IDP Installation Manual (idp4.0)

Contents

1 Installing the NSM Server
  1.1 Minimum system requirements
  1.2 Running the system update patch
  1.3 Installing the NSM Server system software
2 Installing the NSM client (UI)
  2.1 Minimum client requirements
  2.2 Installing the User Interface
3 Configuring the IDP Sensor
  3.1 IDP Sensor initialization
  3.2 CLI commands you may need

1 Installing the NSM Server

1.1 Minimum system requirements

First, choose a server on which to install the NSM Server. The minimum requirements for that server are as follows:

| Component | Minimum Requirements |
|---|---|
| Operating System | Solaris 8, Solaris 9 operating system, OR Red Hat Enterprise Linux (ES/AS) 3.0-Update 5 or 4.0-Update 1 |
| CPU | Sun Microsystems UltraSPARC IIi 500MHz (or higher), OR Linux 1GHz (x86) processor (or higher) |
| RAM | 1GB (or higher); 2GB+ (depending on the number of managed devices and configuration size) |
| Swap Space | 4 GB for both GUI Server and Device Server |
| Storage | IDE Hard Disk Drive with 10K rpm (minimum); 15K rpm (recommended); 18 GB disk space (minimum); 40 GB disk space (recommended) |
| Network Connection | 100MBps NIC Ethernet adapter |
| Other | Server must be dedicated to running NetScreen-Security Manager |

1.2 Running the system update patch

Before installing the NSM Server, you must first install a system update patch named "systemupdate-linux" (on the Linux platform); otherwise NSM cannot be installed correctly. The file is on the CD supplied with the product. Each version of the system update patch carries its version number at the front of the file name, for example: nsm2006.1r2-systemupdate-linux.tar. We recommend installing the patch under /usr: decompress it, then run it. The commands are:

    gzip -d systemupdate-nsm-linux.tar.gz    # decompress the file
    tar xfv systemupdate-nsm-linux.tar       # extract the archive

This creates a directory named "systemupdate". Change into that directory and run the update script:

    cd /systemupdate    # change into the directory
    ./update.sh         # run the update script

When prompted, press Enter to confirm, then wait for the script to finish. The process takes about 20 minutes (in practice it does not take that long).

1.3 Installing the NSM Server system software

Once the patch is installed, NSM can be installed on the operating system. First copy the NSM system software to the server (the /tmp directory is recommended), then run the installer directly. On Linux, run:

    sh nsm2006.1r2_servers_linux_x86.sh

The installation wizard then asks a series of simple configuration questions and carries out the installation automatically. We strongly recommend installing with the default settings, which makes later maintenance much easier. Typical output is shown below (lines beginning with // are annotations):

    sh nsm2006.1_servers_linux_x86.sh
    Creating staging directory.ok

    # PERFORMING PRE-INSTALLATION TASKS #
    Running preinstallcheck.
    Checking if platform is valid.ok
    Checking for correct intended platform.ok
    Checking if all needed binaries are present.ok
    Checking for platform-specific binaries.ok
    Checking for PostgreSQL.ok
    Checking if user is root.ok
    Checking if user root exists.ok
    Checking if system meets RAM requirement.ok
    Checking for sufficient disk space.ok
    Checking if RPM binary is the minimum version .ok
    Noting OS name.ok
    Stopping any running servers

    # GATHERING INFORMATION #
    1) Install Device Server only
    2) Install GUI Server only
    3) Install both Device Server and GUI Server
    Enter selection (1-3) 3
    // Install both the Device Server and the GUI Server: choose 3. (It is unlikely
    // that a user would install these two servers on two separate machines; that
    // would be wasteful and also harder to maintain.)

    # GENERAL SERVER SETUP DETAILS #
    Will this machine participate in an HA cluster? (y/n) n n
    // Whether to deploy in HA mode: choose no.

    # DEVICE SERVER SETUP DETAILS #
    The Device Server stores all of the user data under a single directory.
    By default, this directory is /var/netscreen/DevSvr. Because the user data
    (including logs and policies) can grow to be quite large, it is sometimes
    desirable to place this data in another partition.
    Please enter an alternative location for this data if so desired, or press
    ENTER for the location specified in the brackets.
    Enter data directory location /var/netscreen/DevSvr
    // Directory where the Device Server stores user data; press Enter to use the default.

    # GUI SERVER SETUP DETAILS #
    The GUI Server stores all of the user data under a single directory.
    By default, this directory is /var/netscreen/GuiSvr. Because the user data
    (including database data and policies) can grow to be quite large, it is
    sometimes desirable to place this data in another partition.
    Please enter an alternative location for this data if so desired, or press
    ENTER for the location specified in the brackets.
    Enter data directory location /var/netscreen/GuiSvr
    // Directory where the GUI Server stores all user data; press Enter to use the default.
    The GUI Server stores all of the database logs under a single directory.
    By default, this directory is /var/netscreen/GuiSvr/xdb/log. Because the
    database log can grow to be quite large, it is sometimes desirable to place
    this log in another partition.
    Please enter an alternative location for this log if so desired, or press
    ENTER for the location specified in the brackets.
    Enter database log directory location /var/netscreen/GuiSvr/xdb/log
    // Directory where the GUI Server stores log data; press Enter to use the default.
    Enter the management IP address of this server
    // Assign an IP address to NSM. The NSM client needs the NSM Server's IP address
    // in order to reach NSM.
    Setting GUI Server address and port to x.x.x.x:7801 for Device Server
    Please enter a password for the super user
    Enter password (password will not display as you type)
    // Set the password for the super user; it is not echoed as you type. This is the
    // password you enter when accessing NSM from the NSM client.
    Please enter again for verification
    Enter password (password will not display as you type)
    // Confirm the password.
    Will a Statistical Report Server be used with this GUI Server? (y/n) n n

    # HIGH AVAILABILITY (HA) SETUP DETAILS #
    Will server processes need to be restarted automatically in case of a failure? (y/n) y
    // Whether to restart server processes when they fail: choose yes.

    # BACKUP SETUP DETAILS #
    Will this machine require local database backups? (y/n) y
    Enter hour of day to start the database backup (00 = midnight, 02 = 2am, 14 = 2pm .) 02
    Will daily backups need to be sent to a remote machine? (y/n) n
    Enter number of database backups to keep 7
    Enter the rsync backup timeout 1800
    Will logging be enabled? (y/n) n
    Enter database backup directory /var/netscreen/dbbackup
    The database backup server(s) requires that you have previously installed the rsync program.
    Enter the full path to rsync /usr/bin/rsync
    // Configures local data backup (backup to another remote device); optional.

    # DEVSVR DB SETUP DETAILS #
    Enter Postgres DevSvr Db port 5432
    Enter Postgres DevSvr Db super user netscreen
    Enter Postgres DevSvr Db password for user netscreen
    Enter password (password will not display as you type)
    Please enter again for verification
    Enter password (password will not display as you type)

    # POST-INSTALLATION OPTIONS #
    Start server(s) when finished? (y/n) y
    // Whether to start the services once installation completes: choose yes.

    # CONFIRMATION #
    About to proceed with the following actions:
    - Install Device Server
    - Install GUI Server
    - Install High Availability Server
    - This machine does not participate in an HA cluster
    - Store Device Server data in /var/netscreen/DevSvr
    - Store GUI Server data in /var/netscreen/GuiSvr
    - Store GUI Server database log in /var/netscreen/GuiSvr/xdb/log
    - Use IP address 19 for management
    - Connect to GUI Server at 19:7801
    - Set password for super user
    - Servers will be restarted automatically in case of a failure
    - Local database backups are enabled
    - Start backups at 02
    - Daily backups will not be sent to a remote machine
    - Number of database backups to keep: 7
    - HA rsync command backup timeout: 1800
    - Logging is disabled: n
    - Create database backup in /var/netscreen/dbbackup
    - Use rsync program at /usr/bin/rsync
    - Postgres DevSvr Db Server port: 5432
    - Postgres DevSvr Db super user: netscreen
    - Postgres DevSvr Db password set for netscreen
    - Start server(s) when finished: Yes
    Are the above actions correct? (y/n) y
    // Confirm the settings made so far. Choose yes to confirm, or no to change them.

    # EXTRACTING PAYLOADS #
    Extracting payload.ok
    Decompressing payload.ok

    # PERFORMING INSTALLATION TASKS #
    - INSTALLING Device Server -
    Looking for existing RPM package.ok
    Removing DevSvr files from default location.ok
    Installing Device Server RPM.ok
    Installing JRE.ok
    Creating var directory.ok
    Creating /var/netscreen/dbbackup.ok
    Putting NSROOT into start scripts.ok
    Filling in Device Server config file(s).ok
    Setting permissions for Device Server.ok
    Setting up PostgreSQL for DevSvr.ok
    Installation of Device Server complete.
    // The Device Server was installed successfully.
    - INSTALLING GUI Server -
    Copying dbbackup data to the installer backup directory.ok
    Looking for existing RPM package.ok
    Removing GuiSvr files from default location.ok
    Installing GUI Server RPM.ok
    Installing JRE.ok
    Creating var directory.ok
    Creating /var/netscreen/dbbackup.ok
    Putting NSROOT into start scripts.ok
    Filling in GUI Server config file(s).ok
    Setting permissions for GUI Server.ok
    Running generateMPK utility.ok
    Running fingerprintMPK utility.ok
    Installation of GUI Server complete.
    // The GUI Server was installed successfully.
    - INSTALLING HA Server -
    Looking for existing RPM package.ok
    Removing HaSvr files from default location.ok
    Installing HA Server RPM.ok
    Creating var directory.ok
    Putting NSROOT into start scripts.ok
    Filling in HA Server config file(s).ok
    Setting permissions for HA Server.ok
    Installation of HA Server complete.
    // The HA Server was installed successfully.
    - SETTING START SCRIPTS -
    Enabling Device Server start script.ok
    Enabling GUI Server start script.ok
    Enabling HA Server start script.ok

    # PERFORMING POST-INSTALLATION TASKS #
    Running nacnCertGeneration.ok
    Removing staging directory.ok
    Starting GUI Server.ok
    Starting Device Server.ok
    Starting HA Server.ok

    NOTES:
    - Installation log is stored in /usr/netscreen/DevSvr/var/errorLog/netmgtInstallLog.20051026152408
    // The installation log is recorded automatically.
    - This is the GUI Server fingerprint:
    B4:F4:62:A1:DE:20:12:94:E7:47:31:93:2C:EC:BC:CA:FA:E4:36:02
    You will need this for verification purposes when logging into the GUI Server.
    Please make a note of it.
    - If you are managing ScreenOS 4.x devices, you need to install the tftp-server
    RPM on this system. The TFTP server is used by the management server to update
    firmware images on 4.x devices. The root directory for the TFTP server must be
    set to /usr/netscreen/DevSvr/var/cache.
    // After a successful installation, all of the output above appears.

2 Installing the NSM client (UI)

2.1 Minimum client requirements

| Component | Minimum Requirement |
|---|---|
| Software | Microsoft Windows XP, OR Microsoft Windows NT Workstation/Server 4.0, Service Pack 6a or higher, OR Microsoft Windows 2000 Server, Advanced Server, or Professional editions, OR Red Hat Enterprise Linux ES 3.0 or 4.0, Red Hat Enterprise Linux AS; US English versions only |
| Hardware | IBM compatible PC; 400MHz Pentium II or equivalent (minimum); 700 MHz Pentium II or equivalent (recommended); RAM: 256 MB (minimum); 512 MB or above (recommended); 384kbps (DSL) or LAN connection - minimum bandwidth required to connect to the NetScreen-Security Manager management system. |

2.2 Installing the User Interface

First copy the NSM client software to the PC. The software is a .exe file; double-click it to run it, then follow the installation wizard and click Next through each step to complete the installation. When installation is finished, double-click the NSM icon and enter the NSM Server's IP address, the user name and the password to log in to the NSM server. The NSM login screen is shown below:

NSM exists to manage the IDP, so once the NSM server and client are installed we still need to configure the IDP itself; otherwise NSM cannot recognize the IDP. The following section describes the relevant IDP configuration.

3 Configuring the IDP Sensor

3.1 IDP Sensor initialization

The Juniper IDP device (also called the IDP Sensor) has a default management address. Entering it in a browser opens the device's Web UI, where the initial configuration is carried out. The default user name is root and the default password is abc123. As shown in the figure:

The Juniper IDP Sensor provides two configuration wizards: QuickStart and ACM (Appliance Configuration Manager). After logging in to the IDP, choose either one to perform the setup. QuickStart is a quick configuration tool for simple settings such as the management IP, subnet mask, default route, time, and enabling Inline mode or Sniffer mode. ACM allows more advanced settings, such as changing the root administrator password, forcing port speed, configuring DNS, enabling bypass, and deciding whether ports forward traffic. Because it makes changing the root password easy, we recommend using ACM for the initial configuration. After clicking "ACM", you enter the ACM
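
The installer NOTES in section 1.3 print a GUI Server fingerprint that is to be verified when logging in from the NSM client. The shell helper below is an added example, not part of the original manual or of NSM: it extracts that fingerprint from saved installer output and compares it with the value the client displays. The function names, the line layout of the sample, and the 40-hex-digit length check (taken from the fingerprint shown in the transcript) are assumptions.

```shell
#!/bin/sh
# Added example (not from the manual): check the GUI Server fingerprint noted
# at install time against the value the NSM client displays at login.
# Function names and the transcript layout below are assumptions.

# Constructed sample: the NOTES lines from section 1.3, one item per line.
SAMPLE_NOTES='- This is the GUI Server fingerprint:
B4:F4:62:A1:DE:20:12:94:E7:47:31:93:2C:EC:BC:CA:FA:E4:36:02
You will need this for verification purposes when logging into the GUI Server.'

# extract_fp: read installer output on stdin, print the colon-separated
# fingerprint that follows "GUI Server fingerprint:" (same or next line).
extract_fp() {
    tr '\n' ' ' | sed -n \
 's/.*GUI Server fingerprint:[[:space:]]*\(\([0-9A-Fa-f]\{2\}:\)\{19\}[0-9A-Fa-f]\{2\}\).*/\1/p'
}

# normalize_fp: drop separators, upper-case, and require exactly 40 hex
# digits (the length shown in the transcript). Returns 1 if malformed.
normalize_fp() {
    fp=$(printf '%s' "$1" | tr -d ': \t\r\n-' | tr 'a-f' 'A-F')
    case "$fp" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fp}" -eq 40 ] || return 1
    printf '%s\n' "$fp"
}

# fp_matches RECORDED SHOWN: 0 = same fingerprint, 1 = different,
# 2 = one of the values is truncated or not hex (treat as a failed check).
fp_matches() {
    a=$(normalize_fp "$1") || return 2
    b=$(normalize_fp "$2") || return 2
    [ "$a" = "$b" ]
}

recorded=$(printf '%s\n' "$SAMPLE_NOTES" | extract_fp)
# Constructed "client-displayed" value: same bytes, different formatting.
if fp_matches "$recorded" "b4f462a1de201294e74731932cecbccafae43602"; then
    echo "fingerprint matches the install-time record"
else
    echo "fingerprint mismatch or malformed value: do not enter credentials"
fi
```

A return code of 2 is kept separate from 1 so that a fingerprint that was copied incompletely is never mistaken for a verified one.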
