You have to consider the following before doing a fresh installation of your OfficeScan (OSCE) server:
- IPV6 Support
- Location of the OfficeScan Server
- Remote Installation
- Server Performance
- Dedicated Server
- Scan Method Deployment During Installation
- Network Traffic
- Third-party Security Software
- Active Directory
- Web Server
The IPv6 requirements for the OfficeScan server fresh installation are as follows:
- The OfficeScan server must be installed on Windows Server 2008 or Windows Server 2012. It cannot be installed on Windows Server 2003 because this operating system only supports IPv6 addressing partially.
- The server must use an IIS web server. Apache web server does not support IPv6 addressing.
- If the server will manage IPv4 and IPv6 clients, it must have both IPv4 and IPv6 addresses and must be identified by its host name. If a server is identified by its IPv4 address, IPv6 clients cannot connect to the server. The same issue occurs if pure IPv4 clients connect to a server identified by its IPv6 address.
If the server will manage only IPv6 clients, the minimum requirement is an IPv6 address. The server can be identified by its host name or IPv6 address. When the server is identified by its host name, it is preferable to use its Fully Qualified Domain Name (FQDN). This is because in a pure IPv6 environment, a WINS server cannot translate a host name to its corresponding IPv6 address.The FQDN can only be specified when performing a local installation of the server. It is not supported on remote installations.
- Verify that the host machine’s IPv6 or IPv4 address can be retrieved using, for example, the “ping” or “nslookup” command.
- If you are installing the OfficeScan server to a pure IPv6 computer:
- Set up a dual-stack proxy server that can convert between IPv4 and IPv6 addresses (such as DeleGate). Position the proxy server between the OfficeScan server and the Internet to allow the server to successfully connect to Trend Micro hosted services, such as the ActiveUpdate server, the Online Registration website, and Smart Protection Network.
- Do not install Policy Server for Cisco NAC and Cisco Trust Agent. These programs do not support IPv6 addressing.
Remote installation allows you to launch the installation on one computer but install OfficeScan to another computer. If you perform a remote installation, Setup checks if the target computer meets the requirements for server installation.
To ensure that installation can proceed:
- On each target computer, start the Remote Registry service using an administrator account and not a Local System account. Remote Registry service is managed from Microsoft Management Console (Click Start > Run, and type "services.msc").
- Record the computer's host name and logon credentials (user name and password).
- Verify that the computer meets the OfficeScan server system requirements.
OfficeScan can accommodate a variety of network environments. For example, you can position a firewall between the OfficeScan server and its clients, or position both the server and all clients behind a single network firewall. If there is a firewall between the server and its clients, configure the firewall to allow traffic between the client and server listening ports.
Enterprise networks require servers with higher specifications than those required for small and medium-sized businesses.
The number of networked computer clients that a single OfficeScan server can manage depends on several factors, such as available server resources and network topology.
Contact your Trend Micro representative for help in determining the number of clients the server can manage.
The typical number of clients an OfficeScan server can manage are as follows:
- 3,000 to 5,000 clients for an OfficeScan server with 2GHz dual processor with 2GB of RAM
- 5,000 to 20,000 clients for an OfficeScan server with 2.13GHz Core2Duo™ processor with 4GB of RAM
When selecting a computer that will host the OfficeScan server, consider the following:
- The CPU load the computer handles
- If the computer performs other functions
If the target computer has other functions, choose a computer that does not run critical or resource-intensive applications.
In this OfficeScan version, you can configure clients to use either smart scan or conventional scan.
Conventional scan is the scan method used in all earlier OfficeScan versions. A conventional scan client stores all OfficeScan components on the client computer and scans all files locally.
Smart scan leverages threat signatures that are stored in-the-cloud. When in smart scan mode, the OfficeScan client first scans for security risks locally. If the client cannot determine the risk of the file during the scan, the client connects to a Smart Protection Server.Smart scan provides the following features and benefits:
- Provides fast, real-time security status lookup capabilities in the cloud
- Reduces the overall time it takes to deliver protection against emerging threats
- Reduces network bandwidth consumed during pattern updates. The bulk of pattern definition updates only need to be delivered to the cloud and not to many endpoints.
- Reduces the cost and overhead associated with corporate-wide pattern deployments
- Lowers kernel memory consumption on endpoints. Consumption increases minimally over time.
Scan Method Deployment
On fresh installations, the default scan method for clients is the smart scan method.
OfficeScan also allows you to customize the scan method for each domain after installing the server. Consider the following:
- If you did not change the scan method after installing the server, all clients that you install will use smart scan.
- If you want to use conventional scan on all clients, change the root level scan method to conventional scan after installing the server.
- If you want to use both conventional and smart scan, Trend Micro recommends retaining smart scan as the root level scan method and then changing the scan method on domains that you want to apply conventional scan.
When planning for deployment, consider the network traffic that OfficeScan generates.
The server generates traffic when it does the following:
- Connects to the Trend Micro ActiveUpdate server to check for and download updated components
- Notifies clients to download updated components
- Notifies clients about configuration changes
The client generates traffic when it does the following:
- Starts up
- Updates components
- Updates settings and installs a hot fix
- Scans for security risks
- Switches between roaming mode and normal mode
- Switches between conventional scan and smart scan
Network Traffic During Component Updates
OfficeScan generates significant network traffic when it updates a component. To reduce network traffic generated during component updates, OfficeScan performs component duplication. Instead of downloading an updated full pattern file, OfficeScan only downloads the "incremental" patterns (smaller versions of the full pattern file) and merges them with the old pattern file after the download.
Clients updated regularly only download the incremental pattern. Otherwise, they download the full pattern file.
Trend Micro releases new pattern files regularly. Trend Micro also releases a new pattern file as soon as a damaging and actively circulating virus/malware is discovered.
Update Agents and Network Traffic
If there are low-bandwidth or "heavy traffic" sections of the network between clients and the OfficeScan server, designate selected OfficeScan clients as Update Agents, or update sources for other clients. This helps distribute the burden of deploying components to all clients.
For example, if you have a remote office with 20 or more computers, designate an Update Agent to replicate updates from the OfficeScan server and act as a distribution point for other client computers on the local network. See the Administrator’s Guide for more information on Update Agents.
Trend Micro Control Manager and Network Traffic
Trend Micro Control Manager™ manages Trend Micro products and services at the gateway, mail server, file server and corporate desktop levels. The Control Manager web-based management console provides a single monitoring point for products and services throughout the network.
Use Control Manager to manage several OfficeScan servers from a single location. A Control Manager server with fast, reliable Internet connection can download components from the Trend Micro ActiveUpdate server. Control Manager then deploys the components to one or more OfficeScan servers with unreliable or no Internet connection.
Remove third-party endpoint security software from the computer to which you will install OfficeScan server. These applications may prevent successful OfficeScan server installation or affect its performance. Install the OfficeScan server and client immediately after removing third-party security software to keep the computer protected from security risks.
All OfficeScan servers must be part of an Active Directory domain to take advantage of the Role-based Administration and Security Compliance features.
The OfficeScan web server’s functions are as follows:
- Allows users to access the web console
- Accepts commands from clients
- Allows clients to respond to server notifications
You can use an IIS web server or Apache web server. If you use an IIS web server, ensure that the server computer does not run IIS-locking applications.Setup automatically stops and restarts the IIS service during installation.
If you use an Apache web server, the administrator account is the only account created on the Apache web server. Create another account from which to run the web server to prevent compromising the OfficeScan server if a hacker takes control of the Apache web server.
Refer to the Apache website for the latest information on Apache web server upgrades, patches, and security issues.