You are on page 1of 113

NWD-102886-15E

P ASOLINK

PNMSj+

N ETWORK
Installation Manual
(Windows Server 2008,
Windows Server 2008 R2,

M ANAGEMENT
Windows Server 2012 R2)

S YSTEM

NEC Corporation
Copyright © 2010
NWD-102886

Table of Contents

1. Installation Sequence················································································· 1

2. LAN Setting ····························································································· 2

3. SNMP Service Setting ················································································ 4

3.1. To Remove SNMP Service ································································4


3.2. To Stop SNMP Service ··································································· 13
4. PNMSj+ Setup ························································································ 16

5. Firewall Setup ························································································ 23

5.1. For Windows Server 2008 ······························································ 23


5.2. For Windows Server 2008 R2, Windows Server 2012 R2························ 27
6. Configuring the PNMSj+ Server································································· 32

7. Launching PNMSj+ ················································································· 35

Appendix A Security Setting ··········································································· 38

A-1 Installing Data Storage Encryption Software ······································ 38


A-2 BIOS Password Setting ·································································· 38
A-3 Setting for Cycle of Password Modification and Expiration Date ············· 38
A-4 OS User Account Security Policy Setting ············································ 42
A-5 Time Out Restriction Setting of Unused Session··································· 44
A-5-1 Screen saver setting···············································································44
A-5-2 HTTP/HTTPS timeout setting ·································································47
A-6 The Application Automatic Start on the removable media Unable Setting ·· 48
A-7 Port Restriction Setting ································································· 50
A-7-1 Port Opening Setting ·············································································50
A-7-2 Port Closing Setting ··············································································56
A-8 Uninstallation of unused application ················································· 62
A-9 User’s SID Confirmation································································ 66
A-10 Disapproval Setting of Trusted Host Support ······································ 67
A-11 Deletion Setting of Current Directory Description for Path Environment
Variable ····························································································· 69
A-12 The Setting which only the User of an Administrator right permits access to
a Setting File ······················································································· 72
A-13 The Communication Encryption Setting of the File Sharing with VPN ······ 78
A-13-1 VPN Setting for PNMSj+ Server ························································79
A-13-2 VPN Setting for PNMSj+ Client ························································87
A-13-3 Confirm VPN connection between PNMSj+ Server and Client ···············99

-i-
NWD-102886

A-14 Setting to Delete Default Contents ·················································· 101


A-15 The measure setting of the Clickjacking aggressive····························· 102
A-16 Setting to use the certificate of Web Application issued by the Certification
Authority which is recognized by the Client ·············································· 104
A-17 Setting to Restrict Access of External Search for Filed and Contents······· 105
A-18 Web Browser Setting ··································································· 106
A-19 SSH Security Setting ····································································110

- ii -
NWD-102886

1. Installation Sequence
Only Administrator group privilege level users are authorized to configure the following settings:

Step 1: Ethernet option


LAN setting(s)

Step 2:
SNMP service setting(s)

Step 3:
Pasolink Network Management System (PNMS)
setup

Step 4:
Firewall Setup

Step 5:
Configuring the PNMSj+ Server

Step 6:
Launching PNMS

-1-
NWD-102886

2. LAN Setting
(1) For Windows Server 2008, Windows Server 2008 R2 :
In the Network Connections window, right-click [Local Area Connection] and select
[Properties].
For Windows Server 2012 R2 :
In the Network Connections window, right-click [Ethernet] and select [Properties].

(2) Verify that the Internet Protocol (TCP/IP) checkbox is checked in the Local Area Connection
Properties window. Click [Properties].

-2-
NWD-102886

(3) Verify that the Use the following IP address is selected and input IP address (IPv6: IPv6
address), Subnet mask (IPv6: Subnet prefix length), and Default gateway assigned to the
PNMSj+ server machine. Click on [Advanced...].

(4) Verify that the values input in (3) above are displayed inside the page of IP Settings tab.

-3-
NWD-102886

3. SNMP Service Setting

NOTE
It is necessary to stop or remove the SNMP Service if it
already been installed.

3.1. To Remove SNMP Service

3.1.1 For Windows Server 2008, Windows Server 2008 R2

(1) Click Programs and Features in the Control Panel window.

(2) In the Programs and Features window, click on Turn Windows features on or off.

-4-
NWD-102886

(3) Select Features out of the Tree on the left side and click Remove Features which appears to the
right.

(4) The Remove Features Wizard window appears. Uncheck the checkbox from the SNMP
Services list, then click [Next>].

-5-
NWD-102886

(5) Confirm that the Simple Network Management Protocol is not checked then click [OK].
Return to above window and click [Remove].

(6) During Removal, this the following window will be displayed.

-6-
NWD-102886

(7) After the Results window click the [Close] to restart the computer.

(8) After the restart, click [Close] to complete the removal of SNMP Services.

-7-
NWD-102886

3.1.2 For Windows Server 2012 R2

(1) Click Turn Windows features on or off in the Control Panel window.

(2) Select Manage  Remove Roles and Features in the Server Manager window.

-8-
NWD-102886

(3) The Remove Roles and Features Wizard window appears. Click [Next>].

(4) Select local machine from the list and click [Next>].

-9-
NWD-102886

(5) Remain the default setting. Click [Next>].

(6) Uncheck the checkbox from the SNMP Services list.

- 10 -
NWD-102886

The following window appears. Click [Remove features].

(7) Click [Next>].

- 11 -
NWD-102886

(8) Click [Remove].

(9) When the removal is completed, click [Close] and restart the server machine.

- 12 -
NWD-102886

3.2. To Stop SNMP Service


(1) To stop SNMP Service, click Administrative Tools in the Control Panel window.

(2) Click Services from the list in the Administrative Tools window.

- 13 -
NWD-102886

(3) Confirm that the SNMP Service and SNMP Trap Service are installed and started automatically.
Select Action  Properties on the menu bar in the Services window, or right-click SNMP
Service / SNMP Trap Service and then click Properties in the SNMP Service / SNMP Trap
Service pop-up menu.

(4) Select the Manual from the Startup type field and click on Stop button in the Service status area
of the General tab. Click [OK] or [Apply].

- 14 -
NWD-102886

(5) Confirm that both SNMP Service and SNMP Trap Service are Stopped, and the startup
condition for each is shown as Manual.

(6) Restart the server machine.

When Shutdown Event Tracker is active, make following changes to the settings and click [OK].
Option : Check off Planned and select Other (Planned).
Comment : To change settings

- 15 -
NWD-102886

4. PNMSj+ Setup

NOTE
If PNMSj+ software has already been installed, please
uninstall it before installing a new version.

(1) Specify the folder for the PNMSj+ installation software. Double-click on either install.exe (for
32bit OS) or install_64.exe (for 64bit OS).
(The installer can be found in the PnmsSetupDisk (Rev.x.xx.xxx.xxx) folder)
(“ x.xx.xxx.xxx “ denotes the respective PNMSj+ Version)

(2) The following window is displayed during the loading progress.

- 16 -
NWD-102886

(3) Introduction window appears. Click [Next].

(4) License Agreement window appears. Select “I accept the terms of the License Agreement”
after confirming the contents, and click [Next].

- 17 -
NWD-102886

(5) Specify the directory where the PNMSj+ is to be installed. Click [Next].
 Restore Default Folder:
Click this button to revert to default folder
 Choose:
Click this button to select another directory

NOTE
The default path is C:\PNMSj. It is not possible to include
a multi byte character, blank space (e.g. as in “Program
Files”), or the following characters. (C denotes the
directory where the currently running OS is installed)
!" # $ % * , / : ; < = > ? [ \ ] ^ ` { | }

- 18 -
NWD-102886

(6) Specify the License Key file if available. Click [Next].


 Restore Default File:
Click this button to revert to default file
 Choose:
Click this button to choose the license key file

NOTE
If no license key file is available, Application will run in trial
mode.

IMPORTANT: IMMEDIATE IMPORT OF LICENSE


You may use the PNMSj+ on a trial basis for 30 days. If this
period is passed the PNMSj+ can be operated To obtain the
license, please contact NEC.

- 19 -
NWD-102886

(7) Specify the directory for storing PNMSj+ log files. Click [Next].
 Restore Default Folder:
Click this button to revert to default folder
 Choose:
Click this button to select another directory

NOTE
The default path is <PNMSj+ Install Directory> when a
Stored Directory is not specified. It is not possible to
include blank spaces as in “Program Files”.

- 20 -
NWD-102886

(8) Click [Install].

(9) During installation, this window is displayed.

- 21 -
NWD-102886

(10) Click [Done] to close the PNMSj+ installation wizard.

- 22 -
NWD-102886

5. Firewall Setup

5.1. For Windows Server 2008

(1) Click Windows Firewall in the Control Panel window.

(2) Click Allow a program through Windows Firewall.

- 23 -
NWD-102886

(3) Click on [Add program...] button.

(4) Click on [Browse...].

- 24 -
NWD-102886

(5) Select javaw.exe from following PNMSj+ installation sub-folder the click [Open].
Path: [PNMSj+ installation folder]\jre\bin\javaw.exe

(6) Select javaw and click [OK].

- 25 -
NWD-102886

(7) Confirm that javaw checkbox has been checked.

- 26 -
NWD-102886

5.2. For Windows Server 2008 R2, Windows Server 2012 R2

(1) Click System and Security in the Control Panel window.

(2) Click Windows Firewall in the System and Security window.

- 27 -
NWD-102886

(3) For Windows Server 2008 R2 : Click Allow a program or feature through Windows Firewall.
For Windows Server 2012 R2 : Click Allow an app or feature through Windows Firewall.

(4) Click on [Allow another program...] button.

- 28 -
NWD-102886

(5) Click on [Browse...].

- 29 -
NWD-102886

(6) Select the javaw.exe from the following PNMSj+ installed directory sub-folder and click
[Open].
Path: [PNMSj+ installation folder]\jre\bin\javaw.exe

(7) Select Java(TM) Platform SE binary and click [Add].

- 30 -
NWD-102886

(8) Confirm that the Java(TM) Platform SE binary checkbox has been checked.
Note:
The both boxes under Home/Work (Private) and Public categories has to be checked off.

- 31 -
NWD-102886

6. Configuring the PNMSj+ Server

In order to make a Client connection to PNMSj+ application, it’s necessary to edit the related jnlp
files on the server.

NOTE
PNMSj+ related xxxx.jnlp files need to be edited on the
PNMSj+ PC server.

There is a Tool packed with Application package which can perform automatically editing.
The following 8 files will be edited by running this Tool (batch).
Pnms.properties
Pnms.lax
Pnmsj.jnlp
PnmsjServer.jnlp
PnmsDirect.jnlp
PnmsLinkSummary.jnlp
NetworkSetting.jnlp
HistoryViewer.jnlp

(1) Double click tool booting Bat file (InitialConnectionSetting.bat) located under the directory
<PNMSj+ installed folder>\bin.

- 32 -
NWD-102886

(2) InitialConnectionSetting dialogue box will appear. Select Primary IP Address from IP Address in
pull-down menu.

(3) Select either Protocol of "HTTP" or "HTTPS" and click [OK].

NOTE
The initial protocol setting is selected to "HTTP". If Client is
required to select with "HTTPS" protocol, it is also necessary
to apply the setting described in APPENDIX B of PNMSj+
HTTP Server Installation Manual (Windows Server 2008,
Windows Server 2008 R2, Windows Server 2012 R2) Manual.

NOTE
Alias must match the Alias setting of IIS.
Please refer to "PNMSj+ HTTP Server Installation Manual
(Windows Server 2008, Windows Server 2008 R2, Windows
Server 2012 R2)" for Alias setting of IIS.
(When operating in a redundant configuration, set Alias of
Primary and Secondary to the same setting.)

- 33 -
NWD-102886

(4) Confirmation dialogue will appears and click [OK].

(5) If Initial Connection Setting dialogue box has still been remaining, please click [Cancel].

- 34 -
NWD-102886

7. Launching PNMSj+

NOTE
Before Launching PNMSj+, please execute the procedure of
Server_Win Manual.

(1) Click Start  PNMSj+  Pnms to start the application.

(2) Enter a valid <User name> and the appropriate <Password>.


And click [login].
User name: (Default User name : admin)
Password: (Initial Password: ADMINISTRATOR)

NOTE
From the next "PNMSj+" login, you can use user name which is
“admin” and new password set by you.

Step (3) to (5) are the setting procedure only for the first time startup.

- 35 -
NWD-102886

(3) Click [OK] when the following dialogue box appears.

(4) Please enter the initial password in the text box of Old password and set up new password, then
click [OK].

(5) Please click [OK] on the dialogue of "Change password successfully".

(6) PNMSj+ will appears.

- 36 -
NWD-102886

NOTE
If another application is using the SNMP Port, application
initialization will not be possible. Instead, application will show
following message and then will shut down.

- 37 -
NWD-102886

Appendix A Security Setting

It's recommended to set the following procedure in order to reinforce the security of PNMSj+.
But, this setting isn't essential setting.

A-1 Installing Data Storage Encryption Software


When encrypting data storage, you need to install encryption software. Refer to the manual of your
software in use for the installation and setting procedure.

NOTE
When PNMSj+ is in the UNMS server and you already set
J-14 Installing Data Storage Encryption Software of UNMS
Installation Manual, skip the following steps.

NOTE
The PNMSj+ may not work properly if the files related to the
PNMSj+ are encrypted.

A-2 BIOS Password Setting


You need to set a password on the BIOS setting window so that the BIOS might not be easily changed.
Refer to the BIOS manual of the terminal since the setting method differs depending on the terminal in use.

NOTE
When PNMSj+ is in the UNMS server and you already set J-2
BIOS Password Setting of UNMS Installation Manual, skip
the following steps.

A-3 Setting for Cycle of Password Modification and Expiration Date


Set the Password History Count and the Password Expiration Date for user account.

NOTE
When PNMSj+ is in the UNMS server and you already set J-6
OS User Account Password Expiration Date Setting of UNMS
Installation Manual, skip the following steps.

NOTE
On PNMSj+, the default value of the Password History Count
is "12" times and the default value of the Password Expiration
Date is "180" days. You need to unify the Password History
Count and the Password Expiration Date among the OS and
PNMSj+.

- 38 -
NWD-102886

(1) Select [Start]  [Control Panel]  [Administrative Tools]  [Local Security Policy].

(2) Local Security Policy window appear. Select [Security Settings]  [Account Policies] 
[Password Policy]. Double-click "Enforce password history".

- 39 -
NWD-102886

(3) Enforce password history Properties window appear. Enter "12" password remenberd. Click
[OK] in the Enforce password history Properties window.

(4) Double-click "Maximum password age"in the Local Security Policy window.

- 40 -
NWD-102886

(5) Maximum password age Properties window appear. Enter "180" days. Click [OK] in the
Maximum password age Properties window.

(6) Close the Local Security Policy.

- 41 -
NWD-102886

A-4 OS User Account Security Policy Setting


In case of using Password, it have to be protected from the brute force attack which try to tear a password
as well as dictionary attack.
To meet this security condition, set to make the account lock by the restriction count of authentication
failures for OS user's account and PNMSj+ user's account.

NOTE
When PNMSj+ is in the UNMS server and you already set J-7
OS User Account Lock Threshold Setting of UNMS
Installation Manual, skip the following steps.

(1) Select [Start]  [Control Panel]  [Administrative Tools]  [Local Security Policy].

- 42 -
NWD-102886

(2) Local Security Policy window appear. Select [Security Settings]  [Account Policies] 
[Account lockout Policy]. Double-click "Account lockout threshold".

(3) Account lockout threshold window appear. Enter "5" invalid logon attempts. Click [OK] in the
Account lockout threshold window.

(4) Close the Local Security Policy window.

- 43 -
NWD-102886

A-5 Time Out Restriction Setting of Unused Session


A session has to be ended after the duration time passed.
To meet this security condition, set the setting of a screen saver and the setting of Time-out Value.

NOTE
When PNMSj+ is in the UNMS server and you already set J-5
Automatic Logoff Time Setting of OS User Account of UNMS
Installation Manual, skip the following steps.

A-5-1 Screen saver setting

(1) Select [Start]  [Control Panel] [Display].

- 44 -
NWD-102886

(2) Select [Change screen saver].

(3) Screen Saver Settings window appear. Select type of Screen saver. Set timeout value and check
the "On resume, display logon screen".

- 45 -
NWD-102886

(4) Click [OK] on the Screen Saver Settings window.

- 46 -
NWD-102886

A-5-2 HTTP/HTTPS timeout setting

NOTE
When PNMSj+ is in the UNMS server, skip the following
steps.

(1) Select [Start]  [Control Panel]  [System and Security]  [Administrative Tools] 
[Internet Infomation Services(IIS) Manager].
(2) Select local computer. Default Web Site will appear in the Description field. Select "Advanced
Settings..." in the Action field.

(3) Advanced Settings window appear. Set the value "Limit – Connection Time-out (seconds)".

- 47 -
NWD-102886

(4) Click [OK] in the Advanced Settings window.

A-6 The Application Automatic Start on the removable media Unable Setting
The Application Automatic Start on the removable media have to deactivate.
To meet this security condition, invalidate the Automatic Start on the removable media.

NOTE
When PNMSj+ is in the UNMS server and you already set -10
Disapproval Setting of Automatic Execution for Application
on Removable Media of UNMS Installation Manual, skip the
following steps.

- 48 -
NWD-102886

(1) Select [Start]  [Control Panel]  [AutoPlay].

(2) Uncheck the checkbox of "Use AutoPlay for all media and devices", and click [Save].

- 49 -
NWD-102886

A-7 Port Restriction Setting


It's necessary to open the port used by PNMSj+ and block a port besides that up.
Refer to APPENDIX F: REGARDING TCP, UDP USED BY PNMSJ+ SERVER on Operation Manual for
the port used by PNMSj+.

NOTE
When PNMSj+ is in the UNMS server, it is necessary to open
the port of UNMS Installation Manual Appendix A: Firewall
Setting.

NOTE
If the system is used at the IPv6 configuration, please allow
ICMPv6 in the Firewall setting.

A-7-1 Port Opening Setting


(1) On the desktop of PNMSj+ Server, select [Start]  [Server Manager].
(2) Click the "Local Server".

- 50 -
NWD-102886

(3) Click the "Windows Firewall" setting.

(4) The Windows Firewall window opens. Select "Advanced settings" on the Windows Firewall
window.

- 51 -
NWD-102886

(5) The "Windows Firewall with Advanced Security" window opens.

In case of setting Inbound Rule, select "Inbound Rules", and then in case of setting Outbound,
select "Outbound Rules".

- 52 -
NWD-102886

(6) Click "New Rule...".

(7) "New Inbound Rule Wizard" window opens. Select "Port" on "New Inbound Rule Wizard", and
click the [Next].

- 53 -
NWD-102886

(8) Select TCP or UDP, and click the [Next] after input the port number in "Specific local ports".

(9) Select "Allow the connection", and click the [Next].

- 54 -
NWD-102886

(10) Select all of "Domain", "Private" and "Public", and click the [Next].

(11) Input any name by your own discretion in "Name", and click the [Finish].

- 55 -
NWD-102886

(12) The validated regulation is added in Windows Firewall with Advanced Security window.

A-7-2 Port Closing Setting


(1) On the desktop of PNMSj+ Server, select [Start]  [Server Manager].
(2) Click the "Local Server".

- 56 -
NWD-102886

(3) Click the setting of "Windows Firewall".

(4) The Windows Firewall window opens. Select "Advanced settings" on the Windows Firewall
window.

- 57 -
NWD-102886

(5) The "Windows Firewall with Advanced Security" window opens.

In case of setting Inbound Rule, select "Inbound Rules", and then in case of setting Outbound,
select "Outbound Rules".

From next picture, indicates a setting window by "Outbound Rules".

(6) Click the "New Rule..." button.

- 58 -
NWD-102886

(7) "New Inbound Rule Wizard" window opens. Select "Port" on "New Inbound Rule Wizard" and
click the [Next] button.

(8) Select TCP or UDP and click the [Next] button after input the port number in "Specific local
ports".

- 59 -
NWD-102886

(9) Select "Block the connection", and Click the [Next] button.

(10) Select all of "Domain", "Private" and "Public", and click the [Next] button.

- 60 -
NWD-102886

(11) Input any name by your own discretion in "Name", and click the [Finish] button.

(12) The regulation made in Windows Firewall with Advanced Security window, which is added as
[Block] in "Actions".

- 61 -
NWD-102886

A-8 Uninstallation of unused application


Confirm unused application and uninstall it.

NOTE
Never delete the following applications because PNMSj+
needs them absolutely.

Application Name Program Name Service name


PNMSj+ PNMSj+ -
W3SVC(World Wide Web Publishing Service)
IIS -
WAS(Windows Process Activation Service)
File sharing - Server
Task Scheduler - TaskScheduler
SquidNT Squid Squid for Windows
Internet Explorer - -

NOTE
When PNMSj+ is in the UNMS server, never delete the
applications of UNMS Installation Manual J-11 Uninstallation
of unused application.

- 62 -
NWD-102886

The confirmation procedure of an installed program is as follows:

(1) Click Programs in the Control Panel window.

(2) Click Programs and Feature in the Programs window.

- 63 -
NWD-102886

(3) Programs and Feature window appear. Confirm programs are used by PNMSj+.

The confirmation procedure of an installed service is as follows:

(1) Click Administrator Tools in the Control Panel window.

- 64 -
NWD-102886

(2) Click Services in the Administrator Tools window.

(3) Confirm services are used by PNMSj+.

- 65 -
NWD-102886

A-9 User’s SID Confirmation


Confirm the SID (Security ID) of the user distinction ID for Windows each system account uses.

NOTE
When PNMSj+ is in the UNMS server and you already set J-3
Confirmation of the user management ID of UNMS
Installation Manual, skip the following steps.

(1) Open Command Prompt.


(2) Execute the following command.
whoami /USER

- 66 -
NWD-102886

A-10 Disapproval Setting of Trusted Host Support


The support to the Trusted Host have to set invalid.
To meet this security condition, delete the setting of the Trusted Host.

NOTE
When PNMSj+ is in the UNMS server and you already set
J-12 Disapproval Setting of Trusted Host Support of UNMS
Installation Manual, skip the following steps.

(1) Open the Windows PowerShell.


(2) Execute the next command, confirm whether the Trusted Host has been registered or not. If the
Trusted Host has been registered, the value is indicated under the item of "Value".
Get-Item wsman:\localhost\Client\TrustedHosts

- 67 -
NWD-102886

(3) If the Trusted Host has been registered, execute the following command and it's cleared.
Clear-Item wsman:\localhost\Client\TrustedHosts

(4) Enter "y", push down [Enter] key.

- 68 -
NWD-102886

A-11 Deletion Setting of Current Directory Description for Path Environment Variable
Don't include the current directory in the Path Variable for All Account.
To meet this security condition, delete the current directory from the Path Variable.

NOTE
When PNMSj+ is in the UNMS server and you already set
J-13 Deletion Setting of Current Directory Description for
Path Environment Variable of UNMS Installation Manual,
skip the following steps.

(1) Select [Start]  [Control Panel]  [System and Security]  [System]  [Advanced system
settings].

- 69 -
NWD-102886

(2) Click the [Environment Variables] button on Advanced Tab in System Properties window.

(3) Environment Variables window appear. Check that there is no environment variable containing
the current directory "." in the Value field of the System variables part. Check value field of all
System variables.

If there is the value of environment variable containing the current directory ".", execute the
following procedure.

- 70 -
NWD-102886

(4) Select an environment variable containing the current directory and click [Edit]. (Don’t delete
the system variable itself.)
(5) Delete "." in the Variable value field of the Edit System Variable window and click [OK].

Example) Delete the current directory "." in Variable value.


(Before)

(After)

(6) Click [OK] in the Environment Variables window. Click [OK] in the System Properties window.

- 71 -
NWD-102886

A-12 The Setting which only the User of an Administrator right permits access to a Setting File
The setting which restricts access restriction of PNMSj+ installation folder to the following user/a group.

Group/User Permission
Full Modify Read & List Read Write
control execute folder
contents
SYSTEM ✓ ✓ ✓ ✓ ✓ ✓
Administrators ✓ ✓ ✓ ✓ ✓ ✓
IUSR(*1) - - ✓ ✓ ✓ -
IIS_IUSRS(*1) - - ✓ ✓ ✓ -
VPN_User(*2) - - ✓ ✓ ✓ -
(*1) When PNMSj+ is in the UNMS server, these user’s setting is unnecessary.
(*2) This user is the user added "A-13 The Communication Encryption Setting of the File Sharing
with VPN".

Permission which becomes "✓" is permitted.

- 72 -
NWD-102886

(1) Right-click PNMSj+ install folder, select Properties.


Example)C:\PNMSj

(2) Select Security tab in the PNMSj Propeties window, and click [Edit].

- 73 -
NWD-102886

(3) Permissions for PNMSj window appear. Select Users group and click [Remove].

(4) If there is Everyone user, delete it. Select Everyone and click [Remove].
(If 3. File sharing setup of Server Setting Manual is being put into effect, there is Everyone
User.)

NOTE
When PNMSj+ is in the UNMS server, skip the following
steps.

(5) Click [Add] to add user for IUSER.

- 74 -
NWD-102886

(6) Users or Groups window appear. Enter "IUSR" at "Enter the object names to select" field, and
click [OK].

(7) Select "IUSR" at "Group or user names" field, and check the checkbox to "Allow" of "Read &
execute", "List folder contents" and "Read".

- 75 -
NWD-102886

(8) Click [Add] to add user for IIS_IUSRS.

(9) Users or Groups window appear. Enter "IIS_IUSRS" at "Enter the object names to select" field,
and click [OK].

- 76 -
NWD-102886

(10) Select "IIS_IUSRS" at "Group or user names" field, and check the checkbox to "Allow" of
"Read & execute", "List folder contents" and "Read".

(11) Click [OK] in the Permissions for PNMSj window. Click [OK] in the PNMSj Properties
window.

- 77 -
NWD-102886

A-13 The Communication Encryption Setting of the File Sharing with VPN
It is the setting to encrypt the Communication of the File Sharing by VPN of Windows.

NOTE
When this setting is put into effect, it's necessary to make the
OS user account of the same name on the PNMSj+ Server
Machine and the PNMSj+ Client Machine. It's also necessary
to put "A-12 The Setting which only the User of an
Administrator right permits access to a Setting File" into
effect.

[Before VPN Setting]


(1) Right-click PNMSj+ install folder, select Properties.
Example)C:\PNMSj

(2) Select Security tab in the PNMSj Propeties window, and click [Edit].

(3) Permissions for PNMSj window appear. Select Everyone and click [Remove].

(4) Make user account of Windows OS. (Example: "VPN_User")


 This user account is used for VPN exclusive account.
In this section, the user name of the VPN exclusive account is specified as "VPN_User".

- 78 -
NWD-102886

A-13-1 VPN Setting for PNMSj+ Server

(1) Select [Start]  [Control Panel]  [Network and Internet]  [Network and Sharing
Center]  [Change adapter settings].

(2) Click [Alt] key, and Select [File]  [New Incoming Connection...]

- 79 -
NWD-102886

(3) Check the checkbox of OS user account who start PNMSj+ in the Who may connect to this
computer? Window, and click [Next].

(4) Click [Next] in the How will people connect? Window.

- 80 -
NWD-102886

(5) Click [Allow access] in the Networking Software allows this computer to accept connections
from other kinds computers window.

(6) Click [Close] in the The people you chose can now connect to this computer winodow.

(7) Right-click the PNMSj+ install folder, and select "Share with"  "Specific people...".

- 81 -
NWD-102886

(8) Select user account "VPN_User" who selected step3 in the File Sharing window, and click
[Share].

(9) Click [Done].

- 82 -
NWD-102886

(10) Open the Server Manager window. Select [Tools]  [Computer Management].

(11) Select "Shared Folders",and Shared" in the Computer Management window.Shared folder list
appears.

- 83 -
NWD-102886

(12) Right-click PNMSj folder, select Properties at the popup menu.

(13) PNMSj Properties window appears.Select Share Permissions tab, click [Add].

- 84 -
NWD-102886

(14) Enter the "VPN_User", and click [OK].

(15) Select "VPN_User" in the PNMSj Properties window , check the "Allow" checkbox of all
permission. And click [OK].

- 85 -
NWD-102886

(16) Right-click the PNMSj+ install folder, and select Properties.

(17) PNMSj Properties window appear. Select Security tab, and [Edit...].

- 86 -
NWD-102886

(18) Select user account "VPN_User" who selected step3 in thePermissions for PNMSj window.
Check the Allow checkbox of "Modify" and "Write" at the Permissions for VPN_User. Click
[OK].

A-13-2 VPN Setting for PNMSj+ Client


<For Windows7>
(1) Select [Start]  [Control Panel]  [Network and Internet]  [Network and Sharing
Center]  [Set up a new connection or network].

- 87 -
NWD-102886

(2) Set Up a Connection or Network – Choose a connection option window appear. Select "Connect
to a workplace", and click [Next].

(3) Connection to a Workplace – How do you want to connect? window appear. Select "Use my
Internet connection (VPN)".

- 88 -
NWD-102886

(4) Connection to a Workplace – Do you want to set up an Internet connection before continuing?
window appear. Select "I’ll set up an Internet connection later".

(5) Enter the PNMSj+ Server IP Address at Internet address textbox, and click [Next].

- 89 -
NWD-102886

(6) Enter user account "VPN_User" who selected step3 and password. Click [Create].

(7) Select [Start]  [Control Panel]  [Network and Internet]  [Network and Sharing
Center]  [Connect to a network].

- 90 -
NWD-102886

(8) Right-click "VPN Connection", and select Properties.

(9) VPN Connection Properties window appear. Select Security tab.


Select "Point to Point Tunneling Protocol(PPTP)" at Type of VPN.
Select "Maximum strength encryption" at Data encryption.
And click [OK].

- 91 -
NWD-102886

(10) Connect VPN at the PNMSj+ Client. Select [Start]  [Control Panel]  [Network and
Internet]  [Network and Sharing Center]  [Connect to a network].

(11) Right-click VPN connection, and select Connect.

- 92 -
NWD-102886

(12) Connect VPN Connection winodw appear. Enter user account "VPN_User" who settting step18
and password. Click [Connect].

<Windows10>
(1) Select [Start]  [Control Panel]  [Network and Internet]  [Network and Sharing
Center]  [Set up a new connection or network].

- 93 -
NWD-102886

(2) Set Up a Connection or Network – Choose a connection option window appear. Select "Connect
to a workplace", and click [Next].

(3) Connection to a Workplace – How do you want to connect? window appear. Select " Use my
Internet connection (VPN) ".

- 94 -
NWD-102886

(4) Connection to a Workplace – Do you want to set up an Internet connection before continuing?
window appear. Select " I’ll set up an Internet connection later".

(5) Enter the PNMSj+ Server IP Address at Internet address textbox, and click [Next].

- 95 -
NWD-102886

(6) Select [Start]  [Control Panel]  [Network and Internet]  [Network Connections].
Right-click "VPN Connection" and select Properties.

(7) VPN Connection Properties window appear. Select Security tab.


Select "Point to Point Tunneling Protocol(PPTP)" at Type of VPN.
Select "Maximum strength encryption" at Data encryption.
And click [OK].

- 96 -
NWD-102886

(8) The next, it is to connect VPN on the PNMSj+ client. Right-click "VPN Connection" and select
Connect / Disconnect.

(9) Settings – VPN window appear. Select VPN Connection, and Click [Connect].

- 97 -
NWD-102886

(10) Windows Security window appear. Enter user account " VPN_User" who settting step18 and
password. Click [OK].

The status of VPN Connection becomes “Connected”.

- 98 -
NWD-102886

A-13-3 Confirm VPN connection between PNMSj+ Server and Client

(1) The ipconfig command is carried out on PNMSj+ and confirm "IP address" of "PPP adapter
RAS(Dial In) Interface".

(2) PNMSj+ Client is started.

Open the Internet Explorer and enter the IP address of the PNMSj+ Server (not a Client PNMSj+
address), adding the surffix Pnmsj/Pnmsj.html. Enter "PNMSj+ Server IP Addres" as "PPP
adapter RAS(Dial In) Interface IP Address" of "PNMSj+ Server" which was confirmed in "Step
1". Click [Application] shown to Internet Explorer.

- 99 -
NWD-102886

(3) Refer to 3. Launching PNMSj+ Client in Installation Manual for the procedure until Login of
PNMSj+ Client.

(4) After Login PNMSj+ Client, select [Tools] [History Data Explorer] at the PNMSj+ main
window.

(5) History Data Explorer window apear. Enter the following in "Set data directory ".
\\[PPP adapter RAS(Dial In) Interface IP Address of PNMSj+ Server confirmed in the
procedure of Step.1]PNMSj\
Click [test]. Confirm "Test OK" appear.

- 100 -
NWD-102886

A-14 Setting to Delete Default Contents


The default contents must delete.
To meet this security condition, delete the default contents.

NOTE
When PNMSj+ is in the UNMS server, skip the following
steps.

(1) Open C:\inetpub\wwwroot folder.


(2) Right-click all files in the folder and select [Delete] in the popup menu to delete default content
of IIS service.

- 101 -
NWD-102886

A-15 The measure setting of the Clickjacking aggressive


Web Application must have the mechanism (It is to prevent to being shown by Web Application
unapproved of the other in IF Frame.) to against the Clickjacking aggressive.
To satisfy this security condition, HTTP response head (the permit of Web Browser to indicate page inside
<frame> or <iframe> ) is set the nondisplay.

NOTE
When PNMSj+ is in the UNMS server, skip the following
steps.

(1) Select [Start]  [Administrative Tools]. Click the [Internet Infomation Services(IIS)
Manager].

- 102 -
NWD-102886

(2) Select site and double-click "HTTP Response Headers".

(3) Click Add in Actions.

- 103 -
NWD-102886

(4) Select "X-Frame-Options" in Name and specify "DENY" in Value, Click the [OK] button.

A-16 Setting to use the certificate of Web Application issued by the Certification Authority which is
recognized by the Client
The certificate of web application must be issued by the Certification authority which is recognized by the
client who is used by the user of this web application generally.
To satisfy this security condition, it introduces the certificate to the application by HTTP and check the
Indication certificate of the Browser in the security report.

NOTE
When starting up the PNMSj+ Client on HTTP, skip the
following steps.

Refer to PNMSj Installation Manual APPENDIX B: Launching PNMSj+ Client with HTTPS
protocol, introduce the certificate.

- 104 -
NWD-102886

A-17 Setting to Restrict Access of External Search for Filed and Contents
Web Application must restrict accessing to the files and the contents allowed to indicate by the search
function of the internal and the search engine made by the outside world.
To satisfy this security condition, the hidden file, the secret file and setting file and so on exclude in the
object of the search function which is made by the internal and the external.

(1) Create robots.txt file and write follow line.


user-agent:*
disallow: /

(2) Locate the robots.txt file in the PNMSj install folder.


Example) PNMSj install folder is C:/PNMSj.

- 105 -
NWD-102886

A-18 Web Browser Setting


TLS which has the function of the server authentication and the encryption function must use for the
session authorized by Web Application.
Also Web Server must have the setting which is able to use the latest version of TLS protocol.
To satisfy this security condition, set to use the latest version of TLS for the both of the Server and the
Client.

NOTE
It's to need the following environment to use TLS1.2.
More than .NET Framework 4.5

NOTE
When starting up the PNMSj+ Client on HTTP, skip the
following steps.

 For Internet Explorer


(1) Start the Internet Explorer.
(2) Select Tools  “Internet Options”.

- 106 -
NWD-102886

(3) Select Advanced tab in the Internet Options window. Check the checkbox "Use TLS1.2".
Click [OK] in the Internet Options window.

(4) Close the Internet Explorer.

- 107 -
NWD-102886

 For Firefox
(1) Start the Firefox.

(2) Enter “about:config” at the address bar, and click [Enter].

(3) The “This might void your warranty!” window appears. Click [I’ll be careful I
promise!].

- 108 -
NWD-102886

(4) Double-click the “Security.tls.version.max” line.

(5) The "Enter integer value" window appears. Enter “3” at the
security.tls.version.max. And click [OK].

(6) Close the Firefox.

- 109 -
NWD-102886

A-19 SSH Security Setting


Regarding the Security Setting related by SSH, refer to "RMON Collection Agent Operation Manual".

- 110 -