Trend Micro Control Manager™ 5
Installation and Deployment Guide
Trend Micro Incorporated reserves the right to make changes to this document
and to the products described herein without notice. Before installing and
using the software, please review the readme files, release notes and the latest
version of the Control Manager documentation, which are available from
Trend Micro’s Web site at:
www.trendmicro.com/download/documentation/
NOTE: A license to the Trend Micro Software usually includes the right to
product updates, pattern file updates, and basic technical support for one (1)
year from the date of purchase only. Maintenance must be reviewed on an
annual basis at Trend Micro’s then-current Maintenance fees.
Trend Micro, the Trend Micro t-ball logo, Trend Micro Control Manager,
Damage Cleanup Services, Outbreak Prevention Services, Trend Virus Control
System, ServerProtect, OfficeScan, ScanMail, InterScan, and eManager are
trademarks or registered trademarks of Trend Micro, Incorporated. All other
product or company names may be trademarks or registered trademarks of
their owners.
All other brand and product names are trademarks or registered trademarks of
their respective companies or organizations.
Copyright© 1998-2008 Trend Micro Incorporated. All rights reserved. No part
of this publication may be reproduced, photocopied, stored in a retrieval
system, or transmitted without the express prior written consent of Trend
Micro Incorporated.
Document Part No. TMEM53359/70921
Release Date: February 2008
The Installation Guide for Trend Micro Control Manager™ is intended to
introduce the main features of the software and provide installation
instructions for your production environment. You should read through it
prior to installing or using the software.
For technical support, please refer to Contacting Technical Support starting on
page 7-2 for technical support information and contact details. Detailed
information about how to use specific features within the software is
available in the online help file and online Knowledge Base at Trend Micro’s
Web site.
Trend Micro is always seeking to improve its documentation. If you have
questions, comments, or suggestions about this or any Trend Micro
documents, please contact us at docs@trendmicro.com. Your feedback is
always welcome. Please evaluate this documentation on the following site:
www.trendmicro.com/download/documentation/rating.asp
Contents

Preface
  What’s New in This Version
  Control Manager Documentation
  About this Installation Guide
  Audience
  Document Conventions

Chapter 1: Introducing Trend Micro Control Manager™
  Control Manager Standard and Advanced
  How to Use Control Manager
  Understanding Trend Micro Management Communication Protocol
    Reduced Network Loading and Package Size
    NAT and Firewall Traversal Support
    HTTPS Support
    One-way and Two-way Communication Support
      One-way Communication
      Two-way Communication
    Single Sign-on (SSO) Support
  Control Manager Architecture

Chapter 2: Planning and Implementing the Control Manager Deployment
  Identifying Deployment Architecture and Strategy
    Understanding Single-Site Deployment
    Understanding Multiple-Site Deployment
  Installation Flow
  Supported Operating Systems
  Testing Control Manager at One Location
  Server Distribution Plan
    Understanding Administration Models
    Understanding Control Manager Server Distribution
    Single-Server Topology
    Multiple-Server Topology
  Network Traffic Plan
    Understanding Control Manager Network Traffic
      Sources of Network Traffic
      Traffic Frequency
      Logs
      Managed Product Agent Heartbeat
    Network Protocols
  Sources of Network Traffic
    Log Traffic
    Trend Micro Management Communication Protocol Policies
    Trend Micro Management Infrastructure Policies
    Product Registration Traffic
  Deploying Updates
    Understanding Deployment Updates
  Data Storage Plan
    Database Recommendations
    ODBC Drivers
    Authentication
  Web Server Plan
    Web Server Configuration

Chapter 3: Installing Trend Micro Control Manager for the First Time
  System Requirements
    Minimum System Requirements
    Recommended System Requirements
  Installing a Control Manager Server
  Verifying Successful Installations
    Verify a Successful Control Manager Server Installation
  Post-installation Configuration
    Registering and Activating Control Manager
    Configuring User Accounts
    Downloading the Latest Components
    Setting Notifications
  Registering and Activating Your Software
    Activating Control Manager
    Converting to the Full Version
    Renewing Your Product Maintenance

Chapter 4: Upgrading Servers or Migrating Agents to Control Manager 5.0
  Upgrading to Control Manager 5.0
    Upgrading Control Manager 3.0 or 3.5 Servers
      Upgrading and Migrating Scenarios
    Rolling Back to Control Manager 3.0/3.5 Servers
  Planning Control Manager Agent Migration
    Migration Scenarios for Control Manager 2.x Agents
      Control Manager 2.5x Agent Migration Flow
      MCP Agent Migration Flow
    Migrating Control Manager 2.5x and MCP Agents
  Migrating the Control Manager Database
    Migrating Control Manager SQL 2005 Database to Another SQL 2005 Server

Chapter 5: Using Control Manager Tools
  Using Agent Migration Tool (AgentMigrateTool.exe)
  Using the Control Manager MIB File
  Using the NVW 1.x SNMPv2 MIB File
  Using the NVW Enforcer SNMPv2 MIB File
  Using the NVW System Log Viewer
  Using the NVW 1.x Rescue Utility
  Using the Appliance Firmware Flash Utility
  Using the DBConfig Tool

Chapter 6: Removing Trend Micro Control Manager
  Removing a Control Manager Server
  Manually Removing Control Manager
    Remove the Control Manager Application
      Stopping Control Manager Services
      Removing Control Manager IIS Settings
      Removing Crystal Reports, TMI, and CCGI
      Deleting Control Manager Files/Directories and Registry Keys
      Removing the Database Components
      Removing Control Manager and NTP Services
  Removing a Windows-Based Control Manager 2.x Agent

Chapter 7: Getting Support
  Before Contacting Technical Support
  Contacting Technical Support
  TrendLabs
  Other Useful Resources

Index
Preface
 This Installation Guide introduces Trend Micro Control Manager™ 5.0, guides you
 through the installation planning and steps, and walks you through configuring Control
 Manager to function according to your needs.
 This preface contains the following topics:
 •   What’s New in This Version on page P-ii
 •   Control Manager Documentation on page P-vi
 •   About this Installation Guide on page P-vii
 •   Audience on page P-vii
 •   Document Conventions on page P-viii
What’s New in This Version
       Trend Micro Control Manager 5.0 represents a significant advance in monitoring and
       management software for antivirus and content security products. Architectural
       improvements in this new version make Control Manager more flexible and scalable
       than ever before.
       The following new features are available in version 5.0:
       •   Improved Reporting and Logs on page P-ii
       •   Improved User Access Control on page P-ii
       •   Improved Product Directory Management and Monitoring on page P-iii
       •   Intelligent Component Monitoring on page P-iii
       •   Product License Deployment Support on page P-iii
       Improved Reporting and Logs
       Control Manager 5.0 provides an Ad Hoc Query feature, allowing users to query
       managed product or Control Manager information from the Control Manager database
       through data views.
       Users can now create their own report templates. Using drag-and-drop functionality for
       columns, rows, bars, and pie graphs makes creating your templates quick, efficient, and
       easy.
       Improved User Access Control
       Control Manager 5.0 provides improved user access control in the following ways:
       •   Customized account types allow Control Manager administrators to specify which
           menu items users can access from the Control Manager Web console.
           Example: The Control Manager administrator creates an account type that allows
           users to access only the product tree and the logs and reports section of the Web
           console. No other areas of the Control Manager Web console will display for users
           with that account type.
       •   Customized user accounts allow administrators to specify which
           products/directories a user can access, as well as specifying what actions the user
           can perform on products/directories to which the user has access.
           Example: Bob and Jane are both OfficeScan administrators. Both have identical
           account type permissions (they have access to the same menu items in the Web
           console). However, Jane oversees operation for all OfficeScan servers, while Bob
           oversees operation only for OfficeScan servers protecting desktops for the
           Marketing department. The information that they can view on the Web console
           will be very different. When Bob logs on, he sees only information that is
           applicable to the OfficeScan servers his Control Manager user account allows (the
           OfficeScan servers for the Marketing department). When Jane logs on, she sees
           information for all OfficeScan servers because her Control Manager user account
           grants her access to all OfficeScan servers registered to Control Manager.
Improved Product Directory Management and Monitoring
Control Manager 5.0 provides improved product management and monitoring through
the Product Directory. The improvements are as follows:
•   OfficeScan-like view for products with multiple clients
•   Parent Control Manager servers can now manage products that are controlled by
    their child Control Manager servers.
•   Supports searching for managed products or managed product clients by name
•   When moving managed products in the product tree, access rights can be
    maintained from the product's previous location
Intelligent Component Monitoring
Control Manager 5.0 displays only the components for managed products a user has
access rights to and which are registered to Control Manager. Previous Control Manager
versions displayed all components for all products.
Product License Deployment Support
Control Manager now supports the deployment and re-deployment of Activation Codes
to managed products. Control Manager license management supports the following:
•   Managed products can register their Activation Code (AC) to Control Manager
•   Control Manager administrators can view the status of all ACs of registered
    managed products or ACs that other users input. They also can see which managed
    products use the AC.
•   Control Manager administrators can add new ACs and deploy the ACs to selected
    managed products.
    •      Control Manager administrators can select an existing AC and deploy the AC to
           selected managed products.
    •      Control Manager administrators can renew ACs and then deploy them to related
           managed products that have used the AC.
    •      Control Manager administrators can delete ACs when the AC is not used by any
           managed products or in the process of deploying the AC.
    Log Aggregation Support
    Control Manager supports sending a log aggregation command to managed products.
    Managed products drop information you deem unnecessary and send the aggregated log
    to Control Manager.
    Increased Managed Product Support
    Control Manager has expanded support to the following Trend Micro managed
    products:
    TABLE PREFACE-1. Managed Product Support
        MANAGED PRODUCT NAME                                   VERSION
        OfficeScan                                             8.0
        ScanMail for Microsoft Exchange                        6.0
        PortalProtect for Sharepoint                           Supported on 2007 and x64 OS
        ScanMail for Lotus Domino                              OS/AS 400 support
        ServerProtect for Linux                                3.0
        ServerProtect for Microsoft Windows/Novell NetWare     X64 OS
        InterScan Gateway Security Appliance                   • 1.5
                                                               • 1.5 + SP1
        InterScan Messaging Security Suite                     • 7.0
                                                               • 7.0 + SP1
        InterScan Web Security Appliance                       3.0
        InterScan Web Security Suite                           3.0
        InterScan WebProtect for ISA                           • 5.0
                                                               • 5.01
        Network VirusWall Enforcer 2500                        2.0
        Network VirusWall Enforcer 1200                        2.0
        InterScan Messaging Security Appliance 5000            • 1.0
                                                               • 7.0
        Total Discovery Appliance                              • 1.0
                                                               • 2.0 (under development)
        ServerProtect for Linux                                2.5
Control Manager Documentation
    The Trend Micro Control Manager™ documentation consists of the following:
    TABLE PREFACE-2. Control Manager Documentation
       DOCUMENT                 DESCRIPTION
       Online Help              Web-based documentation that is accessible from the Control
                                Manager management console.
                                The online help contains explanations of Control Manager
                                components and features, as well as procedures needed to
                                configure Control Manager.

       Knowledge Base           The Knowledge Base is an online database of problem-solving and
                                troubleshooting information. It provides the latest information about
                                known product issues. To access the Knowledge Base, go to the
                                following Web site:
                                http://esupport.trendmicro.com/support

       Readme file              The Readme file contains late-breaking product information that is
                                not found in the online or printed documentation. Topics include a
                                description of new features, installation tips, known issues, and
                                product release history.

       Installation Guide       Printed documentation provided in the package contents and PDF
                                form that is accessible from the Trend Micro Enterprise DVD or
                                downloadable from the Trend Micro Web site.
                                The Installation Guide contains detailed instructions on how to
                                install Control Manager and configure basic settings to get you "up
                                and running". See About this Installation Guide for a summary
                                of the chapters available in this book.

       Administrator’s Guide    PDF documentation that is accessible from the Trend Micro
                                Solutions CD for Control Manager or downloadable from the Trend
                                Micro Web site.
                                The Administrator’s Guide contains detailed instructions on how to
                                deploy, install, configure, and manage Control Manager and
                                managed products, and explanations of Control Manager
                                concepts and features.

       Tutorial                 PDF documentation that is accessible from the Trend Micro
                                Solutions CD for Control Manager or downloadable from the Trend
                                Micro Web site.
                                The Tutorial contains hands-on instructions on how to deploy,
                                install, configure, and manage Control Manager and managed
                                products registered to Control Manager.
  Note:     Trend Micro recommends checking the Update Center at
            http://www.trendmicro.com/download/ for updates to the Control Manager™
            documentation and program file.
About this Installation Guide
  The Trend Micro Control Manager™ Installation Guide provides the following
  information:
  TABLE PREFACE-3. Administrator’s Guide High-Level Overview
     TASK                DESCRIPTION
     Pre-Installation    Chapter 1: Introducing Trend Micro Control
                         Manager™: Provides an overview of Control Manager
                         product architecture, and a description of all features
                         Chapter 2: Planning and Implementing the Control
                         Manager Deployment: Provides deployment and product
                         application information and Trend Micro recommendations on
                         the optimal deployment of Control Manager

     Installation        Chapter 3: Installing Trend Micro Control Manager for
                         the First Time: Provides first-time installation procedures for
                         Control Manager
                         Chapter 4: Upgrading Servers or Migrating Agents to
                         Control Manager 5.0: Provides information and procedures
                         for upgrading to Control Manager from previous versions

     Appendices          •   Appendix A: System Checklists: Provides printable
                             checklists for numerous Control Manager tasks
                         •   Appendix B: Understanding Data Views
Audience
  The Control Manager documentation assumes a basic knowledge of security systems.
  There are references to previous versions of Control Manager to help system
  administrators and personnel who are familiar with earlier versions of the product. If
  you have not used earlier versions of Control Manager, the references may help
  reinforce your understanding of the Control Manager concepts.
Document Conventions
    To help you locate and interpret information easily, the Control Manager documentation
    (Administrator’s and Installation Guide) uses the following conventions.
    TABLE PREFACE-4. Control Manager Documentation Conventions
         CONVENTION          DESCRIPTION
         ALL CAPITALS        Acronyms, abbreviations, and names of certain
                             commands and keys on the keyboard
         Bold                Menus and menu commands, command buttons, tabs,
                             and options
         Monospace           Examples, sample command lines, program code, and
                             program output
         Note:               Provides configuration notes or recommendations
         Tip:                Provides best practice information and Trend Micro
                             recommendations
         WARNING!            Provides warnings about processes that may harm your
                             network
Chapter 1: Introducing Trend Micro Control Manager™
  Trend Micro Control Manager is a central management console that manages Trend
  Micro products and services, at the gateway, mail server, file server, and corporate
  desktop levels. The Control Manager Web-based management console provides a single
  monitoring point for antivirus and content security products and services throughout
  the network.
  Control Manager allows system administrators to monitor and report on activities such
  as infections, security violations, or virus/malware entry points. System administrators
  can download and deploy update components throughout the network, helping ensure
  that protection is consistent and up-to-date. Example update components include virus
  pattern files, scan engines, and anti-spam rules. Control Manager allows both manual
  and pre-scheduled updates. Control Manager allows the configuration and
  administration of products as groups or as individuals for added flexibility.
  This chapter contains the following topics:
  •   Control Manager Standard and Advanced on page 1-2
  •   How to Use Control Manager on page 1-2
  •   Understanding Trend Micro Management Communication Protocol on page 1-3
  •   Control Manager Architecture on page 1-7
Control Manager Standard and Advanced
      Control Manager is available in two versions: Standard and Advanced. Control Manager
      Advanced includes features that Control Manager Standard does not. For example,
      Control Manager Advanced supports a cascading management structure. This means
      the Control Manager network can be managed by a parent Control Manager Advanced
      server with several child Control Manager Advanced servers reporting to the parent
      Control Manager Advanced server. The parent server acts as a hub for the entire
      network.
      Note:   Control Manager 5.0 Advanced supports the following as child Control Manager
              servers:
              - Control Manager 5.0 Advanced
              - Control Manager 3.5 Standard or Enterprise Edition
              - Control Manager 3.0 SP6 Standard or Enterprise Edition
              Control Manager 5.0 Standard servers cannot be child servers.
      For a complete list of all features Standard and Advanced Control Manager servers
      support, see Trend Micro Control Manager Product Features on page A-8.
How to Use Control Manager
      Trend Micro designed Control Manager to manage antivirus and content security
      products and services deployed across an organization’s local and wide area networks.
      TABLE 1-1.     Control Manager Features
      FEATURE                        DESCRIPTION
      Centralized configuration      Using the Product Directory and cascading management
                                     structure, these functions allow you to coordinate
                                     virus-response and content security efforts from a single
                                     management console.
                                     This helps ensure consistent enforcement of your
                                     organization's virus/malware and content security policies.
      Proactive outbreak             With Outbreak Prevention Services (OPS), take proactive
      prevention                     steps to secure your network against an emerging
                                     virus/malware outbreak.
      Secure communication           Control Manager uses a communications infrastructure built
      infrastructure                 on the Secure Socket Layer (SSL) protocol.
                                     Depending on the security settings used, Control Manager
                                     can encrypt messages or encrypt them with authentication.
      Secure configuration and       These features allow you to configure secure management
      component download             console access and component download.
      Task delegation                System administrators can give personalized accounts with
                                     customized privileges to Control Manager management
                                     console users.
                                     User accounts define what the user can see and do on a
                                     Control Manager network. Track account usage through user
                                     logs.
      Command Tracking               This feature allows you to monitor all commands executed
                                     using the Control Manager management console.
                                     Command Tracking is useful for determining whether Control
                                     Manager has successfully performed long-duration commands,
                                     like virus pattern update and deployment.
      On-demand product              Control managed products in real-time.
      control                        Control Manager immediately sends configuration
                                     modifications made on the management console to the
                                     managed products. System administrators can run manual
                                     scans from the management console. This command system is
                                     indispensable during a virus/malware outbreak.
      Centralized update             Update virus patterns, anti-spam rules, scan engines, and
      control                        other antivirus or content security components to help
                                     ensure that all managed products are up-to-date.
      Centralized reporting          Get an overview of the antivirus and content security
                                     product performance using comprehensive logs and reports.
                                     Control Manager collects logs from all its managed
                                     products; you no longer need to check the logs of each
                                     individual product.
Understanding Trend Micro Management
Communication Protocol
  The Trend Micro Management Communication Protocol (MCP) agent is Trend Micro's
  next-generation agent for managed products. MCP replaces TMI as the way Control Manager
  communicates with managed products. MCP has several new features:
  •     Reduced network loading and package size
      •   NAT and firewall traversal support
      •   HTTPS support
      •   One-way and two-way communication support
      •   Single sign-on (SSO) support
Reduced Network Loading and Package Size
      TMI uses an application protocol based on XML. Even though XML provides a degree
      of extensibility and flexibility in the protocol design, the drawbacks of applying XML as
      the data format standard for the communication protocol consist of the following:
      •   XML parsing requires more system resources compared to other data formats such as
          CGI name-value pair and binary structure (the program leaves a large footprint on
          your server or device).
      •   The agent footprint required to transfer information is much larger in XML compared
          with other data formats.
      •   Data processing performance is slower due to the larger data footprint.
      •   Packet transmissions take longer and the transmission rate is less than other data
          formats.
      MCP's data format is designed to resolve these issues. The MCP's data format is a
      BLOB (binary) stream with each item composed of name ID, type, length, and value.
      This BLOB format has the following advantages:
      •   Smaller data transfer size compared to XML: Each data type requires only a
          limited number of bytes to store the information. These data types are integer,
          unsigned integer, Boolean, and floating point.
      •   Faster parsing speed: With a fixed binary format, each data item can be easily
          parsed one by one. Compared to XML, the performance is several times faster.
      •   Improved design flexibility: Design flexibility has also been considered since each
          item is composed of name ID, type, length, and value. There is no strict item
          order, and complementary items can be present in the communication protocol only
          if needed.
      In addition to applying binary stream format for data transmission, more than one type
      of data can be packed in a connection, with or without compression. With this type of
  data transfer strategy, network bandwidth can be preserved and improved scalability is
  also created.
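
  The following Python sketch is an added example, not Trend Micro code. It shows how a
  receiver can safely parse a stream of name ID/type/length/value items in any order. The
  guide does not publish MCP's wire layout, so the field widths, type codes, name IDs and
  the XML sample are assumptions constructed for illustration.

```python
import struct

# Assumed item header: 2-byte name ID, 1-byte type code, 2-byte value length,
# all big-endian. These widths are NOT taken from the MCP specification.
HEADER = struct.Struct(">HBH")

# Assumed type codes for the four data types the guide lists.
T_INT, T_UINT, T_BOOL, T_FLOAT = 1, 2, 3, 4
VALUE_FORMAT = {T_INT: ">i", T_UINT: ">I", T_BOOL: ">?", T_FLOAT: ">d"}

MAX_ITEMS = 1024  # upper bound so a hostile stream cannot make the parser loop forever


class MalformedStream(ValueError):
    """The stream is truncated or an item contradicts its own header."""


def encode_item(name_id, type_code, value):
    """Serialize one item as header + fixed-size value."""
    payload = struct.pack(VALUE_FORMAT[type_code], value)
    return HEADER.pack(name_id, type_code, len(payload)) + payload


def parse_stream(blob):
    """Return {name_id: value}. Items may arrive in any order."""
    items = {}
    offset = 0
    seen = 0
    while offset < len(blob):
        seen += 1
        if seen > MAX_ITEMS:
            raise MalformedStream("too many items")
        if len(blob) - offset < HEADER.size:
            raise MalformedStream("truncated header at offset %d" % offset)
        name_id, type_code, length = HEADER.unpack_from(blob, offset)
        offset += HEADER.size
        # Never trust the declared length beyond what was actually received.
        if length > len(blob) - offset:
            raise MalformedStream("truncated value for name ID %d" % name_id)
        fmt = VALUE_FORMAT.get(type_code)
        if fmt is not None:
            if length != struct.calcsize(fmt):
                raise MalformedStream("length %d is wrong for type %d" % (length, type_code))
            if name_id in items:
                raise MalformedStream("duplicate name ID %d" % name_id)
            (items[name_id],) = struct.unpack_from(fmt, blob, offset)
        # Unknown type: the length field lets the parser step over the value.
        offset += length
    return items


def build_sample():
    """Constructed sample: three items with hypothetical name IDs 1, 2 and 3."""
    return (encode_item(1, T_UINT, 512)      # e.g. a pattern version
            + encode_item(2, T_BOOL, True)   # e.g. real-time scan enabled
            + encode_item(3, T_FLOAT, 0.5))  # e.g. a load figure


# Constructed XML carrying the same three values, for size comparison only.
# It is not the TMI message format.
SAMPLE_XML = ('<msg><item name="pattern_version" type="uint">512</item>'
              '<item name="realtime_scan" type="bool">true</item>'
              '<item name="cpu_load" type="float">0.5</item></msg>')


def size_comparison():
    """Return (binary_bytes, xml_bytes) for the same three values."""
    return len(build_sample()), len(SAMPLE_XML.encode("utf-8"))


if __name__ == "__main__":
    print(parse_stream(build_sample()))
    print("binary=%d bytes, xml=%d bytes" % size_comparison())
```

  The bounds check on the declared length is what keeps a truncated or hostile stream from
  being read past its end.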
NAT and Firewall Traversal Support
  With limited addressable IP addresses on the IPv4 network, NAT (Network Address
  Translation) devices have become widely used to allow more end-point computers to
  connect to the Internet. NAT devices achieve this by forming a private virtual network
  to the computers attached to the NAT device. Each computer that connects to the NAT
  device will have one dedicated private virtual IP address. The NAT device will translate
  this private IP address into a real world IP address before sending a request to the
  Internet. This introduces some problems since each connecting computer uses a virtual
  IP and many network applications are not aware of this behavior. This usually results in
  unexpected program malfunctions and network connectivity issues.
  For products that work with Control Manager 2.5/3.0 agents, one pre-condition is
  assumed. The server relies on the fact that the agent can be reached by initiating a
  connection from server to the agent. This is a so-called two-way communication
  product, since both sides can initiate network connection with each other. This
  assumption breaks when the agent sits behind a NAT device (or the Control Manager
  server sits behind a NAT device) since the connection can only route to the NAT
  device, not the product behind the NAT device (or the Control Manager server sitting
  behind a NAT device). One common work-around is that a specific mapping
  relationship is established on the NAT device to direct it to automatically route the
  in-bound request to the respective agent. However, this solution needs user involvement
  and it does not work well when large-scale product deployment is needed.
  The MCP deals with this issue by introducing a one-way communication model. With
  one-way communication, only the agent initiates the network connection to the server.
  The server cannot initiate connection to the agent. This one-way communication works
  well for log data transfers. However, the server dispatching of commands occurs under a
  passive mode. That is, the command deployment relies on the agent to poll the server
  for available commands.
HTTPS Support
  The MCP integration protocol applies the industry standard communication protocol
  (HTTP/HTTPS). HTTP/HTTPS has several advantages over TMI:
      •   A large majority of people in IT are familiar with HTTP/HTTPS, which makes it
          easier to identify communication issues and find solutions to those issues
      •   For most enterprise environments, there is no need to open extra ports in the
          firewall to allow packets to pass
      •   Existing security mechanisms built for HTTP/HTTPS, such as SSL/TLS and
          HTTP digest authentication, can be used.
      Using MCP, Control Manager has three security levels:
      •   Normal security: Control Manager uses HTTP for communication
      •   Medium security: Control Manager uses HTTPS for communication if HTTPS is
          supported and HTTP if HTTPS is not supported
      •   High security: Control Manager uses HTTPS for communication
One-way and Two-way Communication Support
      MCP supports one-way and two-way communication.
      One-way Communication
      NAT traversal has become an increasingly significant issue in the current
      real-world network environment. In order to address this issue, MCP uses one-way
      communication. In one-way communication, the MCP client initiates the connection
      to the server and polls it for commands. Each request is a CGI-like command
      query or log transmission. In order to reduce the network impact, the connection is kept
      alive and open as much as possible. A subsequent request uses an existing open
      connection. Even if the connection is dropped, all connections involving SSL to the
      same host benefit from a session ID cache that drastically reduces re-connection time.
      Two-way Communication
      Two-way communication is an alternative to one-way communication. It is still based on
      one-way communication, but has an extra channel to receive server notifications. This
      extra channel is also based on HTTP protocol. Two-way communication can improve
      real time dispatching and processing of commands from the server by the MCP agent.
      The MCP agent side needs a Web server or CGI compatible program that can process
      CGI-like requests to receive notifications from Control Manager server.
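
      The following Python simulation is an added example, not Trend Micro code. It compares
      how long a queued command waits in one-way mode, in two-way mode, and in two-way mode
      when a NAT device blocks the notification channel. Time is counted in abstract ticks,
      and all class, method and command names are hypothetical.

```python
from collections import deque


class Server:
    """Queues commands per agent. It only hands them over on a connection
    that the agent opened (the one-way model)."""

    def __init__(self):
        self.pending = {}  # agent_id -> deque of (command, tick_queued)

    def queue_command(self, agent_id, command, now):
        self.pending.setdefault(agent_id, deque()).append((command, now))

    def handle_poll(self, agent_id):
        """Drain and return everything waiting for this agent."""
        queue = self.pending.get(agent_id, deque())
        drained = list(queue)
        queue.clear()
        return drained


class Agent:
    def __init__(self, agent_id, poll_interval, two_way=False, reachable=True):
        self.agent_id = agent_id
        self.poll_interval = poll_interval
        self.two_way = two_way        # agent runs a listener for notifications
        self.reachable = reachable    # False when NAT/firewall blocks inbound traffic
        self.notified = False
        self.delivered = []           # (command, ticks_waited)

    def notify(self):
        """Extra channel of two-way mode. It carries only a wake-up signal;
        the command itself still travels over the agent-initiated poll."""
        if self.two_way and self.reachable:
            self.notified = True

    def tick(self, server, now):
        scheduled = now % self.poll_interval == 0
        if scheduled or self.notified:
            self.notified = False
            for command, queued_at in server.handle_poll(self.agent_id):
                self.delivered.append((command, now - queued_at))


def simulate(agent, commands, ticks):
    """commands maps tick -> command issued by the administrator at that tick.
    Returns the agent's list of (command, ticks_waited)."""
    server = Server()
    for now in range(ticks):
        if now in commands:
            server.queue_command(agent.agent_id, commands[now], now)
            agent.notify()  # silently lost in one-way mode or behind NAT
        agent.tick(server, now)
    return agent.delivered


# Constructed schedule: two commands issued between polls.
SCHEDULE = {3: "manual_scan", 14: "deploy_pattern"}


def compare(poll_interval=10, ticks=30):
    """Return the delivery record for the three deployment cases."""
    return {
        "one_way": simulate(Agent("a1", poll_interval), SCHEDULE, ticks),
        "two_way": simulate(Agent("a2", poll_interval, two_way=True), SCHEDULE, ticks),
        "two_way_behind_nat": simulate(
            Agent("a3", poll_interval, two_way=True, reachable=False), SCHEDULE, ticks),
    }


if __name__ == "__main__":
    for mode, record in compare().items():
        print(mode, record)
```

      In one-way mode, the worst-case wait for an outbreak-response command is bounded by the
      polling interval, which is the figure to check when sizing that interval.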
Single Sign-on (SSO) Support
  Through MCP, Control Manager supports single sign-on (SSO) functionality for Trend
  Micro products. This feature allows users to sign in to Control Manager and access the
  resources of other Trend Micro products without having to sign in to those products as
  well.
Control Manager Architecture
  Trend Micro Control Manager provides a means to control Trend Micro products and
  services from a central location. This application simplifies the administration of a
  corporate virus/malware and content security policy. Refer to Table 1-2, “Control
  Manager Components,” on page 1-7 for a list of components Control Manager uses.
  TABLE 1-2.     Control Manager Components
  COMPONENT                    DESCRIPTION
  Control Manager server       Acts as a repository for all data collected from the agents. It
                               can be a Standard or Advanced Edition server. A Control Manager
                               server includes the following features:
                               • An SQL database that stores managed product configurations
                                 and logs
                                 Control Manager uses the Microsoft SQL Server database
                                 (db_ControlManager.mdf) to store data included in logs,
                                 Communicator schedule, managed product and child server
                                 information, user account, network environment, and
                                 notification settings.
                               • A Web server that hosts the Control Manager management
                                 console
                               • A mail server that delivers event notifications through email
                                 messages
                                 Control Manager can send notifications to individuals or
                                 groups of recipients about events that occur on the Control
                                 Manager network. Configure Event Center to send notifications
                                 through email messages, Windows event log, MSN Messenger,
                                 SNMP, Syslog, pager, or any in-house/industry standard
                                 application used by your organization to send notification.
                               • A report server, present only in the Advanced Edition, that
                                 generates antivirus and content security product reports
                                 A Control Manager report is an online collection of figures
                                 about virus/malware and content security events that occur on
                                 the Control Manager network.
  Trend Micro Management       MCP handles the Control Manager server interaction with managed
  Communication Protocol       products that support the next generation agent.
                               MCP is the new backbone for the Control Manager system.
                               MCP agents install with managed products and use one-way or
                               two-way communication to communicate with Control Manager. MCP
                               agents poll Control Manager for instructions and updates.
  Trend Micro Infrastructure   Handles the Control Manager server interaction with older
                               managed products.
                               The Communicator, or the Message Routing Framework, is the
                               communication backbone of the Control Manager system. It is a
                               component of the Trend Micro Infrastructure (TMI).
                               Communicators handle all communication between the Control
                               Manager server and older managed products. They interact with
                               Control Manager 2.x agents to communicate to older managed
                               products.
  Control Manager 2.x          Receives commands from the Control Manager server and sends
  Agents                       status information and logs to the Control Manager server.
                               The Control Manager agent is an application installed on a
                               managed product server that allows Control Manager to manage
                               the product. Agents interact with the managed product and
                               Communicator. An agent serves as the bridge between managed
                               product and communicator. Hence, install agents on the same
                               computer as managed products.
  Web-based management         Allows an administrator to manage Control Manager from
  console                      virtually any computer with an Internet connection and
                               Windows™ Internet Explorer™.
                               The Control Manager management console is a Web-based console
                               published on the Internet through the Microsoft Internet
                               Information Server (IIS) and hosted by the Control Manager
                               server. It lets you administer the Control Manager network from
                               any computer using a compatible Web browser.
                                                           Chapter 2
Planning and Implementing the Control
Manager Deployment
  Administrators must take several factors into consideration before deploying Control
  Manager to their network. This chapter helps you plan for Control Manager deployment
  and manage a Control Manager test deployment.
  This chapter contains the following topics:
  •   Identifying Deployment Architecture and Strategy on page 2-2
  •   Installation Flow on page 2-9
  •   Supported Operating Systems on page 2-9
  •   Testing Control Manager at One Location on page 2-10
  •   Server Distribution Plan on page 2-12
  •   Network Traffic Plan on page 2-13
  •   Sources of Network Traffic on page 2-15
  •   Deploying Updates on page 2-18
  •   Data Storage Plan on page 2-19
  •   Web Server Plan on page 2-20
Identifying Deployment Architecture and Strategy
      Deployment is the process of strategically distributing Control Manager servers to your
      network environment to facilitate and provide optimal management of antivirus and
      content security products.
      Deploying enterprise-wide, client-server software like Control Manager to a
      homogenous or heterogeneous environment requires careful planning and assessment.
      For ease of planning, Trend Micro recommends two deployment architectures:
      •   Single-site deployment: Single-site deployment refers to distributing and
          managing child servers and managed products from a single Control Manager
          located in a central office. If your organization has several offices but has fast and
          reliable local and wide area connection between sites, single-site deployment still
          applies to your environment.
      •   Multiple-site deployment: Multiple-site deployment refers to distributing and
          managing Control Manager servers in an organization that has main offices in
          different geographical locations.
      Note:   If you are using Control Manager for the first time, Trend Micro recommends the use
              of a Control Manager Advanced parent server to handle single-site and multiple-site
              deployments.
Understanding Single-Site Deployment
      Single-site deployment refers to distributing and managing child servers and managed
      products from a single Control Manager located in a central office.
FIGURE 2-1.    A single-server deployment using Control Manager
               Advanced parent server and mixed child servers
Before deploying Control Manager to a single site, complete the following tasks:
•   Determine the number of managed products and cascading structures
•   Plan for an optimal server-managed products/cascading structure ratio
•   Designate the Control Manager Standard server or Control Manager Advanced
    server
Note:   Control Manager 5.0 Advanced supports the following as child Control Manager
        servers:
        - Control Manager 5.0 Advanced
        - Control Manager 3.5 Standard or Enterprise Edition
        - Control Manager 3.0 SP6 Standard or Enterprise Edition
        Control Manager 5.0 Standard servers cannot be child servers.
Determining the Number of Managed Products and Cascading
Structures
Determine how many managed products and cascading structures you plan to manage
with Control Manager. You will need this information to decide what kind and how
      many Control Manager servers you need to deploy, as well as where to put these servers
      on your network to optimize communication and management.
      If you have a heterogeneous network environment (that is, if your network has different
      operating systems, such as Windows and UNIX), identify how many managed products
      are Windows or UNIX-based. Use this information to decide whether to implement a
      Control Manager cascading structure environment.
      Planning for an Optimal Server-managed Products/Cascading
      Structure Ratio
      The most critical factor in determining how many managed products or cascading
      structures a single Control Manager server can manage on a local network is the
      agent-server communication or parent and child server communication.
      Use the recommended system requirements as a guide in determining the CPU and
      RAM requirements for your Control Manager network.
      Designating Control Manager Servers
      Based on the number of managed products and cascading structure requirements,
      decide and designate your Control Manager server. Decide whether to designate an
      Advanced or Standard server.
      Locate your Windows servers, and then select the ones to assign as Control Manager
      servers. You also need to determine if you need to install a dedicated server.
      When selecting a server that will host Control Manager, consider the following:
      •   The amount of CPU load
      •   Other functions the server performs
      If you are installing Control Manager on a server that has other uses (for example,
      application server), Trend Micro recommends that you install on a server that is not
      running mission-critical or resource-intensive applications.
      Note:   Both OfficeScan and Control Manager use IIS to communicate with clients and
              agents/child servers, respectively. There is no conflict between these two applications,
              but since both of them are using IIS resources, Trend Micro recommends installing
              Control Manager on another computer to reduce the performance stress on the
              server.
  Depending on your network topology, you may need to perform additional site-specific
  tasks.
Understanding Multiple-Site Deployment
  As with single-site deployment, collect relevant network information and identify how
  this information relates to deploying Control Manager to your multiple sites.
  Given the uniqueness of each network, exercise judgment as to how many Control
  Manager servers would be optimal.
  Deploy Control Manager servers in a number of different locations, including the
  demilitarized zone (DMZ) or the private network. Position the Control Manager server
  in the DMZ on the public network to administer managed product or child servers and
  access the Control Manager management console using Internet Explorer over the
  Internet.
  FIGURE 2-2.    A multi-site deployment using multiple Control Manager
                 Advanced parent servers and mixed child servers
  Consider the following for multi-site deployment:
  •   Group managed products or child servers
  •   Determine the number of sites
      •      Determine the number of managed products and child servers
      •      Plan for network traffic
      •      Plan for an optimal server-managed products/cascading structure ratio
      •      Decide where to install the Control Manager server
      Grouping Managed Products or Child Servers
      Consider the following when you group managed products and child servers:
      TABLE 2-1.        Considerations Grouping Managed Products or Child Servers
      CONSIDERATION                   DESCRIPTION
      Company network and             If different access and sharing rights apply to the company
      security policies               network, group managed products and child servers
                                      according to company network and security policies.
      Organization and function       Group managed products and child servers according to the
                                      company's organizational and functional division. For
                                      example, have two Control Manager servers that manage the
                                      production and testing groups.
      Geographical location           Use geographical location as a grouping criterion if the
                                      location of the managed products and child servers affects
                                      the communication between the Control Manager server and
                                      its managed products or child servers.
      Administrative responsibility   Group managed products and child servers according to
                                      system or security personnel assigned to them. This allows
                                      group configuration.
      Determining the Number of Sites
      Determine how many sites your Control Manager deployment will cover. You need this
      information to determine the number of servers to install, as well as where to install the
      servers.
      Gather this information from your organization’s WAN or LAN topology charts.
      Determining the Number of Managed Products and Child Servers
      You also need to know the total number of managed products and child servers Control
      Manager server will manage. Trend Micro recommends gathering managed product and
      child server population data per site. If you cannot get this information, even rough
estimates will be helpful. You will need this information to determine how many servers
you need to install.
Planning for Network Traffic
Control Manager generates network traffic when the server and managed
products/child servers communicate. Plan the Control Manager network traffic to
minimize the impact on an organization's network.
These are the sources of Control Manager-related network traffic:
•   Heartbeat
•   Logs
•   Communicator schedule
•   Managed product registration to Control Manager server
    Control Manager servers, by default, contain all the product profiles available during
    the Control Manager release. However, if you register a new version of a product to
    Control Manager, a version that does not correspond to any existing product
    profiles, the new product will upload its profile to the Control Manager server.
•   Child server registration to Control Manager parent server
•   Downloading and deploying updates
Planning for an Optimal Server-managed Products/Cascading
Structure Ratio
When deploying Control Manager across the WAN, the Control Manager server in the
main office administers child servers and managed products in the remote office. If you
will have managed products or child servers in the remote office reporting to the server
in the main office over the WAN, you need to consider the diversity of the network
bandwidth in your WAN environment. Having different network bandwidth in your
WAN environment can be beneficial to Control Manager. If you have managed products
or child servers both on the LAN and across the WAN reporting to the same server,
reporting is staggered naturally; the server prioritizes those with the faster connection,
which, in almost all cases, are the managed products or child servers on the LAN.
Use the recommended system requirements as a guide in determining the CPU and
RAM requirements for your Control Manager network.
      Designating Control Manager Servers
      Based on the number of managed products and cascading structure requirements,
      decide and designate your Control Manager server.
      Locate your Windows servers, and then select the ones to assign as Control Manager
      servers. You also need to determine if you need to install a dedicated server.
      When selecting a server that will host Control Manager, consider the following:
      •      The amount of CPU load
      •      Other functions the server performs
      If you are installing Control Manager on a server that has other uses (for example,
      application server), Trend Micro recommends installing on a server that does not run
      mission-critical or resource-intensive applications.
      Note:      Both OfficeScan and Control Manager use IIS to communicate with clients and
                 agents/child servers, respectively. There is no conflict between these two applications,
                 but since both of them are using IIS resources, Trend Micro recommends installing
                 Control Manager on another computer to reduce the performance stress on the
                 server.
      Deciding Where to Install the Control Manager Server
      Once you know the number of clients and the number of servers you need to install,
      find out where to install your Control Manager servers. Decide if you need to install all
      your servers in the central office or if you need to install some of them in remote offices.
      Place the servers strategically in certain segments of your environment to speed up
      communication and optimize managed product and child server management:
      •      Central office: A central office is the facility where the majority of the managed
             products and child servers in the organization are located. The central office is
             sometimes referred to as headquarters, corporate office, or corporate headquarters. A central
             office can have other smaller offices or branches (referred to as ’remote offices’ in
             this guide) in other locations.
      Tip:       Trend Micro recommends installing a parent server in the central office.
  •   Remote office: A remote office is defined as any small professional office that is
      part of a larger organization and has a WAN connection to the central office. If you
      have managed products and child servers in a remote office that report to the server
      in the central office, they may encounter difficulties connecting to the server.
      Bandwidth limitations may prevent proper communication to and from the Control
      Manager server.
      The network bandwidth between your central office and remote office may be
      sufficient for routine client-server communication, such as notifications for updated
      configuration settings and status reporting, but insufficient for deployment and
      other tasks.
Installation Flow
  Setting up your Control Manager system is a multi-step process that involves the
  following:
  Step 1: Planning the Control Manager system installation (server distribution, network
          traffic, data storage, and Web server considerations).
  Step 2: Installing the Control Manager server. During installation of the Control
          Manager server, provide a location for backup and restoration files.
  Step 3: Installing Control Manager agents.
Supported Operating Systems
  The following operating systems support the Control Manager server and agent
  installation:
  Control Manager Server
  •   Windows 2000 Server SP 3/SP 4
  •   Windows 2000 Advanced Server SP 3/SP 4
  •   Windows 2003 Server Standard Edition SP 1/SP 2
  •   Windows 2003 Server Standard Edition R2 without patches/SP 1
  •   Windows 2003 Server Enterprise Edition SP 1/SP 2
  •   Windows 2003 Server Enterprise Edition R2 without patches/SP 1
       •      WOW, 64 bit architecture of Windows 2003 Standard/Enterprise
       Older Control Manager Agents
       TABLE 2-2.       Older Control Manager Agents Supported Operating Systems
           MICROSOFT
           • Windows XP Professional Version
           • Windows 2000 Server
           • Windows 2000 Advanced Server
           • Windows NT 4.0 + SP3
           • Windows NT 4.0 + SP6a or later
           • Windows 2003, Standard Edition, Enterprise Edition
           OTHERS
           • Novell Desktop 9
           • AIX
           • Red Hat Linux 6.2, 7.1, 7.2
           • RedHat Enterprise Linux 4.3
           • Turbolinux 6.5, 7.0
           • SuSE Linux 6.3, 7.2, 7.3
           • SuSE Enterprise 9.2
           • AS/400
           • OS390
           • Others: GateLock, Linux 6.x kernel, Solaris 2.6, 2.7, 2.8, Debian 3.1 4
Testing Control Manager at One Location
       A pilot deployment provides an opportunity for feedback to determine how features
       work and the level of support likely needed after full deployment.
       Tip:       Trend Micro recommends conducting a pilot deployment before performing a
                  full-scale deployment.
       Piloting Control Manager at one location allows you to accomplish the following:
       •      Gain familiarity with Control Manager and managed products
       •      Develop or refine the company's network policies
       A pilot deployment is useful to determine which configurations need improvements. It
       gives the IT department or installation team a chance to rehearse and refine the
       deployment process and test if your deployment plan meets your organization’s business
       requirements.
       A Control Manager test deployment consists of the following tasks:
Preparing for the Test Deployment
Complete the following activities during the preparation stage:
Step 1: Decide the Control Manager server and agent configuration for the test
        environment.
         •    Establish TCP/IP connectivity among all systems in a heterogeneous trial
              configuration.
         •    Verify bidirectional TCP/IP communications by sending a ping command
              to each agent system from the manager system and vice versa.
Step 2: Evaluate the different deployment methods to see which ones are suitable for
        your particular environment.
Step 3: Complete a System Checklist used for the pilot deployment.
Selecting a Test Site
Select a pilot site that best matches your production environment. Try to simulate, as
closely as possible, the type of topology that would serve as an adequate representation
of your production environment.
Creating a Rollback Plan
Create a disaster recovery or rollback plan (for example, how to roll back to Control
Manager 3.0/3.5) in case there are some difficulties with the installation or upgrade.
This process should take into account local corporate policies, as well as IT resources.
Beginning the Test Deployment
After completing the preparation steps and System Checklist, begin the pilot
deployment by installing Control Manager server and agents.
Evaluating the Test Deployment
Create a list of successes and failures encountered throughout the pilot process. Identify
potential pitfalls and plan accordingly for a successful deployment.
You can incorporate the pilot evaluation plan into the overall production installation and
deployment plan.
Server Distribution Plan
Understanding Administration Models
       Early in the Control Manager deployment, determine exactly how many people you
       want to grant access to your Control Manager server. The number of users depends on
       how centralized you want your management to be. The guiding principle is that the
       degree of centralization is inversely proportional to the number of users.
       Follow one of these administration models:
       •   Centralized management: This model gives Control Manager access to as few
           people as possible. A highly centralized network would have only one administrator,
           who then manages all the antivirus and content security servers on the network.
           Centralized management offers the tightest control over your network antivirus and
           content security policy. However, as network complexity increases, the
           administrative burden may become too much for one administrator.
       •   Decentralized management: This is appropriate for large networks where system
           administrators have clearly defined and established areas of responsibility. For
           example, the mail server administrator may also be responsible for email protection;
           regional offices may be independently responsible for their local areas.
           A main Control Manager administrator would still be necessary, but he or she shares
           the responsibility for overseeing the network with other product or regional
           administrators.
           Grant Control Manager access to each administrator, but limit access rights to view
           and/or configure segments of the Control Manager network that are under their
           responsibility.
       With one of these administration models initialized, you can then configure the Product
       Directory and necessary user accounts to manage your Control Manager network.
Understanding Control Manager Server Distribution
       Control Manager can manage products regardless of physical location and so it is
       possible to manage all your antivirus and content security products using a single
       Control Manager server.
  However, there are advantages to dividing control of your Control Manager network
  among different servers (including parent and child servers for Advanced Edition users).
  Based on the uniqueness of your network, you can decide the optimum number of
  Control Manager servers.
Single-Server Topology
  The single-server topology is suitable for small to medium, single-site enterprises. It
  facilitates administration by a single administrator, but does not preclude the creation of
  additional administrator accounts as required by your Administration plan.
  However, this arrangement concentrates the burden of network traffic (agent polling,
  data transfer, update deployment, and so on) on a single server, and the LAN that hosts
  it. As your network grows, the impact on performance also increases.
Multiple-Server Topology
  For larger enterprises with multiple sites, it may be necessary to set up regional Control
  Manager servers to divide the network load.
  For information on the traffic that a Control Manager network generates, see
  Understanding Control Manager Network Traffic on page 2-13.
Network Traffic Plan
  To develop a plan to minimize the impact of Control Manager on your network, it is
  important to understand the traffic that a Control Manager network generates.
  The following section describes that traffic and helps you plan to minimize its
  impact. In addition, the section about traffic frequency describes which sources
  frequently generate traffic on a Control Manager network.
Understanding Control Manager Network Traffic
  To develop a plan to minimize the impact of Control Manager on your network, it is
  important to understand the traffic that a Control Manager network generates.
   Sources of Network Traffic
       The following Control Manager sources generate network traffic:
       •   Log traffic
       •   Trend Micro Management Infrastructure and MCP policies
       •   Product registration
       •   Downloading and deploying updates
   Traffic Frequency
       The following sources frequently generate traffic on a Control Manager network:
       •   Logs
       •   MCP polling and commands
       •   Trend Micro Management Infrastructure policies
   Logs
       Managed products send logs to Control Manager at different intervals – depending on
       their individual log settings.
   Managed Product Agent Heartbeat
       By default, managed product agents send heartbeat messages every sixty minutes.
       Administrators can adjust this value from 5 to 480 minutes (8 hours). When choosing a
       heartbeat setting, choose a balance between the need to display the latest Communicator
       status information and the need to manage system resources.
       The default setting is satisfactory for most situations. If you need to customize it,
       familiarize yourself with the following considerations:
       •   Long-interval Heartbeats (above 60 minutes): the longer the interval between
           heartbeats, the greater the number of events that may occur before the Control
           Manager console displays them.
           For example, if a connection problem with an agent is resolved between heartbeats,
           it then becomes possible to communicate with an agent even if its status appears as
           Inactive or Abnormal.
  •      Short-interval Heartbeats (below 60 minutes): short intervals between
         heartbeats present a more up-to-date picture of your network status at the Control
         Manager server. However, this increases the amount of network bandwidth used.
  Note:        Before adjusting the interval to a number below 15 minutes, study your existing
               network traffic to understand the impact of increased use of network bandwidth.
Network Protocols
  Control Manager uses the UDP and TCP protocols for communication.
Sources of Network Traffic
Log Traffic
  Constant sources of network traffic in a Control Manager network are ‘product logs’,
  logs that managed products regularly send to the Control Manager server.
  TABLE 2-3.          Control Manager Log Traffic
      LOG                       CONTAINS INFORMATION ABOUT
      Virus/Spyware/Grayware    Detected virus/malware, spyware/grayware, and other security threats.
      Security                  Violations reported by content security products.
      Web Security              Violations reported by Web security products.
      Event                     Miscellaneous events (for example, component updates, and generic security violations).
      Status                    The environment of a managed product. The Status tab of the Product Directory displays this information.
      Network Virus             Viruses detected in network packets.
      Performance Metric        Used for previous product versions.
      URL Usage                 Violations reported by Web security products.
      Security Violation        Violations reported by Network VirusWall products.
      Security Compliance       Client compliances reported by Network VirusWall products.
      Security Statistic        The difference between security compliances and security violations calculated and reported by Network VirusWall products.
      Endpoint                  Violations reported by Web security products.
Trend Micro Management Communication Protocol Policies
       The Trend Micro Management Communication Protocol (MCP) is the latest part of the
       communications backbone of Control Manager. MCP implements the following
       policies:
       MCP Heartbeat: The MCP heartbeats to Control Manager ensure that Control
       Manager displays the latest information, and that the connection between the managed
       product and the Control Manager server is functional.
       MCP Command Polling: When an MCP agent initiates a command poll to Control
       Manager, Control Manager notifies the agent to send managed product logs or issues a
       command to the managed product. Control Manager also interprets a command poll as
       a passive heartbeat verifying the connection between Control Manager and the managed
       product.
Trend Micro Management Infrastructure Policies
       The Trend Micro Management Infrastructure (TMI) is part of the communications
       backbone of Control Manager and generates its own ‘housekeeping’ traffic. TMI
       implements two policies:
       •      Communicator Heartbeat: The Communicator, the message routing framework
              of TMI, polls the Control Manager server at regular intervals. This ensures that the
              Control Manager console displays the latest information, and that the connection
              between the managed product and the Control Manager server is functional.
  •   Work-hour policy: The work-hour policy defines when a Communicator sends
      information to the Control Manager server. Use the Communication Scheduler to
      define this policy; a user can set three periods of inactivity – also called ‘off-hour’
      periods. There are two types of information, however, that do not follow the
      Communicator Scheduler:
      •    Emergency messages
      •    Prohibited messages
      TMI sends emergency messages to the Control Manager server – even when the
      Communicator is in an off-hour period. However, TMI never sends prohibited
      messages to Control Manager – even when the Communicator is active.
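The precedence among the work-hour rules above, as an added Python model that is not Trend Micro code. The message kinds are labels taken from the guide, the off-hour periods are constructed sample values, and the delay calculation assumes that a held message goes out as soon as the off-hour period ends, which the guide does not state.

```python
from datetime import time

MAX_OFF_HOUR_PERIODS = 3  # the guide allows three periods of inactivity

# Constructed sample schedule: overnight (wraps past midnight) and a midday window.
SAMPLE_OFF_HOURS = [(time(22, 0), time(6, 0)), (time(12, 0), time(13, 0))]


def in_period(now, start, end):
    """True if now is in [start, end); a period may wrap past midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def is_off_hour(now, off_periods):
    """True if now falls inside any configured off-hour period."""
    if len(off_periods) > MAX_OFF_HOUR_PERIODS:
        raise ValueError("at most three off-hour periods can be defined")
    return any(in_period(now, start, end) for start, end in off_periods)


def should_send(kind, now, off_periods):
    """Apply the guide's precedence: prohibited, then emergency, then schedule."""
    if kind == "prohibited":
        return False          # never sent, even when the Communicator is active
    if kind == "emergency":
        return True           # sent even during an off-hour period
    return not is_off_hour(now, off_periods)


def minutes_until_sendable(now, off_periods):
    """Minutes an ordinary message waits before the schedule allows it.

    Assumption (not from the guide): a held message is sent as soon as the
    off-hour period ends. Returns None if the schedule covers the whole day.
    """
    start = now.hour * 60 + now.minute
    for delta in range(24 * 60):
        minute = (start + delta) % (24 * 60)
        if not is_off_hour(time(minute // 60, minute % 60), off_periods):
            return delta
    return None


if __name__ == "__main__":
    for kind in ("log", "emergency", "prohibited"):
        print(kind, should_send(kind, time(23, 30), SAMPLE_OFF_HOURS))
    print("wait:", minutes_until_sendable(time(23, 30), SAMPLE_OFF_HOURS))
```

With the sample schedule, an ordinary message raised at 23:30 waits until 06:00, which is the kind of console delay to weigh when choosing off-hour periods.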
Product Registration Traffic
  Product profiles provide Control Manager with information about how to manage a
  particular product. Managed products upload profiles to the Control Manager server the
  first time they register with the server.
  Each product has a corresponding product profile, and in many cases, different versions
  of a product have their own version specific profile. Profiles contain the following
  information:
  •   Category (for example, antivirus)
  •   Product name
  •   Product version
  •   Menu version
  •   Log format
  •   Update component information – updates that the product supports (for example,
      virus pattern files)
  •   Command information
  By default, Control Manager servers contain all the product profiles that were available
  when the managed products were released. However, when a new version of a product
  registers with Control Manager, the new product uploads its new product profile to the
  Control Manager server.
Deploying Updates
Understanding Deployment Updates
       Updating a Control Manager network is a two-step process:
       Step 1: Obtain the latest update components from Trend Micro. Control Manager can
               download components either directly from the Trend Micro update server, or
               from an alternative location.
       Step 2: Deploy these components to the managed products.
       Control Manager deploys update components to managed products, including:
       •   Pattern files/Cleanup templates
       •   Engines (scan engines, damage cleanup engines)
       •   Anti-spam rules
       •   Product programs (depending on the product)
       •   Network virus pattern files (Network VirusWall products only)
       Note:   Control Manager can only update damage cleanup templates/engines after activating
               Damage Cleanup Services.
       Trend Micro strongly recommends regularly updating these components to help ensure
       managed products can protect your network against the latest threats. For product
       program updates, refer to the specific program’s documentation.
       Deploying updates to managed products is a bandwidth-intensive operation. If possible,
       perform deployments when they will have the least impact on the network.
       You can stagger the deployment of component updates using Deployment Plans.
       Furthermore, check that the network connection between your Control Manager server
       and managed products can accommodate the updates. This will be a factor to consider
       when deciding how many Control Manager servers your network needs.
Data Storage Plan
  Control Manager data must be stored in an SQL database. If you install Control
  Manager on a server that does not have its own database, the installation program
  provides the option to install Microsoft SQL Express. However, due to the
  limitations of SQL Express, large networks require an SQL server.
  Note:   Control Manager uses SQL and Windows authentication to access the SQL server.
Database Recommendations
  If you install Control Manager and its SQL server on the same computer, configure the
  SQL server to use a fixed memory size equivalent to two-thirds of the total memory on
  the server. For example, if the server has 256MB of RAM, set 150MB as the fixed
  memory size for the SQL server.
  Install the Control Manager SQL database on the Control Manager server itself, or on a
  separate server (for example, a dedicated SQL server). If Control Manager manages over
  1,000 products, Trend Micro recommends using a dedicated SQL server.
  Note:   For instructions on how to manage SQL resources, and other sizing
          recommendations, refer to Microsoft SQL documentation.
ODBC Drivers
  Control Manager uses an ODBC driver to communicate with the SQL server. For most
  instances, ODBC version 3.7 is sufficient. However, to use a Named Instance of SQL
  2000, version 2000.80.194.00 is required.
  The Control Manager setup program can verify the ODBC driver version if the SQL
  server is installed on the Control Manager computer. For remote SQL servers, verify the
  driver manually to ensure that Control Manager can access the database.
Authentication
       Control Manager uses mixed-mode authentication for accessing the SQL database
       rather than Windows authentication.
Web Server Plan
Web Server Configuration
       The Web server information screen in the Control Manager setup program presents
       similar server identification options as the host ID definition screen: host name, FQDN,
       or IP address. The decision considerations for the Web server name are the same:
       •   Using the host name or FQDN facilitates Control Manager server IP address
           changes, but makes the system dependent on the DNS server
       •   The IP address option requires a fixed IP
       Use the Web server address to identify the source of component updates. The
       SystemConfiguration.xml file stores this information and sends it to agents as part of a
       notification for these agents to obtain updates from the Control Manager server. Update
       source related instructions appear as follows:
       Value=http://<Web server address>:<port>/TvcsDownload/ActiveUpdate/<component>
       Where:
       •   Port: The port that connects to the update source. You can also specify this on the
           Web server address screen (default port number is 80)
       •   TvcsDownload/ActiveUpdate: The Control Manager setup program creates this
           virtual directory in the IIS specified Web site
       •   Component: This depends on the updated component. For example, when the
           virus pattern file is updated, the value added here is:
           Pattern/vsapi.zip
           Pattern corresponds to the \\. . . Control
           Manager\WebUI\download\activeupdate\pattern folder on the Control Manager
           server. Vsapi.zip is the virus pattern in compressed form.
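One way to check update-source values against the format above before agents act on them, as an added Python example that is not part of the guide or the product. The host name cm01.example.com and the sample lines are constructed, and the script reads only Value= strings because the guide does not show the rest of SystemConfiguration.xml.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

VDIR = "/tvcsdownload/activeupdate/"  # virtual directory from the guide, lowercased
DEFAULT_PORT = 80                     # default port stated in the guide

# Constructed sample lines; cm01.example.com stands in for the Control Manager server.
SAMPLE_LINES = [
    "Value=http://cm01.example.com:80/TvcsDownload/ActiveUpdate/Pattern/vsapi.zip",
    "Value=http://CM01.example.com/TvcsDownload/ActiveUpdate/Pattern/vsapi.zip",
    "Value=http://192.0.2.10:80/TvcsDownload/ActiveUpdate/Pattern/vsapi.zip",
    "Value=http://cm01.example.com:8080/TvcsDownload/ActiveUpdate/Pattern/vsapi.zip",
    "Value=http://cm01.example.com:80/TvcsDownload/ActiveUpdate/%2e%2e/Pattern/vsapi.zip",
    "Value=http://cm01.example.com:80/Other/Pattern/vsapi.zip",
    "Value=http://cm01.example.com:80/TvcsDownload/ActiveUpdate/",
]


def parse_update_source(line):
    """Split a 'Value=<URL>' line into host, port, decoded path and userinfo flag."""
    key, sep, url = line.strip().partition("=")
    if not sep or key.strip() != "Value":
        raise ValueError("not a Value= line")
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) URL")
    default = 443 if parts.scheme == "https" else DEFAULT_PORT
    # Reading .port raises ValueError when the port is not a valid number.
    port = parts.port if parts.port is not None else default
    # Decode %xx and treat '\' as '/' so encoded dot-segments become visible.
    path = unquote(parts.path).replace("\\", "/")
    return {"host": parts.hostname, "port": port, "path": path,
            "userinfo": parts.username is not None}


def host_kind(host):
    """'ip' needs a fixed address; 'name' depends on DNS (the guide's trade-off)."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "name"


def audit_update_source(line, expected_host, expected_port=DEFAULT_PORT):
    """Return findings for one line; an empty list means it matches expectations."""
    try:
        src = parse_update_source(line)
    except ValueError as exc:
        return ["unparseable: %s" % exc]
    findings = []
    if src["userinfo"]:
        findings.append("userinfo present before the host name")
    if src["host"] != expected_host.lower():
        findings.append("host %s is not the expected server" % src["host"])
    if src["port"] != expected_port:
        findings.append("port %d differs from expected %d" % (src["port"], expected_port))
    path = src["path"]
    if ".." in path.split("/"):
        findings.append("path contains a dot-segment")
    elif not path.lower().startswith(VDIR):
        findings.append("path is outside TvcsDownload/ActiveUpdate")
    elif not path[len(VDIR):]:
        findings.append("no component named after the virtual directory")
    return findings


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        result = audit_update_source(sample, "cm01.example.com")
        print("OK  " if not result else "FLAG", sample, result)
```

A flagged host or port means agents would be told to fetch components from somewhere other than the server you planned for, so resolve it before deploying updates.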
Chapter 3
Installing Trend Micro Control Manager for the First Time
  This chapter guides you through installing the Control Manager server. In addition to
  listing the system requirements for the Control Manager server, the chapter also contains
  post-installation configuration information as well as instructions on how to register and
  activate your software.
  This chapter contains the following topics:
  •   System Requirements
  •   Installing a Control Manager Server
  •   Verifying Successful Installations
  •   Post-installation Configuration
  •   Registering and Activating Your Software
System Requirements
      Individual company networks are as individual as the companies themselves. Therefore,
      different networks have different requirements depending on the level of complexity.
      This section describes both minimum system requirements and recommended system
      requirements, including general recommendations and recommendations based on the
      size of networks.
Minimum System Requirements
      The following table lists the minimum system requirements for a Control Manager
      server.
      Note:   Control Manager 5.0 Advanced supports the following as child Control Manager
              servers:
              - Control Manager 5.0 Advanced
              - Control Manager 3.5 Standard or Enterprise Edition
              - Control Manager 3.0 SP6 Standard or Enterprise Edition
              Control Manager 5.0 Standard servers cannot be child servers.
      Please refer to the managed product documentation for detailed agent system
      requirements.
      TABLE 3-1.     Control Manager server hardware minimum system requirements
       HARDWARE SPECIFICATIONS    MINIMUM REQUIREMENTS
       CPU                        Intel™ Pentium™ III 600MHz or higher
                                  • Single CPU
                                  • Dual CPU
                                  • Quad CPU
       Memory                     • 2GB RAM minimum
                                  • 4GB RAM recommended
       Disk space                 • 790MB for Control Manager Standard/Advanced Version
                                  • 300MB for SQL 2005 Express (Optional)
      TABLE 3-2.     Control Manager server software minimum system requirements
       SOFTWARE SPECIFICATIONS    MINIMUM REQUIREMENTS
       Operating system           • Microsoft™ Windows™ 2000 Server SP 3/SP 4
                                  • Windows 2000 Advanced Server SP 3/SP 4
                                  • Windows 2003 Server Standard Edition SP 1/SP 2
                                  • Windows 2003 Server Standard Edition R2 without patches/SP 1
                                  • Windows 2003 Server Enterprise Edition SP 1/SP 2
                                  • Windows 2003 Server Enterprise Edition R2 without patches/SP 1
                                  • WOW, 64 bit architecture of Windows 2003 Standard/Enterprise
       Web server                 • Microsoft IIS server 5.0 (For 2000 platform)
                                  • Microsoft IIS server 6.0 (For 2003 platform)
       Database                   • Microsoft Data Engine (MSDE) 2000 + SP3
                                  • Microsoft SQL Server 2000 (2000 + SP3 is recommended)
                                  • Microsoft SQL Express 2005
       Others                     • Microsoft .NET Framework 2.0 (included in Control Manager package)
                                  • Windows Installer 3.1 (included in the Control Manager package)
                                  • VC2005 Redistribution (included in Control Manager package)
                                  • MDAC 2.8 SP1 or above for SQL Express (not included in the Control Manager package)
       Management console         • Browser- Windows Internet Explorer 6 or higher
                                  • Java VM- Microsoft Version 5.0.0.3805 or higher
                                  • JRE 1.4.2 or 1.5.0
      Please refer to the URL below to download the latest Control Manager 2.x agents:
      http://www.trendmicro.com/en/products/management/tmcm/evaluate/requirements.htm
Recommended System Requirements
      Observe the following system requirements to obtain optimum Control Manager
      performance:
      General Recommendations
      •      Do not install Control Manager on a Primary Domain Controller (PDC), a Backup
             Domain Controller (BDC), or on a server with any other Trend Micro product. This
             can result in severe performance degradation.
      •      Physical memory is a system resource – all applications on the server share it. Scale
             the memory with the processor; do not overpopulate with memory.
      TABLE 3-3.        General Control Manager server recommendations
          HARDWARE/SOFTWARE SPECIFICATION    RECOMMENDED REQUIREMENT
          Network adapter                    100Mbps, 32-bit, adapter for both the Control Manager server and managed product. Preferably one designed for bus mastering, direct memory access (DMA)
          File system                        NT File System (NTFS) partition
          Monitor                            VGA monitor capable of 1024 x 768 resolution, with at least 256 colors.
Installing a Control Manager Server
      After deciding the topology to use for your network, you can begin to install your
      Control Manager server. See Server Address Checklist on page A-2 to help you record
      relevant information for installation.
      You need the following information for the installation:
      •      Relevant target server address and port information
•      Control Manager registration key
•      Security Level you want to use for Server-Agent communication
The following are database-related considerations:
•      Decide if you want to use an SQL server with Control Manager. If the SQL server is
       located on a server other than the Control Manager server, obtain its IP address,
       FQDN, or NetBIOS name. If there are multiple instances of the SQL server,
       identify the one that you intend to use
•      Prepare the following information about the SQL database for Control Manager:
       •   User name for the database
       •   Password
       Note:   Control Manager uses both Windows authentication and SQL authentication to
               access the SQL server.
•      Determine the number of managed products that Control Manager will handle. If
       an SQL server is not detected on your server, Control Manager will install SQL 2005
       Express SP 2, which can only handle a limited number of connections
Installing Control Manager requires performing the following steps:
Step 1: Install all required components
Step 2: Specify the installation location
Step 3: Register and activate the product and services
Step 4: Specify Control Manager security and Web server settings
Step 5: Specify backup settings and configure database information
Step 6: Set up root account and configure notification settings
Tip:       Trend Micro recommends upgrading to version 5.0 instead of doing a fresh
           installation.
      To install a Control Manager server:
      Step 1: Install all required components
      1.   On the Windows taskbar, click Start > Run, and then locate the Control Manager
           installation program (Setup.exe). If installing from the Trend Micro Enterprise
           DVD, go to the Control Manager folder on the DVD. If you downloaded the
           software from the Trend Micro Web site, navigate to the relevant folder on your
           computer. The installation program checks your system for required components.
           If the installation program does not detect the following components on the server,
           dialog boxes appear prompting you to install the missing components:
           •   Windows Installer 3.1: This component is included in the Control Manager
               installation package
           •   MDAC 2.8 SP1 or higher: This component is not included in the Control
               Manager installation package
           •   .NET Framework 2.0: This component is included in the Control Manager
               installation package
           •   Visual C 2005 SP1 Redistribution Package: This component is included in
               the Control Manager installation package
      2.   Install all missing components. The IIS confirmation dialog box appears.
      3.   Click Yes to continue the installation. The Welcome screen appears.
The installation program checks your system for existing components. Before
proceeding with the installation, close all instances of the Microsoft Management
Console. For more information about migration, see Planning Control Manager
Agent Migration on page 4-11.
      4.   Click Next. The Software License Agreement appears.
           FIGURE 3-1. Choose Yes to agree with the License Agreement
     If you do not agree with the terms of the license, click No; the installation will
     discontinue. Otherwise, click Yes. A summary of detected components appears.
     FIGURE 3-2. Displays local system environment information
Step 2: Specify the installation location
1.   Click Next. The Select Destination Folder screen appears.
            FIGURE 3-3. Select a destination folder
       2.   Specify a location for Control Manager files. The default location is
            C:\Program Files\Trend Micro. To change this location, click
            Browse, and then specify an alternate location.
            Note:   The setup program installs files related to Control Manager communication
                    (the Trend Micro Management Infrastructure and MCP) in predetermined
                    folders in the Program Files folder.
       Step 3: Register and activate the product and services
       1.   Click Next. The Product Activation screen appears.
     FIGURE 3-4. Enter the Activation Code to activate Control Manager and
                    services
2.   Type the Activation Code for Control Manager and any other additional purchased
     services (you can also activate optional services from the Control Manager console).
     To use the full functionality of Control Manager 5.0 and other services (Outbreak
     Prevention Services), you need to obtain Activation Codes and activate the software
     or services. Included with the software is a Registration Key that you use to register
     your software online to the Trend Micro Online Registration Web site and obtain an
     Activation Code.
       3.   Click Next. The World Virus Tracking screen appears.
            FIGURE 3-5. Participate in the World Virus Tracking Program
       4.   Click Yes to participate in the World Virus Tracking Program. You can add your
            data to the Trend Micro Virus Map by choosing to participate in the World Virus
            Tracking Program. When you choose to participate, Trend Micro Control Manager
            will only send anonymous information through HTTP, and you can stop
            participating any time by choosing No and updating your status on the Control
            Manager management console.
Step 4: Specify Control Manager security and Web server settings
1.   Click Next. The Select Security Level And Host Address screen appears.
     FIGURE 3-6. Select a security level
2.   From the Security level list, select the security level for Control Manager
     communication with agents. The options are as follows:
     •   High: All communication between Control Manager and managed products
         uses 128-bit encryption with authentication. This ensures the most secure
         communication between Control Manager and managed products.
     •   Medium: If supported, all communication between Control Manager and
         managed products uses 128-bit encryption. This is the default setting when
         installing Control Manager.
     •   Low: All communication between Control Manager and managed products uses
         40-bit encryption. This is the least secure communication method between
         Control Manager and other products.
3.   Select a host address for agents to communicate with Control Manager:
            Tip:       Trend Micro recommends installing Control Manager using a host name.
                       Installing using an IP address can cause issues if the IP address of the Control
                       Manager server requires changing. Control Manager does not support changing
                       the installation IP address. This results in an administrator having to reinstall
                       Control Manager if the server’s IP address must change. Installing using a host
                       name avoids the issue.
            To use a FQDN/host name:
            a.     Select Fully qualified domain name (FQDN) or host name.
            b.     Select or type an FQDN or host name in the accompanying field.
            To use an IP address:
            a.     Select IP address.
            b.     Type an IP address in the accompanying field. Separate multiple entries using a
                   semi-colon ( ; ).
       4.   Click Next. The Specify Web Server Information screen appears.
            The settings on the Specify Web Server Information screen define communication
            security and how the Control Manager network identifies your server.
     FIGURE 3-7. Specify Web server information
5.   From the Web site list, select the Web site to access Control Manager.
6.   From the IP address list, select the IP address or FQDN/host name you want to
     use for the Control Manager Management Console. This setting defines how the
     Control Manager communication system identifies your Control Manager server.
     The setup program attempts to detect both the server's fully qualified domain name
     (FQDN) and IP address and displays them in the appropriate field.
     If your server has more than one network interface card, or if you assign your server
     more than one FQDN, the names and IP addresses appear here. Choose the most
     appropriate address or name by selecting the corresponding option or item in the
     list.
     If you use the host name or FQDN to identify your server, make sure that this name
     can be resolved on the product computers; otherwise the products cannot
     communicate with the Control Manager server.
7.   From the Web access security level list, select the security level for Control Manager
     communication. The options are as follows:
            •   High - HTTPS only: All Control Manager communication uses HTTPS
                protocol. This ensures the most secure communication between Control
                Manager and other products.
            •   Medium - HTTPS primary: If supported, all Control Manager
                communication uses HTTPS protocol. If HTTPS is unavailable, agents use
                HTTP instead. This is the default setting when installing Control Manager.
            •   Low - HTTP based: All Control Manager communication uses HTTP
                protocol. This is the least secure communication method between Control
                Manager and other products.
       8.   If you selected Low - HTTP based, and if you have not specified an SSL Port
            value in the IIS administration console, specify the access port for Control Manager
            communication in the SSL Port field.
       Step 5: Specify back up settings and configure database information
       1.   Click Next. The Choose Destination Location screen appears.
       FIGURE 3-8.    Choose a destination location for back up and authentication
                      files
2.   Specify the location of the Control Manager backup and authentication files (for
     more information see the Control Manager files that should be backed up on page
     4-7). Click Browse to specify an alternate location.
3.   Click Next. The Setup Control Manager Database screen appears.
     FIGURE 3-9. Choose the Control Manager database
4.   Select a database to use with Control Manager.
     •      Install Microsoft SQL Express: the setup program automatically selects this
            option if an SQL server is not installed on this computer. Do not forget to
            specify a password for this database in the field provided.
     Tip:       The Microsoft SQL Express is suitable only for a small number of connections.
                Trend Micro recommends using an SQL server for large Control Manager
                networks.
     •      SQL Server: the setup program automatically selects this option if the program
            detects an SQL server on the server. Provide the following information:
                •    SQL Server (\Instance): this server hosts the SQL server that you want
                     to use for Control Manager. If an SQL server is present on your server, the
                     setup program automatically selects it.
                     To specify an alternative server, identify it using its FQDN, IP address, or
                     NetBIOS name.
                     If more than one instance of SQL server exists on a host server (this can
                     be either the same server where you are installing Control Manager, or
                     another server), you must specify the instance. For example:
                     your_sql_server.com\instance
                •    SQL Server Authentication: provide credentials to access the SQL
                     server. By default, the User name is sa.
       WARNING! For security reasons, do not use an SQL database that is not password
                protected.
       5.   Under Trend Micro Control Manager database, provide a name for the Control
            Manager database. The default name is db_ControlManager.
       6.   Click Next to create the required database. If the setup program detects an existing
            Control Manager database you have the following options:
            •   Append new records to existing database: the Control Manager you install
                retains the same settings, accounts, and Product Directory entities as the
                previous server. In addition, Control Manager retains the root account of the
                previous installation - you cannot create a new root account.
            Note:   When installing Control Manager 5.0, you cannot select Append new records
                    to existing database for previous Control Manager database versions.
            •   Delete existing records, and create a new database: the existing database is
                deleted, and another, using the same name, is created
            •   Create a new database with a new name: you are returned to the previous
                screen to allow you to change your Control Manager database name
            Note:   If you append records to the current database, you will not be able to change the
                    root account. The Root account screen appears.
Step 6: Set up root account and configure notification settings
1.   Click Next. The following screen appears:
     FIGURE 3-10. Enter information for the Control Manager root account
2.   Provide the following required account information:
     •   User ID
     •   Full Name
     •   Password
     •   Password confirmation
     •   Email address
3.   Click Next. The Specify Message Routing Path screen appears. This screen only
     appears if the host server does not have TMI installed.
            FIGURE 3-11. Define routes for messages or requests
       4.   Define the routes for incoming and outgoing messages or requests. These settings
            allow you to adapt Control Manager to your company's existing security systems.
            Select the appropriate route.
            Note:   Message routing settings are only set during installation. Proxy configurations
                    made here are not related to the proxy settings used for Internet
                    connectivity–though the same proxy settings are used by default.
     Source of incoming messages
     •   Direct from registered agents: the agents can directly receive incoming
         messages.
     •   Proxy server: uses a proxy server when receiving messages. For additional
         details about using and configuring proxies, see Configuring Proxy Settings on
         page 5-60.
     •   IP port forwarding: this feature configures Control Manager to work with the
         IP port forwarding function of your company's firewall. Provide the firewall
         server’s FQDN, IP address or NetBIOS name, and then type the port number
         that Control Manager opened for communication.
     Route for outgoing messages
     •   Direct to registered agents: Control Manager sends outgoing messages
         directly to the agents.
     •   Proxy server: Control Manager sends outgoing messages through a proxy
         server. For additional details about using and configuring proxies, see
         Configuring Proxy Settings on page 5-60.
5.   Click Finish to complete the installation.
           FIGURE 3-12. Setup complete
Verifying Successful Installations
       Follow the procedures below to confirm that Control Manager server has successfully
       installed.
Verify a Successful Control Manager Server Installation
       To confirm a successful Control Manager server installation, check the following:
       The following folders appear under the Program Files\Trend Micro directory:
       •   Common\TMI
       •   Common\CCGI
       •   Control Manager
       The setup program creates the following services:
       •   Trend Micro Control Manager
•       Trend Micro Common CGI
•       Trend Micro Management Infrastructure
•       Trend Micro Network Time Protocol
The following processes are running:
CCGI processes:
•       Jk_nt_service.exe
•       Java.exe
IIS process:
•       Inetinfo.exe (Internet Information Services)
ISAPI filters:
•       CCGIRedirect
•       ReverseProxy
•       TmcmRedirect
TMI processes:
•       CM.exe (TMI-CM)
•       MRF.exe (Message Routing Framework Module)
•       DMServer.exe (TMI-DM full-function)
Control Manager processes:
    •    ProcessManager.exe                    •    UIProcessor.exe
    •    LogReceiver.exe                       •    ReportServer.exe
    •    MsgReceiver.exe                       •    NTPD.exe
    •    LogRetriever.exe                      •    DCSProcessor.exe
    •    CmdProcessor.exe                      •    CasProcessor.exe
Post-installation Configuration
       After successfully installing Control Manager, Trend Micro recommends you perform
       the following post-installation configuration tasks.
       1.   Register and activate Control Manager
       2.   Configure user accounts and account types
       3.   Download the latest components
       4.   Set notifications
Registering and Activating Control Manager
       After successfully installing Control Manager, please check the license status and
       expiration date on the management console, by clicking Administration > License
       Management > Control Manager. If the status is not Activated or is expired, obtain an
       Activation Code and activate your software (on the Web console, click Administration
       > License Management > Control Manager > Specify a new Activation Code). If
       you experience issues with your Activation Code, please contact technical support. For
       more information, see Registering and Activating Your Software on page 3-25.
Configuring User Accounts
       Create Control Manager user accounts based on your needs. Consider the following
       when creating your accounts:
       •    The number of different user types (Administrators, Power Users, and Operators)
       •    The appropriate permissions and privileges to assign to each user type
       •    For users to take advantage of the cascading management structure, they need to
            have Power User rights or greater
       For more information, see Configuring Control Manager User Access on page 5-7.
Downloading the Latest Components
       After installation, manually download the latest components (Pattern files\Cleanup
       templates, Engine updates) from the Trend Micro ActiveUpdate server to help maintain
       the highest security protection. If a proxy server exists between a Control Manager
       server and the Internet, configure the proxy server settings (on the Web console, click
  Administration > Settings > Proxy Settings). For more information, see
  Downloading and Deploying New Components on page 5-35.
Setting Notifications
  After installation, configure the events that will trigger notifications to monitor
  significant virus/malware attacks and related security activities. Besides specifying
  notification recipients, choose notification channels and test them to make sure they
  work as expected (on the Web console, click Administration > Event Center). For
  more information, see Using Event Center on page 6-8.
Registering and Activating Your Software
  Activate the Control Manager server to keep your security and product updates current.
  To activate your product, register online and obtain an Activation Code using your
  Registration Key.
  If you install Control Manager for the first time:
  •   If you purchased the full version from a Trend Micro reseller, the Registration
      Key is included in the product package.
      Register online and obtain an Activation Code to activate the product.
  •   If you install an evaluation version:
      Obtain a full version Registration Key from your reseller and then follow the full
      version instructions to activate the product.
Activating Control Manager
  Activating Control Manager allows you to use its full functionality, including
  downloading updated program components. You can activate Control Manager after
  obtaining an Activation Code from your product package or by purchasing one through
  a Trend Micro reseller.
  Note:   After activating Control Manager, log off and then log on for changes to take effect.
       To register and activate Control Manager:
       1.   Mouseover Administration on the main menu. A drop-down menu appears.
       2.   Mouseover License Management. A sub-menu appears.
       3.   Click Control Manager. The License Information screen appears.
       4.   Click the Activate the product/Specify a new Activation Code link.
       5.   In the New box, type your Activation Code. If you do not have an Activation Code,
            click the Register online link and follow the instructions on the Online
            Registration Web site to obtain one.
       6.   Click Activate, and then click OK.
Converting to the Full Version
       Upgrade your Control Manager to the full version and activate it to continue to use it
       beyond the evaluation period. Activate Control Manager to use its full functionality
       including downloading updated program components.
       To convert to the full version:
       1.   Purchase a full version Registration Key from a Trend Micro reseller.
       2.   Register your software online.
       3.   Obtain an Activation Code.
       4.   Activate Control Manager according to the instructions in the procedure above.
Renewing Your Product Maintenance
       Renew maintenance for Control Manager or its integrated related products and services
       (Outbreak Prevention Services) using one of the following methods.
       To renew your product or service maintenance, first obtain an updated Registration Key.
       The Registration Key allows you to acquire a new Activation Code. The procedures for
       renewing your product maintenance differ depending on whether you are using an
       evaluation or full version.
       To renew product maintenance using Check Status Online:
       1.   Mouseover Administration on the main menu. A drop-down menu appears.
       2.   Mouseover License Management. A sub-menu appears.
3.   Click Control Manager. The License Information screen appears.
4.   On the working area under Control Manager License Information, click Check
     Status Online, and then click OK.
5.   Log off and then log on to the Web console for changes to take effect.
To renew maintenance by manually entering an updated Activation Code:
1.   Mouseover Administration on the main menu. A drop-down menu appears.
2.   Mouseover License Management. A sub-menu appears.
3.   Click Control Manager. The License Information screen appears.
4.   On the working area under Control Manager License Information, click the
     Activate the product link.
5.   Click the Specify a new Activation Code link and follow the instructions on the
     Online Registration Web site.
6.   In the New box, type your Activation Code.
7.   Click Activate.
8.   Click OK.
                                                            Chapter 4
Upgrading Servers or Migrating Agents to
Control Manager 5.0
  Upgrading existing Control Manager 3.0 or 3.5 servers to Control Manager 5.0 requires
  careful consideration and detailed planning. Likewise, the same is true when migrating
  MCP and older Control Manager agents to a Control Manager 5.0 server.
  This chapter contains the following topics:
  •   Upgrading to Control Manager 5.0 on page 4-2
  •   Planning Control Manager Agent Migration on page 4-11
  •   Migrating the Control Manager Database on page 4-17
Upgrading to Control Manager 5.0
      The following table lists the considerations when upgrading to the Standard or
      Advanced Edition:
      TABLE 4-1. Considerations when upgrading to Control Manager 5.0

      CAPABILITY                                            STANDARD EDITION   ADVANCED EDITION

      Upgrade Control Manager 3.0 or 3.5 servers            Yes                Yes

      Retain the reporting functions                        No                 Yes

      Upgrade a Standard edition to Advanced Edition        Yes                N/A
        To upgrade from a Standard Edition to an
        Advanced Edition, obtain an Advanced Edition
        Activation Code (AC), and then reinstall Control
        Manager (only reinstall, do not uninstall and then
        reinstall). During installation, provide the new
        Advanced Edition AC.

      Convert an Enterprise/Advanced Edition to             N/A                Yes
      Standard Edition
Upgrading Control Manager 3.0 or 3.5 Servers
      Trend Micro recommends installing Control Manager 5.0 over the previous installation of
      Control Manager 3.0/3.5. This way all your previous settings, logs and reports, and
      Product Directory remain the same. However, before upgrading, verify that the server
      where Control Manager installs has sufficient system resources.
      WARNING! Always back up the existing server before performing the upgrade.
      Upgrading and Migrating Scenarios
      Control Manager supports three scenarios for upgrading or migration:
      •      Scenario 1: Upgrading a Control Manager 3.5 Server to Control Manager 5.0
      •      Scenario 2: Migrating to a Fresh Control Manager 5.0 Installation Using the Agent
             Migrate Tool
•    Scenario 3: Upgrading or Migrating a Cascading Environment
Scenario 1: Upgrading a Control Manager 3.5 Server to Control
Manager 5.0
When upgrading Control Manager 3.5 directly to Control Manager 5.0, administrators
can choose to back up Control Manager or back up the entire operating system of the
server where Control Manager installs. Backing up the operating system is more work
intensive but provides better security to prevent data loss.
To upgrade by backing up the previous Control Manager server and database:
1.   Back up the existing Control Manager 3.5 database.
2.   Back up all the files under \Trend Micro\CmKeyBackup\*.*.
3.   Back up all folders of the current Control Manager 3.5 server.
4.   Back up the registries of the current Control Manager 3.5 server.
5.   Install Windows Installer 3.1, if necessary.
6.   Install MDAC 2.8 SP1, if necessary.
7.   Install Control Manager 5.0 over Control Manager 3.5.
Note:   See Table 4-3, “Control Manager files that should be backed up,” on page 4-7 for
        steps 2 through 4.
To upgrade by backing up the entire operating system of the server and the
Control Manager database:
1.   Back up the operating system of the existing Control Manager 3.5 server.
2.   Back up the existing Control Manager 3.5 database.
3.   Install Windows Installer 3.1, if necessary.
4.   Install MDAC 2.8 SP1, if necessary.
5.   Install Control Manager 5.0 over Control Manager 3.5.
Scenario 2: Migrating to a Fresh Control Manager 5.0 Installation
Using the Agent Migrate Tool
This scenario involves installing Control Manager 5.0 on a separate server from the
existing Control Manager server. This allows you to slowly decommission the previous
      server. See Planning Control Manager Agent Migration on page 4-11 for more
      information about migrating agents.
      To migrate a Control Manager 3.5 server to a fresh installation of Control
      Manager 5.0:
      1.    Back up the existing Control Manager 3.5 database.
      2.    Perform a fresh installation of Control Manager 5.0 on a different computer.
      3.    Use the Agent Migration Tool to migrate entities from the Control Manager 3.5
            server to the Control Manager 5.0 server.
      Note:    The Agent Migration Tool only supports migrating managed products. The Agent
               Migration Tool does not support migrating logs, reports, or the Product Directory
               structure from the previous server.
      Scenario 3: Upgrading or Migrating a Cascading Environment
      Control Manager provides two methods for updating a cascading environment. The first
      involves unregistering and then re-registering the child Control Manager servers. The other
      method involves creating a file (CascadingUpgrade.ini) to insert on the child server.
      TABLE 4-2. CascadingUpgrade.ini Variables

      VARIABLE              PARENT CONTROL MANAGER            DESCRIPTION
                            SETTINGS SCREEN

      PARENT CONTROL MANAGER SERVER SETTINGS

      Host                  Server FQDN or IP address         The host name or IP address of the parent
                                                              Control Manager server.
      Port                  Port                              The port number used to communicate with
                                                              the proxy server.
      Protocol              Connect using HTTPS               The protocol used to communicate with the
                                                              parent Control Manager server.
      WebServerUser         Web server authentication         The user name required for the Web
                                                              server's authentication.
      WebServerPassword                                       The password required for the Web
                                                              server's authentication.

      MCP PROXY SETTINGS

      Enable                Use a proxy server to             Specify 1 to indicate you use a proxy
                            communicate with the parent       server. Specify a 0 if you do not use a
                            Control Manager server            proxy server.
      Type                  Proxy protocol                    The protocol used to communicate with the
                                                              proxy server.
      Host                  Server name or IP address         The host name or IP address of the proxy
                                                              server.
      Port                  Port                              The port number used to communicate with
                                                              the proxy server.
      ProxyServerUser       Proxy server authentication       The user name required for the proxy
                                                              server's authentication.
      ProxyServerPassword                                     The password required for the proxy
                                                              server's authentication.
   To upgrade or migrate a cascading environment by unregistering child servers:
   1.    Unregister all child Control Manager servers from the parent Control Manager
         server.
   2.    Back up the parent Control Manager server.
   3.    Back up all child Control Manager servers.
   4.    Upgrade the parent Control Manager server.
   5.    Upgrade all child Control Manager servers.
   6.    Register all child Control Manager servers to the parent Control Manager server.
      To upgrade or migrate a cascading environment using CascadingUpgrade.ini:
      1.   Back up the parent Control Manager server.
      2.   Back up all child Control Manager servers.
      3.   Using a text editor, create a file named CascadingUpgrade.ini.
           Use the following format for the CascadingUpgrade.ini file:
           [Common]
           Host=
           Port=
           Protocol=
           WebServerUser=
           WebServerPassword=
           [Proxy]
           Enable=
           Type=
           Host=
           Port=
           ProxyServerUser=
           ProxyServerPassword=
      4.   Insert a CascadingUpgrade.ini file in the Control Manager folder of each child
           Control Manager server.
      5.   Upgrade the parent Control Manager server.
      6.   Upgrade all child Control Manager servers.
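A pre-flight check for the file created in step 3, as an added example that is not part of the original guide or of any Trend Micro tool: it confirms that a CascadingUpgrade.ini carries every section and key from the format above and applies the [Proxy] rules from the parameter table. The function name, the sample content, and the 1-65535 range applied to both Port values are assumptions.

```powershell
# Added example (not Trend Micro code). Checks a CascadingUpgrade.ini against the
# format block in step 3 and the [Proxy] parameter descriptions.
function Test-CascadingUpgradeIni {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]            # blank lines are legal input
        [string[]]$Lines
    )

    # Sections and keys exactly as listed in the guide's format block.
    $expected = [ordered]@{
        Common = @('Host', 'Port', 'Protocol', 'WebServerUser', 'WebServerPassword')
        Proxy  = @('Enable', 'Type', 'Host', 'Port', 'ProxyServerUser', 'ProxyServerPassword')
    }
    $ini      = @{}
    $section  = $null
    $problems = New-Object 'System.Collections.Generic.List[string]'

    # Assumption: a usable port is an integer from 1 to 65535.
    $isPort = {
        param([string]$value)
        $n = 0
        [int]::TryParse($value.Trim(), [ref]$n) -and $n -ge 1 -and $n -le 65535
    }

    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i]
        if ($line -match '^\s*$') { continue }
        if ($line -match '^\s*\[([^\]]+)\]\s*$') {
            $section = $Matches[1]
            $ini[$section] = @{}
        }
        elseif ($section -and $line -match '^\s*([^=]+?)\s*=(.*)$') {
            # Split on the first "=" only, so a password may itself contain "=".
            $ini[$section][$Matches[1]] = $Matches[2]
        }
        else {
            # Report the line number only; never echo content that may hold a password.
            $problems.Add("Line $($i + 1) is not a section header or a key=value pair")
        }
    }

    foreach ($name in $expected.Keys) {
        if (-not $ini.ContainsKey($name)) { $problems.Add("Missing section [$name]"); continue }
        foreach ($key in $expected[$name]) {
            if (-not $ini[$name].ContainsKey($key)) { $problems.Add("[$name] has no $key= entry") }
        }
    }

    if ($ini.ContainsKey('Proxy')) {
        $p      = $ini['Proxy']
        $enable = "$($p['Enable'])".Trim()
        if ($enable -ne '0' -and $enable -ne '1') {
            $problems.Add('[Proxy] Enable must be 1 (proxy in use) or 0 (no proxy)')
        }
        elseif ($enable -eq '1') {
            if ([string]::IsNullOrWhiteSpace($p['Host'])) { $problems.Add('[Proxy] Enable=1 but Host is empty') }
            if (-not (& $isPort $p['Port'])) { $problems.Add('[Proxy] Enable=1 but Port is not 1-65535') }
        }
    }
    if ($ini.ContainsKey('Common') -and -not (& $isPort $ini['Common']['Port'])) {
        $problems.Add('[Common] Port is not 1-65535')
    }
    # Protocol and Type are not checked: their allowed values are not listed in this section.
    return ,$problems.ToArray()
}

# Constructed sample (placeholder values, not valid product settings):
# the proxy is enabled but has no port, and the Type= line is missing.
$sample = @(
    '[Common]'
    'Host=parent-cm.example.test'
    'Port=443'
    'Protocol=HTTPS'
    'WebServerUser=cmadmin'
    'WebServerPassword=placeholder'
    ''
    '[Proxy]'
    'Enable=1'
    'Host=proxy.example.test'
    'Port='
    'ProxyServerUser='
    'ProxyServerPassword='
)
Test-CascadingUpgradeIni -Lines $sample
```

To check a real file, pass `(Get-Content -LiteralPath <path to CascadingUpgrade.ini>)` as `-Lines` before copying the file to each child server.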
TABLE 4-3.      Control Manager files that should be backed up

CONTROL MANAGER 3.0/3.5     LOCATION
INFORMATION

Database                    Use the SQL Enterprise Manager or osql to back up the Control
                            Manager database. Refer to the Control Manager Back up
                            db_ControlManager using SQL Enterprise Manager / osql online
                            help topics for detailed steps.

Authentication information  \Program Files\Trend Micro\CmKeyBackup\*.*
(ensures that managed
products reporting to the
Control Manager server
will report to the same
server if Control Manager
is restored)

Configuration files         \Program Files\Trend Micro\Control Manager\Settings\*.*
                            \Program Files\Trend Micro\Control Manager\DataSource.xml
                            \Program Files\Trend Micro\Control Manager\CascadingLogConfiguration.xml
                            \Program Files\Trend Micro\Control Manager\Settings\DMregisterinfo.xml
                            \Program Files\Trend Micro\Control Manager\Settings\EntityEmulator.xml
                            \Program Files\Trend Micro\Control Manager\Settings\ProductUIHandler.xml
                            \Program Files\Trend Micro\Control Manager\Settings\SystemConfiguration.xml

GUID information            GUID value in \Program files\Trend Micro\COMMON\TMI\TMI.cfg

Managed product             \Program Files\Trend Micro\common\tmi\mrf_entity.dat
information                 \Program Files\Trend Micro\common\tmi\mrf_entity.bak

ActiveUpdate files          \Program Files\Trend Micro\Control Manager\webui\download\Activeupdate

Control Manager registry    HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TVCS\
                            HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TMI\
                            HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CommonCGI
                            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TMCM
                            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TMI
                            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSDE
                            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDE
                            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer
                            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TMCM
                            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrendMicro_NTP
                            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrendMicro Infrastructure\
                            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrendCCGI
                            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSQLServer
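One way to collect the Table 4-3 files and registry keys in a single pass, as an added example that is not part of the original guide or of any Trend Micro tool: it copies each listed path, exports each listed key with reg.exe, and writes a SHA-256 manifest so a later restore can be checked against the backup. The function name, the backup destination, and the default that \Program Files sits on the system drive are assumptions; items the server lacks are returned in Missing rather than treated as errors.

```powershell
# Added example (not Trend Micro code). Stages the files and registry keys from
# Table 4-3 into a time-stamped folder and records a SHA-256 hash for every file.
function Backup-ControlManagerState {
    param(
        [Parameter(Mandatory = $true)][string]$BackupRoot,  # assumption: destination folder
        [string]$Drive = $env:SystemDrive                    # assumption: drive holding \Program Files
    )

    $tm     = Join-Path ($Drive + '\') 'Program Files\Trend Micro'
    $target = Join-Path $BackupRoot ('cm-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    $regDir = Join-Path $target 'registry'
    New-Item -ItemType Directory -Force -Path $regDir | Out-Null

    # File and folder locations from Table 4-3, relative to the Trend Micro folder.
    $paths = @(
        'CmKeyBackup',                                   # authentication information
        'Control Manager\Settings',                      # covers the Settings\*.xml entries
        'Control Manager\DataSource.xml',
        'Control Manager\CascadingLogConfiguration.xml',
        'COMMON\TMI\TMI.cfg',                            # holds the GUID value
        'COMMON\TMI\mrf_entity.dat',                     # managed product information
        'COMMON\TMI\mrf_entity.bak',
        'Control Manager\webui\download\Activeupdate'    # ActiveUpdate files
    )
    $missing = @()
    foreach ($rel in $paths) {
        $src = Join-Path $tm $rel
        if (-not (Test-Path -LiteralPath $src)) { $missing += $src; continue }
        $dst = Join-Path (Join-Path $target 'files') $rel
        New-Item -ItemType Directory -Force -Path (Split-Path -Parent $dst) | Out-Null
        Copy-Item -LiteralPath $src -Destination $dst -Recurse -Force
    }

    # Registry keys from Table 4-3, all under HKEY_LOCAL_MACHINE.
    $hklm = 'HKEY_LOCAL_MACHINE'
    $keys = @(
        'SOFTWARE\TrendMicro\TVCS',
        'SOFTWARE\TrendMicro\TMI',
        'SOFTWARE\TrendMicro\CommonCGI',
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TMCM',
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TMI',
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSDE',
        'SOFTWARE\Microsoft\MSDE',
        'SOFTWARE\Microsoft\MSSQLServer',
        'SYSTEM\CurrentControlSet\Services\TMCM',
        'SYSTEM\CurrentControlSet\Services\TrendMicro_NTP',
        'SYSTEM\CurrentControlSet\Services\TrendMicro Infrastructure',
        'SYSTEM\CurrentControlSet\Services\TrendCCGI',
        'SYSTEM\CurrentControlSet\Services\MSSQLServer'
    )
    $n = 0
    foreach ($key in $keys) {
        $n++
        $full = "$hklm\$key"
        if (-not (Test-Path -LiteralPath "Registry::$full")) { $missing += $full; continue }
        $file = Join-Path $regDir ('{0:d2}_{1}.reg' -f $n, ($key -replace '[\\ ]', '_'))
        & reg.exe export $full $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { $missing += $full }
    }

    # Hash everything that was staged before the manifest file itself exists.
    $manifest = Join-Path $target 'manifest-sha256.csv'
    $hashes = Get-ChildItem -LiteralPath $target -Recurse -File |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path
    if ($hashes) { $hashes | Export-Csv -LiteralPath $manifest -NoTypeInformation }

    [pscustomobject]@{ Target = $target; Manifest = $manifest; Missing = $missing }
}

# Example call (the destination path is an assumption):
# Backup-ControlManagerState -BackupRoot 'D:\Backups'
```

The database is not covered here; Table 4-3 directs you to SQL Enterprise Manager or osql for it. The CmKeyBackup copy holds the server's authentication information, so restrict access to the backup folder as tightly as to the server itself.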
Rolling Back to Control Manager 3.0/3.5 Servers
       If upgrading to Control Manager 5.0 is unsuccessful, perform the following steps to roll
       back to your Control Manager 3.0/3.5 system.
       Scenario 1: Rolling Back a Control Manager 3.5 Server to Control
       Manager 5.0
       To roll back from a Control Manager server and database backup:
       1.   Remove the Control Manager 5.0 server.
       2.   Install Control Manager 3.5 server.
       3.   Restore the Control Manager 3.5 database with the backup database.
       4.   Restore all the Control Manager 3.5 folders with the backed up folders.
       5.   Restore Control Manager 3.5 registries with the backed up registries.
       6.   Restore all the files under \Trend Micro\CmKeyBackup\*.*.
       7.   Apply Control Manager 3.0/3.5 service packs and hot fixes.
       8.   Import the old certificate.
       To roll back from a backup of the server's entire operating system and of the
       Control Manager database:
       1.   Restore the Control Manager 3.5 database with the backup database.
       2.   Restore the operating system of the server with the backed up operating system.
       Scenario 2: Rolling Back from a Fresh Control Manager 5.0
       Installation Using the Agent Migrate Tool
       See Planning Control Manager Agent Migration on page 4-11 for more information
       about migrating agents.
       To roll back to a Control Manager 3.5 server from a fresh installation of Control
       Manager 5.0:
       1.   Restore the Control Manager 3.5 database with the backup database.
       2.   Use the Agent Migration Tool to migrate entities from the Control Manager 5.0
            server to the Control Manager 3.5 server.
  Scenario 3: Rolling Back a Cascading Environment
  To roll back a cascading environment by unregistering child servers:
  1.   Unregister all child Control Manager servers from the parent Control Manager
       server.
  2.   Roll back the parent Control Manager server.
  3.   Roll back all child Control Manager servers.
  4.   Apply Control Manager service packs and hot fixes.
  5.   Register all child Control Manager servers to the parent Control Manager server.
  To roll back a cascading environment that used CascadingUpgrade.ini to
  upgrade:
  1.   Unregister all child Control Manager servers from the parent Control Manager
       server.
  2.   Roll back the parent Control Manager server.
  3.   Roll back all child Control Manager servers.
  4.   Apply Control Manager service packs and hot fixes.
  5.   Register all child Control Manager servers to the parent Control Manager server.
Planning Control Manager Agent Migration
  There are two ways to migrate agents to a Control Manager 5.0 server:
  •    Rapid upgrade
       Rapid upgrade works using the following approach:
       TABLE 4-4.     Rapid Upgrade

       ORIGINAL SERVER/AGENT         ACTION

       Control Manager 3.0 SP 6      Registers Control Manager 2.5x agents to Control Manager
       with Control Manager 2.5x     5.0 server; Control Manager agents maintain their
       agents                        original Product Directory structure

       Control Manager 3.0 SP 6      Control Manager agents:
       with mixed agents             Registers Control Manager 2.5x agents to Control Manager
                                     5.0 server; Control Manager agents maintain their
                                     original Product Directory structure
                                     MCP:
                                     Registers MCP agents to Control Manager 5.0 server;
                                     MCP agents maintain their original Product Directory
                                     structure

       Control Manager 3.5/5.0       Registers MCP agents to Control Manager 5.0 server;
       with MCP agents               MCP agents maintain their original Product Directory
                                     structure

       Control Manager 3.5/5.0       Control Manager agents:
       with mixed agents             Registers Control Manager 2.5x agents to Control Manager
                                     5.0 server; Control Manager agents maintain their
                                     original Product Directory structure
                                     MCP:
                                     Registers MCP agents to Control Manager 5.0 server;
                                     MCP agents maintain their original Product Directory
                                     structure

           Trend Micro recommends rapid upgrade for migrating agents in a laboratory setting
           or in relatively small networks, preferably during test deployments (see Testing
           Control Manager at One Location on page 2-10). However, because you cannot stop
           the migration once it starts, this method works best for smaller deployments: the
           degree of difficulty increases with the size of the network.
       •   Phased upgrade
           Trend Micro recommends a phased upgrade for large, single-server Control
           Manager 3.0/3.5 networks. This is essential for multiple-server networks. This
           method offers a more structured approach to migrating your system, and follows
           these guidelines:
           •      Start migration on systems with the least impact on the existing network, and
                  then proceed to the systems with progressively greater impact
           •      Upgrade the old network in well-planned stages, rather than all at once.
                  This will simplify any troubleshooting that may be required.
           Phased upgrade involves the following steps:
      a.   Install Control Manager 5.0 on a server that does not have any previous
           Control Manager version installed (preferably without any managed products).
      b.   Run the AgentMigrateTool.exe tool on the Control Manager 5.0 server.
  Use the Control Manager agent installation together with the Agent Migration Tool
  (AgentMigrateTool.exe) to plan the upgrade of agents on existing Control Manager
  networks. The Agent Migration Tool can generate a list of servers with Control Manager
  agents. Doing so eliminates the need to manually select the agent servers.
Migration Scenarios for Control Manager 2.x Agents
  The following agent migration scenarios are possible:
  •   Single-server migration:
      FIGURE 4-1. Migration of agents belonging to a single server
      You can use both Rapid and Phased migration in this instance. See Upgrading to
      Control Manager 5.0 on page 4-2.
  •   Consolidation of different servers/agents:
            FIGURE 4-2. Migration of agents belonging to multiple servers
            Because of new Control Manager access control features, functions previously
            handled by separate Control Manager servers - to restrict user access to specific
            segments of the antivirus network - can now be combined in a single Control
            Manager server.
   Control Manager 2.5x Agent Migration Flow
       During Control Manager 2.5x agent migration, the agent migration tool performs the
       following:
       1.   Stops the Trend Micro Infrastructure service
       2.   Obtains the Product Directory information from the Control Manager 3.0 or 3.5
            server
       3.   Removes the agent information from the Control Manager 3.0 or 3.5 database and
            TMI.cfg
       4.   Retains the Control Manager 2.5x agent version (no upgrade takes place)
       5.   Writes the agent information to the Control Manager 5.0 database and TMI.cfg
       6.   Restarts the Trend Micro Infrastructure service
  If AgentMigrateTool.exe cannot complete the Control Manager 2.5x agent migration,
  it removes the agent information from the Control Manager 5.0 database and
  TMI.cfg and then writes it back to the Control Manager 3.0/3.5 database.
  MCP Agent Migration Flow
  During MCP migration, the agent migration tool performs the following:
  1.   Stops the Trend Micro Management Infrastructure service of the destination server.
  2.   Obtains the Product Directory information from the Control Manager server.
  3.   Retains the Control Manager agent version (no upgrade takes place).
  4.   Writes the agent information to the database of the destination server.
  5.   Restarts the Trend Micro Management Infrastructure service of the destination
       server.
  6.   Stops and then restarts the Trend Micro Control Manager service of the destination
       server.
  7.   Requests the source server to issue a Change Server command and waits for polling
       by the MCP agent.
Migrating Control Manager 2.5x and MCP Agents
  Use AgentMigrateTool.exe to migrate Windows-based agents originally
  administered by Control Manager 3.0 server, Control Manager 3.5 server, or Control
  Manager 5.0 server. When migrating agents, 2.5x agents migrate first, then MCP agents
  migrate.
  If an agent migration is unsuccessful, the following occurs:
  •    The agent continues to be managed by the source server
  •    Agent logs are on both the source and destination servers
  Migrated logs do not appear unless the agents register to the destination server.
  The destination Control Manager server purges migrated logs when a purge is triggered.
  Note:   Run AgentMigrateTool.exe directly on the destination server — a Control
          Manager 5.0 server to which you migrate the agents.
       To migrate Control Manager 2.5x or MCP agents:
       1.   Using Windows Explorer, open the Control Manager 5.0 root folder. For example:
            <root>\Program Files\Trend Micro\Control Manager\
       2.   Double-click AgentMigrateTool.exe.
       Note:    Remember to start the destination Control Manager server's Remote Registry service
                or agent migration will not be successful.
       3.   Click Configure Source Server Settings on the main menu.
       4.   On the Configurations screen under Source server, type the IP address of the
            source server—Control Manager 3.0, Control Manager 3.5, or Control Manager 5.0
            server hosting the agents that will migrate.
       5.   Under System Administrator Account, specify the administrator user name and
            password used to access the source server, and then click Connect.
       6.   On the main window, click Add > or Add All >> to migrate agents from the
            Source to the Destination list.
       7.   Select all or one of the following options:
            •      Retain tree structure: AgentMigrateTool.exe instructs the destination
                   server (that is, a Control Manager 5.0 server) to retain the original Product
                   Directory structure of the selected managed products
            •      Migrate logs: AgentMigrateTool.exe copies the logs of the
                   selected managed products from the source to the destination server
            •      Enable HTTPS: AgentMigrateTool.exe notifies migrating agents
                   to use HTTPS to register to Control Manager. If you do not select this option,
                   agents use HTTP to register to Control Manager
                   These options apply to agents listed in the Destination list.
            Tip:       Trend Micro recommends enabling the Retain tree structure and Migrate
                       logs options when migrating all agents from the source server.
                       Migrating managed products that use Control Manager 2.1 agents prevents the
                       destination server from querying the old logs of the migrated managed product.
                       Trend Micro recommends upgrading to Control Manager 2.5 agents before
                       running AgentMigrateTool.exe.
                The following products use the Control Manager 2.1 agent:
                    •    InterScan eManager 3.50 (all applicable platforms)
                    •    InterScan eManager 3.52 (all applicable platforms)
                    •    ScanMail eManager 5.0 (all applicable platforms)
                    •    ScanMail eManager 5.1 (all applicable platforms)
                    •    InterScan Messaging Security Suite 5.1 for Windows
  8.   Click Migrate.
  AgentMigrateTool.exe migrates the agent(s) listed in the Destination list.
Migrating the Control Manager Database
  You have two ways to migrate a Control Manager database:
  •    Install Control Manager 5.0 on a Control Manager 3.0/3.5 server. This is the
       recommended method.
       The Control Manager 5.0 setup automatically upgrades the database to version 5.0.
       Refer to Control Manager 2.5x agent migration on page 4-14 for more details.
  •    Manually transfer the Control Manager 3.0/3.5 database to Control Manager 5.0
       server
Migrating Control Manager SQL 2005 Database to Another
SQL 2005 Server
  Modify a number of parameters in TMI.cfg to move a Control Manager database from
  an SQL 2005 server to another SQL 2005 server.
  To migrate an existing database to another SQL 2005 server:
  1.   Using Windows Services, stop the following Control Manager services:
       •   Trend Micro Management Infrastructure
       •   Trend Micro CCGI
       •   Trend Micro Control Manager
       2.   Copy the Control Manager database from the old SQL Server to the new SQL
            Server.
            Note:   Control Manager encrypts the CFG_DM_DB_PWD value. Trend Micro
                    recommends configuring the target SQL server with the same authentication
                    account used to access db_ControlManager, as well as keeping the same ID
                    and password combination.
       3.   Open <root>\Program Files\Trend Micro\COMMON\TMI\TMI.cfg using
            a text editor.
            Note:   Back up TMI.cfg to roll back to the original settings.
       4.   Replace the CFG_DM_DB_DSN=Server= parameter value with the name of the
            destination SQL Server.
       5.   Retain the old ID and password. Otherwise, update the values for the following
            parameters:
            CFG_DM_DB_ID
            CFG_DM_DB_PWD
       6.   Save and close TMI.cfg.
       7.   Click Start > Programs > Administrative Tools > Data Sources (ODBC) to
            open the ODBC Data Source Administrator.
       8.   Activate the System DSN tab and then configure the ControlManager_DataBase
            data source.
       9.   On the Microsoft SQL Server DSN Configuration, select the destination server to
            modify the Which SQL Server do you want to connect to? value and then click
            Next.
            If the destination server is not available from the list, type the server name.
       10. On the next window, select With SQL Server authentication using a logon ID
           and password entered by the user and Connect to SQL Server to obtain
           default settings for the additional configuration options.
       11. Type the same ID and password available in TMI.cfg and then click Next.
       12. Click Finish to save the new configuration and close Microsoft SQL Server DSN
           Configuration.
13. Click OK to close ODBC Data Source Administrator.
14. Using Windows Services, restart all Control Manager services.
Log on to the management console and access the Product Directory to check if all
managed products are registered. If so, then you have successfully moved the database to
the destination SQL Server.
                                                            Chapter 5
Using Control Manager Tools
  Control Manager provides a number of tools to help you with specific configuration
  tasks.
  Control Manager houses most tools at the following location:
  <root>:\Control Manager\WebUI\download\tools\
  This chapter provides instructions on how to use the following Control Manager tools:
  •   Using Agent Migration Tool (AgentMigrateTool.exe) on page 5-2
  •   Using the Control Manager MIB File on page 5-2
  •   Using the NVW 1.x SNMPv2 MIB File on page 5-3
  •   Using the NVW Enforcer SNMPv2 MIB File on page 5-3
  •   Using the NVW System Log Viewer on page 5-4
  •   Using the NVW 1.x Rescue Utility on page 5-4
  •   Using the Appliance Firmware Flash Utility on page 5-4
  •   Using the DBConfig Tool on page 5-5
Using Agent Migration Tool
(AgentMigrateTool.exe)
      The Agent Migration tool provided in Control Manager 5.0 Standard or Advanced
      Edition migrates agents administered by a Control Manager 3.0, 3.5, or 5.0 server (see
      Migrating Control Manager 2.5x and MCP Agents on page 4-15).
      Run AgentMigrateTool.exe directly on the destination server from the following
      location:
      <root>\Program Files\Trend Micro\Control Manager\
           Note:   For MCP agents, the Agent Migration Tool supports Windows-based and
                   Linux-based agent migration.
                   For Control Manager 2.x agents, the Agent Migration Tool can only migrate
                   Windows-based agents. Please contact Trend Micro Support for migrating
                   non-Windows based agents (see Contacting Technical Support on page 7-2).
Using the Control Manager MIB File
      Download and use the Control Manager MIB file with an application (for example,
      HP OpenView) that supports SNMP protocol.
      To use the Control Manager MIB file:
      1.   Access the Control Manager management console.
      2.   Click Administration on the main menu. A drop-down menu appears.
      3.   Click Tools.
      4.   On the working area, click Control Manager MIB file.
      5.   On the File Download screen, select Save, specify a location on the server, and then
           click OK.
      6.   On the server, extract cm2.mib, the Control Manager Management Information
           Base (MIB) file.
      7.   Import cm2.mib using an application (for example, HP OpenView) that
           supports SNMP protocol.
Using the NVW 1.x SNMPv2 MIB File
  Download and use the NVW 1.x SNMPv2 MIB file with an application (for example,
  HP OpenView) that supports SNMP protocol.
  To use the NVW 1.x SNMPv2 MIB file:
  1.   Access the Control Manager management console.
  2.   Click Administration on the main menu. A drop-down menu appears.
  3.   Click Tools.
  4.   On the working area, click NVW 1.x SNMPv2 MIB file.
  5.   On the File Download screen, select Save, specify a location on the server, and then
       click OK.
  6.   On the server, extract nvw.mib2, the NVW 1.x SNMPv2 Management Information
       Base (MIB) file.
  7.   Import nvw.mib2 using an application (for example, HP OpenView) that
       supports SNMP protocol.
Using the NVW Enforcer SNMPv2 MIB File
  Download and use the NVW Enforcer SNMPv2 MIB file with an application (for
  example, HP OpenView) that supports SNMP protocol.
  To use the NVW Enforcer SNMPv2 MIB file:
  1.   Access the Control Manager management console.
  2.   Click Administration on the main menu. A drop-down menu appears.
  3.   Click Tools.
  4.   On the working area, click NVW Enforcer SNMPv2 MIB file.
  5.   On the File Download screen, select Save, specify a location on the server, and then
       click OK.
  6.   On the server, extract nvw2.mib2, the NVW Enforcer SNMPv2 Management
       Information Base (MIB) file.
  7.   Import nvw2.mib2 using an application (for example, HP OpenView) that
       supports SNMP protocol.
Using the NVW System Log Viewer
      Use the NVW System Log Viewer to open Network VirusWall logs for Network
      VirusWall products.
      To use the log viewer:
      1.   Access the Control Manager management console.
      2.   Mouseover Administration on the main menu. A drop-down menu appears.
      3.   Click Tools.
      4.   On the working area, click NVW System Log Viewer.
      5.   Using the log viewer, import logs from the Network VirusWall device.
Using the NVW 1.x Rescue Utility
      Uploading the Network VirusWall program file with the Network VirusWall 1.x Rescue
      Utility performs the same function as uploading the program file through the command
      line interface. The utility, however, is a user-friendly, Windows-based option for those
      who prefer to use a graphical user interface.
      To access the Network VirusWall 1.x Rescue Utility:
      1.   Using Windows Explorer, open the Control Manager 3.5 root folder. For example:
           <root>\Program Files\Trend Micro\Control Manager\WebUI\download\tools
      2.   Double-click the NVW1.x_Rescue_Utility.exe application.
Using the Appliance Firmware Flash Utility
      Use the Appliance Firmware Flash Utility (AFFU) to update the device BMC firmware,
      BIOS, and program file. The utility is a graphical user interface tool that provides a
      user-friendly method of uploading the latest program file and boot loader for Network
      VirusWall Enforcer 2500 appliances.
      To access the AFFU:
      1.   Access the Control Manager management console.
      2.   Mouseover Administration on the main menu. A drop-down menu appears.
      3.   Click Tools.
  4.   On the working area, click AFFU.
  5.   On the File Download screen, select Save, specify a location on the server, and then
       click OK.
  6.   Extract the AFFU file to the server.
Using the DBConfig Tool
  The DBConfig tool allows users to change the user account, password, and the database
  name for the Control Manager database.
  The tool offers the following options:
  •    DBName: Database name
  •    DBAccount: Database account
  •    DBPassword: Database password
  •    Mode: Database's authentication mode (SQL or WA)
  Note:   The default mode is SQL authentication mode; however, Windows authentication
          mode is necessary when configuring for Windows authentication.
          Control Manager 3.5 only supports SQL authentication.
  To use the DBConfig tool:
  1.   From the Control Manager server, click Start > Run.
  2.   Type cmd, and then click OK. The command prompt dialog box appears.
  3.   Change the directory to the Control Manager root directory (for example,
       <root>\Program Files\Trend Micro\Control Manager\DBConfig).
  4.   Type the following:
       dbconfig
       The DBConfig tool interface appears.
  5.   Specify which settings you want to modify:
       Example 1: DBConfig -DBName="db" -DBAccount="sqlAct" -DBPassword="sqlPwd" -Mode="SQL"
       Example 2: DBConfig -DBName="db" -DBAccount="winAct" -DBPassword="winPwd" -Mode="WA"
                                                           Chapter 6
Removing Trend Micro Control Manager
  This chapter contains information about how to remove Control Manager components
  from your network, including the Control Manager server, Control Manager agents, and
  other related files.
  This chapter contains the following sections:
  •   Removing a Control Manager Server on page 6-2
  •   Manually Removing Control Manager on page 6-2
  •   Removing a Windows-Based Control Manager 2.x Agent on page 6-7
Removing a Control Manager Server
      You have two ways to remove Control Manager automatically (the following instructions
      apply to a Windows 2000 environment; details may vary slightly, depending on your
      Microsoft Windows platform):
      •   From the Start menu, click Start > Programs > Trend Micro Control Manager
          > Uninstalling Trend Micro Control Manager.
      •   Using Add/Remove Programs:
          a.   Click Start > Settings > Control Panel > Add/Remove Programs.
          b.   Select Trend Micro Control Manager, and then click Remove.
               This action automatically removes other related services, such as the Trend
               Management Infrastructure and Common CGI services, as well as the Control
               Manager database.
          c.   Click Yes to keep the database, or No to remove the database.
               Note:     Keeping the database allows you to re-install Control Manager on the
                         server and retain all system information, such as agent registration, and
                         user account data.
      If you re-installed the Control Manager server and deleted the original database, but did
      not remove the agents that originally reported to the previous installation, then the
      agents will re-register with the server when:
      •   Managed product servers restart the agent services
      •   Control Manager agents verify their connection after an 8-hour period
Manually Removing Control Manager
      This section describes how to remove Control Manager manually. Use the procedures
      below only if the Windows Add/Remove function or the Control Manager uninstall
      program is unsuccessful.
      Note:    Windows-specific instructions may vary between operating system versions. The
               following procedures are written for Windows 2000.
  Removing Control Manager actually involves removing distinct components. These
  components may be removed in any order; they may even be removed together.
  However, for purposes of clarity, the uninstallation for each module is discussed
  individually, in separate sections. The components are:
  •    Control Manager application
  •    Trend Micro Management Infrastructure
  •    Common CGI Modules
  •    Control Manager Database (optional)
  Other Trend Micro products also use the Trend Micro Management Infrastructure and
  Common CGI modules, so if you have other Trend Micro products installed on the
  same computer, Trend Micro recommends not removing these two components.
  Note:   After removing all components, you must restart your server. You only have to do this
          once — after completing the removal.
Remove the Control Manager Application
  Manual removal of the Control Manager application involves the following steps:
  1.   Stopping Control Manager Services.
  2.   Removing Control Manager IIS Settings.
  3.   Removing Crystal Reports, TMI, and CCGI.
  4.   Deleting Control Manager Files/Directories and Registry Keys.
  5.   Removing the Database Components.
  6.   Removing Control Manager and NTP Services.
  Stopping Control Manager Services
  Use the Windows Services screen to stop all of the following Control Manager services:
  •    Trend Micro Management Infrastructure
  •    Trend Micro CCGI
  •    Trend Micro Control Manager
  •    Trend Micro NTP
      Note:   These are the services that run in the background on the Windows operating
              system, not the Trend Micro services that require Activation Codes (for
              example, Outbreak Prevention Services).
      To stop Control Manager services:
      1.   Click Start > Programs > Administrative Tools > Services to open the Services
           screen.
      2.   Right-click <Control Manager service>, and then click Stop.
      To stop IIS and Control Manager services from the command prompt:
      Run the following commands at the command prompt:
      •    net stop w3svc
      •    net stop tmcm
           FIGURE 6-1. View of the command line with the necessary services stopped
      Removing Control Manager IIS Settings
      Remove the Internet Information Services settings after stopping the Control Manager
      services.
      To remove Control Manager IIS settings:
      1.   From the Control Manager server, click Start > Run. The Run dialog box appears.
      2.   Type the following in the Open field:
           %SystemRoot%\System32\mmc.exe %SystemRoot%\System32\Inetsrv\iis.msc
3.   On the left-hand menu, double-click the server name to expand the console tree.
4.   Double-click Default Web Site.
5.   Delete the following virtual directories:
     •   ControlManager
     •   TVCSDownload
     •   Viewer9
     •   TVCS
     •   Jakarta
     •   WebApp
6.   Right-click the IIS Web site you set during installation.
7.   Click Properties.
8.   Click the ISAPI Filters tab.
9.   Delete the following ISAPI filters:
     •   TmcmRedirect
     •   CCGIRedirect
     •   ReverseProxy
10. On IIS 6 only, delete the following Web service extensions:
     •   Trend Micro Common CGI Redirect Filter (If removing CCGI)
     •   Trend Micro Control Manager CGI Extensions
11. Click OK.
Removing Crystal Reports, TMI, and CCGI
Removal of TMI and CCGI is optional. Use Add/Remove Programs to uninstall Crystal
Reports.
To remove Crystal Reports:
1.   On Control Manager server, click Start > Settings > Control Panel >
     Add/Remove Programs.
2.   Scroll down to Crystal Reports Runtime Files, then click Remove to remove the
     Crystal Reports related files automatically.
      To remove TMI and CCGI:
      •    Use Microsoft's service tool Sc.exe to remove TMI and CCGI:
           http://support.microsoft.com/kb/251192/en-us
      Deleting Control Manager Files/Directories and Registry Keys
      To manually remove a Control Manager server:
      1.   Delete the following directories:
           •   ...\Trend Micro\Control Manager
           •   ...\Trend Micro\COMMON\ccgi
           •   ...\Trend Micro\COMMON\TMI
      2.   Delete the following Control Manager registry keys:
           •   HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CommonCGI
           •   HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\DamageCleanupService
           •   HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\MCPAgent
           •   HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\OPPTrustPort
           •   HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TMI
           •   HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TVCS
           •   HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\VulnerabilityAssessmentServices
           •   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TMCM
           •   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TMI
           •   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TMCM
           •   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrendCCGI
           •   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrendMicro Infrastructure
           •   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrendMicro_NTP
 Removing the Database Components
  To remove Control Manager ODBC settings:
  1.     On the Control Manager server, click Start > Run. The Run dialog box appears.
  2.     Type the following in the Open field:
         odbcad32.exe
  3.     On the ODBC Data Source Administrator window, click the System DSN tab.
  4.     Under Name, select ControlManager_Database.
  5.     Click Remove, and click Yes to confirm.
  To remove the Control Manager SQL Server 2005 Express database:
  1.     On Control Manager server, click Start > Settings > Control Panel >
         Add/Remove Programs.
  2.     Scroll down to SQL Server 2005 Express, then click Remove to remove the
         SQL Server 2005 Express related files automatically.
  Tip:       Trend Micro recommends visiting Microsoft's Web site for instructions on removing
             SQL Server 2005 Express if you have any issues with the uninstallation:
             http://support.microsoft.com/kb/909967
 Removing Control Manager and NTP Services
  To remove Control Manager and NTP services:
  •      Use Microsoft's service tool Sc.exe to remove Control Manager and NTP services:
         http://support.microsoft.com/kb/251192/en-us
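  Once the manual steps above are complete and the server has been restarted, a read-only check shows which of the listed items still exist. The PowerShell script below is an added example, not part of Trend Micro's guide. The key, service, and DSN names come from this section; the -TrendRoot parameter and the WOW6432Node and ODBC.INI registry locations are assumptions about the host.

```powershell
# Added example (not from the guide): read-only audit for leftovers after the
# manual removal. Run it after the final restart. IIS virtual directories and
# ISAPI filters are not checked here.
param(
    # Assumption: folder that holds "Control Manager" and "COMMON". The guide
    # elides this prefix ("...\Trend Micro"), so it must be supplied.
    [string]$TrendRoot
)

# Components the guide says other Trend Micro products may still use (TMI, CCGI).
$sharedPattern = 'CommonCGI|TrendCCGI|\\TMI$|TrendMicro Infrastructure|\\ccgi$'

# Keys under HKLM\SOFTWARE that the guide lists for deletion.
$softwareKeys = @(
    'TrendMicro\CommonCGI', 'TrendMicro\DamageCleanupService', 'TrendMicro\MCPAgent',
    'TrendMicro\OPPTrustPort', 'TrendMicro\TMI', 'TrendMicro\TVCS',
    'TrendMicro\VulnerabilityAssessmentServices',
    'Microsoft\Windows\CurrentVersion\Uninstall\TMCM',
    'Microsoft\Windows\CurrentVersion\Uninstall\TMI',
    'ODBC\ODBC.INI\ControlManager_Database'   # System DSN from the ODBC step
)
$serviceNames = @('TMCM', 'TrendCCGI', 'TrendMicro Infrastructure', 'TrendMicro_NTP')

$targets = @()
foreach ($k in $softwareKeys) {
    $targets += "HKLM:\SOFTWARE\$k"
    # Assumption: on 64-bit Windows a 32-bit install is redirected to WOW6432Node.
    $targets += "HKLM:\SOFTWARE\WOW6432Node\$k"
}
foreach ($s in $serviceNames) {
    $targets += "HKLM:\SYSTEM\CurrentControlSet\Services\$s"
}
if ($TrendRoot) {
    foreach ($d in 'Control Manager', 'COMMON\ccgi', 'COMMON\TMI') {
        $targets += (Join-Path $TrendRoot $d)
    }
}

# Record every target that still exists and whether it is a shared component.
$findings = foreach ($t in $targets) {
    if (Test-Path -LiteralPath $t) {
        [pscustomobject]@{
            Leftover = $t
            Shared   = [bool]($t -match $sharedPattern)
        }
    }
}

# A service that is still registered can still be started; report its state.
foreach ($s in $serviceNames) {
    $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
    if ($svc) { Write-Warning "Service '$s' still registered (status: $($svc.Status))" }
}

$findings | Format-Table -AutoSize
$blocking = @($findings | Where-Object { -not $_.Shared })
if ($blocking.Count -gt 0) {
    Write-Warning "$($blocking.Count) Control Manager item(s) remain."
    exit 1
}
Write-Output 'No Control Manager-specific leftovers found (shared TMI/CCGI items may remain by design).'
```

  The script deletes nothing. Items flagged as Shared belong to TMI or CCGI, which the guide recommends leaving in place when other Trend Micro products are installed on the same computer.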
Removing a Windows-Based Control Manager 2.x Agent
  To remove one or more agents, you must run the uninstallation component of the
  Control Manager Agent setup program.
  Uninstall agents either remotely, by running the program from the Control Manager
  server or another server, or locally, by running the setup program on the agent
  computer.
      To remove a Windows-based Control Manager 2.x agent:
      1.   Mouseover Administration on the main menu. A drop-down menu appears.
      2.   Mouseover Settings from the drop-down menu. A sub-menu appears.
      3.   Click Add/Remove Product Agents. The Add/Remove Product Agents screen
           appears.
      4.   Click Use RemoteInstall.exe and install the application.
      5.   Using Microsoft Explorer, go to the location where you saved the agent setup
           program.
      6.   Double-click the RemoteInstall.exe file. The Control Manager Agent
           setup screen appears.
           FIGURE 6-2. Trend Micro Agent setup program
      7.   Click Uninstall. The Welcome screen appears.
8.   Click Next. The Control Manager source server log on screen appears.
     FIGURE 6-3. Control Manager source server logon
9.   Provide Administrator-level logon credentials for the Control Manager
     server. Type the following information:
     • Host name
     • User name
     • Password
10. Click Next. Select the product whose agent you want to remove.
11. Click Next. Select the servers from which to remove the agents. You have two ways
    to select those servers:
    To select from the list:
     a.   In the left list box, double-click the domain containing the antivirus servers,
          and the domain expands to show all the servers inside.
           b.   Select the target server(s) from the left list box, and then click Add. The
                chosen server appears on the right list box. Click Add All to add agents to all
                servers in the selected domain.
               Alternatively, you can double-click on a server to add it to the left list.
           To specify a server name directly:
           a.   Type the server's FQDN or IP address in the Server name field.
           b.   Click Add. The server appears on the right list box.
           To remove servers from the list, select a server from the right list box, and then click
           Remove. To remove all servers, click Remove All.
       12. Click Back to return to the previous screen, Exit to abort the operation, or Next to
           continue.
       13. Provide Administrator-level logon credentials for the selected servers. Type the
           required user name and password in the appropriate field.
       14. Click OK. The Uninstallation List screen provides the following details about the
           target servers: server name, domain, and the type of agent detected.
           FIGURE 6-4. Analyze chosen Control Manager server
15. Click Next to continue. The table on this screen shows the following information
    about the target servers: server name, operating system version, IP address, Domain
    name, and the version of the agent you will remove.
    Click Back to return to the previous screen, Exit to abort the operation, or
    Uninstall to remove the agent. The uninstallation begins.
16. Click OK, and then at the Removing Agents screen, click Exit.
                                                           Chapter 7
Getting Support
  Trend Micro has committed to providing service and support that exceeds our users’
  expectations. This chapter contains information on how to get technical support.
  Remember, you must register your product to be eligible for support.
  This chapter contains the following topics:
  •   Before Contacting Technical Support
  •   Contacting Technical Support
  •   TrendLabs
  •   Other Useful Resources
Before Contacting Technical Support
      Before contacting technical support, here are two things you can quickly do to try and
      find a solution to your problem:
      •   Check your documentation: the manual and online help provide comprehensive
          information about Control Manager. Search both documents to see if they contain
          your solution.
      •   Visit our Technical Support Web site: our Technical Support Web site contains
          the latest information about all Trend Micro products. The support Web site has
          answers to previous user inquiries.
          To search the Knowledge Base, visit
          http://esupport.trendmicro.com/support
Contacting Technical Support
      In addition to phone support, Trend Micro provides the following resources:
      •   Email support
          support@trendmicro.com
      •   On-line help - configuring the product and parameter-specific tips
      •   Readme - late-breaking product news, installation instructions, known issues, and
          version specific information
      •   Knowledge Base - technical information procedures provided by the Support team:
          http://esupport.trendmicro.com/support
      •   Product updates and patches
          http://www.trendmicro.com/download/
      To locate the Trend Micro office nearest you, open a Web browser to the following
      URL:
          http://www.trendmicro.com/en/about/contact/overview.htm
      To speed up the problem resolution, when you contact our staff please provide as much
      of the following information as you can:
      •   Product serial number
  •   Control Manager Build version
  •   Operating system version, Internet connection type, and database version (for
      example, SQL 2000 or SQL 7.0)
  •   Exact text of the error message, if any
  •   Steps to reproduce the problem
TrendLabs
  Trend Micro TrendLabs℠ is a global network of antivirus research and product support
  centers providing continuous 24 x 7 coverage to Trend Micro customers worldwide.
  Staffed by a team of more than 250 engineers and skilled support personnel, the
  TrendLabs dedicated service centers worldwide ensure rapid response to any virus
  outbreak or urgent customer support issue, anywhere in the world.
  The TrendLabs modern headquarters earned ISO 9002 certification for its quality
  management procedures in 2000 - one of the first antivirus research and support
  facilities to be so accredited. Trend Micro believes TrendLabs is the leading service and
  support team in the antivirus industry.
  For more information about TrendLabs, please visit:
      www.trendmicro.com/en/security/trendlabs/overview.htm
Other Useful Resources
  Trend Micro offers a host of services through its Web site, www.trendmicro.com.
  Internet-based tools and services include:
  •   The World Virus Tracking Center - monitor virus incidents around the world
  •   HouseCall™ - Trend Micro online virus scanner
  •   Virus risk assessment – the Trend Micro online virus protection assessment
      program for corporate networks