This section provides requirements, details of supported configurations, and other information necessary for planning your Secure Configuration Manager installation environment. For the most recent information, see the Secure Configuration Manager Web page.
For small enterprises of 50 computers or fewer, you can install all Secure Configuration Manager components on one computer. You can then install additional consoles on other computers as needed. Installing all required components on one computer is not a recommended configuration for most production networks.
NOTE: An all-in-one configuration is supported for Windows Server 2003, Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2. You can install Secure Configuration Manager consoles on Windows Vista, but you must install Core Services and the Secure Configuration Manager database on separate computers.
For larger enterprises, install Core Services and the Secure Configuration Manager database on separate computers. Then install the console on multiple additional computers to manage the agents and other Secure Configuration Manager components.
Installing Secure Configuration Manager components on domain controllers is neither recommended nor supported for the following reasons:
- When you create a local group on a domain controller, the end result is a domain group. The local group needed to handle authentication is not created.
- This configuration can also cause performance issues because the domain controller is very busy even if you do not install Secure Configuration Manager components on that computer.
Secure Configuration Manager supports Microsoft Windows in English, French, German, and Spanish, and Microsoft SQL Server and Microsoft SQL Server Express in United States - English. Ensure that the language version for the Microsoft Windows operating system is the same across all computers where you install the console, Core Services, and database.
You also have the option to install Core Services on multiple computers. In this configuration, you must install a separate Secure Configuration Manager database for each Core Services computer.
Having multiple Core Services allows you to divide managed resources, or endpoints, into managed groups based on business units or other organizational needs. Resources managed by one Core Services computer are completely separate from resources managed by a different Core Services. This configuration may be appropriate if your organization needs to maintain a high level of internal security. For more information, see Multiple Core Services Requirements.
Depending on the agents you are deploying, you may be able to share registered agents between Core Services. For more information, see Section 3.3, Working with Multiple Core Services.
Secure Configuration Manager supports Federal Information Processing Standard (FIPS 140-2) communication among the product components. FIPS 140-2 standards regulate the implementation and communication of cryptographic software. Users working under FIPS guidelines must have Secure Configuration Manager function within a secure FIPS-enabled environment. For more information about configuring components for FIPS communication, see the User Guide for NetIQ Secure Configuration Manager and the security agent guides.
NOTE: When you enable Secure Configuration Manager to function in a FIPS-enabled environment, Core Services cannot communicate with iSeries security agents.
The Secure Configuration Manager AutoSync service lets you regularly download the latest security knowledge from an update service Web site to ensure that the Secure Configuration Manager agents always audit with the latest security intelligence. The AutoSync client queries and receives updates from the NetIQ AutoSync server. For more information, see the User Guide for NetIQ Secure Configuration Manager.
You can install the AutoSync client on your Core Services computer, or you can install the standalone AutoSync client separately from Core Services.
Install a standalone AutoSync client when your Core Services computer is not directly connected to the Internet, or if you do not want the Core Services computer to download from the Internet. For more information about the standalone AutoSync client, see Section 3.4, Deploying the Standalone AutoSync Client.
Open the ports listed in the following table for proper communication between Secure Configuration Manager components.
Port Number | Component Computer | Port Use |
---|---|---|
700 | Security Agent for Windows (Deployment Agent) | Used by the Deployment Agent and remote computer during deployment. |
1433 | Database | Used by Microsoft SQL Server or SQL Server Express if you are using a default instance of SQL Server. This port is also used by the console to listen for communication from the database. When used by Core Services, the port uses bi-directional communications to communicate with the console and the database. |
1621 | Core Services | Used by Core Services to listen for communication from the Windows agent when both the agent and the Core Services computer are in FIPS mode. This port requires, at a minimum, Secure Configuration Manager 5.9 and Security Agent for Windows 5.9 with FIPS mode enabled on both the Core Services and Windows agent computers. |
1622 | Security Agent for Windows | Used by the Windows agent to listen for communications from Core Services. This port uses bi-directional communications. |
1622 | Security Agent for iSeries | Used by NetIQ Security Solutions for iSeries PSAudit and PSSecure to listen for communication from Core Services. Core Services uses this port to run reports and actions. This port uses bi-directional communications. |
1622 | UNIX Agent | Used by the UNIX agent to listen for communication from Core Services. Core Services uses this port to run reports and actions. This port uses bi-directional communications. |
1626 | Core Services | Used by Core Services to communicate with Agents using SSL (Secure Sockets Layer) protocol. Agents include Windows, UNIX, and iSeries agents. SSL is a protocol developed by Netscape for ensuring security and privacy in Internet communications. SSL uses a private key to encrypt data that is transferred over the SSL connection. |
1627 | Core Services | Used by Core Services to listen for communication from the Security Agent for Windows or UNIX. This port requires Secure Configuration Manager 5.9 and Security Agent for Windows 5.9, at a minimum. |
8044 | Core Services | Used by Core Services to communicate with the console computer. This port uses bi-directional communications. |
8044 | Web Server | Used by the Web server that is embedded in Core Services. The Web server uses port 8044 by default, but this port is configurable. |
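One way to open the Core Services listening ports from the table while limiting who can reach them, shown as an added example that is not part of the NetIQ documentation. The peer addresses and rule names are constructed placeholders, the Domain profile is an assumption, and the cmdlets require the NetSecurity module (Windows Server 2012 or later).

```powershell
# Added example: inbound Windows Firewall rules for a Core Services computer,
# restricted to the hosts that actually need each port.
# All addresses below are constructed placeholders; replace them with your own.
$AgentNetworks = @('10.20.0.0/16')                 # subnets where agents run
$ConsoleHosts  = @('10.10.5.21', '10.10.5.22')     # computers running the console

# Ports on which the table says Core Services listens.
# Port 1626 is left out because the table does not state which side listens;
# add it once you have confirmed the direction in your environment.
$rules = @(
    @{ Port = 1621; Peers = $AgentNetworks; Note = 'Windows agents in FIPS mode' }
    @{ Port = 1627; Peers = $AgentNetworks; Note = 'Windows and UNIX agents' }
    @{ Port = 8044; Peers = $ConsoleHosts;  Note = 'Console and embedded Web server' }
)

foreach ($r in $rules) {
    $name = "SCM Core Services TCP $($r.Port)"     # hypothetical rule name

    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        # Rule already exists: only refresh the list of permitted peers.
        Set-NetFirewallRule -DisplayName $name -RemoteAddress $r.Peers
    }
    else {
        New-NetFirewallRule -DisplayName $name -Description $r.Note `
            -Direction Inbound -Protocol TCP -LocalPort $r.Port `
            -RemoteAddress $r.Peers -Action Allow -Profile Domain | Out-Null
    }
}

# Review the result: every rule should list specific peers, never 'Any'.
Get-NetFirewallRule -DisplayName 'SCM Core Services TCP *' |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Port   = $port.LocalPort
            Remote = $addr.RemoteAddress -join ', '
        }
    }
```

If you change the Web server port from its default of 8044, change the matching entry in `$rules` as well.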
This section provides requirements, recommendations, and configuration information for the Secure Configuration Manager database computer, which hosts the Secure Configuration Manager database. The size of your Secure Configuration Manager database and the number of concurrent connections can affect console performance.
This section provides hardware, software, and permissions requirements for installing the Secure Configuration Manager database.
NOTE: Named instances cannot contain special characters. If you are using a named instance that contains special characters, rename the database instance so that it does not contain special characters.
The following table lists the requirements and recommendations for the database computer.
Category | Minimum Requirements and Recommendations |
---|---|
Processor | 500 MHz Intel Pentium III server class or equivalent. (Recommended) 3 GHz Intel Xeon server processor or equivalent |
Disk Space | 20 GB free disk space. (Recommended) 100 GB free disk space. NOTE: For Windows Server 2012 and Windows Server 2012 R2, minimum recommended disk space is 40 GB. |
Memory | 1.5 GB. (Recommended) 6 GB. NOTE: For Windows Server 2012 and Windows Server 2012 R2, minimum recommended memory is 4 GB. |
Operating System | One of the following operating systems: |
Database | One of the following database versions: |
Installation Permissions | The user account used to install the database must be a member of the Administrators local group on the computer. |
Port | 1433: Used by Microsoft SQL Server or SQL Server Express if you are using a default instance of SQL Server. If you specified a non-default instance of SQL Server or SQL Server Express when you installed Secure Configuration Manager, the associated port needs to be open. |
Additional Settings | Set the System variable TEMP to C:\windows\temp in the System Properties > Environment Variables window on the Secure Configuration Manager database computer. |
In a Microsoft cluster environment, you must install the database on the active node in the cluster. The database automatically rolls over to the new active node when a failover occurs. However, when the database rolls over, Core Services loses communication to the database. To re-establish communication, you must restart the NetIQ Core Services service.
The Secure Configuration Manager database computer requires that Microsoft SQL Server or Microsoft SQL Server Express use mixed-mode authentication. Non-U.S. language versions of SQL Server and SQL Server Express are not supported. For more information about supported SQL Server versions, see Database Computer Requirements.
Follow the instructions provided in the Microsoft SQL Server documentation to install the database software. Also, if you enabled dynamic port allocation, update the Core Services connection URL to reflect the new TCP/IP port. You can change the connection URL in the Core Services Configuration Utility.
To complete the Secure Configuration Manager installation, the Browser Service must be running in SQL Server or SQL Server Express.
To verify the SQL Server or SQL Server Express Browser Service is running:
1. Open SQL Server Configuration Manager.
2. In the left pane, select the SQL Server services.
3. In the right pane, ensure that SQL Server Browser is set to Running.
4. (Conditional) If the SQL Server Browser is stopped, select SQL Server Browser, and on the Action menu, click Start.
To complete the Secure Configuration Manager installation, the TCP/IP protocol must be enabled in SQL Server or SQL Server Express.
To verify the SQL Server TCP/IP protocol is enabled:
1. Open SQL Server Configuration Manager.
2. In the left pane, expand SQL Server Network Configuration and select Protocols for MSSQLSERVER.
3. In the right pane, ensure that TCP/IP is set to Enabled.
4. (Conditional) If the TCP/IP protocol is disabled, select TCP/IP, and on the Action menu, click Enable.
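The SQL Server prerequisites described above (Browser service, TCP/IP protocol, mixed-mode authentication, and the port in use) can also be checked from a prompt. This is an added example, not part of the NetIQ documentation; it assumes the default instance MSSQLSERVER, a 64-bit SQL Server installation, and SQL Server's standard registry locations, and it only reads settings.

```powershell
# Added example: read-only check of the SQL Server prerequisites.
# Run locally on the database computer with an account that can read HKLM.
$instance = 'MSSQLSERVER'   # assumption: default instance; use your instance name otherwise
$root     = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

# Map the instance name to its instance ID (for example MSSQL11.MSSQLSERVER).
$id = (Get-ItemProperty "$root\Instance Names\SQL" -ErrorAction Stop).$instance
if (-not $id) { throw "Instance '$instance' was not found on this computer." }

$server  = Get-ItemProperty "$root\$id\MSSQLServer"
$tcp     = Get-ItemProperty "$root\$id\MSSQLServer\SuperSocketNetLib\Tcp"
$ipAll   = Get-ItemProperty "$root\$id\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
$browser = Get-Service -Name 'SQLBrowser' -ErrorAction SilentlyContinue

$checks = [ordered]@{
    'SQL Server Browser running' = ($browser -and $browser.Status -eq 'Running')
    'TCP/IP protocol enabled'    = ($tcp.Enabled -eq 1)
    'Mixed-mode authentication'  = ($server.LoginMode -eq 2)   # 1 = Windows authentication only
}

foreach ($name in $checks.Keys) {
    '{0,-30} {1}' -f $name, $(if ($checks[$name]) { 'OK' } else { 'FAIL' })
}

# Report the listening port so that the Core Services connection URL and the
# firewall rule for the database computer can be matched to it.
if ($ipAll.TcpDynamicPorts) {
    "Dynamic port allocation is enabled; current port: $($ipAll.TcpDynamicPorts)"
}
else {
    "Static port: $($ipAll.TcpPort)"
}
```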
This section provides hardware, software, and permissions requirements for Core Services computers.
When planning to install Core Services, take into account the following considerations:
Secure Configuration Manager supports IPv4 and IPv6 addresses, but uses IPv4 addresses for communication among the console, Core Services, and the Secure Configuration Manager database. The Core Services computer must be configured for IPv4 addresses at a minimum. Alternatively, you can set up the Core Services computer as a dual-stack host to support both IPv4 and IPv6 addresses.
The following table lists the requirements and recommendations for the Core Services computer.
Category | Minimum Requirements and Recommendations |
---|---|
Processor | 500 MHz Intel Pentium III server class or equivalent. (Recommended) 3 GHz Intel Xeon server processor or equivalent |
Disk Space | 20 GB free disk space. (Recommended) 100 GB free disk space. NOTE: For Windows Server 2012 and Windows Server 2012 R2, minimum recommended disk space is 40 GB. |
Memory | 512 MB. (Recommended) 6 GB. NOTE: For Windows Server 2012 and Windows Server 2012 R2, minimum recommended memory is 4 GB. |
Operating System | One of the following operating systems: |
Additional Software | |
Installation Permissions | The user account used to install Core Services must be a member of the Administrators local group on the computer. |
Ports | 1621: Used by Core Services to communicate with the Security Agent for Windows when both the agent and Core Services are in FIPS mode. This port requires, at a minimum, Secure Configuration Manager 5.9 and Security Agent for Windows 5.9 with FIPS mode enabled on both the Core Services and the Windows agent computers. 1626: Used by Core Services to communicate with SSL agents. For more information about SSL and non-SSL agents, see Section 2.5.2, Default Ports. 1627: Used by Core Services to listen for communication from the Security Agent for UNIX or Windows. This port requires Secure Configuration Manager 5.9 and Security Agent for Windows 5.9 or Security Agent for UNIX 7.2, at a minimum. 8044: Used by Core Services to communicate with the console computer. Also used by the Web server that is embedded in Core Services. (This port is configurable.) |
If you plan to install more than one Core Services computer, each Core Services computer must meet the requirements specified in this section. In addition, depending on the agents you deploy, you may need to complete an additional step to enable multiple Core Services to communicate with registered agents.
Windows, UNIX, and iSeries agents support shared secret authentication. Therefore, you must export the domain keys from your first Core Services, and the other Core Services must import those keys to communicate with that agent. For more information, see Section 3.3, Working with Multiple Core Services.
This section provides hardware, software, and permissions requirements for the Secure Configuration Manager console computer.
This section provides requirements for a Secure Configuration Manager environment. When planning to install the console, take into account the following considerations:
- Running more than 10 active consoles concurrently can reduce product performance.
- The size of your Secure Configuration Manager database and the number of concurrent connections can affect console performance. You can adjust the refresh period to improve performance. For more information, see the User Guide for NetIQ Secure Configuration Manager.
- Secure Configuration Manager supports IPv4 and IPv6 addresses, but uses IPv4 addresses for communication among the console, Core Services, and the Secure Configuration Manager database. The console computer must be configured for IPv4 addresses at a minimum. Alternatively, you can set up the console computer as a dual-stack host to support both IPv4 and IPv6 addresses.
The following table lists the requirements for console computers.
Category | Minimum Requirements and Recommendations |
---|---|
Processor | 500 MHz Intel Pentium III or equivalent. (Recommended) 3 GHz Intel Xeon server processor or equivalent |
Disk Space | 4 GB free disk space. (Recommended) 100 GB free disk space. NOTE: For Windows Server 2012 and Windows Server 2012 R2, minimum recommended disk space is 40 GB. |
Memory | 1 GB. (Recommended) 6 GB. NOTE: For Windows Server 2012 and Windows Server 2012 R2, minimum recommended memory is 4 GB. |
Operating System | One of the following operating systems: |
Monitor | 1024 x 768 resolution and 16-bit color |
Additional Software | All of the following products: |
Installation Permissions | The user account you use to install the console must be a member of the Administrators local group on the computer. |
Usage Permissions | The Windows user account you use to run the console must be one of the following: If you are running the console on the database computer, your account must have write permissions to the NetIQ\Secure Configuration Manager folder and its subfolders and must be a member of the VigilEnt_Users group. |
This section lists the agent versions supported by Secure Configuration Manager, and also directs you to specific requirements information for each agent.
When you install Secure Configuration Manager, the setup program automatically installs and registers a Windows agent on the Core Services computer. The run-as account for the Windows agent service on the Core Services computer should have appropriate permissions, such as Domain Administrator permissions, to modify remote computers. For more information about the Windows agent service and required permissions, see the Installation and Configuration Guide for NetIQ Secure Configuration Manager Windows Agent and Section 3.2, Installing Secure Configuration Manager Components.
NOTE: To ensure optimum deployment of Windows agents to remote computers, do not remove the Windows agent from the Core Services computer.
Ensure that the required ports are open to enable communication between the agent computers and Secure Configuration Manager Core Services. For more information about the ports used to communicate with the agents, see the Help.
Secure Configuration Manager supports the minimum agent versions listed in the following table:
Agent | Minimum Version |
---|---|
NetIQ Secure Configuration Manager for Windows | 5.9 |
NetIQ Secure Configuration Manager for UNIX Agent | 7.3 |
NetIQ Security Solutions for iSeries | 8.1 |
You can check the version of an installed agent by running the Agent Version report in Secure Configuration Manager. You can also check the NetIQ Web site to ensure that you have the latest agent version. For more information, including a complete list of supported agent versions, see the NetIQ Technical Support Web site.
In Secure Configuration Manager, platform represents the type of endpoint. The requirements for agent computers vary depending on the platform. All agent installations require Administrator permissions on the computer on which you are installing the agent.
The following table lists the agent platforms that Secure Configuration Manager supports and where you can find the requirements for those platforms.
Platform | Location of Requirements Information |
---|---|
Windows | Installation and Configuration Guide for NetIQ Secure Configuration Manager Windows Agent |
UNIX and Linux | Installation and Configuration Guide for NetIQ Secure Configuration Manager UNIX Agent |
iSeries | |