
IDP Installation Manual (IDP 4.0)

Contents

1 Installing NSM Server
  1.1 Minimum system requirements
  1.2 Running the system update patch
  1.3 Installing the NSM Server software
2 Installing the NSM client (UI)
  2.1 Minimum client requirements
  2.2 Installing the User Interface
3 Configuring the IDP Sensor
  3.1 Initializing the IDP Sensor
  3.2 CLI commands you may need

1 Installing NSM Server

1.1 Minimum system requirements

First, choose a server on which to install NSM Server. Its minimum requirements are as follows:

| Component | Minimum Requirements |
| Operating System | Solaris 8, Solaris 9 operating system, OR Red Hat Enterprise Linux (ES/AS) 3.0-Update 5 or 4.0-Update 1 |
| CPU | Sun Microsystems UltraSPARC IIi 500MHz (or higher), OR Linux 1GHz (x86) processor (or higher) |
| RAM | 1GB (or higher); 2GB+ (depending on the number of managed devices and configuration size) |
| Swap Space | 4 GB for both GUI Server and Device Server |
| Storage | IDE Hard Disk Drive with 10K rpm (minimum); 15K rpm (recommended); 18 GB disk space (minimum); 40 GB disk space (recommended) |
| Network Connection | 100MBps NIC Ethernet adapter |
| Other | Server must be dedicated to running NetScreen-Security Manager |

1.2 Running the system update patch

Before installing NSM Server, you must first install a system update patch named "systemupdate-linux" (for the Linux platform); otherwise NSM will not install correctly. The file is on the CD shipped with the product. Each version of the system update patch carries its version number at the front of the file name. It is recommended to install the patch under /usr: extract it and run it. The commands are:

    # decompress the file
    tar xfv systemupdate-nsm-linux.tar
    # run the file

Running it creates a directory named "systemupdate". Change into that directory and run the update script:

    cd /systemupdate    # change into the directory
    ./update.sh         # run the update script

When prompted, press Enter to confirm, then wait for the script to finish. The process takes about 20 minutes.

(In practice it does not take that long.)

1.3 Installing the NSM Server software

Once the patch is installed, NSM can be installed on the platform. First copy the NSM software to the server (the /tmp directory is recommended), then run the installer directly. On Linux, run:

    sh nsm2006.1r2_servers_linux_x86.sh

The installation wizard then asks a few simple questions in turn and performs the installation automatically. Installing with the default settings is strongly recommended, because it makes later maintenance much easier. Typical output is shown below; lines beginning with // are this manual's annotations, not installer output.

    Creating staging directory...ok

    # PERFORMING PRE-INSTALLATION TASKS #
    Running preinstallcheck.
    Checking if platform is valid...ok
    Checking for correct intended platform...ok
    Checking if all needed binaries are present...ok
    Checking for platform-specific binaries...ok
    Checking for PostgreSQL...ok
    Checking if user is root...ok
    Checking if user root exists...ok
    Checking if system meets RAM requirement...ok
    Checking for sufficient disk space...ok
    Checking if RPM binary is the minimum version...ok
    Noting OS name...ok
    Stopping any running servers

    # GATHERING INFORMATION #
    1) Install Device Server only
    2) Install GUI Server only
    3) Install both Device Server and GUI Server
    Enter selection (1-3) 3
    // Install both Device Server and GUI Server: choose 3. (Users are unlikely to
    // install the two servers on two separate machines; that would be wasteful
    // and harder to maintain.)

    # GENERAL SERVER SETUP DETAILS #
    Will this machine participate in an HA cluster? (y/n) n n
    // Whether to deploy in HA mode: choose no.

    # DEVICE SERVER SETUP DETAILS #
    The Device Server stores all of the user data under a single directory.
    By default, this directory is /var/netscreen/DevSvr. Because the user data (including logs and policies) can grow to be quite large, it is sometimes desirable to place this data in another partition.
    Please enter an alternative location for this data if so desired, or press ENTER for the location specified in the brackets.
    Enter data directory location /var/netscreen/DevSvr
    // Directory where the Device Server stores user data; press Enter to use the default.

    # GUI SERVER SETUP DETAILS #
    The GUI Server stores all of the user data under a single directory.
    By default, this directory is /var/netscreen/GuiSvr. Because the user data (including database data and policies) can grow to be quite large, it is sometimes desirable to place this data in another partition.
    Please enter an alternative location for this data if so desired, or press ENTER for the location specified in the brackets.
    Enter data directory location /var/netscreen/GuiSvr
    // Directory where the GUI Server stores all user data; press Enter to use the default.
    The GUI Server stores all of the database logs under a single directory.
    By default, this directory is /var/netscreen/GuiSvr/xdb/log. Because the database log can grow to be quite large, it is sometimes desirable to place this log in another partition.
    Please enter an alternative location for this log if so desired, or press ENTER for the location specified in the brackets.
    Enter database log directory location /var/netscreen/GuiSvr/xdb/log
    // Directory where the GUI Server stores log data; press Enter to use the default.
    Enter the management IP address of this server
    // Assign an IP address to NSM. The NSM client needs the NSM Server's IP address to reach NSM.
    Setting GUI Server address and port to x.:7801 for Device Server
    Please enter a password for the super user
    Enter password (password will not display as you type)
    // Set the password for the super user; it is not echoed as you type. This is the
    // password entered when accessing NSM from the NSM client.
    Please enter again for verification
    Enter password (password will not display as you type)
    // Confirm the password.
    Will a Statistical Report Server be used with this GUI Server? (y/n) n n

    # HIGH AVAILABILITY (HA) SETUP DETAILS #
    Will server processes need to be restarted automatically in case of a failure? (y/n) y
    // Whether to restart server processes if they fail: choose yes.

    # BACKUP SETUP DETAILS #
    Will this machine require local database backups? (y/n) y
    Enter hour of day to start the database backup (00 = midnight, 02 = 2am, 14 = 2pm .) 02
    Will daily backups need to be sent to a remote machine? (y/n) n
    Enter number of database backups to keep 7
    Enter the rsync backup timeout 1800
    Will logging be enabled? (y/n) n
    Enter database backup directory /var/netscreen/dbbackup
    The database backup server(s) requires that you have previously installed the rsync program.
    Enter the full path to rsync /usr/bin/rsync
    // Configure local database backup (backup to another, remote device); optional.

    # DEVSVR DB SETUP DETAILS #
    Enter Postgres DevSvr Db port 5432
    Enter Postgres DevSvr Db super user netscreen
    Enter Postgres DevSvr Db password for user netscreen
    Enter password (password will not display as you type)
    Please enter again for verification
    Enter password (password will not display as you type)

    # POST-INSTALLATION OPTIONS #
    Start server(s) when finished? (y/n) y
    // Whether to start the services once installation completes: choose yes.

    # CONFIRMATION #
    About to proceed with the following actions:
    - Install Device Server
    - Install GUI Server
    - Install High Availability Server
    - This machine does not participate in an HA cluster
    - Store Device Server data in /var/netscreen/DevSvr
    - Store GUI Server data in /var/netscreen/GuiSvr
    - Store GUI Server database log in /var/netscreen/GuiSvr/xdb/log
    - Use IP address 19 for management
    - Connect to GUI Server at 19:7801
    - Set password for super user
    - Servers will be restarted automatically in case of a failure
    - Local database backups are enabled
    - Start backups at 02
    - Daily backups will not be sent to a remote machine
    - Number of database backups to keep: 7
    - HA rsync command backup timeout: 1800
    - Logging is disabled: n
    - Create database backup in /var/netscreen/dbbackup
    - Use rsync program at /usr/bin/rsync
    - Postgres DevSvr Db Server port: 5432
    - Postgres DevSvr Db super user: netscreen
    - Postgres DevSvr Db password set for netscreen
    - Start server(s) when finished: Yes
    Are the above actions correct? (y/n) y
    // Confirm the settings entered. Choose yes to confirm, or no to change them.

    # EXTRACTING PAYLOADS #
    Extracting payload...ok
    Decompressing payload...ok

    # PERFORMING INSTALLATION TASKS #
    INSTALLING Device Server
    Looking for existing RPM package...ok
    Removing DevSvr files from default location...ok
    Installing Device Server RPM...ok
    Installing JRE...ok
    Creating var directory...ok
    Creating /var/netscreen/dbbackup...ok
    Putting NSROOT into start scripts...ok
    Filling in Device Server config file(s)...ok
    Setting permissions for Device Server...ok
    Setting up PostgreSQL for DevSvr...ok
    Installation of Device Server complete.
    // Device Server installed successfully.

    INSTALLING GUI Server
    Copying dbbackup data to the installer backup directory...ok
    Looking for existing RPM package...ok
    Removing GuiSvr files from default location...ok
    Installing GUI Server RPM...ok
    Installing JRE...ok
    Creating var directory...ok
    Creating /var/netscreen/dbbackup...ok
    Putting NSROOT into start scripts...ok
    Filling in GUI Server config file(s)...ok
    Setting permissions for GUI Server...ok
    Running generateMPK utility...ok
    Running fingerprintMPK utility...ok
    Installation of GUI Server complete.
    // GUI Server installed successfully.

    INSTALLING HA Server
    Looking for existing RPM package...ok
    Removing HaSvr files from default location...ok
    Installing HA Server RPM...ok
    Creating var directory...ok
    Putting NSROOT into start scripts...ok
    Filling in HA Server config file(s)...ok
    Setting permissions for HA Server...ok
    Installation of HA Server complete.
    // HA Server installed successfully.

    SETTING START SCRIPTS
    Enabling Device Server start script...ok
    Enabling GUI Server start script...ok
    Enabling HA Server start script...ok

    # PERFORMING POST-INSTALLATION TASKS #
    Running nacnCertGeneration...ok
    Removing staging directory...ok
    Starting GUI Server...ok
    Starting Device Server...ok
    Starting HA Server...ok

    NOTES:
    - Installation log is stored in /usr/netscreen/DevSvr/var/errorLog/netmgtInstallLog.20051026152408
    // The installation log is recorded automatically.
    - This is the GUI Server fingerprint:
    B4:F4:62:A1:DE:20:12:94:E7:47:31:93:2C:EC:BC:CA:FA:E4:36:02
    You will need this for verification purposes when logging into the GUI Server. Please make a note of it.
    - If you are managing ScreenOS 4.x devices, you need to install the tftp-server RPM on this system. The TFTP server is used by the management server to update firmware images on 4.x devices. The root directory for the TFTP server must be set to /usr/netscreen/DevSvr/var/cache.
    // A successful installation produces all of the output above.

2 Installing the NSM client (UI)

2.1 Minimum client requirements

| Component | Minimum Requirement |
| Software | Microsoft Windows XP, OR Microsoft Windows NT Workstation/Server 4.0, Service Pack 6a or higher, OR Microsoft Windows 2000 Server, Advanced Server, or Professional editions OR Red Hat Enterprise Linux ES 3.0 or 4.0, Red Hat Enterprise Linux AS; US English versions only |
| Hardware | IBM compatible PC; 400MHz Pentium II or equivalent (minimum); 700 MHz Pentium II or equivalent (recommended); RAM: 256 MB (minimum); 512 MB or above (recommended); 384kbps (DSL) or LAN connection - minimum bandwidth required to connect to the NetScreen-Security Manager management system. |

2.2 Installing the User Interface

First copy the NSM client software to the PC. It is an .exe file: double-click it to run it, then follow the installation wizard, clicking Next at each step to complete the installation. When installation is finished, double-click the NSM icon and enter the NSM Server's IP address, the user name and the password to log in to the NSM server. The NSM login screen is as follows:

NSM exists to manage the IDP. Once the NSM server and client are installed, the IDP itself still has to be configured; otherwise NSM cannot recognize it. The rest of this manual describes that configuration.

3 Configuring the IDP Sensor

3.1 Initializing the IDP Sensor

A Juniper IDP appliance (also called an IDP Sensor) has a default management address. Entering that address in a browser opens the appliance's Web UI, where the initial configuration is done. The default user name is root and the password is abc123, as shown in the figure:

The Juniper IDP Sensor provides two configuration wizards: QuickStart and ACM (Appliance Configuration Manager). After logging in to the IDP, choose either one to carry out the setup. QuickStart is a quick configuration tool for simple settings such as the management IP, subnet mask, default route and time, and for enabling Inline mode or Sniffer mode. ACM allows more advanced settings, such as changing the root administrator password, forcing port speed, configuring DNS, enabling bypass, and deciding whether a port forwards traffic.
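The installer NOTES in section 1.3 print a GUI Server fingerprint and ask you to keep it for verification when logging in. The following is an added example, not part of the original manual or of NSM: it extracts that fingerprint from saved installer console output and compares it with the value displayed at login. It assumes the console output was captured to a string or file; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: tail of saved installer console output. The fingerprint
# is the one printed in the transcript on this page; the line wrap after
# "DE:" is deliberate, to mimic a capture that broke the line.
SAMPLE_NOTES = """NOTES:
- This is the GUI Server fingerprint:
B4:F4:62:A1:DE:
20:12:94:E7:47:31:93:2C:EC:BC:CA:FA:E4:36:02
You will need this for verification purposes when logging into the GUI Server.
"""

FP_BYTES = 20  # the transcript shows 20 colon-separated hex octets


def normalize(fp: str) -> str:
    """Reduce a fingerprint to lowercase hex; reject anything malformed."""
    hexonly = re.sub(r"[\s:\-]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % (FP_BYTES * 2), hexonly):
        raise ValueError("not a %d-byte hex fingerprint: %r" % (FP_BYTES, fp))
    return hexonly


def fingerprint_from_install_output(text: str) -> str:
    """Pull the fingerprint that follows the installer's NOTES marker."""
    marker = "This is the GUI Server fingerprint:"
    start = text.find(marker)
    if start < 0:
        raise ValueError("fingerprint marker not found in installer output")
    # Octets may wrap across lines, so allow whitespace after each colon.
    m = re.match(r"\s*((?:[0-9A-Fa-f]{2}:\s*)+[0-9A-Fa-f]{2})",
                 text[start + len(marker):])
    if not m:
        raise ValueError("no fingerprint after marker")
    return normalize(m.group(1))


def login_fingerprint_matches(install_output: str, shown_at_login: str) -> bool:
    """True only if the value shown at login equals the recorded one."""
    recorded = fingerprint_from_install_output(install_output)
    return recorded == normalize(shown_at_login)
```

A mismatch, or a value that fails `normalize`, means the client should not proceed with the login until the server's identity has been confirmed another way.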
