ForeScout CounterACT Quick Installation Manual

ForeScout CounterACT Quick Installation Manual

The Forescout platform provides infrastructure and device visibility, policy management, orchestration and workflow streamlining to enhance network security. The platform provides enterprises with real-time contextual information of devices and users on the network. Policies are defined using this contextual information that helps ensure compliance, remediation, appropriate network access and streamlining of service operations. This guide describes the installation for a single stand-alone CounterACT Appliance preinstalled with version 8.0. Some Appliances may come preinstalled with a later version. To use version 8.1, follow the approved upgrade path, outlined in the version Release Notes.

For more detailed information or information about upgrade or about deploying multiple Appliances for enterprise-wide network protection, refer to the Forescout Installation Guide and Forescout Administration Guide. See Additional Forescout Documentation for information on how to access these guides. Additionally, you can navigate to the support website located at: http://www.forescout.com/support for the latest documentation, knowledge base articles, and updates for your Appliance.

ForeScout CounterACT Package Contents

Your Forescout package includes the following components:

  • The CounterACT Appliance
  • Front Bezel
  • Rail Kits (Mounting brackets)
  • Power cord(s)
  • DB9 Console connecting cable (for serial connections only)
  • Enterprise Products Safety, Environmental, and Regulatory Information
  • Getting Started document (CT-xxxx Appliances based on hardware revision 5x and Forescout 51xx Appliances only)

ForeScout CounterACT Overview

Perform the following to set up your Forescout deployment:

  1. Create a Deployment Plan
  2. Set up your Switch
  3. Connect Network Cables and Power On
  4. Configure the Appliance
  5. Remote Management
  6. Verify Connectivity
  7. Set Up the Forescout Console

Create a Deployment Plan

Before performing the installation, you should decide where to deploy the Appliance and learn about Appliance interface connections. Decide Where to Deploy the Appliance Selecting the correct network location where the Appliance will be installed is crucial for a successful deployment and optimal performance. The correct location will depend on your desired implementation goals and network access policy. The Appliance should be able to monitor the traffic that is relevant to the desired policy. For example, if your policy depends on monitoring authorization events from endpoints to corporate authentication servers, the Appliance will need to be installed so that it sees endpoint traffic flowing into authentication server(s). For more information about installation and deployment, refer to the Forescout Installation Guide. See Additional Forescout Documentation for information on how to access this guide.

Appliance Interface Connections

The Appliance is generally configured with three connections to the network switch.

Management Interface

The management interface allows you to manage the Forescout platform and perform queries and deep inspection of endpoints. The interface must be connected
to a switch port with access to all network endpoints. Each Appliance requires a single management connection to the network. This connection requires an IP address on the local LAN and port 13000/TCP access from machines that will be running the Console management application. The management port must have access to additional network services.

ForeScout CounterACT Quick Installation Manual

ForeScout CounterACT Network Access Requirements

Port

Service

To or From Forescout Platform

Function

22/TCP

 

 

 

SSH

From

Allows remote inspection of OS X and Linux endpoints.

Allows the Forescout platform to communicate with network switches and routers.

To

Allows access to the Forescout platform command line interface.

2222/TCP

SSH

To

(High Availability) Allows access to the physical Appliances that are part of the High Availability pair.

Use 22/TCP to access the shared (virtual) IP address of the pair.

25/TCP

SMTP

From

Allows the Forescout platform access to the enterprise mail relay.

53/UDP

DNS

From

Allows the Forescout platform to resolve internal IP addresses.

80/TCP

HTTP

To

Allows HTTP redirection.

123/UDP

NTP

From

Allows the Forescout platform access to a local time server or ntp.forescout.net.

By default the Forescout platform accesses ntp.foreScout.net

135/TCP

MS-WMI

From

Allows remote inspection of Windows endpoints.

139/TCP

 

 

SMB, MS-RPC

 

 

From

Allows remote inspection of Windows endpoints (For endpoints running Windows 7 and earlier).

445/TCP

Allows remote inspection of Windows endpoints.

 

Port

Service

To or From Forescout Platform

Function

161/UDP

SNMP

From

Allows the Forescout platform to communicate with network switches and routers.

For information about configuring SNMP, refer to the Forescout Administration Guide.

162/UDP

SNMP

To

Allows the Forescout platform to receive SNMP traps from network switches and routers.

For information about configuring SNMP, refer to the Forescout Administration Guide.

389/TCP (636)

LDAP

From

Allows the Forescout platform to communicate with Active Directory.

Allows communication with the Forescout platform’s web-based portals.

443/TCP

HTTPS

To

Allows HTTP redirection using TLS.

2200/TCP

SecureConnector for Linux

To

Allows SecureConnector to create a secure (encrypted SSH) connection to the Appliance from Linux machines.

SecureConnector is a script based agent that enables management of Linux endpoints while they are connected to the network.

10003/TCP

SecureConnector for Windows

To

Allows SecureConnector to create a secure (encrypted TLS) connection to the Appliance from Windows machines. SecureConnector is an agent that enables management of Windows endpoints while they are connected to the network. Refer to the Forescout Administration Guide for more information about SecureConnector.

When SecureConnector connects to an Appliance or to the Enterprise Manager it is redirected to the Appliance to which its host is assigned. Ensure this port is open to all Appliances and to the Enterprise Manager to allow transparent mobility within the organization.

 

Port

Service

To or From Forescout Platform

Function

10005/TCP

SecureConnector for OS X

To

Allows SecureConnector to create a secure (encrypted TLS) connection to the Appliance from OS X machines. SecureConnector is an agent that enables management of OS X endpoints while they are connected to the network. Refer to the Forescout Administration Guide for more information about SecureConnector.

When SecureConnector connects to an Appliance or to the Enterprise Manager it is redirected to the Appliance to which its host is assigned. Ensure this port is open to all Appliances and to the Enterprise Manager to allow transparent mobility within the organization.

13000/TCP

Forescout platform

From/To

For deployments with only one Appliance – from the Console to the Appliance.

For deployments with more than one Appliance – from the Console to the Appliance and from one Appliance to another. Appliance communication includes communication with the Enterprise Manager and the Recovery Enterprise Manager, using TLS.

Monitor Interface

The monitor interface allows the Appliance to monitor and track network traffic. Any available interface can be used as the monitor interface. Traffic is mirrored to a port on the switch and monitored by the Appliance. The use of 802.1Q VLAN tagging depends upon the number of VLANs being mirrored.

  • Single VLAN: When monitored traffic is generated from a single VLAN, the mirrored traffic does not need to be VLAN tagged.
  • Multiple VLANs: If monitored traffic is from more than one VLAN, the mirrored traffic must be 802.1Q VLAN tagged.

When two switches are connected as a redundant pair, the Appliance must monitor traffic from both switches. No IP address is required on the monitor interface.

Response Interface

The Appliance responds to traffic using the response interface. Response traffic is used to protect against malicious activity and to perform policy actions. These actions may include, for example, redirecting web browsers or performing session blocking. The related switch port configuration depends upon the traffic being monitored. Any available interface can be used as the response interface.

  • Single VLAN: When monitored traffic is generated from a single VLAN, the response port must belong to the same VLAN. In this case, the Appliance requires a single IP address on that VLAN.
  • Multiple VLANs: If monitored traffic is from more than one VLAN, the response port must also be configured with 802.1Q VLAN tagging for the same VLANs. The Appliance requires an IP address for each monitored VLAN.

Readmore ForeScout CounterACT Quick Installation Manual PDF

 ForeScout CounterACT Manual PDF