
Quick Installation Guide

CounterACT 6.3

For a Single CounterACT Appliance

Table of Contents

Welcome to CounterACT 6.3
Overview
1. Create a Deployment Plan
   Decide Where to Deploy the Appliance
   Learn About Appliance Interface Connections
2. Set Up your Switch
   Switch Connection Options
   Switch Setting Notes
3. Connect Network Cables and Power Up
   Unpack the Appliance and Connect Cables
   Power Up the Appliance
   Record the Interface Assignments
4. Configure the Appliance
5. Verify Connectivity
   Verify Switch / Appliance Connectivity
   Perform Ping Test
6. Set up the CounterACT Console
   Install the CounterACT Console
   Log In
   Perform Initial Setup
Contact Information

Welcome to CounterACT 6.3

ForeScout’s NAC (Network Access Control) solution lets customers gain complete control over network security without disrupting corporate and end-user productivity. CounterACT combines the cutting edge NAC and intrusion prevention technologies in a single Appliance. CounterACT performs complete endpoint inspection and access control of every network device and seamlessly integrates with any existing IT infrastructure.

This guide describes the installation for a single CounterACT Appliance. For more detailed information or information about deploying multiple Appliances for enterprise-wide network protection, refer to the CounterACT Installation Guide and Console User Manual. These documents are located on the CounterACT CD in the /docs directory. Additionally, you can navigate to the support website located at: http://www.forescout. for the latest documentation, knowledge base articles and updates for your Appliance.

Included in your CounterACT Package
• CounterACT Appliance
• Quick Installation Guide
• CounterACT CD with Console software, CounterACT Console User Manual and Installation Guide
• Warranty Document
• Mounting Brackets
• Power Cable
• DB9 Console Connecting Cable (For Serial Connections Only)

Overview

Perform the following to set up CounterACT:
1. Create a Deployment Plan
2. Set Up your Switch
3. Connect Network Cables and Power Up
4. Configure the Appliance
5. Verify Connectivity
6. Set up the CounterACT Console

1. Create a Deployment Plan

Before performing the installation, you should decide where to deploy the Appliance and learn about Appliance interface connections.

Decide Where to Deploy the Appliance

Selecting the right location is important for successful deployment. The Appliance should be deployed at a central location, where it sees all vital network traffic and has access to your network devices.

Notes
• It is recommended to monitor the authentication traffic between end users and authentication servers.
• In order to notify end users via their web browsers, the Appliance must monitor HTTP traffic between end users and the Internet/Intranet.

[Figure: Typical CounterACT Deployment. Diagram labels: Core Layer Switch; CounterACT Enterprise Manager (Manages up to 50 Appliances); Distribution Layer Switch; CounterACT Deployed at the Distribution Layer; Access Layer Switch (802.1X-based); Access Layer Switch (non-802.1X); VPN Concentrator; CounterACT Deployed at the VPN Concentrator; AD/LDAP/RADIUS Server(s); Remediation, Helpdesk, etc.]

Learn about Appliance Interface Connections

The Appliance is generally configured with three connections to the network switch.

Management Interface

This interface allows you to manage CounterACT and perform queries and deep inspection of endpoints. The interface must be connected to a switch port that has access to all network endpoints. Each Appliance requires a single management connection to the network. This connection requires an IP address on the local LAN and port 13000/TCP access from machines that will be running the CounterACT Console management application. The management interface must have access to the following on your network:

Port        Service            Comments
22/TCP      SSH                Allow Endpoints to access the Appliance command line interface (CLI)
25/TCP      SMTP               Allows the Appliance access to the enterprise mail relay
80/TCP      HTTP               Allows HTTP redirection
443/TCP     HTTPS              Allows HTTP redirection using SSL
13000/TCP   Appliance          Allows endpoints and the Enterprise Manager to access the Appliance
53/UDP      DNS                Allows Appliance access to resolve internal IP addresses
123/UDP     NTP                Allows Appliance access to a local time server or ntp.forescout.
161/UDP     SNMP               Allows Appliance access to communicate with network switches and routers
162/UDP     SNMP               Lets the Appliance receive SNMP traps from network switches and routers
10003/TCP   Secure Connector   Creates a Secure Connector tunnel between endpoints and the

Secure Connector allows access to unmanageable endpoints via a secure executable file that runs at the desktop while the host is connected to the network. Refer to the CounterACT Console User Manual for more information.
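The following is an added example, not part of the ForeScout guide: it checks a firewall rule list against the management-interface port table above, reporting listed ports that are blocked and how many unlisted ports are open. The rule syntax, the sample rules and all function names are hypothetical, and traffic direction and addresses are not modelled.

```python
# Ports this guide's table lists for the management interface.
REQUIRED = [
    (22, "tcp", "SSH"), (25, "tcp", "SMTP"), (80, "tcp", "HTTP"),
    (443, "tcp", "HTTPS"), (13000, "tcp", "Appliance"), (53, "udp", "DNS"),
    (123, "udp", "NTP"), (161, "udp", "SNMP"), (162, "udp", "SNMP"),
    (10003, "tcp", "Secure Connector"),
]

# Constructed rule list in a hypothetical "action proto port[-port]" syntax:
# first match wins, implicit deny at the end.
SAMPLE_ACL = """\
permit tcp 22
permit tcp 80-443    # broad range, opens ports the table does not list
deny   udp 161-162   # shadows the later permit that covers SNMP
permit udp 53
permit udp 123
permit udp 100-200
permit tcp 13000
"""

def parse_acl(text):
    """Return [(action, proto, low, high)]; raise ValueError on bad lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if (len(fields) != 3 or fields[0] not in ("permit", "deny")
                or fields[1] not in ("tcp", "udp")):
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        low, _, high = fields[2].partition("-")
        low, high = int(low), int(high or low)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"line {lineno}: bad port range {fields[2]!r}")
        rules.append((fields[0], fields[1], low, high))
    return rules

def verdict(rules, proto, port):
    """First matching rule decides; no match means deny."""
    for action, rule_proto, low, high in rules:
        if rule_proto == proto and low <= port <= high:
            return action
    return "deny"

def blocked_required(rules):
    """Ports from the guide's table that the rule list does not permit."""
    return [r for r in REQUIRED if verdict(rules, r[1], r[0]) != "permit"]

def excess_ports(rules, proto):
    """Number of permitted ports for proto that the table does not list."""
    needed = {port for port, p, _ in REQUIRED if p == proto}
    return sum(1 for port in range(1, 65536)
               if port not in needed and verdict(rules, proto, port) == "permit")

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print("blocked:", blocked_required(acl))
    print("excess tcp/udp:", excess_ports(acl, "tcp"), excess_ports(acl, "udp"))
```

With the constructed rules, SMTP and Secure Connector are blocked for lack of a rule, while SNMP is blocked by the earlier deny even though a later permit covers it.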

Monitor Interface

This connection allows the Appliance to monitor and track network traffic. Traffic is mirrored to a port on the switch and monitored by the Appliance. Depending on the number of VLANs being mirrored, the traffic may or may not be 802.1q VLAN tagged.
• Single VLAN (untagged): When monitored traffic is generated from a single VLAN, the mirrored traffic does not need to be VLAN tagged.
• Multiple VLANs (tagged): When monitored traffic is from more than one VLAN, the mirrored traffic must be 802.1q VLAN tagged.

When two switches are connected as a redundant pair, the Appliance must monitor traffic from both switches. No IP address is required on the monitor interface.

Response Interface

The Appliance responds to traffic using the interface. Response traffic is used to protect against malicious activity and carry out NAC policy actions. These actions may include, for example, redirecting Web browsers or performing firewall blocking. The related switch port configuration depends on the traffic being monitored.
• Single VLAN (untagged): When monitored traffic is generated from a single VLAN, the response interface must belong to the same VLAN. In this case, the Appliance requires a single IP address on that VLAN.
• Multiple VLANs (tagged): If monitored traffic is from more than one VLAN, the response interface must also be configured with 802.1q tagging for the same VLANs. The Appliance requires an IP address for each protected VLAN.

2. Set Up your Switch

A. Switch Connection Options

The Appliance was designed to seamlessly integrate into a wide variety of network environments. To successfully integrate the Appliance into your network, verify that your switch is set up to monitor the required traffic. Several options are available for connecting the Appliance to your switch.

1. Standard Deployment (Separate Management, Monitoring and Response Interface)
The recommended deployment uses three separate ports. These ports are described in Learn about Appliance Interface Connections.

2. Passive Inline Tap
Instead of connecting to the switch monitoring port, the Appliance can use an inline tap. A passive tap requires two monitor ports, except in the case of “recombination” taps, which will combine the two duplex streams into a single port. The traffic on the tapped port and response interface must be on matching VLANs. For example, if the traffic on the tapped port is VLAN tagged (802.1q), then the response interface must also be a VLAN tagged port. In summary, the response interface must be configured the same way as the monitored port.

3. Active (Injection-Capable) Inline Tap
The Appliance can use an inline tap. If the tap is injection capable, then the Appliance will combine the monitor and response interface so there is no need to configure a separate response port on the switch. This option can be used for any type of upstream or downstream switch configuration.

4. IP Layer Response (for Layer-3-only Core Switch Installations)
The Appliance can use its own management interface to respond to traffic. Although this option can be used with any monitored traffic, it is recommended when the Appliance monitors ports that are not part of any VLAN, and thus the Appliance cannot respond to monitored traffic using any other switch port. This is typical when monitoring a link connecting two routers. This option cannot respond to ARP requests, which limits the ability of the Appliance to detect scans aimed at the IP addresses included in the monitored subnet. This limitation does not apply when traffic between two routers is being monitored.

B. Switch Setting Notes

VLAN (802.1q) Tags
• Monitoring a Single VLAN (untagged traffic): If the monitored traffic is from a single VLAN, then traffic does not need 802.1q tags.
• Monitoring Multiple VLANs (tagged traffic): If the monitored traffic is from two or more VLANs, then both the monitor and response interfaces must have 802.1q tagging enabled. Monitoring multiple VLANs is the recommended option as it provides the best overall coverage while minimizing the number of mirroring ports.
• If the switch cannot VLAN tag the mirroring ports, then either:
  -- mirror only a single VLAN
  -- mirror a single, untagged uplink port
  -- use the IP Layer response option
• If the switch can only mirror one port, then mirror a single uplink port. This may be tagged. In general, if the switch strips the VLAN tags, you will need to use the IP Layer response option.

Additional
• If the switch cannot mirror both transmit and receive traffic, then either monitor the entire switch or complete VLANs (this provides transmit/receive), or monitor just one interface (which does allow transmit/receive). Verify that you do not overload the mirroring port.
• Some switches (e.g. Cisco 6509) may need old port configurations completely cleared out before entering new configurations. The most common result from not clearing out old port information is that the switch strips 802.1q tags.

3. Connect Network Cables and Power Up

A. Unpack the Appliance and Connect Cables
1. Remove the following items from the shipping container: Appliance, Power Cable
2. Refer to the following link for information regarding rack mounting: http://www.forescout.com/support/files/docs/SR1400-FamilyFixedRailKit.pdf
3. Connect the network cables between the network interfaces on the Appliance rear panel and the switch ports.

[Figure: Back Panel Sample - CT-1000 (Copper) Rear Panel. SAMPLE ONLY]

B. Power Up the Appliance
1. Connect the power cable to the power connector on the Appliance rear panel.
2. Connect the other end of the power cable to a grounded AC outlet.
3. Connect the keyboard and monitor to the Appliance, or set up the Appliance for serial connection. Refer to the CounterACT Installation Guide located on the CounterACT CD.
4. Power up the Appliance from the front panel.

C. Record the Interface Assignments

After completing the Appliance installation at the data center and installing the CounterACT Console, you will be prompted to register interface assignments. These assignments, referred to as Channel definitions, are entered in the Initial Setup Wizard that opens when you first log on to the Console. Record the physical interface assignments below and use them when completing the Channel setup at the Console.

Eth Interface   Interface Assignment (e.g. Management, Monitor, Response)
Eth0
Eth1
Eth2
Eth3
Eth4
Eth5
Eth6
Eth7
Eth8

4. Configure the Appliance

Prepare the following information before you configure the Appliance:
• Appliance Host Name
• CounterACT Admin Password
• Management Interface
• Appliance IP Address
• Network Mask
• Default Gateway IP Address
• DNS Domain Name
• DNS Server Addresses

Log on to the Appliance as root, and log on to the Console as admin.

After power on, you will be prompted to start configuration with the following message:

    CounterACT Appliance boot is complete.
    Press <Enter> to continue.

1. Press <Enter> to display the following menu:

    1) Configure CounterACT 6.3.0
    2) Restore saved CounterACT 6.3.0 configuration
    3) Identify network interfaces
    4) Configure keyboard layout
    5) High Availability Setup
    6) Enable FIPS
    7) Turn machine off
    Choice (1-7): 6

   The FIPS option lets you configure CounterACT to meet updated FIPS 140-2 (Federal Information Processing Standard) requirements. This option is only recommended for CounterACT deployments in the US Federal government, where FIPS is required.
2. Select 1 – Configure 6.3.0. At the prompt Continue: (yes/no)? press <Enter> to initiate the setup.
3. The CounterACT Component selection prompt appears. At the prompt Choice: select 1 to set up the Appliance.
4. At the prompt Host name: Enter a name. This name can be used when logging on to the Console. In addition, it appears at the Console to help you identify the CounterACT Appliance.
5. At the prompt Description: Enter a unique description for this Appliance. This information appears when initially setting up the Appliance. In addition, it appears at the Console to help you identify this Appliance.

6. At the prompt CounterACT Appliance Administrator Password: Enter a password to use when logging on to the Appliance and to the Console. The password must be between 6 and 15 characters long and should contain at least one non-alphabetic character. Log on to the Appliance as root, and log on to the Console as admin.
7. You are prompted to enter network parameters. After each parameter is defined, press <ENTER> to continue.

    >>>>>> Network Settings <<<<<<
    Management Interface (one of:eth0, eth1)
    Appliance IP Address:
    Network mask [255.255.255.0]:
    Default gateway :
    DNS domain name:
    DNS server addresses:

   The management interface is the interface through which CounterACT components communicate.
   The DNS server should resolve internal IP addresses. Almost all DNS queries carried out by the Appliance will be for internal addresses, so the internal servers should be listed first. While most internal DNS servers may resolve external addresses as well, some may not. As such, it may be necessary to include an externally-resolving DNS server at the end of the list. Additional servers can be entered in the same line, separated by a space.
9. Perform general connectivity tests, reconfigure settings or complete the setup.

License

After the installation is complete, an evaluation license is set for 30 days. You must install a permanent license before this period expires. You will be contacted via e-mail regarding the expiration date. See the CounterACT Console User’s Manual located on the CounterACT CD in the /docs folder for information about installing the license.

0% 0. • Both the monitor and response interface should see the expected VLANs.0% 0.0% eth3.2 3Mbps 0. Verify Connectivity Verify Switch/Appliance Connectivity Verify that the switch is properly connected to the Appliance before leaving the data center. The mode can be changed from the display.5.1% eth3.20 1Kbps 100.0% 0. • The response interface should primarily see broadcast traffic. The total bits per second and the percentage of each of the following traffic categories is shown: • The monitoring interface should primarily see mirrored traffic .2% eth3.0% [q]uit 14 . run the fstool ifcount command at the Appliance for each interface detected.0% 0. It works in two modes: per interface or per VLAN.display in VLAN mode I .0% 0.) This tool continuously displays network traffic on the specified previous N .8% 100.1 9Mbps 0.above 90%.display in interface mode P .0% [n]ext-> To my MAC From my MAC 0.0% 99.0% 0.quit displaying VLAN Mode: update=[4] [eth3:: 14 vlans] Interface/VLAN Total Broadcast eth3. [root@CounterACT root]# fstool ifcount eth0 eht1 eth2 (Separate each interface by a space.0% 0.9% 0.0% Show [v}lans [i]nterfaces <-[p]rev Mirrored next q . Command Options: v .4 542bps 100.0% 0.0% 0.0% 0.0% eth3.untagged 4Mbps 0. To do this.

[Sample display, Interface Mode: update=[31]. Columns: Interface, Total, Broadcast, Mirrored, *To my MAC, *From my MAC. Rows: eth0 [eth0:32 vlans] (5Kbps), eth1 [eth1: 1 vlans] (475bps)]

• To my MAC - Destination MAC is the Appliance’s MAC
• From my MAC - Traffic sent by this Appliance (Source MAC is the Appliance’s MAC. Destination can be broadcast or unicast).

If you do not see any traffic, verify that the interface is up. Use the following command at the Appliance:

    [root@CounterACT root]# ifconfig [interface name] up

Perform Ping Test

Run Ping from the Appliance to a network desktop to verify connectivity.
1. Log in to the Appliance
2. Run the following command:

    ping [network desktop IP]

By default, the Appliance itself does not reply to ping.
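The following is an added example, not part of the ForeScout guide: it applies the fstool ifcount criteria from Verify Switch/Appliance Connectivity (mirrored traffic above 90% on the monitor interface, mostly broadcast on the response interface, expected VLANs visible, no silent interfaces) to a captured VLAN-mode display. The sample text is constructed using only the column order the guide names, the exact on-screen layout is an assumption, and the 50% reading of "primarily broadcast" is also an assumption.

```python
import re

# Constructed sample, laid out in the column order this guide names for VLAN
# mode: Interface/VLAN, Total, Broadcast, Mirrored, To my MAC, From my MAC.
SAMPLE = """\
Interface/VLAN  Total   Broadcast  Mirrored  To my MAC  From my MAC
eth1.untagged   4Mbps   0.2%       99.8%     0.0%       0.0%
eth1.10         9Mbps   0.1%       99.9%     0.0%       0.0%
eth1.20         3Mbps   70.0%      30.0%     0.0%       0.0%
eth2.10         1Kbps   100.0%     0.0%      0.0%       0.0%
eth2.20         542bps  100.0%     0.0%      0.0%       0.0%
"""

UNITS = {"bps": 1, "Kbps": 1e3, "Mbps": 1e6, "Gbps": 1e9}
ROW = re.compile(r"^(\w+)\.(\w+)\s+([\d.]+)([KMG]?bps)((?:\s+[\d.]+%){4})$")


def parse(text):
    """Return {interface: {vlan: (bits_per_sec, broadcast_pct, mirrored_pct)}}."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, prompt or navigation line
        iface, vlan, num, unit, pcts = m.groups()
        bcast, mirrored = (float(p.rstrip("%")) for p in pcts.split()[:2])
        stats.setdefault(iface, {})[vlan] = (float(num) * UNITS[unit], bcast, mirrored)
    return stats


def weighted_pct(rows, col):
    """Traffic-weighted percentage for one interface (col 1=broadcast, 2=mirrored)."""
    total = sum(r[0] for r in rows.values())
    return sum(r[0] * r[col] for r in rows.values()) / total if total else 0.0


def check(stats, roles, expected_vlans):
    """Apply the guide's criteria; return a list of (interface, issue) tuples."""
    findings = []
    for iface, role in roles.items():
        rows = stats.get(iface, {})
        if not any(r[0] for r in rows.values()):
            findings.append((iface, "no-traffic"))  # guide: verify the interface is up
            continue
        if set(expected_vlans) - set(rows):
            findings.append((iface, "vlan-missing"))
        # Guide: the monitoring interface should see mirrored traffic above 90%.
        if role == "monitor" and weighted_pct(rows, 2) <= 90.0:
            findings.append((iface, "mirrored-low"))
        # "Primarily broadcast" is taken here to mean more than 50% (assumption).
        if role == "response" and weighted_pct(rows, 1) <= 50.0:
            findings.append((iface, "broadcast-low"))
    return findings


if __name__ == "__main__":
    roles = {"eth1": "monitor", "eth2": "response", "eth3": "monitor"}
    for iface, issue in check(parse(SAMPLE), roles, {"10", "20", "30"}):
        print(iface, issue)
```

The roles mapping is what you recorded under Record the Interface Assignments; a "mirrored-low" result on a monitor port usually means the mirror session is not carrying the traffic you intended.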

6. Set Up the CounterACT Console

Install the CounterACT Console

The CounterACT Console is the central management application used to view, manage and analyze the activity detected by the Appliance. NAC, IPS, Firewall and other policies can be defined from the Console. Refer to the CounterACT Console User Manual for more information.

Minimum requirements are:
• Non-dedicated PC, running Windows NT/2000/2003/XP/Vista or Linux
• 512MB RAM for up to 10,000 devices
• 1Gig RAM for more than 10,000 devices
• Disk space - 100 MB
• CD ROM drive

Two methods are available for performing the Console installation:

Use the installation software built into your Appliance
1. Open a browser window from the Console computer.
2. Type the following into the browser address line (where the IP address is the address of this Appliance): http://10.0.0.95/install
   The browser displays the Console installation window.
3. Follow the on-screen instructions.

Install from CounterACT CD-ROM
1. Insert the CounterACT CD ROM into the CD ROM drive.
2. Open the ManagementSetup.htm file from the CD ROM with a browser.
3. Follow the on-screen instructions.

Log In

After completing the installation, you can log in to the CounterACT Console.
1. Select the CounterACT icon from the shortcut location you created.
2. In the Address field, enter the IP address or host name of the Appliance.
3. In the User Name field, enter admin.
4. In the Password field, enter the password you created during Appliance installation.
5. Select Login to open Console.

Perform Initial Setup

After logging in for the first time, the Initial Setup Wizard appears. The Wizard guides you through essential configuration steps to ensure that CounterACT is up-and-running quickly and efficiently.

Before You Begin

Prepare the following information before working with the Wizard:
• NTP server address used by your organization (optional).
• Internal mail relay IP address – to allow delivery of e-mail alerts if SMTP traffic is not allowed from the Appliance (optional).
• CounterACT administrator’s e-mail address.
• Monitor and response interfaces.
• For segments/VLANs with no DHCP, the network segment/VLANs to which the response interface is directly connected and a permanent IP address to be used by the Appliance at each such VLAN.
• IP address range this Appliance will monitor (all the internal addresses, including unused addresses).
• LDAP user account information and the LDAP server IP address.
• Domain credentials, including domain administrative account name and password.
• Authentication servers so the Appliance can analyze which network hosts have successfully authenticated.
• Switch IP Address, vendor and SNMP Parameters

Refer to the CounterACT Console User Manual or Console Online Help for information about working with the Wizard.

Contact Information

For ForeScout technical support send email to support@forescout. or call (630) 268-5591

©2008 ForeScout Technologies, Inc. Products protected by US Patent #6.363. March 2002. All rights reserved. ForeScout Technologies, the ForeScout logo are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners.

Illustration courtesy of Intel Corporation. ©2005 Intel Corporation.

CT6.3-QIG