InterScan Web Security Suite - Trend Micro™ Online Help

newshumansvilleΔιαχείριση Δεδομένων

16 Δεκ 2012 (πριν από 4 χρόνια και 8 μήνες)

718 εμφανίσεις

InterScan
TM
Web Security Suite
3
Antivirus and Content Security at the Web Gateway
Installation Guide
for Crossbeam X-Series Platforms
Web Security
w
s
General Copyright Information
The products, specifications, and other technical information regarding the
products contained in this document are subject to change without notice. All
information in this document is believed to be accurate and reliable, but is
presented without warranty of any kind, expressed or implied, and users must
take full responsibility for their application of any products specified in this
document. Trend Micro Incorporated disclaims responsibility for errors that
may appear in this document, and it reserves the right, in its sole discretion and
without notice, to make substitutions and modifications in the products and
practices described in this document.
This material is protected by the copyright and trade secret laws of the United
States and other countries. It may not be reproduced, distributed, or altered in
any fashion by any entity (either internal or external to Trend Micro
Incorporated), except in accordance with applicable agreements, contracts, or
licensing, without the express written consent of Trend Micro Incorporated.
For permission to reproduce or distribute please contact your Trend Micro
Incorporated account executive.
All other product names mentioned in this manual may be trademarks or
registered trademarks of their respective companies.
Trend Micro Copyright Information
Trend Micro Incorporated reserves the right to make changes to this document
and to the products described herein without notice. Before installing and
using the software, please review the readme files, release notes, and the latest
version of the applicable user documentation, which are available from the
Trend Micro Web site at:
http://www.trendmicro.com/download
Trend Micro, the Trend Micro t-ball logo, InterScan Web Security Suite, and
Trend Micro Control Manager are trademarks or registered trademarks of
Trend Micro, Incorporated. All other product or company names may be
trademarks or registered trademarks of their owners.
Copyright© 2008 Trend Micro Incorporated. All rights reserved.
Document Part No. IHEM33621/80505
Release Date: August 2008
Protected by U.S. Patent No. 5,951,698.
The user documentation for Trend Micro InterScan Web Security Suite for Crossbeam
X-Series Platforms is intended to introduce the main features of the software and
installation instructions for your production environment. You should read
this documentation prior to installing or using the software.
Detailed information about how to use specific features within the software are
available in the online help file and the online Knowledge Base at Trend
Micro’s Web site.
Trend Micro is always seeking to improve its documentation. Your feedback is
always welcome. Please evaluate this documentation on the following site:
http://www.trendmicro.com/download/documentation/rating.
asp
Crossbeam Systems Copyright Information
CROSSBEAM, CROSSBEAM SYSTEMS, X40, X45, X80, C2, C6, C10, C12,
C25, C30, C30i, SecureShore, and any logos associated therewith are
trademarks or registered trademarks of Crossbeam Systems, Inc. in the U.S.
Patent and Trademark Office, and several international jurisdictions.
Contents
v
Contents
Preface
Audience ............................................................................................................viii
InterScan Web Security Suite Documentation ............................................viii
Crossbeam Systems Related Documentation ................................................ix
Document Conventions ...................................................................................ix
Support and Training .........................................................................................x
Customer Comments ........................................................................................xi
Chapter 1: Introduction to InterScan Web Security Suite
About InterScan Web Security Suite ...........................................................1-2
Deployment Options .....................................................................................1-2
Standalone IWSS Server Configuration ..................................................1-2
IWSS Server-Farm Configuration ...........................................................1-5
Chapter 2: Before Installing InterScan Web Security Suite
InterScan Web Security Suite Requirements ..............................................2-2
Licensing Requirements ............................................................................2-2
Other Requirements ..................................................................................2-2
X-Series Platform-specific Requirements ...................................................2-3
Hardware Requirements ...........................................................................2-3
Software Version Requirements ..............................................................2-4
XOS Setup Requirements .........................................................................2-4
XOS Setup Instructions .................................................................................2-5
Create and Configure a VAP Group for the Application ....................2-6
Create and Configure a Management Circuit ........................................2-7
Create and Configure Traffic Circuits ....................................................2-8
Save the Running Configuration ...........................................................2-13
Chapter 3: Installing the Application
Loading the Application ................................................................................3-2
Installing the Application ...............................................................................3-3
Verifying the Installation ...............................................................................3-7
Troubleshooting the Installation ..................................................................3-8
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
vi
Chapter 4: Application Management
XOS CLI Commands for Basic Application Management .....................4-2
Show Application CLI Command ...........................................................4-3
The IWSS Configuration Menu ....................................................................4-4
Application Uninstallation ........................................................................4-5
Appendix A: Setting Up an External Master IWSS Server for an IWSS
Server-farm Configuration Deployment
vii
Preface
Preface
Welcome to the Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Platforms
Installation Guide for release 3.1. This guide describes how to install and configure the
InterScan Web Security Suite (IWSS) application on a Crossbeam Systems X-Series
Platform. For more information regarding this application, visit our Web site at:
http://www.trendmicro.com
This preface describes the following topics:
• Audience
• InterScan Web Security Suite Documentation
• Crossbeam Systems Related Documentation
• Document Conventions
• Support and Training
• Customer Comments
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
viii
Audience
This guide is intended for system integrators and other qualified service personnel
responsible for installing, configuring, and managing the software on a Crossbeam
Systems X-Series Platform.
InterScan Web Security Suite Documentation
In addition to the Installation Guide, the IWSS documentation set includes the
following:
• Administrator’s Guide—This guide provides detailed information about all
InterScan Web Security Suite configuration options. Topics include how to update
your software to keep protection current against the latest risks, how to configure
and use policies to support your security objectives, and using logs and reports.
• Readme file—This file contains late-breaking product information that is not
found in the online or printed documentation. Topics include a description of new
features, installation tips, known issues, and release history.
• Online help—The online help provides “how to’s” for the main product tasks,
usage advice, and field-specific information such as valid parameter ranges and
optimal values. You can access the online help by opening the Web console and
then clicking the help icon.
• Knowledge Base—The Knowledge Base is an online database of problem-solving
and troubleshooting information. It provides the latest information about known
product issues. To access the Knowledge Base, open:
http://esupport.trendmicro.com/support
The latest versions of the Installation Guide, Administrator’s Guide, and readme file are
available in electronic form at:
http://www.trendmicro.com/download/
Preface
ix
Crossbeam Systems Related Documentation
The following Crossbeam Systems documentation may be helpful when configuring
XOS and installing IWSS on an X-Series Platform:
• X40 and X80 Security Services Switch Hardware Installation Guide
• X45 Security Services Switch Hardware Installation Guide
• XOS Command Reference Guide
• XOS Release Notes
• XOS Configuration Guide
• Install Server User Guide
• Deploying Multiple Security Services on the Crossbeam X-Series Platform: Using Trend Micro™
InterScan Web Security Suite and Check Point™ VPN-1 Power NGX R65
For the latest updates to Crossbeam technical documentation, visit the Crossbeam
Systems Customer Support Web site located at:
http://www.crossbeam.com/services/online_support.php
Document Conventions
To help you locate and interpret information easily, the IWSS documentation uses the
following conventions.
C
ONVENTION
D
ESCRIPTION
ALL CAPITALS Acronyms, abbreviations, and names of
certain commands and keys on the keyboard
Bold Menus and menu commands, command
buttons, tabs, options, and ScanMail tasks
Italics References to other documentation
Monospace Examples, sample command lines, program
code, Web URL, file name, and program
output
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
x
Support and Training
Refer to the following Web site regarding IWSS support:
• Trend Micro support Web site:
http://esupport.trendmicro.com
.
To report issues and request technical assistance for Crossbeam X-Series Platform
hardware and software, contact Crossbeam Systems Customer Support:
• United States:+1 800-331-1338 or +1 978-318-7595
• EMEA:+ 33 4 8986 0400 (during normal working hours)
+1 978-318-7595 (outside office hours and on public holidays, if
applicable)
• Asia Pacific:+1 978-318-7595
• Email Customer Support:
support@crossbeam.com
In addition, you can access online resources, submit new technical support requests, and
view all of your open requests by logging into the Crossbeam Online Support Web site,
located at:
http://www.crossbeam.com/services/online_support.php
Crossbeam Systems also offers extensive customer training on all of its products. For
current course offerings and schedules, please refer to the Crossbeam Training and
Education Web site located at:
http://www.crossbeam.com/services/training_education.php
Note:
Important information to help users properly
understand and carry out specific tasks
Tip:
Recommendations
WARNING!
Precautions users must take to avoid major
errors (data loss, data unavailability, install
failure, etc).
C
ONVENTION
D
ESCRIPTION
Preface
xi
Customer Comments
To submit comments regarding our products or their documentation:
• Email your product comments to
alliance_support@trendmicro.com
.
• Email your documentation comments to
alliance_support@trendmicro.com
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
xii
1-1
Chapter 1
Introduction to InterScan Web
Security Suite
This chapter provides a brief introduction to InterScan Web Security Suite (IWSS) and
its operation on a Crossbeam Systems X-Series Platform.
Topics include the following:
• About InterScan Web Security Suite
• Deployment Options
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
1-2
About InterScan Web Security Suite
IWSS dynamically defends against Web-based attacks with integrated threat protection
at the Internet gateway. This high-performance software solution complements
award-winning antivirus and anti-spyware with a new Web Reputation feature that
detects and blocks Web threats based on the reputation of the source domain. It scans
the content and flow of HTTP and FTP traffic and triggers agent-less cleanup when
spyware activity is detected on clients and servers.
Deployment Options
Crossbeam X-Series Platforms support the following deployment options:
• Standalone IWSS Server Configuration
• IWSS Server-Farm Configuration
Standalone IWSS Server Configuration
In this scenario, you install an IWSS server and a PostgreSQL database on each Virtual
Application Processor (VAP) that you configure on the X-Series Platform. Each VAP
runs on a separate Application Processing Module (APM) and functions as a standalone
IWSS server with its own PostgreSQL database. You can use Trend Micro Control
Manager to replicate configuration files across multiple IWSS servers (VAPs) installed
on the same X-Series Platform.
Note:You must log into each VAP separately to manage policies and generate event reports
for each IWSS server installed on the X-Series Platform.
Introduction to InterScan Web Security Suite
1-3
Figure 1-1 illustrates this deployment option.
F
IGURE
1-1
Standalone IWSS Server Configuration: IWSS Server and
PostgreSQL Database Installed on Each VAP
The Standalone IWSS Server Configuration deployment option has two possible use
cases:
• IWSS VAPs installed with PostgreSQL databases stored on the Control Processing
Module (CPM)
• IWSS VAPs installed with PostgreSQL databases stored on the Application
Processing Module (APM) local disks
Table 1-1 on page 1-4 lists the benefits and limitations of these use cases.
By default, all PostgreSQL databases are stored on the Control Processing Module
(CPM). However, during IWSS installation, you can choose to move the PostgreSQL
database directory (
/etc/iscan/postgres
) on each VAP to its APM local disk(s).
Note:If you wish to enable URL access logging in IWSS, you must move each VAP's
PostgreSQL database directory onto its APM local disk(s).
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
1-4
WARNING! Once you move the PostgreSQL database directories onto the APM local
disk(s), that configuration is permanent. To move the database directo-
ries back onto the CPM, you must uninstall and reinstall IWSS on the
X-Series Platform.
T
ABLE
1-1.
Use Cases for Standalone IWSS Server Configuration
U
SE
C
ASE
B
ENEFITS
L
IMITATIONS
IWSS VAPs installed with
PostgreSQL databases
stored on the CPM
Provides support for
APM redundancy.

Logging HTTP/FTP
access events to the
database is not
recommended.

The CPM has limited
disk space for event
log storage.
IWSS VAPs installed with
PostgreSQL databases
stored on the APM local
disks
Provides enough disk
space to log HTTP/FTP
access events to the
database.

APM failover is not
recommended.

To keep database logs
consistent, each VAP
must always load on
the APM on which its
database is stored.
APMs are not
interchangeable and
should not be
configured for
redundancy.
Introduction to InterScan Web Security Suite
1-5
IWSS Server-Farm Configuration
In this scenario, you create an IWSS server-farm configuration with the Master server
installed on a Red Hat Enterprise Linux (RHEL) server and the Slave server(s) installed
on the X-Series Platform. You install a Slave IWSS server on each VAP that you
configure on the X-Series Platform, and then configure each Slave server to use the
shared PostgreSQL database stored on the external Master server. See Figure 1-2.
F
IGURE
1-2
IWSS Server-Farm Configuration: IWSS Server Installed on
Each VAP and Shared PostgreSQL Database Installed on an
External IWSS Server
Using a shared PostgreSQL database allows you to consistently implement policies
across all IWSS servers installed on the X-Series Platform and generate consolidated
traffic reports for those servers. Hosting the PostgreSQL database on an external Master
server allows the Slave servers on the X-Series Platform to maximize the amount of
APM local disk space used for file scanning, thereby improving overall IWSS
performance.
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
1-6
Table 1-2 on page 1-6 summarizes the use case for the IWSS Server-Farm Configuration
deployment option and its benefits.
T
ABLE
1-2.
Use Case for IWSS Server-Farm Configuration
U
SE
C
ASE
B
ENEFITS
L
IMITATIONS
IWSS VAPs installed with
shared PostgreSQL data-
base stored on external
IWSS server

Provides support for
APM redundancy.

Allows users to
consolidate policy
management and
traffic reporting.

Maximizes IWSS
performance.
None
2-1
Chapter 2
Before Installing InterScan Web
Security Suite
This chapter presents product-specific prerequisites and pre-installation setup required
for installing InterScan Web Security Suite (IWSS) on a Crossbeam Systems X-Series
Platform.
Topics include the following:
• InterScan Web Security Suite Requirements
• X-Series Platform-specific Requirements
• XOS Setup Instructions
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
2-2
InterScan Web Security Suite Requirements
Licensing Requirements
IWSS requires the following licenses:
• InterScan Web Security Suite Anti-Virus and Web Reputation
• InterScan Web Security Suite URL Filtering
• InterScan Web Security Suite Malicious Mobile Code
To obtain access to all IWSS features, you must install all three of the above licenses on
each VAP on the X-Series Platform.
Note:These licenses are required for both Standalone IWSS Configuration and IWSS
Server-Farm Configuration deployments.
Other Requirements
IWSS may require these other components:
• Directory Servers
To configure policies based on LDAP users and groups, IWSS can integrate with
the following LDAP directories:
• Microsoft™ Active Directory™ 2000 and 2003
• Linux OpenLDAP Directory 2.2.16
• Sun™ Java System Directory Server 5.2 (formerly Sun ONE Directory Server)
• Internet Content Adaptation Protocol (ICAP)
IWSS can work with the following ICAP devices:
• NetApp™ NetCache™ release 6.0.1
• Blue Coat Systems™ SGOS version 4 or above
• Cisco Content Engine version 5.3
• Any cache server that is ICAP 1.0 compliant
Before Installing InterScan Web Security Suite
2-3
X-Series Platform-specific Requirements
Hardware Requirements
Table 2-1 lists the X-Series Platform hardware requirements for this application. In
addition, if the application must process heavy traffic or must sustain a large number of
network connections, the application may require more APM memory.
T
ABLE
2-1.
X-Series Platform Hardware Requirements
X-Series Platform Chassis
Models Supported
X40, X80, X45
APM Models Supported APM-8400, APM-8600
Minimum APM Memory 4 GB RAM
CPM Models Supported CPM-8400, CPM-8600
NPM Models Supported NPM-8200, NPM-8210, NPM-8600
APM Local Disk
Requirements

Each APM must have at least one local disk.

If PostgreSQL databases are to be stored on
the APM local disks, and the IWSS VAP group
includes APM-8600s, then Trend Micro and
Crossbeam recommend using two local disks
with a RAID 1 configuration on each APM.
See the XOS Configuration Guide for more
details on configuring RAID settings on local
hard drives installed on APM-8600s.

To maintain IWSS log files, each APM must
have at least 1.7GB of APM local disk space
for every 3 million HTTP requests per day.
This calculation is based on the amount of
disk space that the PostgreSQL database
consumes when HTTP/FTP access logging is
enabled.
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
2-4
Software Version Requirements
The Crossbeam Systems X-Series Platform on which you are installing the IWSS
application must meet the following software version requirements:
• The X-Series Platform must be running XOS version 8.1.
• The VAP group on which the application is to be installed must be configured to
run the xslinux_v3 VAP OS.
XOS Setup Requirements
Before installing IWSS on an X-Series Platform, you must perform the following steps
to configure XOS to support the application.
1.Create and configure a VAP group for the application.
2.Create and configure a management circuit.
3.Create and configure traffic circuits.
4.Save the running configuration.
See XOS Setup Instructions on page 2-5 for more details.
The above XOS configuration components must meet the following requirements:
• The management circuit must be configured with the
increment-per-vap

parameter, even if the IWSS VAP group contains only one VAP.
• If the X-Series Platform is running in Series-2 NPM mode, each circuit configured
with the
increment-per-vap
parameter must also be configured with the
ip-flow-rule-no-failover
parameter.
• The
vap-count
parameter setting must be equal to the
max-load-count
parameter
setting.
• If IWSS is to be serialized with Check Point VPN-1 Power NGX R65, both VAP
groups must be configured to use the
skip-port
or
skip-port-protocol
IP flow
rule.
In Series-2 NPM mode, the IP flow rule,
skip-port
, must be manually configured
for the IWSS VAP group.
In Series-6 NPM mode, the default system IP flow rule,
skip-port-protocol
, is
implemented with a default priority of 21 and is applied to all VAP groups
Before Installing InterScan Web Security Suite
2-5
configured on the X-Series Platform. To keep
skip-port-protocol
enabled, a
VAP group cannot be configured to use an IP flow rule that includes
no
skip-port-protocol
and has a priority higher than 21.
• Only one application (IWSS) can be installed on each VAP group.
• If IWSS or any other application has been uninstalled from an existing VAP group
that includes APMs to be used for the new IWSS installation, it is recommended
that you delete the existing VAP group and create a new VAP group for the new
IWSS installation.
XOS Setup Instructions
Before installing IWSS, you must configure the XOS to support the application. The
following subsections provide instructions for creating the required XOS configuration:
• Create and Configure a VAP Group for the Application
• Create and Configure a Management Circuit
• Create and Configure Traffic Circuits
• Save the Running Configuration
Note:Refer to the Crossbeam Systems XOS Configuration Guide and XOS Command Reference
Guide for instructions on modifying these XOS setup commands to meet your
installation requirements.
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
2-6
Create and Configure a VAP Group for the Application
To create and configure a VAP group for the application, enter the following XOS CLI
commands:
CBS# configure vap-group <VAP_group_name> xslinux_v3
CBS(config-vap-grp)# vap-count <number_of_APMs_in_group>
CBS(config-vap-grp)# ap-list <APM_name1> [<APM_name2>]
[<APM_name3>] ...
CBS(config-vap-grp)# max-load-count <number_of_APMs_in_group>
CBS(config-vap-grp)# ip-flow-rule <flow_rule_name>
CBS(ip-flow-rule)# action load-balance
CBS(ip-flow-rule)# activate
CBS(ip-flow-rule)# end
For example:
CBS# configure vap-group iwss xslinux_v3
CBS(config-vap-grp)# vap-count 2
CBS(config-vap-grp)# ap-list ap1 ap2
CBS(config-vap-grp)# max-load-count 2
CBS(config-vap-grp)# ip-flow-rule iwss_fr
CBS(ip-flow-rule)# action load-balance
CBS(ip-flow-rule)# activate
CBS(ip-flow-rule)# end
WARNING! If you choose to move each server's PostgreSQL database directory to its
APM local disk(s), the X-Series Platform must always load each IWSS
VAP on the same APM in order to keep the database logs consistent. This
means that the X-Series Platform should not fail over an IWSS VAP on to
another APM. You can reduce the risk of APM failover by using the
ap-list command to specify the APMs to be included in the VAP
group, as shown in the example above.
Before Installing InterScan Web Security Suite
2-7
WARNING! Before installing the IWSS application, you must make sure that the
max-load-count setting is equal to the vap-count setting.
Create and Configure a Management Circuit
To create and configure a circuit to manage the application, perform the following steps:
1.Create a management circuit:
CBS# configure circuit <management_circuit_name>
CBS(conf-cct)# device-name <management_circuit_device_name>
CBS(conf-cct-vapgroup)# vap-group <VAP_group_name>
CBS(conf-cct-vapgroup)# ip-flow-rule-no-failover
CBS(conf-cct-vapgroup)# ip <management_IP_addr_of_first_VAP>/<0-32>
<broadcast_IP_address> increment-per-vap
<management_IP_addr_of_last_VAP>
CBS(conf-cct-vapgroup)# end
Note:You must specify the increment-per-vap parameter even if the VAP
group contains only one VAP.
For example:
CBS# configure circuit mgmt
CBS(conf-cct)# device-name mgmt
CBS(conf-cct-vapgroup)# vap-group iwss
CBS(conf-cct-vapgroup)# ip-flow-rule-no-failover
CBS(conf-cct-vapgroup)# ip 192.168.10.124/24 192.165.10.255
increment per vap 192.168.10.125
CBS(conf-cct-vapgroup)# end
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
2-8
2.Assign the circuit to a physical interface (chassis slot # / port #):
CBS# configure interface {fastethernet | gigabitethernet |
10gigabitethernet} <slot_number>/<port_number>
CBS(conf-intf-<iftype>)# logical <logical_name>
CBS(intf-<iftype>-logical)# circuit <management_circuit_name>
CBS(intf-<iftype>-logical)# end
For example:
CBS# configure interface gigabitethernet 1/1
CBS(conf-intf-gig)# logical lgcl11
CBS(intf-gig-logical)# circuit mgmt
CBS(intf-gig-logical)# end
3.Configure a default IP route for the management circuit to use to communicate with
the VAP group:
CBS# configure ip route <first_IP_address_in_range>/<0-32>
<next_hop_IP_address> vap-group <VAP_group_name>
For example:
CBS# configure ip route 0.0.0.0/0 192.168.10.1 vap-group iwss
4.Setup a DNS server for the VAP group:
CBS# configure dns server <DNS_server_IP_address> vap-group
<VAP_group_name>
For example:
CBS# configure dns server 192.168.15.25 vap-group iwss
Create and Configure Traffic Circuits
To allow the X-Series Platform to load-balance incoming traffic across all VAPs in the
IWSS VAP group, you must assign a single, shared IP address to the internal network
side of the VAP group. However, to allow the X-Series Platform to correctly load
balance return packets, you must assign a unique IP address for the external network
side of each VAP, since each VAP's external traffic flows originate from a different
APM.
Before Installing InterScan Web Security Suite
2-9
You assign the VAP group's internal side and external side IP addresses to the traffic
circuit(s) that you configure for the IWSS VAP group and then assign the circuits to one
or more physical interfaces on the NPM. You must create and configure traffic circuits
to support one of the following interface configurations:
• Single-interface configuration— Create and configure a single traffic circuit and
map that circuit to one physical interface used for both internal side traffic and
external side traffic.
• Multiple-interface configuration—Create and configure two circuits and map
each circuit to a different physical interface, one for internal side traffic and one for
external side traffic.
Note:To assign a unique IP address to each VAP for the external side traffic, you must
configure a circuit with the
increment-per-vap
parameter.
See the XOS Configuration Guide and the XOS Command Reference Guide for instructions on
creating advanced circuit and interface configurations.
Create and Configure a Traffic Circuit for a Single-interface
Configuration
To create and configure a traffic circuit for a single-interface configuration, complete the
following steps:
1.Create one circuit for both the internal and external side traffic. Configure the
circuit with the
increment-per-vap
and
alias
parameters. Use the
alias
IP
address for the internal side traffic, and use the
increment-per-vap
IP addresses
for the external side traffic.
CBS# configure circuit <traffic_circuit_name>
CBS(conf-cct)# device-name <traffic_circuit_device_name>
CBS(conf-cct)# vap-group <VAP_group_name>
CBS(conf-cct-vapgroup)# ip-flow-rule-no-failover
CBS(conf-cct-vapgroup)# ip <external_IP_addr_of_first_VAP>/<0-32>
<broadcast_IP_addr> increment-per-vap
<external_IP_addr_of_last_VAP> alias
<shared_internal_IP_addr_for_VAP_group>
CBS(conf-cct-vapgroup)# end
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
2-10
For example:
CBS# configure circuit traffic
CBS(conf-cct)# device-name traffic
CBS(conf-cct)# vap-group iwss
CBS(conf-cct-vapgroup)# ip-flow-rule-no-failover
CBS(conf-cct-vapgroup)# ip 10.201.162.3/23 10.201.163.255
increment-per-vap 10.201.162.6 alias 10.201.162.7/23
CBS(conf-cct-vapgroup)# end
2.Assign the circuit to a physical interface (chassis slot# / port #).
CBS# configure interface {fastethernet | gigabitethernet |
10gigabitethernet} <slot_number>/<port_number>
CBS(conf-intf-<iftype>)# logical <logical_name>
CBS(intf-<iftype>-logical)# circuit <traffic_circuit_name>
CBS(intf-<iftype>-logical)# end
For example:
CBS# configure interface fastethernet 1/4
CBS(conf-intf-gig)# logical trflgcl14
CBS(intf-gig-logical)# circuit traffic
CBS(intf-gig-logical)# end
Before Installing InterScan Web Security Suite
2-11
Create and Configure Traffic Circuits for a Multiple-interface
Configuration
To create and configure traffic circuits for a multiple-interface configuration, complete
the following steps:
1.Create one circuit for the internal traffic interface.
CBS# configure circuit <internal_traffic_circuit_name>
CBS(conf-cct)# device-name <internal_traffic_device_name>
CBS(conf-cct)# vap-group <VAP_group_name>
CBS(conf-cct-vapgroup)# ip
<shared_internal_IP_addr_for_VAP_group>/<0-32>
<broadcast_IP_address>
CBS(conf-cct-vapgroup)# end
For example:
CBS# configure circuit inttraffic
CBS(conf-cct)# device-name inttraffic
CBS(conf-cct)# vap-group iwss
CBS(conf-cct-vapgroup)# ip 10.201.162.3/23 10.201.163.255
CBS(conf-cct-vapgroup)# end
2.Create one circuit for the external traffic interface:
CBS# configure circuit <external_traffic_circuit_name>
CBS(conf-cct)# device-name <external_traffic_device_name>
CBS(conf-cct)# vap-group <VAP_group_name>
CBS(conf-cct-vapgroup)# ip-flow-rule-no-failover
CBS(conf-cct-vapgroup)# ip <external_IP_addr_of_first_VAP>/<0-32>
<broadcast_IP_address> increment-per-vap
<external_IP_addr_of_last_VAP> alias
<shared_internal_IP_addr_for_VAP_group>
CBS(conf-cct-vapgroup)# end
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
2-12
For example:
CBS# configure circuit exttraffic
CBS(conf-cct)# device-name exttraffic
CBS(conf-cct)# vap-group iwss
CBS(conf-cct-vapgroup)# ip-flow-rule-no-failover
CBS(conf-cct-vapgroup)# ip 10.201.164.3/23 10.201.165.255
increment-per-vap 10.201.164.6 alias 10.201.164.7/23
CBS(conf-cct-vapgroup)# end
3.Assign each circuit to a physical interface (chassis slot# / port #).
CBS# configure interface {fastethernet | gigabitethernet |
10gigabitethernet} <slot_number>/<port_number>
CBS(conf-intf-<iftype>)# logical <logical_name>
CBS(intf-<iftype>-logical)# circuit <internal_traffic_circuit_name>
CBS(intf-<iftype>-logical)# end
CBS# configure interface {fastethernet | gigabitethernet |
10gigabitethernet} <slot_number>/<port_number>
CBS(conf-intf-<iftype>)# logical <logical_name>
CBS(intf-<iftype>-logical)# circuit <external_traffic_circuit_name>
CBS(intf-<iftype>-logical)# end
For example:
CBS# configure interface gigabitethernet 1/4
CBS(conf-intf-gig)# logical lgcl14
CBS(intf-gig-logical)# circuit inttraffic
CBS(intf-gig-logical)# end
CBS# configure interface gigabitethernet 1/5
CBS(conf-intf-gig)# logical lgcl15
CBS(intf-gig-logical)# circuit exttraffic
CBS(intf-gig-logical)# end
Before Installing InterScan Web Security Suite
2-13
Save the Running Configuration
Use the following command to save the XOS running configuration that you have just
created:
CBS# wr
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
2-14
3-1
Chapter 3
Installing the Application
This chapter provides instructions for loading and installing the application and for
verifying and troubleshooting the installation.
Note:Be sure you have completed the required XOS configuration procedures described in
the previous chapter before attempting to install InterScan Web Security Suite (IWSS).
Topics include the following:
• Loading the Application
• Installing the Application
• Verifying the Installation
• Troubleshooting the Installation
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
3-2
Loading the Application
Complete the following steps to load the IWSS application on your Crossbeam Systems
X-Series Platform.
1.Log into your X-Series Platform as
root
.
CBS# unix su
Password:
[root@xxxx admin]#
2.Copy the CBI package to the
/crossbeam/apps/archive/
directory on the
CPM.
[root@xxxx admin]# cp iwss-3.1-21-xos.cbi /crossbeam/apps/archive/
3.Verify that the application is loaded on the X-Series Platform.
CBS# show application
App ID: iwss
Name: InterScan Web Security Suite
Version: 3.1
Release: 21-xos
CBI Version: 1.0.1.0
Installing the Application
3-3
Installing the Application
Complete the following steps to install the application on your Crossbeam Systems
X-Series Platform.
1.Run the following command at the XOS CLI prompt:
CBS# application iwss version 3.1 vap-group iwss install
2.When the license agreement is displayed, type
y
and then press ENTER to accept
the license agreement.
3.When prompted to select how IWSS will be installed, enter the number that
corresponds to the IWSS deployment option that you have chosen.
Enter
1
for a Standalone IWSS Server Configuration deployment. Enter
2
for an
IWSS Server-Farm Configuration deployment.
Refer to Deployment Options on page 1-2 for more information on the two
available deployment options.
1. Install IWSS 3.1 and PostgreSQL database on each VAP
2. Install IWSS 3.1 on each VAP, but configure all to use
one PostgreSQL database (This requires a master IWSS
server to be accessible during installation)
Enter your choice: [ ]:
Note:If you select Option 2, you must have an external Linux RHEL server on which
an IWSS server and a PostgreSQL database are installed. The external IWSS
server must be online and accessible to the X Series Platform during IWSS
installation on the Crossbeam X-Series Platform. The external IWSS server will
server as the Master for the Slave IWSS servers on the X-Series Platform. The
Slave IWSS servers will use the database on the Master IWSS server for log
storage and policy retrieval.

See Appendix A, Setting Up an External Master IWSS Server for an IWSS
Server-farm Configuration Deployment, for details on how to setup an external
Master IWSS server.
If you selected Option 1, go to step 6. Otherwise, proceed to the next step.
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
3-4
4.Enter the database information for the external IWSS server:
For example:
Please enter the IP address of the remote IWSS server: []:
192.168.13.7
Please enter the remote database port: [5432]:
Please enter the database name: [iwss]:
Please enter the database account: [sa]:
Please enter the database account password:
Password:
Confirm password:
5.When prompted, enter the access quota lifetime that IWSS will use.
The access quota lifetime defines the time interval at which quota information is
synchronized between each IWSS server's cache and the shared PostgreSQL
database. The default value is 3600 seconds. A value between 10 to 30 seconds is
recommended.
Enter the access quota lifetime IWSS will use (in seconds)
[3600]:
Proceed to step 8.
6.When prompted, enter the password that will be used for the PostgreSQL database.
Please enter the password for the PostgreSQL database:
Password:
Confirm password:
Installing the Application
3-5
7.When prompted, indicate whether you would like to move the PostgreSQL database
directory on each VAP to its APM local disk(s).
WARNING! If you choose y, each VAP’s database directory
(/etc/iscan/postgres) is permanently moved to its APM local
disk(s). If you later wish to move the databases off of the APM local
disks, you must uninstall and reinstall IWSS on the VAP group, and
choose n at the prompt below.
Note:If you wish to enable URL access logging in IWSS, you must choose y to move
the PostgreSQL database(s) to the APM local disks.
Would you like to move the IWSS database directory on the VAP
to the APM local disk: [n]:
8.When prompted, enter the
max_threads_per_proc
value that IWSS will use.
The
max_threads_per_proc
value is the maximum number of worker threads
created for each child process. Every HTTP connection requires at least one
worker thread for IWSS to perform I/O and scanning for that connection. The
default
max_threads_per_proc
value is 500. A value between 250 and 500 is
recommended.
Enter the [http]/max_threads_per_proc value IWSS will use
[500]:
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
3-6
9.When prompted, enter the
max_tpc_proc
value IWSS will use.
The
max_tpc_proc
parameter defines the maximum number of child processes
that the HTTP daemon can fork. The default value is 4.
WARNING! Make sure the APM local disks have enough memory to support the
maximum number of threads that can be spawned. Each thread can
consume between 160 KB to 500 KB of memory.

After installation, you can use the Configuration Menu to gradually
increase the value of this parameter to support more connections.
Note that the IWSS daemon restarts when you apply new parameter
settings.
Enter the [http]max_tpc_proc value IWSS will use [4]:
10.When prompted, indicate whether you wish to make changes to your answers to the
installation interview questions. To rerun the installation interview and change your
answers to the questions, type
y
and press ENTER. To proceed with the
installation, type
n
and press ENTER.
Are any changes needed? [n]: n
At this stage, the IWSS installer is extracted and installed on
every member of the VAP group.
** A reboot is required for the change(s) to take affect. **
Extracting Bundle: [####################] 100% [ ok ]
Installing iwss on VAP iwss_2: [####################] 100% [ ok ]
Installing iwss on VAP iwss_1: [####################] 100% [ ok ]
Installing the Application
3-7
11.Reload the VAP group.
CBS# reload vap-group <VAP_group_name>
The X-Series Platform reloads the VAP group and moves the following folders to
the APM local disk(s) for each VAP. Note that local disk names may be in the
format of
aplocaldisk1
or
aplocaldisk2
depending on your APM type and
configuration.

/etc/iscan/tmp ' /mnt/aplocaldisk/iwss/tmp

/etc/iscan/tmufe ' /mnt/aplocaldisk/iwss/tmufe

/etc/iscan/log ' /mnt/aplocaldisk/iwss/log
Note:The X-Series Platform stores the above folders on the APM local disks,
regardless of the selected deployment option.
12.Save the running configuration.
CBS# wr
Verifying the Installation
Execute the following command to verify the operational state of the application:
CBS# show application vap-group <VAP_group_name>
The following example displays the operational state of the application on a VAP group
named
iwss
:
CBS# show application vap-group iwss
VAP Group : iwss
App ID : iwss
Name : InterScan Web Security Suite
Version : 3.1
Release : 21-xos
Start on Boot : yes
iwss_1 : running
iwss_2 : running
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
3-8
Troubleshooting the Installation
If the IWSS installation fails, log into each VAP and look for the files
/tmp/iwss_install.out
and
/tmp/install.log
. These files contain records of
the most recent IWSS installation and list any errors that occurred during installation.
4-1
Chapter 4
Application Management
This chapter provides information about basic application management controls. For
additional information, refer to the XOS Command Reference Guide.
Topics include the following:
• XOS CLI Commands for Basic Application Management
• Show Application CLI Command
• The IWSS Configuration Menu
• Application Uninstallation
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
4-2
XOS CLI Commands for Basic Application
Management
Figure 4-1 lists the XOS CLI commands that you can use to perform basic application
management tasks.
Note:All VAPs in the InterScan Web Security Suite (IWSS) VAP group must be “UP” for
the following
start
,
stop
, and
restart
commands to take effect.
T
ABLE
4-1.
CLI Commands for Basic Application Management
C
OMMAND
F
UNCTION
application iwss vap-group
<VAP_group_name> configure
Reconfigure the parameter settings for
the IWSS application.
application iwss vap-group
<VAP_group_name> start
Start the application.
application iwss vap-group
<VAP_group_name> stop
Stop the application.
application iwss vap-group
<VAP_group_name> restart
Restart the application.
application-update vap-group
<VAP_group_name>
Update the VAP group. Use this com-
mand each time you increment the
VAP count after the initial application
installation. The command installs the
IWSS application on the newly created
VAPs.
show application [vap-group
<VAP_group_name>]
Display the status of the applications
installed on all VAP groups, or display
the status of the application installed
on the specified VAP group.
Application Management
4-3
Show Application CLI Command
Use the
show application
command to display the status of the VAP group on
which you have installed IWSS. For example, the following command displays the status
of the IWSS application on a VAP group named
iwss
.
CBS# show application vap-group iwss

Start on Boot
indicates whether the application will start during VAP boot (
yes
) or
not (
no
).
Start on Boot
is enabled at install time and when the user runs the
application iwss vap-group <VAP_group_name> start
CLI command. Similarly,
Start on Boot
is disabled when the user runs the
application iwss vap-group
<VAP_group_name> stop
CLI command.
The command also shows the application’s status (
running
or
stop
) for each VAP in
the VAP group. The XOS health system polls the application every five seconds to
determine the application’s state and reports it to the CLI.
VAP Group: iwss
App ID: iwss
Name: InterScan Web Security Suite
Version: 3.1
Release: 21-xos
Start on Boot: yes
iwss_1: running
iwss_2: running
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
4-4
The IWSS Configuration Menu
You can use the IWSS Configuration Menu to reconfigure the IWSS application
parameter settings that you specified during the IWSS installation interview.
To access the Configuration Menu and reconfigure IWSS application parameter settings,
perform the following steps:
1.Enter the following XOS CLI command:
CBS# application iwss vap-group <VAP_group_name> configure
The IWSS Configuration Menu appears:
InterScan Web Security Suite Configuration Menu
1. Reconfigure access quota lifetime
2. Reconfigure [http]/max_threads_per_proc in intscan.ini
3. Reconfigure [http]/max_tpc_proc in intscan.ini
4. Exit
2.Select the option that corresponds to the parameter setting you want to change, and
enter the new parameter value when prompted.
For example, the following commands change the
max_threads_per_proc

parameter setting from 500 to 300:
Enter choice: 2
Enter the new max_threads_per_proc value [500]: 300
3.Repeat steps 1 and 2 for each parameter you wish to change.
4.Type
4
to exit the Configuration Menu.
5.When prompted, type
y
and press ENTER to reload the VAP group and apply the
configuration changes, as shown in the following example.
Enter choice: 4
Apply changes? [y]: y
** A restart is required for the change(s) to take affect. **
Configuring iwss on VAP iwss_2: [####################] 100% [ ok ]
Configuring iwss on VAP iwss_1: [####################] 100% [ ok ]
Application Management
4-5
Application Uninstallation
WARNING! When IWSS is uninstalled, all its files and directories are deleted,
including those that are stored on the APM local disks.
Use the following procedure to uninstall the IWSS application:
1.Type the following XOS CLI command:
CBS# application iwss version 3.1 vap-group <VAP_group_name>
uninstall
This command uninstalls the IWSS application from the specified VAP group. The
CLI displays the progress of the uninstallation and prompts you to reboot the VAP
group when the uninstallation is complete.
For example, the following command uninstalls the IWSS 3.1 application from a
VAP group called iwss, which has two VAPs:
CBS# application iwss version 3.1 vap-group iwss uninstall
Trend Micro, InterScan Web Security Suite 3.1 release 21-xos
Stopping iwss on VAP iwss_2: [####################] 100% [ ok ]
Stopping iwss on VAP iwss_1: [####################] 100% [ ok ]
Uninstalling iwss on VAP iwss_2: [####################] 100% [ ok ]
Uninstalling iwss on VAP iwss_1: [####################] 100% [ ok ]
** A reboot is required for the change(s) to take affect. **
2.Reload the VAP group.
CBS# reload vap-group <VAP_group_name>
Note:If you wish to uninstall the application from multiple VAP groups, you must
repeat steps 1 and 2 for each VAP group.
3.Optionally, remove the application file (CBI) from the CPM
(/crossbeam/apps/archive).
CBS# application-remove iwss
Trend Micro™ InterScan™ Web Security Suite for Crossbeam X-Series Installation Guide
4-6
A-1
Appendix A
Setting Up an External Master IWSS
Server for an IWSS Server-farm
Configuration Deployment
Before installing Slave InterScan Web Security Suite (IWSS) servers on an X-Series
Platform as part of an IWSS server-farm configuration, you must first install and
configure the Master IWSS server on an external Red Hat Enterprise Linux (RHEL)
server.
To install and configure an external Master IWSS server for Slave IWSS servers that are
to be installed on an X-Series Platform, perform the following steps:
1.On a Red Hat Enterprise Linux (RHEL) server, download the IWSS Linux installer
from www.trendmicro.com
.
2.Extract the contents of the installer to a temporary directory and execute the script
install_iwss.sh
.
3.Follow the prompts. Make sure to accept the defaults so that a PostgreSQL database
is installed locally.
4.Log in to the IWSS Web console (
http://<IWSS_IP_address>:1812
).
Username is
admin
and default password is
adminIWSS85
.
Trend Micro™ InterScan™ Web Security Virtual Appliance™ Administrator’s Guide
A-2
5.From the main IWSS menu, select Administration > IWSS Configuration >
Server Farm.
6.Under Server Configuration, select Enable for use in a multiple IWSS server
configuration and click Save. This configures the Master IWSS server to propagate
its in-memory block lists across all slave IWSS servers in the server-farm.
7.From the RHEL server command, open the file,
/etc/iscan/postgres/pgdata/pg_hba.conf
for editing in vi or another
text editor.
8.To allow Slave IWSS servers installed on the X-Series Platform to connect to the
local PostgreSQL database on the RHEL server, add the following line at the end of
the
pg_hba.conf
file:
host all all <network> <network subnet> password
Where:
Note: Refer to XOS Setup Instructions on page 2-5 for information on configuring a VAP
group for the IWSS application and configuring a management circuit for that VAP
group.
For example:
host all all 192.168.13.0 255.255.255.0 password
9.Save the file.
10.Restart IWSS services on the RHEL server.
/usr/iwss/rcIwss restart
network
This is the network that includes the IP addresses
assigned to the management circuit configured for
the IWSS VAP group on the X-Series Platform.
network subnet
This is the subnet that includes the management
circuit IP addresses configured for the IWSS VAP
group on the X-Series Platform.