Defender 5.11 - Administration Guide

Select the I accept these terms check box to accept the terms in the Software Transaction Agreement.

Select the features you want to install.

Make sure you install the following required features:

• Active Directory Preparation Installs Active Directory schema extensions, creates and configures control access rights, and creates organizational units required by Defender.
• Defender Security Server Installs a server that performs two-factor authentication of users in your organization. Consider adding a second Defender Security Server to ensure that user authentication continues to work in case the primary Defender Security Server becomes unavailable.

  After installing the Defender Security Server, you need to configure it. For details, see Step 2: Configure Defender Security Server.

• Defender Administration Console  Adds Defender menus and commands into Microsoft’s Active Directory Users and Computers tool.

You can also install the following optional features:

• Defender Management Portal Installs a Web-based portal that allows administrators to manage and deploy tokens, view Defender logs in real time, troubleshoot authentication issues, and view a number of reports providing information about Defender configuration, users, authentication statistics, audit trail, and security tokens

  The portal also includes a self-service Web site for users called the Defender Self-Service Portal. Where possible, to guard against external password-based attacks, we recommend you to place the Defender Self-Service Portal on the internal network with no access from the Internet.

• Defender Management Shell  Installs a command-line interface that enables the automation of Defender administrative tasks. With the Defender Management Shell, administrators can use Windows PowerShell scripts to perform token-related tasks such as assign tokens to users, assign PINs, or check for expired tokens.

If this step appears, it indicates that there are previous versions of Defender features installed on the computer on which you are using the Defender Setup Wizard.

By default, only the features that are currently installed are selected for upgrade in this step. If necessary, you can select to install other features.

For the descriptions of the Defender features you can select in this step, see the Select Features step description earlier in this table.

Use the following options to specify parameters for connecting to Active Directory:

• AD domain or domain controller name  Type the fully qualified domain name of the domain or domain controller in the domain where you want to install Defender.

  Defender Setup will use the specified domain to extend Active Directory schema with Defender classes and attributes and create organizational units (OUs) required by Defender.

• Connect using  Specify the user account under which you want the Defender Setup to make changes in Active Directory.

Make sure that all check boxes provided in this step are selected.

This step only shows up if you have selected to install the Defender Management Portal (Web interface).

Specify a communication port to be used by the Defender Management Portal. The default port is 8080.

This step only shows up if you have selected to install the Defender Management Portal (Web interface).

In this step, you can assign the Defender Management Portal Administrator role to an Active Directory group. As a result, members of that group will have full administrative access to the Defender Management Portal. Note that members of the Domain Admins group always have the Administrator role assigned by default.

To select the group to which you want to assign the Administrator role, click the Change button.

If you specify an Active Directory group other than Domain Admins, ensure you delegate sufficient permissions to that group. You can delegate permissions by using the Defender Delegated Administration Wizard. For more information, see “Delegating Defender roles, tasks, or functions” in the Defender Administration Guide.

Use this tab to configure Active Directory connection settings. The Defender Security Server uses these settings to read data in Active Directory.

• Addresses  Set up a list of domains or specific domain controllers to which you want the Defender Security Server to connect to read data in Active Directory.

  To add a domain or domain controller to the list, click the Add button, and then enter the DNS name or IP address.

  To edit a list entry, select that entry, and click the Edit button.

  To remove a list entry, select that entry, and click the Remove button.

• Port  Type the number of the LDAP port on which you want the Defender Security Server to connect to Active Directory. The default port is 389.
• SSL port  Type the number of the SSL port on which you want the Defender Security Server to connect to Active Directory. The default SSL port is 0.
• User name  Type the user name of the service account under which you want the Defender Security Server to connect to Active Directory. Use either <domain>\<user name> format or distinguished name (DN) as shown on the screenshot above.

  The Defender Security Server communicates with Active Directory during the authentication process to read and write Defender-related data. Therefore, the service account you specify must have sufficient permissions in Active Directory. An account such as the built-in Administrator account or members of the Domain Admins group have the required permissions by default.

  You may want to create a service account in Active Directory specifically for use with the Defender Security Server. To assign the sufficient permissions to that service account, you can use the Defender Delegated Administration Wizard. For more information, see “Delegating Defender roles, tasks, and functions” in the Defender Administration Guide.

• Password  Type the password that matches the user name specified in the User name text box.

Use this tab to configure Defender logging information.

To specify a different log path for the Defender Security Server log file, click Browse and navigate to the required location.

To change the size of the Defender Security Server log file, enter the required size in the Log size field.

To create a duplicate copy of the current Defender Security Server log, select the Create additional log with fixed name check box, and then enter the name of the log file in the Log name field.

If you want to save Defender Security Server logging information to a syslog server, as well as to the Defender Security Server log, select the Enable syslog check box and click Add.

In the IP Address or DNS Name field, enter the name or the IP address of the host computer where the syslog server is running.

In the Port field, enter the port number used by the computer specified in the IP Address or DNS Name field.

Use this tab to test the Active Directory connection settings specified on the Active Directory LDAP tab.

Click the Test button to check if the specified connection settings are correct. You can select the Test connection automatically check box to automatically test the specified connection settings.