6.1.2. Procedure – Installing Zorp Authentication Agent with Group Policy Object (GPO) deployment

Prerequisites: 

  • Create the necessary certificates as described in Procedure 11.3.8.2, Creating certificates in Zorp Professional 7 Administrator Guide.

  • Set the parameters for the ZAS certificate.

  • Export the CA certificate signed by ZAS in .der format for the Windows client.

Steps: 

  1. Download the installer in .exe format. The browser application or the Windows Defender Cloud might display a notification or a warning because the installer program is new and unknown; this can be disregarded.

  2. Install the Windows Client and import the CA certificate during the installation. Reboot the system if necessary.

  3. Define the preferences with the help of the GUI or via the registry.

  4. Test the expected behaviour by initiating traffic.

  5. Export the following registry keys:

    • Export the HKEY_CURRENT_USER\Software\BalaBit\Satyr registry key to the hlcuzaa.reg file, which contains the user settings for ZAA. The result shall be as follows:

      Windows Registry Editor Version 5.00
      
      [HKEY_CURRENT_USER\Software\BalaBit]
      
      [HKEY_CURRENT_USER\Software\BalaBit\Satyr]
      "Has preferences"=dword:00000000
      "SSL"=dword:00000001
      "Automatic"=dword:00000001
      "Details"=dword:00000000
      "Can Remember"=dword:00000001
      "Forget Password"=dword:00000000
      "Forget Password Interval"=dword:00000001

    • The ZAA Client is a 32-bit executable that runs on both 32-bit and 64-bit systems. If the target system is a 32-bit system (for example, 32-bit Windows), the following solution is required:

      Export the HKEY_LOCAL_MACHINE\SOFTWARE\BalaBit\Satyr registry key, which contains the ZAA Multiplexer settings, to the hklmzaa32.reg file. The result shall be as follows:

      Windows Registry Editor Version 5.00
      
      [HKEY_LOCAL_MACHINE\SOFTWARE\BalaBit]
      
      [HKEY_LOCAL_MACHINE\SOFTWARE\BalaBit\Satyr]
      "InstallLang"="1033"

    • If the target system is a 64-bit system, export the HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BalaBit\Satyr registry key to the hklmzaa64.reg file, which contains the multiplexer settings. The result shall be as follows:

      Windows Registry Editor Version 5.00
      
      [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BalaBit]
      
      [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BalaBit\Satyr]
      "InstallLang"="1033"

      Note

      If the ZAA Client will be used on both 32-bit and 64-bit systems, create both registry files by adding or removing the WOW6432Node string in the key paths. ZAA will use the corresponding one.

      For more details, see 32-bit and 64-bit Application Data in the Registry.

      Later, at deployment, both sets of keys can safely be distributed to the target system as duplicated keys, as detailed at the following site: Registry key WOW6432Node may be listed in system registry in 32 bit (x86) version of Windows 7.

      The service private certificate store, used by the ZAA Multiplexer, can also be deployed as a registry key.

    • Export the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services\satyr-mpxd registry key to the hklmzaacert.reg file. The result shall be as follows:

      Windows Registry Editor Version 5.00
       
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services\satyr-mpxd]
       
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services\satyr-mpxd\SystemCertificates]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services\satyr-mpxd\SystemCertificates\MY]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services\satyr-mpxd\SystemCertificates\MY\Certificates]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services\satyr-mpxd\SystemCertificates\MY\Certificates\6421DCB8501C2E1F15DB8BD3A94F435C01DB7CD3]
      "Blob"=hex:03,00,00,00,01,00,00,00,14,00,00,00,64,21,dc,b8,50,1c,2e,1f,15,db,\
      ...
      ...
      ...
      ...
      ...
        64,0a,87,e9,45,99,04,9e,28,cb,c0,6c,2a,e5,c7,cb,ce,29,d8,b1,e1

      Note

      The system can automatically create several empty key paths; these can safely be included in the export.

    For further details on registries, see Section 4.1.1, Registry entries on Microsoft Windows platforms in Zorp Authentication Agent Manual.

    As a result, four registry files are exported.

  6. Switch to the GPO administrator system, download the .msi version of the ZAA installer, and place it in the Windows share where the other remotely installed applications are stored.

  7. Continue with the procedures detailed in section Procedure 4.1.5, Configuring Group Policy Object (GPO) deployment in Zorp Authentication Agent Manual.
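
Step 5 scripted in PowerShell, as an added example that is not part of the Zorp documentation. The key paths and file names are the ones given in step 5; the output folder C:\zaa-gpo-export is an assumption, and the script assumes an elevated PowerShell session whose bitness matches the operating system, on the client configured in steps 1-4.

```powershell
# Added example, not vendor code. Run on the reference client after steps 1-4.
# Assumptions: elevated session whose bitness matches the OS; $OutDir is a
# made-up output folder. Key paths and file names are those given in step 5.
$OutDir = 'C:\zaa-gpo-export'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# The 32-bit ZAA Client keeps its machine settings under WOW6432Node on 64-bit Windows.
$is64 = [Environment]::Is64BitOperatingSystem
if ($is64) {
    $hklmKey = 'HKLM\SOFTWARE\WOW6432Node\BalaBit\Satyr'; $hklmFile = 'hklmzaa64.reg'
} else {
    $hklmKey = 'HKLM\SOFTWARE\BalaBit\Satyr';             $hklmFile = 'hklmzaa32.reg'
}

$exports = @(
    @{ Key = 'HKCU\Software\BalaBit\Satyr'; File = 'hlcuzaa.reg' },
    @{ Key = $hklmKey;                      File = $hklmFile },
    @{ Key = 'HKLM\SOFTWARE\Microsoft\Cryptography\Services\satyr-mpxd'; File = 'hklmzaacert.reg' }
)
foreach ($e in $exports) {
    & reg.exe export $e.Key (Join-Path $OutDir $e.File) /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Export of $($e.Key) failed" }
}

# Per the Note in step 5: derive the file for the other bitness by adding or
# removing WOW6432Node in the key paths (-replace is case-insensitive).
$text = Get-Content -Path (Join-Path $OutDir $hklmFile) -Raw
if ($is64) {
    $other = 'hklmzaa32.reg'
    $text  = $text -replace '\\SOFTWARE\\WOW6432Node\\BalaBit', '\SOFTWARE\BalaBit'
} else {
    $other = 'hklmzaa64.reg'
    $text  = $text -replace '\\SOFTWARE\\BalaBit', '\SOFTWARE\WOW6432Node\BalaBit'
}
# reg.exe writes UTF-16LE with a BOM; keep that encoding for the derived file.
Set-Content -Path (Join-Path $OutDir $other) -Value $text -Encoding Unicode -NoNewline

# Sanity check: all four files exist and start with the version 5.00 header.
foreach ($name in 'hlcuzaa.reg', 'hklmzaa32.reg', 'hklmzaa64.reg', 'hklmzaacert.reg') {
    $first = Get-Content -Path (Join-Path $OutDir $name) -TotalCount 1
    if ($first -ne 'Windows Registry Editor Version 5.00') { throw "$name is missing or not a .reg export" }
}
```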