Security Compliance can query unmanaged endpoints in the network to which the OfficeScan/Apex One server belongs. You can use Active Directory and IP addresses to query endpoints and install the OfficeScan/Apex One agent.
To synchronize the Active Directory in the OfficeScan/Apex One server:
- Go to Administration > Active Directory > Active Directory Integration.
- Under Active Directory Domains, specify the Active Directory domain name.
- Specify credentials that the OfficeScan/Apex One server will use when synchronizing data with the specified Active Directory domain.
The credentials are required if the server is not part of the domain. Otherwise, the credentials are optional. Be sure that these credentials do not expire or the server will not be able to synchronize data.
- Click the + button to add more domains.
If necessary, specify domain credentials for any of the added domains.
- Click the - button to delete domains.
- Specify encryption settings if you specified domain credentials.
As a security measure, OfficeScan/Apex One encrypts the domain credentials you specified before saving them to the database. When OfficeScan/Apex One synchronizes data with any of the specified domains, it will use an encryption key to decrypt the domain credentials.
- Go to the Encryption Settings for Domain Credentials section.
- Type an encryption key that does not exceed 128 characters.
- Specify a file to which to save the encryption key.
You can choose a popular file format, such as .txt. Type the file's full path and name, such as C:\AD_Encryption\EncryptionKey.txt.
If the file is removed or the file path changes, OfficeScan/Apex One will not be able to synchronize data with any of the specified domains. Restrict read access on the file to the server's service account: anyone who can read the key file and the database can recover the domain credentials.
- Click one of the following:
- Save: Save the settings only. Because synchronizing data may strain network resources, you can choose to save the settings only and synchronize at a later time, such as during non-critical business hours.
- Save and Synchronize: Save the settings and synchronize data with the Active Directory domains.
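The two things that silently break synchronization later are the synchronization account's password expiring (step above) and the key file disappearing or becoming world-readable. The following pre-flight check is an added example, not Trend Micro's own tooling; it assumes a hypothetical sync account svc-apexone-adsync in the domain corp.example.com, the sample key path the page uses, and the RSAT ActiveDirectory module on the host where it runs.

```powershell
# Added pre-flight check for the Active Directory synchronization settings.
# Assumed names (not from the original page): domain corp.example.com,
# sync account svc-apexone-adsync, key file C:\AD_Encryption\EncryptionKey.txt.
param(
    [string]$Domain      = 'corp.example.com',
    [string]$SyncAccount = 'svc-apexone-adsync',
    [string]$KeyFile     = 'C:\AD_Encryption\EncryptionKey.txt'
)

Import-Module ActiveDirectory -ErrorAction Stop

$problems = @()

# 1. Expiring or unusable credentials stop the server from synchronizing.
$user = Get-ADUser -Server $Domain -Identity $SyncAccount `
    -Properties PasswordNeverExpires, PasswordExpired, LockedOut
if (-not $user.Enabled)    { $problems += "$SyncAccount is disabled" }
if ($user.LockedOut)       { $problems += "$SyncAccount is locked out" }
if ($user.PasswordExpired) { $problems += "$SyncAccount password has already expired" }
if (-not $user.PasswordNeverExpires) {
    $problems += "$SyncAccount password expires; set PasswordNeverExpires or rotate it and update the console together"
}

# 2. The key file must stay at the configured path; a missing file breaks every domain.
if (-not (Test-Path -LiteralPath $KeyFile)) {
    $problems += "Key file $KeyFile is missing; synchronization will fail"
}
else {
    # 3. The key decrypts the stored domain credentials, so broad read access is a finding.
    $broad = 'Everyone|Authenticated Users|Domain Users|^BUILTIN\\Users$'
    $acl   = Get-Acl -LiteralPath $KeyFile
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -match $broad) {
            $problems += "Key file readable by $($ace.IdentityReference.Value)"
        }
    }
}

if ($problems.Count -eq 0) { 'AD synchronization prerequisites look good' }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

Run it from the OfficeScan/Apex One server as an account that can read the key file's ACL; a PROBLEM line for the ACL means the file should be re-permissioned to the server service account (plus administrators) before the next synchronization window.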
- Log in to the OfficeScan/Apex One web console.
- Go to Assessment > Unmanaged Endpoints.
- Under Unmanaged Endpoints, click Define Scope.
- On the Define Scope page, choose to search for endpoints either via Active Directory or via IP address:
- Via Active Directory:
- Go to the Active Directory Scope section.
- Select "Use on-demand assessment to perform real-time queries and get more accurate results".
Disabling this option causes OfficeScan/Apex One to query the database instead of each OfficeScan/Apex One agent. Querying only the database can be quicker but is less accurate.
- Select the objects to query.
If querying for the first time, select an object with less than 1,000 accounts and then record how much time it took to complete the query. Use this data as your performance benchmark.
- To define an IP address scope:
- Go to the IP Address Scope section.
- Select Enable IP Address Scope.
- Specify an IP address range and click the plus (+) or minus (-) button to add or delete IP address ranges:
- For a pure IPv4 OfficeScan/Apex One server, type an IPv4 address range.
- For a pure IPv6 OfficeScan/Apex One server, type an IPv6 prefix and length.
- For a dual-stack OfficeScan/Apex One server, type an IPv4 address range and/or IPv6 prefix and length.
An IPv6 range may span at most 16 bits (65,536 addresses), the same limit that applies to IPv4 ranges, so the prefix length must be between 112 and 128.
- Under Advanced Setting, specify ports used by OfficeScan/Apex One servers to communicate with agents. Setup randomly generates the port number during OfficeScan/Apex One server installation.
To view the communication port used by the OfficeScan/Apex One server, go to Agents > Agent Management and select a domain. The port displays next to the IP address column. Trend Micro recommends keeping a record of port numbers for your reference.
- To declare an endpoint unreachable as soon as a TCP connection to one particular port fails, select "Declare an endpoint unreachable by checking port <x>". The default port is 135 (the Windows RPC endpoint mapper).
- When the connection to that port cannot be established, OfficeScan/Apex One immediately treats the endpoint as unreachable and skips the remaining connection verification tasks, which speeds up the query. The trade-off is that an endpoint whose host firewall blocks the port is reported as unreachable even though it is online and unmanaged.
- To save the scope and start the query, click Save and re-assess. To save the settings only, click Save only.
The Outside Server Management screen displays the result of the query.
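Before running an assessment over a large IP scope it helps to know in advance which hosts the port shortcut will write off as unreachable. The script below is an added example, not part of the original page or of the product; it reproduces the "check port <x>" logic over an IPv4 range with a short connect timeout. The range 10.0.1.1-10.0.1.254, port 135 and the 500 ms timeout are assumptions.

```powershell
# Added example: preview which hosts in an IPv4 range the assessment will declare
# unreachable when "Declare an endpoint unreachable by checking port <x>" is enabled.
# Assumed values (not from the original page): 10.0.1.1-10.0.1.254, port 135, 500 ms.
param(
    [string]$StartIP   = '10.0.1.1',
    [string]$EndIP     = '10.0.1.254',
    [int]   $Port      = 135,
    [int]   $TimeoutMs = 500
)

# Dotted-quad <-> 32-bit integer so the range can be iterated.
function ConvertTo-UInt32 ([string]$ip) {
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($b)                       # network order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($b, 0)
}
function ConvertFrom-UInt32 ([uint32]$n) {
    $b = [BitConverter]::GetBytes($n)
    [Array]::Reverse($b)
    (New-Object System.Net.IPAddress -ArgumentList (,$b)).ToString()
}

# TCP connect with a bounded wait; a refused or timed-out connect counts as unreachable,
# exactly the condition under which the server skips further verification.
function Test-Port ([string]$ip, [int]$port, [int]$timeout) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ip, $port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($timeout, $false)) { return $false }  # timeout
        $client.EndConnect($ar)                                                   # throws if refused
        return $true
    }
    catch   { return $false }
    finally { $client.Close() }
}

$first = ConvertTo-UInt32 $StartIP
$last  = ConvertTo-UInt32 $EndIP
$results = for ($n = $first; $n -le $last; $n++) {
    $ip = ConvertFrom-UInt32 $n
    [pscustomobject]@{
        IPAddress = $ip
        Port      = $Port
        Reachable = Test-Port $ip $Port $TimeoutMs
    }
}

$results | Format-Table -AutoSize
$skipped = @($results | Where-Object { -not $_.Reachable }).Count
"Would be declared unreachable: $skipped of $($results.Count)"
```

Hosts listed as Reachable=False that you know are powered on are the ones to investigate before trusting the assessment result: typically a host firewall rule blocking port 135, or a non-Windows device that the port check cannot distinguish from an offline one.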
- Select the endpoints on which you want to install the OfficeScan/Apex One agent and click Install.
- Enter domain administrator credentials and click Log on.
- Wait for the installation to finish.
- Once the OfficeScan/Apex One agent is installed, a pop-up like the following appears: