Security Compliance can query unmanaged endpoints in the network to which the OfficeScan server belongs. You can use Active Directory and IP addresses to query endpoints and install the OfficeScan agent.
To synchronize the Active Directory in the OfficeScan server:
- Go to Administration > Active Directory > Active Directory Integration.
- Under Active Directory Domains, specify the Active Directory domain name.
- Specify credentials that the OfficeScan server will use when synchronizing data with the specified Active Directory domain.
The credentials are required if the server is not part of the domain. Otherwise, the credentials are optional. Be sure that these credentials do not expire or the server will not be able to synchronize data.
- Click the + button to add more domains.
If necessary, specify domain credentials for any of the added domains.
- Click the - button to delete domains.
- Specify encryption settings if you specified domain credentials.
As a security measure, OfficeScan encrypts the domain credentials you specified before saving them to the database. When OfficeScan synchronizes data with any of the specified domains, it will use an encryption key to decrypt the domain credentials.
If the encryption key file is removed or its file path changes, OfficeScan will not be able to synchronize data with all of the specified domains.
- Go to the Encryption Settings for Domain Credentials section.
- Type an encryption key that does not exceed 128 characters.
- Specify a file to which to save the encryption key.
You can choose a popular file format, such as .txt. Type the file's full path and name, such as C:\AD_Encryption\EncryptionKey.txt.
- Click one of the following:
- Save: Save the settings only. Because synchronizing data may strain network resources, you can choose to save the settings only and synchronize at a later time, such as during non-critical business hours.
- Save and Synchronize: Save the settings and synchronize data with the Active Directory domains.
- Log in to the OfficeScan web console.
- Go to Assessment > Unmanaged Endpoints.
- Under Unmanaged Endpoints, click Define Scope.
- In the Define Scope page, choose to search for endpoints via either Active Directory or IP address:
- Via Active Directory:
- Go to the Active Directory Scope section.
- Select "Use on-demand assessment to perform real-time queries and get more accurate results".
Disabling this option causes OfficeScan to query the database instead of each OfficeScan agent. Querying only the database can be quicker but is less accurate.
- Select the objects to query.
If querying for the first time, select an object with fewer than 1,000 accounts and then record how much time it took to complete the query. Use this data as your performance benchmark.
- To define an IP address scope:
- Go to the IP Address Scope section.
- Select Enable IP Address Scope.
- Specify an IP address range and click the plus (+) or minus (-) button to add or delete IP address ranges:
- For a pure IPv4 OfficeScan server, type an IPv4 address range.
- For a pure IPv6 OfficeScan server, type an IPv6 prefix and length.
- For a dual-stack OfficeScan server, type an IPv4 address range and/or IPv6 prefix and length.
The IPv6 address range limit is 16 bits, which is similar to the limit for IPv4 address ranges. The prefix length should therefore be between 112 and 128.
- Under Advanced Setting, specify ports used by OfficeScan servers to communicate with agents. Setup randomly generates the port number during OfficeScan server installation.
To view the communication port used by the OfficeScan server, go to Agents > Agent Management and select a domain. The port displays next to the IP address column. Trend Micro recommends keeping a record of port numbers for your reference.
- To check endpoint connectivity using a particular port number, select "Declare an endpoint unreachable by checking port <x>".
- When a connection is not established, OfficeScan immediately treats the endpoint as unreachable. The default port number is 135. Enabling this setting speeds up the query.
- When a connection to endpoints cannot be established, the OfficeScan server no longer needs to perform all the other connection verification tasks before treating endpoints as unreachable.
- To save the scope and start the query, click Save and re-assess. To save the settings only, click Save only.
The Outside Server Management screen displays the result of the query.
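A pre-flight check for the IP address scope limits described above, written as an added example (it is not Trend Micro code). The 112 to 128 prefix-length rule is from this page; the "start-end" text form for IPv4 ranges and the reading that the IPv4 limit is likewise 16 bits (65,536 addresses) are assumptions of the example.

```python
import ipaddress

# From the page: an IPv6 scope may span at most 16 bits (prefix 112-128).
MAX_RANGE_BITS = 16
MIN_IPV6_PREFIX = 128 - MAX_RANGE_BITS  # 112

def check_ipv4_range(start, end):
    """Return (ok, reason) for an IPv4 start/end pair."""
    try:
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    except ipaddress.AddressValueError as exc:
        return False, f"not an IPv4 address: {exc}"
    if hi < lo:
        return False, "end address is lower than start address"
    size = int(hi) - int(lo) + 1
    # Assumption: the IPv4 limit is also 16 bits, as the page implies.
    if size > 2 ** MAX_RANGE_BITS:
        return False, f"{size} addresses exceeds the 16-bit limit"
    return True, f"{size} addresses"

def check_ipv6_prefix(scope):
    """Return (ok, reason) for an IPv6 'prefix/length' string."""
    try:
        # strict=True rejects a prefix that still has host bits set.
        net = ipaddress.IPv6Network(scope, strict=True)
    except ValueError as exc:
        return False, f"not a valid IPv6 prefix: {exc}"
    if net.prefixlen < MIN_IPV6_PREFIX:
        return False, f"prefix length /{net.prefixlen} is outside 112-128"
    return True, f"/{net.prefixlen} covers {net.num_addresses} addresses"

def check_scope(entry):
    """Treat 'start-end' as an IPv4 range, anything else as an IPv6 prefix."""
    if "-" in entry:
        start, _, end = entry.partition("-")
        return check_ipv4_range(start.strip(), end.strip())
    return check_ipv6_prefix(entry.strip())

# Constructed sample scopes (documentation address blocks), not from the page.
SAMPLE_SCOPES = [
    "192.0.2.1-192.0.2.254", "10.0.0.0-10.1.0.0",
    "2001:db8::/112", "2001:db8::/64", "2001:db8::1/120",
]

if __name__ == "__main__":
    for scope in SAMPLE_SCOPES:
        ok, reason = check_scope(scope)
        print(f"{'OK    ' if ok else 'REJECT'} {scope}: {reason}")
```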
- Choose the endpoint where you want to install the OfficeScan agent and click Install.
- Enter a domain administrator credential and click Log on.
- Wait for the installation to be finished.
- Once the OfficeScan agent is installed, you will get a pop up like this: