Sunday, 11 May 2014

Off-Box AV Scanning in CDOT 8.2.1 with McAfee - Quick Install Guide: Part 3

Carrying on from this post...

Lab Setup

Systems:

VSCAN1 & VSCAN2: Win. 2008R2 SP1 servers, with McAfee VSE 8.8, McAfee VSEfS 1.1.0, ONTAP AV Connector 1.0

NACLU1: Clustered Data ONTAP 8.2.1 Cluster
NASVM1: Storage Virtual Machine

IP Addressing:

VSCAN1 on 10.10.10.21
VSCAN2 on 10.10.10.22

User Account for VSCAN:

Just one domain user account, which is an administrative user on both VSCAN servers.

LAB\vscan

Setting Up AV Scanning with User LAB\vscan

In this example, the domain user account LAB\vscan is used for:

1) Logging on to VSCAN1 & VSCAN2 to Install VSCAN Components (the domain account is added to the local administrators group on these servers)
2) ONTAP AV Connector Web Service Credentials
3) Connection to Cluster Management LIF
4) McAfee Network Appliance Filer AV Scanner Administrator Account

1) Logging on to VSCAN1 & VSCAN2 to Install VSCAN Components

Log on using the Anti-Virus administrator user account (in this case LAB\vscan).

Check out this post on installing the VSCAN components:

2) ONTAP AV Connector Web Service Credentials

Image 1: Entering the LAB\vscan account in ONTAP AV Connector Web Service Credentials

Note: If you get “Access is denied” when entering an account in “ONTAP AV Connector Web Service Credentials”, there are two ways to clear it. The least invasive is to grant the account the “Log on as a service” user right, for example via GPO: Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a service, then reboot. Turning off UAC (User Account Control) and rebooting also clears the error, but it weakens the whole scan server, so prefer the user-right assignment where it works.

Image 2: ONTAP AV Connector ‘Access is denied’

Image 3: McAfee VSEfS and ONTAP AV Connector services

3) Connection to Cluster Management LIF

We already have a CIFS server setup on the domain (lab.priv) for our Vserver NASVM1. In the following example, our Vserver NASVM1 only has data LIFs (we’ve not configured a management LIF in NASVM1). We don’t want to configure a management LIF in NASVM1; we simply want to use the Cluster Management LIF.

Establish a domain-tunnel, so we can login with Active Directory accounts to the Cluster:

NACLU1::> domain-tunnel create -vserver NASVM1

Create a login for the vscan domain user account (LAB\vscan):

NACLU1::> security login create -username LAB\vscan -application ontapi -authmethod domain -role readonly -vserver NACLU1

Click on: Start > All Programs > NetApp > ONTAP AV Connector > Configure ONTAP Management LIFs

Image 4: Configure ONTAP Management LIFs

Enter a DNS name or IP Address for the Cluster Management LIF (NACLU1).
Enter the VSCAN domain user account (LAB\vscan) and its password.

Image 5: Entering connection information CDOT AV Connector

Click Test
And if all is good you should get “ONTAP to ... using account ... was successful” - click OK.

Image 6: ONTAPI to Cluster was successful

Click Update
Click Save
Click Quit

Image 7: ONTAP AV Connector account configured for connecting anti-virus products to Clustered Data ONTAP

4) McAfee Network Appliance Filer AV Scanner Administrator Account

IMPORTANT: Check out the following post sections 3 and 4, for configuring NetApp filers scan settings and ICAP settings - Off-box Anti-Virus Scanning in Clustered Data ONTAP 8.2.1 with McAfee - Quick Install Guide

In the VirusScan Console, open Network Appliance Filer AV Scanner and, on the Network Appliance Filers tab, add our VSCAN domain user account under ‘Administrator Account’.

IMPORTANT: Also notice in the image below that the loopback IP 127.0.0.1 has been added under ‘This server is processing scan requests for these filers’. The ONTAP AV Connector runs on the same host as VSEfS and hands scan requests to it locally, so VSEfS has to accept requests from the loopback address; the cluster LIF addresses are not what VSEfS sees as the filer.

Image 8: Network Appliance Filer AV Scanner settings

Configuring Anti-Virus Scanning in Clustered ONTAP 8.2.1

Create a scanner pool using the VSCAN servers' IP addresses and the VSCAN domain user account. The scanner pool is the SVM's trust boundary for AV: only the listed servers may connect as Vscan servers, and the privileged user is the identity the scanner uses to read files for scanning, with access that is not subject to file permissions. Keep both lists to the scanner hosts and the dedicated scanner account:

NACLU1::> vserver vscan scanner-pool create -vserver NASVM1 -scanner-pool POOL1 -servers 10.10.10.21,10.10.10.22 -privileged-users LAB\vscan

NACLU1::> vserver vscan scanner-pool show
          Scanner    Pool                 Privileged   Scanner
Vserver   Pool       Owner   Servers      Users        Policy
--------  ---------- ------- ------------ ------------ -------
NASVM1    POOL1      vserver 10.10.10.21, LAB\vscan    idle
                             10.10.10.22

NACLU1::> vserver vscan scanner-pool show -instance
                             Vserver: NASVM1
                        Scanner Pool: POOL1
                      Applied Policy: idle
                      Current Status: off
           Scanner Pool Config Owner: vserver
List of IPs of Allowed Vscan Servers: 10.10.10.21, 10.10.10.22
            List of Privileged Users: LAB\vscan

Configure the pool as a primary pool:

NACLU1::> vserver vscan scanner-pool apply-policy -vserver NASVM1 -scanner-pool POOL1 -scanner-policy primary

NACLU1::> vserver vscan scanner-pool apply-policy -vserver NASVM1 -scanner-pool POOL1 -scanner-policy ?
  primary     Always active
  secondary   Active if no primary Vscanner is connected
  idle        Never active

Enable Anti-Virus Scanning on the storage virtual machine:

NACLU1::> vserver vscan enable -vserver NASVM1

NACLU1::> vserver vscan connection-status show
                      Connected Connected
Vserver   Node     Server-Count Servers
--------- -------- ------------ ------------------------
NASVM1    NACLU1N1            2 10.10.10.21, 10.10.10.22

Advanced Configuration

Not going into much detail here...

Advanced configuration includes configuring on-access-policy, modifying cifs share vscan-fileop-profile attributes, and more...

NACLU1::> vserver vscan on-access-policy show
          Policy    Policy                            File-Ext   Policy
Vserver   Name      Owner   Protocol Paths Excluded   Excluded   Status
--------- --------- ------- -------- ---------------- ---------- ------
NACLU1    default_  cluster CIFS     -                -          off
          CIFS
NASVM1    default_  cluster CIFS     -                -          on
          CIFS

NACLU1::> cifs share modify -vscan-fileop-profile ?
no-scan     - Virus scans are never triggered for accesses to this share.
standard    - Virus scans can be triggered by open, close, and rename operations.
strict      - Virus scans can be triggered by open, read, close, and rename operations.
writes-only - Virus scans can be triggered only when a file that has been modified is closed.

NASVM1::> vserver cifs share show -field vscan-fileop-profile
vserver share-name vscan-fileop-profile
------- ---------- --------------------
NASVM1  admin$     standard
NASVM1  c$         standard
NASVM1  ipc$       standard
NASVM1  prdvol1    standard
NASVM1  prdvol2    standard
NASVM1  prdvol3    standard
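The scanner-pool, connection-status and share-profile listings above are the three things to re-check after the setup, because a scanner that silently drops off the pool or a share quietly set to no-scan leaves data unscanned without any error on the client side. The following Python script is an added example and is not code from the original post or from NetApp or McAfee: it parses constructed copies of the `vserver vscan scanner-pool show -instance`, `vserver vscan connection-status show` and `vserver cifs share show -fields vscan-fileop-profile` output, modelled on the listings in this post, and reports findings. The expected scanner account, the expected server list and the sample text are assumptions; in practice you would paste in the real output of those commands.

```python
"""Audit a cDOT Vscan setup from saved CLI output.

Added example, not from the original post. It checks that the scanner pool is
primary and on, that nothing unexpected is in the privileged-users or server
lists, that every allowed scanner is actually connected on each node, and that
no CIFS share has a profile that skips scanning.
"""
import re

EXPECTED_PRIVILEGED_USERS = {r"LAB\vscan"}          # assumption: the only scanner identity
EXPECTED_SERVERS = {"10.10.10.21", "10.10.10.22"}   # assumption: VSCAN1 and VSCAN2

# Constructed sample output, modelled on the listings in the post. One scanner is
# deliberately missing from the connection status and two shares have weakened
# profiles so that the audit has something to report.
POOL_INSTANCE = """\
                             Vserver: NASVM1
                        Scanner Pool: POOL1
                      Applied Policy: primary
                      Current Status: on
           Scanner Pool Config Owner: vserver
List of IPs of Allowed Vscan Servers: 10.10.10.21, 10.10.10.22
            List of Privileged Users: LAB\\vscan
"""

CONNECTION_STATUS = """\
                      Connected Connected
Vserver   Node     Server-Count Servers
--------- -------- ------------ ------------------------
NASVM1    NACLU1N1            1 10.10.10.21
"""

SHARE_PROFILES = """\
vserver share-name vscan-fileop-profile
------- ---------- --------------------
NASVM1  admin$     standard
NASVM1  c$         standard
NASVM1  ipc$       standard
NASVM1  prdvol1    standard
NASVM1  prdvol2    no-scan
NASVM1  prdvol3    writes-only
"""


def parse_instance(text):
    """Parse 'show -instance' output (one 'Label: value' per line) into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = line.split(":", 1)
        fields[label.strip()] = value.strip()
    return fields


def parse_table(text):
    """Parse a dashed-header ONTAP table into rows of whitespace-split cells.

    Everything above the '---' separator is header and is skipped. A column that
    holds a comma-separated list is split across cells and must be rejoined by
    the caller.
    """
    lines = text.splitlines()
    sep = next(i for i, l in enumerate(lines)
               if "-" in l and set(l.strip()) <= {"-", " "})
    return [line.split() for line in lines[sep + 1:] if line.strip()]


def split_list(value):
    """Split an ONTAP comma-separated list field into a set of items."""
    return {v.strip() for v in value.split(",") if v.strip()}


def audit(pool_text, conn_text, share_text):
    """Return a list of findings; an empty list means the setup looks healthy."""
    findings = []
    pool = parse_instance(pool_text)
    name = pool.get("Scanner Pool")

    if pool.get("Applied Policy") != "primary":
        findings.append(f"pool {name} policy is {pool.get('Applied Policy')!r}, not primary")
    if pool.get("Current Status") != "on":
        findings.append(f"pool {name} status is {pool.get('Current Status')!r}, not on")

    allowed = split_list(pool.get("List of IPs of Allowed Vscan Servers", ""))
    privileged = split_list(pool.get("List of Privileged Users", ""))
    # The privileged user reads files regardless of permissions, so any identity
    # beyond the dedicated scanner account is a finding, as is any extra server.
    for user in sorted(privileged - EXPECTED_PRIVILEGED_USERS):
        findings.append(f"unexpected privileged user {user} in pool {name}")
    for ip in sorted(allowed - EXPECTED_SERVERS):
        findings.append(f"unexpected scanner server {ip} allowed in pool {name}")

    for row in parse_table(conn_text):
        node, count = row[1], int(row[2])
        connected = split_list(" ".join(row[3:]))
        if count != len(connected):
            findings.append(f"{node}: server count {count} disagrees with {sorted(connected)}")
        for ip in sorted(allowed - connected):
            findings.append(f"{node}: allowed scanner {ip} is not connected")

    for vserver, share, profile in parse_table(share_text):
        if profile == "no-scan":
            findings.append(f"share {share} on {vserver} is never scanned (no-scan)")
        elif profile == "writes-only":
            findings.append(f"share {share} on {vserver} is scanned only on modified-file close (writes-only)")
    return findings


if __name__ == "__main__":
    for finding in audit(POOL_INSTANCE, CONNECTION_STATUS, SHARE_PROFILES):
        print("FINDING:", finding)
```

Run against the constructed samples it reports one scanner not connected on NACLU1N1 and the two shares with weakened profiles; against the healthy output shown earlier in this post it reports nothing. The `no-scan` and `writes-only` profiles are legitimate choices for some shares, so treat those findings as review items rather than errors.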

3 comments:

  1. When creating the login for the scan user account ( security login create -username LAB\vscan -application ontapi -authmethod domain -role readonly -vserver NACLU1 ) I get an error - Error: command failed: failed to set field "role" to "readonly"

    Why can I not use the readonly role? What is the cause?

    1. Sorry Paul, I don't have the answer. Does that account you're using have permission? What's the version of ONTAP?

    2. You should use your cluster mgmt lif which will then see all of the SVM. Then setup that user without defining a vserver.

      If you try and define a vserver you can't apply a role, it'll force it as vsadmin
