McAfee® Network Security Platform: Network Security Manager version 5.1

Manager Installation Guide
revision 7.0







McAfee®
Network Protection
Industry-leading network security solutions





McAfee® Network Security Platform
Network Security Manager
version 5.1






COPYRIGHT
Copyright ® 2001 - 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into
any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARKS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N),
ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION
THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA),
NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN,
VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or
its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks
herein are the sole property of their respective owners.
LICENSE AND PATENT INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH
THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED,
PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING
OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE
FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL
THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
This product includes or may include:
* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( * Cryptographic software written by Eric A. Young and software written by
Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses
which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for
any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such
software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software
program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. * Software originally written by
Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier. * Software written by
Douglas W. Sauder. * Software developed by the Apache Software Foundation ( A copy of the license agreement for this software can be found at
www.apache.org/licenses/LICENSE-2.0.txt. * International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others. *
Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. * FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin,
Germany. * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. * Software copyrighted by
Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000. * Software copyrighted by Expat maintainers. * Software copyrighted by The Regents of the
University of California, (C) 1996, 1989, 1998-2000. * Software copyrighted by Gunnar Ritter. * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
California 95054, U.S.A., (C) 2003. * Software copyrighted by Gisle Aas. (C) 1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by
Neil Winton, (C) 1995-1996. * Software copyrighted by RSA Data Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted
by Martijn Koster, (C) 1995. * Software copyrighted by Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by Graham
Barr, (C) 1998. * Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software copyrighted by the Python
Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. * Software copyrighted by Beman
Dawes, (C) 1994-1999, 2002. * Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame. * Software copyrighted by Simone
Bordet & Marco Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the Indiana University Extreme! Lab
( * Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003. * Software developed by the University of
California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall <> for use in the mod_ssl project (http:// www.modssl.org/). * Software
copyrighted by Kevlin Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002. * Software copyrighted by David Abrahams, (C) 2001,
2002. See /> for documentation. * Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000. *
Software copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M. Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. * Software
copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp, (C) 2001. See
for updates, documentation, and revision history. * Software copyrighted by Doug Gregor (), (C) 2001, 2002. * Software copyrighted by
Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Järvi (), (C) 1999, 2000. *
Software copyrighted by Ronald Garcia, (C) 2002. * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001. * Software copyrighted by Stephen
Cleary (), (C) 2000. * Software copyrighted by Housemarque Oy <>, (C) 2001. * Software copyrighted by Paul Moore, (C)
1999. * Software copyrighted by Dr. John Maddock, (C) 1998-2002. * Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter
Dimov, (C) 2001, 2002. * Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. *
Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992. * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003. * Software copyrighted by
Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004. * Software
copyrighted by Simon Josefsson, (C) 2003. * Software copyrighted by Thomas Jacob, (C) 2003-2004. * Software copyrighted by Advanced Software Engineering Limited, (C)
2004. * Software copyrighted by Todd C. Miller, (C) 1998. * Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software
contributed to Berkeley by Chris Torek.




Issued NOVEMBER 2010 / Manager Installation Guide
700-1801-00/ 7.0 - English


Contents

Preface
Introducing McAfee Network Security Platform
About this Guide
Audience
Conventions used in this guide
Related Documentation
Contacting Technical Support

Chapter 1 Introduction to McAfee Network Security Platform
About the Network Security Manager
Manager components
Update Server

Chapter 2 About Network Security Central Manager

Chapter 3 Preparing for installation
Pre-requisites
General settings
Other third-party applications
Browser display settings (Windows)
Server requirements
Client system requirements
Java Runtime Environment (JRE) requirement
Database requirements
Pre-installation recommendations
Planning for installation
Functional requirements
Using anti-virus software with the Manager
User interface responsiveness

Chapter 4 Installing and upgrading the Central Manager/Manager
Installing the Manager
Manager installation with Local Service account privileges
Installing the Central Manager
Sensor license types
Adding a Sensor license
Manually Assigning a Sensor License
Java installation for client systems
Updating or upgrading in Network Security Platform
Upgrading your software
Updating your signature set or Sensor software
Adding a Sensor

Chapter 5 Working with Manager software
Starting Network Security Manager
Accessing Manager from a client machine
Logging onto Network Security Manager
Properly shutting down Network Security Manager services
Starting Network Security Central Manager
Logging onto Central Manager
Properly shutting down Central Manager

Chapter 6 Authenticating Access to the Manager using CAC

Chapter 7 Uninstalling the Manager
Uninstalling using Add/Remove Programs
Uninstalling via script

Index









Preface
This preface provides a brief introduction to the product, discusses the information in this
document, and explains how this document is organized. It also provides information such
as the supporting documents for this guide and how to contact McAfee Technical Support.
Introducing McAfee Network Security Platform
McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most comprehensive, accurate, and scalable Network Access Control (NAC) and network Intrusion Prevention System (IPS) for mission-critical enterprise, carrier, and service provider networks, while providing unmatched protection against spyware and known, zero-day, and encrypted attacks.
McAfee Network Security Platform combines real-time detection and prevention to provide the most comprehensive and effective network IPS in the market.

About this Guide

This guide provides step-by-step instructions for the successful installation of the McAfee® Network Security Manager [formerly McAfee® IntruShield® Security Manager] interface software. When the McAfee Network Security Manager (Manager) software is installed on your target server, you can configure your security system by sending commands through the Manager to all installed McAfee® Network Security Sensors [formerly McAfee® IntruShield® Sensors].
After this guide, read the Manager Configuration Basics Guide, followed by the other Configuration Guides, for implementation.
Note: If you are upgrading to this version of Network Security Platform, we recommend you first review the corresponding Network Security Platform Upgrade Guide.
Audience
This guide is intended for use by network technicians and maintenance personnel who are responsible for installing, configuring, and maintaining the Manager and the McAfee Network Security Sensors (Sensors), but who are not necessarily familiar with NAC or IPS-related tasks, the relationship between tasks, or the commands necessary to perform particular tasks.
Conventions used in this guide

This document uses the following typographical conventions:

Convention: Terms that identify fields, buttons, tabs, options, selections, and commands on the User Interface (UI) are shown in Arial Narrow bold font.
Example: The Service field on the Properties tab specifies the name of the requested service.

Convention: Menu or action group selections are indicated using a right angle bracket.
Example: Select My Company > Admin Domain > Summary.

Convention: Procedures are presented as a series of numbered steps.
Example: On the Configuration tab, click Backup.

Convention: Names of keys on the keyboard are denoted using UPPER CASE.
Example: Press ENTER.

Convention: Text such as syntax, keywords, and values that you must type exactly are denoted using Courier New font.
Example: Type: setup and then press ENTER.

Convention: Variable information that you must type based on your specific situation or environment is shown in italics.
Example: Type: sensor-IP-address and then press ENTER.

Convention: Parameters that you must supply are shown enclosed in angle brackets.
Example: set Sensor ip <A.B.C.D>

Convention: Information that you must read before beginning a procedure or that alerts you to negative consequences of certain actions, such as loss of data, is denoted using this notation.
Example: Caution:

Convention: Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation.
Example: Warning:

Convention: Notes that provide related, but non-critical, information are denoted using this notation.
Example: Note:

Related Documentation
• Quick Tour
• 4.1 to 5.1 Upgrade Guide
• Getting Started Guide
• IPS Deployment Guide
• Manager Configuration Basics Guide
• Administrative Domain Configuration Guide
• Manager Server Configuration Guide
• Sensor CLI Guide
• Sensor Configuration Guide
• IPS Configuration Guide
• NAC Configuration Guide
• Integration Guide
• System Status Monitoring Guide
• Reports Guide
• User-Defined Signatures Guide
• Central Manager Administrator's Guide
• Best Practices Guide
• Troubleshooting Guide
• I-1200 Sensor Product Guide
• I-1400 Sensor Product Guide
• I-2700 Sensor Product Guide
• I-3000 Sensor Product Guide
• I-4000 Sensor Product Guide
• I-4010 Sensor Product Guide
• Gigabit Optical Fail-Open Bypass Kit Guide
• Gigabit Copper Fail-Open Bypass Kit Guide
• Special Topics Guide—In-line Sensor Deployment
• Special Topics Guide—Sensor High Availability
• Special Topics Guide—Virtualization
• Special Topics Guide—Denial-of-Service
Contacting Technical Support
If you have any questions, contact McAfee for assistance:
Online
Contact McAfee Technical Support .
Registered customers can obtain up-to-date documentation, technical bulletins, and quick
tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also
resolve technical issues with the online case submit, software downloads, and signature
updates.
Phone
Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7
Technical Support is available for customers with Gold or Platinum service contracts.
Global phone contact numbers can be found at McAfee Contact Information
/>act/index.html page.
Note: McAfee requires that you provide your GRANT ID and the serial number of
your system when opening a ticket with Technical Support. You will be provided with
a user name and password for the online case submission.







CHAPTER 1
Introduction to McAfee Network Security Platform
This section provides a brief introduction to the components of the McAfee® Network Security Manager [formerly McAfee® IntruShield® Security Manager] and the part it plays in the overall McAfee® Network Security Platform [formerly McAfee® IntruShield®]. The complete McAfee Network Security Platform is a combination of network appliances and software built for Network Access Control (NAC) as well as accurate detection and prevention of intrusions, denial of service (DoS) and distributed denial of service (DDoS) attacks, and network misuse. Network Security Platform combines real-time detection and prevention for the most comprehensive and effective network security system.
Note: For a high-level overview of Network Security Platform IPS components and features, see the Getting Started Guide. For details of the NAC Module of Network Security Platform, see the NAC Configuration Guide.

About the Network Security Manager
McAfee Network Security Manager (Manager) consists of hardware and software resources that are used to configure and manage your Network Security Platform deployment.
Note: From version 5.1.17.2 or above, you do not require a license file to use the Manager. For more details on licenses, refer to the Chapter Licensing in the Best Practices Guide.

Manager components
Manager is a term that represents the hardware and software resources that are used to configure and manage Network Security Platform. The Manager consists of the following components:
• One of the following hardware/OS server platforms:
  - Microsoft Windows Server 2003 - SP2, (32 or 64 bit) Standard Edition, English
  - Microsoft Windows Server 2003 - R2, (32 or 64 bit) Standard Edition, Japanese
  - Microsoft Windows Server 2008 - R2, (64 bit) Standard Edition, English. Note that this platform is supported only for fresh installations of Manager 5.1.11.22 or above.
• the Manager software
• a back end database to persist data (MySQL version 5.0.91)
• a connection to the McAfee® Network Security Update Server [formerly IPS Update Server]

Manager server platform

The Manager server is a dedicated Windows Server hosting the Manager software. You can remotely access the Network Security Platform user interface from a Windows XP or Windows 7 system using Internet Explorer 6.0, 7.0, or 8.0.
Sensors use a built-in 10/100 Management port to communicate with the Manager server. You can connect a segment from a Sensor Management port directly to the Manager server; however, this means you can only receive information from one Sensor (typically, your server has only one 10/100 network port). During Sensor configuration, described in the Sensor CLI Guide, you will establish communication between your Sensor(s) and your Manager server.
Manager software
The Manager software has a Web-based user interface for configuring and managing the
Network Security Platform. Network Security Platform users connect to the Manager
server from a Windows XP or Windows 7 system using the Internet Explorer browser
program. The Network Security Platform user interface runs with Internet Explorer versions
6.0, 7.0, and 8.0. The Manager functions are configured and managed through a GUI
application, the Network Security Platform user interface, which includes complementary
interfaces for system status, system configuration, report generation, and fault
management. All interfaces are logically parts of the Manager program.
Manager has five components:
• Manager Home. The Manager Home page is the first screen displayed after the user logs on to the system. The Manager Home page displays Operational Status (that is, whether all components of the system are functioning properly), the number of unacknowledged alerts in the system, and the configuration options available to the current user. Options available within the Manager Home page are determined by the current user's assigned role(s). The Manager Home page is refreshed every 5 seconds by default.
• Operational Status. The Operational Status page displays the status of Manager, database, and any deployed Sensors, including all system faults.
• Configuration. The Configuration page provides all system configuration options, and facilitates the configuration of your Sensors, failover pairs of Sensors, administrative domains, users, roles, Network Access Control (NAC), attack policies and responses, user-created signatures, and system reports. Access to various activities, such as user management, system configuration, or policy management is based on the current user's role(s) and privileges. For more information on NAC configuration, see NAC Configuration Guide.
• Threat Analyzer. The Threat Analyzer page displays the hosts detected on your network as well as the detected security events that violate your configured security policies. The Threat Analyzer provides powerful drill-down capabilities to enable you to see all of the details on a particular alert, including its type, source and destination addresses, and packet logs where applicable.
• Reports. Users can generate reports for the security events detected by the system and reports on system configuration. Reports can be generated manually or automatically, saved for later viewing, and/or e-mailed to specific individuals.


Other key features of Manager include:
• The Incident Generator: The Incident Generator enables creation of attack incident conditions, which, when met, provide real-time correlative analysis of attacks. Once incidents are generated, view them using the Incident Viewer, which is within the Threat Analyzer tool. For more information on Manager components, see Manager Server Configuration Guide.
• Integration with other McAfee products: You can integrate Network Security Platform with other McAfee products such as McAfee ePolicy Orchestrator (ePO), McAfee® Host Intrusion Prevention [formerly McAfee® Entercept], and so on. Network Security Platform then collaborates with these products to provide you with a comprehensive network security solution. For details, see Integration Guide.
• Integration with third-party products: Network Security Platform enables the use of multiple third-party products for analyzing faults, alerts, and generated packet logs.
• Fault/Alert forwarding and viewing: You have the option to forward all fault management events and actions, as well as IPS alerts, to a third-party application. This enables you to integrate with third-party products that provide trouble ticketing, messaging, or any other response tools you may wish to incorporate. Faults and/or alerts can be forwarded in the following ways:
  - Syslog Server: forward IPS alerts and system faults
  - SNMP Server (NMS): forward IPS alerts and system faults
  - Java API: forward IPS alerts
  - Crystal Reports: view alert data from database via email, pager, or script
• Packet log viewing: view logged packets/flows using third-party software, such as Ethereal.

Manager database
The Manager server operates with an RDBMS (relational database management system)
for storing persistent configuration information and event data. The compatible database is
MySQL (current version 5.0.91).

The Manager server for Windows (only) includes a MySQL database that can be installed
(embedded) on the target Windows server during Manager software installation.
Your MySQL database can be tuned on-demand or by a set schedule via Manager user
interface configuration. Tuning promotes optimum performance by defragmenting split
tables, re-sorting and updating indexes, computing query optimizer statistics, and checking
and repairing tables.
To graphically administer and view your MySQL database, you can download the MySQL administrator from the MySQL Web site.

Update Server
For your Network Security Platform to properly detect and protect against malicious activity, the Manager and Sensors must be frequently updated with the latest signatures and software patches available. Thus, the Network Security Platform team constantly researches and develops performance-enhancing software and attack-detecting signatures that combat the latest in hacking, misuse, and denials of service (DoS). When a severe-impact attack happens that cannot be detected with the current signatures, a new signature update is developed and released. Since new vulnerabilities are discovered regularly, signature updates are released frequently.
New signatures and patches are made available to customers via the McAfee Network Security Update Server (Update Server). The Update Server is a McAfee owned and operated file server that houses updated signature and software files for Managers and Sensors in customer installations. The Update Server securely provides fully automated, real-time signature updates without requiring any manual intervention.

Note: Communication between Manager and the Update Server is SSL-secured.
Configuring software and attack signature updates
You configure interaction with the Update Server using the Manager Configuration page. You can pull updates from the Update Server on demand or you can schedule update downloads. With scheduled downloads, the Manager polls the Update Server (over the Internet) at the desired frequency. If an update has been posted, that update is registered as “Available” in the Manager interface for on-demand download. Once the update is downloaded to the Manager, you can immediately download it (via an encrypted connection) to deployed Sensors or deploy it based on a Sensor update schedule you define. Acceptance of a download is at the discretion of the administrator.
You have a total of five update options:
• Automatic update to Manager, manual update from Manager to Sensors. This option enables Manager server to receive updates automatically, but allows the administrator to selectively apply the updates to the Sensors.
• Manual update to Manager, automatic update from Manager to Sensors. This option enables the administrator to select updates manually, but once the update is selected, it is applied to the Sensors automatically, without reboot.
• Fully manual update. This option allows the security administrator to determine which signature update to apply per update, and when to push the update out to the Sensor(s). You may wish to manually update the system when you make some configuration change, such as updating a policy or response.
• Fully automatic update. This option enables every update to pass directly from the Update Server to the Manager, and from the Manager to the Sensor(s) without any intervention by the security administrator. Note that fully automatic updating still happens according to scheduled intervals.
• Real-time update. This option is similar to fully automatic updating. However, rather than wait for a scheduled interval, the update is pushed directly from Update Server to Manager to Sensor. No device needs to be rebooted; the Sensor does not stop monitoring traffic during the update, and the update is active as soon as it is applied to the Sensor.








CHAPTER 2
About Network Security Central Manager
From release 4.1, McAfee® Network Security Platform [formerly McAfee® IntruShield®] provides a centralized, “manager of managers” capability, named McAfee® Network Security Central Manager [formerly McAfee® IntruShield® Command Center].
McAfee Network Security Central Manager (Central Manager) allows users to create a management hierarchy that centralizes policy creation, management, and distribution across multiple McAfee® Network Security Managers [formerly McAfee® IntruShield® Security Managers]. For example, a policy can be created in Central Manager and synchronized across all McAfee Network Security Managers (Managers) added to that Central Manager. This avoids manual customization of policy at every Manager.
Central Manager provides you with a single sign-on mechanism to manage the authentication of global users across all Managers. McAfee® Network Security Sensor [formerly McAfee® IntruShield® Sensor] configuration and threat analysis tasks are performed at the Manager level.







CHAPTER 3
Preparing for installation
This section describes the McAfee® Network Security Manager (Manager) hardware and software requirements and pre-installation tasks you should perform prior to installing the software.
Unless explicitly stated, the information in this chapter applies to both the McAfee® Network Security Central Manager [formerly McAfee® IntruShield® Command Center] and Manager though the sections refer to Manager.

Pre-requisites
The following sections list Manager installation and functionality requirements for your
operating system, database, and browser.
Caution: We strongly recommend that you also check the corresponding Release
Notes and Network Security Platform 4.1 to 5.1 Upgrade Guide for the hardware/software
requirements.

General settings
• McAfee recommends you use a dedicated server, hardened for security, and placed on its own subnet. This server should not be used for programs like instant messaging or other non-secure Internet functions.
• You must have Administrator/root privileges on your Windows server to properly install the Manager software and the embedded MySQL database that is installed for Windows Managers during Manager installation.
• It is essential that you synchronize the time on the Manager server with the current time. To keep time from drifting, use a timeserver. If the time is changed on the Manager server, the Manager will lose connectivity with all McAfee® Network Security Sensors (Sensors) and the McAfee® Network Security Update Server [formerly IPS Update Server] because SSL is time sensitive.
• If Manager Disaster Recovery (MDR) is configured, ensure that the time difference between the Primary and Secondary Managers is less than 60 seconds. (If the spread between the two exceeds two minutes, communication with the Sensors will be lost.)
Tip: For more information about setting up a time server on Windows Server 2003 SP2, see the following Microsoft KnowledgeBase article:
Note: Once you have set your server time and installed the Manager, do not change the time on the Manager server for any reason. Changing the time may result in errors that could lead to loss of data.
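
The MDR time requirement above can be verified before and after installation by comparing each Manager's clock against one common time source. The following Python script is an added example, not part of the McAfee guide or product: it assumes the offsets were captured on each Manager with `w32tm /stripchart /computer:<reference> /dataonly` against the same reference, and the host name, address, sample values, and status labels are constructed for illustration.

```python
"""Check the MDR clock-spread rule from w32tm stripchart samples (added example)."""
import re
from statistics import median

# Limits stated in the guide: the Primary/Secondary difference must stay under
# 60 seconds; Sensor communication is lost once it exceeds two minutes.
REQUIRED_MAX_SPREAD_S = 60.0
SENSOR_LOSS_SPREAD_S = 120.0

# Data line as printed by `w32tm /stripchart /computer:<ref> /dataonly`,
# e.g. "10:15:02, +00.0312458s" (this line layout is an assumption of the example).
SAMPLE_LINE = re.compile(r"^\d{2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s$")
ERROR_LINE = re.compile(r"^\d{2}:\d{2}:\d{2},\s*error\b", re.IGNORECASE)

# Constructed sample output captured on the Primary Manager.
PRIMARY_SAMPLE = """\
Tracking ntp.example.internal [192.0.2.10:123].
Collecting 3 samples.
The current time is 11/15/2010 10:15:00 AM.
10:15:00, +00.0312458s
10:15:02, +00.0298114s
10:15:04, +00.0305520s
"""

# Constructed sample output captured on the Secondary Manager; its clock runs
# about 75 seconds ahead of the reference and one probe timed out.
SECONDARY_SAMPLE = """\
Tracking ntp.example.internal [192.0.2.10:123].
Collecting 4 samples.
The current time is 11/15/2010 10:16:15 AM.
10:16:15, -75.2104411s
10:16:17, error: 0x800705B4
10:16:19, -75.2098802s
10:16:21, -75.2110093s
"""


def parse_offsets(stripchart_text):
    """Return (offsets in seconds, number of failed probes) from stripchart output."""
    offsets, errors = [], 0
    for raw in stripchart_text.splitlines():
        line = raw.strip()
        match = SAMPLE_LINE.match(line)
        if match:
            offsets.append(float(match.group(1)))
        elif ERROR_LINE.match(line):
            errors += 1
    return offsets, errors


def mdr_clock_check(primary_text, secondary_text, min_samples=3):
    """Classify the clock spread between the two Managers.

    Both offsets are measured against the same reference, so their difference
    is the Primary/Secondary spread regardless of the sign convention used.
    The median is used so that a single outlier probe does not decide the result.
    """
    p_off, p_err = parse_offsets(primary_text)
    s_off, s_err = parse_offsets(secondary_text)
    result = {"primary_errors": p_err, "secondary_errors": s_err, "spread_s": None}
    if len(p_off) < min_samples or len(s_off) < min_samples:
        # Too few good probes: report that the rule could not be evaluated
        # instead of silently passing.
        result["status"] = "UNKNOWN"
        return result
    spread = abs(median(p_off) - median(s_off))
    result["spread_s"] = spread
    if spread < REQUIRED_MAX_SPREAD_S:
        result["status"] = "OK"
    elif spread <= SENSOR_LOSS_SPREAD_S:
        result["status"] = "OUT_OF_SPEC"
    else:
        result["status"] = "SENSOR_LOSS_RISK"
    return result


if __name__ == "__main__":
    print(mdr_clock_check(PRIMARY_SAMPLE, SECONDARY_SAMPLE))
```

An OUT_OF_SPEC or SENSOR_LOSS_RISK result is a reason to fix time synchronization before installing the Manager, since the guide advises against changing the server time afterwards.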

Other third-party applications
Install a packet log viewing program to be used in conjunction with the Threat Analyzer interface. Your packet log viewer, also known as a protocol analyzer, must support library packet capture (libpcap) format. This viewing program must be installed on each client from which you intend to log onto the Manager remotely and view packet logs.
Wireshark (formerly known as Ethereal) is recommended for packet log viewing. Wireshark is a network protocol analyzer for Windows servers that enables you to examine the data captured by your Sensors. For information on downloading and using Ethereal, go to www.wireshark.com.

Browser display settings (Windows)
• The Manager is viewed via client browser session. Only Windows XP and Windows 7 clients are supported using Internet Explorer 6.0, 7.0, or 8.0. Both 32 and 64-bit Internet Explorer 8.0 are supported.
• Set your display to 32-bit or higher by selecting Start > Settings > Control Panel > Display > Settings, and configuring the “Colors” field to True Color (32bit).
• McAfee recommends setting your monitor’s “Screen Area” to 1024 x 768 pixels. This can be done by changing the display settings at: Start > Settings > Control Panel > Display > Settings.
• When working with the Manager using Internet Explorer, your browser should check for newer versions of stored pages. By default, Internet Explorer is set to automatically check for newer stored page versions. To check this function, open your IE browser and go to Tools > Internet Options > General, click the Settings button under “Temporary Internet files” or "Browsing history" and under “Check for newer versions of stored pages:” select any of the four choices except for Never. Selecting Never will cache Manager interface pages that require frequent updating, and not refreshing these pages may lead to system errors.
Server requirements
The following are the system requirements for a Manager server running with a MySQL
database.

OS
  Minimum: Any one of the following:
    • Microsoft Windows Server 2003 - SP2, (32 or 64 bit) Standard Edition, English
    • Microsoft Windows Server 2003 - R2, (32 or 64 bit) Standard Edition, Japanese
    • Microsoft Windows Server 2008 - R2, (64 bit) Standard Edition, English.
      Note that this platform is supported only from Central Manager/Manager
      5.1.11.22 and above.
    Note: For 64-bit, only X64 architecture is supported.
    For Japanese, only Central Manager/Manager of version 5.1.11.x and above are
    supported on 64-bit.
  Recommended: Any one of the following:
    • Windows Server 2008 - R2, (64 bit) Standard Edition, English.
    • Windows Server 2003 R2 (Standard Edition), Japanese OS (64 bit)
Memory
  Minimum: 2GB or higher for 32-bit; 4GB or higher for 64-bit
  Recommended: 4GB
CPU
  Minimum: Server model processor such as Intel Xeon
  Recommended: Same as the minimum requirement.
Disk space
  Minimum: 40GB
  Recommended: 80GB disk with 8MB memory cache
Network
  Minimum: 100Mbps card
  Recommended: 10/100/1000Mbps card
Monitor
  Minimum: 32-bit color, 1024 x 768 display setting
  Recommended: 1280 x 1024


Hosting the Manager on a VMware platform
The following are the system requirements for hosting Manager server on a VMware
platform.

OS
  Minimum: Any one of the following:
    • Microsoft Windows Server 2003 - SP2, (32 or 64 bit) Standard Edition, English
    • Microsoft Windows Server 2003 - R2, (32 or 64 bit) Standard Edition, Japanese
    • Microsoft Windows Server 2008 - R2, (64 bit) Standard Edition, English.
      Note that this platform is supported only for fresh installations of
      Manager 5.1.11.22 or above.
    Note: For 64-bit, only X64 architecture is supported.
    For Japanese, only Central Manager/Manager of version 5.1.11.x and above are
    supported on 64-bit.
  Recommended: Same as the minimum requirement
Memory
  Minimum: 2GB
  Recommended: 2GB or higher
Virtual CPUs
  Minimum: 2
  Recommended: 2 or more
Disk Space
  Minimum: 40GB
  Recommended: 80GB

The following are the system requirements for hosting Manager server on a VMware
platform using Dell PowerEdge 1950.

System
  Virtualization software: VMWare ESX Server Version 3.5.0 Update 3 Build 123630;
    Virtual Infrastructure Client Version 2.5.0 Build 19826
  CPU: Intel Xeon® CPU ES 5335 @ 2.00GHz; Physical Processors – 2; Logical
    Processors – 8; Processor Speed – 2.00GHz.
  Memory: Physical Memory: 16GB
  Internal Disks: 364.25 GB



Client system requirements
The following table contains the minimum system requirements that you need to access
the Central Manager or the Manager from a client system.

Minimum
  OS: Windows XP (Standard Edition) SP2 or Windows 7
  Memory: 512 MB
  Browser: Internet Explorer 6.0, 7.0, or 8.0. Both 32 and 64 bit Internet Explorer 8.0
    are supported.
  Monitor: 32-bit color, 1024 x 768 display setting

Note: Internet Explorer is the supported browser for all clients. Internet Explorer, by
default, has pop-up blocking enabled. You must disable pop-up blocking to log on to
the Manager or the Central Manager.

Java Runtime Environment (JRE) requirement
When you first log onto the Manager, you are prompted to install a version of JRE on the
client machine (if it is not already installed). This version of the JRE software is required for
operation of various components within Manager including the Threat Analyzer and the
User-Defined Signature Editor. Refer to the Release Notes for the current JRE version.
Note: If you are using both 32-bit and 64-bit Internet Explorer 8.0 to access the
Manager from the same machine, then you are prompted to install the 32-bit as well
as the 64-bit JRE.

Database requirements
The Manager requires communication with MySQL database for the archiving and retrieval
of data.
The Manager CD-ROM includes a MySQL database for installation (that is, embedded on
the target Manager server) and use on the Manager server only. You must use the
Network Security Platform-supplied version of MySQL (currently 5.0.91). The MySQL
database must be dedicated to the Manager.
Note: If you have a MySQL database previously installed on the target server,
uninstall the previous version and install the Network Security Platform version.


Pre-installation recommendations
These McAfee® Network Security Platform [formerly McAfee® IntruShield®] pre-installation
recommendations are a compilation of the information gathered from individual interviews
with some of the most seasoned McAfee Network Security Platform System Engineers at
McAfee.

Planning for installation
Before installation, ensure that you complete the following tasks:
• The server on which McAfee® Network Security Manager [formerly McAfee® IntruShield®
Security Manager] software will be installed should be configured and ready to be
placed online.
• You must have administrator privileges for McAfee Network Security Manager
(Manager) server.
• This server should be dedicated, hardened for security, and placed on its own subnet.
This server should not be used for programs like instant messaging or other
non-secure Internet functions.
• Make sure the server meets at least the minimum requirements as mentioned in
Server requirements (on page 7).
• Make sure the Windows operating system required for this version of the Manager
software is installed as defined by the system requirements in the version’s release
notes. The same holds true for the Windows Operating System required for the
client(s).
• Ensure the proper static IP address has been assigned to the Manager server. For the
Manager server, McAfee strongly recommends assigning a static IP rather than using
DHCP for IP assignment.
• If applicable, configure name resolution for the Manager.
• Ensure that all parties have agreed to the solution design, including the location and
mode of all McAfee® Network Security Sensors [formerly McAfee® IntruShield®
Sensors], the use of sub-interfaces or interface groups, and if and how the Manager
will be connected to the production network.
• Get the required license file and grant number. Note that you do not require a license
file for using Manager/Central Manager version 5.1.17.2 or above.
• Accumulate the required number of wires and (supported) GBICs, SFPs, or XFPs.
Ensure these are approved hardware from McAfee or a supported vendor. Ensure
that the required number of Network Security Platform dongles, which ship with the
McAfee Network Security Sensors (Sensors), are available.
• Crossover cables will be required for 10/100 or 10/100/1000 monitoring ports if they
are directly connected to a firewall, router, or end node. Otherwise, standard patch
cables are required for the Fast Ethernet ports.
• If applicable, identify the ports to be mirrored, and someone who has the knowledge
and rights to mirror them.
• Allocate the proper static IP addresses for the Sensor. For the Sensors, you cannot
assign IPs using DHCP.
• Identify hosts that may cause false positives, for example, HTTP cache servers, DNS
servers, mail relays, SNMP managers, and vulnerability scanners.


Functional requirements
Following are the functional requirements to be taken care of:
• Install Wireshark (formerly known as Ethereal) on the client PCs. Ethereal is a
network protocol analyzer for Unix and Windows servers, used to analyze the packet
logs created by Sensors.
• Ensure the correct version of JRE is installed on the client system, as described in the
Release Notes. This can save a lot of time during deployment.
• Decide how the Manager will maintain the correct time. To keep time from
drifting, for example, point the Manager server to an NTP timeserver. (If the time is
changed on the Manager server, the Manager will lose connectivity with all Sensors
and the McAfee® Network Security Update Server [formerly IPS Update Server]
because SSL is time sensitive.)
• If Manager Disaster Recovery (MDR) is configured, ensure that the time difference
between the Primary and Secondary Managers is less than 60 seconds. (If the spread
between the two exceeds two minutes, communication with the Sensors
will be lost.)
• If you are upgrading from a previous version, we recommend that you follow the
instructions in the respective version’s release notes or, if one is available for your
release, the Upgrade Guide.
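
One way to measure the Primary/Secondary spread against the 60-second and two-minute limits above without touching either clock, as an added example that is not part of the McAfee guide: run it on each Manager against the same time server and compare the two offsets. The function names and status labels are assumptions, and the sample reply is constructed.

```python
import socket
import struct
import time

NTP_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (two 32-bit words) to Unix seconds."""
    return seconds - NTP_DELTA + fraction / 2**32

def parse_reply(packet):
    """Return (receive_time, transmit_time) from a 48-byte SNTP server reply."""
    if len(packet) < 48:
        raise ValueError("short SNTP packet")
    words = struct.unpack("!12I", packet[:48])
    mode = (words[0] >> 24) & 0x07
    stratum = (words[0] >> 16) & 0xFF
    if mode != 4 or stratum == 0:          # not a server reply, or unsynchronised
        raise ValueError("not a usable server reply")
    return to_unix(words[8], words[9]), to_unix(words[10], words[11])

def clock_offset(t1, t2, t3, t4):
    """Server clock minus local clock, in seconds.
    t1/t4: local send/receive times; t2/t3: server receive/transmit times."""
    return ((t2 - t1) + (t3 - t4)) / 2

def measure_offset(server, timeout=3.0):
    """Query `server` on UDP/123 and return this host's offset. Read-only."""
    request = b"\x1b" + 47 * b"\0"         # LI=0, version 3, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(request, (server, 123))
        packet, _ = sock.recvfrom(512)
        t4 = time.time()
    t2, t3 = parse_reply(packet)
    return clock_offset(t1, t2, t3, t4)

def mdr_skew_status(primary_offset, secondary_offset):
    """Classify the spread: under 60 s is within the guide's requirement,
    over 120 s is where it says Sensor communication is lost."""
    spread = abs(primary_offset - secondary_offset)
    if spread < 60:
        return "ok", spread
    if spread <= 120:
        return "out-of-spec", spread
    return "sensor-loss", spread

def constructed_reply(receive_unix, transmit_unix):
    """Build a sample server reply (constructed data for offline runs)."""
    def ts(t):
        whole = int(t)
        return whole + NTP_DELTA, int((t - whole) * 2**32)
    header = (3 << 27) | (4 << 24) | (2 << 16)   # version 3, mode 4, stratum 2
    return struct.pack("!12I", header, 0, 0, 0, 0, 0, 0, 0,
                       *ts(receive_unix), *ts(transmit_unix))

if __name__ == "__main__":
    # Offline demonstration with constructed timestamps; on a real Manager,
    # call measure_offset("<your time server>") instead.
    t2, t3 = parse_reply(constructed_reply(1000000045.25, 1000000045.25))
    primary = clock_offset(1000000000.0, t2, t3, 1000000000.5)
    print(mdr_skew_status(primary, -30.0))
```

Record the offset printed on each Manager at roughly the same moment; the script only reads the clock, in line with the note about not changing the Manager's time after installation.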


Using anti-virus software with the Manager
If you plan to install anti-virus software such as McAfee VirusScan on the Manager, be
sure the Central Manager or Manager installation directory and its sub-directories are
excluded from the anti-virus scanning processes. This is because the temporary files
created in the installation directory may conflict with the anti-virus scanner. The anti-virus
software may also delete essential MySQL files.

McAfee VirusScan and SMTP notification
From 8.0i, VirusScan includes an option (enabled by default) to block all outbound
connections over TCP port 25. This helps reduce the risk of a compromised host
propagating a worm over SMTP using a homemade mail client.
VirusScan avoids blocking outbound SMTP connections from legitimate mail clients, such
as Outlook and Eudora, by including the processes used by these products in an exclusion
list. In other words, VirusScan ships with a list of processes it will allow to create outbound
TCP port 25 connections; all other processes are denied that access.

The Manager takes advantage of the JavaMail API to send SMTP notifications. If you
enable SMTP notification and also run VirusScan 8.0i or above, you must therefore add
java.exe to the list of excluded processes. If you do not explicitly create the exclusion
within VirusScan, you will see a Mailer Unreachable error in the Manager Operational
Status each time the Manager attempts to connect to its configured mail server.
To add the exclusion, follow these steps:
1 Launch the VirusScan Console.
2 Right-click the task called Access Protection and choose Properties.
3 Highlight the rule called Prevent mass mailing worms from sending mail.
4 Click Edit.
5 Append java.exe to the list of Processes to Exclude.
6 Click OK to save the changes.

User interface responsiveness
The responsiveness of the user interface, the Threat Analyzer in particular, has a lasting
effect on your overall product satisfaction.
In this section we suggest some easy but essential steps, to ensure that Network Security
Platform responsiveness is optimal:
• During Manager software installation, use the recommended values for memory and
connection allocation.
• You will experience better performance in your configuration and data forensic tasks
by connecting to the Manager from a browser on a client machine. Performance may
be slow if you connect to the Manager using a browser on the server machine itself.
• Perform monthly or semi-monthly database purging and tuning. The greater the
quantity of alert records stored in the database, the longer it will take the user
interface to parse through those records for display in the Threat Analyzer. The
default Network Security Platform settings err on the side of caution and leave alerts
(and their packet logs) in the database until the user explicitly decides to remove
them. However, most users can safely remove alerts after 30 days.
Caution: It is imperative that you tune the MySQL database after each purge
operation. Otherwise, the purge process will fragment the database, which can
lead to significant performance degradation.
• Defragment the disks on the Manager on a routine basis, with the exception of the
MySQL directory. The more often you run your defragmenter, the quicker the process
will be. Consider defragmenting the disks at least once a month.
Warning: Do NOT attempt to defragment the MySQL directory using an O/S
defrag utility. To defragment MySQL tables, use a MySQL-specific utility,
myisamchk available in the <mysqlinstallation>\bin directory.
• Limit the quantity of alerts to view when launching the Threat Analyzer. This will
reduce the total quantity of records the user interface must parse and therefore
potentially result in a faster initial response on startup.
• When scheduling certain Manager actions (backups, file maintenance, archivals,
database tuning), set a time for each that is unique and is a minimum of an hour
after/before other scheduled actions. Do not run scheduled actions concurrently.

CHAPTER 4
Installing and upgrading the Central Manager/Manager
This section contains installation instructions for the McAfee® Network Security Manager
(Manager) software on your Windows server, including the installation of a MySQL
database. Unless explicitly stated, the information in this chapter applies to both the
McAfee® Network Security Central Manager [formerly McAfee® IntruShield® Command
Center] and Manager though the sections refer to Manager.
Caution: Close all open programs, including email, the Administrative Tools > Services
window, and instant messaging to avoid port conflicts. A port conflict may cause the
Manager program to incur a BIND error on startup, hence failing initialization.
Close any open browsers and restart your server after installation is complete. Open
browsers may be caching old class files and cause conflicts.
IIS (Internet Information Server) and PWS (Personal Web Server) must be disabled or
uninstalled from the target server.
The following are the high-level steps for installing and starting the Manager:
1 Prepare your target server for Manager software installation. See Preparing for
installation (on page 6).
2 Install the Manager software. See Installing the Manager (on page 14).
3 Start the Manager program. During initial client login from the Manager server or a
client machine, Java runtime engine software (provided) must be installed for proper
program functionality. See Starting the Manager software (on page 30).

Installing the Manager
The steps presented are for installation of the Network Security Central Manager/Network
Security Manager software on a Windows Server meeting the requirements mentioned in
Server requirements (on page 7).
The following procedure prompts you to submit program and icon locations, including the
location and access information of your database. Please read each step carefully before
proceeding to the next.
Note 1: Ensure that the Pre-requisites (on page 6) have been met and your target
server has been prepared before commencing installation.
Note 2: You can exit the setup program by clicking Cancel in the setup wizard. Upon
cancellation, all temporary setup files are removed, restoring your server to the
state it was in prior to installation.
Note 3: After you complete a step, click Next; click Previous to go one step back in the
installation process.
Note 4: Unless specified during installation, Network Security Manager is installed
by default.
Note 5: The Installation Wizard creates the default folders based on the Manager
Type you are installing. For example, for a first-time installation of Network Security
Manager, the default location is C:\Program Files\McAfee\Network Security
Manager\App. For Network Security Central Manager, it is C:\Program
Files\McAfee\Network Security Central Manager\App. Similarly, the Wizard creates
default folders for the MySQL database as well. For the sake of explanation, this
section mentions only the folder paths for Network Security Manager unless it is
necessary to mention the path for Network Security Central Manager.
Note 6: This note is relevant if you are installing the Central Manager or the
Manager on a 64-bit OS. Before you begin to install, make sure the Windows
Regional and Language Options are configured accordingly. For example, if you are
installing it on Windows Server 2003 R2 (Standard Edition), Japanese 64 bit OS,
ensure that the Windows Regional and Language Options are configured for
Japanese. If not, the Installation Wizard will treat the server as a 32-bit machine.
1 Log onto your Windows server as Administrator and close all open programs.
2 Insert the Manager CD-ROM into the appropriate drive or, if you downloaded the
software, double-click the executable file. The Installation Wizard starts with an
introduction screen.

Figure 1: Manager Installation Wizard - Welcome screen
Note: If the Installation Wizard does not automatically appear, locate and open
the Network Security Platform CD-ROM in My Computer, then find and
double-click the setup.exe file.
3 Confirm your acknowledgement of the License Agreement by selecting “I accept the
terms of the License Agreement.” You will not be able to continue the installation if
you do not select this option.

Figure 2: Manager Installation Wizard - License Agreement
4 Select the Manager type to choose installation of either Network Security Manager or
Network Security Central Manager.
For an upgrade, Network Security Manager or Network Security Central Manager is
displayed accordingly, and you cannot change it.

Figure 3: Select Manager type
Note: The Network Security Central Manager once installed cannot be
converted to Network Security Manager and vice versa.
5 Choose a folder where you want to install the Manager software.
For a first-time installation, the default location is C:\Program Files\McAfee\Network
Security Manager\App. For an upgrade, it is the same location as that of the earlier
version.

• Restore Default Folder: resets the installation folder to the default location.
• Choose: Browse to a different location.
Caution: Installing the Manager software on a network-mapped drive may
result in improper installation.
The Manager software cannot be installed to a directory path containing special
characters such as a comma (,), equal sign (=), or pound sign (#).

Figure 4: Manager Installation Wizard - Choose Install Folder
6 Choose a location for the Manager shortcut icon:
• In a new Program Group: enter the name for the new program folder where you want
to place the Manager icon: “Manager” is the default.
• In an existing Program Group: select an existing program folder from the list where
you want to place the Manager icon.
The Create Icons for All Users option is automatically selected if you select a common
program folder.
• In the Start Menu: select to place the Manager icon in your Start menu.
• On the Desktop: select to place the Manager icon on your Desktop.
• In the Quick Launch Bar: select to place the Manager icon on your Quick Launch Bar.
• Other: select a different Programs folder to place the Manager icon. The default is
C:\Documents and Settings\All Users\Start Menu\Programs\McAfee\Network
Security Manager for Manager and C:\Documents and Settings\All Users\Start
Menu\Programs\McAfee\Network Security Central Manager for Central Manager.
• Don’t Create Icons: skip the creation of Manager icon. The Manager program is
listed only within its directory folder.
• Create Icons for All Users: Select this if you want the Manager icon to be available to
all users logging on to the Manager server (including users without Windows
administrator privileges). This is similar to NT domain administration where more
than one user may log onto a workstation and use it with varying access roles.

Figure 5: Manager Installation Wizard - Choose Shortcut Folder
7 Set the following:
• Database Type is displayed as MySQL.
A MySQL database is provided on the Manager CD-ROM for installation and use
by Windows Manager servers only. You must use the provided MySQL version.
The database must reside on the same server as the Manager.
Provide the database connection information as follows:
• Database Name: Type a name for your database. It is recommended you keep the
default entry of “lf” intact.
• Database User: Type a user name for database-Manager communication; this
account name is used by the Manager. This account enables communication
between the database and the Manager. When typing a user name, observe the
following rules:
- The MySQL database user name can be a combination of alphabets [both
uppercase (A-Z) and lowercase (a-z)], numbers [0-9] and/or, special characters
like "~ ` ! @ # $ % - * _ + [ ] : ; , ( ) ? { }".
- The first character must be a letter.
- Do not use null or empty characters.
- Do not use more than 16 characters.
• Database Password: Type a password for the database-Manager communication
account. This password relates to the Database User account.
- The MySQL database password can be a combination of alphabets [both
uppercase (A-Z) and lowercase (a-z)], numbers [0-9] and/or, special characters
like "~ ` ! @ # $ % - * _ + [ ] : ; , ( ) ? { }".
- Do not use null or empty characters.
Important: This password is not the root password for database management;
the root password is added/entered in Step 9.
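
A pre-flight check of the values the wizard asks for in steps 5 and 7 (install folder, Database User, Database Password), as an added example that is not part of the McAfee guide or the installer. It assumes the special characters listed above form a complete allow-list and treats a UNC path as a network location; all function names and sample values are constructed.

```python
import string

# Allow-list built from the characters the guide names for the database user
# name and password. Treating that list as exhaustive is an assumption.
DB_SPECIALS = "~`!@#$%-*_+[]:;,()?{}"
DB_ALLOWED = set(string.ascii_letters + string.digits + DB_SPECIALS)
PATH_FORBIDDEN = set(",=#")   # characters the guide rules out in the install path
MAX_USER_LEN = 16

def _bad_chars(value):
    """Characters outside the allow-list, as repr() so NUL and spaces are visible."""
    return sorted({repr(c) for c in value if c not in DB_ALLOWED})

def check_db_user(name):
    """Apply the four Database User rules from step 7."""
    if not name:
        return ["user name is empty"]
    problems = []
    if name[0] not in string.ascii_letters:
        problems.append("first character must be a letter")
    if len(name) > MAX_USER_LEN:
        problems.append(f"{len(name)} characters; the limit is {MAX_USER_LEN}")
    bad = _bad_chars(name)
    if bad:
        problems.append("characters not allowed: " + " ".join(bad))
    return problems

def check_db_password(password):
    """Apply the Database Password rules from step 7 (no length limit is given)."""
    if not password:
        return ["password is empty"]
    bad = _bad_chars(password)
    return ["characters not allowed: " + " ".join(bad)] if bad else []

def check_install_path(path):
    """Apply the step 5 cautions. A mapped drive letter cannot be recognised
    from the string alone, so only UNC paths are flagged as network locations."""
    problems = []
    bad = sorted(PATH_FORBIDDEN & set(path))
    if bad:
        problems.append("path contains " + " ".join(bad))
    if path.startswith("\\\\"):
        problems.append("UNC path: install to a local disk, not a network location")
    return problems

def preflight(install_path, db_user, db_password):
    """Collect every finding so all values can be corrected in one pass."""
    return {
        "install_path": check_install_path(install_path),
        "db_user": check_db_user(db_user),
        "db_password": check_db_password(db_password),
    }

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    report = preflight(r"C:\Program Files\McAfee\Network Security Manager\App",
                       "nsm_app", "Example-Passw0rd!")
    for field, problems in report.items():
        print(field, "OK" if not problems else problems)
```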