Trend Micro Worry-Free Business Security Standard Edition

Jun 28, 2024
is the full Windows path to the folder where the ESP Agent should be installed.

Note: The Windows user running setup.exe must have Administrative privileges on the computer and must be able to write a log file to the same folder that contains the “setup.exe” file, otherwise the installation will fail and a log file will not be created.

Embedding in a Common Build

If your organization employs a specific build image or common operating environment (COE) on a CD or image that is used to prepare new computers, you can include the ESP Agent in this build. To create the image, follow these directions:

For Windows

1. Install the ESP Agent on the computer to be imaged.
2. The ESP Agent will immediately attempt to connect to the ESP Server. If it successfully connects to the ESP Server, it will be assigned a ComputerID. This ComputerID is unique to that particular computer, so it should not be part of a common build image. The next steps will delete this ID.
3. Open the Windows services dialog and stop the ESP Agent service.
4. Open the registry to HKLM\Software\BigFix\EnterpriseClient\GlobalOptions and delete the values ComputerID, RegCount, and ReportSequenceNumber.
5. The ESP Agent is now ready to be imaged.

Note: If the ESP Agent is started again for any reason (including a system restart), it will re-register with the server and you will need to perform steps 3-4 again. The ESP Server has built-in conflict detection and resolution so if for any reason you fail to delete the ID, the ESP Server will notice that there are multiple ESP Agents with the same ComputerID and force the ESP Agent to re-register and everything will work normally. However, we do recommend you perform the steps above to avoid having a grayed-out ESP Agent (the first imaged computer) in the computer list in the ESP Console.

For Macintosh and Linux

1. Let the client register.
2. Stop the ESP Agent in the approved way, using sudo systemstarter stop BESClient.exe.
3. If they exist, remove RegCount, ReportSequenceNumber, and ComputerID from the client preferences folder: /Library/Preferences/com.bigfix.besagent.plist. (On Linux systems edit the .config file in this location).
4. Delete the __BESData folder. The default location is \Library\Application Support\BigFix\BES Client.
5. The ESP Agent is now ready to be imaged.

Note: If the ESP Agent is started again for any reason (including a system restart), it will re-register with the server and you will need to perform steps 2-4 again. On a Windows system, the data in the folder simply overwrites the old install. On Unix systems, however, the ESPData folder acts as a registry and must be deleted before imaging.

Administrator's Guide 48 © 2010 Trend Micro, Inc. Trend Micro Endpoint Security Platform

Using Email

You can send users an e-mail containing a URL and asking them to use it to install the ESP Agent when they log in to the network. This is an effective technique for Win9x computers since there are no limitations on user rights on those platforms. However, where administrative rights are enforced, this method requires users to log in with administrator privileges.

Enabling Encryption on ESP Agents

Once installed, you can set up your ESP Agents to encrypt all outgoing reports to protect data such as credit card numbers, passwords and other sensitive information.

Note: You must have encryption enabled for your ESP deployment before enabling it for your Agents. In particular, for the required option, your clients will go silent if you enable them without first setting up your deployment.

To enable encryption, follow these steps:

1. From the ESP Management Domain, open the Computer Management folder and click the Computers node.
2. Select the computer or set of computers that you want to employ encryption.
3. From the right-click context menu, select Edit Computer Settings.
4. From the Edit Settings dialog, click Add.
5. In the Add Custom Setting dialog, enter the setting name as _ESPClient_Report_Encryption (note the double underline starting the name). There are three possible values for this setting:
   • required: causes the ESP Agent to always encrypt. In the event that there is no encryption certificate available in the masthead or if the target computer (ESP Relay or Server) cannot accept encryption, the ESP Agent will not send reports.
   • optional: the ESP Agent encrypts if it is able, otherwise it sends its reports in clear-text.
   • none: No encryption will be done, even if an encryption certificate is present. This allows you to turn off encryption after you enable it.
6. Click OK to accept the value and OK again to complete the setting. You will need to enter your private key password to deploy the setting action.

Running the ESP Administration Tool

The Installer automatically creates the ESP Administration Tool (also called ESP Admin), when it installs the other components of the Console program. This program operates independently of the ESP Console and is intended for Administrative Operators only. You can find it from the Start menu: Start > All Programs > ESP Enterprise > ESP Administration Tool.

To run the program, you must first browse to the signing key (license.pvk). Note that you can also change your administrative password through this interface. Once you have selected the signing license, click OK to continue. You will need to supply your private key password to proceed.

User Management

If this is the first time you have run the program, the Administration Tool will provide you with a blank slate of users. Click Add User to include new ESP Operators. This is where you will return when you want to add, remove or edit the management rights of your users.
You can find out more about how to assign management rights in the section titled Adding New Operators and Master Operators (page 82).

Masthead Management

Click the second tab to view the Masthead Management dialog. If you don’t yet have a masthead, which is required to run the ESP Console, this dialog provides an interface to Request and subsequently Activate a new masthead. If you have an existing masthead, you can edit it to change gathering intervals and locking. For more information on managing your masthead, see the section named Editing the Masthead (page 91). You can also export your masthead, which can be useful if you want to extend your ESP network to other servers.

System Options

The third tab opens the System Options dialog. The first option sets a baseline minimum for refresh intervals. This refers to the Fixlet list refresh period specified in the Preferences dialog of the ESP Console. The default period is 15 seconds, but if you feel that your network can handle the bandwidth, you can lower this number to make the Console more responsive. Conversely, if your network is strained, you may want to increase this minimum.

This dialog also lets you set the default visibility of external sites. These are, by default, globally visible to all Console operators. To give you extra control, you can set the visibility to hidden, and then adjust them individually through the Console. You must be an administrator or a master operator to make these hidden sites become visible.

This dialog also lets you add your own logo to any content that is presented to the user through the ESP Agent. Branding can be important to reassure your users that the information has corporate approval.
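
Referring back to Enabling Encryption on ESP Agents above: the three setting values can be checked against an inventory before the setting is deployed, to see which Agents would go silent under required or fall back to clear-text under optional. This is an added example, not Trend Micro code; the Agent names and the two inventory fields are constructed for illustration.

```python
# Added example: a model of the guide's required/optional/none description,
# not product code. Agent names and inventory fields are constructed.
from dataclasses import dataclass

MODES = ("required", "optional", "none")


@dataclass(frozen=True)
class Agent:
    name: str
    cert_in_masthead: bool   # encryption certificate available in the masthead
    parent_accepts: bool     # the ESP Relay or Server it reports to accepts encryption


def report_outcome(mode, agent):
    """Return what happens to this Agent's reports under the given setting value."""
    if mode not in MODES:
        raise ValueError(f"unknown value {mode!r}; expected one of {MODES}")
    if mode == "none":
        return "cleartext"          # no encryption, even if a certificate is present
    if agent.cert_in_masthead and agent.parent_accepts:
        return "encrypted"
    # Encryption is not possible: 'required' withholds reports, 'optional' falls back.
    return "silent" if mode == "required" else "cleartext"


def preflight(mode, agents):
    """Group Agent names by outcome so gaps are visible before deployment."""
    result = {"encrypted": [], "cleartext": [], "silent": []}
    for agent in agents:
        result[report_outcome(mode, agent)].append(agent.name)
    return result


# Constructed inventory: one healthy Agent, one behind a parent that cannot
# accept encryption, one whose masthead carries no encryption certificate.
FLEET = [
    Agent("hq-ws-001", True, True),
    Agent("branch-ws-014", True, False),
    Agent("lab-ws-007", False, True),
]

if __name__ == "__main__":
    for mode in MODES:
        print(mode, preflight(mode, FLEET))
```
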

Advanced Options

The fourth tab opens the Advanced Options dialog. This dialog lists any global settings that apply to your particular ESP installation. These options are name/value pairs, and are typically supplied by your ESP Support Technician. As an example, if you are subscribed to the Power Management site, one of these options would allow you to enable the WakeOnLAN functionality.

Replication

The fifth tab opens the Replication dialog. This dialog helps you to visualize your replication servers. For more information, see the section titled Managing Replication (page 72).

Encryption

The final tab opens the Encryption dialog. This dialog allows you to generate a new encryption key or to disable encryption altogether. For more information, see the section titled Managing Agent Encryption (page 85).

Understanding Operator Rights

ESP Console users, also known as publishers or operators, can be in charge of flexibly defined groups of computers with varying degrees of freedom. As the Site Administrator, you are in charge of each operator's domain and the specific rights they have over that domain. You can manage your team of operators and administrators by using the ESP Administration Tool. This program is usually found in the start menu, under Programs > ESP Enterprise > ESP Administration Tool.

There are three basic classes of users: Site Administrators, Master Operators and ordinary (Non-Master) Operators. They each have different responsibilities and restrictions, described below.

Site Administrators

As a Site Administrator, you are the caretaker of the site-level key. This is a special key and should only be used for site-level tasks, and never for ESP Console operations. For day-to-day operations, you must create a Master Operator key.
Only use your Site Administrator key when performing top-level management tasks, including the following:

• Creating/Modifying/Deleting Users with the ESP Administration Tool.
• Setting global system options including the Minimum Refresh Interval, Default Fixlet Visibility, and the Agent UI Icon with the ESP Administration Tool.
• Editing Mastheads.
• Administering Distributed Server Architecture (DSA) configurations. This includes setting the replication rate and the linkage between Replication Servers.

Master Operators

Master Operators can perform all of the functions of ordinary operators. In addition, they can also:

• Edit the management rights settings for other operators. This allows you to divide up the computers on your network among various operators so they each see a smaller subset of client computers.
• Create new computer settings, which monitor and control ESP Agent behavior and hold various labeled values for filtering. For more information, see the article on configuring BigFix settings at the support site.
• Create or edit global retrieved properties, which are used to filter and sort computers and can be used to create reports.
• View all unmanaged assets.
• Change the ESP Agent heartbeat, to optimize ESP performance.
• Subscribe or unsubscribe from Fixlet sites.
• Create new custom Fixlet sites.
• Designate operators to be custom site owners, writers and readers.
• Globally hide or unhide Fixlet messages.
• Audit all Actions taken in the ESP Console.
• Manage External Fixlet Site subscriptions.

Operators

Ordinary operators can perform various management functions on computers under their control depending on the management rights that are delegated to them by master operators. They can:

• Deploy Actions.
• Create custom content, including Fixlet messages, Tasks, Baselines and Analyses.
  The Site Administrator can grant or revoke this right from the ESP Administration Tool.
• Change or delete computer settings, which monitor and control ESP Agent behavior and hold various labeled values that can be used for sorting and filtering.
• View unmanaged assets according to each Operator’s scope (as defined by Scan Points). The Site Administrator can grant or revoke this right from the ESP Administration Tool.
• Be custom site owners, writers, and readers if granted the privilege by Master Operators.

Operators and Analyses

Operators have various rights and restrictions when it comes to activating and deactivating analyses:

• Ordinary operators cannot deactivate an analysis activated by other operators on computers they administer.
• Master Operators cannot directly activate custom analyses authored by ordinary operators. They can, however, make a copy of an analysis and activate the copy.

This chart summarizes the privileges and abilities of both types of Console Operator:

| User Privileges | Master Operator | Operator |
|---|---|---|
| Initialize Action Site | Yes | No |
| Manage Fixlet Sites | Yes | No |
| Change ESP Agent heartbeats | Yes | No |
| Create Fixlets | Requires Custom Authoring | Requires Custom Authoring |
| Create Tasks | Requires Custom Authoring | Requires Custom Authoring |
| Create Analyses | Requires Custom Authoring | Requires Custom Authoring |
| Create Baselines | Requires Custom Authoring | Requires Custom Authoring |
| Create Groups | Yes | Manual Groups Only |
| Activate/Deactivate Analyses | All | Administered |
| Take Fixlet/Task/Baseline Action | All | Administered |
| Take Custom Action | Requires Custom Authoring | Requires Custom Authoring |
| Stop/Start Actions | All | Administered |
| Manage Administrative Rights | Yes | No |
| Manage Global Retrieved Properties | Yes | No |
| View Fixlets | All | Administered |
| View Tasks | All | Administered |
| View Analyses | All | Administered |
| View Computers | All | Administered |
| View Baselines | All | Administered |
| View Computer Groups | All | Administered |
| View Unmanaged Assets | Administered by ESP Admin | Administered by ESP Admin |
| View Actions | All | Administered |
| Make Comments | All | Administered |
| View Comments | All | Administered |
| Globally Hide/Unhide | Yes | No |
| Locally Hide/Unhide | Yes | Yes |
| Use Wizards | Requires Custom Authoring | Requires Custom Authoring |
| Remove computer from database | All | Administered |
| Create Manual Computer Groups | Yes | Yes |
| Delete Manual Computer Groups | Yes | No |
| Create Automatic Computer Groups | Yes | Requires Custom Authoring |
| Delete Automatic Computer Groups | Yes | Requires Custom Authoring and Administered |
| Create Custom Site | Yes | No |
| Modify Custom Site Owners | Yes | No |
| Modify Custom Site Readers/Writers | Yes | Site Owners |

Administered: The operator must own or have permissions
Requires Custom Authoring: Granted by the Site Administrator through ESP Admin
Administered by ESP Admin: Granted by the Site Administrator through ESP Admin

Adding ESP Console Operators

As the ESP Site Administrator, you must create accounts for each new ESP Console operator, allowing them to view the database using the ESP Console. For security purposes, a password-protected public/private key is also generated so the new operator can properly create and sign actions. To add a new operator, use the ESP Administration Tool.

1. When you install the ESP Server, the ESP Admin Tool is automatically run so you can add new operators. However, you may add operators at any time by launching Start > Programs > ESP Enterprise > ESP Administration Tool.
2. If not already displayed, browse to your site signing key (license.pvk) and select it. Click OK.
3. Click the User Management tab. Click Add User to start adding new ESP Console operators with publishing credentials. For each operator/publisher you add, you will fill out data in the Add Publisher dialog:
4. Enter the Username and Email address of the person you want to designate as a publisher, or operator.
   Start with yourself, making sure you grant yourself management rights.
5. Create a Password and retype it for confirmation. Once you hand the keys over to your operators, they can change their passwords if they wish.
6. Enter a Private Key Length from the pull-down menu, or accept the default.
7. Check the first box if you want this operator to administer management rights, making them a Master Operator. As the ESP administrator, you should check this box when you add yourself to the user list.
8. Check the second box if you want this operator to be able to create custom content such as custom Fixlet messages, Tasks and Baselines. The availability of this feature depends on the license granted you by Trend Micro, Inc.

   By default, operators only see actions and action results for actions that they have issued. This is recommended for better Console performance. However, you can also choose to have the operator see all actions and action results that were taken against computers that the operator administers.

   WARNING! Custom actions grant the user the ability to create and deploy custom actions to any computer the operator manages with just a few mouse clicks. Use good judgment when granting these rights to operators.
9. At this point, you can also grant rights to view unmanaged assets. You can grant all-or-none access, or limit users to their personal Scan Point scope. Make note of this operator and password in a safe place and then click OK.
10. A dialog will appear prompting you to choose a location in which to create a new folder that will contain the operator’s credentials. You will need to choose both the parent folder and the name for the new folder, which will default to the operator’s name. Consider using a removable disk for additional security. You will hand this folder, along with the password, to the designated ESP Console operator.
11. ESP will ask you for the Site Admin Private Key Password (this is the password you created when you first installed ESP) to authenticate you as the ESP Site Administrator. Type it in and click OK. Note that you will have opportunities later to change this password.
12. Repeat this process for each operator you wish to authorize as an ESP Console operator. These operators will then have a personal folder that acts as their key to the ESP Console. They should take care to protect the disk containing this folder, which holds the following files:
    • publisher.pvk: the private key created for each authorized operator/publisher. As with the key to the front door, the operator must understand the responsibility of caring for this file.
    • publisher.crt: the signed certificate authorizing each operator/publisher to issue actions. This file is also stored in the database.
13. Once you have granted publishing rights to all your designated ESP Console operators, click APPLY and provide your site level password again.
14. The ESP Administration Tool must propagate the action site – with the new operator information – throughout your network. Click Yes to send the updated user information to all the ESP Agents.

At any time, you can add new authorized operators by running the ESP Administration Tool again.

Notes on Operators:

• You should propagate the action site whenever you change any operator information, especially when you revoke operators.
• If two operators were created prior to ESP Version 7.0 with the same email address, their signing certificates may conflict with each other and they will not be able to use the custom site functionality until one of them is deleted and reissued. Such users will be highlighted in red in ESP Admin – clicking on repair will pop up a message box explaining the problem.
• A user’s status as Operator or Master Operator is permanently associated with the username and cannot be changed.
• To be on the safe side, Site Administrators would be wise to create users with a default password and store a backup copy of the console key files with those default passwords. Console operators who forget their password can be provided with the saved copy.

Part Three

Configuring the ESP Components

Now that the ESP components have been installed, you can configure your system for greater efficiency or to support larger or non-standard deployments. The picture below represents a large and fairly complex deployment of ESP. Study the picture to understand how the system communicates. In particular, notice that all information flows into the ESP Server in the HQ/Data Center, that there are multiple levels of ESP Relays, and that all communications flow through the relay chain back to the server.

Using ESP Relays

ESP Relays can significantly improve the performance of your ESP installation. ESP Relays are designed to lighten both upstream and downstream burdens on the ESP Server. Rather than communicating directly with an ESP Server, ESP Agents can instead be instructed to communicate with designated ESP Relays, considerably reducing both server load and client/server network traffic. ESP Relays work by:

• Relieving Downstream Traffic. The ESP Server has many duties, one of the most taxing of which is distributing files, such as patches or software packages, and Fixlet messages to the ESP Agents. ESP Relays can be set up to ease this burden, so that the ESP Server does not need to distribute the same file to every ESP Agent. Instead, the file is sent once to the ESP Relay, which in turn distributes it to the ESP Agents.
  In this model, the ESP Agent connects directly to the ESP Relay and does not need to connect to the ESP Server.
• Reducing Upstream Traffic. In the upstream direction, ESP Relays can compress and package data (including Fixlet relevance, action status and retrieved properties) from the ESP Agents for even greater efficiencies.
• Reducing Congestion on Low-Bandwidth Connections. If you have an ESP Server communicating with computers in a remote office over a slow connection, designate one of those computers as an ESP Relay. Then, instead of sending patches over the slow connection to every ESP Agent independently, the ESP Server only sends a single copy to the ESP Relay (if it needs it). That ESP Relay, in turn, distributes the file to the other computers in the remote office over its own fast LAN. This effectively removes the slow connection bottleneck for remote groups on your network.
• Reducing the Load on the ESP Server. The ESP Server has many duties including handling connections from ESP Agents and ESP Relays. At any given instant, the ESP Server is limited in how many connections it can effectively service. ESP Relays, however, can buffer multiple ESP Agents and upload the compressed results to the ESP Server. ESP Relays also distribute downloads to individual ESP Agents, further reducing the workload of the ESP Server and allowing ESP to operate faster and more efficiently.

ESP Relays are an absolute requirement for any network with slow links or more than a few thousand ESP Agents. Even with only a few hundred ESP Agents, ESP Relays are recommended: they make downloads faster by distributing the load to several computers rather than being constricted by the physical bandwidth of the ESP Server.

ESP is quite powerful; it is easy to deploy an action causing hundreds of thousands of ESP Agents to download very large files all at once. Windows XP SP2 alone is more than 200MB and it is not uncommon to distribute software packages that are gigabytes in size.
Without ESP Relays, even network pipes as fast as T1 (or faster) lines can be overwhelmed by many ESP Agents requesting large, simultaneous file downloads. Establishing the appropriate ESP Relay structure is one of the most important aspects of deploying ESP to a large network. When ESP Relays are fully deployed, an action with a large download can quickly and easily be sent out to tens of thousands of computers with minimal WAN usage.

In an effort to ease deployment burdens and reduce the total cost of ownership of ESP, the ESP Relays are designed to run on shared servers such as file/print servers, domain controllers, SMS servers, AV distribution servers, etc. As a consequence, a typical ESP installation will have less than 1% of its relays running on dedicated computers. For the most part, the ESP Relay uses minimal resources and should not have a noticeable impact on the performance of the computer running it (see the next section, ESP Relay requirements). The ESP Agents can be set to automatically find their closest ESP Relay. These features allow for significant savings in both hardware and administrative overhead.

Note: If the connection between an ESP Relay and ESP Server is unusually slow, it may be beneficial to connect the ESP Relay directly to the Internet for downloads.

More information about ESP Relay can be found by visiting the Trend Micro support site, or by talking to your Trend Micro sales engineer or support technician.

ESP Relay requirements

An ESP Relay takes over most of the download duties of the ESP Server. If several ESP Agents simultaneously request files, the ESP Relay may consume a fair amount of bandwidth to serve them up. Generally, however, the duties of the ESP Relay are not too demanding. When many actions are being deployed at once, CPU and disk usage can spike, but typically for only a short duration.
The primary resource constraint for the ESP Relay will be disk space.

The requirements for an ESP Relay computer vary widely depending on a number of factors. Here are some requirements for the ESP Relays:

• The ESP Relay must have a two-way TCP connection to its parent (which can be an ESP Server or another ESP Relay).
• The ESP Relay can be installed on an ordinary workstation, but if many ESP Agents simultaneously download files, it may slow the computer down. Also, for the ESP Relay to work properly, the computer must be powered on. That means workstations that are commonly powered off are poor choices for ESP Relays.
• Workgroup file servers, print servers, SMS servers, AntiVirus servers, domain controllers, test servers, and other server-quality computers that are always turned on are good candidates for installing an ESP Relay. ESP Relays were designed to be installed on an existing shared server to reduce the total hardware cost of deploying ESP. Most companies already have partially utilized servers in the appropriate places throughout their networks. Fortunately, should you need to purchase a new computer for the task, the ESP Relay requirements are low. An inexpensive workstation-class computer or bottom-of-the-line server should suffice.
• ESP Relays must be installed on Windows 2000, XP, Server 2003, Vista, Server 2008, 7, Server 2008 R2, Red Hat Enterprise Linux 4/5/6, or Solaris 10 computers.
• Due to the fact that older versions of Internet Explorer used outdated network libraries, the computers running the ESP Relays must have at least Internet Explorer 4.0 or above to work properly.
• More information about ESP Relay can be found at the Trend Micro support site.
• The ESP Relay cache size is configurable but is set to 1GB by default. It is recommended that you have at least 2 GB available for the ESP Relay cache to prevent hard drive bottlenecks.

Designating an ESP Relay

To set up an ESP Relay, you need to designate a Windows 2000, XP, Server 2003, Vista, Server 2008, 7, Server 2008 R2, Red Hat Enterprise Linux 4/5/6, or Solaris 10 computer that is running an ESP Agent to act as the ESP Relay. The ESP Agents on your network will detect the new Relays and automatically connect to them. To create an ESP Relay, use the ESP Console, and follow these steps:

1. In the ESP Console, click the Tasks icon in the Navigation tree to bring up a tree/list of all Tasks.
2. Find the Task with the title Install ESP Relay (it may include a version number after it). This Task will be relevant as long as there is at least one ESP Agent that meets the requirements for the ESP Relay.
3. Choose your deployment option by choosing one of the actions in the Task. You can target single or multiple computers with this action.

Automatically Discovering Relays

Once you have set up your ESP Relays, you are almost done. If they are configured to perform automatic relay selection, the ESP Agents will automatically find the relay that is the fewest hops away and point to that computer instead of the server. This is the recommended technique, since it dynamically balances your system with minimal administrative overhead. To make sure your ESP Agents are set up to automatically discover relays:

1. Start up the ESP Console and select the ESP Management Domain. From the Computer Management folder, click the Computers node to bring up a list of ESP Agents in the list panel.
2. Shift- and ctrl-click to select the set of computers you want to automatically detect ESP Relays. Press Ctrl-A to select the entire set of ESP Agents.
3. Right-click on this highlighted set and choose Edit Computer Settings from the pop-up menu.
   Depending on whether you selected one or more computers, the dialog boxes are slightly different. Typically, you will have selected all the ESP Agents in your network, so you will see the multiple-select dialog.
4. Check the box marked ESP Relay Selection Method.
5. Click the button marked Automatically Locate Best ESP Relay.
6. Click OK.

Defaulting to Automatic Relay Discovery

As you install ESP Agents, you may want them to automatically discover the closest ESP Relay by default. Here is how to set this up:

1. As described in the previous section, open the Edit Computer Settings dialog.
2. Select the Target tab.
3. Click the button labeled All computers with the property.
4. In the window below, select All Computers.
5. Select the Constraints tab.
6. Uncheck the Expires On box.
7. Click OK.

Now as new ESP Agents are installed, they will automatically find and connect to the closest ESP Relay without any further action.

Notes about Automatic Relay Discovery

The ESP Agents use a sophisticated algorithm to figure out which ESP Relay is the closest on the network. The algorithm uses small ICMP packets with varying TTLs to discover and assign the most optimal relay. If multiple optimal relays are found, the algorithm automatically balances the load. If a relay goes down, the Agents will perform an auto-failover. This represents a major improvement over manually specifying and optimizing relays. However, there are a few important notes about automatic relay selection:

• ICMP must be open between the ESP Agent and the ESP Relays. If the ESP Agent cannot send ICMP messages to the ESP Relays, it will be unable to find the optimal ESP Relay (in this case it would use the failover relay if specified or pick a random relay).
• Sometimes fewer network hops are not a good indication of higher bandwidth. In these cases, ESP Relay Auto-selection may not work properly.
  For instance, a datacenter may have an ESP Relay on the same high-speed LAN as the ESP Agents, but an ESP Relay in a remote office with a slow WAN link is fewer hops away. In a case like this, you should manually assign the ESP Agents to the appropriate optimal ESP Relays.
• ESP Relays will use the DNS name that the operating system reports. This name must be resolvable by all ESP Agents otherwise they will not find the ESP Relay. This DNS name can be overridden with an IP address or different name using a Task in the ESP Support site.
• ESP Agents can report the distance to their corresponding relays. This information is valuable and should be monitored for changes. Computers that abruptly go from one hop to five, for instance, may indicate a problem with their relays.
• More information about ESP Relays, automatic relay selection, and troubleshooting ESP Relay can be found at the Trend Micro support site.

Using Relay Affiliation

ESP Relay Affiliation is intended to provide a more sophisticated control system for automatic relay selection. The feature is very flexible and may be used in many different ways but the primary use case is to allow the ESP infrastructure to be segmented into separate logical groups. A set of ESP Agents and ESP Relays can be put into the same affiliation group such that the ESP Agents will only attempt to select the ESP Relays in their affiliation group. This feature is built on top of automatic relay selection and you should understand that process (see the previous section) prior to implementing ESP Relay Affiliation.

ESP Relay Affiliation only applies to the automatic relay selection process. The manual relay selection process (see next section) is unaffected even if computers are put into ESP Relay Affiliation groups.
Creating ESP Agent Affiliation Groups

ESP Agents are assigned to one or more Relay Affiliation groups through the ESP Agent setting:

_BESClient_Register_Affiliation_SeekList

This ESP Agent setting should be set to a semi-colon (;) delimited list of relay affiliation groups, for example:

AsiaPacific;Americas;DMZ

Creating ESP Relay and Server Affiliation Groups

ESP Relays and ESP Servers can be assigned to one or more Affiliation groups through the ESP Agent setting:

_BESRelay_Register_Affiliation_AdvertisementList

This ESP Agent setting should also be set to a semi-colon (;) delimited list of relay affiliation groups, for example:

AsiaPacific;DMZ;*

Note: ESP Relays and ESP Servers are not required to have a SeekList setting. The SeekList is only used by the ESP Agent.

ESP Relay Affiliation List Information

There are no pre-defined relay affiliation group names; you are free to pick group names that are logical to your deployment of ESP. There are some naming rules you should observe:
• Do not use special characters (including “.”) when picking names
• Group names are not case sensitive
• Leading and trailing whitespaces are ignored in comparisons

The ordering of Relay Affiliation groups is important for the ESP Agent. The asterisk (*) has a special meaning in a Relay Affiliation list: it represents the set of unaffiliated computers. Unaffiliated computers are ESP Agents or ESP Relays which do not have any relay affiliation group assignments or have the asterisk group listing. For more information on ESP Relay Affiliation, see the article at the Trend Micro support site.

Manually Selecting Relays

You may have a reason to manually specify exactly which ESP Agents should connect to which ESP Relay. You can do that too. Here is how:
1. Start up the ESP Console and select the ESP Management Domain.
From the Computer Management folder, click the Computers node to bring up a list of ESP Agents in the list panel.
2. Shift- and ctrl-click to select the set of computers you want to attach to a particular ESP Relay.
3. Right-click on this highlighted set and choose Edit Computer Settings from the pop-up menu. As with creating the relays (above), the dialog boxes are slightly different if you have selected one or multiple computers.
4. Check the box labeled Primary ESP Relay and then select a computer name from the drop-down list of available ESP Relay servers.
5. Similarly, you can assign a Secondary ESP Relay, which will be the backup whenever the Primary Relay Server is unavailable for any reason.
6. Click the OK button.

Viewing ESP Relay Selections

To see which ESP Agents are selecting which ESP Relays:
1. Start up the ESP Console and select the ESP Management Domain.
2. From the Computer Management folder, click the Computers node to bring up a list of ESP Agents.
3. Look under the Relay column in the List Panel (this column may be hidden; if so you may need to right-click on the column headings and make sure Relay is checked). The ESP Relay columns show information including the ESP Relay method, service and computer.

By default, the ESP Agents will attempt to find the closest ESP Relay (based on the fewest number of network hops) every six hours. More information on ESP Relays can be found at the Trend Micro support site.

Monitoring ESP Relay Health

ESP allows you to monitor your ESP Agent/Relay setups to ensure they are working optimally. Before deploying a large patch, you may want to check the status of your ESP Relays to guarantee a smooth rollout. Here are some suggestions for monitoring your ESP Relay deployment:
• Click on the ESP Management domain and the Analyses node and activate the ESP Relay Status analysis.
This Analysis contains a number of properties that will give you a detailed view of the ESP Relay health.
• Click on the Results tab for the analysis to monitor the Distance to ESP Relay property in the ESP Relay Status Analysis to get a sense of what is normal in your network. If your topology suddenly changes, or you notice that some of your ESP Agents are using extra hops to get to the server, it could indicate the failure of an ESP Relay.
• Try to minimize the number of ESP Agents reporting directly to the ESP Server because it is generally less efficient than using ESP Relays. You can see which computers are reporting to which ESP Relays by studying this Analysis.

Optimizing the ESP Server(s)

ESP is designed to operate efficiently, with minimal impact on network resources. However, there may be installations that stretch the recommended configurations, where there just seem to be too many ESP Agents for the allotted server power. The best solution is to properly spec your server for your environment; you may be able to modify some preferences to get better performance. Most of these optimizations involve a trade-off between throughput and responsiveness, so proceed with caution. Your Trend Micro support technician has more information about which modifications might be best for your particular deployment. Here are some possible optimization techniques:
• Deploy ESP Relays to reduce the load on the server. This is by far the most effective way to increase the performance and responsiveness of ESP. Generally, the more ESP Relays, the better the performance (as a rule of thumb, one ESP Relay for 500-1000 ESP Agents is a good choice, although it can be much higher for a dedicated computer).
• Slow down the ESP Agent heartbeat from File > Preferences. This decreases the frequency of messages that are regularly dispatched by the ESP Agents to update their retrieved properties.
Reducing this frequency will reduce the amount of network traffic generated, but also decreases the timeliness of the retrieved properties. However, regardless of the heartbeat settings, the ESP Agents always send up their latest information whenever they receive a refresh ping from the ESP Server or when they notice that a Fixlet is relevant.
• Slow down the Fixlet List Refresh rate from File > Preferences. This decreases the update frequency for the information displayed in the ESP Console. If there are many ESP Agents or Consoles simultaneously connected or the database is very large, reducing this frequency can substantially reduce the load on the ESP Server. If multiple ESP Console operators are going to be simultaneously using the ESP Console, you should set the refresh rate to be something higher than the default (15 seconds) to reduce the load on the ESP database. Consider changing it to 60-120 seconds or more if there are many ESP Console operators. The ESP Admin tool on the ESP Server will allow you to set a global minimum refresh rate.
• Your database administrator may be able to help you with the following optimizations:
   • Change the SQL Server Recovery Model for the BFEnterprise database to Simple rather than Full, which is the default.
   • Reduce the percentage of memory allocated to SQL Server from 100% to 85%, to ensure that the web server and operating system are not starved for memory.
• More performance recommendations can be found at the Trend Micro support site.

Optimizing the ESP Console(s)

To be responsive, the ESP Console requires reasonable CPU power, memory and cache space. If you have an ESP Console that is taking a long time to load or that is performing sluggishly, there are several techniques you can use to speed it up:
• Make sure you have sufficient memory.
The ESP Console benefits greatly from capacious memory to speed up the viewing, filtering and sorting of content (Fixlet messages, Tasks, Actions, etc.). If your computer does not have enough physical memory, the ESP Console will run noticeably slower. You can check memory usage from the Task Manager (Ctrl-Shift-ESC). Select the Performance tab and refer to the Physical Memory section. If the available memory is less than 10% of the total memory, you are running low on RAM and can benefit from adding more.
• Use high-speed network connections between your ESP Consoles and Servers, preferably with LAN connections of at least 100 MBPS. The ESP Database can be sizeable for a large network, so running the ESP Console from a computer with a slow connection will often result in very long load times.
• Use remote control software. With so much data to load and display, operating the ESP Console in a remote office over a slow link can be tedious. In situations like this, you may be able to benefit from solutions such as Citrix, Terminal Services or other remote control software. Set up the remote control server on a computer with fast access to the ESP Server. Allow that machine to present instances of the ESP Console and let the branch office run these Consoles remotely. The database stays in the main office, and the remote office enjoys optimal performance. For more information, see the section on Remote Citrix / Terminal Services Configuration (page 109).
• Delete old actions. The ESP database stores information about old actions which the ESP Console loads in at startup and saves out at shutdown. If you do not need to track these old actions, you can delete them, allowing the ESP Console to load and close faster. Note that deleted actions continue to exist in the database, but are simply not loaded into the ESP Console or Web Reports and can be undeleted if necessary.
• More information about enhancing the performance of ESP is available at the Trend Micro support site.

Managing Replication (DSA)

Replication servers are simple to set up and require minimal maintenance. You may wish to tweak the interval or allocate your ESP Servers differently. Most of these changes are done through the ESP Administration Tool. Here you can see the current settings for your ESP Servers and make the appropriate changes.

Change the Replication Interval

1. Start up the ESP Administration Tool.
2. Select the Replication tab.
3. Select the desired server from the drop-down menu. Using longer replication intervals will mean that the servers will need to replicate data less often, but they will have more data to transfer each time. Note that replication intervals can be different for “replicating from” and “replicating to” a server.
4. Select the desired replication interval from the menu at the right.
5. Click OK.

Switching the Master Server

By default, server 0 (zero) is the master server. ESP Administration will only allow you to perform certain administrative tasks (such as creating and deleting users) when you are connected to the master server. If you wish to switch the master to another server, you must set the deployment option masterDatabaseServerID to the desired ID. Here is how:
1. Start up the ESP Administration Tool.
2. Select the Advanced Options tab and click the Add button.
3. Type masterDatabaseServerID as the name, and then enter the desired ID as the value.
4. Click OK.

Once that value has successfully replicated to the new server, it will become the master server. If a server suffers a failure while it is the master, another server will need to be made the master server by direct manipulation of the ADMINFIELDS table in the database.
The details of this are beyond the scope of this guide, but broadly speaking, you might use a tool like SQL Enterprise Manager to view and alter the ADMINFIELDS table. Set the variable name masterDatabaseServerID to the desired value.

Uninstalling a Replication Server

To uninstall a replication server, you will have to call the database-stored procedure delete_replication_server, which removes the specified ID from the replication set. Be careful not to delete the wrong server, or you may lock yourself out. The details of this procedure are beyond the scope of this guide, but basically you must log into the database with SQL Server Management Studio. You can call the procedure with something like:

dbo.delete_replication_server( 1 )

This would delete the ESP Server with ID=1. The steps involved in completely deleting the server are beyond the scope of this guide, but the full procedure is available in a KB article at the Trend Micro support site.

Managing Bandwidth

File downloads consume the bulk of the bandwidth in a typical ESP Installation. You can control this bandwidth by throttling, which limits the number of bytes per second. You can specify the bandwidth throttling on either the ESP Server or on the ESP Agent or on both (in which case the lower of the two values is used). This can be important whenever you have bandwidth issues, as in the following situations:
• A remote office with a thin channel
• Remote dial-in users or users on a slow connection
• A shared channel with higher-priority applications
• A WAN or LAN that is already saturated or has stringent load requirements

Bandwidth throttling settings (and other ESP Relay, ESP Server, and ESP Agent settings) can be set using the Tasks from the ESP Support site. Select the ESP Management domain and select the ESP Component Management node in the Navigation tree to see the entire task list.
For more information about ESP Relay, please visit the Trend Micro support site.

Dynamic Throttling

When a large download becomes available, each link in your ESP deployment may have unique bandwidth issues. There are server-to-client, server-to-relay and relay-to-client links to consider, and each may require individual adjustment. As explained in the previous section, it is possible to simply set a maximum value (throttle) for the data rates, and for this there are broad-based policies you can follow. You might, for instance, throttle an ESP Agent to 2Kb/s if it is more than three hops from an ESP Relay. However, the optimal data rates can vary significantly, depending on the current hierarchy and the network environment.

A better technique is to use dynamic bandwidth throttling, which monitors and analyzes overall network capacity. Whereas normal throttling simply specifies a maximum data rate, dynamic throttling adds a “busy time” percentage. This is the fraction of the bandwidth that you want to allocate when the network is busy. For instance, you could specify that ESP downloads should not use any more than 10% of the available bandwidth whenever ESP detects existing network traffic. Dynamic throttling also provides for a minimum data rate, in the case the busy percentage is too low to be practical.

When you enable dynamic throttling for any given link, ESP monitors and analyzes the existing data throughput to establish an appropriate data rate. If there is no competing traffic, the throughput is set to the maximum rate. In the case of existing traffic, ESP will throttle the data rate to the specified percentage or the minimum rate, whichever is higher. You control dynamic bandwidth throttling with computer settings. There are four basic settings for each link:
• DynamicThrottleEnabled: This setting defaults to zero (disabled).
Any other value enables dynamic throttling for the given link.
• DynamicThrottleMax: This setting usually defaults to the maximum unsigned integer value, which indicates full throttle. Depending on the link, this value sets the maximum data rate in bits or kilobits per second.
• DynamicThrottleMin: This setting defaults to zero. Depending on the link, this value sets the minimum data rate in bits or kilobits per second. This value places a lower limit on the percentage rate given below.
• DynamicThrottlePercentage: This setting defaults to 100%, which has the same effect as normal (non-dynamic) throttling. It represents the fraction of the maximum bandwidth you wish to use when the network is busy. It typically has a value between five and ten percent, to prevent it from dominating existing network traffic. (A zero for this setting is the same as 100%.)

As with any other setting, you can create or edit the dynamic bandwidth settings by right-clicking on an item (or group of items) in any computer list and choosing Edit Computer Settings from the context menu.

The specific variable names include the ESP Server/Relay settings:

_BESRelay_HTTPServer_DynamicThrottleEnabled
_BESRelay_HTTPServer_DynamicThrottleMaxKBPS
_BESRelay_HTTPServer_DynamicThrottleMinKBPS
_BESRelay_HTTPServer_DynamicThrottlePercentage

The ESP Agent settings:

_BESClient_Download_DynamicThrottleEnabled
_BESClient_Download_DynamicThrottleMaxBytesPerSecond
_BESClient_Download_DynamicThrottleMinBytesPerSecond
_BESClient_Download_DynamicThrottlePercentage

The ESP Gathering settings:

_BESGather_Download_DynamicThrottleEnabled
_BESGather_Download_DynamicThrottleMaxBytesPerSecond
_BESGather_Download_DynamicThrottleMinBytesPerSecond
_BESGather_Download_DynamicThrottlePercentage

Note: For any of these settings to take effect, you must restart the affected services (ESP Server, Relay or Agent).
If you set an ESP Server and its connected ESP Agent to differing maximums or minimums, the connection will choose the smaller value of the two.

Creating Agent Dashboards

You can create custom Agent Dashboards, similar to those in the ESP Console. Dashboards are HTML files with embedded Relevance clauses that can analyze the local computer and print out the current results. ESP Agents with a dashboard have an extra tab to display the resulting report.

To create an Agent Dashboard, you must create a new folder named __UISupport (note the leading underlines) in the __BESData folder. This is a subfolder of the BES Client folder, so the final pathname looks like:

Program Files/BigFix Enterprise/BES Client/__BESData/__UISupport

Place the Dashboard file (named _dashboard.html) and any accompanying graphics files into this folder. The next time the Agent starts up, it will incorporate these files into its interface, adding to the Dashboard tab. When the user clicks on this tab, the Dashboard will calculate the latest values of each Relevance clause and display them.

The Relevance statements are embedded in the HTML inside special tags with the form:

For instance, to find and print the time, use the following:

When the ESP Agent displays the page containing this statement, the ESP Agent evaluates the Relevance clause “now” and substitutes the value for the tag. The following sample HTML prints out the word “Date:” and then the current date and time:

Date:

To allow the user to refresh the Relevance evaluation, add this line to the file:

Date:
Refresh

This link, labeled Refresh, causes the page to reload. When it does, it reevaluates the relevance clauses. It is easy to see how you would add other Relevance expressions to this page.
For instance, to print out the OS and the computer name, add these two lines:

Date:
Operating System:
Computer Name:
Refresh

You can use style sheets to format the output. You can even use the default style-sheet, offer.css for some preset formatting. Here is an example of a Dashboard with a title, a header, a refresh link and a section of retrieved property values:

BigFix Dashboard Example
(Last updated: )
Computer Information
OS:
RAM: MB
DNS Name:
For the offer.css to work correctly the following graphics files should be copied to the __UISupport directory from the ESP Agent directory:

bodyBg.jpg
bodyHeaderBg.jpg
bullet.gif
sectionHeaderBG.gif

When executed from the ESP Agent, this dashboard will produce the following output:

To learn more about Relevance expressions, see the BigFix Relevance Language Reference.

Geographically Locating ESP Agents

Since the ESP Agents are often deployed in remote offices, it is useful to create a property that lets the ESP Agents report their own location. You can create a location property in ESP using the Location Property Wizard.
1. In the ESP Console, go to the ESP Management domain, click on the Computer Management folder node, and then click on the Location Property Wizard node. A wizard document will open.
2. The wizard creates a named property allowing the ESP Agents to identify themselves based on their subnet, IP range, or other information. Read the instructions in the wizard to create the property.

Viewing Reports over the Web

The ESP Web Reports component of the ESP Server can monitor, print or analyze the status of the local database. It also has the ability to read the databases of other ESP Servers and include their data. That offers the administrator a top-level view of a large or far-flung enterprise with multiple database servers and hundreds of thousands of managed computers. ESP Web Reports can be viewed at any time from Start > Programs > ESP Enterprise > ESP Web Reports or from the ESP Console under Tools > View Web Reports.

Aggregating Multiple ESP Servers into One Web Reports Server

Any ESP Web Report server can be set up to include data from any other ESP Server.
In order to do so, the program must be able to connect to the other databases using ODBC communications over TCP/IP (i.e., the computers must be on the same LAN or connected by VPN, etc.). To set up the ESP Web Reports using a SQL Server authenticated account, perform the following steps:
1. From the ESP Console, open the ESP Web Reports page under Tools > View Web Reports.
2. Log into the ESP Web Reports as an administrator.
3. Click on Administration, then Database Settings, and then click on the Add New Database link.
4. Enter a Server Name that will identify this database. If connecting through a DSN (Data Source Name), enter the DSN name. If connecting through an IP address, select Use a default DSN-less connection and type in the IP address of the ESP Server you wish to include (e.g., 192.168.100.123 or besserver1.acme.com).
5. There are two ways to provide authentication for your database. The first option is Windows Authentication, which is convenient if you have access to the Microsoft SQL Server Enterprise Manager and the servers are in the same domain.
6. Alternatively, you can choose the option labeled Use Username and Password to login. With this option, you need to enter the Username and Password of a user with access to the desired database. You can use your ESP Console username and password, or you can use the Microsoft SQL Server Enterprise Manager to create a new user who has total access to the AggregatedBy table and read access to all other tables in the BFEnterprise database.
7. Confirm or edit the Web Reports Server URL, which will be inserted into this database as an identifier.

Logging Web Reports

You can keep track of your Web Reports usage by setting up a log file. The name of the log file is stored in the registry. Here is how to set or access the name:
8.
Run Regedit and find the HKey Local Machine\Software\BigFix\Enterprise Server\BESReports key. You will see some variables and pathnames used by Web Reports. You need to add two values to this key; one for the logging flag, and one for the filename.
1. Create a new DWORD value named LogOn and set it to 1 to turn on logging.
2. Create a new string value named LogPath and set it to the full pathname of your desired log file, e.g. "C:\fullpath\file.txt".

The next time you launch Web Reports, a log of the session will be saved to the specified file.

HTTPS Configuration

To provide more security to Web Reports, you can use HTTPS instead of HTTP to make your browser connection. To use HTTPS, you must have a proper SSL certificate. The SSL certificate should be in standard OpenSSL PKCS7 (.pem) file format. If the certificate meets all of the trust requirements of the connecting browser, then the browser will connect without any interventions by the user. If the certificate does not meet the trust requirements of the browser, then the user will be prompted with a dialog asking if it is OK to proceed with the connection, and provided with access to information about the certificate. Typically, a trusted certificate is one which is signed by a trusted authority (e.g., Verisign), contains the correct host name, and is not expired.

The .pem file is your SSL certificate, which you must obtain through your favorite CA. If you don't require authentication back to a trusted root, you can also generate a self-signed certificate with the OpenSSL utilities (see the Trend Micro support site for more information).

Once you have a certificate, place it on the computer running web reports (usually the ESP Server) and follow these directions:
1.
Run regedit and locate

HKEY_LOCAL_MACHINE\Software\BigFix\EnterpriseClient\Settings\Client

You need to add or modify three subkeys; one for the HTTPS flag, one for the location of the SSL certificate, and one for the HTTPS port number. For x64 systems, the key will be here:

HKEY_LOCAL_MACHINE\Software\Wow6432Node\BigFix\EnterpriseClient\Settings\Client

2. Create a new sub-key of Client called _WebReports_HTTPServer_UseSSLFlag (it may already exist).
3. Create a new string value (reg_sz) for the key _WebReports_HTTPServer_UseSSLFlag called value and set it to 1 to enable HTTPS.
4. Create a new sub-key of Client called _WebReports_HTTPServer_SSLCertificateFilePath (it may already exist).
5. Create a new string value (reg_sz) for the key _WebReports_HTTPServer_SSLCertificateFilePath called value and set it to the full path name of the SSL certificate (cert.pem).
6. Create a new sub-key of Client called _WebReports_HTTPServer_PortNumber (it may already exist).
7. Create a new string value (reg_sz) for the key _WebReports_HTTPServer_PortNumber called value and set it to the port number you would like to use (typically 443).
8. Update the Web Reports URL to use https:// instead of http:// and Port 443 instead of Port 80. You can do this by editing the URL string within Web Reports. To do this, from the Overview page select the Databases link. Then select the Edit Database link under the appropriate database. Then you can modify the entry for Web Reports URL.
9. Restart the ESPWebReports Service.

Part Four
Managing and Maintaining ESP

Now that you have installed the ESP components and customized the configuration to suit your own needs, this section explains how to maintain and manage your ESP installation.

Adding New Operators and Master Operators

There are two classes of operator for the ESP Console: Ordinary Operators and Master Operators.
• Ordinary Operators manage a subset of the ESP Agents based on their management rights and have restricted privileges to administer ESP functions.
• Master Operators have the ability to manage all the ESP Agents and can also assign management rights to other operators.

The Site Administrator has the most important primary key (license.pvk), and can do anything a Master Operator can. However, it is bad practice to use your site key for ordinary operations. Instead, create a Master Operator account and use that key (publisher.pvk) exclusively for Console operations.

To add new Operators and Master Operators to the ESP system, simply repeat the steps outlined in Adding New Operators and Master Operators (page 82).

Assigning Management Rights

In a typical ESP deployment, there will be anywhere from a couple hundred to a couple hundred thousand computers reporting to a single ESP Server. At these scales, it is often important to separate out which computers can be controlled by different ESP Console operators for organizational and security reasons. ESP allows you to break down management rights into separate sections based upon geography, department, computer type (servers vs. workstations), or any other property. Each ESP Console operator can be assigned management rights to the appropriate computers.

All of this is done by assigning computers to operators based on computer properties. For instance, you could allow a member of a server team to control all computers that have server-based operating systems in the company datacenter. First specify which subnets are in the datacenter, then any computer in that subnet with a server OS will be managed by the given operator.

Using this approach, the operators can see a subset of computers and will not be able to see information or change anything on computers that they do not manage. When they view the ESP Console or ESP Web Reports, it appears to them that they have their own ESP Server with no other computers.
Because different operators can be assigned to overlapping groups of computers, any kind of configuration is possible. ESP Console operators only receive information from their assigned computers, improving manageability and responsiveness.

Here is how to Add or Delete management rights:
1. Log in to the ESP Console as a Master Operator.
2. Click on the ESP Management domain and click on the Operators node (if this choice is not available, you may not have the proper authorization to perform this command). You will see a list of ESP Console operators.
3. Right-click on a single operator from the list and select Assign User Management Rights from the pop-up menu.
4. If user rights have already been set for this user, you will see them here. Click the Add button to assign management rights to the selected operator. (You can also revoke specific management rights using this dialog box by clicking on the Delete button.)
5. Use the filter panel on the left to narrow down the computers you want to assign to this operator. By shift- or ctrl-clicking on items in the Retrieved Properties or Group folders, you can specify a set of computers that share common properties or settings. As new computers are added to the network, they will automatically be classified by their retrieved properties or group, and the proper ESP Console operators will automatically be assigned to manage them.
   Note: If you grant a user access to computers with a specific retrieved property value and the property value changes, then the user will no longer have access to those computers. For instance, if you assign a user permissions on a certain subnet and a laptop moves to a different location with a different subnet, the user will no longer be able to administer the laptop unless it comes back to the original office.
6. Click the OK button.
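The effect described in the note to step 5 can be checked before it surprises an operator. The following added Python example (not part of ESP) compares two snapshots of retrieved properties and reports which operators lose or gain a computer. It assumes that every condition in a grant must match and that an operator manages a computer if any one of their grants matches; all operator names, computer names and property values are constructed.

```python
"""Model of property-based management rights (added example, not product code)."""

# Constructed grants: (operator, {property name: allowed values}).
# Assumption: all conditions in one grant must hold for it to match.
GRANTS = [
    ("server-team", {"subnet": {"10.20.0.0/24", "10.20.1.0/24"}, "os_class": {"server"}}),
    ("dc-patching", {"os_class": {"server"}}),
    ("helpdesk-nyc", {"subnet": {"192.168.10.0/24"}}),
]


def grant_matches(conditions, props):
    """True when the computer reports an allowed value for every listed property."""
    return all(props.get(name) in allowed for name, allowed in conditions.items())


def operators_for(props, grants=GRANTS):
    """Ordinary operators whose grants cover a computer with these properties."""
    return sorted({op for op, cond in grants if grant_matches(cond, props)})


def visible_to(operator, computers, grants=GRANTS):
    """Computers an operator can see, given a {name: properties} snapshot."""
    return sorted(
        name for name, props in computers.items()
        if operator in operators_for(props, grants)
    )


def rights_drift(before, after, grants=GRANTS):
    """Report computers whose set of managing operators changed between snapshots."""
    drift = {}
    for name, props in after.items():
        old = set(operators_for(before.get(name, {}), grants))
        new = set(operators_for(props, grants))
        if old != new:
            drift[name] = {
                "lost": sorted(old - new),
                "gained": sorted(new - old),
                # No ordinary operator left: only Master Operators reach it.
                "unmanaged": not new,
            }
    return drift


# Constructed snapshots of retrieved properties.
BEFORE = {
    "db-01": {"subnet": "10.20.0.0/24", "os_class": "server"},
    "file-02": {"subnet": "192.168.10.0/24", "os_class": "server"},
    "lt-sales-07": {"subnet": "192.168.10.0/24", "os_class": "workstation"},
}
# The laptop moves to another office and reports a different subnet.
AFTER = dict(BEFORE)
AFTER["lt-sales-07"] = {"subnet": "172.16.5.0/24", "os_class": "workstation"}

if __name__ == "__main__":
    print("db-01 operators:", operators_for(BEFORE["db-01"]))
    print("helpdesk-nyc sees:", visible_to("helpdesk-nyc", AFTER))
    print("drift:", rights_drift(BEFORE, AFTER))
```
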
Changing a Publisher Password

Any console operator can change their publisher credential password from the ESP Console:
1. Select Manage Signing Keys from the Tools menu.
2. Click the Change Password button at the bottom of the dialog.
3. Type in your old password to authenticate yourself, then enter your new password and confirmation.

Note that the publisher password and database passwords are normally created as the same password, but they can be different if desired.

Changing an ESP Database Password

You can change your database password from the ESP Console.
1. Select Change Database Password from the File menu (you must have the proper permissions to select this item).
2. Type in your old password to authenticate yourself, and then enter your new password and confirmation.

Note that the publisher password and database passwords are normally created as the same password, but they can be different if desired.

Removing an ESP Console Operator

When an employee leaves, you will want to delete their access rights to the ESP database. This is done with the ESP Administration Tool:
1. Launch the program by selecting Start > Programs > ESP Enterprise > ESP Administration Tool.
2. Select a user from the list, and click Remove User.
3. When you have deleted the desired operator, click OK. This will remove that operator's privileges from the database, stop all of the user’s pending actions and notify the ESP Agents that the private keys from that user are no longer valid.
4. You will be prompted to propagate the action site masthead to reflect the user changes. Click Yes to continue.
5. Enter your private key password and click OK.

Using NT Authentication

By default, ESP Consoles create an ODBC connection to the SQL database, and the DSN is set to use SQL authentication. You can change this DSN to use NT authentication through the Windows ODBC Data Source Administrator.
Doing so will cause the ESP Console to ask the current Windows user to authenticate with the SQL Server. For more information, see the article on NT authentication at the Trend Micro support site.

Managing Agent Encryption

Server and Relay-bound communications from ESP Agents can be encrypted to prevent unauthorized access to sensitive information. To enable it, you must generate a key and provide a setting value. The setting is accomplished in the ESP Console and is described elsewhere in the section labeled Enabling Encryption on ESP Agents. The key is generated from the Encryption tab of the ESP Administration Tool:

1. Launch the ESP Administration Tool by selecting Start > Programs > ESP Enterprise > ESP Administration Tool.
2. Select the Encryption tab. At the top of the dialog is a statement of the current state (in this example: Report encryption is currently DISABLED).

ESP Agent encryption has four states, Disabled, Pending, Enabled and Pending Rotation:

• Disabled: This state indicates that no encryption certificate is included in your deployment masthead, which means that Agents cannot encrypt their reports even if they are told to do so. Click on Generate Key to create an encryption certificate (and the corresponding private key which can be used to decrypt reports at the receiving end). This will cause you to enter the Pending state.
• Pending: In this state, an encryption certificate has been generated and is ready for deployment, but the private key has not yet been distributed to all necessary decrypting relays and servers. Once you have manually distributed the private key, click on the Enable Encryption button to embed the certificate in the masthead and send it out to all clients. At that point, you will enter the Enabled state. You can also click Cancel to return to the Disabled state.
• Enabled: In this state, an encryption certificate has been found in your deployment masthead, which means that you are able to turn on encryption (using the setting discussed previously) for any of the Agents in your deployment. At any time, you can click on Generate new key to create a new encryption certificate. This is useful if you have a key rotation policy or if your encryption key is ever compromised (see next section). Generating a new key returns you to the Pending state (unless you elect to deploy immediately as described in the next section). You can also click Disable to move back to the Disabled state.
• Pending Rotation: In this state, an encryption certificate is included in your deployment masthead, and a new certificate has been generated and is ready to replace the existing certificate.

Generating a New Encryption Key

Should your private key be compromised or if you have a policy of rotating keys, you can easily generate a new key from the ESP Administration Tool. Here is how:

1. Launch the ESP Administration Tool by selecting Start > Programs > ESP Enterprise > ESP Administration Tool.
2. Select the Encryption tab.
3. Click the Generate key button. The Create Encryption Credentials dialog opens.
4. From this dialog, select the key size. The default is 2048, which is adequate for most purposes. Check the box to use this key immediately. However, if you have established ESP Relays that use encryption, you should leave this box unchecked until you can distribute the new key to those Relays.
5. Click OK to distribute this new key to your ESP Agents. You must provide your Site Admin Private Key to propagate the Action. A final dialog will ask for confirmation.
For more information on encryption key sizes and server requirements, see the knowledge-base article on server requirements at the Trend Micro support site.

Creating Top-level Decrypting ESP Relays

When an Action is deployed, thousands of ESP Agents may report back in a short time-frame, typically to an ESP Relay. If you have elected to encrypt these reports, the Relay will bundle the reports together and pass them up to the ESP Server, which must then split up and decrypt each one of them. With many thousands of ESP Agents, this can impose a significant computational burden on the ESP Server.

To improve performance, you can lighten the load on your ESP Server by allowing your top-level ESP Relays to do the bulk of the decryption. If you have over 50,000 ESP Agents, you may be able to substantially reduce the load on your ESP Server by moving decryption down into the relay chain. If the ESP Relay has its own decryption key, it can first decrypt the Agent messages into plain text and then bundle thousands of them into a single archive. This can then be compressed, encrypted and passed up to the ESP Server. At that point, the server can perform a single decryption on the entire archive, noticeably reducing its overhead.

To spread the decryption duties, you simply need to distribute your encryption keys to your top-level ESP Relays. For normal server-level encryption, ESP creates an encryption key for you and places it in the ESP program folder:

    C:\Program Files\BigFix Enterprise\BES Server\Encryption Keys

To allocate the load to your top-level ESP Relays, place the encryption key in the equivalent ESP Relay directory:

    C:\Program Files\BigFix Enterprise\BES Relay\Encryption Keys

These top-level ESP Relays will decrypt all the documents received, bundle them together and then re-sign them with a single signature.
You can put as many keys as you want in the folder and the ESP Relay will attempt to use each of them when it gets an encrypted Agent report. Agents encrypt against the key found in the masthead file, which should be the last key created. However, it is possible that an ESP Agent will transmit a report with an older version of the masthead (and thus a different encryption key) if it hasn’t gathered the latest Action site for any reason.

There are a few considerations:

• You must manually transfer the key file from the server to the relay every time you create a new encryption key.
• During the transfer process, it is important not to expose your private key file. This means you shouldn’t just move the key over the internet because anyone listening might be able to make a copy of your private key file. Therefore it is best to physically transfer the key from one computer to another, for instance with a USB key.
• During the encryption key creation process, you have the option to create the private key file but not propagate it out in the masthead. This step allows you time to transfer the new key file to the ESP Relays before Agents start posting encryption messages with that key.

Managing Downloads

ESP uses several methods to ensure that downloads are efficient and make the best use of available bandwidth. Among other techniques, caching is used extensively by all the ESP elements, including Servers, Relays and Agents.

When an Action on an ESP Agent needs to download a file, the local cache is checked first. If the Agent can’t find it locally, it requests the file from its parent, typically an ESP Relay. When the file is requested, the Relay checks its own cache. If it finds the file, it immediately sends it down to the requesting Agent. Otherwise, it passes the request up to its parent, which may be another ESP Relay and the process continues.
Ultimately, an ESP Server retrieves the file from an internal server or the Internet, caches it and then passes it back down the chain. After receiving the file, each Relay in the chain caches it, and continues to forward it down to the original ESP Agent, which also caches it.

Each cache retains the file until it runs out of room. At that point, the cache is purged of the least-recently used (LRU) files to provide more space. You can view the ESP Relay cache size and other ESP Relay information by activating the ESP Relay Cache Information Analysis available from the ESP Support Fixlet site. The default cache size is 1 GB, but it can be changed by using the ESP Relay/ESP Server Setting: Download Cache Size Task, also from the ESP Support Fixlet site.

There may be situations that require files to be manually downloaded and cached, typically because such files are not publicly available, in which case you must download the files directly from the source. You can pre-populate the download cache by copying files to the download cache location. You can also clear these files out manually if you wish.

The caches are stored as subfolders of the BigFix Enterprise folder, which is created by default at C:\Program Files\BigFix Enterprise. The Server download cache is BES Server\wwwrootbes\bfmirror\downloads\sha1, and the Agent download cache is found at BES Client\__BESData\__Global\__Cache\Downloads. For security purposes, each file you save must be named with the sha1 hash value of the file. If the filename doesn’t match the sha1, the file will be ignored.

As well as the download cache, ESP Relays maintain an Action cache (also 1 GB) holding all the files needed for each Action, and ESP Agents maintain a Utility cache. For information about troubleshooting Relays, including bandwidth and downloading, see the KB article on relay health at the Trend Micro support site.
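
The naming rule for manually cached files can be applied and checked with a short script. The following Python is an added example, not part of the guide or of ESP: stage_download and audit_cache are hypothetical helper names, the sample file is constructed, and writing the name as lowercase hex with no extension is an assumption the guide does not state.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

HEX_DIGITS = set("0123456789abcdef")


def sha1_of(path, chunk_size=1 << 20):
    """Return the SHA-1 hex digest of a file, read in chunks."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_download(source, cache_dir):
    """Copy source into cache_dir under its SHA-1 name and return the new path."""
    cache_dir = Path(cache_dir)
    cache_dir.mkdir(parents=True, exist_ok=True)
    name = sha1_of(source)  # assumption: lowercase hex, no file extension
    partial = cache_dir / (name + ".partial")
    shutil.copyfile(source, partial)
    # Re-hash the copy so a truncated or altered transfer never gets the final name.
    if sha1_of(partial) != name:
        partial.unlink()
        raise OSError("copy of %s does not match its SHA-1" % source)
    final = cache_dir / name
    partial.replace(final)
    return final


def audit_cache(cache_dir):
    """Return {file name: reason} for every entry whose name is not its own SHA-1."""
    problems = {}
    for entry in sorted(Path(cache_dir).iterdir()):
        if not entry.is_file():
            continue
        name = entry.name.lower()
        if len(name) != 40 or not set(name) <= HEX_DIGITS:
            problems[entry.name] = "name is not a 40-digit hex SHA-1"
            continue
        actual = sha1_of(entry)
        if actual != name:
            problems[entry.name] = "content hashes to " + actual
    return problems


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "vendor-patch.bin"   # constructed sample file
        source.write_bytes(b"constructed sample payload")
        cache = Path(tmp) / "sha1"
        print("staged as", stage_download(source, cache).name)
        # A file copied in under its original name would be ignored by the cache.
        shutil.copyfile(source, cache / "vendor-patch.bin")
        for name, reason in audit_cache(cache).items():
            print("ignored:", name, "-", reason)
```

Running audit_cache against a copy of the download cache folder lists the entries that would be ignored because the name and the content disagree.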

Dynamic Download White-lists

Dynamic downloading extends the flexibility of Action scripts, adding the ability to use relevance clauses to specify URLs. As with static downloads, dynamic downloads must specify files with the confirmation of a size or sha1. However, the URL, size, and sha1 are allowed to come from a source outside of the Action script. This outside source may be a manifest containing a changing list of new downloads. This technique makes it easy to access files that change quickly or on a schedule, such as antivirus or security monitors.

This flexibility entails extra scrutiny. Since any Agent can use dynamic downloading to request a file, it creates an opportunity for people to use your server to host files indiscriminately. To prevent this, dynamic downloading uses a white-list. Any request to download from a URL (that isn’t explicitly authorized by use of a literal URL in the action script) must meet one of the criteria specified in a white-list of URLs on the ESP server, located at \Mirror Server\Config\DownloadWhitelist.txt. This file contains a newline-separated list of regular expressions using a Perl regex format, such as the following:

    http://.*\.site-a\.com/.*
    http://software\.site-b\.com/.*
    http://download\.site-c\.com/patches/JustThisOneFile\.qfx

The first line is the least restrictive, allowing any file at the entire site-a domain to be downloaded. The second line requires a specific domain host and the third is the most restrictive, limiting the URL to a single file named "JustThisOneFile.qfx".

If a requested URL fails to match an entry in the white-list, the download immediately fails with status NotAvailable. A note is made in the Relay log containing the URL that failed to pass. An empty or non-existent white-list will cause all dynamic downloads to fail. A white-list entry of “.*” (dot star) will allow any URL to be downloaded.
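
A white-list can be reviewed before it is placed on the server by linting each entry and testing it against URLs that should and should not pass. The following Python is an added example, not part of the guide or of ESP: the function names are hypothetical, the test URLs are constructed, and two things are assumptions: that an entry must match the whole URL, and that Python's re module behaves like the server's Perl-format engine for these patterns.

```python
import re

# The three entries shown in the guide, one regular expression per line.
SAMPLE_WHITELIST = "\n".join([
    r"http://.*\.site-a\.com/.*",
    r"http://software\.site-b\.com/.*",
    r"http://download\.site-c\.com/patches/JustThisOneFile\.qfx",
])

SCHEME = re.compile(r"(?:https\??|http|ftp)://")   # literal scheme at the start of an entry
CHAR_CLASS = re.compile(r"\[[^\]]*\]")            # bracket expressions such as [^/]


def parse_whitelist(text):
    """Return [(line number, pattern text)] for the non-blank lines."""
    return [(n, line.strip())
            for n, line in enumerate(text.splitlines(), 1) if line.strip()]


def lint_entry(pattern):
    """Return a list of findings for one white-list entry (empty list = none)."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return ["not a valid regular expression: %s" % exc]
    if pattern in (".*", ".+", "^.*$"):
        return ["matches every URL"]
    scheme = SCHEME.match(pattern)
    if not scheme:
        return ["does not start with a literal scheme such as http://"]
    # Host part of the pattern: everything up to the first '/' after the scheme,
    # with bracket expressions masked so a '/' inside [^/] is not taken as the end.
    host = CHAR_CLASS.sub("C", pattern[scheme.end():]).split("/", 1)[0]
    findings = []
    if re.search(r"(?<!\\)\.[*+]", host):
        findings.append("wildcard in the host part also matches '/', so the "
                        "entry is not confined to that domain; [^/]* is")
    if re.search(r"(?<!\\)\.(?![*+?])", host):
        findings.append("unescaped '.' in the host part matches any character")
    return findings


def audit(text):
    """Return {line number: [findings]} for entries with at least one finding."""
    report = {}
    for number, pattern in parse_whitelist(text):
        findings = lint_entry(pattern)
        if findings:
            report[number] = findings
    return report


def is_allowed(url, text):
    """True if any valid entry matches the whole URL (assumed matching rule)."""
    for _, pattern in parse_whitelist(text):
        try:
            if re.fullmatch(pattern, url):
                return True
        except re.error:
            continue  # an unparsable entry authorizes nothing
    return False


if __name__ == "__main__":
    for number, findings in audit(SAMPLE_WHITELIST).items():
        print("line %d: %s" % (number, "; ".join(findings)))
    # Constructed URLs: the last one is on a different host but still passes entry 1.
    for url in ("http://www.site-a.com/tools/a.exe",
                "http://download.site-c.com/patches/Other.qfx",
                "http://files.other.example/mirror.site-a.com/a.exe"):
        print(url, "->", "allowed" if is_allowed(url, SAMPLE_WHITELIST) else "NotAvailable")
```

Under these assumptions only the first sample entry is flagged; writing it as http://[^/]*\.site-a\.com/.* keeps the wildcard inside the host name.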

Editing the Masthead

You can change certain default parameters stored in the masthead for the ESP system by using the ESP Administration Tool. Here is how:

1. Launch the program from Start > Programs > ESP Enterprise > ESP Administration Tool.
2. Browse to the location of your site license and click OK.
3. Select the Masthead Management tab and click the Edit Masthead button.
4. The Edit dialog appears.
Note: It is recommended you keep the default settings on this page unless you have a specific reason to change them. Improper settings can cause ESP to work in non-optimal ways. Consult with a support technician for more details.
5. The parameters you can edit include:
• ESP Server Port Number: In general, you will not want to change this number. In addition, if you decide to change this number after deploying the ESP Agents, ESP will not work correctly. See Modifying Port Numbers, in the next section.
• Cryptography: Check this box to implement the Federal Information Processing Standard on your network. This changes the masthead so that every ESP component attempts to go into FIPS mode. By default, the Agent will continue in non-FIPS mode if it fails to properly enter FIPS, which may be a problem with certain legacy operating systems. Be aware that checking this box can add 3-4 seconds to the ESP Agent startup time.
• Gathering Interval: This option determines how long the ESP Agents will wait without hearing from the ESP Server before they check whether new content is available. In general, whenever the ESP Server gathers new content, it attempts to notify the ESP Agents that the new content is available through a UDP connection, circumventing this delay.
However, in situations where UDP is blocked by firewalls or where network address translation (NAT) remaps the IP address of the ESP Agent from the ESP Server’s perspective, a smaller interval becomes necessary to get timely response from the ESP Agents. Higher gathering rates will only slightly affect the performance of the ESP Server, because only the differences are gathered – an ESP Agent does not gather information it already has.
• Initial Lock state: You can specify the initial lock state of all ESP Agents. Locked ESP Agents will report which Fixlet messages are relevant for them, but will not apply any actions. The default is to leave them unlocked and to lock specific ESP Agents later on. However, you may wish to start with the ESP Agents locked and then unlock them on an individual basis in order to give you more control over newly installed ESP Agents. Alternatively, you can set them to be locked for a certain period of time (in minutes).
• Action Lock Controller: This parameter determines who can change the action lock state. The default is Console, which allows any ESP Console operator with management rights to change the lock state of any ESP Agent in the network. If you wish to delegate control over locking to the end user, you may select Agent, but this is not recommended.
• Action Lock Exemptions: In rare cases, you may need to exempt a specific URL from any locking actions. Check this box and enter the exempt URL.
6. Click OK to enter the changes.
7. Enter your site password at the prompt.

Note: The masthead changes do NOT affect ESP Agents that are already deployed, but you can export the masthead using the ESP Admin tool and replace the masthead in the ESP Server so that ESP Agents deployed with the new masthead will use these changes.

Modifying Port Numbers

The ESP Console and ESP Server communicate using ODBC, which operates on port 1433 by default.
For more information about changing this port please ask your database administrator. By default, the ESP Server uses port 52311 to communicate with the ESP Agents, but any port number can be chosen (although you should avoid the reserved ports between 1-1024 because of potential conflicts and difficulty managing network traffic). Your choice of the ESP Server Port Number is factored into the generation of the masthead, which specifies URLs for the action, registration, reporting, and mirror servers. As a consequence, you must finalize your port number before installation.

Modifying Global System Options

The ESP Admin Tool allows you to modify a few basic system defaults, such as the minimum refresh, Fixlet visibility and the Agent UI Icon. Here is how:

1. Launch the ESP Admin Tool from Start > Programs > ESP Enterprise > ESP Administration Tool.
2. Select the System Options tab.
3. At the top, you can set the global Minimum Refresh. The default is 15 seconds, which is a good trade-off between responsiveness and low network load. If you find that ESP communications are impacting your network, you can raise the minimum to 60 seconds or more.
4. External sites are visible to all Console operators by default, but you can change that in the section marked Default Fixlet Visibility. Click the lower button to make external content invisible to all but Master Operators.
5. You can customize the Agent User Interface with your own logo. You can use any graphic you choose, but because it is a global setting, corporate branding is typical. When you present your ESP Agents with a message or an offer, they will see the icon you supply in the title bar, as well as the tray and task bar. The icon file should have several images of different sizes. The first image in the file should be a 64 x 64 image with transparency and will be used in the body of the dialogs.
The title bar and task bar icons are chosen by size, targeting the size indicated by system metrics SM_CXICON and SM_CYICON. These are typically 16 or 32. The icon file should be created according to Microsoft's procedure for creating a Windows XP icon with transparency. Click the Add Icon button to browse for an appropriate icon (.ico) file.

Scheduling Replication

If you have multiple ESP Servers in your deployment, you can schedule when each will replicate. The default is five minutes, but you can shorten the time for greater recoverability or increase it to limit network activity. Here is how:

1. Launch the ESP Admin Tool from Start > Programs > ESP Enterprise > ESP Administration Tool.
2. Select the Replication tab.
3. Click the Refresh button to see the latest Replication Graph.
4. Select the IP Address of an ESP Server and then choose the desired replication time.

Extending the ESP License

When you first request your action site license, your query is archived with Trend Micro, Inc. and you are issued a license for a specific period of time. Before your license expires, ESP will warn you, giving you sufficient time to renew your license. When you are coming close to the expiration date, ESP will notify you using a Fixlet message. Similarly, if you start to exceed the number of ESP Agents allocated by your license, ESP will alert you. To extend your license expiration or add new ESP Agent licenses to your installation, follow these steps:

1. Notify your ESP support technician (if you have not paid for the extended license, you will need to talk to your sales person or reseller to buy an extended license).
2. Your server will check daily for a new version of your license. If you would like to force your server to check right away, go in the ESP Console to the ESP Management domain, click on the License Overview node, and click the Check for license update button.

Recreating Site Credentials

Private/public key encryption creates a chain of signing authority from the ESP root down through the ESP Site Administrator and including each ESP Console operator. If you lose your site credential or change the IP address of your ESP Server, the chain is broken. The consequences are serious: you must start over with a new request to Trend Micro, Inc. for a site certificate. Then you must re-install the entire system, including all the ESP Agents (contact your support technician for details on how you might migrate your ESP Agents to a new ESP Server) and re-create all the users. If this happens, please contact your support technician.

To protect your site certificate, obey these important rules:

• Do not lose the private key for your site (saved in the file named license.pvk). Follow standard procedures for backing up and securing critical confidential information.
• Do not change the IP address/hostname or port number of the ESP Server, since it is the primary identifier for your site certificate. Any change to the IP address or port number that was specified when the license was requested negates the license and will necessitate a fresh installation of the ESP system. If you plan to decommission an ESP Server, be sure to apply the same IP address and port number to the replacement server.
• Do not forget your password. Follow your corporate standards for noting and storing your password.

Note: The ESP Site Administrator can change the password of the site-level key, provided he or she knows the current password.

Updating the ESP Software

Like the other software installations in your enterprise, the ESP program itself will need to be maintained and updated on occasion. Fortunately, that capacity is built into the system.
To guarantee that you are running the latest version of ESP, be sure to install the ESP Agent on all ESP Server and ESP Console computers. Whenever an update is issued, a Fixlet message will be delivered to you with everything you need to install the update. If, for whatever reason, you do not wish to use the Fixlet messages to automatically update the ESP components, you can choose to manually update each ESP component. Instructions on how to do this will be included in the upgrade Fixlet message or will be available from your support technician.

ESP Announcements

ESP maintains a mailing list to announce new products, updates, informational notices, and other information useful to ESP Administrators. ESP highly recommends that all ESP customers subscribe to the ESP Administrator announcements mailing list at: http://bigmail.bigfix.com/mailman/listinfo/besadmin-announcements.

Changing the Agent Icon

By default, the icon in the upper left corner of the Agent UI is the ESP logo. This same icon appears in the tray when an Action is pending and in the task bar when the program is running. You can change this icon to make clear to your end users who is the source of the action, and also to comply with corporate branding and trademark requirements. Here is how to change the icon:

1. Run the ESP Administration Tool (Start > Program Files > ESP Enterprise > ESP Administration Tool).
2. Click the System Options tab.
3. Click the Change Icon button and use the Open dialog to browse for your icon (.ico) file.
4. The Administration Tool will immediately propagate this graphic to the Agents, but it will not be incorporated into the interface until the Agent restarts. After that, when an Agent interface appears (in response to an action, a dashboard or an offer), it will include the graphic icon you specified.

Maintaining and Troubleshooting ESP

If you are subscribed to the Patches for Windows site, you will be able to ensure that you have the latest upgrades and patches to your SQL Server database servers. That means that you must install the ESP Agent on all your computers, including the ESP Server and ESP Console computers. In addition, you may want to take advantage of these other tools and procedures:

• If you have the SQL Server installed, you should become familiar with the MS SQL Server Tools, which can help you keep the database running smoothly.
• It is standard practice to back up your database on a regular schedule, and the ESP database is no exception. It is also wise to run the occasional error-check to validate the data.
• If you start to notice any performance degradation, check for fragmentation. ESP writes out many temporary files, which may create a lot of disk fragmentation, so defragment your drive when necessary. Of course, regular maintenance also involves running the occasional error-check on your disk drives as well.
• The ESP Diagnostics Tool performs a complete test on the server components and can be run any time you experience problems. See the section on Running the ESP Diagnostics Tool (page 39).
• Check the ESP Management domain often. There are a number of Fixlets available that can detect problems with any of your ESP components. This can often head off problems before they ever affect your network.
• Check the ESP Knowledge Base at http://support.bigfix.com/. This site is continually updated, and if you cannot find an existing knowledge-base article about your question, you can find information on how to submit a question to a Trend Micro support technician.
• Add ESP Relays to improve the overall system performance and pay close attention to them. Healthy ESP Relays are key to a healthy ESP deployment.
• Review the Deployment Health Checks dashboard in the ESP Management domain for optimizations and failures.
• Set up monitoring activities on the ESP Server(s) to notify you in the event of a software or hardware failure, including:
  - ESP Server powered off or unavailable
  - Disk failure
  - Event log errors about ESP Server applications
  - ESP Server services states
  - FillDB buffer directory data back-up situations

Part Five Resources

Deployment Scenarios

The next few pages contain deployment scenarios that illustrate some basic configurations taken from actual case studies. Your organization will look similar to one of the examples below, depending on the size of your network, the various bandwidth restrictions between clusters and the number of Relays and Servers. The main constraint is not CPU power, but bandwidth.

Pay careful attention to the ESP Relay distribution in each scenario. Relays provide a dramatic improvement in bandwidth and should be thoughtfully deployed, especially in those situations with thin pipes. ESP Relays are generally most efficient in fairly flat hierarchies. A top-level ESP Relay directly eases the pressure on the ESP Server, and a layer under that helps to distribute the load. But hierarchies greater than two tiers deep may be counterproductive and must be carefully deployed. Multiple tiers are generally only necessary when you have more than fifty ESP Relays. In such a case, the top tier ESP Relays would be deployed on dedicated servers which would service anywhere from 50-200 second-tier ESP Relays. The following examples will help you deploy the most efficient network layout.

Notice that additional ESP Servers can also add robustness to a network, by spreading the load and supplying redundancy. Using redundant ESP Servers allows failbacks and failovers to be automated, providing minimal data loss, even in catastrophic circumstances.
With the proper deployment of ESP Servers and ESP Relays, networks of any size can be accommodated. Beyond the examples we present here, your ESP support technician will be happy to help you with other configurations.

Basic Deployment

This is a vastly simplified deployment designed to point out the basic hierarchy and the ports used to connect the components.

Note the following about the diagram:

• Port 80 is used to collect Fixlet messages over the Internet from Fixlet providers such as Trend Micro.
• A dedicated port (defaulting to 52311) is used for HTTP communications between ESP Servers, Consoles, Relays and Agents.
• You need both an ODBC and an HTTP connection to run the ESP Console.
• ESP Relays are used to share the server load. This diagram only shows two ESP Relays, but you can use dozens or even hundreds of ESP Relays in a similar flat hierarchy. Typically an ESP Relay is deployed for every 500-1,000 computers.
• The ESP Relays require an HTTP port (defaulting to 52311) to communicate with the ESP Agents.
• The ESP Relays can also take advantage of a UDP port to alert the ESP Agents about updates, but this is not strictly necessary.
• The ESP Agents are typically PCs or Workstations, but can include other servers, dockable laptops and more. Any device that can benefit from patches and updates is a candidate to include in the ESP deployment.

ESP has far greater flexibility and potential than this simple case suggests. It is capable of overseeing hundreds of thousands of computers, even if they are spread out around the world. The next scenarios build on this basic deployment.

Main Office with Fast-WAN Satellites

This configuration is common in many universities, government organizations, and smaller companies with only a few geographical locations. This type of deployment is relatively easy to set up and administer because there are no (or very few) slow WAN pipes to worry about.

Note the following about the diagram:

• In this configuration, the ESP Relays are used both to relieve the ESP Server and to distribute the communications, optimizing the bandwidth.
• This scenario has large WAN pipes, so office relays can communicate directly to the main ESP Server. A thin WAN could force a change in the layout of the ESP Relays (see the scenarios above and below).
• The more ESP Relays in the environment, the faster the downloads and response rates.
• Because of the nature of this network, when the ESP Agents are set to Automatically Locate Best ESP Relays, many of the ESP Relays are the same distance away. In this scenario, the ESP Agents automatically load-balance themselves amongst all the ESP Relays that are nearby.
• For this high-speed LAN, a relatively flat hierarchy is recommended, with all ESP Relays reporting directly to the main ESP Server. Any extra levels in the hierarchy would only introduce unnecessary latency. However, if there were over 50-100 ESP Relays in this environment, another level of ESP Relays should be considered.

Distributed Server Architecture Setup

Companies with sensitive or high availability needs will want to deploy multiple, fully-redundant servers to maintain continuous operation even in the face of serious disruptions. Multiple ESP Servers also help to distribute the load and create a more efficient deployment.
Here is a bare-bones diagram of how multiple servers might be set up in a single location or in two widely separated offices:

Note the following about the diagram:

• The ESP Servers are connected by a fast WAN, allowing them to synchronize several times per hour.
• The servers need both an ODBC and an HTTP link to operate and replicate properly.
• There is a primary ESP Server with an ID of 0 (zero). It is the first ESP Server that you install, and it is the default server for running ESP Administration.
• For the sake of clarity, this is a minimal configuration. A more realistic deployment would have a top-level ESP Relay and other WAN connections to regional offices.
• The ESP Servers and Relays are configured so that control can be automatically routed around a server outage (planned or otherwise), and upon failover reconnection, the databases will be automatically merged.
• The ESP Servers communicate on a regular schedule to replicate their data. You can review the current status and adjust the replication interval through ESP Administration > Replication. For the best possible performance, these pipes should be fat.
• This diagram only shows two ESP Servers, but the same basic architecture would apply to each additional server. With multiple servers, a shortest-path algorithm is used to guide the replication.
• When an outage or other problem causes a network split, it is possible for a custom Fixlet or a retrieved property to be modified independently on both sides of the split. When the network is reconnected on failover, precedence will go to the version on the server with the lowest ESP Server ID.

Efficient ESP Relay Setup

To increase efficiency and reduce latency, this company has set up a hierarchy of ESP Relays to help relieve the server load.
Each ESP Relay they add takes an extra burden off the ESP Server for both patch downloads and data uploads. Setting up ESP Relays is easy, and the ESP Agents can be set to automatically find the closest relay, further simplifying administration.

Note the following about the diagram:

• There is a dedicated server computer known as the Top-Level ESP Relay that is used to take the load off of the ESP Server computer.
• All ESP Relays are manually configured to point to either the top level ESP Relay or to another ESP Relay that is closer. The general rule for configuring ESP Relays is that you want as few levels as possible to the ESP Relays unless there is a bandwidth bottleneck. Communications over thin pipes should be relay to relay. The top-level ESP Relay will relieve the ESP Server, and the secondary ESP Relay can allow a single download to be distributed over hundreds of ESP Agents.
• There is an ESP Relay in the DMZ set up with a special trust relationship with the ESP Server. This ESP Relay will allow ESP Agents in the DMZ or on the public Internet to be managed by ESP. The DMZ places a security firewall between the ESP Relay and the set of home computers and laptops reporting in from the Internet.
• This diagram shows a single ESP Relay in the large regional office. However, for offices with more than a few hundred Agents, there will typically be multiple ESP Relays to effectively distribute the load.
• As a general rule, you should deploy at least one ESP Relay per 500-1000 ESP Agents to maximize the efficiency of the ESP Relay. See the article on relays at the Trend Micro support site for more information.

Hub and Spoke

This scenario involves a main data center, a small number of large regional offices and many small regional offices.
This configuration is common in large international organizations. The ESP Agents are installed on computers in offices all around the world. Many of these locations have slow WAN connections (8 kbps-512 kbps), but there will be many offices with faster WAN connections (1mbps-45mbps). Often these locations are configured in a hub-and-spoke arrangement. This scenario builds on the previous one, but the hub-and-spoke configuration permits more levels in the ESP Relay hierarchy.

Note the following about the diagram:

• In this scenario, the ESP Relays are carefully deployed at the proper junctions within the WAN to optimize bandwidth. Poor placement of ESP Relays can adversely impact your network performance.
• It is vital that at least one ESP Relay is installed in every location with a slow WAN connection. Often a company will already have a server in just such a spot, acting as a file server, print server, AV distribution server, SMS distribution server or domain controller, or any other computer. The ESP Relay is usually installed on these existing computers.
• To provide redundancy in a typical office, more than one ESP Relay should be installed. In case an ESP Relay fails for any reason (powered down, disconnected from the network, etc.), its attached ESP Agents can then automatically switch over to a different ESP Relay. A redundant relay is less important in very small offices because fewer computers are affected by the failure of an ESP Relay.
• When the ESP Agents are set to Automatically Locate Best ESP Relays, they will choose the closest one. If any ESP Relay should fail, the ESP Agents will automatically seek out another ESP Relay. You should monitor the ESP Relay configuration after the initial automated setup (and periodically after that) to ensure that the ESP Agents are pointing to appropriate locations.
Talk to your support technician for more details on how to protect against overloading WAN pipes with ESP data.
• Bandwidth throttling at the ESP Relay level is very helpful in this configuration. The ESP Relays are set up to download slowly across the WAN pipes so as not to saturate the slow links. See the article on throttling at the Trend Micro support site for more information.
• Instead of pointing to the main ESP Server, the ESP Relays are configured to point to the top level ESP Relay. This frees up the ESP Server to couple more tightly to the ESP Console and improves reporting efficiency. The ESP Relays will be manually configured to create the optimal hierarchy. The hierarchy will have three levels (from the top down):
  1. The top-level ESP Relay that connects directly to the ESP Server.
  2. The regional office ESP Relays that connect to the top-level ESP Relay.
  3. Multiple branch office ESP Relays that connect to specified regional office ESP Relays.

Remote Citrix / Terminal Services Configuration

Although ESP can efficiently deliver content even over slow connections, the ESP Console itself is data intensive and can overwhelm a link slower than 256 kbps. Adding more ESP Agents further increases the lag time. However, you can access the ESP Console remotely from a Citrix, Terminal Services, VNC or Dameware-style presentation server and realize excellent performance. Here is what this configuration looks like:

Note the following about the diagram:

• In the main office, the ESP Console is set up on a computer that is close to the ESP Server for fast data collection. This will be your Presentation Server.
• You must create user accounts for each remote user.
These users will then be able to access the ESP Console quickly because the time-critical data loading is done at the main office over a fast link.
• Your remote connection can be over HTTPS to improve security.
• Note that running an ESP Console from a Presentation Server containing the private key is inherently less secure than if the key is stored on a removable drive.
• You may be able to benefit from load-balancing software to spread the remote accesses across multiple servers.
• The main bottleneck for an ESP Console running on Citrix is memory size. If the ESP Console runs out of memory, its performance will drop sharply. A good technique to determine the memory requirement is to open up the ESP Console as a Master Operator. Check the memory used: this will indicate the maximum memory requirement per user. Then log in as a typical operator and use this as your average memory requirement. If your Citrix server can support all concurrent users with the maximum memory then a single box will suffice. If not, then use the average memory requirement per user to determine how many extra Citrix servers you may need.
• The second constraint is CPU power. During refreshes, the ESP Console works best with a full CPU core. That means the Presentation server will be optimized with one CPU core running the ESP Console for each concurrent user.
• The final concern is disk space for the ESP Console cache. You can get a feel for the size of the cache by looking at an example on your local box: C:\Documents and Settings\\Local Settings\Application Data\BigFix\Enterprise Console\ESP_bfenterprise. There should be enough disk space to provide one cache file for each ESP Console operator.

Glossary

Action Password—See ESP signing password.

ESP—See Endpoint Security Platform.

ESP Agent—Software installed on each networked computer to be managed under ESP.
The Agent accesses a pool of Fixlet messages, checks the computer it is installed on for vulnerabilities, and sends the ESP Server a message when such a condition occurs.

ESP Console—A management program that provides an overview of the status of all the computers with the ESP Agent installed in the network, identifying which might be vulnerable and offering corrective actions.

ESP database—A component of the ESP system that stores data about individual computers and Fixlet messages. The ESP Server’s interactions primarily affect this database, which runs on SQL Server.

ESP Generator Install folder—The directory on the installation computer where the Generator places the installation files for the ESP system.

ESP Installation Generator—An application that creates installers for the core ESP system components.

ESP Relay—This is an ESP Agent that is running special server software. Relays spare your server and the network by minimizing direct server-Agent downloads and by compressing upstream data. Relays are automatically discovered by ESP Agents, which dynamically choose the best Relay to connect to.

ESP Root Server—Refers to the HTTP or HTTPS services offered by the main ESP Server as an alternative to IIS. The ESP Root server is specially tuned to Fixlet traffic and is more efficient than IIS for this application.

ESP Server—A collection of interacting applications (web server, CGI-BIN, and database server) that coordinates the relay of information to and from individual computers in the ESP system. The server processes may be hosted by a single server computer or segmented to run on separate server computers or replicated on redundant servers.

ESP signing password—The password (specified when the ESP system was installed) used by an ESP Console operator to sign an action for deployment. It is called the action password in the Console interface.

ESP Site Administrator—The person in charge of installing ESP and authorizing ESP Console operators.
ESP system install folder—The directory on the ESP Server where the ESP Server and related files (including Console and Agent installers) will be installed.

BigFix Action Scripting Language—The language used for crafting action scripts. Actions can be crafted in different scripting languages, including AppleScript and Unix shells.

BigFix Development Environment (BDE)—An integrated system for authoring and deploying, or publishing, Fixlet messages.

Endpoint Security Platform (ESP)—A preventive maintenance tool for enterprises that monitors computers across networks to find and correct vulnerabilities with a few simple mouse-clicks.

BigFix Relevance Language—The language in which relevance clauses are written.

Custom Site—You can create your own custom content and host it in a custom site. This can only be done by a Master Operator that has been granted the rights to create custom content (use the ESP Admin program to allocate these users).

DSA—Distributed Server Architecture. Multiple ESP Servers are linked to provide full redundancy in case of failure.

Fixlet message—A mechanism for targeting and describing a problematic situation on a computer and providing an automatic fix for it.

Fixlet servers—Web servers offering Fixlet site subscriptions. They can be either internal to the enterprise network or external to the network (if direct external web access is allowed).

Fixlet site—A trusted source from which the ESP Agent obtains Fixlet messages.

installation computer—A secure computer (separate from the ESP Server computer) that hosts and runs the ESP Installation Generator.

Management Rights—Ordinary ESP Console Operators can be limited to a specified group of computers. These limits represent the management rights for that user. Only an ESP Site Administrator or a Master Operator can assign management rights.

Master Operator—An ESP Console Operator with administrative rights.
A Master Operator can do almost everything an ESP Site Administrator can do, with the exception of creating new operators.

masthead—Files containing the parameters of the ESP process, including URLs that point to where trusted Fixlet content is available. The ESP Agent brings content into the enterprise based on subscribed mastheads.

Mirror server—A server required in the ESP system if the enterprise does not allow direct web access but instead uses a proxy server that requires password-level authentication.

Operator—A person who operates the ESP Console. Ordinary operators can deploy Fixlet actions and edit certain computer settings. Master Operators have extra privileges, among them the ability to assign management rights to other operators.

signing password—See ESP signing password.

Site Administrator—The only ESP Console Operator with the right to create new Operators.

SQL server—A full-scale database engine from Microsoft that can be acquired and installed into the ESP system to satisfy more than the basic reporting and data storage needs. A step up from SQLite.

standard deployment—A deployment of ESP that applies to workgroups and to enterprises with a single administrative domain. It is intended for a setting in which all ESP Agent computers have direct access to a single internal server.

VPN—Virtual Private Network. An encrypted channel (or tunnel) that allows companies to extend their local-area networks across the world by using an inexpensive Internet connection.

WAN—Wide-area network. Many offices are connected by WAN. The bandwidth of your WAN determines the placement of ESP Relays in your deployment, with thin WANs requiring more relays to aggregate downloads and reduce overhead.

Global Support

Trend Micro offers a suite of support options to help optimize your user-experience and success with this product.
Here’s how it works:

• First, check the Trend Micro website Documentation page
• Next, search the ESP Knowledge Base for applicable articles on your topic
• Then check the User Forum for discussion threads and community-based support

If you still can’t find the answer you need, contact Trend Micro’s support team for technical assistance:

• Phone/US: +1 (408) 257-1500
• Email: support@support.trendmicro.com
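The relay-placement rules from the deployment scenarios in this guide (a relay at every slow-WAN location, one relay per 500-1000 agents, a redundant relay outside very small offices, another hierarchy level past 50-100 relays) can be checked against a site inventory. The following is an added example, not part of the guide or of ESP; the inventory format, all names in it, and the SMALL_OFFICE cut-off are assumptions.

```python
"""Audit an ESP Relay layout against the placement rules in the guide.

Added illustration: the inventory format, names and the SMALL_OFFICE cut-off
are assumptions; the other numeric limits are the guide's own figures.
"""
from collections import Counter

SLOW_WAN_KBPS = 512        # guide: slow WAN links are 8 kbps-512 kbps
AGENTS_PER_RELAY = 1000    # guide: at least one relay per 500-1000 agents
MAX_CHILD_RELAYS = 100     # guide: over 50-100 relays, consider another level
SMALL_OFFICE = 50          # assumption: cut-off for a "very small office"

# Constructed sample inventory (not from the guide).
LOCATIONS = {
    "hq":       {"wan_kbps": 45000, "agents": 2400},
    "regional": {"wan_kbps": 1500,  "agents": 800},
    "branch-a": {"wan_kbps": 256,   "agents": 40},
    "branch-b": {"wan_kbps": 128,   "agents": 120},
    "branch-c": {"wan_kbps": 64,    "agents": 15},
}
RELAYS = [
    {"name": "top",   "location": "hq",       "parent": "server"},
    {"name": "hq-2",  "location": "hq",       "parent": "top"},
    {"name": "reg-1", "location": "regional", "parent": "top"},
    {"name": "bra-1", "location": "branch-a", "parent": "reg-1"},
    {"name": "brb-1", "location": "branch-b", "parent": "reg-9"},  # bad parent
]


def relay_depth(name, parents):
    """Hops from a relay up to the ESP Server; None on a loop or unknown parent."""
    seen = set()
    depth = 0
    while name != "server":
        if name in seen or name not in parents:
            return None
        seen.add(name)
        name = parents[name]
        depth += 1
    return depth


def audit(locations, relays):
    """Return a sorted list of (rule, subject) findings."""
    findings = []
    parents = {r["name"]: r["parent"] for r in relays}
    per_site = Counter(r["location"] for r in relays)
    for site, info in locations.items():
        count = per_site[site]
        # Every location behind a slow WAN link needs its own relay.
        if info["wan_kbps"] <= SLOW_WAN_KBPS and count == 0:
            findings.append(("slow-wan-without-relay", site))
        # Upper bound of the guide's 500-1000 agents-per-relay rule.
        if count and info["agents"] / count > AGENTS_PER_RELAY:
            findings.append(("too-many-agents-per-relay", site))
        # A single relay is a single point of failure outside tiny offices.
        if count == 1 and info["agents"] > SMALL_OFFICE:
            findings.append(("no-redundant-relay", site))
    # Too many relays reporting to one parent: add a hierarchy level.
    for parent, n in Counter(parents.values()).items():
        if n > MAX_CHILD_RELAYS:
            findings.append(("flat-hierarchy-too-wide", parent))
    # Each relay must reach the server through known relays, without loops.
    for name in parents:
        if relay_depth(name, parents) is None:
            findings.append(("broken-parent-chain", name))
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject in audit(LOCATIONS, RELAYS):
        print(f"{rule}: {subject}")
```

In the sample, `bra-1` sits three hops from the server, matching the three-level hub-and-spoke hierarchy the guide describes.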