Documente Academic
Documente Profesional
Documente Cultură
August 2008
Contents
Introduction ........................................................................................................................................1
About OfficeScan Domains..............................................................................................................1
Target Audience .................................................................................................................................3
Requirements .....................................................................................................................................3
Software ........................................................................................................................................3
Permissions ...................................................................................................................................3
Creating Group Policy Objects (GPOs) ................................................................................................4
Creating the Templates ...................................................................................................................4
Creating a New Group Policy Object ................................................................................................8
Adding a Template to the Group Policy Object .................................................................................9
Configuring a GPO ........................................................................................................................... 13
Configuring the OSCE Domain Name ............................................................................................ 13
Configuring the OSCE Server Name .............................................................................................. 15
Configuring the OSCE Server Port ................................................................................................ 17
Configuring the Clients’ Windows Firewall ..................................................................................... 19
Enabling the Remote Registry Service ...........................................................................................21
Linking a GPO .................................................................................................................................. 23
Create a Link................................................................................................................................ 23
Activate Link Settings ................................................................................................................... 25
Summary.......................................................................................................................................... 27
About the Author .............................................................................................................................. 28
Jagala “Gee” Brown ...................................................................................................................... 28
About Trend Micro Incorporated ........................................................................................................ 29
Contacting TrendEdge Publications ................................................................................................... 30
Trend Micro, the Trend Micro t-ball logo, and OfficeScan are trademarks or registered trademarks of Trend Micro,
Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein
without notice, and the information contained in this document is provided “as-is”. This document is for
informational purposes only, and is not supported by Trend Micro or its partners.
Introduction
This document describes how to leverage Microsoft™ Active Directory™ to prepare a computer running
Microsoft™ Windows Vista™ for Trend Micro™ OfficeScan™ Client/Server Edition 8.0 (OSCE) client
deployment. It includes the information needed to configure the OSCE domain that is to be used to
manage OSCE clients from within the OSCE management console and to help satisfy the prerequisites
for the Windows operating system.
The steps in this document were outlined using tools in Microsoft Windows Vista, but are
Note: valid for any version of Windows supported by OSCE 8.0: Windows 2000, Windows XP,
Windows Server 2003, Windows Vista, and Windows Server 2008.
There are multiple ways to install OSCE. This document seeks to provide settings that are related
directly to the Remote Install method while using a centrally administered directory service. The
configuration settings in this document work for several other OSCE installation methods, including:
• MSI install via Group Policy
Trend Micro provides this document “as-is" as a courtesy to interested parties. The accuracy
Note: of the information is solely the author’s responsibility. Neither Trend Micro nor its partners
support this document.
3. A DNS domain
The OSCE domain is a powerful and useful tool for managing OSCE clients. Once you have created the
domain(s) in the OSCE console, you can change the structure. In a large scale deployment, the process
of manually grouping the clients can be a time-consuming process. By automating the assignment of
OSCE domains you can place the OSCE clients into a management structure that is familiar to your
administrators at the time of client install.
You may wish to create several granular OfficeScan domains. Administrators often find that these more
granular domains simplify administration and work well with the methods they use to manage endpoints
on the network. Additionally, you can create the domains within the OSCE console prior to deployment.
These domains enable your administrators to set the level of protection desired within the OSCE
management console before an OSCE client is installed and allow the client to immediately take full
advantage of the protection OSCE provides.
.
Target Audience
The document is for use by customers, resellers, and implementers responsible for the deployment of
OfficeScan Client/Server Edition 8.0 (OSCE).
The following professionals benefit most from this document:
• Systems Engineers
• Systems Administrators
It is recommended that you have:
Requirements
Software
• Trend Micro OfficeScan Client / Server Edition 8.0 with Service Pack 1 (SP1):
o http://www.trendmicro.com/download/product.asp?productid=5
• Microsoft™ Windows™ Server 2003 or later with an Active Directory managed domain:
o http://technet.microsoft.com/en-us/windowsserver/2003/bb229701.aspx
• Microsoft Vista Service Pack 1 member client:
o http://www.microsoft.com/downloads/details.aspx?FamilyID=f559842a-9c9b-4579-b64a-
09146a0ba746
• Group Policy Management tools for Vista:
o http://www.microsoft.com/downloads/details.aspx?FamilyID=9ff6e897-23ce-4a36-b7fc-
d52065de9960&DisplayLang=en
Permissions
• A domain user account
• The permissions necessary to create, link, and edit Group Policy Objects
Note: For general information about using administrative templates with a registry-based
Group Policy, refer to the document entitled “REGPOLICY.DOC” at
http://www.microsoft.com/downloads/details.aspx?familyid=e7d72fa1-62fe-4358-8360-
8774ea8db847&displaylang=en.
You must save the templates files as UNICODE text with an extension of .ADM. As appears in Figure 1,
make sure that the Save As window shows Save as type: “All Files”, and Encoding: “UNICODE”.
To create the OSCE-32.ADM and OSCE-64.ADM templates, copy the text in Figure 2 for 64-bit clients
and Figure 3 for 32-bit clients into Windows Notepad and save the files in a location accessible by the
Vista SP1 member client running Windows’ Group Policy Management tools.
;OSCE-64.ADM:
CLASS MACHINE
CATEGORY "64-bit OfficeScan Client pre-install"
KEYNAME "SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorpOnce\
CurrentVersion"
#if VERSION >= 3
EXPLAIN "!!64bitExplainText"
#endif
PART "Enter the name of the Domain/Group that the client(s) will be a
member" TEXT
END PART
PART "Enter the name or IP of the OfficeScan Server that will manage
the client(s)." TEXT
END PART
PART "Enter the port number that the OfficeScan server uses to listen
for clients." TEXT
END PART
[STRINGS]
DomainNameExplainText ="This setting will determine which domain/group the
client(s) will be a member of once conected to an OfficeScan server."
ServerNameExplainText ="This setting will determine which server will manage the
client(s) once connected."
ServerPortExplainText ="This setting will determine the port used for client to
server communication."
64bitExplainText ="Use this category for 64-bit versions of XP, Vista, and
Windows Server."
SUPPORTED_Text ="At Least Windows XP clients or Windows Server 2003 servers."
;OSCE-32.ADM:
CLASS MACHINE
CATEGORY "32-bit OfficeScan Client pre-install"
KEYNAME "SOFTWARE\TrendMicro\PC-cillinNTCorpOnce\CurrentVersion"
#if VERSION >= 3
EXPLAIN "!!32bitExplainText"
#endif
PART "Enter the name of the Domain/Group that the client(s) will be a
member" TEXT
END PART
PART "Enter the name or IP of the OfficeScan Server that will manage
the client(s)." TEXT
END PART
PART "Enter the port number that the OfficeScan server uses to listen
for clients." TEXT
END PART
[STRINGS]
DomainNameExplainText ="This setting will determine which domain/group the
client(s) will be a member of once connected to an OfficeScan server."
ServerNameExplainText ="This setting will determine which server will manage the
client(s) once connected."
ServerPortExplainText ="This setting will determine the port used for client to
server communication."
32bitExplainText ="Use this category for 32-bit versions of XP, Vista, and
Windows Server."
SUPPORTED_Text ="At Least Windows XP clients or Windows Server 2003 servers."
Note: See the software requirements to find a link to the instructions for installing and
configuring the Group Policy Management tool.
It is recommended that you create and link a new GPO rather than modifying an existing GPO. To create
and link a new GPO within Active Directory on the Vista SP1 member client:
1. Logon with a domain user account that has administrative permissions within Active Directory.
Note: The settings configured via the procedure below will persist in the registry even after
the GPO has been deleted. The OSCE client will use the settings at install only;
therefore the settings that persist are benign. For general information about using
administrative template files with a registry-based Group Policy, see the document
entitled “REGPOLICY.DOC” at http://www.microsoft.com/downloads/details.aspx?
familyid=e7d72fa1-62fe-4358-8360-8774ea8db847&displaylang=en.
5. When you highlight “32-bit OfficeScan Client pre-install” you should be able to see and configure
the 32 or 64 bit settings for:
a. Domain Name
b. Server Name
c. Server Port
Configuring a GPO
Note: For more information about pre-configuring OfficeScan clients to report to a specific
server and join a specific domain, refer to the Trend Micro Solution ID 1035431 at
http://esupport.trendmicro.com/support/enterprise/search.do?cmd=displayKC&docType=
kc&externalId=PUB-en-1035431&sliceId=&dialogID=92792603&stateId=1 0 92768901.
4. If your edits are complete, close the Group Policy Management Editor.
Note: This setting MUST be used in conjunction with the OSCE Server Port setting.
4. If your edits are complete, close the Group Policy Management Editor.
Note: This setting MUST be used in conjunction with the OSCE Server Name setting.
4. If your edits are complete, close the Group Policy Management Editor.
4. If your edits are complete, close the Group Policy Management Editor.
Note: For more information about installing OfficeScan 8.0 clients on Windows Vista, refer to
the Trend Micro Solution ID 1034985 at http://esupport.trendmicro.com/support/
enterprise/search.do?cmd=displayKC&docType=kc&externalId=PUB-en-
1034985&sliceId=&dialogID=92786825&stateId=1 0 92768748.
4. If your edits are complete, close the Group Policy Management Editor.
Linking a GPO
Before a GPO can apply a change to any system, it must be linked to an object within Active Directory.
Linking the GPO in the correct location will ensure that only the systems that need the changes receive
them. The changes applied via the template above are persistent and will become benign after the install
of the OSCE client.
Note: For more information about installing OfficeScan 8.0 clients on Windows Vista, refer to
the Trend Micro Solution ID 1034985 at http://esupport.trendmicro.com/support/
enterprise/search.do?cmd=displayKC&docType=kc&externalId=PUB-en-
1034985&sliceId=&dialogID=92786825&stateId=1 0 92768748.
Create a Link
To link a GPO:
1. Logon with a domain user account that has administrative permissions within Active Directory.
2. Use GPUPDATE:
a. At the Command prompt “>”, type gpupdate /force.
b. Press the Enter key.
Summary
The use of domains (groups) in the OSCE management console greatly enhances the ability of
administrators to manage OfficeScan clients. The OSCE management console assigns domains
automatically based on client information. The OSCE management console allows an administrator to
manually arrange clients into domains within the console via drag and drop. Additionally, it is possible to
search for clients within the console based on specific criteria, then drag and drop those clients into
manually created domains to make administration easier. The ability to manually create domains is also
useful when an administrator has to duplicate an existing structure in the OSCE management console.
After completing the steps outlined in the Creating, Configuring, and Linking a GPO sections of this
document, the OSCE management console automatically creates and populates the domains. Further,
the settings in this document also can be used to automate the creation and population of pre-defined
OSCE domain names.
Once these steps in this document have been completed, and the GPO settings applied to the client
endpoints, administrators can proceed with any of the deployment methods outlined in the Trend Micro
OfficeScan Client/Server Edition 8.0 Administrator’s Guide or the Trend Micro OfficeScan Client/Server
Edition 8.0 Installation and Deployment Guide.
sav@trendmicro.com