Table Of Contents
Installing the Runtime Environment
Increasing the Open Files Limit
Installing Connector on Linux
Revised: July 15, 2010Overview
This chapter provides a step-by-step guide to installing the Linux Connector on x86 and x86-64 servers running either Red Hat Enterprise Linux version 5 or Cent OS Linux version 5. Connector is used to deliver web traffic from a client to the Web Scanning Services.
To enable Connector to integrate with the widest possible variety of software and devices it has two modes of operation, determined during installation.
•Standalone mode should be used when there are no edge devices on the corporate network.
•Enterprise mode should be used when an edge device, for example Microsoft ISA, is already present in the corporate network.
Cisco does not support the installation of the Linux Connector onto any other distributions of Linux or UNIX operating system, or any custom configuration beyond the instructions in this guide.
The chapter assumes you have followed the procedure detailed in this guide when installing either Red Hat or Cent OS Linux. Cisco strongly recommends that you follow every installation step as outlined rather than using your own Linux installation processes.
Before beginning installation, ensure that your server is suitably sized and capable of running the Linux operating system and Connector with the expected number of users. See Linux System Requirements.
Linux System Requirements
The Linux operating system has very basic hardware requirements. The following requirements are based the number of users expected to send their web traffic through Connector.
For deployments of 500 or more users, Cisco strongly recommends multiple servers are deployed behind a hardware load balancer to ensure there is no interruption of service in the event of a server failure. DNS load balancing (also known as round-robin) is not recommended due to the failover delay caused by caching of DNS responses by local computers.
Your technical account manager or a member of Cisco's customer support team will be happy to discuss deployment options with you.
A TCP/IP network connection and outbound Internet access on TCP ports 80 and 8080 are required for all installations
.
Pre-Installation Requirements
Before installing Connector you must determine where it will be installed. Connector is very lightweight and does not require its own dedicated server. You must also ensure your firewall is configured correctly and SELinux is switched off. See Post-Installation Configuration.
To prepare to install Connector:
Step 1 Determine which mode the connector will use See Overview.
Step 2 In ScanCenter, generate the authentication keys, as necessary. Keys are required for users with dynamic IP addresses only. Keys can also be used with static IP addresses.
Step 3 If you require the connector to perform group lookup with Active Directory or a Windows domain, create a dedicated user within the `Domain Users' group of the primary domain controller.
Step 4 If you have stopped ISA Server to remove a previously installed version of the connector, restart it.
Accessing Your Server
To access your Linux server from a client computer you will need a secure shell (SSH) client.
To download the free PuTTY SSH client for Microsoft Windows:
Step 1 Go to http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.
Step 2 In the Binaries section, right-click the putty.exe hyperlink and then click Save Link As.
Step 3 Save the putty.exe file to your desktop.
Step 4 Double-click the putty.exe program file to run the SSH client.
To connect to the Linux server:
Step 1 Enter the IP address of the Linux server in the Host Name box.
Step 2 Ensure the Connection type is SSH.
Step 3 Ensure the Port is 22.
Step 4 Click Open to connect to the server. The first time you connect to the server via SSH you may see a warning message about a trusted cache. This is normal, and you should accept the notification. Once a connection is established, the login screen is displayed.
Step 5 At the login prompt, type root and press Enter.
Step 6 At the password prompt, enter the root password you created during the Linux installation and press Enter. See Installing Linux.
Note If you are unable to connect, confirm with your network administrator that your network firewall allows connections from your desktop computer to the Linux server on TCP port 22.
Installing the Runtime Environment
Connector is written in the Java language, which enables it to run on multiple platforms. However, like any Java application, it requires a Java runtime environment (JRE) to be installed on the host server.
Caution You must install the official Sun JRE. Alternatives such as JRockit and IcedTea are not supported and may prevent the Connector from running.
When you have logged in to your Linux server, the command prompt is displayed, for example
[root@localhost ~]#
Note The default server name is localhost. You may see a different hostname in your command prompt depending on the settings you entered during installation.
To install the Sun JRE:
Step 1 Change to the root directory to begin installation.
cd /root/Step 2 If you have a 32-bit server, download the 32-bit Java installer.
wget http://80.254.145.118/linux/jre-6u13-linux-i586-rpm.binAlternatively, if you have a 64-bit server, download the 64-bit Java installer.
wget http://80.254.145.118/linux/jre-6u13-linux-x64-rpm.binIf you are unsure if your server is 32-bit or 64-bit, download the 32-bit installer.
Step 3 Once the download has completed, make the program file executable.
chmod a+x ./jre-*.binStep 4 Run the program file to start the installation process.
./jre-*.binThe Sun JRE license agreement is displayed.
Step 5 Read through the agreement. You can press Space to display the next page.
Step 6 Once you have read through the agreement, accept the terms.
yesStep 7 Add the JAVA_HOME environment variable to the global server settings so it knows where to find the Java runtime environment:
echo export JAVA_HOME=/usr/java/latest >> /etc/profileStep 8 Reload the profile:
source /etc/profileStep 9 Test that Java has been installed correctly.
java -versionThis command should display the Java runtime environment version. If you see any other output, please review the steps above before calling support.
Note In some instances it may be necessary to manually create a symbolic link with ln -s /usr/java/latest/bin/java /usr/bin/java.
Installing Connector
Before installing the Connector you must ensure the Sun JRE is installed. See Installing the Runtime Environment. The Linux default open file limit is too low and must be increased to support high traffic levels before installation.
Increasing the Open Files Limit
To increase the open files limit:
Step 1 At the command prompt, open the limits.conf file for editing.
vi /etc/security/limits.confThe limits.conf file is displayed.
Step 2 Use the Down Arrow key to move the cursor to the end of the file.
Step 3 Press the A key to enter insert (or edit) mode.
Step 4 Type conn and press the Tab key.
Step 5 Type hard and press the Tab key.
Step 6 Type nofile and press the Tab key.
Step 7 Type 32768 and press the Tab key.
Step 8 Confirm that the text you have entered appears as follows:
conn hard nofile 32768Step 9 Press the Esc key to exit editing mode.
Step 10 Type :wq to save your changes and exit the limits.conf file.
Running the Installer
When you have increased the open files limit, you can install Connector.
Step 1 At the command prompt, change to the root directory to begin installation.
cd /root/Step 2 Download and execute the Connector installer (approximately 700 kb):
rpm -ivh http://80.254.145.118/linux/connector.noarch.rpmStep 3 Confirm that installation was successful by typing:
ls /opt/connector/
Note You should see a listing of files including agent.properties. If you do not see a listing of files or see an error, check you have Internet connectivity and try the steps above again before contacting support.
Basic Connector Operations
To stop the Connector, at the command prompt type:
/etc/init.d/connector stopTo start the Connector, at the command prompt type:
/etc/init.d/connector startTo restart the Connector, at the command prompt type:
/etc/init.d/connector restartFor configuration instructions, see Configuring Connector.
Configuring Connector
Configuring the Connector is achieved by editing the main configuration file called agent.properties and restarting the Connector. There is no graphical interface for configuring the Linux Connector.
Contact your technical account manager or a member of the customer support team for assistance with configuring the Connector to your specific requirements and testing its functionality. This section is intended as a very basic overview to show you how to open the file for editing and how to apply your changes.
Note Your technical account manager or a member of the customer support team can provide a pre-configured agent.properties file which you can simply upload to the server. This is the easiest approach for new installations.
Before you can configure the Connector, you need to connect to your server either from the console or via an SSH connection. See Accessing Your Server. You should now be logged in to your Linux server, and see a prompt similar to:
[root@localhost ~]#To configure the Connector:
Step 1 Open the agent.properties file for editing.
vi /opt/connector/agent.propertiesStep 2 The agent.properties file will be displayed. Use the arrow keys to locate the configuration option you wish to edit, as directed by the customer support engineer.
Step 3 Press a to enter insert (or edit) mode.
Step 4 Use the Delete key to remove the existing configuration option, and type in your required modification.
Step 5 Press the Esc key (escape) to exit editing mode.
Step 6 Type :wq to save your changes and exit the agent.properties file.
Step 7 You must restart the Connector to apply your changes. This can take up to 60 seconds, and should be done at a quiet time.
/etc/init.d/connector restartStep 8 When complete, type exit to close your SSH session.
Applying an Exception
An exception (or bypass) is used when you do not wish a particular website to be filtered by the Web Scanning Services. For example, you may use a secure site that restricts access to your offices egress IP address therefore in which case you would not want the web request to be routed through the shared filtering tower.
Note Your technical account manager or a member of the customer support team can provide assistance with configuring and applying exceptions. This is intended as a very basic reference.
Before you can add an exception, you need to connect to your server either from the console or via an SSH connection. See Accessing Your Server. You should now be logged in to your Linux server, and see a prompt similar to:
[root@localhost ~]#To apply an exception:
Step 1 Open the agent.properties file for editing:
vi /opt/connector/agent.propertiesStep 2 The agent.properties file will be displayed. Press the Page Down key to scroll to the bottom of the file.
Step 3 Press A to enter insert (or edit) mode
Step 4 Type in the exception, for example:
hotmail.com-exception_pattern=*hotmail.comhotmail.com-primary_allowed=80,443hotmail.com-primaryProxy=DIRECTStep 5 Press the Esc key (escape) to exit editing mode
Step 6 Type :wq to save your changes and exit the agent.properties file
Step 7 You must restart the Connector to apply your changes. This can take up to 60 seconds, and should be done at a quiet time:
/etc/init.d/connector restartStep 8 When complete, type exit to close your SSH session.
Upgrading Connector
Upgrading Connector to the latest General Availability (GA) version is straightforward.
To upgrade Connector:
Step 1 Change to the root directory to begin installation
cd /root/Step 2 Backup the Connector configuration to the root directory
cp /opt/connector/agent.properties agent.properties-`date -I`Step 3 Download and execute the Connector upgrade (approximately 700 kb):
rpm -Uvh http://80.254.145.118/linux/connector.noarch.rpmStep 4 Restart the Connector to ensure the upgrade completes:
/etc/init.d/connector restart
You should now be able to browse the Internet through Connector. If you are unable to do so, you should contact support for assistance. You must provide a copy of the log files in /opt/connector/logs/.