Setting up Policy Manager as proxy node - F-Secure Community
<main> <article class="userContent"> <p> </p>Setting up Policy Manager as proxy node <p>The following steps describe Policy Manager Proxy node installation for both Windows and Linux. </p> <ol><li> Install Policy Manager Server to act as a Proxy node, using the standard Policy Manager installer. </li> <li> Stop the Policy Manager service. <ol type="a"><li> Windows: <pre class="code codeBlock" spellcheck="false">net stop fsms</pre> </li> <li> Linux: <pre class="code codeBlock" spellcheck="false">/etc/init.d/fspms stop</pre> </li> </ol></li> <li> Fetch <strong>admin.pub</strong> from Master Policy Manager. You can either: <ol type="a"><li> Download it from Master Policy Manager using your browser (<pre class="code codeBlock" spellcheck="false">https://<policy manager server IP/host name>:<https port number></pre>). For example: <a href="https://127.0.0.1:443" rel="nofollow">https://127.0.0.1:443</a>, <a href="https://policymanagerhost:443" rel="nofollow">https://policymanagerhost:443</a>. </li> <li> Export it from the Policy Manager Console. </li> <li> Retrieve it from the host if the Policy Manager Proxy host is already running Server Security or Linux Security and is connected to the Master Policy Manager. </li> </ol></li> <li> Go to the Policy Manager Server (proxy node) data folder and place the admin.pub file retrieved from the Master Policy Manager there, replacing the existing admin.pub file if there is one. 
<ol type="a"><li> Windows: <pre class="code codeBlock" spellcheck="false">C:\Program Files (x86)\F-Secure\Management Server 5\data\admin.pub</pre> </li> <li> Linux: <pre class="code codeBlock" spellcheck="false">/var/opt/f-secure/fspms/data/admin.pub</pre> </li> </ol></li> <li> Edit <strong>additional_java_args</strong> in the registry or conf file, adding the following properties: <ol type="a"><li> <pre class="code codeBlock" spellcheck="false">-DupstreamPmHost=<master PM address></pre> Example: -DupstreamPmHost=10.1.1.1 </li> <li> <pre class="code codeBlock" spellcheck="false">-DupstreamPmPort=<usually 443></pre> Example: -DupstreamPmPort=443 </li> <li> <pre class="code codeBlock" spellcheck="false">-DadminPubLocation="<path to admin.pub location from previous step, including the name of the file>"</pre> <strong>Note:</strong> On Linux, the path to admin.pub is written in single quotes. <div>Example: <ul><li> -DadminPubLocation="C:\Program Files (x86)\F-Secure\Management Server 5\data\admin.pub" (Windows) </li> <li> -DadminPubLocation='/var/opt/f-secure/fspms/data/admin.pub' (Linux) </li> </ul></div> </li> <li> <pre class="code codeBlock" spellcheck="false">-Djetty.startServerAsPrivileged=true</pre> (Additional step for Policy Manager for Linux 12.30 and 12.31 only.) </li> </ol><p><strong>Note:</strong> For Windows, edit the String registry key </p><pre class="code codeBlock" spellcheck="false">HKEY_LOCAL_MACHINE\SOFTWARE(Wow6432Node)\Data Fellows\F-Secure\Management Server 5\additional_java_args</pre> and specify the above Java system properties using space as a delimiter. Property names and values are case sensitive. <p><strong>Note:</strong> For Linux, use the config file </p><pre class="code codeBlock" spellcheck="false">/etc/opt/f-secure/fspms/fspms.conf</pre> instead of the registry. Edit the line with the parameter additional_java_args and specify the above Java system properties in its value, in quotes, using space as a delimiter. Property names and values are case sensitive. 
</li> <li> Use the <strong>fspmp-enroll-tls-certificate</strong> script to generate the proxy node certificate. Run the script and authenticate yourself as root administrator of the Master Policy Manager: <ol type="a"><li> Windows: Script location is <pre class="code codeBlock" spellcheck="false"><F-Secure installation folder>/Management Server 5/bin/fspmp-enroll-tls-certificate.bat</pre> </li> <li> Linux: Script location is <pre class="code codeBlock" spellcheck="false">/opt/f-secure/fspms/bin/fspmp-enroll-tls-certificate</pre> </li> </ol></li> <li> Start the Policy Manager service. <ol type="a"><li> Windows: <pre class="code codeBlock" spellcheck="false">net start fsms</pre> </li> <li> Linux: <pre class="code codeBlock" spellcheck="false">/etc/init.d/fspms start</pre> </li> </ol></li> </ol><p>You can now configure endpoints to use the proxy by specifying the proxy node in priority order in the Policy Manager Proxy table. </p> <p><strong>Note:</strong> The Policy Manager Proxy table editor does not allow modifying the HTTPS port; it is always set to 443. </p> </article> </main>
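<p>On Linux, the settings from steps 4 and 5 can be checked before the service is started again. The script below is an added example, not F-Secure code: it assumes fspms.conf holds one line of the form additional_java_args="...", and the function names get_prop and check_proxy_conf are hypothetical.</p>

```shell
#!/bin/sh
# Added example, not F-Secure code. Assumption: fspms.conf holds one line of the
# form additional_java_args="..." with the properties separated by spaces.

# Print the value of one -D property; the match is case sensitive on purpose.
get_prop() {  # $1 = conf file, $2 = property name (hypothetical helper)
    args=$(sed -n 's/^additional_java_args="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1)
    # The value is either '...' (single-quoted path) or a bare word.
    printf '%s\n' "$args" |
        sed -nE "s/(^|.* )-D$2=('[^']*'|[^ ]*).*/\2/p" | tr -d "'"
}

# Return 0 only if all three proxy properties are usable; print each problem.
check_proxy_conf() {  # $1 = conf file
    rc=0
    host=$(get_prop "$1" upstreamPmHost)
    port=$(get_prop "$1" upstreamPmPort)
    pub=$(get_prop "$1" adminPubLocation)
    [ -n "$host" ] || { echo "missing -DupstreamPmHost"; rc=1; }
    case $port in
        ''|*[!0-9]*) echo "missing or non-numeric -DupstreamPmPort"; rc=1 ;;
    esac
    if [ -z "$pub" ]; then
        echo "missing -DadminPubLocation"; rc=1
    elif [ ! -s "$pub" ]; then
        echo "admin.pub missing or empty at: $pub"; rc=1
    fi
    return "$rc"
}

# Constructed sample: a temporary directory stands in for the real data folder.
tmp=$(mktemp -d)
echo "constructed placeholder, not a real key" > "$tmp/admin.pub"
printf '%s\n' "additional_java_args=\"-DupstreamPmHost=10.1.1.1 -DupstreamPmPort=443 -DadminPubLocation='$tmp/admin.pub'\"" > "$tmp/fspms.conf"
check_proxy_conf "$tmp/fspms.conf" && echo "proxy node settings look complete"
rm -rf "$tmp"
```

<p>On a proxy node, call check_proxy_conf /etc/opt/f-secure/fspms/fspms.conf after editing the file and before starting the service; a property typed with the wrong letter case is reported as missing.</p>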