RSA enVision 4.0 Configuration Guide
Copyright © 1996 - 2009 RSA Security Inc.
enVision, Enterprise Dashboard, and Internet Protocol Database (IPDB) are trademarks of RSA Security Inc. LogSmart is a
registered trademark of RSA Security Inc.
All other trademarks, service marks, registered trademarks, registered service marks mentioned in this document are the
property of their respective owners.
Information in this document is subject to change without notice. The software described in this document is furnished under
a license agreement or nondisclosure agreement. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose
other than the purchaser’s personal use without the written permission of RSA Security Inc.
Audience
The Configuration Guide is for system administrators who need to configure an enVision site.
Documentation Set
Go to https://knowledge.rsasecurity.com and log in to RSA SecurCare Online to download the complete enVision documentation set.
Conventions
This guide uses the following conventions:
Fields, buttons, menu items, and so forth are shown in bold font. (Screen names are not bold.) Example: Type New Report in the Description field on the Report Setup window.
Contact RSA
Contact RSA at:
Telephone: 781.375.9000
Fax: 781.375.9100
Sales
You can purchase enVision directly from RSA’s dedicated team of sales professionals or through RSA’s
North American and international resellers. Call RSA at 781.375.9000.
Technical Support
You can contact Technical Support as follows:
Through the Internet - The RSA SecurCare Online support page contains answers to common
questions and solutions to known problems. It also provides information on new releases,
important technical news, device configuration guides, product documentation, and software
downloads. You can visit the RSA SecurCare Online web site at
https://knowledge.rsasecurity.com. You can visit the RSA Technical Support web site at
https://www.rsa.com/support.
enVision is tightly coupled with its underlying appliance operating system and hardware, and together they
comprise a highly scalable platform that provides guaranteed levels of performance.
Site Deployment
enVision is deployed on a site basis, and the enVision components are deployed according to the type of site you have. There are two types of site:
Single appliance site. The ES series appliances operate in a stand-alone, non-distributed mode: all three enVision components (Application, Collector, and Database) are installed on one appliance, and that single appliance is a site. Some single appliance sites have an external storage system. See Chapter 2 “Single Appliance Site” for information on a single appliance site.
Multiple appliance site. The LS series appliances operate in a distributed installation: each enVision component (Application, Collector, and Database) runs on its own appliance, and the appliances together form a site. A multiple appliance site can include multiple installations of any of the three appliance types, to accommodate the variety of network infrastructures found in production environments. All multiple appliance sites have external storage systems. See Chapter 3 “Multiple Appliance Site” for information on a multiple appliance site, and Chapter 4 “Remote Collector Site” for information on associating a Remote Collector site with a multiple appliance site.
Configuration Tasks
The configuration process takes approximately 30 minutes to complete. You cannot change any of the site configuration options after the wizard is finished. The configuration tasks for a single appliance site are as follows:
Task 1. Plan the installation. Complete the Configuration Wizard Planning Worksheet - Single Appliance Site in this chapter.
Task 2. Set up the RSA enVision appliance hardware. Complete the tasks in Chapter 3 “Single Appliance Site” in the Hardware Guide.
Task 3. Connect to the appliance using a KVM switch. (You can also connect remotely using DRAC instead of a local KVM. See Appendix B “Dell Remote Access Controller Utility.”) The Configuration Wizard starts automatically.
Task 5. Immediately after you configure RSA enVision 4.0, RSA strongly recommends that you download and install two Content Updates: the Event Source Update Package and the VAM & Signature Content Update Package. Go to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Products, and under RSA enVision click Content Updates. Follow the instructions on that page to download and install the updates.
Task 6. Apply the license keys that were sent by email to the contact provided when you ordered the enVision appliance.
Next Steps
After the site configuration is complete, you must set up the processing options in enVision. See Chapter 5
“Next Steps” for more information.
Site Name
Selecting the site name is extremely important: once you name the site, you cannot change it. A valid site name is a unique 2- to 11-character alphanumeric string.
The site name cannot be the same as any other enVision site name, nor the same as any existing Windows domain name or the NetBIOS name of a Windows domain. (The NetBIOS name of a Windows domain is the part of the name before the first dot.) For example, if your Windows domain name is MyDomainName.com, its NetBIOS name is MyDomainName, so it would be wrong to install an enVision site with the name MyDomainName.
The site name is also used to derive:
The node name for the appliance. For example, for an ES series appliance site, if your site name is Seattle, the ES appliance node name is Seattle-ES.
The NIC Windows domain name created for your site, sitename.nic. For example, if your site name is Seattle, the Windows domain for the site is Seattle.nic.
IP Address
The default addresses for the appliance are:
Gateway address—identifies the computer that routes the traffic to the outside network.
You can override the default values during configuration. If you want to override the default values, write
the new values in the table.
DNS Servers
Identify the primary and secondary DNS servers on your network, and the options for the servers. enVision uses the DNS servers to resolve IP addresses found in events for reporting and alerting. Because those addresses come from event data, reverse lookups for addresses you do not own are ultimately answered by name servers outside your network; point the appliance at resolvers you administer rather than letting it forward directly to the Internet, so that the lookups it generates can be logged and filtered.
Primary: __________
Secondary: __________
Do Not Use Recursion: select this check box to indicate that the DNS server uses forwarders exclusively to resolve queries on behalf of its DNS clients. If the process using forwarders for resolution fails to resolve a query, a failure message is returned.
Forwarding Timeout: type the number of seconds that the DNS server continues to attempt to contact and use a listed forwarder. When the timeout expires, DNS moves to the next forwarder on the list and repeats the process. The default value is 5 seconds.
Time
Network Time Protocol
You can identify a server with which enVision will periodically synchronize its time.
If you use a server to synchronize time, be aware that well-known NTP time servers, such as those attached to atomic clocks, are outside your network and may be a security issue: NTP replies arrive over unauthenticated UDP, and the appliance clock determines the time stamps that your reports and alert time ranges are based on. If you use an external server, prefer to synchronize one internal time server to it and point enVision at that server. RSA assumes no risk to your network if you choose to use a known NTP server.
The enVision Configuration Wizard allows you to use the Windows Date and Time Properties window to update your date and time directly from the wizard. If you change the time zone on the Time Zone tab, you must click Apply before clicking the Date & Time tab to change the time. If you do not click Apply on the Time Zone tab, changing the time on the Date & Time tab changes the time for the previously selected time zone.
Examples of public NTP servers:
ntp2.usno.navy.mil
tock.usno.navy.mil
tick.usno.navy.mil
navobs1.oar.net
ntp0.mcs.anl.gov
navobs1.wustl.edu
tick.usnogps.navy.mil
tock.usnogps.navy.mil
tick.ucla.edu
bigben.cac.washington.edu
ntp.alaska.edu
tick.mhpcc.hpc.mil
Time Zone
(While running the configuration wizard, you must confirm the current date and time in your selected time
zone.)
External IP Address
Indicate whether this site uses an external address.
Site Deployment
The appliance types used in a multiple appliance site are as follows:
Remote Collectors (RCs) capture incoming events remotely and forward the collected data to their master site using the NIC Forwarder Service. Each multiple appliance site can have up to 16 Remote Collector (RC) server appliances, and each RC is considered a site. (The administrator sets up the remote collector's Forwarder parameters on the Modify Collector Service window in enVision.) See Chapter 4 “Remote Collector Site” for information on configuring RCs.
Note: The total events per second (EPS) for all Collectors per site (per D-SRV) cannot exceed 30,000 EPS.
The NIC domain is set up in a specific configuration with one site acting as the NIC domain master site.
Data flow and configuration information are based on your NIC domain configuration.
You set up the NIC domain during installation, using the enVision Configuration Wizard.
Master/Slave Relationship
The following diagram illustrates a basic enVision multiple site setup with a master site and a slave site. In a configuration with more than one site, the master is always Site 1 in the hierarchy.
In a multiple site NIC domain, Site 1 is the NIC domain master site. You can have only one NIC domain master site, and it is always Site 1. The sites connected to Site 1 are slaves of Site 1. In the example hierarchy:
Sites 2 and 5 are slaves of Site 1; Site 1 is the master site for Sites 2 and 5, in addition to being the NIC domain master site.
Sites 3 and 4 are slaves of Site 2; Site 2 is the master site for Sites 3 and 4.
Sites 6 and 7 are slaves of Site 5; Site 5 is the master site for Sites 6 and 7.
The exceptions are these site-specific items that only have meaning to the site where they were configured:
Directories
Module or tool settings that you set for:
Optionally, you can set up enhanced availability (EA) for the Local Collectors (LCs). This allows you to
define up to six cluster appliances (CAs) for a site to perform the LC roles.
The implementation of the enhanced availability feature for the Local Collectors is a Professional Services
package. You can arrange for a Professional Services package by contacting RSA at 781.375.9000.
Configuration Tasks
The configuration process takes approximately 30 minutes to complete. You cannot change any of the site configuration options after the wizard is finished. In a multiple site domain, repeat the tasks on each site, with the exception of Task 5, which only needs to be performed once in a NIC domain.
Task 1. Complete the Configuration Wizard Planning Worksheet - Multiple Appliance Site in this chapter.
Note: enVision uses the default IP address 192.168.1.55. IP address conflicts can occur if the LAN cable is connected to an existing network when you run the configuration wizard. For this reason, verify that the LAN cable is not connected to an existing network, or confirm that the IP address is not in use, before you run the configuration wizard.
Task 2. Set up the RSA enVision appliance hardware. Complete the tasks in Chapter 4 “Multiple Appliance Site” in the Hardware Guide.
Task 3. Connect to the D-SRV appliance using a KVM switch. (You can also connect remotely using DRAC instead of a local KVM. See Appendix B “Dell Remote Access Controller Utility.”) The enVision Configuration Wizard starts automatically.
Task 5. Within the NIC domain, verify that replication is working correctly: open the Services window, locate the NIC DB Replication Client service, and ensure that it is running.
a. Before you begin, make sure that you have installed the RSA enVision 4.0 software.
b. Run the appserver_install.bat batch script in the nic\4000\servername\bin\ folder, passing the external LAN IP address of the A-SRV machine in the NIC domain master site as the input parameter. For example:
E:\nic\4000\servername\bin\appserver_install.bat a-srv-ip_address
This batch program installs and starts the NIC App Server Service on the A-SRV and adds it to the list of services in the Manage Services window in enVision. Even if you have only one A-SRV in the NIC domain, you must run the appserver_install.bat batch program to install and start the NIC App Server Service.
Task 7. Immediately after you configure RSA enVision 4.0, RSA strongly recommends that you download and install two Content Updates: the Event Source Update Package and the VAM & Signature Content Update Package. Go to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Products, and under RSA enVision click Content Updates. Follow the instructions on that page to download and install the updates.
Task 8. Apply the license keys that were sent by email to the contact provided when you ordered the enVision appliance.
Next Steps
If there are Remote Collectors (RCs) for this site, see Chapter 4 “Remote Collector Site” for information
on configuring the remote sites.
After the site configuration is complete, you must set up the processing options in enVision. See Chapter 5
“Next Steps” for more information.
Complete the following sections for each site in your NIC domain. (Make a copy of the worksheet so that you can complete one for each site.) If you are configuring a remote collector for a multiple appliance site, see Chapter 4 “Remote Collector Site”.
NIC Domain
Draw a topology diagram of your NIC domain. Label the NIC domain master site. Label each site with a site name to identify it for additional planning purposes.
Site
Complete this section of the worksheet for each site in the NIC domain.
Site Name
Selecting the site name is extremely important: once you name the site, you cannot change it. A valid site name is a unique 2- to 11-character alphanumeric string.
The site name cannot be the same as any other enVision site name, nor the same as any existing Windows domain name or the NetBIOS name of a Windows domain. (The NetBIOS name of a Windows domain is the part of the name before the first dot.) For example, if your Windows domain name is MyDomainName.com, its NetBIOS name is MyDomainName, so it would be wrong to install an enVision site with the name MyDomainName.
The site name is also used to derive:
The node name for each of the appliances in the site. For example, if your site name is Boston, the Database server appliance node name is Boston-DS1.
The NIC Windows domain name created for your site, sitename.nic. For example, if your site name is Boston, the Windows domain for the site is Boston.nic.
Gateway address—used to identify the computer that routes the traffic to the outside network.
Select each appliance type in your site. If you want to override the default values, write the new values in
the table.
If there are remote collectors for this site, complete the Configuration Wizard Planning Worksheet –
Remote Collector Site in Chapter 4, “Remote Collector Site.”
DNS Servers
Identify the primary and secondary DNS servers on your network, and the options for the servers. enVision uses the DNS servers to resolve IP addresses found in events for reporting and alerting.
Primary: __________
Secondary: __________
Do Not Use Recursion: select this check box to indicate that the DNS server uses forwarders exclusively to resolve queries on behalf of its DNS clients. If the process using forwarders for resolution fails to resolve a query, a failure message is returned.
Forwarding Timeout: type the number of seconds that the DNS server continues to attempt to contact and use a listed forwarder. When the timeout expires, DNS moves to the next forwarder on the list and repeats the process. The default value is 5 seconds.
Time
Network Time Protocol (NTP)
You can identify a server with which enVision will periodically synchronize its time.
If you use a server to synchronize time, be aware that well-known NTP time servers, such as those attached to atomic clocks, are outside your network and may be a security issue. RSA assumes no risk to your network if you choose to use a known NTP server.
The enVision Configuration Wizard allows you to use the Windows Date and Time Properties window to update your date and time directly from the wizard. If you change the time zone on the Time Zone tab, you must click Apply before clicking the Date & Time tab to change the time. If you do not click Apply on the Time Zone tab, changing the time on the Date & Time tab changes the time for the previously selected time zone.
Examples of public NTP servers:
ntp2.usno.navy.mil
tock.usno.navy.mil
tick.usno.navy.mil
navobs1.oar.net
ntp0.mcs.anl.gov
navobs1.wustl.edu
tick.usnogps.navy.mil
tock.usnogps.navy.mil
tick.ucla.edu
bigben.cac.washington.edu
ntp.alaska.edu
tick.mhpcc.hpc.mil
Time Zone
While running the configuration wizard, you must confirm the current date and time in your selected time zone.
This site’s data server (D-SRV) uses an external IP address and port number.
The RCs use the LS series appliances. See Appendix A “Hardware Specifications” in the Hardware Guide
for the specifications for the LS series appliances.
Note: The total events per second (EPS) for all Collectors per site (per D-SRV) cannot exceed 30,000 EPS.
Important! Before you configure the RC, make sure that its master is configured, and up and running.
Configuration Tasks
The configuration process takes approximately 30 minutes to complete. You cannot change any of the site configuration options after the wizard is finished. The configuration tasks for an RC site are as follows:
Task 1. Complete the Configuration Wizard Planning Worksheet - Remote Collector Site in this chapter.
Task 2. Set up the RSA enVision appliance hardware. Complete the tasks in Chapter 5 “Remote Collector Site” in the Hardware Guide.
Task 5. Verify the RC configuration on the A-SRV of the RC's master site. See “Verify the RC Configuration” later in this chapter for complete instructions.
Task 6. Configure the data forwarding scheduled task on the A-SRV of the RC's master site. See “Configure the Data Forwarding Task” later in this chapter for complete instructions.
Task 7. Test the configuration. See “Test Configuration” later in this chapter for complete instructions.
Task 8. Apply the license keys that were sent by email to the contact provided when you ordered the enVision appliance.
b. Make sure that the RC is listed as a site and that the information displayed is correct.
1. Complete the following steps to log in to enVision on the application server (A-SRV) of the master site:
a. Start your web browser.
b. Type http://address:8080 in the Address field, where address is the machine name or IP address of the A-SRV and 8080 is the port through which you access enVision.
c. Press Enter.
4. To specify when the data forwarding task is performed and how often, click Set Recurrence.
6. Click Schedule.
7. Click Apply.
8. If the NIC Scheduler Service is not running, start it.
Test Configuration
1. After the Data Forwarding task runs, analyze the devices collected on the RC site from the A-SRV.
2. Run a report (for example, Bandwidth Usage by Address) to analyze the devices collected.
Important! When you select the time range of the report, remember that the forwarded data is four hours old by default (and at least one hour old).
Site Name
Selecting the site name is extremely important: once you name the site, you cannot change it. A valid site name is a unique 2- to 11-character alphanumeric string.
The site name cannot be the same as any other enVision site name, nor the same as any existing Windows domain name or the NetBIOS name of a Windows domain. (The NetBIOS name of a Windows domain is the part of the name before the first dot.) For example, if your Windows domain name is MyDomainName.com, its NetBIOS name is MyDomainName, so it would be wrong to install an enVision site with the name MyDomainName.
The site name is also used to derive:
The node name for the appliance. For example, if your site name is Hartford, the appliance node name is Hartford-RC1.
The NIC Windows domain name created for your site, sitename.nic. For example, if your site name is Hartford, the Windows domain for the site is Hartford.nic.
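The site-name rules are easy to get wrong by hand, and the name cannot be changed after the wizard runs. The following Python script is an added example (it is not RSA code and not part of enVision) that encodes the rules from this section and from the identical Site Name sections of the single appliance and multiple appliance worksheets: length and character set, uniqueness among existing enVision sites, and no collision with a Windows domain name or its NetBIOS name. The appliance suffixes ES, DS1 and RC1 are taken from this guide's examples; the complete set of node-name suffixes, and the case-insensitive comparison (Windows domain and NetBIOS names are not case-sensitive), are assumptions of the example.

```python
"""Pre-flight check for a planned enVision site name.

Added example for this guide, not RSA code. The appliance suffixes below
come from the guide's examples; any others are an assumption for your site.
"""
import re

# 2 to 11 alphanumeric characters, as the worksheet requires
SITE_NAME_RE = re.compile(r"^[A-Za-z0-9]{2,11}$")


def netbios_name(domain_fqdn):
    """NetBIOS name of a Windows domain: the label before the first dot."""
    return domain_fqdn.strip().split(".", 1)[0]


def derived_names(site_name, appliance_suffixes=("ES",)):
    """Names the configuration wizard derives from the site name."""
    return {
        "windows_domain": f"{site_name}.nic",
        "node_names": [f"{site_name}-{s}" for s in appliance_suffixes],
    }


def check_site_name(site_name, existing_site_names=(), windows_domains=()):
    """Return a list of problems; an empty list means the name is usable."""
    problems = []
    if not SITE_NAME_RE.match(site_name):
        problems.append("must be 2 to 11 alphanumeric characters")
    wanted = site_name.lower()  # NetBIOS and DNS names are case-insensitive
    if wanted in {s.lower() for s in existing_site_names}:
        problems.append("already used by another enVision site")
    for domain in windows_domains:
        if wanted == domain.lower():
            problems.append(f"same as Windows domain name {domain}")
        elif wanted == netbios_name(domain).lower():
            problems.append(f"same as NetBIOS name of Windows domain {domain}")
        # The wizard will create <site>.nic; make sure that does not collide either.
        if f"{wanted}.nic" == domain.lower():
            problems.append(f"derived domain {site_name}.nic already exists")
    return problems


if __name__ == "__main__":
    # Constructed inventory for the demonstration.
    domains = ["MyDomainName.com", "corp.example.net"]
    for name in ("Seattle", "MyDomainName", "S", "Boston-1"):
        print(name, check_site_name(name, ["Boston"], domains) or "ok")
    print(derived_names("Boston", ("DS1", "RC1")))
```

Run it against the list of site names already in the NIC domain and the Windows domains reachable from the appliance network before you start the wizard; a non-empty result means pick another name.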
Identify Appliance
The default addresses for the site are:
Gateway address—used to identify the computer that routes the traffic to the outside network.
If you want to override the default values, write the new values in the table.
DNS Servers
Identify the primary and secondary DNS servers on your network, and the options for the servers. enVision uses the DNS servers to resolve IP addresses found in events for reporting and alerting.
Primary: __________
Secondary: __________
Do Not Use Recursion: select this check box to indicate that the DNS server uses forwarders exclusively to resolve queries on behalf of its DNS clients. If the process using forwarders for resolution fails to resolve a query, a failure message is returned.
Forwarding Timeout: type the number of seconds that the DNS server continues to attempt to contact and use a listed forwarder. When the timeout expires, DNS moves to the next forwarder on the list and repeats the process. The default value is 5 seconds.
Time
Network Time Protocol (NTP)
You can identify a server with which enVision will periodically synchronize its time.
If you use a server to synchronize time, be aware that well-known NTP time servers, such as those attached to atomic clocks, are outside your network and may be a security issue. RSA assumes no risk to your network if you choose to use a known NTP server.
The enVision Configuration Wizard allows you to use the Windows Date and Time Properties window to update your date and time directly from the wizard. If you change the time zone on the Time Zone tab, you must click Apply before clicking the Date & Time tab to change the time. If you do not click Apply on the Time Zone tab, changing the time on the Date & Time tab changes the time for the previously selected time zone.
Examples of public NTP servers:
ntp2.usno.navy.mil
tock.usno.navy.mil
tick.usno.navy.mil
navobs1.oar.net
ntp0.mcs.anl.gov
navobs1.wustl.edu
tick.usnogps.navy.mil
tock.usnogps.navy.mil
tick.ucla.edu
bigben.cac.washington.edu
ntp.alaska.edu
tick.mhpcc.hpc.mil
Time Zone
While running the configuration wizard, you must confirm the current date and time in your selected time zone.
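The NTP warning above, repeated in the Time section of each worksheet, is about trusting an unauthenticated UDP reply from outside your network. The following Python SNTP client is an added example, not RSA code and not how enVision itself synchronizes time; it shows what a careful client checks before accepting a reply: that the packet is a server (mode 4) reply, that the server is synchronized (leap indicator and stratum), and that the origin timestamp echoes the transmit timestamp the client sent, which an off-path attacker cannot know. make_reply() builds a constructed reply for offline testing; query() needs network access to UDP port 123 and the server name in __main__ is one from the list above.

```python
"""Minimal SNTP client with the checks to apply before trusting a reply.

Added example for this guide; not RSA code. The reply produced by
make_reply() is constructed for offline testing.
"""
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800          # seconds from 1900-01-01 to 1970-01-01
_HEADER = struct.Struct("!BBbb3I")   # LI/VN/mode, stratum, poll, precision, root delay, root dispersion, reference ID
_TS = struct.Struct("!II")           # 64-bit NTP timestamp: whole seconds, 32-bit fraction


def unix_to_ntp(t):
    whole = int(t)
    return whole + NTP_UNIX_DELTA, int((t - whole) * 2**32)


def ntp_to_unix(sec, frac):
    return sec - NTP_UNIX_DELTA + frac / 2**32


def build_request(t1):
    """Mode 3 (client) request; t1 goes in the transmit field and must be echoed back."""
    head = _HEADER.pack(0x23, 0, 0, 0, 0, 0, 0)      # LI=0, VN=4, mode=3
    return head + _TS.pack(0, 0) * 3 + _TS.pack(*unix_to_ntp(t1))


def make_reply(request, t2, t3, stratum=2, refid=b"\x00\x00\x00\x00", li=0):
    """Constructed mode 4 (server) reply for offline tests; origin echoes the request."""
    head = _HEADER.pack((li << 6) | (4 << 3) | 4, stratum, 6, -20, 0, 0,
                        int.from_bytes(refid, "big"))
    return (head + _TS.pack(*unix_to_ntp(t2)) + request[40:48]
            + _TS.pack(*unix_to_ntp(t2)) + _TS.pack(*unix_to_ntp(t3)))


def parse_response(data, request, t4):
    """Validate a reply to `request` received at local time t4; return offset and delay."""
    if len(data) < 48:
        raise ValueError("short packet")
    first, stratum, _poll, _prec, _delay, _disp, refid = _HEADER.unpack_from(data, 0)
    li, version, mode = first >> 6, (first >> 3) & 7, first & 7
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if li == 3:
        raise ValueError("server reports its clock is unsynchronized")
    if not 1 <= stratum <= 15:
        raise ValueError(f"unusable stratum {stratum} (0 = kiss-o'-death, >15 = unsynchronized)")
    # Anti-spoofing: the origin field must echo the transmit timestamp we sent.
    if data[24:32] != request[40:48]:
        raise ValueError("origin timestamp mismatch: reply is not for our request")
    t1 = ntp_to_unix(*_TS.unpack_from(request, 40))
    t2 = ntp_to_unix(*_TS.unpack_from(data, 32))
    t3 = ntp_to_unix(*_TS.unpack_from(data, 40))
    offset = ((t2 - t1) + (t3 - t4)) / 2      # how far our clock is behind the server
    delay = (t4 - t1) - (t3 - t2)             # network round trip, excluding server time
    if delay < 0:
        raise ValueError("negative round-trip delay: timestamps are inconsistent")
    return {"offset": offset, "delay": delay, "stratum": stratum,
            "version": version, "refid": refid.to_bytes(4, "big")}


def query(server, port=123, timeout=2.0):
    """One round trip against a real server; raises ValueError on a bad reply."""
    req = build_request(time.time())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (server, port))
        data, _ = sock.recvfrom(512)
    return parse_response(data, req, time.time())


if __name__ == "__main__":
    import sys
    print(query(sys.argv[1] if len(sys.argv) > 1 else "ntp2.usno.navy.mil"))
```

Run it from a host on the appliance's network against the server you entered in the worksheet and compare the reported offset with what the appliance clock shows; a large offset, or a stratum that suddenly changes, is worth investigating before reports are relied on.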
This site’s data server (D-SRV) uses an external IP address and port number.
Set Up enVision
Setting up enVision involves three sets of tasks:
4. Set up views.
6. Schedule reports.
See the enVision online Help for a list of the required reading topics for each task. Additional tasks may be
required to perform the specific processing that you want.
Log In to enVision
You log in to enVision from a remote system, connecting to the enVision appliance (for multiple appliance sites, connect to the Application Server, A-SRV). Use one of two protocols, HTTP or HTTPS, depending on how enVision has been configured.
To log in to enVision:
address is the machine name or IP address of the machine on which the system is installed; for multiple appliance sites, this is the A-SRV (Application Server).
3. Press Enter.
When you connect through HTTPS, your browser may display certificate validation messages the first time you access enVision. (Depending on how server certificates are configured on the appliance, these messages may cite validation issues such as a host name mismatch between the server and its certificate.) Do not make accepting such warnings a habit: confirm out of band that the certificate presented is the appliance's own, and where possible install a certificate whose name matches the address you use, so that a later warning means something has changed.
Immediately change your password to a more secure one after you log in to enVision. See the online Help for instructions.
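The host name mismatch mentioned above is what a browser reports when no name in the certificate matches what was typed in the address bar, for example an IP address typed against a certificate issued to the appliance node name. The following Python function is an added example, not RSA code, that implements the matching rule browsers apply (subject alternative names first, a wildcard covering exactly one leftmost label, commonName only as a fallback, and a typed IP address matching only an IP Address entry) on a certificate dict in the shape that Python's ssl.SSLSocket.getpeercert() returns. The certificate contents in the example are constructed; the names in your appliance's certificate are whatever openssl s_client -connect address:port -showcerts shows you.

```python
"""Server-name matching as browsers do it (RFC 6125 style).

Added example for this guide; not RSA code. Certificates are dicts in the
shape ssl.SSLSocket.getpeercert() returns; the one in __main__ is constructed.
"""
import ipaddress


def _match_dns(pattern, host):
    """Case-insensitive match; '*' may replace exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def certificate_names(cert):
    """Every name the certificate is valid for, as (kind, value) pairs."""
    names = [(k, v) for k, v in cert.get("subjectAltName", ())
             if k in ("DNS", "IP Address")]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(("CN", value))
    return names


def hostname_matches(cert, host):
    """True if `host` (as typed in the address bar) is covered by `cert`."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    names = certificate_names(cert)
    if ip is not None:
        # An IP address only ever matches an IP Address SAN, never a DNS name or the CN.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in names)
    dns = [v for k, v in names if k == "DNS"]
    if dns:
        return any(_match_dns(p, host) for p in dns)
    # Legacy fallback: commonName is consulted only when there are no DNS SANs.
    return any(_match_dns(v, host) for k, v in names if k == "CN")


if __name__ == "__main__":
    # Constructed certificate: issued to the appliance node name, not its IP address.
    cert = {"subject": ((("commonName", "Seattle-ES"),),),
            "subjectAltName": (("DNS", "Seattle-ES"), ("DNS", "seattle-es.seattle.nic"))}
    for typed in ("seattle-es", "seattle-es.seattle.nic", "10.0.0.5"):
        print(f"https://{typed}/ ->", "ok" if hostname_matches(cert, typed) else "NAME MISMATCH")
```

The practical consequence: if users reach the appliance by IP address, either have the certificate reissued with an IP Address subject alternative name, or give the appliance a DNS name that is in the certificate and use that, so that a warning is once again a signal rather than noise.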
Note: You cannot use Mozilla Firefox to view the Enterprise Dashboard tool.
Earlier versions of enVision automatically launched the Java Plug-In Installation. Because
of the security constraints in the image for RSA enVision 3.5.0 and later, this no longer
happens and you must install the JRE manually.
Pop-up blockers, ad banner blockers, and personal firewalls can all interfere with the launching of
enVision, especially at first login. Make sure that you set up the blockers to allow enVision to operate
normally, or disable these blockers. (You can disable pop-up blockers in your browser under Tools/Pop-
Up Blocker or by clicking on the Pop-Ups icon). Configure personal firewalls to allow connections
between the enVision client and appliance.
enVision closes all open windows. All enVision services and processes continue to run without
interruption.
1. Connect the keyboard, monitor, and mouse to the appliance. You can connect from the USB
connectors and the video connector on either the front or back panel.
2. If the appliance is off, turn on the power using the front panel.
See Chapter 2 “Hardware Layout”, in the Hardware Guide for diagrams of the front and back panel of the
appliance.
2. Using a web browser, access the appliance from a remote location and configure enVision.
1. Reboot the machine, and when prompted, press Ctrl-E to set up remote access.
The system displays the initial Remote Access Controller (setup utility) screen with several options. You only need to configure the options described in these instructions to configure enVision.
3. Highlight NIC Selection and press the spacebar to set NIC Selection to Dedicated. Connect the dedicated DRAC port to an isolated management network: the controller gives console-level access to the appliance independently of the enVision login, so it should not be reachable from general user networks.
The setup utility opens a smaller screen with RMCP+ Encryption Key as the first option.
5. Highlight the IP Address Source option and use the plus (+) and minus (–) keys to select DHCP
or Static.
If you are going to select DHCP, attach your network cable to a network that has DHCP or contact
your network administrator.
If you select DHCP, the rest of the values are completed by the utility and you cannot change
them.
If you select Static, the values for MAC Address and VLAN ID are completed by the utility and you cannot change them, but you must specify a value for the following parameters:
ii. Highlight Subnet Mask and enter a value in the right column.
iii. Highlight Default gateway and enter a value in the right column.
iv. Highlight VLAN Enable and press the spacebar to set VLAN Enable to Off.
The setup utility opens the smaller DNS Configuration Options screen.
8. Depending on the IP Address Source option you selected in step 5, do one of the following:
If you selected DHCP, the DNS Configuration Options’ values are completed by the utility
and you cannot change them.
If you selected Static, the DNS Server from DHCP option is set to Off by the utility and you
cannot change it, but you must enter a value for the following options:
DNS Server1
DNS Server2
Return to Setup
1. Start a web browser and go to the Ethernet IP Address you specified in step 5 b of the “Set Up
the Remote Access Controller Utility” procedure.
2. Click Yes.
3. To log in:
c. Click OK.
If this is your first time accessing the Remote Access Controller utility, the system prompts you to
load the Console Redirection Plug-in.
6. Complete the configuration instructions for your type of appliance site as described in one of the
following chapters:
1. Reassign the IP address of each appliance after factory configuration and before you start the setup tasks.
2. Change the IP addresses in the lsconfigurationwizard.cfg file to match the addresses you assigned to the appliances.
1. Access the appliance with a KVM (see Appendix A) or from a remote location (see Appendix B).
3. Change the network portion (the first three octets) of the IP address, for example from 10.203.2 to 10.0.0.
You can use any value for the network portion of the IP address, but enVision appends a fixed host value to each IP address as illustrated in the diagram below:
5. Type *://site-ip-address.* in the Add this web site to the zone section, where site-ip-address is the first two octets of your addressing scheme followed by 1-255 for the third octet. For example: *://10.203.1-255.*
6. Click Add, then Close, then OK.
The system closes Internet Options.
1. When the configuration wizard starts automatically, click Cancel to stop the wizard.
2. Go to C:\WINDOWS\system32\drivers\etc.
This folder contains lsconfiguration.cfg, the configuration file used by the enVision configuration wizard.
3. Edit the SwIpBase=10.203.2 entry in lsconfiguration.cfg so that the IP addresses of the enVision appliances match the newly assigned addresses.
6. Ping each machine to confirm that the new IP addresses are correct.