Defender 5.9.3 - Quick Start Guide

Defender Setup Wizard reference

Table 1: Defender Setup Wizard reference
Wizard step Options

Software Transaction Agreement

Select the I accept these terms check box to accept the terms in the Software Transaction Agreement.
Select Features

Select the features you want to install.

Make sure you install the following required features:

  • Active Directory Preparation Installs Active Directory schema extensions, creates and configures control access rights, and creates organizational units required by Defender.
  • Defender Security Server Installs a server that performs two-factor authentication of users in your organization. Consider adding a second Defender Security Server to ensure that user authentication continues to work in case the primary Defender Security Server becomes unavailable.

    After installing the Defender Security Server, you need to configure it. For details, see Configure Defender Security Server.

  • Defender Administration Console Adds Defender menus and commands into Microsoft’s Active Directory Users and Computers tool.

You can also install the following optional features:

  • Defender Management Portal Installs a Web-based portal that allows administrators to manage and deploy tokens, view Defender logs in real time, troubleshoot authentication issues, and view a number of reports providing information about Defender configuration, users, authentication statistics, audit trail, and security tokens.

    The portal also includes a self-service Web site for users called the Defender Self-Service Portal. Because the Self-Service Portal accepts user passwords, we recommend that, where possible, you place it on the internal network with no access from the Internet, to keep it out of reach of external password-guessing attacks.

  • Defender Management Shell Installs a command-line interface that enables the automation of Defender administrative tasks. With the Defender Management Shell, administrators can use Windows PowerShell® scripts to perform token-related tasks such as assign tokens to users, assign PINs, or check for expired tokens.

 

Upgrade Installed Features

If this step appears, it indicates that there are previous versions of Defender features installed on the computer on which you are using the Defender Setup Wizard.

By default, only the features that are currently installed are selected for upgrade in this step. If necessary, you can select to install other features.

For the descriptions of the Defender features you can select in this step, see the Select Features step description earlier in this table.

Connect to Active Directory

Use the following options to specify parameters for connecting to Active Directory:

  • AD domain or domain controller name Type the fully qualified domain name of the domain or domain controller in the domain where you want to install Defender.

    Defender Setup will use the specified domain to extend Active Directory schema with Defender classes and attributes and create organizational units (OUs) required by Defender.

  • Connect using Specify the user account under which you want the Defender Setup to make changes in Active Directory.
Prepare Active Directory

Make sure that all check boxes provided in this step are selected.
Specify Port

This step only shows up if you have selected to install the Defender Management Portal (Web interface).

Specify a communication port to be used by the Defender Management Portal. The default port is 8080.

Assign Administrator Role

This step only shows up if you have selected to install the Defender Management Portal (Web interface).

In this step, you can assign the Defender Management Portal Administrator role to an Active Directory group. As a result, members of that group will have full administrative access to the Defender Management Portal. Note that members of the Domain Admins group always have the Administrator role assigned by default.

To select the group to which you want to assign the Administrator role, click the Change button.

If you specify an Active Directory group other than Domain Admins, ensure you delegate sufficient permissions to that group. You can delegate permissions by using the Defender Delegated Administration Wizard. For more information, see “Delegating Defender roles, tasks, or functions” in the Defender Administrator Guide.

Completed the Setup Wizard

You can select the Start Defender Security Server Configuration tool check box to start the configuration tool after you complete the Defender Setup Wizard.

For instructions on how to configure the Defender Security Server, see Configure Defender Security Server.

Defender Security Server Configuration tool reference

For the Defender Security Server to work properly, you need to connect it to Active Directory. To do that, you need to use the Defender Security Server Configuration tool.

To open the Defender Security Server Configuration tool, complete the steps related to your version of Windows in the following table:

Table 2: Steps to open Defender Security Server Configuration tool

Windows Server® 2008 R2, Windows Server 2008

  1. Click Start.
  2. Point to All Programs | One Identity | Defender.
  3. Click Defender Security Server Configuration.

Windows Server 2012 R2, Windows Server 2012

  On the Apps screen, click the Defender Security Server Configuration tile.

The Defender Security Server Configuration tool looks similar to the following screenshot (the screenshot is not reproduced in this text version):

The Defender Security Server Configuration tool has the following tabs:

Table 3: Defender Security Server Configuration tool tabs

Tab Description

Active Directory LDAP

Use this tab to configure Active Directory connection settings. The Defender Security Server uses these settings to read data in Active Directory.

  • Addresses Set up the list of domains or specific domain controllers that the Defender Security Server connects to when it reads data from Active Directory.

    To add a domain or domain controller to the list, click the Add button, and then enter the DNS name or IP address.

    To edit a list entry, select that entry, and click the Edit button.

    To remove a list entry, select that entry, and click the Remove button.

  • Port Type the number of the LDAP port on which you want the Defender Security Server to connect to Active Directory. The default port is 389. Port 389 carries plain LDAP; how well the session is protected depends on the bind method, and a simple bind on this port sends the service account password in cleartext, so prefer the SSL port where your domain controllers support it.
  • SSL port Type the number of the SSL port on which you want the Defender Security Server to connect to Active Directory. The default SSL port is 0. Port 0 is not a valid LDAP port, so no SSL connection is made until you enter the port on which your domain controllers accept LDAP over SSL (636 is the standard port; see the Communication ports table).
  • User name Type the user name of the service account under which you want the Defender Security Server to connect to Active Directory. Use either <domain>\<user name> format or distinguished name (DN) as shown on the screenshot above.

    The Defender Security Server communicates with Active Directory during the authentication process to read and write Defender-related data, so the service account you specify must have sufficient permissions in Active Directory. The built-in Administrator account and members of the Domain Admins group have the required permissions by default, but running the service under such an account grants it far more than it needs.

    We recommend that you create a service account in Active Directory specifically for use with the Defender Security Server and delegate to it only the permissions it needs. To assign those permissions, use the Defender Delegated Administration Wizard. For more information, see “Delegating Defender roles, tasks, and functions” in the Defender Administrator Guide.

  • Password Type the password that matches the user name specified in the User name text box.
Audit Log

Use this tab to configure Defender logging information.

To specify a different log path for the Defender Security Server log file, click Browse and navigate to the required location.

To change the size of the Defender Security Server log file, enter the required size in the Log size field.

To create a duplicate copy of the current Defender Security Server log, select the Create additional log with fixed name check box, and then enter the name of the log file in the Log name field.

If you want to save Defender Security Server logging information to a syslog server, as well as to the Defender Security Server log, select the Enable syslog check box and click Add.

In the IP Address or DNS Name field, enter the name or the IP address of the host computer where the syslog server is running.

In the Port field, enter the port number on which the syslog server specified in the IP Address or DNS Name field listens (514 is the conventional syslog port). The log records which users authenticate, from where and with what outcome, and traditional syslog over UDP is neither encrypted nor authenticated, so keep the collector on a trusted network segment.

Test Connection

Use this tab to test the Active Directory connection settings specified on the Active Directory LDAP tab.

Click the Test button to check if the specified connection settings are correct. You can select the Test connection automatically check box to automatically test the specified connection settings.
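The following PowerShell script is an added example; it is not part of the Defender product or its documentation. It performs from the command line the same kind of check as the Test Connection tab: for each address from the Active Directory LDAP tab it binds with the service account on the LDAP port and, when an SSL port is set, on that port, then reads the RootDSE to confirm the account can actually read directory data rather than merely authenticate. The host names, ports and credential prompt are placeholders; the script uses only the .NET System.DirectoryServices.Protocols API and assumes the user name is given in DOMAIN\user form.

```powershell
# Added example (not Defender code): check the Defender Security Server AD connection
# settings from PowerShell using the .NET System.DirectoryServices.Protocols API.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-DssLdapSetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Address,          # DNS name or IP from the Addresses list
        [Parameter(Mandatory)][int]$Port,                # 389 (LDAP) or the configured SSL port
        [Parameter(Mandatory)][pscredential]$Credential, # service account, DOMAIN\user form
        [switch]$UseSsl
    )
    # fullyQualifiedDnsHostName=$false accepts an IP address, a short name or an FQDN.
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Address, $Port, $false, $false)
    $netCred    = $Credential.GetNetworkCredential()    # splits DOMAIN\user into Domain and UserName
    $conn       = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier, $netCred)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Timeout = [TimeSpan]::FromSeconds(10)
    if ($UseSsl) {
        # LDAP over SSL on $Port; the domain controller certificate is validated by default.
        $conn.SessionOptions.SecureSocketLayer = $true
    }
    # Negotiate (Kerberos/NTLM) never puts the password on the wire in clear,
    # unlike a simple bind on the plain LDAP port.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate

    $result = [ordered]@{
        Address = $Address; Port = $Port; Ssl = [bool]$UseSsl
        Bind = $false; DefaultNamingContext = $null; Error = $null
    }
    try {
        $conn.Bind()
        $result.Bind = $true
        # Read the RootDSE: proves the account can query the directory, not just log on.
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest
        $req.DistinguishedName = $null
        $req.Filter = '(objectClass=*)'
        $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Base
        $null = $req.Attributes.Add('defaultNamingContext')
        $resp = $conn.SendRequest($req)
        $result.DefaultNamingContext = $resp.Entries[0].Attributes['defaultNamingContext'].GetValues([string])[0]
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]$result
}

# --- Sample use with placeholder values; replace with the settings from the Active Directory LDAP tab ---
$cred      = Get-Credential -Message 'Defender Security Server service account (DOMAIN\user)'
$addresses = @('dc1.example.com', 'dc2.example.com')   # placeholders for the Addresses list
$ldapPort  = 389
$sslPort   = 636   # the tool's default of 0 means no SSL port; set 636 here to test LDAP over SSL

foreach ($a in $addresses) {
    Test-DssLdapSetting -Address $a -Port $ldapPort -Credential $cred
    if ($sslPort -ne 0) {
        Test-DssLdapSetting -Address $a -Port $sslPort -Credential $cred -UseSsl
    }
}
```

A failed bind on the SSL port with a successful bind on 389 usually points at a certificate problem on the domain controller (no server certificate, or one the Defender Security Server host does not trust) rather than at the account. If you enter the service account as a distinguished name instead of DOMAIN\user, the equivalent check is a simple bind (AuthType Basic), which should only ever be run with -UseSsl because it sends the password in cleartext otherwise.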

Service

Use this tab to check the Defender Security Server service status and manage the service.

To restart the Defender Security Server service, click Restart Service.

To stop the Defender Security Server service, click Stop Service.

Communication ports

Defender uses the following communication ports:

Table 4: Default communication ports

Port                     Protocol                Type of traffic
389                      LDAP, TCP/IP            Defender Security Server to Active Directory connections
636                      LDAP over SSL (LDAPS)   Active Directory password changes (only if Defender is configured to handle Active Directory passwords)
1812/1813 or 1645/1646   UDP                     RADIUS protocol (1812 or legacy 1645 for authentication, 1813 or legacy 1646 for accounting)
2626                     TCP                     Communications between Defender agents and the Defender Security Server
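The script below is an added example, not part of Defender or its documentation, showing how the port table translates into a least-privilege firewall policy on the Defender Security Server host: the inbound RADIUS ports are opened only to the RADIUS clients (NAS devices, VPN gateways) and port 2626 only to the hosts that run Defender agents, and the outbound LDAP and LDAP over SSL ports to each domain controller are checked for reachability. It assumes the Windows NetSecurity module (Windows Server 2012 and later) and uses placeholder subnets and host names that you must replace with your own.

```powershell
# Added example (not Defender code): scope the Defender Security Server's inbound ports
# from Table 4 to known clients and verify outbound reachability to the domain controllers.
# Requires the NetSecurity module (Windows Server 2012 and later). All addresses are placeholders.

$RadiusClients     = @('10.10.20.0/24')                   # NAS devices / VPN gateways sending RADIUS
$AgentClients      = @('10.10.30.0/24', '10.10.31.0/24')  # hosts running Defender agents
$DomainControllers = @('dc1.example.com', 'dc2.example.com')

function New-DssInboundRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('TCP', 'UDP')][string]$Protocol,
        [Parameter(Mandatory)][int[]]$Port,
        [Parameter(Mandatory)][string[]]$RemoteAddress
    )
    # Idempotent: drop any earlier rule of the same name so re-running does not accumulate duplicates.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow -Profile Domain `
        -Protocol $Protocol -LocalPort $Port -RemoteAddress $RemoteAddress | Out-Null
}

# RADIUS: 1812 authentication and 1813 accounting, only from RADIUS clients.
# The legacy 1645/1646 pair stays closed unless a NAS still requires it.
New-DssInboundRule -Name 'Defender DSS RADIUS' -Protocol UDP -Port 1812, 1813 -RemoteAddress $RadiusClients
# Agent traffic on 2626 only from the hosts that run Defender agents.
New-DssInboundRule -Name 'Defender DSS Agents' -Protocol TCP -Port 2626 -RemoteAddress $AgentClients

# Outbound: the Defender Security Server must reach each domain controller on 389 (LDAP)
# and 636 (LDAP over SSL). Test-NetConnection checks TCP ports only, so UDP RADIUS
# reachability from the clients has to be confirmed with an actual authentication.
function Test-DssOutboundPorts {
    param(
        [Parameter(Mandatory)][string[]]$Targets,
        [int[]]$Ports = @(389, 636)
    )
    foreach ($t in $Targets) {
        foreach ($p in $Ports) {
            $ok = Test-NetConnection -ComputerName $t -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ Target = $t; Port = $p; Reachable = $ok }
        }
    }
}
Test-DssOutboundPorts -Targets $DomainControllers | Format-Table -AutoSize
```

Run the script in an elevated PowerShell session on the Defender Security Server host. Port 636 only shows as reachable once the domain controllers have been issued a server certificate for LDAP over SSL; until then leave the SSL port in the configuration tool at 0 rather than entering a port nothing listens on.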

Upgrading Defender

This section provides information on how to upgrade the Defender components. Defender is upgradeable from version 5.8 and later.

To upgrade a Defender component, install the new version of that component on the computer where an earlier version of the component is installed.
