Carrying on from this post...

Lab Setup

Systems:
- VSCAN1 & VSCAN2: Windows 2008 R2 SP1 servers, with McAfee VSE 8.8, McAfee VSEfS 1.1.0, ONTAP AV Connector 1.0
- NACLU1: Clustered Data ONTAP 8.2.1 Cluster
- NASVM1: Storage Virtual Machine

IP Addressing:
- VSCAN1 on 10.10.10.21
- VSCAN2 on 10.10.10.22

User Account for VSCAN:
Just one domain user account, LAB\vscan, which is an administrative user on both VSCAN servers.
Setting Up AV Scanning with User LAB\vscan

In this example, the domain user account LAB\vscan is used for:
1) Logging on to VSCAN1 & VSCAN2 to install VSCAN components (the domain account is added to the local administrators group on these servers)
2) ONTAP AV Connector Web Service Credentials
3) Connection to Cluster Management LIF
4) McAfee Network Appliance Filer AV Scanner Administrator Account
1) Logging on to VSCAN1 & VSCAN2 to Install VSCAN Components

Log on using the Anti-Virus administrator user account (in this case LAB\vscan).
Check out this post on installing the VSCAN components:
2) ONTAP AV Connector Web Service Credentials

Image 1: Entering the LAB\vscan account in ONTAP AV Connector Web Service Credentials

Note: If you’re getting “Access is denied” when entering an account in “ONTAP AV Connector Web Service Credentials”, turn off UAC (User Account Control) and reboot the system. Additionally, you can grant the account the “Log on as a service” right via GPO: Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a service

Image 2: ONTAP AV Connector ‘Access is denied’

Image 3: McAfee VSEfS and ONTAP AV Connector services
3) Connection to Cluster Management LIF

We already have a CIFS server set up on the domain (lab.priv) for our Vserver NASVM1. In the following example, our Vserver NASVM1 only has data LIFs (we’ve not configured a management LIF in NASVM1). We don’t want to configure a management LIF in NASVM1; we simply want to use the Cluster Management LIF.

Establish a domain tunnel, so we can log in to the Cluster with Active Directory accounts:

NACLU1::> domain-tunnel create -vserver NASVM1

Create a login for the vscan domain user account (LAB\vscan):

NACLU1::> security login create -username LAB\vscan -application ontapi -authmethod domain -role readonly -vserver NACLU1

Click on: Start > All Programs > NetApp > ONTAP AV Connector > Configure ONTAP Management LIFs

Image 4: Configure ONTAP Management LIFs

Enter a DNS name or IP Address for the Cluster Management LIF (NACLU1).
Enter the VSCAN domain user account (LAB\vscan) and its password.

Image 5: Entering connection information CDOT AV Connector

Click Test. If all is good you should get “ONTAP to ... using account ... was successful” - click OK.

Image 6: ONTAPI to Cluster was successful

Click Update
Click Save
Click Quit

Image 7: ONTAP AV Communicator account configured for connecting anti-virus products to Clustered Data ONTAP
4) McAfee Network Appliance Filer AV Scanner Administrator Account

IMPORTANT: Check out sections 3 and 4 of the following post for configuring NetApp filer scan settings and ICAP settings - Off-box Anti-Virus Scanning in Clustered Data ONTAP 8.2.1 with McAfee - Quick Install Guide

In the VirusScan Console: Network Appliance Filer AV Scanner, Network Appliance Filers tab, under ‘Administrator Account’ we add our VSCAN domain user account.

IMPORTANT: Also notice in the image below that the loopback IP 127.0.0.1 has been added under ‘This server is processing scan requests for these filers’.

Image 8: Network Appliance Filer AV Scanner settings

Configuring Anti-Virus Scanning in Clustered ONTAP 8.2.1
Create a scanner pool using the VSCAN servers’ IP addresses and the VSCAN domain user account:

NACLU1::> vserver vscan scanner-pool create -vserver NASVM1 -scanner-pool POOL1 -servers 10.10.10.21,10.10.10.22 -privileged-users LAB\vscan

NACLU1::> vserver vscan scanner-pool show
                                  Scanner Pool               Privileged     Scanner
Vserver   Pool        Owner       Servers                    Users          Policy
--------  ----------  -------     ------------               ------------   -------
NASVM1    POOL1       vserver     10.10.10.21, 10.10.10.22   LAB\vscan      idle

NACLU1::> vserver vscan scanner-pool show -instance

                             Vserver: NASVM1
                        Scanner Pool: POOL1
                      Applied Policy: idle
                      Current Status: off
           Scanner Pool Config Owner: vserver
List of IPs of Allowed Vscan Servers: 10.10.10.21, 10.10.10.22
            List of Privileged Users: LAB\vscan
Configure the pool as a primary pool:

NACLU1::> vserver vscan scanner-pool apply-policy -vserver NASVM1 -scanner-pool POOL1 -scanner-policy primary

NACLU1::> vserver vscan scanner-pool apply-policy -vserver NASVM1 -scanner-pool POOL1 -scanner-policy ?
  primary    Always active
  secondary  Active if no primary Vscanner is connected
  idle       Never active

Enable Anti-Virus Scanning on the storage virtual machine:

NACLU1::> vserver vscan enable -vserver NASVM1

NACLU1::> vserver vscan connection-status show
                      Connected     Connected
Vserver   Node        Server-Count  Servers
--------- --------    ------------  ------------------------
NASVM1    NACLU1N1    2             10.10.10.21, 10.10.10.22
Advanced Configuration

Not going into much detail here... Advanced configuration includes configuring on-access-policy, modifying cifs share vscan-fileop-profile attributes, and more...

NACLU1::> vserver vscan on-access-policy show
                    Policy    Policy                       File-Ext    Policy
Vserver   Name      Owner     Protocol  Paths Excluded     Excluded    Status
--------- --------- -------   --------  ----------------   ----------  ------
NACLU1    default_  cluster   CIFS      -                  -           off
          CIFS
NASVM1    default_  cluster   CIFS      -                  -           on
          CIFS
NACLU1::> cifs share modify -vscan-fileop-profile ?
  no-scan      - Virus scans are never triggered for accesses to this share.
  standard     - Virus scans can be triggered by open, close, and rename operations.
  strict       - Virus scans can be triggered by open, read, close, and rename operations.
  writes-only  - Virus scans can be triggered only when a file that has been modified is closed.

NASVM1::> vserver cifs share show -field vscan-fileop-profile
vserver  share-name  vscan-fileop-profile
-------  ----------  --------------------
NASVM1   admin$      standard
NASVM1   c$          standard
NASVM1   ipc$        standard
NASVM1   prdvol1     standard
NASVM1   prdvol2     standard
NASVM1   prdvol3     standard
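An added example, not from the original post: a small Python audit over the two CLI outputs shown above (scanner-pool show -instance, and cifs share show -field vscan-fileop-profile). It flags a pool whose policy is not primary or whose status is not on, any drift in the allowed scanner IPs or privileged users (privileged-user file access is exempt from scanning, so that list should stay exactly the scanner accounts), and shares whose profile gives less coverage than standard. The sample outputs are constructed copies, with prdvol2 and prdvol3 changed to weaker profiles so the check has something to report.

```python
# Added example (not from the post): audit cDOT vscan settings from CLI output.
# Both inputs below are constructed copies of the "show" formats seen above.
SCANNER_POOL_INSTANCE = """\
                             Vserver: NASVM1
                        Scanner Pool: POOL1
                      Applied Policy: idle
                      Current Status: off
List of IPs of Allowed Vscan Servers: 10.10.10.21, 10.10.10.22
            List of Privileged Users: LAB\\vscan
"""
# Constructed: prdvol2 and prdvol3 deliberately use weaker profiles than the post shows.
SHARE_PROFILES = """\
vserver  share-name  vscan-fileop-profile
-------  ----------  --------------------
NASVM1   prdvol1     standard
NASVM1   prdvol2     no-scan
NASVM1   prdvol3     writes-only
"""

def parse_instance(text):
    """Turn the 'Key: value' lines of a 'show -instance' output into a dict."""
    pairs = (line.partition(":") for line in text.splitlines() if ":" in line)
    return {key.strip(): value.strip() for key, _, value in pairs}

def as_set(value):
    """ONTAP prints list fields as 'a, b'; compare them order-insensitively."""
    return {item.strip() for item in value.split(",") if item.strip()}

def audit_scanner_pool(text, expected_servers, expected_users):
    """Findings for a pool that would not actually scan, or whose members drifted."""
    f = parse_instance(text)
    findings = []
    if f.get("Applied Policy") != "primary":
        findings.append("policy is %s, not primary" % f.get("Applied Policy"))
    if f.get("Current Status") != "on":
        findings.append("status is %s, not on" % f.get("Current Status"))
    # Extra scanner IPs or privileged users widen who can read files unscanned.
    if as_set(f.get("List of IPs of Allowed Vscan Servers", "")) != set(expected_servers):
        findings.append("allowed scanner IPs differ from expected")
    if as_set(f.get("List of Privileged Users", "")) != set(expected_users):
        findings.append("privileged users differ from expected")
    return findings

def weak_share_profiles(text, acceptable=("standard", "strict")):
    """Shares whose vscan-fileop-profile gives less than 'standard' coverage."""
    rows = [line.split() for line in text.splitlines()[2:]]  # skip header and dashes
    return [tuple(r) for r in rows if len(r) == 3 and r[2] not in acceptable]
```

Run it against real output by pasting the two show results into the constants; on the pre-enable state shown above it reports the idle policy and off status, and both prdvol2 and prdvol3 are listed as weak.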
Comments

When creating the login for the scan user account ( security login create -username LAB\vscan -application ontapi -authmethod domain -role readonly -vserver NACLU1 ) I get an error - Error: command failed: failed to set field "role" to "readonly"
Why can I not use the readonly role? What is the cause?

Sorry Paul, I don't have the answer. Does that account you're using have permission? What's the version of ONTAP?

You should use your cluster mgmt lif which will then see all of the SVM. Then setup that user without defining a vserver.
If you try and define a vserver you cant apply a role, it'll force it as vsadmin

I got a problem, when I try to set the Ontap Management LIFs on step 3, I always get ".. failed. The underlying connection was closed."

Thanks for making this available. It made my install much easier. The answer to the roll question. This worked for me. -role vsadmin-readonly