13.1 Creating a DAC Host

Novell ZENworks Network Access Control auto-discovers endpoints on your network so that the testing and transition from quarantine to non-quarantine areas happens quickly and smoothly after an endpoint is booted up. Novell ZENworks Network Access Control also relies on auto-discovery functionality to track DHCP IP address transitions so that it can continue to communicate seamlessly with endpoints after an IP change. The utility used for auto-discovery is Device Activity Capture (DAC). DAC listens or sniffs the network for, most importantly, DHCP traffic, but can be configured to discover other types of IP traffic if needed (such as from static IP addresses). DAC listens for DHCP ACK (a unicast from the DHCP server to the endpoint) messages so that it knows exactly when an endpoint has received a new IP address and can be tested with a TCP/IP connection. DAC works in a number of configurations:
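The DHCP ACK that DAC waits for is the server's unicast reply carrying option 53 (message type) set to 5; the lease address is in the yiaddr field and the client's hardware address in chaddr. The following decoder is an added example written for this page, not DAC's own code: it walks the BOOTP header and option TLVs, returns a (MAC, IP) pair only for an ACK (an OFFER is not yet a committed lease), and rejects truncated packets rather than guessing. The sample packet is constructed inline; the server address 172.17.100.1 and the lease address are made up for the example.

```python
"""Decode a DHCP message and pick out DHCPACKs, the event DAC listens for.
Added example (not DAC code); the sample packet is constructed inline."""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that starts the options field
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
BOOTREPLY = 2


@dataclass
class DhcpMessage:
    msg_type: str
    xid: int
    client_mac: str
    yiaddr: str          # "your" address: the lease handed to the client


def parse_options(data: bytes) -> Dict[int, bytes]:
    """TLV walk over the options field; skips PAD, stops at END, refuses truncation."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value
        i += 2 + length
    return opts


def decode_dhcp(payload: bytes) -> DhcpMessage:
    """Parse the fixed 236-byte BOOTP header, the cookie and the options."""
    if len(payload) < 240:
        raise ValueError("shorter than BOOTP header + magic cookie")
    _op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = payload[16:20]          # ciaddr 12-16, yiaddr 16-20, siaddr 20-24, giaddr 24-28
    chaddr = payload[28:44]
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    if hlen > 16:
        raise ValueError("hlen exceeds the 16-byte chaddr field")
    opts = parse_options(payload[240:])
    mtype = opts.get(OPT_MESSAGE_TYPE)
    if mtype is None or len(mtype) != 1:
        raise ValueError("no DHCP message type option; plain BOOTP?")
    return DhcpMessage(
        msg_type=MESSAGE_TYPES.get(mtype[0], f"UNKNOWN({mtype[0]})"),
        xid=xid,
        client_mac=":".join(f"{b:02x}" for b in chaddr[:hlen]),
        yiaddr=socket.inet_ntoa(yiaddr),
    )


def lease_from_ack(payload: bytes) -> Optional[Tuple[str, str]]:
    """Return (mac, ip) only for a DHCPACK, the point at which the client owns the address."""
    msg = decode_dhcp(payload)
    if msg.msg_type != "ACK":
        return None
    return msg.client_mac, msg.yiaddr


def build_sample(msg_type: int, mac: bytes, yiaddr: str, server: str = "172.17.100.1") -> bytes:
    """Constructed server reply (op=BOOTREPLY, Ethernet, hlen=6) used as test input."""
    header = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, 0x1234ABCD, 0, 0)
    addrs = (socket.inet_aton("0.0.0.0") + socket.inet_aton(yiaddr)
             + socket.inet_aton(server) + socket.inet_aton("0.0.0.0"))
    options = (bytes([OPT_MESSAGE_TYPE, 1, msg_type])
               + bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server)
               + bytes([OPT_END]))
    # chaddr (16) + sname (64) + file (128) bring the header to 236 bytes
    return header + addrs + mac.ljust(16, b"\x00") + bytes(64) + bytes(128) + DHCP_MAGIC + options


if __name__ == "__main__":
    pkt = build_sample(5, bytes.fromhex("001122334455"), "172.17.100.57")
    print(lease_from_ack(pkt))   # ('00:11:22:33:44:55', '172.17.100.57')
```

This is also why the capture filter shown later in this chapter is "udp src port 67": ACKs come from the server side of the exchange, so capturing on the server source port is enough to see every lease commit without processing client broadcasts.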

This section explains how to install DAC on a remote system. For Windows servers, use the Windows installer to set up the first interface, then manually add other interfaces.

HINT: When DAC is installed on the ES, it is sometimes referred to as Embedded DAC (EDAC). When DAC is installed remotely, it is sometimes referred to as Remote DAC (RDAC).

Your DAC host can be a Windows server. This section provides instructions on setting up a Windows host.

First, download the executable file to your Windows server, then run the installer to install the first interface. For this release, if you want to add additional interfaces, you must install them manually. A future release will expand the options in the installer to include multiple interfaces. Add any additional interfaces and start the service.

The following sections contain more information:

13.1.1 Downloading the EXE File

To download the EXE file to a Windows machine:

Browser window

Download and save the EXE file to a Windows machine. Copying files is described in Section 1.9, Copying Files. The EXE file can be downloaded directly from the MS:

/usr/local/nac/webapps/ROOT/installers

Or, if you have an install CD, copied from the following directory:

X:\support\Installers\DACInstaller.exe

Where X: is the drive letter of your CD drive.

13.1.2 Running the Windows Installer

The Windows installer performs the following tasks:

  • Installs the DAC software

  • Installs the JavaJRE software if needed

  • Installs the WinPcap software if needed

  • Modifies the wrapper.conf file

  • Installs DAC as a Windows service

NOTE: If you have already installed DAC, you must uninstall it before attempting to install a newer version. See Section 13.1.8, Removing the Software for instructions.

NOTE: If you made configuration changes to the wrapper.conf file in a previous version of DAC, those changes are not preserved when you remove and re-install DAC. You will need to re-enter any changes, such as additional interfaces or ESs, in the wrapper.conf file after installing DAC. You can keep a copy of your previous wrapper.conf file for reference before you uninstall DAC; do not copy the old wrapper.conf file over the new one.

To run the Windows installer:

Windows server

  1. Navigate to the EXE file downloaded in Section 13.1.1, Downloading the EXE File.

  2. Double-click on the EXE file. The DAC InstallShield Wizard Welcome window appears:

    Figure 13-1 The DAC InstallShield Wizard Welcome Window

  3. Click Next. The Setup Type window appears:

    Figure 13-2 RDAC Installer, Setup Type

  4. Select Complete to install the DAC software, the JavaJRE software, and the WinPcap software. If you already have JavaJRE or WinPcap installed, select Custom.

  5. Click Next. The Choose Destination Location window appears:

    Figure 13-3 RDAC Installer, Choose Destination Location

  6. In most cases, you should accept the default location. (Click Change to select a different location.) Click Next. The Confirm New Folder window appears:

    Figure 13-4 RDAC Installer, Confirm New Folder

  7. Click Yes. If you selected Custom in Step 4, the Select Features window appears; otherwise the NIC Selection window appears (Figure 13-6):

    Figure 13-5 RDAC Installer, Select Features

  8. Select the features to install. Click Next. The NIC Selection window appears:

    Figure 13-6 RDAC Installer, NIC Selection

  9. All of the interfaces installed on your Windows server are listed in this window. Select the one you want to use and click Next. The TCP Port Filter Specification window appears:

    Figure 13-7 RDAC Installer, TCP Port Filter Specification

  10. In most cases you should accept the default entry. Click Next. The Enforcement Server Specification window appears:

    Figure 13-8 RDAC Installer, Enforcement Server Specification

  11. Enter the IP address of the Enforcement Server (ES) to use. Click Next. The Ready to Install the Program window appears:

    Figure 13-9 RDAC Installer, Ready to Install the Program

  12. Click Install.

  13. If you selected Complete in Step 4, the InstallShield Wizard launches the Java installer first and then the WinPcap installer.

    If you selected Custom in Step 4, the installers for only the selected feature will launch.

    You will be notified by the Java and WinPcap installers if you already have the software installed.

    Follow the instructions on the installer windows.

    When the installation is complete, the InstallShield Wizard Complete window appears:

    Figure 13-10 RDAC Installer, InstallShield Wizard Complete

  14. The following folders and files are created:

      • DAC
        • VERSION
        • bin
          • InstallSSDAC.bat
          • rdac
          • SSDAC.bat
          • UninstallSSDAC.bat
          • wrapper.exe
        • conf
          • wrapper.conf
        • lib
          • DAC_keystore
          • Jpcap.dll
          • libjpcap.so
          • SA_DeviceActivityCapturer.jar
          • wrapper.dll
          • wrapper.jar
        • log
          • wrapper.log

  15. Perform the steps detailed in Section 13.1.3, Adding Additional Interfaces if you have additional interfaces to add.

  16. Perform the steps detailed in Section 13.1.4, Configuring the MS and ES for DAC.

  17. Go to Section 13.1.6, Starting the Windows Service.

13.1.3 Adding Additional Interfaces

For this release, if you want to add additional interfaces, you must install them manually. A future release will expand the options in the installer to include multiple interfaces.

To add additional interfaces to the DAC host:

Windows server

  1. Open the DAC/conf/wrapper.conf file with a text editor.

    1. Locate the Application Parameters section in the wrapper.conf file. You will see a list of entries like the following:

      wrapper.app.parameter.X
      

      Where X is the numerical value representing the order in which the parameter will be added to the command.

    2. Change any parameters necessary for your specific setup. The interface and IP address parameters are the only parameters that require a change; however, changing other parameters can assist you for debugging purposes.

      Example 13-1 Example wrapper.conf File

      # Application parameters.  Add parameters as needed starting from 1
      wrapper.app.parameter.1=RemoteDac
      wrapper.app.parameter.2=-d
      wrapper.app.parameter.3=-l
      wrapper.app.parameter.4=../log/DAC.log
      wrapper.app.parameter.5=-k
      wrapper.app.parameter.6=../lib/DAC_keystore
      wrapper.app.parameter.7=-h
      #replace wrapper.app.parameter.8 with the Enforcement Server IP address.
      #for multiple Enforcement Servers add more parameters and increment the ones below
      #example:
      #wrapper.app.parameter.8=<ip 1>
      #wrapper.app.parameter.9=<ip 2>
      #wrapper.app.parameter.10=<ip 3>
      #wrapper.app.parameter.11=-i
      #wrapper.app.parameter.12="\Device\NPF_{9F658297-43BF-4EA0-A1E3-3FA2FFD55C70}"
      #wrapper.app.parameter.13=-f
      #etc...
      wrapper.app.parameter.8=172.17.100.100
      wrapper.app.parameter.9=-i
      #replace wrapper.app.parameter.10 with your interface
      #to find your interfaces please run the following from the lib directory
      #java -jar SA_DeviceActivityCapturer.jar -L
      #this will list all available interfaces; replace the following parameter with your interface
      wrapper.app.parameter.10="\Device\NPF_{54052575-E4CC-46A5-B626-9167DD4F9BE3}"
      wrapper.app.parameter.11=-f
      wrapper.app.parameter.12="udp src port 67"
      
  2. Perform the steps detailed in Section 13.1.4, Configuring the MS and ES for DAC.

  3. Go to Section 13.1.6, Starting the Windows Service.

13.1.4 Configuring the MS and ES for DAC

  1. Create a keystore file containing a unique key, signed certificate, and a CA certificate that is required for SSL communication.

    1. On the Novell ZENworks Network Access Control MS, enter the following command at the command line:

      /usr/local/nac/bin/SSL-createRemoteDACCertificate 
      
    2. When the command completes, copy the DAC_keystore file (from /tmp or wherever you specified) to C:\Program Files\StillSecure\DAC\lib\ .

    3. After copying the DAC_keystore file from the MS, delete the file from its temporary location on the MS.

      NOTE: This step must be repeated for each remote DAC host, because each host should have its own unique key.

  2. Add a firewall rule to the ES or ESs to which the DAC host will be sending packets. On each ES:

    1. Enter the following command to dump the Lokkit iptables chain:

      iptables -nvL RH-Lokkit-0-50-INPUT --line-numbers
      
    2. Add a rule AFTER the RELATED, ESTABLISHED rule, so that the DAC host's new connections are accepted before any later REJECT rule. The rule numbers are listed in the first column of the output from the previous command. For example, if the RELATED, ESTABLISHED rule is rule 5, the INSERT command would look like the following:

      iptables -I RH-Lokkit-0-50-INPUT 6 -p tcp --dport 8999 -s <DAC host IP> -m state --state NEW -j ACCEPT
      

      If you want this addition to survive a reboot, you must use the iptables-save command and dump the iptables ruleset to /etc/sysconfig/iptables with the following command:

      /sbin/iptables-save > /etc/sysconfig/iptables
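Reading the rule number off the listing and typing it into the insert command is the step that goes wrong most often (off by one, or the rule already exists from an earlier attempt). The following helper is an added example, not part of the product: it parses the output of the listing command above, computes the insert position as RELATED,ESTABLISHED plus one, checks whether an ACCEPT for the DAC host on port 8999 is already present, and assembles the exact iptables command from the text. The listing and the DAC host address 172.17.100.20 are constructed for the example.

```python
"""Derive the iptables insert position for the DAC rule from the chain listing.
Added example; the listing below is constructed in the shape of
`iptables -nvL RH-Lokkit-0-50-INPUT --line-numbers`, not captured from a real ES."""
import ipaddress
import re
from typing import Dict, List

CHAIN = "RH-Lokkit-0-50-INPUT"
DAC_PORT = 8999

SAMPLE_LISTING = """\
Chain RH-Lokkit-0-50-INPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
6        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
"""

# num pkts bytes target prot opt in out source destination [match details]
RULE_RE = re.compile(
    r"^(\d+)\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s+\S+\s*(.*)$"
)


def parse_rules(listing: str) -> List[Dict[str, str]]:
    """Turn each numbered rule line into a dict; header lines do not match."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"num": m.group(1), "target": m.group(2), "prot": m.group(3),
                          "source": m.group(4), "extra": m.group(5)})
    return rules


def insert_position(listing: str) -> int:
    """Position directly after the RELATED,ESTABLISHED ACCEPT; never guess if it is absent."""
    for r in parse_rules(listing):
        if r["target"] == "ACCEPT" and "RELATED,ESTABLISHED" in r["extra"]:
            return int(r["num"]) + 1
    raise LookupError(f"no RELATED,ESTABLISHED ACCEPT rule in {CHAIN}")


def dac_rule_present(listing: str, dac_host_ip: str) -> bool:
    """True if an ACCEPT for tcp dpt:8999 from the DAC host is already in the chain."""
    for r in parse_rules(listing):
        if (r["target"] == "ACCEPT" and r["prot"] == "tcp"
                and r["source"] == dac_host_ip and f"dpt:{DAC_PORT}" in r["extra"]):
            return True
    return False


def build_insert_command(listing: str, dac_host_ip: str) -> List[str]:
    """argv for the insert shown in the text, scoped to the DAC host only."""
    ipaddress.ip_address(dac_host_ip)        # reject malformed addresses before touching the firewall
    pos = insert_position(listing)
    return ["iptables", "-I", CHAIN, str(pos), "-p", "tcp", "--dport", str(DAC_PORT),
            "-s", dac_host_ip, "-m", "state", "--state", "NEW", "-j", "ACCEPT"]


if __name__ == "__main__":
    host = "172.17.100.20"                   # constructed DAC host address
    if dac_rule_present(SAMPLE_LISTING, host):
        print("rule already present; nothing to do")
    else:
        print(" ".join(build_insert_command(SAMPLE_LISTING, host)))
```

Run it against the real listing by replacing SAMPLE_LISTING with the captured command output; keeping the -s restriction to the DAC host's address is what stops port 8999 from being opened to the whole network.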
      

13.1.5 Adding Additional ESs

For this release, if you want to add additional ESs, you must install them manually. A future release will expand the options in the installer to include multiple ESs.

To add additional ESs to the DAC host:

Windows server

  1. Open the DAC/conf/wrapper.conf file with a text editor.

    1. Locate the Application Parameters section in the wrapper.conf file. You will see a list of entries like the following:

      wrapper.app.parameter.X
      

      Where X is the numerical value representing the order in which the parameter will be added to the command.

    2. Add additional ESs:

      1. Locate the line that represents the initial ES, for example:

        wrapper.app.parameter.8=172.17.100.100
        
      2. Add another line just below the initial ES with the new IP address or addresses:

        wrapper.app.parameter.9=172.17.100.150
        wrapper.app.parameter.10=172.50.50.7
        
      3. Increment the rest of the wrapper.app.parameter numbers by the number of ESs added. For this example of adding two ESs, increment by two: change 10 to 12, 11 to 13, and so on.

        wrapper.app.parameter.11=-i
        wrapper.app.parameter.12="\Device\NPF_{54052575-E4CC-46A5-B626-9167DD4F9BE3}"
        wrapper.app.parameter.13=-f
        wrapper.app.parameter.14="udp src port 67"
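Both Section 13.1.3 and Section 13.1.5 edit the same wrapper.app.parameter list, and the renumbering step is where a hand edit typically leaves a gap or a duplicate that the wrapper then passes to RemoteDac in the wrong order. The script below is an added example, not part of DAC: it parses the list, refuses a list that is not numbered contiguously from 1, inserts new ES addresses directly after the existing ones that follow -h (validating them as IP addresses and skipping duplicates), and writes the parameters back contiguously renumbered, exactly as the manual procedure above describes. The sample file is built from Example 13-1 with the comment lines left out; the two new addresses are the ones used in the text.

```python
"""Add Enforcement Servers to a DAC wrapper.conf and renumber the parameters.
Added example (not DAC code). SAMPLE_WRAPPER_CONF is Example 13-1 without its comments."""
import ipaddress
import re
from typing import Dict, List

PARAM_RE = re.compile(r"^wrapper\.app\.parameter\.(\d+)=(.*)$")

SAMPLE_WRAPPER_CONF = """\
# Application parameters.  Add parameters as needed starting from 1
wrapper.app.parameter.1=RemoteDac
wrapper.app.parameter.2=-d
wrapper.app.parameter.3=-l
wrapper.app.parameter.4=../log/DAC.log
wrapper.app.parameter.5=-k
wrapper.app.parameter.6=../lib/DAC_keystore
wrapper.app.parameter.7=-h
wrapper.app.parameter.8=172.17.100.100
wrapper.app.parameter.9=-i
wrapper.app.parameter.10="\\Device\\NPF_{54052575-E4CC-46A5-B626-9167DD4F9BE3}"
wrapper.app.parameter.11=-f
wrapper.app.parameter.12="udp src port 67"
"""


def parse_app_parameters(text: str) -> List[str]:
    """Return parameter values in numeric order; gaps or duplicates are an error."""
    numbered: Dict[int, str] = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line.strip())
        if not m:
            continue                      # comments and unrelated wrapper keys
        n = int(m.group(1))
        if n in numbered:
            raise ValueError(f"duplicate wrapper.app.parameter.{n}")
        numbered[n] = m.group(2)
    expected = list(range(1, len(numbered) + 1))
    if sorted(numbered) != expected:
        raise ValueError(f"parameter numbers not contiguous from 1: {sorted(numbered)}")
    return [numbered[n] for n in expected]


def add_enforcement_servers(params: List[str], new_ips: List[str]) -> List[str]:
    """Insert new ES addresses after the ones already following -h."""
    if "-h" not in params:
        raise ValueError("no -h (Enforcement Server) option in parameter list")
    start = params.index("-h") + 1
    end = start
    while end < len(params) and not params[end].startswith("-"):
        end += 1                          # existing addresses run until the next option
    existing = params[start:end]
    for ip in new_ips:
        ipaddress.ip_address(ip)          # raises ValueError on a malformed address
    added = [ip for ip in new_ips if ip not in existing]
    return params[:end] + added + params[end:]


def render_app_parameters(params: List[str]) -> List[str]:
    """Number the values 1..N: the 'increment the rest' step done mechanically."""
    return [f"wrapper.app.parameter.{i}={v}" for i, v in enumerate(params, start=1)]


def rewrite_wrapper_conf(text: str, params: List[str]) -> str:
    """Replace the parameter block in the file text; other lines are kept verbatim."""
    out: List[str] = []
    written = False
    for line in text.splitlines():
        if PARAM_RE.match(line.strip()):
            if not written:
                out.extend(render_app_parameters(params))
                written = True
            continue                      # drop the old numbered lines
        out.append(line)
    if not written:
        out.extend(render_app_parameters(params))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    current = parse_app_parameters(SAMPLE_WRAPPER_CONF)
    updated = add_enforcement_servers(current, ["172.17.100.150", "172.50.50.7"])
    print(rewrite_wrapper_conf(SAMPLE_WRAPPER_CONF, updated))
```

Because the rewrite drops the old numbered lines and emits the block at the position of the first one, comments that were interleaved between parameters end up ahead of the block; review the result before saving it over DAC/conf/wrapper.conf.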
        

13.1.6 Starting the Windows Service

You can start the Windows service manually, or you can reboot the Windows server, which starts the service automatically.

To start the Windows service manually:

Windows server

  1. Select Start>>Settings>>Control Panel>>Administrative Tools>>Services. The Services window appears:

    Figure 13-11 NAC Endpoint Activity Capture Service

  2. Right-click on the NAC Endpoint Activity Capture service and select Start.

    The service is set to automatic start at the next reboot by default.

13.1.7 Viewing Version Information

To view version information:

Windows server

  1. Select Start>>Settings>>Control Panel>>Add or Remove Programs.

  2. Click once on the DAC listing.

  3. Click Click here for support information. The Support Info window appears.

  4. The version and other support information is displayed. Click Close.

  5. Close the Add or Remove Programs window.

13.1.8 Removing the Software

Each of the three software packages must be removed individually.

To remove the RDAC software:

Windows server

  1. Select Start>>Settings>>Control Panel>>Add or Remove Programs.

  2. Click once on the DAC listing.

  3. Click Remove.

  4. Click Yes when asked if you want to completely remove the application and features. When the uninstallation is complete, the Uninstall Complete window appears:

    Figure 13-12 RDAC Uninstall Complete

  5. Select one of the options and click Finish.

To remove the JavaJRE software:

Windows server

  1. Select Start>>Settings>>Control Panel>>Add or Remove Programs.

  2. Click once on the J2SE Runtime Environment listing.

  3. Click Remove.

  4. Click Yes when asked if you want to completely remove the application and features. When the uninstallation is complete, the Uninstall Complete window appears.

  5. Select one of the options and click Finish.

To remove the WinPcap software:

Windows server

  1. Select Start>>Settings>>Control Panel>>Add or Remove Programs.

  2. Click once on the WinPcap listing.

  3. Click Remove.

  4. Click Yes when asked if you want to completely remove the application and features. When the uninstallation is complete, the Uninstall Complete window appears.

  5. Select one of the options and click Finish.