard) compliant, log into the Appliance/Enterprise Manager and run the following command:
fstool version

The following information is displayed:

   [root@haha-em-1 root]# fstool version
   CounterACT Appliance version information
   ----------------------------------------
   Version : X.X.X
   Build date : Mon Dec 31 09:29:27 2007
   High Availability supported : No
   FIPS supported : Yes

Enabling FIPS Mode


The FIPS option lets you configure CounterACT to meet FIPS 140-2 (level 2) requirements. This option is only recommended for CounterACT deployments in the US Federal government, where FIPS is required. SSH cannot be used to connect to Appliances in FIPS mode.
To install CounterACT to operate in FIPS mode:
1. Install all enterprise Appliances in FIPS mode.
   When installing the Appliance at the Data Center, type 6 and press Enter.

   1) Configure CounterACT- X.X.X
   2) Restore saved CounterACT- X.X.X configuration
   3) Identify network interfaces
   4) Configure keyboard layout
   5) High Availability Setup
   6) Enable FIPS
   7) Turn machine off
   8) Reboot the machine
   Choice (1-8) : 6

2. To continue, follow the directions in Installing an Appliance.
3. SSH is blocked since it is not FIPS-140-2 Level 2 compliant. Therefore, a terminal application is added. To use the terminal: Run the fsterm.bat file located in the current directory at the location at which the Console is installed. For example, C:\Program Files\ForeScout CounterACT\GuiManager\current\fsterm.bat. Create a shortcut to easily open the file.

Additional Installation Tools


This section details additional tools that can be used for the installation.

Configuring the Interface Speed/Duplex


You can modify the default interface speed and duplex values.
1. Log into the CounterACT Appliance.
2. Run:
   fstool ethset


Interface speeds and duplex configuration: Interface Conf-Speed/Duplex eth0 eth1 e100 e100 Driver Link Status 100baseT/Half Auto/Full Cur-Speed/Duplex Auto/Auto Auto/Auto link ok link ok

The current interface speed and duplex configuration opens (as above) along with the following message.

   CounterACT Interface Speeds and Duplex Configuration Options:
   1) Edit interface speeds and duplex options
   2) Blink interfaces
   3) Quit
   Choice (1-3) : 1

3. Type 1 and press Enter to display a list of available Ethernet ports.
4. Choose the interface to configure and press Enter. The current configuration opens along with configuration options. The following menu shows an example:

   Choose eth0 configuration:
   1) Auto
   2) 10baseT/Half
   3) 10baseT/Full
   4) 100baseT/Half
   5) 100baseT/Full
   6) 1000baseT/Full

5. Configure as required and press Enter.
6. Type 2 and press Enter to identify the Ethernet interfaces (ports).

Restoring System Settings


Backup and restore procedures allow you to save your system settings and later restore them to an Appliance. Use this feature in cases of Appliance hard drive failures or when data on an Appliance is lost for any other reason. Refer to the CounterACT Console User Manual for more information.
To restore:
1. Power on the Appliance. When it finishes booting, the following menu opens:

   CounterACT boot is complete. Press Enter to continue.

2. Press Enter to start the restore procedure. The following menu opens:

   1 Configure CounterACT-X.X.X
   2 Restore saved CounterACT-X.X.X configuration
   3 Identify network interfaces
   4 Configure keyboard layout
   5 Turn machine off
   Choice (1-5): 2

3. Type 2 and press Enter.
   The following menu opens:

   Restore options:
   1) Restore from USB storage device
   2) Restore from CD-ROM
   3) Restore from floppy diskette
   4) Get shell prompt
   5) Cancel
   Choice (1-5) :

4. Select the relevant restore option and press Enter.
   The following menu opens:

   The restore process will now search for backup files in the selected media. Note that backup file names must have a ".fsb" extension.
   Insert the media where the backup file reside and press ENTER to continue

5. Insert the media where the backup file resides and press Enter.
   The following menu opens, displaying all .fsb files found on the media:

   Searching for backup files in USB storage device(s)...
   Choose backup file:
   1) qcc-V4.0.3-2004_12_22_15_27.fsb
   2) Cancel
   Choice (1-2) :

6. Select the relevant backup option and press Enter.

The following menu opens:


   Verifying /tmp/usbmnt/qcc-V4.0.3-2004_12_22_15_27.fsb...
   -------------------------
   Backup Volume Information
   -------------------------
   Product : CounterACT
   Host-name : qcc
   Address : X.x.x.x
   Backup date : Wed Dec 22 15:27:43 IST 2004
   Restore? (yes/no) :

7. Type yes and press Enter.
   The following information is displayed:

   ************** CounterACT version X.X.X Restore **************
   >>> Installing Packages <<<
   Checking stored Packages...... done.
   >>> Configuring the System <<<
   >>> Installing Database <<<
   Creating database... done.
   Restoring... done.

   Installation log written to /tmp/CounterACT-install.log
   The Operating System will now reboot in order to complete the CounterACT restore process.


Chapter 4: Installing the Enterprise Manager

This chapter includes:
   About the Installation
   Setting Up the Enterprise Manager
   Installing the Enterprise Manager
   Post-Installation Procedures
   Gradual Upgrade
   Restoring System Settings


Chapter 4

Installing the Enterprise Manager

About the Installation


This section details the Enterprise Manager setup and configuration procedures. Numerous configuration definitions set here can later be updated through the CounterACT Console. Refer to the CounterACT Console User Manual for more information. If you are implementing a multiple CounterACT solution, setup and configure CounterACT on each Appliance and install and configure the Enterprise Manager on another Appliance.

Setting Up the Enterprise Manager


1. Remove the following items from the shipping container:
   Enterprise Manager
   Power cord
2. Connect the power cord to the power connector on the rear panel of the Enterprise Manager. See Connect the Enterprise Manager to the Network.
3. Connect the other end of the power cord to a grounded AC outlet.
4. Set up the keyboard, mouse and monitor to the Appliance or set up the Enterprise Manager for serial connection. See Serial Port Setup.
5. Power on the Enterprise Manager from the front panel.


Installing the Enterprise Manager


1. Power on the Enterprise Manager.
   The FIPS option lets you configure CounterACT to meet updated FIPS 140-2 (Federal Information Processing Standard) requirements. This option is only recommended for CounterACT deployments in the US Federal government, where FIPS is required. After this is complete, the following menu opens:

   Options:
   1) Configure X.X.X
   2) Restore saved X.X.X configuration
   3) Identify network interfaces
   4) Configure keyboard layout
   5) High Availability Setup
   6) Enable FIPS
   7) Turn machine off
   8) Reboot the machine
   Choice (1-8) : 1

2. Type 1 and press Enter.
   The following menu opens:

   >>>>>> CounterACT Initial Setup <<<<<<
   You are about to setup CounterACT. During the initial setup process you will be prompted for basic parameters used to connect this machine to the network. When this phase is complete, you will be instructed to continue the setup from the CounterACT Console.
   Continue (yes/no)? [yes]:

3. Press Enter. The following menu opens:

   >>>>>> CounterACT Component Selection <<<<<<
   Choose component to set up:
   1. CounterACT Appliance
   2. CounterACT Enterprise Manager
   Choice: 2

4. Type 2 and press Enter.
   The setup is initialized. This may take a few moments. The following menu opens:


   >>>>>> Setting Host Name <<<<<<
   Enter the Enterprise Manager host name. It is recommended to choose a unique host name.
   Host name:

5. Type a name that can be used when logging into the Console. This name also opens at the Console to help you to identify the Enterprise Manager with which you are working. The following menu opens:

   >>>>>> Enterprise Manager Administrator Password <<<<<<
   This password is used to login as 'root' to the Enterprise Manager Operating System and as 'admin' to the CounterACT Console. The password should be between 6 and 15 characters long and should contain at least one non-alphabetic character.
   Enterprise Manager Administrator Password:
   Verify password:

6. Type the password to use when logging into the Appliance and Console.
7. Retype the password. If you forget the password after completing the setup, you can create a new one from the Console. Refer to the Console Online Help. Log into the Appliance as root and log into the Console as admin. The following menus open:

   Saving password... done.

   >>>>>> Network Settings <<<<<<
   Management interface (one of: eth0, eth1, eth2, eth3, eth4, eth5, eth6, eth7, eth8): eth0
   Enterprise Manager IP address:
   Network mask [255.255.255.0]:
   Default gateway :
   DNS domain name:
   DNS server addresses:

8. Enter each parameter and press Enter. The management interface is the interface through which CounterACT components communicate. Add a VLAN ID for the interface option only if the interface used to communicate between CounterACT components is plugged into a tagged port. This DNS resolves internal IP addresses. While most internal DNS servers may resolve external addresses as well, some may not. It may be necessary to include an externally-resolving DNS server at the end of the list. Nearly all DNS queries performed by the Appliance will be for internal addresses, so the internal servers must be listed first. After you enter the last parameter, the following menu opens:


   >>>>>> Configuration Summary <<<<<<
   Host name:        q4blade
   Interface:        eth0
   IP address:       10.0.4.197
   Network mask:     255.255.255.0
   Default gateway:  10.0.4.253
   DNS server:       10.0.0.3 10.0.0.4
   Domain name:      qa.def.dom

   (T)est,(R)econfigure,(D)one : T

9. Type T and press Enter. You are prompted to perform general connectivity tests, to reconfigure settings, or to complete the setup. If any of the tests failed, you will be asked to reconfigure your network parameters.

   Checking eth0...OK. (100Mb/s Full duplex)
   Checking default gateway...OK.
   Checking DNS resolution...OK.
   Press ENTER to review configuration summary

10. Press Enter to review the configuration summary and type D.
   The following menu opens:

   Finalizing setup -: Done.
   Starting CounterACT Enterprise Manager: Done.
   >>>>>> CounterACT Initial Setup is Complete <<<<<<
   CounterACT Console will guide you through the rest of the Enterprise Manager setup.
   Use the following URL to install the CounterACT Console: http://10.0.4.228/guisetup.html
   Press ENTER to clear the screen

11. Press Enter to start working using the evaluation license, which is valid for 30 days. You must install a permanent license before this period expires. You will be contacted via e-mail regarding the expiration date. Refer to the CounterACT Console User Manual located on the CounterACT CD in the /docs folder for information about installing the license.

Post-Installation Procedures
After installing the Enterprise Manager, perform the following tasks:
- Connect the Enterprise Manager to the Network
- Integrate with a Remote Management Module 2 (RMM2)
- Upgrade to the New Version


Connect the Enterprise Manager to the Network


During the Enterprise Manager configuration, you are asked to specify the network interface. Once this parameter is determined, connect the interface cable to the associated Ethernet port on the rear panel of the Appliance.

Integrate with a Remote Management Module 2 (RMM2)

CounterACT supports Intel Remote Management Module 2 (RMM2) integration with CT1000/2000/4000 components. The Intel RMM2 is an integrated server system solution that gives you location-independent/OS-independent remote access over the LAN or Internet to CounterACT Appliances/Enterprise Managers. The RMM2 module is used to carry out KVM access, power on/off/reset and perform troubleshooting and maintenance tasks. See Integrate the Appliance with Remote Management Module 2 (RMM2) for details.

Upgrade to the New Version


The Installer program automatically identifies any earlier CounterACT versions on your system. Review the CounterACT Release Notes for important upgrade information. The Release Notes are located on your CounterACT CD ROM under the /docs folder and on the ForeScout web site. Upgrade options allow you to either maintain the configuration parameters from the previous version or define new configuration parameters.

Upgrading with the CD
1. Insert the CounterACT Installation CD ROM into its drive.
2. Log in as root.
3. Mount the CD ROM with the following command:

    mount /mnt/cdrom

4. At the prompt, run the following commands:

    cd /mnt/cdrom
    ./ca_setup

A prompt indicates that you are about to upgrade the software. These procedures are detailed in Installing an Appliance. You can maintain previous values, which appear as the default, or define new values.

Upgrading from the Console
You can also perform the software upgrade from the Console. If you upgrade from the Console, you cannot update the installation parameters. For complete procedures, refer to the Console User Guide.

Gradual Upgrade
The steps described below can be used to gradually upgrade a CounterACT deployment. A temporary Enterprise Manager (EM) is used to facilitate the gradual upgrade. During the transition period, two EMs are simultaneously active. The permanent EM will manage the appliances running the new version, while the temporary EM manages the appliances running the old version.


This may be required for large deployments where simultaneous upgrade is not desired or not allowed by the corporate IT policy.
To perform a gradual upgrade:
1. Ensure that the temporary Enterprise Manager can access the appliances by adding its IP address in: Options -> Access -> Console
2. Back up the permanent Enterprise Manager.
3. Install from CDROM the current version of CounterACT on the temporary Enterprise Manager. Do not configure it.
4. Restore the backup on the temporary Enterprise Manager. The temporary Enterprise Manager now has the same IP address and host-name as the permanent Enterprise Manager.
5. When booting the temporary Enterprise Manager for the first time after the restore, stop the boot process at the red boot screen and type: CounterACT_S (Note: there is a space between CounterACT and the S) then allow it to boot. The boot process should stop at some point prompting for commands.
6. Change the temporary Enterprise Manager IP address by using: fstool netconfig
7. Change the temporary Enterprise Manager name using: fstool netconfig -h sometemporary-name
8. Allow the boot process to complete by typing: exit
9. Connect to the temporary Enterprise Manager with the Console. You should see the appliances connected to both Enterprise Managers. Do not make any configuration changes on any of the Enterprise Managers until the next step is completed.
10. Upgrade the permanent Enterprise Manager to the new version. The appliances should show at the permanent Enterprise Manager with "version mismatch".
11. Select an appliance from the temporary Enterprise Manager and upgrade it to the new version.
12. The upgraded appliance should show OK at the permanent Enterprise Manager Console, and with "version mismatch" at the temporary Enterprise Manager Console.
13. Verify the new version works to your satisfaction.
14. Repeat the appliance upgrade step until all appliances are upgraded and show in the temporary Enterprise Manager with version mismatch.
15. Shut down the temporary Enterprise Manager.

Restoring System Settings


Back up and restore tools allow you to save your system settings and later restore them to an Appliance. Use this feature for CounterACT Appliance hard drive failures or when data on an Appliance is lost for another reason. Refer to the CounterACT Console User Manual for more information.
To restore:
1. Power on the Enterprise Manager.


When this is complete, the following menu opens:


    CounterACT boot is complete. Press Enter to continue.

2. Press Enter.

The following menu opens:

    1 Configure CounterACT-X.X.X
    2 Restore saved CounterACT X.X.X configuration
    3 Identify network interfaces
    4 Configure keyboard layout
    5 High Availability Setup
    6 Enable FIPS
    7 Turn machine off
    8 Reboot the machine

    Choice 1-8: 2

3. Type 2 and press Enter.

The following menu opens:

    Restore options:
    1) Restore from USB storage device
    2) Restore from CD-ROM
    3) Restore from floppy diskette
    4) Get shell prompt
    5) Cancel

    Choice (1-5) :

4. Select a restore option and press Enter.

The following menu opens:

    The restore process will now search for backup files in the selected media.
    Note that backup file names must have a ".fsb" extension.
    Insert the media where the backup file resides and press ENTER to continue.

5. Insert the media where the backup file resides and press Enter.

The following prompt displays all .fsb files found on the media:

    Searching for backup files in USB storage device(s)...
    Choose backup file:
    1) qcc-V4.0.3-2004_12_22_15_27.fsb
    2) Cancel
    Choice (1-2) :

6. Select an option and press Enter. The following menu opens:


    Verifying /tmp/usbmnt/qcc-V4.0.3-2004_12_22_15_27.fsb...
    ------------------------
    Backup Volume Information
    ------------------------
    Product     : CounterACT
    Host-name   : qcc
    Address     : X.x.x.x
    Backup date : Wed Dec 22 15:27:43 IST 2004
    Restore? (yes/no) :

7. Type yes and press Enter.

The following information is displayed:

    ************** CounterACT version 6.X **************
    >>> Installing Packages <<<
    Checking stored Packages...... done.
    >>> Configuring the System <<<
    >>> Installing Database <<<
    Creating database... done.
    Restoring... done.
    Installation log written to /tmp/CounterACT-install.log
    The Operating System will now reboot in order to complete the CounterACT restore process.
    Restore


Chapter 5: Installing the CounterACT Console

This chapter includes:
- About CounterACT Console Installation
- Logging In
- Using the Initial Setup Wizard at the Console
- Uninstalling Previous Versions


About CounterACT Console Installation


The CounterACT Wizard assists you in quickly installing the CounterACT Console software for both the Appliance and Enterprise Manager. When logging in, enter either the Appliance or Enterprise Manager login credentials you defined during these installations. The login detects whether to connect to the Appliance or the Enterprise Manager, based on these credentials.

Two options are available for installing the software:
- Installation CD
- Installation software built into your Appliance to install the Console

Installing from the Installation CD
To install:
1. Insert the Installation CD into the CD ROM of the PC that will run the Console software.
2. Locate and open the ManagementSetup.htm file. The CounterACT Initial Installation dialog box opens:

3. Select the download link required. The download process initiates and the Choose Install Folder dialog box opens:


4. Accept the default location or define a new location to install the Console and select Next.

The Choose Shortcut Folder dialog box opens:

5. Choose a location to create the shortcut icon and select Next.

The Pre-Installation Summary dialog box opens:


6. Review the settings you chose and select Install.

The Installing CounterACT dialog box opens and the Console installation begins:

After installation is complete, the Install Complete dialog box opens:


7. Select Done.

Installing from a Browser at your Appliance
This option is not available when upgrading.

To use the installation software built into your Appliance to install the Console:
1. Open a browser window from the PC that will run the Console.
2. Run the following command from your browser address line:

    http://IP address/install

   (where IP address is the address of your Appliance, for example http://10.0.0.95/install.) The browser displays the CounterACT software installation window.
3. Follow the on-screen instructions.

Logging In
After completing the installation, you can log into the CounterACT Console from the shortcut location you created during the installation.
1. Select the CounterACT icon from the shortcut you created.

The Login dialog box opens.


2. In the IP/Name field, type the IP address or host name of an Appliance or Enterprise Manager.
3. In the User Name field, type your user name (default - Admin).
4. In the Password field, type your password.
5. Select Login to open the Console.

The system comes with a predefined Admin user. The user password and CounterACT address are set during CounterACT installation. You can update the password using a command line utility or via the Console. Refer to the CounterACT Console User Manual for more information regarding the utility and about post login.

Using the Initial Setup Wizard at the Console


After login, the Initial Setup Wizard opens. The Wizard guides you through essential configuration steps to ensure that CounterACT is up and running quickly and efficiently.

Before selecting Next to proceed, gather the information listed below and enter it in the Value column for easy access.


| Information Required by Wizard | Value |
|---|---|
| NTP server address used by your organization (optional) | |
| Internal mail relay IP address to allow delivery of e-mail alerts if SMTP traffic is not allowed from the Appliance (optional) | |
| CounterACT administrator e-mail address | |
| Monitor and response interfaces | |
| For segments/VLANs with no DHCP, the network segment/VLANs to which the response interface is directly connected and a permanent IP address to be used by CounterACT at each such VLAN | |
| IP address range that this Appliance will monitor (all the internal addresses, including unused addresses) | |
| LDAP user account information and the LDAP server IP address | |
| Domain credentials, including domain administrative account name and password | |
| Authentication servers so CounterACT can analyze which network hosts have successfully been authenticated | |
| Switch IP Address, Vendor and SNMP Parameters | |

Uninstalling Previous Versions


To uninstall a previous Console version:
1. Use the Windows uninstall tools to perform the uninstall procedure.
2. Alternatively, choose the Uninstall CounterACT Console icon from the ForeScout program group on the Start menu.


Chapter 6: High Availability Systems

This chapter includes:
- About High Availability
- License Setup Requirements
- Pre-Installation Requirements
- Failover
- Connecting to the Network
- High Availability Software Installation
- High Availability Indicators on the Console
- Upgrading 6.0 High Availability Systems to the Latest Version
- Upgrading to High Availability from CounterACT Versions 4.x and 5.x
- Uninstalling High Availability Mode
- Restoring a Configuration
- Converting a Single Enterprise Manager/Appliance to High Availability


About High Availability


CounterACT High Availability provides you with standby support in the event of system malfunction or failure. It is implemented in clusters with two Appliances or two Enterprise Manager nodes. Redundancy is achieved by assigning an Active node to manage activities required for effective Network Access Control (NAC), and a Standby node to take over in case of Active node failure. The two nodes are synchronized by a redundant pair of interconnecting cables.

License Setup Requirements


An evaluation license is valid for your High Availability system for 30 days. You must install a permanent license before this period expires. You will be contacted via e-mail regarding the expiration date. It is recommended to use the IP address of the High Availability cluster when issuing a High Availability license. If a license is only issued to the Primary node in a High Availability cluster, the system may not operate after failover to the Secondary node.

An additional remote recovery system is also available. This tool provides a comprehensive recovery system for Enterprise Managers that have, for example, failed as a result of a natural disaster or crisis. This tool provides complete and continued management of remote Appliances after the crisis. Refer to the CounterACT Console User Manual for more information.

Pre-Installation Requirements
For pre-installation requirements, see Network Access Requirements.

Optional Switch Connectivity


Below are examples of High Availability cluster-switch connections.


Failover
The Active and Standby nodes ping each other every second for operational updates. By default, failover from the Active node to the Standby node occurs 30 seconds after the Standby node detects that the Active node is down. Between 2 and 10 minutes after Active node failure, the Standby node becomes active.

Criteria
Full High Availability mode requires that:
- Both the Active and the Standby nodes are operating
- The Standby node is synchronized with the Active node and is fully up-to-date

When full High Availability mode is in effect, the following criteria cause the Standby node to become active:

| Criterion | Description |
|---|---|
| System failure | Active node outage |
| System failure | Hardware raid array breakdown; i.e., all disks are not functioning |
| System maintenance | Active node powered off or cold boot occurred |
| Management interface failure | A management interface hardware failure on the Active node |

Node Status
The status of the Active and Standby nodes is affected by restart as follows:
- Restart Active node - In case the Active node fails, the Standby node becomes the Active node (swapping roles). After restart, the switchover remains in effect; i.e., the Active node that originally failed remains the Standby node, and the newly appointed Active node continues with that role.
- Restart Standby node - After restarting the Standby node, the Active/Standby roles do not change.
- Both nodes are restarted - Depending on which node restarts first, the nodes can remain as originally designated or assume reverse roles.

Connecting to the Network


This section shows sample wiring setups for a single switch. Dual cross cables must be connected for redundancy. CT-Remote is not supported in High Availability clusters.

CT-1000 Appliance Rear Panel


CT1000 - Sample Connections

| Interface | Cable | Interface | Cable |
|---|---|---|---|
| eth0 | Management-1 | | |
| eth2 | Monitoring-1 | eth4* | Monitoring-2* |
| eth3 | Response-1 | eth5* | Response-2* |
| eth1 | Sync-1 | eth7 | Sync-2 |

*Only for redundant switch configuration.

It is recommended to use two sync cables whenever possible. In addition, you can attach the sync>management cables to sockets on different NICs to improve handling of NIC failure with all attached sockets.

High Availability Software Installation


During the installation procedure, the nodes are referred to as First (Primary) and Secondary. These same nodes are referred to as Active (Primary) and Standby (Secondary) after installation and during operation, according to their current status. The installation/configuration procedure is performed in three main stages:
1. Set up High Availability for the Primary node.
2. Configure the Primary node.
3. Set up High Availability for the Secondary node. There is no need to configure it.

Reboot may occur during these stages. This does not indicate any type of failure or problem.

Identify Ethernet Ports


If you do not know the Ethernet port layout of either the Primary or Secondary node rear panel, follow this procedure.
To identify Ethernet ports:
1. Power on the Appliance. The following menu opens:

    Options:
    1) Configure CounterACT-X.X.X
    2) Restore saved CounterACT-X.X.X configuration
    3) Identify network interfaces
    4) Configure keyboard layout
    5) High Availability Setup
    6) Enable FIPS
    7) Turn machine off
    8) Reboot the machine
    Choice (1-8): 3

2. Type 3 and press Enter.
3. Respond to the prompts and record the layout.

Primary Appliance Setup


To perform Primary Appliance setup for High Availability:
1. Complete the identification of the interfaces or complete power on. The following menu opens:

    Options:
    1) Configure CounterACT-X.X.X
    2) Restore saved CounterACT-X.X.X configuration
    3) Identify network interfaces
    4) Configure keyboard layout
    5) High Availability Setup
    6) Enable FIPS
    7) Turn machine off
    8) Reboot the machine
    Choice (1-8): 5

2. Type 5 and press Enter. The following menu opens:

    Is this the FIRST node of the High Availability cluster? (yes/no): yes

3. Type yes and press Enter.


The following menu opens:


    Enter the cluster hostname:

Define IP information required for communication with the cluster

When you enter a cluster hostname, for example High Availability_cluster, the system will automatically assign High Availability _cluster_1 to the Primary node, and High Availability _cluster_2 to the Secondary. You can add these in the DNS server.

4. Enter the name to represent the cluster on the network.

    Enter the cluster hostname:

   Suggestion: When upgrading, use the previous hostname.

5. Select an Ethernet interface (port) for cluster management.

   Suggestion: When upgrading, use the previous Ethernet interface (port), otherwise you may lose connections in the Control screen.

    Select the Ethernet interface for the cluster management (one of: eth0, eth1, eth2, eth3)[eth0]:

6. Enter the IP address shared by both Appliances in the cluster. Communication with sources external to the cluster is via this address.

   Suggestion: When upgrading, use the previous IP address of the cluster.

    Enter the IP address of the cluster:

7. Enter the IP address of the Primary node (not to be confused with the cluster IP address).

    Enter IP address of this node:

8. Enter the IP address of the Secondary node.

    Enter the IP address of the other node:

9. Enter the IP address of the default gateway.

    Enter the IP address of the default gateway:

10. Enter the netmask size of the cluster IP address used by both Appliances.

    Enter the netmask size of the cluster IP address [24]:

Assign an Out-of-Band IP Management Interface
1. Type yes to optionally assign an Out-of-Band IP address to the device. This might be necessary if the interface you selected above does not have access to the segment containing the hosts to be managed. The additional interface is similar to the Out-of-Band interface sometimes created for non-High Availability devices (see Creating an Out-of-Band IP Management Interface).

    Assign an Out-of-Band management IP address (yes/no) [no]: yes

2. Select the Ethernet interface.


    Select the Ethernet interface for the Out-of-Band management IP address (one of: eth0, eth1, eth2, eth3)[eth1]:

3. Enter the relevant Out-of-Band management IP addresses of the cluster and both nodes.

    Enter the Out-of-Band management IP address of the cluster:

4. Enter the Out-of-Band management IP address of this node:
5. Enter the Out-of-Band management IP address of the other node:
6. Enter the netmask size of the Out-of-Band management cluster IP address.

    Enter the netmask size of the Out-of-Band management cluster IP address:

Define cluster access
7. Enter the addresses to be used for access to the cluster by external testing of the reliability of specific nodes within the cluster.

    Enter space separated IP address(es) for network keepalive (ping) tests (or none):

8. Enter the password to access the cluster and confirm it by typing it again.

    Enter the root password for the cluster:
    To verify, please enter the password again:

Define IP information for intra-cluster communication
9. Select the primary Ethernet interface for intra-cluster communication. Verify that this is not a segment used in your network.

    Select the primary Ethernet interface for the intracluster communication (one of: eth2, eth3) [eth3]:

10. Select an Ethernet port other than the one you selected for external communication. This port will be the default port for communication between the Primary and Secondary node.

    Select the secondary Ethernet interface for the intracluster communication (one of: eth2, none) [eth2]:

11. Enter the private network to be used for communication between nodes within the cluster. The same setting should be used for the Secondary node.


    Enter a private 24-bit subnet to be used by the High Availability cluster [172.17.2.0]

Define additional services
12. Enter the DNS domain name and address; you can enter multiple addresses separated by spaces. The DNS information is needed to map the host name to an IP address so the NTP server (defined in the next step) can be used to synchronize system clocks.

    Enter the DNS domain name:
    Enter the DNS server addresses:

13. Enter the name of the NTP server. If you don't have an NTP server, type none.

    Enter the NTP server name or 'none' [ntp.forescout.net]:

Define the operator e-mail
14. Enter the e-mail address to which to send reports, alerts and other CounterACT notifications.

    Enter the operator's email address:

15. Enter the mail relay address. This is an internal mail relay IP address to allow delivery of e-mail alerts if SMTP traffic is not allowed from CounterACT to the Internet.

    Enter the mail relay address or 'none':

16. Press Enter.

    Press Enter to continue
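
The addressing rules in the Primary Appliance setup steps above (distinct cluster and node addresses, a private sync subnet that is not a segment used in your network, sync ports other than the management port) can be checked before the values are typed at the prompts. The following Python check is an added example, not ForeScout code or part of the original guide; the plan field names, the sample addresses and the rule that the default gateway lies inside the cluster subnet are assumptions.

```python
import ipaddress

# Constructed sample plans. Field names are this example's own; addresses are
# documentation-range values, not taken from the guide.
GOOD_PLAN = {
    "mgmt_if": "eth0",
    "cluster_ip": "192.0.2.10",
    "node_ip": "192.0.2.11",
    "other_node_ip": "192.0.2.12",
    "gateway": "192.0.2.1",
    "netmask_size": 24,
    "sync_primary_if": "eth3",
    "sync_secondary_if": "eth2",
    "sync_subnet": "172.17.2.0",   # default offered by the setup prompt
}
BAD_PLAN = dict(
    GOOD_PLAN,
    other_node_ip="192.0.2.11",    # same address as this node
    gateway="192.0.3.1",           # outside the cluster subnet
    sync_subnet="192.0.2.0",       # collides with the management network
    sync_primary_if="eth0",        # reuses the management port
)


def validate_ha_plan(plan, used_segments=()):
    """Return a list of problems in a planned HA addressing scheme (empty = OK).

    used_segments: CIDR strings for other networks already in use on site.
    """
    problems = []

    # Management network = cluster IP plus the netmask size entered at the prompt.
    mgmt = ipaddress.ip_interface(
        f"{plan['cluster_ip']}/{plan['netmask_size']}").network

    roles = {
        "cluster": plan["cluster_ip"],
        "this node": plan["node_ip"],
        "other node": plan["other_node_ip"],
        "default gateway": plan["gateway"],
    }
    seen = {}
    for role, text in roles.items():
        addr = ipaddress.ip_address(text)
        if addr not in mgmt:
            # Assumption: the gateway must be on-link in the cluster subnet.
            problems.append(f"{role} address {addr} is outside {mgmt}")
        elif addr in (mgmt.network_address, mgmt.broadcast_address):
            problems.append(f"{role} address {addr} is not a usable host address")
        if addr in seen:
            problems.append(f"{role} and {seen[addr]} share address {addr}")
        seen.setdefault(addr, role)

    # The prompt asks for a private 24-bit subnet, entered as a network address.
    sync = ipaddress.ip_network(f"{plan['sync_subnet']}/24", strict=False)
    if str(sync.network_address) != plan["sync_subnet"]:
        problems.append(f"{plan['sync_subnet']} is not a /24 network address")
    in_use = [mgmt] + [ipaddress.ip_network(s, strict=False) for s in used_segments]
    for net in in_use:
        if sync.overlaps(net):
            problems.append(f"sync subnet {sync} overlaps in-use segment {net}")

    # Intra-cluster ports must differ from each other and from externally
    # facing ports (management, and Out-of-Band if one is assigned).
    sync_ifaces = [plan["sync_primary_if"]]
    if plan.get("sync_secondary_if", "none") != "none":
        sync_ifaces.append(plan["sync_secondary_if"])
    if len(set(sync_ifaces)) != len(sync_ifaces):
        problems.append("primary and secondary sync interfaces are the same port")
    for iface in sync_ifaces:
        if iface == plan["mgmt_if"]:
            problems.append(f"sync interface {iface} is also the management interface")
        if iface == plan.get("oob_if"):
            problems.append(f"sync interface {iface} is also the Out-of-Band interface")
    return problems


if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        issues = validate_ha_plan(plan)
        print(f"{name} plan: {'OK' if not issues else 'problems found'}")
        for issue in issues:
            print("  -", issue)
```

Pass the site's other routed networks as `used_segments` so the private sync subnet is also compared against segments beyond the management network.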

Configuring the CounterACT Appliance


After completing the preceding steps, the following menu opens:

    Options:
    1) Configure CounterACT-X.X.X Appliance
    2) Restore saved CounterACT-X.X.X configuration
    3) Identify network interfaces
    4) Configure keyboard layout
    5) High Availability Setup
    6) Enable FIPS
    7) Turn machine off
    8) Reboot the machine
    Choice (1-8): 1

1. Type 1 and press Enter.
2. Proceed as described in Installing an Appliance.


Secondary Appliance Setup


You will be required to specify the IP address and password of the Primary Appliance in order for the Secondary Appliance to be able to access the first. Before you begin setting up the Secondary Appliance, verify that the Primary Appliance is powered on, set up, and successfully configured. There is no need to configure the Secondary Appliance. When setting up the Secondary Appliance, use the same Ethernet interfaces and netmask settings used in the Primary Appliance.
Identify Ethernet Ports

If you do not know the Ethernet port layout of an Appliance rear panel, follow this procedure to identify Ethernet ports.
1. After powering on the Appliance, the following menu opens:

    Options:
    1) Configure CounterACT-X.X.X
    2) Restore saved CounterACT-X.X.X configuration
    3) Identify network interfaces
    4) Configure keyboard layout
    5) High Availability Setup
    6) Enable FIPS
    7) Turn machine off
    8) Reboot the machine
    Choice (1-8): 3

2. Type 3 and press Enter.
3. Respond to the prompts and record the layout.
4. After completing the identification of the interfaces or after power on, the following menu opens:

    Options:
    1) Configure CounterACT-X.X.X
    2) Restore saved CounterACT-X.X.X configuration
    3) Identify network interfaces
    4) Configure keyboard layout
    5) High Availability Setup
    6) Enable FIPS
    7) Turn machine off
    8) Reboot the machine
    Choice (1-8): 5

5. Type 5 and press Enter.
6. Type no and press Enter to specify Secondary node.


    Is this the FIRST node of the High Availability cluster? (yes/no): no

7. Enter the private network to be used for communication between nodes within the cluster. Use the same setting you chose for the Primary node.

    Enter a private 24-bit subnet to be used by the High Availability cluster [172.17.2.0]:

8. The default for the Ethernet port is the port defined on the Primary node for intra-cluster communication. Use this setting.

    Select the primary Ethernet interface for communication between nodes (one of: eth0, eth1, eth2, eth3, eth4, eth5, eth6, eth7) [eth7]:

9. Use the password you defined during the Primary node setup above. This is used by the Secondary node to access the Primary node.

    Enter the root password of the Primary node:

    * Setting up the Built-in Firewall *
    * Attempting to retrieve the parameters from 172.17.2.171 *
    Changing password for user root
    passwd: all authentication tokens updated successfully

A series of menus opens. One of them will be similar to the following example:

    Completed: 99.8%, Estimated time to finish: 0:03 minutes

The estimated time is used to copy relevant data from the Primary to the Secondary node. This procedure takes approximately 90 minutes for a 6GB disk. The following menu indicates that you have successfully completed the installation/configuration procedure for both nodes.

    High Availability setup completed for this node.
    Press ENTER to continue

10. Press Enter.

Moving the Network Location of a High Availability Cluster


To move the location of a High Availability cluster from one network to another:
1. Shut down the Secondary node.
2. Shut down the Primary node.
3. Relocate both Appliances and connect them as described in Connecting to the Network.
4. Restart the Primary node.
5. Run hatool ha_setup on the Primary node, making sure to use the new network settings.
6. Restart the Secondary node.
7. Run hatool ha_setup on the Secondary node. It is recommended to do this from the Linux Console since the management IP address will probably be different.
8. If the new DNS settings are different, run hatool dns_setup <new DNS> on both machines and reconfigure them.
9. If the new NTP settings are different, run hatool ntp_setup <new NTP> on both machines and reconfigure them.
10. Verify that the cluster is up and running.

Backup and Restore


The backup and restore procedure for High Availability differs from the standard backup and restore procedure. If one of the nodes crashes, the other node takes over. Follow the already known procedure of installing a new node as a Standby node (additional). To protect your system from a situation where both nodes crash, or where for some other reason you first need to back up while the High Availability cluster is operational, use the Backup and Restore feature. You will require an external storage device to restore the configuration file.

Backup as follows:
1. Connect the two Appliances with redundant cross cables.
2. Perform a backup of the system settings and copy the configuration backup files to an external storage media.

Restore as follows:
1. Uninstall CounterACT in order to go back to the base Operating System. Or, alternately, format the disk on the first Appliance and perform a clean install of the new version (V6.1.0 and higher).
2. Restore the backup configuration files from the external storage media to the Primary node.
3. Set up High Availability on the Primary node. The original High Availability values were saved along with the backup and are presented as default values, which should be accepted.
4. Set up High Availability on the Secondary node. Perform the disk format and clean install if required.
5. Connect the Appliance(s) with the switches after the configuration determines the layout of the Ethernet interfaces (ports) on the rear panel.

If you have performed the restore procedure after attempting to upgrade the two Appliances, continue the upgrade:
1. Log into the Primary node.
2. Run: hatool upgrade


High Availability Indicators on the Console


Your Console indicates the status of your High Availability cluster. These icons appear on the status bar of the Console:
- Status of High Availability Appliances connected to the Enterprise Manager
- Status of the High Availability Enterprise Manager cluster

In addition, the CounterACT Appliance panel in the Console provides information on the High Availability status of each Appliance in the enterprise. The following categories of information are available.
- N/A - No High Availability system is installed.
- Up - High Availability is installed and running. Both nodes are up and synchronized.
- High Availability not supported - The currently installed CounterACT software version does not support High Availability.
- Degraded - A hardware or software failure has occurred to degrade the status of High Availability; check the tooltip for details.
- Upgrade - CounterACT is in the process of upgrading.
- Setup - CounterACT is in the process of configuring.


Upgrading 6.0 High Availability Systems to the Latest Version


You can upgrade the Appliance and Enterprise Manager version from the Console. To see the procedure, refer to Upgrading Appliance Software in the CounterACT Console User Manual. If you run into difficulties when initially attempting to perform an upgrade, see Backup and Restore for details on how to proceed.

Upgrading to High Availability from CounterACT Versions 4.x and 5.x


This section details upgrading a pair of Appliances (or Enterprise Manager) to a High Availability cluster under CounterACT Version 6.x. The following procedure demonstrates the upgrade procedure of a High Availability cluster consisting of two Appliances:
1. An existing Appliance/Enterprise Manager installed with CounterACT Versions 4.x to 5.x, using pre-V6.x file partitioning.
2. A new Appliance/Enterprise Manager installed with CounterACT Versions 6.x and with new file partitioning.

CounterACT Versions 6.0.0 and higher introduced a new file partitioning structure on the hard disk. This requires an additional step in the procedure to convert older file partitioning structures to the new structure. Even if the existing Appliance/Enterprise Manager is running Version 6.x, it may have been upgraded from 5.x, without performing a Clean Install, meaning the file partitioning on the hard disk is of a version earlier than that of CounterACT Version 6.0.0.
Terminology This section explains the terms and procedures used in the upgrade:


File Partitioning - Versions 4.x-5.x use a different file partitioning structure than Versions 6.x. Although the CounterACT application software is updated when performing an upgrade to Version 6.x, the file partitioning on the hard disk is not upgraded to the Version 6.x structure until you perform a Clean Install of Version 6.x.
Configuration Backup - A basic backup of the configuration file does not back up the lists of connected hosts and open services currently learned by the Appliance. To also back up these hosts and services, perform an rSite backup. Because the Appliance continuously learns and maintains the rSite, it is recommended to perform this backup, although this is not mandatory. Note that the rSite backup must be restored to the same CounterACT version. For information on the procedure, refer to the CounterACT Console User Manual.
Backup - Use portable media, such as a USB storage device, to back up configuration and other data files.
Restore - For instructions on how to restore, see Restoring a Configuration.
Complete Install - Installs the operating system and CounterACT from the Installation CD, including the formatting of the hard disk. This procedure is detailed in the document Installation Guide-CounterACT-V6.x-non-app that comes on the CounterACT Installation CD.

Procedure

Optional: Before proceeding with the upgrade, back up the pre-upgrade configuration so that you can return to the prior status in case of failure. You can back up both the configuration file and the rSite.
1. Connect the two Appliances/Enterprise Manager with synchronization cables to prepare them for High Availability installation.


2. Upgrade to CounterACT V6.x
   The Appliance remains with pre-V6.x file partitioning.
3. Backup new V6.x configuration
   Backup new V6.x configuration (Backup and Restore) and optional backup of rSite, in order to restore after Clean Install (next step).
4. Perform Complete Install V6.x
   This is in order to install V6.x file partitioning.
   Status: Fully upgraded to V6.x with V6.x file partitioning, but lacking configuration.
5. Configure as High Availability Primary Node
   For the procedure, see High Availability Software Installation.
6. Restore the configuration and rSite from previous backup (in Step 3).
   For the procedure, see Restoring a Configuration.
   Status: Upgraded V6.x Appliance now as High Availability Primary node with previous configuration.
7. Install new V6.x Appliance as V6.x
   Status: Both Appliances are now with V6.x and with V6.x file partitioning.
8. Define as High Availability Secondary Node
   The Secondary node will be automatically configured according to the Primary node. See: High Availability Software Installation.

Both Appliances are now configured with CounterACT V6.x and as a High Availability cluster.

To configure as a High Availability node, see Primary Appliance Setup and Secondary Appliance Setup.


Proceed with the configuration of High Availability on the Secondary node only after the Primary node is configured for High Availability and is up and running.

You can configure the new V6.x Appliance as the Primary node instead of the V4.x-5.x Appliance. Doing this can save you time because you will be restoring the configuration backup you saved in Step 3 to the new V6.x Appliance after it is installed and defined as a Primary node, while clean-installing the V4.x-5.x Appliance.

Uninstalling High Availability Mode


Use this procedure to remove the High Availability mode from a node. Up until the last step, you can re-activate the Primary node in order to continue using High Availability mode.

Step  On Both Nodes
1. Back up the Primary configuration. If necessary, perform an rSite backup as well.
2. Clean Install the Secondary node.
3. Disconnect the High Availability cables. This effectively removes the High Availability function from the Appliances.
4. Shut down the Primary node (it can be reactivated later if necessary).
5. Restore configuration, and rSite data if previously performed, to the Secondary node.
6. Verify that the Secondary node is configured in Single mode (not High Availability) and is operating. At this stage the Secondary node is a standalone Appliance.
7. Perform a Clean Install on the Primary node and reactivate if necessary.

Restoring a Configuration
This section details how to restore an Enterprise Manager/Appliance configuration.

Installing Software and Restoring Configuration on the Primary Node


On the Primary node, install from the CounterACT CD or as follows:
1. Power on the first Appliance. The following menu opens:


   Options:
   1) Configure CounterACT-X.X.X
   2) Restore saved CounterACT-X.X.X configuration
   3) Identify network interfaces
   4) Configure keyboard layout
   5) High Availability Setup
   6) Enable FIPS
   7) Turn machine off
   8) Reboot the machine
   Choice (1-8): 5
2. Type 2 and press Enter.
3. Insert the backup external media into the USB slot.
4. Type 1 to select Restore from USB, and select the correct backup configuration file.
5. After the Appliance is up, type the command: hatool ha_setup
6. Respond with yes to the question: Is this the FIRST node of the High Availability cluster? (yes/no):
7. Configure the Primary node as High Availability. See Primary Appliance Setup for more information.
8. Connect the redundant (dual) physical cables to the management, monitor and response ports between the Appliance and the switches.

Configuring the Secondary Node


1. Power on the second Appliance. The following menu opens:
   Options:
   1) Configure CounterACT-X.X.X
   2) Restore saved CounterACT-X.X.X configuration
   3) Identify network interfaces
   4) Configure keyboard layout
   5) High Availability Setup
   6) Enable FIPS
   7) Turn machine off
   8) Reboot the machine
2. Configure the High Availability settings, as in Secondary Appliance Setup.

Converting a Single Enterprise Manager/Appliance to High Availability


This section details converting Version 6.2.0 or higher Enterprise Managers/Appliances to a High Availability system. The conversion makes the Enterprise Managers/Appliances suitable for use as Primary and Secondary nodes in a High Availability cluster.


Convert the First Enterprise Manager/Appliance
1. After powering on the first Enterprise Manager/Appliance, type the command: hatool ha_setup
2. Proceed with High Availability configuration of the Enterprise Manager/Appliance as detailed in: Identify Ethernet Ports and Primary Appliance Setup.

Convert the Secondary Enterprise Manager/Appliance
1. For an Appliance: Connect the redundant (dual) physical cables to the management, monitor and response ports between the Appliance and the switches.
   For Enterprise Manager: Connect the redundant (dual) physical cables to the management port between the Enterprise Manager and the switches.
2. Make sure the second Enterprise Manager/Appliance is installed with Version 6.2.0 or higher.
3. Configure the High Availability settings, as in Secondary Appliance Setup.


Appendix A - Site Preparation Form


This appendix lists the CounterACT site parameter requirements. Verify that you have the information required and that your site is set up appropriately. Enter your information in the Value column.
Subject / Item / Value

Communication Information
  CounterACT IP address
  Subnet Mask
  Default Gateway
  Mail-relay server address
  DNS server host name and address
  E-mail address(es) used for sending alerts regarding worm attack attempts
  VLAN ID on which the CounterACT, router and Console are located (Only required if these components must be located on a VLAN and are connected to a tagged port.)

Internal Network
  Address range(s) of protected network (It is recommended to use your enterprise's entire internal IP range)

Management
  Operating system on PC running CounterACT Console or CounterACT Enterprise Manager
  Allowed addresses for CounterACT Console or CounterACT Enterprise Manager connectivity
  Addresses of hosts allowed to control the CounterACT through SSH

Communication Equipment
  Communication equipment to which the CounterACT is connected:
    Switch with mirroring port supports traffic response
    Switch with mirroring port does not support traffic response
  Vendor and model:

Logistics
  19" Rack - Available space: How near/far is rack/shelf space from a network connection and power connection (i.e. specify cable requirements)
  Shelf Space - Available space
  Socket and cable availability:
    Standard power socket + cable
    Network socket + cable

Managed Switch SNMP Information
  Switch IP Address and Brand - Identify the IP address and brand of the switches to monitor.
  SNMP Community String Version and Type - Discuss ReadOnly and ReadWrite abilities.
  Copper or Fiber Connectivity: 10/100/1000 BaseT Copper or Fiber can be used

Contact Details
  Name
  Phone number
  E-mail address


Legal

Copyright ForeScout Technologies, 2000-2009. All rights reserved. The copyright and proprietary rights in the guide belong to ForeScout Technologies. It is strictly forbidden to copy, duplicate, sell, lend or otherwise use this guide in any way, shape or form without the prior consent of ForeScout Technologies.

This product is based on software developed by ForeScout Technologies. The products described in this document are protected by U.S. patent # 6,363,489 issued March 2002 and may be protected by other U.S. Patents and foreign patents.

Redistribution and use in source and binary forms are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials and other materials related to such distribution and use, acknowledge that the software was developed by ForeScout Technologies.

THIS SOFTWARE IS PROVIDED AS IS AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

All other trademarks used in this document are the property of their respective owners.

8/9/10 Please send comments on documentation to: documentation@forescout.com
