2.4 Planning Your Secure Configuration Manager Environment

2.4.1 Deployment Considerations

You can choose one of the following deployment types based on the size of your IT environment.

All-in-One Deployment

For small enterprises of 50 computers or fewer, you can install all Secure Configuration Manager components on one computer. You can then install additional consoles on other computers as needed.

Distributed Deployment

For larger enterprises, install Core Services and the Secure Configuration Manager database on separate computers. Then install the console on multiple additional computers to manage the agents and other Secure Configuration Manager components.

NetIQ does not recommend or support installing Secure Configuration Manager components on domain controllers for the following reasons:

  • When you create a local group on a domain controller, the end result is a domain group. The local group needed to handle authentication is not created.

  • This configuration can also cause performance issues because the domain controller is very busy even if you do not install Secure Configuration Manager components on that computer.

Multiple Core Services

You also have the option to install Core Services on multiple computers. In this configuration, you can install Core Services and the database on the same computer, or install the database on one computer, install Core Services on other computers, and enable those Core Services computers to connect to the database.

To install Secure Configuration Manager in the multiple Core Services setup, please contact Technical Support.

Having multiple Core Services allows you to divide managed resources, or endpoints, into managed groups based on business units or other organizational needs. Resources managed by one Core Services computer are completely separate from resources managed by a different Core Services.

This configuration may be appropriate if your organization needs to maintain a high level of internal security. For more information, see Multiple Core Services Requirements.

Depending on the agents you are deploying, you may be able to share registered agents between Core Services. For more information, see Section 3.3, Working with Multiple Core Services.

2.4.2 Supported Configurations

Support for Non-English Language Operating System and Database Versions

Secure Configuration Manager supports Microsoft Windows in English, French, German, and Spanish, and Microsoft SQL Server in United States - English. Ensure that the language version for the Microsoft Windows operating system is the same across all computers where you install the console, Core Services, and database.

FIPS Communication

Secure Configuration Manager supports Federal Information Processing Standard (FIPS 140-2) communication among the product components. FIPS 140-2 standards regulate the implementation and communication of cryptographic software. Users working under FIPS guidelines must have Secure Configuration Manager function within a secure FIPS-enabled environment. For more information about configuring components for FIPS communication, see the NetIQ Secure Configuration Manager User Guide and the security agent guides.

NOTE: When you enable Secure Configuration Manager to function in a FIPS-enabled environment, Core Services cannot communicate with iSeries security agents.

2.4.3 Default Ports

Open the following ports on the firewall for proper communication between Secure Configuration Manager components. Each entry gives the port number, the component computer on which the port is used, and the port use.

  • Port 700 (Security Agent for Windows, Deployment Agent): Used by the Deployment Agent and remote computer during deployment.

  • Port 1433 (Database): Used by Microsoft SQL Server if you are using a default instance of SQL Server. This port is also used by the console to listen for communication from the database. When used by Core Services, the port uses bi-directional communications to communicate with the console and the database.

  • Port 1621 (Core Services): Used by Core Services to listen for communication from the Windows agent when both the agent and the Core Services computer are in FIPS mode.

  • Port 1622 (Security Agent for Windows): Used by the Windows agent to listen for communications from Core Services. This port uses bi-directional communications.

  • Port 1622 (Security Agent for iSeries): Used by NetIQ Security Solutions for iSeries PSAudit and PSSecure to listen for communication from Core Services. Core Services uses this port to run reports and actions. This port uses bi-directional communications.

  • Port 1622 (UNIX Agent): Used by the UNIX agent to listen for communication from Core Services. Core Services uses this port to run reports and actions. This port uses bi-directional communications.

  • Port 1626 (Core Services): Used by Core Services to communicate with agents using the SSL (Secure Sockets Layer) protocol. Agents include Windows, UNIX, and iSeries agents. SSL is a protocol developed by Netscape for ensuring security and privacy in Internet communications. SSL uses a private key to encrypt data that is transferred over the SSL connection.

  • Port 1627 (Core Services): Used by Core Services to listen for communication from the Security Agent for Windows or UNIX.

  • Port 8044 (Core Services): Used by Core Services to communicate with the console computer. This port uses bi-directional communications.

  • Port 8044 (Web Server): Used by the Web server that is embedded in Core Services. The Web server uses port 8044 by default, but this port is configurable.

  • Port 2005 (Security Agent for Windows): Used by the Windows agent to interact with the utility tools in Secure Configuration Manager. Ensure that this port is reserved for Secure Configuration Manager.

NOTE: If this port is already reserved and not available for Secure Configuration Manager, you can use any other free port, but ensure that you change the port number in the HKEY_LOCAL_MACHINE\SOFTWARE\NetIQ\VigilEnt registry key accordingly.

NOTE: If you are using non-default ports, ensure that those ports are available and are open on the firewall.
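The following PowerShell is an added example, not NetIQ's code: it turns the port list above into inbound Windows Firewall rules scoped by the role a computer plays, and gives a reachability check you can run from a peer computer. The port numbers come from the list; the role names, rule names, and the LocalSubnet default scope are assumptions.

```powershell
# Added example, not NetIQ's code: Windows Firewall rules and reachability checks
# for the Secure Configuration Manager default ports. Port numbers are from the
# Default Ports list; role names, rule names and the LocalSubnet scope are assumed.

# Default listening ports grouped by the role a computer plays.
$ScmPorts = @{
    CoreServices = @(
        @{ Port = 1621; Use = 'Listener for Windows agents when both sides are in FIPS mode' },
        @{ Port = 1626; Use = 'SSL communication with Windows, UNIX and iSeries agents' },
        @{ Port = 1627; Use = 'Listener for the Security Agent for Windows or UNIX' },
        @{ Port = 8044; Use = 'Console communication and embedded Web server (configurable)' }
    )
    Database = @(
        @{ Port = 1433; Use = 'Microsoft SQL Server default instance' }
    )
    WindowsAgent = @(
        @{ Port = 700;  Use = 'Deployment Agent and remote computer during deployment' },
        @{ Port = 1622; Use = 'Listener for communication from Core Services' },
        @{ Port = 2005; Use = 'Utility tools; reserve this port for Secure Configuration Manager' }
    )
    UnixAgent    = @( @{ Port = 1622; Use = 'Listener for communication from Core Services' } )
    iSeriesAgent = @( @{ Port = 1622; Use = 'PSAudit/PSSecure listener for Core Services' } )
}

function Add-ScmFirewallRules {
    # Creates inbound TCP allow rules for one Windows role (run in an elevated session).
    # Scope the rules to the addresses of the peer components rather than "Any".
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('CoreServices', 'Database', 'WindowsAgent')]
        [string]$Role,
        [string[]]$RemoteAddress = @('LocalSubnet')   # assumed default; narrow it to your subnets
    )
    foreach ($entry in $ScmPorts[$Role]) {
        $name = "SCM $Role TCP $($entry.Port)"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$name' already exists, skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess($name, 'Create inbound firewall rule')) {
            New-NetFirewallRule -DisplayName $name -Description $entry.Use `
                -Direction Inbound -Action Allow -Protocol TCP -LocalPort $entry.Port `
                -RemoteAddress $RemoteAddress | Out-Null
        }
    }
}

function Test-ScmPorts {
    # From a peer computer, report whether each port for the given role answers.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)]
        [ValidateSet('CoreServices', 'Database', 'WindowsAgent', 'UnixAgent', 'iSeriesAgent')]
        [string]$Role
    )
    foreach ($entry in $ScmPorts[$Role]) {
        $open = Test-NetConnection -ComputerName $ComputerName -Port $entry.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Computer = $ComputerName; Port = $entry.Port; Use = $entry.Use; Reachable = $open }
    }
}

# Usage (host names are hypothetical):
# Add-ScmFirewallRules -Role CoreServices -RemoteAddress '10.0.0.0/24' -WhatIf
# Add-ScmFirewallRules -Role CoreServices -RemoteAddress '10.0.0.0/24' -Verbose
# Test-ScmPorts -ComputerName coreservices01 -Role CoreServices | Format-Table
```

Use -WhatIf first to review the rules before they are created. UNIX and iSeries agents are not Windows hosts, so they appear only in Test-ScmPorts; open port 1622 on those systems with their own firewall tooling. If you changed port 2005 or the Web server port as the notes above describe, update the port map to match.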

2.4.4 Planning to Install Your Database

This section provides requirements, recommendations, and configuration information for the Secure Configuration Manager database computer. The size of your Secure Configuration Manager database and the number of concurrent connections can affect console performance.

Database Computer Requirements

This section provides hardware, software, and permissions requirements for installing the Secure Configuration Manager database.

The requirements and recommendations for the database computer are as follows:

  • Processor, Disk Space, Memory: See the hardware recommendations for the Secure Configuration Manager database on the NetIQ Secure Configuration Manager Technical Information web page.

  • Database, Operating System: See the NetIQ Secure Configuration Manager Technical Information page for the Secure Configuration Manager database.

  • Port: See database port information in Section 2.4.3, Default Ports.

Using the Database in a Cluster Environment

You can install the Secure Configuration Manager database in a Microsoft SQL Server cluster environment. While installing the database, provide the clustered SQL Server name when prompted for the database server name.

If you are installing the Secure Configuration Manager in a distributed environment or in a cluster environment, ensure the following:

  • You have write permissions to the data and log file locations of the SQL Server data directory.

  • DNS name resolution is available, so that a DNS server can be queried for the IP address associated with a host name and for the host name associated with an IP address (forward and reverse lookup).

Installing and Configuring Microsoft SQL Server

The Secure Configuration Manager database computer requires that Microsoft SQL Server or Microsoft SQL Server Express use mixed-mode authentication. Non-U.S. language versions of SQL Server and SQL Server Express are not supported. For more information about supported SQL Server versions, see Database Computer Requirements.

Follow the instructions provided in the Microsoft SQL Server documentation to install the database software.

NOTE: Named instances cannot contain special characters. If you are using a named instance that contains special characters, rename the database instance so that it does not contain special characters.

Configuring the SQL Server Browser Service

To complete the Secure Configuration Manager installation, the Browser Service must be running in SQL Server or SQL Server Express.

To verify the SQL Server or SQL Server Express Browser Service is running:

  1. Open SQL Server Configuration Manager.

  2. In the left pane, select the SQL Server services.

  3. In the right pane, ensure that SQL Server Browser is set to Running.

  4. (Conditional) If the SQL Server Browser is stopped, select SQL Server Browser, and on the Action menu, click Start.

Configuring the SQL Server TCP/IP Protocol

To complete the Secure Configuration Manager installation, the TCP/IP protocol must be enabled in SQL Server or SQL Server Express.

To verify the SQL Server TCP/IP protocol is enabled:

  1. Open SQL Server Configuration Manager.

  2. In the left pane, expand SQL Server Network Configuration and select Protocols for MSSQLSERVER.

  3. In the right pane, ensure that TCP/IP is set to Enabled.

  4. (Conditional) If the TCP/IP protocol is disabled, select TCP/IP, and on the Action menu, click Enable.
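The PowerShell function below is an added example, not NetIQ's code. It checks, in one pass, the SQL Server prerequisites this section lists: a named instance without special characters, mixed-mode authentication, the TCP/IP protocol enabled, write access to the data and log directories, the SQL Server Browser service running, forward and reverse DNS resolution of the server name, and the database port reachable. The registry locations are the standard SQL Server ones; the instance name, server name, and port defaults are assumptions for a default instance and should be overridden for a named instance or a cluster.

```powershell
# Added example, not NetIQ's code: pre-install checks for the Secure Configuration
# Manager database computer. Registry paths are standard SQL Server locations;
# the defaults below assume a default instance on the local computer.

function Test-ScmDatabasePrerequisites {
    [CmdletBinding()]
    param(
        [string]$InstanceName = 'MSSQLSERVER',       # for a named instance, pass its name
        [string]$ServerName   = $env:COMPUTERNAME,   # in a cluster, the clustered SQL Server name
        [int]$Port            = 1433                 # see Section 2.4.3, Default Ports
    )
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. Named instances must not contain special characters.
    Add-Result 'Instance name' ($InstanceName -match '^[A-Za-z0-9_]+$') $InstanceName

    # 2. Map the instance name to its registry hive (for example MSSQL15.MSSQLSERVER).
    $sqlRoot    = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
    $instanceId = (Get-ItemProperty "$sqlRoot\Instance Names\SQL" -ErrorAction SilentlyContinue).$InstanceName
    Add-Result 'Instance installed' ($null -ne $instanceId) $(if ($instanceId) { $instanceId } else { 'not found' })

    if ($instanceId) {
        $engine = Get-ItemProperty "$sqlRoot\$instanceId\MSSQLServer" -ErrorAction SilentlyContinue
        # 3. Mixed-mode authentication: LoginMode 2 = SQL Server and Windows authentication.
        Add-Result 'Mixed-mode authentication' ($engine.LoginMode -eq 2) "LoginMode=$($engine.LoginMode)"
        # 4. TCP/IP protocol enabled for this instance.
        $tcp = Get-ItemProperty "$sqlRoot\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp" -ErrorAction SilentlyContinue
        Add-Result 'TCP/IP enabled' ($tcp.Enabled -eq 1) "Enabled=$($tcp.Enabled)"
        # 5. Write access to the data and log directories (required for distributed and cluster installs).
        $setup = Get-ItemProperty "$sqlRoot\$instanceId\Setup" -ErrorAction SilentlyContinue
        $dirs  = @($engine.DefaultData, $engine.DefaultLog) | Where-Object { $_ } | Select-Object -Unique
        if (-not $dirs -and $setup.SQLDataRoot) { $dirs = @(Join-Path $setup.SQLDataRoot 'DATA') }
        if (-not $dirs) { Add-Result 'Write access to data/log directories' $false 'directories not found in registry' }
        foreach ($dir in $dirs) {
            $writable = $false
            try {
                $probe = Join-Path $dir "scm-probe-$PID.tmp"
                New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
                Remove-Item -LiteralPath $probe -Force
                $writable = $true
            } catch { }
            Add-Result "Write access to $dir" $writable $dir
        }
    }

    # 6. The SQL Server Browser service must be running.
    $browser = Get-Service -Name SQLBrowser -ErrorAction SilentlyContinue
    Add-Result 'SQL Server Browser running' ($browser.Status -eq 'Running') $(if ($browser) { "$($browser.Status)" } else { 'service not found' })

    # 7. Forward and reverse DNS resolution of the database server name.
    try {
        $ip  = (Resolve-DnsName -Name $ServerName -Type A -ErrorAction Stop)[0].IPAddress
        $ptr = (Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop)[0].NameHost
        Add-Result 'DNS forward/reverse lookup' ($null -ne $ptr) "$ServerName -> $ip -> $ptr"
    } catch {
        Add-Result 'DNS forward/reverse lookup' $false $_.Exception.Message
    }

    # 8. The database port answers (also confirms the firewall rule from Default Ports).
    $open = Test-NetConnection -ComputerName $ServerName -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
    Add-Result "TCP port $Port reachable" $open "${ServerName}:$Port"

    return $results
}

# Usage: Test-ScmDatabasePrerequisites | Format-Table -AutoSize
# Named instance in a cluster (hypothetical names):
# Test-ScmDatabasePrerequisites -InstanceName SCM -ServerName sqlcluster01
```

Run it on the database computer as the account that will perform the installation, so the write-access probe reflects that account's effective permissions. A named instance listens on a port other than 1433 assigned at startup, which is why the Browser service check matters for named instances; pass that port explicitly if you have fixed it.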

2.4.5 Planning to Install Your Core Services

This section provides hardware, software, and permissions requirements for Core Services computers.

Core Services Computer Requirements

When planning to install Core Services, take into account the following considerations:

  • Secure Configuration Manager supports IPv4 and IPv6 addresses, but uses IPv4 addresses for communication among the console, Core Services, and the Secure Configuration Manager database. The Core Services computer must be configured for IPv4 addresses at a minimum. Alternatively, you can set up the Core Services computer as a dual-stack host to support both IPv4 and IPv6 addresses.

The requirements and recommendations for the Core Services computer are as follows:

  • Processor, Disk Space, Memory: See the hardware recommendations for Secure Configuration Manager Core Services on the NetIQ Secure Configuration Manager Technical Information web page.

  • Operating System, Additional Software: See the NetIQ Secure Configuration Manager Technical Information page for Secure Configuration Manager Core Services.

  • Ports: See Core Services ports information in Section 2.4.3, Default Ports.

Multiple Core Services Requirements

If you plan to install more than one Core Services computer, each Core Services computer must meet the requirements specified in this section. In addition, depending on the agents you deploy, you might need to complete an additional step to enable multiple Core Services to communicate with registered agents.

Windows, UNIX, and iSeries agents support shared secret authentication. Therefore, you must export the domain keys from your first Core Services, and the other Core Services must import those keys to communicate with those agents. For more information, see Section 3.3, Working with Multiple Core Services.

2.4.6 Planning to Install Secure Configuration Manager Consoles

This section provides hardware, software, and permissions requirements for the Secure Configuration Manager console computer.

Console Computer Requirements

This section provides requirements for a Secure Configuration Manager environment. When planning to install the console, take into account the following considerations:

  • Running more than 10 active consoles concurrently can reduce product performance.

  • The size of your Secure Configuration Manager database and the number of concurrent connections can affect console performance. You can adjust the refresh period to improve performance. For more information, see the NetIQ Secure Configuration Manager User Guide.

  • Secure Configuration Manager supports IPv4 and IPv6 addresses, but uses IPv4 addresses for communication among the console, Core Services, and the Secure Configuration Manager database. The console computer must be configured for IPv4 addresses at a minimum. Alternatively, you can set up the console computer as a dual-stack host to support both IPv4 and IPv6 addresses.

The requirements for console computers are as follows:

  • Processor, Disk Space, Memory, Monitor: See the hardware recommendations for the Secure Configuration Manager console on the NetIQ Secure Configuration Manager Technical Information web page.

  • Operating System, Additional Software: See the NetIQ Secure Configuration Manager Technical Information page for the Secure Configuration Manager console.

Usage Permissions

The Windows user account you use to run the console must be one of the following:

  • Member of the local Administrators group

  • Account with write permissions to the NetIQ\Secure Configuration Manager folder and its subfolders

If you are running the console on the database computer, your account must have write permissions to the NetIQ\Secure Configuration Manager folder and its subfolders and must be a member of the VigilEnt_Users group.
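The following PowerShell function is an added example, not NetIQ's code. Run as the user who will operate the console, it reports whether that account satisfies the usage permissions above: local Administrators membership, write access to the NetIQ\Secure Configuration Manager folder, and, for a console on the database computer, membership of the VigilEnt_Users group. The installation base path used as the default is an assumption; pass -ConsoleFolder with your actual location.

```powershell
# Added example, not NetIQ's code: checks the console usage permissions for the
# current user. The default install base path is assumed; VigilEnt_Users is the
# group named in this section.

function Test-ScmConsolePermissions {
    [CmdletBinding()]
    param(
        # Assumed default location; override with the folder the installer created.
        [string]$ConsoleFolder = (Join-Path ${env:ProgramFiles(x86)} 'NetIQ\Secure Configuration Manager'),
        [switch]$OnDatabaseComputer   # set when the console runs on the database computer
    )
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)

    # In a non-elevated session an administrator's token carries the Administrators
    # SID as deny-only, so this reports $false until the session is elevated.
    $isAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Probe write access by creating and deleting a file: this exercises the
    # effective ACL instead of interpreting DACL entries by hand.
    $canWrite = $false
    if (Test-Path -LiteralPath $ConsoleFolder) {
        try {
            $probe = Join-Path $ConsoleFolder "scm-write-probe-$PID.tmp"
            New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
            Remove-Item -LiteralPath $probe -Force
            $canWrite = $true
        } catch { $canWrite = $false }
    }

    # Group membership is read from the logon token, so a user who was just added
    # to VigilEnt_Users must log off and on again before this reports $true.
    $inVigilEntUsers = $false
    try {
        $sid = ([System.Security.Principal.NTAccount]"$env:COMPUTERNAME\VigilEnt_Users").Translate(
                   [System.Security.Principal.SecurityIdentifier])
        $inVigilEntUsers = [bool]($identity.Groups | Where-Object { $_ -eq $sid })
    } catch { }   # the group does not exist on this computer

    # Requirement from this section: admin OR folder write access; on the database
    # computer, folder write access AND VigilEnt_Users membership.
    $meets = if ($OnDatabaseComputer) { $canWrite -and $inVigilEntUsers } else { $isAdmin -or $canWrite }

    [pscustomobject]@{
        User                = $identity.Name
        LocalAdministrator  = $isAdmin
        WriteAccessToFolder = $canWrite
        VigilEntUsersMember = $inVigilEntUsers
        ConsoleFolder       = $ConsoleFolder
        MeetsRequirements   = $meets
    }
}

# Usage:
# Test-ScmConsolePermissions
# Test-ScmConsolePermissions -OnDatabaseComputer -ConsoleFolder 'D:\NetIQ\Secure Configuration Manager'
```

Granting write access to the console folder is the least-privilege option of the two; prefer it over adding console users to the local Administrators group, and keep the folder's ACL limited to the accounts that actually run the console.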

2.4.7 Planning to Install Agents

This section provides requirements information for agent computers.

Supported Agent Versions

For the list of agent versions supported by Secure Configuration Manager, see the NetIQ Secure Configuration Manager Technical Information page.

Agent Computer Requirements

In Secure Configuration Manager, platform represents the type of endpoint. The requirements for agent computers vary depending on the platform.

The following table lists the agent platforms that Secure Configuration Manager supports and where you can find the requirements for those platforms.