The first step in network traffic security is often to protect system administration traffic, because the system administrator passwords and data present critical targets for potential intrusion attempts.
Telnet terminal access and FTP file transfer use unsecured protocols, sending passwords and other content in plaintext. SSH Tectia offers standards-based secure replacements for these. The following steps are a typical example of secure terminal and file transfer deployment:
Compile a list of servers to be secured, and a list of the user workstations from which secure access needs to be provided.
In the example environment, a Management Server has already been installed. The SSH Tectia environment is administered by several system administrators, connecting to the Management Server via the TLS-protected web connection using the SSH Tectia Manager administration interface. The administrator workstations have Internet browsers (Netscape, Mozilla, or Internet Explorer) installed.
The sample environment consists of Unix servers, to which the network administrator terminals and file transfer connections need to be secured. The network administrators access the servers using a mix of Windows and Unix workstations. Figure 6.1 represents a simplified view of the environment, with the web-browser-equipped SSH Tectia Manager administrator workstations on the left, and examples of the target Unix servers and network administrator workstations on the right.
Deploy the Management Agent to the servers and workstations. For more details, see Management Agent in this document and Chapter 4 in SSH Tectia Manager Administrator Manual.
The Management Agent installation is performed via a third-party software deployment system (for example, SMS, Active Directory, IBM Tivoli, or disk image files) or manually as a local installation. See Figure 6.2.
The Management Agent needs a configuration file, created by the Management Server, called the Initial Configuration Block (ICB). The ICB contains initial configuration data, such as the domain name of the Management Server, and information on how to authenticate the server and the Management Agent to the server. The ICB is deployed with the Management Agent and it is only required for the initial connection, after which the Management Agent builds itself a new configuration.
The Management Agent is an agent-type software component that runs transparently in the background and performs management actions (for example, upgrade, configuration update, log gathering) on the SSH Tectia software running on the host. Upon activation, it opens the management connection to the Management Server (see Figure 6.3) using the parameters provided in the ICB.
The port used for the management connection is 17235. Opening the management connection from the client to the Management Server frees the Management Server from having to poll for potentially offline hosts, and from having to open ports and services for the management connection on all managed hosts.
Upon initial connection to the Management Server, an entry for the managed host is entered into the database and the host receives a unique identifier and a new shared secret for subsequent connections to the Management Server.
The managed hosts can be grouped into different host views, for example, by their operating system, location, or department. An entry for the managed host appears in all host views automatically (host entries do not need to be created in the Management Server host views prior to Management Agent deployment). The specific grouping in each view for the managed host can be manual or automatically assigned based on a hostname or operating system pattern. The host groups can also be predefined in the ICB, or a combination of both automatic methods can be used.
Deploy SSH Tectia Server or ConnectSecure to the target servers, and SSH Tectia Client or ConnectSecure to the target workstations (see Chapter 7 of the SSH Tectia Manager Administrator Manual for details).
After the hosts have opened their management connections to the Management Server and can be seen in the administration interface, they are ready for centralized management. The first task is to deploy SSH Tectia software to hosts and to upgrade those hosts that are running an outdated or a third-party version of Secure Shell. This can be performed as a single management task, by selecting a target host group and specifying the required SSH Tectia software version for deployment. See Figure 6.4.
SSH Tectia Manager verifies the operating system running on each host that is queued for installation, and selects the appropriate installation package. It then pushes the installation packages through the management connection (see Figure 6.5), and performs the installation without requiring any further administrator interaction.
The Management Agent notifies the Management Server on the success or failure of the installation jobs.
If a host is offline at the time of deployment, the installation job remains pending until the next time the host comes online and the Management Agent connects to the Management Server. The pending installation job is then performed automatically.
After deploying SSH Tectia to all managed hosts, the administrators need to create appropriate SSH Tectia configuration files for SSH Tectia Client, ConnectSecure, and Server. This is done with the SSH Tectia Manager administration interface.
The configurations need to follow the guidelines set by the corporate security policy. The configurations will include, among other settings, the following parameters (see Figure 6.6):
encryption algorithms
firewall settings
re-keying interval
authentication methods
Note: Check that the configuration files are correct before distributing them to the managed hosts.
Once the configurations have been created and tested, assign them to the target host groups using a pre-selected host view. Configurations are typically assigned on a host-group basis. It is also possible to assign host-specific configurations to accommodate special cases, or the hosts can inherit configurations from a higher level in the host-group hierarchy. See Figure 6.7.
The deployment itself is performed in much the same way as the binary deployment in Step 3. See Figure 6.8. A host group can contain several different platforms, but SSH Tectia Manager automatically detects the operating system and assigns the corresponding configuration.
Any open Secure Shell sessions continue using the old SSH Tectia Server configuration, while new sessions are opened using the new configuration. If an error in the new configuration file prevents the SSH Tectia Server from running, the Management Agent reverts to the old configuration and notifies the Management Server of the failure.
Ensure that traffic to TCP/IP port 22 (the standard port for Secure Shell traffic) is allowed through firewalls within the target environment.
Test the secure sshg3 and sftpg3 connections to ensure connectivity.
Train the staff on secure connectivity using SSH Tectia (for availability of SSH Tectia training services in your region, please contact your local SSH sales).
Disable the telnet and ftp services on the target servers, and/or block access to the ports with a host firewall (see the relevant server OS documentation for details).
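A post-cutover check for the port 22 and telnet/ftp steps above, written as an added example and not taken from the SSH Tectia manuals: it reads `ss -tln` output (a constructed sample is embedded) and reports any plaintext telnet or ftp listener left on a target server, and whether anything is listening for Secure Shell on TCP 22. It checks listening sockets only; host firewall rules are verified separately with the tools of the server OS.

```sh
#!/bin/sh
# Added post-cutover check (not part of the SSH Tectia documentation): confirm
# that a target server listens on TCP 22 for Secure Shell and that the plaintext
# telnet (TCP 23) and ftp (TCP 21) services it replaces are no longer listening.
# Input is the text of `ss -tln` (or `netstat -tln`: same local-address column),
# passed as a string so captured output from many hosts can be checked offline.

# Prints one finding per line; prints nothing when the host is clean.
audit_listeners() {
    printf '%s\n' "$1" | {
        read -r _header                      # skip the column header line
        ssh_seen=0
        while read -r _state _recvq _sendq local _peer; do
            [ -n "$local" ] || continue
            port=${local##*:}                # port follows the last colon (works for [::]:22 too)
            case $port in
                22) ssh_seen=1 ;;
                23) echo "telnet still listening on $local" ;;
                21) echo "ftp still listening on $local" ;;
            esac
        done
        [ "$ssh_seen" -eq 1 ] || echo "no listener on TCP 22: Secure Shell service is not running"
    }
}

# Returns 0 when there are no findings, 1 otherwise (usable as a gate in a rollout script).
audit_ok() {
    [ -z "$(audit_listeners "$1")" ]
}

# Constructed sample output: a server before the cutover (telnet and ftp still up) ...
BEFORE_CUTOVER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      10     0.0.0.0:23         0.0.0.0:*
LISTEN 0      10     0.0.0.0:21         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# ... and the same server after telnet and ftp have been disabled.
AFTER_CUTOVER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

audit_listeners "$BEFORE_CUTOVER"
audit_ok "$AFTER_CUTOVER" && echo "after cutover: only Secure Shell is listening"
```

On a live server the same check is `audit_ok "$(ss -tln)"`, run on each target host after the services have been disabled.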
The network administrators can now start using SSH Tectia Client for secure administration duties.
SSH Tectia Manager displays the status of the SSH Tectia Server in the host group view, enabling the SSH Tectia Manager administrators to quickly respond to failures in service availability.
SSH Tectia Client/Server outputs log entries (for example, user logins, logouts, failed login attempts) to local syslog. The Management Agent periodically gathers these logs and pushes them to the Management Server through the management connection. See Figure 6.9.
The Management Server stores the SSH Tectia logs into the database. They can be sorted and searched according to date and time, hostname, and log message.
SSH Tectia utilizes the existing user accounts on the target servers, which enables effective deployment of secure connectivity without changes to user management. The default configuration of SSH Tectia client/server solution enables secure terminal and file transfer services to the target servers. For more details on the SSH Tectia Client, ConnectSecure, and Server configuration alternatives, see SSH Tectia Client User Manual, SSH Tectia ConnectSecure Administrator Manual, and SSH Tectia Server Administrator Manual.