Install the Endpoint Security Manager Server Software

1. Before you begin:
   • Verify that the server meets the requirements described in ESM Server Software Requirements.
   • Obtain an authorization code from your Palo Alto Networks Account Manager or reseller and Activate Traps Licenses.
   • Obtain the software from https://support.paloaltonetworks.com (TOOLSSOFTWARE UPDATESFilter By: Endpoint Security Manager).
2. Initiate the ESM Server software installation. You can also install the ESM Server using Msiexec (see Install Traps Components Using Windows Msiexec).
   1. Double click the ESMCore installation file.
   2. Click Next to begin the setup process.
   3. On the End User License Agreement dialog, select the I accept the terms in the License Agreement check box and then click Next.
   4. Keep the default installation folder or click Change to specify a different installation folder and then click Next.
3. Specify the security level for communication between the ESM Server and the Traps agents.
   To encrypt communication over SSL, use a server-client certificate file (PFX format) and supply the password for decrypting the private key.

   

   1. Specify the ESM Server port to use for access to the server or keep the default setting (2125).
   2. Select the certificate configuration method:
      • External Certificate (SSL)—Encrypt communication between the server and the agents over SSL (default). Then Browse to the server-client certificate and enter the password required to decrypt the private key.
      • No Certificate (no SSL)—Do not encrypt communication between the server and the agents (not recommended).
   3. Click Next.
4. Configure the settings that enable communication between the ESM Server and the database.
   To set up access to the database, you must specify the authentication method and a user that has administrative privileges to administer the database. The username (and password) that you enter depend on the type of authentication method that you select: either Windows authentication (recommended) or SQL server authentication.

   

   1. Enter the fully qualified domain name or IP address of the database Server Name. If your SQL Server uses an instance other than the default, you must also include the instance name in the format <servername>\<instance>.
   2. Enter the name of the Database Name.
   3. Select the method of authentication and enter the account credentials. This account must also be added as a database owner on the database server (for more information, see Configure the MS-SQL Server Database).
      • Use Windows Authentication to authenticate using a Windows domain user account that has privileges to administer the database server and enter the Domain\User (for example, mydomain\administrator) and Password.
      • Use SQL Server Authentication to authenticate using a local user that has privileges to administer the database and enter the Login and Password.
   4. To enable secure communication between the ESM Server and the database using TLS/SSL 1.2:
      1. Select Secure DB Connection (SSL). This option enables the ESM Server to encrypt communication between the ESM Server and the database.
      2. For even stricter security, select the option to Validate SQL Server Certificate Signer. This enables the ESM Server to validate that the certificate the database presents matches a specific certificate. For validation to succeed, you must import the database certificate into Trusted Root Certification Authorities.

      Secure communication between the ESM Server and the database is supported with only SQL Server Enterprise or SQL Server Standard.
   5. Click Next.
      If one or more ESM Servers already connect to the database, the installer prompts you to join the database cluster of ESM Servers. If you select Yes, the installer obtains the remaining installation settings from the database. Skip to step 7 to complete the installation.
5. Set the password to uninstall the Traps software.

   

   1. Enter and then confirm an uninstall password, which must be eight characters or more. You will be prompted for this password any time you or a user tries to uninstall Traps software.
      After installing the ESM Server software, you can Change the Uninstall Password at a later date by creating an agent settings rule using the ESM Console.
   2. Click Next.
6. Import the Traps license. If you choose not provide a Traps license during installation, you will have read-only access to the ESM Console until you add a valid Traps license.

   

   1. Browse to the license file and then click Open. If you do not have a license, contact your Account Manager, reseller, or go to https://support.paloaltonetworks.com.
      The installer displays license details for the license file.
   2. Click Next.
7. Complete the installation.
   1. Click Install.
   2. When the installation is complete, click Finish.