Installation Guide A - PAnet Maintenance · Installation ... Installing Pointsec PC in an IBM RRU Environment ... Apart from this installation guide, the following documentation is

Pointsec PC

Installation Guide

Version 6.2, rev. AJuly 2007

© 2003-2007 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

©2003–2007 Check Point Software Technologies Ltd. All rights reserved.

Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S. Patents, foreign patents, or pending applications.

For third party notices, see “THIRD PARTY TRADEMARKS AND COPYRIGHTS” on page 37.

Table of Contents i

Contents

Preface Introduction ...................................................................................................... 1Who Should Read This Guide?............................................................................. 2About This Guide ............................................................................................... 2Other Documentation ......................................................................................... 2Accepting Delivery of Pointsec PC ....................................................................... 3

Direct Delivery .............................................................................................. 3Outside Carrier Delivery ................................................................................. 3Electronic Download...................................................................................... 3

Who To Contact in the Case of an Unsuccessful Delivery........................................ 4

Chapter 1 Before You Install Pointsec PC About Pointsec PC Administrators........................................................................ 5Pointsec PC Environment Requirements............................................................... 5Pointsec PC System Requirements ...................................................................... 6Installing on Portable Computers ......................................................................... 6About Passwords................................................................................................ 6Password Options............................................................................................... 7

Fixed Passwords............................................................................................ 7Dynamic Tokens............................................................................................ 7Smart Cards ................................................................................................. 7

Do not Modify Pointsec for PC.msi Package.......................................................... 7Before Installing ................................................................................................ 7

Read the Release Notes................................................................................. 8Considerations for Other Programs .................................................................. 8Review precheck.txt ...................................................................................... 8Changing Graphics Displayed in Preboot and License Text Displayed during

Installation .............................................................................................. 19

Chapter 2 Installing Pointsec PC for Administrators Installing Pointsec PC on Windows Vista ............................................................ 21Registering Pointsec PC.................................................................................... 22Creating Administrator Accounts........................................................................ 25

Administrator Accounts Using Fixed Passwords .............................................. 25Administrators Using Smart Cards ................................................................ 27

Specifying Volumes, Encryption Methods, and the Recovery Path ......................... 28Log File Created During Installation .............................................................. 31

Logging On for the First Time............................................................................ 32Accessing Pointsec PC Management Console ...................................................... 34Encryption Progress.......................................................................................... 34Installing Pointsec PC in an IBM RRU Environment ............................................ 35

Running Using precheck.txt ......................................................................... 35Running InstallRRU.msi after Installation...................................................... 35Log File Created During Installation .............................................................. 36Booting the System into IBM RRU................................................................ 36

ii

1

Preface PPreface

In This Chapter

IntroductionPointsec PC Enterprise Workplace Edition (Pointsec PC) is a policy-based, enterprise security software solution. Pointsec PC combines boot protection, preboot authentication and strong encryption to ensure only authorized users are granted access to information stored in desktop and laptop PCs.

Pointsec PC is deployed and administered across the network. As encryption is both automatic and transparent, security is enforced without requiring special efforts from users.

Introduction page 1

Who Should Read This Guide? page 2

About This Guide page 2

Other Documentation page 2

Accepting Delivery of Pointsec PC page 3

Note - Pointsec PC is designed to be first installed and configured in a test environment comprised of an administrator’s workstation and networked computers. Once the Pointsec PC system has been thoroughly tested, it can be deployed to a production environment.

Who Should Read This Guide?

2

Who Should Read This Guide?This guide is for IT staff who will work as Pointsec PC administrators. As a Pointsec PC administrator, you should be well acquainted with your organization’s network and operating procedure.

About This GuideThis guide is designed to help you install Pointsec PC for the first time. It is organized as follows:

• Chapter 1, Before You Install Pointsec PC on page 5 , which covers information that will help you install Pointsec PC quickly and without problems

• Chapter 2, Installing Pointsec PC for Administrators on page 21, which takes you through the process of installing Pointsec PC for use on an administrator’s workstation.

Information on creating profiles, deploying them, administering Pointsec PC protected computers and updating Pointsec PC software can be found in the Pointsec PC Administrator’s Guide.

Other DocumentationApart from this installation guide, the following documentation is available:

Pointsec PC Release Notes contain the latest information on the current Pointsec PC release.

Pointsec PC Administrator’s Guide describes how to perform administrative tasks, for example, how to install and update Pointsec PC on client computers using profiles and how to remove Pointsec PC.

Pointsec PC Quick Start Guide describes in brief a master installation, creating sets, groups and users, and how to deploy Pointsec PC to your clients.

Accepting Delivery of Pointsec PC

Preface 3

Accepting Delivery of Pointsec PCThere are three methods of accepting a secure delivery of Pointsec PC:

• Direct delivery

• Outside carrier delivery

• Electronic download in an e-package

Direct DeliveryWith this delivery method, Pointsec PC is delivered directly to you by a Pointsec engineer. Before you accept delivery of Pointsec PC, always check the credentials of the Pointsec engineer.

The Pointsec PC CD-ROM case is sealed with three tamper-evident Pointsec stickers. Verify the authenticity of the package by ensuring that these stickers are unbroken and have not been tampered with in any way.

Outside Carrier DeliveryIn this method of delivery, Pointsec PC is delivered to you directly using a third-party shipper, such as FedEx or DHL. Before you accept delivery of Pointsec PC, always check the credentials of the carrier.

The Pointsec PC CD-ROM case is sealed with three tamper-evident Pointsec stickers. Verify the authenticity of the package by ensuring that these stickers are unbroken and have not been tampered with in any way.

Electronic DownloadIn this method of delivery, you download Pointsec PC directly from the Internet as an e-package.

To access the Pointsec PC e-package, you must register for an account on the Pointsec server site.

The server site is protected with a Pointsec certificate. You must accept this certificate to access the site. Once logged in, you can see all the e-packages you have purchased.

At the site, you enter a request for a user account and fill in the required information. The account is registered and you receive an e-mail from Pointsec containing the information you need to log in and download the e-package. The e-mail also contains information on how to verify the authenticity of the e-package.

Who To Contact in the Case of an Unsuccessful Delivery

4

Verifying the E-packageYour downloaded Pointsec e-package(s) each contain a ZIP file, containing the Pointsec product and a text file, product_file_name.txt which contains the information you need to verify that the package has not been tampered with.

To do this, use the command line utility fsum.exe to compute the MD5 checksum for the ZIP file and compare it with the MD5-checksum in product_file_name.txt. If the checksums match, you know that the e-package has not been tampered with.

You can download fsum.exe for free from http://www.slavasoft.com/fsum/.

To verify an e-package:

1. Copy fsum.exe, the downloaded ZIP file and product_file_name.txt to a temporary folder and run the fsum.exe with the -c switch.

fsum.exe compares the checksum specified in product_file_name.txt to the checksum it computes using the MD5 algorithm for the ZIP file. If the checksum for the ZIP file matches the checksum in product_file_name.txt, the ZIP file is marked OK and you know that the e-package has not been tampered with.

Otherwise, the file is marked with the word FAILED. See “Who To Contact in the Case of an Unsuccessful Delivery” on page 4 for more information if the verification fails.

2. Repeat the process for each Pointsec e-package that you have purchased.

Who To Contact in the Case of an Unsuccessful Delivery

If your Pointsec PC delivery shows signs of having been tampered with or the MD5 checksum you generate does not match the checksum in validate.txt, contact your Pointsec representative immediately for advice on how to proceed.

http://www.slavasoft.com/fsum/

5

Chapter 1Before You Install Pointsec PC

This chapter discusses Pointsec PC administration levels, system requirements, types of passwords used during installation and how you can streamline the installation process by using the precheck.txt file.

About Pointsec PC AdministratorsPointsec PC administrators control the profiles that are used to install Pointsec PC on client computers. When installing Pointsec PC, you will create two administrator accounts. For more information on Pointsec PC administrators, see the Pointsec PC Administrator’s Guide.

Pointsec PC Environment RequirementsTo maximize the level of security, you should ensure that the following environment requirements are met:

• You have received an authentic copy of Pointsec PC; see “Accepting Delivery of Pointsec PC” on page 3 for more information.

• You use a Pointsec PC service account with the following permissions on the local computer: Run as Service, RXWD to the Program Files\Pointsec directory. For more information, see the Pointsec PC Administrator’s Guide.

• You have a secure network share with the following permissions: RX for all users, RXWD for the Pointsec PC service account.

• A reliable time source on the local computer, i.e. it should be synchronized with a time server.

Pointsec PC System Requirements

6

• A phone verification database to determine the authenticity of a user over the phone.

• A test environment for the initial installation and creation of the deployable Pointsec PC profile/configuration.

Pointsec PC System RequirementsFor system requirements, including operating system, service pack, memory, and disk space requirements, please see thePointsec PC Release Notes.

Installing on Portable ComputersIf you are installing Pointsec PC on a portable computer, we recommend you connect the computer to the AC power supply. The time required to encrypt can vary depending on the size of the disk, what programs are running, and the speed of the processor.

If the portable computer’s battery fails, Pointsec PC may not have completed the encryption process. If this is the case, Pointsec PC will continue the encryption process when the computer reboots.

About PasswordsBefore you start installing Pointsec PC, you should know something about the types of passwords you will be asked to specify during the installation.

Note - We recommend that you always perform a backup of any computer on which you want to install Pointsec PC.

Note - Fragmented Disks

2 MBS of contiguous disk space is required for Pointsec PC installation. If this amount of continuous space is not available, the installation will fail. In general, it is considered good practice to avoid fragmented disks to enhance overall performance. It is also considered good practice to defragment disks prior to installing Pointsec PC.

Password Options

Chapter 1 Before You Install Pointsec PC 7

Password OptionsYou can use the following types of passwords when installing Pointsec PC: fixed passwords and dynamic tokens.

Fixed PasswordsFixed passwords, as the name implies, do not change. In Pointsec PC, a fixed password must contain at least six characters but no more than 31.

For more information, see “Administrator Accounts Using Fixed Passwords” on page 25 and the Pointsec PC Administrator’s Guide.

Dynamic TokensDynamic tokens, also known as one-time passwords, change constantly. Users use a small device, usually called a dynamic token, to generate a new password every time they start their workstations. Dynamic tokens are intended for environments requiring better security than fixed passwords can provide where password standards are not rigorous enough.

For more information, see “Administrators Using Dynamic Tokens” on page 26 and the Pointsec PC Administrator’s Guide.

Smart CardsSmart cards provide secure storage of user credentials and digital certificates. Pointsec PC supports both smart cards with readers, and readerless USB tokens.

For more information, see “Administrators Using Smart Cards” on page 27 and the Pointsec PC Administrator’s Guide.

Do not Modify Pointsec for PC.msi PackageDo not modify the Pointsec for PC.msi package in any way. For instance, do not attempt to modify the Pointsec for PC.msi package by using transforms. Modification of the Pointsec for PC.msi package invalidates the supportability of the product.

Before InstallingThe following sections discuss information you need to know and things you need to check before you start to install Pointsec PC.

Read the Release Notes

8

Read the Release NotesThe release notes contain the latest information on Pointsec PC. Read them to find out what is new, fixed or changed. You can find the release notes on your Pointsec PC CD.

Considerations for Other ProgramsConsider the following:

• Pointsec Media Encryption

If Pointsec Media Encryption is already installed on the workstation on which you want to install Pointsec PC, Single Sign On (SSO) will not work properly.

To fix this, manually insert the string value CompatibleGinas=pme.dll in Windows’ registry.

This action does not have to be taken if Pointsec Media Encryption is installed after Pointsec PC.

• Pointsec PC and Entrust

For information on Pointsec PC and Entrust installation and integration, please see the Pointsec PC Administrator’s Guide.

Review precheck.txtprecheck.txt is an installation settings file designed to make installing Pointsec PC even simpler. By configuring precheck.txt, you can streamline the installation process and configure settings faster. The precheck.txt file is in the same folder as the Pointsec PC.msi file.

When you start to install Pointsec PC, the installation program reads precheck.txt and determines if it should terminate in certain circumstances as specified by you. You can also configure precheck.txt when installing on a computer running IBM Rapid Restore Ultra (RRU).

In addition, you can use precheck.txt to configure settings for third-party Graphical Identification and Authentication (GINA) dlls, Single Sign On (SSO) delay times, and update intervals.

precheck.txt settings can be altered after installation by editing them in the Pointsec registry key.

Precheck SettingsThe following sections describe the settings you can configure in precheck.txt.

Review precheck.txt


General Settings

Table 1-1 General Settings

Setting Description

AddFilter=Yes This is a legacy setting for Windows Pointsec PC driver installation. It is no longer used.

AbortOnDualBoot=Yes The value can be Yes or No. The default value is Yes which will cause Pointsec PC to terminate an installation on a dual boot system.

IgnoreOldInstallation=No Set this setting to Yes to enable support for re-installing on selected volumes while keeping old installations on other volumes.

Note: You must use the same user accounts in both installations.

Note: A re-installation of the boot volume requires all volumes to be protected by Pointsec PC.

ChainToMBR= This setting specifies which boot record Pointsec PC will load and start immediately after Pointsec PC preboot logon:

Yes = Pointsec PC loads and starts the master boot record. Yes is the default. No = Pointsec PC loads and starts the partition boot record.

ExtendedLogging= This setting specifies whether or not log events containing the status of all user accounts and groups will be written to the central log file. This setting can be used to reduce the size of the central log file.

Yes = Write log events containing the status of all user accounts and groups to the central log file. No = Do not write log events containing the status of all user accounts and groups to the central log file.

No is the default.

Run= Here you can enter a program to run before Pointsec PC is installed.

Review precheck.txt

10

RunAfter= Here you enter the path to scripts or execs that you want run immediately after the user logs on to Windows after the reboot that follows the installation of Pointsec PC. For example:

• The path to the script required when installing in an IBM RRU environment.

• The path to the dotnetfx.exe to install the .NET Framework if it is not already installed on this machine. The dotnetfx.exe is found in the Pointsec PC directory: Pointsec for PC\1_Pointsec_for_PC\Tools\DotNetRunTime\dotnetfx.exe

Note: Best practice is to specify the path in UNC format: \\<server>\<share>\....

HidInf= Together with Drivers=, this setting is used to deploy the HID driver, found under /modules/hid. For example:

Drivers=HID\hptc1100.bin HidInf=HID\hptc1100.inf

The HID driver enables the pen on tablet PCs.

See the current Release Notes for available drivers.

Note: If you have installed a Wacom driver on a computer that does not have Wacom hardware installed, this can cause hanging during preboot. To avoid this, hold both SHIFT keys down while the progress bar is visible during the loading of Pointsec preboot. A new menu selection, HID drivers, will be displayed, allowing you to disable the Wacom driver(s).

Note: You can also deploy HID drivers after installation using pscontrol.exe. For example:

C:\>pscontrol register-hid hptc1100.inf C:\>pscontrol install-driver hptc1100.bin


Setting Description

Review precheck.txt


Drivers= The value of this setting specifies the preboot smart card drivers that will be installed together with the Pointsec PC system. These drivers enable communication between a smart card and Pointsec PC prior to the start of Windows.

The specified value for this setting must be a semicolon-separated list of file names with no paths specified and no blanks. For example:

Drivers=msc_p11.bin;prd_ccid.bin

Available drivers are located in the Modules folder.

With the help of this facility, it is possible to use a smart card to log on at initial authentication.

See the description of HidInf=, above, for information on using Drivers= to deploy HID drivers.

CSPRandom= This setting specifies the name of the Cryptographic Service Provider (CSP) to use for random number generation during installation. The CSP name is vendor specific, and it can normally be found in the documetation for the CSP.

The CSP must be installed on a machine’s Windows system prior to Pointsec PC installation.

The Pointsec PC installation program will attempt to use the CSP specified in this setting to generate random numbers. The CSP’s random number generation is vendor specific, and it might require the presence of external hardware, for example, a smart card.

If the random number generation fails, the installation is aborted.

ShowRecoveryMessages= This setting specifies whether or not the message box related to the unavailability of the recovery path will be displayed to the user.

Yes = Display the message box related to the unavailability of the recovery path to the user. No = Do not display the message box related to the unavailability of the recovery path to the user.

No is the default.


Setting Description

Review precheck.txt

12

SuspendEncryptionTimeout= The amount of time, in minutes, to delay the start of encryption after Windows has started.

Minimum value = 4 Maximum value = 60

The default value is 4.

KeyImportDirectory= The path to the key import directory.

Note: Specifying a path for this setting activates encryption key import.

Best practice is to specify the path in UNC format: \\<server>\<share>\....

KeyImportMethod= This setting specifies how the imported random data will be processed when using it to make keys.

Combine = Partition keys are generated by combining the imported random data with random data generated by Pointsec PC. Data used to protect partition keys is generated by combining partition keys with random data generated by Pointsec PC.

‘Combine’ is the default: if nothing is specified for this setting, the ‘Combine’ method will be used.

Direct = The imported random data is used ‘as is’ as a partition key. Data used to protect partition keys is generated by combining partition keys with random data generated by Pointsec PC.

You cannot use the key import directory’s PWD.DAT file when using the ‘Direct’ method.


Setting Description

Review precheck.txt


GINA Settings

You can set the following Graphical Identification and Authentication (GINA) options:

General Update Settings

These are settings that Pointsec PC will use if no other settings are configured for profile download, Pointsec PC upgrade download, and central log transfer.

Table 1-2 Gina settings

Setting Description

CompatibleGinas= Here you can enter the names of compatible Graphical Identification and Authentication (GINA) dlls, separated by semi-colons (;), e.g. CompatibleGinas=xx1.dll; xx2.dll; xx3.dll

No value specified is the default. Enter the names of GINAs that you would like Pointsec PC to attempt to perform SSO to.

Note: The GINAs may not actually be compatible with Pointsec PC Single Sign-on (SSO).

SmartCardDlls= Here you can enter the preferred smart card dll order, separated by semi-colons (;), e.g. SmartCardDlls=xx1.dll; xx2.dll; xx3.dll

No value specified is the default. Specify which dll files the system should use with smart cards.

Review precheck.txt

14

If a different value is set in one or more of the settings that follow, that value will be used for that setting.

Table 1-3 General Update settings

Setting Description

InitialStartDelay=1 Here you can specify the delay before Pointsec PC takes any action regarding intervals. The values are in minutes.


FirstDelay=0 Here you can specify the delay before Pointsec PC starts the interval. The values are in minutes. The default value is 90 minutes.


UpdateInterval=180 Here you can specify the interval Pointsec PC waits before checking for update profiles. The values are in minutes.

Note: Immediately after installation, Pointsec PC checks for update profiles, then it waits 90 minutes before checking for updates again (90 minutes is the default if no other value has been set for FirstDelay). After this second check for updates, the checks will be carried out at the interval that has been specified for this setting or, if nothing has been specified, at the default, every 180 minutes.


RetryInterval=3 Here you can specify the interval Pointsec PC waits between retries when searching for updates. The values are in minutes.


RetryCount=5 Here you can specify the number of times Pointsec PC should retry an update search before aborting tries for this cycle.


Review precheck.txt


Update Profile Download Settings

Here you can specify how update profiles should be managed.

Software Upgrade Download Settings

Here you can specify how software upgrades should be managed.

Table 1-4 Upgrade Profile Download settings

Setting Description

ProfileInitialStartDelay= First delay before any action. The value is in minutes.ProfileFirstDelay= Delay after the first action, for example, the first attempt to

read the update profile, before the real cycle starts. The value is in minutes. The default value is 90 minutes.

ProfileUpdateInterval= Update interval cycle time. The value is in minutes.

Immediately after installation, Pointsec PC checks for update profiles, then it waits 90 minutes before checking for update profiles again (90 minutes is the default if no other value has been set for ProfileFirstDelay). After this second check for update profiles, the checks will be carried out at the interval that has been specified for this setting.

ProfileRetryInterval= Time between retries. The value is in minutes.

ProfileRetryCount= Max retry attempts before retries are cancelled this cycle.

Table 1-5 Software Upgrade Download settings

Setting Description

PatchInitialStartDelay= First delay before any action. The value is in minutes.

PatchFirstDelay= Delay after the first action, for example, the first attempt to read the profile, before the real cycle starts. The value is in minutes.

Review precheck.txt

16

Central Log Transfer Settings

Here you can specify how the central log transfer should be managed.

PatchUpdateInterval= Update interval cycle time. The value is in minutes.

Immediately after installation, Pointsec PC checks for updates, then it waits 90 minutes before checking for upgrade profiles again (90 minutes is the default if no other value has been set for PatchFirstDelay). After this second check for upgrade profiles, the checks will be carried out at the interval that has been specified for this setting.

PatchRetryInterval= Time between retries. The value is in minutes.PatchRetryCount= Max retry attempts before retries are cancelled this cycle.

Table 1-5 Software Upgrade Download settings

Setting Description

Table 1-6 Central Log Transfer Settings

Setting Description

CentralLogInitialStartDelay=

First delay before any action. The values are in minutes.


CentralLogFirstDelay= Delay after the first action, for example, the first attempt to send the local log file to the central log before the real cycle starts. The values are in minutes.


CentralLogUpdateInterval= Update interval cycle time. The values are in minutes.

Immediately after installation, Pointsec PC checks tries to send the local log file to the central log, then it waits 90 minutes before sending the local log file again (90 minutes is the default if no other value has been set for CentralLogFirstDelay). After this second sending of the log file, the checks will be carried out at the interval that has been specified for this setting.

Review precheck.txt


CentralLogRetryInterval= Time between retries. The values are in minutes.


CentralLogRetryCount= Max retry attempts before retries are cancelled this cycle.


LogTransfer= This setting determines whether or not Windows log transfer process is enabled.

The possible values are:

0=Do not transfer the log file to Windows Event log. 1=Transfer the log file to Windows Event log.

MaxLogTransferSize= Specifies the maximum size of the segments of the local log file that are transferred to the central log in one transfer. The value assigned to this setting is expressed as an interger that represents the maximum number of kilobytes (1 KB = 1024 bytes) of data transferred.

The default value is 10 KB.

If, for example, the MaxLogTransferSize was set to 2 KB, and there was 5 KB of log data to transfer, the system would transfer the first (earliest) 2 KB of whole log entries first, then it would transfer the next 2 KB of whole log entries, and finally it would transfer the remaining 1 KB of whole log entries. Because only whole log entries are transferred, the transfers might not be exactly 2 KB, but they will not be more than 2 KB.

Table 1-6 Central Log Transfer Settings

Setting Description

Review precheck.txt

18

Single Sign-On Settings

Here you can specify how the single sign-on (SSO) settings.

Accessing precheck.txt

To use precheck.txt during the installation:

1. Copy the contents of the Pointsec PC directory from the Pointsec PC CD to a directory on your computer.

Table 1-7 Single Sign-On settings

Setting Description

UpdateSSO=0 This setting determines how Pointsec PC handles third party GINAs. The default value is 0.

The following values are permitted:

0 This is the default value. Pointsec PC will check whenever the computer is started or shutdown for any changes made to the GINA and rebuild the GINA order. Pssogina.dll will always be set as the active GINA.

1 Pointsec PC maintains Pssogina.dll as the active GINA. Pointsec PC checks every 10 seconds for registry changes to GINA order. If there are any changes, for example, if Pssogina.dll is replaced by nwgina.dll, Pointsec PC will rebuild the GINA order so that Pssogina.dll is the first GINA.

2 The same as 1 but Pointsec PC also checks that the files associated with the GINAs are actually physically present. If a file has been removed, Pointsec PC deletes the GINA entry in the registry. For example, if a user removes the file associated with nwgina.dll, Pointsec PC discovers that the file is missing, removes the entry nwgina.dll in the registry and moves the next GINA up automatically. Pssogina.dll is always the first GINA.

4 Pointsec PC will not make any changes. If a new GINA is added, this will be the active GINA on the system. This option will, if Pssogina.dll is replaced, disable Pointsec PC SSO and smart card support.

SSODelay_NWGINA=

Here you can specify the delay before performing SSO with a Novell login. The default is 5000 milliseconds (ms).

The minimum value is 0 ms, and the maximum is 60000 ms. This setting can be useful when you need to correct problems with SSO caused by slow systems.

SSODelay_MSGINA=

Here you can specify the delay before performing SSO with a Windows 2000/XP login. The default is 2000 milliseconds (ms).

The minimum value is 0 ms, the maximum value is 60000 ms. This setting can be useful when you need to correct problems with SSO caused by slow systems.

Changing Graphics Displayed in Preboot and License Text Displayed during Installation


2. In Windows Explorer, browse to the directory and open precheck.txt in any regular text editor.

3. Edit the file to suit your installation preferences and then save it.

4. To start your Pointsec PC installation, right-click on Pointsec for PC.msi and select Install.


Pointsec PC enables you to change the Pointsec PC graphic images displayed during preboot authentication to, for example, images containing your company’s logo. You can also change the license text displayed during installation.

1. Create a folder named oemvar in the folder that contains the Pointsec for PC.msi file:

2. Add the relevant files, described below, to the oemvar folder. During installation, the files that have been added to the oemvar folder will be registered as the files to be displayed during preboot.

Table 1-8 oemvar files

Filename Description Specifications

Banner.bmp Banner displayed during installation, except for the InstallShield progress dialog.

499w * 59h

256 colors

Banner.jpg Banner displayed in preboot. Jpeg images created with Photoshop 3.0 cannot be used.

447w * 98h

Desktop.jpg Background image displayed in preboot. Jpeg images created with Photoshop 3.0 cannot be used.

800w * 600h


20

Scrsvr.jpg Preboot screen saver image. Jpeg images created with Photoshop 3.0 cannot be used.

260 * 128 (width * height)

Ssbg.bmp Windows screen saver background image. 1280 * 1024 (width * height)

256 colors

Lic_oem.rtf License text displayed in installation. This is a rich text file.

Table 1-8 oemvar files

Filename Description Specifications

21

Chapter 2Installing Pointsec PC for Administrators

This chapter documents how to install Pointsec PC for use by Pointsec PC administrators, a so called ‘master installation’.

The installation process can be divided into four phases:

• “Registering Pointsec PC” on page 22

• “Creating Administrator Accounts” on page 25

• “Specifying Volumes, Encryption Methods, and the Recovery Path” on page 28

Installing Pointsec PC on Windows VistaThe installation of Pointsec PC on Windows Vista follows the same steps as the installations on Windows 2000 or Windows XP with one important difference. The Pointsec PC installation on Vista must be run with administrator’s rights in order to install a special driver.

To start the Pointsec PC installation on Vista:

1. Log on to Windows Vista as administrator.

2. Insert the Pointsec PC CD into your disk drive and browse to the autorun.exe file.

Tip - You can streamline the installation by using the precheck.txt file. See “Review precheck.txt” on page 8 for more information.

Registering Pointsec PC

22

3. Right-click on the autorun.exe file and choose Run as administrator. An User Account Control windows opens and asks for your permission to install the program.

4. Click Continue to allow the installation to be run with administrator rights. The License Information dialog box opens and you can continue with the instructions in the following section, “Registering Pointsec PC”, from step 3 on page 23 and onward.


Registering Pointsec PC involves accepting the software license, confirming that you have backed-up the workstation, and registering your license number.

To register Pointsec PC:

1. Insert the Pointsec PC CD into your disk drive, the following dialog box opens:

2. Click Install. The InstallShield wizard prepares the installation.

Note - In Windows Vista you cannot run the msi package directly from Pointsec PC CD-rom, you need to browse to the autorun.exe file on the CD, right-click on the file and choose Run as administrator, see section “Installing Pointsec PC on Windows Vista” on page 21.

Note - If you run Windows Vista on your workstation, see the instructions in the previous section, “Installing Pointsec PC on Windows Vista”, before continuing the installation.


Chapter 2 Installing Pointsec PC for Administrators 23

The License Information dialog box opens:

3. Click Accept. (If you do not accept the license agreement, you cannot proceed.) The ReadMe dialog box opens:

Note - If you start the installation on a computer that has a network connection but no access to Internet, the PointsecForPC.msi file can be slow in starting. The PointsecForPC.msi file is signed with a digital signiture for security, and when this file starts, Windows attempts to reach the publisher’s Certificate Revocation List (CRL) to see if the .exe file’s certificate has been revoked. If the CRL cannot be reached via the network connection, it takes a long time for the PointsecForPC.msi to start.

To circumvent this delay, open Internet Explorer, select Tools → Internet Properties or Internet Options (depending on the version). Click the Advanced tab. In the Settings window, scroll down to the heading Security and clear the Check for publisher’s certificate

revocation check box. Click OK.


24

4. Select Yes, I want to read ReadMe.txt to read the latest information on Pointsec PC before continuing with the installation. When you have read the latest information on Pointsec PC, close the file to continue with the installation process.

In the Welcome dialog box:

5. Only when you are certain that the information on the workstation you are installing on has been backed-up, click Next.

The following dialog box opens:

6. Enter your details and license information. You can either enter your licence number manually in the Serial number field or click the Insert button to import a Check Point licence (.lic) file.

Note - As a safety precaution, always back up any computer before installing Pointsec PC.

Note - Pointsec PC supports only one single licence, not multiple licences.

Creating Administrator Accounts


7. Click Next. The Add an administrator dialog box opens. You are now ready to start the second phase of the installation and create the Pointsec PC administrator accounts.

Creating Administrator AccountsIn this phase of the installation, you create Pointsec PC administrator accounts and specify the types of passwords they use.

Administrator Accounts Using Fixed PasswordsTo create an administrator account that uses a fixed password:

1. In the Add an administrator dialog box, select the Fixed password option:

2. Enter the following information:

3. Click Next. The Add User dialog box opens again. If the second administrator account will also use a fixed password, repeat the instructions above, click Next and then see “Specifying Volumes, Encryption Methods, and the Recovery Path” on page 28.

If the account is to use a dynamic token, see “Administrators Using Dynamic Tokens” on page 26.

If the account is to use a smart card, see “Administrators Using Smart Cards” on page 27.

Table 2-1

Field Explanation

User account name Enter a name for the user account.Password Enter a password for user account. Verify Password Re-enter the password to confirm it.

Administrator Accounts Using Fixed Passwords

26

Administrators Using Dynamic TokensPointsec PC supports any dynamic token that supports the ANSI X.9.9 security standard.

To create an administrator account that uses a dynamic token:

1. In the Add user dialog box, select the Dynamic token option. The Settings area displays the dynamic token options:

2. Click Open File, browse to the token.imp file, delivered with your token(s), and open it. The following dialog box opens:

3. Enter the key you received from Pointsec, the key will decrypt the information in the import file, and click OK. The Select Key (token) dialog box opens.

4. Look for the serial number that is printed on the back of your token and find that number in the list displayed. Select the number and click OK.

5. If the second administrator account is to use a fixed password, see “Administrator Accounts Using Fixed Passwords” on page 25. If the second account is to use the same type of dynamic token as you just specified, repeat the instructions above, click Next and then see “Specifying Volumes, Encryption Methods, and the Recovery Path” on page 28.

Note - Pointsec PC does not save information about your encryption keys for either the tokens or import files. If the information is lost, the import file will be unusable, and all password tokens not yet imported will be unusable until reprogrammed.

Administrators Using Smart Cards


Administrators Using Smart CardsTo create an administrator account that uses a smart card:

1. In the Add user dialog box, select the Smart card option. The Settings area displays a list of the certificates found, for example:

Note - It is good practice to always have one administrator account that uses fixed password authentication. This administrator account is a “back up” that can be used in case of problems with an administrator’s smart card, for example, physical damage, loss, theft, or malfunction.

When performing recovery, you might also need administrator accounts that do not authenticate using USB smart cards. On certain hardware, legacy USB devices are not fully supported during recovery when using USB smart card authentication. An example of a legacy USB device is the USB reader you might want to use for your recovery media. Therefore, you might not be able to perform recovery if recovery authentication uses USB smart cards on this hardware because the USB device that is supposed to read the recovery file will not work.

Note - The install wizard looks for certificates locally in Personal Store and, if accessible, on smart cards, on USB tokens, and in Microsoft Active Directory.

Note - If a certificate is stored in more than one place, it will be listed as many times as the install wizard finds it. When selecting a certificate that is listed multiple times, it does not matter which of the listed instances of that certificate you choose. Review the location column in the list to determine if the a certificate is listed more than once.

Specifying Volumes, Encryption Methods, and the Recovery Path

28

2. Select the certificate you want to associate with the administrator account you are creating and click Next. The following dialog box opens:

3. Select the both reader driver and card driver you are going to use. If you are going to use a combined token/reader, for example, the RSA SecurID 800, you must choose RSA SecurID 800 both under Select reader drivers and under Select card drivers.

4. Click Next to continue with the installation.


In this final phase of the installation, you will specify the type of Pointsec PC protection you wish to use and where to store recovery information in the event of a disk crash.

1. In the Protect volumes dialog box:



Configure the following settings:

Table 2-2

Setting Explanation

Volumes From the volumes listed, select the volumes you want Pointsec PC to protect; you can select a maximum of twelve volumes.

Note: In a Common Criteria validated environment, all volumes must be selected for protection.

Note: Never use volume/disk partition editing software with Pointsec PC installed on the workstation. If you need to resize a partition, remove Pointsec PC completely first and then resize the partition. Otherwise, resizing might cause loss of data.

Boot Protection Select this option to implement user authentication at boot level on the specified volume.

Note: In a Common Criteria validated environment, this setting must be selected.

Encryption Select this option to encrypt the volumes selected.

Algorithm Select the encryption algorithm you want to use.

Note: You must use the same algorithm for all volumes on the same computer.

Note: In a Common Criteria validated environment, either 3DES or AES must be selected.


30

2. Click Next to continue. The following dialog box opens:

3. Enter the path to the location where the recovery file that will be used to recover information will be stored. Best practice is to specify the path in UNC format: \\<server>\<share>\.... Click Next.

The following dialog box opens:

4. Click Next. The Pointsec PC installation program checks the selected volumes for integrity, starts installing Pointsec PC, installs the Pointsec PC’s Management Console (PCMC), and creates the Pointsec PC program folder.

Note - Specify a secure location that is regularly backed-up on the network.

Log File Created During Installation


After that, the following dialog box opens:

5. Select Finish, the following dialog box opens:

6. Click Yes to restart your workstation. Once restarted, the installation program installs the Pointsec PC system code necessary and verifies the volumes available. For example:

During every start-up, Pointsec PC runs a suite of self tests to verify that its integrity has not been compromised.

Once Pointsec PC is completely installed, you will have to authenticate yourself to access the PC.

Log File Created During InstallationWhile installing Pointsec PC, a log file containing the status of the installation is written. It is located here (depending on where the Documents and Settings folder is located):

Logging On for the First Time

32

C:\Documents and Settings\All Users\Application Data\Pointsec\Pointsec for PC\Pointsec_PC_install_[COMPUTERNAME].log

[COMPUTERNAME] is the name of the computer where Pointsec PC is installed.

Logging On for the First TimeOnce Pointsec PC is installed, you must authenticate yourself before you can access the workstation.

After restarting and installing the system code, Pointsec PC opens the User Identification dialog box:

1. Enter the name and password of one of the administrator accounts you specified during the installation, see “Creating Administrator Accounts” on page 25.

If the account uses a dynamic token the dialog box will generate a challenge when you enter the account name, for example:

2. Press the Tab key to move from one field to another. Click OK when you have entered the correct account information.

Logging On for the First Time


If the account uses a smart card, enter the PIN code:

Pointsec then communicates with the smart card for authentication:

Once Pointsec PC has authenticated you, the operating system starts as usual and you can log in to Windows.

Pointsec PC creates and saves the recovery file for the workstation in the location specified when installing Pointsec PC. After that, Pointsec PC starts to encrypt the volumes you selected, the encryption process runs in the background and you can get on with your work.

3. To review the encryption status, double-click on the Pointsec PC icon in the taskbar. Click Volumes to see how encryption is progressing. See also “Encryption Progress” on page 34.

Accessing Pointsec PC Management Console

34

Accessing Pointsec PC Management ConsoleTo access Pointsec PC Management Console:

1. Click Start and browse to Programs → Pointsec. Select Pointsec PC → Management Console.

2. When prompted, authenticate yourself. Pointsec PC Management Console opens:

For more information on working in the Management Console, see the Pointsec PC Administrator’s Guide.

Encryption ProgressThe following registry entries for Pointsec PC enable you to determine the encryption status and encryption progress.

Table 2-3

Entry Value Explanation

EncryptionState: 0 No encryption

1 Partial encryption

2 Encryption on all volumes

Installing Pointsec PC in an IBM RRU Environment


Installing Pointsec PC in an IBM RRU Environment

To install Pointsec PC in an IBM Rapid Restore Ultra (RRU) environment, you must run the installation package, InstallRRU.msi.

You can run InstallRRU.msi by specifying it in precheck.txt before installation or by manually running it after installing Pointsec PC as normal.

Running Using precheck.txtFor more information on precheck.txt, see Chapter 1, Review precheck.txt on page 8.

To run InstallRRU.msi using precheck.txt:

1. Open precheck.txt and locate the RunAfter setting. Set RunAfter= to the path to InstallRRU.msi. We recommend that you use a path of max 8 characters, without spaces or special characters, for example C:\P4PCINST\. Save the changes to precheck.txt and close the file.

2. Install Pointsec PC as normal, reboot the computer and authenticate. Once the computer has been rebooted, InstallRRU.msi is executed.

3. Press "OK" DONE. Pointsec PC is now installed with IBM RRU.

Running InstallRRU.msi after InstallationTo run InstallRRU.msi after installation:

EncryptionProgress: 0 Stable

1 Encrypting

2 Decrypting

Table 2-3

Entry Value Explanation

Note - If you want to do a silent installation, msiexec.exe can be used. The full search path must then be supplied. The normal location for msiexec.exe is in the system32 directory, for example:

C:\Windows\System32\msiexec.exe /i C:Ppointsec\InstallRRU.msi /q

Note - If there is an anti-virus application installed, ensure that InstallRRU.msi is not stopped from running. If InstallRRU.msi is stopped by mistake, you should be able to run it manually afterwards.

Log File Created During Installation

36

1. Install Pointsec PC as normal.

2. Run InstallRRU.msi when the installation is complete and the computer is up and running with Pointsec PC installed.

Log File Created During InstallationWhile installing Pointsec PC in an IBM RRU environment, a log file containing the status of the installation is written. It is located here:

X:\Program Files\Pointsec\P4PC_RRU.log

Booting the System into IBM RRUTo boot into IBM RRU:

1. Reboot the system, an IBM text is displayed prior to Pointsec PC preboot authentication (PBA), for example:

To interrupt normal startup press the blue Access IBM button

or

To boot to the IBM Rescue Recovery Environment, press F11

2. Pointsec PC PBA will be displayed. Authenticate to Pointsec PC, the following information is displayed:

Pointsec loading operating system... To boot to the IBM Rescue Recovery Environment, Press F11

3. Press F11. The system will now boot into IBM RRU.

Here you will have the option to restore from backup, etc. For more information, see your IBM RRU documentation.

Note - If there is an anti-virus application installed, ensure that InstallRRU.msi is not stopped from running. If InstallRRU.msi is stopped by mistake, you should be able to run it manually afterwards.

Note - Leave the system alone at this point. In order for the any of the boot options to work, you first need to be authenticated by Pointsec PC. IBM RRU will start even if you have not been authenticated but you will not be able to access the disk.

37

THIRD PARTY TRADEMARKS AND COPYRIGHTS

Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust’s logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided “as is” without express or implied warranty. Copyright © Sax Software (terminal emulation only).

The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.

Copyright 1997 by Carnegie Mellon University. All Rights Reserved.

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The Open Group.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT `ÀS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG `ÀS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright © 1998 The Open Group.

The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR

38

ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson ([email protected]). Portions relating to gdft.c copyright 2001, 2002 John Ellson ([email protected]). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

The curl license

COPYRIGHT AND PERMISSION NOTICE

Copyright (c) 1996 - 2004, Daniel Stenberg, <[email protected]>.All rights reserved.

Permission to use, copy, modify, and distribute this software for any purpose

with or without fee is hereby granted, provided that the above copyright

notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

The PHP License, version 3.0

Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from [email protected]. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"

5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

"This product includes PHP, freely available from <http://www.php.net/>".

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM `ÀS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

39

This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at [email protected].

For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at <http://www.zend.com>.

This product includes software written by Tim Hudson ([email protected]).

Copyright (c) 2003, Itai Tzur <[email protected]>

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Neither the name of Itai Tzur nor the names of other contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Copyright © 2003, 2004 NextHop Technologies, Inc. All rights reserved.

Confidential Copyright Notice

Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distrib-uted, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not lim-ited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this doc-ument for personal, non-commercial use only, provided you do not modify the materials and that you retain all copy-right and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or condi-tions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed.

Trademark Notice

The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in

this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.

U.S. Government Restricted Rights

The material in document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are

restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Soft-ware Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commer-cial

Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).

40

Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.

Disclaimer Warranty Disclaimer Warranty Disclaimer Warranty Disclaimer Warranty

THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES,

EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESEN-TATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.

Limitation of Liability

UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.

Copyright © ComponentOne, LLC 1991-2002. All Rights Reserved.

BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))

Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release

PCRE LICENCE

PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. Release 5 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE, supplied in the "doc" directory, is distributed under the same terms as the software itself.

Written by: Philip Hazel <[email protected]>

University of Cambridge Computing Service, Cambridge, England. Phone:

+44 1223 334714.

Copyright (c) 1997-2004 University of Cambridge All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

* Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.