Netwitness® Endpoint Installation Guide: For Version 4.4
Contact Information
RSA Link at https://community.rsa.com contains a knowledgebase that answers common
questions and provides solutions to known problems, product documentation, community
discussions, and case management.
Trademarks
For a list of RSA trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.
License Agreement
This software and the associated documentation are proprietary and confidential to Dell, are
furnished under license, and may be used and copied only in accordance with the terms of such
license and with the inclusion of the copyright notice below. This software and the
documentation, and any copies thereof, may not be provided or otherwise made available to any
other person.
No title to or ownership of the software or documentation or any intellectual property rights
thereto is hereby transferred. Any unauthorized use or reproduction of this software and the
documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment
by Dell.
Third-Party Licenses
This product may include software developed by parties other than RSA. The text of the license
agreements applicable to third-party software in this product may be viewed on the product
documentation page on RSA Link. By using this product, a user of this product agrees to be fully
bound by terms of the license agreements.
Distribution
Dell believes the information in this publication is accurate as of its publication date. The
information is subject to change without notice.
August 2018
NetWitness Endpoint 4.4 Installation Guide
Contents
System Requirements  8
    Supported Operating Systems for NetWitness Endpoint Servers  8
    Supported Operating Systems for NetWitness Endpoint Agents  8
        Windows OS Support  8
        Mac OS Support  9
        Linux OS Support  9
    Prerequisites  9
        Database Prerequisite  9
        Java Prerequisite  10
    Additional Components Included During Installation  10
    Distributed Installation  10
    Sizing Recommendations for NetWitness Endpoint Components  12
        NetWitness Endpoint Database Server  12
        NetWitness Endpoint ConsoleServer and NetWitness Endpoint API Server  13
        NetWitness Endpoint UI  13
        NetWitness Endpoint Roaming Agents Relay (RAR) Server  13
    Recommendations for Configuring the Microsoft SQL Database Disk and Partitions  14
    Installation and Configuration Guidelines for RSA-Provided NetWitness Endpoint Hardware  15
        Configure RAID volumes in the BIOS  16
        Install Microsoft Windows Server on the OS Volume  25
        Install Microsoft SQL Server Enterprise  25
        Split the Microsoft SQL Temp DB into Eight Files  25
        Configure SQL DB Parallelism  26
        Dell NetWitness Endpoint Hardware Specification  26
Installation  29
    Step 1: Install Microsoft SQL Server  30
        Part 1: Install Microsoft SQL Server  30
        Part 2: Split the Microsoft SQL Temp DB into Eight Files  34
        Part 3: Configure SQL DB Parallelism  35
References  149
    Network Distributed Installation Considerations  149
• Installation
• Update Installation
• Additional Procedures
• References
For information about NetWitness Endpoint, its components, product features, related
technologies, and using the product, see the RSA NetWitness Endpoint 4.4 User Guide,
available on RSA Link.
Technical Support
Community: https://community.rsa.com/community/products/netwitness
Email: support@rsa.com
SYSTEM REQUIREMENTS
This topic provides information about the system requirements for installing and configuring
NetWitness Endpoint.
Windows OS Support
Mac OS Support
Linux OS Support
Prerequisites
Database Prerequisite
The NetWitness Endpoint Server requires Microsoft SQL Server, which must be pre-installed.
For step-by-step instructions to install Microsoft SQL Server, see Step 1: Install Microsoft SQL
Server.
The RSA NetWitness Endpoint database will be attached to your Microsoft SQL Server
instance. The supported versions are:
• Microsoft SQL Server 2012 Standard Edition
Note: RSA recommends Microsoft SQL Server 2012 or 2014 Enterprise Edition. The Standard
Edition has core and memory usage limitations, so larger deployments may require Enterprise
Edition to meet the specifications outlined in the following sections.
Microsoft SQL Server can be installed and run on a separate physical or virtual machine from
the NetWitness Endpoint Server. The NetWitness Endpoint UI can still be run locally on the
operator’s machine, even if the Microsoft SQL Server instance is running remotely. The
NetWitness Endpoint ConsoleServer service account must have sysadmin rights on the SQL
database.
Java Prerequisite
To support the NetWitness Endpoint Meta Service integration with NetWitness Suite 11.0, you
must install Java JRE version 8 update 131 or later on the NetWitness Endpoint server. For more
information on Java JRE, go to http://www.oracle.com/technetwork/java/index.html. For more
information about the Meta Service integration, see "NetWitness Suite Endpoint Meta
Integration" in the RSA NetWitness Endpoint 4.4 User Guide.
Note: Only Java JRE version 8 and its updates are supported. Java JRE versions 9 or later are
not supported.
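The prerequisite checks in this section (a sysadmin-capable service account on the SQL instance, JRE 8 update 131 or later but not JRE 9+) and the .NET Framework 4.6.1 requirement stated later in the installation procedure can be verified before the installer is run. The following PowerShell script is an added example, not part of the RSA guide or the NetWitness Endpoint product; the SQL instance name `SQLHOST`, the service account `CORP\svc-nwe-console` and the function names are placeholders, and the .NET check uses the `Release` registry value, where 394254 is the lowest value Microsoft assigns to 4.6.1.

```powershell
# Added example (not RSA code): pre-installation checks for the NetWitness Endpoint
# prerequisites. Run on the intended ConsoleServer host as a user that can connect
# to the SQL instance. Names marked "placeholder" must be adjusted.

function Test-NweJavaPrerequisite {
    # Supported: JRE 8 update 131 or later. JRE 9 and later are not supported.
    try {
        # java writes its version banner to stderr; 2>&1 merges it so it can be parsed
        $banner = (& java -version 2>&1 | Out-String)
    } catch {
        return [pscustomobject]@{ Check = 'Java JRE'; Pass = $false; Detail = 'java.exe not found on PATH' }
    }
    if ($banner -match 'version "1\.8\.0_(\d+)') {
        $update = [int]$Matches[1]
        return [pscustomobject]@{ Check = 'Java JRE'; Pass = ($update -ge 131); Detail = "JRE 8 update $update" }
    }
    if ($banner -match 'version "(9|[1-9]\d+)') {
        return [pscustomobject]@{ Check = 'Java JRE'; Pass = $false; Detail = "JRE $($Matches[1]) is not supported; install JRE 8u131 or later" }
    }
    [pscustomobject]@{ Check = 'Java JRE'; Pass = $false; Detail = "unsupported or unrecognised JRE: $($banner.Trim())" }
}

function Test-NweDotNetPrerequisite {
    # .NET Framework 4.6.1 or later: Release >= 394254 under the v4 Full key
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    [pscustomobject]@{ Check = '.NET 4.6.1'; Pass = ($release -ge 394254); Detail = "Release=$release" }
}

function Test-NweSqlSysadmin {
    param([string]$SqlInstance, [string]$ServiceAccount)
    # The ConsoleServer service account must hold the sysadmin server role.
    # Uses the caller's Windows credentials (Integrated Security), no SqlServer module needed.
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlInstance;Integrated Security=True;Connect Timeout=10")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin', @login)"   # parameterised, not string-built
        [void]$cmd.Parameters.AddWithValue('@login', $ServiceAccount)
        $result = $cmd.ExecuteScalar()
        # 1 = member, 0 = not a member, NULL = no such login on this instance
        if ($result -is [DBNull]) { $detail = "login $ServiceAccount does not exist on $SqlInstance" }
        elseif ($result -eq 1)   { $detail = "$ServiceAccount is sysadmin on $SqlInstance" }
        else                     { $detail = "$ServiceAccount is NOT sysadmin on $SqlInstance" }
        return [pscustomobject]@{ Check = 'SQL sysadmin'; Pass = ($result -eq 1); Detail = $detail }
    } catch {
        return [pscustomobject]@{ Check = 'SQL sysadmin'; Pass = $false; Detail = "cannot query ${SqlInstance}: $($_.Exception.Message)" }
    } finally {
        $conn.Dispose()
    }
}

$results = @(
    Test-NweJavaPrerequisite
    Test-NweDotNetPrerequisite
    Test-NweSqlSysadmin -SqlInstance 'SQLHOST' -ServiceAccount 'CORP\svc-nwe-console'   # placeholders
)
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'Resolve the failed checks before running the NetWitness Endpoint installer.'
}
```

The sysadmin query is parameterised rather than assembled from the account name, and it runs under the operator's own Windows login, so it can be used as a read-only audit on an existing instance without storing any SQL credentials in the script.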
Distributed Installation
NetWitness Endpoint has a scalable architecture. Depending on your needs, you can use
different installation configurations:
• Single-Server Mode has only one instance of the NetWitness Endpoint server and all
endpoints connect to that server. Each NetWitness Endpoint server instance includes
ConsoleServer, database server, and API server. Single-server mode can be deployed using
• Multi-Server Mode has more than one instance of the NetWitness Endpoint server, with one
instance being the Primary server and the rest (up to three) being Secondary servers.
Multi-server mode can be deployed according to the following guidelines:
    ◦ RSA recommends that each instance of a NetWitness Endpoint server (Primary or
    Secondary) be installed on a separate machine.
    ◦ Install the NetWitness Endpoint UI on a separate machine (for example, the analyst
    workstation); there can be multiple instances of the UI installed on different machines.
Note: When installing, RSA requires that all the servers connect through at least a gigabit
network.
The components are listed below, some of which are installed using the NetWitness Endpoint
Installer, and some of which must be installed separately.
Components to install using the NetWitness Endpoint Installer:
• NetWitness Endpoint ConsoleServer (for Primary server and Secondary servers)
• NetWitness Endpoint UI
• NetWitness Endpoint Agent (separate packagers for each agent type: Windows, Mac, and
Linux)
• (Optional) YARA
Note: The Microsoft SQL database requires a high-performance environment. See below for
minimum requirements for the NetWitness Endpoint database server.
Trial - 10 4 16 100 -
PoC - 1K 8 32 500 -
If using Microsoft SQL Server 2016 Standard Edition, the following requirements apply:
Note: The maximum number of modules supported with Microsoft SQL 2016 Standard Edition
is 2.5 million.
Note: For more information on database and OS partitions sized for 50K deployments, refer to
the following sections: Recommendations for Configuring the Microsoft SQL Database Disk and
Partitions and Installation and Configuration Guidelines for RSA-Provided NetWitness Endpoint
Hardware.
2. The following table shows the recommended hardware for hosting the NetWitness Endpoint
ConsoleServer on a dedicated computer, which can be a virtual machine.
3. Disk space is only used to host the operating system and installed software. The NetWitness
Endpoint ConsoleServer does not store data locally.
4. Additional hardware is not required for the API server, which integrates with Security
Analytics, except for the small (Trial / POC) installation. In a small deployment, additional
processing power and memory are required (as indicated in the table below).
5. The NetWitness Endpoint API server always co-exists with the ConsoleServer. There is no
option to install it separately. The following specifications are for ConsoleServer and API
server only (UI is not included).
NetWitness Endpoint UI
The analyst's usual workstation should be sufficient to host the NetWitness Endpoint UI, with a
minimum of 2 cores and 8 GB of RAM.
1. The link speed between the NetWitness Endpoint ConsoleServer and the RAR server should
not be less than 300 Mbps (or 40 MBps).
2. Agent Relays are measured based on the maximum number of concurrent roaming agents,
rather than number of endpoints overall. When sizing the RAR, make sure you understand
the percentage of the workforce traveling at any one time. As an example, EMC sized its
NetWitness Endpoint RAR at 10% of the workforce, which seems to provide sufficient
headroom for its employees' collective traveling habits, even during peak travel, such as
large conferences.
3. A worker on VPN does not use the Roaming Agents Relay. So the remote workforce already
connected to the network does not enter the RAR calculation above.
4. In the event that a RAR connection is unavailable, the endpoint will buffer the data and
continue trying to find the server / fallback on the Relay.
5. Each RAR can connect to multiple ConsoleServers, but each ConsoleServer can connect to
only one RAR.
6. The RAR lives outside the corporate network, such as in a DMZ or the Cloud. The RAR
requires a publicly accessible DNS alias that agents will leverage when outside the
corporate network.
*Concurrent active roaming agents = maximum number of endpoints roaming at the same time
(disconnected from the corporate network and outside a VPN connection).
Note: When configuring SAN on your hardware, particularly logical unit numbers (LUNs),
RSA strongly recommends that you refer to the following White Paper:
https://www.emc.com/collateral/technical-documentation/h14621-microsoft-sql-server-best-
practice.pdf
• RAID 10: 10 x 800GB SSDs (~4 Usable) – DB (Queued Data, NetWitness Endpoint
database, NetWitness Endpoint database transaction log, SQL Server temp database
transaction log, SQL Server temp database)
The following procedure details the steps for configuring the RAID volumes.
The following information may be pertinent for setting up the machine:
• iDRAC IP Address = 192.168.0.120
  iDRAC credentials = root/calvin
• Sda = volgroup0 = C drive
  Sdb = volgroup1 = F drive
  Sdc = volgroup2 = D drive
3. Select Integrated RAID Controller 1:Dell PERC <PERC H730P Mini> Configuration
Utility.
12. Click Create Virtual Disk and then confirm the action.
13. Repeat steps 5-12 for the next volume, using the following settings:
    • Select RAID 6
14. Repeat steps 5-12 for the next volume, using the following settings:
    • Select RAID 10
    • Switch from HDD to SSD in physical disk and select all the drives
15. Go back one menu, click Virtual Disk Management, and double-check that all drives are
listed.
18. Select GPT as the Partition Style during Initialize Disk step in Disk Management, as shown
below:
19. After initializing the disk, create the volume as New Simple Volume:
20. On the New Simple Volume Wizard, select the options as shown below:
Caution: For the RAID 10 Data volume, it is very important that you configure it as follows
when you format it via Disk Management: 64K stripe on volume and 64K block size in
Windows with a 1024 offset and NTFS file system. If it is configured any other way it will
have very serious impacts on system performance.
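Because a wrongly formatted data volume silently degrades SQL Server performance, the layout is worth verifying from Windows before the database is installed. The following PowerShell script is an added example, not part of the RSA guide; it assumes the RAID 10 data volume is D: (placeholder, following the Sdc = volgroup2 = D drive mapping earlier in this section), reads "1024 offset" as a 1024 KB partition alignment (an assumption), and checks the GPT partition style from step 18. The 64K stripe is a RAID controller setting that is not visible from Windows and is therefore not checked here.

```powershell
# Added example (not RSA code): checks the NetWitness Endpoint data volume layout.
# Run as an administrator on the database server after formatting the RAID 10 volume.
function Test-NweDataVolumeFormat {
    param([string]$DriveLetter = 'D')   # placeholder: the RAID 10 data volume
    $expectedCluster = 64KB      # 64K NTFS allocation unit = 65536 bytes
    $expectedOffset  = 1024KB    # assumed meaning of "1024 offset": partition start aligned to 1 MiB

    $vol = Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter = '${DriveLetter}:'"
    if (-not $vol) { throw "Volume ${DriveLetter}: not found" }
    $part = Get-Partition -DriveLetter $DriveLetter
    $disk = Get-Disk -Number $part.DiskNumber

    # One row per setting from the caution above, plus the GPT style from step 18
    @(
        [pscustomobject]@{ Setting = 'File system';      Actual = $vol.FileSystem;      Expected = 'NTFS';                        Pass = ($vol.FileSystem -eq 'NTFS') }
        [pscustomobject]@{ Setting = 'Allocation unit';  Actual = $vol.BlockSize;       Expected = $expectedCluster;              Pass = ($vol.BlockSize -eq $expectedCluster) }
        [pscustomobject]@{ Setting = 'Partition offset'; Actual = $part.Offset;         Expected = "multiple of $expectedOffset"; Pass = (($part.Offset % $expectedOffset) -eq 0) }
        [pscustomobject]@{ Setting = 'Partition style';  Actual = $disk.PartitionStyle; Expected = 'GPT';                         Pass = ("$($disk.PartitionStyle)" -eq 'GPT') }
    )
}

$report = Test-NweDataVolumeFormat -DriveLetter 'D'
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'The data volume does not match the required layout; reformat it before installing SQL Server.'
}
```

`Win32_Volume.BlockSize` is the NTFS allocation unit size chosen at format time, so a volume formatted with the Windows default (4096 bytes) is reported immediately rather than discovered later as a slow database.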
Caution: Making any modifications to the Microsoft SQL database other than what is
specified in the NetWitness Endpoint documentation is not supported and may result in errors
when installing the NetWitness Endpoint product.
Quantity  Description
1         Basic Hardware Services: Business Hours (5X10) Next Business Day On Site Hardware Warranty Repair 3 Year (976-9079)
1         Declined recommended ProSupport service - Call your Dell Sales Rep if Upgrade Needed (996-8029)
1         US Order (332-1286)
1         Bezel (325-BBEJ)
10        800GB Solid State Drive SAS Mix Use MLC 12Gbps 2.5in Hot-plug Drive, PX04SM (400-ALXS)
6         1TB 7.2K RPM Near-Line SAS 12Gbps 2.5in Hot-plug Hard Drive (400-ALUN)
2         1.2TB 10K RPM SAS 12Gbps 2.5in Hot-plug Hard Drive (400-AJON)
2         NEMA 5-15P to C13 Wall Plug, 125 Volt, 15 AMP, 10 Feet (3m), Power Cord, North America (450-AALV)
INSTALLATION
This topic provides detailed installation instructions for installing NetWitness Endpoint. The
installation instructions in this topic assume you are deploying a brand new NetWitness Endpoint
4.4 installation.
If you are updating an existing NetWitness Endpoint 4.x to 4.4, refer to the section Update
Installation.
If you are currently on RSA ECAT 3.5, you should first uninstall ECAT 3.5 and then install
NetWitness Endpoint 4.4; however, agents currently on 3.5 can be upgraded using the 4.4 agent
packager.
Installation consists of the following steps, some of which are optional:
• Step 1: Install Microsoft SQL Server
Caution: Making any modifications to the Microsoft SQL database other than what is
specified in the NetWitness Endpoint documentation is not supported and may result in errors
when installing the NetWitness Endpoint product.
3. Click the option New SQL Server stand-alone installation or add features to an existing
installation.
The SQL Server 2012 Setup wizard is displayed.
4. The wizard will automatically perform the Setup Support Rules, an analysis of your
computer to identify potential installation problems. Click Show Details.
The results of the system analysis are displayed.
5. Make sure any issues it identifies (that do not have Status “Passed”) are dealt with before
moving on. When finished, click OK.
6. Wait for the Product Key dialog to open and do one of the following:
    • Select Evaluation (which is the default). This will install the free trial edition, with a
    180-day expiration (a license may be purchased later).
    • Select Enter the product key, and enter your product key, if you have already
    purchased a license.
8. Click Next.
The License Terms dialog is displayed.
9. Check I accept the license terms after reading the license terms fully.
11. If there are any product updates to install, it is recommended that you choose to perform any
such updates by checking Include SQL Server product updates (it should be checked by
default).
13. Click Install and wait for the Setup Support Rules panel to open (this will take some time).
The results of another system check are displayed.
14. Again, make sure that all rules have Status “Passed” before proceeding. (To re-check the
same rules, click Re-run.)
16. Select SQL Server Feature Installation, which allows you to customize exactly which
features you want installed.
Note: These selections are for SQL Server 2012. Other versions may have slightly
different choices.
19. Click Next and wait for the Installation Rules dialog to display.
20. The installer will perform yet another check of the system for potential problems. As before,
make sure you have dealt with any issues it reports.
22. The Instance ID and locations of various directories for your SQL Server instance (as well
as its name, if you choose to make it a named instance) are set at this step. Choose the
settings for the instance you are creating. You may simply choose the defaults if you like.
Note: If you choose to create a named instance (which is not required) record the name
for future use.
23. Click Next and wait for the Disk Space Requirements dialog to display.
25. Click Next and wait for the Server Configuration dialog to display.
27. Click Next and wait for the Database Engine Configuration dialog to display.
28. In the Server Configuration tab, under Authentication Model, check Mixed Mode (SQL
Server authentication and Windows authentication).
29. Under Specify the password for the SQL Server system administrator (sa) account,
enter and confirm a secure password of your choosing.
30. Under Specify SQL Server administrators, add all user accounts that will have access to
the SQL Server database:
b. Click Add… to give access to other users, including the NetWitness Endpoint
ConsoleServer Service account.
Note: When using a workgroup, you may create the same username and password on all
machines that will access the SQL server. They must be identical to ensure a remote
connection. Under a domain configuration, just add the desired users from the domain.
Note: You may ignore the Data Directories and FILESTREAM tabs.
34. Make sure any options to report data are left unchecked (which should be the default).
36. As before, ensure there are no problems (all rules have Status “Passed”).
38. You may review this information, as a final check that you are ready to install.
Caution: Making any modifications to the Microsoft SQL database other than what is
specified in the NetWitness Endpoint documentation is not supported and may result in errors
when installing the NetWitness Endpoint product.
Note: TCP/IP encryption is mandatory for a multi-server installation. This also must be
enabled on all secondary servers.
2. In the navigation panel on the left, expand SQL Server Network Configuration to reveal
the nodes under it.
3. Select the node of the instance you want to configure (there will be a node for each instance
of SQL Server installed on the current machine).
4. Make sure that next to TCP/IP, the status is set to Enabled (it may already be enabled).
This can be changed using the contextual menu (right-click).
Note: The ports used by the SQL Server instance can also be changed from this window.
Consult the SQL Server documentation.
5. Right-click the instance node in the navigation panel and select Properties.
8. Select SQL Server Services in the navigation panel. Your SQL Server instance is
displayed in the list on the right, as “SQL Server (NAME-OF-YOUR-SQLSERVER-INSTANCE)”.
9. Right-click your instance, and select Restart. This must be done for your changes to take
effect.
10. When the instance has finished restarting, select File > Exit to quit the Configuration
Manager.
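The settings changed in the Configuration Manager steps above (TCP/IP enabled, the listening port, and the Force Encryption flag on the instance's protocol properties that the multi-server note requires) are stored in the instance's registry hive, which makes them easy to audit on every primary and secondary database host without opening the GUI. The following PowerShell script is an added example, not part of the RSA guide; it assumes a default instance named `MSSQLSERVER` (placeholder; use your named instance if you created one) and is run as an administrator on the SQL Server machine.

```powershell
# Added example (not RSA code): reads the SQL Server network configuration that the
# Configuration Manager steps above set, directly from the instance's registry hive.
function Get-NweSqlNetworkConfig {
    param([string]$InstanceName = 'MSSQLSERVER')   # placeholder: default instance

    # "Instance Names\SQL" maps each instance name to its hive ID,
    # e.g. MSSQL11.MSSQLSERVER for a SQL Server 2012 default instance
    $instanceKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    $hiveId = (Get-ItemProperty -Path $instanceKey -ErrorAction Stop).$InstanceName
    if (-not $hiveId) { throw "Instance '$InstanceName' not found under $instanceKey" }

    $netLib = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$hiveId\MSSQLServer\SuperSocketNetLib"
    $tcpEnabled = (Get-ItemProperty -Path "$netLib\Tcp" -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $forceEnc   = (Get-ItemProperty -Path $netLib -Name ForceEncryption -ErrorAction SilentlyContinue).ForceEncryption
    $ipAll      = Get-ItemProperty -Path "$netLib\Tcp\IPAll"

    [pscustomobject]@{
        Instance        = $InstanceName
        HiveId          = $hiveId
        TcpEnabled      = ($tcpEnabled -eq 1)        # step 4: TCP/IP must be Enabled
        ForceEncryption = ($forceEnc -eq 1)          # mandatory for multi-server installations
        TcpPort         = $ipAll.TcpPort             # static listening port; 1433 is the SQL default
        TcpDynamicPorts = $ipAll.TcpDynamicPorts     # non-empty means a dynamic port is in use
    }
}

$cfg = Get-NweSqlNetworkConfig -InstanceName 'MSSQLSERVER'
$cfg | Format-List
if (-not $cfg.TcpEnabled)      { Write-Warning 'TCP/IP is disabled: enable it in SQL Server Configuration Manager (step 4).' }
if (-not $cfg.ForceEncryption) { Write-Warning 'Force Encryption is off: required before a multi-server installation.' }
if (-not $cfg.TcpPort)         { Write-Warning 'No static TCP port is set; the firewall rule for the ConsoleServer needs a fixed port.' }

# Registry changes made through Configuration Manager take effect only after the
# instance restarts (step 9). Service name is MSSQLSERVER for the default instance,
# MSSQL$<name> for a named instance:
# Restart-Service -Name $(if ($cfg.Instance -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$($cfg.Instance)" })
```

Reading the values rather than writing them keeps the script safe to run repeatedly as a compliance check; the actual changes are still made in Configuration Manager as the procedure describes, so that the SQL Server tooling validates them.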
2. If presented with a login window, log on with Windows authentication by clicking Connect.
Note: You may be asked if you want to save the query to a file, which you may do,
although it is not necessary. For more information, go to: http://msdn.microsoft.com/en-
us/library/ms131048.aspx
Note: The NetWitness Endpoint Primary Server depends on the Microsoft Visual Studio
2015, 2012, and 2010 runtimes. However, the installer will automatically install these if they
are not found on the target machine.
ConsoleServer Arguments
While installing the NetWitness Endpoint Primary ConsoleServer, you may have to run various
commands from the command line. By running the help command, you get the supported
arguments for the ConsoleServer.
From the command line, execute the command ConsoleServer -help
For example:
    C:\ECAT\Server>consoleserver -help
    The supported arguments are:
    /help
        Shows this help message
    /logerr[:Output file path]
        Use this argument to optionally redirect the error output to a
        different file. Specify 'none' as path to disable logging.
    /cid
        Displays the license agreement and license computer ID. (CID)
    /install
        Installs ECAT Server as a service. Cannot be used with other
        arguments.
    /uninstall
        Removes RSAECATServer service.
Procedure
To install a Primary ConsoleServer:
Note: If you attempt to do a new install of a version of NetWitness Endpoint that only supports
update installations, a message will display and you will not be able to continue. Refer to the
associated NetWitness Endpoint Release Notes for supported installation and upgrade paths.
3. A prerequisite for NetWitness Endpoint includes the Microsoft .NET Framework 4.6.1. If
this is not already installed, the following screen will display (if Microsoft .NET Framework
4.6.1 is already installed, the RSA NetWitness Endpoint Welcome dialog is displayed, as
shown in Step 8):
4. Click Yes to continue (if you click No, the installer quits and you will not be able to
complete any further installation).
The following dialog is displayed:
Note: If the machine on which you are installing NetWitness Endpoint has not been kept
current with Windows updates, a message may display indicating that the installation of
Microsoft .NET 4.6.1 is blocked pending the prerequisite installation of the Windows update
corresponding to KB2919355. You must update the machine before you can proceed with the
Microsoft .NET 4.6.1 installation. For more information, see:
https://support.microsoft.com/en-us/kb/2919355
https://msdn.microsoft.com/en-us/library/hh925569%28v=vs.110%29.aspx
5. Click OK to continue.
The Microsoft .NET Framework 4.6.1 Setup dialog is displayed:
6. Select the checkbox to indicate you accept the license terms and then click Install.
The following dialog is displayed to indicate the installation progress:
7. Once the installation is complete the installer dialog will close and you will have to reboot
the machine.
8. Re-launch the NetWitness Endpoint installer executable file as instructed above in Step 2.
The RSA NetWitness Endpoint installer Welcome dialog is displayed.
10. You must accept the terms of the license agreement to proceed. Click Next.
The Select Destination Location dialog is displayed, as shown below:
11. Select the destination location for the installation files. A default location is provided, or you
can click Browse... to select a different location. All components will be installed in the
selected location, with subfolders for UI, Server, and Agent.
Note: If you have installed previous versions of NetWitness Endpoint you may notice that the
default location has changed from C:\ECAT to C:\Program Files\RSA\ECAT. Although it
is still possible to install NetWitness Endpoint in C:\ECAT, it is now recommended to install
in C:\Program Files\RSA\ECAT.
12. Once you have selected the desired destination location for the installation files, click Next.
The Select Components dialog is displayed, as shown below:
13. Select the installation type and components you wish to install from the following options in
the drop-down list:
    • Full installation: installs the NetWitness Endpoint UI, NetWitness Endpoint Server, and
    NetWitness Endpoint Agent Packager
    • Custom installation: installs the components selected by clicking the checkboxes next to
    the desired item below the drop-down (For example, to install just the NetWitness
    Endpoint Primary Server, select Custom installation and check the box next to NWE
    Server.)
Note: At this stage, the installation of the NetWitness Endpoint UI is optional. Its
absence will not prevent the Primary ConsoleServer from working properly.
Note: Each of the components selected to install will create a separate folder under the
installation destination folder previously selected in Step 11. For example, if using the
default installation destination folder, the NetWitness Endpoint UI will be installed
to: C:\Program Files\RSA\ECAT\UI.
    • If you have a license file, select License file available and click Next.
    • If you do not have a license file, select Do not have a license file. You will then need to
    agree to a License Agreement to continue. Click I Agree on the License Agreement
    dialog shown below:
This will generate a Computer ID, which you should write down.
Click Exit to quit installation. You must now generate a license file. Instructions for
downloading your license should have been sent via email to the contact listed on the
order (if you did not receive the email, contact RSA Customer Support). For further step-
by-step instructions on generating your license file, go to RSA Download Central. Once
you have your license file you will have to re-launch the NetWitness
Endpoint installation.
Note: If you lose your Computer ID (CID), you can retrieve it by running the following
ConsoleServer command from the command line. This command displays the license
agreement and CID:
ConsoleServer /cid
19. Enter the SQL Server you are using for NetWitness Endpoint. You can use the default entry
for SQL Database Name or enter a new name of your choosing. You can leave the default
value for SQL Server Port, enter 0, or leave it blank.
(If a port number other than the default value is detected, a message is displayed to indicate
that SQL Server is running on port 1443, and you must click OK to continue.)
    • Select SQL Server Credential and click Next. The following dialog is displayed:
Enter the necessary SQL Server authentication username and password and click Next.
The NetWitness Endpoint installer will now test the database access for the SQL Server,
SQL Database Name, and SQL Server Port. If access is successful, you will proceed to
the next step. If the installer cannot reach the SQL Server the following message is
displayed:
Click OK. The SQL Server Authentication dialog displays and you can re-enter the SQL
Server credentials or click Back to return to the SQL Server Authentication dialog if you
wish to change your authentication method. You must resolve the authentication before
proceeding to the next step.
Note: If SQL Server is installed on a remote machine and cannot be reached, you may
need to manually create a firewall rule on the remote SQL Server to allow
communication on TCP port 1433.
22. The NWE Server and NWE Agents Certificates dialog is displayed, as shown below:
    • If you already have NetWitness Endpoint certificates, you can select Use Existing NWE
    Certificates and click Next.
    If no NetWitness Endpoint certificates are found, the following message is displayed:
    Click OK to accept each certificate. The ECAT Server Directories dialog will be
    displayed, as shown below in Step 20.
    • If you do not have certificates, you can select Generate New NWE Certificates and
    click Next.
    If existing certificates are found, the following message is displayed:
Click No to return to the previous dialog. If you click Yes, the following message is
displayed:
Caution: Deleting existing NetWitness Endpoint certificates cannot be undone and may
negatively impact your communication between the NetWitness Endpoint Server and
already deployed NetWitness Endpoint agents. It is strongly advised that you first
manually export existing NetWitness Endpoint certificates before they are deleted.
After clicking OK, the certificates are not deleted immediately but rather at the time of
actual installation.
24. If you previously selected to generate new certificates, the Exported NWE Certificates
Password dialog is displayed, as shown below:
You must create a password for the new certificates, which will be exported into the
NetWitness Endpoint Server cert directory (default location = C:\Program
Files\RSA\ECAT\Server\Cert). You should record this password in a secure location for
future reference.
Click Next.
25. On the NWE Server Directories dialog, shown below, you must enter the desired directories
for scan files and downloaded files.
26. A default location is provided for the Scan Files Path, but you can click Browse… to select
a different location for storing agent scan files.
Note: If the NetWitness Endpoint Server is on a different machine than the SQL
database, you must create a shared folder on the SQL database server. There are
different methods of providing access to the database. For more information, see Scan
Data Folder.
Note: The default location is the same as previous NetWitness Endpoint installations to
maintain backward compatibility. Also, it is not advisable to store files in C:\Program
Files\RSA\ECAT\Server.
27. A default location is provided for the Downloaded Files Path, but you can click Browse…
to select a different location for storing downloaded files.
Note: The default location is the same as previous NetWitness Endpoint installations to
maintain backward compatibility. Also, it is not advisable to store files in C:\Program
Files\RSA\ECAT\Server.
29. Provide a unique name for the Primary ConsoleServer. (The Installer will provide a default
suggestion, but you may change it.)
Note: Your IP address will be provided automatically for Server Hostname or IP. If you
enter a Server Hostname instead, it must be a fully qualified DNS name for the Machine
Containment function to work properly. If you enter a partial DNS name, agent machines
will go offline and a manual agent uninstall and reinstall will be required.
31. The following default port numbers, which are used internally by NetWitness Endpoint for
communication between its various components, are provided, but can be changed:
    • NWE Server HTTPS Port: 443
    • NWE Server UDP Beacon Port: 444
    • NWE API Server REST Interface Port: 9443
33. On the NWE Server Miscellaneous Configuration Options dialog, shown below, you can
select additional configuration options.
- Run As Service: Enable this option if you want the NetWitness Endpoint Server to run as a
service. Selecting this option also installs the Endpoint Meta Integrator as a service (for
more information, see "NetWitness Suite Endpoint Meta Integration" in the NetWitness
Endpoint User Guide).
- Create Firewall rules for NWE Agent and NWE Server communication: Select this option if
the Windows Firewall is active on the server. It creates the inbound rules that allow the
NetWitness Endpoint Agents to reach the NetWitness Endpoint Server on the ports listed in
step 31.
- Create Firewall rules for NWE API Server (Primary Server Only): Creates the inbound rule for
the NWE API Server REST Interface port. This option is grayed out when installing a
NetWitness Endpoint Secondary Server.
- Create Firewall rules for SQL Server (Local Only): Select this option if the Windows Firewall
is active and SQL Server runs on this machine. It creates the rule that allows the NetWitness
Endpoint Server to reach SQL Server. This option is grayed out if SQL Server runs on a remote
machine, because the rule must then be created on the SQL Server host instead.
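The installer's firewall options create broad allow rules. The following PowerShell, added here as an example and not part of the RSA installer or guide, creates the equivalent inbound rules by hand but restricts each one to the sources that need it, and then reads the rules back so the scope can be checked. The ports are the defaults from step 31 plus SQL Server's TCP 1433; the agent subnet, API client subnet and ConsoleServer address are placeholders to replace with your own. The SQL rule is only meaningful on the machine that hosts SQL Server; if SQL Server is remote, run that part there.

```powershell
# Added example (not from the RSA guide): scoped inbound firewall rules for a NetWitness
# Endpoint server. Placeholders: replace the subnets and addresses below with your own.

$AgentSubnets     = @('10.0.0.0/8')      # where NWE agents connect from (placeholder)
$ApiClients       = @('10.1.0.0/16')     # analyst workstations / NetWitness Suite hosts (placeholder)
$ConsoleServerIPs = @('10.1.2.3')        # ConsoleServer(s) allowed to reach a local SQL Server (placeholder)

$rules = @(
    @{ Name = 'NWE Server HTTPS (agents)';      Protocol = 'TCP'; Port = 443;  Remote = $AgentSubnets }
    @{ Name = 'NWE Server UDP beacon (agents)'; Protocol = 'UDP'; Port = 444;  Remote = $AgentSubnets }
    @{ Name = 'NWE API Server REST';            Protocol = 'TCP'; Port = 9443; Remote = $ApiClients }
    @{ Name = 'SQL Server for NWE (local SQL)'; Protocol = 'TCP'; Port = 1433; Remote = $ConsoleServerIPs }
)

function New-NweFirewallRules {
    param([hashtable[]]$Definitions)
    foreach ($r in $Definitions) {
        # Idempotent: drop any earlier copy of the rule before creating it again.
        Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $r.Remote | Out-Null
    }
}

function Test-NweFirewallRules {
    # Read each rule back: protocol/port and remote scope, so an over-broad rule is visible.
    param([hashtable[]]$Definitions)
    foreach ($r in $Definitions) {
        $rule = Get-NetFirewallRule -DisplayName $r.Name
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule    = $r.Name
            Enabled = $rule.Enabled
            Port    = "$($port.Protocol)/$($port.LocalPort)"
            Remote  = ($addr.RemoteAddress -join ',')
        }
    }
}

New-NweFirewallRules -Definitions $rules
Test-NweFirewallRules -Definitions $rules | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the server. A Remote column showing "Any" for one of the rules means the scope was lost and the rule is as open as the installer's default.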
36. Enter a username and password to allow the NetWitness Endpoint Server, which will be
running as a service, to log on to the machine on which the NetWitness Endpoint Server is
installed. The current Domain and Username are automatically entered by default.
Note: Enter a username in the form DOMAIN\username, and its password. You may
use either SQL Server credentials or your Windows authentication. If you use Windows
authentication, you must choose an account that has administration privileges on the
local machine. The entered credentials and database rights will be validated when you
click Next.
38. Select to enable the Launch NWE Server Service Output option if you want this action
performed during Setup.
40. You should review all of the options you selected in the previous steps, which are displayed
in this dialog. If you wish to change any options you may do so by clicking <Back to go back
through the previous dialogs.
41. Click Install to proceed with installing the NetWitness Endpoint Server. The Installing
dialog is displayed.
42. At this point the installer performs the following functions according to selected options:
- Creates the SQL database, the configuration files for the NetWitness Endpoint Server and
API Server, the services, and the firewall rules
- Copies files
Note: The installation will take some time. Please wait while the process is completed, or
click Cancel to cancel the installation.
43. When the installation process is complete, the final installer dialog is displayed.
Note: If you selected to run the NetWitness Endpoint Primary Server as a service, you should
set the service to restart automatically following a failure, using the server properties dialog.
Note: If you are also using RSA NetWitness Suite 11.0 or later and wish to use the
NetWitness Endpoint Meta Service to integrate data from NetWitness Endpoint agents with
the NetWitness Suite Log Decoder, you must also install Java JRE version 8 update 131 or
later (only Java JRE version 8 and its updates are supported, Java JRE versions 9 or later are
not supported). For more information on Java JRE, go to
http://www.oracle.com/technetwork/java/index.html. For more information about the Meta
Service integration, see "NetWitness Suite Endpoint Meta Integration" in the NetWitness
Endpoint User Guide.
Note: Losing the Private Keys for the certificates would break the secure connection between
the Agents and the ConsoleServer. Hence, you must make sure to back up the Private Keys in
a secure place from which they can be restored during a fresh Windows install in the event of
a material failure of the server.
Once a primary server is installed, it is highly recommended to export its encryption certificates
to a file, for use on other machines, or on the same machine if they were deleted by mistake
from the certificate location. You will also need to perform this step if (1) the NetWitness
Endpoint ConsoleServer is to be run from a different location, or (2) you wish to generate
packages on a different machine than the one they were created on, or (3) you are planning a
multi-server deployment.
1. Run mmc from a command line. This opens the Microsoft Windows management console.
3. From the list of available snap-ins, select Certificates and click Add.
7. You should now be able to see the generated certificates under Certificates (Local
Computer) > Personal > Certificates.
8. Select all the NetWitness Endpoint certificates, right-click, and select All Tasks > Export.
9. Click Next.
10. Select Yes, export the private key and click Next.
11. Select Personal Information Exchange and Export all extended properties and click
Next.
12. Enter a Password for the certificate encryption and click Next.
Note: This password will be required later to import the certificates on the other
machine.
13. After File name, enter the path name for the exported certificates file. You may click
Browse… to browse to an appropriate location. Click Save when done.
2. Run mmc from a command line. This opens the Microsoft Windows management console.
4. From the list of available snap-ins, select Certificates and click Add.
8. Right-click on Certificates (Local Computer) > Personal > Certificates and select All
Tasks > Import.
9. Click Next.
11. When importing the .pfx file, select Personal Information Exchange (.PFX,.P12) as the
file format, select the file, and click Open.
13. Enter the password, if any, that you used when exporting the certificates. The option Mark
this key as exportable must be selected.
15. Leave the certificate store selection to the default settings, and click Next.
17. Verify successful import into the personal certificate store by returning to mmc and selecting
Certificates (Local Computer) > Personal > Certificates. You should see the NetWitness
Endpoint certificates in the center pane.
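The export procedure (steps 1 to 13 above) and the import procedure (steps 2 to 17 above) can also be done from PowerShell, which is easier to repeat for a scheduled backup or a multi-server deployment. The script below is an added example, not part of the RSA guide or product. It assumes the NetWitness Endpoint certificates are in the Local Computer Personal store (Cert:\LocalMachine\My) and that their friendly names start with "Nwe" (the packager defaults are NweServerCertificate and NweAgentCertificate); the output path is a placeholder. Export fails if a private key is not marked exportable, which is the same condition the mmc wizard enforces.

```powershell
# Added example (not from the RSA guide): export the NWE certificates with their private keys
# into one password-protected PKCS#12 file, and import that file on another machine.
# Assumptions: store Cert:\LocalMachine\My, friendly names starting with "Nwe", placeholder path.

param(
    [string]$PfxPath = 'D:\nwe-backup\nwe-certs.pfx',   # placeholder
    [string]$FriendlyNamePrefix = 'Nwe'
)

function Export-NweCertificates {
    param([string]$Path, [string]$Prefix, [securestring]$Password)
    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.FriendlyName -like "$Prefix*" })
    if ($certs.Count -eq 0) { throw "No certificates with friendly name '$Prefix*' and a private key found" }

    # One PKCS#12 bundle holding every matching certificate and key, like "Export all" in mmc.
    $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    foreach ($c in $certs) { [void]$collection.Add($c) }
    $plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
    $bytes = $collection.Export(
        [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $plain)
    [System.IO.File]::WriteAllBytes($Path, $bytes)

    # The file now contains the keys that secure every agent connection: administrators only.
    icacls $Path /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null
    return $certs.Count
}

function Import-NweCertificates {
    param([string]$Path, [securestring]$Password)
    # -Exportable is the "Mark this key as exportable" checkbox of the wizard; without it the
    # certificates cannot be exported again from this machine later.
    Import-PfxCertificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\My `
        -Password $Password -Exportable
}

$pw = Read-Host -AsSecureString -Prompt 'PFX password'
$count = Export-NweCertificates -Path $PfxPath -Prefix $FriendlyNamePrefix -Password $pw
Write-Host "Exported $count certificate(s) to $PfxPath"

# On the target machine, with the same password, then verify as in step 17:
# Import-NweCertificates -Path $PfxPath -Password $pw |
#     Format-Table Subject, Thumbprint, HasPrivateKey -AutoSize
```

Keep the PFX and its password apart (the password is the only protection once the file leaves the server), and check that every imported certificate shows HasPrivateKey as True; a certificate imported without its key will not let the ConsoleServer or the packager use it.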
Note: Please consult your local RSA Account Team if considering an installation that includes
Secondary servers.
The purpose of having a Secondary server is to offload the SQL Database from some of its
work. Each instance of ConsoleServer needs to have access to a separate instance of SQL
Server, which must also be on a separate machine. At the moment, Secondary servers cannot be
used for the sole purpose of segmenting the NetWitness Endpoint network, as all agents will
need the capability to report to the Primary Server.
Note: For a multi-server environment, there must be a shared network downloads folder for
files uploaded by agents.
The process for installing a Secondary server is very similar to installing the NetWitness
Endpoint Primary server. To install a Secondary server:
1. If not already done, unzip the archive file:
rsa_nwe_<4.4.x.x>_sw.zip
3. A prerequisite for NetWitness Endpoint includes the Microsoft .NET Framework 4.6.1. If
this is not already installed, the following screen will display (if Microsoft .NET Framework
4.6.1 is already installed, the Installation Wizard is displayed):
4. Refer to steps 4-8 in the topic Step 3: Install Primary ConsoleServer to complete installation of
Microsoft .NET Framework.
6. Select the destination location for the installation files. A default location is provided, or you
can click Browse... to select a different location.
7. Click Next.
The Select Components dialog is displayed.
8. Select Custom installation from the drop-down list and then click the checkbox next to
NWE Server.
Note: Because this is a Secondary server, do not select the NetWitness Endpoint UI. It is
recommended that the NetWitness Endpoint UI connect only to the Primary Server.
9. Click Next.
The NWE Server Type dialog is displayed.
10. Select Secondary NWE Server for server type and click Next.
The SQL Server dialog is displayed.
11. Enter the SQL Server you are using for NetWitness Endpoint. The settings are the same as
for the NetWitness Endpoint Primary Server, except the Database Name. You can use the
default name or enter a different Database Name of your choosing.
Note: If SQL Server is installed on a remote machine and cannot be reached, you may
need to manually create a firewall rule on the remote SQL Server to allow
communication on TCP port 1433.
13. On the NWE Server and NWE Agents Certificates dialog, select the option Use Existing
NWE Certificates.
Note: You must have previously imported the NetWitness Endpoint Primary ConsoleServer
certificate to the Secondary server.
Note: The Downloaded Files Path must match the directory selected for the NetWitness
Endpoint Primary Server. Also, the Scan Files Path should be local to the secondary database.
15. Click Next. The NWE Secondary Server Name dialog is displayed.
Note: Your IP address will be provided automatically for Server Hostname or IP. If
you enter a Server Hostname instead, it must be a fully qualified DNS name for the
Machine Containment function to work properly. If you enter a partial DNS name,
agent machines will go offline and a manual agent uninstall and reinstall will be
required.
17. Create a password that will be used to synchronize databases between different servers.
Note: You need to remember the ECATSYNC password for Secondary server
commissioning from the NetWitness Endpoint UI, as detailed in the topic Step 7:
Configure Multi-Server Through NetWitness Endpoint UI.
19. Enter the following port numbers, which are used internally by NetWitness Endpoint for
communication between its various components:
o NWE Server HTTPS port: 443
o NWE Server UDP Beacon port: 444
Note: Port availability will be verified and an error message will display if the
specified ports are invalid or already used.
- Run As Service: Enable this option if you want the NetWitness Endpoint server to run as
a service. Selecting this option also installs the Endpoint Meta Integrator as a service (for
more information, see "NetWitness Suite Endpoint Meta Integration" in the NetWitness
Endpoint User Guide).
- Create Firewall rules for NWE agent and NWE server communication: This option is
necessary if you have an active firewall, as you will need firewall rules that allow
communication between the NetWitness Endpoint server and the NetWitness Endpoint
agents through the firewall.
- Create Firewall rules for SQL Server: This option may be necessary if you have an active
firewall, as you may also need a firewall rule that allows communication between the
NetWitness Endpoint server and SQL Server. It is of no use if SQL Server runs on a remote
machine; in that case the rule has to be created on the SQL Server host (see the note on
TCP port 1433 above).
- If you selected the Run As Service option on the previous dialog, the Windows Service
Configuration dialog is displayed.
Enter a domain\username and password to allow the NetWitness Endpoint server, which
will be running as a service, to log on to the machine on which the NetWitness Endpoint
server is installed. (You may use either SQL Server credentials or your Windows
authentication. If you use Windows authentication, it is recommended that you choose an
account that has administration privileges on the local machine, to ensure smooth
operation of the server.)
Click Next.
- If you previously selected the Run As Service option, the Select Additional Tasks dialog
is displayed.
Click to enable the Launch NWE Server Service Output option if you want this action
performed during Setup.
Click Next.
24. You should review all of the options you selected in the previous steps, which are displayed
in this dialog. If you wish to change any options you may do so by clicking <Back to go back
through the previous dialogs.
Note: The installation will take some time. Please wait while the process is completed, or
click Cancel to cancel the installation.
Note: If you selected to run the NetWitness Endpoint Secondary Server as a service, you
should set the service to restart automatically following a failure, using the server
properties dialog.
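The two notes above (after the Primary server installation and here after the Secondary server installation) ask for the service recovery options to be set through the service properties dialog. The PowerShell below, added as an example and not part of the RSA guide, does the same from the command line so it can be applied identically to every server. It looks the service up by display name; the pattern '*NetWitness Endpoint*' is an assumption, so pass the real service name if it differs.

```powershell
# Added example (not from the RSA guide): restart the NWE server service automatically after a
# failure and make sure it starts with the machine. Display-name pattern is an assumption.

function Set-NweServiceRecovery {
    param(
        [string]$DisplayNamePattern = '*NetWitness Endpoint*',   # assumption; adjust to your service
        [int]$RestartDelaySeconds = 60,
        [int]$ResetAfterSeconds   = 86400                        # reset the failure count after a day
    )
    $services = @(Get-Service | Where-Object { $_.DisplayName -like $DisplayNamePattern })
    if ($services.Count -eq 0) { throw "No service matches '$DisplayNamePattern'" }

    foreach ($svc in $services) {
        $ms = $RestartDelaySeconds * 1000
        # sc.exe sets failure actions without the GUI. The space after each '=' is required by
        # its parser. Three restarts, then stop trying until the reset window expires.
        & sc.exe failure "$($svc.Name)" reset= $ResetAfterSeconds actions= "restart/$ms/restart/$ms/restart/$ms" | Out-Null
        # Also treat a stop with a non-zero exit code as a failure, not only a crash.
        & sc.exe failureflag "$($svc.Name)" 1 | Out-Null
        Set-Service -Name $svc.Name -StartupType Automatic

        [pscustomobject]@{
            Service  = $svc.Name
            Startup  = (Get-Service -Name $svc.Name).StartType
            Recovery = ((& sc.exe qfailure "$($svc.Name)") -join ' ') -replace '\s+', ' '
        }
    }
}

Set-NweServiceRecovery | Format-List
```

Remember the Caution later in this topic: on a newly installed Secondary server, the Primary server must be running before the Secondary service is started for the first time, so an automatic restart of the Secondary alone does not cover that first start.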
Note: The Roaming Agents Relay (RAR) is a separate component that provides visibility to
endpoints that are disconnected from a corporate network. RAR can be deployed as a cloud
service. For information about installing and configuring RAR, see the topic Step 14: (Optional)
Deploy Roaming Agents Relay.
Note: This does not install the server, which has presumably already been installed.
a. Database server name (the name of the machine hosting the database for the secondary
server).
d. The database port: The option to use the default port (TCP 1433) is automatically
selected. To use a different port, uncheck Use default and enter the custom port that the
SQL Server is running on.
e. Enter the password for the NetWitness Endpoint synchronization account that you set
earlier.
6. Click Next. You will be prompted to commit to the secondary server information.
Note: If the message "Named Pipes Provider: Could not open a connection to SQL Server
[1326]" is displayed while commissioning a secondary server, there may be a connectivity
problem between the Primary and secondary SQL Server. In the case of a remote SQL Server
installation, firewall rules may have to be created manually on both the Primary and the
secondary SQL Server to allow communication on TCP port 1433. (For a local SQL Server,
the rules should already have been created if you checked the "Create firewall rules ..."
option during Primary and secondary server installation, as described in the topics Step 3:
Install Primary ConsoleServer, procedure step 22, and Step 6: (Optional) Install Secondary Server,
procedure step 17.)
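Error 1326 names the Named Pipes provider, but the underlying cause is usually DNS, the firewall, or the login rather than named pipes itself. The PowerShell function below, an added example and not part of the RSA guide or product, checks the path from one server to the other's SQL Server in three stages (name resolution, TCP reachability on the SQL port, and a real login over TCP) so the failing stage is visible before commissioning. Run it on the Primary server against the secondary's SQL host, then on the secondary against the Primary's SQL host. The host names and port are placeholders; Integrated Security is assumed, so run it as the account the ConsoleServer service uses.

```powershell
# Added example (not from the RSA guide): locate where the Primary <-> secondary SQL path breaks.
# Placeholders: 'nwe-sql-secondary' / 'nwe-sql-primary', port 1433, Windows authentication.

function Test-NweSqlPath {
    param(
        [Parameter(Mandatory)][string]$SqlHost,
        [int]$Port = 1433,
        [string]$Database = 'master'
    )
    $result = [ordered]@{ Host = $SqlHost; Port = $Port }

    # 1. Name resolution: a partial or wrong DNS name fails here, not at SQL Server.
    try {
        $result.ResolvedTo = ([System.Net.Dns]::GetHostAddresses($SqlHost) |
            Select-Object -First 1).IPAddressToString
    } catch {
        $result.ResolvedTo = "DNS failure: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 2. TCP reachability: a firewall drop on 1433 shows as TcpOpen = False.
    $tcp = Test-NetConnection -ComputerName $SqlHost -Port $Port -WarningAction SilentlyContinue
    $result.TcpOpen = $tcp.TcpTestSucceeded
    if (-not $tcp.TcpTestSucceeded) { return [pscustomobject]$result }

    # 3. A real login. The "tcp:" prefix forces the TCP provider, so a failure here is about the
    #    login or the instance and cannot be a Named Pipes problem.
    $cs = "Server=tcp:$SqlHost,$Port;Database=$Database;Integrated Security=True;Connect Timeout=5"
    $conn = New-Object System.Data.SqlClient.SqlConnection($cs)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT @@SERVERNAME, SUSER_SNAME()'
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        $result.SqlServerName = $reader.GetString(0)
        $result.LoginAs       = $reader.GetString(1)
        $result.SqlLogin      = $true
    } catch {
        $result.SqlLogin = $false
        $result.SqlError = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]$result
}

# On the Primary server:
Test-NweSqlPath -SqlHost 'nwe-sql-secondary' | Format-List
# On the secondary server:
# Test-NweSqlPath -SqlHost 'nwe-sql-primary' | Format-List
```

If TcpOpen is False, fix the firewall rule on the SQL host (TCP 1433 inbound from the other server's address) and nothing else; if TcpOpen is True but SqlLogin is False, the problem is the login or the server name, and no firewall change will help.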
9. Your secondary server should now appear in the list of servers in the NetWitness Endpoint
UI.
Caution: After completing the installation process for a secondary server, you must first start
the Primary Server before starting the new secondary server, for the first time only.
Otherwise, an error message is displayed when you try to start the new secondary server.
- Red messages indicate errors, although some of them may not be critical.
Note: Metascan can be installed on the same machine where the NetWitness Endpoint
ConsoleServer is running, or on another server on the LAN. For performance reasons,
however, it is highly recommended to install Metascan on a different machine as it requires at
least 10 GB of free space (but you should verify current requirements with OPSWAT
Metascan).
Note: While installing Metascan, Windows might ask for several authorizations, especially
when installing the antivirus engines. Make sure to allow all of them (some drivers cannot be
verified by Windows).
4. On the Custom Setup dialog, you can either keep the default settings or make changes.
5. Click Install on the Ready to install Metascan dialog and wait until the Completed the
Metascan... dialog is displayed. This may take some time.
6. Click Finish and wait until the Metascan Install/Uninstall Complete dialog is displayed.
7. Click Close.
Metascan is now installed.
Note: Do not forget to start the service. ConsoleServer will not start if it is configured to
work with Metascan locally, but Metascan itself is not started.
10. To complete the set up process for Metascan, you will need to enter configuration
information through the NetWitness Endpoint UI. For more information, see "Monitoring and
External Components" in the RSA NetWitness Endpoint User Guide.
Note: YARA should be installed on the same machine where the NetWitness Endpoint
ConsoleServer is running.
To install YARA:
1. Save the main executable and your rules file into a folder relative to ConsoleServer.exe.
2. Enter configuration information in the Monitoring and External Components dialog in the
NetWitness Endpoint UI. For more information, see Monitoring and External Components
in the RSA NetWitness Endpoint User Guide.
The YARA user’s manual and executable file can be downloaded from:
http://code.google.com/p/yara-project/downloads/list
Note: When YARA is enabled, the NetWitness Endpoint ConsoleServer will show the rules
file(s) (“YR”) being used.
Note: Make sure that you generate the installer on a machine where the proper certificates
are installed (ones that match the certificates from ConsoleServer).
Caution: Never, under any circumstances, change the NetWitness Endpoint Service
Name after any agents have been deployed. The default Service Name can only be
changed before deploying agents.
ECAT Files
Result File: The name of the agent installer file. This can be copied to a new client machine
and executed to install the agent. For Windows, this will normally be a .exe file.
Base Configuration
ECAT Service Name: The name of the agent in the services list. For Windows agents only. The
default name, EcatService, can be changed to something specific for your environment.
Caution: Never, under any circumstances, change the NetWitness Endpoint Service Name
after any agents have been deployed.
Primary Hostname: The static IP or the domain name of the NetWitness Endpoint Primary
Server.
Auto-Uninstall Date: The date and time the NetWitness Endpoint agent automatically
uninstalls. It can be left blank if not required.
Force Overwrite: An option to overwrite the installed agent, regardless of the version. For
Windows agents only. If this option is not selected, the same NetWitness Endpoint installer
can be run multiple times on a system, but will install the agent only once.
Security
Client Certificate: Select the client certificate generated when the NetWitness Endpoint
Server was configured. The default name is NweAgentCertificate. The client public
certificate is bundled in the generated package and is the same for each installed client.
Server Certificate: Select the server certificate generated when the NetWitness Endpoint
Server was configured. The default name is NweServerCertificate.
NWE Service
NWE Driver
Service Name: The name of the driver in the services list. The default name,
EcatServiceDriver, should be changed to something specific to your environment. Use
caution if you change the name after deployment, as it might affect upgrades of the remote
system.
Proxy
Server(s): The proxy server list contains one or more of the following strings separated by
semicolons:
[<protocol>=]<server>[":"<port>]
This field can be left empty if not required.
Exception(s): The proxy exception list contains one or more of the following strings
separated by semicolons:
<server>
This field can be left empty if not required.
Certificate Validation: Choose one of the options from the drop-down to determine how the
agent will validate the NetWitness Endpoint Server certificate:
- Thumbprint (default selection)
- Full chain
- None
Note: By default, this setting will match the Agent Certificate Validation option selected in
the Server Configuration panel of the NetWitness Endpoint UI, but it may be changed if
desired. For more information, see the topic Server Configuration Window in the RSA
NetWitness Endpoint User Guide.
Settings
Monitoring Mode: An option to control the activation of the behavior tracking component.
For Windows agents only.
- No Monitoring
- Network Monitoring Only
- Full Monitoring: This is the default option and must be selected for behavior tracking and
to use the Blocking System or Containment feature.
- Full Monitoring, Except Network
For more information on Monitoring Mode options, see the topic "Tracking Systems" in the
RSA NetWitness Endpoint User Guide.
Force disable WFP switch: Agents running on Windows Vista or newer Windows operating
systems automatically switch to the more advanced WFP mode of network monitoring. You
can disable this auto-switch behavior by clicking the checkbox for this option before creating
the agent package, which will make agents on all Windows operating systems work in the
legacy TDI mode of network monitoring.
Beacon interval(s): The rate at which the client notifies the server of its status (in seconds).
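A malformed entry in the Proxy Server(s) or Exception(s) field is baked into every agent package generated from it, so it is worth validating the strings before clicking Generate Agent. The PowerShell below is an added example (not part of the RSA packager or guide): it parses the two semicolon-separated formats described above and shows which entry, if any, would apply to a given destination. Two points are assumptions beyond what the table states: the optional protocol keyword is taken to be a plain word such as http or https, and an exception entry is allowed to start with a "*." wildcard. The sample values are constructed.

```powershell
# Added example (not from the RSA guide): parse and validate the packager proxy fields.
# Assumptions: protocol keyword is a plain word; exceptions may use a leading "*." wildcard.

function ConvertFrom-NweProxyList {
    param([string]$ProxyList)
    $entries = $ProxyList -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        # [<protocol>=]<server>[":"<port>]
        if ($entry -notmatch '^(?:(?<proto>[A-Za-z][A-Za-z0-9]*)=)?(?<server>[A-Za-z0-9][A-Za-z0-9.\-]*)(?::(?<port>\d{1,5}))?$') {
            throw "Malformed proxy entry '$entry'"
        }
        $port = $null
        if ($Matches['port']) {
            $port = [int]$Matches['port']
            if ($port -lt 1 -or $port -gt 65535) { throw "Port out of range in '$entry'" }
        }
        [pscustomobject]@{
            Protocol = if ($Matches['proto']) { $Matches['proto'].ToLower() } else { 'any' }
            Server   = $Matches['server']
            Port     = $port
        }
    }
}

function ConvertFrom-NweProxyExceptions {
    param([string]$ExceptionList)
    $ExceptionList -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ } | ForEach-Object {
        # <server>, optionally "*.domain" (assumed wildcard form)
        if ($_ -notmatch '^(\*\.)?[A-Za-z0-9][A-Za-z0-9.\-]*$') { throw "Malformed exception entry '$_'" }
        $_
    }
}

function Resolve-NweProxyFor {
    # Which proxy entry (if any) applies to a connection to $TargetHost using $Protocol.
    param([string]$ProxyList, [string]$ExceptionList, [string]$TargetHost, [string]$Protocol = 'https')
    foreach ($ex in @(ConvertFrom-NweProxyExceptions $ExceptionList)) {
        if ($TargetHost -like $ex) { return $null }      # listed exception: go direct
    }
    $proxies = @(ConvertFrom-NweProxyList $ProxyList)
    $match = $proxies | Where-Object { $_.Protocol -eq $Protocol.ToLower() } | Select-Object -First 1
    if (-not $match) { $match = $proxies | Where-Object { $_.Protocol -eq 'any' } | Select-Object -First 1 }
    return $match
}

# Constructed sample values, as they would be typed into the packager fields.
$servers    = 'http=proxy.corp.example:8080;https=secure-proxy.corp.example:8443'
$exceptions = 'nwe-console.corp.example;*.corp.example'

ConvertFrom-NweProxyList $servers | Format-Table -AutoSize
Resolve-NweProxyFor -ProxyList $servers -ExceptionList $exceptions -TargetHost 'nwe-console.corp.example'  # direct
Resolve-NweProxyFor -ProxyList $servers -ExceptionList $exceptions -TargetHost 'relay.example.net'         # https proxy
```

The check that matters most is the last call: the ConsoleServer's own name should normally resolve to "direct" (it is on the exception list) while a Roaming Agents Relay on the Internet resolves to the https proxy, because an agent that is forced through an internal proxy to reach its own ConsoleServer will go offline as soon as that proxy is unreachable.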
4. To verify that the configuration parameters are valid, and to test the network connection to
all enabled servers before deployment, click Test Connection, and ensure it reports OK for
all of its tests.
5. To generate the agent install file, click Generate Agent, depending on the target agent
platform.
The Agent executable is now ready to be deployed on a computer with the deployment
method of your choice.
Note: To update the agent of the same version, select the Force Overwrite
option in the NetWitness Endpoint Packager (see step 2 above).
Note: If the installation process fails for any reason and the connection to the server is
available, the installer will send an error log to the server.
For all agent status icons, see the topic "Agent Status Icons" in the NetWitness Endpoint User
Guide.
The agent can be deployed by any of the following methods:
l Option 1 (Preferred): Manually running the agent installer (administrator rights are
required) on the client machine (this will be a .exe for Windows).
Note: A Windows .exe installer simply starts the agent up invisibly, running in the
background. There is no interaction or feedback.
Note: Make sure that you generate the installer on a machine where the proper certificates
are installed (ones that match the certificates from ConsoleServer).
Upon successful completion of an update, the installation date on the computer list will be
updated, though a refresh might be needed to see it. In addition, the events panel will show the
result of the update. This is true for the client events panel and the global events panel.
To update an agent:
1. Generate a new agent installer.
Note: The new agent should have the same service name as the original.
3. Right click on the machine and select Agent Maintenance > Update Agent. (Alternatively,
several agents can be selected by holding CTRL or SHIFT to be updated simultaneously.)
4. Navigate to the location of the generated file, select the desired file and click Proceed. The
Update Agent window will then display the package file information.
5. Click Update.
Note: The installation date on the computer list will be updated when an update was
successfully applied, though a refresh might be needed to see it.
Note: The new agent should have the same service name as the original.
3. Under Update package, navigate to the location of the generated file, select the desired file
and click Proceed.
The Update Agent window will then display the package file information.
4. Click Update.
To update an agent using the Agent Installer (the preferred method), simply double-click the
agent installer (.exe file). When generating the installer package for updating agents, be sure
to select the Force Overwrite option.
To update an agent through command-line, run the following command:
msiexec /fvam <filename.msi>
Note: Make sure that you generate the installer on a machine where the proper certificates
are installed (ones that match the certificates from ConsoleServer).
ECAT Files
Result File: The name of the agent installer file. This can be copied to a new client machine
and executed to install the agent. For the Mac agent, this must have a .pkg extension.
Base Configuration
ECAT Service Name: This setting is not honored by Mac agents. On Mac machines, the agent
runs as a daemon with the label ECATAgent.
Primary Hostname: The URL of the master console server to which the agent starts talking
as soon as it is installed.
Auto-Uninstall Date: The date and time the NetWitness Endpoint agent automatically
uninstalls. It can be left empty if not required.
Force Overwrite: This option is ignored for Mac agents, as the Mac installer will always
overwrite the existing installation.
Security
Client Certificate: Selects the client certificate generated, which the Mac agent will use to
communicate with the NetWitness Endpoint Server. The default name is
NweAgentCertificate. The client public certificate is bundled in the generated package and
is the same for each installed client.
Server Certificate: Selects the server certificate generated when the NetWitness Endpoint
Server was configured. The default name is NweServerCertificate.
3. Click Advanced tab. Only the following fields are supported for Mac agent:
Certificate Validation: Choose one of the options from the drop-down to determine how the
agent will validate the NetWitness Endpoint Server certificate:
- Thumbprint (default selection)
- Full chain
- None
Note: By default, this setting will match the Agent Certificate Validation option selected in
the Server Configuration panel of the NetWitness Endpoint UI, but it may be changed if
desired. For more information, see the topic Server Configuration Window in the RSA
NetWitness Endpoint User Guide.
Beacon interval(s): The rate at which the client notifies the server of its status (in seconds).
4. To verify that the configuration parameters are valid, and to test the network connection to
all enabled servers before deployment, click Test Connection, and ensure it reports OK for
all of its tests.
Note: If the installation process fails for any reason and the connection to the server is
available, the installer will send an error log to the server. To view the error log message, go
to the location /var/log/install.log.
- Option 1: Manually running the agent installer (administrator rights are required) on the
client machine (this will be a .pkg for Mac). The Mac .pkg installer takes you through a
series of interactive installation steps.
1. Copy the generated .pkg file to the target Mac machine. (Administrator rights are required
for installation.)
2. Follow the instructions on the screen and enter the administrator username/password
when prompted.
Note: Command line installation opens up possibilities for automation and remote
installation. Admins can use an SSH session to remotely copy and install the package on
the Mac machines. For this, make sure the in-built SSH server on Mac OS-X is enabled.
To verify a Mac agent is running, open Activity Monitor and look for NetWitness
Endpoint agent.
- Driver: /usr/local/ecat/ECATKext.kext
Note: Click Tools > Refresh or press F5 to refresh the Machines list when you need the
latest data.
From the Machines window, see the Machine Status column to check the status of the
machine. For more information, see the topic Agent Status Icons in the RSA NetWitness
Endpoint User Guide.
If you want to update an agent to the latest version of the NetWitness Endpoint agent, see the
topic Updating an Agent in the Managing Agents section of the RSA NetWitness Endpoint User
Guide.
Note: Make sure that you generate the installer on a machine where the proper certificates
are installed (ones that match the certificates from ConsoleServer).
NWE Files
Result File: The name of the agent installer file. This can be copied to a new client machine
and executed to install the agent. For the Linux agent, this must have a .rpm extension.
Base Configuration
HTTPS Port: The secure HTTP port number used by the ConsoleServer. The default value is
443.
UDP Port: The UDP port number used by the ConsoleServer. The default value is 444.
Auto-Uninstall Date: The date and time the NetWitness Endpoint agent automatically
uninstalls. It can be left empty if not required.
Security
Client Certificate: Select the client certificate generated, which the Linux agent will use to
communicate with the NetWitness Endpoint Server. The default name is
NweAgentCertificate. The client public certificate is bundled in the generated package and
is the same for each installed client.
Server Certificate: Select the server certificate generated when the NetWitness Endpoint
Server was configured. The default name is NweServerCertificate.
3. Click the Advanced tab. Only the following two fields are supported for the Linux agent.
Certificate Validation: Choose one of the options from the drop-down to determine the way
the agent will validate the NetWitness Endpoint Server certificate:
- Thumbprint (default selection)
- Full chain
- None
Beacon interval(s): The rate at which the client notifies the server of its status (in seconds).
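The Certificate Validation option appears in the Windows, Mac and Linux packager tables above. With the default Thumbprint setting, every agent pins the exact certificate selected as Server Certificate in the packager, so the certificate the ConsoleServer actually presents on its HTTPS port must be that one; with Full chain, the chain must instead build to a root the endpoint trusts. The PowerShell below, an added example and not part of the RSA guide or product, opens a TLS connection to the ConsoleServer, captures the certificate it presents, and compares it with the server certificate in the local store, while also reporting whether the chain would build on this machine. It assumes the server certificate's friendly name is NweServerCertificate (the packager default) and that it is in Cert:\LocalMachine\My on the machine where the script runs; the host name is a placeholder.

```powershell
# Added example (not from the RSA guide): check that the certificate served on the ConsoleServer's
# HTTPS port is the one agents will pin. Assumptions: friendly name NweServerCertificate, store
# Cert:\LocalMachine\My, placeholder host name.

function Get-PresentedServerCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept anything during the handshake; the point is to inspect what was sent, not to trust it.
    $accept = { param($sender, $cert, $chain, $errors) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

function Test-NweServerCertificatePin {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [string]$FriendlyName = 'NweServerCertificate'   # packager default; assumption
    )
    $expected = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName } | Select-Object -First 1
    if (-not $expected) { throw "No certificate with friendly name '$FriendlyName' in Cert:\LocalMachine\My" }

    $presented = Get-PresentedServerCertificate -HostName $HostName -Port $Port

    # What "Full chain" validation would see from this machine, for comparison.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($presented)

    [pscustomobject]@{
        Host                = "${HostName}:$Port"
        PresentedSubject    = $presented.Subject
        PresentedThumbprint = $presented.Thumbprint
        ExpectedThumbprint  = $expected.Thumbprint
        ThumbprintMatches   = ($presented.Thumbprint -eq $expected.Thumbprint)   # what Thumbprint mode needs
        FullChainValid      = $chainOk                                           # what Full chain mode needs
        NotAfter            = $presented.NotAfter
    }
}

Test-NweServerCertificatePin -HostName 'nwe-console.corp.example' | Format-List
```

ThumbprintMatches must be True before agents packaged with Thumbprint validation are deployed; if it is False, the HTTPS port is serving a different certificate (for example, one bound by another product on port 443) and the agents will refuse the connection. NotAfter is worth recording as well, because replacing the server certificate later means regenerating and updating every pinned agent.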
4. To verify that the configuration parameters are valid, and to test the network connection to
all enabled servers before deployment, click Test Connection, and ensure it reports OK for
all of its tests.
2. Copy the generated .rpm file to the target Linux machine. (Administrator rights are
required for installation.)
4. Follow the instructions on the screen and enter the administrator username/password when
prompted.
Note: Click Tools > Refresh or press F5 to refresh the Machines list when you need the
latest data.
From the Machines window, see the Machine Status column to check the status of the
machine. For more information, see the topic Agent Status Icons in the NetWitness
Endpoint User Guide.
The following are the default locations (as of release 4.3.0.4) for the Linux agent installation:
l The Linux agent is installed to the /opt/rsa/nwe-agent directory
If you want to update an agent to the latest version of the NetWitness Endpoint agent, see the
topic Update an Agent in the RSA NetWitness Endpoint User Guide.
The following figure describes the architecture for the Roaming Agents Relay.
Within the enterprise network, the NetWitness Endpoint agents that are deployed on client
machines (laptops, desktops, servers) communicate with the NetWitness
Endpoint ConsoleServer normally. When the NetWitness Endpoint agent is unable to connect to
the ConsoleServer for any reason, the following sequence of actions takes place:
1. The agent tries to resolve Enterprise Specific Hostname (ESH).
Or
Note: During a temporary downtime of the ConsoleServer, you should prevent switching to
RAR.
The above flow is also explained using a flow chart as shown in the following figure:
When the NetWitness Endpoint agent tries to connect to the RAR server, a sequence of actions takes place within the NetWitness Endpoint environment. The following figure describes the flow.
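The decision sequence described above, as an added Python model (not the agent's own code): it combines the steps the guide states with the enterprise-only hostname (ESH) check from the relay assignment procedure. The injected resolver and connector functions, the RelayInfo structure and the "retry-console" outcome are assumptions of this illustration.

```python
"""Model of how a NetWitness Endpoint agent picks the ConsoleServer or the RAR.

Added illustration, not the agent's code. It combines the steps the guide gives:
the agent talks to the ConsoleServer normally; when it cannot, it tries to
resolve the Enterprise Specific Hostname (ESH). The ESH resolves only inside
the enterprise network, so a resolvable ESH means the ConsoleServer is merely
down and the agent should keep retrying rather than switch to the relay. An
unresolvable ESH means the endpoint is roaming, and the agent uses the relay
details it received while it was inside the corporate network, provided the
relay is enabled for it. The resolver and connector are injected callables so
the logic runs offline; the scenario in main() is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class RelayInfo:
    """Relay details pushed to the agent by the ConsoleServer (constructed)."""
    hostname: str
    https_port: int = 443   # default TCP port in the guide's port table
    udp_port: int = 444     # default UDP port in the guide's port table
    enabled: bool = True    # the relay is enabled by default per the guide


@dataclass(frozen=True)
class Decision:
    target: str   # "console", "relay" or "retry-console"
    reason: str


def choose_target(console_host: str,
                  esh: Optional[str],
                  relay: Optional[RelayInfo],
                  can_connect: Callable[[str], bool],
                  can_resolve: Callable[[str], bool]) -> Decision:
    """Return where the agent should send its traffic (hypothetical model)."""
    if can_connect(console_host):
        return Decision("console", "ConsoleServer reachable")
    # A resolvable ESH means we are still inside the enterprise network:
    # the ConsoleServer is temporarily down, so do not switch to the relay.
    if esh and can_resolve(esh):
        return Decision("retry-console",
                        "ESH resolves: inside the network, keep retrying the ConsoleServer")
    if relay is None:
        return Decision("retry-console",
                        "no relay information: it is only delivered inside the corporate network")
    if not relay.enabled:
        return Decision("retry-console", "relay disabled for this machine")
    return Decision("relay", f"roaming: use {relay.hostname}:{relay.https_port}/tcp "
                             f"and {relay.udp_port}/udp")


if __name__ == "__main__":
    # Constructed scenario: ConsoleServer down, ESH does not resolve -> roaming.
    relay = RelayInfo("relay.example.net")
    d = choose_target("console.corp.example", "esh.corp.example", relay,
                      can_connect=lambda host: False,
                      can_resolve=lambda name: False)
    print(d.target, "-", d.reason)
```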
The NetWitness Endpoint Roaming Agents Relay offers the following advantages:
- It monitors and protects endpoints outside the enterprise network.
- Agents can automatically determine if the endpoint is roaming and connect to either the NetWitness Endpoint ConsoleServer or the RAR server.
- Enable RAR
Before installing RAR, you must ensure you meet the following hardware and software
requirements:
Hardware
The following hardware requirements should be sufficient to handle up to 5,000 agents. More detailed hardware requirements are provided in the topic System Requirements.
- 100 GB disk space
- 12 cores
- 16 GB RAM
Software
2. RabbitMQ (tested with version 3.6.10); you should also enable the RabbitMQ management UI by running the following command: rabbitmq-plugins enable rabbitmq_management
3. OpenSSL (latest)
2. Install RabbitMQ.
Note: RSA recommends using C:\ECAT as the base directory, though it is not
mandatory. The instructions in this guide assume you have used the recommended path.
4. Create the directory C:\ECAT\Relay and extract all the files from the rsa_nwe_4.4.x.x_roaming_agents_relay.zip file into this directory.
6. Set the location of the RabbitMQ configuration file. From an elevated (Run as Administrator) command prompt, execute the following commands:
rabbitmq-service.bat remove
set RABBITMQ_BASE=C:\ECAT\Relay
setx -m RABBITMQ_BASE C:\ECAT\Relay
rabbitmq-service.bat install
rabbitmq-service.bat start
The usage of each command is given below:
rabbitmq-service.bat remove -> Remove the RabbitMQ service
set RABBITMQ_BASE=C:\ECAT\Relay -> Set the path in this command prompt context
setx -m RABBITMQ_BASE C:\ECAT\Relay -> Set the path in the global context
rabbitmq-service.bat install -> Install the RabbitMQ service
rabbitmq-service.bat start -> Start the RabbitMQ service
Note: If you ever need to change the location of the RabbitMQ configuration file, you must reinstall RabbitMQ. For more information, see https://www.rabbitmq.com/configure.html.
a. Copy OpenSSL.exe, ssleay32.dll, and libeay32.dll from OpenSSL binary zip to the same
directory as the tool.
b. (Optional) Provide a different name for the "vhost" in the configuration file of the tool, RoamingAgentsRelayConfigTool.exe.config, as the value of "CLSERVVhost". The default is ecat. If you change the default, you must make the same change in RoamingAgentsRelay.exe.config and in the ConsoleServer configuration file. A "VHost" is a virtual segregation within the RabbitMQ machine; all the queues and exchanges are created within the "VHost".
9. Set the RabbitMQ install directory. Click Browse and select the directory.
For example, C:\Program Files\RabbitMQ Server\.
10. Enter a password from the User Interface of the tool (A password is required to export the
certificates with their private key).
- EcatRelayServer.pem
- EcatRelayServer.key
- EcatRelayCA.pem
- EcatRelayCA.cer
- EcatRelayServer.pfx
- EcatRelayClient.pfx
13. Create the directory C:\ECAT\Relay\Certs and copy the files EcatRelayServer.pem, EcatRelayServer.key, and EcatRelayCA.pem to the new directory.
15. Open http://localhost:15672 in the browser and log in with username “ecat” and password
“ecat” for managing RabbitMQ.
Note: Use the appropriate port if it was previously changed in the configuration file.
16. Navigate to the folder C:\ECAT\Relay\ and validate the correctness of vhost, port, and
credentials in the file RoamingAgentsRelay.exe.config.
17. Execute Roaming Agents Relay using one of the following options:
- In an elevated command prompt, install Roaming Agents Relay as a service using the following command:
RoamingAgentsRelay.exe /install
Then open Windows Services and start the service RSA ECAT Relay Server.
2. Import these certificates to the Personal folder of the Local Computer in certificate store.
For more information, see http://sanganakauthority.blogspot.com/2012/02/install-certificate-in-local-computer.html.
a. Open ConsoleServer.exe.config.
b. Make sure that the "CLSERVVhost" entry has value configured previously.
3. Right-click within the Roaming Agents Relay window and click Create.
Relay Hostname: Provide the hostname or IP address where the RAR server can be reached.
HTTPS Port and UDP Port: Enter the values of the HTTPS port and UDP port that were previously configured in RoamingAgentsRelay.exe.config.
5. Click Save.
2. Right-click on the ConsoleServer for which the relay server must be assigned and select
Roaming Agent Relay > Assign as shown in the following figure.
Note: For each ConsoleServer, you can assign only one single RAR server. But a
single RAR server can be assigned to multiple ConsoleServers.
3. From the Select Relay drop-down, select the relay server to be assigned to
the ConsoleServer.
4. (Optional) Enter a hostname resolvable only within the enterprise network to help the agent
identify if it is inside or outside the network.
5. Click Assign.
The Relay server is assigned to the ConsoleServer. This also generates a unique 256-bit
AES key for all NetWitness Endpoint agents. Also, the agents will receive the relay-
related information automatically.
Note: The unique key and relay information will be sent to the agents only if the agents
are within the corporate network.
The Roaming Agents Relay is enabled by default. To change the status, use any one of the
following options:
- Using the Machine View:
d. Click Apply.
e. Click Save.
2. Right-click on the ConsoleServer for which the Relay server will be unassigned and select
Roaming Agent Relay > Decommission as shown in the following figure.
1. Select Start > All Programs > RSA NWE > NWE UI to run the NetWitness Endpoint UI
(user interface).
2. If you are opening the NetWitness Endpoint UI for the first time after installation, the
Configuration dialog is displayed. If you have previously connected to the NetWitness
Endpoint database with this installation, the NetWitness Endpoint UI will automatically
reconnect every time you open the NetWitness Endpoint UI.
Database Instance Name: Name of the SQL Server instance (if it was named; otherwise leave this blank).
Database Name: Name of the database used by NetWitness Endpoint. This was entered during installation, and is the database automatically generated on the SQL Server. If you need to look up the name, select Start > All Programs > Microsoft SQL Server 2012 > SQL Server Management Studio, and look under Databases.
Files UNC Path: The path name for the folder where agents will upload files. (It must be a shared network folder for a multi-server environment.)
Field Name Description
Use SQL Security: Check this if you want to use SQL Security instead of Windows authentication, and enter your User Name and Password.
Note: OPSWAT does not support UNC File path. Hence, it is recommended to use a
non-UNC file path for OPSWAT scan.
Note: To use a UNC file path for the OPSWAT scan, you must mount the share on the file system as a symbolic link. For more information, see https://my.opswat.com/hc/en-us/articles/202371520-How-do-I-scan-mapped-drives-with-Metascan-.
UPDATE INSTALLATION
This topic provides information for existing NetWitness Endpoint users to update to the latest
NetWitness Endpoint release, as described in the following topics:
1. Prerequisites: Always check for necessary prerequisites before applying an update.
2. Update Scenarios: Information and directions for applying the latest NetWitness Endpoint
software update.
3. Troubleshooting Update Issues: If you have trouble updating your NetWitness Endpoint
installation, this section provides troubleshooting information.
Prerequisites
Before installing any update, it is strongly recommended to do the following:
1. Backup all Microsoft SQL Server NetWitness Endpoint databases, primary and secondary.
To do so, use the standard Microsoft SQL Server tools such as SQL Server Management
Studio, as explained below.
2. Create a backup copy of the server and client certificates, as explained below.
3. Follow the recommended guidelines for using the Microsoft Windows Update service to avoid interference with the NetWitness Endpoint ConsoleServer and the NetWitness Endpoint update process, as detailed below.
To create a backup copy of the server and client certificates, follow the instructions given
in Step 4: (Optional) Export Primary Server Certificates in the Installation section.
3. Turn on the Windows Update service and proceed with the Windows Update and all
necessary steps such as download, installation, and reboot.
4. When the Windows Update is complete, turn off the Windows Update service.
Update Scenarios
This topic describes the procedures for updating to NetWitness Endpoint 4.4.x.x and NetWitness
Endpoint Roaming Agents Relay (RAR) 4.4.x.x from supported upgrade paths. Supported
upgrade paths are specified in the RSA NetWitness Endpoint <4.4.x.x> Release Notes.
Note: If you attempt to update NetWitness Endpoint from an unsupported path, a message will
display and you will not be able to continue with the update. Refer to the release notes for
information on supported update paths.
5. Click Next. The installer will attempt to detect and pre-fill existing installation
configurations. Installed components, if detected, are pre-checked on the Select Components
dialog, shown below.
6. If you wish to change the pre-selected options, select the installation type and components
you wish to install from the following options in the drop-down list:
- Full installation: installs the NetWitness Endpoint UI, NetWitness Endpoint Server, and NetWitness Endpoint Agent Packager
- Custom installation: installs the components selected by clicking the checkboxes next to the desired item below the drop-down (For example, to install just the NetWitness Endpoint Primary server, select Custom installation and check the box next to NWE Server.)
7. While selecting the programs to install, make sure to select NWE Agent Packager as you
will also need to update all agents.
9. If you are updating from 4.1.2.0, and if YARA was previously enabled, a message is
displayed asking if you want to copy the existing YARA executable and rules to the new
location and update the configuration in the new installation. If you click Yes, the files are
copied to the new location. If you click No, the YARA files will not be moved. Following
the update, YARA and OPSWAT can be configured from the Monitoring and External
Components option in the NetWitness Endpoint UI. (If you are updating from 4.2.0.x (or
later), you will not see this message as this was done during the 4.2 update.)
11. On the SQL Server dialog, shown below, enter the SQL Server you are using for NetWitness Endpoint. It is not recommended to change the default entry for SQL Database Name. Set the SQL Server Port only if necessary.
- Select SQL Server Credential and click Next. The following dialog is displayed:
Enter the necessary SQL Server authentication username and password and click Next.
Note: If in attempting to connect to the SQL Server it is determined that there is already an
existing database, a message is displayed with options to either reuse or delete the existing
database. For more information, see Manage Existing Database During Installation.
14. The installer checks for Firewall rules and, if found, re-creates them.
15. On the Ready to Install dialog, review the installation configuration information. If you want
to make changes, click Back to return to previous configuration dialogs.
17. Restart the SQLServerAgent service on both Primary and Secondary servers.
19. Once the update is applied on all the servers, generate a new package and update all agents
using the option Tools > Agent Maintenance > Update All Agents in the NetWitness
Endpoint UI.
Note: For all agents communicating through RAR, you should wait until agents are
communicating directly to the ConsoleServer before updating to ensure a successful update.
Note: After updating all agents, some data in the NetWitness Endpoint UI may be out of date.
Clearing the cache or checking again after the initial scan should load the latest information.
Additional Components
The following additional components are optional and may be installed separately after updating
to NetWitness Endpoint 4.4.x.x.
- REST API Server
To install the REST API Server, run the ApiServer.exe file located in the
folder C:\Program Files\RSA\ECAT\Server.
For more information about the REST API Server, see the topic REST API Server in RSA
NetWitness Endpoint User Guide.
Caution: It is very important that you update the NetWitness Endpoint ConsoleServer to
NetWitness Endpoint 4.4.x.x before updating RAR.
2. Download the NetWitness Endpoint Roaming Agents Relay zip package (rsa_nwe_<4.4.x.x>_roaming_agents_relay.zip).
4. Extract the following files from the zip package to the existing Roaming Agents Relay folder
(default location: C:\ECAT\Relay\), replacing older matching files if required:
a. Newtonsoft.Json.dll
b. RabbitMQ.Client.dll
c. RabbitMQ.config
d. RelayCustomActionLib.dll
e. RelayServerOutput.exe
f. RoamingAgentsRelay.exe
g. RoamingAgentsRelayConfigTool.exe
Note: Do not replace config files unless required.
If the Update Installer program detects a NetWitness Endpoint Server in the environment, but
the NetWitness Endpoint Server option is unchecked on the Select Components dialog, the
following message will be displayed:
If you click Yes, the existing NetWitness Endpoint Server will be uninstalled.
If you click No, you will return to the Select Components dialog.
The installer gathers NetWitness Endpoint Server configuration information from the
ConsoleServer.exe.config file, as well as information from the SQL database and from
Windows for firewall and Windows Service settings.
- If the installer cannot find the ConsoleServer.exe.config file, the following message is displayed:
Click OK.
A dialog is displayed where you can browse to locate and select
the ConsoleServer.exe.config file.
- If the installer cannot retrieve the ConsoleServer.exe.config file or the file is invalid, the following message is displayed:
Click OK. At this point your only option is to browse to another installation path to try to
locate the configuration file. If the installer cannot retrieve the previous installation's
configuration you cannot proceed with the update installation.
Once the installer has valid NetWitness Endpoint Server configuration information, it will
proceed with the update installation.
If Update Fails
If the update fails, the database will automatically rollback to its original state. You can reinstall
with the existing database just by relaunching the NetWitness Endpoint installer. The
NetWitness Endpoint system will be reinstalled and the database will be upgraded if needed.
ADDITIONAL PROCEDURES
This topic provides additional information related to installing and configuring NetWitness
Endpoint 4.4, as follows:
- Manage Existing Database During Installation
- Select Reuse and click Next. The existing database will be reused and upgraded to the latest version (if applicable).
  - If the database upgrade is supported for the existing database version, the following message is displayed:
Or, if the database is already at the latest version, the following message is displayed:
Click OK to return to the Existing Database dialog. Your options in this case are to cancel the installation, delete the existing database, or create a new database with another name.
- Select Delete and click Next. The existing database, and all its data, will be deleted. The following warning message is displayed:
  - If you click No, you will be returned to the Existing Database dialog.
  - If you click Yes, the following confirmation message is displayed:
Click OK to continue.
3. The NetWitness Endpoint Server and NetWitness Endpoint Agents Certificates dialog is
displayed, and you can continue the normal installation process for either the Primary or
secondary ConsoleServer. However, if you select to generate new NetWitness Endpoint
certificates and the installer does not find any existing certificates, the following message
will display:
4. If you have an existing database, it is strongly recommended that you import your existing
certificates instead of generating new ones to ensure the NetWitness Endpoint server can
continue to communicate with already deployed NetWitness Endpoint agents.
Click No to return to the previous dialog or Yes to continue generating new certificates.
1. Open the ConsoleServer.exe.config XML file and add the following line:
<add key="DbSaUser" value="[Username]"></add>
- RSA Live
- SMTP
- Syslog
- Incident Management
For more information about configuring these external components, see Monitoring and External Components in the RSA NetWitness Endpoint User Guide.
3. Right-click on Logins.
9. Click OK to finish.
Note: NetWitness Endpoint requires the sysadmin server role to function properly. To avoid
possible interactions with other databases, it is recommended to create a separate instance of
SQL Server.
Adding configuration settings in this way allows for re-copying all the settings normally found in
Internet Options (under the Connections tab, in LAN Settings).
Note: In order for Meta Integrator to successfully connect to Log Decoder, a web proxy
exception may need to be configured. This can be done either in Internet Options or in
ConsoleServer.exe.config using the bypasslist XML node. Depending on the network
configuration, the bypass proxy server for local addresses (bypassonlocal in XML) may
produce the same result.
- <bypasslist>: https://docs.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/network/bypasslist-element-network-settings
The following figure shows the equivalent of the configuration example provided above as it
would look in Internet Options:
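As an added example (not RSA's tooling), the following Python checker reads a ConsoleServer.exe.config and verifies the three entries this guide edits in that file: the CLSERVVhost appSetting from the RAR setup, the DbSaUser appSetting, and the defaultProxy bypasslist/bypassonlocal settings described above. The sample config, the host names and the simplified bypassonlocal rule are assumptions of this illustration.

```python
"""Sanity checks on a ConsoleServer.exe.config before a RAR or proxy change.

Added example, not RSA's tooling. It parses a .NET application config and
reports on the settings this guide touches: the CLSERVVhost appSetting (must
match the vhost configured in the relay config tool, default "ecat"), the
DbSaUser appSetting, and the system.net/defaultProxy section (proxy address,
bypassonlocal and bypasslist regexes), which must let Meta Integrator reach
the Log Decoder without going through the proxy. The config text below is
constructed; host names are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="CLSERVVhost" value="ecat" />
    <add key="DbSaUser" value="nwe_sa" />
  </appSettings>
  <system.net>
    <defaultProxy enabled="true">
      <proxy usesystemdefault="false"
             proxyaddress="http://proxy.corp.example:8080"
             bypassonlocal="true" />
      <bypasslist>
        <add address="^logdecoder\\.corp\\.example$" />
        <add address="^10\\.0\\.\\d+\\.\\d+$" />
      </bypasslist>
    </defaultProxy>
  </system.net>
</configuration>
"""


def app_settings(root: ET.Element) -> Dict[str, str]:
    """Return appSettings as a dict (a later duplicate key overrides an earlier one)."""
    return {e.get("key"): e.get("value", "")
            for e in root.findall("./appSettings/add") if e.get("key")}


def bypass_patterns(root: ET.Element) -> List[str]:
    """Regular expressions from <bypasslist>; .NET matches them against the host."""
    return [e.get("address")
            for e in root.findall("./system.net/defaultProxy/bypasslist/add")
            if e.get("address")]


def host_bypasses_proxy(host: str, patterns: List[str], bypass_on_local: bool) -> bool:
    """Simplified .NET rule (assumption): bypassonlocal covers dot-less intranet
    names; otherwise any bypasslist regex that matches the host wins."""
    if bypass_on_local and "." not in host:
        return True
    return any(re.search(p, host) for p in patterns)


def check_config(xml_text: str, expected_vhost: str, log_decoder_host: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    settings = app_settings(root)
    findings: List[str] = []
    vhost = settings.get("CLSERVVhost")
    if vhost is None:
        findings.append("CLSERVVhost missing from appSettings")
    elif vhost != expected_vhost:
        findings.append(f"CLSERVVhost is '{vhost}' but the relay tool uses '{expected_vhost}'")
    if not settings.get("DbSaUser"):
        findings.append("DbSaUser missing or empty")
    proxy = root.find("./system.net/defaultProxy/proxy")
    if proxy is not None and proxy.get("proxyaddress"):
        bypass_local = proxy.get("bypassonlocal", "false").lower() == "true"
        if not host_bypasses_proxy(log_decoder_host, bypass_patterns(root), bypass_local):
            findings.append(f"Log Decoder host {log_decoder_host} would be sent "
                            "through the proxy; add a bypasslist entry")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG, "ecat", "decoder.other.example"):
        print("FINDING:", finding)
```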
If the service account is not authorized to use the proxy server, then you can optionally create a
new generic credential in the Credential Manager (found in the Windows Control Panel), by
selecting Add a generic credential, as shown below:
On the next screen, you need to enter the URL of your proxy server and the user name and
password required for the proxy, as shown below:
When you click OK, the following window is displayed, showing the new generic credential.
Note: Authenticated proxy servers are supported by using NTLM authentication. Basic
authentication is not supported with proxy servers.
2. Find and double-click the installer executable file for your current NetWitness
Endpoint installation (this is the same file you used to install the Primary ConsoleServer).
The RSA ECAT installer Welcome dialog for maintenance mode is displayed.
3. Click Next.
4. The installer gathers information about the previous installation and displays previously
specified configuration options rather than the default options as it follows the same
procedure as a full installation.
5. When the Select Components dialog is displayed, the component options will reflect the
previous installation.
- To remove a currently installed component, uncheck the checkbox next to it in the Select Components dialog.
- To install a component not previously installed, check the checkbox next to it in the Select Components dialog.
7. Click Next and continue through the remaining installer dialogs (same as for a full
installation).
8. Click Install on the Ready to Install dialog to complete the installation modification process.
Note: NetWitness Endpoint agents are uninstalled through the NetWitness Endpoint UI. For
information, see the topic Uninstall Agents and Remove Agents from the Database in the RSA
NetWitness Endpoint User Guide.
1. On the machine hosting the NetWitness Endpoint Primary ConsoleServer, open the Control
Panel and go to Programs and Features, as shown below:
3. If you plan to reinstall NetWitness Endpoint or reuse already deployed agents, you should
click No. If you click Yes, the existing NetWitness Endpoint certificates will be purged. In
either case, the following message is displayed:
4. If you plan to reinstall NetWitness Endpoint, you should click No. If you click Yes, the
NetWitness Endpoint license file will be deleted. In either case, the following message is
displayed:
5. If you click No, the uninstall process stops and nothing will have been deleted, purged, or
uninstalled. If you want to go ahead and uninstall NetWitness Endpoint, click Yes. The
Uninstall Status dialog is displayed, as shown below:
7. There is a SupportFiles.dll file that is not deleted, but which can be deleted manually, as
shown below:
Note: In all cases, the existing NetWitness Endpoint SQL database remains.
REFERENCES
The following topics provide reference information that pertains to installing and configuring
NetWitness Endpoint.
- Network Distributed Installation Considerations
- NetWitness Endpoint UI
- OPSWAT Metascan
Ideally, the SQL Server and NetWitness Endpoint ConsoleServer should reside on the same
machine to speed up the data insertion once the scans are received from the clients. If they are
installed on different machines, a good gigabit LAN connection is recommended.
It is preferable that all users of the NetWitness Endpoint UI, NetWitness Endpoint
ConsoleServer, and the SQL Server belong to the same Active Directory domain. This will
facilitate the login setup. For security reasons, it is recommended to use a different SQL
instance for NetWitness Endpoint databases.
Note: If the network administrators do not belong to a domain, all the accounts in the different
computers of the NetWitness Endpoint UI, NetWitness Endpoint ConsoleServer, and the SQL
server must have exactly the same username and password.
Note: Permission issues are particularly important when the SQL database and the
NetWitness Endpoint ConsoleServer are on separate servers and the QueuedData directory is
hosted on the ConsoleServer. If this is the case, you must enable delegation on the SQL Server
service account. If you fail to enable delegation under these conditions, the following error is
logged to the ConsoleServer-Error.log file: "System.ComponentModel.WarningException:
LIVE Kernel Download failed." When this occurs, any updated kernel definitions present in
the KernelData.csv file are not added to the database. For more information, refer to
Knowledge Base article 000034586, available on RSA Link.
To add a user to the Microsoft SQL Server, see Add a User to the Microsoft SQL Server.
Firewall Considerations
All NetWitness Endpoint executables must be allowed through the firewall to work.
When the option is checked, the Installshield should create firewall exceptions automatically.
Most firewalls will display a prompt when the NetWitness Endpoint ConsoleServer or the
NetWitness Endpoint UI is started for the first time requesting authorization to receive a remote
connection. This permission must always be granted. Under some circumstances, the Microsoft
SQL Server might not be granted this permission and the firewall rules should then be added
manually.
- NetWitness Endpoint UI
  - The program ConsoleUI.exe, usually located in: UI_INSTALLATION_FOLDER\ECATUI.exe
- OPSWAT MetascanServer:
Note: If installed on a different server, OPSWAT Metascan needs its connection port to
be opened.
Agent Installers from Machines Other than the NetWitness Endpoint Server
When working with multiple server machines, the NetWitness Endpoint UI can be run from a
different machine than the one on which the NetWitness Endpoint ConsoleServer was installed.
To be able to generate agent installers with the NetWitness Endpoint packager on a different
machine, the certificates must be exported and then imported. The certificates must first be
exported from the machine where they were originally created, most likely the NetWitness
Endpoint ConsoleServer machine. They should then be imported into the machine where the
agents are going to be generated with the NetWitness Endpoint packager.
The certificates are only needed for the NetWitness Endpoint ConsoleServer and the
NetWitness Endpoint Packager. To run the NetWitness Endpoint UI, no certificates are
required.
The files are placed in the QueuedData folder of the ConsoleServer, to be consumed by the
database later. If required, the scan files can also be placed on a different drive on the
ConsoleServer machine.
Conclusion: This setup works without issues.
Note: Regardless of which method you choose, the SQL Instance User and SQL Agent User
need read/write/modify permissions and Active Directory delegation to the QueuedData
folder.
Method 1: The Scan Data files are written on the database server (DbServer)
For this setup, you must specify the Scan Data folder in the installer as:
\\DbServer\QueuedData
Method 2: The Scan Data files are written to the ConsoleServer (EcatServer) and retrieved by
the database server (DbServer)
For this setup, you must specify the Scan Data folder in the installer as:
\\EcatServer\QueuedData
This setup requires the SQL Server user to have enough permissions to access the ConsoleServer and allow delegation in Active Directory.
Note: The database user has limited permissions, and reading on a remote machine is blocked
by default.
Conclusion: This method does not work just by sharing a folder on EcatServer as it also
requires sufficient user permissions.
Export Certificates
You can export newly created certificates using the following commands:
The password is stored encrypted for security reasons, but it can also be set by passing the unencrypted password to the following commands:
{InstallationPath}\server\ConsoleServer.exe /setdbpswd {sqlPassword}
{InstallationPath}\server\APIServer.exe /setdbpswd {sqlPassword}
You can create the firewall rule for SQL Server using the following command:
or
{InstallationPath}\Server\ConsoleServer.exe /uninstall
{InstallationPath}\Server\APIServer.exe /uninstall
Component | Resource | Ports | Notes
NetWitness Endpoint Server | File share | 445, 137, 139 | With read/write access rights
NetWitness Endpoint UI | File share | 445, 137, 139 | With read/write access rights; (optional) without this the analyst will not be able to inspect a module when running the UI from their machine
NetWitness Endpoint Server | Queued Data folder | 445, 137, 139 | With read/write access rights
NetWitness Endpoint SQL Server | Queued Data folder | 445, 137, 139 | With read/write access rights
NetWitness Endpoint Agent | RAR (Remote Agents Relay) | 443 (TCP), 444 (UDP) | Communication from the Agent to the RAR Server (default values)