
NETSCOUT

Server Administrator Guide

Release Version 6.3.2

Doc ID 733-1574, Rev. F/ August 2021

nGeniusONE | nGenius for Flows | nGenius Configuration Manager | nGenius Session Analyzer |
nGenius Subscriber Cache | nGenius Performance Manager
NETSCOUT Server Administrator Guide

© NETSCOUT CONFIDENTIAL & PROPRIETARY


Ver. 6.3.2 | August 2021
733-1574 Rev. F

Use of this product is subject to the End User License Agreement available at http://www.NetScout.com/legal/terms-and-conditions
or which accompanies the product at the time of shipment or, if applicable, the legal agreement executed by and
between NetScout Systems, Inc. or one of its wholly-owned subsidiaries (“NETSCOUT”) and the purchaser of this product
(“Agreement”).

Government Use and Notice of Restricted Rights: In U.S. government (“Government”) contracts or subcontracts, Customer will
provide that the Products and Documentation, including any technical data (collectively “Materials”), sold or delivered pursuant
to this Agreement for Government use are commercial as defined in Federal Acquisition Regulation (“FAR”) 2.101 and any
supplement and further are provided with RESTRICTED RIGHTS. All Materials were fully developed at private expense. Use,
duplication, release, modification, transfer, or disclosure (“Use”) of the Materials is restricted by the terms of this Agreement and
further restricted in accordance with FAR 52.227-14 for civilian Government agency purposes and 252.227-7015 of the Defense
Federal Acquisition Regulations Supplement ("DFARS") for military Government agency purposes, or the similar acquisition
regulations of other applicable Government organizations, as applicable and amended. The Use of Materials is restricted by the
terms of this Agreement, and, in accordance with DFARS Section 227.7202 and FAR Section 12.212, is further restricted in
accordance with the terms of NETSCOUT’S commercial End User License Agreement. All other Use is prohibited, except as
described herein.

This Product may contain third-party technology. NETSCOUT may license such third-party technology and documentation
("Third-Party Materials") for use with the Product only. In the event the Product contains Third-Party Materials, or in the event
you have the option to use the Product in conjunction with Third-Party Materials (as identified by NETSCOUT in the
Documentation provided with this Product), then such third-party materials are provided or accessible subject to the applicable
third-party terms and conditions contained either in the “Read Me” or “About” file located in the Software or on an Application
CD provided with this Product, or in an appendix located in the documentation provided with this Product. To the extent the
Product includes Third-Party Materials licensed to NETSCOUT by third parties, those third parties are third-party beneficiaries of,
and may enforce, the applicable provisions of such third-party terms and conditions.

Open-Source Software Acknowledgement: This product may incorporate open-source components that are governed by the GNU
General Public License ("GPL") or licenses that are compatible with the GPL license (“GPL Compatible License”). In accordance
with the terms of the GNU GPL, NETSCOUT will make available a complete, machine-readable copy of the source code
components of this product covered by the GPL or applicable GPL Compatible License, if any, upon receipt of a written request.
Please identify the product and send a request to:

NETSCOUT SYSTEMS, INC
GNU GPL Source Code Request
310 Littleton Road
Westford, MA 01886
Attn: Legal Department


To the extent applicable, the following information is provided for FCC compliance of Class A devices:

This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the
FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is
operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not
installed and used in accordance with the instruction manual, may cause harmful interference to radio communications.
Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required
to correct the interference at their own expense.

Modifications to this product not authorized by NETSCOUT could void the FCC approval and terminate your authority to
operate the product. Please also see NETSCOUT’s Compliance and Safety Warnings for NetScout Hardware Products
document, which can be found in the documents accompanying the equipment, or in the event such document is not
included with the product, please see the compliance and safety warning section of the user guides and installation
manuals.

No portion of this document may be copied, photocopied, reproduced, translated, or reduced to any electronic medium or
machine form without prior consent in writing from NETSCOUT. The information in this document is subject to change without
notice and does not represent a commitment on the part of NETSCOUT.

The products and specifications, configurations, and other technical information regarding the products described or referenced
in this document are subject to change without notice and NETSCOUT reserves the right, at its sole discretion, to make changes
at any time in its technical information, specifications, service, and support programs. All statements, technical information, and
recommendations contained in this document are believed to be accurate and reliable but are presented "as is" without
warranty of any kind, express or implied. You must take full responsibility for their application of any products specified in this
document. NETSCOUT makes no implied warranties of merchantability or fitness for a purpose as a result of this document or
the information described or referenced within, and all other warranties, express or implied, are excluded.

Except where otherwise indicated, the information contained in this document represents the planned capabilities and intended
functionality offered by the product and version number identified on the front of this document. Screen images depicted in this
document are representative and intended to serve as example images only.

Copyright © NETSCOUT 2009-2018. All rights reserved.

733-1574-F

210409

Table of Contents

NETSCOUT Server Administrator Guide
Table of Contents
What's New in 6.3.2
Revision History
1 Overview
1.1 nGeniusONE Servers
1.1.1 Clustered Server Types
1.1.2 Node Server Types
1.1.3 Servers Based on nGeniusONE
1.1.4 Child Nodes with Discrete Architecture
1.1.5 Automated Failover Functionality
1.1.6 Platform Options
1.1.7 Software
1.2 Related Product Servers
1.2.1 nGenius Session Analyzer
1.2.2 nGenius Subscriber Cache
2 Preparation
2.1 Before you Begin...
2.1.1 System Requirements
2.1.2 Supported Data Source Versions
2.1.3 Network Requirements
2.1.4 Client Requirements
2.2 Preparing to Upgrade
2.2.1 Supported Upgrade Paths
2.2.2 Sequence of Upgrade
2.2.3 Record Settings
2.2.4 Considerations for Upgrading Data Sources
2.2.5 Considerations for Upgrading Distributed Environments
2.3 Prepare Worksheets
2.3.1 Worksheet for Installation / Upgrade
2.3.2 Worksheet for Configuration
2.4 Rack the Server
2.5 Cable the Server
2.5.1 Component Location
2.5.2 Cabling the Physical Console Port
2.5.3 Cabling the Manage Port
2.5.4 Cabling the iDRAC Port
2.5.5 Cabling Power
2.6 Configure Basic Networking
2.7 Obtain Software
2.7.1 Locating and Downloading Software
2.7.2 Validating Downloads
2.7.3 Installer Reference
2.8 Register Key to Generate License
3 Installation and Upgrade
3.1 Installing on Linux
3.1.1 Installer Sequence Overview
3.1.2 Installing / Upgrading the Server
3.2 Installing on Windows
3.2.1 Installer Sequence Overview
3.2.2 Running the Installer
3.3 Migrating from PM to nGeniusONE
3.3.1 Performance Manager vs. nGeniusONE
3.3.2 Migrating from PM to nGeniusONE Verification
4 Server Configuration
4.1 Using the nGApplianceConfig Script (Linux)
4.2 Configuring the Server (Windows)
4.2.1 Changing the IP Address
4.2.2 Changing the Web Port Number
4.2.3 Changing the Host Name
4.2.4 Changing the Date / Time or Time Zone
4.2.5 Changing the Server Type
5 Recovery
5.1 Uninstalling NETSCOUT Software
5.2 Restoring NETSCOUT Software (Linux)
5.3 Upgrading the Operating System (Linux)
6 Maintenance
6.1 Accessing the Appliance OS
6.1.1 Connecting Locally
6.1.2 Connecting Remotely
6.2 Stopping and Restarting the System
6.2.1 Manually Stopping / Starting a Server
6.2.2 Using Server Management to Stop / Start
6.3 Adding Servers
6.3.1 Adding a Child Node
6.3.2 Integrating a Related Server
6.3.3 Integrating an Authentication Source
6.4 Configuring Authentication for Web Access
6.4.1 Authentication Modes
6.4.2 Preparing for External Authentication
6.4.3 Native (Local)
6.4.4 SAML
6.4.5 nGenius CM
6.4.6 OAM
6.4.7 Authentication: LDAP
6.4.8 RADIUS
6.4.9 SiteMinder
6.4.10 TACACS+
6.4.11 Windows
6.5 Managing Users
6.5.1 User Privileges
6.5.2 nGenius Session Analyzer Privileges
6.5.3 Configuring Decode Options
6.6 Configuring Security
6.6.1 Security Information (Linux)
6.6.2 Managing Passwords
6.6.3 Enabling a Login Security Message
6.6.4 Configuring SSL/TLS
6.6.5 Configuring Syslog Forwarding
6.7 Working with Backups
6.7.1 Creating a Blank Database with Existing Configurations
6.7.2 Restoring from a Full Backup
6.8 Converting Servers
6.8.1 Converting nGeniusONE Servers
6.8.2 Converting a Secondary Server to a Primary Server
6.8.3 Converting a Standby to a Primary Server
6.8.4 Testing the Standby Server Conversion
6.9 Working with Licenses
6.9.1 Understanding License Types and Options
6.9.2 Monitored Elements Supported per License
6.9.3 Register Key to Generate License
6.9.4 Installing the License
6.10 Changing Server Identity
6.10.1 Changing the Server Address or Hostname
6.10.2 Changing the Web Access Port with websecure
6.10.3 Changing the Web Access Port Manually
6.10.4 Modifying Server to Data Source Communication Port
6.10.5 Configuring the Server to Use an IPv6 Address
6.10.6 Configuring the Server to Use a Hostname
6.10.7 Configuring DNS Resolution
6.11 Configuring Alerts
6.11.1 Scripts for Alert Actions
6.11.2 Overriding Alert / Trap Destinations
6.11.3 Forwarding Alerts to a Syslog Server
6.11.4 Configuring SNMP Traps
6.11.5 Using the SNMPV3UserConfig Script
6.11.6 Enabling Certificate Expiration Alerts
6.11.7 Resetting Alert Baselines
6.12 Performing Remote Upgrades
6.12.1 Upgrading Decode Pack Software Remotely
6.12.2 Appliance Software Upgrade Parameters
6.12.3 Upgrading Data Source Software Remotely
6.13 Additional Tasks
6.13.1 Changing Time Source and Time Zone
6.13.2 Troubleshooting Issues and Solutions
6.13.3 Adjusting Memory Allocation
6.13.4 Configuring Localization
7 nGeniusONE Feature Configuration
7.1 Global Settings
7.1.1 Global Settings - Applications
7.1.2 Global Settings - Applications
7.1.3 Global Settings - Locations
7.1.4 Global Settings - Voice/Video
7.2 Decryption
7.2.1 Static and Dynamic Key Exchange
7.2.2 Supported Protocols
7.2.3 Configuring SSL and TLS Decryption
7.2.4 Using the HSM to Configure SSL/TLS Decryption
7.2.5 Importing Multiple SSL/IPSec Decryption Keys
7.3 Packet Analysis Extended File Names
8 nGenius Session Analyzer
8.1 nGenius Session Analyzer Servers and License Distribution
8.1.1 Primary and Secondary Servers
8.1.2 Number of Type 1 Licenses Needed
8.1.3 Type 1 License
8.1.4 Server Resilience
8.1.5 RAN License Distribution
8.1.6 License Enforcement for SpIprobe 14U, 3U, and 2U
8.2 nGenius Session Analyzer Deployment Models and Guidelines
8.2.1 Option 1 - Deployment with InfiniStreamNG Only
8.2.2 Option 2 - Deployment in nGenius CM with Legacy Probes
8.2.3 Option 3 - Deployment with Legacy Probes and RAN
8.2.4 nGenius Session Analyzer in Cloud Environments
8.3 Configuring nGenius Session Analyzer
8.3.1 Configuring nSA Nodes and Devices
8.3.2 Migrating from OAM to nGenius Configuration Manager
8.3.3 Replicating Files from an nSA Primary to Secondary Server
8.3.4 Configuring MPC Rulesets
8.3.5 Configuring nGenius Session Analyzer Services
8.3.6 Configurable nGenius Session Analyzer User Interface Options
8.3.7 Configuring nGenius Session Analyzer Drilldown from nGeniusONE
8.3.8 nGenius Session Analyzer Visibility to G10/GeoBlade in nGenius CM Mode
8.3.9 Configuring Failure and Timeout Indication in nGenius CM Authentication Mode
8.3.10 Enabling Access of SpIprobes in nGenius CM Mode
8.3.11 Configuring PCAPng Export for Scheduled Capture
8.3.12 Configuring nGenius Subscriber Cache Digit Types
8.3.13 Configuring DigitMasking_Default.xml
8.3.14 Mapping Global Title Translation Digit Types
8.3.15 User Plane Capture Configuration
8.4 Log, Backup, and Config Files
8.4.1 nGenius Session Analyzer Log Files
8.4.2 Backed-Up File Locations
8.4.3 Post-Upgrade Configuration File Retention
9 nGenius Subscriber Cache (SCS)
9.1 nGenius Subscriber Cache (SCS) Resilience
9.2 nGenius Subscriber Cache Licensing
9.3 nGenius Subscriber Cache (SCS) Sizing
9.4 Configuring nGenius Subscriber Cache (SCS)
9.4.1 Trusted Key for nGenius Session Analyzer and ISA Servers
9.4.2 Configuring nGenius Subscriber Cache Digit Types
9.4.3 Configuring nGenius Subscriber Cache File Retention
9.4.4 nGenius Subscriber Cache File Collector Configuration
9.5 nGenius Subscriber Cache (SCS) Logs
A NETSCOUT Servers
A.1 Products Based on nGeniusONE Architecture
A.2 Related products with Discrete Architecture
A.3 Legacy Products
A.4 nGeniusONE Servers
A.4.1 Global Managers
A.4.2 Dedicated Global Managers
A.4.3 Standalone Servers
A.4.4 Local Servers
A.4.5 Standby Servers
A.4.6 Options for Virtual Environments
A.4.7 nGenius Configuration Manager
A.5 nGenius for Flows Servers
A.5.1 NetFlow Overview
A.5.2 IP SLA Test Types
A.5.3 IP SLA Requirements
A.5.4 IP SLA Overview
A.5.5 Getting Started With IP SLA
A.5.6 Activating IP SLA Test Types
A.5.7 Creating a File to Import SAA Device Configurations
A.5.8 Changing Router Duplex State
A.5.9 NetFlow and sFlow Collection Overview
A.6 Related Products with Discrete Architecture
A.6.1 nGenius Business Analytics
A.6.2 nSI
A.6.3 Pulse
A.6.4 nGenius TrueCall
A.7 nGenius Performance Manager
A.7.1 Installing and Accessing the nGenius (Performance Manager) Client
B Tools & Utilities
B.1 Dell Tools
B.1.1 Working with iDRAC
B.1.2 Managing Systems with OMSA
B.1.3 Collecting System Information with DSET
B.1.4 Using the PERC Utility to Rebuild a Virtual Drive
B.2 NETSCOUT Tools
B.2.1 exportcli
B.2.2 nGeniusSQL
B.2.3 ngconfigsync
B.2.4 nscertutil
B.2.5 nstool
B.2.6 snmpv3script
B.2.7 techsupp
B.2.8 websecure
B.3 Ansible
B.3.1 Constraints
B.3.2 Terminology
B.3.3 nGenius Ansible Package
B.3.4 Ansible Controller Prerequisites
B.3.5 Setting up Ansible
B.3.6 Ansible Playbooks
B.4 Splunk Dashboard App
B.4.1 Configuring nGeniusONE Notification Center Violations
B.4.2 Installing the Splunk nGeniusONE App on the Splunk Search Head
B.4.3 Configuring the Launch Point for the nGeniusONE URL
B.4.4 Configuring the Splunk Forwarder on the Syslog Server
B.4.5 Configuring Collection on the Splunk Search Head - Receiving Violation Events from Notification Center over Port 514
C Ports
C.1 Port Requirements
C.1.1 Required / Core Ports
C.1.2 Required Client Console Ports
C.1.3 Optional IPMI / Remote Management Ports
C.1.4 Optional External Authentication Servers
C.1.5 Optional External Services
C.1.6 Required Internal-only / Loopback Ports
C.2 Network Port Topology
D Processes
D.1 Server Process Descriptions
D.2 Windows Services
D.3 Server Processes by Server Type
E Properties Files
E.1 Modifying the client.properties File
E.2 Modifying the serverprivate.properties File
E.3 Modifying the serverpublic.properties File
E.4 Modifying the umcclient.properties File
E.5 Modifying the vvmserver.properties File
E.6 Procedures using Property Files
E.6.1 Enabling Certificate Expiration Alarms
E.6.2 Forwarding Situations
E.6.3 Using the nGConfigSync Script
E.6.4 Configuring Export of WAV Files for nGenius UC Server
F Hardware
F.1 Appliance Details: Dell R740 Server
F.1.1 Hardware Overview
F.1.2 Status Indicators
F.1.3 Environmental Specifications

What's New in 6.3.2


The NETSCOUT Server Administrator Guide 6.3.2 includes these new features.

New Features (each entry lists the guide sections that cover it)

SAML Authentication Support
Sections: Authentication: SAML; nGenius CM
nGeniusONE and nGenius Configuration Manager now support Security Assertion Markup Language
(SAML) V2.0 for authentication and authorization data with an identity provider (IdP). SAML
support includes:
• Mapping of IdP user attributes and IdP groups to nGeniusONE/nGenius Configuration Manager
• Single Sign-on (SSO) support
SAML is also supported for nGenius Session Analyzer when using nGenius Configuration Manager
or nGeniusONE for authentication.

nCM Authentication Renamed to nGenius CM Authentication
Sections: Authentication: nGenius CM
nCM authentication, the authentication method used by trusted servers with nGeniusONE and
nGenius Configuration Manager, is now called nGenius CM authentication. The nGenius CM
interface includes options for enabling and configuring the newly introduced SAML
authentication type.

nGenius CM Configuration Support for Migration of ISNG Geo to ISNG ASI+ Mode
Sections: Migrating from OAM to nGenius Configuration Manager
This feature allows administrators of InfiniStreams with nGenius Session Analyzer to centrally
manage and update the deployment and instrumentation-specific configuration. The centralized
management provides for consistent application of configuration across instrumentation without
requiring administrators to manually log in to individual instrumentation.
Refer to the InfiniStreamNG (Geo Mode) Deployment Guide and the Guide to the RESTful API for
nGeniusONE Configuration for configuration details.

License Enforcement for 14U/3U/2U in nSA
Sections: License Enforcement for 14U, 3U, and 2U
nGenius Session Analyzer and nGenius Configuration Manager (nGenius CM) enforce Type 1 license
counts for the 14U, 3U, and 2U instrumentation. This static enforcement of Type 1 licenses for
14U, 3U, and 2U applies to both nGenius CM and OAM mode.

Global Title Handling in ISNG-Geo
Sections: Mapping Global Title Translation Digit Types
nGenius Session Analyzer with InfiniStreamNG (Geo) now supports:
• Global Title mapping to pointcodes for full nSA visibility and capabilities for all legs
• Global Title search capability
These two new digit types are available in the Advanced View Session list:
• GTTCallingNumber
• GTTCalledNumber
nSA can display GTTCallingNumber and GTTCalledNumber in Session Details columns and use the
digit types as search filters. MPC rules on GTTCalledNumber between INAP and ISUP and between
INAP and GSM A-Interface are now included in the default MPC ruleset. Additional MPC rules on
global title digits can be added as customized MPC rules on site with the help of Customer
Support.

Red Hat Linux 8 and Oracle Linux 8 Support
Sections: Server Platform Requirements; Upgrading the Operating System (Linux)
Red Hat 8 and Oracle Linux 8 are now supported for these products:
• nGeniusONE
• nGenius Performance Manager
• nGenius Configuration Manager Standalone
• nGenius TrueCall
• nGenius Session Analyzer
• nGenius Subscriber Cache (SCS)
• Omnis Cyber Investigator
CentOS 6 stopped receiving maintenance updates in November 2020. In alignment, NETSCOUT has
deprecated support of CentOS 6 with the 6.3.2 release. NETSCOUT still supports CentOS 7.

Automation - Ansible Playbook Support for nGenius Server Platform
Sections: Ansible
NETSCOUT provides a base set of Ansible playbooks that lets you use Ansible to automate
deployment of nGeniusONE software to multiple hosts with a single command. You can use the
nGeniusONE Ansible Playbook to deploy nGeniusONE software to virtual or physical hosts running
any supported Linux versions.


Revision History
| Date | Revision | Reference | Summary |
|---|---|---|---|
| April 2021 | A | NETSCOUT Administrator Guide | See What's New in 6.3.2. |
| May 2021 | B | Migrating from PM to nGeniusONE Verification | Updated verification section for migrating from Performance Manager to nGeniusONE. |
| | | What's New in 6.3.2 | Updated supported products list for Red Hat Linux 8 and Oracle Linux 8 Support feature. |
| | C | Exclude Certain Digit Values in MPC Searches | Added mpcExcludeList section for NS-88162. |
| | | Splunk Dashboard App | Updates to Splunk procedures. |
| July 2021 | D | Supported Upgrade Paths | 6.3.2 Build 854 release |
| | | Authentication: SAML | |
| | | nGenius CM | |
| August 2021 | E | Configuring nGenius Subscriber Cache Digit Types | Removed the LocalConf config sections for nGenius Subscriber Cache (SCS) digit types |
| | | Understanding License Types and Options | Updates to Cloud Adaptor Smart Edge Monitoring license. |
| | F | System Requirements | Added minimum partitioning requirements. |
| | | Register Key to Generate License | Updated to reflect current MasterCare process. |

1 Overview
The NETSCOUT Server Administrator Guide provides information needed to upgrade, install,
configure, manage, and maintain nGeniusONE servers and related product servers based on the
nGeniusONE architecture. nGeniusONE servers include nGeniusONE, nGenius
Configuration Manager, and nGenius for Flows, among others. Related product servers include
nGenius Session Analyzer and nGenius Subscriber Cache. Omnis Cyber Investigator is not
covered in this guide. This guide also provides information about configuring nGeniusONE,
nGenius Session Analyzer, and nGenius Subscriber Cache (SCS) features and functionality.

To successfully perform the administration tasks in this guide, you should be familiar with these
concepts and products:
• TCP/IP networking environments
• Web servers and browsers
• The operating system applicable to your network (Linux or Windows)

For current information about new features and enhancements, resolved issues, and known
issues with software, refer to each product's release notes. For information on using
nGeniusONE and other products' modules, refer to the online help included with the software.
For documentation related to other NETSCOUT products, visit https://my.NETSCOUT.com.

See these sections:
• nGeniusONE Servers
• Related Product Servers

1.1 nGeniusONE Servers


The nGeniusONE server architecture underlies a variety of NETSCOUT products. Depending on
your deployment, it may be possible to install the server as a standalone, single server or as a
managing (parent) server in a distributed configuration. For each of these products, the options
vary for setting up a distributed deployment. This chapter provides an overview of how the
servers may relate to each other in your deployment. In particular, the nGeniusONE architecture
employs different methods to add nodes to a parent server. Review the following descriptions to
better understand terminology in this guide and how it applies to your deployment.

Note: Certain nGeniusONE installers include the legacy Performance Manager features and
client software. Refer to the Installer Reference for details.


1.1.1 Clustered Server Types


The installer for nGeniusONE allows selection of the server type as either a Global (distributed)
type or a Standalone type. Depending on your choice, the server is configured with an
additional set of processes to function as a Local Server (managing devices). The installer for
products based on the nGeniusONE architecture may automatically configure your product as one
of these options, such as a Global Manager. After installation, the type of server selected during
installation and enabled during licensing is reflected in Server Management.

Note: nGenius for Flows servers, which are used to manage and monitor MIB-II devices,
follow the same guidance for Standalone, Global Manager, and Dedicated Global Manager
servers. An nGenius for Flows server is set up as one of those types, then enabled with an
nGenius for Flows license (see nGenius for Flows Servers).

1.1.1.1 Cluster Parents


These server types can be the parent in a distributed deployment. The same guidelines apply to
any product based on the nGeniusONE architecture that supports global management features.
• Global Manager (GM) — Global Manager is one of the options available for selection
  during installation of an nGeniusONE server. The Global Manager has two server instances.
  Its primary (Global) "server" handles centralized configurations, roll-up warehousing, and
  communication for all the servers in a cluster. It also includes a Local Server (see below), to
  manage devices directly from that server and to retrieve the data associated with those
  devices.
  You can use the Global Manager to centralize management and analysis of data collected
  from remote, child nGeniusONE servers. To set up a cluster, you select the Global Manager
  itself in the Server Management GUI, then Add a Local Server and supply the address and
  credentials for a Standalone server.
• Dedicated Global Manager (DGM) — This type is a license-based switch of a server from a
  Global Manager to a dedicated server management role. The Dedicated Global Manager
  provides the same functionality as a Global Manager but does not directly manage devices.
  Instead, devices are managed by the child Standalone (remote Local) servers that you add
  to this Dedicated Global Manager. This server type is installed and configured as for a
  Global Manager, then its license type enables the specific, dedicated function. Note that
  you cannot add a Global Manager to a DGM. You must first convert a Global Manager to a
  Standalone server type. You can add a Standby Server to a Dedicated Global Manager as a
  failover backup.
• nGenius Configuration Manager (nGenius CM) — Also referred to as Standalone nGenius
  Configuration Manager, which reflects that it has only the configuration modules and none
  of the analytic modules of an nGeniusONE server. This server has a separate installer that
  bypasses type selection. nGenius CM is used only as an authentication source for related
  child servers based on nGeniusONE architecture, such as nGenius Business Analytics,
  nGenius Session Analyzer, and nGenius Subscriber Cache. It is not used to manage
  nGeniusONE servers.


1.1.1.2 Cluster Children


These servers can be children of a Global or Dedicated Global Manager in a clustered
environment. For a non-clustered environment, the Standalone server is the "parent."
• Local Server — Every nGeniusONE server has a server process running locally, to manage
  core server functions on that system. In some cases, such as Standalone, the process is not
  separately identified in Server Management.
  This type is not selected during installation, but is automatically included with Global
  Manager and Dedicated Global Manager configurations. That Local Server appears as a
  separate entity in Server Management, by default, with the same IP Address as the
  GM/DGM on which it resides. In a clustered/distributed deployment, a parent Global
  Manager or Dedicated Global Manager also controls remote Local Servers that are part of
  the cluster.
  When you add another nGeniusONE server to a GM or DGM, it appears as a "Local" in the
  Server Management list. This reflects the relationship of the servers. The parent Global
  Manager provides the configuration for the child server, so you only need to "see" the local
  server on that remote child, which is responsible for managing a set of devices and sending
  data up to the parent server.
• Standalone Server — Standalone is one of the server types available for selection during
  installation of an nGeniusONE server. This type provides analytic and configuration
  modules from a single server, without the functionality to manage child nGeniusONE
  servers. The Standalone server type can be added as a child node to a Global Manager or
  Dedicated Global Manager. When that occurs, the server type is changed from Standalone
  to Local. Standalone servers can also be configured as an authentication source for certain
  server products (listed below). They can also add trusted child servers (such as
  nGenius Business Analytics) to receive data and/or access to devices managed by the
  server. A Standalone server is NOT used to manage other servers, though. It provides
  analytics, configuration, and authentication to associated servers, but that structure is not a
  cluster/distributed deployment. Note that this is also the type to select during installation
  and configuration when you are setting up a server for use as a Standby.

1.1.2 Node Server Types


As mentioned in the Cluster Children section, above, some deployments have child nodes that
function as a distributed network of data monitoring points. These are added as children from
the parent server's Server Management module. Some deployments may have child nodes that
use an nGeniusONE server as an authentication/configuration source only. Other node types
are not part of a cluster but use the nGeniusONE server as a means to access configuration,
licensing, and data. This section provides an overview of the three different classes of nodes, to
help understand the different mechanisms used to integrate with the parent server.

1.1.2.1 nGeniusONE-based Child Nodes


This section describes the servers that have the same architecture and are used for backup or as
remote monitoring nodes around your network, as part of your cluster.

• (Remote) Local: If your parent server is a Global Manager or a Dedicated Global Manager,
you can add other nGeniusONE Standalone servers to create a clustered deployment. You
do this from the parent server by selecting the Global row before selecting the Add button
in the Server Management GUI. When you select the Global row, the Add menu includes an
option to add a "Local Server." This refers to the remote server that will be managed
locally. Use this method to add a Standalone server to the cluster.
• Standby Server — This server type provides redundant functionality to ensure continuous
operations should the server it is standby for become unavailable. Use your standard
installer to set up this server as a Standalone server type, then add it as a Standby server in
the Server Management GUI. This type can be added in Server Management on an
nGeniusONE server, a Standalone server, or an nGenius Configuration Manager server to
provide redundancy for that parent.
• NewsStand Server — (Deprecated) This option may appear in certain installers but is a
legacy feature for remote servers hosting reports in a newspaper format.

1.1.3 Servers Based on nGeniusONE


These server types share underlying architecture with nGeniusONE¹:
• nGenius Session Analyzer
• nGenius Subscriber Cache

See 1.2 Related Product Servers.

1.1.4 Child Nodes with Discrete Architecture


This section describes the servers that interoperate with nGeniusONE but have different
architecture and so are not directly managed in the cluster. These servers do not provide data as
part of a distributed cluster and are not managed by the nGeniusONE parent. Instead, the parent
provides these child nodes with access to data, devices, licensing information and other assorted
configuration details. Trusted nodes may be thought of as consumers receiving information. Each
of these servers is installed and configured separately, then added as a child server from within
the Server Management GUI. If your parent server type supports this feature, it will be offered as
an option in the Add Server menu.
• nGenius Business Analytics / nGenius ASI Stream (nAS)² — (nBA/nAS) This is a platform
for Self Service Analytics and data-enablement projects based on ASI+ data. Integrating this
server type allows it to authenticate to other cluster nodes as a standard member, polling
data directly from the devices managed by the cluster nodes (or the Standalone). See the
nGenius Business Analytics documentation for more details, including installation and
configuration instructions.
• nGeniusPULSE — (Pulse) This infrastructure testing solution monitors the availability and
health of servers and network devices. It can be integrated with nGeniusONE servers for
contextual drilldown from nGeniusONE analytic tools to the integrated nGeniusPULSE
server. When integrated with nGeniusONE, this product retrieves configurations from the
managing server (which applications to transmit to the Pulse server), and accesses certain
statistics computed on the nGeniusONE server about the monitored data. It does not
transmit ASI data. Note that integration requires additional steps, as mentioned in Pulse
• nGenius Subscriber Intelligence — (nSI) This service provider solution provides session
tracing and analysis. This server type uses the ASRs from nGeniusONE deployments. It can
be integrated to use the User Management and Authentication options from the managing
server. See the nGenius Subscriber Intelligence documentation for more details, including
installation and configuration instructions.

¹ Omnis Cyber Investigator has its own server administrator guide.
² Indicated server types can also be added in Server Management on an nGenius Configuration Manager server.

1.1.5 Automated Failover Functionality


Automated failover is designed to support a high level of server availability. The functionality is
based on the concept of designating a Standby Server for either a Dedicated Global Manager
(DGM) or a Local Server.

A Standby Server is paired with an Active Server, which is either a DGM or Local Server, and
backs up all the data produced and stored on the Active Server. The Standby Server
automatically assumes the duties of the Active Server when it fails. Failback is not supported. A
Standby Server cannot revert back to a former Active Server.

To enable a converted server to act as a DGM Primary and vice-versa, apply both DGM and
Standby licenses to both Primary DGM and Standby servers.

1.1.5.1 Dedicated Global Manager Failover


All the Local Servers and the Standby server actively monitor the health of the Active Dedicated
Global Manager by sending periodic health check messages. When the Standby server detects
that the Active server is down or in a non-functional state, it also consults the Local Servers. If
more than 50% of the Local Servers also report the same status, the Standby server takes over
the duties of the Active Dedicated Global Manager Server.

1.1.5.2 Local Server Failover


The Dedicated Global Manager and the Standby server both actively monitor the health of the
Active Local Server by sending periodic health check messages. When the Standby Server detects
that the Active Server is down or in a non-functional state, it also consults the Dedicated Global
Manager. If the Dedicated Global Manager also reports the same status, the Standby Server
takes over the duties of the Active Server.

1.1.5.3 General Automated Failover Considerations


Consider these points regarding automated failover:
• For automated conversion, no manual intervention is needed.
• The Standby checks the state of the Primary server every 2 minutes by default. This
frequency is property based: primary.server.health.check.interval=2
• If the Primary is down for a certain period of time while being upgraded or debugged, the
Standby server does not perform any action or automated conversion.
• If three consecutive Primary server health checks fail, the Standby server promotes itself as
Primary after six minutes at minimum (3*2=6 min).
• If each server has its own certificate, a Standby server with an imported SSL certificate will
transition and activate properly in the event of failure.
• Set standby.auto.fail.over.enable=false if you want to deactivate Automated Failover and
convert to Standby manually.

See Automated Failover Parameters and 5 Recovery for more information.
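The promotion rules from sections 1.1.5.1 to 1.1.5.3, modelled as an added example (this is not NETSCOUT code). Only the two property names, the 2-minute interval, the three-check threshold and the 50% rule come from this guide; the class and function names, the reset of the failure counter on a healthy or maintenance check, and the retry on the next check when the witnesses disagree are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FailoverConfig:
    check_interval_min: int = 2   # primary.server.health.check.interval (guide default)
    auto_failover: bool = True    # standby.auto.fail.over.enable
    failures_needed: int = 3      # consecutive failed checks before promotion


def load_config(properties_text: str) -> FailoverConfig:
    """Read the two failover properties named in the guide from key=value text."""
    cfg = FailoverConfig()
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "primary.server.health.check.interval":
            cfg.check_interval_min = int(value)
        elif key == "standby.auto.fail.over.enable":
            cfg.auto_failover = value.lower() == "true"
    return cfg


def witnesses_confirm(active_role: str, reports_down: List[bool]) -> bool:
    """Second opinion the Standby needs before it takes over.

    active_role "DGM":   witnesses are the Local Servers; strictly more than
                         50% must also report the Active server as down.
    active_role "LOCAL": the single witness is the Dedicated Global Manager.
    """
    if active_role == "DGM":
        return bool(reports_down) and sum(reports_down) * 2 > len(reports_down)
    if active_role == "LOCAL":
        return len(reports_down) == 1 and reports_down[0]
    raise ValueError("active_role must be 'DGM' or 'LOCAL'")


# One health-check cycle: (primary_healthy, witness_reports_down, maintenance)
Check = Tuple[bool, List[bool], bool]


def promotion_minute(cfg: FailoverConfig, active_role: str,
                     checks: List[Check]) -> Optional[int]:
    """Return the minute at which the Standby promotes itself, or None."""
    if not cfg.auto_failover:
        return None                      # manual conversion only
    consecutive = 0
    for cycle, (healthy, reports, maintenance) in enumerate(checks, start=1):
        if healthy or maintenance:
            consecutive = 0              # assumption: counter resets
            continue
        consecutive += 1
        if consecutive >= cfg.failures_needed and witnesses_confirm(active_role, reports):
            return cycle * cfg.check_interval_min
        # assumption: if witnesses disagree, the Standby re-checks next cycle
    return None


if __name__ == "__main__":
    cfg = load_config("primary.server.health.check.interval=2\n"
                      "standby.auto.fail.over.enable=true\n")
    # Constructed timeline: DGM down, two of three Local Servers agree.
    down = (False, [True, True, False], False)
    print("DGM standby promotes at minute", promotion_minute(cfg, "DGM", [down] * 3))
    # Constructed timeline: exactly half of the Local Servers agree (not > 50%).
    split = (False, [True, False], False)
    print("Split vote:", promotion_minute(cfg, "DGM", [split] * 3))
```

A split vote among an even number of Local Servers never reaches the "more than 50%" threshold, so a two-Local cluster needs both Local Servers to agree before the Standby DGM takes over.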

1.1.6 Platform Options


nGeniusONE is supported on a variety of platforms, from hardware-based Linux or Windows
servers to virtual / cloud-based configurations. Certain products based on nGeniusONE
architecture are only supported on Linux. Consult release notes for your specific product to
understand whether Windows is supported. While this guide is primarily for use with the
NETSCOUT-built product, the core instructions are conceptually the same for all the platform
types.
• NETSCOUT-built nGeniusONE Server: This is an optimized Linux server hardware
platform purchased with nGeniusONE software already installed on a Dell hardware
platform. Depending on when you purchased the server, it may be based on the Dell
PowerEdge platform.
For this type, NETSCOUT provides application software and an OS restore DVD.
• Custom-built nGeniusONE Server: This is a software-only option, for which you supply a
Linux or Windows hardware platform that meets system requirements and install
nGeniusONE software yourself. For this type, the application software is provided.
OS restore procedures can be followed for context, but you will need to use your own
kernel kit to recover the system, if necessary.
• Virtual nGeniusONE Server: A variety of virtual deployment environments are supported
for nGeniusONE including VMware, AWS, Azure, OpenStack, and Ubuntu. A summary of
these options and the associated reference guide to follow for installation is provided in
the chapter on: Options for Virtual Environments.

1.1.7 Software
The standard nGeniusONE Server package contains the following software to be used in the
event that reinstalling the software and/or operating system is required:
• Restore DVD: CentOS 7 based kernel image and the installer for the Linux-based
nGeniusONE (and nGenius Performance Manager) application and nGenius Subscriber
Intelligence.
• Application DVD: Installer for the nGeniusONE application only. A DVD is provided for
both Windows and Linux installers.

For software only or virtual deployments, a Restore DVD is not applicable. For these
deployments, a list of those installers is provided in Options for Virtual Environments.

NETSCOUT software and documentation are also available online by logging into your
MasterCare account at: https://my.NETSCOUT.com.

For information on configuring nGeniusONE features and functionality, see nGeniusONE Feature
Configuration.

1.2 Related Product Servers


These server types share underlying architecture with nGeniusONE¹:
• nGenius Session Analyzer
• nGenius Subscriber Cache

For nGenius Session Analyzer and nGenius Subscriber Cache, integration is done in each related
product's Server and Users > Authentication Source module instead of adding each server as
a child server in the nGeniusONE or nGenius Configuration Manager Server Management.

nGenius Session Analyzer and nGenius Subscriber Cache have separate installers but share
underlying architecture with nGeniusONE, so the basic setup of these products is the same as
nGeniusONE.

Use these sections to prepare, install or upgrade, configure, and maintain nGeniusONE, nGenius
Session Analyzer, or nGenius Subscriber Cache servers:
• Preparation
• Installation and Upgrade
• Server Configuration
• Maintenance

Refer to these sections to configure product-specific features:
• Configuring nGenius Session Analyzer
• Configuring nGenius Subscriber Cache (SCS)

1.2.1 nGenius Session Analyzer


nGenius Session Analyzer provides analytics of subscriber data but does not directly manage
data sources. Instead, it must be integrated with another server that provides this data. The
parent server can be either an nGeniusONE or nGenius Configuration Manager server, or an
OAM server. When integrated, the applicable data sources on those servers are visible to the
nGenius Session Analyzer server, and also provide authentication and configuration parameters.

Since integrating this server type also affects authentication, the integration is done in the
nGenius Session Analyzer Server and Users > Authentication Source GUI, rather than adding
it directly as a child server in the nGeniusONE or nGenius Configuration Manager Server
Management GUI. You can add a second nGenius Session Analyzer server through nGenius
Session Analyzer Server Management to create a distributed cluster. The installer automatically
configures the server so it is not necessary to specify Global or Standalone.

For nSA-specific feature configuration, see 8 nGenius Session Analyzer.

¹ Omnis Cyber Investigator is covered in a separate server administrator guide.

1.2.2 nGenius Subscriber Cache


nGenius Subscriber Cache, also known as Subscriber Cache Server (SCS), is used to provide
optimized retrieval of subscriber data when integrated with an nSA or ISA server. From Server
Management on this server, you can add either a Secondary nGenius Subscriber Cache server or
an nSA or ISA server. The latter procedure creates a trusted relationship for providing data to
that caching server. For the Primary/Secondary relationship, multiple nGenius Session Analyzer
servers must point to the same nGenius Subscriber Cache server. The installer automatically
configures the server so it is not necessary to specify Global or Standalone.

For SCS-specific feature configuration, see 9 nGenius Subscriber Cache (SCS).

2 Preparation
Refer to the following chapters as applicable for the administration activity you need to perform.

Note: Any time you perform a software configuration procedure, whether it is an upgrade or
re-running a configuration script, NETSCOUT recommends you complete the information
worksheets.

• Review Requirements
• Complete Information Worksheets
• Rack the Server
• Configure Basic Networking
• Obtain Software
• Obtain the License

After completing the above steps, you are prepared to perform an installation or upgrade and to
install the license and configure the server.

2.1 Before you Begin...


For new installation of custom deployments, for upgrades, or recovery, NETSCOUT recommends
a careful review of your deployment requirements before you use the installers. Use this chapter
to review:
• System Requirements
• Supported Data Source Versions
• Network Requirements
• Client Requirements

Additionally, if applicable, review the chapter on upgrade considerations.

2.1.1 System Requirements


The resources required for a server running nGeniusONE-based software are dependent on
several factors, as illustrated by the memory/CPU scenarios below. Your specific deployment
may require additional resources, as various attributes of your environment can affect the
memory, processor, and disk requirements. Consult with your NETSCOUT representative, if
needed, for appropriate sizing guidance.

Note:
• The installer runs a System Resource Check to ensure that the minimum resources are
available for operation. This check ensures that the minimum memory, minimum
processor capacity, and approved operating system are available. For Linux servers the
check also verifies the existence of the necessary RPMs before continuing with the
installation or upgrade.
• In a distributed environment, the System Resource Check is run on the Global Manager
and all of its child Local Servers. The minimum resources must be available on each of
these servers. If the minimum is not met, the upgrade is aborted and none of the
servers is upgraded. This ensures that all of the servers in a distributed environment
are capable of an upgrade and that the Global Manager can perform remote upgrades.
• NETSCOUT products are designed and tested on dedicated servers. Third-party network
management software, database agents, port scanners, and security software installed
on the same server may lead to port conflicts and compromise the behavior and
performance of the NETSCOUT products.
Table 2.1 - Server Platform Requirements

Component             Specification
--------------------  ------------------------------------------------------------
Operating system      Oracle Linux 8-8.3
                      Red Hat Enterprise Linux 7-8.3
                      CentOS 7-7.8
                      • Red Hat Linux 6 and CentOS 6 OS stopped receiving
                        maintenance updates in November 2020. In alignment,
                        NETSCOUT has deprecated support. nGenius servers still
                        support these versions, but support in future releases is
                        not guaranteed.
                      • Red Hat Linux 7 and CentOS 7 are still supported.
                      Windows 2012 R2, 2016, 2019
                      NOTE: Recent patches and software releases for nGeniusONE
                      include OpenJDK Runtime Environment build 11.0.10+9 and
                      update Apache Tomcat to 9.0.35.
                      Refer also to Options for Virtual Environments.

Processors¹           Minimum of 8 CPUs, depending on your deployment. See example
                      section below.

Memory                • Minimum: 48 GB
                      • Recommended: 64 GB
                      nGenius Subscriber Cache - Based on network size and varies
                      per customer. Recommended is 256 GB, but may require up to
                      384 GB.

Storage               RAID 5
                      • Minimum: 500 GB
                      • Recommended: 4 TB
                      Partitioning minimum
                      • /var - 20GB
                      • /tmp - 20GB
                      After granting the necessary space to the OS, NETSCOUT
                      recommends allocating all remaining space to /opt for the
                      NETSCOUT dbone database.

Media device          DVD drive

Power supply          Dual, redundant power supplies
configuration

IP address            Static IP address
                      NOTE: Before installing on a server that has two or more NIC
                      cards with different IP addresses, verify that the IP address
                      to be used by the server is listed first in your system hosts
                      file, as described in Configure Basic Networking.

Access privileges     You must have read, write, create, and delete privileges for
                      the directories or folders where you install/upgrade
                      nGeniusONE (root user for Linux; Administrator for Windows).

DirectX               DirectX 8.1 or higher. In addition, all graphics hardware and
(Windows only)        drivers must fully support the appropriate DirectX version.
                      You can download and install the most recent DirectX version
                      from the Microsoft website.

¹ An nGenius Configuration Manager Server has fewer requirements since it is not providing
analytics processing. A minimum of 16GB of memory and 8 CPUs is recommended.

The following example applies to nGeniusONE.

Table 2.2 - Example Memory and Processor Requirements - nGeniusONE

Scenario                                    Processor¹      Memory   HD Capacity²
------------------------------------------  --------------  -------  ------------
Fewer than 25 Concurrent Users on a         24 (net) CPUs   64 GB    8 TB
Standalone Server
< 15 million flows with < 50 physical
interfaces

Maximum of 100 Concurrent Users on a        32 (net) CPUs   128 GB   22 TB
Standalone Server
< 35 million flows with < 100 physical
interfaces

¹ "Net CPUs" reflects accommodation of processors with hyperthreading. For example, 16
physical CPUs without hyperthreading is 16 net CPUs. With hyperthreading, however, the net
CPUs are 32.
² Based on default retention period.

The following table shows virtual nGenius Session Analyzer server requirements.

Table 2.3 - Virtual nGenius Session Analyzer Requirements

vCPU   Memory                  Concurrent Users/Queries   Hard Disk
-----  ----------------------  -------------------------  ----------------------
12     • Minimum: 48 GB        50                         • Minimum: 500 GB
       • Recommended: 64 GB                               • Recommended: 4 TB

Language Support

NETSCOUT servers are supported for use in English, Japanese, Korean, and Simplified Chinese.
You must configure the server for an alternate language prior to beginning your installation, or
remove/reinstall the software, to change the language. You also must select a language choice
during installation.

• If you need to uninstall the software, refer to Uninstalling NETSCOUT Software.
• For guidance preparing your system to use an alternate language, refer to Configuring
Localization.

Considerations for Custom-Built Servers

If you choose to use a custom-built server, note that system requirements vary for small or very
complex deployments. NETSCOUT recommends that your server meet or exceed the
specifications contained in System Requirements, above, and that you work with your local
NETSCOUT representative for guidance specific to your environment. If you are preparing to
install the NETSCOUT Server software on a custom-built server, review the additional
recommendations listed below.
• Disable any remote connection software (such as pcAnywhere or Dell OpenManage) that is
running.
• Disable any defragmentation software (such as Diskeeper) on the directory where
NETSCOUT software will be installed.
• Exclude the NETSCOUT directory from your anti-virus scanning to prevent locking
problems.

2.1.2 Supported Data Source Versions


The nGeniusONE Server relies on packet data supplied by data sources such as those below.
NETSCOUT recommends the data sources also be on the same software version as the
managing server. The versions indicated below are compatible for use with a v6.3.2 NETSCOUT
server. Note, however, that certain features may require the data source and server be running
the same version of software.
• InfiniStream appliance running v6.0.1 or later
• vSTREAM virtual appliance running v6.1.1 or later
• vSTREAM Agent running v6.2.1 build 437 or later
• UC Collector appliance running v6.0.1 or later
• nGenius Collector:
  ◦ 3400H running v6.2.1 or later
  ◦ 3300/TS running v6.0.1 or later
  ◦ 3300D/LS running v6.0.1 or later
  ◦ VI3300 virtual appliance running v6.0.1 or later

2.1.3 Network Requirements


Review the following as you plan your deployment and before you add data sources and provide
user access to your server.
• Ensure that the server, data source, and all client systems are registered in the DNS for
proper name resolution.
• Review the section on ports to ensure no port conflicts occur in your environment or on
your custom server, if applicable.
• ICMP Ping must be open to allow communication between the nGeniusONE Server and
physical data sources such as InfiniStream appliances.
• For 6.3.1 and later fresh installs, nGeniusONE uses port number 8443 for client HTTPS
connections by default. If you prefer, you can specify a different web server port number
and protocol. Note, however, that if you change communication port numbers, you will
need to adjust the communication port configured on the monitoring data sources.
For guidance modifying ports, refer to related topics in the maintenance section of this
guide and to the InfiniStream Hardware Appliance Administrator Guide.

2.1.4 Client Requirements


nGeniusONE software is accessed through a web-driven interface. Use the following as a
guideline for users who will be accessing the server.

Component                 Specification
------------------------  --------------------------------------------------------
Recommended Browsers      Chrome 80 or higher
                          Firefox 75 or higher
                          Edge 44 or higher
                          Safari 13 or higher
                          IE 11 is supported but not recommended for these reasons:
                          • Frequent vulnerabilities
                          • Lack of support
                          • Performance not equal to other browsers
                          Recent patches and software releases for nGeniusONE
                          include an important JRE update to 1.8_241.
                          The following additional software is required to use
                          nGenius Performance Manager:
                          • Adobe Flash Player 32-bit¹
                          • Java Runtime Environment (JRE) v1.8.0_121 or later
                          If using Performance Manager Java client plugin access,
                          you must use Internet Explorer 11 with the Java plugin.

Processor                 2 GHz or higher

Available operating       2 GB free memory or higher
system memory

Available disk space      250 MB or higher

Desktop Display Settings  Desktop resolution: 1024 x 768 minimum

2.2 Preparing to Upgrade


Take note of the considerations in this section before proceeding with an upgrade procedure.

Note: Contact Customer Support if any of the following apply to you:
• You are moving the software from one machine to another machine.
• You have any concerns about doing the upgrade.

2.2.1 Supported Upgrade Paths


The 6.3.2 Build 854 release is supported for upgrade from the following versions:
• 6.3.2 Build 426
• 6.3.1 Build 1004*
• 6.3.1 Build 964
• 6.3.1 Build 835
• 6.3P2
• 6.3P*
• 6.3
• 6.2.2

*nGeniusONE, Virtual nGeniusONE, nGenius Performance Manager, and nGenius for Flows only.

To upgrade from an earlier version, you must first upgrade to one of the above versions.
NETSCOUT recommends performing a database backup before upgrading.

2.2.2 Sequence of Upgrade


• Read the release notes for versions following the one currently installed, all the way to the
one to which you wish to upgrade. Doing so will familiarize you with changes to the
product—including new features and other considerations.
• Review the supported upgrade paths.
• Ensure system requirements are met.
• Record customized settings.
• Upgrade servers before upgrading data sources and upgrade parent servers before
upgrading child servers.

2.2.3 Record Settings


Although automated backups are made of the entire <NETSCOUT install>/rtm directory during
an upgrade, NETSCOUT recommends keeping records of any properties files or other files that
you have customized, because some settings are reset to defaults or otherwise modified during
an upgrade. Note the following recommendations:
• Make note of the current settings, using the Installation/Configuration Worksheet.
• The <NETSCOUT install>/rtm directory is backed up to folders labeled
rtm_BACKUP_FOR_xxx (where xxx is the version).
• If you have customized memory settings, you should not return to those settings after
upgrading. The upgrade process sets the memory settings for optimal performance for the
new version. If you believe there is an issue after the upgrade, contact Customer Support
for assistance, rather than modifying these files again.
• If you activated HTTPS and SSL on your NETSCOUT Server and you created your own Server
Certificate and Server Private Key files using names other than the server's default names
(server.crt and server.key), record those file names.

2.2.4 Considerations for Upgrading Data Sources


NETSCOUT recommends servers and data sources be on the same version.

Always upgrade servers before the data sources. The NETSCOUT server also supports remote
upgrade for certain data sources, such as InfiniStream appliances. Refer to the online help for
guidance using server management and device configuration to remotely upgrade supported
data sources, or to the data source documentation for manual upgrade instructions.

2.2.5 Considerations for Upgrading Distributed Environments


The following considerations apply when upgrading in a cluster:
• All servers in a clustered environment must be run at the same version.
• Upgrade the Global Manager / Dedicated Global Manager before upgrading the child /
Local Servers.
• While the Global Manager and local servers are at different version levels, each local server
functions when accessed directly. Server operations continue with no loss of data.
However, the Global Manager's data is not synchronized from the remote servers until the
versions are consistent.
• Refer to online help for guidance using Server Management to upgrade data sources and
to perform remote upgrade of child servers.

2.3 Prepare Worksheets


Before you begin an installation, restore, or upgrade, be sure to collect the following details.
Some are required for installation and some for configuration. Always have these at hand before
changing your deployment.

Note: The nGeniusONE installer overwrites the existing iptables file (or firewall rules). If you
wish to preserve the current configuration, make a record of the settings you need to preserve.
After installing nGeniusONE, refer to the recorded settings to modify the new iptables file. Do
not overwrite the new file.
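One way to work from the recorded settings, shown as an added example (not part of the NETSCOUT installer or this guide): compare a rule set saved with iptables-save before installation against the one present afterwards, and list the custom rules and chain policies that were dropped so they can be merged into the new file by hand. Both rule sets below are constructed samples; the "after" sample only stands in for the installer's output.

```python
import re
from collections import OrderedDict

COUNTERS = re.compile(r"^\[\d+:\d+\]\s*")  # "[pkts:bytes]" prefix from `iptables-save -c`

# Constructed sample: rules recorded with `iptables-save` before installation.
BEFORE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p udp --dport 161 -j ACCEPT
COMMIT
"""

# Constructed sample standing in for the rules present after installation.
AFTER = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 8443 -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """Parse iptables-save output into {table: {"policies": {...}, "rules": [...]}}."""
    tables = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = COUNTERS.sub("", raw.strip())
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # start of a table block
            current = tables.setdefault(line[1:], {"policies": OrderedDict(), "rules": []})
        elif line == "COMMIT":                        # end of a table block
            current = None
        elif current is None:
            raise ValueError("line outside a *table block: %r" % line)
        elif line.startswith(":"):                    # ":CHAIN POLICY [counters]"
            chain, policy = line[1:].split()[:2]
            current["policies"][chain] = policy
        elif line.startswith("-A "):
            # Collapse whitespace so spacing differences are not reported.
            current["rules"].append(" ".join(line.split()))
    return tables


def rules_lost(before_text, after_text):
    """Rules present before installation but absent afterwards, in original order."""
    before = parse_iptables_save(before_text)
    after = parse_iptables_save(after_text)
    lost = []
    for table, data in before.items():
        kept = set(after.get(table, {"rules": []})["rules"])
        lost.extend((table, rule) for rule in data["rules"] if rule not in kept)
    return lost


def policy_changes(before_text, after_text):
    """Chain default policies that differ, as (table, chain, old, new)."""
    before = parse_iptables_save(before_text)
    after = parse_iptables_save(after_text)
    changes = []
    for table, data in before.items():
        new_policies = after.get(table, {"policies": {}})["policies"]
        for chain, old in data["policies"].items():
            new = new_policies.get(chain)
            if new != old:
                changes.append((table, chain, old, new))
    return changes


if __name__ == "__main__":
    for table, rule in rules_lost(BEFORE, AFTER):
        print("re-add by hand to table %s: %s" % (table, rule))
    for table, chain, old, new in policy_changes(BEFORE, AFTER):
        print("policy changed in %s/%s: %s -> %s" % (table, chain, old, new))
```

The output is a merge list for editing the new file, in line with the note above; it is not meant to be fed back with a restore that replaces the installer's rules.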

2.3.1 Worksheet for Installation / Upgrade


Review and complete this worksheet prior to running the installer for new installations or
upgrades.

Each entry below lists the Parameter, its Notes, and a Value field for you to complete.

Parameter: Language
    Notes: nGeniusONE-based software is supported for use in English, Japanese, Korean, and
        Simplified Chinese. You must configure the server for an alternate language prior to
        beginning your installation, or remove/reinstall the software, to change the language.
        You also must select a language choice during installation.
    Value:

Parameter: Installation path
    Notes: Default path is /opt/NetScout for Linux (C:/Netscout for Windows)
    Value:

Parameter: Server Type
    Notes: For certain deployments, you are prompted to specify the server type. If this option
        is not offered, there is only one type applicable for your deployment so it is set
        automatically.
        The following options are available for nGeniusONE and nGenius for Flows. For all other
        server products based on the nGeniusONE architecture, the type is automatically set to
        Global (Primary).
        Global Manager: Select this type if the server is to be:
        • a standard Global Manager (manages devices on other servers and also supports
          devices being added directly)
        • a Dedicated Global Manager (no direct devices associated with this server, purely
          management).
        Standalone: Select this type if the server is to:
        • manage devices in a non-distributed deployment.
        • be configured as a standby server.
        • be converted to a Global Manager at a later date (this can be done with the
          nGApplianceConfig script).
    Value:

Parameter: Host name
    Notes: Read from /etc/hosts, which should have been configured prior to installation or
        upgrade.
    Value: Ensure /etc/hosts file is updated to contain host name and IP of your server prior
        to install.
        Example:
        10.10.10.10 testserver.test.com testserver

Parameter: Host address
    Notes: Also read from /etc/hosts
    Value:

Parameter: Web port
    Notes: This is the port for users to access the GUI; 8443 by default for fresh installs;
        previous value for upgrades from pre-6.3.1 releases.
    Value:

Parameter: Web protocol
    Notes: Web transport protocol. Default is HTTPS for fresh installs or previous value for
        upgrades from pre-6.3.1 releases.
    Value:

Parameter: User account name
    Notes: Initial account for accessing the GUI and managing the server
    Value:

Parameter: User password
    Notes: Password for the above user account.
        Use 8-15 alphanumeric characters with at least one number; non-printing characters
        such as spaces or tabs are not supported.
    Value:

Parameter: Database password
    Notes: A value must be provided here; non-printing characters such as spaces or tabs are
        not supported.
    Value:

2.3.2 Worksheet for Configuration


Review and complete this worksheet to prepare for use of the nGApplianceConfig script (Linux
only), which is used for the second stage of configuration during first-time installations. Use
the same worksheet for Windows installations; the same information is required, although no
script is used.

Each entry below lists the Parameter, its Notes, and a Value field for you to complete.

Parameter: IP address
    Notes: For eth0. Be prepared to specify IPv4 / IPv6 / or both (dual-stack).
    Value:

Parameter: Subnet mask
    Notes: For eth0
    Value:

Parameter: Gateway
    Notes: For eth0
    Value:

Parameter: Host name
    Notes:
    Value:

Parameter: Network domain name
    Notes:
    Value:

Parameter: Name (DNS) server(s)
    Notes: At least one is required
    Value:

Parameter: Time Server(s)
    Notes: (optional) If selected, you are offered to configure for NTP, PTPv1, PTPv2.
        NETSCOUT recommends you use the same time server for all systems in the deployment.
    Value:

Parameter: Time zone
    Notes: (optional) If selected, you are offered menus to choose a zone and region.
    Value:

Parameter: Server type
    Notes: For certain deployments, you are prompted to specify the server type. If this option
        is not offered, there is only one type applicable for your deployment so it is set
        automatically.
        The following options are available for nGeniusONE and nGenius for Flows. For all other
        server products based on the nGeniusONE architecture, the type is automatically set to
        Global (Primary).
        Global Manager: Select this type if the server is to be:
        • a standard Global Manager (manages devices on other servers and also supports
          devices being added directly)
        • a Dedicated Global Manager (no direct devices associated with this server, purely
          management).
        Standalone: Select this type if the server is to:
        • manage devices in a non-distributed deployment.
        • be configured as a standby server.
        • be converted to a Global Manager at a later date (this can be done with the
          nGApplianceConfig script).
    Value:

Parameter: Eth1 interface
    Notes: (optional) If you opt to configure this, the fields below are required.
        IP Address
        Subnet Mask
        Gateway
    Value:

2.4 Rack the Server


For first time installations, set up the hardware for the nGeniusONE Server. Servers shipped
from NETSCOUT are based on the Dell PowerEdge series. Rack mount and cable the
server according to the instructions included with the kit. Additional information about cabling,
mounting, and environmental specifications is available on the following web pages:
l Dell R740: https://www.dell.com/support/home/us/en/bsd/product-support/product/poweredge-r740/research
l Dell R730: http://www.dell.com/support/home/us/en/bsd/product-support/product/poweredge-r730xd/research
l Dell R720: http://www.dell.com/support/home/us/en/19/product-support/product/poweredge-r720/research

Note:
l Before installing the above hardware-based appliances, please refer to compliance and
safety warnings, available online at:
http://www.dell.com/learn/us/en/uscorp1/regulatory-compliance.
l For software-only deployments (you are providing the hardware), rack and cable the
hardware according to documentation associated with that hardware.
l For virtual deployments, refer to the documentation described in Options for Virtual
Environments.

2.5 Cable the Server


Use the information in this section to complete cabling of your server, in preparation for initial
setup.

2.5.1 Component Location


Each server has a common set of connector types, in slightly different locations on the unit. Refer
to these diagrams as you complete cabling tasks in this section.


2.5.2 Cabling the Physical Console Port


You will need a console connection to complete configuration of the server (set IP address,
gateway address, network mask, et cetera). Cable a serial console terminal to the indicated serial
port, or skip to the next section if you plan to connect a virtual terminal after bootup. (More
details are in Accessing the Appliance OS.)

2.5.3 Cabling the Manage Port


The appliance uses the eth0 port for management and communication. Ports are auto-sensing
and should be connected before powering up the appliance.

2.5.4 Cabling the iDRAC Port


The server includes a dedicated port for remote management via web-based interface. Connect
this Ethernet port to a network from which you will be managing the appliance. Refer to the
overview of typical iDRAC usage in the tools section of this guide for more details.

2.5.5 Cabling Power


Do not power on the unit until all other cabling is complete. Each server is shipped with two AC
power cords. During normal operation, the power supply modules share the load between them,
which increases the reliability of the power supplies. When one of the power modules fails, the
other module takes on the full load of the system. Refer to Appliance Specifications for
details on the maximum power consumption.

WARNING: Read all safety warnings and installation instructions before you make any power
supply connections or perform any maintenance tasks on a power supply. Safety warnings
are provided in NETSCOUT’s Compliance and Safety Warnings for nGenius® Hardware Products
available on the https://my.NETSCOUT.com website.
1. Complete all cabling connections before you power the appliance.
2. Connect the AC power cord into the appliance power socket before connecting the other
end to a power source.
3. Ensure that you connect power cords to both power supplies to avoid false system alarms.
4. Wait to power on the system until you have reviewed the preparations for new appliances,
or for installation / upgrades (or restore).


2.6 Configure Basic Networking


After cabling the server to your network, configure basic network connectivity for it before
installing software.

Prepare your information worksheets before proceeding with this and any software installation,
upgrade, or configuration step. You can adjust the networking options again later with a
configuration script, after installation or upgrade, but having the information at hand saves
you from having to restart steps partway through.

1. Use a direct terminal connection to access a login prompt for the system.
2. For Windows:
Log in to the Windows server with an account that has administrator privileges. (Do not
use a cloned version of the Administrator account.)
For Linux:
Access the system command-line as the root user. If you have logged in as a different user
and assumed privileges with su, be sure to use su -l <root account> so that the full
environment is instantiated before you proceed.
3. Set the host name and address in the hosts file. If you have more than one NIC on your
system, the nGeniusONE installation program uses the first IP address it finds. Therefore,
it is important that the IP address you want to use for accessing the nGeniusONE Server is
the first entry in the hosts file. Verify this prior to running an nGeniusONE installer.

For Windows:
a. From Start > Control Panel > Network Connections, select Local Area Connection.
b. Click Properties.
c. Select Internet Protocol (TCP/IP) and click Properties.
d. Ensure that “Use the following IP address” is selected and that the server IP address
displays.
e. Click Advanced.
f. In the IP Settings tab, ensure that the server IP address displays at the top of the list.
g. Close all dialog boxes.
4. Add the new server's IP address and host name to the DNS Server or to the hosts file of
every client system that connects to the system hardware.
5. (IPv6 deployments only) Review the following additional requirements, which are relevant
only if you do not plan to run the nGApplianceConfig.plx script:
l Ensure the address is in the /etc/hosts file as illustrated below: 
2001:0dB8:1219::87:aeb1:2be7 mysystem.netscout.com mysystem
127.0.0.1 localhost.localdomain localhost
l Ensure that the /etc/hosts file on any related servers (the current server, related child
nGeniusONE servers, external authentication servers, and DNS servers) contain an
IPv6 address-to-hostname mapping.
l For external authentication, a domain entry is not supported for IPv6.
l Ensure the following lines are in the /etc/sysconfig/networking/devices/ifcfg-eth0 file:
NETWORKING_IPV6=yes
IPV6INIT=yes
USERCTL=yes
IPV6_AUTOCONF=no
6. Reboot the system to instantiate the changes.
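
A pre-installation check for steps 3 and 5, as an added example rather than a NETSCOUT script: it confirms that the first entry in the hosts file carries the address and host name you intend the installer to pick up, and that the four IPv6 settings listed above are present in the interface file. The function names and sample files are constructed, and "first entry" is taken to mean the first line that is neither blank nor a comment.

```shell
#!/bin/sh
# Pre-installation checks for the hosts file and the eth0 interface file.
# Added illustration; function names are hypothetical, not part of any NETSCOUT tool.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print the first entry of a hosts file, ignoring blank lines and comments.
first_hosts_entry() {
    awk '{ sub(/#.*/, "") } NF { print; exit }' "$1"
}

# check_hosts_first FILE IP HOSTNAME
# Succeeds only if the first entry carries IP and lists HOSTNAME (short or FQDN).
check_hosts_first() {
    if [ ! -r "$1" ]; then
        echo "cannot read $1" >&2
        return 1
    fi
    chf_entry=$(first_hosts_entry "$1")
    if [ -z "$chf_entry" ]; then
        echo "no entries in $1" >&2
        return 1
    fi
    read -r chf_ip chf_names <<EOF
$chf_entry
EOF
    # Case is folded because IPv6 hex digits and host names are case-insensitive.
    # The address must otherwise be written the same way (no re-compression is done).
    if [ "$(lower "$chf_ip")" != "$(lower "$2")" ]; then
        echo "first entry is $chf_ip, expected $2" >&2
        return 1
    fi
    for chf_name in $chf_names; do
        if [ "$(lower "$chf_name")" = "$(lower "$3")" ]; then
            return 0
        fi
    done
    echo "first entry does not name $3" >&2
    return 1
}

# check_ifcfg_ipv6 FILE
# Succeeds only if every IPv6 setting the guide lists is present and uncommented.
check_ifcfg_ipv6() {
    cii_missing=0
    for cii_setting in NETWORKING_IPV6=yes IPV6INIT=yes USERCTL=yes IPV6_AUTOCONF=no; do
        cii_key=${cii_setting%%=*}
        cii_val=${cii_setting#*=}
        # Optional double quotes around the value are accepted.
        if ! grep -Eq "^[[:space:]]*${cii_key}=\"?${cii_val}\"?[[:space:]]*\$" "$2$1"; then
            echo "missing in $1: $cii_setting" >&2
            cii_missing=1
        fi
    done
    return $cii_missing
}

# Constructed sample files that mirror the guide's illustrations.
sample=$(mktemp -d)
cat > "$sample/hosts" <<'EOF'
2001:0dB8:1219::87:aeb1:2be7 mysystem.netscout.com mysystem
127.0.0.1 localhost.localdomain localhost
EOF
cat > "$sample/ifcfg-eth0" <<'EOF'
DEVICE=eth0
NETWORKING_IPV6=yes
IPV6INIT=yes
USERCTL=yes
IPV6_AUTOCONF=no
EOF
check_hosts_first "$sample/hosts" 2001:0db8:1219::87:aeb1:2be7 mysystem && echo "hosts file: OK"
check_ifcfg_ipv6 "$sample/ifcfg-eth0" && echo "ifcfg-eth0: OK"
rm -rf "$sample"
```

On the server, point the two functions at /etc/hosts and the ifcfg-eth0 file before launching the installer.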

2.7 Obtain Software


NETSCOUT software is provided as a DVD with your original order or as a download from the
Customer Support website. Software installers (for installation or upgrade) and certain OS
restore images are available on the NETSCOUT website.

This chapter provides guidance on the following:


l List of software installers for servers based on the nGeniusONE server architecture
l List of installers for data sources that you may use to upgrade your related data sources
after installation or upgrade of your server
l List of related OS files for use in your NETSCOUT deployment
l Procedure for locating and downloading application and OS software
l Procedure for validating integrity of downloads

2.7.1 Locating and Downloading Software


The procedure below summarizes how to locate software downloads using the NETSCOUT
support website.

Note: If you are using a DVD, you can copy those files from the DVD to your system, rather
than downloading. The installation and upgrade instructions presume the file is located in the
directory indicated below, and has execute permissions set as indicated.

1. Locate your MasterCare account credentials, then access the following URL:
https://my.NETSCOUT.com.
2. From the top navigation ribbon, select Licensing & Downloads.
3. From the displayed page, locate and select the appropriate product.
4. Select the appropriate product version at the top of the page.
5. From the table at the bottom of the page, select the tab for Downloads.
6. Locate the installer matching your requirements (see Installer Reference below, if needed).
7. Right-click to save the installation files corresponding to your requirements. Example: For
Linux versions of nGeniusONE Server, you must download the .bin file. Optionally,
download the matching MD5/SHA files for checksum validation.
8. Use WinSCP or another tool, if needed, to copy the files to the system on which the software
will be installed.
Note: It is very important that you save the file in a location outside the normal product
installation path. Select a folder such as /opt/install.
9. (For .bin or .exe files only) Ensure the downloaded file is executable:
For Linux .bin files: chmod +x <filename>


For Windows .exe files: Access the file's Properties dialog > Security tab and then Edit
permissions, to verify and set Execute, if needed.
10. (Optional) Perform checksum validation on the downloaded files.

2.7.2 Validating Downloads


An optional, but highly recommended, step is to verify the file integrity of the software you
downloaded above. NETSCOUT posts an MD5 and/or SHA checksum file for each of the
download files, for use in this procedure.

Linux Procedure
1. Access the system command-line as the root user. If you have logged in as a different user
and assumed privileges with su, be sure to use su -l <root account> so that the full
environment is instantiated before you proceed.
2. Navigate to the directory to which you copied the downloaded files.
3. Ensure the checksum files and binary are in this same directory.
4. Use a utility of your preference, or one of the following commands to generate a new
checksum for the binary, and automatically compare it to the downloaded checksum.
Note: The output for either of the following commands is the same upon success or
failure.
# /usr/bin/md5sum -c <md5 checksum filename>
or
# /usr/bin/sha1sum -c <sha checksum filename>

Example of valid file output:


[root@host /opt/install]# /usr/bin/md5sum -c pm-6200-658-lin.md5
pm-6200-658-lin.bin: OK

Example of invalid file output:


[root@host /opt/install]# /usr/bin/md5sum -c pm-6200-658-lin.md5
pm-6200-658-lin.bin: FAILED
md5sum: WARNING: 1 of 1 computed checksum did NOT match

If the validation fails, try downloading the files again and re-validating them. For repeated
validation errors, contact Customer Support for assistance.
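
A scripted form of the Linux check, as an added example rather than NETSCOUT tooling: it computes the digest itself, compares it with the entry for that file in the companion checksum file, and sets the execute bit only when they match, so a script can act on the exit status. The function names and the sample file are constructed; accepting a 64-character (SHA-256) digest is an assumption beyond the MD5 and SHA-1 files shown in this section.

```shell
#!/bin/sh
# Verify a downloaded installer against its companion checksum file, then
# (and only then) make it executable. Hypothetical helper names.

# verify_download BINARY CHECKSUM_FILE
# Returns 0 on match, 1 on mismatch, 2 if no usable digest is listed.
verify_download() {
    vd_bin=$1
    vd_sums=$2
    vd_base=$(basename "$vd_bin")
    if [ ! -r "$vd_bin" ] || [ ! -r "$vd_sums" ]; then
        echo "cannot read $vd_bin or $vd_sums" >&2
        return 2
    fi
    # Expected digest: first field of the line whose last field is the file
    # name (a leading '*' marks binary mode). Names with spaces are not handled.
    vd_expected=$(awk -v f="$vd_base" '
        { n = $NF; sub(/^\*/, "", n) }
        n == f { print tolower($1); exit }' "$vd_sums")
    # Choose the tool from the digest length.
    case ${#vd_expected} in
        32) vd_tool=md5sum ;;
        40) vd_tool=sha1sum ;;
        64) vd_tool=sha256sum ;;   # assumption: a SHA-256 file may be posted
        *)  echo "no usable digest for $vd_base in $vd_sums" >&2
            return 2 ;;
    esac
    vd_actual=$("$vd_tool" "$vd_bin" | awk '{ print $1 }')
    if [ "$vd_actual" = "$vd_expected" ]; then
        echo "$vd_base: OK ($vd_tool)"
        return 0
    fi
    echo "$vd_base: FAILED ($vd_tool)" >&2
    return 1
}

# stage_installer BINARY CHECKSUM_FILE
# Sets the execute bit for the owner only after the digest matches.
stage_installer() {
    if verify_download "$1" "$2"; then
        chmod u+x "$1"
    else
        echo "refusing to mark $1 executable" >&2
        return 1
    fi
}

# Constructed sample: a stand-in "installer" and a SHA-1 file written in the
# "digest name" layout shown in this section.
demo_dir=$(mktemp -d)
printf 'constructed installer payload\n' > "$demo_dir/sample-lin.bin"
printf '%s %s\n' "$(sha1sum "$demo_dir/sample-lin.bin" | awk '{ print $1 }')" \
    sample-lin.bin > "$demo_dir/sample-lin_sha1sum.txt"
stage_installer "$demo_dir/sample-lin.bin" "$demo_dir/sample-lin_sha1sum.txt"
rm -rf "$demo_dir"
```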

Windows Procedure
1. Log in to the Windows server with an account that has administrator privileges. (Do not
use a cloned version of the Administrator account.)
2. Open a command shell and navigate to the folder to which you copied the downloaded
files.


3. Use a utility, such as certutil, to generate a new checksum for the binary, after which you
can manually compare it to the downloaded checksum.
Note: The output for either of the following commands is the same upon success or
failure.
# C:\Windows\System32\certutil.exe -hashfile <downloaded filename> MD5
or
# C:\Windows\System32\certutil.exe -hashfile <downloaded filename> SHA1

Example sequence using SHA file:

[root@host /opt/install]# C:\Windows\System32\certutil.exe -hashfile pm-6110-629-lin.bin SHA1
SHA1 hash of file pm-6110-629-lin.bin:
96b90e10877ec4a49ac2ebaf194393a2503022c8

Compare to downloaded companion SHA file:

[root@host /opt/install]# >more pm-6110-629-lin_sha1sum.txt
96b90e10877ec4a49ac2ebaf194393a2503022c8 pm-6110-629-lin.bin

If the output of the hash command does not match the hash code in the corresponding
.md5 or sha1sum.txt file you downloaded with the matching binary, try downloading the
files again and re-validating them. For repeated validation errors, contact Customer
Support for assistance.

2.7.3 Installer Reference


This section identifies assorted installer types you may require in your deployment, along with a
brief indication of the differences. (In the tables below, vvvv is the release version; bbb is the
build number.)

2.7.3.1 Software Installers


The following servers share similar architecture. This guide can be used for almost all of these
installers, in conjunction with the specialized guides for other products. Virtual NETSCOUT
products have separate guides, identified in Options for Virtual Environments.


Table 2.4 - Software Installers

Product: nGeniusONE, nGenius for Flows
Installer: nG1-rrr-bbb-lin.bin, nG1-vvvv-bbb-win.exe
Description: nGeniusONE installer that includes all nGeniusONE features without the legacy
Performance Manager [1] or Unified Management Consoles; see also Options for Virtual
Environments

Product: nGeniusONE with Performance Manager [2]
Installer: pm-vvvv-bbb-lin.bin, pm-vvvv-bbb-win.exe
Description: nGeniusONE application software including both the legacy Performance Manager
client and nGeniusONE; supported on Linux and Windows

Product: nGenius Configuration Manager
Installer: nCM-vvvv-bbb-lin.bin
Description: Configuration modules only. Supported for integration with nGenius Business
Analytics, nSA, and TrueCall servers

Product: nGeniusONE for virtual environments [2]
Installer: vnG1_vvvv-bbb.vhd, vnG1_vvvv-bbb.ova, vnG1_vvvv-bbb.qcow2
Description: Installs as a custom-built virtual appliance; see Options for Virtual Environments

Product: nGenius Session Analyzer
Installer: nSA-vvvv-bbb-lin.bin, nSA_vvvv-bbb.ova (VMWare)
Description: Installer for nGenius Session Analyzer server which can authenticate to
nGeniusONE. This guide can be used for basic installation and server configuration procedures

Product: nGenius Subscriber Cache
Installer: SCS-vvvv-bbb-lin.bin
Description: Installer for nGenius Subscriber Cache server which integrates with nGenius
Session Analyzer. This guide can be used for basic installation and server configuration
procedures

Product: nGenius TrueCall
Installer: nTC-vvvv-bbb-lin.bin
Description: Installer for nGenius TrueCall web client which can authenticate to nGeniusONE.
Refer to the TrueCall Server Installation and Upgrade Guide for full installation procedures.

[1] If running nGeniusONE without Performance Manager on a 16 GB 4 CPU system, you must use
license option 222 or 308.
[2] Includes legacy UMC and Performance Manager software.


2.7.3.2 Data Source Installers


These installers are mentioned in this guide since NETSCOUT recommends installing the same
data source version as your server when you update the latter. Always update the data sources
after the server. Refer to online help topics for nGeniusONE Server Management for using that
module to upgrade physical data sources. For manual installation / upgrade on all the products
below, refer to the associated product installation or administration guide.

Table 2.6 - Data Source Installers

Product: InfiniStream / InfiniStreamNG (hardware appliances, certified appliances, qualified
COTS software appliances), nGenius Collector
Installer: is-vvvv-bbb-eth.bin [1]
Purpose: Monitoring software and configuration tools

Product: InfiniStream / InfiniStreamNG GeoProbe support
Installer: Geo-vvvv-bbb-xxx.bin
Purpose: Supplemental installer to provide GeoProbe capabilities for integrating with products
such as nGenius Business Analytics and Iris

Product: vSTREAM virtual appliance and vSTREAM Agent
Installer: Refer to the vSTREAM Installation Guide for guidance on these installers, which vary
depending on the deployment environment.

Product: UC Collector
Installer: ucdc-vvvv-bbb-eth.bin
Purpose: Streamlined agent specifically designed to collect CDRs and Lync reports

Product: Virtual UC Collector
Installer: UCC.ovf (VMware), UCC.qcow2 (Ubuntu/KVM), UCC.vhd (AWS/Azure)
Purpose: Virtual version of hardware UC Collector

[1] There is no menu to select the device type; it is auto-detected by the installer.

2.7.3.3 Operating System Installers


In the unlikely event that you need to recover a component of your deployment, you may need
to reinstall the operating system. The table below lists the ISOs for NETSCOUT-provided
physical hardware. Use the ISOs for servers, along with this guide, to recover a NETSCOUT
server-based product. For data source recovery, refer to the administrator guide associated with
that product.


Table 2.10 - OS Recovery/Reinstall Files

Product: Servers
Installer / Purpose: OS recovery software for server products based on the nGeniusONE
architecture is delivered on a Restore DVD. These are shipped with your product order.
Replacement Restore DVDs for nGeniusONE can be requested from the download pages accessible
with a MasterCare account. If you require a replacement Recovery DVD for any other server-based
products, contact your NETSCOUT representative or Customer Support.

Product: Data Sources (InfiniStream, InfiniStreamNG, nGenius Collector, UC Collector)

Installer: ngenius-datasource-vvvvG-restore-64bit.iso [1]
Purpose: Operating system and drivers for G and H models
Example models: 14xxH, 23xxH, 24xxH, 26xxH, 46xxH, 47xxH, 48xxH, 66xxG, 97xxG, 98xxG
models, and for Certified C-014xxH, C-026xxH, C-048xxH, C-066xxG, C-098xxG, C-09AxxG

Installer: ngenius-datasource-vvvvD-restore-64bit.iso [1]
Purpose: Operating system and drivers for D models
Example models: 19xxD, 29xxD, 45xxD, 79xxF, 85xxD, 89xxD or 89xxF

Installer: ngenius-datasource-vvvv-restore-64bit.iso
Purpose: Operating system and drivers for prior models

[1] Applicable for use with UC Collectors and 3300 Collectors.

2.8 Register Key to Generate License


For servers that do not have the license pre-installed, use the following instructions to register
your evaluation or purchased software product and generate a license for use during the setup
process.

Note:
l For an overview of license types, see Understanding License Types and Options.
l To register the software using a virtual IP address, the IP address must be bound to the
server you are licensing.
l You need the registration key, from your product order/Registration Coupon, to
generate a license.

Use the procedure below for each of the coupons you have received:

1. Locate all Registration Coupons for which you need to generate licenses.
2. Access your MasterCare account: https://my.NETSCOUT.com
3. Navigate to the product section for your product type.
4. Select the software version of interest, then scroll to the bottom of the page.


5. Click the row corresponding to the licensing type:


l Evaluation Licenses
l Permanent/Incremental and Full Licenses
For an explanation of license types, refer to Understanding License Types and
Requirements. The license options vary based on the selected product and release
version.

If the End User License Agreement (EULA) appears, click the I Agree button. The EULA
appears for:
l First-time users of the software download pages.
l Users who have not accessed the page within a year of the last published EULA.
6. Click Continue under "License Registration."


7. The registration field appears at the bottom of the next page. Enter the registration key
from the Registration Coupon you received with your product shipment and click Yes to
confirm your product.

8. Enter your host ID or IP address and Operating System.


Note: Although some products permit keying on an IP address, certain licenses are locked
to hardware. If indicated, enter the Host ID of the system into this field. Obtain the Host ID
by typing: ifconfig eth0 from the command line of the system. The ID is the last four
bytes of the HW Address. For example, given output of eth0 Link encap:Ethernet
HWaddr 00:25:90:01:24:1A, the Host ID is 9001241A. For Incremental keys, the Host ID
must match that for an existing permanent license.

9. Click the Submit button. The system generates a license.
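
The Host ID derivation from the note in step 8, as an added example rather than a NETSCOUT tool: it pulls the hardware address out of ifconfig output and prints the last four bytes in the form the registration page expects. The function names are hypothetical, and handling the "ether" layout printed by newer net-tools releases goes beyond the "HWaddr" layout shown in the note.

```shell
#!/bin/sh
# Derive the licensing Host ID (last four bytes of the eth0 hardware address).
# Hypothetical helper names; not part of any NETSCOUT tool.

# extract_hwaddr: read `ifconfig eth0` output on stdin, print the MAC address.
# Accepts the "HWaddr <mac>" layout shown in the guide and the "ether <mac>"
# layout printed by newer net-tools releases.
extract_hwaddr() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "HWaddr" || $i == "ether") { print $(i + 1); exit } }'
}

# host_id_from_mac MAC: print bytes 3-6 as eight uppercase hex digits.
host_id_from_mac() {
    hid_mac=$(printf '%s' "$1" | tr 'abcdef' 'ABCDEF')
    # Reject anything that is not six colon-separated hex bytes.
    if ! printf '%s\n' "$hid_mac" | grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$'; then
        echo "not a MAC address: $1" >&2
        return 1
    fi
    printf '%s\n' "$hid_mac" | cut -d: -f3-6 | tr -d ':'
}

# host_id_from_ifconfig: stdin is ifconfig output, stdout is the Host ID.
host_id_from_ifconfig() {
    hid_found=$(extract_hwaddr)
    host_id_from_mac "$hid_found"
}

# Constructed sample line, taken from the example in the note above.
printf 'eth0 Link encap:Ethernet HWaddr 00:25:90:01:24:1A\n' | host_id_from_ifconfig
```

On the server itself, pipe the live output through it: ifconfig eth0 | host_id_from_ifconfig.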

1 By 2021, Adobe Flash will be obsolete and will be disabled in internet browsers. nGenius Performance Manager requires
Adobe Flash to work properly; refer to the Adobe Flash information page on my.netscout.com for details.

3 Installation and Upgrade
This chapter provides steps for using the nGeniusONE installer for the following cases:
l First time installation of the server
l Installation following an uninstall or restore
l Upgrade of existing servers
l Migration from PM installer to nGeniusONE installer

Before you begin: 


l Before you Begin... : Any time you install or upgrade your NETSCOUT products, it is very
important to review the requirements and latest release notes.
l Obtain the software: For appliances that are not pre-installed with the nGeniusONE
software, locate the software kit from your order or download it by accessing your
NETSCOUT MasterCare account at https://my.NETSCOUT.com.
l Register the software key, if needed, to obtain a license. If you previously registered, locate
your license.
l Customers with existing NETSCOUT products may upgrade to a newer release of the
NETSCOUT software using procedures in this chapter. However, the methods vary based
on your server's current software version, and the type of server. Carefully review all the
requirements and Preparing to Upgrade before proceeding.

After reviewing the above, proceed to:


l Using the Installer for Linux or
l Using the Installer for Windows
l Migrating from PM to nGeniusONE

3.1 Installing on Linux


After you have reviewed requirements and obtained software and licenses (if applicable), and
prepared your worksheets, use the following instructions to install or upgrade the server
software.

Note:
l This manual procedure is applicable for use with all server types. However, certain
servers, such as Standby or other child servers, are supported for remote upgrade.
Refer to online help topics on Server Management for upgrading servers, Decode Packs,
and data sources.


l For virtual servers, refer to Options for Virtual Environments
l The installer automatically stops if required TCP or UDP ports are in use by other
processes. The conflicting port is specified so you can free it up before restarting the
installation.
l During the installation, the following options can be used at any of the input prompts.
o Enter: Use the enter key to accept a displayed prompt or default value, or to accept
the input you have provided, and continue to the next step.
o back: Return to the previous prompt.
o quit: Exit the installer at any time. Do not abort the installer using CTRL-C.

3.1.1 Installer Sequence Overview


Following is the sequence of the installer, with exceptions noted when the installer detects an
existing installation is present (upgrade).
l Introduction
l License Agreement
l Installation Location (not applicable for upgrades)
l Server Type (not applicable for upgrades)
l Installation Parameters (not applicable for upgrades)
l Pre-Installation Summary
l Installing...
l Install Complete
l Licensing (not applicable for upgrade)

3.1.2 Installing / Upgrading the Server


Use this procedure for all products based on the nGeniusONE architecture. This procedure uses
the nG1-vvvv-bbb-lin.bin installation file. See 2.7.3.1 Software Installers for installer names by
product type.

1. Before you begin, ensure you have the information required to configure your server. You
will need the indicated information below:

Parameter: Language
Notes: nGeniusONE-based software is supported for use in English, Japanese, Korean, and
Simplified Chinese. You must configure the server for an alternate language prior to
beginning your installation, or remove/reinstall the software, to change the language. You
also must select a language choice during installation.
Value:

Parameter: Installation path
Notes: Default path is /opt/NetScout for Linux (C:/Netscout for Windows)
Value:

Parameter: Server Type
Notes: For certain deployments, you are prompted to specify the server type. If this option is not
offered, there is only one type applicable for your deployment so it is set automatically.
The following options are available for nGeniusONE and nGenius for Flows. For all other server
products based on the nGeniusONE architecture, the type is automatically set to Global (Primary).
Global Manager: Select this type if the server is to be:
l a standard Global Manager (manages devices on other servers and also supports devices
being added directly)
l a Dedicated Global Manager (no direct devices associated with this server, purely
management).
Standalone: Select this type if the server is to:
l manage devices in a non-distributed deployment.
l be configured as a standby server.
l be converted to a Global Manager at a later date (this can be done with the
nGApplianceConfig script).
Value:

Parameter: Host name
Notes: Read from /etc/hosts, which should have been configured prior to installation or
upgrade.
Parameter: Host address
Notes: Also read from /etc/hosts
Value (both rows): Ensure /etc/hosts file is updated to contain host name and IP of your server
prior to install. Example:
10.10.10.10 testserver.test.com testserver

Parameter: Web port
Notes: This is the port for users to access the GUI; 8443 by default for fresh installs; previous
value for upgrades from pre-6.3.1 releases.
Value:

Parameter: Web protocol
Notes: Web transport protocol. Default is HTTPS for fresh installs or previous value for upgrades
from pre-6.3.1 releases.
Value:

Parameter: User account name
Notes: Initial account for accessing the GUI and managing the server
Value:

Parameter: User password
Notes: Password for the above user account. Use 8-15 alphanumeric characters with at least one
number; non-printing characters such as spaces or tabs are not supported.
Value:

Parameter: Database password
Notes: A value must be provided here; non-printing characters such as spaces or tabs are not
supported.
Value:

2. Access the system command-line as the root user. If you have logged in as a different user
and assumed privileges with su, be sure to use su -l <root account> so that the full
environment is instantiated before you proceed.
3. (For upgrades only): Stop the NETSCOUT processes (the installer does not run if any
NETSCOUT processes are running). Refer to Server Processes and Stopping and Restarting
the System, if needed.
4. Navigate to, make executable, and launch the installer:
l For downloaded files, access the location to which you saved the installer file. For
example:
[root@host ~]# cd /opt/install
[root@host /opt/install]# chmod +x nG1-rrrr-bbb-lin.bin
[root@host /opt/install]# ./nG1-rrrr-bbb-lin.bin
If the installer does not begin to run, verify it was downloaded correctly (checksum
validation) and that file execute permissions were enabled. Otherwise, continue to
the next steps and respond to the installer prompts.
l For installations from a DVD, insert the disk. If your system does not automatically
mount the disk to the <CDROM> directory, mount it manually before running the
install script. For example:
[root@host ~]# mount /dev/cdrom /media/cdrom
[root@host ~]# cd /media/cdrom
[root@host /media/cdrom]# ./install.sh console
5. Select a Locale by entering the appropriate number and pressing Enter. You must select
the language applicable to your geographical location to display the appropriate product
license agreement.
6. Review the Introduction, which provides instructions to navigate within the installer, then
press Enter to proceed.
7. Read the License Agreement. Use the Enter key to advance through the several pages of
this document. At the end of the license document, you must accept the agreement by
entering Y before pressing Enter.
8. The installer next always checks for previous configuration files. If present, the installer
assumes this is an upgrade and offers you an opportunity to preserve the settings or
change them. If you are preserving existing settings, skip to the next main step. If you opt
to change settings, or for installations wherein no configurations are found, respond to
the following prompts: 


a. Installation Location: Press Enter to accept the default offered value (/opt/NetScout).
For upgrades, the previously specified directory is offered.
b. Server Type:  This option varies based on the type of server you are installing. For
certain server types, only one configuration is applicable so no type menu is offered.
Enter the menu option number corresponding to the server type to install:
l Global Manager (Applicable for Distributed Environments)
l Standalone Server
c. Host Name / IP address: This information is read from the /etc/hosts file and
presented in read-only mode. Press Enter to accept and continue. If the information is
not correct type quit now to exit the installer to correct the issue. Restart the installer
when ready.
Caution: Ensure /etc/hosts file is updated to contain host name and IP of your
server prior to install. Example: 10.10.10.10 testserver.test.com testserver

d. Web Server Port: For fresh installations, the default web server port is 8443. For
upgrades from pre-6.3.1 releases, the web server port will stay at what it was
previously. If this port is unavailable, the number is incremented by one until an
available port is found.
e. Web Server Protocol: HTTP or HTTPS. For fresh installations, the default web server
protocol is HTTPS. For upgrades from pre-6.3.1 releases, the protocol will stay at what
it was previously.
f. Press Next to accept and continue. If the information is not correct click Cancel now to
exit the installer to correct the issue. Restart the installer when ready.
g. Web User Account Name Password: This user account is required to perform the
configurations required to manage the server.
9. Review the information in the Pre-installation Summary. If you need to make changes,
enter back to return to previous screens, make the corrections, and then press Enter to
return to the summary page. If the information on this page is correct, press Enter to
proceed with the installation.
10. When the installer has finished configuration, a page of License Configuration instructions
displays. Review them, then press Enter to continue.
11. When the Installation Complete message displays, press Enter to exit the installer.
12. Next steps:
l For upgrades:
o NETSCOUT recommends users clear the cache of the browser on the client
machine accessing the nGeniusONE server.
o After the server has been upgraded, you can upgrade the associated data sources.
Refer to the documentation for the data sources (such as the InfiniStream Appliance
Administrator Guide)
l For new installations or recovery: Before you start up the nGeniusONE server
processes, be sure to complete the following procedures in the indicated order:


  a. Installing the License (not required for upgrades)
  b. Server Configuration (not required for upgrades)
  c. After you start the nGeniusONE Server, ensure that the server and user systems
     are able to communicate on the network:
     ◦ Verify network connectivity / name resolution:
       i. Open a terminal window on the client system.
       ii. Enter the following commands:
           ping <IP address>
           ping <hostname>
           Use the IP address and hostname of the nGeniusONE Server you want to
           reach.
       iii. Repeat the same steps on the nGeniusONE Server to ensure that the server
            can communicate with the client.
       If needed, correct name resolution for the server and client.
     ◦ Verify that the nGeniusONE server is accessible to users:
       i. Access the nGeniusONE server using a web browser, navigating to:
          https://<nGeniusONE Server host name>:<port number>
          You must use a host name or IP address. Use of localhost is not supported.
       ii. Enter the user name and password created during the installation process.
       iii. Click Log In.
If you are unable to log in to the web interface, refer to the chapter on troubleshooting.
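
The /etc/hosts caution and the name-resolution check in the Linux procedure above can be verified before the installer is started. The following is an added example, not NETSCOUT code: it parses a hosts file in the format of the guide's sample line and reports a missing name, a name bound to a loopback address, or a name that also maps to a different address. The host names ng1-lab and ng1-old are constructed, and treating a loopback mapping as an error is an assumption based on the server having to be reachable by that name from other systems.

```shell
#!/usr/bin/env bash
# Added example, not NETSCOUT code. Checks that a hosts file maps the server's
# names to its routable IP only, before the installer reads that file.

# hosts_lookup FILE NAME: print every address FILE maps NAME to, one per line.
hosts_lookup() {
    awk -v want="$2" '
        { sub(/#.*/, "") }      # drop comments
        NF < 2 { next }         # blank or address-only line
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(want)) { print $1; break } }
    ' "$1"
}

# check_hosts_entry FILE IP NAME...
# Return codes: 0 ok, 1 a name is missing, 2 a name maps to loopback,
# 3 a name maps to an address other than IP.
check_hosts_entry() {
    local file=$1 ip=$2 name addr addrs
    shift 2
    for name in "$@"; do
        addrs=$(hosts_lookup "$file" "$name")
        if [ -z "$addrs" ]; then
            echo "MISSING: no entry for $name"; return 1
        fi
        for addr in $addrs; do
            case $addr in
                127.*|::1) echo "LOOPBACK: $name -> $addr"; return 2 ;;
            esac
            if [ "$addr" != "$ip" ]; then
                echo "CONFLICT: $name -> $addr (expected $ip)"; return 3
            fi
        done
    done
    echo "OK: $* -> $ip"
}

# Constructed sample: the guide's example line plus two common mistakes.
sample_hosts() {
    cat <<'EOF'
127.0.0.1    localhost localhost.localdomain
10.10.10.10  testserver.test.com testserver   # the guide's example entry
127.0.0.1    ng1-lab.test.com ng1-lab         # name bound to loopback
10.10.10.20  ng1-old.test.com
10.10.10.21  ng1-old.test.com                 # stale duplicate
EOF
}

demo_file=$(mktemp)
sample_hosts > "$demo_file"
check_hosts_entry "$demo_file" 10.10.10.10 testserver.test.com testserver || true
check_hosts_entry "$demo_file" 10.10.10.30 ng1-lab.test.com ng1-lab       || true
check_hosts_entry "$demo_file" 10.10.10.21 ng1-old.test.com               || true
rm -f "$demo_file"
```

To check a real server, pass /etc/hosts as the first argument together with the IP address and the names recorded on the installation worksheet.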

3.2 Installing on Windows


After you have reviewed requirements and obtained software and licenses (if applicable), and
prepared your worksheets, use the following instructions to install or upgrade the server
software.

Note:
• This is a manual procedure, which is applicable for use with all server types. However,
  certain servers, such as Standby or other child servers, are supported for remote
  upgrade. Refer to online help topics on Server Management for upgrading servers,
  Decode Packs, and data sources.
• For virtual deployments, refer to Options for Virtual Environments.
• The installer automatically stops if required TCP or UDP ports are in use by other
  processes. The conflicting port is specified so you can free it up before restarting the
  installation.
• The nGenius Java-based client is automatically installed with Windows server
  installations.
• During the installation, the wizard allows you to use Previous and Next buttons to
  navigate between steps. Use the Cancel button to exit the installer.


3.2.1 Installer Sequence Overview


Following is the sequence of the installer, with exceptions noted when the installer detects an
existing installation is present (upgrade).
• Introduction
• License Agreement
• Installation Location (not applicable for upgrades)
• Server Type (not applicable for upgrades)
• Installation Parameters (not applicable for upgrades)
• Pre-Installation Summary
• Installing...
• Install Complete
• Licensing (not applicable for upgrade)

If desired, review example sequences before proceeding:
• Sample Install Sequence

3.2.2 Running the Installer


The procedure below is applicable for installation or upgrade.

1. Before you begin, ensure you have the information required to configure your server. You
will need the indicated information below:

Parameter: Language
Notes: nGeniusONE-based software is supported for use in English, Japanese, Korean, and
Simplified Chinese. You must configure the server for an alternate language prior to
beginning your installation, or remove/reinstall the software, to change the language.
You also must select a language choice during installation.
Value:

Parameter: Installation path
Notes: Default path is /opt/NetScout for Linux (C:/Netscout for Windows)
Value:

Parameter: Server Type
Notes: For certain deployments, you are prompted to specify the server type. If this option
is not offered, there is only one type applicable for your deployment so it is set
automatically.
The following options are available for nGeniusONE and nGenius for Flows. For all other
server products based on the nGeniusONE architecture, the type is automatically set to
Global (Primary).
Global Manager: Select this type if the server is to be:
• a standard Global Manager (manages devices on other servers and also supports devices
  being added directly)
• a Dedicated Global Manager (no direct devices associated with this server, purely
  management).
Standalone: Select this type if the server is to:
• manage devices in a non-distributed deployment.
• be configured as a standby server.
• be converted to a Global Manager at a later date (this can be done with the
  nGApplianceConfig script).
Value:

Parameter: Host name
Notes: Read from /etc/hosts, which should have been configured prior to installation or
upgrade.
Value: Ensure /etc/hosts file is updated to contain host name and IP of your server prior
to install. Example: 10.10.10.10 testserver.test.com testserver

Parameter: Host address
Notes: Also read from /etc/hosts
Value:

Parameter: Web port
Notes: This is the port for users to access the GUI; 8443 by default for fresh installs;
previous value for upgrades from pre-6.3.1 releases.
Value:

Parameter: Web protocol
Notes: Web transport protocol. Default is HTTPS for fresh installs or previous value for
upgrades from pre-6.3.1 releases.
Value:

Parameter: User account name
Notes: Initial account for accessing the GUI and managing the server
Value:

Parameter: User password
Notes: Password for the above user account. Use 8-15 alphanumeric characters with at least
one number; non-printing characters such as spaces or tabs are not supported.
Value:

Parameter: Database password
Notes: A value must be provided here; non-printing characters such as spaces or tabs are
not supported.
Value:

2. Log in to the Windows server with an account that has administrator privileges. (Do not
use a cloned version of the Administrator account.)
3. (For upgrades only):


a. Stop the nGeniusONE Server by going to Start > Programs > NetScout nGenius
Server and selecting Stop nGenius Server. (The installer does not run if any
NETSCOUT processes are running.)
b. Open the Task Manager and ensure that all NETSCOUT processes are stopped before
proceeding. (Refer to Server Processes, if needed.)
4. Use one of the following two methods to start the installer:
• Installation DVD
  a. Insert the nGeniusONE installation DVD disc that is marked for use with Windows.
  b. If autorun is enabled on your Windows server, the installation initializes. Otherwise,
     navigate to the DVD folder containing the following script and run install.bat.
• Downloaded Install File
  a. Navigate to the folder where you downloaded the software install file.
After the installation wizard initializes, proceed to the next step.
5. Select a Locale by entering the appropriate number and pressing Next. You must select
the language applicable to your geographical location to display the appropriate product
license agreement.
6. Review the Introduction, which provides instructions to navigate within the installer, then
press Next to proceed.
7. Read the License Agreement. You must accept the agreement by clicking the "I accept..."
checkbox, before clicking Next.
8. Next, the installer always checks for previous configuration files. If present, the installer
assumes this is an upgrade and offers you an opportunity to preserve the settings or
change them. If you are preserving existing settings, skip to the next main step. If you opt
to change settings, or for installations wherein no configurations are found, respond to
the following prompts: 
a. Installation Location: Press Next to accept the default offered value (C:\NetScout).
For upgrades, the previously specified directory is offered.
b. Server Type:  This option varies based on the type of server you are installing. For
certain server types, only one configuration is applicable so no type menu is offered.
Enter the menu option number corresponding to the server type to install:
• Global Manager (Applicable for Distributed Environments)
• Standalone Server
c. Host Name / IP address: This information is read from the /etc/hosts file and
presented in read-only mode. Press Next to accept and continue. If the information is
not correct, click Cancel now to exit the installer to correct the issue. Restart the
installer when ready.
Caution: Ensure /etc/hosts file is updated to contain host name and IP of your
server prior to install. Example: 10.10.10.10 testserver.test.com testserver

d. Web Server Port: For fresh installations, the default web server port is 8443. For
upgrades from pre-6.3.1 releases, the web server port will stay at what it was
previously. If this port is unavailable, the number is incremented by one until an
available port is found.
e. Web Server Protocol: HTTP or HTTPS. For fresh installations, the default web server
protocol is HTTPS. For upgrades from pre-6.3.1 releases, the protocol will stay at what
it was previously.
f. Press Next to accept and continue. If the information is not correct, click Cancel now to
exit the installer to correct the issue. Restart the installer when ready.
g. Web User Account Name / Password: This user account is required to perform the
configurations required to manage the server.
9. Review the information in the Pre-installation Summary. If you need to make changes,
click Previous to return to previous screens, make the corrections, and then press Next to
return to the summary page. If the information on this page is correct, press Install to
proceed with the installation/upgrade.
10. (New installations only) When the installer has finished configurations, a Licensing pane
displays, prompting you to run the license utility now or later. Select the radio button
corresponding to your plan (you must license the product prior to starting the server, but
can defer that step). Click Done to continue and exit the installer.
Next steps:
• For upgrades:
  ◦ NETSCOUT recommends users clear the cache of the browser on the client
    machine accessing the nGeniusONE server.
  ◦ After the server has been upgraded, you can upgrade the associated data sources.
    Refer to the documentation for the data sources (such as the InfiniStream Appliance
    Administrator Guide).
• For new installations or recovery: Before you start up the nGeniusONE server
  processes, be sure to complete the following procedures in the indicated order:
  a. Installing the License (not required for upgrades)
  b. Server Configuration (not required for upgrades)
  c. After you start the nGeniusONE Server, ensure that the server and user systems
     are able to communicate on the network:
     ◦ Verify network connectivity / name resolution:
       i. Open a terminal window on the client system.
       ii. Enter the following commands:
           ping <IP address>
           ping <hostname>
           Use the IP address and hostname of the nGeniusONE Server you want to
           reach.
       iii. Repeat the same steps on the nGeniusONE Server to ensure that the server
            can communicate with the client.
       If needed, correct name resolution for the server and client.
     ◦ Verify that the nGeniusONE server is accessible to users:


       i. Access the nGeniusONE server using a web browser, navigating to:
          https://<nGeniusONE Server host name>:<port number>
          You must use a host name or IP address. Use of localhost is not supported.
       ii. Enter the user name and password created during the installation process.
       iii. Click Log In.
If you are unable to log in to the web interface, refer to the chapter on troubleshooting.
11. As a final check to ensure the installation or upgrade is complete, ensure these
nGeniusONE Windows services are registered correctly.
• NGeniusNative
• NGeniusServer
• NSApache
• NSPostgreSQL
See D.2 Windows Services.

3.3 Migrating from PM to nGeniusONE


You can transition from the Performance Manager (PM) installation to the nGeniusONE
installation through a manual upgrade of the Global Manager (GM) or standalone PM by using
the nGeniusONE installer kit. You can also remotely upgrade Local and Standby servers from the
GM using the nGeniusONE installer.

3.3.1 Performance Manager vs. nGeniusONE


The Performance Manager and nGeniusONE kits use the following formats, respectively:
pm-<release>-<build#>-lin.<bin or exe>
nG1-<release>-<build#>-lin.<bin or exe>

Read the following sections carefully before migrating to nGeniusONE from PM.

3.3.1.1 Constraints
• Migration from PM to nGeniusONE is one-way.
• The Command Line Administration (CLA) utility has been deprecated since 6.2, but if you
  are using PM you may still be using CLA. Before you can migrate from the PM to the
  nGeniusONE build, you must confirm you have no dependency on CLA scripts. The REST
  API framework replaces the CLA. The CLA will be removed, so 6.3.1 is the last chance to
  migrate the CLA to the REST API framework.
• Fresh installs must use the nGeniusONE kit.
• As of 6.3.1 all nGeniusONE appliances are deployed with an nGeniusONE kit only. No
  appliances are deployed with a PM kit.
• After the GM is manually upgraded to the nGeniusONE kit, all remote Local and Standby
  servers still on the PM kit can be remotely upgraded from the GM to the nGeniusONE kit or
  each upgraded manually to the nGeniusONE kit. A mixed deployment of nGeniusONE and PM
  kits is not allowed.


Upgrade of a PM install base to nGeniusONE provides these benefits:


• nGeniusONE uses a smaller resource footprint than PM.
• nGeniusONE has full engineering support, whereas PM functionality is becoming
  increasingly difficult to maintain.
• If you are currently using the PM kit and not actively using any UMC features, it is best to
  migrate to nGeniusONE for optimal functionality and support.

3.3.1.2 Prerequisites
Your deployment must meet these prerequisites to migrate from PM to nGeniusONE:
• All InfiniStream devices must be in ASI-only mode. If the InfiniStream device is in hybrid or
  CDM mode, then the device and thereby nGeniusONE is not ready to be transitioned to the
  nGeniusONE kit.
• Based on the recommendation of Customer Support, you are ready to transition from the
  PM kit to nGeniusONE kit.
• nGenius Deployment Database can also provide statistics on CDM flows to help determine
  if the system is ready for transition. Transitioning with active CDM flows will result in the
  loss of access to CDM flow data.

3.3.2 Migrating from PM to nGeniusONE Verification


After you decide to transition from PM to nGeniusONE, Customer Support can verify the
migration before upgrade by causing PM to assume the identity of nGeniusONE. To cause PM to
act as nGeniusONE, the .asi_only file is created in the <NETSCOUT install> directory with a script
and the server is restarted. Contact Customer Support for more information.

After successful verification, installation steps remain the same except for the use of an
nGeniusONE kit instead of a PM kit.

4 Server Configuration
If you are performing a first time installation, or a recovery of your system, use the procedures in
this chapter to complete additional required configurations (beyond basic networking). You can
also use these steps to change the configuration as part of your maintenance process (such as
changing the time source).

Before you begin, you will need the information from the configuration worksheets.
• For Linux servers, refer to: Using the nGApplianceConfig Script (Linux)
• For Windows servers, refer to: Configuring the Server (Windows)
• For virtual environments, refer to: Options for Virtual Environments

4.1 Using the nGApplianceConfig Script (Linux)


After the nGeniusONE system has been racked and has had basic networking set up, or after
the software has been installed for the first time, use the nGApplianceConfig script to complete
additional required configurations. You can also use this script to change parameters in the
future. For certain deployments, you can also use this script to change the server type; Server
Type is set with this script because the choice impacts communication settings. Finally, the script
synchronizes needed changes to configuration files within the system.
• Backs up and modifies applicable configuration files
• Synchronizes property files
• Enables software to start automatically when the system starts

Procedure

This procedure is applicable for use the first time you set up your server, optionally after an
upgrade, or when you need to change settings.

Note: If you need to exit the script, use CTRL-C before responding to the summary page.

1. The script does not prompt with existing values, so it is best to complete the configuration
worksheet before you begin.

Parameter: IP address
Notes: For eth0. Be prepared to specify IPv4 / IPv6 / or both (dual-stack).
Value:

Parameter: Subnet mask
Notes: For eth0
Value:

Parameter: Gateway
Notes: For eth0
Value:

Parameter: Host name
Notes:
Value:

Parameter: Network domain name
Notes:
Value:

Parameter: Name (DNS) server(s)
Notes: At least one is required
Value:

Parameter: Time Server(s)
Notes: (optional) If selected, you are offered to configure for NTP, PTPv1, PTPv2, ).
NETSCOUT recommends you use the same time server for all systems in the deployment.
Value:

Parameter: Time zone
Notes: (optional) If selected, you are offered menus to choose a zone and region.
Value:

Parameter: Server type
Notes: For certain deployments, you are prompted to specify the server type. If this option
is not offered, there is only one type applicable for your deployment so it is set
automatically.
The following options are available for nGeniusONE and nGenius for Flows. For all other
server products based on the nGeniusONE architecture, the type is automatically set to
Global (Primary).
Global Manager: Select this type if the server is to be:
• a standard Global Manager (manages devices on other servers and also supports devices
  being added directly)
• a Dedicated Global Manager (no direct devices associated with this server, purely
  management).
Standalone: Select this type if the server is to:
• manage devices in a non-distributed deployment.
• be configured as a standby server.
• be converted to a Global Manager at a later date (this can be done with the
  nGApplianceConfig script).
Value:

Parameter: Eth1 interface
Notes: (optional) If you opt to configure this, the fields below are required.
• IP Address
• Subnet Mask
• Gateway
Value:

eth1 - If you are installing on hardware that includes an eth1 interface, you have the
option of configuring its address with the script, or selecting no to configure it later or not
at all. Configuring this interface is not required, but if you opt to do so, the script requires
an IP Address, a subnet mask and gateway.


2. Connect to the server using PuTTY or other SSH tool.


3. Access the system command-line as the root user. If you have logged in as a different user
and assumed privileges with su, be sure to use su -l <root account> so that the full
environment is instantiated before you proceed.
4. Stop the NETSCOUT processes (the installer does not run if any NETSCOUT processes are
running). Refer to Stopping and Restarting the System, if needed.
5. Run the configuration script:
# ./nGApplianceConfig.plx
6. When prompted, enter the information assembled above.
Note: Some terminal / SSH tools may not be configured to interpret backspace or delete
characters properly. If you make a typing error, be sure to review your entries in the
confirmation screen. If your entry contains an error, do not accept the values. The script
will then restart at the beginning with blank values.
7. At the end of the script, your input is displayed as a summary. At this point, you can enter
Y to proceed with configuration, N to restart configuration, or CTRL-C to exit the script and
not make any changes.
8. When the script has completed processing, you are prompted to reboot the server, which
is required to complete the configuration. A log of the configuration script is stored in
<nGeniusONE install>/log/nGApplianceConfigLog.txt.

4.2 Configuring the Server (Windows)


As part of ongoing maintenance, you may need to change some underlying attributes of your
server configuration that you provided during the installation. Use the steps in this chapter to
understand the steps necessary for the indicated task. For Linux-based servers, refer instead to:
Using the nGApplianceConfig Script (Linux)

Note:  Use the installation and configuration worksheets as a guide before you begin, to
ensure you are prepared to provide requested details.
• Changing the IP Address
• Changing the Web Port Number
• Changing the Host Name
• Changing the Date / Time or Time Zone
• Changing the Server Type

4.2.1 Changing the IP Address


After you have run a Windows-based nGeniusONE installer, you can manually change the
networking details, but need to propagate the changes with additional steps.

Note: 

1. Log in to the Windows server with an account that has administrator privileges. (Do not
use a cloned version of the Administrator account.)


2. Access Network Connection>Properties>TCP/IP Properties, and adjust the following
attributes as needed:
• IP Address
• Subnet Mask
• Gateway
• DNS Server(s)
3. Stop the nGeniusONE server.
4. Start the nGeniusONE server.
5. Make sure that you modify the corresponding entry in your DNS servers or the hosts file
of every client system that connects to the server, including the data sources.

4.2.2 Changing the Web Port Number


Use the websecure script to change the port number for use with web communications between
user systems and the server. This script updates all related nGeniusONE configuration files and
is applicable for changing the server's web access port to 80, 8080, 443, 8443, or any
non-well-known port greater than 1023. If you set a non-well-known port greater than 1023, firewall
changes are required. If your environment requires changing the web server to use any other
port, contact Customer Support.

Note:
• All servers in the deployment must use the same port number.
• The script used in this procedure modifies nGeniusONE files, not system files such as
  /etc/sysconfig/iptables. If you modified iptables, which may be required for some
  environments, you must update it separately.
• If you are changing the server to a secured port, you must also install a certificate. Use
  the nscertutil tool to create and/or install a certificate.
• If you do use nscertutil, and your server is a child to another server (such as a Standby or
  Secondary server), NETSCOUT recommends managing your certificates from the
  managing / primary server, and then copying that truststore to the other nodes in the
  deployment.
• Supports well-known, nonstandard HTTP (80, 8080) and HTTPS (443, 8443) ports.
  Websecure accepts a port number in the command line. Ports 80 and 8080 can be
  configured only for HTTP, ports 443 and 8443 only for HTTPS.

Procedure
1. For Windows: Log in to the Windows server with an account that has administrator
privileges. (Do not use a cloned version of the Administrator account.)
For Linux: Access the system command-line as the root user. If you have logged in as a
different user and assumed privileges with su, be sure to use su -l <root account> so that
the full environment is instantiated before you proceed.
2. Navigate to the <NETSCOUT install>/rtm/bin folder.
3. Run the following script:


Windows: # websecure.bat -protocol <HTTP|HTTPS> -port <port>


Linux: # ./websecure.sh -protocol <HTTP|HTTPS> -port <port>
Provide the protocol and port number you want the web service to use. The script
automatically restarts the server.
4. To verify your change, access the server with the new port number and/or by accessing
Server Management and viewing the port number in the General Information tab.
5. By default, NETSCOUT's servers ship with iptables configured to allow ports 80, 8080, 443,
and 8443. If you had customized your iptables to restrict any of these, modify it again to
accept the new port.
6. Repeat this procedure for all servers in the deployment, using the same port number.

Changing the Port in a Global Manager or Dedicated Global Manager Environment

Follow these steps to change the ports in a Global Manager (GM) or Dedicated Global Manager
(DGM) environment:

1. Navigate to the <NETSCOUT install>/rtm/bin folder on the GM or DGM.


2. Update all the local servers managed by the GM or DGM:
Windows: # websecure.bat -protocol <HTTP|HTTPS> -port <port> -all
Linux: # websecure.sh -protocol <HTTP|HTTPS> -port <port> -all
Provide the protocol and port number you want the web service to use. The script
automatically restarts the servers.
3. Update the GM or DGM:
Windows: # websecure.bat -protocol <HTTP|HTTPS> -port <port>
Linux: # websecure.sh -protocol <HTTP|HTTPS> -port <port>
4. To verify your change, access the servers with the new port number and/or access Server
Management and view the port numbers in the General Information tab.

Validation:

You can use curl to validate the change without using a web browser, substituting http and https
as appropriate, and using the IP address:port number for the server you want to test.
# curl -I <http|s>://<server_ip_address:port>/ -k

If the port change was successful, you will see a response such as: 
HTTP/1.1 200 OK

For example:
# curl -I https://10.20.160.14:8443/ -k
HTTP/1.1 200 OK

If SSL is not enabled, the following output is reported:


curl: (35) SSL connect error
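
The protocol and port rules from the note above, together with the curl validation, as an added example (not NETSCOUT code). The function names and the optional CA-file argument are assumptions; probing without -k and with curl's --cacert additionally confirms that the installed certificate chains to a CA you trust, which -k skips.

```shell
#!/usr/bin/env bash
# Added example, not NETSCOUT code: pre-check websecure arguments against the
# guide's rules, then interpret the result of the curl validation.

# websecure_args_ok PROTOCOL PORT
# Return codes: 0 allowed, 1 bad protocol, 2 port not allowed, 3 protocol/port mismatch.
websecure_args_ok() {
    local proto port=$2
    proto=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    case $proto in
        HTTP|HTTPS) ;;
        *) echo "protocol must be HTTP or HTTPS"; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*|??????*) echo "port must be a number from 1 to 65535"; return 2 ;;
    esac
    case $port in
        80|8080)  [ "$proto" = HTTP ]  || { echo "port $port is HTTP only"; return 3; } ;;
        443|8443) [ "$proto" = HTTPS ] || { echo "port $port is HTTPS only"; return 3; } ;;
        *)  if [ "$port" -le 1023 ] || [ "$port" -gt 65535 ]; then
                echo "port $port is outside the guide's list; contact Customer Support"
                return 2
            fi
            echo "note: port $port needs a matching firewall change" ;;
    esac
    if [ "$proto" = HTTPS ]; then
        echo "note: a secured port needs a certificate (nscertutil)"
    fi
    return 0
}

# classify_probe CURL_EXIT STATUS_LINE: print a one-word verdict.
classify_probe() {
    case $1 in
        0)  case $2 in
                HTTP/*\ 200*) echo up ;;
                *) echo unexpected-status ;;
            esac ;;
        7)  echo connect-failed ;;
        35) echo tls-handshake-failed ;;        # the guide's "SSL connect error"
        60) echo certificate-not-trusted ;;     # only seen when -k is not used
        *)  echo "curl-error-$1" ;;
    esac
}

# probe_web URL [CA_FILE]: with CA_FILE the certificate is verified against it,
# without it the probe uses -k as in the guide and proves only that the listener answers.
probe_web() {
    local url=$1 ca=${2:-} out rc
    if [ -n "$ca" ]; then
        out=$(curl -sS -I --max-time 10 --cacert "$ca" "$url" 2>/dev/null)
    else
        out=$(curl -sS -I --max-time 10 -k "$url" 2>/dev/null)
    fi
    rc=$?
    classify_probe "$rc" "$(printf '%s\n' "$out" | head -n 1 | tr -d '\r')"
}

# Constructed inputs: the two curl outcomes shown in the guide, plus argument checks.
classify_probe 0 "HTTP/1.1 200 OK"
classify_probe 35 ""
websecure_args_ok HTTPS 8443 || true
websecure_args_ok HTTP 8443  || true
```

Run websecure_args_ok before websecure, then probe_web once with -k and once with the CA file (a placeholder path of your own) after the certificate has been installed.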


4.2.3 Changing the Host Name


After you have run a Windows-based nGeniusONE installer, during which you specify the host
name and domain, changes to these values can be done with the following procedure.

Note:  If you want to change the host "friendly name" as it appears in the nGeniusONE
deployment, access the parent server in your cluster and modify it from the Server
Management GUI or the Server Map editing procedure.

1. Log in to the Windows server with an account that has administrator privileges. (Do not
use a cloned version of the Administrator account.)
2. Access Control Panel>System>Change Settings>Change..., and modify the Computer
Name and/or domain, as needed.
3. Stop the nGeniusONE server.
4. Navigate to the <nGeniusONE install>\rtm\bin folder.
5. Edit pm_env.bat.
6. Locate the line with NSHOST and modify it to the new name.
7. Save and exit the file.
8. Start the nGeniusONE server.
9. Make sure that you modify the corresponding entry in your DNS servers or the hosts file
of every system that connects to the server, the parent server and any related data
sources.

4.2.4 Changing the Date / Time or Time Zone


After you have run a Windows-based nGeniusONE installer, if you need to modify the date or
time, you use standard Windows administrative tools. Note, however, that changing the time on
the server does not change the dates of the warehoused data, so user queries may not fully
match stored time stamps until the original data has fully archived off, over time.

Note: NETSCOUT recommends you use the same time server for all systems in the
deployment.

1. Log in to the Windows server with an account that has administrator privileges. (Do not
use a cloned version of the Administrator account.)
2. Access Control Panel>Date and Time, and modify as needed.
3. Restart the nGeniusONE server.

4.2.5 Changing the Server Type


Use this procedure to change your Windows-based nGeniusONE server to another server type
(for supported products), such as a Global Manager to a Standalone server.

1. Log in to the Windows server with an account that has administrator privileges. (Do not
use a cloned version of the Administrator account.)
2. Navigate to the C:\NetScout\rtm\bin folder.


3. Start the Server Map utility: 


nstool.bat com.netscout.database.util.ServerTool
The following menu options display:
1. Change Server Type
2. Display the Server Map Table
3. Export Server Map Table
4. Import Server Map Table
5. Erase Server Map Table
4. Enter option 1 (Change Server Type).
The utility displays the available options for conversion.
0. Return to Previous
1. Set SERVER_TYPE to Standalone Server
2. Set SERVER_TYPE to (Distributed) Local Server
3. Set SERVER_TYPE to (Distributed) Global Manager
q. to Quit
5. Select the menu option corresponding to the server type you want, then press Enter.
6. A warning displays that the Server Map table will be erased. Enter Y to confirm the
selection.
7. Enter y to confirm your selections. The system displays the old and new server types. For
example:
>1
OLD Server Type: SERVER_TYPE="Global Manager"
NEW Server Type: SERVER_TYPE="Standalone Server"
Warning: this will erase the Server_Map Table ('Y' to Continue)>y
OLD Server Type : SERVER_TYPE="Global Manager"
NEW Server Type : SERVER_TYPE="Standalone Server"
client.properties Binding Name set to:
ServiceManagerBindingName=ServiceManager
Stored password is Encrypted in Version2
Standalone Server found
Standalone ID is 1
New Entry Added to Server Map Table for IP : 10.20.160.14
-----------------------------------------------------------------
This option will set the server type in the Server Startup files
and make all Required changes to to the Server_Map table.
Select Item from Menu
0. Return to Previous
1. Set SERVER_TYPE to Standalone Server
2. Set SERVER_TYPE to (Distributed) Local Server
3. Set SERVER_TYPE to (Distributed) Global Manager
q. to Quit
>
8. Enter q to exit nstool.
9. Restart the nGeniusONE server.

5 Recovery
Should it become necessary, you can restore your server by uninstalling only the application
software, or by fully reimaging the system.

After you have performed an uninstall or reimage, you can then proceed with reinstalling the
software application. The last step of installation includes guidance for licensing and
configuration. If you reimaged the system, or opted not to retain settings, you will need to
perform those steps as well.

Note: Before you begin, optimally consider the following:


• If possible, save the license file from your server. Otherwise locate the software keys
  used to register and create your licenses.
• Review the installation and configuration worksheets in case you need to re-enter
  settings during recovery.
• For reimages, locate the DVD you received with your order, or download an applicable
  ISO from the NETSCOUT Customer Support website.
• Locate the application software you want to use, either from your DVD or from the
  Customer Support website.

Based on your recovery needs, or as guided by Customer Support, select one of the procedures
below:
• Uninstall Software
• Reimage the Operating System

5.1 Uninstalling NETSCOUT Software


If advised by NETSCOUT Customer Support to remove your nGeniusONE software as part of your
recovery process, use the steps below as a guide. You may be guided to uninstall and then
reinstall software, or completely restore the kernel before installing the application software.

Linux
1. Complete installation and configuration worksheets.
2. Access the system command-line as the root user. If you have logged in as a different user
and assumed privileges with su, be sure to use su -l <root account> so that the full
environment is instantiated before you proceed.

3. Stop the NETSCOUT processes (the installer does not run if any NETSCOUT processes are
running). Refer to Stopping and Restarting the System, if needed.
4. If guided by support, create a full backup and/or a configuration backup of your server
into a location outside of the <nGeniusONE install> folder. Ensure a copy of the following
license file is also saved:
<nGeniusONE install>/rtm/bin/admin/.license.properties
5. Navigate to the /opt directory and run the following command:
[root@host /opt]# <nGeniusONE install>/rtm/bin/uninstall.sh
6. Respond to the script's prompts to uninstall nGeniusONE.
Note: The script prompts whether you want to save configuration settings. If guided by
Customer Support, specify No, to ensure a full uninstall.
7. After the uninstall completes, reboot the nGeniusONE server.
8. The uninstall process leaves certain files and folders intact, since a complete uninstall is
not always required. If guided by Customer Support, you should remove these manually.
a. Log back in to the server as the root user.
b. Navigate to the /opt directory (or other location in which you installed the nGeniusONE
software).
c. Manually delete the residual directory to ensure a clean re-installation. Example:
[root@host ~]# cd /opt/
[root@host /opt]# rm -rf NetScout
9. Your server is now ready to use the nGeniusONE installer.
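
Step 4 asks for the license file to be saved outside the <nGeniusONE install> folder, and step 8 later deletes the residual directory. The following is an added example, not NETSCOUT code, that makes the copy and refuses a destination that resolves to somewhere inside the install tree. The function name, exit codes and the example paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not NETSCOUT code.
# usage: backup_license INSTALL_DIR DEST_DIR
#   INSTALL_DIR  the <nGeniusONE install> folder (assumed example: /opt/NetScout)
#   DEST_DIR     backup location (hypothetical example: /root/ngone-backup)
# Prints the path of the saved copy on success.
# Exit codes: 2 license file missing, 3 path problem,
#             4 destination is inside the install tree, 5 copy failed or differs.
backup_license() {
    bl_install=$1
    bl_dest=$2
    # License file location as given in step 4 of the uninstall procedure.
    bl_src="$bl_install/rtm/bin/admin/.license.properties"

    [ -f "$bl_src" ] || { echo "license file not found: $bl_src" >&2; return 2; }

    # Resolve physical paths so a symlink or ".." cannot disguise a destination
    # that really lives under the install folder.
    bl_install_real=$(cd "$bl_install" && pwd -P) || return 3
    bl_created=0
    if [ ! -d "$bl_dest" ]; then
        mkdir -p "$bl_dest" || return 3
        bl_created=1
    fi
    bl_dest_real=$(cd "$bl_dest" && pwd -P) || return 3

    case "$bl_dest_real/" in
        "$bl_install_real"/*)
            # Remove the leaf directory again if this call created it.
            if [ "$bl_created" -eq 1 ]; then
                rmdir "$bl_dest_real" 2>/dev/null || :
            fi
            echo "refusing: $bl_dest_real is inside $bl_install_real" >&2
            return 4 ;;
    esac

    # Timestamped name; rename back to .license.properties when restoring.
    bl_target="$bl_dest_real/license.properties.$(date +%Y%m%d-%H%M%S)"
    cp -p "$bl_src" "$bl_target" || return 5
    chmod 600 "$bl_target"

    # Byte-for-byte check before the uninstall is allowed to proceed.
    cmp -s "$bl_src" "$bl_target" || { rm -f "$bl_target"; return 5; }
    printf '%s\n' "$bl_target"
}
```

Run it as root before step 5 and continue with the uninstall only when it prints a path and returns 0.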

Windows
1. Complete installation and configuration worksheets, locate your licenses, and download
and have your software available.
2. Log in to the Windows server with an account that has administrator privileges. (Do not
use a cloned version of the Administrator account.)
3. Stop the nGeniusONE Server by accessing Start > Programs > NetScout nGenius Server
and selecting Stop nGenius Server. (The installer does not run if any nGeniusONE
processes are running.)
4. Open the Task Manager and ensure that all nGeniusONE processes are stopped before
proceeding. (Refer to Server Processes, if needed.)
5. Access Start > Programs > NetScout nGenius Server and select Uninstall nGenius
Server. An uninstall wizard opens.
6. Click the Next button to begin.
7. The wizard prompts whether you want to save configurations for a future reinstall. Select
the radio button for Yes or No, then click Uninstall.
8. After the uninstall completes, a reminder is posted that some items are not removed.
The uninstall process leaves certain files and folders intact, since a complete uninstall is
not always required. Click Done to exit the wizard.

9. Note that the wizard does not remove the nGenius Client software, which is automatically
included with the server software installation. If needed, access Start > Programs >
NetScout > nGenius Client and select Uninstall nGenius Client.
10. Click Uninstall to remove the software, then Done to exit the uninstall wizard.
11. Reboot the server.
12. If guided by Customer Support, you may now manually remove the residual folders.
a. Log back in to the server as an administrative user.
b. Navigate to the folder into which the nGeniusONE software was originally installed
(C:\NetScout, by default).
c. Manually delete the NetScout directory.
13. Your server is now ready to use the nGeniusONE installer.

5.2 Restoring NETSCOUT Software (Linux)


If directed by Customer Support, use one of the following procedures to restore the operating
system for your server.
• Recovery Using a DVD
• Recovery Using Virtual Media

Note:
• These procedures are applicable for Linux-based configurations for NETSCOUT-
  provided hardware. For custom Linux deployments or for Windows deployments, you
  will need to use your own kernel kit to recover the operating system, if necessary.
• Reimage procedures completely format the hard drive. If possible, be sure to back up
  the configuration data and properties files beforehand.
• Contact Customer Support before using a restore DVD or ISO on any hardware other
  than the original model.
• Before you begin:
  ◦ If possible, save the license file from your server. Otherwise locate the software keys
    used to register and create your licenses.
  ◦ Review the installation and configuration worksheets in case you need to re-enter
    settings during recovery.
  ◦ For reimages, locate the DVD you received with your order, or download an
    applicable ISO from the NETSCOUT Customer Support website.
  ◦ Locate the application software you want to use, either from your DVD or from the
    Customer Support website.

Recovery Using a DVD


1. Connect to your system locally with a direct terminal connection.
2. Place the Restore DVD in the DVD drive tray.
3. Reboot the system and ensure it boots from the DVD. Use the BIOS or Boot Menu to
change or select the boot order, if needed.

4. The DVD automatically runs the reimaging procedure, and a static IP of 10.10.10.10 is
assigned.
5. When the Operating System installation is complete, reboot the system (when prompted).
6. When the DVD tray opens, remove the DVD.
7. You may now use the installer chapter to install the application software.
8. After installing the software, you must install licenses and configure the server.

Recovery Using Virtual Media

For NETSCOUT-built hardware with an iDRAC interface, you can optionally use an ISO or DVD on
your local system, rather than a physical drive on the remote system, to remotely reimage that
operating system.

1. Follow steps in: Use Virtual Media to Reimage a System


2. You may now use the installer chapter to install the application software.
3. After installing the software, you must install licenses and configure the server.

5.3 Upgrading the Operating System (Linux)


The Operating System (OS) upgrade process is similar to the OS recovery process, which requires
reimaging the hard drive. Reimage procedures completely format the hard drive, so back up the
configuration data and properties files before upgrading.

Follow these steps to upgrade your OS:

1. Back up your files. Also see "Performing Database Backups" in the help.
2. Reimage and install the Oracle Linux or Red Hat upgrade OS.
3. Reinstall the NETSCOUT product software.
4. Restore the database.

This procedure applies to Linux-based configurations for NETSCOUT-provided hardware. For
custom Linux deployments, you must use your own kernel kit.

6 Maintenance
This section provides guidance for assorted tasks involved in managing and modifying your
deployment to suit your environment.

See these sections:


• Accessing the Appliance OS
• Stopping and Restarting the System
• Adding Servers
• Configuring Authentication for Web Access
• Configuring Security
• Working with Backups
• Converting Servers
• Working with Licenses
• Changing Server Identity
• Configuring Alerts
• Performing Remote Upgrades
• Additional Tasks

6.1 Accessing the Appliance OS


Refer to the sections in this chapter for guidance on the following access methods:
• Connecting Locally (via COM port)
• Connecting Remotely (PuTTY / SSH or RMM)
• Connecting as a User (Web)

For deployments that utilize the nGenius Client / Performance Manager, refer to Installing and
Accessing the nGenius (Performance Manager) Client.

Note: Default user logins are provided in this chapter, to facilitate initial setup. However,
NETSCOUT strongly recommends changing these and performing other steps to enhance
security of your deployment.


6.1.1 Connecting Locally


For initial configuration, use the following instructions to log in using a physical console terminal
or terminal emulator application. After the system is networked, you can use SSH to connect.

1. If you have not already done so, use the DB9 cable provided with your system's kit to
connect a console terminal or Windows system COM1 serial port to the serial port located
on the back of the system.
Note: Attach or remove the console cable only while the appliance is powered down.
Attaching an unterminated cable to the console COM port can cause it to become
unresponsive. If this occurs, reboot the appliance.
2. Power up the appliance.
3. Access the system from the console terminal or from a terminal emulator application.
Adjust the following settings, if required:
Bits per second: 57600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None
Emulation: ANSI
ASCII Setup: Do not wrap lines that exceed terminal width
4. Press Enter until a login prompt for the appliance operating system appears.
5. For initial setup, log in as the root user with the following default values:
Username: root
Password: <root password>
Note: After you log in the first time, change the default root password. For additional
guidance refer to Configuring Security.

6.1.2 Connecting Remotely


After you have performed initial configuration, you can access the system using a secure shell
from another UNIX/Linux system or using an application such as PuTTY, from a Windows system.

Note: Telnet is disabled, by default, on NETSCOUT servers.

6.1.2.1 SSH from a Remote Windows System


1. Download and install PuTTY to your client system.
2. Launch PuTTY to display the PuTTY Configuration dialog.
3. From the Category list, select Session, to display Basic options for your PuTTY session.
4. Enter the Host Name or IP address of the NETSCOUT system.
5. Set the Port to 22.
6. Below the Host Name, set the Connection Type to SSH.
7. From the Category list > Connection section, select SSH.

8. After the dialog displays Options controlling SSH connections, ensure the Preferred SSH
protocol version is set to 2.
9. Now, click Open to launch the PuTTY connection to that system.
10. If this is the first time you have connected to the server, you may be prompted as below to
verify that the host name or IP address is valid. If the address is as expected, click Yes to
continue the connection.
The server's host key is not cached in the registry
11. Respond to the operating system user login prompt. The default root login is:
Username: root
Password: <root password>
Access the system command-line as the root user. If you have logged in as a different user
and assumed privileges with su, be sure to use su -l <root account> so that the full
environment is instantiated before you proceed.

6.1.2.2 SSH from a Remote Linux/Unix System


1. From a Linux or UNIX system, you can open a command shell using SSH directly.
NETSCOUT recommends using SSH2 for enhanced security.
ssh -2 <host name or IP address>
2. Respond to the operating system user login prompt. The default root login is:
Username: root
Password: <root password>
Access the system command-line as the root user. If you have logged in as a different user
and assumed privileges with su, be sure to use su -l <root account> so that the full
environment is instantiated before you proceed.
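
The first-connection prompt described in 6.1.2.1 (and the equivalent OpenSSH prompt) is only meaningful if the offered host key is compared with one read from the appliance itself, for example over the local console connection in 6.1.1. The following is an added example, not NETSCOUT code, that compares the two; it assumes OpenSSH's ssh-keygen on the client, and the function names and file paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not NETSCOUT code. Assumes OpenSSH's ssh-keygen is installed.
#
# Typical inputs (paths are assumptions):
#   trusted: a host public key copied from the appliance console session,
#            e.g. /etc/ssh/ssh_host_ed25519_key.pub (OpenSSH default location)
#   offered: what the server presents on the network, e.g. the output of
#            ssh-keyscan <host name or IP address> saved to a file

# fingerprints FILE
# Print one "<key type> <SHA256 fingerprint>" line per key in FILE. FILE may be
# a *.pub file or known_hosts-format lines.
fingerprints() {
    ssh-keygen -l -E sha256 -f "$1" 2>/dev/null |
        awk '{ gsub(/[()]/, "", $NF); print $NF, $2 }' | sort -u
}

# verify_host_key TRUSTED_FILE OFFERED_FILE
# Returns 0 when every key type present in both files has the same fingerprint,
# 1 on any mismatch, 2 when there is nothing to compare (empty or unreadable
# input, or no key type in common).
verify_host_key() {
    vh_trusted=$(fingerprints "$1")
    vh_offered=$(fingerprints "$2")
    if [ -z "$vh_trusted" ] || [ -z "$vh_offered" ]; then
        return 2
    fi

    vh_compared=0
    while read -r vh_type vh_fp; do
        # Look up the trusted fingerprint for this key type, if there is one.
        vh_want=$(printf '%s\n' "$vh_trusted" |
            awk -v t="$vh_type" '$1 == t { print $2 }')
        [ -n "$vh_want" ] || continue
        vh_compared=$((vh_compared + 1))
        if [ "$vh_fp" != "$vh_want" ]; then
            echo "MISMATCH for $vh_type: offered $vh_fp, trusted $vh_want" >&2
            return 1
        fi
    done <<EOF
$vh_offered
EOF

    [ "$vh_compared" -gt 0 ] || return 2
    return 0
}
```

Accept the host key in PuTTY or ssh only when the comparison returns 0; a return of 1 means the key offered on the network is not the one stored on the appliance.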

6.1.2.3 Web-based RMM Access


Hardware-based appliances include ports for web-based remote administration and
troubleshooting of the appliance. An overview of typical iDRAC usage is provided in the tools
appendix of this guide, including use of the virtual console. For detailed instructions refer to the
Dell websites below:

For complete details, refer to the Dell Remote Access Controller Documentation on the Dell website.
• Dell R740 (iDRAC9)
  https://www.dell.com/support/article/us/en/19/sln311300/idrac9-home
• Dell R730 (iDRAC8)
  https://www.dell.com/support/article/us/en/19/sln310710/idrac8-home
• Dell R720 (iDRAC7)
  https://www.dell.com/support/article/us/en/19/sln311149/idrac7-home


6.1.2.4 Web-based nGeniusONE Server Access


After installation and configuration are done, administrators and users can access the
nGeniusONE server using a web browser.

Note:
• Refer to the chapter on Requirements for a list of supported web browsers and
  versions.
• Disable popup blockers before accessing the nGeniusONE Server using a browser.
• For deployments that utilize the nGenius Client / Performance Manager, refer to
  Installing and Accessing the nGenius (Performance Manager) Client.
1. Access the nGeniusONE server using a web browser, navigating to:
https://<nGeniusONE Server host name>:<port number>
You must use a host name or IP address. Use of localhost is not supported.
2. Enter the user name and password created during the installation process.
3. Click Log In.

Tips:
• If a user experiences issues with browser performance on a client system, clear the
  browser's cache and have the user log in again.
• Disable virus scanning software. If you prefer not to disable virus scanning completely,
  you can disable automatic scanning of all downloaded files and enable the scanning of
  program files only as specified by file extension. Consult your virus software
  documentation for specific instructions.
• Browser performance can degrade somewhat when the server is busy or under a heavy
  load.
• If using Internet Explorer, you must enable Active Scripting (in Security Settings) to
  permit logging in to nGeniusONE.

6.2 Stopping and Restarting the System


Stopping a server can be useful when troubleshooting and is usually required when installing a
patch. When you stop a server, several things happen automatically to ensure a smooth
shutdown:
• The server finishes the current logging cycle.
• A notification message is broadcast to all client systems.
• All database, web server, and server processes stop.

Note:
• To stop and restart the server to which you are currently logged in, you must use the
  operating system command-line (see the manual method, below) rather than the Server
  Management interface.
• In a clustered environment, you can use the Server Management interface to stop and
  start servers managed by the primary, managing server.


6.2.1 Manually Stopping / Starting a Server


Windows

1. From Start > (All) Programs > NetScout nGeniusONE Server, select the following
option, as appropriate:
Start nGeniusONE Server
Stop nGeniusONE Server
2. Use the Windows Task Manager to confirm that all processes are running or stopped, as
appropriate. See D.3 Server Processes by Server Type.
3. Confirm that the nGeniusONE services are registered correctly. See D.2 Windows Services.

Linux

1. Access the operating system command-line of the nGeniusONE server.


2. Navigate to the install directory:
[root@host ~]# cd <nGeniusONE install>/rtm/bin
3. Run the indicated command, as your requirements dictate.
[root@host <nGeniusONE install>/rtm/bin]# stop
or
[root@host <nGeniusONE install>/rtm/bin]# start
4. When the action has completed, you can use the following command to verify the
appropriate processes are stopped or running:
[root@host <nGeniusONE install>/rtm/bin]# ./PS

6.2.2 Using Server Management to Stop / Start


1. From the nGeniusONE Console, access the Server Management module.
2. From the Servers tab, select the row with server that you want to stop. Note that for
certain configurations, this operation is not applicable and the icon is disabled or hidden.
3. From the Server Operations drop-down menu, select Stop or Start, as required.

6.3 Adding Servers


Certain types of child servers are added directly in the server's Server Management module;
others are added using specialized configuration methods. Use this chapter to understand how
different server types may be deployed for the indicated purposes and which mechanisms to
use. Depending on your server type, you may be adding servers for one of the following
purposes:
• As a remote local / standalone cluster node, to send data up to its parent server
• As a standby cluster node to provide redundancy for an individual server
• As a related server type for read access to devices and select statistics, and for licensing
  and some configuration
• As a trusted child to receive authentication / configuration information


The procedures in this chapter outline the different modes.


• Adding a Child Node
• Integrating a Related Server
• Integrating an Authentication Source

6.3.1 Adding a Child Node


For applicable server types, you can add child nodes either as nodes of a cluster, as standby for
backups, or as related servers. This chapter describes how to use the Server Management
module to add these servers, when applicable. To add a parent server as an authentication
source, instead refer to Integrating an Authentication Source.

Note:
• All servers in a distributed cluster (excluding "related servers" with discrete architecture
  (nBA, nSI, and Pulse)) must be running the same version of the application software and
  configured with the same authentication method.
• All servers must be configured to use the same port number for HTTP/S
  communication.
• It is not applicable to add a child server to a Standby Server or to a type such as nBA,
  nSI or Pulse.
• If the server you are accessing is a child node of a cluster, you must access the parent
  server in order to add a Standby or related server to this node. All configurations in a
  cluster are managed at the parent head of the cluster. For this reason, certain
  configuration options, such as the Add a server icon, are disabled on child servers.

Procedure:

1. Access the server as an administrative user.


2. Launch Server Management.
3. From the Servers tab, select the server to which you want to add a child server.
4. Select the row for the server to which you are adding a child:
   • To add a cluster child or a related server type child, select the managing / parent server
     row (Type must be either Global or ConfigManager, not Local).
   • To add a Standby Server, select a row with the type identified as Local. This can be the
     LocalServer residing directly on a Global Manager, or a remote local server in that
     cluster.
5. Click the Add Server icon.
6. A dialog box displays with options applicable to the type of server row you selected above.
Enter the required information for the server type you want to add.

• If you selected a Local server, select Standby and configure these settings:

Server Information
  Type: Standby
  Server Name: A relevant name, or alias, to identify the server. This field can
    contain spaces but not these restricted characters:
    :,#!@=$%^&*()+<>?;|~"/'
  Address / Host name: Provide an IPv4 or IPv6 address, or a fully qualified domain
    name.
  Web Port: Use the same web port number used by the Local Server
    selected above.

User Login Information
  User Name, Password: Provide the administrative web user name and password you
    provided during installation of the Standby Server

Additional Information
  Alarm Suppression Time: Duration in ms before a Standby alarm is re-issued
  Backup Check Timeout: Duration in ms for Standby to hear from its Primary server
    (the local server it is backing up)

• If you selected a Global and are adding a cluster child, use these settings:

Server Information
  Type: Local Server (This is the remote Standalone child server you
    want to add to the cluster)
  Server Name: A relevant name, or alias, to identify the server. This field can
    contain spaces but not these restricted characters:
    :,#!@=$%^&*()+<>?;|~"/'
  Address / Host name: Provide an IPv4 or IPv6 address, or a fully qualified domain
    name.
  Web Port: Use the same web port number used by the parent server
    selected above.

User Login Information
  User Name, Password: Provide the administrator web user name and password you
    provided during installation of the Standby Server

Server Restart
  Restart server after adding it: For child servers that inherit configurations from the
    managing server, it is optimal to restart the child server after
    the add has been done. When such an operation is
    applicable, this check box is displayed. If you intend to do
    more configuration changes that need to be pushed to the
    child server, you can uncheck this box to defer the restart and
    perform it manually.

• If you selected a Global or ConfigManager and are adding a related server child, use
  these settings:

  Type: One of the following:
    ◦ nGenius Business Analytics
    ◦ nGenius Subscriber Intelligence [1]
    ◦ nGeniusPULSE [1]
    [1] Not applicable for nGenius Configuration Manager
  Server Name: A relevant name, or alias, to identify the server. This field can
    contain spaces but not these restricted characters:
    :,#!@=$%^&*()+<>?;|~"/'
  Address / Host name: Provide an IPv4 or IPv6 address, or a fully qualified domain
    name.
  Web Port: Use the same web port number used by the parent server
    selected above.

6.3.2 Integrating a Related Server


These servers can be integrated with nGeniusONE in a manner that provides them access to
certain statistics and devices (requirements vary based on the specific server). Since these
servers are consumers only (they do not contribute to the analytic databases housed on
nGeniusONE), they are described separately from a normal cluster child.

The following server types can be added using Server Management on a Standalone server, a
Global Manager, a Dedicated Global Manager (and for nGenius Business Analytics, nGenius
Configuration Manager).

Note: For each of the products below, refer to that product's documentation for more details,
including installation and configuration instructions.
• nGenius Business Analytics: Integrating this server type allows it to authenticate to other
  cluster nodes as a standard member, polling data directly from the devices managed by
  the cluster nodes (or the Standalone).
• nGenius Subscriber Intelligence: This server type uses the ASRs from nGeniusONE
  deployments. It can be integrated to use the User Management and Authentication options
  from the managing server.
• nGeniusPULSE: When integrated with nGeniusONE, this product retrieves configurations
  from the managing server (which applications to transmit to the Pulse server), and accesses
  certain statistics computed on the nGeniusONE about the monitored data. It does not
  transmit ASI data. Note that integration requires additional steps, as mentioned in Pulse.

Of the above, only nGenius Business Analytics is supported for adding in nGenius
Configuration Manager.

Procedure:

1. Access the server as an administrative user.


2. Launch Server Management.
3. From the Servers tab, select the server to which you want to add a child server.

4. Select the row for the server to which you are adding a child. The type for the row you
select must be either Global or ConfigManager, not Local.
5. Click the Add Server icon.
6. A dialog box displays with options applicable to the type of server row you selected above.
Enter the required information for the server type you want to add.

  Type: One of the following:
    • nGenius Business Analytics
    • nGenius Subscriber Intelligence [1]
    • nGeniusPULSE [1]
    [1] Not applicable for nGenius Configuration Manager
  Server Name: A relevant name, or alias, to identify the server. This field can
    contain spaces but not these restricted characters:
    :,#!@=$%^&*()+<>?;|~"/'
  Address / Host name: Provide an IPv4 or IPv6 address, or a fully qualified domain name.
  Web Port: Use the same web port number used by the parent server
    selected above.

6.3.3 Integrating an Authentication Source


Certain server types must be integrated with a managing server for authentication and
application and device configuration, but do not share data back to the managing server as part
of a cluster. The managing/parent server does not, therefore, add this child type through the
Server Management module. Instead, the Authentication Source module on the child is used to
establish a trusted relationship. Once enabled, certain licenses, configuration and applicable data
sources on the managing server are made known to this server.

For applicable products based on nGeniusONE architecture, the Authentication Source module
displays one or both of nGenius CM and OAM authentication options. These types are specific
to NETSCOUT and used to enable this trusted relationship.
• nGenius Session Analyzer and nGenius Subscriber Cache: Must be set to either nGenius
  CM or OAM. The nGenius CM option can be set to either an nGeniusONE or nGenius
  Configuration Manager server.

Note:
• The Native mode of authentication is available for all server types, to allow for basic
  configuration and recovery should the managing server become unavailable. For certain
  servers, however, the primary capabilities that rely on data are not functional until the
  data source information and other details are transmitted from the managing
  configuration server.
• Related nGenius Session Analyzer and nGenius Subscriber Cache servers must use the
  same authentication source server and type.
• For nGenius Session Analyzer / nGenius Subscriber Cache deployments, those
  supporting data sources must have geo-xxxx-yyy.bin software installed and configured
  during that installation to operate in Local Mode. For more details on the device
  requirements, refer to the nGenius Session Analyzer Release Notes and the InfiniStreamNG
  Deployment Guide.


Procedure:

1. Launch the Authentication Source module.


2. Click the red X icon next to the nGenius CM or OAM authentication option, as applicable for
your server type.
3. Change the parameters described below. All fields are required.

For nGenius CM:

  Parameter: Description
  nGenius CM IP/Host: IP address or hostname of nGeniusONE or nGenius
    Configuration Manager server. Note that for Omnis Cyber Investigator,
    this must be an nGeniusONE server.
  nGenius CM Port: Usually 8443
  nGenius CM User: User name
  nGenius CM Password: Password

For OAM:

  Parameter: Description
  UUMS IP/Host: IP address or hostname of UUMS server. Use the hostname that matches
    the SSL certificate used by the UUMS server.
  UUMS Port: UUMS port number. Usually 1199.
  OAM IP/Host: IP address or hostname of OAM server. Use the hostname that matches
    the SSL certificate used by the OAM server.
  OAM Port: OAM port number. Usually 8443.
  Webservice Port: TCP port number of OAM server. Usually 11055.

4. Click OK to save the settings and exit the parameters dialog.


5. Restart the managing server to implement your changes. It is not necessary to restart
child servers.

6.4 Configuring Authentication for Web Access


By default, nGeniusONE servers support a local, native mode for authenticating and authorizing
users accessing the web console. For some server types, authentication to an external
NETSCOUT server is also offered. LDAP, RADIUS, Windows Domain, SiteMinder, and SAML
servers provide authentication services, but no authorization for users logging in to
nGeniusONE. When a user first logs in successfully, nGeniusONE assigns the default user role
and other settings defined in Server Management for the given authentication method.
nGeniusONE stores this same user information in the server database. For subsequent
authentications, users are assigned the user role and other credentials stored in the nGenius
database.

Note: 
• If needed, you can revert a server to Native mode authentication.
• Do not install the nGeniusONE and external server software on the same system.


6.4.1 Authentication Modes


Depending on your server type, the following authentication modes may be present in the
Authentication Source configuration module:

Third Party Options


• LDAP
• RADIUS
• SAML
• SiteMinder
• CISCO ACS / ISE / TACACS+
• Windows Domain (Windows Active Directory)

NETSCOUT Options
• Native Mode (present for all servers)
• nGenius CM
• OAM

6.4.2 Preparing for External Authentication


The System Administrator role can modify user roles and access privileges. Therefore, NETSCOUT
SYSTEMS strongly recommends that you enter at least one user name in the SYSADMIN
list. By doing so, you ensure that an administrator maintains full access and control of nGenius
user administration after external authentication is enabled. If no names are specified in the
SYSADMIN list, then nGenius user administration functionality is limited by the default user role
of HELPDSK, which has no authority for managing user roles and access privileges.

nGeniusONE uses only one form of authentication at a time, either local or one of the supported
external methods, and responds with an error message to invalid login attempts. That is, if a
user cannot be authenticated according to the main authentication method and server,
nGeniusONE rejects the login.

In a distributed server environment, the Global Manager and all Local Servers in the server
cluster must use the same authentication mechanism, either the local nGenius authentication or
one of the external methods. You cannot use different authentication methods on different
servers within the same distributed environment.

All of the supported external methods perform the task of authenticating users for logging in to
nGeniusONE. Once logged in, users’ authorization for accessing various features is managed
differently depending on the external method.

6.4.3 Native (Local)


6.4.3.1 Authentication: Native (Local)
All NETSCOUT servers based on the nGeniusONE architecture support local authentication mode
for user web login accounts. This mode allows configuration of users, user roles, and privileges
for feature access and web server access. This user database resides locally on the server. Note,
however, that the primary function of certain servers (such as those that do not directly manage
data sources) requires additional settings that are provisioned when the server is configured for
authentication to an OAM server, an nGeniusONE server or nGenius Configuration Manager.

To enable Native authentication:

Access the server console as an administrative user and open the Authentication Source module.
Double-click the red icon next to Native to change the setting, then restart the server. If you are
not able to access the web server as an administrative user, you can revert the mode from the
system command-line, as described in Reverting to Native Mode Authentication.

6.4.3.2 Reverting to Native Mode Authentication


When a server is configured for external authentication, but that source becomes permanently
unavailable, you are not able to access the server GUI to change the authentication type. If
that occurs, you can use the procedure below to revert the server to use native (local)
authentication.

1. Access the system command-line as the root user. If you have logged in as a different user
and assumed privileges with su, be sure to use su -l <root account> so that the full
environment is instantiated before you proceed.
2. Stop the NETSCOUT processes (the installer does not run if any NETSCOUT processes are
running). Refer to Stopping and Restarting the System, if needed.
3. Navigate to <nGeniusONE install>/rtm/bin.
4. Run the following script:
# ./EA_set_default.sh
5. Restart the server.
6. Log in to the server web page using administrative account credentials. Following are the
NETSCOUT default values for the web administrative account:
User: administrator
Password: <administrator password>
7. Navigate to Authentication Source and reconfigure the settings for a new external
authentication server. Note that if you are changing the type of authentication server on
the parent of a cluster, such as a Global Manager, all servers in the cluster must use the
same authentication model.
8. Restart the server. If the server is the parent of a cluster, such as a Global Manager, restart
all the servers in the cluster.

6.4.4 SAML
6.4.4.1 Authentication: SAML
Security Assertion Markup Language (SAML) is an XML-based open standard for transferring
identity data between an authentication Identity Provider (IdP) such as SailPoint, Okta, or Auth0,
and an application referred to as a Service Provider (SP), which is nGeniusONE or nGenius
Configuration Manager. SAML support enables secure Single Sign-On (SSO) to nGeniusONE and
its trusted servers. When SAML is enabled, REST APIs can only be authenticated via a
user-generated key or trusted-server-generated key.

SSO workflows can be initiated from:


• nGeniusONE
• Identity Providers

6.4.4.1.1 nGeniusONE Redirect URL

SAML requires a redirect of the nGeniusONE URL upon user authentication. The following text
shows a sample redirect URL:
https://serverhostname:8443/console/samlIdpInitCallback

6.4.4.1.2 Configuring SAML Authentication on nGeniusONE

See your Identity Provider's documentation for information on enabling SAML from the IdP side.
Use the following procedure to configure SAML authentication for nGeniusONE. When
configured on a Global Manager, the SAML configuration is automatically propagated to Local
and Standby servers.

1. On the SAML server, add the nGeniusONE Server IP address to the list of hosts with
permission to connect. Refer to your vendor documentation for instructions.
2. From the nGeniusONE server, access the Authentication Source module.
3. Click SAML. The Configure SAML server for Authentication page appears.
4. Locate and change the parameters described in the following table. Ensure that you
specify values for all of the properties marked with asterisks (*) either by entering your
own parameters or by accepting the defaults. You may leave optional properties blank.

Parameter | Description
Servers | Servers and related metadata and SSOs that can be configured to use SAML. Click these icons to search, delete, and upload entries:
    • [icon] to search by server name, SAML metadata XML, or SSO URL.
    • [icon] to hide the search fields.
    • [icon] to clear the filter search fields.
    • [icon] to delete a server entry.
    • [icon] to upload SAML metadata from an XML file.
Server Name | Name of each server eligible for SAML configuration. The eligible server names appear automatically:
    • On Global Manager servers, managed Local and Standby nGeniusONE servers appear automatically along with the Global Manager when SAML authentication is selected.
    • For nGenius Session Analyzer, eligible servers available for SAML configuration appear when clicking Enable SAML Authentication on the nGenius CM tab.
SAML Metadata XML | XML snippet from the SAML provider used for connecting the Single Sign-On (SSO) server and validating the response from the SSO server in a mode of SSL connection. Copy or upload SAML metadata XML into this field for each server.
    This metadata is unique to each server. For the Global Manager or Primary server, the metadata for that server is stored from the SAML authentication UI to <NETSCOUT Install>rtm/samlmetadata.
SSO URL | Read-only single sign-on URL from the SAML Metadata XML.
User SAML Attribute Mapping | Maps nGeniusONE or nGenius Configuration Manager user values to SAML markup attributes:
    • User name
    • First name
    • Last name
    • Email

5. Choose to use local server or SAML server settings. The following table shows local server
settings. Proceed to the following step for SAML server settings.

System Administrator User Configuration

Parameter | Description

System Administration Users

+/- Add/Delete Users (strongly recommended) | Click the plus sign (+) to open the List of System Administrators and:
    • Enter one or more user login names separated by commas (must match names in the external server) of users that you want to have administrative privileges. For example, enter: admin1,admin2
    • Delete user login names from this list that you do not want to have administrative privileges.
    Important: NETSCOUT strongly recommends you specify at least one System Administrator. In the nGeniusONE system, only the System Administrator role can modify user roles and access privileges. If no names are specified in the SYSADMIN list, then user administration functionality is defined by the default HELPDSK user role, which has no authority for managing users and access privileges.
Groups | Click the Groups radio button to add and remove user groups to configure the user groups you want to associate with System Administration user privileges.
Roles/Server Access/ME Groups | Click the Roles/Server Access/ME Groups radio button to add and remove the following for System Administration users:
    • Roles — The roles you want to associate with the System Administration users.
    • Server Access — The nGeniusONE Servers (and their IP addresses) that are accessible to users authenticated by the external server. In distributed environments, all local servers are accessible, by default. Alternatively, you can restrict users’ access by selecting specific nGeniusONE Servers.
    • ME Groups — ME Group configuration is available only for UCM-enabled nGeniusONE servers, which are installed using the pm*.bin installation. Groups of previously defined probe interfaces, router interfaces, and switch ports. When System Administration users log in to the nGeniusONE console, they are restricted to these assigned ME groups. If no selections are made from this pane, System Administration users have access to all configured monitored elements.
Decode Options | Click one of these radio buttons to choose a decode option for System Administration users:
    • Slice Size — Select this option to enter the number of bytes that can be captured and decoded by users granted the appropriate role and authenticated by the external server in the associated field. Enter 0 for no slice size restrictions; enter a number in the range from 1 to 2048 (default) to restrict slice size for System Administration users.
    • Frame Header — Select this option to restrict the user to frame headers only.
    Note: This value overrides settings configured in user accounts.
    Data Capture Override — Check the check box to allow users with those roles to display or clear data captures of all users from the Capture Status view.

User Configuration for Default Users

Groups | Click the Groups radio button to add and remove user groups to configure the user groups you want to associate with Default user privileges.
Roles/Server Access/ME Groups | Click the Roles/Server Access/ME Groups radio button to add and remove the following for Default users:
    • Roles — When a System Administrator modifies this setting, the new value subsequently becomes the default role assigned to authenticated users logging in for the first time. If necessary, the System Administrator can later modify roles for individual users in the nGeniusONE Server Management User Accounts window. Refer to Understanding User Roles for additional details about roles and access privileges.
    • Server Access — The nGeniusONE Servers (and their IP addresses) that are accessible to users authenticated by the external server. In distributed environments, all local servers are accessible, by default. Alternatively, you can restrict users’ access by selecting specific nGeniusONE Servers.
    • ME Groups — ME Group configuration is available only for UCM-enabled nGeniusONE servers, which are installed using the pm*.bin installation. Groups of previously defined probe interfaces, router interfaces, and switch ports. When Default users log in to the nGeniusONE console, they are restricted to these assigned ME groups. If no selections are made from this pane, Default users have access to all configured monitored elements.
Decode Options | Click one of these radio buttons to choose a decode option for System Administration users:
    • Slice Size — Select this option to enter the number of bytes that can be captured and decoded by users granted the appropriate role and authenticated by the external server in the associated field. Enter 0 for no slice size restrictions; enter a number in the range from 1 to 2048 (default) to restrict slice size for System Administration users.
    • Frame Header — Select this option to restrict the user to frame headers only.
    Note: This value overrides settings configured in user accounts.
    Data Capture Override — Check the check box to allow users with those roles to display or clear data captures of all users from the Capture Status view.

6. Use the table below to configure groups and roles using SAML server settings.

SAML Server Settings

Group Configuration Settings

Parameter | Description
Group Configuration | Click the plus sign (+) to add a distribution list for a group for which to grant access.
Groups | Click the Groups radio button to add and remove user groups to configure the user groups you want to associate with System Administration user privileges.
Roles | Click the Roles radio button to add and remove the following for System Administration users:
    • Roles — The roles you want to associate with the System Administration users.
    • Server Access — The nGeniusONE Servers (and their IP addresses) that are accessible to users authenticated by the external server. In distributed environments, all local servers are accessible, by default. Alternatively, you can restrict users’ access by selecting specific nGeniusONE Servers.
Membership Attribute | Membership attribute defined on the SAML server; for example, "memberOf."
Decode Options | Click one of these radio buttons to choose a decode option for System Administration users:
    • Slice Size — Select this option to enter the number of bytes that can be captured and decoded by users granted the appropriate role and authenticated by the external server in the associated field. Enter 0 for no slice size restrictions; enter a number in the range from 1 to 2048 (default) to restrict slice size for System Administration users.
    • Frame Header — Select this option to restrict the user to frame headers only.
    Note: This value overrides settings configured in user accounts.
IP Address Masking Settings | For nGenius Session Analyzer instances using this server for authentication, set inner and outer IP view options and IPv4 and IPv6 masking options. See Masking IP Addresses (Service Provider Only) for more information.

7. Click OK.
8. Click the icon next to the SAML authentication option. You are prompted to approve changing
authentication for that server to SAML.
9. Click Yes.
10. Stop and restart the nGeniusONE Server to implement your changes.
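
A check to run on the IdP metadata before pasting it into the SAML Metadata XML field, as an added example that is not NETSCOUT code. It reads standard SAML 2.0 IdP metadata, lists the SSO URL(s) and the SHA-256 fingerprints of the signing certificates so they can be compared with what the IdP shows, and flags non-HTTPS endpoints or a missing signing key. The function name, the host idp.example.test and the placeholder certificate bytes are constructed for the illustration.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: the host name and the certificate bytes are placeholders.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://idp.example.test/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Summarise IdP metadata: entity ID, SSO endpoints, signing fingerprints, findings."""
    # SAML metadata never needs a DTD, so refuse one rather than rely on parser behaviour.
    if re.search(r"<!\s*(DOCTYPE|ENTITY)", xml_text, re.IGNORECASE):
        raise ValueError("metadata contains a DTD or entity declaration")
    root = ET.fromstring(xml_text)
    # The file may be one EntityDescriptor or an EntitiesDescriptor wrapping several.
    idps = [e for e in root.iter(f"{{{MD}}}EntityDescriptor")
            if e.find(f"{{{MD}}}IDPSSODescriptor") is not None]
    if len(idps) != 1:
        raise ValueError(f"expected exactly one IdP entity, found {len(idps)}")
    entity = idps[0]
    idp = entity.find(f"{{{MD}}}IDPSSODescriptor")
    findings = []

    sso = [(s.get("Binding"), s.get("Location"))
           for s in idp.findall(f"{{{MD}}}SingleSignOnService")]
    if not sso:
        findings.append("no SingleSignOnService endpoint, so no SSO URL can be derived")
    for _, location in sso:
        if not (location or "").lower().startswith("https://"):
            findings.append(f"SSO URL is not HTTPS: {location}")

    fingerprints = []
    for key in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if key.get("use") not in (None, "signing"):  # skip encryption-only keys
            continue
        for cert in key.iter(f"{{{DS}}}X509Certificate"):
            text = "".join((cert.text or "").split())
            try:
                der = base64.b64decode(text, validate=True)
            except ValueError:
                der = b""
            if not der:
                findings.append("signing certificate is empty or not valid base64")
                continue
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        findings.append("no signing certificate, so SSO responses cannot be validated")

    return {"entity_id": entity.get("entityID"), "sso": sso,
            "signing_sha256": fingerprints, "findings": findings}


if __name__ == "__main__":
    report = inspect_idp_metadata(SAMPLE_METADATA)
    print("entity:", report["entity_id"])
    for binding, location in report["sso"]:
        print("sso:", location, "(" + binding.rsplit(":", 1)[-1] + ")")
    for fp in report["signing_sha256"]:
        print("signing cert sha256:", fp)
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Compare the printed fingerprint with the one the IdP administrator reports through a separate channel before uploading the file.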


6.4.5 nGenius CM
6.4.5.1 Authentication: nGenius CM
Certain server types are intended to operate in a standalone mode. Some, however, can be
integrated with a managing server for centralized configuration and authentication. For servers
that offer nGenius CM as an authentication option, use the procedure below to establish it as a
trusted server to a managing nGeniusONE server or nGenius Configuration Manager server.

Note:
• nGenius CM authentication was formerly called "nCM authentication."
• nGeniusONE must be integrated with a separate server to provide protocol configurations, authentication, and management of the data sources providing metrics. Use the procedure below for integrating it with nGeniusONE server or nGenius Configuration Manager, or you can integrate it with an OAM Server.
• Setting the authentication method to nGenius CM automatically modifies the current server to obtain both authentication AND configuration details from the specified managing server.
• Related nGenius Session Analyzer and nGenius Subscriber Cache (SCS) servers must use the same authentication server and type.
• For Omnis Cyber Investigator, the child server is added to the managing parent server as a TrustedServer type. It is listed as if it were added from the Server Management menu on the parent server. Note that you can DELETE this server from the parent using that server's Server Management utility. You cannot add it directly.
• In this mode, applicable data sources in Device Configuration on the managing server are made known to this server.

Follow these steps to configure a server to authenticate via an nGeniusONE or nGenius
Configuration Manager server.

1. Launch the Authentication Source module.
2. Click the icon next to the nGenius CM authentication option.
3. Change the parameters described in the following table. All fields are required.

Parameter | Description
nGenius CM IP/Host | IP address or hostname of nGeniusONE or nGenius Configuration Manager server.
    When in IPv6 mode, use the nGeniusONE or nGenius Configuration Manager server IPv6 address wrapped in square brackets ([ncmipv6address]), add resthelper.disable.ipv6.hostname.lookup=false in the nGeniusONE or nGenius Configuration Manager serverprivate.properties file, and restart the nGeniusONE/nGenius Configuration Manager, nGenius Session Analyzer, and nGenius Subscriber Cache (SCS) servers.
nGenius CM Port | Usually 8443
Enable SAML Authentication | For nGenius Session Analyzer only, click this option to display SAML options if Security Assertion Markup Language (SAML) authentication is configured on the nGenius CM server.
    When configured on an nGenius Session Analyzer Primary server, the SAML configuration is automatically propagated to any related nGenius Session Analyzer Secondary servers.

SAML Options - nGenius Session Analyzer Only

Parameter | Description
Servers | Servers and related metadata and SSOs that can be configured to use SAML. Click these icons to search, delete, and upload entries:
    • [icon] to search by server name, SAML metadata XML, or SSO URL.
    • [icon] to hide the search fields.
    • [icon] to clear the filter search fields.
    • [icon] to delete a server entry.
    • [icon] to upload SAML metadata from an XML file.
Server Name | Name of each server eligible for SAML configuration. The eligible server names appear automatically:
    • On Global Manager servers, managed Local and Standby nGeniusONE servers appear automatically along with the Global Manager when SAML authentication is selected.
    • For nGenius Session Analyzer, eligible servers available for SAML configuration appear when clicking Enable SAML Authentication on the nGenius CM tab.
SAML Metadata XML | XML snippet from the SAML provider used for connecting the Single Sign-On (SSO) server and validating the response from the SSO server in a mode of SSL connection. Copy or upload SAML metadata XML into this field for each server.
    This metadata is unique to each server. For the Global Manager or Primary server, the metadata for that server is stored from the SAML authentication UI to <NETSCOUT Install>rtm/samlmetadata.
SSO URL | Read-only single sign-on URL from the SAML Metadata XML.
User SAML Attribute Mapping | Maps nGeniusONE or nGenius Configuration Manager user values to SAML markup attributes:
    • User name
    • First name
    • Last name
    • Email

4. Click OK to save the settings and exit the parameters dialog.
5. Stop and restart the managing server to implement your changes. It is not necessary to
restart child servers.


6.4.5.2 Configuring nGenius CM Servers for SAML Authentication


If a server is already using nGenius CM authentication and you also want to enable Security
Assertion Markup Language (SAML) authentication, you must follow a set of steps before switching to
SAML to avoid losing the ability to log back in to that server.

Follow these steps to enable Security Assertion Markup Language (SAML) authentication on a server
that is already using nGenius CM authentication.

1. Upgrade both nGeniusONE/nGenius Configuration Manager and the server using nGenius
CM authentication to 6.3.2 Build 854.
2. Start nGeniusONE/nGenius Configuration Manager.
3. Start the servers using nGenius CM authentication.
4. Configure SAML authentication on the server using nGenius CM authentication. Use the
shared secret key generated in nGeniusONE/nGenius Configuration Manager Server
Management. See "Viewing or Modifying General Information on the Server" in the
nGeniusONE/nGenius Configuration Manager Help for more information about
generating shared secret keys.
5. Configure SAML authentication on the nGeniusONE/nGenius Configuration Manager
server.
6. Stop and restart nGeniusONE/nGenius Configuration Manager and ensure login works
correctly.
7. If authentication works correctly, restart the servers using nGenius CM authentication.

6.4.6 OAM
6.4.6.1 Authentication: OAM
An nGeniusONE server must be integrated with a separate server to provide protocol
configurations, authentication, and management of the data sources providing metrics. The
options for authentication are either an Iris OAM Server, or an nGeniusONE or nGenius
Configuration Manager. Related nGenius Session Analyzer and nGenius Subscriber Cache
servers must use the same authentication server and type.

Follow these steps to configure the nGenius Session Analyzer or nGenius Subscriber Cache
server to authenticate via an Iris OAM server.

1. Access the Authentication Source module.
2. Select OAM. The Configure pane loads with fields to configure OAM authentication.
3. Change the parameters described in the following table. All fields are required, as
indicated by the * (asterisk) on each field label in the UI.

Parameter | Description
UUMS IP/Host | IP address or hostname of UUMS server. Use the hostname that matches the SSL certificate used by the UUMS server.
UUMS Port | UUMS port number. Usually 1199.
OAM IP/Host | IP address or hostname of OAM server. Use the hostname that matches the SSL certificate used by the OAM server.
OAM Port | OAM port number. Usually 8443.
Webservice Port | TCP port number of OAM server. Usually 11055.

4. Click OK.
5. In the Authentication Server list, locate the OAM row in the Authentication Server pane
and click the icon in that row to switch methods.
6. Respond to the confirmation dialog that you do want to change authentication methods.
7. Stop and restart the nGenius Session Analyzer or nGenius Subscriber Cache Server to
implement your changes.

The nGenius Session Analyzer or nGenius Subscriber Cache server now authenticates users via
the OAM server specified for authentication.

6.4.7 Authentication: LDAP
You can use an LDAP server to authenticate users logging in to nGeniusONE Server. In a
distributed nGeniusONE environment, updating the authentication source on the Global
Manager updates the authentication source on its local child servers after they are restarted.
However, you must update LDAP configuration properties on the Global Manager and its child
servers.

See these sections:


• Configuring LDAP Authentication
• Changing LDAP Configuration or User Group Roles
• Importing an LDAP Server SSL/TLS Certificate
• Configuring Service Account LDAP Store Access

6.4.7.1 Configuring LDAP Authentication


Follow these steps to configure LDAP authentication.

1. On the LDAP server, add the nGeniusONE Server IP address to the list of hosts with
permission to connect. Refer to your LDAP Server's vendor documentation for
instructions.
2. From the nGeniusONE server, access the Authentication Source module.
3. Click LDAP. The Configure LDAP server for Authentication screen is displayed.
Note: You can configure all the options before you switch the authentication mode to use
LDAP. Until you click the red icon next to LDAP, the mode is not fully switched, allowing
you to work on configuration details and change the mode at a later time. Switching to
LDAP mode is the last step in this procedure.
4. Modify the Server Configuration options in the top part of the screen, referring to the
parameters list below. Ensure that you specify values for all of the properties marked with
asterisks (*) either by entering your own parameters or by accepting the defaults. You may
leave optional properties blank. If you are using ldaps as the protocol, add the property
ldap.url.scheme=ldaps in the serverprivate.properties file.

Server Configuration Section

Parameter | Description
*Server IP/Host | IP address or hostname of the LDAP Server
Alternate server IP/Host (optional) | A secondary LDAP server IP address or hostname
*Search base | Domain name of LDAP server. Use dc= to indicate each domain component, separated by commas. For example: dc=mycompanyname,dc=com
*Timeout | Timeout in milliseconds for connecting to the external server. Minimum for external database environments is 10000 (10 seconds).
*Group (on LDAP server) | Organizational unit or user group defined in LDAP server. The default group name is People. If the DN Style is configured as raw, the “Group” and “DN Prefix” configurations are not used.
*Server Port | Connection port for the LDAP Server. The default value is 389. If you enable SSL connections, ensure the port number is changed to match the port used for configuring your LDAP server to use LDAPS. Typically 389 for LDAP and 636 for LDAPS.
DN Prefix (optional) | The attribute used by the LDAP server to look up user distinguished names.
    The default value of uid (userID) applies to OpenLDAP server implementations.
    If you have an Active Directory or other LDAP implementation, enter cn (commonName). For example: ldap.dnprefix=cn
    Note: The ldap.dnprefix value is used only if the DN Style value is normal.
    If the DN Style is configured as raw, the “Group” and “DN Prefix” configurations are not used.
DN Style (optional) | Format of the LDAP user credentials.
    The default value of normal specifies full LDAP login credentials using the cn (commonName) or uid (UserID) attribute. For example:
    cn=pm-systemadmin,ou=sec,dc=mycompanyname,dc=com
    where:
     - cn=Common Name (example: systemadmin)
     - ou=Organizational Unit (example: security)
     - dc=Domain Component (examples: netscout, com)
    The optional value of raw allows login with another credential such as a full email address (plumberj@mycompanyname.com).
    If the DN Style is configured as raw, the “Group” and “DN Prefix” configurations are not used.
Enable SSL Connection (optional) | Specify whether the authentication request from the nGeniusONE Server to the LDAP server should use SSL. Note:
    • A separate procedure is required to import the LDAP Server's SSL Certificate to the nGeniusONE Server.
    • Ensure the server port above matches that used for LDAPS on your LDAP server.

5. Modify the User Configuration options in the lower part of the screen. The user
configuration options vary based on whether the roles and groups are derived from the
local nGeniusONE server, or the LDAP server. Select one of the following and configure as
indicated:
• Use local server settings is the default. This allows logins to be authenticated against
the LDAP server, but the user roles for nGeniusONE functionality are defined locally on
the nGeniusONE Server.

System Administrator User Configuration

Parameter | Description

System Administration Users

+/- Add/Delete Users (strongly recommended) | Click the plus sign (+) to open the List of System Administrators and:
    ◦ Enter one or more user login names separated by commas (must match names in the external server) of users that you want to have administrative privileges. For example, enter: admin1,admin2
    ◦ Delete user login names from this list that you do not want to have administrative privileges.
    Important: NETSCOUT strongly recommends you specify at least one System Administrator. In the nGeniusONE system, only the System Administrator role can modify user roles and access privileges. If no names are specified in the SYSADMIN list, then user administration functionality is defined by the default HELPDSK user role, which has no authority for managing users and access privileges.
Groups | Click the Groups radio button to add and remove user groups to configure the user groups you want to associate with System Administration user privileges.
Roles/Server Access/ME Groups | Click the Roles/Server Access/ME Groups radio button to add and remove the following for System Administration users:
    ◦ Roles — The roles you want to associate with the System Administration users.
    ◦ Server Access — The nGeniusONE Servers (and their IP addresses) that are accessible to users authenticated by the external server. In distributed environments, all local servers are accessible, by default. Alternatively, you can restrict users’ access by selecting specific nGeniusONE Servers.
    ◦ ME Groups — ME Group configuration is available only for UCM-enabled nGeniusONE servers, which are installed using the pm*.bin installation. Groups of previously defined probe interfaces, router interfaces, and switch ports. When System Administration users log in to the nGeniusONE console, they are restricted to these assigned ME groups. If no selections are made from this pane, System Administration users have access to all configured monitored elements.
Decode Options | Click one of these radio buttons to choose a decode option for System Administration users:
    ◦ Slice Size — Select this option to enter the number of bytes that can be captured and decoded by users granted the appropriate role and authenticated by the external server in the associated field. Enter 0 for no slice size restrictions; enter a number in the range from 1 to 2048 (default) to restrict slice size for System Administration users.
    ◦ Frame Header — Select this option to restrict the user to frame headers only.
    Note: This value overrides settings configured in user accounts.
    Data Capture Override — Check the check box to allow users with those roles to display or clear data captures of all users from the Capture Status view.

User Configuration for Default Users

Groups | Click the Groups radio button to add and remove user groups to configure the user groups you want to associate with Default user privileges.
Roles/Server Access/ME Groups | Click the Roles/Server Access/ME Groups radio button to add and remove the following for Default users:
    ◦ Roles — When a System Administrator modifies this setting, the new value subsequently becomes the default role assigned to authenticated users logging in for the first time. If necessary, the System Administrator can later modify roles for individual users in the nGeniusONE Server Management User Accounts window. Refer to Understanding User Roles for additional details about roles and access privileges.
    ◦ Server Access — The nGeniusONE Servers (and their IP addresses) that are accessible to users authenticated by the external server. In distributed environments, all local servers are accessible, by default. Alternatively, you can restrict users’ access by selecting specific nGeniusONE Servers.
    ◦ ME Groups — ME Group configuration is available only for UCM-enabled nGeniusONE servers, which are installed using the pm*.bin installation. Groups of previously defined probe interfaces, router interfaces, and switch ports. When Default users log in to the nGeniusONE console, they are restricted to these assigned ME groups. If no selections are made from this pane, Default users have access to all configured monitored elements.
Decode Options | Click one of these radio buttons to choose a decode option for System Administration users:
    ◦ Slice Size — Select this option to enter the number of bytes that can be captured and decoded by users granted the appropriate role and authenticated by the external server in the associated field. Enter 0 for no slice size restrictions; enter a number in the range from 1 to 2048 (default) to restrict slice size for System Administration users.
    ◦ Frame Header — Select this option to restrict the user to frame headers only.
    Note: This value overrides settings configured in user accounts.
    Data Capture Override — Check the check box to allow users with those roles to display or clear data captures of all users from the Capture Status view.

• Use LDAP server settings if you want to allow the LDAP administrator to control
assignment of users based on membership in the LDAP database.

Use LDAP Server settings: Group Configuration

Parameter | Description
Group Configuration (on LDAP server) | Enter the full LDAP group definition for the role. Entries are not case sensitive. For example, if the DN prefix = cn, the group configuration might be:
cn=pm-systemadmin,ou=security,dc=netscout,dc=com
where:
o cn=Common Name (example: systemadmin)
o ou=Organizational Unit (example: security)
o dc=Domain Component (example: netscout, com)
Each group configuration must have either roles or groups assigned to it.
Groups (on nGeniusONE server) | Click the Groups radio button to add and remove user groups to configure the user groups you want to associate with Group Configuration.
Roles | Click the Roles radio button to configure the roles you want to associate with the Group Configuration (the list includes both the predefined roles below and any custom roles you have previously configured):
Use + or to delete and add Roles.
Refer to Understanding User Roles for additional details about roles and access privileges.


*Membership Attribute | Enter the membership attribute for your LDAP configuration. The default, memberOf, is the membership attribute for Active Directory. The membership attribute is used to find group configurations listed in the Group Configuration row.

Use LDAP Server settings: Decode Option Settings

Parameter | Description
SysAdmin | Customize the option you want to be the default for all Sys Admin users. Refer to Configuring Decode Options for details.
Default | Customize the option you want to be the default for general users.

6. Click OK.
7. (Optional) To utilize SAM when logging into the nGeniusONE server, enter the following
properties in the <nGeniusONE install>/rtm/bin/serverprivate.properties file on the
nGeniusONE server:
ldap.enable.samaccountname.attr.login=true
ldap.users.common.domain=<domain_name>
ldap.user.principalclass.name=sAMAccountName
8. You are now ready to toggle LDAP authentication on. Return to the Server Management >
Settings pane for the server on which you want to enable LDAP authentication.
9. Display the Authentication Server list.
10. Click the icon next to the LDAP authentication option. You are prompted to approve changing
authentication for that server to LDAP.
11. Click Yes.
12. Stop and restart the server to implement your changes.

6.4.7.2 Changing LDAP Configuration or User Group Roles


Restart the nGeniusONE or nGenius Configuration Manager server after taking any of these
actions:
- Changing an existing LDAP configuration in the Authentication Source module.
- Adding or removing user group roles used in LDAP configuration in User Management.
- Deleting the roles on the LDAP server.

After restart, users must log back in to nGeniusONE or nGenius Configuration Manager to view
their updated roles or groups.


6.4.7.3 Importing an LDAP Server SSL/TLS Certificate

If you have enabled your nGeniusONE server to authenticate users with an LDAP server, you
have the option to specify that those authentications be performed over SSL/TLS. To complete the
setup process, when an nGeniusONE server is enabled for secure LDAP, use the following
procedures to import the LDAP server's SSL/TLS certificate for use during authentication.

Note: Modification of the truststore requires a specific password which is made available to
authorized administrators with a MasterCare account. For security reasons, this password is
not published in general documentation.

6.4.7.3.1 Automatically Import an LDAP Server SSL/TLS Certificate (Linux Only)

On Linux servers only, follow these steps to import an SSL/TLS certificate automatically
with a script.

1. Change to the ngenius user.
su - ngenius
2. Change to the <nGeniusONE install>/rtm/bin directory and run the import script.
cd ~/rtm/bin
./ldapclient.sh <ldapservername>:<ssl port>

6.4.7.3.2 Manually Import an LDAP Server SSL/TLS Certificate (Linux and Windows)

Follow these steps to manually import an LDAP server SSL/TLS certificate.

1. Before you begin, contact Customer Support to obtain the appropriate password.
2. Obtain the certificate from your LDAP authentication server and copy it to your
nGeniusONE server in the /tmp directory.
3. Log into the nGeniusONE server operating system command line as the root user.
4. Navigate to the <nGeniusONE install>/jre/bin/ directory.
5. Run the following command:
Linux:
./keytool -import -alias <name> -file <certificate path/filename> -keystore <nGeniusONE install>/rtm/html/ngeniusclient.truststore
Windows:
keytool -import -alias <name> -file <certificate path\filename> -keystore <nGeniusONE install>\rtm\html\ngeniusclient.truststore
Important: The value for -file must include an absolute path to the filename.
Example:
./keytool -import -alias CompanyCert -file /tmp/ldap_server.cer -keystore /opt/NetScout/rtm/html/ngeniusclient.truststore
6. The command prompts you to enter the password you obtained from Customer
Support. Provide the password.

7. When prompted whether to trust the certificate, reply with Yes.


8. Stop and restart the server.

6.4.7.4 Configuring Service Account LDAP Store Access


Service accounts can be configured to preauthorize nGeniusONE to allow access to the LDAP
store after LDAP is configured through the nGeniusONE user interface and the SSL certificate is
imported (see Authentication: LDAP and Importing an LDAP Server SSL Certificate).

Follow these steps to enable a service account to authorize query access to the LDAP store.

1. Create a user, domain, and password search configuration file.
rtm/bin/ldapsearchuserconfig.cfg
2. Add the following lines for admin user search. The <=> is used as a separator to avoid
confusion with the = in the username search string. NETSCOUT recommends encrypting
the username and password in the ldapSearchuserconfig.cfg file. Contact Customer
Support for more information.
UserName<=>CN=testuser,CN=Users,DC=testlab,DC=com
Password<=>MyPassword
3. Add the following properties to the serverprivate.properties file.
ldap.tls.enable=true
enable.tls.ldap.user.search.with.admin.account=true


6.4.8 RADIUS
6.4.8.1 Authentication: RADIUS
You can use a RADIUS server to authenticate users logging in to nGeniusONE Server using the
process described below.

1. On the RADIUS server, add the nGeniusONE Server IP address to the list of hosts with
permission to connect. Refer to your vendor documentation for instructions.
2. From the nGeniusONE server, access the Authentication Source module.
3. Click RADIUS. The Configure RADIUS server for Authentication page is displayed.
4. Locate and change the parameters described in the following table. Ensure that you
specify values for all of the properties marked with asterisks (*) either by entering your
own parameters or by accepting the defaults. You may leave optional properties blank.

Server Configuration

Parameter | Description
*Server IP/Host | IP address or hostname of the RADIUS Server. (Default = 127.0.0.1)
*Server Port | Connection port for the RADIUS Server. (Default = 1812)
Alternate server IP/Host (optional) | A secondary RADIUS server IP address or hostname. (Default = 127.0.0.1)
*Alternate Server Port | Connection port for the secondary RADIUS server. (Default = 1812)
*Shared Secret | Key used to encrypt data between the nGeniusONE and RADIUS servers.
*Timeout (optional) | Timeout in milliseconds for connecting to the external server. Minimum for external database environments is 10000 (10 seconds).
*Scheme | Protocol (packet format) and handshake method used for authentication. Click one of these options:
- CHAP (default)
- PAP

5. Use the table below to complete user configuration for System Administration users and
Default users:


System Administrator User Configuration

Parameter | Description
System Administration Users
+/- Add/Delete Users (strongly recommended) | Click the plus sign (+) to open the List of System Administrators and:
- Enter one or more user login names separated by commas (must match names in the external server) of users that you want to have administrative privileges. For example, enter: admin1,admin2
- Delete user login names from this list that you do not want to have administrative privileges.
Important: NETSCOUT strongly recommends you specify at least one System Administrator. In the nGeniusONE system, only the System Administrator role can modify user roles and access privileges. If no names are specified in the SYSADMIN list, then user administration functionality is defined by the default HELPDSK user role, which has no authority for managing users and access privileges.
Groups | Click the Groups radio button to add and remove user groups to configure the user groups you want to associate with System Administration user privileges.
Roles/Server Access/ME Groups | Click the Roles/Server Access/ME Groups radio button to add and remove the following for System Administration users:
- Roles — The roles you want to associate with the System Administration users.
- Server Access — The nGeniusONE Servers (and their IP addresses) that are accessible to users authenticated by the external server. In distributed environments, all local servers are accessible, by default. Alternatively, you can restrict users’ access by selecting specific nGeniusONE Servers.
- ME Groups — ME Group configuration is available only for UCM-enabled nGeniusONE servers, which are installed using the pm*.bin installation. Groups of previously defined probe interfaces, router interfaces, and switch ports. When System Administration users log in to the nGeniusONE console, they are restricted to these assigned ME groups. If no selections are made from this pane, System Administration users have access to all configured monitored elements.

Decode Options | Click one of these radio buttons to choose a decode option for System Administration users:
- Slice Size — Select this option to enter the number of bytes that can be captured and decoded by users granted the appropriate role and authenticated by the external server in the associated field. Enter 0 for no slice size restrictions; enter a number in the range from 1 to 2048 (default) to restrict slice size for System Administration users.
- Frame Header — Select this option to restrict the user to frame headers only.
Note: This value overrides settings configured in user accounts.
Data Capture Override | Check the check box to allow users with those roles to display or clear data captures of all users from the Capture Status view.
User Configuration for Default Users
Groups | Click the Groups radio button to add and remove user groups to configure the user groups you want to associate with Default user privileges.
Roles/Server Access/ME Groups | Click the Roles/Server Access/ME Groups radio button to add and remove the following for Default users:
- Roles — When a System Administrator modifies this setting, the new value subsequently becomes the default role assigned to authenticated users logging in for the first time. If necessary, the System Administrator can later modify roles for individual users in the nGeniusONE Server Management User Accounts window. Refer to Understanding User Roles for additional details about roles and access privileges.
- Server Access — The nGeniusONE Servers (and their IP addresses) that are accessible to users authenticated by the external server. In distributed environments, all local servers are accessible, by default. Alternatively, you can restrict users’ access by selecting specific nGeniusONE Servers.
- ME Groups — ME Group configuration is available only for UCM-enabled nGeniusONE servers, which are installed using the pm*.bin installation. Groups of previously defined probe interfaces, router interfaces, and switch ports. When Default users log in to the nGeniusONE console, they are restricted to these assigned ME groups. If no selections are made from this pane, Default users have access to all configured monitored elements.

Decode Options | Click one of these radio buttons to choose a decode option for System Administration users:
- Slice Size — Select this option to enter the number of bytes that can be captured and decoded by users granted the appropriate role and authenticated by the external server in the associated field. Enter 0 for no slice size restrictions; enter a number in the range from 1 to 2048 (default) to restrict slice size for System Administration users.
- Frame Header — Select this option to restrict the user to frame headers only.
Note: This value overrides settings configured in user accounts.
Data Capture Override | Check the check box to allow users with those roles to display or clear data captures of all users from the Capture Status view.

6. Click OK.
7. Click the icon next to the RADIUS authentication option. You are prompted to approve
changing authentication for that server to RADIUS.
8. Click Yes.
9. Stop and restart the nGeniusONE Server to implement your changes.
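
The Scheme and Shared Secret parameters in the Server Configuration table determine how a password travels to the RADIUS server. The following Python sketch is an added example, not NETSCOUT code: it implements the PAP User-Password hiding and the CHAP response defined in RFC 2865, using constructed sample values.

```python
"""Added illustration of the two RADIUS schemes (RFC 2865); not NETSCOUT code."""
import hashlib
import hmac


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def pap_hide(password: bytes, shared_secret: bytes, request_auth: bytes) -> bytes:
    """PAP: hide the User-Password attribute (RFC 2865, section 5.2).

    Each 16-byte block is XORed with MD5(secret || previous ciphertext block);
    the first block uses the 16-byte Request Authenticator instead.
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = _md5(shared_secret + prev)
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden


def pap_reveal(hidden: bytes, shared_secret: bytes, request_auth: bytes) -> bytes:
    """What the RADIUS server (or anyone holding the secret) does to recover it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = _md5(shared_secret + prev)
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP: the client sends MD5(ident || password || challenge), never the password."""
    return _md5(bytes([chap_id]) + password + challenge)


def chap_verify(chap_id: int, stored_password: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Server side: recompute from the stored password and compare in constant time."""
    expected = chap_response(chap_id, stored_password, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # All values below are constructed for the demonstration.
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))
    password = b"correct horse battery"

    hidden = pap_hide(password, secret, request_auth)
    print("PAP attribute on the wire :", hidden.hex())
    print("recovered with the secret :", pap_reveal(hidden, secret, request_auth))
    print("recovered with wrong secret:", pap_reveal(hidden, b"other", request_auth))

    challenge = bytes(range(16, 32))
    response = chap_response(1, password, challenge)
    print("CHAP response             :", response.hex())
    print("CHAP verifies             :", chap_verify(1, password, challenge, response))
```

With PAP, the password's confidentiality on the wire rests entirely on the shared secret, so that secret should be long and random. With CHAP the password itself is never sent, but the RADIUS server must be able to read the stored password to check the response.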

6.4.9 SiteMinder
Login authentication through an external SiteMinder authentication server is supported with
servers based on nGeniusONE architecture. Configuration of SiteMinder authentication requires
steps in both the Authentication Source module and in property files. Refer to the following for
guidance:
- Configuring SiteMinder Authentication
- Mapping SiteMinder Groups to Server Groups

6.4.9.1 Authentication: SiteMinder
You can use a SiteMinder (SM) server to authenticate users logging in to nGeniusONE Server.
When configured, SiteMinder authentication allows users to log in automatically through the
SiteMinder-protected URL. In addition, integrating SiteMinder authentication with nGeniusONE
Server provides you with the following benefits:
- Command line tool to add, delete, and modify user groups
- Logging of session creation events in the nGeniusONE Server audit log

Use the following procedure to enable login authentication through an external SiteMinder
server:


1. Access the Authentication Source module.
2. Click SM. This message is displayed:
Authentication is handled by SiteMinder Integration Server, therefore no configuration is
required.
3. Click the check mark next to the SM authentication option.
4. Click OK.
5. Stop the nGeniusONE Server.
6. Configure Mapping SiteMinder Groups to Server Groups.
7. Configure the SiteMinder HTTP headers:
a. In <nGeniusONE install>/rtm/bin, back up the webxpresentationserver.properties
and serverprivate.properties files.
b. Add the following properties to both files:
smuserheader=EIN
smgroupheader=Groups
8. Navigate to <nGeniusONE install>/rtm/html, back up the client.properties file, and add
this to it:
siteminder.Authentication.enabled=true
9. Restart the nGeniusONE Server.

6.4.9.2 Mapping SiteMinder Groups to Server Groups


As part of the steps to enable SiteMinder authentication, you must map SiteMinder user groups
to user groups in the nGeniusONE Server.

Note:
- Membership of an nGeniusONE Server user in a user group is passed by the SiteMinder
application in an HTTP header. This information is updated in the nGeniusONE Server
database upon login using group membership information provided by SiteMinder.
- Configure group mapping by modifying the serverprivate.properties file (see below).
Adding new groups to the serverprivate.properties mapping automatically creates the
group in nGeniusONE Server.
- Groups passed by SM that are not mapped in the nGeniusONE Server are ignored. If no
nGeniusONE group mapping entry exists for any group provided by SM, access to
nGeniusONE is denied.
- User roles in nGeniusONE Server are based on group roles assigned in the nGeniusONE
Server.

To map SiteMinder groups:

1. Navigate to <nGeniusONE install>/rtm/bin and back up the serverprivate.properties file.
2. Open the file using a text editor.
3. Add the following properties to map groups one-to-one:
sso.group.memberof.PMGroup1=SMGroup1
sso.group.memberof.PMGroup2=SMGroup2
sso.group.memberof.PMGroup<n>=SMGroup<n>


Examples:
sso.group.memberof.PMCustomer=WestCoast
sso.group.memberof.PMSales=SalesTeam
4. By default, new users and groups you create in SiteMinder inherit the Help Desk role in
the nGeniusONE Server. You can assign one or more different roles by defining properties
in the same serverprivate.properties file. Separate multiple entries using commas.
Examples:
SiteMinder.group.roles=SYSADMIN, NTWKADMIN, NTWKOPER, APROVR, HELPDSK
SiteMinder.user.roles=SYSADMIN, NTWKADMIN, NTWKOPER, APROVR, HELPDSK
5. Save and exit the serverprivate.properties file.
6. To load changes to group mappings and the allowedpmusers.dat file, execute the following
command:
siteminderdatainit

You can also map multiple SiteMinder groups to a single group in nGeniusONE Server by
separating the SiteMinder groups with commas:
sso.group.memberof.PMGroup4=SMGroup2,SMGroup5,SMGroup6,SMGroup<n>

Example:
sso.group.memberof.PMCustomer=NewYork,WestCoast,SalesTeam
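
A pre-restart check of the mapping rules above, as an added Python example that is not part of nGeniusONE: it parses serverprivate.properties text, applies the documented rules (unmapped SiteMinder groups are ignored; no mapped group means access is denied), and flags risky role defaults. The sample file is constructed; exact-case group matching, last-value-wins for repeated keys, and treating SYSADMIN and NTWKADMIN as administrative roles are assumptions.

```python
"""Added illustration of the documented mapping rules; not nGeniusONE code."""

PREFIX = "sso.group.memberof."
# Role names that appear in this guide's examples; add custom roles as needed.
KNOWN_ROLES = {"SYSADMIN", "NTWKADMIN", "NTWKOPER", "APROVR", "HELPDSK"}
# Assumption: these are the roles worth flagging when granted by default.
ADMIN_ROLES = {"SYSADMIN", "NTWKADMIN"}

# Constructed sample, not taken from a real server.
SAMPLE_PROPERTIES = """\
# constructed sample
sso.group.memberof.PMCustomer=NewYork,WestCoast,SalesTeam
sso.group.memberof.PMSales=SalesTeam
sso.group.memberof.PMSales=Partners
SiteMinder.group.roles=NTWKOPER, HELPDSK
SiteMinder.user.roles=SYSADMIN, HELPDESK
"""


def parse_properties(text):
    """Return (props, duplicate_keys) parsed from key=value lines."""
    props, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        if key in props and key not in duplicates:
            duplicates.append(key)
        props[key] = value.strip()  # assumption: the last value wins
    return props, duplicates


def build_group_map(props):
    """Return {SiteMinder group: set of nGeniusONE groups it maps to}."""
    sm_to_pm = {}
    for key, value in props.items():
        if not key.startswith(PREFIX):
            continue
        pm_group = key[len(PREFIX):]
        for sm_group in (g.strip() for g in value.split(",")):
            if sm_group:
                sm_to_pm.setdefault(sm_group, set()).add(pm_group)
    return sm_to_pm


def resolve_login(sm_groups, sm_to_pm):
    """Model the documented outcome for the groups SiteMinder passes at login."""
    granted, ignored = set(), []
    for group in sm_groups:
        if group in sm_to_pm:
            granted |= sm_to_pm[group]
        else:
            ignored.append(group)  # unmapped groups are ignored
    # No mapped group at all means access is denied.
    return {"allowed": bool(granted), "groups": sorted(granted), "ignored": ignored}


def audit(props, duplicates):
    """Return findings worth reviewing before running siteminderdatainit."""
    findings = [f"duplicate key: {key}" for key in duplicates]
    for key in ("SiteMinder.group.roles", "SiteMinder.user.roles"):
        roles = [r.strip() for r in props.get(key, "").split(",") if r.strip()]
        for role in roles:
            if role not in KNOWN_ROLES:
                findings.append(f"{key}: unknown role {role}")
            elif role in ADMIN_ROLES:
                findings.append(f"{key}: default grants {role}")
    return findings


if __name__ == "__main__":
    props, duplicates = parse_properties(SAMPLE_PROPERTIES)
    group_map = build_group_map(props)
    print(resolve_login(["SalesTeam", "Contractors"], group_map))
    print(resolve_login(["Contractors"], group_map))
    for finding in audit(props, duplicates):
        print("REVIEW:", finding)
```

In the constructed sample, the repeated PMSales key silently drops the SalesTeam mapping, and the default user roles both grant SYSADMIN to every new SiteMinder user and contain a misspelled role name.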


6.4.10 TACACS+
For a Cisco Secure Access Control Server (ACS) or Identity Services Engine (ISE) user to log in to
nGeniusONE Server using the Terminal Access Controller Access Control System Plus (TACACS+)
protocol, two criteria must be met:

1. The user name and password entered on the Home page must be correct.
2. The ACS or ISE user must have the appropriate authorization for the nGeniusONE Server.

Authorization can be provided to an ACS or ISE user or group. For user groups, all members of
the group are authorized to log in to the nGeniusONE Server.

If you authorize a user, the user can then be added to an ACS or ISE group and maintain
authorization for the nGeniusONE Server. Conversely, an ACS or ISE user who is already a
member of an ACS or ISE group can individually be given authorization without other members
of the group being authorized.

After ACS or ISE is enabled, any user defined in the ACS or ISE system overrides a user of the
same login name that existed in the nGeniusONE Server database prior to the transition.

Cisco Secure TACACS+ provides both authentication and authorization for users logging in to the
NETSCOUT server. When a user is authenticated for the first time using TACACS+, the NETSCOUT
server creates the user profile and stores the user’s information in a database. For subsequent
authentications, the NETSCOUT server modifies the database information according to the
profile, user role, server list, and user groups provided by the TACACS+ external server.

If you authenticate with TACACS+ but maintain all user information locally on the NETSCOUT
server, you configure additional settings on the local server. Refer to the NETSCOUT server's
online help for more details about working with the Authentication Source and User Management
modules. See these sections:
- Configuring TACACS+ Authentication
- ISE
- ACS v5.x
- ACS v4.x


6.4.10.1 Configuring TACACS+ Authentication


Configure TACACS+ authentication by performing the following steps:

1. Log in to the nGeniusONE Console and go to Servers and Users > Authentication
Source and click TACACS+.
2. Locate and change the parameters described in the following table. Ensure that you
specify values for all of the properties marked with asterisks (*) either by entering your
own parameters or by accepting the defaults. You may leave optional properties blank.

Server Configuration

Property | Description
*Server IP/Host | The primary ACS or ISE Server IP address or hostname.
*Server port | The port number on which the TACACS+ server is running. The default port is 49.
*Encryption Key | The shared private key used to encrypt packets between the nGeniusONE Server and the ACS or ISE Server. To ensure encryption, this setting cannot be blank.
Note: When configuring the ACS or ISE Authentication Service, enter the same value in the Key field (for Windows) or the NAS Secret field (for UNIX) that you enter here.
Alternate Server IP/Host (optional), *Alternate Server Port, *Alternate Encryption Key | Values for a secondary ACS or ISE Server.
*Local port | Connection starting port. The default starting port is 9540.
*Protocol | The application to be associated with the NGENIUS Service. The default setting is IP.
Note: This setting must be IP for Windows ACS or ISE Servers.
*Service | Automatically populated as NGENIUS when "Use server user settings" is selected.
*Timeout | Timeout in milliseconds for socket connection. Minimum for external database environments is 15000 (15 seconds).

3. Modify the User Configuration options in the lower part of the screen. The user
configuration options vary based on whether the roles and groups are derived from the
local nGeniusONE server, or the TACACS server. Select one of the following and configure
as indicated:
- Use local server settings is the default. This allows logins to be authenticated against
the LDAP server, but the user roles for nGeniusONE functionality are defined locally on
the nGeniusONE Server.


System Administrator User Configuration

Parameter | Description
System Administration Users
+/- Add/Delete Users (strongly recommended) | Click the plus sign (+) to open the List of System Administrators and:
o Enter one or more user login names separated by commas (must match names in the external server) of users that you want to have administrative privileges. For example, enter: admin1,admin2
o Delete user login names from this list that you do not want to have administrative privileges.
Important: NETSCOUT strongly recommends you specify at least one System Administrator. In the nGeniusONE system, only the System Administrator role can modify user roles and access privileges. If no names are specified in the SYSADMIN list, then user administration functionality is defined by the default HELPDSK user role, which has no authority for managing users and access privileges.
Groups | Click the Groups radio button to add and remove user groups to configure the user groups you want to associate with System Administration user privileges.
Roles/Server Access/ME Groups | Click the Roles/Server Access/ME Groups radio button to add and remove the following for System Administration users:
o Roles — The roles you want to associate with the System Administration users.
o Server Access — The nGeniusONE Servers (and their IP addresses) that are accessible to users authenticated by the external server. In distributed environments, all local servers are accessible, by default. Alternatively, you can restrict users’ access by selecting specific nGeniusONE Servers.
o ME Groups — ME Group configuration is available only for UCM-enabled nGeniusONE servers, which are installed using the pm*.bin installation. Groups of previously defined probe interfaces, router interfaces, and switch ports. When System Administration users log in to the nGeniusONE console, they are restricted to these assigned ME groups. If no selections are made from this pane, System Administration users have access to all configured monitored elements.

Decode Options | Click one of these radio buttons to choose a decode option for System Administration users:
o Slice Size — Select this option to enter the number of bytes that can be captured and decoded by users granted the appropriate role and authenticated by the external server in the associated field. Enter 0 for no slice size restrictions; enter a number in the range from 1 to 2048 (default) to restrict slice size for System Administration users.
o Frame Header — Select this option to restrict the user to frame headers only.
Note: This value overrides settings configured in user accounts.
Data Capture Override | Check the check box to allow users with those roles to display or clear data captures of all users from the Capture Status view.
User Configuration for Default Users
Groups | Click the Groups radio button to add and remove user groups to configure the user groups you want to associate with Default user privileges.
Roles/Server Access/ME Groups | Click the Roles/Server Access/ME Groups radio button to add and remove the following for Default users:
o Roles — When a System Administrator modifies this setting, the new value subsequently becomes the default role assigned to authenticated users logging in for the first time. If necessary, the System Administrator can later modify roles for individual users in the nGeniusONE Server Management User Accounts window. Refer to Understanding User Roles for additional details about roles and access privileges.
o Server Access — The nGeniusONE Servers (and their IP addresses) that are accessible to users authenticated by the external server. In distributed environments, all local servers are accessible, by default. Alternatively, you can restrict users’ access by selecting specific nGeniusONE Servers.
o ME Groups — ME Group configuration is available only for UCM-enabled nGeniusONE servers, which are installed using the pm*.bin installation. Groups of previously defined probe interfaces, router interfaces, and switch ports. When Default users log in to the nGeniusONE console, they are restricted to these assigned ME groups. If no selections are made from this pane, Default users have access to all configured monitored elements.

Decode Options | Click one of these radio buttons to choose a decode option for System Administration users:
o Slice Size — Select this option to enter the number of bytes that can be captured and decoded by users granted the appropriate role and authenticated by the external server in the associated field. Enter 0 for no slice size restrictions; enter a number in the range from 1 to 2048 (default) to restrict slice size for System Administration users.
o Frame Header — Select this option to restrict the user to frame headers only.
Note: This value overrides settings configured in user accounts.
Data Capture Override | Check the check box to allow users with those roles to display or clear data captures of all users from the Capture Status view.

- Use server user settings if you want the user roles for access to nGeniusONE
features to be retrieved from the TACACS server. For this option, use the table below
to provide names of custom attributes defined in the TACACS server; these fields are
required (*) and must match settings defined in the authentication server you are
using:
o ISE
o ACS v5.x
o ACS v4.x
In general, it is recommended that you accept the default values.
When you use ACS or ISE Server user settings for authentication, all new and existing
user account information must be maintained through Cisco Secure ACS or ISE.

Parameter | Default Value
*User Profile | NSPROFILE
*User Servers | NSSERVERLIST
*User roles | NSROLES
User Groups | Optional field. Use a value such as NSGROUP.

4. Click OK.
5. (Optional) Click ^ Server Management Operations Progress to view the progress of your
configuration and any related status messages.
6. Click the icon next to the TACACS+ authentication option. You are prompted to approve
changing authentication for that server to TACACS.
7. Click Yes.
8. Stop and restart the nGeniusONE Server to implement your changes.


6.4.10.2 ISE
*Important Requirements and Restrictions*
- There is no upgrade path from ACS v5.x to Identity Services Engine (ISE) configuration. To
support ISE you must perform the specified configurations.
- Reserve a System Administrator user account in nGeniusONE. The account cannot have
the same login name in ISE. Cisco ISE account names override account names in the
nGeniusONE Server. If you later want to revert to nGeniusONE authentication, you will
need the username and password for the reserved account.
- nGeniusONE supports a single identity store. An identity sequence is not supported. You
can use either Single Result Selection or Rule Based Selection.
- ISE must be configured to work with Active Directory and security groups must be defined.
- nGeniusONE does not support an authorization profile containing multiple group sources.

The configurations you must perform to use Cisco ISE with the nGeniusONE Server vary
depending on whether you plan to use an internal or an external identity store.

Policies and Configurations Required for an Internal Identity Store

- Identity Policies
- Authorization Policies
- Define a network device and ISE server for the Server
- Define shell profiles with custom attributes for authorization to the Server
- Define a TACACS Service Selection Policy
- Enable ISE authentication on the Server

Policies Required for an External Identity Store

- Identity Policies
- Authorization Policies
- Define a network device of the ISE server for the Server
- Define a TACACS Service Selection Policy
- Enable ISE authentication on the Server

6.4.10.2.1 Configuring Cisco ISE to Work with the Server

Ensure that you refer to the www.cisco.com Secure Access Control System 5.x user guides
for instructions as you perform these procedures, and see these sections:
- Policies Required for Internal Identity Stores
- Policies Required for External Identity Stores
- Configuring an Identity Policy


Define a Network Device and AAA Client for the nGeniusONE Server

Follow these steps to define a network device and configure an AAA client for the
nGeniusONE Server.

1. Log in to Cisco Identity Services Engine (ISE) using an account granted the System Admin
or Super Admin role.
2. Go to Work Centers > Device Administration > Network Resources > Network
Devices.
3. Under Network Devices, click Add and do the following:
a. In the Name and Description fields, enter the information for your nGeniusONE Server.
b. Select IP Address or IP Range and enter the address of your nGeniusONE Server or
servers.
c. Select Cisco from the Device Profile menu.
d. In Network Device Groups, select the appropriate location and device type.
e. Select the TACACS Authentication Settings check box and click the arrow to display
the settings.
f. In the Shared Secret field, enter the same key (uses MD5 encryption) used by both the
nGeniusONE Server and ISE to encrypt the data exchange between the servers. On the
nGeniusONE Server, this entry must match the Encryption Key field.
g. Select the TACACS Draft Compliance Single Connect Support radio button.

Define shell profiles with custom attributes for authorization to nGeniusONE (Internal
Identity Stores only)

Important: Shell profiles define the level of access in the nGeniusONE Server. You must
configure a minimum of one shell profile that defines the NTWKADMIN role. If you do not
configure a shell profile with NTWKADMIN permissions you will be unable to perform any
administrative functions in the nGeniusONE Server when you log in.

1. Go to Work Centers > Device Administration > Policy Elements.
2. On the left pane, expand the Results menu and click TACACS Profiles.
3. Under TACACS Profiles, click Add and create a shell profile. The following profile defines
the nGeniusONE user first name, last name, email address, data capture slice size, data
capture override, and intelligence header parameters to be passed to the nGeniusONE
user during authorization:
• Enter a name and description for the profile.
• In the Task Attribute View, select Shell from the Common Task Type menu.
• Select the Default Privilege and Maximum Privilege check boxes and select 15 in
each.
• In the Custom Attributes tab, define the following attributes:
a. From the Type dropdown, select Mandatory.
b. In the Name field enter: NSROLES
c. In the Value field, enter: NTWKADMIN.

d. Click the check mark icon.
e. From the Type dropdown, select Mandatory.
f. In the Name field enter: NSPROFILE
g. In the Value field, enter: network,admin,netadmin@mycompany.com,2048,0,0.
h. Click the check mark icon.
i. From the Type dropdown, select Mandatory.
j. In the Name field enter: NSSERVERLIST.
k. In the Value field, enter ALL, one or more IP addresses, or select an option from
the menu.
l. Click the check mark icon.
m. (Optional) Create additional shell profiles for nGeniusONE users granted different
levels of access. The following entries are valid for the NSROLES attribute:
◦ NTWKADMIN (Network Administrator)
◦ SYSADMIN (System Administrator)
◦ APROVR (Approver)
◦ NTWKOPER (Network Operator)
◦ HELPDSK (Help Desk)
◦ Custom_Role (nGeniusONE custom-defined role)
4. To create a group attribute, select Mandatory, enter NSGROUP in the Name field, and enter
the name of any defined nGeniusONE user groups in the Value field.
5. Click Submit to commit your changes.

Define a TACACS Service Selection Policy (Both Internal and External Identity Stores)

Refer to the Service Selection Policy information in the www.cisco.com Identity Services Engine
user guides for instructions.

6.4.10.2.2 Configuring an ISE Identity Policy

You must create a rule-based policy to determine which service to apply to any incoming
requests. The policy must contain a single identity store. The following procedure shows an
example of creating an identity policy and store. Refer to www.cisco.com Identity Services
Engine user guide documentation for more information on how to create an identity policy for
both internal and external identity stores.

1. Go to Work Centers > Device Administration > User Identity Groups and click + Add.
2. Enter a name and description and click Submit.

3. Select the group you created from the list under the User Identity Groups folder.

4. Under Member Users > Users, click +Add to display the user list, and then double-click
the user(s) you want to add.
5. Click Identities. The user(s) appear in the Network Access Users list with their associated
group(s) under the User Identity Groups column.

6.4.10.2.3 Creating Authorization Policies for ISE Internal Identity Stores

Authorization Policies work with shell profiles to define the level of access to the nGeniusONE
Server based on the Cisco ISE security group.

Refer to the Authentication Policy information and the Shell Profile for Device Administration
information in the www.cisco.com Secure Access Control System user guides for instructions
when you create your authorization policy.

6.4.10.2.4 Creating Authorization Policies for External Identity Stores

Authorization Policies work with shell profiles to define the level of access to the nGeniusONE
Server based on the security group. The following procedure shows an example of creating an
identity policy and store. Refer to the Authentication Policy information and the Shell Profile for
Device Administration information in the www.cisco.com Identity Services Engine user guides
for instructions when you create your authorization policy.

1. Go to Work Centers > Policy Elements > Results > TACACS Profiles and click + Add.
2. Name the profile and define tasks and attributes.

3. Click Save.

6.4.10.3 ACS v5.x


*Important Requirements and Restrictions*
• There is no upgrade path from Cisco Secure ACS v4.x to ACS v5.x configuration. To support
ACS v5.x you must perform the specified configurations.
• Reserve a System Administrator user account in nGeniusONE. The account cannot have
the same login name in Cisco Secure ACS Server. Cisco Secure ACS account names override
account names in the nGeniusONE Server. If you later want to revert to nGeniusONE
authentication, you will need the username and password for the reserved account.
• nGeniusONE supports a single identity store. An identity sequence is not supported. You
can use either Single Result Selection or Rule Based Selection.
• ACS must be configured to work with Active Directory and security groups must be
defined.
• nGeniusONE does not support an authorization profile containing multiple group sources.

The configurations you must perform to use Cisco ACS v5.x with the nGeniusONE Server vary
depending on whether you plan to use an internal or an external identity store.

Policies and Configurations Required for an Internal Identity Store


• Identity Policies
• Authorization Policies

• Define a network device and AAA client of the ACS server for the Server
• Define shell profiles with custom attributes for authorization to the Server
• Define a TACACS Service Selection Policy
• Enable Cisco Secure ACS v5.x authentication on the Server

Policies Required for an External Identity Store


• Identity Policies
• Authorization Policies
• Define a network device and AAA client of the ACS server for the Server
• Define a TACACS Service Selection Policy
• Enable Cisco Secure ACS v5.x authentication on the Server

6.4.10.3.1 Configuring Cisco ACS v5.x to Work with the Server

Ensure that you refer to the www.cisco.com Secure Access Control System 5.x user guides for
instructions as you perform these procedures, and see these sections:
• Policies Required for Internal Identity Stores
• Policies Required for External Identity Stores
• Configuring an Identity Policy

Define a network device and AAA Client for the nGeniusONE Server

Follow these steps to define a network device and configure an AAA client.

1. Log in to Cisco Secure ACS using an account granted the System Admin or Super Admin
role.
2. In the left pane, select Network Resources > Network Devices and AAA Clients.
3. In the right pane, click Create and do the following:
a. In the Name and Description fields enter the information for your nGeniusONE Server.
b. In Network Device Groups, select the appropriate location and device type.
c. Select Single IP Address to enter the address of your nGeniusONE Server or IP Range(s)
to enter multiple nGeniusONE Servers.
d. In Authentication Options, select the TACACS+ check box.
e. In the Shared Secret field, enter the same key (uses MD5 encryption) used by both the
nGeniusONE Server and ACS to encrypt the data exchange between the servers. On
the nGeniusONE Server, this entry must match the Encryption Key field.
f. Select the Single Connect Device check box.
g. Select the Legacy TACACS+ Single Connect Support radio button.

Define shell profiles with custom attributes for authorization to nGeniusONE (Internal
Identity Stores only)

Important: Shell profiles define the level of access in the nGeniusONE Server. You must
configure a minimum of one shell profile that defines the NTWKADMIN role. If you do not
configure a shell profile with NTWKADMIN permissions you will be unable to perform any
administrative functions in the nGeniusONE Server when you log in.

1. In the left pane, select Policy Elements > Authorization and Permissions > Device
Administration and select Shell Profiles.
2. In the right pane, click Create and perform the following configurations to create a shell
profile. The following profile defines the nGeniusONE user first name, last name, email
address, data capture slice size, data capture override, and intelligence header
parameters to be passed to the nGeniusONE user during authorization:
• In the General tab, enter a name for the profile.
• In the Custom Attributes tab, define the following attributes:
a. In the Attribute field enter: NSROLES
b. From the Requirement dropdown select Mandatory.
c. From the Attribute Value dropdown select Static and, in the text box, enter:
NTWKADMIN
d. Click Add.
e. In the Attribute field enter: NSPROFILE
f. From the Requirement dropdown select Mandatory.
g. Enter the IP address(es) of the nGeniusONE Server(s).
h. From the Attribute Value dropdown select Static and, in the text box, enter:
network,admin,netadmin@mycompany.com,2048,0,0
i. (Optional) Create additional shell profiles for nGeniusONE users granted different
levels of access. The following entries are valid for the NSROLES attribute:
◦ NTWKADMIN (Network Administrator)
◦ SYSADMIN (System Administrator)
◦ APROVR (Approver)
◦ NTWKOPER (Network Operator)
◦ HELPDSK (Help Desk)
◦ Custom_Role (nGeniusONE custom-defined role)
3. Click Submit to commit your changes.

Define a TACACS Service Selection Policy (Both Internal and External Identity Stores)

Refer to the Service Selection Policy information in the www.cisco.com Secure Access Control
System 5.x user guides for instructions.

6.4.10.4 ACS v4.x


The Cisco Secure ACS administrator can add any installation of nGeniusONE (Global Manager,
Local Server, or Standalone) as an Authentication, authorization, and accounting (AAA) Client that
uses the ACS Authentication service.

In the Cisco Secure ACS administration, enter the following information as appropriate for your
environment. Ensure that you refer to the Configuring AAA Clients information in the
www.cisco.com Secure Access Control System user guides for instructions.

Windows
• AAA Client Hostname — Enter the hostname of the nGeniusONE Server.
• AAA Client IP Address — Enter the IP address of the nGeniusONE Server.
• Key — Enter the encryption key used for MD5 encryption. The key must match the
Encryption Key defined in nGeniusONE. Do not leave blank.
• Authenticate Using — TACACS+ (Cisco IOS).

UNIX
• Select AAA Configuration.
• Select TACACS+ NAS Configuration.
• Enter the fully qualified domain name of the nGeniusONE Server (if the name can be
resolved through DNS). Otherwise, enter the nGeniusONE Server IP address.
• NAS Secret — Enter the encryption key used for MD5 encryption. The key must match the
Encryption Key defined in nGeniusONE. Do not leave blank.

See Cisco Secure ACS v4.x: Authorizing Cisco Secure ACS Users.

6.4.10.4.1 Cisco Secure ACS v4.x: Authorizing Cisco Secure ACS Users

To configure authorization for nGeniusONE Server and Cisco Secure ACS individuals and groups,
you must add the NGENIUS service and define custom attributes.

The procedures that follow describe how to:


• Add the NGENIUS Service to the Cisco Secure ACS Server
• Authorize an individual
• Authorize a group

Note: This topic provides general Cisco Secure ACS configuration instruction guidelines. You
must refer to www.cisco.com documentation for configuration instructions for your specific
Cisco Secure ACS version.

Adding the NGENIUS Service to the Cisco Secure ACS Server

The Cisco Secure ACS Administrator must first add NGENIUS as a service.

Windows

1. On the ACS Server, navigate to Interface Configuration.
2. Select Advanced Options.
3. Check Per-user TACACS+/RADIUS Attributes to ensure that you can apply changes to
both the group and user level attributes, as well as being able to override them at the user
level.
4. On the main Interface Configuration screen, select TACACS+.
5. In the TACACS+ Services/New Services section, enter NGENIUS in the Service field, and IP
in the Protocol field.
6. Select the check boxes for Group and User (if available).

UNIX

1. Open the Cisco Secure ACS Advanced Configuration Interface.
2. On the Members/Profile tab, select Profile.
3. In the options menu, select Service-String.
4. On the string tab, enter NGENIUS, and click Apply.

After adding the NGENIUS service, you can define attributes for individuals and groups.

Providing Authorization to an Individual

In the User Setup configuration for Cisco Secure ACS, the Cisco Secure ACS administrator must
define the NSROLES, NSPROFILE, and NSSERVERLIST attributes.

Note:
• Windows: The Cisco Secure ACS administrator defines these attributes under the
TACACS+ Settings of the Interface Configuration section.
• UNIX: The Cisco Secure ACS administrator must use the Advanced administration
interface and define the three attributes in the Service-String folder for each profile.

NSROLES

Defines the nGeniusONE Server role for the user logging in through ACS.

Syntax:

NSROLES=<User role 1>[,<User role 2>,<User role 3>,...]

Enter one or more of the following codes, separated by commas, for the nGeniusONE Server
predefined user roles:
• APROVR — Approver
• HELPDSK — Help Desk
• NTWKADMIN — Network Administrator
• NTWKOPER — Network Operator
• SYSADMIN — System Administrator
• NPVIEWER — NewsPaper/Report Viewer

For example, to assign Network Administrator and System Administrator roles to a user, enter
the following for NSROLES:

NSROLES=NTWKADMIN,SYSADMIN

NSPROFILE

Defines user parameters. All fields are required.

Syntax:
NSPROFILE=<Firstname>,<Lastname>,<emailaddress>,<data_capture_slice_size>,<override_data_capture>,<restrict_frame_header>

The Firstname, Lastname, and Email parameters must not be blank. The email address must be
syntactically correct (name@domain).

The data capture decode slice size field defines the number of bytes that can be captured and
decoded by the individual. This parameter cannot be blank. Enter 0 for no slice size restrictions;
enter 1-2048 to restrict slice size for the individual.

The override_data_capture parameter allows users who are assigned the Network Administrator
role to view and clear other users' data captures. Enter 0 to disable override_data_capture; enter
1 to enable the override.

Note: If the user is not assigned the Network Administrator role, nGeniusONE Server
ignores the override_data_capture setting.

The <restrict_frame_header> parameter restricts the user to frame header only. Enter 0 for no
restrictions; enter 1 to restrict the user to frame header only.

For example, to set the NSPROFILE for John Doe with slice size restricted to 1512,
override_data_capture disabled, and restrict_frame_header enabled, enter:
NSPROFILE=John,Doe,jdoe@mycompany.com,1512,0,1

NSSERVERLIST

Defines the nGeniusONE Servers that the user may access.

Syntax:
NSSERVERLIST=ALL|<ipaddress1[,ipaddress2,ipaddress3,...]>

Enter ALL for access to all valid nGeniusONE Server systems. You can optionally restrict user
access to specific nGeniusONE Servers by entering a comma separated list of valid nGeniusONE
IP addresses.

For example:
NSSERVERLIST=ALL

or
NSSERVERLIST=192.168.143.1,192.168.143.2

Providing Authorization to a Group

To provide authorization for nGeniusONE Server to a group, define the NSROLES, NSPROFILE,
and NSSERVERLIST attributes using the Cisco Secure ACS Group Setup configuration.

The ACS administrator may elect to have all users of a group share the same attributes. This is
useful for setting up groups according to the nGeniusONE security roles, such as Network
Administrators or System Administrators. Alternatively, the administrator may assign unique
attributes to individual users. Individual user attributes always override the attributes for the
group to which that user belongs.

NSROLES (Group)

Defines the nGeniusONE role for all members of the group logging in through ACS.

Syntax:

NSROLES=<User role 1>[,<User role 2>,<User role 3>,...]

Enter one or more of the following codes, separated by commas, for the nGeniusONE predefined
user roles:
• APROVR — Approver
• HELPDSK — Help Desk
• NTWKADMIN — Network Administrator
• NTWKOPER — Network Operator
• SYSADMIN — System Administrator
• NPVIEWER — NewsPaper/Report Viewer

For example, to assign Network Administrator and System Administrator roles to a group, enter
the following for NSROLES:
NSROLES=NTWKADMIN,SYSADMIN

NSPROFILE (Group)

Defines group parameters. All fields are required.

Syntax:
NSPROFILE=<Firstname>,<Lastname>,<emailaddress>,<data_capture_slice_size>,<override_data_capture>,<restrict_frame_header>

When defining NSPROFILE for a group, you must enter placeholder values for the Firstname,
Lastname, and Email. The email address must be syntactically correct (name@domain).

The data capture decode slice size field defines the number of bytes that can be captured and
decoded by the group. This parameter cannot be blank. Enter 0 for no slice size restrictions;
enter 1-2048 to restrict slice size for the group.

The override_data_capture parameter allows members of a group that is assigned the Network
Administrator role to view and clear other users' data captures. Enter 0 to disable
override_data_capture; enter 1 to enable the override.

Note: If the group is not assigned the Network Administrator role, nGeniusONE ignores the
override_data_capture setting.

The <restrict_frame_header> parameter restricts the user to frame header only. Enter 0 for no
restrictions; enter 1 to restrict the user to frame header only.

For example, to set NSPROFILE for a group with a slice size restriction of 64 bytes,
override_data_capture disabled, and restrict_frame_header enabled, enter:
NSPROFILE=network,admin,netadmin@mycompany.com,64,0,1

NSSERVERLIST (Group)

Defines the nGeniusONE Servers that the group may access.

Syntax:
NSSERVERLIST=ALL|<ipaddress1[,ipaddress2,ipaddress3,...]>

Enter ALL for access to all valid nGeniusONE Server systems. You can optionally restrict group
access to specific nGeniusONE Servers by entering a comma separated list of valid nGeniusONE
IP addresses.

For example:
NSSERVERLIST=ALL

or
NSSERVERLIST=192.168.143.1,192.168.143.2

Refer to the www.cisco.com Secure ACS documentation for instructions on setting up and
adding users to groups.
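
The NSROLES, NSPROFILE, and NSSERVERLIST syntax described above for individuals and groups can be checked before the values are entered on the ACS or ISE server. The following Python validator is an added example, not NETSCOUT or Cisco code; its function names and the warnings it raises (unlimited slice size, ALL server access, an override flag the server will ignore) are assumptions of this example.

```python
import ipaddress
import re

# Role codes this guide lists for NSROLES; anything else must be a custom role.
PREDEFINED_ROLES = {"APROVR", "HELPDSK", "NTWKADMIN", "NTWKOPER", "SYSADMIN", "NPVIEWER"}
EMAIL_RE = re.compile(r"[^@\s,]+@[^@\s,]+")   # "name@domain", as the guide requires
SLICE_RE = re.compile(r"[0-9]{1,4}")          # digits only; range is checked separately


def parse_attributes(lines):
    """Map 'NAME=value' lines to {NAME: value}; lines without '=' are skipped."""
    attrs = {}
    for line in lines:
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip().upper()] = value.strip()
    return attrs


def check_profile(value, roles, errors, warnings):
    """Validate the six comma-separated NSPROFILE fields."""
    fields = [f.strip() for f in value.split(",")]
    if len(fields) != 6:
        errors.append(f"NSPROFILE needs 6 fields, found {len(fields)}")
        return
    first, last, email, slice_size, override, restrict = fields
    if not first or not last:
        errors.append("NSPROFILE first and last name must not be blank")
    if not EMAIL_RE.fullmatch(email):
        errors.append(f"NSPROFILE email {email!r} is not name@domain")
    if not SLICE_RE.fullmatch(slice_size) or int(slice_size) > 2048:
        errors.append(f"NSPROFILE slice size {slice_size!r} must be 0 or 1-2048")
    elif int(slice_size) == 0:
        warnings.append("slice size 0: no limit on captured/decoded bytes")
    for name, flag in (("override_data_capture", override),
                       ("restrict_frame_header", restrict)):
        if flag not in ("0", "1"):
            errors.append(f"NSPROFILE {name} must be 0 or 1, got {flag!r}")
    # The guide notes the server ignores the override without the NTWKADMIN role.
    if override == "1" and "NTWKADMIN" not in roles:
        warnings.append("override_data_capture=1 is ignored without NTWKADMIN")


def check_server_list(value, errors, warnings):
    """NSSERVERLIST is either ALL or a comma-separated list of IP addresses."""
    if value == "ALL":
        warnings.append("NSSERVERLIST=ALL grants access to every nGeniusONE Server")
        return
    for item in value.split(","):
        try:
            ipaddress.ip_address(item.strip())
        except ValueError:
            errors.append(f"NSSERVERLIST entry {item.strip()!r} is not an IP address")


def validate(lines):
    """Return (errors, warnings) for one user's or group's attribute set."""
    errors, warnings = [], []
    attrs = parse_attributes(lines)
    for required in ("NSROLES", "NSPROFILE", "NSSERVERLIST"):
        if not attrs.get(required):
            errors.append(f"{required} is missing or empty")
    roles = [r.strip() for r in attrs.get("NSROLES", "").split(",") if r.strip()]
    for role in roles:
        if role not in PREDEFINED_ROLES:
            warnings.append(f"role {role!r} is not predefined; it must exist as a custom role")
    if attrs.get("NSPROFILE"):
        check_profile(attrs["NSPROFILE"], roles, errors, warnings)
    if attrs.get("NSSERVERLIST"):
        check_server_list(attrs["NSSERVERLIST"], errors, warnings)
    return errors, warnings


# Constructed sample profiles: the first is the guide's John Doe example, the
# second is deliberately malformed to show what the checks report.
SAMPLES = {
    "jdoe": ["NSROLES=NTWKADMIN,SYSADMIN",
             "NSPROFILE=John,Doe,jdoe@mycompany.com,1512,0,1",
             "NSSERVERLIST=192.168.143.1,192.168.143.2"],
    "helpdesk-group": ["NSROLES=HELPDSK",
                       "NSPROFILE=network,admin,netadmin,4096,1,0",
                       "NSSERVERLIST=ALL"],
}

if __name__ == "__main__":
    for name, lines in SAMPLES.items():
        errors, warnings = validate(lines)
        print(name, "errors:", errors, "warnings:", warnings)
```

Warnings mark values that are syntactically valid but broader than a least-privilege review would normally accept, so they are reported separately from errors.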

NSGROUP

Optional custom attribute:

• Configure one or more nGeniusONE user groups for this custom attribute.
• The user group's role, server list, and profile override the user's specific custom
attributes for NSROLES, NSSERVERLIST, and NSPROFILE retrieved from the TACACS/ISE
server. After the NSGROUP attribute is configured, other custom attributes such as
NSROLES, NSSERVERLIST, and NSPROFILE are ignored as they are not applicable to the
user group.
• If the NSGROUP custom attribute is not entered in the User Groups field, the existing
behavior of user-based roles and privileges is applied to the newly created user.

Follow these steps to configure the NSGROUP custom attribute:

1. Create an empty user group in nGeniusONE User Management.
2. In TACACS authentication configuration, select Use server user settings and enter
NSGROUP as a custom attribute in the User Groups field.
3. Save the setting and restart the server.
4. On the TACACS/ISE server, configure the NSGROUP and then associate the user with the
newly created user group.
When the user logs in to nGeniusONE using the user name and password configured
on the TACACS/ISE server, the user group privileges and roles are applied.


6.4.10.5 Configuring an Identity Policy


You must create a rule-based policy to determine which service to apply to any incoming
requests. The policy must contain a single identity store. Refer to www.cisco.com Secure Access
Control System or Identity Services Engine user guide documentation for information on how to
create an identity policy for both internal and external identity stores.

6.4.10.6 Creating Authorization Policies for Internal Identity Stores


Authorization Policies work with shell profiles to define the level of access to the nGeniusONE
Server based on the Cisco ACS v5.x security group.

Refer to the Authentication Policy information and the Shell Profile for Device Administration
information in the www.cisco.com Secure Access Control System user guides for instructions
when you create your authorization policy.

6.4.10.7 Creating Authorization Policies for External Identity Stores


Authorization Policies work with shell profiles to define the level of access to the nGeniusONE
Server based on the security group. Refer to the Authentication Policy information and the Shell
Profile for Device Administration information in the www.cisco.com Secure Access Control
System user guides for instructions when you create your authorization policy.

6.4.10.8 Receiving Messages About ACS or ISE


After integrating ACS or ISE and nGeniusONE Servers, messages are displayed in the following
locations:
• The nGeniusONE Server's Activity Log displays an accounting of a successful login and
logout of an ACS or ISE user.
• (Windows only) All successful and failed authentication request logs are available in Cisco
Secure ACS or ISE under the Reports and Activity Tab.
Note: For a UNIX ACS or ISE Server, refer to www.cisco.com documentation for
information on how to configure the log file.
• Messages between ACS or ISE and nGeniusONE Server are logged in the nGeniusONE
Server debuglog-<day>.txt file located in the directory <nGeniusONE install>/rtm/log. These
messages are logged at debug.level=2.

6.4.11 Windows
6.4.11.1 Authentication: Windows
Configure Windows Domain (Active Directory) authentication by performing the steps below.

Note: Users who require authentication across multiple domains can do so by adding their
domain name to their user name when logging into the nGeniusONE Server.

1. On the Windows Domain server, add the nGeniusONE Server IP address to the list of hosts
with permission to connect. Refer to your vendor documentation for instructions.
2. From the nGeniusONE Console, access the Authentication Source module and select the
option for Windows.
3. Locate and change the parameters described in the following table. Ensure that you
specify values for all of the properties marked with asterisks (*) either by entering your
own parameters or by accepting the defaults. You may leave optional properties blank.
4. Locate and change the parameters described in the following table. Ensure that you
specify values for all of the properties marked with asterisks (*) either by entering your
own parameters or by accepting the defaults. You may leave optional properties blank.

Server Configuration

Parameter | Description
*Server IP/Host | IP address or hostname of the Windows Domain Server. (Default = 127.0.0.1)
Alternate Server IP/Host (optional) | A secondary Windows Domain server IP address or hostname. (Default = 127.0.0.1)
*Search Base | Domain name of Windows server. For example: netscout.com
*Timeout | Timeout in milliseconds for connecting to the external server. Minimum for external database environments is 10000 (10 seconds).

5. Use the table below to complete user configuration for System Administration users and
Default users:


System Administrator User Configuration

System Administration Users

+/- Add/Delete Users (strongly recommended):
Click the plus sign (+) to open the List of System Administrators and:
- Enter one or more user login names separated by commas (must match names in the external server) of users that you want to have administrative privileges. For example, enter: admin1,admin2
- Delete user login names from this list that you do not want to have administrative privileges.
Important: NETSCOUT strongly recommends you specify at least one System Administrator. In the nGeniusONE system, only the System Administrator role can modify user roles and access privileges. If no names are specified in the SYSADMIN list, then user administration functionality is defined by the default HELPDSK user role, which has no authority for managing users and access privileges.

Groups:
Click the Groups radio button to add and remove user groups to configure the user groups you want to associate with System Administration user privileges.

Roles/Server Access/ME Groups:
Click the Roles/Server Access/ME Groups radio button to add and remove the following for System Administration users:
- Roles — The roles you want to associate with the System Administration users.
- Server Access — The nGeniusONE Servers (and their IP addresses) that are accessible to users authenticated by the external server. In distributed environments, all local servers are accessible, by default. Alternatively, you can restrict users’ access by selecting specific nGeniusONE Servers.
- ME Groups — ME Group configuration is available only for UCM-enabled nGeniusONE servers, which are installed using the pm*.bin installation. Groups of previously defined probe interfaces, router interfaces, and switch ports. When System Administration users log in to the nGeniusONE console, they are restricted to these assigned ME groups. If no selections are made from this pane, System Administration users have access to all configured monitored elements.

Decode Options:
Click one of these radio buttons to choose a decode option for System Administration users:
- Slice Size — Select this option to enter the number of bytes that can be captured and decoded by users granted the appropriate role and authenticated by the external server in the associated field. Enter 0 for no slice size restrictions; enter a number in the range from 1 to 2048 (default) to restrict slice size for System Administration users.
- Frame Header — Select this option to restrict the user to frame headers only.
Note: This value overrides settings configured in user accounts.

Data Capture Override:
Check the check box to allow users with those roles to display or clear data captures of all users from the Capture Status view.

User Configuration for Default Users

Groups:
Click the Groups radio button to add and remove user groups to configure the user groups you want to associate with Default user privileges.

Roles/Server Access/ME Groups:
Click the Roles/Server Access/ME Groups radio button to add and remove the following for Default users:
- Roles — When a System Administrator modifies this setting, the new value subsequently becomes the default role assigned to authenticated users logging in for the first time. If necessary, the System Administrator can later modify roles for individual users in the nGeniusONE Server Management User Accounts window. Refer to Understanding User Roles for additional details about roles and access privileges.
- Server Access — The nGeniusONE Servers (and their IP addresses) that are accessible to users authenticated by the external server. In distributed environments, all local servers are accessible, by default. Alternatively, you can restrict users’ access by selecting specific nGeniusONE Servers.
- ME Groups — ME Group configuration is available only for UCM-enabled nGeniusONE servers, which are installed using the pm*.bin installation. Groups of previously defined probe interfaces, router interfaces, and switch ports. When Default users log in to the nGeniusONE console, they are restricted to these assigned ME groups. If no selections are made from this pane, Default users have access to all configured monitored elements.

System Administration Users

Decode Options:
Click one of these radio buttons to choose a decode option for System Administration users:
- Slice Size — Select this option to enter the number of bytes that can be captured and decoded by users granted the appropriate role and authenticated by the external server in the associated field. Enter 0 for no slice size restrictions; enter a number in the range from 1 to 2048 (default) to restrict slice size for System Administration users.
- Frame Header — Select this option to restrict the user to frame headers only.
Note: This value overrides settings configured in user accounts.

Data Capture Override:
Check the check box to allow users with those roles to display or clear data captures of all users from the Capture Status view.

6. Click OK.
7. (Optional) Click ^ Operations Progress to view the progress of your configuration and any
related status messages.
8. Click the icon next to the Windows authentication option. You are prompted to approve
changing authentication for that server to Windows.
9. Click Yes.
10. Stop and restart the nGeniusONE Server to implement your changes.

6.5 Managing Users


6.5.1 User Privileges
The following table lists and describes privileges configurable from nGeniusONE and nGenius
Configuration Manager (nGenius CM). See nGenius Session Analyzer Privileges for nSA
privilege descriptions.

Table 6.1 - User Privileges

| nGeniusONE Privilege | Description |
|---|---|
| Allow access to nGA Flexible Analytics | Access "Big Data" analysis |
| Allows discovery of TAXII service and Adding of STAX Objects via PUSH | Access the TAXII REST API. This privilege is required by any nGenius CM user ID used by an external source to push information into nGenius CM. |
| Configure Alerts - Admin | Configure alerts and alert profiles |
| Configure Applications - Admin | Add, modify, or delete all settings |
| Configure Business Type -Admin | Choose applications to be viewable by users |


Table 6.1 - User Privileges (continued)

| nGeniusONE Privilege | Description |
|---|---|
| Configure Communities - Admin | Add, modify, or delete communities |
| Configure Decryption Keys - Admin | Configure and view Data Mining and pre-capture decryption |
| Configure Decryption Keys - User | Configure and view Data Mining and pre-capture decryption as user |
| Configure Devices - Admin | Configure, activate, deactivate, and relearn devices |
| Configure Devices Read Only | View devices |
| Configure Locations - Admin | Add, modify, or delete locations |
| Configure Services - Admin | Configure services in nGeniusONE Service Configuration |
| Configure User Account Self-Service | Add and modify own user account |
| Configure User Accounts - Admin | Maintain user accounts and define privileges for 5 user roles |
| Configure User Authentication - Admin | Configure all AAA server types |
| Configure User Groups - Admin | Create and manage user groups |
| Configure User Roles - Admin | Modify roles for users and groups via privileges |
| Configure User Sessions - Admin | Send message to user, close user session, force user logout |
| Configure VMware - Admin | Integrate nGeniusONE with NSX Manager, vCenter server, or both |
| Configure VMware - Read Only | View only for nG1-NSX Manager and vCenter server integration |
| Configure Voice/Video - Admin | Configure voice and video |
| Dashboard Configuration | View health of application and network services and service domains |
| Database Configuration (includes backup/archiving/aging) | Configure database backup, aging, archiving |
| dbONE Console Viewing | View dbONE console |
| Deployment - Read Only | Access to the Deployment module for viewing only |
| Deployment Database Configuration | Configure Deployment database |
| Deployment Statistics and Activity Logs | View Deployment database statistics and activity logs |
| Deployment Summaries | View Deployment summaries |
| Device Alarm Viewing | View generated alarms |
| Device Template Configuration | Add, modify & delete device protocol templates |
| Discover My Network Access | Find My Network module IP Address |
| Global Configuration Read Only | View but not configure Global Settings |
| Grid Application | Authority to launch Grid |
| Grid Sharing | Assign and share access to Grid by owner |
| Grid-Administration | Superuser control of Grid functions |
| Health - Device View | View all Instrumentation Health screens |
| Health - Server View | Launch and view Server Health module |
| Health - Support View | Access the support page (<nG1_ip_add>:<port>/support) |
| Launch Interfaces Based nSI Session Tracing | Launch mobile analysis session from nSI Interfaces panel |


Table 6.1 - User Privileges (continued)

| nGeniusONE Privilege | Description |
|---|---|
| Masking - View Diameter SH Service Data (Uncheck for nSA workflows only) | Masks Diameter SH service data |
| Masking - View Flow User Plane Metadata (Uncheck for nSA workflows only) | Masks Flow user plane metadata |
| Masking - View SIP/XML Body (Uncheck for nSA workflows only) | Allows view of SIP/XML body |
| Masking - View User Content | Allows view of user content |
| Masking - View User Identity | Allows view of user identity |
| Masking - View User Plane Payload (Uncheck for nSA workflows only) | Allows view of user plane payload |
| Masking - View USSD Body (Uncheck for nSA workflows only) | Allows view of USSD body |
| Message Log Configuration | View and manage Message Log |
| Message Log Viewing | View Message Log |
| Monitor - Advanced Voice Statistics Access | View advanced voice traffic metrics |
| Monitor - Application Access | View application traffic metrics |
| Monitor - Cable Modem Access | View cable modem traffic metrics |
| Monitor - Call Server Access | View voice, video & VoIP traffic metrics |
| Monitor - Card Processing Access | View credit card transaction traffic metrics |
| Monitor - Certificate Access | View SSL/TLS certificate information and expiration data |
| Monitor - CS Mobile Call Access | View wireless metrics on circuit-switched network |
| Monitor - CS Mobile SMS Access | View SMS metrics on circuit-switched wireless network |
| Monitor - CS Mobility Management Access | View mobility metrics on circuit-switched network |
| Monitor - Database Access | View database traffic metrics |
| Monitor - DHCP Access | View DHCP application traffic metrics |
| Monitor - Diameter Access | View Diameter application metrics |
| Monitor - DNS Access | View DNS application metrics |
| Monitor - eMBMS Access | View eMBMS application metrics |
| Monitor - HL7 Access | View HL7 application metrics |
| Monitor - Host Analysis - Search Access | View Host Analysis metrics |
| Monitor - LDAP Access | View LDAP application metrics |
| Monitor - Link Access | View Link traffic metrics |
| Monitor - MDF Access | View Market Data Feed traffic metrics |
| Monitor - Media Access | View voice, video, and RTP-based traffic metrics |
| Monitor - MQ Access | View IBM WebSphere-derived traffic metrics |


Table 6.1 - User Privileges (continued)

| nGeniusONE Privilege | Description |
|---|---|
| Monitor - NetFlow Access | View NetFlow metrics |
| Monitor - Network Access | View authentication and link-related protocol metrics |
| Monitor - PFS Access | View PFS metrics |
| Monitor - PDN Connection Access | View Packet Data Network traffic metrics |
| Monitor - RADIUS Access | View RADIUS application metrics |
| Monitor - RAN Access | View Radio Access Control Network traffic metrics |
| Monitor - RTP Access | View Real-Time Transfer Protocol traffic metrics |
| Monitor - Security Certificate Access | View certificate metrics |
| Monitor - SNMP Access | View SNMP traffic metrics |
| Monitor - SSL Access | View SSL metrics |
| Monitor - Threat Monitor | View threat violations |
| Monitor - Trading Access | View market trading traffic metrics |
| Monitor - Traffic Access | View metrics on Traffic Monitor |
| Monitor - Universal Access | View traffic metrics on Universal Monitor |
| Monitor - Voice Sessions Monitor Access | View voice call service metrics for circuit-switched calls |
| Monitor - VPN Access | View VPN user-experience metrics |
| Monitor - Web Services Access | View metrics for HTTP/URL-based apps |
| Monitored Element Group Configuration | Add, modify & delete user-defined ME groups |
| nBA - Allow access to Explorer Dashboard Edit | Create and delete user-built dashboards |
| nBA - Allow access to Explorer Dashboard Explore | Drill down to any data point in Metric Viewer, Report, or Grid |
| nBA - Allow access to Explorer Data Browser | Access Data Browser, save filters and columns |
| nBA - Allow Access to Explorer Expanded Metric Report | Access expanded report |
| nBA - Allow access to Explorer Mapping and Exception Rule configuration | Access Configuration tab to map fields and create exception reports |
| nBA - Allow access to Explorer Metric Builder | Access Metric Builder; create, edit, delete, export/import metrics |
| nBA - Allow CEI Viewer | View Customer Experience Index dashboard (not available now) |
| nBA - Allow Explorer access to display IMSI data | View displayed subscriber IMSI data |
| nBA - Allow Explorer access to display MSISDN data | View displayed subscriber MSISDN data |
| nBA - Allow VoLTE Administrator | View the VoLTE Analytics dashboard (not currently available) |
| nBA - NETSCOUT Administrator | Configure nBA |


Table 6.1 - User Privileges (continued)

| nGeniusONE Privilege | Description |
|---|---|
| nBA Administrator | Configure nBA |
| nGenius Business Analytics | Access to nBA |
| nGenius Pulse - Allow Access | Access nGenius Pulse module |
| Notification Center Access | Permits user access to Notification Center |
| nSA - Admin Privilege | See nGenius Session Analyzer Privileges. |
| nSA - Configuration Privilege | See nGenius Session Analyzer Privileges. |
| nSA - DTMF Authorize | See nGenius Session Analyzer Privileges. |
| nSA - Ladder View Access | See nGenius Session Analyzer Privileges. |
| nSA - NFC Admin Privilege | See nGenius Session Analyzer Privileges. |
| nSA - NFC Privilege | See nGenius Session Analyzer Privileges. |
| nSA - Saved Session Read Only | See nGenius Session Analyzer Privileges. |
| nSA - Show MOS - CQ Not LQ | See nGenius Session Analyzer Privileges. |
| nSA - SMS Full Content Privilege | See nGenius Session Analyzer Privileges. |
| nSA - User Content Analysis Privilege | See nGenius Session Analyzer Privileges. |
| nSA - User Content Capture Privilege | See nGenius Session Analyzer Privileges. |
| nSA - User Plane Analysis Privilege | See nGenius Session Analyzer Privileges. |
| nSA - User Plane Capture Privilege | See nGenius Session Analyzer Privileges. |
| Omnis CI - Cyber Threat Intelligence | Configure proxy and feeds in the Cyber Threat Intelligence module |
| Omnis CI - Geo Footprint Access | Access the Omnis Cyber Investigator Geo Foot Print module |
| Omnis CI - Host Investigation Access | Access to the Omnis Cyber Investigator Host Investigation monitor |
| Omnis CI - Network Investigation Access | Access to the Omnis Cyber Investigator Network Investigation monitor |
| Omnis CI - Risk Investigation Access | Access to the Omnis Cyber Investigator Risk Investigation monitor |
| Omnis CI - Security Configuration Admin | Access to the Omnis Cyber Investigator Security Configuration module to configure (internal only) |
| Omnis CI - Security Configuration Read Only | Access to the Omnis Cyber Investigator Security Configuration module to view only (internal only) |
| OptiView XG Access | Configure OptiView XG |
| Packet Analysis - Allow Data Capture | Authorizes Data Capture |
| Packet Analysis - General Access | Access to Packet Analysis module |
| Packet Analysis - Data Capture Override Configuration | Display or clear data captures of all users |
| Packet Analysis: Display NetFlow Interface | Display NetFlow views |
| Packet Analysis: Expert Data Mining Rule Configuration | Apply Expert Data Mining rules to interfaces |


Table 6.1 - User Privileges (continued)

| nGeniusONE Privilege | Description |
|---|---|
| Packet Analysis: General Access from Local Server | Use all packet analysis functions |
| Packet Analysis: HTTP Session Reconstruction | Replay HTTP sessions |
| Packet Analysis: Media Files Replay | Replay audio & video sessions |
| Packet Analysis: Playback Configuration | Configure audio & HTTP replay |
| Packet Analysis - Save on Data Source | Permits saving packets to device |
| Packet Analysis: Save on Desktop | Permits Packet Export decodes to desktop |
| Packet Analysis: Save on Server | Permits Packet Export decodes to a server |
| Packet Analysis: Time Trigger Configuration | Configure automatically launched data captures |
| Packet Analysis: Trace Export and Save | Export trace files to a client in the enterprise |
| Preferences Configuration | Modify Console Workspace & UMC preferences |
| RAN Administrator | Access system administration, configuration, and monitoring tools in the RAN Admin Tools application |
| RAN NetScout Administrator | Access for NETSCOUT support personnel to additional administration tools and configuration parameters |
| Reporting: Administration | Globally configure all users' reports and NewsPapers |
| Reporting: NewsPaper Creation | Add NewsPapers |
| Reporting: NewsPaper Viewing | Launch and view NewsPapers |
| Reporting: Public NewsPaper and Report Creation | Create NewsPapers, Reports, and Report Templates |
| Reporting: Report Access | Access and view reports |
| Reporting: Report and NewsPaper Scheduling | Schedule reports & NewsPapers |
| Reporting: Report and Report Template Configuration | Configure reports, templates, and customized drilldown sets |
| Response Time Configuration | Add, modify, delete all response time configs |
| Server Management - Admin | Permit user access to list of servers |
| Server Management Cluster - Admin | Add/configure Local Servers |
| Server Process Remote Console Login | Remotely log in to nG Server processes |
| Service Access Control | Assign services and domains to users in Service Configuration. |
| Service Dashboard Access | Access and configure Service Dashboard |
| Session Analysis Drilldown | Permit drilldown to Session Analysis module |
| Software Updates - Admin | Configure IS software & decode packs, nG1/PM servers |


Table 6.1 - User Privileges (continued)

| nGeniusONE Privilege | Description |
|---|---|
| Subscriber Intelligence - Manage Packet Jobs | Perform packet jobs |
| Subscriber Intelligence - SCS and Export Configuration | Perform SCS & Export configuration |
| Subscriber Intelligence Drilldown | Allow PM drill downs to Subscriber Intelligence |
| Subscriber Voice Access | Access Subscriber Voice |
| TrueCall Client Login | Allows TrueCall client login |
| TrueCall Configuration File Upload and Download | Allows access to TrueCall administrative functions |
| TrueCall Display CPNI information | Allows display of CPNI data in TrueCall |
| TrueCall Enable Daily E-Mails | Allows daily emails to be sent from TrueCall |
| TrueCall Enable Server E-Mails | Allows server emails from TrueCall |
| UC Call Search Launch | Perform UC Call Search |
| UC Media Streams Drilldown | Permit Media Streams drill downs |
| Workspace Color Settings | Globalize app swatch settings in Preferences |
| Workspace Privacy Conversion | Convert shared to private workspaces in Server Management. |

6.5.2 nGenius Session Analyzer Privileges


The following table describes nGenius Session Analyzer privileges accessed from Server
Management > Users > Roles in nGenius Configuration Manager. These privileges are applied to
nGenius Session Analyzer when nGenius CM authentication is selected in the Authentication
Source module.

In nGeniusONE or nGenius Configuration Manager User Management, you can find these
privileges by searching "nsa" in the Privileges filter, but the privileges with "nSA" in the prefix only
appear when an nSA instance is using the nGeniusONE/nGenius Configuration Manager server
for authentication. The masking privileges are shared with Packet Analysis and appear with nSA
workflow caveat text even when an nSA server is not attached. For information about UUMS
privileges applied by OAM authentication, see the UUMS Help.

nGenius Configuration Manager Privilege | Description


nSA - Admin Privilege:
View and access:
- Server Management, Deployment, Authentication Source, Deployment, and Server Health modules on nGenius Session Analyzer Server.
- Devices in the Input Filter page Probe list that are in a provisional state.
- Devices in a provisional or maintenance state in a Session Scheduler profile. During execution of a Session Scheduler profile, any probe in maintenance or provisional state is excluded from the scheduled capture.
- All scenarios, public and private, for all users.
- All non-Session Scheduler-created saved sessions, public and private, for all users.
- Create, edit, or delete only API scenarios.
Adding, cloning, modifying, or deleting a public or private scenario and assigning scenarios as public or private.

nSA - Configuration Privilege:
View and select:
- Devices in the Input Filter page Probe list that are in a provisional state.
- Devices in a provisional or maintenance state in a Session Scheduler profile. During execution of a Session Scheduler profile, any probe in maintenance or provisional state is excluded from the scheduled capture.
- Public and own private scenarios.
Can create own scenarios and assign as public or private. Modify or delete own private and own public Scenarios; clone public and own private scenarios. Can also clone API scenarios, but the clone API scenario does not have any API access type.

nSA - DTMF Authorize:
Expand DTMF flows to analyze packet decodes and view DTMF digits.

nSA - Ladder View Access:
View and access the Session Trace Ladder Diagram pane.
- Enabled (checked): Session Details page displays three panes - Session Details, Session Trace - Ladder Diagram, and Session Trace - Table View.
- Disabled (unchecked): Session Details page displays only the Session Details and Session Trace - Table View panes.

nSA - NFC Admin Privilege:
Configure profiles to schedule session traces for customers of interest, and save them to a local nGenius Session Analyzer Server:
- Set up nGenius Session Analyzer Session Scheduler options: start, end, frequency.
- Determine the monitored objects.
- List the IMSIs of interest.
View all saved sessions created by Session Scheduler. All Session Scheduler sessions are saved as private sessions.

nSA - NFC Privilege:
View all saved sessions created by Session Scheduler. All Session Scheduler sessions are saved as private sessions.


nSA - Saved Session Read Only:
Allow launch of nSA with a saved .nSA file in restricted, view-only mode. This privilege disables these nSA options:
- New user queries
- Home button
- Access to other modules - Only the Session Analyzer Module is accessible for saved .nSA session URL launch
When enabled, this privilege overrides all other nSA privileges.

nSA - Show MOS-CQ Not LQ:
View either MOS-CQ or MOS-LQ values for PDUs in the ladder diagram for G10 probes:
- Enabled (checked): View MOS-CQ values.
- Disabled (unchecked): View MOS-LQ values.

nSA - SMS Full Content Privilege:
For SMS content:
- Enabled (checked): Allows the viewing of SIP messages including SMS content.
- Disabled (unchecked): Allows the viewing of SIP messages with user content concealed with asterisks (*).

nSA - User Content Analysis Privilege:
Export all user content (SMS, MSRP) data packets per flow to PCAP or PCAPng.

nSA - User Content Capture Privilege:
For user content:
- Enabled (checked): Allows capture of SMS and MSRP content.
- Disabled (unchecked): User content concealed with asterisks (*).
The User Plane Sessions module appears when this privilege is enabled.

nSA - User Plane Analysis Privilege:
Expand flows in the Session Trace Ladder Diagram and view the corresponding user plane PDUs. Export all user plane, media (RTP, DTMF, Event Tones, T38) and non-media (HTTP) data packets per flow to PCAP or PCAPng.

nSA - User Plane Capture Privilege:
Manage User Plane Capture and Media sessions:
- Configure filters to identify media (RTP, DTMF, Event Tones, T38) and non-media (HTTP) streams to capture.
- Capture and monitor media (RTP, DTMF, Event Tones, T38) and non-media (HTTP) streams.
The User Plane Sessions module appears when this privilege is enabled.

Masking - View User Content:
On the Packet Decode page, unmask identifying information for all applicable protocols. When disabled, a portion of the field is masked (according to the masking value set for that user in Server Management>Users), allowing analysis to occur without compromising the secure data.

Masking - View User Identity:
On the Packet Decode page, unmask sensitive subscriber information in payload data, such as passwords or SIP-based SMS messages. When disabled, the entire masked content is replaced with an X.
Because Frame Header slicing conceals all content below the transport layer, this privilege is not applicable when Frame Header slicing is enabled.


Masking - View USSD Body:
View Unstructured Supplementary Service Data (USSD):
- Enabled (checked): View USSD values.
- Disabled (unchecked): Mask USSD values.
This option is disabled (unchecked) by default.

Masking - View SIP/XML Body:
View SIP XML data:
- Enabled (checked): View SIP XML values.
- Disabled (unchecked): Mask SIP XML values.
This option is disabled (unchecked) by default.

Masking - View Diameter SH Service Data:
View Diameter Sh interface service data:
- Enabled (checked): View Diameter Sh values.
- Disabled (unchecked): Mask Diameter Sh values.
This option is enabled by default for the Network Administrator role and disabled by default for all other default roles.

Masking - View Flow User Plane Metadata:
View user plane flow metadata:
- Enabled (checked): View user plane flow metadata.
- Disabled (unchecked): Mask user plane flow metadata.
This option is disabled by default.

Masking - View User Plane Payload:
View user plane payload data:
- Enabled (checked): View user plane payload.
- Disabled (unchecked): Mask user plane payload.
This option is disabled by default.

View Inner and Outer IP Options:
These options are not privileges included in the User Management Roles tab. They are per-user options on the Users tab that grant or restrict IP viewing privileges.

6.5.3 Configuring Decode Options


nGeniusONE provides assorted means to protect user identity in monitored data by restricting
what is displayed to users of the nGeniusONE modules. The options described here are
applicable to all modules that display decodes. The Digit Masking is also applicable to Monitors,
Grid, and nGenius UC Server views.

Note: When nGeniusONE or nGenius Configuration Manager is functioning as the
Authentication Source for a child nGenius Session Analyzer server, these settings also apply
to users of that child server.

This section refers to settings made in the User Management module, including privileges
specified in the Roles tab and Decode related options accessed from the Users or Groups tabs,
as shown below. (The Data Capture override toggle allows users to delete other users' capture
files, and is not described further in this topic.)

- Masking Identity Information
- Masking Sensitive Information
- Slicing Packets
- Masking IP Addresses (Service Provider only)
- Masking-related Privileges (Service Provider only)

IMPORTANT:
- The following applies to all of the settings described in this topic. For users with Frame
  Header masking enabled and/or the Masking - View User Identity / Masking - View
  User Content privileges disabled, the following occurs:
  - The Data Mining > Export tab is disabled.
  - The Data Mining > Capture tab does not permit save directly from the tab; a decode
    is required and save is permitted from the decoded result.
  - The Trace Archive save to desktop icon is not available; a decode of the trace is
    required (with save from the decode view being supported).
  - Within the Decode interface, the identity details are masked in the Detail and Hex
    panes.
  - Users can save / export decodes from within a decode view. The masking is
    preserved; the Xs shown for masked data are replaced with 0s (zero) in the saved file.
  - Defaults for some of these options can be set even when the server is configured for
    certain external authentication types. However, the digit masking option setting is
    configurable only when the authentication method is set to Native.
- These options operate independently of masking and slicing configurations done
  directly at the data source. For example, credit card PAN details can be masked at the
  appliance independently of these settings using the agent utility's set iso8583
  command. For more details on agent configuration options, refer to topics in the Agent
  Configuration Utility Administrator Guide.

Masking Identity Information


nGeniusONE modules support partial masking of identifying information for all applicable
protocols unless the user privilege Masking - View User Identity is enabled (see User
Management>Roles). This partial masking supports diagnostics that require identification of
different users, but still protects their details. For full masking, refer to Masking Sensitive
Information.

By default, the right-most 4 characters of the applicable fields are masked. Digit masking can be
overridden by the nGeniusONE administrator, per user or per group of users, in the User
Management module. The digit masking is configured using the Users tab and can be
customized for individuals or groups. The example above shows Digit Masking set to 6
characters for this user, rather than the default of 4.

Masking Sensitive Information


While partial masking is provided by disabling the Masking - View User Identity privilege,
above, Packet Analysis modules also support full masking of specific fields containing sensitive
subscriber information in the content payload (e.g., SMS content, email addresses, passwords).
In this case, the full item is masked and does not use the Digit Masking setting indicated in the
section above. Masking of this sensitive information is toggled on or off with the user privilege
Masking - View User Content. Use of this option allows analysis of the payload, while still
providing protection of identity for the sensitive information in specific fields. If masking of the
full payload is required, review Slicing Packets, below.
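
The partial and full masking rules described in the two subsections above can be modelled to see what each Digit Masking value leaves visible and how well masked identities still tell subscribers apart. This is an added illustration, not NETSCOUT code: the function names, the one-mask-character-per-character rendering of full masking, and the constructed test-range IMSIs are assumptions, and the privilege mapping follows this section's prose.

```python
from collections import Counter

# Privilege names as listed in the guide's Roles tab.
VIEW_IDENTITY = "Masking - View User Identity"
VIEW_CONTENT = "Masking - View User Content"

VIEW_CHAR = "X"      # shown for masked data in the decode view
SAVED_CHAR = "0"     # written in place of X when a decode is saved or exported
DEFAULT_DIGITS = 4   # default Digit Masking value

# Constructed sample identities (test-network prefix 001/01), not real subscribers.
SAMPLE_IMSIS = [
    "001010000012345",
    "001010000012399",
    "001010000019876",
    "001010000112345",
]


def mask_identity(value, digits=DEFAULT_DIGITS, saved=False):
    """Partial masking: hide the right-most `digits` characters of a field."""
    if digits < 0:
        raise ValueError("digits must be non-negative")
    hidden = min(digits, len(value))  # a field shorter than `digits` is hidden whole
    fill = SAVED_CHAR if saved else VIEW_CHAR
    return value[:len(value) - hidden] + fill * hidden


def mask_content(value, saved=False):
    """Full masking: the Digit Masking value is ignored.

    Assumption: one mask character is emitted per original character.
    """
    return (SAVED_CHAR if saved else VIEW_CHAR) * len(value)


def render(value, kind, privileges, digits=DEFAULT_DIGITS, saved=False):
    """Return what a user holding `privileges` sees for one decoded field.

    kind is "identity" (partially masked) or "content" (fully masked).
    """
    if kind == "identity":
        if VIEW_IDENTITY in privileges:
            return value
        return mask_identity(value, digits, saved)
    if kind == "content":
        if VIEW_CONTENT in privileges:
            return value
        return mask_content(value, saved)
    raise ValueError(f"unknown field kind: {kind!r}")


def distinguishability(identities, digits):
    """Return (distinct_masked_values, largest_group) for a set of identities.

    largest_group is the number of subscribers sharing the most common masked
    value: 1 means every subscriber can still be told apart in a decode.
    """
    groups = Counter(mask_identity(v, digits) for v in set(identities))
    if not groups:
        return 0, 0
    return len(groups), max(groups.values())


if __name__ == "__main__":
    for n in (0, DEFAULT_DIGITS, 6):
        distinct, largest = distinguishability(SAMPLE_IMSIS, n)
        print(f"digit masking {n}: {distinct} distinct, largest group {largest}")
    print(render(SAMPLE_IMSIS[0], "identity", set()))
    print(render(SAMPLE_IMSIS[0], "identity", set(), saved=True))
```

On the constructed sample, the default of 4 still separates two groups of subscribers, while 6 collapses all four into one masked value, which is the trade-off between diagnostics and identity protection that the Digit Masking setting controls.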

Slicing Packets
A third option can be employed in addition to the above. While the slicing method can be
customized for each application in Global Settings, administrators can override this for individual
users or groups of users. From User Management>Users tab, administrators can customize the
Decode Options for that user or group to use a different slice size or to use the frame header.

When the Frame Header option is selected, the decode slices the entire packet below the
transport layer. Note that this style of slicing is supported for the first transport layer of TCP-,
UDP-, and SCTP-based traffic.

The example below shows a set of DNS fields after the UDP transport layer replaced with Xs
when the user has the Decode option set to Frame Header instead of a specific slice size. The
data is replaced with Xs, as shown below.

Masking IP Addresses (Service Provider Only)


For deployments enabled with the Service Provider business type that also include an nGenius
Session Analyzer server, the User Management screen includes options to manage masking of
addresses outside the payload. As depicted below, the User Management screen displays View
Inner IP / View Outer IP toggles to show or hide addresses for a specific user or group of users.
When either of these options is enabled in User Management, the number of bytes to mask for
IPv4/IPv6 can be customized.


Note: When nGeniusONE or nGenius Configuration Manager is functioning as the
Authentication Source for a child nGenius Session Analyzer server, these IP address settings
are intended for use with nGenius Session Analyzer users only. Disabling these settings for
users that access nGeniusONE modules restricts their view of certain data and access to
certain IP-based operations only in Data Mining, Trace Archive analysis, and Packet Decode
drilldowns from monitors.

For Data Mining and Trace Archive modules, and Packet Decode drilldowns from other modules,
these settings have the following impact:
• IPv4 / IPv6 octets are masked with an X character. The number of octets is as specified (in
  bytes) in User Management (depicted above).
• For saved CSV files, the X is replaced with a 0.
• The Data Mining > Export tab is disabled.
• The following, which depend on IP addressing, are disabled:
    ◦ Enhanced Decode
    ◦ Bounce charts
    ◦ Protocol Settings>Decode As
    ◦ View Options>IP Address Resolution
    ◦ From Chart View (4-pane): Objects Tab
    ◦ Any filter options based on IP addressing

Masking-related Privileges (Service Provider Only)


For deployments that include an nGenius Session Analyzer (nSA) server, the following user
privileges are applicable for users of that product.

Note: When nGeniusONE or nGenius Configuration Manager is functioning as the
Authentication Source for a child nGenius Session Analyzer server, these privileges are
intended for use with nGenius Session Analyzer users only. Disabling these privileges for
users that access nGeniusONE modules restricts their view of certain data and access to
certain IP-based operations only in Data Mining, Trace Archive analysis, and Packet Decode
drilldowns from monitors.

For guidance on understanding the effect of these privileges, refer to the nGenius Session
Analyzer help topics.
• Masking - View USSD Body (Uncheck for nSA workflows only)
• Masking - View SIP/XML Body (Uncheck for nSA workflows only)
• Masking - View Diameter SH Service Data (Uncheck for nSA workflows only)
• Masking - View Flow User Plane Metadata (Uncheck for nSA workflows only)
• Masking - View User Plane Payload (Uncheck for nSA workflows only)

6.6 Configuring Security


The following is a selection of options available for securing your nGeniusONE deployment:

Basic options:
• Change the user name and the password from the default name and password when
  prompted during installation or upgrade.
• Change the default root user password using the passwd command from the OS
  command line.
• If you have not already changed the nGeniusONE web client user names and passwords to
  more secure versions, or if you want to modify either the user name or password, do so
  from the User Management module of nGeniusONE.

Additional options:
• Configuring the Server for SSL Communication
• Enabling a Login Security Message
• Managing Passwords
• Configuring Authentication for Web Access
    ◦ LDAP
    ◦ Native (Local)
    ◦ RADIUS
    ◦ SiteMinder
    ◦ TACACS+
    ◦ Windows/Active Directory
    ◦ OAM
    ◦ nGenius CM
• Configuring Decode Options
• Configuring Syslog Forwarding
• Changing the Database Password

6.6.1 Security Information (Linux)


This section describes security information for the nGeniusONE Server hardware. These security
measures are an effort to minimize any potential security vulnerabilities on the server and
reduce the risk of exposure to possible attack from outside or within your organization. The
security measures applied to the nGeniusONE Server hardware are derived from industry best
practices for securing a CentOS or Red Hat Enterprise Linux Server operating system
environment.

The security features on the server consist of configuration settings (incorporated into the
system configuration) that greatly increase the security of the server, including:
• Removing unnecessary services, leaving only those services that are essential to server
  operation
• Restricting access to only essential TCP/UDP ports
• Restricting user accounts
• Enabling rigorous auditing

| Component | Description |
|---|---|
| Operating System Configuration | The boot, opt and "/" disk partitions are formatted as ext3, and the swap space partition is formatted as swap. Servers based on Dell R730 or later models utilize CentOS Linux. Earlier models utilized Red Hat Enterprise Linux. |
| Encrypted Database Password | The nGeniusONE database password is encrypted and stored in the db.properties file (by default). That password is not viewable in clear text by an nGenius user, including the system administrator. Additionally, nGenius users cannot view the password when executing the ps command in the Linux operating environment. |
| Apache Web Server | nGeniusONE software on the server hardware uses Apache for web services. NETSCOUT evaluates each new release of Apache to determine if additional security enhancements require an update to the server. |
| Apache Tomcat servlet container | nGeniusONE software on the server hardware uses Apache Tomcat as a servlet container. NETSCOUT evaluates each new release of Tomcat to determine if additional security enhancements require an update to the server. |
| OpenSSL | The nGeniusONE server uses OpenSSL. |
| Physical Security | The nGeniusONE Server hardware includes a front panel door that locks. This restricts physical access to the CD/DVD-ROM drive. |
| Enhanced Password Security | nGeniusONE Server Hardware password security requires a minimum password length of eight characters (and must include numbers). |
| Outbound Connections | Filters are applied to permit outbound connections from the server hardware for basic infrastructure services, such as DNS and SMTP. Outbound FTP is allowed, along with access to HTTP, SSL, and SNMP. |
| Inbound Connections | Filters are applied to permit inbound connections to the server hardware for basic infrastructure services. Inbound access to HTTP, SSL, and SNMP is allowed. Inbound FTP and Telnet are disallowed. |

The overall threat to the server is very low if you follow best practices and implement effective
strategies when deploying the server. Typically, you should deploy the platform well inside your
Intranet (behind firewalls) and not exposed to the Internet.

6.6.2 Managing Passwords


6.6.2.1 Strengthen Password Constraints for Web Connections
The default password requirement for the server's web UI is a minimum length of eight (8)
characters. If needed, you can modify the minimum password length by adding a property to
three system files on the server.

To add and set the password length parameter:

1. Access the system command-line as the root user. If you have logged in as a different user
   and assumed privileges with su, be sure to use su -l <root account> so that the full
   environment is instantiated before you proceed.
2. Edit the first properties file:
   # vi <nGenius install>/rtm/html/client.properties
   a. Locate the section #client.properties in the file, then add this line:
      rtm.user.password.minimumlength=16
   b. Save and exit the file.
3. Edit the second properties file:
   # vi <nGenius install>/rtm/html/umcclient.properties
   a. Add the following line:
      rtm.user.password.minimumlength=16
   b. Save and exit the file.
4. For deployments using the legacy Performance Manager product, edit the preferences
   properties file:
   # vi <nGenius install>/rtm/bin/preference.properties
   a. Find the following line:
      rtm.user.password.minimumlength=8
   b. Change the line to:
      rtm.user.password.minimumlength=16
   c. Save and exit the file.
5. (Optional) The following parameters may be used to strengthen the password
   complexity. If desired, add and set the properties below in the above three
   property files before restarting the server:
   • To enforce alphanumeric validation:
     rtm.user.password.enforce.AlphaNumericValidation=true
   • To control the number of numbers in an AlphaNumeric password:
     rtm.user.password.enforce.AlphaNumericValidation.minimum.number=1
   • To control the minimum number of lowercase characters in a password:
     rtm.user.password.enforce.AlphaNumericValidation.minimum.lowercase=1
   • To control the minimum number of uppercase characters in a password:
     rtm.user.password.enforce.AlphaNumericValidation.minimum.uppercase=1
   • To enforce special character validation:
     rtm.user.password.enforce.SpecialCharacterValidation=true
   • To control the minimum number of special characters in a password:
     rtm.user.password.enforce.SpecialCharacterValidation.minimum.specialCharacter=1
   • To control the maximum number of consecutive characters in a password:
     rtm.user.password.enforce.consecutiveCharacter.maximum=2
   • To control the maximum number of repeat characters in a password:
     rtm.user.password.enforce.repeatCharacter.maximum=2
   • To enforce case-sensitive validation:
     rtm.user.password.enforce.CaseSensitiveValidation=true
6. (Optional) Add the following properties in
   <nGenius Install>/rtm/bin/serverprivate.properties to disable accounts for users who do
   not log in and change their passwords within 24 hours:
   • rtm.user.password.enforce.PasswordReset.days=10
   • rtm.user.password.expiration.days=60
   • rtm.user.password.expiration.notify=10
   Until password expiration, password change is only required on first login. Users are not
   disabled within 24 hours if these properties are not added.
7. Restart the server.
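
The following shell script is an added example, not NETSCOUT code. It audits the properties files edited above: every file must set rtm.user.password.minimumlength to at least the intended value, all files must carry the same rtm.user.password.* values, and no property name may be left broken across two lines. The function names and the sample files built in a temporary directory are constructed for illustration; on a server, pass the three real properties files to audit_password_policy instead.

```sh
#!/bin/sh
# Added example, not NETSCOUT code. Audits the rtm.user.password.* settings in
# the properties files edited in the procedure above.

# get_prop FILE KEY: print the last uncommented value of KEY in FILE (or nothing).
get_prop() {
    gp_key=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots are literal in a key
    sed -n "s/^[[:space:]]*${gp_key}[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# list_keys FILE...: every rtm.user.password.* key assigned in any of the files.
list_keys() {
    sed -n 's/^[[:space:]]*\(rtm\.user\.password\.[A-Za-z.]*\)[[:space:]]*=.*/\1/p' \
        "$@" 2>/dev/null | sort -u
}

# audit_password_policy MIN_LENGTH FILE...
# Prints one finding per line and returns 0 only when there are none.
audit_password_policy() {
    ap_min=$1; shift
    ap_findings=0
    for ap_file in "$@"; do
        if [ ! -r "$ap_file" ]; then
            echo "UNREADABLE    $ap_file"
            ap_findings=$((ap_findings + 1)); continue
        fi
        # A property name pasted from a wrapped line has no '=' on its own line.
        ap_wrapped=$(grep -n '^[[:space:]]*rtm\.user\.password\.[^=]*$' "$ap_file" || true)
        if [ -n "$ap_wrapped" ]; then
            echo "WRAPPED KEY   $ap_file line $ap_wrapped"
            ap_findings=$((ap_findings + 1))
        fi
        ap_len=$(get_prop "$ap_file" rtm.user.password.minimumlength)
        case $ap_len in
            '' | *[!0-9]*)
                echo "NO MINLENGTH  $ap_file"
                ap_findings=$((ap_findings + 1)) ;;
            *)
                if [ "$ap_len" -lt "$ap_min" ]; then
                    echo "WEAK          $ap_file minimumlength=$ap_len (want >= $ap_min)"
                    ap_findings=$((ap_findings + 1))
                fi ;;
        esac
    done
    # Each policy key set in one file must carry the same value in all of them.
    for ap_key in $(list_keys "$@"); do
        ap_distinct=$(for ap_file in "$@"; do
            [ -r "$ap_file" ] || continue
            ap_val=$(get_prop "$ap_file" "$ap_key")
            echo "${ap_val:-<unset>}"
        done | sort -u | wc -l | tr -d ' ')
        if [ "$ap_distinct" -gt 1 ]; then
            echo "INCONSISTENT  $ap_key differs between files"
            ap_findings=$((ap_findings + 1))
        fi
    done
    [ "$ap_findings" -eq 0 ]
}

# Constructed sample files standing in for the three files named above.
demo_dir=$(mktemp -d)
printf '%s\n' '#client.properties' 'rtm.user.password.minimumlength=16' \
    'rtm.user.password.enforce.AlphaNumericValidation=true' \
    > "$demo_dir/client.properties"
printf '%s\n' 'rtm.user.password.minimumlength=16' \
    'rtm.user.password.enforce.AlphaNumericValidation.minimum.lowerca' 'se=1' \
    > "$demo_dir/umcclient.properties"
printf '%s\n' 'rtm.user.password.minimumlength=8' > "$demo_dir/preference.properties"
audit_password_policy 16 "$demo_dir"/*.properties ||
    echo "policy audit: findings listed above"
rm -rf "$demo_dir"
```

Run the audit before restarting the server, so that a mistyped or inconsistent property is caught while the files are still open for editing.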


6.6.2.2 Changing the Database Password


You create the database password when you install nGeniusONE software for the first time. Use
the procedure in this section if you need to change the password at a later time.

Note:
• This procedure requires you to supply the existing database password. If you do not
  know your current password, contact Customer Support.
• Do not stop the nGeniusONE Server when changing the database password.

1. Access the system command-line as the root user. If you have logged in as a different user
   and assumed privileges with su, be sure to use su -l <root account> so that the full
   environment is instantiated before you proceed.
2. Navigate to the <nGeniusONE install>/rtm/bin directory.
3. Run the PasswordChange.sh script.
4. When prompted, enter the current password.
5. Then, when prompted for the new password, provide a new password with the following
   considerations:
   • Use 1 to 15 alphanumeric characters (first character cannot be a number).
   • Non-printing characters such as spaces or tabs are not allowed.
   • PostgreSQL keywords are not allowed.
   When you press Enter, the password is encrypted and stored.

Example:
[root@DOCPM14 bin]# ./PasswordChange.sh
**********************************************************************************
*                  ============================================                  *
*                    nGenius Database Password Change Utility                    *
*                  ============================================                  *
*                                                                                *
* This utility allows you to change the database password. You must supply the   *
* current database password, then enter and validate the new database password.  *
* This utility requires that the database engine is currently running.           *
*                                                                                *
* (Type 'exit' at any prompt to exit from this utility.)                         *
**********************************************************************************
[12:36:46](main)Debug:Debug initialized (level 1), logging disabled
Enter current database password:
Enter new database password: d:
Re-enter new database password:
Stored password is Encrypted in Version2
[12:36:52](main)ConnectionPoolImpl:Initialized connection Pool size, count : 0
[12:36:52](main)ConnectionPool:Creating ConnectionPool Default Instance
Stored password is Encrypted in Version2
The database password has been successfully updated.

6.6.3 Enabling a Login Security Message


Optionally, you can enable a security message to display when users access the nGeniusONE
URL. After enabling this dialog box, users must agree to specified consent terms before they can
access the nGeniusONE software. You can use the default dialog box message provided or enter
your own text. The dialog content can also be localized.

When enabled, the dialog box with default text strings and graphic resembles the screen below.
Users can move and resize the box in their browser windows.

1. From the system command line, open the <nGeniusONE install>/rtm/html/umcclient.properties
   file with any text editor. If you plan to add translations for Japanese, Korean, and Chinese,
   the text editor must support both the double-byte characters of these languages and the
   UTF-8 encoding of the properties file itself.
2. The security message is off by default. Enable the consent dialog box by locating the
   showConfirm= parameter and specifying its value as true.
3. Customize the title of the dialog box by entering your preferred text for the
   confirmTitle= parameter.
   Or, to enable Japanese, Korean, or Chinese versions of the title, instead modify the
   appropriate parameter: confirmTitle_ja_JP, confirmTitle_ko_KR, or confirmTitle_zh_CN.
4. Customize the dialog box message by entering your preferred text for the
   confirmMessage= parameter.
   To enable Japanese, Korean, or Chinese versions of the message, modify
   confirmMessage_ja_JP, confirmMessage_ko_KR, or confirmMessage_zh_CN.
5. Customize the dialog box button by entering your preferred text for the confirmButton=
   parameter.
   To enable Japanese, Korean, or Chinese versions of the button text, modify
   confirmButton_ja_JP, confirmButton_ko_KR, or confirmButton_zh_CN.
6. Customize the dialog box width by adding your preferred width (in pixels) using
   confirmDefaultWidth=nnn. The default width is 350 pixels. Users with long security
   messages may use this parameter to modify the dialog box dimensions.
7. Save and exit the umcclient.properties file.
8. (Optional) Replace the background image for the dialog box title with your own graphic as
   follows:
   a. Format your graphic as a .PNG file and name it: CompanyLogo.png.
   b. Size the graphic to be 640x71 pixels for best results.
      If necessary, you can adjust the graphic size; for example, to accommodate a lengthy
      login statement. The graphic is anchored at the top left corner of the dialog box.
   c. Place the file in the following folder (overwriting the default version):
      <nGeniusONE install>/tomcat/content/webapps/common/assets
   d. Clear your browser cache and refresh the browser.

After updates are complete, the nGeniusONE Server does not need to be restarted. However, a
browser refresh may be necessary to see the consent dialog box with the specified strings.

6.6.4 Configuring SSL/TLS


6.6.4.1 Generating SSL/TLS Certificates and Keys
Support for the SHA-256 signature algorithm is required for nGeniusONE in compliance with
decisions made by Internet Explorer, Google Chrome, and Mozilla Firefox to stop supporting
SSL/TLS certificates signed with the SHA-1 signature algorithm as of January 1, 2017. In
response to these changes, all servers using NETSCOUT's self-signed certificate must be
upgraded with a new certificate using SHA-256. New SSL/TLS keys are created during this
process. The method to do so is described below.

Warning:
• NETSCOUT strongly recommends customers use their own self-signed certificates to
  replace the default, self-signed certificates from NETSCOUT.
• Launch errors of the packet analysis window may ensue if you do not use a signature
  algorithm stronger than SHA-1.
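
To find out which certificates on hand are still SHA-1 signed, the following shell script (an added example, not NETSCOUT code) reads the signature algorithm of each .crt, .cer, .der or .pem file in a directory and flags MD5 and SHA-1 signatures. It assumes the openssl command-line tool is installed; the function names and the directory argument are illustrative.

```sh
#!/bin/sh
# Added example, not NETSCOUT code. Reports the signature algorithm of every
# certificate file in a directory so SHA-1 certificates can be replaced.

# classify_sig_alg NAME: map an OpenSSL signature algorithm name to
# "weak" (MD5 or SHA-1), "ok" (SHA-256/384/512) or "unknown".
classify_sig_alg() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        *md5* | *sha1*)                 echo weak ;;
        *sha256* | *sha384* | *sha512*) echo ok ;;
        *)                              echo unknown ;;
    esac
}

# sig_alg_of FILE: print the signature algorithm of a certificate file.
# PEM encoding is tried first, then DER, because .crt and .cer files can be either.
sig_alg_of() {
    for sa_form in PEM DER; do
        sa_alg=$(openssl x509 -inform "$sa_form" -in "$1" -noout -text 2>/dev/null |
            sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
        if [ -n "$sa_alg" ]; then
            echo "$sa_alg"
            return 0
        fi
    done
    return 1
}

# audit_cert_dir DIR: print one line per certificate file and return 0 only
# when every certificate found is signed with a SHA-2 family algorithm.
audit_cert_dir() {
    ac_rc=0
    for ac_file in "$1"/*.crt "$1"/*.cer "$1"/*.der "$1"/*.pem; do
        [ -f "$ac_file" ] || continue           # unmatched glob or not a file
        if ac_alg=$(sig_alg_of "$ac_file"); then
            ac_class=$(classify_sig_alg "$ac_alg")
        else
            ac_alg="not a readable certificate"
            ac_class=unknown
        fi
        echo "$ac_class  $ac_file  ($ac_alg)"
        [ "$ac_class" = ok ] || ac_rc=1
    done
    return "$ac_rc"
}

# When a directory is given on the command line, audit it.
if [ "$#" -ge 1 ]; then
    audit_cert_dir "$1"
fi
```

A line marked weak identifies a certificate to replace; a line marked unknown needs a manual look at the reported algorithm.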

NSCertUtil

NETSCOUT's NSCertUtil tool makes it easy to manage — including add, delete, import, or
generate — certificates in nGeniusONE. Operating this automated tool requires selecting an
option from the menu and following the prompts, as described below. To select an additional
option, run the tool again.

The tool can:
• replace an existing NETSCOUT SHA-1 certificate with an SHA-256 certificate
• recognize and install a SHA-512 level security certificate
• configure the nGeniusONE server to use a signed certificate (can be of a .crt, .cer or .der
  format)
• import certificates to the ngeniusclient.truststore (can be of a .crt, .cer or .der format)
• allow a user to create self-signed certificates

Important: To avoid a Web display problem after installing a certificate using the nscertutil.sh
script, you must include the RSA pass phrase in the SSL key file when the RSA password is
required. Refer to Global Settings help on Configuring the Certificate App for instructions.

NSCertUtil Tool Functionality

Access this tool from the command-line of the server as follows:

Linux:  <nGeniusONE install>/rtm/tools/nscertutil.sh

Windows: <drive>:\<nGeniusONE install>\rtm\tools\nscertutil.bat

The NSCertUtil tool displays as shown below.

**********************************************************************************
           =========================================
            NetScout Certificate Generation Utility
           =========================================
 This utility will require information about your location, email, server
 to generate the certificate
 (Type 'exit' to exit from this utility.)
**********************************************************************************
       1. Create and import a self-signed certificate [Default]
       2. Import a .crt certificate
       3. Add a .crt certificate to truststore
       4. Upgrade to a SHA-256 Certificate
       5. Import a .cer certificate
       6. Add a .cer certificate to truststore
       7. Import a .der certificate
       8. Add a .der certificate to truststore***
Please type in the option (or exit) >

Configuring NETSCOUT SSL Certificates and Keys

Configuration options are as follows.

Replace an existing NETSCOUT SHA-1 certificate with an SHA-256 certificate

To replace an existing NETSCOUT Self Signed Certificate, select option 4:

“4. Upgrade to a SHA-256 Certificate”

This option will create and configure nGeniusONE with a new SHA-256 SSL certificate and SSL
key. After you run this option, stop and restart the server.

Note: this option does not use the FQDN of the server as part of the certificate.


Configure a server with a signed SSL certificate and key

To configure a server with a signed certificate (.crt extension), select option 2:

“2. Import a .crt certificate”

To configure a server with a signed certificate (.cer extension), select option 5:

“5. Import a .cer certificate”

To configure a server with a signed certificate (.der extension), select option 7:

“7. Import a .der certificate”

Stop and restart the server after running this option.

Import a signed certificate to the truststore

If you have a distributed environment where each server has a signed certificate, you must add
each signed certificate to an ngeniusclient.truststore, which you must then copy to each server in
the environment.

To import a .crt certificate to a truststore, select option 3:

“3. Add a .crt certificate to truststore”

To import a .cer certificate to a truststore, select option 6:

“6. Add a .cer certificate to truststore”

To import a .der certificate to a truststore, select option 8:

“8. Add a .der certificate to truststore”

After this procedure is performed for all new certificates, the <nGeniusONE
install>/rtm/html/ngeniusclient.truststore must be copied to all the servers (<nGeniusONE
install>/rtm/html directory) in the environment. After the truststore has been copied to a server,
restart the server.

Generate a self-signed certificate

NETSCOUT strongly recommends customers use their own signed certificates to replace the
default self-signed certificates from NETSCOUT.

To generate a self-signed certificate using your own parameters, select option 1:

“1. Create and import a self-signed certificate [Default]”

This tool will prompt you to enter the following information for both the CA and the server itself:
• Country
• State Code
• City Name
• Organization Name
• Organization Unit
• Common Name
• Email Address
• Days before the certificate expires
• Certificate Alias

Deployment Notes

In some environments, you may be required to install a ca-bundle.crt. If this is so, copy the
bundle to either:

Linux: <nGeniusONE install>/apache/conf/ssl.crt/ca-bundle.crt

or

Windows: <drive>:\<nGeniusONE install>\apache\conf\ssl.crt\ca-bundle.crt

You must then un-comment the following line in the Linux <nGeniusONE
install>/apache/conf/extra/httpd-ssl.conf file or Windows <drive>:\<nGeniusONE
install>\apache\conf\extra\httpd-ssl.conf file:
SSLCACertificateFile "conf/ssl.crt/ca-bundle.crt"

On a Linux system, change ownership and permissions using the following commands:
chown ngenius:ngenius <nGeniusONE install>/apache/conf/ssl.crt/ca-bundle.crt
chmod 750 <nGeniusONE install>/apache/conf/ssl.crt/ca-bundle.crt

6.6.4.2 Configuring the Server for SSL Communication


Use the websecure script to change the port number for use with web communications between
user systems and the server. This script updates all related nGeniusONE configuration files and
is applicable for changing the server's web access port to 80, 8080, 443, 8443, or any
non-well-known port greater than 1023. If you set a non-well-known port greater than 1023,
firewall changes are required. If your environment requires changing the web server to use any
other port, contact Customer Support.

Note:
• All servers in the deployment must use the same port number.
• The script used in this procedure modifies nGeniusONE files, not system files such as
  /etc/sysconfig/iptables. If you modified iptables, which may be required for some
  environments, you must update it separately.
• If you are changing the server to a secured port, you must also install a certificate. Use
  the nscertutil tool to create and/or install a certificate.
• If you do use nscertutil, and your server is a child to another server (such as a Standby or
  Secondary server), NETSCOUT recommends managing your certificates from the
  managing / primary server, and then copying that truststore to the other nodes in the
  deployment.
• Supports well-known, nonstandard HTTP (80, 8080) and HTTPS (443, 8443) ports.
  Websecure accepts a port number in the command line. Ports 80 and 8080 can be
  configured only for HTTP, ports 443 and 8443 only for HTTPS.


Procedure
1. For Windows: Log in to the Windows server with an account that has administrator
privileges. (Do not use a cloned version of the Administrator account.)
For Linux: Access the system command-line as the root user. If you have logged in as a
different user and assumed privileges with su, be sure to use su -l <root account> so that
the full environment is instantiated before you proceed.
2. Navigate to the <NETSCOUT install>/rtm/bin folder.
3. Run the following script:
Windows: # websecure.bat -protocol <HTTP|HTTPS> -port <port>
Linux: # ./websecure.sh -protocol <HTTP|HTTPS> -port <port>
Provide the protocol and port number you want the web service to use. The script
automatically restarts the server.
4. To verify your change, access the server with the new port number and/or by accessing
Server Management and viewing the port number in the General Information tab.
5. By default, NETSCOUT's servers ship with iptables configured to allow ports 80, 8080, 443,
and 8443. If you had customized your iptables to restrict any of these, modify it again to
accept the new port.
6. Repeat this procedure for all servers in the deployment, using the same port number.

Changing the Port in a Global Manager or Dedicated Global Manager Environment

Follow these steps to change the ports in a Global Manager (GM) or Dedicated Global Manager
(DGM) environment:

1. Navigate to the <NETSCOUT install>/rtm/bin folder on the GM or DGM.
2. Update all the local servers managed by the GM or DGM:
   Windows: # websecure.bat -protocol <HTTP|HTTPS> -port <port> -all
   Linux: # ./websecure.sh -protocol <HTTP|HTTPS> -port <port> -all
   Provide the protocol and port number you want the web service to use. The script
   automatically restarts the servers.
3. Update the GM or DGM:
   Windows: # websecure.bat -protocol <HTTP|HTTPS> -port <port>
   Linux: # ./websecure.sh -protocol <HTTP|HTTPS> -port <port>
4. To verify your change, access the servers with the new port number and/or access Server
Management and view the port numbers in the General Information tab.

Validation:

You can use curl to validate the change without using a web browser, substituting http and https
as appropriate, and using the IP address:port number for the server you want to test.
# curl -I <http|s>://<server_ip_address:port>/ -k

If the port change was successful, you will see a response such as: 
HTTP/1.1 200 OK


For example:
# curl -I https://10.20.160.14:8443/ -k
HTTP/1.1 200 OK

If SSL is not enabled, the following output is reported:


curl: (35) SSL connect error

Post-Upgrade Considerations for SSL Configurations

Keep in mind the following considerations regarding SSL certificates and private keys when
upgrading:
• If you have custom certificates that previously resided in the apache/conf/ssl.crt and
  apache/conf/ssl.key folders, they are preserved and restored on an upgrade.
• If you have custom settings in the original ssl.conf file, those settings are preserved but not
  restored. To restore these settings, you need to manually update the httpd-ssl.conf file
  (located in the apache/conf/extra folder) with the desired settings.
• If you previously had user-created folders in the original Apache folder, they are preserved
  in the apache_orig folder. If desired, you can move them to the new Apache folder:
  Linux: <nGeniusONE install>/apache
• The original ngeniusclient.truststore and ngeniusserver.keystore files are preserved in the
  following locations during an upgrade to v5.5:
  <install directory>/rtm_BACKUP_FOR_541/bin/admin/ngeniusserver.keystore
  <install directory>/rtm_BACKUP_FOR_541/html/ngeniusclient.truststore
  These files are automatically restored to their proper locations and no further steps are
  required.

6.6.4.3 Changing the Web Access Port with websecure


Use the websecure script to change the port number for use with web communications between
user systems and the server. This script updates all related nGeniusONE configuration files and
is applicable for changing the server's web access port to 80, 8080, 443, 8443, or any
non-well-known port greater than 1023. If you set a non-well-known port greater than 1023,
firewall changes are required. If your environment requires changing the web server to use any
other port, contact Customer Support.

Note:
• All servers in the deployment must use the same port number.
• The script used in this procedure modifies nGeniusONE files, not system files such as
  /etc/sysconfig/iptables. If you modified iptables, which may be required for some
  environments, you must update it separately.
• If you are changing the server to a secured port, you must also install a certificate. Use
  the nscertutil tool to create and/or install a certificate.
• If you do use nscertutil, and your server is a child to another server (such as a Standby or
  Secondary server), NETSCOUT recommends managing your certificates from the
  managing / primary server, and then copying that truststore to the other nodes in the
  deployment.
• Supports well-known, nonstandard HTTP (80, 8080) and HTTPS (443, 8443) ports.
  Websecure accepts a port number in the command line. Ports 80 and 8080 can be
  configured only for HTTP, ports 443 and 8443 only for HTTPS.

Procedure
1. For Windows: Log in to the Windows server with an account that has administrator
privileges. (Do not use a cloned version of the Administrator account.)
For Linux: Access the system command-line as the root user. If you have logged in as a
different user and assumed privileges with su, be sure to use su -l <root account> so that
the full environment is instantiated before you proceed.
2. Navigate to the <NETSCOUT install>/rtm/bin folder.
3. Run the following script:
Windows: # websecure.bat -protocol <HTTP|HTTPS> -port <port>
Linux: # ./websecure.sh -protocol <HTTP|HTTPS> -port <port>
Provide the protocol and port number you want the web service to use. The script
automatically restarts the server.
4. To verify your change, access the server with the new port number and/or by accessing
Server Management and viewing the port number in the General Information tab.
5. By default, NETSCOUT's servers ship with iptables configured to allow ports 80, 8080, 443,
and 8443. If you had customized your iptables to restrict any of these, modify it again to
accept the new port.
6. Repeat this procedure for all servers in the deployment, using the same port number.

Changing the Port in a Global Manager or Dedicated Global Manager Environment

Follow these steps to change the ports in a Global Manager (GM) or Dedicated Global Manager
(DGM) environment:

1. Navigate to the <NETSCOUT install>/rtm/bin folder on the GM or DGM.
2. Update all the local servers managed by the GM or DGM:
   Windows: # websecure.bat -protocol <HTTP|HTTPS> -port <port> -all
   Linux: # ./websecure.sh -protocol <HTTP|HTTPS> -port <port> -all
   Provide the protocol and port number you want the web service to use. The script
   automatically restarts the servers.
3. Update the GM or DGM:
   Windows: # websecure.bat -protocol <HTTP|HTTPS> -port <port>
   Linux: # ./websecure.sh -protocol <HTTP|HTTPS> -port <port>
4. To verify your change, access the servers with the new port number and/or access Server
Management and view the port numbers in the General Information tab.


Validation:

You can use curl to validate the change without using a web browser, substituting http and https
as appropriate, and using the IP address:port number for the server you want to test.
# curl -I <http|s>://<server_ip_address:port>/ -k

If the port change was successful, you will see a response such as: 
HTTP/1.1 200 OK

For example:
# curl -I https://10.20.160.14:8443/ -k
HTTP/1.1 200 OK

If SSL is not enabled, the following output is reported:


curl: (35) SSL connect error

6.6.5 Configuring Syslog Forwarding


This section provides guidance to configure forwarding of syslog events from your nGeniusONE
Server and InfiniStream appliances to an external Syslog server. You must configure the Syslog
server first, but can configure the nGeniusONE server and InfiniStream appliances in any order
after the Syslog Server is configured.

Use the following procedures to configure syslog forwarding. The steps on all components
must be performed in a specific order, so they are presented in that sequence below.

1. Configure the Syslog Server
2. Configure nGeniusONE Syslog Forwarding
3. Configure InfiniStream Syslog Forwarding
4. Test and Troubleshoot Syslog Forwarding (Optional)
5. Log File Management (Optional)
6. Enable Operating System Audit Logging
7. Forwarding Alarms / Alerts to a Syslog Server (Optional)

6.6.5.1 Configure an External Syslog Server


This section includes steps for configuring a Fedora-based syslog server that uses stunnel to
provide TLS encryption services to syslog clients (such as the InfiniStream appliance). The
procedure is a guideline; refer to your server's documentation, if needed, to map the commands
to your specific syslog server.

Note: The procedure assumes that the InfiniStream appliance and nGeniusONE server are
configured to forward to either 514 for regular messages or 1111 for encrypted messages.

Steps must be performed in the indicated order:

1. Configure Security for the Syslog Server
2. Configure and Enable stunnel Daemon
3. Configure and Enable rsyslog Daemon
4. Enable Ports in Firewall
5. Next Steps

6.6.5.1.1 Configure Security for the Syslog Server

These steps are based on a Fedora kernel; adjust as needed for the type of operating system on
your actual syslog server.

1. Log into the external syslog server as a root user.
2. Navigate to /opt/certs/syslog. (If this directory does not exist, create it.)
3. Run the following commands to create a new private key and certificate signing request
(CSR) for the syslog server:
# openssl ecparam -genkey -out <syslog>.key -name prime256v1
# openssl req -new -key <syslog>.key -out <syslog>.csr
4. Respond to the following prompts: 
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
5. Submit the CSR to your Certificate Authority (CA) for signing. Once it is approved,
download the signed certificate along with the root and any intermediate certificates for
the complete certificate chain. Copy all the certificates to the /opt/certs/syslog directory.
6. While you are still in the /opt/certs/syslog folder, run the following command to create a
pem file for stunnel use.
# cat <syslog>.crt <syslog>.key > stunnel.pem
7. Copy the pem file to the stunnel directory:
# cp stunnel.pem /etc/stunnel/stunnel.pem

Note: The key created above is copied to the TOEs in later procedures, listed in Next Steps,
below.

6.6.5.1.2 Configure and Enable stunnel Daemon

This service is used for secure log transport between the syslog server and its forwarding clients
(the InfiniStream appliances and nGeniusONE server).

Note: The steps in this section must not be performed until the above procedure is
completed.

1. Log into the external syslog server as a root user.
2. Navigate to /etc/stunnel.
3. Edit stunnel.conf.
4. Ensure the following lines are present in the file as shown:
cert = /etc/stunnel/stunnel.pem
ciphers=ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256
sslVersion = TLSv1.2
output = /var/log/stunnel.log
debug = 7
; Use it for client mode
client = no
[syslog]
accept=1111
connect=514
5. Save and exit the stunnel.conf file.
6. Create a new service script with the following commands:
# cd /etc/systemd/system
# touch stunnel.service
7. Edit the new file (stunnel.service) and enter the following lines:
[Unit]
Description=SSL tunnel for rsyslog
After=syslog.target network.target
[Service]
ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
Type=forking
PrivateTmp=true
[Install]
WantedBy=multi-user.target
8. Save and exit the file.
9. Enable the stunnel daemon with the following commands:
# systemctl enable stunnel.service
# systemctl start stunnel.service
10. Verify the process is running:
# systemctl status stunnel.service
Loaded: loaded (/etc/systemd/system/stunnel.service; enabled)
Active: active (running) since Fri 2018-08-31 14:40:17 EDT; 5 days ago

6.6.5.1.3 Configure and Enable rsyslog Daemon

This service is used for remote logging.

1. Log into the external syslog server as the root user.
2. Navigate to the /etc directory.
3. Edit the rsyslog.conf file as follows:
a. Open the file in a text editor.
b. Allow rsyslog to listen on IP listener port 514 over TCP and UDP for incoming messages
by uncommenting the following lines (or adding them if they are not already
present):
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
$template HostAudit, "/var/log/%HOSTNAME%/syslog.log"
*.* ?HostAudit
c. Save and exit the file.
d. Restart the rsyslog daemon with the following commands:
# systemctl restart rsyslog.service
e. Verify the process is running:
# systemctl status rsyslog.service
Loaded: loaded (/etc/systemd/system/rsyslog.service; enabled)
Active: active (running) since Fri 2018-08-31 14:40:17 EDT; 5 days ago

6.6.5.1.4 Enable Ports in Firewall

Ports 514 and 1111 must be opened in the firewall on the syslog server.

1. Navigate to the /etc/sysconfig directory.
2. Open ports 514 and 1111 in the firewall settings as follows:
a. Open the iptables file in a text editor.
b. Add the following lines of text before the COMMIT line:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 514 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 514 -j ACCEPT
c. Save and exit the file.
3. Restart the indicated system services using the following commands:
# service iptables restart
# service rsyslog restart
# service stunnel restart

6.6.5.1.5 Next Steps

Proceed with configuring nGeniusONE servers and InfiniStream appliances in the cluster for
syslog forwarding. Do not remove the backup key material from the Syslog Server until the
procedures below are complete.
• Configure nGeniusONE Syslog Forwarding
• Configure InfiniStream Syslog Forwarding

6.6.5.2 Configure nGeniusONE Syslog Forwarding


Audit messages are maintained in the nGeniusONE server's message log for 31 days, by default.
Messages older than 31 days are overwritten. When a syslog connection exists, messages are
written to the syslog server at the same time they are written to the nGeniusONE message log,
thereby preserving them on that external server.

The procedures below are used to configure the nGeniusONE server to send message log events
and operating system messages in /var/log/secure, /var/log/messages and /var/log/audit to a
syslog audit server. These steps establish a secure TLS connection for transferring system log
(audit log) events to an external syslog server.

Important: The procedures in this section require that the procedures to configure the
Syslog server have already been performed. 

1. Log into the nGeniusONE server command line.
2. Edit the server properties file indicated below.
# vi /opt/NetScout/rtm/bin/serverprivate.properties
3. Add the following lines to enable syslog forwarding and SSL (TLS). Note that if you use a
hostname instead of IP Address for the host parameter, that hostname must be in a DNS
server known to this appliance.
log.syslog=true
syslogHost=<hostname or IP address>
syslogDestPort=1111
SSLsyslog=true
Where:
log.syslog = When set to true, enables logged events to be forwarded
syslogHost = Supports up to five addresses or hostnames, comma delimited, for TLS-
capable servers
syslogDestPort = port number on the receiving server. Must be the same port for all
servers if more than one is specified
SSLsyslog = true

6.6.5.2.1 Configure stunnel

The stunnel service is used for secure log transport between the syslog server and its forwarding
clients (the InfiniStream appliances and nGeniusONE server). Use the steps below to configure
stunnel and the remote system logging service for forwarding.

Note: The steps in this section must not be performed until the external Syslog Server is
configured.

1. Log into the nGeniusONE server command line.
2. Navigate to /etc/stunnel.
3. Create and edit the indicated configuration file:
# touch stunnel.conf

4. Edit stunnel.conf in a text editor and insert the following lines. Note that if you use a
hostname instead of IP Address for the connect parameter, that hostname must be in a
DNS server known to this appliance.
cert = /etc/stunnel/stunnel.pem
ciphers=ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256
CAfile = /etc/stunnel/ca-bundle.crt
sslVersion = TLSv1.2

debug = 7
syslog = yes
pid = /var/run/stunnel.pid
socket = l:TCP_NODELAY=1
socket= r:TCP_NODELAY=1
client = yes

[syslog]
accept = 127.0.0.1:514
connect = <10.20.179.19>:1111
5. Save and exit the stunnel.conf file.
6. Install the nGeniusONE certificate to communicate with the syslog server.
a. Make a directory for the syslog server certificate:
# mkdir -p /opt/certs/syslog
b. Copy the certificate from the nGeniusONE web server to the stunnel directory:
# cp /opt/NetScout/apache/conf/ssl.crt/server.crt /etc/stunnel/stunnel.pem
# cat /opt/NetScout/apache/conf/ssl.key/server.key >> /etc/stunnel/stunnel.pem
# cp /opt/NetScout/apache/conf/ssl.crt/ca-bundle.crt /etc/stunnel/ca-bundle.crt
7. Enable and start stunnel services:
# systemctl enable stunnel.service
# systemctl start stunnel.service
# systemctl status stunnel.service
Loaded: loaded (/etc/systemd/system/stunnel.service; enabled)
Active: active (running) since Fri 2018-08-31 14:40:17 EDT; 5 days ago

6.6.5.2.2 Configure rsyslog


1. Log into the nGeniusONE server command line.
2. Edit the /etc/rsyslog.conf file.
3. Locate the following line:
#### Modules ####
4. Insert these lines below the line you located in the previous step:
# CC mods
*.* @@127.0.0.1:514
$ModLoad imfile
# auditd audit.log
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
$InputFileName /opt/NetScout/apache/logs/error_log
$InputFileTag tag1:
$InputFileStateFile stat-file1
$InputFileSeverity error
$InputFileFacility local5
$InputRunFileMonitor
# End CC mods
5. Now locate this line:
*.info;mail.none;authpriv.none;cron.none; /var/log/messages
6. Change it to the following syntax:
*.info;mail.none;authpriv.*;cron.none;local7.none;local5.* /var/log/messages
7. Save and exit the file.
8. Restart the service and verify it is running, with the following commands:
# systemctl restart rsyslog.service
# systemctl status rsyslog.service
Loaded: loaded (/etc/systemd/system/rsyslog.service; enabled)
Active: active (running) since Fri 2018-08-31 14:40:17 EDT; 5 days ago

6.6.5.2.3 Customize Log File Management (Optional)

You can optionally customize the rotation cycle and the location of the log files to accommodate
capacity and retention requirements. If desired, follow the procedures in Log File Management.

6.6.5.3 Configure InfiniStream Syslog Forwarding


The procedures below are used to configure the InfiniStream appliance to send message log
events and operating system messages in /var/log/secure, /var/log/messages and /var/log/audit
to a syslog audit server. These steps establish a secure TLS connection for transferring system
log (audit log) events to an external syslog server.

Important: The procedures in this section require that the procedures to configure the
Syslog server have already been performed. 


6.6.5.3.1 Configure stunnel


1. Log in as an administrative user to the data source.
2. For InfiniStream models 1410, 2410, 2695, 4795, 4895, 6695, 9785, 980X, and 9885 only,
perform the following steps:
a. Create an initialization script for stunnel:
# cp /usr/lib/systemd/system/stunnel@.service /etc/systemd/system
# cd /etc/systemd/system
# mv stunnel@.service stunnel.service
b. Edit the service definition to specify stunnel configuration file:
# vi stunnel.service
c. Replace this line:
ExecStart=/usr/bin/stunnel /etc/stunnel/%i.conf
With:
ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
d. Save and exit the file.
3. Customize the stunnel.conf file.
a. Save the existing file and create a new, empty one:
# cd /etc/stunnel
# cp stunnel.conf stunnel.conf.orig
# rm stunnel.conf
# touch stunnel.conf
b. Edit stunnel.conf in a text editor and insert the following lines. Note that if you use a
hostname instead of IP Address for the connect parameter, that hostname must be in
a DNS server known to this appliance.
cert = /etc/stunnel/stunnel.pem
ciphers=ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256
CAfile = /etc/stunnel/ca-bundle.crt
sslVersion = TLSv1.2

debug = 7
syslog = yes
pid = /var/run/stunnel.pid
socket = l:TCP_NODELAY=1
socket= r:TCP_NODELAY=1
client = yes

[syslog]
accept = 127.0.0.1:514
connect = <10.20.179.19>:1111
c. Save and exit the file.


4. Install the InfiniStream appliance certificate to communicate with the syslog server. Copy
the certificate from the InfiniStream lighttpd folder to the stunnel directory.
# cp /etc/lighttpd/ssl/lighttpd.pem /etc/stunnel/stunnel.pem
# cp /opt/certs/ca-bundle.crt /etc/stunnel/ca-bundle.crt
5. Start stunnel services:
• For all appliances except 69xxC and 79xx:
a. Run the following:
# systemctl enable stunnel.service
# systemctl start stunnel.service
b. Verify the service is running:
# systemctl status stunnel.service
Loaded: loaded (/etc/systemd/system/stunnel.service; enabled)
Active: active (running) since Fri 2018-08-31 14:40:17 EDT; 5 days ago
• For 69xxC and 79xx appliances:
a. Run the following:
# chkconfig --add stunnel
# chkconfig stunnel on
# /etc/init.d/stunnel start
b. Verify the service is running:
# ps -ef |grep stunnel
root 6086 1 0 09:47 ? 00:00:00 /usr/sbin/stunnel /etc/stunnel/stunnel.conf
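
The stunnel.conf listings in this procedure and in the syslog server and nGeniusONE procedures above are easy to damage when copied from the guide: a wrapped ciphers line, or placeholder brackets left around the server address. The Python check below is an added example, not NETSCOUT code; it compares a stunnel.conf with the values printed in the guide and also flags a client configuration that sets CAfile without any verify option, since stunnel does not verify the peer certificate unless one is set. The sample configurations are constructed, and 192.0.2.10 is a documentation address.

```python
import re

# Cipher suites and protocol version as printed in the guide's stunnel.conf listings.
GUIDE_CIPHERS = {
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
}
GUIDE_SSL_VERSION = "TLSv1.2"
# stunnel options that enable peer-certificate checks; the guide's listings set none.
VERIFY_OPTS = {"verify", "verifychain", "verifypeer", "checkhost", "checkip"}

# Constructed sample: the server listing pasted with a wrapped ciphers line.
SERVER_CONF_PASTED = """\
cert = /etc/stunnel/stunnel.pem
ciphers=ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-
SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256
sslVersion = TLSv1.2
client = no
[syslog]
accept=1111
connect=514
"""

# Constructed sample: the client listing as printed, placeholder brackets included.
CLIENT_CONF_AS_PRINTED = """\
cert = /etc/stunnel/stunnel.pem
ciphers=ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256
CAfile = /etc/stunnel/ca-bundle.crt
sslVersion = TLSv1.2
socket = l:TCP_NODELAY=1
client = yes
[syslog]
accept = 127.0.0.1:514
connect = <10.20.179.19>:1111
"""

# Constructed fix: real address in place of the placeholder, plus "verify = 2"
# (legacy option name; stunnel 5.x also offers verifyChain and checkHost).
CLIENT_CONF_FIXED = (CLIENT_CONF_AS_PRINTED
                     .replace("<10.20.179.19>", "192.0.2.10")
                     .replace("client = yes", "client = yes\nverify = 2"))


def parse_stunnel_conf(text):
    """Return (global_opts, {service: opts}); names lower-cased, values as lists."""
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = services.setdefault(section.group(1), {})
            continue
        key, sep, value = line.partition("=")    # split at the first "=" only
        if sep:
            current.setdefault(key.strip().lower(), []).append(value.strip())
        else:                                    # usually the tail of a wrapped value
            current.setdefault("_stray", []).append(line)
    return global_opts, services


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    global_opts, services = parse_stunnel_conf(text)
    findings = [f"line without '=' (wrapped value?): {line}"
                for scope in (global_opts, *services.values())
                for line in scope.get("_stray", [])]
    if not services:
        findings.append("no [service] section defined")
    for name, svc in services.items():
        eff = {**global_opts, **svc}             # service options override global ones

        def get(key):
            return eff.get(key, [""])[-1]

        if get("sslversion") != GUIDE_SSL_VERSION:
            findings.append(f"[{name}] sslVersion is {get('sslversion') or 'unset'}")
        suites = get("ciphers").split(":") if get("ciphers") else []
        if not suites:
            findings.append(f"[{name}] ciphers is unset")
        findings += [f"[{name}] unknown cipher suite name {s!r}"
                     for s in suites if s not in GUIDE_CIPHERS]
        client = get("client").lower() == "yes"
        if client and not VERIFY_OPTS.intersection(eff):
            findings.append(f"[{name}] client mode with no verify option: "
                            "server certificate is not checked against CAfile")
        for key in ("accept", "connect"):
            if not get(key):
                findings.append(f"[{name}] {key} is missing")
            elif "<" in get(key) or ">" in get(key):
                findings.append(f"[{name}] {key} still has placeholder brackets")
        if client and get("accept") and not get("accept").startswith("127.0.0.1:"):
            findings.append(f"[{name}] client accept is not bound to loopback")
    return findings


if __name__ == "__main__":
    for label, conf in (("server", SERVER_CONF_PASTED), ("client", CLIENT_CONF_AS_PRINTED)):
        for finding in audit(conf):
            print(f"{label}: {finding}")
```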

6.6.5.3.2 Configure rsyslog


1. Log in as an administrative user to the data source.
2. Navigate to the /etc directory.
3. Edit the rsyslog.conf file as follows:
a. Open the file in a text editor.
b. Add the following lines after the #### MODULES #### section of the file, as follows:
#### MODULES ####
# CC mods
*.* @@127.0.0.1:514
$ModLoad imfile
# auditd audit.log
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
# End CC mods
c. Locate the line below:
*.info;mail.none;authpriv.none;cron.none; /var/log/messages
d. Change it to:
*.info;mail.none;cron.none;local7.none;authpriv.* /var/log/messages
e. Save and exit the file.
4. Restart rsyslog system services:
• For all appliances except 69xxC and 79xx:
a. Run the following:
# systemctl restart rsyslog.service
b. Verify the service is running:
# systemctl status rsyslog.service
Loaded: loaded (/etc/systemd/system/rsyslog.service; enabled)
Active: active (running) since Fri 2018-08-31 14:40:17 EDT; 5 days ago
• For 69xxC and 79xx appliances:
a. Run the following:
# /etc/init.d/rsyslog restart
b. Verify the service is running:
# ps -ef |grep rsyslog
root 9340 1 0 10:12 ? 00:00:00 /sbin/rsyslogd -c 4

6.6.5.3.3 Test the Syslog Message Forwarding (Optional)

You can optionally test the above configuration now, or wait until all components of the
deployment are set up. When ready, refer to Test and Troubleshoot Syslog Forwarding.

6.6.5.3.4 Customize Log File Management (Optional)

You can optionally customize the rotation cycle and the location of the log files to accommodate
capacity and retention requirements. If desired, follow the procedures in Log File Management.

6.6.5.4 Log File Management


The procedures in this section can optionally be used to mitigate impact of logging and to adjust
file retention according to requirements. The procedures are applicable for either nGeniusONE
or InfiniStream except where noted.

6.6.5.4.1 Modify Log File Location

By default, the log files on nGeniusONE servers and InfiniStream appliances reside in the /var
directory, on the operating system disk. Use this procedure to move them to another disk.

1. Log into either the nGeniusONE server or InfiniStream appliance, as applicable.
2. Stop the indicated services:
# service rsyslog stop
# service stunnel stop
# service auditd stop
3. Create the new log directory:
# cd /opt
# mkdir var
4. Copy the old log contents from the old directory to the new directory
# cd /var
# cp -f -R -p log /opt/var
5. Move the original log folder to a backup name, then create a link from the original location
on the operating system disk to the location on a different disk:
# mv log log.orig
# ln -s /opt/var/log log
6. Restart logging:
# service rsyslog start
# service stunnel start
# service auditd start
7. Repeat this procedure for either nGeniusONE servers or InfiniStream appliances in the
current deployment. 

When you are certain that logging is occurring in the new location, you can remove the log.orig
directory from /var directories.

6.6.5.4.2 Configure Log File Rotation

Linux logs rotate according to settings in /etc/logrotate.conf. Typically, logs are saved for seven
days then deleted from the system and replaced by new log files. Perform these steps to
customize the logging strategy on all the nGeniusONE servers or InfiniStream appliances as
indicated.

1. Log into either the nGeniusONE server or InfiniStream appliance, as applicable.
2. Remove the logging status file:
# rm /var/lib/logrotate.status
3. Edit the logging configuration file:
# vi /etc/logrotate.conf
4. Locate and customize the indicated lines as follows:
# keep 4 weeks worth of backlogs
#weekly
daily
# keep 4 weeks worth of backlogs
#rotate 4
rotate 2
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
compress
5. When configuring this file on 69xx and 79xx model InfiniStream appliances, locate and
comment out the following lines by inserting a # symbol, as indicated below:
# system-specific logs may be also configured here.
#/var/log/messages {
# rotate 12
# daily
# postrotate
# /sbin/service syslog restart
# endscript
#}
#/var/log/stunnel.log {
# rotate 12
# daily
# postrotate
# /bin/kill -HUP `cat /var/run/stunnel.pid 2> /dev/null` 2> /dev/null || true
# endscript
#}
#/var/log/snmptrap.log {
# rotate 12
# daily
# postrotate
# /sbin/service syslog restart
# endscript
#}
6. Save and exit the file.
7. On InfiniStream appliances only:
a. Edit the syslog daemon for log rotation:
# vi /etc/logrotate.d/syslog
8. Add /var/log/messages and /var/log/snmptrap.log to the following line as shown:
/var/log/cron
/var/log/maillog
/var/log/secure
/var/log/spooler
/var/log/messages
/var/log/snmptrap.log
{
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
9. Save and exit the file.
10. Restart logging:
# service rsyslog start
11. Stop the application processes.
• On the nGeniusONE server:
# /opt/NetScout/rtm/bin/stop
• On InfiniStream appliances:
# /opt/NetScout/rtm/bin/stopall

6.6.5.5 Forwarding Alarms / Alerts to a Syslog Server


You can enable the nGeniusONE server to forward all nGeniusONE alerts to the syslog of one or
more remote hosts using the procedure below. The server transmits a syslog protocol message
to a designated port of the remote device whose syslog daemon monitors this port and writes
messages to that server's syslog.

Note: If your deployment requires forwarding of OS-level events (handled separately from
nGeniusONE alarms) refer to the overall steps to Configuring Syslog Forwarding.

To forward alarms and alerts to the syslog of a remote host:


1. To see alerts sent from nGeniusONE to the syslog host, ensure that the destination
system is configured correctly. If necessary, refer to that system's documentation for
instructions.
2. Access the nGeniusONE server command-line as an administrative user.
3. Navigate to the <nGeniusONE install>/rtm/bin directory.
4. Open the serverprivate.properties file with a text editor.
5. Add the following lines:
AlarmForwarder.arcSightSupport=true
syslogHost=<xxx.xxx.xxx.xxx>
where <xxx.xxx.xxx.xxx> is the IP address of the remote server to which you want to
forward alerts. To forward alerts to additional hosts, use commas to separate a maximum
of five IP addresses.
Note: The forwarded alert message can be interpreted using CEF guidelines. Refer to the
example below.
6. (Optional) If you want to use secure syslog, add the following line:
SSLsyslog=true
7. (Optional) The default port on the destination syslog server is 514. To change this port,
add the following line and specify a port:
syslogDestPort=<port>
8. (Optional) The server forwards alerts by trying to create a socket first on port 2223 or, if
unavailable, on the next available port (for example, 2224, 2225 ...). If you want to forward
from a specific port, specify it by adding the following:
syslogSendPort=<port>
9. Save and close the file.
10. For distributed deployments, perform the same procedure on the Global Manager and
every Local Server.


Example alert message


<14>Aug 31 13:59:01 10.20.100.100 CEF:0|NETSCOUT|nGeniusONE|5.5|ASI2x_
THRESHOLD_ALARM|ASI2x_THRESHOLD_ALARM|1|rt=1441054500000
cs1Label=SnmpTrapOid cs1=1.3.6.1.4.1.141.50.2.0.1 cs2Label=DataSource
cs2=1.3.6.1.2.1.2.2.1.1.0 dvc=10.20.100.100 cn1Label=Threshold cn1=0
cn2Label=Value cn2=710923 cn3Label=Interval cn3=300
cs3Label=DataSourceName cs3=10.20.100.100 cs4Label=URL
cs4=http://10.20.100.100:8080/console/?modID=idsitroom&modMsg=alertId:1-
346 msg=(ASI2xThresholdAlarm)Total Bit Rate for Aggregated Service:AQQ_
S2Agg has exceeded the config threshold over a 5 minute period
(threshold = 0.1 bits/sec; last delta = 710.9 Kb/sec; # of occurrences
= 1) externalId=1-346 app=null cs5Label=RouterAdderess cs5=10.20.100.100
cs6Label=Metric cs6=totalAppBitRate

Message fields

CEF Event Field    Vendor-specific Event Data
CEF Version        0
Device Vendor      NETSCOUT
Device Product     nGeniusONE
Device Version     5.5
Signature          ASI2x_THRESHOLD_ALARM
Name               ASI2x_THRESHOLD_ALARM
Rt                 rt=1441054500000 (trap uptime/alarm trigger time in milliseconds)
cs1                SnmpTrapOid
cs2                DataSource
dvc                Device IP Address
cn1                Threshold
cn2                Value
cn3                Interval
cs3                DataSourceName
cs4                URL
msg                Alert description
externalID         Server ID - Alert ID
app                Application
cs5                Router Address
cs6                Metric
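
A receiver that indexes these alerts has to handle two details visible in the example message: the cs4 URL and the msg text both contain unescaped "=" characters, and the csN/cnN values only become meaningful once paired with their Label fields. The parser below is an added example, not NETSCOUT code; its sample line is constructed from the example above (shortened and joined onto one line), and reading rt as milliseconds since the Unix epoch follows the CEF convention and is an assumption here.

```python
import re
from datetime import datetime, timezone

HEADER = ("cef_version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
# An extension key starts the string or follows whitespace and is directly followed
# by "=". This leaves "?modID=..." inside a URL and "threshold = 0.1" inside msg alone.
KEY_RE = re.compile(r"(?<!\S)([A-Za-z]\w*)=")
LABEL_RE = re.compile(r"^(c[sn]\d)Label$")

# Constructed sample, modelled on the guide's example alert.
SAMPLE = (
    "<14>Aug 31 13:59:01 10.20.100.100 CEF:0|NETSCOUT|nGeniusONE|5.5|"
    "ASI2x_THRESHOLD_ALARM|ASI2x_THRESHOLD_ALARM|1|rt=1441054500000 "
    "cs1Label=SnmpTrapOid cs1=1.3.6.1.4.1.141.50.2.0.1 dvc=10.20.100.100 "
    "cn1Label=Threshold cn1=0 cn2Label=Value cn2=710923 cs4Label=URL "
    "cs4=http://10.20.100.100:8080/console/?modID=idsitroom&modMsg=alertId:1-346 "
    "msg=(ASI2xThresholdAlarm)Total Bit Rate has exceeded the config threshold "
    "(threshold = 0.1 bits/sec; # of occurrences = 1) externalId=1-346 app=null"
)


def _unescape(value):
    """Undo CEF escaping inside a value: \\= \\| \\\\ and \\n / \\r."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _number(value):
    """cnN fields carry numbers; fall back to the raw string if they do not parse."""
    try:
        return float(value) if "." in value else int(value)
    except ValueError:
        return value


def split_header(cef):
    """Split the seven pipe-delimited header fields; a backslash escapes '|'."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < len(HEADER):
        if cef[i] == "\\" and cef[i + 1:i + 2] in ("|", "\\"):
            buf.append(cef[i + 1])
            i += 2
            continue
        if cef[i] == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(cef[i])
        i += 1
    if len(fields) < len(HEADER):
        raise ValueError("truncated CEF header")
    return dict(zip(HEADER, fields)), cef[i:]


def parse_extension(ext):
    """Each value runs from its key up to the next key, so it may contain spaces."""
    matches = list(KEY_RE.finditer(ext))
    fields = {}
    for match, nxt in zip(matches, matches[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        fields[match.group(1)] = _unescape(ext[match.end():end].strip())
    return fields


def parse_alert(line):
    """Parse one syslog line carrying a CEF alert into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload")
    header, ext_text = split_header(line[start + 4:])
    ext = parse_extension(ext_text)
    named = {}
    for key, label in ext.items():               # fold cs1Label/cs1 into {label: value}
        slot = LABEL_RE.match(key)
        if slot and slot.group(1) in ext:
            value = ext[slot.group(1)]
            named[label] = _number(value) if slot.group(1).startswith("cn") else value
    event = {**header, "extension": ext, "named": named}
    pri = re.match(r"<(\d{1,3})>", line)          # syslog PRI = facility * 8 + severity
    if pri:
        event["facility"], event["syslog_severity"] = divmod(int(pri.group(1)), 8)
    if ext.get("rt", "").isdigit():               # assumption: epoch milliseconds
        event["rt_utc"] = datetime.fromtimestamp(
            int(ext["rt"]) / 1000, tz=timezone.utc).isoformat()
    return event


if __name__ == "__main__":
    alert = parse_alert(SAMPLE)
    print(alert["signature_id"], alert["named"], alert["rt_utc"])
```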

6.7 Working with Backups


NETSCOUT recommends that you back up your server database on a regular basis to prevent
loss due to power outage, abnormal shutdown, disk or system failure, or other unpredictable
events. You can use the Server Management utility to configure and schedule backups. Refer to
online help topics for guidance using Server Management to schedule backups.

See these sections:

• 6.7.1 Creating a Blank Database with Existing Configurations
• 6.7.2 Restoring from a Full Backup

6.7.1 Creating a Blank Database with Existing Configurations


A configuration backup saves your configuration settings such as devices, physical interfaces,
Global Settings, user preferences, and custom protocols.

You might want to restore configuration settings if:

• You want the same configuration settings on another server.
• You want to re-initialize the database without re-entering the configuration settings.

Caution: The following process restores your configuration settings only, not data. It creates
a new blank database. Contact Customer Support if you have any questions or need
assistance before using the following procedure.

To create a blank database using backed up configuration files:


1. Stop the nGeniusONE Server.
2. Access the operating system command line and navigate to the <nGeniusONE
install>/rtm/database directory.
3. Execute dbreload.sh followed by the location of the datafiles_<date> directory. The
datafiles_<date> directory resides in the directory you specified when setting up the
configuration data backup, or the default (<nGeniusONE install>/database/config-backup).
Example:
# ./dbreload.sh /mybackups/datafiles_030206
The dbreload command creates a new blank database in the <nGeniusONE
install>/rtm/database directory.
4. To determine the status, run tail on the <nGeniusONE
install>/rtm/database/postgresql/pg_log/postgresql-<dayofweek>.log file and monitor for
the following message: 
LOG: database system is ready to accept connections
5. After the database is successfully restored, stop the database by executing dbstop
command from the <nGeniusONE install>/rtm/bin directory.
6. Start the nGeniusONE Server. Your system has a blank database with the configuration
settings that you had saved in the configuration backup.

6.7.2 Restoring from a Full Backup


Use this procedure to restore data and configuration information from the last-completed full
backup.

Note: Because a database failure can result from disk-related errors, you must verify that the
system disk has no errors prior to restarting the nGeniusONE Server.

1. Stop the parent server and all associated child servers. Ensure that all nGeniusONE
processes have stopped.


2. Locate your backup files. (You defined the path when you set up the original backup.)
Within the defined path, locate the <nGeniusONE install>/rtm folder. Note that the
examples throughout this procedure assume the backup path is "/home/full-bkup";
replace this portion with the path for the backup on your own server. Example:
/home/full-bkup/NetScout/rtm.
3. Access the operating system command line and navigate to the <nGeniusONE install>/rtm
directory.
4. Copy the appropriate backup files from the backup location in Step 2 to the <nGeniusONE
install>/rtm directory.
# cp /home/full-bkup/NetScout/rtm/* <nGeniusONE install>/rtm
5. Ensure ownership of the copied files is ngenius:ngenius (for simplicity, this command can
be used for the whole folder):
# chown -R ngenius:ngenius <nGeniusONE install>/rtm/
6. For the configuration restore:
a. Locate the backup directory with configuration files. Example:
/home/full-bkup/NetScout/rtm/database/config-backup/datafile*latest/
b. Copy those configuration data files to <nGeniusONE install>/rtm/nsaapp/config, using
the dbreload command:
# ./dbreload.sh /home/full-bkup/NetScout/rtm/database/config-backup/datafile*latest/
c. Start the database by executing the dbstart from the <nGeniusONE install>/rtm/bin
directory. The following message displays:
Please wait while starting the nGeniusONE Server database...
d. To determine the restore status, run tail on the <nGeniusONE
install>/rtm/database/postgresql/pg_log/postgresql-<dayofweek>.log file and monitor
for the following message: 
LOG: database system is ready to accept connections
e. After the database is successfully restored, stop the database by executing dbstop
command from the <nGeniusONE install>/rtm/bin directory.
7. Start the nGeniusONE Server.

6.8 Converting Servers


In the course of maintaining your deployment, you may encounter the need to convert a server
from one function to another. This chapter provides guidance for some of these cases. If your
specific requirement is not addressed, contact Customer Support for assistance.
• Changing Server Types (Global Manager and Standalone)
• Converting Secondary Servers
• Converting Standby Servers
• Testing Standby Conversion

6.8.1 Converting nGeniusONE Servers


In the course of maintaining your deployment, you may encounter the need to convert a server
from one function to another. The procedure below can be used to convert nGeniusONE
server types for distributed cluster configurations and is applicable for Global
Managers and Standalone Servers. A separate procedure is required for conversion of Standby
servers; refer to Converting a Standby to a Primary Server.

Important: This procedure makes use of a tool that is intended for use by qualified support
personnel only. Improper use of this tool may result in a loss of data. If needed, contact
Customer Support for guidance before performing these steps. NETSCOUT recommends
making a backup before making modifications.

Before you Begin

Review the following before you begin the procedure below.


• If you are converting Standby Servers:
A separate procedure is required. Refer to Converting a Standby to a Primary Server.
• If you are converting a Standalone or Local Server to a Global Manager:
The data from the converted server remain intact and are stored on and managed by the
Local Server that is automatically then enabled on the Global Manager system.
• If you are converting from a Global Manager to a Standalone:
  ◦ Data in the Global Manager database remain intact after the conversion process. All
  devices owned by the Global Manager prior to the conversion become owned by the
  Standalone nGeniusONE Server.
  ◦ Before converting the Global Manager to a standalone system, you must remove all
  Local Servers from the Global Manager to avoid corruption of the distributed server
  environment.

Procedure
1. Access the system command-line as the root user. If you have logged in as a different user
and assumed privileges with su, be sure to use su -l <root account> so that the full
environment is instantiated before you proceed.
2. For a Global Manager to Standalone conversion, do the following steps in Server
Management before you proceed to the next step:
• Access Server Management on the Global Manager and remove any of the remote
  child / local servers that are managed by this server. This excludes the local server
  residing directly on the Global Manager.
• If any of the child servers are NOT RUNNING, you must enable them to ensure they
  properly disassociate from the Global Manager when you remove them.
3. Navigate to the <nGeniusONE install>/rtm/bin directory.
4. Ensure the nGeniusONE Server processes are running. If not, then start them.
5. Start the Server Map utility: 
 # ./nstool.sh com.netscout.database.util.ServerTool
The following menu options display:

    1. Change Server Type
    2. Display the Server Map Table
    3. Export Server Map Table
    4. Import Server Map Table
    5. Erase Server Map Table
6. Enter option 1 (Change Server Type).
    0. Return to Previous
    1. Set SERVER_TYPE to Standalone Server
    2. Set SERVER_TYPE to (Distributed) Local Server
    3. Set SERVER_TYPE to (Distributed) Global Manager
    q. to Quit
7. Select the menu option corresponding to the type of server you want to change this one
to. For example, to change a Global Manager to a Standalone, select option 1 (Set
SERVER_TYPE to Standalone).
    >1
    OLD Server Type: SERVER_TYPE="Global Manager"
    NEW Server Type: SERVER_TYPE="Standalone Server"
    Warning: this will erase the Server_Map Table ('Y' to Continue)>y
    OLD Server Type : SERVER_TYPE="Global Manager"
    NEW Server Type : SERVER_TYPE="Standalone Server"
    client.properties Binding Name set to:
    ServiceManagerBindingName=ServiceManager
    Stored password is Encrypted in Version2
    Standalone Server found
    Standalone ID is 1
    New Entry Added to Server Map Table for IP : 10.20.160.14
    -----------------------------------------------------------------
    This option will set the server type in the Server Startup files
    and make all Required changes to to the Server_Map table.
    Select Item from Menu
    0. Return to Previous
    1. Set SERVER_TYPE to Standalone Server
    2. Set SERVER_TYPE to (Distributed) Local Server
    3. Set SERVER_TYPE to (Distributed) Global Manager
    q. to Quit
    >
8. If you converted from Global Manager to Standalone Server, select 0 to return to the
previous menu and clear the Server Map table. Use 0 to return to the main menu, then option
5 to erase the map table. Respond with Y to confirm erasing the table.
Example:
    Select Item from Menu
    0. Return to Previous
    1. Set SERVER_TYPE to Standalone Server
    2. Set SERVER_TYPE to (Distributed) Local Server
    3. Set SERVER_TYPE to (Distributed) Global Manager
    q. to Quit
    >0
    -----------------------------------------------------------------

    Select Item from Menu
    1. Change Server Type
    2. Display the Server Map Table
    3. Export Server Map Table
    4. Import Server Map Table
    5. Erase Server Map Table
    >5
    Warning: this will erase the Server_Map Table ('Y' to Continue)>y
    Server Map Table has been Erased.
    -----------------------------------------------------------------
    Select Item from Menu
    1. Change Server Type (ie. Local, Standalone, Global Manager)
    2. Display the Server Map Table
    3. Export Server Map Table
    4. Import Server Map Table
    5. Erase Server Map Table
    q. to Quit
    > q
9. (Windows platforms only). When you change the server type, you must run the following
script to reconfigure required services:
# <nGeniusONE install>\rtm\bin\InstallnGeniusService.bat
10. Restart the nGeniusONE Server. The server map table is rebuilt during the startup
process.
11. If you converted from a Standalone to a Global Manager, you can now add child servers to
it, using the Server Management utility.

6.8.2 Converting a Secondary Server to a Primary Server


For servers such as nGenius Session Analyzer or nGenius Subscriber Cache that have a
Secondary Server added to provide load balancing, you can use this procedure to convert the
function of the two servers. Although this is similar in behavior to converting a Standby server,
the function of the Secondary is not the same.

6.8.2.1 GUI-based Conversion


1. From the console of the Primary server, access the Server Management module.
2. From the Servers tab, select the Secondary server you want to promote to a Primary role.
The Secondary Server must be running.

3. From the Server Operations drop-down menu, select the option for Convert to Primary.

A dialog box displays, as below.

4. Verify the IP Address presented in this dialog box before proceeding to the next step. If
the correct IP Address is listed, click Yes.
5. When the conversion completes, a message box displays instructing you to refresh the
clients. Click OK to acknowledge the message. The list displays with the same server
names but the IP Addresses for the Primary and Secondary have been swapped, as shown
below.

6. Ensure your users log out and back in. There is no need to restart servers for this
procedure.

6.8.2.2 Command-line Conversion


This method can be used to swap the function of a Secondary and Primary server pair, but must
be performed on both servers that are already set up as a pair.

1. Open a PuTTY window to the Primary Server and log in as the root user.
2. Navigate to the bin folder. For example:
# cd /<nGenius Session Analyzer install>/rtm/bin
3. Stop the server processes.
4. Verify all processes are stopped:
# ./PS
The output of this should only be the Xvfb process. If any other nGeniusONE processes
display, run the ./stop command again, or kill the processes.
5. Change to user ngenius with: su - ngenius. This is required to run the next script.
6. Re-navigate to the executable directory:
-bash-4.1 $ cd /<nGenius Session Analyzer install>/rtm/bin
7. Run the script below to change the role of the current server to the opposite of its current
role.
# ./convertsecondaryglobaltoprimaryglobal.sh
The conversion procedure runs and completes, after which the command prompt
displays.
8. Exit the shell for the ngenius user so that you are now the root user.
9. Start the server processes.
10. Repeat this procedure on the Secondary server.

You can now log into it as the primary server. The data that is reported as being under the name
of the primary continues to be reported with that server's alias, even though the IP address is
now that of the original secondary server.

6.8.3 Converting a Standby to a Primary Server


For deployments that include a Standby Server, you can use the procedures below to convert a
Standby Server to assume the primary role, should that primary server become inoperable. The
procedure to use differs based on the nature of your deployment.

Important: Review the following notes before converting your server:


• If you are converting the Standby Server to test your recovery procedure, refer instead
  to: Testing the Standby Server.
• The GUI method is supported for converting the Standby Server for a remote Local
  Server that is managed by a Global Manager. It is not applicable to convert Standbys
  associated with the Local Servers located on the Global Manager itself, or with
  Standalone nGeniusONE Servers or Dedicated Global Servers.
  The manual method is required for Standalone Servers, Global Managers, and
  Dedicated Global Managers, and can also be used for remote Local Servers.
• No further Standby replication occurs until you reconfigure Primary and Standby
  Servers. (For example, until you add a Standby server to the converted server.) The
  converted server uses replicated configuration data to resume normal polling and
  logging activities.
• If you enabled access list security on an InfiniStream appliance, child server, or other
  network device, be sure to add the Standby Server IP address to the list. If it is not
  included, the device will not respond to the Standby Server when it is functioning as a
  primary server. For more information about access lists, refer to the Agent
  Configuration Utility Administrator Guide.
• After you convert a Standby Server to a primary server, the original primary server
  (which should be offline or disabled if you are performing this task) should no longer
  display in the Server Management interface. The original alias name of the primary
  server is displayed, but with the IP address of the Standby Server.
• If the original primary server comes back online, do not re-add it to the distributed
  cluster. Stop the nGeniusONE server processes and contact Customer Support for
  assistance.
• If you miss one of the steps in the conversion process, contact Customer
  Support for assistance to correctly configure names and IP addresses.

6.8.3.1 GUI-based Conversion


This method is enabled only when you are logged in to a Global Manager or Dedicated Global
Manager and have selected a Standby server attached to a remote Local Server. Use of the GUI
is not applicable when you are converting a Standby that supports the head of a cluster. Use the
Manual method (above) for those cases.

Note: If you are converting the Standby Server to test your recovery procedure, instead, refer
to: Testing the Standby Server.

1. From the nGeniusONE Console, on the Global Manager or Dedicated Global Manager,
access the Server Management module.

2. From the Servers tab, locate the Local Server with the Standby Server you want to
promote to a Primary role. Select the Standby Server that you want to promote to primary.
The Standby Server must be running and must be associated with a remote child server.

3. If you have selected a supported server type, the Server Operations drop-down menu
option for Convert to Primary is enabled. Select that option.

A dialog box displays, as below.

4. Verify the IP Address presented in this dialog box before proceeding to the next step. Do
not click the Failback option; it is used only for testing purposes and is not applicable
when you need the Standby to truly assume the role of its primary server.
If the correct IP Address is listed, click Yes.
5. When the conversion completes, a message box displays instructing you to restart the
converted server. Click OK to acknowledge the message.
6. Restart the server(s).

6.8.3.2 Command-line Conversion


This method is the only one that can be used to convert Standby Servers for Standalone Servers,
for Global Managers, and Dedicated Global Managers. It can also be used to convert Standby
Servers for remote Local Servers.

Note: If you are converting the Standby Server to test your recovery procedure, instead, refer
to: Testing the Standby Server.

1. Open a PuTTY window to the Standby Server and log in as the root user.
2. Navigate to the bin folder.
# cd /<nGeniusONE install>/rtm/bin
3. Stop the nGeniusONE server processes.
4. Verify all processes are stopped:
# ./PS
The output of this should only be the Xvfb process. If any other nGeniusONE processes
display, run the ./stop command again, or kill the processes.
5. Change to user ngenius with: su - ngenius. This is required to run the next script.
6. Re-navigate to the executable directory:
-bash-4.1 $ cd /<nGeniusONE install>/rtm/bin
7. Run the script below and specify the IP Address of the server you want to become the
primary:
# ./convertstandbytoprimary.sh <Standby Server IP address> true
The conversion procedure runs and completes, after which the command prompt
displays.
8. Exit the shell for the ngenius user so that you are now the root user.
9. Start the nGeniusONE server processes.

You can now log into it as the primary server. The data that is reported as being under the name
of the primary continues to be reported with that server's alias, even though the IP address is
now that of the original standby server.

6.8.4 Testing the Standby Server Conversion


You can test the Standby Server to be sure that it is operating correctly by converting the
Standby to Primary (as long as the server licenses are compatible) and then reversing the
process to reconvert the servers to their original configuration. When you convert a server using
the failback mode indicated in this procedure, the roles of the Primary and Standby Server are
reversed with no data loss. The steps are repeated with the opposite IP address to revert the
conversion.

Note:
• Although a GUI-based method is available for certain configurations, the manual
  method is supported for all standby configurations so is most suitable for testing
  standby conversion.
• This procedure is intended for testing and presumes both the Primary and Standby
  servers are online and running normally.
• This procedure is applicable for these server types:
  ◦ Local Server (remote as well as the Local Server located on a Global Manager or
    Dedicated Global Manager)
  ◦ Standalone nGeniusONE Server
  ◦ nGenius Configuration Manager

Syntax

This procedure uses a script with the following syntax:

convertstandbytoprimary.sh <standby server ip address> true

where

<standby server ip address> is the address of the standby server that you want to become
the primary server

Procedure
1. Open a PuTTY window to the Primary Server and its associated Standby Server that you
plan to test. Place them side by side on your monitor.
2. In both windows, log into the operating system command line as the root user.
3. In both windows, navigate to the bin folder.
# cd /opt/NetScout/rtm/bin
4. In both windows, stop the nGeniusONE server processes:
# ./stop
5. In both windows, verify all processes are stopped:
# ./PS
The output of this should only be the Xvfb process. If any other nGeniusONE processes
display, run the stop command again, or kill the processes.
6. In both windows, switch to the ngenius user and instantiate the environment:
# su - ngenius
bash-4.1$ 
Use the - option with this command. You will now be in the install folder for your server
software (/opt/NetScout, by default) and a new shell command prompt displays.
7. In both windows, ensure you are in the bin folder.

bash-4.1$ cd /opt/NetScout/rtm/bin
8. In both windows, run the script and specify the IP Address of the server you want to
become the primary:
bash-4.1$ ./convertstandbytoprimary.sh <Standby Server IP address> true
The conversion procedure runs and completes, after which the command prompt
displays.
9. Exit the ngenius user shell and return to the root user shell:
bash-4.1$ exit
logout
#
Restart the nGeniusONE server processes on both servers as the root user:
# ./start
10. To verify the changes, do one of the following:
• Verify in Server Management:
Access Server Management from the nGeniusONE Console on the Standby server. The
Servers tab shows a row for each of the Primary and Standby servers, with the original
hostnames, but the IP addresses are swapped.
Example:
If you had started with the following configuration:

Server              IP Address       Type
GlobalManager1      10.20.100.161    Global
LocaltoMyGlobal1    10.20.100.161    Local
BostonPrimary       10.20.48.230     Local
BostonStandby       10.20.50.216     Standby
PlanoPrimary        10.20.160.14     Local
PlanoStandby        10.20.160.44     Standby

Then, if you were testing conversion for BostonStandby to BostonPrimary, and
had run the command ./convertstandbytoprimary.sh 10.20.50.216 true
on both servers, the Server list should now appear as below (Note that the server
names are unchanged; only the IP Addresses are changed).

Server              IP Address       Type
GlobalManager1      10.20.100.161    Global
LocaltoMyGlobal1    10.20.100.161    Local
BostonPrimary       10.20.50.216     Local
BostonStandby       10.20.48.230     Standby
PlanoPrimary        10.20.160.14     Local
PlanoStandby        10.20.160.44     Standby

• Verify manually:
On each server, open the file below:
<nGeniusONE install>/rtm/database/configxml/xml/server_map.xml
Locate the name of the primary server you are testing. The <server_config> block
below that will have an <address> block with the IP address of the Standby Server you
tested. Given the example above, you would see:
<server_info>
    <id>1</id>
    <name>BostonPrimary</name>
    <type>Local</type>
    <status>UP</status>
    <master>0</master>
    <Time_Zone>US/Eastern</Time_Zone>
    <registryBindnigName>ServiceManager</registryBindnigName>
</server_info>
<server_config>
    <address>10.20.50.216</address>
    <port>8080</port>
    <protocol>HTTP</protocol>
</server_config>

This test ran the script on the Primary server, which is not typical for a real scenario in
which the primary server has failed. This allows you to see both servers and leave them
running and part of the cluster rather than having them competing to both be the Primary
server. Because the settings were changed on both servers, you should now also see the
Standby Server's name with the IP Address of the original Primary server.
11. To revert the sequence and restore the servers to their original Primary and Standby roles:
a. In windows to both servers, still logged in as the user root, stop the nGeniusONE
server processes and verify they are stopped:
# ./stop

# ./PS
b. In both windows, switch to the ngenius user and instantiate the environment, then
navigate to the bin directory:
# su - ngenius
bash-4.1$ 
bash-4.1$ cd /opt/NetScout/rtm/bin
c. Now, in both windows, run the script and specify the IP Address of the server you want
to become the primary. In this case, use the address of the current standby server,
which you had just changed from primary to standby and now want to revert it to
primary again:
# ./convertstandbytoprimary.sh <Current Standby Server IP address> true
The conversion procedure runs and completes, after which the command prompt
displays.
d. Exit the ngenius user shell and restart the nGeniusONE server processes on both
servers:
bash-4.1$ exit
logout
#
# ./start

If you miss one of the steps in the conversion process, contact Customer Support
for assistance to correctly configure names and IP addresses.
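
The manual verification in step 10, applied to the server_map.xml taken from both servers, as an added example (not NETSCOUT code). The page shows only the <server_info>/<server_config> pair, so the <server_map> root element, the "Standby" type value, and the sample file contents are constructed assumptions; the addresses come from the example above.

```python
"""Check server_map.xml on both servers after a standby conversion test."""
import xml.etree.ElementTree as ET

# Addresses before the test, from the example Server Management list on this page.
BEFORE = {
    "BostonPrimary": "10.20.48.230",
    "BostonStandby": "10.20.50.216",
    "PlanoPrimary": "10.20.160.14",
    "PlanoStandby": "10.20.160.44",
}


def build_sample(entries):
    """Build constructed sample XML; the <server_map> root is an assumption."""
    parts = ["<server_map>"]
    for name, kind, ip in entries:
        parts.append(
            f"<server_info><name>{name}</name><type>{kind}</type></server_info>"
            f"<server_config><address>{ip}</address><port>8080</port>"
            "<protocol>HTTP</protocol></server_config>"
        )
    parts.append("</server_map>")
    return "".join(parts)


# Constructed: file contents on a server where the conversion script ran.
SWAPPED_XML = build_sample([
    ("BostonPrimary", "Local", "10.20.50.216"),
    ("BostonStandby", "Standby", "10.20.48.230"),
    ("PlanoPrimary", "Local", "10.20.160.14"),
    ("PlanoStandby", "Standby", "10.20.160.44"),
])
# Constructed: file contents on a server where the script was skipped.
STALE_XML = build_sample([
    ("BostonPrimary", "Local", "10.20.48.230"),
    ("BostonStandby", "Standby", "10.20.50.216"),
])


def load_server_map(xml_text):
    """Return {server name: fields}, with 'address' taken from <server_config>.

    Each <server_info> is paired with the <server_config> that follows it in
    document order, so the result does not depend on how the pairs are wrapped.
    """
    servers, current = {}, None
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag == "server_info":
            current = {child.tag: (child.text or "").strip() for child in elem}
        elif elem.tag == "server_config" and current is not None:
            current["address"] = (elem.findtext("address") or "").strip()
            servers[current.get("name", "")] = current
            current = None
    return servers


def check_swap(before, after, primary, standby):
    """Return a list of findings; an empty list means the swap is consistent.

    before: {name: ip} as listed in Server Management before the test.
    after:  load_server_map() result for one server's server_map.xml.
    """
    findings = [f"{name}: missing from server map"
                for name in (primary, standby) if name not in after]
    if findings:
        return findings
    # Names stay the same; only the two addresses trade places.
    expected = {primary: before[standby], standby: before[primary]}
    for name, ip in expected.items():
        actual = after[name]["address"]
        if actual != ip:
            findings.append(f"{name}: address is {actual}, expected {ip}")
    if after[primary]["address"] == after[standby]["address"]:
        findings.append(f"{primary} and {standby} share one address")
    # Servers outside the tested pair must keep their addresses.
    for name, ip in before.items():
        if name in expected or name not in after:
            continue
        if after[name]["address"] != ip:
            findings.append(f"{name}: address changed to {after[name]['address']}")
    return findings


if __name__ == "__main__":
    # In practice, read each server's server_map.xml instead of the samples.
    for label, xml_text in (("primary", SWAPPED_XML), ("standby", STALE_XML)):
        problems = check_swap(BEFORE, load_server_map(xml_text),
                              "BostonPrimary", "BostonStandby")
        print(label, "OK" if not problems else problems)
```

A non-empty result on either server means the two maps disagree about the pair, which is the condition the closing note above says to take to Customer Support.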

6.9 Working with Licenses


After you have set up your NETSCOUT deployment, you may need to obtain and install licenses.
Review the following sections to understand whether you require a license and, if so, the steps to
obtain and install it.
• Understanding License Types and Options
• Monitored Elements Supported per License
• Register Key to Generate License
• Installing the License (after installation)

6.9.1 Understanding License Types and Options


nGeniusONE server licensing options enable specific features as well as the number of
monitoring interfaces that can be associated with that server. In the descriptions below, "pack"
refers to the count of interfaces allowed per license type. For example, a 10 pack software option
license enables up to 10 interfaces from any number of monitoring data sources to be
associated with the managing server.

Note: Licensing is not required for nGenius Configuration Manager servers.

The following license types are applicable to nGeniusONE Servers:

• Evaluation: This time-based license requires a generated serial number (based on the
  software option code) and password, and a date reflecting the duration of the license.
  When your evaluation is complete, you can remove this key and install a Permanent
  license.
• Permanent: This type of license requires a generated serial number (based on the
  software option code) and password, and a Host ID based on the MAC or IP address of the
  component. Since the key is locked to the specific hardware, only install a permanent
  license when you are ready to deploy in a production environment.
• Incremental: This license type supplements a permanent license to increase the number
  of supported streams or interfaces. For nGeniusONE, incremental licensing is supported
  for the 50-pack (225) option only, and upgrades for nGeniusONE-5, -10, and -25 license
  options are to the nGeniusONE-50 option.
• Standby: License for a backup, failover server. For nGeniusONE, standby is supported for
  the 50-pack (225) option only, but standby options vary and are available at other levels for
  other products.
• Options: See below for details on common license codes and options.

The following sections contain license type exceptions and nuances that may be applicable to
your deployment. Contact your NETSCOUT representative for additional guidance, if needed.

Omnis 5G Adaptor
The Omnis 5G Adaptor for InfiniStreamNG instrumentation provides 5G processing support to
InfiniStreamNG instrumentation devices. This module is licensed per instrumentation class in
packs of 1, 5, or 25 for the 1-socket or 2-socket options for InfiniStreamNG or vSTREAM vCPU
blocks.

Cloud Adaptor Smart Edge Monitoring


This license enables Smart Edge Monitoring for InfiniStreamNG, Remote ISNG, and vSTREAM,
and is supported for nGeniusONE.

Available in license packs of 10, 50, and 100. Incremental licensing is supported for these
stackable options. Apply this central license on an nGeniusONE Global Manager, Dedicated
Global Manager, Standalone, or nGenius Configuration Manager. Standby licenses are included.

Do not apply this license on a Local Server in a Global deployment. To reprovision a device
after a license is attached, you must remove the device association with the modify operation.

The Cloud Adaptor is not supported for NETSCOUT CyberStream.

Omnis Cyber Adaptor Support for ISNG


This license uses socket-based licensing to enable InfiniStreamNG to communicate and feed
Omnis Cyber Investigator for security purposes. Remote InfiniStreamNGs are also supported.
Omnis Cyber Adaptor licenses include these categories:
• One- and two-socket InfiniStreamNG devices
• Remote InfiniStreamNGs

Available in license packs of 1 and 5. Incremental licensing is supported for these stackable
options. Apply this central license on an nGeniusONE Global Manager, Dedicated Global
Manager, Standalone, or nGenius Configuration Manager. Standby licenses are included.

Do not apply this license on a Local Server in a Global deployment. To reprovision a device
after a license is attached, you must remove the device association with the modify operation.

The Omnis Cyber Adaptor does not support nGenius Collector, vSTREAM virtual appliance, or
vSTREAM Agent.

ISNG RAN
License options are available for 1k, 10k, and 50k cells. Additionally, license options are available
for nGenius ASI Stream/nBA RAN Session Record Export. Incremental licensing is supported for
these stackable options.

For more information, refer to the Radio Access System Compliance Document.

nBA RAN Analytics


License options are available in packs of 1, 10, 50 for 1K, 10K, and 50K cells. Incremental licensing
is supported for these stackable options.

nGenius Collector Virtual Appliance


These codes are applicable for use only on a server configured with an nGenius for Flows
license. Each pack equates to one collector, so a 5 pack allows 5 collectors to be added to an
nGenius for Flows server.

nGeniusONE Server Type I


nGeniusONE Server Type 1 servers may support nGenius UC Server and Global Manager
functionality.

If running nGeniusONE without Performance Manager on a 16 GB 4 CPU system, you must use
license option 222 or 308. nGeniusONE OVA (VMware) images use the 16GB 4 CPU option by
default. Fresh installs of nGeniusONE may also run on a 16 GB 4 CPU system.

nGenius Session Analyzer


Type 1 license options are available in packs of 10, 25, and 50. Incremental licensing is supported
for these options, and these licensing options are stackable. Each server instance (Primary or
Secondary) requires an interface license be installed.

Note: nGenius Session Analyzer supports the vSTREAM virtual appliance. The Type 1 licensing
of the vSTREAM virtual appliance for nGenius Session Analyzer is similar to that of nGeniusONE
and nGenius Business Analytics, where 8 vCPUs are one Type 1 interface. See vSTREAM virtual
appliance documentation for more information about vSTREAM virtual appliance licensing.

See also nGenius Session Analyzer Servers and License Distribution.

nSA RAN
The nSA RAN license grants nGenius Session Analyzer access to ISNG RAN probes and includes
1K, 10K, or 50K cell counts. The authenticating nGenius CM server enforces this global license
that controls display of ISNG RAN probes and their sessions in nGenius Session Analyzer. If any
one of the three nSA RAN licenses exists, the authenticating nGeniusONE or nGenius
Configuration Manager provides the ISNG RAN probes for nGenius Session Analyzer to list in the
probe selection pane.

nGenius Session Analyzer requires an nSA RAN license to show ISNG RAN probe content from a
TrueCall or nGenius TrueCall drill. If there is no nSA RAN license, the drill to nSA yields no
relevant sessions since ISNG RAN probes are not searched without the license.

Apply this license on the authenticating nGenius CM or nGeniusONE server. nGenius
Session Analyzer does no additional Type 1 check or enforcement on these RAN probes. If the
probes are listed in the nGenius Session Analyzer probe selection based on the nGenius CM
license check, then users can select and get records.

Note: There is no RAN-specific license based on cell counts for nGenius Subscriber
Cache/SCS. SCS uses Type 1 licenses. When an SCS user searches currently supported cached
subscriber digits, the retrieved content from the core is multi-protocol-correlated with ISNG
RAN content if the related nGenius Session Analyzer has an nSA RAN license.

PFS Monitor
A 2500-pack license allows a total of 2500 ports across different Packet Flow Operating System
(PFOS) devices. Install this centralized license on nGenius Configuration Manager and share with
all attached servers. Incremental licensing is supported for these options.

The former 50-pack licenses for PFS and PFS Standby, 400 and 401, are obsolete. Please
talk to your account team to convert your existing license to a 2500-pack license.

Subscriber Cache Server (SCS)/nGenius Subscriber Cache


Type 1 license options are available in packs of 10, 25, and 50. Incremental licensing is supported
for these options, and these licensing options are stackable. Each server instance (Primary or
Secondary) requires an interface license be installed.

vSTREAM virtual appliance / vSTREAM virtual appliance Agent / vSTREAM Agent / vSCOUT
Refer to the respective Installation Guide and Release Notes for these products for guidance on
these licenses.

6.9.2 Monitored Elements Supported per License


Each license assigned to a single nGeniusONE Server (standalone, Local Server, or Global
Manager) accommodates a specific number of devices and interfaces.

To increase the number of elements you can monitor, you can purchase an additional license.

If you are upgrading from a previous software version or if you are importing devices from
another product, ensure that your license accommodates the required number of monitored
elements.

6.9.2.1 Viewing Interface Numbers and Limits


You can view interfaces on a device by navigating to Device Configuration and double-clicking the
device.

6.9.2.2 Determining License Type and Software Version


License and version information is useful if you need to contact NETSCOUT SYSTEMS Customer
Support. You can access licensing information in Server Management.

6.9.3 Register Key to Generate License


For servers that do not have the license pre-installed, use the following instructions to register
your evaluation or purchased software product and generate a license for use during the setup
process.

Note:
• For an overview of license types, refer to Understanding License Types and Options.
• To register the software using a virtual IP address, the IP address must be bound to the
  server you are licensing.
• You need the registration key, from your product order/Registration Coupon, to
  generate a license.

Use the procedure below for each of the coupons you have received:

1. Locate all Registration Coupons for which you need to generate licenses.
2. Access your MasterCare account: https://my.NETSCOUT.com
3. Navigate to the product section for your product type.
4. Select the software version of interest, then scroll to the bottom of the page.
5. Click the row corresponding to the licensing type:

• Evaluation Licenses
• Permanent/Incremental and Full Licenses
For an explanation of license types, refer to Understanding License Types and
Requirements. The license options vary based on the selected product and release
version.

If the End User License Agreement (EULA) appears, click the I Agree button. The EULA
appears for:
• First-time users of the software download pages.
• Users who have not accessed the page within a year of the last published EULA.
6. Click Continue under "License Registration."

7. The registration field appears at the bottom of the next page. Enter the registration key
from the Registration Coupon you received with your product shipment and click Yes to
confirm your product.

8. Enter your host ID or IP address and Operating System.


Note: Although some products permit keying on an IP address, certain licenses are locked
to hardware. If indicated, enter the Host ID of the system into this field. Obtain the Host ID
by typing: ifconfig eth0 from the command line of the system. The ID is the last four
bytes of the HW Address. For example, given output of eth0 Link encap:Ethernet
HWaddr 00:25:90:01:24:1A, the Host ID is 9001241A. For Incremental keys, the Host ID
must match that for an existing permanent license.

9. Click the Submit button. The system generates a license.

6.9.4 Installing the License


After your software is installed, use this procedure to install licenses on the nGeniusONE server.
If you start the server before you complete licensing, the server will start; however, you will be
unable to log in. If this occurs, stop the server, license it, then restart the server. If you are
upgrading, skip this procedure.

If your deployment includes multiple licenses (such as incremental packs), install the base license
first, then repeat for each key.

Note:
• Before you begin, you must register the nGeniusONE license to obtain a key for use in
this procedure (see Registering a License).
• When the data sources are managed by child servers, install the key on the child
servers.
• When data sources are directly managed by the parent server, then a key is required on
that parent server.

1. Initiate the licensing utility:
• Windows — From Start > (All) Programs > NETSCOUT > nGenius Server, select Update
License.
• Linux — From the <nGeniusONE install>/rtm/bin directory, execute ./LicenseCL.sh.
2. Enter the required information, clicking Next or pressing Enter after each entry:
• Permanent — Serial number, password, MAC or IP address, and software option
number
• Incremental — Serial number, password, MAC or IP address, and software option
number
• Evaluation — Serial number, password, and expiration date
3. (GUI installations) When licensing is complete, click OK.
4. Restart the server.

6.10 Changing Server Identity


6.10.1 Changing the Server Address or Hostname
If you must change the nGeniusONE Server IP address, domain hostname, or port number,
NETSCOUT recommends that you do so with the assistance of Customer Support, particularly if
your environment is configured across a firewall. In any of these cases, you will be modifying a
map table of the server entries, and the /etc/hosts file.

For port number changes, refer instead to the following sections:


• For Client<->Server and Between Servers: websecure
• For Server<->Data Source: Modifying Server to Data Source Communication Port

Important:
• When the server map table is modified on a parent server, the change is pushed to all child
servers. If you perform this procedure on a child server, you must also perform it on the
parent server.
• Changes to the /etc/hosts file are not replicated. When you change a server hostname
in /etc/hosts, you must also manually modify the /etc/hosts file on every server and
data source associated with the deployment.
• If you only need to change the "friendly name" of the server, you can do that from the
parent server in the cluster. Access the Server Management GUI from the parent server
of the cluster, and make the change in the General Information tab. That server's name
update is then replicated to all children in the cluster.

For distributed deployments, or deployments with parent/child servers, always make the changes
on the parent first. This replicates the map file for you, which simplifies the steps and mitigates
potential errors.

1. Log in to the parent server command-line.


2. Access the system command-line as the root user. If you have logged in as a different user
and assumed privileges with su, be sure to use su -l <root account> so that the full
environment is instantiated before you proceed.
3. Stop the server.
4. Update the /etc/hosts file with the required changes (IP, host, domain) to the nGeniusONE
Server identity.
5. Save and exit the file.
6. If you changed the IP Address or if you changed the host name and want to change the
friendly name used for display in server UI, modify the server map table. The name
change is optional; the IP address change is not. In the latter case, you must modify the
map table.
7. Start the server.
8. Log in to each child server and data source and modify the /etc/hosts files accordingly.
9. Ensure all DNS servers used by these servers and data sources have matching changes.
10. To ensure all changes are propagated successfully, restart all servers in the deployment.

6.10.2 Changing the Web Access Port with websecure


Use the websecure script to change the port number for use with web communications between
user systems and the server. This script updates all related nGeniusONE configuration files and
is applicable for changing the server's web access port to 80, 8080, 443, 8443, or any
non-well-known port greater than 1023. If you set a non-well-known port greater than 1023,
firewall changes are required. If your environment requires changing the web server to use any
other port, contact Customer Support.

Note:
• All servers in the deployment must use the same port number.
• The script used in this procedure modifies nGeniusONE files, not system files such as
/etc/sysconfig/iptables. If you modified iptables, which may be required for some
environments, you must update it separately.
• If you are changing the server to a secured port, you must also install a certificate. Use
the nscertutil tool to create and/or install a certificate.
• If you do use nscertutil, and your server is a child to another server (such as a Standby or
Secondary server), NETSCOUT recommends managing your certificates from the
managing / primary server, and then copying that truststore to the other nodes in the
deployment.
• Supports well-known, nonstandard HTTP (80, 8080) and HTTPS (443, 8443) ports.
Websecure accepts a port number in the command line. Ports 80 and 8080 can be
configured only for HTTP, ports 443 and 8443 only for HTTPS.

Procedure
1. For Windows: Log in to the Windows server with an account that has administrator
privileges. (Do not use a cloned version of the Administrator account.)
For Linux: Access the system command-line as the root user. If you have logged in as a
different user and assumed privileges with su, be sure to use su -l <root account> so that
the full environment is instantiated before you proceed.
2. Navigate to the <NETSCOUT install>/rtm/bin folder.
3. Run the following script:
Windows: # websecure.bat -protocol <HTTP|HTTPS> -port <port>
Linux: # ./websecure.sh -protocol <HTTP|HTTPS> -port <port>
Provide the protocol and port number you want the web service to use. The script
automatically restarts the server.
4. To verify your change, access the server with the new port number and/or by accessing
Server Management and viewing the port number in the General Information tab.
5. By default, NETSCOUT's servers ship with iptables configured to allow ports 80, 8080, 443,
and 8443. If you had customized your iptables to restrict any of these, modify it again to
accept the new port.
6. Repeat this procedure for all servers in the deployment, using the same port number.

Changing the Port in a Global Manager or Dedicated Global Manager Environment

Follow these steps to change the ports in a Global Manager (GM) or Dedicated Global Manager
(DGM) environment:

1. Navigate to the <NETSCOUT install>/rtm/bin folder on the GM or DGM.


2. Update all the local servers managed by the GM or DGM:
Windows: # websecure.bat -protocol <HTTP|HTTPS> -port <port> -all
Linux: # ./websecure.sh -protocol <HTTP|HTTPS> -port <port> -all
Provide the protocol and port number you want the web service to use. The script
automatically restarts the servers.
3. Update the GM or DGM:
Windows: # websecure.bat -protocol <HTTP|HTTPS> -port <port>
Linux: # ./websecure.sh -protocol <HTTP|HTTPS> -port <port>
4. To verify your change, access the servers with the new port number and/or access Server
Management and view the port numbers in the General Information tab.

Validation:

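You can use curl to validate the change without using a web browser, substituting http and https
as appropriate, and using the IP address:port number for the server you want to test. The -k
option skips certificate verification, so this check confirms only that the port responds, not that
the installed certificate is trusted.
# curl -I <http|s>://<server_ip_address:port>/ -k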

If the port change was successful, you will see a response such as: 
HTTP/1.1 200 OK

For example:
# curl -I https://10.20.160.14:8443/ -k
HTTP/1.1 200 OK

If SSL is not enabled, the following output is reported:


curl: (35) SSL connect error

6.10.3 Changing the Web Access Port Manually


NETSCOUT recommends using the websecure script to change the port number on your server.
The script modifies an assortment of files that require updates when a port number is changed.
However, that script supports only 4 specific, but common, ports. If necessary, you may manually
modify the port number as follows:

1. Stop the nGeniusONE Server.


2. Locate the following files and back them up before proceeding:
<nGeniusONE install>/rtm/bin/pm_env.sh
<nGeniusONE install>/apache/conf/httpd.conf
<nGeniusONE install>/apache/conf/extra/httpd-ssl.conf
<nGeniusONE install>/config/common.properties
3. Modify the variables as required, saving and closing each file.
Important: A variable may appear more than one time in the file. You must modify each
occurrence of the noted variables.
• <nGeniusONE install>/rtm/bin/pm_env.sh
NSAPACHEPORT=<port>
• <nGeniusONE install>/apache/conf/httpd.conf
Listen <port>
• <nGeniusONE install>/apache/conf/extra/httpd-ssl.conf
Listen <secure port>
• <nGeniusONE install>/config/common.properties
webserverport=<port>
4. After you modify the above files, run <nGeniusONE install>/rtm/bin/nGConfigSync.sh
to propagate the change to all affected properties files, as required:
• <nGeniusONE install>/rtm/html/client.properties
• <nGeniusONE install>/rtm/bin/globalmanager.properties
• <nGeniusONE install>/rtm/bin/serverprivate.properties
• <nGeniusONE install>/rtm/bin/admin/serverpublic.properties
• <nGeniusONE install>/tomcat/bin/tomcat.properties
5. Start the nGeniusONE Server.

6. Modify the corresponding settings in the Server Management GUI:


a. In Server Management, select the Servers tab.
b. Locate the server to be modified.
c. Click the name of the server.
d. In the General Information tab, enter the new web port number.
e. Click OK.
7. Restart the server.
8. Specify the new host name and/or port number in the URL when you launch nGeniusONE
Server. For example:
http://<new hostname>:<new port number>/

6.10.4 Modifying Server to Data Source Communication Port


By default, nGeniusONE servers and NETSCOUT data sources use either port 8080 or 8443 to
communicate with each other. Use this information if you need to set the communication port to
a non-default value. If needed, you may also refer to the following documentation for data
source configuration:
• InfiniStream Hardware Appliance Administrator Guide
• InfiniStreamNG Qualified COTS Software Appliance Administrator Guide
• vSTREAM Installation Guide

Note:
• To change the port for Client<->Server or Server<->Server, refer instead to websecure.
• The data source and nGeniusONE Server must be configured with the same port for
communications.
• HTTP/S port override is supported for NETSCOUT data sources only and is grayed out
for devices such as routers or switches.
• For virtual data sources:
  ◦ For vSTREAM Agent deployments, an existing web server on the virtual machine may
  already be using port 8080 or 8443, so it may be necessary to customize this
  communication port.
  ◦ Automatic configuration of the data source in nGeniusONE occurs upon receiving a
  new version of the Probe Advertisement Trap. When the server receives a trap for an
  existing data source, it updates the data source's configuration. If the data source
  does not exist, it is added based on the configuration, which includes the
  communication port.
  ◦ In the event that traps are not supported in the cloud or errors occur during
  auto-discovery, you can use this method to manually configure the port.

Server Procedure

To modify the HTTP/S communication port used between the server and data source:

1. Access the system command-line as the root user. If you have logged in as a different user
and assumed privileges with su, be sure to use su -l <root account> so that the full
environment is instantiated before you proceed.
2. Update iptables:
a. Stop the server.
b. Update iptables to add the new port and optionally delete the old port.
c. Ensure you restart iptables before you proceed or reboot the servers.
d. If you did not reboot in the previous step, start the server.
Important: If this server is part of a distributed environment, repeat the iptables
changes on the managing server.
3. Modify the port number for the data source:
a. From the nGeniusONE Console, access Device Configuration.
b. Double-click the Device for which you want to modify the communication port.
c. In the Device Details pane, use the Communication Protocol menu to specify either
HTTP or HTTPS.
d. In the HTTP/HTTPS Port field, specify the custom port.
e. Click OK to save your configuration.
f. You are prompted with a message to reset the device. Click OK and reset the device.

InfiniStream and vSTREAM virtual appliance Procedure

For detailed guidance on modifying this and other settings for this data source, refer to the
appropriate administrator or installation guide, listed above. Generally, however, you perform
the following steps:

1. Edit the procmanager.env file.
2. Locate the following lines and modify the port number, as needed:
For HTTP:
export NS_PROCMANAGER_PORT=8080
For HTTPS:
export NS_PROCMANAGER_PORT_SECURED=8443
3. Modify the data source's iptables to delete the old port and add the new port.

vSTREAM Agent Procedure

For detailed guidance on modifying vSTREAM Agent settings, refer to the vSTREAM
Installation Guide. Generally, though, you need to modify a variable and reset the agent.
Modification of iptables is not required for this data source type.

You can modify the HTTP_PORT or HTTPS_PORT variables using any of the following techniques:
• Use the set vstream_config HTTP_PORT or HTTPS_PORT <0..65535> command from the
Agent Configuration Utility command line.
• Edit the /NetScout/rtm/config/nsagent_config.cfg file directly.
• Reconfigure settings in a new nsagent_config.cfg file, save it to /tmp, and restart the
vSTREAM Agent.

6.10.5 Configuring the Server to Use an IPv6 Address


If your deployment environment requires users to access the nGeniusONE server with an IPv6
address, follow the steps in these sections.

6.10.5.1 Configuring IPv6 for Linux


Follow these steps to configure a Linux server to use an IPv6 address.

1. Access the system command-line as the root user. If you have logged in as a different user
and assumed privileges with su, be sure to use su -l <root account> so that the full
environment is instantiated before you proceed.
2. Ensure the hostname and domain of the server are in the /etc/hosts file. (During
installation, these should have been added as the first entry in the file.)
3. Navigate to <nGeniusONE install>/rtm/bin.
4. Stop the server.
5. In the servermapupdater.sh file, set this line to "true":
PREFERIPV6ADDRESS="java.net.preferIPv6Addresses=true"
6. Save and exit the file.
7. Start the nGeniusONE Server.

6.10.5.2 Configuring IPv6 for Windows


Follow these steps to configure a Windows server to use an IPv6 address.

1. Log in to the Windows server with an account that has administrator privileges. (Do not
use a cloned version of the Administrator account.)
2. Stop the nGeniusONE server.
3. Navigate to the <nGeniusONE install>\rtm\bin folder.
4. In pm_env.bat set the USE_IPV6 variable to 'true.' The default is false.
set USE_IPV6=true
5. Start the nGeniusONE server.

6.10.6 Configuring the Server to Use a Hostname


If your deployment environment requires users to access the nGeniusONE server with a
hostname, rather than an IP address, set the following property. For distributed deployments,
this must be set manually on all nodes; it is not replicated.

1. Access the system command-line as the root user. If you have logged in as a different user
and assumed privileges with su, be sure to use su -l <root account> so that the full
environment is instantiated before you proceed.
2. Ensure the hostname and domain of the server are in the /etc/hosts file. (During
installation, these should have been added as the first entry in the file.)
3. Navigate to <nGeniusONE install>/rtm/bin.
4. Stop the server.
5. In the serverprivate.properties file, set this line to "true":
server.autoRegister.userHostName=true
6. Save and exit the file.
7. Edit the pm_env.sh file, and ensure that <hostname> in the following line matches the
hostname to be used:
NSHOST=<hostname>
8. Save and exit the file.
9. Start the nGeniusONE Server.

6.10.7 Configuring DNS Resolution


nGeniusONE requires that DNS be configured at three different points during your setup process:
• Basic Networking: When you first put the system on your network, the DNS hosts should be
added to the /etc/hosts file on all systems in your deployment (servers, clients, data
sources).
• Configuring the System: After installation, or when you are ready to customize the system,
you are prompted to provide the DNS hosts again. These ensure the system services are
enabled with DNS.
• Server Management: For DNS resolution of names within the software, you can use
nGeniusONE's Server Management module to configure DNS primary and secondary
servers, with appropriate failover parameters. Refer to Server Management online help for
guidance using that module.

6.11 Configuring Alerts


This chapter addresses customization of how the server handles alerts. Refer to the following
sections as applicable for your requirements:
• Scripts for Alert Actions
• Overriding Alert / Trap Destinations
• Forwarding Alerts to a Syslog Server
• Configuring SNMP Traps
• snmpv3script
• Enabling Certificate Expiration Alerts
• Resetting Alert Baselines

6.11.1 Scripts for Alert Actions


The following CallBack scripts are listed in assorted configuration modules that allow you to set
alerts or alert triggers. These default scripts output the script name to a log file, along with a set
of parameter values. The log file name is specified in the script.

The following summarizes how the scripts may be used:


• The disk and memory scripts are intended for use with Device Alerts.
• nsscript is always triggered for an event, and should not be modified unless guided by
Customer Support.
• wdscript is called by the server itself when an abnormal server event occurs. The script
and some trigger thresholds are specified in the <nGeniusONE
install>/rtm/bin/watchdog.properties file. Neither the script nor property file should be
modified unless guided by Customer Support.

Example log entry:


IS-28:if4 172.21.72.28 2019-10-09 14:30:00.0 1 ASI2x_THRESHOLD_ALARM
failureRate 17.450000762939453 1.0 % Failure for Service:T1 (App:DNS)
has exceeded the config threshold over a 5 minute period (threshold = 1
%; last delta = 16.45 %; cumulative occurrences since start = 1) 300 1-
1085554032642 RouterAddress=172.21.73.80, Metric=failureRate, App=DNS
DNS_TCP 4

Parameters

The same number of fields, in the same order, are sent as parameters to all CallBack scripts,
regardless of which module calls the script. Based on the type of trigger and other
configurations, some fields may be blank. Following is a list of the parameters that may appear
in the log file.
• Monitored Element
• IP Address of the associated monitored element
• Timestamp of the event
• Severity
• Trap Type
• Trap Variable (the variable on which the alarm was set)
• Trap Value (the actual value of the variable)
• Trap Threshold (the threshold that was applied when the trap was configured)
• Trap Description (Example: “Rising Threshold Reached”)
• Trap Interval (Example: The time interval over which the average value is computed for
comparison threshold value)
• Alert ID (The server reporting the alert, and the alert ID itself. The ID of the server is shown
in the server_map.xml file.)
• Alert Evidence
• Application Tag (Application Name is displayed if no value is specified in the Global
Settings Application List for that application)
• Interface Number

Given the following log entry, for an alert triggering nsscript:


IS-28:if4 172.21.72.28 2019-10-09 14:30:00.0 1 ASI2x_THRESHOLD_ALARM
failureRate 17.450000762939453 1.0 % Failure for Service:T1 (App:DNS)
has exceeded the config threshold over a 5 minute period (threshold = 1
%; last delta = 16.45 %; cumulative occurrences since start = 1) 300 1-
1085554032642 RouterAddress=172.21.73.80, Metric=failureRate, App=DNS
DNS_TCP 4

The fields are:

Monitored Element: IS-28:if4

IP Address: 172.21.72.28

Timestamp: 2019-10-09 14:30:00.0

Severity: 1

Trap type: ASI2x_THRESHOLD_ALARM

Trap variable: failureRate

Trap value: 17.450000762939453

Trap threshold: 1.0 %

Trap description: Failure for Service:T1 (App:DNS) has exceeded the config threshold over a 5
minute period (threshold = 1 %; last delta = 16.45 %; cumulative occurrences since start = 1)

Trap interval: 300

Alarm ID: 1-1085554032642

Alarm Evidence: RouterAddress=172.21.73.80, Metric=failureRate, App=DNS

Application Tag: DNS_TCP

Interface number: 4

Custom Scripts

If desired, you can use standard shell commands to create a shell script that parses the incoming
parameters and takes other actions such as logging separately or triggering an email. Here are
key rules for adding a custom script:
• To display in the menus for the configuration modules, the script must reside in the
<nGeniusONE install>/rtm/scripts folder. It must have a .sh extension (or .bat for Windows).
• The file must have the same ownership/permissions as the other scripts (executable and
owned by the ngenius user, not root).

Note: The KPI Alarm dialog displays all the scripts, although there is not a specific script for
logging KPI Alarms. Either select nsscript, or create a custom script as noted above.
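
A custom CallBack script that follows the rules above, as an added example (not NETSCOUT's code). It assumes each of the 14 documented fields arrives as its own positional argument; the file name custom_alert.sh, the log path, and the field labels are hypothetical.

```shell
#!/bin/sh
# custom_alert.sh - hypothetical custom CallBack script (added example).
# Install as <nGeniusONE install>/rtm/scripts/custom_alert.sh, executable and
# owned by the ngenius user, as the rules above require.
#
# Assumption: the server passes the 14 documented fields as separate
# positional arguments, in the documented order; trailing fields may be blank.

ALERT_LOG="${ALERT_LOG:-/tmp/custom_alert.log}"   # assumed log location

# Field values such as the trap description are free text. Replace CR, LF and
# TAB with spaces, turn double quotes into single quotes, and drop any other
# control characters so one alert can never forge a second log record.
sanitize() {
    printf '%s' "$1" | tr '\r\n\t"' "   '" | tr -d '\000-\037\177'
}

# Print one key="value" record for the alert passed as positional arguments.
format_alert() {
    if [ "$#" -gt 14 ]; then
        echo "custom_alert: expected at most 14 fields, got $#" >&2
        return 2
    fi
    record=""
    for name in element ip timestamp severity trap_type trap_var trap_value \
                trap_threshold description interval alert_id evidence \
                app_tag interface
    do
        if [ "$#" -gt 0 ]; then
            value=$(sanitize "$1")
            shift
        else
            value=""            # field left blank by this trigger type
        fi
        record="${record}${record:+ }${name}=\"${value}\""
    done
    printf '%s\n' "$record"
}

# Entry point: append the record to the log. Arguments are only ever handled
# as quoted data; nothing from the alert is evaluated or run as a command.
if [ "$#" -gt 0 ]; then
    umask 027
    format_alert "$@" >> "$ALERT_LOG"
fi
```

Set ALERT_LOG to a directory the ngenius user can write to before selecting the script in a configuration module.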

6.11.2 Overriding Alert / Trap Destinations


In a distributed deployment, you can override the alert destinations specified at a global level, to
send alerts to a different server.

Also refer to:


• Modifying the ngeniusnative.properties File
• Modifying the serverprivate.properties File

6.11.2.1 Forward Alerts for a Single Local Server


You can configure a Local Server to override the alert destinations defined in Global Settings to
send alerts to another server. For example, you might want to configure a local Network Node
Manager server to receive alerts from a specific Local Server. (All other Local Servers in the
server cluster would continue to forward alerts to the defined destinations.) To override the
alert destinations defined in Global Settings, complete these steps to define the new destination
in the serverprivate.properties file on the affected Local Server.

Note: This does not override alert actions defined in Service Configuration, which may specify
particular emails and IP addresses.

1. On the Local nGeniusONE Server, navigate to the <nGeniusONE install>/rtm/bin folder.


2. Back up the serverprivate.properties file.
3. Open the file using a text editor.
4. Add this property:
alarmforward.trapDestination=<IP Address>
• Enter the address in octet format (for example: 10.20.30.40).
• Multiple addresses are not supported.
5. Save and close the file.

6.11.2.2 Forward SNMP Traps from a Global Manager and Externally


Use this procedure to forward traps from a Global Manager that has a local server running on the
same server to an external server.

1. On each remote Local Server, navigate to the <nGeniusONE install>/rtm/bin folder.


2. Back up the serverprivate.properties file.
3. Open the file using a text editor.
4. Add these properties:
alarmForwardService.forwardDeviceAlarms=true
alarmForward.trapDestination=xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is the IP address of the third-party product you want to forward
TO.
5. Save and exit the file.
6. Back up the ngeniusnative.properties file.

7. Open the file using a text editor.


8. Add these properties:
AlarmListener.gmListener=true
AlarmListener.localServerList=xxxx,yyyy,…
where xxxx and yyyy are the list of Local servers that you want to forward FROM,
excluding the local on this Global Manager.
AlarmListener.forwardAddress=xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is the IP address of the third-party product you want to forward
TO.

6.11.2.3 Forward SNMP Traps to Dedicated Global Manager and Externally


You can forward all SNMP traps from InfiniStream appliances and Local Servers to a
Dedicated Global Manager and on to a destination. This feature is not supported for
Standalone servers. This allows for forwarding all traps from a distributed nGeniusONE
installation from one source.

1. On each remote Local Server, navigate to the <nGeniusONE install>/rtm/bin folder.


2. Back up the serverprivate.properties file.
3. Open the file using a text editor.
4. Add these properties:
alarmForwardService.forwardDeviceAlarms=true
alarmForward.trapDestination=xxx.xxx.xxx.xxx
where:
• xxx.xxx.xxx.xxx is the IP address of the Dedicated or Global Manager.
• You can use a comma separated list to include multiple Global Managers.
5. Save and exit the file.
6. Now, configure forwarding of traps from a Dedicated Global Manager to one or more
third-party management tools:
a. On the managing server of the cluster, navigate to the <nGeniusONE
install>/rtm/bin folder.
b. Back up the ngeniusnative.properties file.
c. Open the file using a text editor.
d. Add these properties:
AlarmListener.gmListener=true
AlarmListener.localServerList=xxxx,yyyy,…
where xxxx and yyyy are the list of Local servers that you want to forward FROM.
AlarmListener.forwardAddress=xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is the IP address of the third-party product you want to
forward TO.

6.11.3 Forwarding Alerts to a Syslog Server


You can enable the nGeniusONE server to forward all nGeniusONE alerts to the syslog of one or
more remote hosts using the procedure below. The server transmits a syslog protocol message
to a designated port of the remote device whose syslog daemon monitors this port and writes
messages to that server's syslog.

Note: If your deployment requires forwarding of OS-level events (handled separately from
nGeniusONE alarms), refer to the overall steps in Configuring Syslog Forwarding.

To forward alarms and alerts to the syslog of a remote host:


1. To see alerts sent from nGeniusONE to the syslog host, ensure that the destination
system is configured correctly. If necessary, refer to that system's documentation for
instructions.
2. Access the nGeniusONE server command-line as an administrative user.
3. Navigate to the <nGeniusONE install>/rtm/bin directory.
4. Open the serverprivate.properties file with a text editor.
5. Add the following lines:
AlarmForwarder.arcSightSupport=true
syslogHost=<xxx.xxx.xxx.xxx>
where <xxx.xxx.xxx.xxx> is the IP address of the remote server to which you want to
forward alerts. To forward alerts to additional hosts, use commas to separate a maximum
of five IP addresses.
Note: The forwarded alert message can be interpreted using CEF guidelines. Refer to the
example below.
6. (Optional) If you want to use secure syslog, add the following line:
SSLsyslog=true
7. (Optional) The default port on the destination syslog server is 514. To change this port,
add the following line and specify a port:
syslogDestPort=<port>
8. (Optional) The server forwards alerts by trying to create a socket first on port 2223 or, if
unavailable, on the next available port (for example, 2224, 2225 ...). If you want to forward
from a specific port, specify it by adding the following:
syslogSendPort=<port>
9. Save and close the file.
10. For distributed deployments, perform the same procedure on the Global Manager and
every Local Server.
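
A check of the properties from the procedure above, run before the file goes into service, as an added example (not NETSCOUT's code). The function names and the OK/WARN/FAIL/INFO wording are hypothetical, and the check assumes dotted IPv4 addresses in syslogHost, as the <xxx.xxx.xxx.xxx> placeholder suggests.

```shell
#!/bin/sh
# Added example: audit the syslog-forwarding properties described above in a
# serverprivate.properties file. Function names and messages are hypothetical.

# get_prop FILE KEY: print the last value assigned to KEY (empty if absent).
get_prop() {
    awk -v want="$2" '
        /^[ \t]*[#!]/ { next }                      # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == want) found = val
        }
        END { print found }' "$1"
}

# bad_hosts LIST: print every comma-separated entry that is not dotted IPv4
# (assumption: syslogHost takes IPv4 addresses only).
bad_hosts() {
    printf '%s\n' "$1" | awk -F, '{
        for (i = 1; i <= NF; i++) {
            h = $i; gsub(/^[ \t]+|[ \t]+$/, "", h)
            n = split(h, octet, "."); ok = (n == 4)
            for (j = 1; j <= n && ok; j++) {
                if (octet[j] !~ /^[0-9]+$/ || octet[j] + 0 > 255) ok = 0
            }
            if (!ok) printf "[%s] ", h
        }
    }'
}

# audit_syslog_forwarding FILE: print findings; return 0 if no FAIL, else 1.
audit_syslog_forwarding() {
    file=$1; rc=0
    [ -r "$file" ] || { echo "FAIL cannot read $file"; return 2; }

    if [ "$(get_prop "$file" AlarmForwarder.arcSightSupport)" = "true" ]; then
        echo "OK   AlarmForwarder.arcSightSupport=true"
    else
        echo "FAIL AlarmForwarder.arcSightSupport is not true"; rc=1
    fi

    hosts=$(get_prop "$file" syslogHost)
    if [ -z "$hosts" ]; then
        echo "FAIL syslogHost is not set"; rc=1
    else
        count=$(printf '%s\n' "$hosts" | awk -F, '{ print NF }')
        if [ "$count" -gt 5 ]; then
            echo "FAIL syslogHost lists $count hosts; the maximum is five"; rc=1
        fi
        bad=$(bad_hosts "$hosts")
        if [ -n "$bad" ]; then
            echo "FAIL syslogHost entries that are not IPv4 addresses: $bad"; rc=1
        fi
    fi

    port=$(get_prop "$file" syslogDestPort)
    port=${port:-514}                               # documented default
    case $port in
        *[!0-9]*) echo "FAIL syslogDestPort '$port' is not numeric"; rc=1 ;;
        *)  if [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then
                echo "OK   destination port $port"
            else
                echo "FAIL syslogDestPort $port is out of range"; rc=1
            fi ;;
    esac

    if [ "$(get_prop "$file" SSLsyslog)" = "true" ]; then
        echo "OK   SSLsyslog=true"
    else
        echo "WARN SSLsyslog is not true: alerts are sent without secure syslog"
    fi

    if [ -z "$(get_prop "$file" syslogSendPort)" ]; then
        echo "INFO syslogSendPort unset: source port is 2223 or the next free port"
    fi
    return "$rc"
}

if [ "$#" -eq 1 ]; then
    audit_syslog_forwarding "$1"
fi
```

The INFO line matters when a firewall rule between the server and the syslog host is keyed on the source port, since that port can change unless syslogSendPort pins it.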

Example alert message


<14>Aug 31 13:59:01 10.20.100.100 CEF:0|NETSCOUT|nGeniusONE|5.5|ASI2x_
THRESHOLD_ALARM|ASI2x_THRESHOLD_ALARM|1|rt=1441054500000
cs1Label=SnmpTrapOid cs1=1.3.6.1.4.1.141.50.2.0.1 cs2Label=DataSource
cs2=1.3.6.1.2.1.2.2.1.1.0 dvc=10.20.100.100 cn1Label=Threshold cn1=0
cn2Label=Value cn2=710923 cn3Label=Interval cn3=300
cs3Label=DataSourceName cs3=10.20.100.100 cs4Label=URL
cs4=http://10.20.100.100:8080/console/?modID=idsitroom&modMsg=alertId:1-
346 msg=(ASI2xThresholdAlarm)Total Bit Rate for Aggregated Service:AQQ_
S2Agg has exceeded the config threshold over a 5 minute period
(threshold = 0.1 bits/sec; last delta = 710.9 Kb/sec; # of occurrences
= 1) externalId=1-346 app=null cs5Label=RouterAdderess cs5=10.20.100.100
cs6Label=Metric cs6=totalAppBitRate

Message fields

CEF Event Field    Vendor-specific Event Data
CEF Version        0
Device Vendor      NETSCOUT
Device Product     nGeniusONE
Device Version     5.5
Signature          ASI2x_THRESHOLD_ALARM
Name               ASI2x_THRESHOLD_ALARM
Rt                 rt=1441054500000 (trap uptime/alarm trigger time in milliseconds)
cs1                SnmpTrapOid
cs2                DataSource
dvc                Device IP Address
cn1                Threshold
cn2                Value
cn3                Interval
cs3                DataSourceName
cs4                URL
msg                Alert description
externalID         Server ID - Alert ID
app                Application
cs5                Router Address
cs6                Metric
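
Reading the forwarded message on the receiving side, as an added example (not NETSCOUT's code): it splits the seven CEF header fields and the key=value extension of the example message, and reports the cs/cn custom fields under their Label names. The function names are hypothetical, and SAMPLE is the example message above with its wrapped lines rejoined.

```shell
#!/bin/sh
# Added example: parse the CEF alert forwarded by nGeniusONE on the syslog
# receiver. Function names are hypothetical.

# SAMPLE is the example message from this section with wrapped lines rejoined.
SAMPLE='<14>Aug 31 13:59:01 10.20.100.100 CEF:0|NETSCOUT|nGeniusONE|5.5|'\
'ASI2x_THRESHOLD_ALARM|ASI2x_THRESHOLD_ALARM|1|rt=1441054500000 '\
'cs1Label=SnmpTrapOid cs1=1.3.6.1.4.1.141.50.2.0.1 cs2Label=DataSource '\
'cs2=1.3.6.1.2.1.2.2.1.1.0 dvc=10.20.100.100 cn1Label=Threshold cn1=0 '\
'cn2Label=Value cn2=710923 cn3Label=Interval cn3=300 '\
'cs3Label=DataSourceName cs3=10.20.100.100 cs4Label=URL '\
'cs4=http://10.20.100.100:8080/console/?modID=idsitroom&modMsg=alertId:1-346 '\
'msg=(ASI2xThresholdAlarm)Total Bit Rate for Aggregated Service:AQQ_S2Agg '\
'has exceeded the config threshold over a 5 minute period '\
'(threshold = 0.1 bits/sec; last delta = 710.9 Kb/sec; # of occurrences = 1) '\
'externalId=1-346 app=null cs5Label=RouterAdderess cs5=10.20.100.100 '\
'cs6Label=Metric cs6=totalAppBitRate'

# cef_pairs LINE: print "name<TAB>value" for each header field and extension
# key. Returns non-zero if LINE holds no complete CEF header.
cef_pairs() {
    printf '%s\n' "$1" | awk '
    {
        start = index($0, "CEF:")
        if (start == 0) { bad = 1; exit }
        s = substr($0, start + 4)
        # Header: seven pipe-delimited fields. The seventh is CEF Severity,
        # which the field table above does not list.
        split("version vendor product device_version signature name severity", hdr, " ")
        for (i = 1; i <= 7; i++) {
            p = index(s, "|")
            if (p == 0) { bad = 1; exit }
            printf "%s\t%s\n", hdr[i], substr(s, 1, p - 1)
            s = substr(s, p + 1)
        }
        # Extension: a value runs until the next " key=" token, so the spaces
        # in msg and the "=" characters inside the URL do not end it.
        n = 0
        while (match(s, /^[A-Za-z0-9_]+=/)) {
            key = substr(s, 1, RLENGTH - 1)
            s = substr(s, RLENGTH + 1)
            if (match(s, / [A-Za-z0-9_]+=/)) {
                val = substr(s, 1, RSTART - 1); s = substr(s, RSTART + 1)
            } else {
                val = s; s = ""
            }
            order[++n] = key; ext[key] = val
        }
        # Report csN/cnN values under the name given by their ...Label key.
        for (i = 1; i <= n; i++) {
            key = order[i]
            if (key ~ /Label$/) continue
            label = key "Label"
            if (label in ext) { name = ext[label] } else { name = key }
            printf "%s\t%s\n", name, ext[key]
        }
    }
    END { exit bad }'
}

# cef_get LINE NAME: print the value of one field from cef_pairs output.
cef_get() {
    cef_pairs "$1" |
        awk -F'\t' -v want="$2" '$1 == want && !seen { print $2; seen = 1 }'
}

if [ "$#" -eq 1 ]; then
    cef_pairs "$1"
fi
```

The msg and URL values are free text taken from alert data, so treat them as untrusted when passing them on to a SIEM rule or ticketing system.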

6.11.4 Configuring SNMP Traps


When an alarm condition occurs, the monitoring device sends an alarm notification message to
its managing server and any additional servers you specify. Use the procedure in this section to
configure forwarding of alarms as SNMP traps. Users with administrative user roles can configure
forwarding of alarm messages.

Also see: snmpv3script

Configuring SNMP trap listeners:

Complete these steps to configure SNMP trap listeners in nGeniusONE:

1. From the nGeniusONE console, click Global Settings > Application Configuration.
2. Click the SNMP Trap Listeners Configuration button.
3. Choose one of these options:
• Click Add Address to add one or more IP addresses.
• Click Modify Address to modify an existing IP address.
4. Enter or edit an IPv4 or IPv6 address and choose one of these options:
• Click Apply to add the IP address to the dialog box and keep the IP Address Edit or
IP Address Add dialog box available to continue your configuration.
• Click OK to add the IP address to the dialog box and remove the IP Address Edit or
IP Address Add dialog box.
5. Click OK to commit the change.
6. Click Apply to apply your changes to the system.

Note:If the nGeniusONE Server (Global Manager or standalone nGeniusONE Server) is using
two NICs, you must add the both IP addresses.

6.11.5 Using the SNMPV3UserConfig Script


This script allows you to configure forwarding of alarms as SNMPv3 traps. Also see Configuring
SNMP Traps.

Supported protocols are:

• MD5 or SHA-1 authentication protocols
• DES, 3DES, or AES128 privacy protocols

To use the script:

1. Access the nGeniusONE server command line.
2. Edit the serverprivate.properties file and ensure that the following parameter is configured as shown:
   serverBasedAlarmSNMPVersion=SNMPV3
3. Save and exit the file.
4. Navigate to the tools folder (<nGeniusONE install>/rtm/tools).
5. Run the following script to save the server's authentication protocol, password, and privacy password to a file:
   SNMPV3UserConfig.sh | .bat <username> <authProtocol> <authPW> <privProtocol> <privPW>
   For example:
   SNMPV3UserConfig.bat/.sh admin MD5 myauthpassword AES128 myprivpassword

6.11.6 Enabling Certificate Expiration Alerts


The nGeniusONE suite provides an alarm mechanism that notifies you when SSL certificates in
your network are due to expire. Early notification helps you prevent website and service
disruptions.

When you enable this alarm (through a property setting), the alarm engine works in the
background to check for impending certificate expiration. If any certificate has days remaining
less than a default or custom threshold, an alarm is generated.

You can see these alarms in the Notification Center under the category of “Certificate Expiration”
and drill down from them to the Certificate Monitor.

Enable Certificate Expiration alarms by entering the following serverprivate.properties
parameters in Table 1.2.

Table 6.4 - Alarm Properties

Function: Minimum certificate validity
Description: Enable alarms for all certificates and set the number of days before expiration as the alarm threshold.
Parameter in serverprivate.properties: minimum.certificate.validity.in.days=-1
   Enter a positive number to enable the alarms and specify the expiration threshold.
Default: -1 means that certificate expiration checking is disabled.

Function: Time of day
Description: Specify the time of day (hour HH and minute MM) when the certificate expiration check runs.
Parameter in serverprivate.properties: certificate.check.time.HH.In24HrFormat=06
   certificate.check.time.MM=00
Default: Every day at 06:00 (every 24 hours).

Function: Maximum lifetime for alarm
Description: Specify the minimum number of days that must elapse between successive uncleared alarms for an associated certificate and server. This setting controls the frequency of alerts for each associated certificate and server.
Parameter in serverprivate.properties: minimum.certificate.alarm.separation.in.days=7
Default: 7 (days)

Function: Alarm actions
Description: Enable additional actions in response to the certificate expiration alarm. First, define an action in Alert Configuration and then enter the complete name in this property.
Parameter in serverprivate.properties: certificate.expiration.alarm.action.policy.name=alert action name defined in Alert Configuration
   (Use backslashes as escape characters for spaces)
Default: Empty, therefore no action is taken.

Function: Clear trap alarm
Description: Enable a clear-notification for when:
   • A certificate with a previous uncleared alarm has an expiration with days remaining greater than the threshold.
   • The maximum lifetime for a previously generated alarm has been exceeded.
Parameter in serverprivate.properties: forwardAlarm.clearTrapAlarm=true
Default: False
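How the settings in Table 6.4 interact is easier to see in code. The following Python model is an added example, not NETSCOUT's alarm engine: it parses the properties named in the table and applies one reading of the threshold, separation and clear rules to a single certificate. The sample properties fragment, the dates and the action names (alarm, suppress, clear, none, disabled) are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Defaults as listed in Table 6.4.
DEFAULTS = {
    "minimum.certificate.validity.in.days": "-1",
    "certificate.check.time.HH.In24HrFormat": "06",
    "certificate.check.time.MM": "00",
    "minimum.certificate.alarm.separation.in.days": "7",
    "forwardAlarm.clearTrapAlarm": "false",
}

# Constructed fragment of serverprivate.properties (30-day threshold chosen here).
SAMPLE_PROPERTIES = """\
# certificate expiration alarms
minimum.certificate.validity.in.days=30
certificate.check.time.HH.In24HrFormat=06
certificate.check.time.MM=00
forwardAlarm.clearTrapAlarm=true
"""


def load_settings(text):
    """Read the Table 6.4 keys from properties text, falling back to defaults."""
    props = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() in DEFAULTS:
            props[key.strip()] = value.strip()
    hour = int(props["certificate.check.time.HH.In24HrFormat"])
    minute = int(props["certificate.check.time.MM"])
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError("certificate check time out of range")
    return {
        "threshold_days": int(props["minimum.certificate.validity.in.days"]),
        "separation_days": int(props["minimum.certificate.alarm.separation.in.days"]),
        "check_time": (hour, minute),
        "clear_enabled": props["forwardAlarm.clearTrapAlarm"].lower() == "true",
    }


def next_check(settings, now):
    """Next daily run of the expiration check at HH:MM."""
    hour, minute = settings["check_time"]
    run = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    return run if run > now else run + timedelta(days=1)


def evaluate(settings, not_after, now, last_alarm=None):
    """Actions one check would take for one certificate (assumed reading).

    last_alarm is the time of the previous uncleared alarm, if any.
    """
    threshold = settings["threshold_days"]
    if threshold <= 0:                      # -1 disables expiration checking
        return ["disabled"]
    days_left = (not_after - now).days      # negative once the cert has expired
    actions = []
    if days_left < threshold:
        if last_alarm is None:
            actions.append("alarm")
        elif (now - last_alarm).days >= settings["separation_days"]:
            # Previous alarm has outlived its maximum lifetime: clear, re-raise.
            if settings["clear_enabled"]:
                actions.append("clear")
            actions.append("alarm")
        else:
            actions.append("suppress")      # too soon after the last alarm
    elif days_left > threshold and last_alarm is not None:
        # Certificate was renewed while an alarm was still open.
        if settings["clear_enabled"]:
            actions.append("clear")
    return actions or ["none"]


if __name__ == "__main__":
    cfg = load_settings(SAMPLE_PROPERTIES)
    now = datetime(2021, 8, 2, 6, 0)
    print(evaluate(cfg, datetime(2021, 8, 22), now))
    print(next_check(cfg, now))
```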

6.11.7 Resetting Alert Baselines


Alert baselines are calculated using the performance of a metric over multiple days. You may
want to manually reset baselines if there has been a change in the traffic on a probe that is
included in an Application Service with a baseline alert associated with it. This prevents alerts
from continuously triggering until a new baseline has been set, which can take multiple days.

A script is provided to manually reset baselines for an interface or a service. After an interface is
reset, old baselines are not shown in charts. Supply the interface or service and date for the
reset to take place.

Note the following:

• In a distributed environment, the interfaces to be reset only need to be specified on the global machine.
• Date and time are optional. If a date is provided, it must be in the future.
• After an interface has been set to reset, no baselines are calculated for it until after the specified time for the reset (immediately when no date and time are provided).
• After a reset has been applied:
  ◦ Old baselines are not shown in charts.
  ◦ Alerts and situations for that interface are not triggered until new baselines are generated.

To reset baselines:

Run /opt/Netscout/rtm/bin/nsResetBaselines.sh (or .bat on Windows)

Usage:
nsResetBaseline.sh [help|list|add][servicename <name>|serviceid <id>|device <ip_address ifn>] <YYYY>-<MM>-<DD>T<hh>:<mm>

Where:
• add — Add an interface to the reset list.
• list — Show a list of devices and associated interfaces scheduled for reset.
• servicename <name> — Use to specify a service name to add.
• serviceid <id> — Use to specify a service ID to add.
• device <ip_address ifn> — Use to specify a device to add. When ifn is set to -1, it acts as a wildcard to target all interfaces.
• Optional <YYYY>-<MM>-<DD>T<hh>:<mm> = The date and time (in the server time zone) from which the alert baselines begin to be calculated. The baselines before this time are removed, and baselines shown in charts, alerts, and situations are removed.
  If the date and time are not specified, the time at which the script is run is used to begin calculating new baselines.
  It may take multiple days after this specified date and time (or the current time if no date and time are specified) for the calculations to complete and to show alert data.
  ◦ <YYYY> = Four numbers indicating the year.
  ◦ <MM> = Two numbers indicating the month of the year (example: April is 04).
  ◦ <DD> = Two numbers indicating the day of the month (example: the third of the month is 03).
  ◦ T = Enter this character to separate the date from the time on the command line.
  ◦ <hh> = Two numbers indicating the hour of the day, in a 24-hour clock (example: 2:00 am is 02).
  ◦ <mm> = Two numbers indicating the minute of the hour, in the range from 00 to 59.

Examples:
nsResetBaseline.sh list
nsResetBaseline.sh add servicename LDAP1 2020-08-19T15:00
nsResetBaseline.sh add serviceid 1234 2020-08-19T15:00
nsResetBaseline.sh add device 10.10.20.20 5 2020-08-19T15:00
nsResetBaseline.sh add device 10.10.20.20 5

6.12 Performing Remote Upgrades


6.12.1 Upgrading Decode Pack Software Remotely
When upgrading the Decode Pack software, use the following Decode Pack installers for the
following NETSCOUT server versions:
• Linux
  ◦ 6.3.0 or higher – 64-bit installer
  ◦ 6.2.2 or lower – 32-bit installer
• Windows
  ◦ 6.3.2 or higher – 64-bit installer
  ◦ 6.3.1 or lower – 32-bit installer

Complete these steps to upgrade the Decode Pack software on your InfiniStream appliances:

1. Ensure that your environment meets all prerequisites; refer to NETSCOUT Server Administrator Guide.
2. Choose one of these options (there is one option for nGeniusONE users):
   • On the parent server, download the appropriate upgrade file to the <nGeniusONE install directory>/rtm/pmupgrade directory. (Note that the download directory differs from that for InfiniStream software.)
     Upgrade files have this naming format:
     dep-[major version]-[minor version]-[build]-[OS].bin
     For example, a v15.1 build 166 upgrade file for Linux would be named: dep-15-1-166-lin.bin
     Note: MasterCare customers can download the binary upgrade files for the latest version of software from the NETSCOUT Support site:
     https://my.netscout.com/mcp/Pages/landing.aspx
     You can find the software in the Sniffer Decode and Expert Pack section. Refer to the appropriate software release notes for your appliance for specific instructions.
   • Schedule automatic software download; refer to NETSCOUT Server Administrator Guide. When using this method in a distributed server environment, you must download the files to the Global Manager.
3. Go to nGeniusONE > Device Configuration > Upgrade > Decode Pack.
   Installed Decode Packs are listed with their current status, name, IP address, model number, version number and build, and description.
4. Select one or more appliances to upgrade.
   • A red icon in the Status column indicates the existence of an upgrade file with a higher version than the appliance is currently running.
   • A green icon indicates that the appliance is already upgraded to the latest file version in the nGeniusONE Server upgrade file repository.
   Note: If no status icons display in the Status column, no valid upgrade files reside in the /rtm/pmupgrade directory.
5. Click Select File to Upgrade. The releases that have been copied to the /rtm/pmupgrade directory are listed in descending version order.
6. Select the decode pack version you want to upload, click Upgrade and click OK to confirm.
7. The software package is uploaded to the selected InfiniStream appliance(s).
   The Task Progress Report arrow displays detailed, step-by-step information as the upgrade progresses. In the case of multiple upgrades, progress displays for each individual device.
   Upgrade can take 10-15 minutes to complete. The Task Progress Report displays progress for each appliance.
8. (Optional) Go to nGeniusONE Console > Device Configuration > Devices, select the upgraded appliance, and click Information to verify that the upgrade was successful.

6.12.2 Appliance Software Upgrade Parameters


The Device Configuration > Software Upgrade option allows you to preserve existing partitions
or create factory default partitions. You cannot remotely modify device partitions. For
information about modifying device partitions, see the InfiniStream Hardware Appliance
Administrator Guide.

See these sections about upgrading device software parameters:

• Individual Device
• Multiple Devices

Upgrading an Individual Device

When you upgrade an individual InfiniStream appliance, you can choose to preserve existing
partitions or create factory default partitions, as shown below. Allowable ranges and defaults
vary depending on the appliance total disk free space.

Table 6.6 - Individual Device Upgrade Options

Option: Preserve all existing partitions on all selected systems
Description: (Default) When selected, preserves current partition sizes for all selected appliances.
Note: Existing NETSCOUT (Raw) file system partitions are not preserved.

Option: Create factory default partitions on all selected systems
Description: When selected, uses the default partition size for all selected appliances.

Upgrading Multiple Devices

When you upgrade multiple InfiniStream appliances, you can choose to preserve existing
partitions or create factory default partitions on each device.

Table 6.8 - Multiple Device Upgrade Options

Option: Preserve all existing partitions on all selected systems
Description: (Default) When selected, preserves current partition sizes for all selected appliances.

Option: Create factory default partitions on all selected systems
Description: When selected, uses the default partition size for all selected appliances.

6.12.3 Upgrading Data Source Software Remotely


Complete these steps to upgrade your data source software:

1. Ensure that your environment meets all prerequisites.
2. Choose one of these options (there is one option for nGeniusONE users):
   • Download the appropriate upgrade file to the <nGeniusONE install>/rtm/tftpboot directory on the nGeniusONE Server. In a distributed server environment, you can perform the upgrade from the Global Manager or from the Local Server that owns the appliance. Upgrade files have this naming format:
     is-[major version]-[build]-[topology].bin
     For example, a v5.4 build 500 upgrade file would be named: is-5400-500-eth.bin
     Note: MasterCare customers can download the binary upgrade files for the latest version of software from the NETSCOUT Support site:
     https://my.netscout.com/mcp/Pages/landing.aspx
     Refer to the appropriate software release notes for your appliance for specific instructions.
   • Schedule automatic software download. When using this method in a distributed server environment, you must download the files to the Global Manager.
3. Go to nGeniusONE console > Device Configuration > Upgrade Software > Data Source.
   Installed devices are listed with their current status, name, IP address, model number, version number and build, and description.
4. Select one or more appliances to upgrade.
   • A red icon in the Status column indicates the existence of an upgrade file with a higher version than the appliance is currently running. You can upgrade the associated device.
   • A green icon indicates that the appliance is already upgraded to the latest file version in the nGeniusONE Server upgrade file repository.
   Note: All selected devices must share the same topology. For example: eth (Ethernet).
5. Click Select file to upgrade.
   In the Software Package dialog box, each software package shows a unique version number that includes the device type, release version, build number, and topology.
6. Select the appropriate upgrade file (the dialog box displays only those software packages appropriate to the selected appliance) and click OK.
   Note: If you are upgrading vSTREAM Agent, you must determine which package you currently possess to select the correct package to upgrade. Supported packages are:
   • vSTREAM Agent on Linux via *.rpm (RHEL, CentOS, Fedora)
   • vSTREAM Agent on Linux via *.bin (Amazon Linux, Ubuntu, SUSE)
   • vSTREAM Agent on Windows Server via *.msi (2012 R2, 2016R2, 2018)
   • vSTREAM Agent on Windows Server via *.exe (2012 R2, 2016R2, 2018)
   • vSTREAM Agent Docker
   If you choose the wrong upgrade package, the upgrade is unsuccessful and an error message is displayed.
   Note: To delete a software package, select it, click Delete, and confirm the deletion.
7. Click Upgrade.
   The Upgrade Parameters dialog box is displayed.
8. Configure the upgrade parameters according to the type of upgrade you are performing:
   • Individual appliance
   • Multiple appliances
   Note: If you are upgrading vSTREAM Agent, configuring upgrade parameters does not apply; go to Step 9.
9. Click Upgrade and click OK to confirm.
   The software package is uploaded to the selected device(s).
   The Task Progress Report arrow displays detailed, step-by-step information as the upgrade progresses. In the case of multiple upgrades, progress displays for each individual device.
   After a successful upload, the appliance saves its current configuration, runs the binary upgrade executable, restores the configuration, and reboots. An upgrade can take 10-15 minutes to complete, including the automatic post-upgrade reboot of the device. You can click Details to view the progress.
   After the reboot, the upgraded device automatically requests a re-learn from nGeniusONE. In the Upgrade dialog box, a red icon is shown next to the device name. After the re-learn (usually within 60 seconds), the nGeniusONE Server updates the Upgrade dialog box by removing the red icon and updating the appliance description software version and build number.
10. (Optional) Refresh the Upgrade dialog box to view the new upgrade status for the appliance along with decode pack version and build number (the dialog does not refresh automatically). If you do not refresh, the information automatically updates at midnight.
11. (Optional) Go to nGeniusONE Console > Device Configuration > Devices, select the upgraded device and click Information to verify that the upgrade was successful.

Note: The first time the Agent starts after an upgrade, the CodecTable settings are
automatically backed up to CodecTable.V<n>. A new CodecTable is created that converts
previous codec settings, and also includes any new payload types. If you modified EVRC or
EVRC-B codecs, verify that your settings were carried forward. Copy any required changes
from the backed up CodecTable to the new CodecTable and restart the Agent to apply.

Troubleshooting
• If the upgrade file upload to the device fails (for example, due to network congestion or slow connectivity), restart the upgrade.
• If the upload completes, but the upgrade fails on the device, you must manually upgrade by logging directly into the device.
• These files may help diagnose issues:
  ◦ nGeniusONE Server:
    Global Manager: <Install directory>/rtm/log/debuglog-globalm-xxx.txt
    Local Server or standalone nGeniusONE Server: <Install directory>/rtm/log/debuglog-xxx.txt
  ◦ InfiniStream: /opt/platform/nsupgrade/upgrade.log
• If the device is not automatically relearned, use the nGeniusONE Server Relearn option to manually relearn: go to nGeniusONE Console > Device Configuration > Devices, select the device and click Relearn.

6.13 Additional Tasks


6.13.1 Changing Time Source and Time Zone
You specify the time source and time zone when you initially configure the system. For Linux-
based deployments, if needed, you can re-run the configuration script to change the time source
and/or time zone. For Windows-based deployments, refer to Configuring the Server (Windows).
• For time source, nGeniusONE supports use of PTP v1/v2 and NTP to synchronize servers and associated data sources.
• For time zones, a selection of time zones is offered when you run the script. For GMT, select London as your time zone.

6.13.2 Troubleshooting Issues and Solutions


This section provides possible issues that you may encounter when installing and/or launching
the nGenius software.

Installation

Issue: Installation fails due to missing RPMs
Possible causes and solutions: If you installed server software on a custom-built server, rather than a server with a kernel based on a NETSCOUT-provided ISO, the installation may fail due to missing RPMs. In that case, the installer identifies the list of missing RPMs and writes them to /tmp/missingrpm.txt.
Use this command to install the missing RPMs:
# sudo yum install -y $(cat /tmp/missingrpm.txt)
After installing the missing RPMs, rerun the binary installation file.

Issue: Installation is sluggish, appears to hang, or is unsuccessful
Possible causes and solutions: Before you install, do the following:
• Review System Requirements.
• Ensure you logged in with the correct privileges. For example, for Linux: Access the system command-line as the root user. If you have logged in as a different user and assumed privileges with su, be sure to use su -l <root account> so that the full environment is instantiated before you proceed.
• Close all other programs.
Note: Initialization of the nGeniusONE installation may take several minutes depending on your system specifications, including the DVD speed.

Issue: Error: Not enough space in the /tmp directory
Possible causes and solutions: You must have a minimum of 9 GB available space in your /tmp (Linux) or Temp (Windows) directory before installing nGeniusONE with the PM kit or 6 GB with the nGeniusONE kit.
For Linux platforms, you can optionally set the IATEMPDIR environment variable to an alternate directory.

Issue: Need to reinstall
Possible causes and solutions: If you encounter problems during installation and need to reinstall, contact Customer Support for assistance. When you contact Customer Support, have the following log files available (located in the <Install>/log directory):
• InstallLog.txt — Displays information including the date and time of each install/uninstall and the specific name and version of the software installed or uninstalled.
• nGenius-debug.txt — Contains a visual tree of the complete installation, enabling you to more easily identify areas of concern.
• _nGeniusONE_Install_<datestamp>.log — Displays installation details.

NETSCOUT Server and Services

Issue: Cannot connect to web server
Possible causes and solutions: Ensure that no third-party software conflicts with port 8080 (default).

Issue: Unable to contact or log in to the server at http://<HostName or IPaddress>:<port>
Possible causes and solutions: Ensure that:
• The web server and all services are running. If they are not, start the server (refer to Stopping and Restarting the System).
• The license is installed (refer to Installing the License).
• If login is prevented when using external authentication, review your authentication setup.

Issue: Server fails to start or stops unexpectedly
Possible causes and solutions: Ensure that:
• The license is installed (refer to Installing the License).
• (Windows only) The root directory name contains 29 or fewer characters with no spaces.
• The server IP address is not expired (if using a DHCP server). NETSCOUT recommends that the server be configured with a static IP address.

Issue: Invalid login messages when nGeniusONE Server is restarted
Possible causes and solutions: You are logged out. Close all browser windows, reopen a browser, clear the cache, and log back in.

Issue: The nGenius processes or software components generate warnings, behave erratically, or do not start
Possible causes and solutions: Verify the following:
• The nGenius software is installed on a dedicated server.
• The software was installed with the required user privileges.
• Any system screen saver is disabled.
• The database password is correct (refer to Changing the Database Password).

Issue: nGeniusONE on Windows does not automatically start after server restart.
Possible causes and solutions: Confirm that all nGeniusONE Windows services are registered correctly. See D.2 Windows Services.

Issue: Some processes fail to start
Possible causes and solutions: Check processes and services:
• Identify any processes not running. See D.3 Server Processes by Server Type.
• For Windows, also confirm that the nGeniusONE services are registered correctly. See D.2 Windows Services.
Notify NETSCOUT Customer Support of the following:
• Processes not running.
• Windows Services not registered correctly.

Issue: Server hangs or crashes
Possible causes and solutions: Review System Requirements.

Issue: Cannot start the server
Possible causes and solutions: If you have two NIC cards with different IP addresses, the server may be using the wrong address. Verify the IP address to be used for the server is listed first in your system hosts file, as described in Configure Basic Networking.

Issue: Need to stop the server
Possible causes and solutions: Refer to the following sections/resources:
• Stopping and Restarting the System
• Server Processes
Note: If any processes fail to stop, contact Customer Support for assistance.

Issue: nGenius application does not launch
Possible causes and solutions: Ensure that:
• The correct hostname and Host IP are listed in the hosts file (refer to Configure Basic Networking).
• The server IP address is not expired (if using a DHCP server). NETSCOUT recommends that the nGeniusONE server be configured with a static IP address.
• (Windows only) You did not use a cloned version of the Administrator account when you installed the nGeniusONE server.

Database and Data

Issue: Password errors occur when creating a database password
Possible causes and solutions: The following restrictions apply when creating or changing database passwords:
• 1 to 15 alphanumeric characters (first character cannot be a number)
• No non-printing characters such as spaces or tabs
• No PostgreSQL keywords
• Refer to Changing the Database Password.

Issue: Cannot interact with database
Possible causes and solutions: (Windows) Disable any continual-check-mode virus scanning software on the nGeniusONE Server.

Issue: Cannot collect data
Possible causes and solutions: Ensure that:
• The data sources are collecting data.
• The correct hostname and Host IP are listed in the hosts file.
• The product is properly licensed.
• The system has enough memory.

Issue: Database backup does not work
Possible causes and solutions: Database backup failures can be caused by various factors, such as:
• No database backup directory has been created.
• Incorrect path for the database backup directory
• No write permissions for the database directory
• Insufficient disk space

Licensing

Issue: License is invalid or expired
Possible causes and solutions: Ensure that:
• The correct hostname and Host IP are listed in the hosts file.
• The server IP address is not expired (if using a DHCP server). NETSCOUT recommends the server be configured with a static IP address.

Issue: Receive the following error: Licensing Error: “nGeniusONE Server not currently licensed”
Possible causes and solutions: If you have an evaluation license, the date that determines when your evaluation time ends is based on the client, not on the server.
For example, consider that your evaluation license ends on June 30th. If your nGeniusONE Server is located in the United States and your client system is in India, the date for the nGeniusONE Server could be June 30th while your client system in India is July 1st. Therefore, the client system in India can no longer access the nGeniusONE Server.

Uninstalling

Issue: Uninstalling is unsuccessful
Possible causes and solutions: Ensure you have stopped processes and have logged in as root (Linux) or with Administrator privileges (Windows).

Issue: Product directories, files, and registry keys are not removed
Possible causes and solutions: Review procedures in Uninstalling NETSCOUT Software.

Miscellaneous

Issue: Invalid command or path errors
Possible causes and solutions: The installation location directory name should not contain any spaces.

Issue: Unauthorized access to application files or lack of file-level security
Possible causes and solutions: (Windows only) Ensure that you convert the nGeniusONE Server hard disks to the NTFS file system.

Issue: Port conflicts
Possible causes and solutions: Ensure that you:
• Install nGeniusONE on a dedicated server.
• Make the required ports available to nGeniusONE.

Issue: Decode Pack upgrade errors
Possible causes and solutions: Ensure you are using the proper Decode Pack installers.
• Linux:
  ◦ 6.3.0 or higher – 64-bit installer
  ◦ 6.2.2 or lower – 32-bit installer
• Windows:
  ◦ 6.3.2 or higher – 64-bit installer
  ◦ 6.3.1 or lower – 32-bit installer

6.13.3 Adjusting Memory Allocation


Memory allocated to the nGeniusONE server processes is automatically calculated based on the
amount of physical RAM detected and distributed to each of the different nGeniusONE server
processes. Memory allocation values should be modified only with guidance from NETSCOUT
Customer Support.

6.13.4 Configuring Localization


nGeniusONE is supported in American English, along with the languages listed below. Use the
instructions below to prepare nGeniusONE to display in one of the alternate supported
languages. Note that this procedure is required before you install the software. If the software is
already installed, you must uninstall it, perform this procedure, then reinstall it.

For guidance configuring localized web login messages, refer to: Enabling a Login Security
Message

Note: If you need to uninstall the software, refer to Uninstalling NETSCOUT Software

Supported Languages
• English
• Japanese
• Korean
• Simplified Chinese

Configuring Localization

To ensure proper display of languages other than American English, you must perform the
following configuration before installing nGeniusONE on the server system.

1. Access the system command-line as the root user. If you have logged in as a different user and assumed privileges with su, be sure to use su -l <root account> so that the full environment is instantiated before you proceed.
2. Use the following command to determine what languages and character sets are installed:
   # locale -a
3. From that list, identify the code that matches the one you wish to configure (of the above supported sets).
4. Make a backup copy of the system internationalization file:
   # cp /etc/sysconfig/i18n /etc/sysconfig/i18n.bak
5. Edit the original file and modify the LANG= line to match the code you selected above. For example, given the file contents of:
   LANG="en_US.UTF-8"
   SYSFONT="latarcyrheb-sun16"
   You may opt to change the language to Japanese using:
   LANG="ja_JP.UTF-8"
   SYSFONT="latarcyrheb-sun16"
6. Save and exit the file.
7. Restart the system.
8. Reinstall the nGeniusONE software.

7 nGeniusONE Feature Configuration


Use these sections to configure nGeniusONE-specific features and functionality:
• Global Settings
• Decryption
• Packet Analysis Extended File Names

7.1 Global Settings


Use these sections to configure features and functionality using the Global Settings module:
• Applications
• Locations
• Communities
• Voice/Video

7.1.1 Global Settings - Applications


Use the following sections to configure features and functionality using Global Settings >
Applications.

7.1.1.1 Interpreting Diameter Application Message Names


nGeniusONE Console > Global Settings > Application Configuration > View: Messages shows
default, prepopulated messages for all applications. Be aware that message names for the
Diameter application may differ for packets monitored over TCP versus SCTP and, in some cases,
are abbreviated.

Use the table below as a guide to the abbreviated message names, if needed. In the table:
• The Short Message Name column corresponds to the Name designation in the nGeniusONE Messages screen.
• The Description column loosely corresponds to the Long name designation in nGeniusONE. These abbreviated message names are also displayed in the nGenius Performance Manager (UMC).

Note: Applications/Messages appear with slightly different syntax in nGenius Performance
Manager versus nGeniusONE modules. The values in the Short Message Name column below
indicate the nGenius Performance Manager syntax which, for some messages, includes a
prefix and suffix that indicate the protocol and transport type. Example: given a name like
D-CapabilityExchg-S, the D- indicates Diameter and the -S indicates SCTP. Such prefix/suffix
annotations are not present in the messages displayed in nGeniusONE.

Diameter Command Code (Parameter in GUI) | Short Message Name (Name) | Description (Long name) | Parent
--- | --- | --- | ---
257 | D-CapabilityExchg-S | CER/A - Capabilities Exchange Procedures | DIA_SCTP
257 | D-CapabilityExchg-T | CER/A - Capabilities Exchange Procedures | DIAMETER (TCP)
258 | ReAuth | ReAuth | DIA_SCTP
258 | D-ReAuth-T | RAR/RAA - Policy | DIAMETER (TCP)
265 | D-Authentic-S | AAR/AAA - Authentication Procedures | DIA_SCTP
265 | D-Authentic-T | AAR/AAA - Authentication Procedures | DIAMETER (TCP)
268 | D-EAP-S | DER/DEA - EAP Procedures | DIA_SCTP
268 | D-EAP-T | DER/DEA - EAP Procedures | DIAMETER (TCP)
271 | D-Account-S | ACR/A - Accounting Procedures | DIA_SCTP
271 | D-Account-T | ACR/A - Accounting Procedures | DIAMETER (TCP)
272 | D-CreditCtrl-S | CCR/CCA - Policy | DIA_SCTP
272 | D-CreditCtrl-T | CCR/CCA - Policy | DIAMETER (TCP)
274 | D-AbortSession-S | ASR/A - Abort Session Procedures | DIA_SCTP
274 | D-AbortSession-T | ASR/A - Abort Session Procedures | DIAMETER (TCP)
275 | D-SessionTerm-S | STR/STA - Session-Termination Procedures | DIA_SCTP
275 | D-SessionTerm-T | STR/STA - Session-Termination Procedures | DIAMETER (TCP)
280 | D-Watchdog-S | DWR/A - Device Watchdog Procedures | DIA_SCTP
280 | D-Watchdog-T | DWR/A - Device Watchdog Procedures | DIAMETER (TCP)
282 | D-DisconnectPeer-S | DPR/A - Disconnect Peer Procedures | DIA_SCTP
282 | D-DisconnectPeer-T | DPR/A - Disconnect Peer Procedures | DIAMETER (TCP)
285 | LocInfo | Location Info Request/Answer – IETF | DIA_SCTP
285 | LocInfo | Location Info Request/Answer – IETF | DIAMETER (TCP)
287 | RegTern | Registration Termination Request / Answer - IETF | DIA_SCTP
287 | RegTern | Registration Termination Request / Answer - IETF | DIAMETER (TCP)
288 | PushProfile | PushProfile Request/Answer - IETF | DIA_SCTP
288 | PushProfile | PushProfile Request/Answer - IETF | DIAMETER (TCP)
300 | UserAuthorztnAck | User Authorization Request/Answer | DIA_SCTP
300 | UA | User Authorization Request/Answer | DIAMETER (TCP)
301 | D-SrvcAssign-S | SAR/SAA - Server Assignment | DIA_SCTP
301 | D-SrvcAssign-T | SAR/SAA - Server Assignment | DIAMETER (TCP)
302 | LocationInfoAck | Location Info Request/Answer (LIR/LRA) – 3GPP | DIA_SCTP
302 | LI | Location Info Request/Answer (LIR/LRA) – 3GPP | DIAMETER (TCP)
303 | D-MMAuth-S | MAR/MAA - Authentication Procedures | DIA_SCTP
303 | D-MMAuth-T | MAR/MAA - Authentication Procedures | DIAMETER (TCP)
304 | RegTermAck | Registration Termination Request/Answer (RTR/RTA) – 3GPP | DIA_SCTP
304 | RT | Registration Termination Request/Answer (RTR/RTA) – 3GPP | DIAMETER (TCP)
305 | PushProfileAck | Push Profile Request/Answer (PPR/PPA) – 3GPP | DIA_SCTP
305 | PP | Push Profile Request/Answer (PPR/PPA) – 3GPP | DIAMETER (TCP)
306 | UserData | User Data (UDR/UDA) | DIA_SCTP
306 | D-UserData-T | User Data (UDR/UDA) | DIAMETER (TCP)
307 | PrU | Profile Update Request/Answer (PUR/PUA) | DIA_SCTP
307 | PrU | Profile Update Request/Answer (PUR/PUA) | DIAMETER (TCP)
308 | SN | Subscriber Notification Request/Answer (SNR/SNA) | DIA_SCTP
308 | SN | Subscriber Notification Request/Answer (SNR/SNA) | DIAMETER (TCP)
309 | PN | Push Notification Request/Answer (PNR/PNA) | DIA_SCTP
309 | PN | Push Notification Request/Answer (PNR/PNA) | DIAMETER (TCP)
310 | Bootstrapping Info | Bootstrap Info Request/Answer | DIA_SCTP
310 | BI | Bootstrap Info Request/Answer | DIAMETER (TCP)
311 | Message Process | Message Process Request/Answer | DIA_SCTP
311 | MP | Message Process Request/Answer | DIAMETER (TCP)
316 | D-UpdateLoc-S | ULR/ULA - Location Mgmt Procedures | DIA_SCTP
316 | D-UpatedLoc-T | ULR/ULA - Location Mgmt Procedures | DIAMETER (TCP)
317 | D-CancelLoc-S | CLR/CLA - Location Mgmt Procedures | DIA_SCTP
317 | D-CancelLoc-T | CLR/CLA - Location Mgmt Procedures | DIAMETER (TCP)
318 | D-AuthInfo-S | AIR/AIA - Authentication Procedures | DIA_SCTP
318 | D-AuthInfo-T | AIR/AIA - Authentication Procedures | DIAMETER (TCP)
319 | D-InSubData-S | IDR/IDA - Subscriber Data Procedures | DIA_SCTP
319 | D-InSubData-T | IDR/IDA - Subscriber Data Services | DIAMETER (TCP)
320 | D-DelSubData-S | DSR/DSA - Subscriber Data Procedures | DIA_SCTP
320 | D-DelSubData-T | DSR/DSA - Subscriber Data Procedures | DIAMETER (TCP)
321 | D-PurgeUE-S | PUR/PUA - Location Mgmt Procedures | DIA_SCTP
321 | D-PurgeUE-T | PUR/PUA - Location Mgmt Procedures | DIAMETER (TCP)
322 | Reset Request/Answer | Reset Request/Answer | DIA_SCTP
322 | RS | Reset Request/Answer | DIAMETER (TCP)
323 | D-Notify-S | NOR/NOA - Notification Procedures | DIA_SCTP
323 | D-Notify-T | NOR/NOA - Notification Procedures | DIAMETER (TCP)
324 | D-ME-Id-Check-S | ECR/A - ME-Identity-Check Procedures | DIA_SCTP
324 | D-ME-Id-Check-T | ECR/A - ME-Identity-Check Procedures | DIAMETER (TCP)
500 | RegAuth | RegAuth | DIA_SCTP
500 | RegAuth | RegAuth | DIAMETER (TCP)
501 | LocUpdate | LocUpdate | DIA_SCTP
501 | LocUpdate | LocUpdate | DIAMETER (TCP)
995 | Diameter Session Query-Request/Answer | Diameter Session Query-Request/Answer | DIA_SCTP
995 | SQ | Diameter-Session Query-Request/Answer | DIAMETER (TCP)
998 | Route Update Request/Answer | Route Update Request/Answer | DIA_SCTP
998 | RU | Route-Update-Request/Answer | DIAMETER (TCP)
999 | Diameter Binding Request/Answer | Diameter Binding Request/Answer | DIA_SCTP
999 | DB | Diameter-Binding-Request/Answer | DIAMETER (TCP)
8388620 | ProvideLocation | Provide Subscriber Location | DIAMETER (TCP)
8388621 | LocationReport | Subscriber Location Report | DIAMETER (TCP)
8388635 | D-SpendLimit-T | SLR/SLA - Spending Limit Procedures | DIAMETER (TCP)
8388636 | D-SpendStatus-T | SNR/SNA - Spending Status Notification Procedures | DIAMETER (TCP)
268$VDR_EAP-AUTN | D-EAP-Auth-T | DER/DEA - EAP Authentication Procedure | DIAMETER (TCP)
268$VDR_EAP-IDN | D-EAP-Identity-T | DER/DEA - EAP Identity Procedure | DIAMETER (TCP)
272$AVP_416_INT_1 | D-CreditCtl-Init-T | CCR/A - Policy Initiate Procedures | DIAMETER (TCP)
272$AVP_416_INT_2 | D-CreditCtl-Upd-T | CCR/A - Policy Update Procedures | DIAMETER (TCP)
272$AVP_416_INT_3 | D-CreditCtl-Term-T | CCR/A - Policy Terminate Procedures | DIAMETER (TCP)

7.1.1.2 Importing Custom Applications from One nGeniusONE Server to Another


Users with Network Administrator privileges can import custom applications from one same-
version nGeniusONE Server to another. Importing applications imports Application Group
associations, but not the Application Groups, which are created on, or imported to, the
destination server as an optional step in the import procedure.

Note: You do not need to import applications in these scenarios:


l After an upgrade—Custom applications are preserved during upgrade.
l In a distributed server environment—The Global Manager controls the configuration of
all devices, and applies your custom applications to each Local Server.

The import process does not overwrite existing applications—rules are applied to prevent you
from importing duplicate applications or overlapping ports. If an error occurs during an import,
the Task Progress dialog box reports the error in one of these log files, on a:


l Standalone server—<nGeniusONE install>/tomcat/content/temp/importGlobalSettings.txt


l GM/DGM server—<nGeniusONE install>/tomcat/gmcontent/temp/importGlobalSettings.txt

Examine the log file to determine the reason for the import error. Example of an error logged in
the importGlobalSettings.txt file:
The following active protocols were not Imported
A_DiameterSQLqry , Probe
null , null

To resolve and successfully import applications, fix the error(s) and:


l Retry your import task.
l Add the application(s) manually.

Complete these steps to import custom applications from a source nGeniusONE server to a
destination same-version nGeniusONE server:

1. Export the custom applications from the source nGeniusONE Server.


2. Log on to the destination nGeniusONE Server.
3. (Optional) Choose one of these options to assign applications to an Application Group:
l On the destination nGeniusONE Server, create Application Groups using the same
names as any Application Groups that exist on the source nGeniusONE Server.
l Import Application Groups from the source nGeniusONE Server to the destination
nGeniusONE Server.
Note: Create matching Application Groups in the destination server before you start the
import. Name matching is not case sensitive. For example, MY_GROUP is equivalent to
my_group.
The import process associates each custom application with the same Application Group
with which it was associated on the source nGeniusONE Server—if the same group exists
on the destination nGeniusONE Server. If no matching group exists, the imported
application is associated with the "Other" application group.
4. From the destination nGeniusONE Server console, click Global Settings > Application
Configuration > Import applications, KPI settings and group associations.
5. Navigate to the export file you previously saved (see Step 1).
6. Verify that the filename displays in the File name field of the File Upload screen and click
Open. Monitor the Task Progress Report status, which can be:
l Success—The import completes with no name modifications required, no duplicate
application encountered, and the imported application definitions were successfully
applied to the devices.
l Warning or Errors—When any of these issues occur:
o Names were modified
o Duplicate applications were encountered and not imported
o Application definitions were not successfully applied to the devices


If Warning or Errors are shown in the Task Progress Report, click Details and
select the Warnings or Errors tab for more information. For name modifications,
or duplicate applications not being imported, the Details column displays the
directory where you can locate the ImportGlobalSettings.txt file, which provides
more information. When you finish viewing the details information, click Close.
7. Verify that the applications are imported—shown in Application Configuration.
8. Verify that the Application Group associations were successfully imported—display the
Application Configuration > Groups tab and select a group to display its members
(applications) in the Protocols pane.

7.1.1.3 Adding New Messages to Diameter Applications


You can add new messages in Global Settings to these applications only:
l Diameter
l Diameter_SCTP

These additional options are available:


l The Modify dialog box permits changing Long name and Parameter values (unlike other
default applications).
l The CLA command to add or modify application messages.
l The Export and Import of messages is supported.

Note: Because an XML mapping file corresponding to the modified application is not
automatically updated, you must edit the XML mapping file each time you add, modify, or
delete a custom Diameter or Diameter_SCTP application message.

You can use the procedure in this section to add Diameter and Diameter_SCTP application
messages. For those Diameter application messages whose ID is greater than 999, additional
configuration is required.

Note: In a distributed environment, create the message and execute the script on a Global
Manager.

1. Use the nGeniusONE Console and go to Global Settings > Application Configuration >
View: Messages.
2. Select either the Diameter or Diameter_SCTP application set and click to expand your
selection.

3. Click Add Application and enter (Command Code) values in the Add Application
fields, as shown in the example below. The Parameter value maps to the SessionKeyValue
referenced in the getCustomMessages.sql script.


4. Click OK and Apply to save and apply your configuration.


5. Access the command line of the nGeniusONE Server, change directory to <nGeniusONE
install>\rtm\bin, and run the getCustomMessages.sh or .bat script (depending on your
operating system type) to display the new message and its MessageID.
6. As shown in this example, open the getCustomMessages.txt file to find the Message ID
(the fourth entry in the example list—32771):

7. On the nGeniusONE Server, use a text editor to access the
<nGeniusONE install>/rtm/epm/xml/ADM/mapping/message-id-mapping.xml file.
8. Make a copy of the message-id-mapping.xml file before editing the original.
9. Scroll to the bottom of either the Diameter TCP or Diameter_SCTP section of the file and
add one or more strings containing these new values:
l Message Name—The Short name field value you entered in the Add Application dialog
box. Any character is accepted.
l MessageID—The value returned by the getCustomMessages script.
l SessionKeyValue—The Parameter field value (mapping number) you entered in the
Add Application dialog box.
The MappingType or SessionKeyName values remain the same as those displayed in other
Diameter strings. Because values are delimited by spaces, do not use spaces in your
entries.
Example:
<Message Name="Custom1101" MessageID="32771" MappingType="SESSION_KEY"
SessionKeyValue="1101" SessionKeyName="DIAMETER_COMMAND_CODE"/>
10. Save and close the message-id-mapping.xml file.
11. In a distributed system, copy the message-id-mapping.xml file to each server.

12. Refresh all affected servers to synchronize with the InfiniStream appliance.
13. Choose one of these options:
l If the Common Code value is less than 999, the configuration is complete; go to Step
16.
l If the Common Code value is greater than 999, go to Step 15.
14. Complete these steps:
a. Perform a packet decode on Diameter traffic to learn the ApplicationId, as shown
below.

b. On the InfiniStream, use a text editor to access the
<install_directory>/config/diameter-application-id.cfg file with the ApplicationID associated
with the message.
c. Add the value reported in the packet capture performed earlier. For example:
16777998
d. Close and save the diameter-application-id.cfg file.
15. Reset the InfiniStream; refer to Command-Line Object: reset in the Agent
Configuration Utility Administrator Guide.
Note: Upgrading the nGeniusONE Server overwrites the diameter-application-id.cfg file,
and displays this message in the Modify Application dialog.

16. (Optional) To enable decode support for these messages, use the following procedure:
Note: Applicable only when both the data source and the nGeniusONE server are running
v6.2 or later.
a. From the system command line on the nGeniusONE server and the data source, verify
that this file is present (verify only; do not modify):
/opt/NetScout/rtm/pa/decodepack/config/config_diameter_dictionary.xml


b. On the nGeniusONE server, add the following property in the
<nGeniusONE install>/rtm/pa/prtclproperties.cfg file, or in the Decode As>Protocol Properties tab.
diameter.enable_dictionary=true
17. (Optional) Customize AVPs in the dictionary for v6.2 or later deployments.
a. Configure the diameter.enable_dictionary=true property as noted in the
previous step, above.
b. From the system command line of the nGeniusONE server create a file with the
following name in the indicated location:
filename: config_diameter_dictionary.xml
location: /opt/NetScout/rtm/pa/decodepack/custom/
Do not modify the existing file of the same name in the config directory.
c. Edit the file and create entries with the following syntax (refer to the config directory
version of the file for reference using this syntax; do not modify it).
<avp name="AVP_NAME1" code="XXXXX0" vendor-id="Vendor_id1">
    <type type-name="IPAddress"/>
</avp>

<avp name="AVP_NAME2" code="XXXXX1" vendor-id="Vendor_id2">
    <type type-name="Unsigned64"/>
</avp>

<avp name="AVP_NAME3" code="XXXXX2" vendor-id="Vendor_id3">
    <type type-name="UTF8String"/>
</avp>

<avp name="AVP_NAME4" code="XXXXX3" vendor-id="Vendor_id4">
    <type type-name="Unsigned32"/>
</avp>

<avp name="AVP_NAME5" code="XXXXX4" vendor-id="Vendor_id5">
    <type type-name="Time"/>
</avp>

<avp name="AVP_NAME6" code="XXXXX5" vendor-id="Vendor_id6">
    <grouped>
    </grouped>
</avp>
d. Save and exit the file. AVPs listed in this file (in the custom directory) take precedence
over entries for the same AVP in the default file (config directory).
18. (Optional) If you want to launch Session Analysis or access the Diameter Monitor,
complete these steps:
a. On the nGeniusONE Server, use a text editor to access the
<install_directory>/NEI/config/mapping/diameter-command-code.xml file.
b. Make a backup copy of the diameter-command-code.xml file.
c. Open the original diameter-command-code.xml file, and add a line with a Lookup Key
and display string using the correct custom message information. For example:


<Lookup key="1101" displayString="Custom1101"/>


d. Save and close the diameter-command-code.xml file. In a distributed system, copy the
diameter-command-code.xml file to each server.
e. Perform a Restart on the nGeniusONE Server.
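
The checks behind steps 9, 13, 14 and 18 above, as an added Python example (not NETSCOUT code): it decodes the fixed 20-byte Diameter header defined in RFC 6733 to read the Command Code and Application-ID, then builds the message-id-mapping.xml and diameter-command-code.xml entries shown on this page. The sample header, the existing-section fragment, the function names and the duplicate check are constructed for illustration; the MessageID must still come from the getCustomMessages script.

```python
import struct
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: a header-only Diameter request with the Command Code
# (1101) and Application-ID (16777998) used as examples on this page.
SAMPLE_HEADER = (bytes([1]) + (20).to_bytes(3, "big") + bytes([0x80]) +
                 (1101).to_bytes(3, "big") +
                 struct.pack("!III", 16777998, 0x11111111, 0x22222222))

# Constructed stand-in for the end of one Diameter section of
# message-id-mapping.xml (the real file's surrounding structure is not shown).
EXISTING_SECTION = (
    '<Message Name="Custom1100" MessageID="32770" MappingType="SESSION_KEY" '
    'SessionKeyValue="1100" SessionKeyName="DIAMETER_COMMAND_CODE"/>')


def parse_diameter_header(data):
    """Decode the fixed 20-byte Diameter header (RFC 6733, section 3)."""
    if len(data) < 20:
        raise ValueError("need 20 header bytes, got %d" % len(data))
    if data[0] != 1:
        raise ValueError("unsupported Diameter version %d" % data[0])
    length = int.from_bytes(data[1:4], "big")
    if length < 20 or length % 4:
        raise ValueError("invalid Diameter message length %d" % length)
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", data[8:20])
    return {
        "length": length,
        "request": bool(data[4] & 0x80),          # R flag: request or answer
        "command_code": int.from_bytes(data[5:8], "big"),
        "application_id": app_id,                  # value for step 14c
        "hop_by_hop": hop_by_hop,
        "end_to_end": end_to_end,
    }


def needs_application_id_cfg(command_code):
    """Codes above 999 need the diameter-application-id.cfg step."""
    return command_code > 999


def used_values(section_xml):
    """Return the MessageID and SessionKeyValue sets already in a section."""
    root = ET.fromstring("<section>%s</section>" % section_xml)
    messages = list(root.iter("Message"))
    return ({m.get("MessageID") for m in messages},
            {m.get("SessionKeyValue") for m in messages})


def build_entries(short_name, message_id, command_code, section_xml=""):
    """Return the <Message> and <Lookup> lines for one custom message."""
    # The guide warns that values are space-delimited: reject any whitespace.
    if not short_name or any(ch.isspace() for ch in short_name):
        raise ValueError("short name must be non-empty and contain no spaces")
    if not 0 < command_code <= 0xFFFFFF:
        raise ValueError("command code must fit the 24-bit header field")
    if message_id <= 0:
        raise ValueError("MessageID must be a positive integer")
    ids, keys = used_values(section_xml)
    # Assumption: a MessageID or key already present in the section is an error.
    if str(message_id) in ids:
        raise ValueError("MessageID %d is already mapped" % message_id)
    if str(command_code) in keys:
        raise ValueError("SessionKeyValue %d is already mapped" % command_code)
    # Escape markup characters so the edited file stays well-formed XML.
    name = escape(short_name, {'"': "&quot;"})
    message = ('<Message Name="%s" MessageID="%d" MappingType="SESSION_KEY" '
               'SessionKeyValue="%d" SessionKeyName="DIAMETER_COMMAND_CODE"/>'
               % (name, message_id, command_code))
    lookup = '<Lookup key="%d" displayString="%s"/>' % (command_code, name)
    return message, lookup


if __name__ == "__main__":
    header = parse_diameter_header(SAMPLE_HEADER)
    print("Command Code:", header["command_code"])
    print("Application-ID:", header["application_id"])
    print("Extra cfg step:", needs_application_id_cfg(header["command_code"]))
    for line in build_entries("Custom1101", 32771, header["command_code"],
                              EXISTING_SECTION):
        print(line)
```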

7.1.1.4 Adding and Modifying Market Data Feed Applications


Complete these steps to add and modify Market Data Feeds (MDF) applications:

1. From the nGeniusONE console, go to Global Settings > Application Configuration >
View: Market Data Feed.
2. Choose one of these options:
l To modify an existing MDF application, select the application you want to modify, click
Modify Application, and go to Step 4.
l To add a single MDF application, select a Product (a protocol stack) from the list, click
Add Application, and go to Step 4.
l To add multiple MDF applications simultaneously, use the bulk import command.

Command to Bulk Import MDFs


Use this command to import multiple MDFs:
addMDFfeeds <username> <password> <seed file path>
Run the command in this directory:
<nGeniusONEinstall>/rtm/cla
Depending on whether the server uses Linux or Windows, refer to these examples:
Linux PM example:
./addMDFfeeds a netscout1 nsdqfeed81.txt
./addMDFfeeds a netscout1 nysefeed81.txt
./addMDFfeeds a netscout1 siacfeed.txt
Windows PM example (DOS console):
addMDFfeeds a netscout1 nsdqfeed81.txt
addMDFfeeds a netscout1 nysefeed81.txt
addMDFfeeds a netscout1 siacfeed.txt
3. Go to Step 8.
4. In the Add/Modify Application dialog box, configure the required information. Ensure that
you observe the special character usage rules.
5. Configure the monitoring options you want to apply.
6. (Optional) Configure Responsiveness and Packet Loss KPI alarms.
7. Click Add and Apply to save and apply your configuration.
8. (Optional) Log into the Agent Utility and enable xDRs (using the Toggle enable xDR
command) and extended FIS (using the Toggle Extended FIS command) to ensure that
the MDF monitor displays data. Refer to the Agent Configuration Utility Administrator Guide.

Note: You can delete user-configured (custom) MDF applications.

The MDF Monitor displays MDF application monitoring information.


Configuring MDF Application Messages

Complete these steps to configure specific MDF application messages:

1. From the nGeniusONE console, go to Global Settings > Application Configuration >
View: Messages.
2. Expand the MDF Market/Product for which you want to view application messages.
3. Right-click on any of these messages (you cannot configure any other messages):
l Keep Alive
l Market Data
l MDF Latency
l Retransmission
l Retx Request
l Retx-req-ack
l Type A
l Type B
Note: All of these messages are shared with every MDF application. Type A and Type B
messages can be applied to create custom MDF application message types.
4. Choose any of these options from the right-click menu to configure the message:
l Modify > Short Name
l Reset Default Short Name
l Activate
l Deactivate
l Configure Responsiveness
l Configure KPI Alarm
5. Click Apply.

Use the MDF Monitor > Column Management to select and display KEI message metric
columns.

Configuring Latency Monitoring as Messages

Latency is:
l Computed as the difference between the packet time stamp and the exchange time stamp
encoded in the message payload.
l Reported for a subset of MDF applications—those that have microsecond timestamps
encoded in their packet payload.
l Configured as a message (MDF > MDF Latency) which must be activated and can be
configured for an alert (using Alert profiles in Service Configuration). Response Time,
Timeouts, and Successful/Failed transactions are reported for this message in the MDF
Monitor.

Complete these steps to configure latency monitoring as messages:


1. Go to Global Settings > Application Configuration > View: Market Data Feed.


2. Select one of these applications (you cannot configure latency monitoring for any other
messages):
l SIAC NMS CTS
l SIAC NMS CQS
l NASDAQ OMDF UTDF
l NASDAQ OMDF UQDF
3. Click Add Application and configure the required information.
4. (Optional) Click Select monitoring options (the monitoring options icon) to configure the
monitoring options you want.
5. Click Add and Apply to save and apply your configuration.
6. Log into the Agent Utility and enable xDRs (using the Toggle enable xDR command) and
extended FIS (using the Toggle Extended FIS command). Refer to the Agent
Configuration Utility Administrator Guide.
7. (Optional) Check MDF latency details (using Command-Line Object: efis). Refer to the Agent
Configuration Utility Administrator Guide.
8. (Optional) Configure an Alert profile in Service Configuration.

7.1.1.5 Accessing Custom Applications with Command Line Device Tools


By default, you can access the standard applications using:
l nGeniusONE Global Settings > Application Configuration (you can also access custom
applications using this method).
l The Command Line Device Tools.

If you want to use Command Line Device Tools to access custom applications, you must execute
the getProtocolList.sql script. The script updates the data file used by Command Line Device Tools
to include any custom applications you have configured. Execute the script while your database
is running.

Complete these steps to allow the Command Line Device Tools access to your custom
applications:

1. On the nGeniusONE server, navigate to the <nGeniusONE install>/rtm/bin directory.


2. Execute one of these commands:
l Windows—nGeniusSQL getProtocolList.sql protocol.dat -H
l Linux—./nGeniusSQL.sh getProtocolList.sql protocol.dat -H
3. If any custom applications were not imported to the Command Line Device Tools, examine
the importGlobalSettings.txt file for errors.

7.1.1.6 Configuring the Recording (Slice Size) for Applications


NETSCOUT provides deep parsing of packet headers. Examining only control data in decodes
limits processing, still reveals who and where traffic is routed and whether errors occurred in
delivery, and avoids storing unnecessary user data. Limiting slice size also enhances security by
allowing users with the Help Desk or Network Operator role to capture and view packet header
information without seeing actual packet content.

Complete these steps to configure Recording (slice size), per application:

1. From the nGeniusONE console, click Global Settings > Application Configuration.
2. Select the appropriate application. Shift-click, Ctrl-click, or click and drag to select multiple
applications.
3. Right-click the application and select Recording.
   o Default — Apply the default recording size (128 bytes). You can modify the default
     slice size:
      a. Navigate to each of the following properties files on the server (refer to
         NETSCOUT Server Administrator Guide):
         client.properties (<nGeniusONE install>/rtm/html)
         serverprivate.properties (<nGeniusONE install>/rtm/bin)
         globalmanager.properties (<nGeniusONE install>/rtm/bin) — Global
         Manager and Dedicated Global Server only
      b. Create a backup copy of each file.
      c. Using a text editor, add the following property to each file:
         deviceutil.slicesize=<value>
         where <value> can be in the range from 0 to 65535, and:
         0 = None.
         2047 = Full Optimized, if the application supports the recording option of Full
         Optimize; otherwise, it is a Custom slice size.
         65535 = Full.
      d. Save and close each file.
      e. Restart the server.
   o Full — Capture the entire packet; no slice size applied.
   o None — Do not capture packets.
   o Full Optimized (AST) — NETSCOUT's deep parsing of packet headers captures
     only control data to limit processing, discover who and where traffic is routed and
     whether errors ensued in delivery, and dispenses with unnecessary user data
     storage.
   o Custom — Shows the Edit Custom Recording Size dialog box; enter the recording
     size you want and select one of these recording start options:
     Packet Start—The octets stored are always counted from the first byte of the
     packet. Example: Using this option and a custom recording size of 100 for HTTP,
     the 100 bytes will start from the ethernet header.


     Application Payload—The octets are always counted from the start of the
     application payload in the packet. Example: Using this option and a custom
     recording size of 100 configured for HTTP, the 100 bytes will start from the HTTP
     header. For example, for a non-tunneled HTTP packet, the stored packet will have
     the full ethernet header, IP header, and 100 bytes of HTTP.
   Notes:
   Custom settings are indicated by , followed by the slice size, in the Recording column.
   Recording (slice) size settings are not modified by upgrades.
4. Click Apply to save your changes.

Notes:
l Setting the Agent Utility change capture slice size command (refer to Change capture
slice size in the Agent Configuration Utility Administrator Guide) overrides the application
slice size set in Global Settings if the InfiniStream slice size is the smaller of the two
parameters. For example, for an HTTP packet, if the command line slice size is set to 100
bytes, and the Global Settings slice size is set to 50 bytes, the interface 3 HTTP packet
slice size setting will be 50 bytes.
l The set rtp_ast <ifn> <on | off> command (refer to Command-Line Object: rtp_ast in
the Agent Configuration Utility Administrator Guide) in InfiniStream enables per interface
override of the slice size configuration for Audio and Video traffic. If the slice size option
for Audio or Video is set to Full Optimized, with this command you can disable that
setting per interface on the appliance and capture full packets for that interface. Be
aware that when AST is enabled, Audio packets within RTP streams are recorded with
different slice sizes depending on their size. For example, a 222-byte packet is recorded
as a 128-byte slice while a 66-byte packet is recorded as a 58-byte slice. So to avoid a
situation where two InfiniStreams record RTP packets in different sizes with the same
Global Settings configuration of Full Optimized for the Audio application, be sure to
configure set rtp_ast <ifn>=on.
l You can limit slice size for specific user accounts (refer to NETSCOUT Server Administrator
Guide).
l Mobile customers — For DHCP and DNS, the recording size setting must be set to Full to
correctly correlate GSM Mobile sessions in the GPRS/UMTS Intelligence view.
l Although you can set slice size settings for IuPS and S1AP children, the setting is
applied to the parent applications (RANAP and S1AP respectively) only.
l Be aware that setting an application's slice size to 0 will cause packet recording statistics
to be marked as rejected.
l To avoid incomplete capture errors when exporting WAV files, set the recording size for
Audio to Full.
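
The Packet Start and Application Payload definitions above, applied to a constructed Ethernet II / IPv4 / TCP frame, as an added Python example (not NETSCOUT code) that reports how many application payload bytes a given slice size would store. It assumes that every header preceding the payload is kept in Application Payload mode (the guide lists the ethernet and IP headers), takes the smaller-value rule from the Agent Utility note above, and does not model Full Optimized (AST); the frame contents and function names are constructed.

```python
import struct

SLICE_NONE, SLICE_FULL = 0, 65535   # deviceutil.slicesize values from the guide

# Constructed sample frame: Ethernet II + IPv4 + TCP + an HTTP request.
PAYLOAD = (b"GET /account?id=1234 HTTP/1.1\r\n"
           b"Host: example.test\r\n"
           b"Cookie: session=constructed-value\r\n\r\n")
SAMPLE_FRAME = (
    bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00" +
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(PAYLOAD), 0, 0, 64, 6, 0,
                bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) +
    struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x18, 65535, 0, 0) +
    PAYLOAD)


def payload_offset(frame):
    """Return the offset of the TCP payload in an Ethernet/IPv4/TCP frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off = 14
    if ethertype == 0x8100:                       # one 802.1Q VLAN tag
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        off = 18
    if ethertype != 0x0800:
        raise ValueError("only IPv4 is handled in this example")
    if len(frame) < off + 20:
        raise ValueError("truncated IPv4 header")
    ihl = (frame[off] & 0x0F) * 4                 # header length incl. options
    if frame[off] >> 4 != 4 or ihl < 20:
        raise ValueError("malformed IPv4 header")
    if frame[off + 9] != 6:
        raise ValueError("only TCP is handled in this example")
    tcp = off + ihl
    if len(frame) < tcp + 20:
        raise ValueError("truncated TCP header")
    data_offset = (frame[tcp + 12] >> 4) * 4      # TCP header incl. options
    if data_offset < 20:
        raise ValueError("malformed TCP header")
    return tcp + data_offset


def effective_slice(global_slice, agent_slice=None):
    """Agent Utility slice size wins only when it is the smaller value."""
    if agent_slice is None:
        return global_slice
    return min(global_slice, agent_slice)


def stored_bytes(frame, slice_size, start="packet"):
    """Return (bytes stored, application payload bytes among them)."""
    if not 0 <= slice_size <= 65535:
        raise ValueError("slice size must be in the range 0 to 65535")
    headers = payload_offset(frame)
    if slice_size == SLICE_NONE:
        return 0, 0
    if slice_size == SLICE_FULL:
        stored = len(frame)
    elif start == "packet":                       # counted from first byte
        stored = min(len(frame), slice_size)
    elif start == "payload":                      # counted from payload start
        stored = min(len(frame), headers + slice_size)
    else:
        raise ValueError("start must be 'packet' or 'payload'")
    return stored, max(0, stored - headers)


if __name__ == "__main__":
    print("headers end at byte", payload_offset(SAMPLE_FRAME))
    for size, start in [(128, "packet"), (100, "packet"), (54, "packet"),
                        (20, "payload")]:
        stored, exposed = stored_bytes(SAMPLE_FRAME, size, start)
        print("%3d from %-7s -> stored %3d, payload bytes %2d"
              % (size, start, stored, exposed))
        print("   ", SAMPLE_FRAME[payload_offset(SAMPLE_FRAME):stored])
```

Under these definitions a Packet Start slice stores application payload whenever it exceeds the header length of the packet (54 bytes in the constructed frame), so a header-only capture needs a slice at or below that length.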

7.1.1.7 Configuring Response Time Buckets for Applications


You must be assigned the Response Time Configuration privilege to modify response time
bucket boundaries—go to nGeniusONE Console > Server Management > User Management >
Roles.


Understanding Responsiveness and Response Time Buckets

The Global Settings > Application Configuration > View: <category> > Select monitoring
options (the monitoring options icon) > Responsiveness option allows you to configure upper
limits (boundaries) for these response time buckets, per application:
l 1 - Fast
l 2 - Expected
l 3 - Degraded
l 4 - Service Level—Values that exceed this boundary fall into bucket 5 (Availability-High
Jitter).
l 5 - Availability (High Jitter)—Values that exceed this boundary fall into bucket 6 (Time Out-
Max Jitter).
l 6 - Time Out (Max Jitter)—Response times greater than that configured for bucket 5 fall into
bucket 6; you do not need to configure a boundary for bucket 6.

Note: The boundaries you set for the Service Level and Availability buckets define the
thresholds for KPI Responsiveness metrics and KPI Responsiveness alarms.

For non-cyclical Baseline and Threshold alerts based on average response time, the Warning and
Critical severity levels are determined by the response time bucket boundaries for applications in
the service:
l Response times greater than the Fast bucket boundary generate alerts labeled Warning.
l Response times greater than the Degraded bucket boundary generate alerts labeled
Critical.
l Refer to "Configuring Alert Profiles for Application and Network Services" in the
nGeniusONE Help for more information.

For KPI error code alerts, Warning and Critical severity levels and minimum transaction
thresholds are determined by KPI error codes defined for applications in Global Settings.

Response Time bucket boundaries are applied to Service Alerts and Reports. You can view
response times for locations, clients, servers, applications (or combinations of these) using
various response time views in the service monitors.

Understanding Ageout Monitoring

The Select monitoring options (the monitoring options icon) > Responsiveness option dialog
box does not specifically configure ageout values.

Ageouts and Timeouts are reported and displayed separately in applicable Service Monitors to
better identify cases for which no response was received:
l Timeouts are reported when a response is received but is longer than the Bucket 5 interval.
l Ageout increments differently, depending on the socket age interval or, in the case of
transactional applications (occurring at the TCP Layer), when it reaches a threshold two
times as great as the Bucket 5 interval.


l Applications that have external tables (request/responses are not received on the same IP
address/port pairs) age out based on that particular application's responsiveness
implementation—refer to Customizing Ageout / Timeout Intervals in the Agent
Configuration Utility Administrator Guide for those applications which use ageout and timeout
interchangeably.

Configuring Response Time Buckets

Complete these steps to configure response time bucket boundaries:

1. For the nGeniusONE server, use the Agent Configuration utility to ensure that the
Software Options > Response Time Monitor is set to on (enabled by default).
2. From the nGeniusONE console, select Global Settings > Application Configuration and
use the View drop down to choose an application category.
3. Navigate to and select one or more supported applications. (If the Responsiveness option
is inactive, one or more selected protocols are not supported.) Shift-click, Ctrl-right-click, or
click and drag to make multiple selections.
4. Click Select monitoring options (the monitoring options icon) > Responsiveness to
display the Responsiveness dialog box.
5. Use this table to enter response time boundary values:

Bucket  Label*                      Default Boundaries (Milliseconds) at Installation
1       Fast                        MDF Apps: 0-5; Trading Apps: 0-1; Enterprise Apps: 0-50
2       Expected                    MDF Apps: 6-25; Trading Apps: 2-5; Enterprise Apps: 51-200
3       Degraded                    MDF Apps: 26-100; Trading Apps: 6-25; Enterprise Apps: 201-1000
4       Service Level               MDF Apps: 101-1000; Trading Apps: 26-100; Enterprise Apps: 1001-2000
5       Availability (High Jitter)  MDF Apps: 1001-10000; Trading Apps: 101-1000; Enterprise Apps: 2001-10000
6       Timeouts (Max Jitter)       Bucket 5 limit + 1ms

* Label displayed in Edit Response Time dialog box. For Voice and Video-RTP, buckets 5 and 6
represent (but are not labeled) High Jitter and Max Jitter.

Notes:

• Although boundaries are entered in milliseconds, they are converted to microseconds in
  monitor views displaying ASI data.
• For appliances configured to support ASI analysis, the buckets mentioned above are
  mapped accordingly:

  CDM Buckets           ASI Buckets
  Bucket 1              Bucket 1
  Bucket 2, Bucket 3    Bucket 2
  Bucket 4, Bucket 5    Bucket 3

6. Click OK and Apply to save and apply your configuration.

7.1.1.8 Configuring Multimedia Messaging Service (MMS) Monitoring


Multimedia Messaging Service (MMS) is an application used to send multimedia content such as
graphics, photos, audio and video clips, or a combination of them, from mobile phones to other
mobile phones or email accounts. It extends the SMS (Short Message Service) application, used
for text messaging capability.

These MMS message types are supported for monitoring and alarming on Responsiveness and
Application Level KPIs (including application error codes):
• m-send (MMS Send)
• m-retrieve (MMS Retrieve)
• m-forward (MMS Forward)

Note:

Because MMS has unique packet types for the request/response, ensure you are familiar with
the way NETSCOUT computes response time for these MMS messages:
• m-send: Response time is calculated by matching the transaction-id found in the
  "M-send-req" with the corresponding "M-send-conf" message PDU. The status field
  "X-Mms-Response-Status" is used to classify the response as a success or failure for QoE
  and KPI reporting.
• m-retrieve: Response time is calculated as the elapsed time between detection of the
  HTTP Get request to detection of the HTTP Status packet. The status field
  "X-Mms-Retrieve-Status", found in the "M-retrieve-conf" PDU residing in the HTTP status
  packet, is used to classify the response as success or failure for QoE and KPI reporting.
• m-forward: Response time is calculated by matching the transaction-id found in the
  "M-forward-req" with the corresponding "M-forward-conf" message PDU. The status field
  "X-Mms-Response-Status", found in the "M-forward-conf" PDU, is used to classify the
  response as a success or failure for QoE and KPI reporting.

If a failure occurs at the MMSC server (such as server unavailability), the response for the
MMS transaction does not contain the MMS response header. In that case, the transaction is
identified as a failure, with an error code set to an applicable HTTP Error (such as 4XX or 5XX
errors). Refer to the "Overview of Key Performance Indicators" topic in the nGeniusONE Help
for more information on KPIs and KPI errors.
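
The transaction matching described in this note, for m-send and m-forward, as an added Python example that is not NETSCOUT code. The record layout, the fallback to the HTTP flow for responses that carry no MMS header, and the treatment of "Ok" as the only success value are assumptions; the sample records are constructed.

```python
# Request PDU -> confirmation PDU, for the two message types matched by transaction-id.
CONF_FOR = {"M-send-req": "M-send-conf", "M-forward-req": "M-forward-conf"}
REQ_FOR = {conf: req for req, conf in CONF_FOR.items()}


def match_mms(records):
    """Pair MMS requests with their responses.

    Returns (results, unanswered): one result dict per completed transaction and
    the transaction-ids of requests for which no response was seen.
    """
    by_txid, by_flow, results = {}, {}, []
    for rec in sorted(records, key=lambda r: r["ts_ms"]):
        pdu = rec.get("pdu")
        if pdu in CONF_FOR:                       # request: remember it
            by_txid[(pdu, rec["txid"])] = rec
            by_flow[rec["flow"]] = rec
            continue
        if pdu in REQ_FOR:                        # confirmation PDU present
            req = by_txid.pop((REQ_FOR[pdu], rec["txid"]), None)
            status = rec.get("response_status")
            # Assumption: "Ok" is the only success value of X-Mms-Response-Status.
            outcome, code = ("success" if status == "Ok" else "failure"), status
        elif rec.get("http_status", 0) >= 400:    # no MMS header, HTTP error only
            # Assumption: the HTTP flow identifies which request failed.
            req = by_flow.get(rec["flow"])
            if req is not None:
                by_txid.pop((req["pdu"], req["txid"]), None)
            outcome, code = "failure", f"HTTP {rec['http_status']}"
        else:
            continue
        if req is None:                           # response without a seen request
            continue
        if by_flow.get(req["flow"]) is req:
            del by_flow[req["flow"]]
        results.append({"txid": req["txid"], "type": req["pdu"],
                        "response_ms": rec["ts_ms"] - req["ts_ms"],
                        "outcome": outcome, "code": code})
    return results, [req["txid"] for req in by_txid.values()]


# Constructed sample records (decoded fields only), not captured traffic.
SAMPLE = [
    {"flow": 1, "ts_ms": 1000, "pdu": "M-send-req", "txid": "T1"},
    {"flow": 1, "ts_ms": 1180, "pdu": "M-send-conf", "txid": "T1",
     "http_status": 200, "response_status": "Ok"},
    {"flow": 2, "ts_ms": 2000, "pdu": "M-forward-req", "txid": "T2"},
    {"flow": 2, "ts_ms": 2450, "pdu": "M-forward-conf", "txid": "T2",
     "http_status": 200, "response_status": "Error-service-denied"},
    {"flow": 3, "ts_ms": 3000, "pdu": "M-send-req", "txid": "T3"},
    {"flow": 3, "ts_ms": 3050, "pdu": None, "http_status": 503},
    {"flow": 4, "ts_ms": 4000, "pdu": "M-send-req", "txid": "T4"},
]

if __name__ == "__main__":
    done, unanswered = match_mms(SAMPLE)
    for row in done:
        print(row)
    print("no response seen for:", unanswered)
```
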

Complete these steps to configure Multimedia Messaging Service (MMS) over HTTP monitoring:

1. Enable InfiniStream appliances to also classify MMS over HTTP; refer to Change http_mode
   in the Agent Configuration Utility Administrator Guide.
2. From the nGeniusONE console, click Global Settings > Applications > View: Enterprise.
3. Navigate to TCP > Well Known Apps > HTTP.
4. Verify that HTTP is enabled for Response Time monitoring.
5. Add MMSC servers that will be evaluated for URLs and MMS:
   Note: MMS classification is only performed on flows for which the Server IP address
   matches the MMSC subnet defined here. If no MMSC subnet is defined, flows are
   considered for URL classification only.
   a. With the HTTP application selected, click Add Application to add the server as a child
      of HTTP.
   b. Enter this information in the Add Application dialog box fields:

      For Address, use this syntax: <message>, <ip_address1[/mask]>, <ip_address2[/mask]>
      where <message> is m-send, m-receive, or m-forward, followed by a comma, and
      <ip_address> is an IPv4 or IPv6 address with or without a subnet mask. You can add
      up to 5 comma-separated IP addresses for each message.

      For Short Name, use a descriptive value that matches the message type, such as MMS
      Send.

      For Application Type, select URL Application.

   c. Click OK.
   d. Repeat Step 5 for the two messages that remain (m-send, m-receive, or m-forward).
6. Click Apply to save your changes.

7.1.1.9 Configuring User-Defined KPI Error Codes for Applications


Note: Ensure you are familiar with configuring KPI Error Codes for applications before you
use the information in this topic.

If you want to monitor an application with more than, or instead of, the default KPI error codes,
complete these steps to configure custom (user-defined) KPI error codes:

1. Choose one of these options to configure user-defined KPI error codes:
   • Use the Select monitoring options icon > KPI Alarm option to show the Edit KPI
     dialog box and click the KPI Error Codes tab.
   • Use the Select monitoring options icon > Error Classification option to show the
     Configure Error Classification dialog box.

2. Click Add Error Codes to show the Select Error Codes dialog box. The Select Error
Codes dialog box contains a list of KPI codes supported for the selected application.

3. Click Add user defined error codes to show the Add User Defined Error codes
dialog box.
4. Use the Codes (Default) field to enter a custom KPI error code value for one or a range of
error codes.
You are not permitted to change the value of an existing error code nor a range of error
codes that overlap. If the error code format is anything other than ASCII, you must enter
characters appropriate for that format; otherwise, an inline help message prompts you to
rewrite the value. You can monitor a maximum of 40 Warning and 40 Critical
codes/ranges. You can monitor each code only once. For example, you cannot enable a
code and also include it in a range, and you cannot monitor one code for both Critical and
Warning severities.
5. Use the Description field to describe the custom KPI error code.
Note: For some applications the description associated with an error code can vary
depending on the application RFC version. Consequently the description shown in the
dialog box may differ from that which displays in other areas of nGeniusONE.
6. Click OK to add your custom KPI error codes to the Select Error Codes dialog box (you
might have to scroll to the bottom of the dialog box to view your new error codes).
7. Click OK.
8. Choose one of these options:
   • If you chose to add KPI error codes with the KPI Alarm option in Step 1, go to Step 9.
   • If you chose to add KPI error codes with the Error Classification option in Step 1, go to
     Step 10.
9. Use the Select monitoring options icon > Error Classification option to show the
   Configure Error Classification dialog box.

10. Click Add Error Codes to show the Select Error Codes dialog box.
11. Scroll to and select your new KPI error code.
12. Click OK to add the error code to the Configure Error Classification dialog box.
13. (Optional) Use the Classification column to click the Failure classification and use the drop
down to choose Success or Information.
14. Repeat these steps as needed.
15. Click OK and Apply to save and apply your configuration.

Your custom (user-defined) KPI error codes are added to the system.
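
The limits in step 4 (at most 40 Warning and 40 Critical codes/ranges, no overlapping ranges, each code monitored only once and under one severity) can be checked on a planned code list before it is entered. This is an added Python example, not NETSCOUT code; it assumes decimal numeric codes written as "503" or "500-599", and the sample lists in the usage section are constructed.

```python
MAX_PER_SEVERITY = 40                       # limit stated in step 4
SEVERITIES = ("Warning", "Critical")


def parse_spec(spec):
    """Turn '503' or '500-599' into an inclusive (low, high) pair."""
    low, _, high = spec.strip().partition("-")
    low, high = int(low), int(high or low)  # ValueError if not decimal
    if low > high:
        raise ValueError("range is reversed")
    return low, high


def check_error_codes(entries):
    """entries: iterable of (severity, spec). Returns a list of problem strings."""
    problems, parsed = [], []
    counts = dict.fromkeys(SEVERITIES, 0)
    for severity, spec in entries:
        if severity not in counts:
            problems.append(f"{spec}: unknown severity {severity!r}")
            continue
        try:
            low, high = parse_spec(spec)
        except ValueError:
            problems.append(f"{spec}: not a code or a low-high range")
            continue
        counts[severity] += 1
        parsed.append((low, high, severity, spec))

    for severity, count in counts.items():
        if count > MAX_PER_SEVERITY:
            problems.append(
                f"{severity}: {count} codes/ranges exceed the limit of {MAX_PER_SEVERITY}")

    # Sweep in ascending order, comparing each entry with the earlier entry that
    # reaches furthest right; any overlap with an earlier entry shows up there.
    furthest = None
    for entry in sorted(parsed):
        if furthest is not None and entry[0] <= furthest[1]:
            reason = ("same code under both severities" if entry[2] != furthest[2]
                      else "same code monitored twice")
            problems.append(f"{furthest[3]} ({furthest[2]}) overlaps "
                            f"{entry[3]} ({entry[2]}): {reason}")
        if furthest is None or entry[1] > furthest[1]:
            furthest = entry
    return problems


if __name__ == "__main__":
    # Constructed plan: 503 is listed on its own and also falls inside 500-599.
    plan = [("Critical", "500-599"), ("Warning", "503"),
            ("Warning", "404"), ("Critical", "408")]
    for line in check_error_codes(plan) or ["no conflicts"]:
        print(line)
```
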

Considerations for Applications KPI Error Code Implementation


The following sections describe considerations you should be aware of for specific applications.

Configuring Diameter Diagnostic Code Error Messages

Diameter diagnostic codes are operator-specific so you must add them manually to a
configuration file per monitoring appliance for reporting. Codes not added to this file are all
reported as 20799. These codes are then added — exactly as defined in the configuration file —
to the Error Classification dialog box on the nGeniusONE server, as described below.

Create the diameter-diagnostics-codes.cfg file in the <InfiniStream install>/rtm/config directory.


For more information, refer to Configure Diameter Diagnostic Codes in the Agent Configuration
Utility Administrator Guide.

Diameter diagnostics are shown in the Diameter and other Monitors.

Configuring SIP BYE and SIP CANCEL Reason and Status Error Messages

SIP BYE and SIP CANCEL Reason and Status error codes represent a class of messages that
NETSCOUT handles in a manner different from other error messages. While these messages are
fixed and pre-defined like others, they are qualified as "triplets" composed of a protocol, reason
code, and descriptive text string that make them unique and require different handling.

Configuration of these error messages is performed on the InfiniStream and the nGeniusONE
server, as follows:
• For SIP Reason and Status codes, create a .CSV file (sip_reason_codes.cfg) in the
  <InfiniStream install>/rtm/config directory on the InfiniStream to map triplets to unique
  NETSCOUT-provided error codes and execute the set sip_db 0 load_reason_code command.
  Reason and Status codes can be added to the same configuration file. For more details
  about Reason codes, refer to Configure SIP Reason Codes in the Agent Configuration Utility
  Administrator Guide. For more details about Status codes, refer to Configure SIP Status
  Codes in the Agent Configuration Utility Administrator Guide.
• On the nGeniusONE server, add and/or re-classify one or more SIP error messages,
  exactly as defined in the InfiniStream configuration file, to the Error Classification dialog
  box, as described below.

• SIP is displayed in the Application column of the Call Server, Advanced Voice
  Statistics, and other monitors.
• Reason codes are displayed in Call Server and other SIP-based modules' Information and
  Error Code Distribution bar charts, as shown below.

HTTPS Error Codes

Be aware that HTTPS error codes are simply SSL/TLS alerts and are now depicted as just
information messages, not failure messages.

7.1.1.10 Configuring H.323 RAS Application Monitoring


H.323 endpoints use the Registration, Admission, and Status (RAS) signaling application to
communicate with and among Gatekeepers. H.323 RAS ships in a deactivated state. To monitor
the RAS application, you must first activate it and then enter the appropriate GateKeeper IP
addresses.

You must enter appropriate GateKeeper IP addresses to:
• Define RAS child applications for H.323 traffic for which RAS GateKeeper IPs are not
  defined
• Generate Response Time and KPIs for parent RAS traffic

See the nGeniusONE Help for more information.

7.1.1.11 Configuring Application KPI Monitoring and Alarming


Before you configure application KPI monitoring and alarming, ensure you are familiar with
KPIs—refer to "Overview of Key Performance Indicators" in the nGeniusONE Help.

You can configure monitoring and alarming on these application KPI variables:
• Number of slow responses
• Timeouts
• Number of user events seen on the application

• Number of server events seen on the application
• Retransmits/Packet loss
• Severity level—Warning and Critical
• Voice and Video Quality
• Application KPI error codes—Error codes must be defined on the parent application and
  are inherited by application children. You can configure alarms to trigger for up to 40
  KPI error codes for an application, where you specify these values for Warning and Critical
  severity levels for each code:
  ◦ Threshold
  ◦ Minimum transaction count

You can also choose to forward alarms, send emails, and select a CallBack script from a list to be
notified about these alarms.

CDM KPI alarms are displayed in Service Delivery Manager (UMC) and the Performance Manager
Alarm Viewer.

Complete these steps to configure application KPI monitoring and alarming:

1. Ensure you have configured response time buckets for your applications—refer to
Configuring Response Time Buckets for Applications.
2. Ensure that power alarms are enabled on the data source. Refer to Agent Configuration
Utility documentation for instructions.
3. Ensure that KPI application error code monitoring is enabled on the data source. You can
adjust the table size (default 1,000 entries) and enable or disable monitoring per interface
(including aggregated interfaces) in the Agent Configuration Utility command line. Refer to
Agent Configuration Utility documentation for instructions.
4. Use the nGeniusONE console and click Global Settings > Application Configuration >
   View: <category> and navigate to the application for which you want to configure KPI
   monitoring and alarming.
5. Choose one of these options:
   • To configure KPI monitoring for Voice and Video Quality applications, go to Voice and
     Video Quality Configuration in the Agent Configuration Utility Administrator Guide.
   • To configure KPI monitoring for other applications, go to Step 4.
6. Click the Select monitoring options icon > KPI Alarm.

The Edit KPI dialog box is displayed.

7. Use the KPI Variables tab to configure thresholds, severities, and actions to take for the
events that trigger application KPI alarms (the KPI Variables tab allows you to enter
thresholds regardless of whether the application supports KPIs)—refer to "Configuring
Application KPI Variables" in the online help to configure the tab.
8. (Optional) Click the KPI Error Codes tab to configure application KPI error code alarms
(the tab is not active for unsupported applications)—refer to "Configuring Application KPI
Error Code Alarms" in the nGeniusONE Help to configure the tab.
9. Click OK and Apply to save and apply your configuration.

Understanding the Responsiveness and KPI Variables Relationship

This illustration describes the relationship between what you configure in the Responsiveness
dialog box (Step 1) and the Global Settings > Application Configuration > View: <category> >
Select monitoring options icon > KPI Alarm > Edit KPI dialog box > KPI Variables tab
(Steps 6 to 8):

7.1.1.12 Creating a File to Import Multiple HTTP and HTTPS Application Configurations

You can create a file that you can use to efficiently import multiple:
• HTTP application configurations
• HTTPS application configurations
• Virtual interfaces

Note: HTTP and HTTPS application configurations must be created in separate import files.

Complete these steps to create an import file:

1. Open a text editor with which to create and edit a .CSV file.
2. Enter information for each application using the following format:
   ApplicationType:LongName:ShortName:ExactMatch:AppGroup:ServerParameters:AdditionalPort

   Definitions and Rules

   Field             Description
   ApplicationType   0 or 1. 0 = URL application; 1 = Server application
                     Note: You can combine both types in the same file. You can add up to 4 URLs.
   ShortName         The URL address for which you want to monitor and log response time data.
                     Enter up to 32 characters.
                     For example: NETSCOUT
   LongName          You can enter up to 256 characters (including forward slashes).
                     For example, the following entry uses 22 characters:
                     www.netscout.com/sales
   ExactMatch        Enter true to enable Exact Match; enter false to disable Exact Match. When
                     enabled, Exact Match monitors the exact URL address you enter; when
                     disabled, sub-URLs are monitored as well. If you leave this field blank, the
                     default is false.
   AppGroup          Enter a user-defined application group name or one of the following
                     pre-defined application groups such as: Card Processing, Market Data Feeds,
                     Trade Order, Microsoft Protocols, Email, Other, Database, Web Applications,
                     Client Server, Virtual Private Network, Multimedia, Network Management,
                     Network Control Protocols, Network Services, Printing, Routing Protocols,
                     Security/Authentication Protocols, Undefined Applications, and Service
                     Enablers.
                     If you leave this field blank, the default Application Group is Web.
   ServerParameters  IP address of the server.
   AdditionalPort    Any port number you want to add to the already supported default port
                     number for the application.

   Note: Parameters are separated by a colon (:). IP addresses are separated by a comma (,).

   Example
   0:www.my_company.com:MY_COMPANY:false:WEB:10.20.120.45,10.20.120.46:1-2
   0:www.abc.com:ABC:true:Entertainment:10.20.166.89
   0:www.xyz.com:XYZ: :WEB
   0:www.ghi.com:Ghi: :

   Note: The following apply to the sample file:
   • For the third entry, Exact Match is disabled.
   • For the fourth entry, Exact Match is disabled and the Application Group is Web.
3. Save as a text file using a .CSV or .DAT extension.
4. Import your application configurations.
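
A pre-import check for the file built in the steps above, as an added Python example that is not part of the NETSCOUT product. It applies the field rules from the table (type 0 or 1, length limits, blank defaults) to the guide's four sample lines plus two constructed bad lines; treating LongName and ShortName as required, accepting only IPv4 server addresses (an IPv6 address would collide with the colon separator), and accepting comma-separated ports or ranges are assumptions.

```python
import ipaddress

FIELDS = ("ApplicationType", "LongName", "ShortName", "ExactMatch",
          "AppGroup", "ServerParameters", "AdditionalPort")
MAX_LEN = {"LongName": 256, "ShortName": 32}    # limits from the field table


def parse_ports(text):
    """Return [(low, high), ...] for entries such as '8080' or '1-2'."""
    ranges = []
    for item in text.split(","):
        low, _, high = item.strip().partition("-")
        low, high = int(low), int(high or low)  # ValueError if not numeric
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port range {item!r} is reversed or outside 1-65535")
        ranges.append((low, high))
    return ranges


def parse_line(line):
    """Parse one import line and return (record, errors)."""
    errors = []
    parts = [p.strip() for p in line.split(":")]
    if len(parts) > len(FIELDS):
        errors.append(f"{len(parts)} fields found, at most {len(FIELDS)} expected")
        parts = parts[:len(FIELDS)]
    parts += [""] * (len(FIELDS) - len(parts))  # trailing fields may be omitted
    rec = dict(zip(FIELDS, parts))

    if rec["ApplicationType"] not in ("0", "1"):
        errors.append("ApplicationType must be 0 (URL) or 1 (Server)")
    for name, limit in MAX_LEN.items():
        if not rec[name]:                       # assumption: both names required
            errors.append(f"{name} is empty")
        elif len(rec[name]) > limit:
            errors.append(f"{name} exceeds {limit} characters")

    flag = rec["ExactMatch"].lower()
    if flag not in ("", "true", "false"):
        errors.append("ExactMatch must be true, false, or blank")
    rec["ExactMatch"] = flag == "true"          # blank defaults to false
    rec["AppGroup"] = rec["AppGroup"] or "Web"  # blank defaults to Web

    servers = []
    for addr in filter(None, (a.strip() for a in rec["ServerParameters"].split(","))):
        try:
            servers.append(str(ipaddress.IPv4Network(addr, strict=False)))
        except ValueError:
            errors.append(f"invalid IPv4 address or subnet: {addr!r}")
    rec["ServerParameters"] = servers

    try:
        ports = rec["AdditionalPort"]
        rec["AdditionalPort"] = parse_ports(ports) if ports else []
    except ValueError as exc:
        errors.append(f"AdditionalPort: {exc}")
        rec["AdditionalPort"] = []
    return rec, errors


def lint_import(text):
    """Return (records, problems); problems maps line number -> list of errors."""
    records, problems = [], {}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rec, errors = parse_line(line)
        if errors:
            problems[number] = errors
        else:
            records.append(rec)
    return records, problems


# Lines 1-4 are the guide's sample file; lines 5-6 are constructed bad entries.
SAMPLE = """\
0:www.my_company.com:MY_COMPANY:false:WEB:10.20.120.45,10.20.120.46:1-2
0:www.abc.com:ABC:true:Entertainment:10.20.166.89
0:www.xyz.com:XYZ: :WEB
0:www.ghi.com:Ghi: :
2:www.bad-type.example:BADTYPE:false:WEB
0:www.bad-ip.example:BADIP:maybe:WEB:10.20.300.1:70000
"""

if __name__ == "__main__":
    good, bad = lint_import(SAMPLE)
    print(f"{len(good)} valid entries")
    for number, errors in bad.items():
        print(f"line {number}: " + "; ".join(errors))
```
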

7.1.1.13 Configuring and Importing HTTP and HTTPS Applications for Monitoring
You can configure an HTTP and HTTPS application as:
• URL — You can monitor URLs the same way you monitor other applications; you can
  receive real-time data, historical and performance reports for each URL defined. You can
  also receive response time and availability Power Alarms.
• IP address (IPv4 or IPv6) — IPv6 addresses can be mixed with IPv4 addresses under the
  same application. Only these netmasks are supported with IPv6: 7, 16, 32, 44, 48, 64, 80, 96,
  and 112 - 128. Refer to IP Addresses in nGeniusONE Modules in the nGeniusONE online
  help for more information on IP address support.
• Both URL and IP address — To monitor a specific URL running over a specific server.

Important: An application configured as a URL or Server Application Type cannot be
modified as the other type; you must create a new application configuration instead.

Office 365 Components


The nGeniusONE Server lists all Office 365 components as HTTP child applications even though
HTTPS is also supported.
The InfiniStream appliance manages HTTP/HTTPS ASI data parsing and filtering for the various
Office 365 components.

You can identify MSRPC over HTTP by the /rpc relative link that appears after the hostname in
the URL. Example: Chicago office clients at Acme Corp. appear on the network connecting to
http://chicago.acme.com/rpc/traffic, where:
• The /rpc argument visible in the URL indicates an Outlook Anywhere connection.
• The application URL or Hostname entry should match the URL/Hostname a client connects
  to for Outlook Anywhere.

Server Name Indication (SNI) Support for HTTPS Configuration

A server IP address is not required when configuring HTTPS and configuring applications by URL,
IP address, or both.

Server Name Indication (SNI), an extension to the TLS protocol, indicates to which host name the
client is attempting to connect at the start of the handshaking process. SNI allows a server to
present multiple certificates on the same IP address and port number, allowing multiple secure
(HTTPS) websites (or any other service over TLS) to be served off the same IP address without
requiring all the sites to use the same certificate.

For clients and servers that support SNI, a single IP address can be used to serve a group of
domain names for which it is impractical to get a common certificate.

Complete these steps to configure HTTP and HTTPS applications:

1. Use the nGeniusONE console and click Global Settings > Application Configuration >
View: Enterprise.
2. Navigate to IP > TCP > Well Known Apps > HTTP or HTTPS.

3. Choose one of these options:
   • Click HTTP or HTTPS > Add Application to add a new application configuration,
     and go to Step 4.
   • Click an existing application in the HTTP or HTTPS group that you want to modify and
     click Modify Application, and go to Step 5.
   • Click HTTP or HTTPS > to upload multiple application configurations, then
     go to Creating a File to Import Multiple HTTP and HTTPS Application Configurations
     and complete Step 6.
   Note: Combined URL and Server Addresses cannot exceed the 500-byte limit.
4. Choose one of these options:
   • URL Application — Select this option to configure your application by URL, IP address,
     or both.
   • Server Application — Select this option to configure your application by IP address
     only.
5. Configure the following depending on which option you selected above:

Select: URL Application
Procedure: You can define child applications by URLs or IP addresses:
a. Configure URLs:
i. Enter the following:
Short name — A short name to display in views (for example,
NETSCOUT ). You can enter up to 32 characters.
Address:http(s):// — One URL address is permitted per child
application. Can be hybrid with nGenius Configuration Manager
or nGeniusONE. This argument is useful if you want to view any
URL and accompanying HTTP response codes. IPv6 addresses are
registered with HTTP and HTTPS URLs.

Important: Optionally, applications traveling over HTTPS can be
identified using a label rather than an IP address. Use the format
APP#entry to add an HTTPS (HTTP is no longer supported) child
application. For example: APP#netscout.
Application Port — This field is grayed out.
Application Tag — (Optional) Enter up to a maximum of 1024
characters of string text (special characters are supported). The
text you enter is appended to alert evidence.
Group — The application group you want to associate (default:
Web Applications).
Application Type — Select the URL Application button.
ii. (Optional) Select the Exact Match check box to monitor exact
matches only. With Exact Match disabled, sub-URLs are also
monitored. URLs not collected under the search term are
collected as HTTP.
Exact Match examples
Example: www.netscout.com/support
Exact Match ENABLED
Included:
www.netscout.com/support
NOT included:
www.netscout.com
www.netscout.com/index3.htm
www.netscout.com/765.jpg
www.netscout.com/support/images/987.jpg
Exact Match DISABLED
Included:
www.netscout.com/index3.htm
www.netscout.com/765.jpg
www.netscout.com/support/images/987.jpg
NOT included:
www.netscout.com
www.netscout.com/<other folder>

b. Configure Server Parameters — Click Add Address in the
Server Address panel to enter server addresses or subnets on which
to monitor traffic. To specify a server mask, enter the network class
followed by the subnet mask. For example, if you enter 10.20.0.0/16,
all servers with an IP address that begins with 10.20 are monitored.
Note: Adding child SBA and Well Known Apps is supported for
HTTP/S parents.
c. Click Add to continue defining child applications, or OK then Apply to
save your changes. While awaiting acceptance, the pending icon
displays. When accepted, depending on the application type, these
icons display: URL based, and User Defined.

Select: Server Application
Procedure: You can define child applications using IP addresses. This option is useful
to configure any URL on the server and capture associated HTTP response
codes.
a. Enter the following:
Short name — Enter a protocol name, up to 32 characters. For
example, enter HTTP1. Be sure to observe rules regarding special
characters.
Long name — Enter a more descriptive name for the protocol. You
can enter up to 128 characters. Be sure to observe rules regarding
special characters.
Parameter — A value often left blank or automatically populated.
Some applications require a particular value.
Additional Port — You can add up to 64 additional port numbers or
32 ports if containing a range for well-known application traffic
running on other ports (for example, 8080 or 2039). A range is
considered one port towards the maximum number of ports allowed.
Application Tag — (Optional) Enter up to a maximum of 1024
characters of string text (special characters are supported). The text
you enter is appended to alert evidence.

Group — The application group you want to associate (the default is
Web Applications).
Exact Match — Check box indicates that traffic will be classified
and displayed exactly by the address you specify. With Exact Match
disabled, sub-URLs are also monitored. URLs not collected under the
search term are collected as HTTP.
Application Type — Select the Server Application button.
Server Parameters — Click Add Address in the Server Address
panel to enter server IPv4 or IPv6 addresses or subnets on which to
monitor traffic. To specify a server mask, enter the network class
followed by the subnet mask. For example, if you enter 10.20.0.0/16,
all servers with an IP address that begins with 10.20 are monitored.
b. Click Add to continue defining child applications, or OK then Apply to
save your changes.

6. Enable monitoring options. See "Configuring Monitoring Option Settings for Applications"
in the online help.
7. Click OK and Apply to save and apply your configuration.

7.1.1.14 Configuring Network Service over IP (NSIP) Applications for Monitoring


Network Service over IP (NSIP) is the Network Service used on the Base Station System (BSS)
serving the GPRS Support Node (SGSN) Gb interface. NSIP provides network services to the
BSSGP (BSS GPRS) entity.

Complete these steps to configure NSIP applications for monitoring:

1. Configure monitoring and, optionally, decryption for Gb links on a supported data source;
refer to Configure Gb Links in the Agent Configuration Utility Administrator Guide.
2. From the nGeniusONE Console, click Global Settings > Applications > View: Service
Provider.
3. Navigate to and expand the NSIP group.
4. Review the list of child applications and enable the Response Time and ASR check boxes
for NSIP applications in your environment. By default, when the Service Provider menu is
enabled, the NSIP parent and child applications are activated; however, Response Time
and ASRs may not be enabled for all child applications.
5. (Optional) Click the Select monitoring options icon to customize
   monitoring options such as Responsiveness and KPI Alarms.
6. (Optional) Configure port ranges; in some cases, your NSIP configuration may require a
   broad range of ports be configured for NSIP monitoring:
   • Recommended: Configure an application template and apply it only to the specific
     appliances that are intended to monitor NSIP. This ensures that the custom port range
     is only pushed to those appliances and not the others managed by the same Server.
     Application templates can be created in the Device Application Settings feature in
     Performance Manager (UMC).
   • Not Recommended: Configure a range across all appliances monitored by this server
     (not optimal as it limits ports available or required for other applications). Select the
     NSIP parent application and click Modify. In the Additional Ports field, enter a port
     range (for NSIP, typically the range is 30000 to 65000). You must enter at least one port
     range in addition to the default port of 52400 and can configure up to a total of five
     port ranges. If your port range overlaps with applications that utilize these ports, you
     may have unexpected results when performing a decode. To work around that, use
     the Decode As feature to force the decode on the expected application.

7.1.1.15 Creating a File to Import Multiple Server- and Client-Server-based Application Configurations

You can create a file to import multiple Server- and/or Client-Server-based application
configurations at one time. When you import the file, all application configurations in the file are
imported at the same level—you must create separate files for IP, TCP, UDP, or SCTP level
applications.

Complete these steps to create an import file of multiple Server- and/or Client-Server-based
application configurations:

1. Open a text editor with which to create the import file.


2. Enter one line of information in the import file for each application configuration,
formatted as shown:
Use this format for Server-based application configurations—
Short Name:Long Name:Port Range:Application Group:IP Addresses:Type
Definitions and Rules
Note:
• Depending on the application type, not all parameter fields shown below are
  required.
• Enter one application per line.
• Enter the colon for all fields whether or not you enter a value for optional fields.
• Do not enter a port range value for IP level server-based applications. The Port
  Range field does not apply to those applications. However, you must enter the colon
  for the Port Range field.
Short name — A brief or abbreviated name for the server-based application.
Maximum 32 characters.
Long name — (Optional) A more descriptive name for the application. Maximum of
128 characters.
Server port range — For IP level server-based applications, enter the colon only.
Optional for TCP or UDP applications only. If no port range is specified, a port range of
1-65535 is used by default. You can enter multiple ports or port ranges separated by
commas.
Application Tag — Enter up to a maximum of 1024 characters of string text (special
characters are supported). The text you enter is appended to alert evidence.
Group — (Optional) You can associate your server-based application with an
Application Group to view the new application in the monitors. You can enter the name
of a predefined Application Group or the name of an application group you have
created. Leave the field blank or enter NONE if you do not want to associate the
application with a group.
Application Type — Server-based or Client-Server-based
Server Parameters — IP Address of the server to be accessed.
IP Addresses — (Optional for TCP or UDP only)
Enter a maximum of 63 IP addresses for the servers on which you want to monitor
traffic for the specified port range. To specify a server mask, enter the network class
followed by the subnet mask. For example, if you enter 10.20.0.0/16, all servers with an
IP address that begins with 10.20 are monitored for the specified port range. Separate
multiple address entries using commas.
Type — (Optional) Enter 0 (zero) or leave this field blank to designate the application as
Server-based. (For Client-Server-based applications, enter 1.) If you leave the field blank
you do not need to enter the colon following the Addresses field.
Examples
TCP or UDP Level


ServerApp1:Myfirstserverapplication:100-120,324:NONE:172.16.196.0/24
ServerApp2::::
ServerApp3::12-14,45-50::172.40.27.0/20,172.15.231.120/16:0
IP Level
ServerApp1:My first IP server application::EMAIL:10.155.166.70
ServerApp2:::GAMES:10.20.30.40/16
ServerApp3::::10.231.144.133

Use this format for Client-Server-based application configurations—


Short Name:Long Name:Server Port Range,0,Client Port Range:Application Group:Server IP Addresses,0.0.0.0/0,Client IP Addresses:Type
Definitions and Rules
• Enter one application per line.
• Enter the colon for all fields whether or not you enter a value for optional fields.
Short name — A brief or abbreviated name for the application. Maximum 32
characters.
Long name — (Optional) A more descriptive name for the application. Maximum of
128 characters.
Server port range and Client port range — Enter multiple ports or port ranges
separated by commas.
Separate the server port and client port using 0 (zero) as a delimiter.
Example:
100,200-204,0,444,4441
Server ports=100,200-204
Client ports=444,4441
Application Tag — Enter up to a maximum of 1024 characters of string text (special
characters are supported). The text you enter is appended to alert evidence.
Group — (Optional) You can associate your application with an Application Group to
view the new application in monitors. You can enter the name of a predefined
application group or the name of an application group you have created. Leave the
field blank or enter NONE if you do not want to associate the application with a group.
IP Addresses — Enter at least one server and one client IP address up to a maximum
of 31 addresses or subnets.

Separate the server IP addresses and client IP addresses using ,0.0.0.0/0, as a delimiter.
Example:
192.168.0.0/16,0.0.0.0/0,10.20.2.2,10.30.3.3
Server Address=192.168.0.0/16
Client addresses=10.20.2.2,10.30.3.3


To specify a subnet mask, enter the network class followed by the subnet mask. For
example, if you enter 192.168.0.0/16, all servers with an IP address that begins with
192.168 are monitored for the specified port range. Separate multiple address entries
using commas.
Type — Enter "1" to designate the application as Client-Server-based. (For
Server-based applications, enter "0" or leave this field blank.)
Examples
TCPSrvBApp11:TCPServerBasedApp11:10-10000,0,200:Email:172.22.0.0/16,0.0.0.0/0,10.20.2.2:1
TCPSrvBApp12:TCPServerBasedApp12:10-10000,0,201:Email:172.16.0.0/16,0.0.0.0/0,10.20.2.3:1
TCPSrvBApp13:TCPServerBasedApp13:10-10000,0,202:Database:172.25.0.0/16,0.0.0.0/0,10.20.2.4:1
TCPSrvBApp14:TCPServerBasedApp14:10-10000,0,203:Database:172.34.0.0/16,0.0.0.0/0,10.20.2.5:1
3. Save the file with a .DAT extension and close the file.
4. Use the import procedure to import your application configurations.
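
The field rules for both formats can be checked before import with a validator like the one below. This is an added example, not NETSCOUT code: it handles IPv4 only, assumes the 31-address limit for Client-Server entries covers server and client addresses together, and its function names and the three faulty sample lines are constructed for illustration.

```python
import ipaddress

MAX_SHORT, MAX_LONG = 32, 128
MAX_SERVER_ADDRS = 63   # limit the guide gives for Server-based entries
MAX_CS_ADDRS = 31       # Client-Server limit; assumed to cover server + client together


def parse_ports(items):
    """['100', '200-204'] -> [(100, 100), (200, 204)]; ports must lie in 1-65535."""
    ranges = []
    for item in items:
        parts = item.split("-")
        if len(parts) > 2 or not all(p.isdigit() for p in parts):
            raise ValueError(f"malformed port or range {item!r}")
        lo, hi = int(parts[0]), int(parts[-1])
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port range {item!r} is outside 1-65535")
        ranges.append((lo, hi))
    return ranges


def parse_addrs(items):
    """IPv4 hosts or subnets. strict=False masks off host bits, which the guide's
    own examples carry (172.40.27.0/20 is stored as 172.40.16.0/20)."""
    return [ipaddress.IPv4Network(a, strict=False) for a in items]


def split_halves(items, delim, field):
    """Split a comma list at the first delimiter token into (server, client)."""
    if delim not in items:
        raise ValueError(f"{field}: Client-Server entry lacks the ',{delim},' delimiter")
    i = items.index(delim)
    return items[:i], items[i + 1:]


def parse_line(line):
    """Parse one import line into a dict, or raise ValueError naming the broken rule."""
    fields = [f.strip() for f in line.split(":")]
    if len(fields) == 5:        # the colon before Type may be dropped when Type is blank
        fields.append("")
    if len(fields) != 6:
        raise ValueError(f"expected 5 or 6 colon-separated fields, found {len(fields)}")
    short, long_name, ports, group, addrs, kind = fields
    if not 1 <= len(short) <= MAX_SHORT:
        raise ValueError("Short Name must be 1-32 characters")
    if len(long_name) > MAX_LONG:
        raise ValueError("Long Name exceeds 128 characters")
    if kind not in ("", "0", "1"):
        raise ValueError(f"Type must be 0, 1 or blank, found {kind!r}")
    port_items = [p.strip() for p in ports.split(",") if p.strip()]
    addr_items = [a.strip() for a in addrs.split(",") if a.strip()]
    app = {"short": short, "long": long_name,
           "group": None if group in ("", "NONE") else group}
    if kind == "1":
        s_ports, c_ports = split_halves(port_items, "0", "Port Range")
        s_addrs, c_addrs = split_halves(addr_items, "0.0.0.0/0", "IP Addresses")
        if not s_addrs or not c_addrs:
            raise ValueError("need at least one server and one client IP address")
        if len(s_addrs) + len(c_addrs) > MAX_CS_ADDRS:
            raise ValueError("more than 31 addresses or subnets")
        app.update(type="client-server",
                   server_ports=parse_ports(s_ports), client_ports=parse_ports(c_ports),
                   server_addrs=parse_addrs(s_addrs), client_addrs=parse_addrs(c_addrs))
    else:
        if len(addr_items) > MAX_SERVER_ADDRS:
            raise ValueError("more than 63 IP addresses")
        # An empty port list means 1-65535 for a TCP/UDP entry and "not applicable"
        # for an IP-level entry; the line alone does not say which it is.
        app.update(type="server", ports=parse_ports(port_items),
                   addrs=parse_addrs(addr_items))
    return app


def check_file(text):
    """Return (parsed entries, [(line number, error)]) for the text of a .DAT file."""
    good, bad = [], []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            good.append(parse_line(line))
        except ValueError as exc:
            bad.append((number, str(exc)))
    return good, bad


# Lines 1-4 come from the guide's examples; lines 5-7 are constructed faults.
SAMPLE = """\
ServerApp1:Myfirstserverapplication:100-120,324:NONE:172.16.196.0/24
ServerApp2::::
ServerApp3::12-14,45-50::172.40.27.0/20,172.15.231.120/16:0
TCPSrvBApp11:TCPServerBasedApp11:10-10000,0,200:Email:172.22.0.0/16,0.0.0.0/0,10.20.2.2:1
BadPort::70000::10.1.1.1
NoDelim:Missing client half:80,0,1024:Email:10.1.1.1:1
TooFewColons:only three:80
"""

if __name__ == "__main__":
    entries, errors = check_file(SAMPLE)
    for entry in entries:
        print("ok  ", entry["short"], entry["type"])
    for number, message in errors:
        print(f"line {number}: {message}")
```

Because the colon is the field separator, an IPv6 address cannot be split this way; the guide does not say how such entries are written, so the example rejects them.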

7.1.1.16 Configuring the Certificate Application for Monitoring


The Certificate application:
• Allows you to configure certificate traits for all applications that appear under Global
  Settings > Application Configuration > View: Enterprise > IP > TCP > Well Known Apps
  > HTTP.
• Supplies the Certificate Monitor with information about any trusted or untrusted
  certificates seen on the network over HTTPS. This automatic tracking of SSL/TLS certificates
  and awareness of their expiration dates well ahead of time is a valuable and efficient tool
  to avoid expirations and subsequent negative impact on business services.

Important: nGeniusONE provides an alarm mechanism that notifies you when SSL
certificates in your network are due to expire.

Be aware that Certificate data are not session based. For example, if 1,000 sessions per second
are transacted on a server:
• Only the first Certificate is recorded for that server.
• All other session-relevant packets are ignored.
• In the first packet received, the InfiniStream filters for "Subject/Server Certificate"; once
  that certificate is identified, the subsequent certificates are the intermediate and root
  certificates, which the InfiniStream does not process.

Configuring Days to Expiration

To configure the Days to Expiration attribute, enable the Certificate application, check My
Network addresses/subnets, and view certificate metrics in the Certificate Monitor:


1. Use the nGeniusONE Console to click Global Settings > Application Configuration >
View: Enterprise > IP > TCP > Well Known Apps > Certificate.
2. Right-click Certificate and click the Days to Expiration option from the drop-down menu.
3. Enter Warning and Critical values corresponding to those configured in Response Time
buckets 1 and 3, respectively, (or retain the default intervals shown).
4. Click OK.
5. Click Activate from the drop-down menu, and set any other configurable option.
6. Click OK and Apply to save and apply your configuration.
7. Ensure that the monitored SSL server IP address appears either in My Network (if My
Network is enabled.

8. Use Device Configuration to select the appropriate InfiniStream, click Remote
Login > [11] Enter Command-line mode, and issue the get ssl_cert command to ensure
that the Certificate application is enabled on the device's interfaces for monitoring all TCP-
based SSL applications.
9. Open the Certificate Monitor to display metrics, including Warning and Critical counts,
and number of Untrusted Certificates.

Days to Expiry Calculation

When there are multiple certificate entries for a single IP host, the days to certificate expiration
is calculated from the lowest value. Server Name Indicators (SNIs), which represent the host
name to which the client is trying to connect, are evaluated, and the SNI with the shortest time
remaining is the basis for the Days to Expiry calculation.

Trusted/Untrusted Certificates

As part of untrusted Certificate Authority detection, nGeniusONE includes CA self-signed
detection. The implementation performs the following certificate validation:
• If the Issuer name of the first certificate in the chain is matched by "brute force" against the
  subject name and found to be similar, the certificate is untrusted.

Caveat for RSA Password Phrase

To avoid a Web display problem after installing a certificate using the nscertutil.sh script, you
must include the RSA password phrase in the SSL key file when the RSA password is required. An
SSL key without the RSA password phrase can disable the HTTP daemon.

Complete these steps:

1. In the <nGeniusONE install>/apache/conf/ssl.key directory, use a text editor to create a file
(for example, passphrase.sh) with the following text:
#!/bin/sh
echo "<put_the_passphrase_here>"
2. Change the ownership/permission of the passphrase.sh file to:
chmod 0750 passphrase.sh
chown ngenius:ngenius passphrase.sh


3. In the httpd-ssl.conf file in the /opt/NETSCOUT/apache/conf/extra folder, change the
SSLPassPhraseDialog property to:
SSLPassPhraseDialog exec:/path/to/passphrase-script
For example:
SSLPassPhraseDialog exec:/opt/NETSCOUT/apache/conf/ssl.key/passphrase.sh
4. Restart nGeniusONE Services.

Supported Attributes

Because Certificate is a special protocol that does not conform to typical application
configuration, consider the following attributes.
• Activate/Deactivate. Certificate is enabled by default.
• Modify
• Long name (SSL Certificate by default), Application Tag, and Associate Group
  (Security/Authentication Applications by default)
• Messages can be Activated or Deactivated, the Short name modified, and the Reset
  Default Short Name effected. All other Message options are disabled.
• Days to Expiration replaces the Responsiveness option in the drop-down menu. This
  option uses Response Time buckets 1 and 3 only for uploading to the InfiniStream
  appliance. The default Critical setting of 30 days and Warning setting of 60 days indicate
  that any interval between 60 and 31 days of expiration displays amber status in the console
  view and any interval of less than 30 days to expiration reflects red status. Any interval
  greater than 61 days displays green status.
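
The Days to Expiry rule (lowest value across a host's SNIs), the default Warning and Critical thresholds, and the issuer-versus-subject check can be worked through on sample data as follows. This is an added example, not nGeniusONE code: the observation records are constructed, the exact boundary days (30, 60, 61) are assumed because the text leaves them open, and "similar" is approximated by a case- and spacing-insensitive name comparison.

```python
import ssl
from datetime import datetime, timezone

WARNING_DAYS, CRITICAL_DAYS = 60, 30    # default settings stated in the guide


def days_left(not_after, now):
    """Whole days from `now` to a notAfter string such as 'Jan 21 00:00:00 2025 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days


def status(days, warning=WARNING_DAYS, critical=CRITICAL_DAYS):
    """Assumed boundaries: <= critical is red, <= warning is amber, otherwise green."""
    if days <= critical:
        return "critical"
    if days <= warning:
        return "warning"
    return "ok"


def looks_self_signed(subject, issuer):
    """Stand-in for the guide's 'similar' test: names equal ignoring case and spacing."""
    def norm(name):
        return " ".join(name.lower().split())
    return norm(subject) == norm(issuer)


def summarise(observations, now):
    """Per server IP: the lowest days-to-expiry, the SNI it belongs to, the
    resulting status, and the SNIs whose leaf certificate looks self-signed."""
    report = {}
    for obs in observations:
        entry = report.setdefault(obs["server"],
                                  {"days": None, "sni": None, "untrusted": []})
        days = days_left(obs["not_after"], now)
        if entry["days"] is None or days < entry["days"]:
            entry["days"], entry["sni"] = days, obs["sni"]
        if looks_self_signed(obs["subject"], obs["issuer"]):
            entry["untrusted"].append(obs["sni"])
    for entry in report.values():
        entry["status"] = status(entry["days"])
    return report


# Constructed observations: one record per (server IP, SNI) leaf certificate.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
OBSERVED = [
    {"server": "10.1.1.10", "sni": "www.example.test",
     "subject": "CN=www.example.test", "issuer": "CN=Example Issuing CA",
     "not_after": "Mar 15 00:00:00 2025 GMT"},
    {"server": "10.1.1.10", "sni": "api.example.test",
     "subject": "CN=api.example.test", "issuer": "CN=Example Issuing CA",
     "not_after": "Jan 21 00:00:00 2025 GMT"},
    {"server": "10.1.1.20", "sni": "mail.example.test",
     "subject": "CN=mail.example.test", "issuer": "cn=mail.example.test ",
     "not_after": "Feb 15 00:00:00 2025 GMT"},
    {"server": "10.1.1.30", "sni": "intranet.example.test",
     "subject": "CN=intranet.example.test", "issuer": "CN=Example Issuing CA",
     "not_after": "Dec 31 23:59:59 2025 GMT"},
]

if __name__ == "__main__":
    for server, entry in summarise(OBSERVED, NOW).items():
        print(server, entry["status"], entry["days"], entry["sni"], entry["untrusted"])
```

Server 10.1.1.10 is reported as critical even though its www certificate has 73 days left, because the api certificate on the same IP has only 20.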

nscertutil Tool to Manage Certificates

nGeniusONE provides a tool, nscertutil, to manage certificates on the nGeniusONE server. Refer
to NETSCOUT Server Administrator Guide for more information.

7.1.1.17 Associating Applications with Application Groups


You can associate one or more applications with an application group to better understand the
types of traffic flowing through your network. For example, you can group all web-related
applications and then view data for the group as a whole. You can associate each application
with only one group.

Note: For non-default application groups, you must use the Global Settings > Application
Configuration > Groups page to create the group before you can associate an application
with the group.

Complete these steps to associate an application(s) with an application group:

1. From the nGeniusONE console, go to Global Settings > Application Configuration and
use the View drop-down list to select the application category in which the application(s)
you want to associate with groups are located.
2. Click an application or use Shift-click or Ctrl-click to select multiple applications.


Note: Do not include informational parent applications such as Well Known Apps under
TCP and UDP in a group selection. Informational parent applications cannot be added to a
group.

3. Use the monitoring options icon drop-down and select
Associate Group.
4. Select the group you want to associate with the selected application(s) and click OK and
Apply to save and apply your configuration.

The Group column is updated with your configuration(s).

You can now use the Group column filter to specify which group of
applications you want to view in the page.

7.1.1.18 Configuring Application Messages


You can use nGeniusONE Console > Global Settings > Application Configuration >
View: Messages to view and configure pre-defined, auto-generated application messages. The
parent applications (not child applications) and associated messages are shown.

Complete these steps to configure application messages:

1. Go to nGeniusONE Console > Global Settings > Application Configuration >
View: Messages.
2. Locate and select the application message you want to configure; use the Search
function if needed.

3. (Optional) Click Modify to show the Modify Application dialog box.


4. (Optional) Edit the Short name entry to correspond with your needs and click OK to save
your configuration.
5. (Optional) Click the monitoring options icon to configure any
of these options (refer to "Configuring Monitoring Option Settings for Applications" in the
nGeniusONE Help for more information):
• Reset Default Short Name
• Activate/Deactivate
• Responsiveness
• KPI Alarm
6. Click Apply to save and apply your configuration to the system.

IP Fragmentation: Reassembly of SIP and Diameter Messages

nGeniusONE supports reassembly of in-order IP fragments for:


• IPv4 and IPv6 protocols
• TCP and UDP transport
• All fragments are tagged with a valid ASR ID if the Call ID is present in or before the
  fragment
• ASRs are reported only when all SIP message bytes are received. The Start time on ASR is
  the time of the first fragment
• Diameter and SIP traffic; refer to Command-Line Object: frag_reassembly in the Agent
  Configuration Utility Administrator Guide for more information.

Out-of-order message reassembly is supported for:


• IP and/or TCP fragmentation
• Tunneled scenarios, for example, inner IP and/or TCP fragmentation

7.1.1.19 Creating a SIP Application for Emergency Calls


Telephone calls placed to emergency (special) numbers, such as 911 in the United States, and
112 in Ireland, can be segregated and Key Performance Indicator (KPI) data computed against
them on a dedicated SIP server for clearer identification in the Call Server monitor. Because
emergency calls are potentially life impacting, operators want to ensure that they are treated
quickly and efficiently—having a special emergency call grouping is important.

You can create a specialized, sibling application to SIP in Global Settings. You can specify a
country code in the Parameter field of the Add Application dialog box to reference emergency
calls and aggregate them accordingly.

Complete these steps to configure the emergency call server function:

1. From the nGeniusONE Console, click Global Settings > Application Configuration >
View: Multimedia.

2. Select SIP or SIP_TCP and click Add Application.
The Add Application dialog box is displayed.
3. Use the Parameter field to enter one or more country emergency (special) numbers using
this syntax: sos_emer=xxx,xxx, where xxx is the emergency (special) number. For example,
sos_emer=911,112
4. Enter the remaining required and optional values needed in the Add Application dialog
box.
5. Click OK and Apply to save and apply your configuration.
SIP emergency calls display in the Application column of the appropriate monitor (for
example, Advanced Voice Statistics).

7.1.1.20 Working with Internet Categories


You can use nGeniusONE Console > Global Settings > Application Configuration >
View: Internet Categories to view and configure URL categories to gauge traffic usage in a more
granular fashion than viewing just HTTP or DNS traffic volumes. For example, you can associate
google.com to the Search category and associate cnn.com to the News category.

The Internet Categories screen displays Internet categories alphabetically and:

• The Application Group with which they are associated.
• Their recording (slice size).

Configuring Internet Categories in nGeniusONE


1. Go to nGeniusONE Console > Global Settings > Application Configuration >
View: Internet Categories.
2. Select one or more categories.

3. (Optional) Click Activate/Deactivate All to either activate all categories or deactivate
all categories.
4. (Optional) Click the monitoring options icon and choose any
of these options:
• Associate Group to associate an application group with the category(ies).
• Recording to choose a recording slice size (default = Full Optimized) for the
  category(ies). None or Full Optimized slice size options are the two choices most
  applicable to this feature: either turn the feature off entirely or select the minimal
  default Full Optimized slice size of 2047 required to most efficiently classify the
  packet type.
• Click Filter to narrow the categories.
5. Click Apply to save and apply your configuration to the system.

Using Internet Categories in Monitors

Total traffic volume, total number of packets, and utilization percentage statistics are displayed
per interface in the Traffic Monitor as well as Traffic Distribution by Location and Application and
Link Usage Over Time graphical views.

Knowing the type of traffic your employees are generating can be useful proactively for capacity
planning or reactively for determining adherence to corporate IT policy. For instance, this
functionality can tell you if that new third-party health Website is gaining traction and requires
more bandwidth on your network or your employees are inappropriately visiting gambling
websites.

Collecting anything more than flow data from servers external to your network is beyond your
control so responsiveness metrics are not collected. Also, each group constitutes multiple
sessions – their corresponding data cannot be tracked per session and are not meaningful in
aggregate.

Configuring Internet Categories on the InfiniStream

This feature is enabled by default; however, you can:


• Disable it on the InfiniStream.
• Change the lookup database capacity which is set automatically based on the memory
  capacity of your InfiniStream appliance.

Refer to Command-Line Object: http in the Agent Configuration Utility Administrator Guide for
more information.


7.1.2 Global Settings - Applications


Use the following sections to configure features and functionality using the Global Settings >
Communities.

7.1.2.1 Client Communities Overview


The Global Settings > Communities > Client Communities page allows you to configure client
communities for monitoring.

Ensure you are familiar with these guidelines before you configure Client Communities:
• Before you configure a Client Community, you must first add the subnet or IP address to
  your My Network configuration; refer to My Network Overview.
• Exactly matching Server and Client community entries are not allowed so that a second,
  matching IP address is not permitted.
• Define streams as specific communities; otherwise, data may be lumped into the Host
  Group Other category and displays between the dashboard and monitors can be
  mismatched.

How Client Communities Are Displayed in Monitors


Client IP addresses can be displayed under the Client Community column in the monitors
without having been configured as Client Communities or lumped into Host Group Other due to
the methodology used by nGeniusONE. Generally, Client Communities are classified and
displayed in this order:

1. User-defined entries.
2. Default Client Community Subnet entries.
Default Client Community Subnets are correlated with ASI tables and upon discovery are
removed from the Host Group Other category. The aggregated IP addresses encompassed
by the default group display as regular IP addresses with a subnet mask in the Client
Community column of various monitors.
3. Host Group Other entries.

The rules nGeniusONE follows for displaying Client Community IP addresses are:

1. A Client IP address is displayed without any masking or not included in Host Group Other
only if it was discovered as a server in some other flow or it was configured as a VIP List
entry in Global Settings. This is not dependent on the Default Client Community Subnet
enabled/disabled setting.
2. If the Client IP address is part of the Client Community configuration then the Community
ID name is displayed.
3. If the Default Client Community Subnet is disabled, the IP address is marked as Host
Group Other if conditions #1 and #2 are not satisfied.
4. If the Default Client Community Subnet is enabled, the netmask for the Client IP address is
displayed if conditions #1 and #2 are not satisfied.


Displaying Host (IP Address), GeoIP, or IMSI/MSISDN Values in nGeniusONE Monitor Community Fields

For easier identification and greater visibility, you can customize alternate values for addresses
or IDs displayed in Community fields of nGeniusONE monitors and enablers in these ways:
• Configure the Client (or Server) Communities on the server and then execute the set
  community_type command on the InfiniStream appliance to direct nGeniusONE to display
  IP Addresses, Host Names, or Host Group Other, by default, in Community fields of
  NETSCOUT monitors. Refer to the Agent Configuration Utility Administrator Guide.
• Use the set community_type command with the GeoIP feature, an internally defined
  mapping, to translate IP addresses into geographical locations (state or country), which
  does not require configuration on the nGeniusONE server. Refer to the Agent
  Configuration Utility Administrator Guide.

Community Examples

These examples show how Community aggregation is applied:

To Which Subnet Does My Community Belong?

A given IP address can logically belong to more than one subnet. When this occurs, the IP
address is matched to the most specific subnet definition.

For example, consider the following list of subnets:


• Subnet 1 = 10.20.30.40/8
• Subnet 2 = 10.20.30.40/16
• Subnet 3 = 10.20.30.40/24

The address 10.20.30.15 could be considered a match for all three subnets because it matches
the first eight bits of subnet 1, the first 16 bits of subnet 2 and the first 24 bits of subnet 3.
However, because subnet 3 has the most specific definition, 10.20.30.15 is considered a match
with subnet 3. Using the same logic, the address 10.20.40.40 falls into subnet 2 and 10.50.50.50
falls into subnet 1.

Server or Client Communities = Aggregate Statistics for Specified Servers or Clients

192.168.11.0/26
192.168.12.0/26
192.168.13.0/26
192.168.14.52/26
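
The most-specific-subnet rule and per-community aggregation described above can be reproduced with the standard ipaddress module. This is an added example, not part of the guide or of nGeniusONE: the "Branch servers" name and the flow records are constructed, unmatched addresses fall back to Host Group Other (the behaviour described for a disabled Default Client Community Subnet), and rejecting entries that become identical once host bits are masked is this example's own reading of the "exactly matching" rule.

```python
import ipaddress
from collections import defaultdict

OTHER = "Host Group Other"


def build_table(communities):
    """communities: {name: [subnet strings]} -> [(network, name)], longest prefix first.
    Host bits are masked, so 10.20.30.40/8 is stored as 10.0.0.0/8. Two different
    names that mask to the same network are rejected as exactly matching entries."""
    seen, table = {}, []
    for name, subnets in communities.items():
        for text in subnets:
            net = ipaddress.ip_network(text, strict=False)
            if net in seen and seen[net] != name:
                raise ValueError(f"{text} ({net}) duplicates an entry of {seen[net]!r}")
            seen[net] = name
            table.append((net, name))
    # Longest prefix first, so the first hit is the most specific definition.
    table.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return table


def community_of(address, table):
    """Name of the most specific community containing the address, else OTHER."""
    ip = ipaddress.ip_address(address)
    for net, name in table:
        if ip.version == net.version and ip in net:
            return name
    return OTHER


def aggregate(flows, table):
    """Sum octets per community for (address, octets) flow records."""
    totals = defaultdict(int)
    for address, octets in flows:
        totals[community_of(address, table)] += octets
    return dict(totals)


# Subnets 1-3 and the four /26 entries are the guide's; the rest is constructed.
COMMUNITIES = {
    "Subnet 1": ["10.20.30.40/8"],
    "Subnet 2": ["10.20.30.40/16"],
    "Subnet 3": ["10.20.30.40/24"],
    "Branch servers": ["192.168.11.0/26", "192.168.12.0/26",
                       "192.168.13.0/26", "192.168.14.52/26"],
}
FLOWS = [("10.20.30.15", 1200), ("10.20.40.40", 800), ("10.50.50.50", 500),
         ("192.168.11.7", 300), ("192.168.14.60", 700), ("192.168.14.70", 50),
         ("172.16.5.5", 10)]

if __name__ == "__main__":
    table = build_table(COMMUNITIES)
    for name, octets in sorted(aggregate(FLOWS, table).items()):
        print(f"{name:18} {octets}")
```

The entry 192.168.14.52/26 covers 192.168.14.0 through 192.168.14.63, so 192.168.14.60 is counted in the community while 192.168.14.70 is not.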

7.1.2.2 My Network Overview


The Global Settings > Communities > My Network monitoring feature:
• Focuses monitoring on traffic flowing over the enterprise networks to identify or prevent
  latency problems.
• Displays network and subnet IP addresses configured to support ASI responsiveness
  metrics from these tables:
  ◦ Key Server Indicator (KSI)
  ◦ Key Error Indicator (KEI)
  ◦ Key Performance Indicator (KPI)
  ◦ Key Traffic Indicator (KTI)—flow data.
• Addresses should be configured by System Administrators who know that the addresses
  they add are ASI-related, because any non-ASI-related traffic metrics are not collected.
• Is disabled by default in new installations.
• Is not well suited for businesses that host an abundance of varied network ranges, because
  manually entering every required IP subnet range can be exhaustive. If an IP subnet range
  is omitted, critical business applications are not monitored and Service Assurance for that
  customer can degrade.
• Provides a starting point from which to build your My Network entries. You can check the
  My Network page Enable Private Network check box to support these standard,
  well-known subnets:

Address Class      Address Range                    IP Address/Subnet              IP Address Count
Class A Networks   10.0.0.0 - 10.255.255.255        10.0.0.0/8 (255.0.0.0)         16,777,216
Class B Networks   172.16.0.0 - 172.31.255.255      172.16.0.0/12 (255.240.0.0)    1,048,576
Class C Networks   192.168.0.0 - 192.168.255.255    192.168.0.0/16 (255.255.0.0)   65,536

If these subnets do not include your interior networks, you can add them. Their address
ranges cover standardized subnets for private networks as defined in RFC 1918 for IPv4
networks, and RFC 4193 for IPv6 networks. These addresses are characterized as private
because they are not globally delegated, meaning they are not allocated to any specific
organization, and IP packets addressed by them cannot be transmitted onto the public
Internet.
• Allows you to configure up to 50 IP addresses per entry.
• Allows you to configure up to a total of 10,000 entries, combined with Client Community
  and VIP List entries.
• Provides this default upgrade behavior:
  ◦ If My Network entries already exist upon an upgrade, My Network remains enabled.
  ◦ If no My Network entries exist upon an upgrade, the feature is disabled.

InfiniStream considerations for My Network include:


• Default InfiniStream behavior collects ASI responsiveness data—only if My Network entries
  are added and applications are configured and downloaded or relearned from the
  nGeniusONE server. Refer to Command-Line Object: asi_mode for information on
  ASI mode configuration command options (asi_mode=ASI, asi_mode=CDM, or
  asi_mode=hybrid) for your InfiniStream. Refer to the Agent Configuration Utility
  Administrator Guide.
• If you want to use the InfiniStream primarily to support NETSCOUT products such as
  nGenius Subscriber Intelligence, but you want to use nGeniusONE management features,
  My Network functionality operates only when the InfiniStream is enabled for ASI data. If
  the ASI mode is turned off, CDM data and xDRs are collected, but any My Network entries
  are not enabled.

My Network Examples

In addition to the interior networks he is responsible for, Acme Widgets Network Administrator
Henry Price wants to keep tabs on third-tier networks that are outside his explicit control but
vital to the enterprise. To do this, he creates My Network entries for servers supporting
RightNow and Okta to set up monitoring of problem ticketing and cloud services that are vital to
the enterprise.

Then, to more finely focus monitoring of these third-tier networks, Henry adds a Cloud client
community encompassing all users on the company headquarters network. Because the HQ
address range lies within the My Network default 192.168.0.0/16 private network range, he does
not need to create a new My Network entry.

In a second example, Henry wants to monitor traffic load flowing through his Marketing
department servers at the Ann Arbor office so he adds a Server Community on the
10.30.201.67/8 subnet. Because the IP address ranges those application servers reside on are
situated outside of the three IPv4 default private networks nGeniusONE provides, Henry adds a
new My Network entry with an address range of his choice.

Henry needs to apply more scrutiny to the company’s phones, which have been bearing a heavier
than usual load and providing spotty service lately. So, Henry adds a VIP List community for
192.168.47.39, the IP address of the switch on which phone service is supported. Again, no entry
in My Network is required because the phone switch’s interior address lies within the default
private network range.

Frequent interruption of email service has prompted a deeper examination of the firm’s Email
servers and who might be overloading the system with large email attachments. In response to
this situation, Henry adds a server community on the appropriate subnet and a wide-ranging
client community which includes multiple subnets throughout the company. Because the
subnets are all internal, no My Network entries need be added.

Using Discover My Network

After configuring your My Network entries, you can use the Discover My Network module to:
• Access a comprehensive view of network activity based on individual MELs and
  applications.
• Troubleshoot loads and failures using provided metrics for transactions, throughput,
  application latency, TCP window size, and volume/packet/ageout counts, which are
  provided along with charts for visual interpretation.
• Change the view to display media traffic with a high-level view for ad hoc network
  impairments analysis.


Note: Be aware that Discover My Network displays results only on servers that are defined in
My Network and that, when you compare the same application traffic in Discover My Network and
Traffic Monitor, values are much greater in the Traffic Monitor. So, use the Traffic Monitor to view
application data for all devices and Discover My Network for network-defined elements.

7.1.2.3 Server Communities Overview


The Global Settings > Communities > Server Communities page allows you to configure
server communities for monitoring.

Ensure you are familiar with these guidelines before you configure Server Communities:
• Before you configure a Server Community, you must first add the subnet or IP address to
  your My Network configuration.
• When working with SCTP multi-homing environments, there can be difficulty searching for
  metrics of a specific eNodeB (most commonly with S1MME and eNodeB elements). To
  address this difficulty, you can use one of these methods:
  ◦ Configure server communities for each eNodeB containing both IP addresses. This
    method aggregates transactions from both IPs on the eNodeB into a single row in the
    service monitor making it much easier to find and troubleshoot issues. Because the total
    number of eNodeBs in a network can be more than 10,000, the maximum number of
    tracked servers nGeniusONE supports is 20,000, which is sufficient to handle this load.
  ◦ Access the <nGeniusONE install>/rtm/bin/serverprivate.properties file and modify the
    globalsettings.hostgroups.maxServerCommunities property to lower the limit of
    supported eNodeBs.
  Notes: You should stop the nGeniusONE Server before you modify the property file.
  To resolve IP addresses in cases where there are multiple IP addresses associated with
  the same SCTP client/server combination, refer to Command-Line Object: sctp_mhome.
  Refer to the Agent Configuration Utility Administrator Guide.
• Exactly matching Server and Client community entries are not allowed so that a second,
  matching IP address is not permitted.
• nGeniusONE does not classify DHCP helper/relay agents as part of a Server Community.
  These packets are classified in the Host Group Other category.
• Define streams as specific communities; otherwise, data may be lumped into the Host
  Group Other category and displays between the dashboard and monitors can be
  mismatched.

Displaying Host (IP Address), GeoIP, or IMSI/MSISDN Values in nGeniusONE Monitor Community Fields

For easier identification and greater visibility, you can customize alternate values for addresses
or IDs displayed in Community fields of nGeniusONE monitors and enablers in these ways:
• Configure the Server (or Client) Communities on the server and then execute the set
  community_type command on the InfiniStream appliance to direct nGeniusONE to display
  IP Addresses, Host Names, or Host Group Other, by default, in Community fields of
  NETSCOUT monitors. Refer to the Agent Configuration Utility Administrator Guide.
• Use the set community_type command with the GeoIP feature, an internally defined
  mapping, to translate IP addresses into geographical locations (state or country), which
  does not require configuration on the nGeniusONE server. Refer to the Agent
  Configuration Utility Administrator Guide.

Community Examples

These examples show how Community aggregation is applied:

To Which Subnet Does My Community Belong?

A given IP address can logically belong to more than one subnet. When this occurs, the IP
address is matched to the most specific subnet definition.

For example, consider the following list of subnets:


• Subnet 1 = 10.20.30.40/8
• Subnet 2 = 10.20.30.40/16
• Subnet 3 = 10.20.30.40/24

The address 10.20.30.15 could be considered a match for all three subnets because it matches
the first eight bits of subnet 1, the first 16 bits of subnet 2 and the first 24 bits of subnet 3.
However, because subnet 3 has the most specific definition, 10.20.30.15 is considered a match
with subnet 3. Using the same logic, the address 10.20.40.40 falls into subnet 2 and 10.50.50.50
falls into subnet 1.
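
The most-specific-match rule above, sketched in Python as an added example (not NETSCOUT code). The subnet definitions are the three from the text; the function names, and the use of Host Group Other as the label for unmatched addresses, are assumptions made for the illustration.

```python
import ipaddress

# Subnet definitions copied from the example above.
COMMUNITIES = {
    "Subnet 1": "10.20.30.40/8",
    "Subnet 2": "10.20.30.40/16",
    "Subnet 3": "10.20.30.40/24",
}
FALLBACK = "Host Group Other"  # assumed label for addresses that match nothing


def compile_communities(definitions):
    """Turn name -> CIDR text into (network, name) pairs, most specific first."""
    compiled = []
    for name, cidr in definitions.items():
        # strict=False accepts definitions such as 10.20.30.40/8, whose host
        # bits are set, and normalises them to the network they cover.
        compiled.append((ipaddress.ip_network(cidr, strict=False), name))
    compiled.sort(key=lambda pair: pair[0].prefixlen, reverse=True)
    return compiled


def classify(address, compiled):
    """Return the name of the most specific definition containing the address."""
    ip = ipaddress.ip_address(address)
    for network, name in compiled:
        # IPv4 and IPv6 definitions never match each other's addresses.
        if ip.version == network.version and ip in network:
            return name
    return FALLBACK


def duplicate_definitions(definitions):
    """List groups of names whose definitions normalise to the same network.

    Such entries are equally specific, so the match between them is ambiguous
    and worth catching before the configuration is applied.
    """
    seen = {}
    for name, cidr in definitions.items():
        network = ipaddress.ip_network(cidr, strict=False)
        seen.setdefault(network, []).append(name)
    return [names for names in seen.values() if len(names) > 1]


COMPILED = compile_communities(COMMUNITIES)

if __name__ == "__main__":
    for addr in ("10.20.30.15", "10.20.40.40", "10.50.50.50", "192.168.11.5"):
        print(addr, "->", classify(addr, COMPILED))
```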

Server or Client Communities = Aggregate Statistics for Specified Servers or Clients

192.168.11.0/26
192.168.12.0/26
192.168.13.0/26
192.168.14.52/26

7.1.2.4 VIP List Communities Overview


The Global Settings > Communities > VIP List page allows you to configure VIP List
communities for monitoring.

For VIP Lists composed of IP addresses, you can configure only single VIP List community IP
addresses, not subnets. After you add an entry, the configured IP address displays with a /32
subnet (255.255.255.255) appended for an IPv4 address and a /128 subnet for an IPv6 address,
but these subnets signify a unique value matching only one IP address.

To render IP addresses or IDs more recognizable, you can customize them to display as Host,
GeoIP, or IMSI/IMEI values in the Community fields of nGeniusONE monitors and enablers. To do
so you may have to copy files to the nGeniusONE server or InfiniStream appliance. Be aware that
you may configure a GeoIP or User Community but not both. Refer to Customizing Community
Types in the Agent Configuration Utility Administrator Guide for more information.

A VIP List community of:


l MSISDN entries are LTE-specific and usually number 12 digits. They typically consist of a 3-
digit Country Code, a 3-digit National Destination Code or Number Planning Area number,
and the Subscriber Number.
l IMSI entries are CDMA2K-specific and usually number 15 digits. They typically consist of a
3-digit Mobile Country Code, a 2- or 3-digit Mobile Network Code, and the Mobile
Subscription Identification Number.
l MSISDN entries can be monitored over:
o Mobile core links including: Gn, S2b, S5, and S11.
o Mobile access links including: Gb, IuPS, R-P, P-H, S1_MME, and S2a.

You can disable packet recording and XDR generation on InfiniStream appliances by configuring
a VIP List of MSISDN or IMSI phone numbers and associating those lists with mobile group IDs.
This feature is beneficial for mobile companies who choose not to store ASR data and record
packets for all mobile customers. Creating a VIP List to filter for only specified entries preserves
the confidentiality and security of other customer phone numbers. This support is also valuable
for focused tracking of field tests, VIP accounts (executive and B2B lists), and problematic
IMSI/MSISDN numbers.

Addresses entered in VIP List Communities must be equal to or contained by addresses in My
Network.

Note: Client, Server, and VIP List communities are applied after checking for My Network
entries. Community IDs associated with IMSI/MSISDN phone numbers for both Client and
Server Communities are saved in the KSI (Key Session Indicators) table.

Displaying Host (IP Address), GeoIP, or IMSI/MSISDN Values in nGeniusONE Monitor Community Fields

For easier identification and greater visibility, you can customize alternate values for addresses
or IDs displayed in Community fields of nGeniusONE monitors and enablers in this way:

You can configure IMSI or MSISDN IDs to map to telephone numbers and more easily
recognizable names—such as WestfordMarketing—either by configuring a VIP List community or
by using the set community_type command. Community IDs associated with IMSI/MSISDN
phone numbers for both Client and Server Communities are saved in the KSI (Key Session
Indicators) table.

7.1.2.5 Turning Off Packet Recording and XDR Generation by VIP List
Disabling packet recording and XDR generation on InfiniStream appliances is provided through
configuration of a VIP List community for only those MSISDN or IMSI phone numbers you want
to monitor by their associated VIP List mobile group IDs. When enabled (the command is
disabled by default), this functionality filters out packet recording and ASR-generation for data
only, not control data.

This feature is useful for mobile companies who choose not to store ASR data and record
packets for all mobile customers. Creating a VIP List to filter for only specified entries preserves
the confidentiality and security of other customer phone numbers. An added benefit is the
lessened monitoring impact due to fewer ASR and packet recording loads collected.


Note: When you set the mobile_id community type on the InfiniStream appliance, the Global
Settings definition is not used. Instead, files on the InfiniStream appliance are used, along
with a companion file copied to the nGeniusONE server (refer to Customizing Community Types
in the Agent Configuration Utility Administrator Guide). However, VIP Lists are used when the
Type is set appropriately.

1. Use the nGeniusONE console and go to Device Configuration.

2. Select an InfiniStream from the device list and click Remote Login.
3. Use the Agent Configuration Utility to configure the mobile_id agent community type
setting (refer to Command-Line Object: community_type in the Agent Configuration Utility
Administrator Guide).
4. Use the nGeniusONE Console and go to Global Settings > Communities > VIP List.
5. Use the Type drop down list to select MSISDN or IMSI.

6. Click Add a VIP.


7. Click OK to save the VIP List to the nGeniusONE server and click Apply to apply your
configuration.

8. Go to Servers and Users > Business Types and check the Service Provider option
to ensure VIP List entries for mobile IDs are configured correctly; otherwise the VIP List
type defaults to IP Address (rather than MSISDN or IMSI).

9. Go to Device Configuration and click Relearn on the specified InfiniStream
appliance to update the InfiniStream.

7.1.3 Global Settings - Locations


Use the following sections to configure features and functionality using the Global Settings >
Locations.

7.1.3.1 Getting Started with APN Virtual Interfaces Monitoring Configuration


An Access Point Name (APN):
l Is a virtual interface representing a packet data network to which a General Packet Radio
Services (GPRS) mobile device can be connected.
l Can be public, providing mobile access to the Internet.
l Can be private, providing mobile access to a company intranet, for example.

When a GPRS mobile phone sets up a PDP context, the access point is selected and an APN is
determined.

APN examples:
mycompany.abcd.gprs
internet
mymobile
zap.cingular.com

The access point is then used in a DNS query to a private DNS network. This process, called APN
resolution, provides the IP address of the Gateway GPRS Support Node (GGSN) which serves the
access point. A PDP context can then be activated.


You must configure your nGeniusONE device to monitor APNs. nGeniusONE devices allow you to
associate APNs with a specific interface. You must configure APN monitoring on supported
devices and associate APN definitions with Gn, S11, S5/S8-GTPv2, S2a, Ph, or Pi physical links in
Device Configuration > Devices > Device Details. You can view APN statistics in service
monitors and drill down from there to nGenius Subscriber Intelligence.

Monitoring APN virtual interfaces allows you to:


l Segregate mobile inbound and outbound traffic for monitoring and reporting. For
example, Origin-Host and Destination-Host entries display as Mobility Management Entities
(MME) and Home Subscriber Servers (HSS), such as:
o IMS_MME-I-ec_0
o IMS_HSS1_W1
l Receive alarms triggered on monitored elements.
l Define link speeds to reflect bandwidth allocation for specific APN virtual interfaces
including DRA-APN.
l Track QoE and KPI Diameter entries.

When a physical interface or flow interface detects traffic matching an APN virtual interface
definition, it automatically creates a virtual interface to track the application, host, and
conversation statistics. Be aware that the number of APNs detected, and therefore the number
of APN interfaces you see in MEL displays, may not equal the number of APN definitions.

APN virtual interfaces support drilldowns into individual Diameter Routing Agents (DRAs) and
endpoints for QoE data such as Link, Application, Host and Conversation information based on
dbONE flows.

Note: APN Monitoring does not support duplicate names. Drilldowns to packet data are not
supported.

The DRA-APN virtual interface is supported, and:


l Monitors APN, Origin-Host, and Dest-Host location keys at the same time.
l Is applicable for all IMS-related interfaces, including IMS-C, IMS-A, IMS-S, and IMS-X.
l  Allows these location keys to be set on it:
o Origin Host—derived from the Origin-Host name [AVP Code 264] (Attribute-Value Pairs)
of the Diameter Request message. If Origin-Host is not present, the Origin-Realm name
(AVP Code 296) of the Request message will be used.
o Destination Host or Realm—derived from the Destination-Host AVP (AVP Code 293) of
the Diameter Request message. If Destination-Host AVP is not present, the Destination-
Realm name (AVP Code 283) of the Request message will be used. If the Request
message contains neither name, the destination host will be derived from the Origin-
Host name or Origin-Realm name of the Response message.
o APN—These AVPs (names) will be used to supply APN information:
The Called-Station-Id name (AVP Code 30) contains the APN the user is connected to.
The APN value will be derived from the Diameter Request message.
The Service-Selection name (AVP Code 493) contains the name of the service with which
mobility service is connected. The APN is derived from the Request/Response Diameter
message containing this name if the Called-Station-Id name is not present.


o RAT Type and Handset.

Additionally, you can configure location key orientation (refer to Service Members). The Service
Configuration monitor supports optional configuration of location key orientation—with
source/destination direction—for Diameter DRAs. To select orientation settings for DIA=name
host location keys (refer to Configuring APN Virtual Interfaces in the Agent Configuration Utility
Administrator Guide), a drop down menu contains these options:
l Both—Groups Diameter messages with either a matching Diameter Origin-Host or
Destination-Host key name.
l Client—Groups Diameter messages with a matching Diameter Origin-Host key name.
l Server—Groups Diameter messages with a matching Diameter Destination-Host key name.
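
The fallback order for the Origin Host, Destination Host and APN location keys, and the Both/Client/Server orientation match, as an added Python example (not NETSCOUT code). The AVP codes are those named above; the function names and the host, realm and APN values in the sample messages are constructed for the illustration.

```python
import struct

# AVP codes named in the text above
ORIGIN_HOST, ORIGIN_REALM = 264, 296
DEST_HOST, DEST_REALM = 293, 283
CALLED_STATION_ID, SERVICE_SELECTION = 30, 493
REQUEST_FLAG = 0x80   # 'R' bit in the Diameter header flags
VENDOR_FLAG = 0x80    # 'V' bit in the AVP flags


def build_message(is_request, avps):
    """Encode a constructed Diameter message from (code, text) pairs (demo input)."""
    body = b""
    for code, text in avps:
        data = text.encode()
        length = 8 + len(data)                   # AVP header + data, padding excluded
        body += struct.pack("!IB", code, 0x40) + length.to_bytes(3, "big")
        body += data + b"\x00" * (-length % 4)   # pad to a 32-bit boundary
    total = 20 + len(body)
    header = struct.pack("!B", 1) + total.to_bytes(3, "big")
    header += struct.pack("!B", REQUEST_FLAG if is_request else 0)
    header += (272).to_bytes(3, "big")           # command code, arbitrary for the demo
    header += struct.pack("!III", 4, 1, 1)       # application id, hop-by-hop, end-to-end
    return header + body


def parse_message(raw):
    """Return (is_request, {avp_code: first text value}); raise ValueError if malformed."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    total = int.from_bytes(raw[1:4], "big")
    if total != len(raw) or total % 4:
        raise ValueError("message length field does not match the buffer")
    avps, offset = {}, 20
    while offset < total:
        if total - offset < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", raw, offset)
        length = int.from_bytes(raw[offset + 5:offset + 8], "big")
        header_len = 12 if flags & VENDOR_FLAG else 8
        if length < header_len or offset + length > total:
            raise ValueError("AVP length out of bounds")
        if not flags & VENDOR_FLAG:   # vendor AVP codes are a separate number space
            value = raw[offset + 8:offset + length].decode("utf-8", "replace")
            avps.setdefault(code, value)
        offset += length + (-length % 4)
    return bool(raw[4] & REQUEST_FLAG), avps


def derive_location_keys(request, response=None):
    """Apply the fallback order described above to raw Request/Response bytes."""
    is_request, req = parse_message(request)
    if not is_request:
        raise ValueError("first argument must be a Request message")
    rsp = {}
    if response is not None:
        rsp_is_request, rsp = parse_message(response)
        if rsp_is_request:
            raise ValueError("second argument must be a Response message")
    return {
        # Origin-Host, else Origin-Realm, of the Request
        "origin": req.get(ORIGIN_HOST) or req.get(ORIGIN_REALM),
        # Destination-Host, else Destination-Realm, else the Response's origin
        "destination": (req.get(DEST_HOST) or req.get(DEST_REALM)
                        or rsp.get(ORIGIN_HOST) or rsp.get(ORIGIN_REALM)),
        # Called-Station-Id from the Request, else Service-Selection from either
        "apn": (req.get(CALLED_STATION_ID) or req.get(SERVICE_SELECTION)
                or rsp.get(SERVICE_SELECTION)),
    }


def matches_key(keys, name, orientation="Both"):
    """Orientation options: Both, Client (origin only), Server (destination only)."""
    if orientation == "Client":
        return keys["origin"] == name
    if orientation == "Server":
        return keys["destination"] == name
    return name in (keys["origin"], keys["destination"])


# Constructed sample exchange: the Request carries only a realm and no destination.
SAMPLE_REQUEST = build_message(True, [(ORIGIN_REALM, "visited.example.net"),
                                      (SERVICE_SELECTION, "internet")])
SAMPLE_ANSWER = build_message(False, [(ORIGIN_HOST, "hss1.home.example.net"),
                                      (ORIGIN_REALM, "home.example.net")])

if __name__ == "__main__":
    print(derive_location_keys(SAMPLE_REQUEST, SAMPLE_ANSWER))
```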

You can use these configuration tasks to begin monitoring APNs:

1. Configure APN monitoring on the device; refer to Configuring APN Monitoring in the Agent
Configuration Utility Administrator Guide.
2. Add up to 32000 APN group definitions per server:
l Add APN virtual interface definitions individually; refer to Configuring APN Virtual
Interfaces and Configuring APN and DRA Virtual Interfaces to Monitor GTP in the Agent
Configuration Utility Administrator Guide.
l Create a file to import APN virtual interface definitions.
l Import multiple APN virtual interface definitions.
3. (Optional) Modify APN virtual interface definitions.
4. Associate the APN virtual interface definition with the device physical interface; refer to
Associating APN Definitions with a Physical Interface in the Agent Configuration Utility
Administrator Guide.
5. (Optional) Enable automatic discovery of APNs/DRAs (for those not defined in Global
Settings); refer to Command-Line Object: apn_disc_opts.
6. (Optional) Configure APN virtual interface definitions to track QoE and KPI Diameter
entries; refer to Configuring APN Virtual Interfaces in the Agent Configuration Utility
Administrator Guide.

Refer to:
l Configuring APN Monitoring in the Agent Configuration Utility Administrator Guide for
information about configuring APN monitoring on the InfiniStream, including configuring
mobile parameters and enabling automatic DRA discovery.
l Configuring APN Virtual Interfaces in the Agent Configuration Utility Administrator Guide for
information about configuring APN virtual interfaces in nGeniusONE.

7.1.3.2 Creating Site Virtual Interfaces after Association with a Device


By default, a site virtual interface is created when an appropriately configured physical interface
or flow interface detects network traffic that matches a site definition. However, you can use the
information in this topic to configure your system to create site virtual interfaces immediately
after association with an nGeniusONE device, even if no matching traffic exists, which allows you
to:
l Include the sites in monitored element groups.
l Include the sites in reports.
l Launch views based on the sites in nGeniusONE monitors (if no traffic is present, the views
are empty).

Note: The created sites are counted as active against your license.

To configure your system to create site virtual interfaces immediately after association with an
nGeniusONE device, add this property to the
<nGeniusONE install>/rtm/bin/serverprivate.properties file (refer to Modifying the
serverprivate.properties File):
createsiteafterassoc=true

7.1.3.3 QoS Groups Monitoring Configuration Overview


You can configure Quality of Service (QoS) groups to prioritize network traffic based on different
levels of service assurances. An Administrator can assign:
l One type of traffic priority over other types of traffic.
l Levels of quality with respect to network bandwidth or end-to-end delay.

Some applications are critically sensitive to network congestion but many are not, for example:
l Voice and video applications are sensitive to network delay. If voice packets take too long
to reach their destination, the resulting speech sounds choppy or distorted. QoS can be
used to provide assured services to these applications.
l File Transfer Protocol (FTP) has a tolerance for network delay or bandwidth limitation. To
the user, FTP simply takes longer to download a file to the target system. Although
annoying to the user, this slowness does not normally impede the operation of the
application.

Differentiated Service and the Differentiated Service Code Point are used to prioritize traffic
flows in QoS enabled networks. nGeniusONE uses probes to monitor flows based on the DSCP
value of the flow. These flows display in real-time views.

QoS Data Collection and Monitoring

nGeniusONE manages QoS group configuration and downloads the configuration information to
the device(s).

These conditions apply to QoS group data collection and monitoring:


l A total of 64 QoS Levels (0 to 63) are available for QoS groups. Each QoS Level can be
assigned to only one QoS group. For example, if you create a QoS group named "GOLD,"
and add QoS levels 30, 40, and 50 to it, these levels cannot be assigned to any other QoS
group.


l Each QoS group is associated with a speed, which can be applied to the probe for
utilization calculations. You can override QoS group speeds for specific probe interfaces at
Device Configuration > Devices > Modify Device > Locations.
l For QoS levels to work properly, you must know the type of traffic you are running (DSCP,
IPP, or MPLS). For example, if you set the QoS mode to DSCP using the command line (refer
to Enabling the Device to Monitor QoS in the Agent Configuration Utility Administrator Guide),
and your traffic is all IPP, your QoS levels are not correct.
l If the virtual interface mode (change vifn_mode) is set to VRF-SITE, when you enable the
QoS Groups option you must disable discovery.
l When you add QoS groups, the same settings are applied to all probes in the enterprise.
However, you can apply QoS speed overrides to individual probes and interfaces.

You can enable collection of QoS Class Identifiers on appropriate interfaces—to do so, you must
monitor data plane traffic on these interfaces with the values displaying as Location Keys in
Service Monitors.

QoS monitoring can help you answer questions like these:


l QoS has been implemented to prioritize the traffic and reduce bottlenecks. Are all the
routers configured correctly with the priority choices?
l QoS categories have been assigned with a set of assumptions and goals. Are the priority
choices right to optimize overall network performance?
l The QoS group has been in place for a number of months. How will the network be
reevaluated for future changes as new applications are added to the network?

You can monitor QoS at the interface level, a sub-level for VLAN, SITE, or at VRF-SITE virtual
interfaces.

7.1.3.4 Differentiated Service and the Differentiated Service Code Point


Differentiated service:
l Prioritizes the movement of applications over the network using a set of classification tools
and queuing mechanisms. Priority can be specified in different ways; for example, using:
o The IP Precedence bit settings in IP packets.
o Source address.
o Destination address.
l Is used for mission-critical applications to provide end-to-end QoS.
l Is appropriate for aggregate flows because it performs a relatively coarse level of traffic
classification.

The network tries to deliver a specific level of service based on the QoS specified by the
Differentiated Service Code Points (DSCP) in each packet. Network devices use DSCP to classify,
shape, and police traffic, and to perform intelligent queuing.

Differentiated Service Code Point

DSCP is:


l A field in an IP packet that enables different levels of service to be assigned to network
traffic. This is achieved by marking each packet on the network with a DSCP code and
appropriating to it the corresponding level of service.
l The combination of IP Precedence and Type of Service fields. To work with legacy routers
that only support IP Precedence, DSCP values are used because they are compatible with IP
Precedence fields (refer to RFC 2474 at the RFC Editor Web Site for more information).
l A six-bit field with the default values displayed in this table:

Service Type         DSCP    IP Precedence
Network control      30      6
Guaranteed           28      5
Controlled load      18      3
All other traffic    0       0

Note: QoS values reported for UC-related views in all modules (Monitors, Dashboard,
Reports, Grid, and UC views) are always DSCP-based.

7.1.3.5 Understanding Point Codes


nGeniusONE allows you to configure signaling Origination Point Codes (OPCs) and Destination
Point Codes (DPC) for monitoring. Point Codes are a type of network node identification.
Signaling point codes pre-date the use of IP addresses; however, they are still widely used by
Service Providers in TDM-based networks.

NETSCOUT supports:
l 24-bit ANSI point codes.
l 14-bit ITU point codes.
l 16-bit JAPAN point codes.

nGeniusONE's implementation adds a virtual (cache) channel for point codes and populates the
channel when the system starts. When you configure new point codes, nGeniusONE:

1. Saves them to the database.


2. Updates GlobalProtocolCache, which other components use to query all location keys (for
example, handsets, APNs, cell sites).
3. Downloads the point codes to InfiniStreams that support this capability.

The point code syntax is <Network_Indicator>:<Point_Code>, with entries delimited by commas, where:


l <Network_Indicator> can be:
o 0 (National)
o 1 (National_Spare)
o 2 (International)
o 3 (International_Spare)


l <Point_Code> can be:


o 1 - Decimal
o 2 - ANSI - 8-8-8
o 3 - ITU - 3-8-3
o 5 - JAPAN - 7-4-5

Example of point codes: Paris;0:1-1-1,1:2-2-2,0:12345,2:123

Maximum Values Permitted for Point Codes

Maximum point code values are:


l ITU = 16383.
l Japan = 16,777,216.
l ANSI = 65535.

These guidelines apply to the maximum value of each component in dashed notation:

l In 8-8-8 notation, 1-2-3 is valid, but 512-1-2 is not (each component must be strictly less
than 256).
l The first component cannot be zero.
l In 3-8-3 notation, 1-2-3 is valid, but 8-1-2 is not (the first and last components must be
strictly less than 8).

7.1.3.6 Understanding the PLMN


A Public Land Mobile Network (PLMN) supports wireless telecommunications, interconnecting
with other PLMNs and fixed, wired Public Switched Telephone Networks (PSTNs). PLMNs
facilitate telephone communications, data, and Internet access by Internet Service Providers.

nGeniusONE identifies PLMN locations by:


l Mobile Country Code (MCC)
l Mobile Network Code (MNC)
l IP address (for users with hybrid MCC/MNC/IP address configurations).

For example, a PLMN ID "311 270" represents USA and Verizon Wireless.

Monitoring of inbound and outbound roaming is supported by the choice of Home, Visited, or
dual PLMN modes. Monitoring roaming allows you to:
l Track a subscriber's home PLMN from a visited PLMN.
l Authenticate a subscriber from the visited PLMN.
l Measure shared revenue generated by roaming charges between the visited and home
PLMN.

Home PLMNs are composed of the combined MCC and MNC of the home network as extracted
from the International Mobile Subscriber Identity (IMSI) number.

Visited PLMNs are composed of the combined MCC and MNC of the visited network as extracted
from a message, such as LA-RA.


nGeniusONE handles PLMNs similar to how Site or Site-APN location keys are managed because
PLMN definitions are downloaded to the InfiniStream appliance as Sites. Optionally, PLMNs can
be identified by their IP address/subnet, and MCC/MNC values with the advantage of collecting
traffic under a single-instance location key. IPv4 and IPv6 addresses are supported.

These links are supported for Home and Visited PLMNs:


l Gp (Gn interface deployment)
l S6a (IMSI deployment)
l S11
l S2b
l S5/S8

For LTE/UMTS/GPRS traffic, nGeniusONE derives the:


l HPLMN ID from the IMSI.
l VPLMN (protocol-specific) from the:
o User Location Info field for the Gp link.
o Visited-PLMN-ID AVP (for the S6a link for Diameter only).

To classify roaming traffic, NETSCOUT combines IP addresses/subnets and MCC/MNC detection
because MCC/MNC alone is not able to characterize some GTP traffic. This is due to the fact that
some GRX/IPX roaming partners do not forward RAI or user location information that NETSCOUT
uses to identify PLMN-ID based sites. A PLMN in this case is identified by a source IP-based
lookup. This function affects only VPLMN-HPLMN and VPLMN-APN virtual interfaces because
HPLMN identification is based on IMSI, which is always mandatory.

Another benefit of grouping by IP subnets is that it allows non-GTP traffic to be identified,
including DNS and Diameter traffic.

This table describes PLMN modes that support home and visited PLMNs:

PLMN Option #   PLMN Type      Virtual If Type   Handling by nGeniusONE
27              HPLMN-APN      Site-APN          Site definition replaced by the Home PLMN ID.
28              VPLMN-APN      Site-APN          Site definition replaced by the Visited PLMN ID.
26              VPLMN-HPLMN    Site              Client Site replaced by Visited PLMN ID;
                                                 Server Site replaced by Home PLMN ID.

Use the Agent Configuration Utility to configure PLMN modes; refer to Change vifn_mode in the
Agent Configuration Utility Administrator Guide.
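
The derivation described in this section (HPLMN from the IMSI, VPLMN from MCC/MNC location information with a source-IP lookup as the fallback), as an added Python example (not NETSCOUT code). PLMN ID 311 270 is the one cited above; the second PLMN, the subnets, the IMSIs, the function names and the inbound/outbound labels are constructed for the illustration.

```python
import ipaddress

# Constructed PLMN definitions: MCC/MNC plus optional IP subnets per PLMN.
PLMNS = [
    {"name": "Home-US", "mcc": "311", "mnc": "270",
     "subnets": ["198.51.100.0/24"]},
    {"name": "Partner-Test", "mcc": "001", "mnc": "01",
     "subnets": ["203.0.113.0/24", "2001:db8:a::/48"]},
]


def hplmn_from_imsi(imsi, plmns):
    """HPLMN is the MCC + MNC at the start of the IMSI.

    The MNC is 2 or 3 digits long and the IMSI does not say which, so the
    3-digit candidate is tried against the definitions before the 2-digit one.
    """
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    for mnc_len in (3, 2):
        for plmn in plmns:
            if plmn["mcc"] == imsi[:3] and plmn["mnc"] == imsi[3:3 + mnc_len]:
                return plmn["name"]
    return None


def plmn_from_ip(address, plmns):
    """Return the first PLMN with a subnet containing the address, else None."""
    ip = ipaddress.ip_address(address)
    for plmn in plmns:
        for cidr in plmn["subnets"]:
            network = ipaddress.ip_network(cidr)
            if ip.version == network.version and ip in network:
                return plmn["name"]
    return None


def vplmn_for_session(location_mcc_mnc, source_ip, plmns):
    """Prefer MCC/MNC from the message; fall back to the source IP lookup.

    location_mcc_mnc is None when the roaming partner did not forward
    location information. Returns (plmn_name, method).
    """
    if location_mcc_mnc is not None:
        mcc, mnc = location_mcc_mnc
        for plmn in plmns:
            if (plmn["mcc"], plmn["mnc"]) == (mcc, mnc):
                return plmn["name"], "mcc/mnc"
    name = plmn_from_ip(source_ip, plmns)
    return (name, "source-ip") if name else (None, "unmatched")


def classify_session(imsi, location_mcc_mnc, source_ip, plmns, own="Home-US"):
    """Combine both lookups and label the roaming direction relative to 'own'."""
    home = hplmn_from_imsi(imsi, plmns)
    visited, method = vplmn_for_session(location_mcc_mnc, source_ip, plmns)
    if home == own and visited == own:
        direction = "home"
    elif home == own and visited is not None:
        direction = "outbound roaming"
    elif home is not None and visited == own:
        direction = "inbound roaming"
    else:
        direction = "unknown"
    return {"hplmn": home, "vplmn": visited,
            "vplmn_source": method, "direction": direction}


if __name__ == "__main__":
    # Home subscriber abroad, partner forwarded no location information.
    print(classify_session("311270123456789", None, "203.0.113.7", PLMNS))
    # Partner subscriber on the home network, location information present.
    print(classify_session("001011234567890", ("311", "270"), "192.0.2.1", PLMNS))
```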

7.1.3.7 Understanding VLAN Services Monitoring


Stacked VLAN Services monitoring supports mapping your VLAN services to:


l VLANs on your network.


l Discrete VLAN levels on your network.

You can define traffic in a virtual network by:


l Connection ports on the switch.
l MAC addresses.
l Source IP addresses.
l Protocol type, where all hosts are grouped using the same protocol on the network.

This allows you to order and monitor traffic in practical ways, by:
l Type of VLAN service.
l Department.
l Subnet.
l Physical location.

This table is an example of this practical ordering and monitoring method:

Service Type           VLAN Level 1   VLAN Level 2   VLAN Level 3   VLAN Level 4
Broadband DSL          1021           10-20          100            288
Broadband FTTH         100-200        30-40          1              188
Marketing              350            350            350            350
IPTV                   444            444            444            444-555
65th Floor - Boston    27             57-89          68             32
192.168.55.91/64       36             5              49             45

VLAN services support guidelines are:


l The total number of service type entries supported is 1024.
l The total number of service levels per entry supported is 32.
l The range of VLANs supported is 1 to 4094.

Because the VLAN ranges required by different users on the network might overlap, assigning a
unique range of VLAN IDs to each user would restrict user configurations and could easily
exceed the VLAN limit of 4094. However, with stacked VLANs, a unique VLAN ID expands the
VLAN space for users who have multiple VLANs. From the perspective of a service provider, the
primary benefit of stacked VLANs is a reduced number of VLANs supported for the same number
of customers.

nGeniusONE supports:
l VLAN Services data for VLAN-configured virtual interfaces, which are displayed in all QoE
views of associated monitors.
l Drill downs to Packet Decode are available because VLAN tags are applied at the packet
level.


The numbers in the example table above represent VLAN tags. VLANs are grouped as VLAN tags,
organized under four VLAN Levels, which are applied during configuration in Device
Management. After configuration, the VLAN tags are displayed in the Definition column of the
VLAN Services screen as a set of VLANs separated by colons, as shown in this example, cited
from the example table above:
350:350:350:350

The VLAN Services dialog also includes VLAN tag names and their unique auto-generated Group
ID. How you group VLANs can indicate their function. For example, this VLAN tag indicates VLAN
Level 1, 2, and 3 service at the 65th Floor - Boston facility, cited from the example table above:
27:57-89:68


7.1.3.9 Understanding Cell Sites and Cell-ID Discovery


For nGeniusONE servers that manage data sources configured to collect mobile traffic that
contains cell site data, you can:
l Configure a custom name to be shown in nGeniusONE modules, instead of the Cell Site ID.
l Associate a Cell Site name with a specific LA-RA/BSID name. For example, if the same Cell
Site ID is associated with more than one physical or virtual interface, you can differentiate
the data by associating each interface with a separate name.
l Display Cell sites in nGeniusONE modules by Name or ID; cell names are shown in the
Traffic Monitor.


Note: Cell Sites are applicable when the InfiniStream appliance is configured to monitor LA-
RA, TAC, or BSID virtual interfaces (refer to Change vifn_mode in the Agent Configuration
Utility Administrator Guide for more information).

Controlled Cell-ID Discovery


Because a large number of cell IDs (100 to 200,000) can accumulate quickly on an
nGeniusONE Server and slow performance, Controlled Cell-ID Discovery is used to discover cell
IDs.

You can configure Controlled Cell-ID Discovery to create a static list file, static_cellidlist.txt. The
cell IDs in the static_cellidlist.txt file can be matched with the IDs derived during the last hour
of KTI data stored in dbONE.

Only matched cell IDs are "discovered" and displayed in Device Configuration > <device_name>
> Modify > Locations, if these conditions are met:
l Traffic is running.
l dbONE has logged sufficient data from the InfiniStream appliance.

The nGeniusONE Server performs Controlled Cell ID discovery:


l At every automated re-learn at the top of the hour.
l Upon any manual re-learn.

The maximum number of cell IDs discovered by the nGeniusONE Server is 1000.

In a distributed server configuration, you must provide separate static_cellidlist.txt files on every
local nGeniusONE Server because each server links to different InfiniStreams, which in turn
monitor different cell IDs.

Complete these steps to enable Controlled Cell-ID Discovery:

1. Use a text editor to open the <nGeniusONE install>/rtm/bin/static_cellidlist.txt file.


2. Add a comma-separated list of cell IDs you want discovered up to a limit of 1000, for
example:
10011, 100012, 10013, 10061
3. Save and close the static_cellidlist.txt file.

7.1.3.10 Configuring APN and DRA Virtual Interfaces to Monitor GTP


This topic describes how to:
l Configure APN and Diameter Routing Agents (DRA) virtual interfaces to monitor GPRS
Tunneling Protocol (GTP).
l Enable tracking of QoE and KPI Diameter entries using Client/Server Origin hosts.

Note: You must have Administrator privileges to perform these procedures.

Adding APN/DRA Virtual Interfaces

Complete these steps to add APN/DRA virtual interfaces:

1. Use the nGeniusONE console and go to Global Settings > Locations > APN.

2. Click Add an APN group; you can add up to 32000 APN groups per server.
3. Enter a unique Name for the APN group. When an interface detects traffic matching the
APN definition, the name you enter displays in the list of Monitored Elements in the
service monitors. APN names can include a maximum of 32 alphanumeric characters
and/or spaces. Examples (including CMTS):
London
Boston
Internet
For CMTS virtuals, you must enter APN names in this format:
<vendor>;<Model #>
where:
l <vendor> is the first six characters of the MTA manufacturer's name.
l <Model #> is the complete MTA model number.
Important: All characters are case sensitive. The name must appear exactly as shown in
the DHCP DISCOVER packet.
For example:
Motoro;SBV1234
4. Enter the DTE and DCE Speed (Kbps).

5. Click Add an APN Address.


6. Enter the APN address as defined on the Gateway GPRS Support Node (GGSN). You can
add up to 64 entries, each with up to 64 characters.

If you are adding a DRA entry, use DIA=<name> as the address. You must enter the
DRA as it appears in the DRA for each Origin-Host, Destination-Host or corresponding
Realms you want to track. To ensure you identify any DRAs that you may have missed,
create an entry to track DRAs that you have not defined, using an APN name with
the address set to DIA=UNKNOWN_APN.
Examples (including CMTS):
wap.o2.co.uk
internet.t-mobile.cz
internet
orangeinternet
For CMTS virtuals, you must enter APN addresses in this format:
<vendor>:<Model #>
where:
l <vendor> is the first six characters of the MTA manufacturer name.
l <Model #> is the complete MTA model number.
For example:
Motoro:SBV1234

7. Click OK.
The nGeniusONE Server automatically generates an APN ID for internal use when
downloading the APN definition to a probe. The new values are displayed.
8. (Optional) Repeat Step 2 to Step 7 for any additional APNs you want to configure.
9. Click Apply when you finish configuring APN definitions to save your changes.
10. After adding one or more APN definitions, associate them with an appropriately-
configured physical interface in Device Configuration. Linking APNs with a specific
interface allows you to configure each interface on a probe to monitor a different virtual
interface type.

11. To configure APN monitoring on the InfiniStream, click Remote Login and continue
your configuration using the Agent Configuration Utility; refer to Configure
APN Monitoring in the Agent Configuration Utility Administrator Guide.
12. To configure DRA monitoring on the InfiniStream (Diameter traffic in a Service Provider
environment), click Remote Login and continue your configuration using the Agent
Configuration Utility; refer to Configuring DRA Monitoring in the Agent Configuration Utility
Administrator Guide.

Note: NETSCOUT recommends enabling automatic discovery of APNs/DRAs for those not
configured with the procedure described above. The set apn_disc_opts <ifn> command
captures these APNs/DRAs and enables manual exporting of the collected records to Global
Settings; refer to Command-Line Object: apn_disc_opts in the Agent Configuration Utility
Administrator Guide for more information.

Tracking QoE and KPI Diameter Entries

Complete these steps to configure APN interfaces to support tracking of QoE and KPI Diameter
entries using Client/Server Origin hosts:

1. Enable this feature on monitoring InfiniStream appliances:


l Ensure that the appropriate Diameter options are configured; refer to Command-Line
Object: diameter_opts in the Agent Configuration Utility Administrator Guide.
l Ensure that the appropriate IMS link options are configured; refer to Configure
IMS Links in the Agent Configuration Utility Administrator Guide.
l If you are monitoring Diameter over a link type other than IMS-Core, use the
appropriate mobile parameters script for that interface type; refer to Command-Line
Object: mobile_params in the Agent Configuration Utility Administrator Guide.
l Refer to Configure DRA Monitoring in the Agent Configuration Utility Administrator Guide
for more information.
2. On the nGeniusONE Server, configure APN settings:
a. Click Global Settings > Locations > APN.

b. Click Add an APN group for each DRA to track and enter the APN Name, DTE
Speed and DCE Speed field values.

c. Click Add an APN Address using DIA=<Origin-Host AVP> as the value. The
Origin-Host AVP (Attribute-Value Pairs) entry must be entered as it appears in the DRA.

d. Click OK.
e. Enter an APN name with the address set to DIA=UNKNOWN_APN to ensure you
identify any DRAs that you may have missed (not defined).
f. Click OK and Apply to save and apply your configuration.
3. Click Device Configuration > Devices.

4. Select the InfiniStream appliance on which you configured the APN and click Relearn.

7.1.3.11 Configuring Multimedia Messaging Service (MMS) Monitoring


Multimedia Messaging Service (MMS) is an application used to send multimedia content such as
graphics, photos, audio and video clips, or a combination of them, from mobile phones to other
mobile phones or email accounts. It extends the SMS (Short Message Service) application, used
for text messaging capability.

These MMS message types are supported for monitoring and alarming on Responsiveness and
Application Level KPIs (including application error codes):
l m-send (MMS Send)
l m-retrieve (MMS Retrieve)
l m-forward (MMS Forward)

Note:

Because MMS has unique packet types for the request/response, ensure you are familiar with
the way NETSCOUT computes response time for these MMS messages:
l m-send: Response time is calculated by matching the transaction-id found in the
"M-send-req" with the corresponding "M-send-conf" message PDU. The status field
"X-Mms-Response-Status" is used to classify the response as a success or failure for QoE
and KPI reporting.
l m-retrieve: Response time is calculated as the elapsed time between detection of the
HTTP Get request and detection of the HTTP Status packet. The status field
"X-Mms-Retrieve-Status", found in the "M-retrieve-conf" PDU residing in the HTTP status
packet, is used to classify the response as success or failure for QoE and KPI reporting.
l m-forward: Response time is calculated by matching the transaction-id found in the
"M-forward-req" with the corresponding "M-forward-conf" message PDU. The status field
"X-Mms-Response-Status", found in the "M-forward-conf" PDU, is used to classify the
response as a success or failure for QoE and KPI reporting.

If a failure occurs at the MMSC server (such as server unavailability), the response for the
MMS transaction does not contain the MMS response header. In that case, the transaction is
identified as a failure, with an error code set to an applicable HTTP Error (such as 4XX or 5XX
errors). Refer to the "Overview of Key Performance Indicators" topic in the nGeniusONE Help
for more information on KPIs and KPI errors.
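The matching rules in the note above, worked through as an added example (this is not NETSCOUT code). It pairs already-decoded PDU records; the record keys, the "flow" identifier, the "Ok" success value and the sample records are assumptions constructed for illustration.

```python
"""Pair decoded MMS request/response PDUs and classify each transaction."""

# Request PDU type -> confirmation PDU type (matched on transaction-id).
CONF_FOR = {"M-send-req": "M-send-conf", "M-forward-req": "M-forward-conf"}
MESSAGE_FOR = {"M-send-req": "m-send", "M-forward-req": "m-forward",
               "http-get": "m-retrieve"}

# Constructed, already-decoded records (not captured traffic). Timestamps are
# integer milliseconds; "flow" stands for one HTTP connection (assumption).
SAMPLE_PDUS = [
    {"ts_ms": 1000, "flow": "F1", "type": "M-send-req", "tid": "T1"},
    {"ts_ms": 1420, "flow": "F1", "type": "M-send-conf", "tid": "T1",
     "X-Mms-Response-Status": "Ok"},
    {"ts_ms": 2000, "flow": "F2", "type": "M-forward-req", "tid": "T2"},
    {"ts_ms": 3250, "flow": "F2", "type": "M-forward-conf", "tid": "T2",
     "X-Mms-Response-Status": "Error-service-denied"},
    {"ts_ms": 4000, "flow": "F3", "type": "http-get"},
    {"ts_ms": 4300, "flow": "F3", "type": "http-status", "http_code": 200,
     "X-Mms-Retrieve-Status": "Ok"},
    {"ts_ms": 5000, "flow": "F4", "type": "M-send-req", "tid": "T4"},
    # MMSC failure: HTTP error with no MMS response header in the reply.
    {"ts_ms": 5100, "flow": "F4", "type": "http-status", "http_code": 503},
    {"ts_ms": 6000, "flow": "F5", "type": "M-send-req", "tid": "T5"},  # unanswered
]


def correlate(pdus):
    """Return (transactions, unanswered_requests) for a list of decoded PDUs."""
    by_tid, by_flow, done = {}, {}, []

    def close(req, rsp, status):
        ok = status == "Ok"
        by_tid.pop(req.get("tid"), None)
        if by_flow.get(req["flow"]) is req:
            del by_flow[req["flow"]]
        done.append({"message": MESSAGE_FOR[req["type"]],
                     "response_ms": rsp["ts_ms"] - req["ts_ms"],
                     "success": ok,
                     "error": None if ok else status})

    for pdu in sorted(pdus, key=lambda p: p["ts_ms"]):
        kind = pdu["type"]
        if kind in MESSAGE_FOR:                      # a request: remember it
            by_flow[pdu["flow"]] = pdu
            if "tid" in pdu:
                by_tid[pdu["tid"]] = pdu
        elif kind in CONF_FOR.values():              # m-send / m-forward reply
            req = by_tid.get(pdu.get("tid"))
            if req is not None and CONF_FOR.get(req["type"]) == kind:
                close(req, pdu, pdu.get("X-Mms-Response-Status", "missing status"))
        elif kind == "http-status":
            req = by_flow.get(pdu["flow"])
            if req is None:
                continue
            if req["type"] == "http-get" and "X-Mms-Retrieve-Status" in pdu:
                close(req, pdu, pdu["X-Mms-Retrieve-Status"])   # m-retrieve reply
            elif pdu.get("http_code", 0) >= 400:
                # No MMS header: the HTTP error becomes the error code.
                close(req, pdu, f"HTTP {pdu['http_code']}")
    return done, list(by_flow.values())


def kpi_summary(transactions):
    """Count transactions, failures and total response time per message type."""
    summary = {}
    for t in transactions:
        s = summary.setdefault(t["message"],
                               {"count": 0, "failures": 0, "total_ms": 0})
        s["count"] += 1
        s["failures"] += 0 if t["success"] else 1
        s["total_ms"] += t["response_ms"]
    return summary


if __name__ == "__main__":
    txns, pending = correlate(SAMPLE_PDUS)
    for t in txns:
        print(t)
    print("unanswered:", [p["tid"] for p in pending])
    print(kpi_summary(txns))
```

Requests left in the unanswered list never received a reply in the sample; how such cases are counted on the appliance depends on its ageout and timeout settings.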

Complete these steps to configure Multimedia Messaging Service (MMS) over HTTP monitoring:

1. Enable InfiniStream appliances to also classify MMS over HTTP; refer to Change
http_mode in the Agent Configuration Utility Administrator Guide.

2. From the nGeniusONE console, click Global Settings Applications > View: Enterprise.
3. Navigate to TCP > Well Known Apps > HTTP.
4. Verify that HTTP is enabled for Response Time monitoring.
5. Add MMSC servers that will be evaluated for URLs and MMS:
Note: MMS classification is only performed on flows for which the Server IP address
matches the MMSC subnet defined here. If no MMSC subnet is defined, flows are
considered for URL classification only.
a. With the HTTP application selected, click Add Application to add the server as a child
of HTTP.
b. Enter this information in the Add Application dialog box fields:

For Address, use this syntax: <message>, <ip_address1[/mask]>, <ip_address2[/mask]>
where <message> is m-send, m-receive, or m-forward, followed by a comma,
and <ipaddress> is an IPv4 or IPv6 address with or without a subnet mask. You can add
up to 5 comma-separated IP addresses for each message.

For Short Name, use a descriptive value that matches the message type, such as MMS
Send.

For Application Type: URL Application.


c. Click OK.
d. Repeat Step 5 for the two messages that remain (m-send, m-receive, or m-forward).
6. Click Apply to save your changes.

7.1.3.12 Getting Started with Handset Monitoring Configuration


Users granted the Network Administrator role can configure Handset groups. Handsets not
included in a group display as Handset Group Other in views. NETSCOUT provides a list of
approximately 900 handset groups.

Setting IMEI Range Handling for LTE

You can set LTE handset start/end IMEI ranges if you add this property to the <nGeniusONE
install>/rtm/bin/serverprivate.properties file:

globalsettings.handset.lterangesupport=true

To allow nGeniusONE LTE ranges to download to the InfiniStream, nGeniusONE must have the
capability bit 84 set to ON.

Ensure you are aware of these guidelines:


l Start/end ranges are not mandatory, however:
o The maximum length of the Handset ID is 8 characters; the start/end range is 6
characters.
o Internal validation ensures that Handset ID + start + end ranges do not overlap.

l For any LTE handset definition configured without a defined range, nGeniusONE reserves
the largest range. So if you define one without the range, you cannot define another one
with the same handset ID and a different range. Or, if you define one with a range, you
cannot define another one with same handset ID and without a range.
l If you want to use the CLA to set IMEI ranges, add the
globalsettings.handset.lterangesupport=true property to both the
serverprivate.properties and nGeniusCLA.properties files.

Note: You can execute this CLA command to create an output file:

./nGeniusCLA.sh -act handsetconfig -get_handset a.out

Refer to NETSCOUT Server Administrator Guide for more information.
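A pre-import check for the range guidelines above, as an added example (not NETSCOUT code or the product's internal validation). It assumes Handset IDs and ranges are decimal digits, that ranges are inclusive, and that a definition without a range reserves 000000 to 999999; the function names and sample rows are constructed.

```python
"""Check LTE handset definitions for malformed fields and overlapping IMEI ranges."""
import re
from collections import defaultdict

# Assumption: the "largest range" reserved by a definition without a range
# covers every 6-digit value.
FULL_RANGE = (0, 999999)

# Constructed sample rows: (group name, handset ID, start, end).
SAMPLE_ROWS = [
    ("Alpha early", "35123456", "000000", "499999"),
    ("Alpha late",  "35123456", "500000", "999999"),   # adjacent, no overlap
    ("Beta all",    "35999901", None, None),            # reserves the full range
    ("Beta batch",  "35999901", "100000", "199999"),   # collides with "Beta all"
    ("Gamma one",   "35000011", "200000", "300000"),
    ("Gamma two",   "35000011", "300000", "400000"),   # shares 300000
    ("Delta",       "351234567", None, None),           # ID longer than 8
]


def parse_definition(name, handset_id, start=None, end=None):
    """Validate one row and return it with an inclusive numeric range."""
    if not re.fullmatch(r"\d{1,8}", handset_id):
        raise ValueError(f"handset ID {handset_id!r} must be 1 to 8 digits")
    if (start is None) != (end is None):
        raise ValueError("start and end must be given together")
    if start is None:
        lo, hi = FULL_RANGE
    else:
        for value in (start, end):
            if not re.fullmatch(r"\d{6}", value):
                raise ValueError(f"range value {value!r} must be 6 digits")
        lo, hi = int(start), int(end)
        if lo > hi:
            raise ValueError("start is greater than end")
    return {"name": name, "handset_id": handset_id, "lo": lo, "hi": hi}


def find_conflicts(definitions):
    """Return (handset_id, first_name, second_name) for each overlapping pair found."""
    by_id = defaultdict(list)
    for d in definitions:
        by_id[d["handset_id"]].append(d)
    conflicts = []
    for handset_id, group in by_id.items():
        group.sort(key=lambda d: (d["lo"], d["hi"]))
        widest = group[0]                 # entry reaching furthest so far
        for d in group[1:]:
            if d["lo"] <= widest["hi"]:
                conflicts.append((handset_id, widest["name"], d["name"]))
            if d["hi"] > widest["hi"]:
                widest = d
    return conflicts


def check(rows):
    """Validate every row, then look for overlaps among the valid ones."""
    definitions, errors = [], []
    for row in rows:
        try:
            definitions.append(parse_definition(*row))
        except ValueError as exc:
            errors.append(f"{row[0]}: {exc}")
    return {"errors": errors, "conflicts": find_conflicts(definitions)}


if __name__ == "__main__":
    result = check(SAMPLE_ROWS)
    for line in result["errors"]:
        print("invalid :", line)
    for handset_id, first, second in result["conflicts"]:
        print(f"overlap : {handset_id}: {first!r} and {second!r}")
```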

You can use these configuration tasks to begin monitoring handset groups:

1. Configuring Handset Monitoring on the Appliance—refer to the Agent Configuration Utility
Administrator Guide.
2. Use any of these methods to configure handset groups:
l Add individual handset groups; refer to "Configuring Handset Groups" in the online
help.
l Import multiple handset groups at one time; refer to Importing Multiple Handset
Groups from a File.

7.1.3.13 Getting Started With Site Monitoring Configuration


Creating site virtual interface groups allows you to monitor remote site links that are enabled
with inaccessible topologies. Examples of inaccessible topologies on remote site links:
l Channelized Links
l Encryption/Compression
l IP-Enabled Frame
l MultiProtocol Label Switching (MPLS)
l Private IP
l Virtual Private Networks (VPN)

A site virtual interface is created when:


l An appropriately configured physical or flow interface detects network traffic that matches
a site definition (default behavior).
l You configure your system to create site interfaces immediately after association with an
nGeniusONE device, even if no matching traffic exists.

Using site virtual interfaces, you can:


l Segregate remote inbound and outbound office traffic for monitoring and reporting.
l Define link speeds to reflect bandwidth allocation for specific remote sites.

When a probe physical interface or flow interface detects traffic matching a site definition, the
monitoring device automatically creates a virtual interface on that interface to track these
statistics (based on the subnet or subnet list):
l Application
l Protocol
l Host
l Conversation
l Quality of Service (QoS)

Site monitoring supports:


l Up to 100,000 site virtual interfaces per device
l Adding up to 256 subnets per site definition; maximum of 32,000 subnets across the
enterprise
l One to 31-bit subnet masks

Site monitoring does not support duplicate subnets and masks.

You can use these configuration tasks to begin monitoring sites:

1. Configuring Site Monitoring on the Data Source; refer to the Agent Configuration Utility
Administrator Guide.
2. Use one of these options to add site virtual interface definitions:
l Add site virtual interface definitions individually.
l Import multiple definitions.
3. (Optional) Modify the speed of a Site virtual interface, either globally or for individual
interfaces.
4. Associate the site virtual interface definitions with a device physical interface.

7.1.3.14 Configuring Media Applications for Monitoring


You can configure child applications supported for media applications:
l RTP
l RTCP
l MPEG2-TS
l MSB

These child applications are typically used to isolate specific voice/video services from the traffic
stream, in these implementations:
l Fax machine
l Answering server
l External calls (for example, via a gateway)
l Conference rooms
l Video Streaming service

Configuration is performed in Global Settings for IPv4 or IPv6 Address-based monitoring. Each
child application will contain its own Response Time, Session (ASR), and packet slicing settings.
The selection of thresholds is as follows:
l Audio/Video or child of RTP —Audio or Video based on the codec.
l All other applications — Video thresholds are always used (for example, MPEG2-TS and
MSB).

Child applications can also be used as Service Definitions; for example, to create different
dashboard tiles or reports for different child applications.

Refer to "Adding Extension Applications - Well Known Apps for" in the nGeniusONE Help for
configuration details.

Child Media Application Enhancements

To clarify how RTP, Audio, and Video applications relate to each other, the following changes are
effected:
l Response Time and Session (ASR) check boxes for Audio and Video are hidden since they
have no effect.
l Users can no longer configure Additional Ports for media applications (RTP, RTCP, Audio,
Video, Skype, MSB, MPEG2-TS) and their children.

Media child application enhancements are subject to the following caveats:


l Only child applications based on IP Address v4/v6 ranges (and not ports) are supported.
l In the UC conversation view, the switch between Audio and Video applications does not
apply to RTP child applications.
l When nGeniusONE defines RTP traffic as IP_Other instead of Audio, the cause is a lag by
nGeniusONE in detecting the first two to three packets, so that it does not see the
near-continuous sequence numbers needed for correct classification. This issue can be
resolved by deactivating these applications:
o UNISTIM (RUDP) to ensure IPTV traffic is correctly classified as MPEG2-TS and correctly
assessed
o GTP_V1/V2
o GTP_V1
o Each of the above actions requires enabling the Service Provider business type in Global
Settings to confirm the view
l For correct RTCP detection, nGeniusONE requires that the corresponding RTP traffic be
identified first. Be aware that if the Command-Line Object: span_duplicate command is
enabled on the interface carrying RTP traffic, valid RTP packets may be dropped by default.
Enabling CRC (using span_duplicate) on all interfaces largely resolves this issue. Refer to
the Agent Configuration Utility Administrator Guide.
l Child applications will have the same priority as parent applications.
l Regarding media traffic between two IP Addresses defined for different child applications,
only the highest address will be prioritized and that child application used. In this instance,
Sites or Communities would be a better choice to segregate traffic. Child applications are
not suitable to split traffic by location.

l If Response Time is disabled for RTP but enabled for child applications, InfiniStreams will
process media packets for RTP child applications, but will report only ASI, not CDM, data.
l To avoid the case where a monitor displaying a media stream returns the "Not Defined"
error message, refer to NETSCOUT Server Administrator Guide.

7.1.3.15 Configuring Response Time Buckets for Applications


You must be assigned the Response Time Configuration privilege to modify response time
bucket boundaries—go to nGeniusONE Console > Server Management > User Management >
Roles.

Understanding Responsiveness and Response Time Buckets

The Global Settings > Application Configuration View: <category> > Select monitoring
options (the monitoring options icon) > Responsiveness option allows you to configure upper
limits (boundaries) for these response time buckets, per application:
l 1 - Fast
l 2 - Expected
l 3 - Degraded
l 4 - Service Level—Values that exceed this boundary fall into bucket 5 (Availability-High
Jitter).
l 5 - Availability (High Jitter)—Values that exceed this boundary fall into bucket 6 (Time Out-
Max Jitter).
l 6 - Time Out (Max Jitter)—Response times greater than that configured for bucket 5 fall into
bucket 6; you do not need to configure a boundary for bucket 6.

Note: The boundaries you set for the Service Level and Availability buckets define the
thresholds for KPI Responsiveness metrics and KPI Responsiveness alarms.

For non-cyclical Baseline and Threshold alerts based on average response time, the Warning and
Critical severity levels are determined by the response time bucket boundaries for applications in
the service:
l Response times greater than the Fast bucket boundary generate alerts labeled Warning.
l Response times greater than the Degraded bucket boundary generate alerts labeled
Critical.
l Refer to "Configuring Alert Profiles for Application and Network Services" in the
nGeniusONE Help for more information.

For KPI error code alerts, Warning and Critical severity levels and minimum transaction
thresholds are determined by KPI error codes defined for applications in Global Settings.

Response Time bucket boundaries are applied to Service Alerts and Reports. You can view
response times for locations, clients, servers, applications (or combinations of these) using
various response time views in the service monitors.

Understanding Ageout Monitoring

The Select monitoring options (the monitoring options icon) > Responsiveness dialog
box does not specifically configure ageout values.

Ageouts and Timeouts are reported and displayed separately in applicable Service Monitors to
better identify cases for which no response was received:
l Timeouts are reported when a response is received but is longer than the Bucket 5 interval.
l Ageout increments differently, depending on the socket age interval or, in the case of
transactional applications (occurring at the TCP Layer), when it reaches a threshold two
times as great as the Bucket 5 interval.
l Applications that have external tables (request/responses are not received on the same IP
address/port pairs) age out based on that particular application's responsiveness
implementation—refer to Customizing Ageout / Timeout Intervals in the Agent
Configuration Utility Administrator Guide for those applications which use ageout and timeout
interchangeably.

Configuring Response Time Buckets

Complete these steps to configure response time bucket boundaries:

1. For the nGeniusONE server, use the Agent Configuration utility to ensure that the
Software Options > Response Time Monitor is set to on (enabled by default).
2. From the nGeniusONE console, select Global Settings > Application Configuration and
use the View drop down to choose an application category.
3. Navigate to and select one or more supported applications. (If the Responsiveness option
is inactive, one or more selected protocols are not supported.) Shift-click, Ctrl-right-click, or
click and drag to make multiple selections.
4. Click the monitoring options icon Select monitoring options > Responsiveness to
display the Responsiveness dialog box.
5. Use this table to enter response time boundary values:

Default Boundaries (Milliseconds) at Installation

Bucket  Label*                      MDF Apps     Trading Apps  Enterprise Apps
1       Fast                        0-5          0-1           0-50
2       Expected                    6-25         2-5           51-200
3       Degraded                    26-100       6-25          201-1000
4       Service Level               101-1000     26-100        1001-2000
5       Availability (High Jitter)  1001-10000   101-1000      2001-10000
6       Timeouts (Max Jitter)       Bucket 5 limit + 1ms

* Label displayed in Edit Response Time dialog box. For Voice and Video-RTP, buckets 5 and 6
represent (but are not labeled) High Jitter and Max Jitter.

Notes:
l Although boundaries are entered in milliseconds, they are converted to
microseconds in monitor views displaying ASI data.
l For appliances configured to support ASI analysis, the buckets mentioned above
are mapped accordingly:

CDM Buckets   ASI Buckets
Bucket 1      Bucket 1
Bucket 2      Bucket 2
Bucket 3
Bucket 4      Bucket 3
Bucket 5

6. Click OK and Apply to save and apply your configuration.
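The bucket boundaries and the Warning/Critical rule described in this topic, worked through as an added example (not NETSCOUT code). The boundaries are the installation defaults from the table above; the function names and the sample response times are constructed for illustration.

```python
"""Place response times into the six responsiveness buckets and derive alert severity."""
from bisect import bisect_left

LABELS = ("Fast", "Expected", "Degraded", "Service Level",
          "Availability (High Jitter)", "Time Out (Max Jitter)")

# Upper boundaries (ms) of buckets 1-5, from the installation defaults.
# Bucket 6 has no boundary: it holds everything above the bucket 5 limit.
DEFAULT_BOUNDS_MS = {
    "MDF": (5, 25, 100, 1000, 10000),
    "Trading": (1, 5, 25, 100, 1000),
    "Enterprise": (50, 200, 1000, 2000, 10000),
}

# Constructed sample of response times in milliseconds.
SAMPLE_MS = [12, 48, 50, 51, 180, 950, 1000, 1500, 9000, 10001]


def check_bounds(bounds_ms):
    """Reject boundary sets that are not five strictly increasing positive values."""
    if len(bounds_ms) != 5:
        raise ValueError("exactly five boundaries are needed (buckets 1-5)")
    if bounds_ms[0] <= 0:
        raise ValueError("boundaries must be positive")
    if any(a >= b for a, b in zip(bounds_ms, bounds_ms[1:])):
        raise ValueError("each boundary must be greater than the previous one")
    return tuple(bounds_ms)


def bucket(response_ms, bounds_ms):
    """Return the 1-based bucket number.

    A value equal to a boundary stays in that bucket; only values that
    exceed the boundary move to the next one.
    """
    return bisect_left(bounds_ms, response_ms) + 1


def histogram(samples_ms, bounds_ms):
    """Count samples per bucket label."""
    counts = [0] * 6
    for sample in samples_ms:
        counts[bucket(sample, bounds_ms) - 1] += 1
    return dict(zip(LABELS, counts))


def alert_severity(average_ms, bounds_ms):
    """Severity for alerts based on average response time.

    Above the Degraded boundary: Critical. Above the Fast boundary: Warning.
    """
    if average_ms > bounds_ms[2]:
        return "Critical"
    if average_ms > bounds_ms[0]:
        return "Warning"
    return None


def report(samples_ms, bounds_ms):
    """Summarise a sample set against one application's boundaries."""
    bounds_ms = check_bounds(bounds_ms)
    average = sum(samples_ms) / len(samples_ms)
    return {
        "histogram": histogram(samples_ms, bounds_ms),
        "average_ms": average,
        "severity": alert_severity(average, bounds_ms),
        # Boundaries as shown in views displaying ASI data (microseconds).
        "bounds_us": [b * 1000 for b in bounds_ms],
    }


if __name__ == "__main__":
    result = report(SAMPLE_MS, DEFAULT_BOUNDS_MS["Enterprise"])
    for label, count in result["histogram"].items():
        print(f"{label:28s} {count}")
    print("average ms:", result["average_ms"], "severity:", result["severity"])
```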

7.1.3.16 Importing Multiple Handset Groups from a File


You can import Handset Groups using a file you previously exported from another system or by
creating an import file, as described below.

Note:
l Names can include a maximum of 50 alphanumeric characters and/or spaces.
l Entries are validated and all special characters are supported., among others.
l If the import file contains a group name that currently exists in your system, the group
information is updated.
l The system automatically generates a Handset Group ID for internal use.

Handling Name/Model Entries Longer than nGeniusONE Defaults

To avoid a problem where nGeniusONE truncates handset names because they exceed the
internal schema limit of 30 characters for handset name and 20 characters for handset model,
you can re-balance the default setting by revising the serverprivate.properties file and performing
the following procedure:

1. Using a text editor, open the serverprivate.properties file in the /rtm/bin folder on the
nGeniusONE Server (DGM or Global Server in a distributed environment).

2. Revise the lengths of these settings to reflect your needs. For example, you can increase
the model length and reduce the name length, as follows:
l globalsettings.handsetgroups.maximumModelIdLength=30
l globalsettings.handsetgroups.maximumNameLength=20
3. Save and close the file.
4. In Global Settings > Locations > Handset, delete the affected handset group.
5. Stop and restart the nGeniusONE Global Server (or Standalone Server). This step is
unnecessary on a Local Server.
6. Re-import the handset list to the Server.
7. If there are any Service/Dashboard entries created for the deleted handset group,
remove/de-select all location keys and re-associate them by modifying that Service.
8. Reset the InfiniStream which is monitoring these Handset location keys.

To import group definitions:

1. From the nGeniusONE console, click Global Settings > Locations > Handset.

2. Click Import handset definitions.


3. Browse to where the file is located, select and import the file. You can import a file you
previously exported from another system or a file you created manually.
4. Click Apply to save your configuration.
The Task Progress Report dialog displays to gauge the import's performance and total
number of handset groups imported.
5. Optional. Importing handset groups as described here will append new handsets to the
existing database by default. If you prefer to replace the existing file with new handsets,
edit the following additional property in the serverprivate.properties file:
o globalsettings.handset.handsetReplace=true

7.1.3.17 Radio Access Technology (RAT) Types


Radio Access Technology (RAT) is a component of mobile telecommunications used to
implement a Radio Access Network (RAN). InfiniStream appliances monitor Diameter traffic over
RANs and display metrics identifying RAT types serving wireless-connected user equipment
(UE)—hosts—such as mobile phones (handsets), computers or any device remotely connected to
the core network. The RAT type changes that occur to these devices on the network are also
monitored and displayed in nGeniusONE monitors.

In addition to RAT type support for Diameter (control plane) traffic, tracking RAT types for data
plane protocols over GTPv1, GTPv2 and PMIPv6 on Gn, S11, S5/S8, and S2a interfaces is also
provided. Site_APN virtuals are supported for RAT type data.

The SIP RAT type is enhanced in the UC-KPI table and ASRs when the mobile control plane is not
present or does not contain the RAT type value. The Media Monitor provides drilldown support
for RAT type metrics.

NETSCOUT-supported RAT types which may appear as location keys in the Service Monitors are
listed here.

l RAT-UNDEFINED (0)
l RAT_WLAN (1)—Wireless LAN
l RAT_UTRAN (2)—Universal Terrestrial Radio Access Network, the radio technology used
between mobile terminals and the base stations of 3GPP™ systems
l RAT_GERAN (3)—GSM EDGE Radio Access Network, joins the base stations (the Ater and
Abis interfaces) and the base station controllers (A interfaces, etc.) The network represents
the core of a GSM network, through which phone calls and packet data are routed from
and to the PSTN and Internet to and from subscriber handsets. A mobile phone operator's
network comprises one or more GERANs, coupled with UTRANs in the case of a UMTS/GSM
network.
l RAT_GAN (4)—Generic Access Network, most commonly used to hand over connections
between wireless LANs and WANs using a GSM/Wi-Fi dual mode mobile phone
l RAT_HSPA_EV (5)—High Speed Packet Access
l RAT_EUTRAN (6)—The air interface of 3GPP's Long Term Evolution (LTE) upgrade path for
mobile networks
l RAT_CDMA2K_1X (7)—Code Division Multiple Access 2000 - a 3G, spread-spectrum
technology
l RAT_HRPD (8)—High Rate Packet Data, a high-speed CDMA-based wireless data technology
l RAT_UMB (9)—Ultra-Mobile Broadband, the brand name for 3GPP2 technology in North
America
l RAT_EHRPD (10)—A bridge between CDMA and LTE that allows CDMA towers to pass over
packets to the LTE network
l RAT_VIRTUAL (1)—Unknown
l RAT_PPP
l RAT_8023
l RAT_80211
l RAT_80216
l RAT_RTT

Note: RAT types 0 and 1 are generic RAT types that can apply to different IP-CAN types and are
not IP-CAN specific; RAT types 2 to 6 are 3GPP-specific RAT types; and RAT types 7 to 10 are
3GPP2-specific RAT types.

7.1.4 Global Settings - Voice/Video


Use the following sections to configure features and functionality using Global Settings >
Voice/Video.

7.1.4.1 Configuring Voice and Video Quality for Monitoring


To help organizations ensure quality of service, you can monitor and alarm on Voice and Video
Quality by tracking MOS, Jitter, and Packet Loss Key Performance Indicators (KPIs) based on
unidirectional RTP flows.

Supported Devices

Voice and Video Quality monitoring and alarming for RTP-Voice and Video Quality MOS or Jitter is
supported for nGeniusONE and the InfiniStream appliance as described in this table:

Device        RTP (Jitter, MOS, Packet Loss)   RTCP Reports (Jitter, Packet Loss)   IPSLA test reports*
InfiniStream  yes                              yes                                  no

*Voice and Video Quality setting is ignored; it uses IPSLA command line setting only.

RTCP-Jitter and Packet Loss are supported for all NETSCOUT devices.

Configuration Details

For complete configuration instructions, including appropriate options in the monitoring device
and Performance Manager configuration, refer to Voice and Video Quality Configuration in the
Agent Configuration Utility Administrator Guide.

7.1.4.2 Understanding Voice/Video Endpoint Profiles


Endpoint profiles control how the nGeniusONE Voice/Video engine assesses the associated
media. You can use either of the NETSCOUT-provided endpoint profiles (Generic and Microsoft
Skype for Business) or create new profiles. You cannot modify the Generic or Microsoft Skype for
Business profiles (refer to Endpoint Profile Default Values for endpoint profile default values).

The IANA (Internet Assigned Numbers Authority) considers an endpoint profile to be composed
of:
l The parameters that compose a media stream, including its codec.
l Specific criteria unique to each payload type.

Each payload type has a unique identifier, which can be used to retrieve an associated profile
and determine the codec. NETSCOUT extends the concept of a profile to better detect the codec
type used for streams with dynamic payload types.

To analyze a voice or video media stream, you must determine which codec is used to encode
the content of that stream. This is done by analyzing the media packets for the payload type
field. The payload type field value, which is either in a fixed (static) number range or a dynamic
range, is used to identify the codec associated with that media stream.

The codec and payload type varies depending on the type of traffic being transported. For
example:
l An enterprise with VoIP services, or a fixed-line VoIP service provider is likely to have traffic
with static payload types.
l A mobile network provider is likely to have traffic with static payload types and
dynamically-assigned payload types associated with adaptive multi-rate codecs, and
possibly video codecs.
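How the payload type field identifies a codec, as an added example (not NETSCOUT code and not the product's detection logic). The static table is a subset of the RFC 3551 assignments; the dynamic map (111 to opus), the sequence gap tolerance, the minimum packet count and the packets themselves are assumptions constructed for illustration.

```python
"""Read the RTP payload type and resolve it to a codec (static or dynamic range)."""
import struct

# Static payload types (subset of RFC 3551). Types 96-127 are dynamic: their
# meaning comes from signalling or from a configured profile, not from the number.
STATIC_PT = {0: "PCMU", 3: "GSM", 4: "G723", 8: "PCMA", 9: "G722", 18: "G729",
             26: "JPEG", 31: "H261", 32: "MPV", 33: "MP2T", 34: "H263"}


def build_rtp(pt, seq, timestamp=0, ssrc=0x1234ABCD, payload=b"\x00" * 20):
    """Build a constructed RTP v2 packet (no padding, extension or CSRC list)."""
    header = struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF, timestamp, ssrc)
    return header + payload


def parse_rtp(packet):
    """Decode the 12-byte fixed RTP header."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte RTP fixed header")
    b0, b1, seq, timestamp, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq,
            "timestamp": timestamp, "ssrc": ssrc}


def identify_codec(pt, dynamic_map=None):
    """Return (codec, range) where range is 'static', 'dynamic' or 'unassigned'."""
    if pt in STATIC_PT:
        return STATIC_PT[pt], "static"
    if 96 <= pt <= 127:
        return (dynamic_map or {}).get(pt, "unknown"), "dynamic"
    return "unassigned", "unassigned"


def near_continuous(seqs, max_gap=3):
    """True when every sequence number follows the previous one within max_gap,
    allowing for the 16-bit wrap from 65535 to 0."""
    return all(1 <= (b - a) % 65536 <= max_gap for a, b in zip(seqs, seqs[1:]))


def classify_stream(packets, dynamic_map=None, min_packets=3):
    """Classify one unidirectional flow from its first packets.

    The flow is accepted as RTP only when the packets share one SSRC and one
    payload type and their sequence numbers are near-continuous.
    """
    rejected = {"rtp": False, "pt": None, "codec": None, "pt_range": None}
    try:
        headers = [parse_rtp(p) for p in packets]
    except ValueError:
        return rejected
    if (len(headers) < min_packets
            or len({h["ssrc"] for h in headers}) != 1
            or len({h["pt"] for h in headers}) != 1
            or not near_continuous([h["seq"] for h in headers])):
        return rejected
    pt = headers[0]["pt"]
    codec, pt_range = identify_codec(pt, dynamic_map)
    return {"rtp": True, "pt": pt, "codec": codec, "pt_range": pt_range}


if __name__ == "__main__":
    voice = [build_rtp(0, s, 160 * i) for i, s in enumerate((65534, 65535, 0, 1))]
    mobile = [build_rtp(111, s) for s in (10, 11, 12)]
    print(classify_stream(voice))
    print(classify_stream(mobile))                 # dynamic type, no mapping
    print(classify_stream(mobile, {111: "opus"}))  # hypothetical profile mapping
```

A dynamic payload type with no mapping resolves to "unknown", which is the situation the manual Opus configuration mentioned in this topic avoids.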

Voice/Video Payload and Codec Support Considerations

Review the following for Voice/Video payload and codec support considerations:
• Supported codecs, and relevant limitations, for UC views are described in "UC: Supported
  Protocols & Codecs" in the nGeniusONE Help.
• Calls must be bi-directional to assess the payload.
• A codec must be payload-supported in both directions.
• Calls must be of a reasonable duration.
• Calls must contain a good quantity of active speech.
• Detection of SILK and Opus Audio codecs is supported over RTP only. Note that you must
  configure Opus manually; otherwise, the default profile, which does not contain Opus, is
  used.

This table describes the Global Settings > Voice/Video > Endpoint Profiles > Definitions page
options:

| Option | Description |
|---|---|
| (icon) | Add a (profile) definition (10000 maximum allowed). |
| (icon) | Modify the selected (profile) definition. |
| (icon) | Copy the selected (profile) definition. |
| (icon) | Delete the selected definition(s). |
| (icon) | Make the selected profile the default definition. |
| (icon) | Show/hide/reset the columns filter. |
| (icon) | Import multiple endpoint profile definitions from a file. |
| (icon) | Export multiple endpoint profile definitions to a file. |
| Profile Name | Designation for the endpoint profile. Maximum definitions allowed: 10. |
| Default | A check mark indicates the default endpoint profile. |
| Calibration | Select from the drop-down menu: Generic, Microsoft Skype for Business 2010, or Special. |
| Report RTCP Metrics | Click the check box to enable reporting of RTCP Metrics and display in nGeniusONE modules. |
| De-Multiplex Telepresence | Click the check box to enable this feature. Telepresence is the application of complex video technologies to give geographically separated participants a sense of being together in the same location. It is the highest quality form of video conferencing. |
| De-Multiplex SSRC | Click the check box to enable this feature. SSRC (Synchronization Source Identifier) is a value provided in UDP/RTP packets for the context of RTP Time Stamping to identify the synchronization source. There are two types of SSRC mappings: static and dynamic. When configured to use dynamic mapping, the IDs are chosen randomly with the intent that no two synchronization sources within the same RTP session will have the same SSRC ID. SSRCs are mapped between each media capture. |
| Codec | Available in Audio or Video. Select a Codec type from the drop-down menu. |
| Priority | Available in Audio or Video. Select a value from the drop-down menu to set a priority for processing the codec, ranging from 0-Default, 1-High, to 10-Low, TBC-Suppressed, and TBC-Forced. A Time Base Corrector improves the signal and/or image quality. TBC is included in SIP metrics collected through ASRs. |
| PT Start | Available in Audio or Video. PT Start and End steppers range from 96 to 127 and increment by 1. The PT Start stepper must be less than or equal to the PT End and the PT End stepper must be greater than or equal to the PT Start. |
| PT End | Available in Audio or Video. PT Start and End steppers range from 96 to 127 and increment by 1. The PT Start stepper must be less than or equal to the PT End and the PT End stepper must be greater than or equal to the PT Start. |
| TimeStamp Clock | Available in Audio or Video. The Timestamp stepper ranges from 0 to 1,000,000 and increments by 1000. |
| Resolution | Available in Video only. Select a value from the drop-down menu. Default: |
| Min.(imum) Bitrate | Available in Video only. Minimum Bit Rates range from 0-65536 and increment by 10. The Minimum Bit Rate must be less than or equal to the Maximum Bit Rate unless the maximum rate is 0, and the Maximum Bit Rate must be greater than or equal to the Minimum Bit Rate unless the rate is 0. |
| Max.(imum) Bitrate | Available in Video only. Maximum Bit Rates range from 0-65536 and increment by 10. The Minimum Bit Rate must be less than or equal to the Maximum Bit Rate unless the maximum rate is 0, and the Maximum Bit Rate must be greater than or equal to the Minimum Bit Rate unless the rate is 0. |

Endpoint Profile Default Values

Important: Default Endpoint Profile definitions and assignments cannot be imported again
or overwritten.

Refer to these default values for your deployment type:

Generic Profile Default Values


• Calibration Files: Generic
• Report RTCP Metrics: Checked
• De-multiplex Telepresence: Checked
• De-multiplex SSRC: Unchecked

Typical values for most audio mappings are:

• Priority: 0
• PT Start: 96
• PT End: 127
• TimeStamp Clock: 0

Typical values for most video mappings are:


• PT Start: 96
• PT End: 127
• Resolution: CIF (352x288)
• TimeStamp Clock: 0
• Min bit-rate: 0
• Max bit-rate: 0

Microsoft Skype for Business Profile Default Values

Microsoft Skype for Business profiles share similar entries with the Generic profile, except for a
few specific forced/suppressed entries.
• Calibration File: Microsoft Skype for Business
• Report RTCP Metrics: Checked
• De-multiplex Telepresence: Unchecked
• De-multiplex SSRC: Checked

Typical values for most Microsoft Skype for Business audio codecs are:
• Priority: 0-Default
• PT Start: 96
• PT End: 127
• TS Clock Frequency: 0

Values for these audio codecs are as follows:

| Codec | Priority | PT Start | PT End | TS Clock Frequency |
|---|---|---|---|---|
| G.722 | Forced | 117 | 117 | 8000 |
| G.722.1 | Forced | 112 | 112 | 0 |
| G.726-32 | Forced | 116 | 116 | 0 |
| MS_RT_Audio_Narrowband | Forced | 115 | 115 | 0 |
| MS_RT_Audio_Wideband | Forced | 114 | 114 | 0 |
| Redundant_Audio_Data | Forced | 97 | 97 | 0 |
| Siren_16k | Forced | 111 | 111 | 0 |
| Opus | Forced | 106 | 106 | 0 |
| Comfort Noise | Forced | 118 | 118 | 16000 |
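
The following added example (not NETSCOUT code) shows how the payload type field of an RTP header is read and resolved to a codec, using the forced audio mappings from the table above as a lookup. The function names, the static payload type subset (taken from RFC 3551) and the sample packets are assumptions made for illustration.

```python
import struct

# Static payload types from RFC 3551 (subset relevant to voice/video).
STATIC_PT = {0: "PCMU", 3: "GSM", 4: "G723", 8: "PCMA", 9: "G722",
             18: "G729", 31: "H261", 34: "H263"}

# Forced audio mappings copied from the Microsoft Skype for Business
# table above: payload type -> (codec, TS clock frequency).
SFB_FORCED_AUDIO = {
    117: ("G.722", 8000),
    112: ("G.722.1", 0),
    116: ("G.726-32", 0),
    115: ("MS_RT_Audio_Narrowband", 0),
    114: ("MS_RT_Audio_Wideband", 0),
    97: ("Redundant_Audio_Data", 0),
    111: ("Siren_16k", 0),
    106: ("Opus", 0),
    118: ("Comfort Noise", 16000),
}

DYNAMIC_RANGE = range(96, 128)  # same bounds as the PT Start/End steppers


def parse_rtp_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte RTP header (RFC 3550)."""
    if len(packet) < 12:
        raise ValueError("packet shorter than the fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {
        "csrc_count": b0 & 0x0F,
        "marker": bool(b1 & 0x80),
        "payload_type": b1 & 0x7F,
        "sequence": seq,
        "timestamp": ts,
        "ssrc": ssrc,
    }


def resolve_codec(pt: int, forced: dict) -> tuple:
    """Return (how, codec): how the codec was identified and its name."""
    if pt in DYNAMIC_RANGE:
        if pt in forced:
            return ("forced", forced[pt][0])
        # No forced entry: the number alone does not identify the codec.
        return ("dynamic-unresolved", None)
    if pt in STATIC_PT:
        return ("static", STATIC_PT[pt])
    return ("unassigned", None)


def build_rtp(pt, seq, ts, ssrc, payload=b"\x00" * 20) -> bytes:
    """Constructed sample packet: V=2, no padding, extension or CSRC."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq, ts, ssrc) + payload


def classify_streams(packets, forced=SFB_FORCED_AUDIO) -> dict:
    """Group packets by SSRC and resolve every payload type seen per stream."""
    streams = {}
    for raw in packets:
        hdr = parse_rtp_header(raw)
        streams.setdefault(hdr["ssrc"], set()).add(hdr["payload_type"])
    return {ssrc: [(pt, *resolve_codec(pt, forced)) for pt in sorted(pts)]
            for ssrc, pts in streams.items()}
```

A stream reported as dynamic-unresolved is the case the endpoint profile exists for: without a forced mapping, the codec has to come from signalling or from the engine's own detection.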

Typical values for Microsoft Skype for Business video mappings are:

• PT Start: 96
• PT End: 127
• Resolution: CIF (352x288)
• TimeStamp Clock: 0
• Min bit-rate: 0
• Max bit-rate: 0

Video Dynamic Payload Type Mappings Defaults

| Codec | Priority | PT Start | PT End | TimeStamp Clock | Resolution | Min Bitrate | Max Bitrate |
|---|---|---|---|---|---|---|---|
| H.263P (223) | 3 | 96 | 127 | 0 | CIF (352x288) | 0 | 0 |
| H.264 | 2 | 96 | 127 | 0 | CIF (352x288) | 0 | 0 |
| MPEG4_Visual | 4 | 96 | 127 | 0 | CIF (352x288) | 0 | 0 |
| H264 (223) | Forced | 122 | 122 | 0 | CIF (352x288) | 0 | 0 |
| MS_RT_Video (227) | Forced | 121 | 121 | 0 | CIF (352x288) | 0 | 0 |

This table describes the Global Settings > Voice/Video > Endpoint Profiles > Assignments
page options:

| Option | Description |
|---|---|
| (icon) | Add an assignment (10000 maximum allowed). |
| (icon) | Modify the selected assignment. |
| (icon) | Delete the selected assignment(s). |
| (icon) | Show/hide/reset the columns filter. |
| (icon) | Import endpoint profile assignments. |
| (icon) | Export endpoint profile assignments. |
| Profile Name | The name of the endpoint profile. |
| Type | Equipment type: Generic, Analog Telephone Adapter, Desktop phone, Soft phone, Video Conferencing unit, Telepresence room, PSTN Gateway, Analog Gateway, Session Border Controller, NAT Router, Media Bridge, or Voicemail server. |
| Assignment | The IP address that the endpoint profile is assigned. |

7.2 Decryption
For SSL/TLS traffic, InfiniStreamNG-based decryption only supports passive decryption through
static key-exchange (RSA). Active decryption requires the nGenius Decryption Appliance (nDA) to
decrypt dynamic key exchange based SSL/TLS traffic.

7.2.1 Static and Dynamic Key Exchange


Identify the key exchange used in SSL/TLS traffic by looking in the TLS Server Hello packet for the
cipher suite negotiated between client and server.

Static key exchange cipher strings include this prefix:

TLS_RSA_*

All other ciphers (such as TLS_DH* and TLS_ECDH*) are not static key exchange and cannot be
decrypted by InfiniStreamNG.
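
The check described above can be scripted against a captured Server Hello. This added example (not NETSCOUT code) reads the selected cipher suite from a raw TLS handshake record and reports whether it is a static-RSA suite; the function names and the constructed sample records are assumptions, the suite table is a subset of the IANA registry, and the Server Hello is assumed to fit in a single TLS record.

```python
import struct

# Subset of the IANA TLS cipher suite registry, enough for this sketch.
CIPHER_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",  # TLS 1.3 suite, never static RSA
}

HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02


def classify_server_hello(record: bytes) -> dict:
    """Extract the selected cipher suite from one TLS record holding a Server Hello."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE_RECORD:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("truncated handshake record")
    if body[0] != SERVER_HELLO:
        raise ValueError("handshake message is not a Server Hello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # Layout: server_version(2) + random(32) + session_id_len(1) + session_id
    if len(hello) < 35:
        raise ValueError("truncated Server Hello")
    offset = 35 + hello[34]
    if len(hello) < offset + 2:
        raise ValueError("truncated Server Hello")
    suite_id = struct.unpack("!H", hello[offset:offset + 2])[0]
    name = CIPHER_SUITES.get(suite_id)
    return {
        "suite_id": suite_id,
        "suite": name,
        # None means the suite is not in the local table, so no verdict.
        "static_rsa": name.startswith("TLS_RSA_") if name else None,
    }


def build_server_hello(suite_id: int, session_id: bytes = b"") -> bytes:
    """Constructed sample: a minimal Server Hello with no extensions."""
    hello = (struct.pack("!H", 0x0303) + bytes(32) + bytes([len(session_id)])
             + session_id + struct.pack("!H", suite_id) + b"\x00")
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0303, len(handshake)) + handshake
```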

7.2.2 Supported Protocols


InfiniStreamNG supports SSL/TLS decryption for these protocols:
• HTTP
• SIP
• FTP
• MSRP

See these sections:


• Configuring SSL and TLS Decryption
• Using the HSM to Configure SSL/TLS Decryption
• Importing Multiple SSL/IPSec Decryption Keys
• Locating and Extracting Private Key Keys

7.2.3 Configuring SSL and TLS Decryption


Secure Sockets Layer (SSL) decryption supports:
• Real-time capture of ASI and ASR traffic flows.
• Decoding of SSL and Transport Layer Security (TLS) packet data for application monitoring
  and troubleshooting.

SSL/TLS:
• Are protocols that encrypt specific application data for the transport layer using
  asymmetric cryptography to exchange keys, symmetric encryption to maintain privacy, and
  message authentication codes to retain message integrity.
• Payloads can be decrypted and data displayed for Monitor, Session Analysis and Packet
  Analysis views.

Some applications that use SSL include:


• HTTP
• Applications using SSL encryption and RSA keys

nGeniusONE supports:
• Decryption of SSL/TLS packets only when a Web server uses a static-RSA key exchange and
  certificate type; these RSA encryption keys must be provided to nGeniusONE software
  for decryption.
• Static-RSA keys are indicated by the TLS_RSA prefix, which can be found in the Cipher Suite
  portion of the Hello part of the Handshake message. If the cipher suite does not begin with
  TLS_RSA, nGeniusONE cannot decrypt it. Also see Locating and Extracting Private Key Keys.
• Reading static-RSA keys from HSM devices for FIPS-140 Level 2/3-compliant environments.
• A maximum of 50 Keys for TLS/SSL decryption.
• SSL/TLS decryption when the requirements in this table are met:

Requirement: SSL/TLS handshake
  SSL/TLS handshake packets that are established for each network conversation are
  captured and processed in full by the InfiniStream.
  • SSL/TLS handshake packets should include the following messages:
    ◦ ClientHello
    ◦ ServerHello
    ◦ ClientKeyExchange
    ◦ ChangeCipherSpec
  • SSL Resumed Sessions (based on Session ID or Session Ticket) are also supported. For an
    SSL resumed session, the previous full SSL handshake should also be present and seen
    on the network.

Requirement: SSL/TLS versions
  These versions are supported:
  • SSL v3.0
  • TLS v1.0, TLS v1.1, and TLS v1.2

Requirement: RSA key input
  Static-RSA encryption keys can be provided as input by using the following methods:
  • Local Key Files
    NETSCOUT supports two methods of Public/Private key usage for real-time SSL/TLS
    packet decryption and decoding. The Local option enables storage of Public and Private
    Keys for this purpose. SSL Private keys in the un-encrypted .pem format are supported by
    nGeniusONE software. They are persisted and stored locally on system disks in an
    encrypted format.
  • Hardware Security Module (HSM)
    The HSM option provides the means for using a Private Key, which is stored on FIPS-140
    compliant HSM Servers. Regarding HSM devices:
    ◦ nGeniusONE supports any PKCS#11-based HSM device and has tested and certified
      such with Thales and SafeNet HSMs.
    ◦ HSM devices perform asymmetric decryption while InfiniStreams perform symmetric
      decryption.
    ◦ SSL keys are never exported from an HSM device. Instead, the SSL per session key
      (called the Pre-Master Secret) is decrypted using the HSM device, then this decrypted
      symmetric key is passed to the InfiniStream for payload decryption.
    ◦ In HSM mode, none of these keys or cipher materials are stored locally on system
      disks; they are maintained only in volatile memory.
  Upon successful decryption, NETSCOUT collects ASI data of the respective application
  over SSL.

Requirement: RSA key size
  These static-RSA key sizes are supported:
  • 1024-bit
  • 2048-bit
  • 4096-bit

Requirement: Symmetric ciphers
  These symmetric ciphers are supported:
  • DES
  • 3DES
  • AES-128
  • AES-256
  • AES-GCM

Requirement: Decryption scenarios
  Scenarios where decryption is supported include:
  • Resumed SSL sessions
  • SSL chunking/fragmentation
  • Certificate fragmentation
  • Saving decrypted payloads
  Scenarios where decryption is not supported include:
  • Encrypted SSL handshakes
  • Out-of-sequence SSL packets
  • Retransmitted packets
  Additionally, SSL decryption is successfully performed for conversations only when:
  • Handshake packets used to establish the conversation have been mined

Requirement: Handshake failures
  When monitoring data, handshake failures (40) can occur due to failed link negotiations
  between a client and the InfiniStream. This can be caused when incompatible ciphers are
  exchanged upon establishing a session. This condition triggers an alarm, which is sent
  with the error until a cipher specification change is tried through retransmission.
  However, lacking the proper, up-to-date SSL keys (refer to Generating NETSCOUT SSL
  Certificates and Keys in the online help), nGeniusONE cannot examine SSL packets to
  determine exactly which version the source is passing compared to which cipher the
  destination is utilizing. So, when troubleshooting handshake failures, be sure that
  supported TLS/SSL ciphers are in use within your network.

Configuration Step 1: Setting Privileges and Optional Settings


Complete these tasks:

1. (Optional) Locate and extract a private key (in the form of a certificate) from your Tomcat,
   Apache, or Windows IIS Web server and import it to your server (Local option only) in
   the ssl.cfg file in the <nGeniusONE install>/rtm/pa/decodepack/ssl folder on either the
   nGeniusONE server or InfiniStream. nGeniusONE securely stores private keys in an
   encrypted format similar to RC4 and they cannot be exported nor purged from the
   platform after a certificate expires.
   Note: Although a successful key download to the InfiniStream is not recorded in any
   nGeniusONE log file, you can confirm this action by noting the date and time stamp of the
   ssl.cfg file.
   Important: When converting a standalone or local server to a Global Manager, support
   for Name-IP Address translations requires you to include the Common Name (CN), that is,
   the Fully Qualified Domain Name, of the server in the private key.

Configuration Step 2: Enabling HTTPS SSL Decryption and HSM on the InfiniStream

• Enable decryption of HTTPS SSL packets on your InfiniStream appliance; refer to
  Command-Line Object: ssl_decrypt in the Agent Configuration Utility Administrator Guide.
  You must restart your probe after you configure this setting.

• (Optional) For Thales/SafeNet HSM users only, configure software on the InfiniStream
  appliance (refer to Using the HSM to Configure SSL/TLS Decryption in the Agent
  Configuration Utility Administrator Guide).

Configuration Step 3: Enabling SSL Decryption on the nGeniusONE Server


Configure the SSL certificate in the Device Management module using either the Local or HSM
option.

The Local option pushes down to and stores the private key (.PEM file) in the nGeniusONE
Server, then InfiniStream, then the Local decryption device.

In the case of a Global Manager, the .PEM file is pushed down to and stored in the client device,
then Global Manager, then all associated Local Servers, then all InfiniStreams. The HSM
(Hardware Security Module) option does not distribute PEM files but does distribute the private
key in a similar fashion using the PKCS11 protocol.

See the online help for these procedures to configure decryption keys:
• Configuring SSL Local Decryption Keys
• Configuring SSL HSM Decryption Keys

Configuration Step 4: Setting Children for Decryption


To decrypt applications such as HTTPS, SIPS, FTPS, or LDAPS, their non-secure counterparts, or
other TCP-, server-based protocols, add a child application specifying the SSL server IP address
and SSLDECRYPT# and Additional Port mandatory values. For the above-named applications, the
child should be a server application.

Important: nGeniusONE supports creating either an HTTPS or HTTP child but not both.

Perform the following steps to configure an HTTP, SIP, FTP, or LDAP child.

1. From the nGeniusONE Console, click Global Settings > Application Configuration >
View: Enterprise > IP > TCP > Well Known Apps.
2. Select the non-secure counterpart of these applications such as HTTP, SIP, FTP, or LDAP
   and click Add Application.
3. In the dialog, add a Short and Long Name and the Group type.
4. Enter mandatory values SSLDECRYPT# in the Parameter field and 443 in the Additional
Port field. Using the SSLDECRYPT# parameter automatically processes this application for
the Certificate Monitor.
Important: SSL KEI errors are not collected when a child application of a TCP-bound parent
(SIP, FTP, LDAP2, POP3, IMAP4, NNTP, TELNET) defines the SSLDECRYPT# parameter. Only
application level codes are collected.

5. Select Server Application, click Add Application, and enter the server IP Address.
6. Click OK and Apply to save your configuration.

Configuration Step 5: SSL/TLS Workflows


Once configured, SSL decryption is available in these workflows. See "Using the Packet Analysis >
Data Mining Module" in the online help for more information about performing decodes:
• Decode workflows launched by selecting Protocol Decode from the Packet Analysis menu.
• Decode workflows launched from the nSI.
• Decode workflows launched from the InfiniStream software.

(Optional) Configuration for the Certificate Monitor and for Monitoring SSL in the
Universal Monitor

Important: Configuring this feature will conflict with prior configuration if you have already
configured an HTTP child application.

To configure a child that travels over SSL (for example, SIPS, FTPS, or LDAPS) for viewing in the
monitors, perform these steps:

1. Go to Global Settings > Application Configuration > View: Enterprise > IP > TCP/SCTP/UDP
   > Well Known Apps.
2. Select the secure counterpart of these applications such as SIPS, FTPS, or LDAPS and click
Add Application.
3. Select Server Application and enter SSL# in the Parameter field if you want certificates
reported on these.
4. Enter any other appropriate values including the SSL server's IP Address and subnet.
5. Click OK and Apply to save and apply your configuration.
6. (Optional) See "Configuring Applications for Monitoring" in the nGeniusONE online help to
perform additional configuration of the Certificate application.

7.2.3.1 Locating and Extracting Private Key Keys


This section describes how to locate and extract the private key for several common web servers,
including Apache, Tomcat, or Windows IIS. If you are using a server other than these three,
consult your server’s documentation for assistance locating the private key.

To ensure that key requirements for the local .PEM file are met, be aware that the file must not be
password protected nor encrypted.

Choose one of the following Web Server options:

• Apache Web Server
  The private key file for an Apache web server is named server.key. The easiest way to find it
  is simply by performing a search on the server (for example, find / -name server.key on a
  Linux system). Once you’ve located the file, open it in a text editor to verify that it is not
  encrypted because encrypted keys are not supported by NETSCOUT. An encrypted file will
  include a line reading Proc-Type: ENCRYPTED in the header and will need to be decrypted
  before it can be used.

  You can decrypt an encrypted key file by using the OpenSSL utility, which is available from
  www.openssl.org. For example, this command creates a decrypted copy of server.key
  named decrypted_server.key:
      openssl rsa -in server.key -out decrypted_server.key
      Enter pass phrase for server.key: [passphrase]
• Tomcat Web Server
  The private key for a Tomcat Web Server is stored in a keystore file typically named
  service-keystore.ks. To get the private key, you must export it from the keystore. Use the
  following procedure:
  1. Download and install the free Portecle utility from the following location:
     http://portecle.sourceforge.net/
  2. Open the service-keystore.ks file in Portecle.
  3. Locate the server’s key in the keystore, right-click it and choose Export from the context
     menu that appears.
  4. Set Key pair export types to Private Key and Certificates and select PEM as the
     Export Format.
  5. Enter the password for the private key when prompted.
  6. Select the destination and filename for the private key when prompted.
• Windows IIS Web Server
  To obtain the private key for a Windows IIS web server, you must export it from the server's
  certificate as a .pfx file (PKCS#12) and then convert it to .pem format. Use the following
  procedure:
  1. Start by exporting the private key from the server's certificate as a .pfx file. Refer to
     instructions in the How to back up a server certificate in Internet Information Services 5.0
     Knowledge Base article on the Microsoft website at:
     http://support.microsoft.com/kb/232136
  2. Use the OpenSSL utility to convert the PKCS #12 file to PEM format. For example, the
     following command converts IIS_Key.pfx to a file named server.key in PEM format:
         openssl pkcs12 -nodes -in IIS_Key.pfx -out server.key

nGeniusONE stores private keys in the ssl.cfg file in the <nGeniusONE
install>/rtm/pa/decodepack/ssl folder on either the nGeniusONE server or InfiniStream. Private
keys are encrypted in a format similar to RC4 and they cannot be exported nor purged from the
platform after a certificate expires. Although a successful key download to the InfiniStream is not
recorded in any nGeniusONE log file, you can confirm this action by noting the date and time
stamp of the ssl.cfg file.

7.2.4 Using the HSM to Configure SSL/TLS Decryption


The Hardware Security Module (HSM) option is one of two methods NETSCOUT supports for
Public/Private key usage of real-time (classification) SSL/TLS packet decryption and decoding. The
Local option enables storage of Public and Private Keys for this purpose. The Hardware Security
Module (HSM) option, on the other hand, provides the means for using a Private Key, which is
stored in an HSM device, for this purpose. NETSCOUT provides multiple slots with login
credentials for each.

HSM Overview

HSM devices support the PKCS#11 interface for interacting with the HSM server. NETSCOUT
supports the HSM vendors SafeNet and Thales, each of which has its own pkcs11 module that is
provided with the client to access the HSM server. The NETSCOUT decryption module
communicates with the HSM server using the pkcs11 library provided by the client. This
security-enhanced method supports the Federal Information Processing Standards (FIPS)
required by U.S. government agencies and contractors for decoding data.

As illustrated below, the HSM option employs a public-key cryptography (PKCS) driver installed
on the InfiniStream to apply the key toward decryption of the SSL payload without the key ever
leaving the HSM device where it is stored.

Configuration Step 1: Setting Up Thales/SafeNet on the InfiniStream


For Thales or SafeNet HSM users, choose one of these tasks to configure software on the
InfiniStream appliance.

Configuring Thales software


1. Install the Thales software on the InfiniStream. Refer to instructions available in Thales
documentation.

2. Ensure this library file is resident in the /opt/nfast/pkcs11 directory:
       /libcknfast.so
3. Ensure this library file is resident in the /opt/nfast/pkcs11_64bit directory:
       /libcknfast.so
4. Add these lines to the <InfiniStream install>/rtm/pa/decodepack/ssl/ssl.cfg file:
       HSM_PKCS_MODULE_64BIT=/opt/nfast/toolkits/pkcs11/libcknfast.so
       HSM_PKCS_MODULE_32BIT=/opt/nfast/toolkits/pkcs11-32bit/libcknfast.so
5. Stop and restart InfiniStream services in the <InfiniStream install>/rtm/bin directory:
       ./stopall
       ./start

Configuring SafeNet software


1. Install the SafeNet LUNASA software on the InfiniStream. Refer to instructions available in
   SafeNet documentation.
2. Copy the pkcs11-safenet.tar.gz file to the /opt directory on the InfiniStream.
3. Run this command:
       tar xvfz /opt/pkcs11-safenet.tar.gz
4. Ensure these libraries are in the /usr/lunasa/lib directory:
   • libCryptoki2_64.so
   • libCryptoki2.so
5. Add these lines to the <InfiniStream install>/rtm/pa/decodepack/ssl/ssl.cfg file:
       HSM_PKCS_MODULE_64BIT=/usr/lunasa/lib/libCryptoki2_64.so
       HSM_PKCS_MODULE_32BIT=/usr/lunasa/lib/libCryptoki2.so
6. Stop and restart InfiniStream services in the <InfiniStream install>/rtm/bin directory:
       ./stopall
       ./start

Configuration Step 2: Setting User Privileges in nGeniusONE Server


1. Authorize SSL privileges for decryption and adding certificates/keys. Privileges can be
assigned to different roles reflecting the nature and importance of the task at hand. For
example, for decryption, you may want to assign users a SYSADMIN or NTWKADMIN-level
role. For adding certificates/keys, you may want to assign a lower-level privilege such as
APPROVR.
   a. Use the nGeniusONE Console and go to Servers and Users > User Management >
      Roles.
   b. Select the appropriate role.
   c. Check the Configure Decryption Keys - Admin check box.
      Important:
      • Enabling that check box per user requires that the individual user doing that
        configuration have an administrative user role, or corresponding administrative
        privileges to modify user accounts.

      • Note that in a distributed environment, this feature is enabled on the Global
        Manager, not a Local Server.
   d. Click OK.

Configuration Step 3: Setting HSM in nGeniusONE Server


Configure the SSL certificate in Global Settings using the HSM option. While the Local option
pushes down to and stores the private key (.PEM file) in the nGeniusONE Server, then
InfiniStream, then the Local decryption device, the HSM (Hardware Security Module) option does
not distribute PEM files but does distribute the private key in a similar fashion using the PKCS11
protocol.

See "Configuring SSL HSM Decryption Keys."

Configuration Step 4: Enabling Decryption of HTTPS SSL Packets on the InfiniStream

Refer to Command-Line Object: ssl_decrypt in the Agent Configuration Utility Administrator Guide
for instructions to enable decryption of HTTPS SSL packets on your InfiniStream appliance. Be
sure to restart your probe after configuring this setting.

Configuration Step 5: Setting Up an HTTPS Child App in nGeniusONE Server

Specify the URL of an HTTPS child application you want to decrypt. You must add an HTTPS child
application and specify a server IP address in Global Settings to complete decryption
configuration on the nGeniusONE server. The HTTPS child should be a URL application.

To configure an HTTPS child:

1. Go to Global Settings > Application Configuration > HTTPS.
2. Click Add Application.
3. Enter the appropriate values and click the URL Application radio button. Ensure that the
URL string matches the host name exactly as it appears in the host field.
4. Click OK.

Configuration Step 6: SSL/TLS Workflows


Once configured, SSL decryption is available in the following workflows:
• Decode workflows launched by selecting Protocol Decode from the Packet Analysis menu.
• Decode workflows launched from the nSI.
• Decode workflows launched from the InfiniStream software.

Refer to Using the Packet Analysis > Data Mining Module in the nGeniusONE online help for
more information about performing decodes.

7.2.5 Importing Multiple SSL/IPSec Decryption Keys


Importing keys in bulk for SSL/IPSec de-ciphering simplifies configuration on the nGeniusONE
server. This feature eliminates the requirement to add keys one-by-one and lessens the risk of
configuration errors. The process can be used for both Local and HSM SSL varieties as well as
IPSec.

Multiple key import is available from the Decryption Keys tab in Global Settings but only when
the privileges Decryption — Admin and Decryption — User are enabled for the particular user role.

Be aware that exporting decryption keys is not supported at this time. Additional security is
provided by encryption for HTTPS client-to-server communications and password encryption in
the database. Keys are imported over HTTPS by default if you have an SSL certificate.

Import file
A particular import file need not be a certain type; it is only required that it be comma-delimited.
Any import file not passing validation generates an error message back to the user.

Import File Formats

TLS Local

The format of a TLS Local file is as follows:


Server:Server IP:SSL Port:Application Port:key

Each new line must be separated by backslash-n:


\n

Example
TLS119,2405:0200:0631:1581:0000:0000:0000:001b,5061,5060,-----BEGIN RSA
PRIVATE KEY-----
\nMIIJKAIBAAKCAgEA+U3LFJ7FXFe1lVPs2XJd91UQbYd0xYvvsXZvBnQ2FU1PRjnn\nUfpq
FlOmPg1cylp+mPtUBhHrD52/0y3hNoD8OKYhd2XG25Ruf73G8KVr3ktCqag5\nM8lOqngBZq
QJj/cccIVvW5xzNUXiqMYOZsjJC4F
...
\n9zAhYxGE0KSLJFvDV7e3PtWgJFaKpKuaWg3DmpU6g4hLTmd4b7fl2sFCngM=\n-----END
RSA PRIVATE KEY-----

SSL HSM

The format of an SSL HSM file is as follows:


Server,Server IP,SSL Port,Application Port,Key Label,Slot Type (if not
id; assumed to be label),Slot Id or Label, Password

Example
HSM_test1,10.64.80.184,8443,8080,Stuff,id,123,Stuff
HSM_test2,10.64.80.184,8443,8080,Stuff,id,123,Stuff

SSL IPSec

SSL IPSec requires that a "NULL" value be provided for Encryption and Authentication when
either one or both will not be used. The corresponding key value will be ignored when NULL is
provided.

The format of an IPSec file is as follows:


Protocol,Source IP,Dest IP,SPI,Encryption,Encryption Key,Authentication,
Authentication Key

Example
IPV4,10.64.80.184,10.64.80.185,1234,NULL,,NULL,
IPV4,10.64.80.184,10.64.80.185,0x1234,NULL,,NULL,
IPV6,2001:0db8:85a3:0000:0000:8a2e:0370:7334,2002:0db8:85a3:0000:0000:8a2e:0370:7334,*,NULL,,NULL,
IPV4,10.64.80.184,10.64.80.185,*,3DES-CBC,1234567890123456,NULL,
IPV4,10.64.80.184,10.64.80.185,12345,NULL,,ANY 192 bit authentication,1234567898975075708
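
Because an import file that fails validation is rejected, it helps to check the file before uploading it. This added example (not NETSCOUT code) is a pre-flight checker for the three layouts above; it treats all three as comma-delimited, as the examples show, and its rules (field counts, port range, SPI syntax, a key required unless the algorithm is NULL, a numeric slot when Slot Type is id, no encrypted PEM) are assumptions drawn from the formats and examples on this page, not the product's actual validation. The failing sample lines and the AES-CBC algorithm name are constructed.

```python
import ipaddress
import re

SPI_RE = re.compile(r"\*|\d+|0[xX][0-9a-fA-F]+")  # wildcard, decimal or hex


def _ip(value, name, errors, version=None):
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        errors.append(f"{name}: not a valid IP address")
        return
    if version and addr.version != version:
        errors.append(f"{name}: address family does not match Protocol")

def _port(value, name, errors):
    v = value.strip()
    if not (re.fullmatch(r"\d{1,5}", v) and 1 <= int(v) <= 65535):
        errors.append(f"{name}: not a port in 1-65535")

def _server(fields, errors):
    # First four fields are shared by the TLS Local and SSL HSM layouts.
    if not fields[0].strip():
        errors.append("Server: empty")
    _ip(fields[1], "Server IP", errors)
    _port(fields[2], "SSL Port", errors)
    _port(fields[3], "Application Port", errors)


def check_tls_local(line):
    fields = line.split(",", 4)  # the key is the last field
    if len(fields) != 5:
        return [f"expected 5 fields, found {len(fields)}"]
    errors = []
    _server(fields, errors)
    key = fields[4].replace("\\n", "\n")  # literal backslash-n separators
    if "PRIVATE KEY-----" not in key:
        errors.append("Key: no PEM private key markers")
    elif "ENCRYPTED" in key:
        errors.append("Key: encrypted or password-protected PEM")
    return errors


def check_hsm(line):
    fields = line.split(",")
    if len(fields) != 8:
        return [f"expected 8 fields, found {len(fields)}"]
    errors = []
    _server(fields, errors)
    label, slot_type, slot, password = (f.strip() for f in fields[4:])
    if not label:
        errors.append("Key Label: empty")
    if not slot:
        errors.append("Slot Id or Label: empty")
    elif slot_type.lower() == "id" and not slot.isdigit():
        errors.append("Slot Id or Label: Slot Type is id but value is not numeric")
    if not password:
        errors.append("Password: empty")
    return errors


def check_ipsec(line):
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 8:
        return [f"expected 8 fields, found {len(fields)}"]
    errors = []
    version = {"IPV4": 4, "IPV6": 6}.get(fields[0].upper())
    if version is None:
        errors.append("Protocol: expected IPV4 or IPV6")
    _ip(fields[1], "Source IP", errors, version)
    _ip(fields[2], "Dest IP", errors, version)
    if not SPI_RE.fullmatch(fields[3]):
        errors.append("SPI: expected decimal, 0x-prefixed hex, or *")
    for name, algo, key in (("Encryption", fields[4], fields[5]),
                            ("Authentication", fields[6], fields[7])):
        if not algo:
            errors.append(f"{name}: empty, use NULL when unused")
        elif algo.upper() != "NULL" and not key:
            errors.append(f"{name} Key: required when {name} is not NULL")
    return errors


CHECKERS = {"tls_local": check_tls_local, "hsm": check_hsm, "ipsec": check_ipsec}


def validate(text, kind):
    """Return [(line_number, message)]; messages never echo field values."""
    return [(n, msg)
            for n, line in enumerate(text.splitlines(), 1) if line.strip()
            for msg in CHECKERS[kind](line)]


# Constructed samples: first line follows the page's examples, second is broken.
SAMPLE_HSM = ("HSM_test1,10.64.80.184,8443,8080,Stuff,id,123,Stuff\n"
              "HSM_bad,10.64.80.300,8443,99999,Stuff,id,slotA,Stuff")
SAMPLE_IPSEC = ("IPV4,10.64.80.184,10.64.80.185,*,3DES-CBC,1234567890123456,NULL,\n"
                "IPV6,10.64.80.184,10.64.80.185,0x12G4,AES-CBC,,NULL,")
SAMPLE_TLS_LOCAL = (
    r"TLS_ok,10.64.80.184,5061,5060,-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----"
    "\n"
    r"TLS_enc,10.64.80.184,5061,5060,-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----")
```

The messages name only the line and the field, so keys and HSM passwords never end up in terminal scrollback or CI logs.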

Configuration
1. From the nGeniusONE Console, click Servers and Users > User Management > Roles.
2. Select a role from the list for the user to be assigned this task and in the Privileges pane,
scroll down to and check the Configure Decryption Keys - Admin check box.
3. Click OK. Ensure that the user directed to handle key decryption is assigned this role.
4. After configuring these settings, log out and log back into the nGeniusONE Server to effect
the change.
5. From the nGeniusONE Console, click Global Settings > Decryption Keys, and the SSL
Local, SSL HSM, or IPsec tabs.

6. Click Import. A pop-up screen appears from which you can browse to select the
   import file. Follow the prompts to complete the import.
   Important: For SSL Local imports, the Key field in the dialog that would usually display the
   file name that the key was stored in will show FromImport for imported keys. This field is
   not translated; it is expressed in English. If you edit one of these keys and do not change
   the key to a file name, then when it is saved, the key will remain what it was before the
   edit. However, if you change the field from FromImport to a file name, then the key will be
   read from that file upon saving it. You cannot type in the field; therefore there is no chance
   you can change a non-imported key to FromImport. You must select a file from a popup
   menu.
   Note: For SSL HSM imports, the password need only be entered once, unlike from the GUI,
   which requires two entries to ensure that no typos occur.

7.3 Packet Analysis Extended File Names


Packet Analysis may have extended file names in 6.2.2 and later releases. To disable extended
file names, set extendFileName enable="0" in
<nGeniusONE Install>/rtm/pa/config/profiles/profile.xml:

<extendFileName enable="0">
<showMeInfo>1</showMeInfo>
<showStartDate>1</showStartDate>
<showStartTime>1</showStartTime>
<showEndDate>0</showEndDate>
<showEndTime>0</showEndTime>
<showTimeZone>1</showTimeZone>
<showFilter>0</showFilter>
</extendFileName>

If a profile.xml file also exists in <nGeniusONE Install>/rtm/pa/config/profiles/shared, set
extendFileName enable="0" in it as well.

8 nGenius Session Analyzer
nGenius Session Analyzer is a related product suite but with a separate installer that
automatically configures the servers, so it is not necessary to specify Global or Standalone. Use
the Server Management GUI to configure secondary servers for the primary (managing) server.

nGenius Session Analyzer provides analytics of session data but does not directly manage data
sources. Instead, it must be integrated with another server that provides this data. The parent
server can be either an nGeniusONE or nGenius Configuration Manager server, or an
OAM server. When integrated, the applicable data sources on those servers are visible to the
nGenius Session Analyzer server and also provide authentication and configuration parameters.

Since integrating this server type also requires authentication, the integration is done in the
Servers and Users > Authentication Source module on the nGenius Session Analyzer server,
rather than being added as a child server in the nGenius Configuration Manager or nGeniusONE
Server Management module. You can add a second nGenius Session Analyzer server to create a
distributed cluster.

nGenius Session Analyzer is built on the nGeniusONE framework and therefore follows the same
installation process. nGenius Session Analyzer deployment and licensing exceptions are covered
in this chapter along with nSA-specific configuration. Only Linux is supported for nGenius
Session Analyzer servers. See these sections for basic server requirements and installation
instructions:
• Preparation
• Installation and Upgrade

See the following nSA-specific sections:
• nGenius Session Analyzer Servers and License Distribution
• nGenius Session Analyzer Deployment Models and Guidelines
• Configuring nGenius Session Analyzer
• nGenius Session Analyzer Log Files

8.1 nGenius Session Analyzer Servers and License Distribution


The following sections describe nGenius Session Analyzer server types and license distribution.

8.1.1 Primary and Secondary Servers


The Primary server services the query, in addition to load-balancing the queries with other
Secondary servers (if available). There is only one Primary server in the system. Any additional
servers are Secondary servers. Add Secondary servers for more simultaneous sessions and for
resiliency. Each server supports 50 additional simultaneous sessions.

8.1.2 Number of Type 1 Licenses Needed


The Type 1 count does not determine the number of servers. The number of servers solely
depends on the number of simultaneous user sessions needed. nGenius Session Analyzer in
nGenius CM mode treats InfiniStreamNG(Geo) and vSTREAM licensing the same as in
nGeniusONE:
• InfiniStreamNG(Geo) Type 1 count is dynamic; only active interfaces are counted.
• vSTREAM is based on 8 vCPU blocks. Each 8 vCPU block is a Type 1 license.

There is no Type 1 dynamic count for all other G10, GeoBlade, 14U, 12U, 3U, and 2U legacy
probes. All static Type 1 counts, active or not, are counted as shown in the following table.

Figure 8.1 - Static Geo and SpI Interface Count on nGenius CM

OAM authentication does not employ the Type 1 dynamic count. All probes are statically counted
as shown in the following table. There is no dynamic count, even for InfiniStreamNG(Geo).

Figure 8.2 - Static Interface Count on OAM

See License Enforcement for SpIprobe 14U, 3U, and 2U for information about SpIprobe
licensing.

8.1.3 Type 1 License


nGenius Session Analyzer server licensing is applied on the nGenius Session Analyzer server
using a Type 1 license. Ensure the Type 1 license count covers all nGenius Configuration Manager
or nGeniusONE probes accessed by nGenius Session Analyzer. Each nGenius Session Analyzer
server requires a Type 1 License pack (50/25/10). Licenses are stackable, which means different
license pack counts can be combined.

Licenses are applied on nGenius Session Analyzer servers and not on authenticating nGenius
Configuration Manager or nGeniusONE servers for these reasons:
• Support of OAM-based deployments
• Support legacy instrumentation (G10/GeoBlade/14U/3U/2U) and their licensing

Each server can do 50 simultaneous user sessions (queries) and needs at least one Type 1
license pack (10/25/50 pack). All Type 1 licenses are pooled and applied at the Primary, even
though they are distributed across servers.

Figure 8.3 - nGenius Session Analyzer License Distribution

8.1.4 Server Resilience


NETSCOUT recommends backup servers and Type 1 licenses for redundancy to meet the needed
resilience in case Primary or Secondary servers fail. The following sections provide examples to
describe Primary and Secondary server resilience.

8.1.4.1 Primary Server Resilience


If the Primary Server fails, one of the Secondary servers must be explicitly reconfigured as the
Primary server. In the following example (Figure 8.4), the system had the following licenses and
simultaneous sessions prior to the Primary server failing:
• Type 1 license: 85 Type1
• Simultaneous sessions: 150

After the Secondary is reconfigured as the Primary, the system has:
• Type1 License: 35 Type1
• Simultaneous sessions: 100

Figure 8.4 - Primary Server Resilience Example

8.1.4.2 Secondary Server Resilience


If any Secondary server goes down, queries are sent to other servers. In the following example
(Figure 8.5), the system had the following licenses and simultaneous sessions prior to one of the
Secondary servers failing:
• Type 1 licenses: 85
• Simultaneous sessions: 150

After the Secondary server fails, the system has:
• Type 1 License: 75 Type1
• Simultaneous sessions: 100

Figure 8.5 - Secondary Server Resilience Example

8.1.5 RAN License Distribution


Type 1 licenses are required along with nSA RAN licenses based on cell counts (1K/10K/50K cells).
Each nSA Server needs at least one Type 1 license pack.

Figure 8.6 - nSA RAN Licensing

In the following example, the nGenius Configuration Manager server with nSA RAN licenses has
failed and the Standby nGenius Configuration Manager with Standby nSA RAN licenses has
assumed control.

Figure 8.7 - nSA RAN Resilience

8.1.6 License Enforcement for SpIprobe 14U, 3U, and 2U


nGenius Session Analyzer enforces Type 1 license counts for the 14U, 3U, and 2U
instrumentation:
• SpIprobe 14Us are statically counted as 8 Type 1 licenses.
• SpIprobe 3Us and 2Us are statically counted as 4 Type 1 licenses.

This static enforcement of Type 1 licenses for 14U, 3U, and 2U applies to both nGenius CM and
OAM mode. Only probes that pass the license requirement and enforcement appear in the
nGenius Session Analyzer Input Filter Home (Page 0).

The Interface count increments with each probe by probe ID. System administrators cannot
choose the interfaces assigned for each license. Licenses are assigned in order by probe ID. All
probes are sorted regardless of probe type by probe ID. Users cannot see the number of probes
beyond the number of licensed interfaces.

8.1.6.1 Adding Licensed SpIprobes to nSA


To add licensed SpIprobes to nGenius Session Analyzer, run the
/home/geo/tools/bin/UpdateProbeType script on the SpIserver.
cd $SPI_TOOLS_HOME/bin
./UpdateProbeType

Run UpdateProbeType when installing SpIprobe license enforcement for the first time,
upgrading to 6.3.2, and when adding new probes. After the probe type is in the DbGeoNodeExt
database on the SpIserver, SpIAdapter sends it to nGenius CM and OAM. All setup probes are
sent to SpIAdapter, whether enabled or disabled. See the SpIserver SpIstation Installation and
Upgrade Guide for more information about running scripts on SpIservers.

8.2 nGenius Session Analyzer Deployment Models and Guidelines


Deploying nGenius Session Analyzer in nGenius CM mode is the preferred model. The
InfiniStream(Geo) component can be managed by nGenius CM or OAM, but not by both
simultaneously.

8.2.1 Option 1 - Deployment with InfiniStreamNG Only


The following example shows nGenius Session Analyzer deployed with nGenius CM and
InfiniStreamNG appliances only.

Figure 8.8 - nSA Deployment Option 1

8.2.2 Option 2 - Deployment in nGenius CM with Legacy Probes


The following example shows nSA deployed in nGenius CM with legacy probes managed by
OAM.

Figure 8.9 - nSA Option 2

8.2.3 Option 3 - Deployment with Legacy Probes and RAN


If InfiniStream(Geo) visibility is needed in any Iris applications coexisting with the nGenius
Session Analyzer deployment, then InfiniStream(Geo) and nGenius Session Analyzer must be
managed by OAM. Although supported, this scenario is not the preferred model:
• No active development in OAM
• nGeniusONE drill to nSA not supported in OAM mode
• 5G standalone only supported in nGenius CM mode

Figure 8.10 - nSA Option 3

8.2.4 nGenius Session Analyzer in Cloud Environments


Cloud environments are supported across the nGenius platform. VMware is the officially
supported environment. From the nGenius Session Analyzer context, there is nothing specifically
required for Virtual Machine (VM) environments. VM environments are similar to regular Linux
server environments.

You can install the needed Linux image in your VM environment and then install the released
Linux images of nSA or SCS on those VMs as any other Linux machine. For example, you can
create an AWS instance-type that matches nSA or SCS requirements, install a Linux image onto
that (for instance, AWS EC2 VM), and then install the nSA/SCS code onto that VM the same as any
other Linux machine. The following table displays nSA VM server requirements.

8.3 Configuring nGenius Session Analyzer


Use these sections to configure nGenius Session Analyzer-specific features and functionality:
• Configuring nSA Nodes and Devices
• Migrating from OAM to nGenius Configuration Manager
• Replicating Files from an nSA Primary to Secondary Server
• Configuring MPC Rulesets
• Configurable nGenius Session Analyzer User Interface Options
• Configuring nGenius Session Analyzer Drilldown from nGeniusONE
• nGenius Session Analyzer Visibility to G10/GeoBlade in nGenius CM Mode
• Configuring Failure and Timeout Indication in nGenius CM Authentication Mode
• Configuring nGenius Session Analyzer Services
• Enabling Access of SpIprobes in nGenius CM Mode
• Configuring PCAPng Export for Scheduled Capture
• Configuring nGenius Subscriber Cache Digit Types
• Configuring DigitMasking_Default.xml
8.3.1 Configuring nSA Nodes and Devices


Use the authenticating nGeniusONE or nGenius Configuration Manager UI to configure data
sources.

Access these modules in nGenius Configuration Manager or nGeniusONE:

1. Business Types to set the business type category to Service Provider.
2. Device Configuration to add devices to your server and enable the necessary interface
and mobile parameters.
3. Global Settings > Locations > nSA Nodes to add nodes to monitor.
4. Global Settings > Application Configuration to configure the applications you want to
monitor.
5. User Management to define users and roles.

8.3.1.1 Configure Data Sources


This procedure provides general guidelines for configuring nGenius Session Analyzer with
nGenius CM authentication and InfiniStreamNG(Geo) in dual mode.

1. Log in to the authenticating nGenius Configuration Manager or nGeniusONE server and
click Device Configuration.
2. Click Add (+), select InfiniStream as the device type, and provide the details for a dual-
mode InfiniStreamNG(Geo). See the InfiniStreamNG (Geo Mode) Deployment Guide for more
information.
3. Right-click the dual-mode InfiniStreamNG(Geo) and select Remote Login.
4. In the Remote Console, select option [11] to enter command-line mode.
5. Set the Ethernet monitoring interface port and mobile parameters. The following example
uses the 5G N1 interface. See the Agent Configuration Utility for CDM/ASI Administrator Guide
for more information.
    set curr_interface 3
    set mobile_params n1
6. Click Global Settings, Locations, and then nSA Nodes.
7. Click the Add Node button, select the node type from the Type menu, add an IP range,
and then name and save your node.
8. Restart the nGenius Session Analyzer server.
9. Return to the nGenius Configuration Manager or nGeniusONE Console and select Global
Settings and then Application Configuration.
10. Click the Add (+) button to add any necessary applications.
11. Return to the Console and click User Management.
12. Click the Roles tab and search "nsa" to verify you have the necessary nSA privileges.

See the nGeniusONE or nGenius Configuration Manager Help for more info about the Device
Configuration, Locations, User Management, and Application Configuration modules.

8.3.1.2 Configuring nSA Nodes


On an authenticating nGeniusONE or nGenius Configuration Manager server, use Global
Settings > Locations > nSA Nodes to configure nGenius Session Analyzer-related network
servers and nodes for monitoring. See the nGeniusONE or nGenius Configuration Manager Help
for more information about the nSA Nodes interface.

The default maximum number of nodes that can be configured is 45000. You can change this
default by adding the globalsettings.networknodes.maximumNumberOfNetworkNodes property
with a new value to the <NETSCOUT Install>/rtm/bin/serverprivate.properties file; for example:
globalsettings.networknodes.maximumNumberOfNetworkNodes=70000

The absolute maximum that can be defined is 380000, and you can set the default to a number
lower than 45000.

8.3.1.3 Use Case: Configuring and Monitoring 5G NGAP with nSA


This use case provides an end-to-end workflow example that can apply for other types of traffic
besides NGAP. For other types of traffic, select the nodes, applications, and mobile parameters
specific to those traffic types.

8.3.1.3.1 Overview

Users attach to 5G with the Next Generation Radio Access Network (NG-RAN), which relies on the
NG Application Protocol (NGAP) for signaling between NG-RAN nodes and Access and Mobility
Management Functions (AMFs). NGAP carries Non Access Stratum (NAS) messages across N1/N2
interfaces to request new sessions.

Use nGenius Session Analyzer to monitor and troubleshoot NGAP 5G access issues using
nGenius CM authentication with InfiniStreamNG(Geo) in dual mode. See "Installing GeoProbe
Software" in the InfiniStreamNG (Geo Mode) Deployment Guide for more information.

8.3.1.3.2 Problem

A user cannot place 5G calls on your network.

8.3.1.3.3 Solution

Configure NGAP data sources, and then use nGenius Session Analyzer to monitor and
troubleshoot NGAP issues to determine their root causes.

8.3.1.3.4 Workflow

Use the authenticating nGeniusONE or nGenius Configuration Manager UI to configure the data
sources and the nGenius Session Analyzer UI to configure an NGAP scenario and monitor traffic.

Access these modules in nGenius Configuration Manager or nGeniusONE:

1. Business Types to set the business type category to Service Provider.
2. Device Configuration to add devices to your server and enable the necessary interface
and mobile parameters.
3. Locations > nSA Nodes to add nodes to monitor.
4. Application Configuration to configure the applications you want to monitor.
5. User Management to define users and roles.

Access these modules in nGenius Session Analyzer:

1. Authentication Source to specify nGenius CM authentication.
2. Scenario Builder to create a reusable NGAP monitoring scenario.

8.3.1.3.5 Configure NGAP Data Sources

This procedure shows how to set up and monitor NGAP traffic while using nGenius Session
Analyzer with nGenius CM authentication and InfiniStreamNG(Geo) in dual mode.

1. Log in to the authenticating nGenius Configuration Manager or nGeniusONE server and
click the Business Types icon.
2. Select the Service Provider option and click OK.
3. On the Console, click Device Configuration.
4. Click Add (+), select InfiniStream as the device type, and provide the details for a dual-
mode InfiniStreamNG(Geo). See the InfiniStreamNG (Geo Mode) Deployment Guide for more
information.
5. Right-click the dual-mode InfiniStreamNG(Geo) and select Remote Login.
6. In the Remote Console, select option [11] to enter command-line mode.
7. Set the Ethernet monitoring interface port and mobile parameters to enable the 5G N1
interface. See the Agent Configuration Utility for CDM/ASI Administrator Guide for more
information.
    set curr_interface 3
    set mobile_params n1
8. Click Global Settings, Locations, and then nSA Nodes.
9. Click the Add Node button, select "AMF" from the Type menu, add an IP range, and then
name and save your node.
10. Repeat the previous step, but select "gNB-CUCP."
11. Restart the nGenius Session Analyzer server.
12. Return to the nGenius Configuration Manager or nGeniusONE Console and select Global
Settings and then Application Configuration.
13. Under Applications, expand NG-AP and verify these applications are present:
    • 5GMM
    • 5GSM
14. Return to the Console and click User Management.
15. Click the Roles tab and search "nsa" to verify you have the necessary nSA privileges.

See the nGeniusONE or nGenius Configuration Manager Help for more info about the Device
Configuration, Locations, User Management, and Application Configuration modules.

8.3.1.3.6 Monitor and Troubleshoot NGAP Traffic

This procedure shows how to monitor and troubleshoot NGAP traffic with nGenius Session
Analyzer scenarios. See the nGenius Session Analyzer Help for more information about creating
and using scenarios.

1. Log in to nGenius Session Analyzer and click Authentication Source, select nGenius CM,
provide the information for the authenticating nGeniusONE or nGenius
Configuration Manager server, and click OK.
2. Return to the Console and click the Scenario Builder module.
3. Select Session Analysis from the Add Scenario menu.
4. Create an NGAP monitoring scenario:
a. Name the scenario.
b. Select probe(s) with the N1 interface mobile parameter enabled.
c. Search and select NGAP from the Application menu.
5. To narrow your search, click the Advanced tab and expand the menus to select specific
status events, session types, response codes, or transaction types of concern.
6. Click Save.
7. On the Console, click the Session Analyzer module.
8. Select the NGAP scenario, duration for your capture, and then click Launch Session.
9. When the Session Details page opens, search failed sessions and use the "Response
Codes" column to determine whether failure causes are due to the user equipment or
your network:
    • User Equipment (UE) failure code examples - Illegal UE, UE Security Capabilities
    Mismatch, UE ID Cannot Be Derived by Network
    • Network failure or incompatibility code examples - PLMN Not Allowed, No Suitable
    Cells In Tracking Area, MAC Failure
10. Select the sessions you want and drill to Packet Analysis for further inspection.
11. Inspect packets in the Packet Decode page.
12. If the issue is user-oriented, guide the user to the solution. If network-oriented, contact
the appropriate network personnel to isolate and fix the issue(s).

8.3.2 Migrating from OAM to nGenius Configuration Manager


You can migrate an nSA OAM deployment to nGenius Configuration Manager (nGenius CM) (see
nGenius Session Analyzer Deployment Models and Guidelines). Follow these steps to migrate an
nSA OAM deployment to a deployment using nGenius CM authentication mode.

1. Remove the InfiniStreamNG(Geo) associations from OAM. See the OAM Help for more
information.
2. Add the InfiniStreamNG(Geo) appliances to the nGenius CM server. See Configuring nSA
Nodes and Devices and the nGeniusONE or nGenius Configuration Manager Help.
3. On the nSA server, change from OAM authentication to nGenius CM authentication. See
Authentication: nGenius CM.
4. Update configurations in nGenius Configuration Manager. See a general OAM-to-nGenius
Configuration Manager mapping in the following table. Not all mappings are one-to-one.
Some OAM plist configuration is enabled by default and some is done with the RESTful
API for nGeniusONE. See "Updating GEO Properties for nCM Deployments" in the
InfiniStreamNG(Geo Mode) Guide and the Guide to the RESTful API for nGeniusONE
Configuration for more information.
Table 8.1 - OAM-to-nGenius Configuration Manager Mapping

OAM | nGenius Configuration Manager
Admin > System Config > Probes | Device Configuration; Configuring nSA Nodes and Devices; See also the nGeniusONE or nGenius Configuration Manager Help.
Admin > System Config > Topology > Managed Objects > Nodes | Global Settings > Locations > nSA Nodes; Configuring nSA Nodes and Devices; See also the nGeniusONE or nGenius Configuration Manager Help.
Admin > System Config > Applications > ISA Configuration (Failure Categories, Failure Configuration, Indicator Configuration) | Configuring Failure and Timeout Indication in nGenius CM Authentication Mode
Admin > System Config > Applications > ISA Admin (ISA Correlation Rules, ISA Digit Stripping) | MPC - Configuring MPC Rulesets; Digit Stripping - See the InfiniStream(Geo Mode) Deployment Guide.
Admin > System > Advanced Properties; Editable plist properties; Files under /iris_kpi_db/configManager/changes on the InfiniStreamNG(Geo) | Application Configuration > Applications; <nSA Install>/rtm/configdata/editableGeoProperties.xml; Use the RESTful API for nGeniusONE to configure property changes formerly made in /iris_kpi_db/configManager/changes. See "Updating GEO Properties for nCM Deployments" in the InfiniStreamNG(Geo Mode) Guide and the Guide to the RESTful API for nGeniusONE Configuration for more information. See the nGeniusONE or nGenius Configuration Manager Help for information about using the Application Configurations module.
Admin > User Management | Servers and Users > User Management; nGenius Session Analyzer Privileges

5. Restart the nSA server to apply the new configurations. See Stopping and Restarting the
System.

8.3.3 Replicating Files from an nSA Primary to Secondary Server


If nGenius Session Analyzer servers are configured in a cluster, a list of files can be configured to
be replicated from the Primary nSA server to the Secondary server(s). The list of files to be
replicated is configured in <NETSCOUT Install>/rtm/nsaapp/config/replication-config.xml. Set the
flag to enable the replication feature and configure the frequency of the replication task in
NETSCOUT/rtm/nsaapp/config/localConf/nsaLocalCommonConf.xml:
<prop key="file.replication.enabled">
    <boolean>true</boolean>
</prop>

<prop key="file.replication.periodicity">
    <!-- in minutes, use multiples of 5 -->
    <integer>5</integer>
</prop>

If you change the file(s) configured in replication-config.xml, the changed files are automatically
replicated from the Primary nSA server to all Secondary nSA servers. When the nSA Primary server is
restarted, all Secondary nSA instances receive file replicas.

If the Secondary nSA server is added after files are changed on the Primary nSA server, those
changes are not automatically replicated to the newly added Secondary nSA server.

The files on the Primary nSA server must be updated with a new timestamp to trigger the
replication task to the Secondary servers. The task is executed at the next scheduled time, which
is every 5 minutes by default and is defined in file.replication.periodicity. Use the touch
command to update the timestamps of the files to be replicated. For example, to replicate files in
the <NETSCOUT Install>/rtm/nsaapp/config/localConf directory:
cd /opt/NetScout/rtm/nsaapp/config/localConf
find . -type f -exec touch {} +

You can also manually copy the files that need replication from the Primary to the Secondary
server.

8.3.4 Configuring MPC Rulesets


Multi-Protocol Correlation (MPC) rulesets are text files containing syntax for correlation of
multiple protocols across session and call legs. nSA MPC rulesets use exactly the same format as
those used with Iris Session Analyzer (ISA). Two default MPC ruleset files are provided
with the system. Modifying these two default MPC ruleset files is not recommended. These
default MPC ruleset files are:
• defaultSpiMpcRules
• defaultIrisMpcRules

MPC ruleset files are located on the nSA Server in the following directory:
<NETSCOUT Install>/rtm/nsaapp/config/geoMpc

If you require new MPC ruleset files, NETSCOUT recommends adding those additional MPC
rulesets within separate files titled with meaningful names so they can easily be identified and
selected in nGenius Session Analyzer.

8.3.4.1 Adding a new MPC Ruleset File to nGenius Session Analyzer


Add your new MPC ruleset file on the nSA Server in the following directory:

<NETSCOUT Install>/rtm/nsaapp/config/geoMpc

In this example, a new MPC ruleset file named “New_MPC_Ruleset_Test” has been added:

The next step is to change the owner and permissions of your new MPC ruleset file to match the
default MPC ruleset files:
chown ngenius:ngenius <filename>
chmod 750 <filename>

After running these chown and chmod commands, the new MPC ruleset file includes execute permissions.

8.3.4.2 Load New Ruleset into nGenius Session Analyzer


There are two ways to load your new MPC Ruleset files into nSA:

• Use the nsaConfigReload utility. This method immediately reloads all the MPC
Ruleset files that are located in the directory (<NETSCOUT
Install>/rtm/nsaapp/config/geoMpc) to make them available for selection in the nSA
• Wait for the next restart of the nSA Server. When the nSA Server is restarted, it loads
all the MPC Ruleset files in <NETSCOUT Install>/rtm/nsaapp/config/geoMpc to make them
available for selection in the MPC Ruleset list on the nSA user interface.

8.3.4.2.1 Using the nsaConfigReload Utility to Load New MPC Rulesets

To launch the nsaConfigReload utility, use a web browser and the following URL:

https://<nsa server-IP>:8443/nsaapp/nsaConfigReload.jsp

1. Select GEO_MPC_RULES.
2. Click Reload/Refresh.
3. "GEO_MPC_RULES" changes to "GEO_MPC_RULES Reloading in progress…"
4. The new ruleset is available in the nGenius Session Analyzer MPC Ruleset list.

8.3.4.3 Exclude Certain Digit Values in MPC Searches


To exclude certain digit values in MPC searches, configure the digit type and value pairs within
the mpcDigitExcludeList property in the nsaLocalGEOConf.xml file. One digit type may have
multiple values separated by commas. No wildcard or range is supported. Refer to the MPC
ruleset to get the correct digit types.

Example: mpcDigitExcludeList Property Configuration


<prop key="mpcDigitExcludeList">
<properties>
<prop key="IMSI">
<string>123456789012345,123456789012346</string>
</prop>
<prop key="IpPlusPort">
<string>1.1.1.1#5004,1.1.1.1#5005</string>
</prop>
<prop key="IPADDR">
<string>1.1.1.1,2.2.2.2</string>
</prop>
<prop key="CallingParty">
<string>9876543210</string>
</prop>
</properties>
</prop>

8.3.5 Configuring nGenius Session Analyzer Services


Configure services for the nGenius Session Analyzer User Event Distribution pane in the
services.xml file that resides in the <nSA Install>/rtm/nsaapp/config/geoServiceDef/ directory.
Each service has multiple conditions with an AND relationship, which means the session record
has to match all conditions.

Multiple values for conditions are supported for p-ani and network-ip. Use this format to
configure multiple values:
<array type="string"> <string>a</string><string>b</string></array>

An OR relationship applies to those string values inside an <array> block, which means as long as
one of the values is present in the session record for the corresponding field, that record is
considered to be matched.

8.3.5.1 Service Description Field


The contents of the service description field are displayed in a tooltip that appears when the user
hovers over a service bar in the User Event Distribution pane. The tooltip shows the service
name and service description along with counts. Use the string tags in serviceDescription prop
keys to add service descriptions. For example:
<prop key="serviceDescription">
  <string>Voice over WiFi</string>
</prop>

If you do not add a service description to the services.xml file, the service name is used as the
description.

8.3.5.2 Customizing Services.xml


When customizing services.xml, use a unique prop key for each new service. Currently, the
naming convention for system default services is a unique number after "Service" (for example,
Service1, Service2, etc.). To ensure a unique prop key when defining a new service, use a
different naming convention such as a prefix with an underscore (for example,
UserDefined_Service1).

8.3.5.3 Services.xml Example


The following example shows the sections and some of the available parameters in the
<nGenius Session Analyzer Install>/rtm/nsaapp/config/geoServiceDef/services.xml file.
<?xml version="1.0" encoding="UTF-8"?>
<!-- Upgrade related caveat:
     To retain a service across upgrades, without any changes, create the service with a unique
     key (compared to the Service1, Service2 used by default here).
     For services whose key occurs in both existing and new build, the details will be compared
     and merged if required, with the ones in the existing build taking priority.
     Similarly, to retain a new condition the user has applied for an existing service (within
     conditions and failureConditions), the user is advised to use a unique key (compared to
     condition1, condition2 used by default here).
-->
<properties xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.0">
  <prop key="Services">
    <array type="prop">
      <!-- G10 Services 1 through 8 starts here -->
      <!-- A single MultiComputationDefinition -->
      <prop key="Service1">
        <properties>
          <!-- "serviceName" in MultiComputationDefinition -->
          <prop key="serviceName">
            <string>VoWiFi</string>
          </prop>
          <prop key="serviceDescription">
            <string>Voice over WiFi</string>
          </prop>
          <!-- "multiConditionAttributes" in MultiComputationDefinition -->
          <prop key="conditions">
            <array type="prop">
              <!-- A single GenericDataAttribute -->
              <prop key="condition1">
                <properties>
                  <!-- "type" in GenericDataAttribute -->
                  <prop key="type">
                    <string>ApplicationId</string>
                  </prop>
                  <!-- Previous format of the value field in each condition -->
                  <!-- "value" in GenericDataAttribute -->
                  <!-- <prop key="value">
                         <string>SIP</string>
                       </prop> -->
                  <!-- New format to support multiple values -->
                  <prop key="values">
                    <array type="string">
                      <string>SIP</string>
                    </array>
                  </prop>
                </properties>
              </prop>
              <prop key="condition2">
                <properties>
                  <prop key="type">
                    <string>Transactions</string>
                  </prop>
                  <prop key="value">
                    <string>Invite</string>
                  </prop>
                </properties>
              </prop>
              <prop key="condition3">
                <properties>
                  <prop key="type">
                    <string>StatusEvents</string>
                  </prop>
                  <prop key="value">
                    <string>Gm VoLTE</string>
                  </prop>
                  <!-- "isPresent" in GenericDataAttribute -->
                  <prop key="isPresent">
                    <boolean>false</boolean>
                  </prop>
                </properties>
              </prop>
              <prop key="condition4">
                <properties>
                  <prop key="type">
                    <string>PaniAccessType</string>
                  </prop>
                  <prop key="values">
                    <array type="string">
                      <string>IEEE-802.11</string>
                      <string>IEEE-802.11a</string>
                      <string>IEEE-802.11b</string>
                      <string>IEEE-802.11g</string>
                      <string>IEEE-802.11n</string>
                    </array>
                  </prop>
                  <!-- "isPresent" in GenericDataAttribute -->
                  <prop key="isPresent">
                    <boolean>true</boolean>
                  </prop>
                </properties>
              </prop>
            </array>
          </prop>
        </properties>
      </prop>
      <prop key="Service2">
        <properties>
          <!-- "serviceName" in MultiComputationDefinition -->
          <prop key="serviceName">
            <string>NGHP</string>
          </prop>
          <prop key="serviceDescription">
            <string>Next Generation Home Phone</string>
          </prop>
          <!-- "multiConditionAttributes" in MultiComputationDefinition -->
          <prop key="conditions">
            <array type="prop">
              <!-- A single GenericDataAttribute -->
              <prop key="condition1">
                <properties>
                  <!-- "type" in GenericDataAttribute -->
                  <prop key="type">
                    <string>ApplicationId</string>
                  </prop>
                  <!-- "value" in GenericDataAttribute -->
                  <prop key="value">
                    <string>SIP</string>
                  </prop>
                </properties>
              </prop>
              <prop key="condition2">
                <properties>
                  <prop key="type">
                    <string>Transactions</string>
                  </prop>
                  <prop key="value">
                    <string>Invite</string>
                  </prop>
                </properties>
              </prop>
              <prop key="condition3">
                <properties>
                  <prop key="type">
                    <string>StatusEvents</string>
                  </prop>
                  <prop key="value">
                    <string>Gm VoLTE</string>
                  </prop>
                  <!-- "isPresent" in GenericDataAttribute -->
                  <prop key="isPresent">
                    <boolean>false</boolean>
                  </prop>
                </properties>
              </prop>
              <prop key="condition4">
                <properties>
                  <prop key="type">
                    <string>IPADDR</string>
                  </prop>
                  <prop key="values">
                    <array type="string">
                      <string>10.70.100.52</string>
                      <string>10.70.101.52</string>
                      <string>10.70.102.52</string>
                      <string>10.70.103.52</string>
                    </array>
                  </prop>
                  <!-- "isPresent" in GenericDataAttribute -->
                  <prop key="isPresent">
                    <boolean>true</boolean>
                  </prop>
                </properties>
              </prop>
            </array>
          </prop>
        </properties>
      </prop>
    </array>
  </prop>
</properties>
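
The matching rules in 8.3.5 (AND across the conditions of a service, OR across the values inside one condition) and the unique-key advice in 8.3.5.2 can be checked offline before a customized services.xml is deployed. The following Python is an added example, not NETSCOUT code: the session-record dictionaries are constructed, and reading isPresent=false as "the value must be absent" (with true as the default when the key is omitted) is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed input: a trimmed copy of the VoWiFi service from the example above.
SERVICES_XML = """\
<properties version="1.0">
  <prop key="Services"><array type="prop">
    <prop key="Service1"><properties>
      <prop key="serviceName"><string>VoWiFi</string></prop>
      <prop key="conditions"><array type="prop">
        <prop key="condition1"><properties>
          <prop key="type"><string>ApplicationId</string></prop>
          <prop key="values"><array type="string"><string>SIP</string></array></prop>
        </properties></prop>
        <prop key="condition3"><properties>
          <prop key="type"><string>StatusEvents</string></prop>
          <prop key="value"><string>Gm VoLTE</string></prop>
          <prop key="isPresent"><boolean>false</boolean></prop>
        </properties></prop>
        <prop key="condition4"><properties>
          <prop key="type"><string>PaniAccessType</string></prop>
          <prop key="values"><array type="string">
            <string>IEEE-802.11</string><string>IEEE-802.11n</string>
          </array></prop>
          <prop key="isPresent"><boolean>true</boolean></prop>
        </properties></prop>
      </array></prop>
    </properties></prop>
  </array></prop>
</properties>
"""


def _fields(prop_el):
    """Return {key: <prop>} for the <properties> block nested in a <prop>."""
    return {p.get("key"): p for p in prop_el.findall("properties/prop")}


def load_services(xml_text):
    """Parse services.xml text into {prop key: {"name", "conditions"}}.

    Raises ValueError on a repeated service key, because the guide asks for a
    unique prop key per service.
    """
    services = {}
    root = ET.fromstring(xml_text)
    for svc in root.findall("prop[@key='Services']/array/prop"):
        key = svc.get("key")
        if key in services:
            raise ValueError(f"duplicate service key: {key}")
        fields = _fields(svc)
        conditions = []
        for cond in fields["conditions"].findall("array/prop"):
            c = _fields(cond)
            if "values" in c:   # new multi-value format
                values = {s.text for s in c["values"].findall("array/string")}
            else:               # previous single-value format
                values = {c["value"].findtext("string")}
            present = True      # assumed default when isPresent is omitted
            if "isPresent" in c:
                present = c["isPresent"].findtext("boolean").strip() == "true"
            conditions.append((c["type"].findtext("string"), values, present))
        services[key] = {"name": fields["serviceName"].findtext("string"),
                         "conditions": conditions}
    return services


def record_matches(service, record):
    """AND across conditions; OR across the values inside one condition."""
    for field, values, present in service["conditions"]:
        hit = any(v in values for v in record.get(field, ()))
        if hit != present:   # assumption: isPresent=false means "must be absent"
            return False
    return True


# Constructed session records: condition type -> values seen in the record.
WIFI_CALL = {"ApplicationId": ["SIP"], "PaniAccessType": ["IEEE-802.11n"]}
VOLTE_CALL = {"ApplicationId": ["SIP"], "StatusEvents": ["Gm VoLTE"],
              "PaniAccessType": ["3GPP-E-UTRAN-FDD"]}

if __name__ == "__main__":
    vowifi = load_services(SERVICES_XML)["Service1"]
    print(vowifi["name"],
          record_matches(vowifi, WIFI_CALL),
          record_matches(vowifi, VOLTE_CALL))
```
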

8.3.6 Configurable nGenius Session Analyzer User Interface Options


Some nGenius Session Analyzer user interface options do not appear unless they are enabled.
The color of Ladder Diagram DCNR messages is configurable.

8.3.6.1 General Options


You can configure these properties in the
<nGenius Session Analyzer Install>/rtm/nsaapp/config/localConf/nsaLocalGEOConf.xml file:
• Show Duplicate PDUs option in the View Options dialog box. Set
  geo.server.detectDuplicatePDUs to "true" or "false" to enable or disable.
• Retrieve Messages Out of Time setting on the Scenario Management page primary tab.
  Enables retrieval of PDUs for session records outside the initial query time range. Set
  geo.server.messagesFromInitialRangeOnly global to "true" or "false" to enable or
  disable. The default of this setting is false.
• Drop Non Indexed Digits check box. MPC queries that include non-indexed digits can
  slow probe and appliance query retrieval time. nGenius Session Analyzer includes a
  configurable option to display a Drop Non Indexed Digits check box that excludes
  non-indexed digits when enabled. Set the geo.server.drop.non.indexed.digits property to
  "true" or "false" to enable or disable. The default of this setting is false.

8.3.6.2 Maximum Number of Records per Session


NETSCOUT recommends not exceeding the maximum of 3000 records per session and a pause
increment of 2000 records. The following table describes properties for configuring limits per
session and capture.

| Property | Description | Maximum | Default |
|---|---|---|---|
| geo.server.maxRecordsPerSession | Maximum total number of records returned per search from all probes. | 3000 | 1500 |
| geo.server.recordPauseIncrement | Number of records initial queries can return to the user. If this limit is reached, the server must discard records before retrieving more. | 2000 | 1000 |
| geo.server.perCaptureMpcSearchLimit | MPC search limit for a capture. MPC stops when this limit is reached. | 500000 | 500000 |
| geo.server.perCaptureMpcFlowControlLimit | Per capture flow limit. | 300000 | 30000 |
| geo.server.exportFileTimeout | General file export timeout timer to prevent endless loops and provide better control of capture timeouts. This timer begins when a user starts the Save All operation, starts an export with the nGenius Session Analyzer API, or when a Session Scheduler export begins. Set this property to a value greater than zero to enable the timeout for up to 7200 seconds. | 7200 | 2700 |

To change geo.server.recordPauseIncrement to 2000, the minimum system memory
requirement is 256 GB.

On the InfiniStreamNG(Geo), the com.tektronix.iris.isa.plist/socketBufferLimitPerTraceSession
property must be configured to 83886080 (80 MB) to support 3000 session records. See the
InfiniStream(Geo) Deployment Guide for more information about configuring plist properties on
the InfiniStreamNG(Geo).

8.3.6.3 Enabling Transaction Navigation on the Session Trace Pane


Enabling the Session Trace pane "Show Transaction Navigation" option depends on the nGenius
Session Analyzer authentication source.

8.3.6.3.1 nGenius CM Authentication

Follow these steps to enable the option on the nGenius Session Analyzer server:

1. Open <nGenius Session Analyzer Install>/rtm/nsaapp/config/localConf/nsaLocalCommonConf.xml.
2. Set FailedMessageSupport to "true".
3. Restart the nGenius Session Analyzer server.


8.3.6.3.2 OAM Authentication

Set FailedMessageSupport to "true" on the OAM server. See the OAM TekAdmin Guide for more
information.

8.3.6.4 5G DCNR Ladder Diagram Options


For easy identification, nGenius Session Analyzer displays 5G Dual Connectivity with New Radio
(DCNR) messages in a different color code on the Ladder Diagram. For other protocols,
nGenius Session Analyzer color codes the arrow tips of the messages. For S1AP, Diameter, and
GTPv2 5G DCNR messages, nGenius Session Analyzer colors the arrow body from the
default gray to a different color. The color for 5G DCNR messages is configurable in
<nGenius Session Analyzer Install>/tomcat/nsacontent/webapps/nsaapp/config/modules/nSA/private/color-palette.xml.
The following section shows the DCNR section of color-palette.xml.
<ColumnBasedColorList> <!-- F-09941 Filtering 5G Sessions in nSA using DCNR field -->
  <dcnr>#FFE5B4</dcnr> <!-- #FFE5B4 Peach color set for dcnr messages. Default color is gradient grey similar to #CCCCCC -->
</ColumnBasedColorList> <!-- To use default, please remove the dcnr value <dcnr></dcnr> -->
</ColorPalette>

UI configurations do not persist between upgrades. XML files in
/tomcat/nsacontent/webapps/nsaapp/config/* are overwritten.

8.3.6.5 Configuring Sessions per Tab


By default, nGenius Session Analyzer displays a maximum of 4 sessions per tab. You can set this
value up to a maximum of 8 sessions in the MaxCaptureAllowed section of
<nSAInstall>/tomcat/nsacontent/webapps/nsaapp/config/modules/nSA/private/ui-private-properties.xml:
<!-- Maximum number of Session Capture allowed per User Session -->
<!-- Default value = 4 -->
<!-- Max value = 8 -->
<MaxCaptureAllowed>4</MaxCaptureAllowed>

Caution: Increasing the number of sessions impacts client machine performance and
may produce a lag in nGenius Session Analyzer response time.

If you provide a value higher than 8, the maximum value is set to 8. The MaxCaptureAllowed
property applies to sessions launched from the Session Analyzer Home input filter (page 0) and
the Saved Sessions module.

When the user launches all sessions from the Saved Sessions module, the maximum limit error
appears on the Session Summary (page 1). When the user launches all sessions from the Session
Analyzer Home input filter (page 0), the error appears on page 0.

Sessions from page 0 and the Saved Sessions module may be open simultaneously. When that is
the case, the error appears on:


• Page 0 if the exceeding session is launched from page 0.
• Page 1 if the exceeding session is launched from the Saved Sessions module.

UI configurations do not persist between upgrades. XML files in
/tomcat/nsacontent/webapps/nsaapp/config/* are overwritten.

8.3.6.6 User Activity Timeout


The user activity timeout is one hour by default. To change this default, create the
console.useractivity.timeout property in <nSAInstall>/rtm/html/client.properties. For example, if
you want to change the timeout to 30 minutes, set the property to 30:
console.useractivity.timeout=30

In this example, a warning appears and the user is logged out after 30 minutes.

For multi-instance deployments, you must define the property on every nGenius Session
Analyzer server instance to change the one-hour default setting.

8.3.6.7 Session Scheduler Visibility


Use this property in <nSA Install>/rtm/nsaapp/config/localConf/nsaLocalCommonConf.xml to
display or hide the nGenius Session Analyzer Session Scheduler module:
<prop key="nfcOn">
  <boolean>true</boolean>
</prop>

The property is set to "true" by default.

8.3.7 Configuring nGenius Session Analyzer Drilldown from nGeniusONE


nGeniusONE users can launch nGenius Session Analyzer by clicking the Launch Session Analyzer
icon from the Session page in the following nGeniusONE monitors:
• Advanced Voice Statistic (AVS) Monitor
• Diameter Monitor
• Universal Monitor (UM)
• Packet Data Network (PDN) Monitor
• Network Access Monitor (NAM)

8.3.7.1 nGeniusONE Drilldown Scenarios


To enable drilldown from nGeniusONE, nGenius Session Analyzer administrators must create
scenarios with public visibility. See "Adding a Scenario for Drilldown from nGeniusONE" in the
nGenius Session Analyzer Help.


8.3.7.2 nGeniusONE Server Properties


To assign the URL and scenario that nGeniusONE accesses for the nGenius Session Analyzer
launch, configure the following section in <nGeniusONE Install>/rtm/html/umcclient.properties:
nsa_server=https://XXX.XX.XX.XX:8443
nsa_scenario_owner=<Owner of the scenario, typically the administrator>
nsa_scenario_name=<Name of the scenario, typically defined by the administrator>
nsa_prepend_wildcard=<*,false>
nsa_time_buffer=<x milliseconds>
nsa_searchBy=<Start Time, End Time, Active Time by Activity Time, Active Time by Monitoring Time>

If nsa_searchBy is not configured, the drill defaults to Active Time by Activity Time.

8.3.8 nGenius Session Analyzer Visibility to G10/GeoBlade in nGenius CM Mode


To provide complete visibility across the network, nGenius Session Analyzer using nGenius
Configuration Manager (nGenius CM) or nGeniusONE can display 17.6.2.2 and later G10 and
GeoBlade probes along with InfiniStreamNGs and ISNG RANs. G10s and GeoBlades are
controlled and configured by OAM, but nGenius CM can provide visibility to them. To enable this
visibility:
• On the authenticating nGenius Configuration Manager or nGeniusONE server, configure
  the following in <NETSCOUT install>/rtm/bin/serverprivate.properties:
  ◦ webServicePort=11055, the web service port to the cache service on the irisOAM server.
    If not configured, the default is 11055.
  ◦ irisOAMhost=<server url>, the host name with full domain name of the irisOAM server.
  ◦ ncmPropertyUseProbeCache=true, whether or not to maintain a probe cache. If not
    configured, the default is false.
  ◦ ncmPropertyProbeRefreshMin=10, if probe cache is used, the refresh interval in
    minutes. If not configured, the default is 5.

To enable G10 and GeoBlade visibility in nGenius CM authentication mode when using nGenius
Subscriber Cache (SCS):
• On the OAM interface, activate SCS for OAM-managed probes with the
  com.tektronix.iris.isa-sr2d.plist/SubscriberCacheEnabled plist property. See the OAM
  TekAdmin Guide for more information.
• On InfiniStreamNG(Geo) appliances managed by nGenius Configuration Manager or
  nGeniusONE, enable SCS with the XML file in the /iris_kpi_db/configManager/changes
  directory. See Configuring nGenius Subscriber Cache Digit Types for more information.
• Ensure nGenius Subscriber Cache (SCS) servers have enough SCS probe licenses enabled to
  display all probes (see Monitored Elements Supported per License).
• If the default ScsPort (11117) is not used on the SCS primary server, configure
  fileCollector.oam.probe.port in <SCS Install>/rtm/scs/config/localConf/scsLocalConf.xml.
• Align all digit types with one another in OAM, SCS, and nSA:
  ◦ OAM - com.tektronix.iris.isa-sr2d.plist/SubscriberCacheDigitsConfig/1/digitids (OAM
    TekAdmin Guide)
  ◦ SCS - scs.digitTypes in <SCS Install>/rtm/scs/config/localConf/scsLocalConf.xml (see
    Configuring nGenius Subscriber Cache Digit Types).
  ◦ nSA - geo.server.scsDigitTypes in
    <nSA Install>/rtm/nsaapp/config/localConf/nsaLocalGEOConf.xml (see 8.3.12 Configuring
    nGenius Subscriber Cache Digit Types).
• On the nGenius Subscriber Cache (SCS) user interface:
  ◦ Configure nGenius CM authentication.
  ◦ Add nGenius Session Analyzer servers to nGenius Subscriber Cache (SCS) Server
    Management.
  ◦ Ensure the intended probes and digit types are configured in the Subscriber Cache
    Configuration module on the nGenius Subscriber Cache server.
  See the nGenius Subscriber Cache (SCS) Help for more information.

8.3.9 Configuring Failure and Timeout Indication in nGenius CM Authentication Mode


nGenius Session Analyzer uses icons to help users identify sessions that have failed or timed out.
In OAM mode, nGenius Session Analyzer reads the plist and enforces the indicators configured
on the OAM ISA Configuration tab (see OAM Help). For nGenius CM mode:
• Configure failure indicators in the <prop key="geo.server.indicator-configuration.configs">
  section of <nSA Install>/rtm/nsaapp/config/localConf/nsaLocalGEOConf.xml.
• Find the values for each application protocol in
  <nSA Install>/rtm/nsaapp/config/commonPlist/com.tektronix.iris.appid.

8.3.9.1 Example Indicator Configuration Section


The following section shows an example failure indication configuration with commented help
text in bold.
<prop key="geo.server.indicator-configuration.configs">
  <properties>
    <prop key="all"> <!-- For ALL probeTypes -->
      <properties>
        <prop key="-1"> <!-- -1 means for ALL applications -->
          <properties>
            <prop key="failed"> <!-- Indicate as Failed status in nSA for the statuses listed in the next line -->
              <string>failed</string> <!-- the status sent from probe to server -->
            </prop>
            <prop key="timedout"> <!-- Indicate as Timeout status in nSA server for the statuses listed in the next line -->
              <string>timedout</string> <!-- If probe marked the status as Timeout -->
            </prop>
          </properties>
        </prop>

        <!-- This section means for appid 230 which is RTP+RTCP, if the status of the record/PDU
             is failed or timedout, per following end-user configuration, the session record/PDU will
             be considered to be normal for all probe types. -->
        <prop key="230"> <!-- application id which can be found in plist com.tektronix.iris.appid for corresponding application name -->
          <properties>
            <prop key="normal">
              <string>failed,timedout</string>
            </prop>
          </properties>
        </prop>
      </properties>
    </prop>

    <!-- This section means for appid 243 which is RTCP-Only application, if the
         status of the record/PDU is failed or timedout, per following end-user configuration,
         the session record/PDU will be considered to be normal for SpIprobes. -->
    <prop key="spi">
      <properties>
        <prop key="243">
          <properties>
            <prop key="normal">
              <string>failed,timedout</string>
            </prop>
          </properties>
        </prop>
      </properties>
    </prop>
  </properties>
</prop>

8.3.10 Enabling Access of SpIprobes in nGenius CM Mode


With the SpIAdapter feature, you can configure nGeniusONE or nGenius Configuration Manager
authenticating servers to allow nGenius Session Analyzer in nGenius CM mode to access
SpIprobes. To display SpIprobes in nGenius Session Analyzer, you must have a user account
called "geo" configured in GeoProbe SpImain System Administration. For more information
about adding a user with the SpImain window, see "Adding a User" in the GeoProbe Getting
Started and System Administrator Guide.

To enable SpIprobe access for nSA in nGenius CM mode, create a section with the properties
described in the table below in <Install directory>/rtm/bin/serverprivate.properties on the
authenticating nGeniusONE or nGenius Configuration Manager server.


Table 8.2 - SpIAdapter Configuration Properties

| Name | Default | Note |
|---|---|---|
| spiAdapterHost | empty string | Single IP address or multiple IP addresses separated by comma. |
| spiAdapterVersion | 2 | |
| spiTopologyPollingInterval | 3600 (second) | |
| spiAdapterPort | 9992 | |
| spiTopologyPort | 9993 | |

Example: SpIAdapter Configuration Properties in serverprivate.properties

These properties do not exist in the file until manually added. By default, ports, version, and
interval are set in the code, so setting host only in the properties file is enough.
spiAdapterHost=<SpIserver IP address>

8.3.11 Configuring PCAPng Export for Scheduled Capture


You must specify a relative local configuration path in nGenius Session Analyzer for Session
Scheduler PCAPng export. If you do not specify the maximum capture size in the nGenius Session
Analyzer API, the maximum capture size in the local configuration is used to limit the maximum
capture packet size in GB per session, per export request. In this case, the local configuration
uses the maxFileSize property to limit the maximum size per file in GB. The
maxExportPcapngPerServer property is the maximum number of export-all User Plane PDUs
operations that can run simultaneously on the server.

Configure PCAPng export parameters in these files in <nSA Install>/rtm/nsaapp/config/localConf/:
• nsaLocalGEOConf.xml - capture sizes and limits
• nsaLocalCommonConf.xml - export location and storage threshold

8.3.11.1 nsaLocalGEOConf.xml
Configure the maximum export capture size, the maximum file size, the maximum size of the sum
of all files, and the maximum number of simultaneous exports of all PDUs per server instance
from the UI, API, and Session Scheduler.
<!-- the max export capture size in GB per session, per export request -->
<prop key="geo.server.maxExportCapSize">
  <string>20</string>
</prop>
<!-- the max size per file in GB -->
<prop key="geo.server.maxFileSize">
  <string>2</string>
</prop>
<!-- the max number of exporting all user plane PDUs simultaneously per nSA server
     instance, including all requests from nSA GUI, nSA API and nFC -->
<prop key="geo.server.maxExportPcapngPerServer">
  <string>50</string>
</prop>


8.3.11.2 nsaLocalCommonConf.xml
Designate the location and storage threshold of the directory to export scheduled capture
PCAPng files.
<!-- nFC pcapng file location, system admin needs to set up the mounted point, then
     update this property -->
<!-- After configuring this property, the location has to exist and be accessible
     from ngenius user -->
<prop key="geo.server.nFC.PcapngFileLocation">
  <string></string>
</prop>

<!-- nFC pcapng file location used space percentage threshold, profiles with PCAPNG
     format will not execute if the location exceeds this threshold -->
<prop key="nfcPcapngFileLocationUsedSpacePercentageThreshold">
  <integer>90</integer>
</prop>

8.3.12 Configuring nGenius Subscriber Cache Digit Types


The following sections show how to configure digit types when nGenius Subscriber Cache uses
nGenius CM authentication. For information about configuring digit types for OAM
authentication, see "Configuring nGenius Subscriber Cache Digit Types" in the OAM TekAdmin
Guide.

The digit types available for nGenius Subscriber Cache are configurable. The table below shows
the digit IDs used to define the supported digit types.

Table 8.5 - Digit IDs

| Digit ID | Subscriber ID Type |
|---|---|
| 1 | CallingParty |
| 2 | CalledParty |
| 13 | IMSI |
| 14 | MSISDN |
| 15 | IMEI |
| 55 | IpPlusPort |
| 75 | IPADDR |
| 268 | SubscriberNumber |
| 32767 | Application |


Beginning with the 6.3.2 release, nGenius Subscriber Cache digit types are configured by
executing API commands from the authenticating nGeniusONE or nGenius
Configuration Manager server. Refer to the following guides:
• InfiniStreamNG(Geo Mode) Guide - "Updating GEO Properties for nCM Deployments" for
  JSON and XML API input examples.
• Guide to the RESTful API for nGeniusONE Configuration for more information about using the
  API.

8.3.13 Configuring DigitMasking_Default.xml


The default masking configuration file, DigitMasking_Default.xml, is installed on the
nGenius Session Analyzer server after nGenius Session Analyzer package installation. The
location is <nGenius Session Analyzer Install>/rtm/nsaapp/config/geoMaskingConf.
DigitMasking_Default.xml defines IP address inner and outer types, and the types of IP
addresses that can be masked. This masking configuration is per server. If
DigitMasking_Default.xml is changed, reload the masking configuration at
https://<nGenius Session Analyzer Server IP HTTPS>:8443/nsaapp/nsaConfigReload.jsp.

During installation, the following applies to the "Display Flow User Plane Metadata" privilege for
existing users:
• Users with privilege: "View Inner IP" and "View Outer IP" are set to true.
• Users without privilege: "View Inner IP" is set to false and "View Outer IP" is set to true.

8.3.13.1 IP Address Masking in DigitMasking_Default.xml


These rules apply to how IP addresses are masked based on DigitMasking_Default.xml:
• Inner IP address subtypes are defined in <InnerIpAddressSubTypeNames>. These subtype
  definitions are used to mask inner IP addresses in session records, and they are controlled
  by the "View Inner IP" user configuration if it is set to false.
• IP address subtypes other than those defined in <InnerIpAddressSubTypeNames> are
  considered outer IP address subtypes. These subtypes not defined as inner subtypes
  are used to mask outer IP addresses in session records, and they are controlled by the "View
  Outer IP" user configuration if it is set to false.
• Inner IP address node types are defined in <InnerIpAddressNodeTypeNames>. These node
  type definitions are used by IP masking in message details, and they are controlled by the
  "View Inner IP" user configuration if it is set to false.
• IP address node types other than those defined in <InnerIpAddressNodeTypeNames> are
  considered outer IP address node types. These node types not defined as inner node
  types are used to mask outer IP addresses in message details, and they are controlled by
  the "View Outer IP" user configuration if it is set to false.

8.3.13.2 Changing Masking Behavior Defined in DigitMasking_Default.xml


Update existing DigitMasking_Default.xml as needed if the customer wants a different masking
behavior:


• To switch an IP address type between inner and outer, add or remove the type to or from
  InnerIpAddressSubTypeNames for session record masking, and add or remove the type to
  or from InnerIpAddressNodeTypeNames for message details masking.
• To exclude an inner IP address from masking, include the subtype name in
  <excludedIpAddressSubTypeNames> under <InnerIpAddressDigitMasking>, and put the
  node type name in <excludedIpAddressNodeTypeNames> under
  <InnerIpAddressDigitMasking>.
• To exclude an outer IP address from masking, include the subtype name in
  <excludedIpAddressSubTypeNames> under <OuterIpAddressDigitMasking>, and put the
  node type name in <excludedIpAddressNodeTypeNames> under
  <OuterIpAddressDigitMasking>.

Example: If the customer does not want to mask DOWNLINK_IP, add DOWNLINK_IP into
<excludedIpAddressSubTypeNames>.
<InnerIpAddressDigitMasking>
  <excludedIpAddressSubTypeNames>
    <value>DOWNLINK_IP</value> <!-- will be excluded from masking -->
  </excludedIpAddressSubTypeNames>
</InnerIpAddressDigitMasking>

Example: If the customer does not want to mask Gm UE IP Pool in
InnerIpAddressNodeTypeNames, add Gm UE IP Pool into
<InnerIpAddressDigitMasking>/<excludedIpAddressNodeTypeNames>.
<InnerIpAddressDigitMasking>
  <excludedIpAddressNodeTypeNames>
    <value>Gm UE IP Pool</value> <!-- will be excluded from masking -->
  </excludedIpAddressNodeTypeNames>
</InnerIpAddressDigitMasking>

Example: If the customer does not want to mask HSS IP Address, which is not defined in
InnerIpAddressSubTypeNames, add HSS into
<OuterIpAddressDigitMasking>/<excludedIpAddressSubTypeNames>.
<OuterIpAddressDigitMasking>
  <excludedIpAddressSubTypeNames>
    <value>HSS</value> <!-- will be excluded from masking -->
  </excludedIpAddressSubTypeNames>
</OuterIpAddressDigitMasking>

Example: If the customer does not want to mask the SGW node type, which is not defined in
InnerIpAddressNodeTypeNames, add SGW into the section
<OuterIpAddressDigitMasking>/<excludedIpAddressNodeTypeNames>.
<OuterIpAddressDigitMasking>
  <excludedIpAddressNodeTypeNames>
    <value>SGW</value> <!-- will be excluded from masking -->
  </excludedIpAddressNodeTypeNames>
</OuterIpAddressDigitMasking>
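
The rules in 8.3.13.1 and the exclusions in 8.3.13.2 combine into one decision per IP address: inner or outer, then excluded or governed by the matching "View Inner IP" / "View Outer IP" setting. The following Python is an added example, not NETSCOUT code, that evaluates that decision and lists every type an edited file exempts from masking, so a change can be reviewed before the configuration is reloaded. The input is a constructed reduction of DigitMasking_Default.xml with the four exclusions above applied, and the class and function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed input: DigitMasking_Default.xml reduced to the IP-masking sections,
# with the DOWNLINK_IP, HSS and SGW exclusions from the examples above applied.
MASKING_XML = """\
<Configuration>
  <InnerIpAddressSubTypeNames>
    <value>SUBSCRIBER_IP</value><value>CLIENT</value><value>SERVER</value>
    <value>MEDIA_IP</value><value>UPLINK_IP</value><value>DOWNLINK_IP</value>
  </InnerIpAddressSubTypeNames>
  <InnerIpAddressNodeTypeNames>
    <value>SUBSCRIBER IP Node</value><value>Gm UE IP Pool</value>
    <value>CLIENT</value><value>SERVER</value>
  </InnerIpAddressNodeTypeNames>
  <InnerIpAddressDigitMasking>
    <excludedIpAddressSubTypeNames><value>DOWNLINK_IP</value></excludedIpAddressSubTypeNames>
    <excludedIpAddressNodeTypeNames/>
  </InnerIpAddressDigitMasking>
  <OuterIpAddressDigitMasking>
    <excludedIpAddressSubTypeNames><value>HSS</value></excludedIpAddressSubTypeNames>
    <excludedIpAddressNodeTypeNames><value>SGW</value></excludedIpAddressNodeTypeNames>
  </OuterIpAddressDigitMasking>
</Configuration>
"""

# "subtype" governs session records, "nodetype" governs message details.
_INNER_LIST = {"subtype": "InnerIpAddressSubTypeNames",
               "nodetype": "InnerIpAddressNodeTypeNames"}
_EXCLUDED_LIST = {"subtype": "excludedIpAddressSubTypeNames",
                  "nodetype": "excludedIpAddressNodeTypeNames"}
_SECTION = {"inner": "InnerIpAddressDigitMasking",
            "outer": "OuterIpAddressDigitMasking"}


def _values(root, path):
    """Collect the text of every <value> child found under the given path."""
    return {v.text.strip() for v in root.findall(path + "/value") if v.text}


class MaskingPolicy:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.inner = {kind: _values(root, ".//" + tag)
                      for kind, tag in _INNER_LIST.items()}
        self.excluded = {
            side: {kind: _values(root, ".//" + section + "/" + tag)
                   for kind, tag in _EXCLUDED_LIST.items()}
            for side, section in _SECTION.items()
        }

    def decide(self, kind, name, view_inner_ip, view_outer_ip):
        """Return (side, masked) for an IP address of the given sub/node type."""
        # Anything not listed as inner is treated as outer.
        side = "inner" if name in self.inner[kind] else "outer"
        # An exclusion wins over the user's view setting.
        if name in self.excluded[side][kind]:
            return side, False
        allowed = view_inner_ip if side == "inner" else view_outer_ip
        return side, not allowed

    def unmasked_for_everyone(self):
        """Types exempt from masking whatever the user's settings are."""
        return sorted((side, kind, name)
                      for side, kinds in self.excluded.items()
                      for kind, names in kinds.items()
                      for name in names)


if __name__ == "__main__":
    policy = MaskingPolicy(MASKING_XML)
    for entry in policy.unmasked_for_everyone():
        print("exempt from masking:", entry)
    print(policy.decide("subtype", "SUBSCRIBER_IP", False, True))
```

Because an exclusion applies regardless of "View Inner IP" and "View Outer IP", the list returned by `unmasked_for_everyone()` is the part of a masking change that most needs a second reviewer.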

8.3.13.3 DigitMasking_Default.xml Example


The following example shows the sections and some of the available parameters in the
<nGenius Session Analyzer Install>/rtm/nsaapp/config/geoMaskingConf/DigitMasking_Default.xml
file.
<?xml version="1.0" encoding="UTF-8"?>

<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="DigitMasking_Default.xsd" >
<DigitMasking>
<DigitNames>
<digitNameToMask value="Enum"/>
<digitNameToMask value="DHCP Client ID"/>
<digitNameToMask value="IMSI"/>
<digitNameToMask value="MSISDN"/>
<digitNameToMask value="IMEI"/>
<digitNameToMask value="IMEISV"/>
<digitNameToMask value="MEID"/>
<digitNameToMask value="GUTI"/>
<digitNameToMask value="STMSI"/>
<digitNameToMask value="CallingParty"/>
<digitNameToMask value="CalledParty"/>
<digitNameToMask value="RedirectingNumber"/>
...

</DigitNames>

<attributesToMask>

<attributeToMask key = "ASCII" value="VALUE"/>


<attributeToMask key = "INTEGER" value="VALUE"/>
<attributeToMask key = "LONG" value="VALUE"/>
<attributeToMask key = "IP_PLUS_NODE" value="IP"/>
<attributeToMask key = "IP_PLUS_PORT" value="IP"/>
<attributeToMask key = "IPV4" value="VALUE"/>
<attributeToMask key = "BCD" value="HEX_STRING"/>
<attributeToMask key = "PHONE_NUMBER" value="PHONE_NUMBER"/>
<attributeToMask key = "HEX_OCTETS" value="HEX_STRING"/>
<attributeToMask key = "IPV4V6" value="VALUE"/>
<attributeToMask key = "URI" value="VALUE"/>

</attributesToMask>

</DigitMasking>

NETSCOUT Server Administrator Guide 335


© NETSCOUT CONFIDENTIAL & PROPRIETARY
Ver. 6.3.2 | August 2021 8  nGenius Session Analyzer
733-1574 Rev. F

<ContentNames>
<FullContentMaskNames>

<nameToMask value="UserName"/>

</FullContentMaskNames>

<NormalContentMaskNames>

<nameToMask value="SubscriptionId"/>
<nameToMask value="To"/>
<nameToMask value="IMPI"/>

</NormalContentMaskNames>

<FlowApplicationMasking>true</FlowApplicationMasking>
<FlowURLsMasking>true</FlowURLsMasking>
<FlowUserAgentsMasking>true</FlowUserAgentsMasking>

</ContentNames>

<!-- any IP address sub type other than what is defined in


InnerIpAddressSubTypeNames, will be considered as outer sub type -->

<InnerIpAddressSubTypeNames>

<value>SUBSCRIBER_IP</value>
<value>CLIENT</value>
<value>SERVER</value>
<value>MEDIA_IP</value>
<value>UPLINK_IP</value>
<value>DOWNLINK_IP</value>

</InnerIpAddressSubTypeNames>

<!-- any node types other than what is defined in InnerIpAddressNodeTypeNames, will
be considered as Outer node type, ex: SGW, MME -->

<InnerIpAddressNodeTypeNames>

<value>SUBSCRIBER IP Node</value>
<value>Gm UE IP Pool</value>
<value>CLIENT</value>
<value>SERVER</value>

</InnerIpAddressNodeTypeNames>


<!-- Inner IP Addresses Masking -->

<InnerIpAddressDigitMasking>

<IpAddressNames>

<value>IPADDR</value> <!-- This IPADDR includes all inner IPADDR + sub types, i.e. IPADDR(SUBSCRIBER_IP), IPADDR(CLIENT), IPADDR(SERVER), IPADDR(MEDIA_IP), IPADDR(UPLINK_IP), IPADDR(DOWNLINK_IP) -->
<value>MSIP</value>
<value>SubscriberIpAddr</value>
<value>Client IP</value>
<value>Server IP</value>
<value>IpPlusPort</value>

</IpAddressNames>

<attributesToMask>

<attributeToMask key = "IP_PLUS_NODE" value="IP"/>


<attributeToMask key = "IPV4" value="IP"/>
<attributeToMask key = "IPV4V6" value="IP"/>
<attributeToMask key = "IP_PLUS_PORT" value="IP"/>

</attributesToMask>

<excludedIpAddressSubTypeNames>

<!--value value="SOME INNER IP SUB TYPE"/--> <!-- will be excluded from masking -->

</excludedIpAddressSubTypeNames>

<excludedIpAddressNodeTypeNames>

<!-- nodeTypeNameToMask value="SOME INNER NODE TYPE"/--> <!-- will be excluded from masking -->

</excludedIpAddressNodeTypeNames>

</InnerIpAddressDigitMasking>

<!-- Outer IP Addresses Masking -->

<OuterIpAddressDigitMasking>

<IpAddressNames>

<value>IPADDR</value> <!-- This IPADDR includes all outer IPADDR + sub types, i.e. IPADDR(MME) -->

</IpAddressNames>

<attributesToMask> <!-- The outer IP attributeToMask should be same as inner IP's -->

<attributeToMask key = "IP_PLUS_NODE" value="IP"/>


<attributeToMask key = "IPV4" value="IP"/>
<attributeToMask key = "IPV4V6" value="IP"/>
<attributeToMask key = "IP_PLUS_PORT" value="IP"/>

</attributesToMask>

<excludedIpAddressSubTypeNames>

<!--value value="SOME OUTER IP SUB TYPE"/--> <!-- will be excluded from masking -->

</excludedIpAddressSubTypeNames>

<excludedIpAddressNodeTypeNames>

<!-- nodeTypeNameToMask value="SOME OUTER NODE TYPE"/--> <!-- will be excluded from masking -->

</excludedIpAddressNodeTypeNames>

</OuterIpAddressDigitMasking>

</Configuration>

8.3.14 Mapping Global Title Translation Digit Types


nGenius Session Analyzer with InfiniStreamNG(Geo) supports:
• Global Title mapping to pointcodes for full nSA visibility and capabilities for all legs.
• Global Title search capability

See these sections:

• GTT Configuration
• Display Nodes in the Ladder Diagram


8.3.14.1 GTT Configuration


Configure Global Title Translation (GTT) digits specific to your network in the
globalTitleToPointcode.xml file found in the
<NETSCOUTInstall>/rtm/nsaapp/config/geoTopologyCache/ directory on the nGenius Session
Analyzer server. The GTT configuration is retained upon upgrade. The following section shows an
example GTT configuration for guidance. Use values relevant to your network when configuring
this feature.

Example: GTT Configuration


<?xml version="1.0" encoding="UTF-8"?>
<properties version="0.1">

<!-- In one prop entry, prop key is the global title digit value, and the string value is the
point code value. The string representation of the point code should have numbers separated
by dashes (e.g.: in ANSI: 8-8-8, ITU: 3-8-3)..
Multiple global title entries could have same value of point code.
If the global title key is same in multiple entries, but value of point code is
different, the last point code value will be set for the global title
-->

<prop key="globalTitleToPointcode">
<properties>
</properties>
</prop>

<!-- Sample global title to point code below.


<prop key="globalTitleToPointcode">
<properties>
<prop key="6590247982">
<string>6-160-0</string>
</prop>
<prop key="6590247981">
<string>6-160-0</string>
</prop>
<prop key="6598540090">
<string>4-096-4</string>
</prop>
</properties>
</prop>
-->

</properties>
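The comment in the file above says that a repeated global title key silently takes the last point code. The following pre-deployment check is an added example, not NETSCOUT code; it parses the same layout and reports overridden keys and malformed point codes. The sample XML is constructed, and the digits-only rule for global title keys is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout of the guide's example: the first key is
# repeated with a different point code and the last value is malformed.
SAMPLE_GTT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<properties version="0.1">
  <prop key="globalTitleToPointcode">
    <properties>
      <prop key="6590247982"><string>6-160-0</string></prop>
      <prop key="6590247981"><string>6-160-0</string></prop>
      <prop key="6590247982"><string>4-096-4</string></prop>
      <prop key="6598540090"><string>4.096.4</string></prop>
    </properties>
  </prop>
  <!-- Commented-out samples, as in the shipped file, are ignored by the parser. -->
</properties>
"""

POINT_CODE = re.compile(r"^\d+(-\d+)+$")  # numbers separated by dashes
GT_DIGITS = re.compile(r"^\d+$")          # assumption: keys are decimal digits


def load_gtt(xml_text):
    """Return (mapping, findings) for a globalTitleToPointcode.xml document.

    mapping  : {global_title: point_code} with last-entry-wins semantics
    findings : list of (kind, global_title, detail) tuples in file order
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    mapping, findings = {}, []
    for outer in root.findall("prop"):
        if outer.get("key") != "globalTitleToPointcode":
            continue
        for entry in outer.findall("properties/prop"):
            gt = (entry.get("key") or "").strip()
            pc = (entry.findtext("string") or "").strip()
            if not GT_DIGITS.match(gt):
                findings.append(("bad-global-title", gt, pc))
                continue
            if not POINT_CODE.match(pc):
                findings.append(("bad-point-code", gt, pc))
                continue
            if gt in mapping and mapping[gt] != pc:
                # The earlier value is lost without any error at load time.
                findings.append(("overridden", gt, f"{mapping[gt]} -> {pc}"))
            mapping[gt] = pc
    return mapping, findings


def titles_by_point_code(mapping):
    """Invert the mapping: several global titles may share one point code."""
    by_pc = {}
    for gt, pc in sorted(mapping.items()):
        by_pc.setdefault(pc, []).append(gt)
    return by_pc


if __name__ == "__main__":
    gtt, issues = load_gtt(SAMPLE_GTT_XML)
    for kind, gt, detail in issues:
        print(f"{kind}: {gt} ({detail})")
    for pc, titles in titles_by_point_code(gtt).items():
        print(pc, "<-", ", ".join(titles))
```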

8.3.14.2 Display Nodes in the Ladder Diagram


To display BSC, RNC, MSC, and MGW node names in the Ladder Diagram:

• nGenius CM - Go to Global Settings > Locations > Point Code and add and configure a
node. See the nGenius Configuration Manager Help for more information.
• OAM - Go to System Config > Topology > Managed Objects > Nodes and configure a
node in the Node Details pane. See the OAM Help for more information.

8.3.15 User Plane Capture Configuration


When an nSA User Data Capture session is initiated from its User Plane Sessions module, nSA
overrides the InfiniStreamNG(Geo) configuration and captures the full user plane data and user
content for the specified duration (configurable maximum of 72 hours). After that duration, nSA
reverts to the probe configuration.

From the InfiniStreamNG(Geo) perspective, the base probe configuration is overridden just for
User Data Capture subscribers/sessions and any related user plane data or user content. For all
other nSA sessions, the InfiniStream(Geo) configuration controls the capture.

For example, if the InfiniStreamNG(Geo) is set to capture RTP headers only with the "geo_probe
rtp_header_only_capture = on" setting:
• If User Data Capture is not running for any nSA session, then only RTP headers are
captured for all sessions.
• If User Data Capture is initiated for some nSA sessions but not others, then all RTP packets
are captured for the UDC-initiated sessions and only RTP headers are captured for the
other sessions.

For a full description of nGenius Session Analyzer user plane privileges configurable in nGenius
CM User Management, see "User Data Capture" in the nGenius Session Analyzer Product Overview
document. The nSA Help contains brief descriptions of each privilege.

User Plane Capture XML File


Releases prior to 6.3.1 require a change file for nGenius CM authentication mode to enable User
Plane Capture in the isa plist. To enable User Plane Capture, create an xml file in
/iris_kpi_db/configManager/changes as shown below and follow the procedure in "Updating GEO plists
for nCM Deployments" of the InfiniStreamNG(Geo Mode) Deployment Guide. For releases 6.3.1 and
after, the userPlaneCaptureEnabled is set to "true" by default.

<changes>
<change key="com.tektronix.iris.isa.userPlaneCaptureEnabled">
<properties>
<prop key="userPlaneCaptureEnabled">
<boolean>true</boolean>
</prop>
</properties>
</change>
</changes>

8.4 Log, Backup, and Config Files


See these sections for file locations and retention after upgrades:

• 8.4.1 nGenius Session Analyzer Log Files
• 8.4.2 Backed-Up File Locations
• 8.4.3 Post-Upgrade Configuration File Retention

8.4.1 nGenius Session Analyzer Log Files


All logs reside in the <product install>/rtm/log/ directory. The primary logs associated with the
application include scs, nGenius, or nsa in the file name. The rest are from the infrastructure and
are equally important. These log types also reside in the <product install>/rtm/log directory:
• config_tomcatnsa.log
• debuglog-pm-[day-of_week].txt
• dpinstall.log
• InstallLog.txt
• loadbalancerdebuglog-[day-of_week].txt
• nGenius-debug.txt
• nGenius_Session_Analyzer_Install_[MM_DD_YYYY_HH_MM_SS].log
• nsacontentdebuglog-[day-of_week].txt
• patchinstall.log
• Sniffer_Decode_and_Expert_Pack_Install_[MM_DD_YYYY_HH_MM_SS].log

8.4.2 Backed-Up File Locations


Certain folders and files on the nGenius Session Analyzer Server are backed up in the process of
upgrading. Table 8.9 lists the backed up folders and files and provides names and locations of
the backups.

Table 8.9 - Backed-up File Locations

| File/Folder | Backed Up to: |
|---|---|
| <nSA Install>/rtm/bin | <nSA Install>/rtm_BACKUP_FOR_{version}/bin |
| <nSA Install>/rtm/nsaapp/config | <nSA Install>/rtm/nsaapp/config_bak |
| <nSA Install>/config/common.properties | <nSA Install>/rtm_BACKUP_FOR_{version}/common.properties |
| <nSA Install>/rtm/pa/prtclproperties.cfg | <nSA Install>/rtm_BACKUP_FOR_{version}/prtclproperties.cfg |
| <nSA Install>/tomcat/bin/tomcat.properties | <nSA Install>/rtm_BACKUP_FOR_{version}/tomcat.properties |
| <nSA Install>/rtm html/client.properties | <nSA Install>/rtm_BACKUP_FOR_{version} html/client.properties |
| <nSA Install>/rtm html/ngeniusclient.truststore | <nSA Install>/rtm_BACKUP_FOR_{version} html/ngeniusclient.truststore |


8.4.3 Post-Upgrade Configuration File Retention


During upgrade builds, nGenius Session Analyzer retains files with user-configurable
parameters. The table below lists files in <nSA install>/rtm/nsaapp/config and describes whether
they are retained or overwritten.

Table 8.10 - Configuration File Retention

| File Name | Format | File Retained |
|---|---|---|
| nsa-config.xml | XML | Yes. You cannot add new parameters. You can only modify values for existing parameters. |
| localConf/nsaLocalCommonConf.xml | XML | Yes. You cannot add new parameters. You can only modify values for existing parameters. |
| localConf/nsaLocalGEOConf.xml | XML | Yes. You cannot add new parameters. You can only modify values for existing parameters. |
| localConfig/export/exportConfig.xml | XML | Yes. You cannot add new parameters. You can only modify values for existing parameters. |
| replication-config.xml | XML | No. Overwritten with default from new build. Do not modify. |
| ehcache.xml | XML | No. Overwritten with default from new build. Do not modify. |
| geoMpc/defaultIrisMpcRules and geoMpc/defaultSpiMpcRules | Text | No. Overwritten with defaults from new build. Do not modify. |
| geoMpc/* | Text | Yes. User-specific MPC rule text files are retained from the old build. |
| geoMaskingConf/DigitMasking_Default.xml | XML | No. Overwritten with default from new build. Do not modify. |
| geoMaskingConf/*.xml | XML | Yes. Files from old build retained, except DigitMasking_Default.xml. |
| geoServiceDef/services.xml | XML | Yes. Changes from the old services.xml are merged with the new/modified services from the new services.xml. If you want to retain a service created across upgrades without any changes, create the service with a unique key (compared to the Service1, Service2 used by default). If you want to retain a new condition for an existing service (within conditions and failureConditions), use a unique key (compared to condition1, condition2 used by default). If both the old and new services files have the same key for a service, then the <prop key="serviceName">, <prop key="conditions">, <prop key="conditionOperator"> and <prop key="failureConditions"> for that service are compared between the 2 files. For any tag that repeats in the 2 files (e.g. <prop key="condition1">), the values are retained from the old file. If any conditions are introduced in the new file, they are appended. If you intentionally delete a service or a condition in the old file, the deletion remains during the upgrade. The order of services in services.xml is important. The order in which you add services in the old services.xml is retained during the upgrade. |
| geoServiceDef/*.xml | XML | Yes. Files retained from old build, except services.xml. These additional service definition files may exist if specified in scenario files. |
| geoTopologyCache/* | XML | Yes. These files are provided by nGenius CM or OAM. The files in this directory supplied by the new build are defaults and are not valid. The old build stores backup copies of configuration received from nGenius CM or OAM. |
| geoPassThrough/* | XML | Yes. These files are provided by nGenius CM or OAM. The files in this directory supplied by the new build are defaults and are not valid. The old build stores backup copies of configuration received from nGenius CM or OAM. |
| geoFileBasedConf/pointcodes.xml | XML | No. Overwritten with default from new build. Do not modify. |
| geoFileBasedConf/* | XML or Text | Yes. XML or text Digit Stripping Rule files are retained from the old build. Default from the build is empty (digitStripping.xml). By default, the digitStripping comes from OAM in OAM mode. In nGenius CM mode these Digit Stripping Rule files can be used (and specified in nsa-config.xml). |
| geoScenarios/*.xml | XML | Yes. These files are retained from the old build. Use the files to load scenarios from files instead of those created on the nGenius Session Analyzer GUI, which by default are loaded from the database. |
| localConf/*.xml | XML | Yes. Files from old build are retained, except nsaLocalCommonConf.xml and nsaLocalGEOConf.xml. |
| localConfig/export/NSDisclaimer.txt | Text | Yes. File from old build retained. It may have been customized for that deployment. |


9 nGenius Subscriber Cache (SCS)


nGenius Subscriber Cache, also known as Subscriber Cache Server (SCS), is related to
nGeniusONE but has a separate installer. The installer automatically configures the server so it is
not necessary to specify Global or Standalone. On each type, you can use the Server
Management GUI to configure a secondary to the primary, managing server.

nGenius Subscriber Cache is used to provide optimized retrieval of subscriber data when
integrated with an nGenius Session Analyzer or ISA server. From Server Management, on this
server, you can add either a Secondary nGenius Subscriber Cache server or an nGenius Session
Analyzer. The latter procedure creates a trusted relationship for providing data to that caching
server. For the Primary/Secondary relationship, both nGenius Session Analyzer servers must
point to the same nGenius Subscriber Cache server.

nGenius Subscriber Cache (SCS) is built on the nGeniusONE framework and therefore follows the
same installation process. nGenius Subscriber Cache deployment and licensing exceptions are
covered in this chapter along with SCS-specific configuration. Only Linux is supported for
nGenius Subscriber Cache servers. See these sections for basic server requirements and
installation instructions:
• Preparation
• Installation and Upgrade

See the following SCS-specific sections:

• nGenius Subscriber Cache (SCS) Resilience
• nGenius Subscriber Cache Licensing
• nGenius Subscriber Cache (SCS) Sizing
• Configuring nGenius Subscriber Cache (SCS)
• nGenius Subscriber Cache (SCS) Logs

9.1 nGenius Subscriber Cache (SCS) Resilience


Each SCS server caches the digits configured to cache in a HashMap mapping probes to digits.
There are no standbys for SCS servers. When a server fails, that section of the cache is
unavailable until the server is restored. Users can still query the system, but they will not get the
benefit of that part of SCS. When an administrator brings that SCS server back up, the cache is
quickly built back up on that server. The digits are not lost and are retained in each probe.
Probes sync back up and update that SCS server with the full cache. In other words, they do not
need to rebuild the cache from new traffic. The earlier cache, along with any new digit
information, gets reimaged from the probes.

9.2 nGenius Subscriber Cache Licensing


nGenius Subscriber Cache (SCS) uses the same licensing model as nGenius Session Analyzer but
includes these requirements:
• Type 1 License separate from nSA Type 1 licenses.
• Separate server from the nSA server.
• Cannot coexist with an nSA server in the same appliance.
• Keep SCS Type 1 count the same as nSA so the same set of probes are being listed and
cached on both.
• As there are no RAN digits currently cached, there is no RAN licensing for SCS.
• SCS Server appliance must be designed based on the type and amount of traffic that needs
indexing.

9.3 nGenius Subscriber Cache (SCS) Sizing


SCS server sizing is based on the number of digits you want to cache and the number of
subscribers in the traffic. The default digit types cached are Called Party, Calling Party, IMSI,
MSISDN, IMEI, Subscriber Number, IpPlusPort, and IP Address. However, you can configure digit
types as needed for each deployment.

SCS server sizing is based on the number of digit types to be cached and the number of entries
per digit type. Currently the SCS supports 8 digit types. In the worst case, one subscriber has all
8 digit types, which means 1 million subscribers will have 8 million digit entries. Generally,
a 2-socket server with 384 GB of RAM can support 800 million digit entries, which translates to
100 million subscribers.

Consult the Sizing team at MBServiceProviderIns@netscout.com for more SCS sizing and
appliance information.

9.4 Configuring nGenius Subscriber Cache (SCS)


Use these sections to configure features and functionality for nGenius Subscriber Cache, also
known as Subscriber Cache Server (SCS):
• 9.4.1 Trusted Key for nGenius Session Analyzer and ISA Servers
• Configuring nGenius Subscriber Cache Digit Types
• 9.4.4 nGenius Subscriber Cache File Collector Configuration
• 9.5 nGenius Subscriber Cache (SCS) Logs

9.4.1 Trusted Key for nGenius Session Analyzer and ISA Servers
By default, when you add an nGenius Session Analyzer or ISA child server to an nGenius
Subscriber Cache server, a shared encrypted key is used to secure communications between
nGenius Subscriber Cache and the child servers. You must copy this key to any nGenius Session
Analyzer or ISA child servers you add, and these points apply:
• To generate and copy a new trusted key, use the Shared Secret Key field and Generate
button on the General Information tab for an nGenius Session Analyzer or ISA child server
in nGenius Subscriber Cache Server Management.
• Any regeneration of the key needs another manual update to the configuration parameter
on the nGenius Session Analyzer or ISA child servers.
• The trusted key is retained across upgrades.
• If there are multiple nGenius Session Analyzer servers in a cluster, each one needs to be
added to nGenius Subscriber Cache individually and its corresponding shared secret key
copied over to that nGenius Session Analyzer server.
• The trusted key is unique per nGenius Session Analyzer server and is not part of the
configuration files replicated from Primary nGenius Session Analyzer to Secondary nSA
Servers.
• Validation at nGenius Subscriber Cache is based on a combination of the nGenius Session
Analyzer or ISA IP address and the trusted key.
• nGenius Session Analyzer and ISA send the trusted key in RESTful API requests to nGenius
Subscriber Cache.

9.4.1.1 Copy Trusted Key to nGenius Session Analyzer Server


Any time you generate a new shared secret key for nGenius Session Analyzer in the nGenius
Subscriber Cache Server Management module, you must copy it to the
trustedKeyForSCSCommunication section of this file on the nGenius Session Analyzer server:

<nGenius Session Analyzer Install>/rtm/nsaapp/config/localConf/nsaLocalServerSpecificConf.xml

Example: nSALocalServerSpecificConf.xml Trusted Key Configuration


<?xml version="1.0" encoding="UTF-8"?>
<properties description="Stores nSA Configuration specific to one nSA Instance. Shouldn't be
replicated across nSA cluster"
version="0.1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<prop key="trustedKeyForSCSCommunication">
<!-- User has to copy the Trusted Key for this nSA Server from the SCS Server Management UI
and paste here -->
<string>efoTiHHzZFTns0QwNnNN4iAw120z6F8dGoC3A/DHFeM=</string>
</prop>

</properties>
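Because the trusted key is unique per nSA server and must not be replicated, a cluster audit can compare the key in each server's nsaLocalServerSpecificConf.xml. The following check is an added example, not NETSCOUT code; it flags a missing key, a key shared between servers, and the value printed in this guide's example. Server names and the two placeholder keys are constructed.

```python
import xml.etree.ElementTree as ET

# The value printed in the guide's example file; it is public, so a deployed
# server that still carries it has no effective secret.
GUIDE_SAMPLE_KEY = "efoTiHHzZFTns0QwNnNN4iAw120z6F8dGoC3A/DHFeM="


def make_conf(key):
    """Build a constructed nsaLocalServerSpecificConf.xml body for the demo."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<properties version="0.1">
  <prop key="trustedKeyForSCSCommunication">
    <string>{key}</string>
  </prop>
</properties>"""


# Constructed inputs: contents of the file as collected from four servers.
SAMPLE_CLUSTER = {
    "nsa-primary": make_conf("CONSTRUCTED-PLACEHOLDER-KEY-A"),
    "nsa-secondary": make_conf("CONSTRUCTED-PLACEHOLDER-KEY-A"),  # copied file
    "nsa-3": make_conf(GUIDE_SAMPLE_KEY),
    "nsa-4": make_conf(""),
}


def read_trusted_key(xml_text):
    """Return the trusted key string, '' if empty, or None if the prop is absent."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for prop in root.findall("prop"):
        if prop.get("key") == "trustedKeyForSCSCommunication":
            return (prop.findtext("string") or "").strip()
    return None


def audit_cluster(configs):
    """configs: {server_name: xml_text}. Return a sorted list of (server, issue)."""
    keys = {name: read_trusted_key(text) for name, text in configs.items()}
    owners = {}
    for name, key in keys.items():
        if key:
            owners.setdefault(key, []).append(name)
    issues = []
    for name, key in keys.items():
        if not key:
            issues.append((name, "missing"))
            continue
        if key == GUIDE_SAMPLE_KEY:
            issues.append((name, "guide-sample-key"))
        others = sorted(o for o in owners[key] if o != name)
        if others:
            issues.append((name, "shared-with:" + ",".join(others)))
    return sorted(issues)


if __name__ == "__main__":
    for server, issue in audit_cluster(SAMPLE_CLUSTER):
        print(f"{server}: {issue}")
```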

9.4.1.2 Copy Key to ISA


Any time you generate a new shared secret key for ISA in the nGenius Subscriber Cache Server
Management module, you must copy the trusted key from the ISA child server page in nGenius
Subscriber Cache Server Management and paste it into the
trustedKeyForScsCommunication property field for the server under
com.tektronix.iris.server.isa/clusterInstances. See OAM documentation for more information.

9.4.2 Configuring nGenius Subscriber Cache Digit Types


The following sections show how to configure digit types when nGenius Subscriber Cache uses
nGenius CM authentication. For information about configuring digit types for OAM
authentication, see "Configuring nGenius Subscriber Cache Digit Types" in the OAM TekAdmin
Guide.


The digit types available for nGenius Subscriber Cache are configurable. The table below shows
the digit IDs used to define the supported digit types.

Table 9.1 - Digit IDs

| Digit ID | Subscriber ID Type |
|---|---|
| 1 | CallingParty |
| 2 | CalledParty |
| 13 | IMSI |
| 14 | MSISDN |
| 15 | IMEI |
| 55 | IpPlusPort |
| 75 | IPADDR |
| 268 | SubscriberNumber |
| 32767 | Application |

Beginning with the 6.3.2 release, nGenius Subscriber Cache digit types are configured by
executing API commands from the authenticating nGeniusONE or nGenius
Configuration Manager server. Refer to the following guides:
• InfiniStreamNG(Geo Mode) Guide - "Updating GEO Properties for nCM Deployments" for
JSON and XML API input examples.
• Guide to the RESTful API for nGeniusONE Configuration for more information about using the
API.

9.4.3 Configuring nGenius Subscriber Cache File Retention


Use the following sections in the <SCS Install>/rtm/scs/config/localConf/scsLocalConf.xml file to
configure SCS file retention times. See also nGenius Subscriber Cache File Collector
Configuration.

9.4.3.1 Digit Cache Default Observation Capacity Property


<prop key="digitCache.default.observation.capacity">
<!-- 32 by default, this means cache can hold 32 days of information of a
subscriber, this value should be multiples of 8 to be byte bound.-->
<integer>32</integer>
</prop>

9.4.3.2 SCS Delete Aged Files


<prop key="scs.delete.aged.files.older.than">
<!--
- An integer in days. The file aging process will use this to delete expired
files.
- If less than or equal to zero, the file aging agent will NOT start or, if running,
it will stop.
This value should be less than the value of the property
digitCache.default.observation.capacity to be GDPR compliant. -->
<integer>3</integer>
</prop>
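The comments in the two properties above state three rules: the capacity is a multiple of 8, the file-aging value is below the capacity, and a value of zero or less stops the aging agent. The following check is an added example, not NETSCOUT code; it applies those rules to a scsLocalConf.xml body. The sample documents are constructed, and the enclosing <properties> root is an assumption based on the other configuration files shown in this guide.

```python
import xml.etree.ElementTree as ET

CAPACITY = "digitCache.default.observation.capacity"
AGE_OUT = "scs.delete.aged.files.older.than"


def make_conf(capacity, age_out):
    """Constructed scsLocalConf.xml fragment (root element is an assumption)."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<properties version="0.1">
  <prop key="{CAPACITY}"><integer>{capacity}</integer></prop>
  <prop key="{AGE_OUT}"><integer>{age_out}</integer></prop>
</properties>"""


SHIPPED_DEFAULTS = make_conf(32, 3)     # values shown in the guide
AGING_DISABLED = make_conf(30, 0)       # constructed misconfiguration
AGE_OUT_TOO_LONG = make_conf(16, 16)    # constructed misconfiguration


def read_int_props(xml_text):
    """Return {key: int} for every <prop> that holds an <integer> child."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    props = {}
    for prop in root.iter("prop"):
        value = prop.findtext("integer")
        if value is not None:
            props[prop.get("key")] = int(value.strip())
    return props


def check_retention(xml_text):
    """Return a list of findings; an empty list means all three rules hold."""
    props = read_int_props(xml_text)
    capacity = props.get(CAPACITY)
    age_out = props.get(AGE_OUT)
    findings = []

    if capacity is None:
        findings.append("capacity-missing")
    elif capacity <= 0 or capacity % 8:
        # The cache holds one observation per day and must be byte bound.
        findings.append("capacity-not-multiple-of-8")

    if age_out is None:
        findings.append("age-out-missing")
    elif age_out <= 0:
        # Expired files are never deleted while the agent is stopped.
        findings.append("aging-agent-disabled")
    elif capacity is not None and age_out >= capacity:
        # The guide ties this ordering to GDPR compliance.
        findings.append("age-out-not-below-capacity")

    return findings


if __name__ == "__main__":
    for label, doc in [("defaults", SHIPPED_DEFAULTS),
                       ("aging disabled", AGING_DISABLED),
                       ("age-out too long", AGE_OUT_TOO_LONG)]:
        print(label, "->", check_retention(doc) or "ok")
```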

9.4.4 nGenius Subscriber Cache File Collector Configuration


Access the nGenius Subscriber Cache file collector configuration settings in the
<SCS Install>/rtm/scs/config/localConf/scsLocalConf.xml file. The following table describes configurable file
collector parameters and displays their default values.

Table 9.5 - File Collector Configuration

| Parameter Name | Default Value | Comments |
|---|---|---|
| fileCollector.probe.port | 80 | Port number to use to connect to the probes. This is used for connecting to InfiniStream probes or when using nGenius CM authentication. |
| fileCollector.numTransferThreads | 5 | Max number of concurrent threads available for transferring files from the probes. |
| fileCollector.maxRetries | 10 | Max number of times that the FileCollector attempts to retrieve a file from a probe. |
| fileCollector.waitTimeIncrement | 30 | Amount of time in minutes that the FileCollector waits between retries. This is incremental because this amount of time is multiplied by the number of times it has already tried before. For example, if it is the first retry, it will wait 1*30=30 min. If it is the second retry, it will wait 2*30=60 min. So on and so forth. |
| fileCollector.connection.timeout | 60000 | Amount of time to wait for a connection to the probe to be established. Unit is in milliseconds. |
| fileCollector.retention.days | 32 | Number of days that will be retained in the transfer directory for each probe. |

9.5 nGenius Subscriber Cache (SCS) Logs


All nGenius Subscriber Cache logs reside in the <nGenius Subscriber Cache Install>/rtm/log/
directory. The primary logs associated with the nGenius Subscriber Cache application include
nGenius Subscriber Cache, nGenius, or nsa in the file name. The rest are from the infrastructure
and are equally important. These log types reside in the <nGenius Subscriber Cache
Install>/rtm/log directory:
• Aging
• Configuration upgrade
• Create FK index, function, and schema
• Database initialization logs
• Debug
• Diagnostic
• Digit Cache
• Event
• Load balancer
• Memory
• nGenius content
• nSA content
• NS logs
• PA logs
• Postgres
• Query
• Remote admin
• Statistics
• Xerror
• XML

A NETSCOUT Servers
This chapter provides additional guidance on servers and related products that may be used
with nGeniusONE.
• Global Managers
• Dedicated Global Managers
• Standalone Servers
• Local Servers
• nGenius Configuration Manager
• Options for Virtual Environments
• Standby Servers
• nGenius for Flows Servers

A.1 Products Based on nGeniusONE Architecture


These servers are described in their respective sections and not in this chapter:
• nGenius Session Analyzer
• nGenius Subscriber Cache (SCS)

A.2 Related products with Discrete Architecture


• nGenius Business Analytics
• nSI
• Pulse

A.3 Legacy Products


• Installing and Accessing the nGenius (Performance Manager) Client

A.4 nGeniusONE Servers


A.4.1 Global Managers
This server type is used in deployments for centralized, consistent management of devices in
remote locations and for analysis of data across those remote server nodes. This server type is
not supported as a child of any other server, including other Global Managers. Review the
following to understand the server relationships that can be constructed with this server type.

A.4.1.1 Default Nodes


The default configuration of a Global Manager has two server instances displayed in Server
Management. The LocalServer is automatically installed when you select Global Manager during
installation. These Global and Local instances serve different purposes and are always present
on a Global Manager.
• The Global instance handles numerous processes including warehousing of data and
backups and cluster management.
• The Local instance handles device configuration and other functions, including replicating
data to a Standby, if configured.

A.4.1.2 Adding a Child Node


Using Server Management, you can add a child node to your cluster. The children you add must
all be Standalone servers, not other Global Managers (If you need to add another Global, first
convert it to a Standalone server).

The following server types can be added as child nodes to a Global Manager cluster, from Server
Management, with data rolling back up to the parent server.
• From the Global row:
You can add a child server to be a cluster member. Select type Local then add a
Standalone to convert it to a remote "local" server.
• From the Local server row associated with the Global:
You can add a Standalone server as the type Standby, to function as a failover for the
Global Manager itself.
• From the Local server row for any remote cluster node (not applicable for related servers
with unique architecture):
You can add a Standalone server as the type Standby, to function as a failover for that
node of the cluster.

A.4.1.3 Adding a Related Server


These server types have a discrete architecture from nGeniusONE but can be added from the Global row
of Server Management. These leverage nGeniusONE for devices, configuration, and licensing.
Select the applicable type from the menu:

• nGenius Business Analytics
• nGenius Subscriber Intelligence
• nGenius PULSE

A.4.1.4 Adding a Global Manager as an Authentication Source


From the Authentication Source module on the following server types, you can specify a Global
Manager server to provide authentication, some configuration, and device management.
• Omnis Cyber Investigator
• nGenius Session Analyzer
• nGenius Subscriber Cache

A.4.2 Dedicated Global Managers


This server type provides similar functionality to a Global Manager and is initially installed as a
standard Global Manager. Its function as a "Dedicated" server is then enabled using a particular
license. The significant difference between a Global Manager (GM) and Dedicated Global
Manager is that the latter does not directly manage devices. Instead, it is specifically intended to
manage remote Standalone servers that directly manage their own devices. It does not manage
other Global Managers; rather, it has less functionality than a Global Manager since it does not
manage devices directly.

Following are key notes about a Dedicated Global Manager:


• A DGM is installed as a Global Manager; the license you configure determines whether it is
enabled with Global Manager (GM) or Dedicated Global Manager (DGM) capability.
• A DGM has two server instances displayed in Server Management, just like a GM. Here is
how the LocalServer differs on a GM versus DGM:
  ◦ On a GM, the GM's own LocalServer can be selected in Device Configuration as a server
  to manage devices.
  ◦ On a DGM, the LocalServer is not displayed as a server selection in Device Configuration.
  Instead, you must pick a remote "Local" server.
• A GM/DGM cannot be added as a child to another server.
• A GM/DGM can be used as an Authentication Source for any server that includes nGenius
CM as an authentication mode.

Since the primary difference between a GM and DGM is device management, you can use the
same guidance for Global Managers when building a cluster with a DGM.

A.4.3 Standalone Servers


You can use a standalone server in smaller deployments that do not require centralized
configuration of a cluster of servers. For the latter, you would use a Global Manager (GM) or
Dedicated Global Manager (DGM). Alternatively, if you ARE setting up a cluster, you would set up
your remote child nodes as a Standalone server, add the devices to them, then integrate them to
the cluster head (GM or DGM).


Following are key notes about Standalone servers:


• During installation of certain products, you may be offered the option to install the
  software as Global or Standalone. If you are setting up a server to act as a Standby for a
  Standalone server, a Global Manager, or Dedicated Global Manager, this is the type to
  select (Standalone).
• If you have set up a server as a Global or Dedicated Global Manager, you can convert it to a
  Standalone at a later date. You can use the same procedure to convert a Standalone to a
  Global or Dedicated Global Manager.
• When a Standalone has been made a child node or a Standby node, it is displayed in the
  parent server's Server Management GUI, but the parent is not displayed locally. If needed,
  you can identify the parent server in the following file:
  <nGeniusONE install>/rtm/database/configxml/xml/server_map.xml.

A.4.3.1 Default Nodes


A Standalone server has one server instance displayed in Server Management. This is displayed
as Standalone unless it has been added as a child to a cluster. In the latter case, the server type is
then changed to be a Local. Note that after a Standalone is added as a child to a cluster, you
cannot add any child nodes to it. That activity is performed from the parent server.

A.4.3.2 Adding a Child Node


The following server types can be added as child nodes to a Standalone server, from Server
Management.
• You can add another Standalone server as the type Standby, to provide redundancy.

A.4.3.3 Adding a Related Server


These server types have a discrete architecture from nGeniusONE but can be added from the
Standalone row of Server Management. These leverage nGeniusONE for devices, configuration,
and licensing. Select the applicable type from the menu:
• nGenius Business Analytics
• nGenius Subscriber Intelligence
• nGenius PULSE

A.4.3.4 Adding Standalone as an Authentication Source


From the Authentication Source module on the following server types, you can specify a
Standalone server to provide authentication, some configuration, and device management.
• Omnis Cyber Investigator
• nGenius Session Analyzer
• nGenius Subscriber Cache


A.4.4 Local Servers


When you add a Standalone to a parent server, it is reflected there as a "remote" Local Server,
rather than as a standalone.

Every nGeniusONE server has a server process running locally, to manage core server functions
on that system. In some cases, such as Standalone, the process is not separately identified in
Server Management.

Local Servers associated with Global Manager Servers are always present for servers installed
and configured as Global Managers (not Dedicated Global Managers). They are not explicitly
installed but are automatically installed with Global Manager installations. This Local Server type
provides device management functions for the Global Manager server itself. It does not manage
other servers, so the list of server types that can be added to it is limited to a Standby Server.

A.4.5 Standby Servers


A Standby Server provides redundant functionality to ensure continuous operations if your
primary server becomes unavailable. After you integrate a Standby Server, it obtains and backs
up statistical and configuration data from the primary server from that point forward.

Data are replicated in the following ways:


• Monitored elements and device / application configuration settings are replicated every 15
  minutes.
• Logged data are replicated immediately after logging is completed on the primary
  server.
• Property files are compressed and copied to the Standby Server daily.

The following types of data are backed up:


• Monitored elements
• Device settings
• User roles and settings
• Global Settings
• Alarm policies
• Data capture filters (but no saved data capture files)
• Link layer, application, host, and conversation statistics
• dbONE flows (applications and conversations)
• Properties files

Use the following as a guide for understanding the requirements to set up your Standby server
and work with it in your deployment.
• Integrating a Standby Server
• Testing the Standby Server Conversion
• Converting a Standby to a Primary Server
• Troubleshooting Standby Servers


A.4.5.1 Integrating a Standby Server


To add a Standby Server to your deployment, you will need matching software and new licenses.
Refer to the content below for an overview of requirements and setup steps to consider in
addition to the standard installation and configuration procedures. Data replication mechanisms
are also summarized.

Note: A Standby server is not supported for use as an Authentication Source, although its
address must be listed as accessible for any user or group (in User Management), should the
server need to be converted to a primary. If you have converted a Standby server to assume
the role of the Primary server it was backing up, you may need to re-configure any servers
that were relying on the primary as an Authentication Source. This is particularly the case if
the configuration of the Primary as an authentication source was done with an IP address
rather than a host name.

• Setting up a Standby Server
• Adding a Standby Node
• Replicating Data & Configurations
• Accessing the Standby Server

If needed, refer to:


• Testing the Standby Server Conversion
• Converting a Standby to a Primary Server
• Troubleshooting Standby Servers

A.4.5.1.1 Setting up a Standby Server

Use the installer for the product it will be backing up (such as nGeniusONE or nGenius
Configuration Manager or Omnis Cyber Investigator) to install and configure a like-type server.
After the server is installed, configured, and on the network, you can add it to your deployment.
Review the following before you begin:
• Obtain a unique hostname and IP Address (NETSCOUT recommends static, rather than
  DHCP, addressing) before you begin the installation.
• The server must be installed and configured with the same software version as the one it is
  backing up. The software versions must match.
• If your installer offers a Global option, do not select that - otherwise you will need to first
  convert it to a Standalone before adding it as a Standby. nGenius Configuration Manager,
  for example, has only one type, so no selection is needed.
• Obtain licenses that match in scope those of the server to be backed up, but for Standby
  functionality. These are licenses specifically for a Standby Server that complement the
  configuration of the server it is backing up. For example, if you have an nGeniusONE 225
  license, which includes the nGeniusONE Server and UC and 50 Type 1 interfaces, then the
  corresponding Standby Server could be licensed with a 226 license, which includes the same
  but for Standby.
• Users for the primary server must be given access to the Standby host in User
  Management.


• If access lists are configured on any data sources, those must be configured to allow the
  Standby host address.
• Web access ports must be configured the same as those of the server being backed up.

1. Prepare installation and configuration worksheets with the following considerations:
2. Install an nGeniusONE server with the same version of software as the server it will be
   backing up.
3. Obtain and install Standby Server licenses.
4. Configure the server as a Standalone server type, if applicable for your type of server.
5. Add the server to your cluster (refer to the next section).
6. Access the User Management module and ensure that the Standby Server is displayed in
   the Server Access list. This ensures that if conversion of the Standby is performed later,
   those users already have permission to access the web GUI.

A.4.5.1.2 Adding a Standby Node

After you have set up a Standby Server (see the previous section), you can use Server
Management to add it as a Standby node to your deployment.
• From the Standalone server row of a single-node server, select type Standby and add the
  Standalone server you configured above. (Standalone servers do not have a Local instance,
  so you add directly to the top node.)
• From any Local server row in a Global Manager or Dedicated Global Manager deployment,
  you can add a Standalone server as the type Standby. You use this method to add a
  Standby for backing up the LocalServer of the Global or Dedicated Global Manager, or
  backing up the remote Local server of a cluster node.
• From the ConfigManager row of an nGenius Configuration Manager server, select
  type NCM Standby and add the server you configured using the nGenius
  Configuration Manager installer.
• Note that the above are the only types supported for addition of a Standby type. Other
  servers that may be displayed in the Server Management list, such as nGenius Business
  Analytics, are not applicable for a Standby server.

Procedure:

1. Access the Server Management module. (For distributed deployments, access from the
parent server in the cluster. This avoids having to replicate the server map to the parent
server.)
2. Select the row for the server that you want to back up with your new Standby Server.
   • To back up a Global Manager or Dedicated Global Manager, you select the
     LocalServer row, not the parent "Global" row.
   • To back up a remote child server node, select the Local Server row.
3. Click the Add Server icon to display the corresponding dialog box.
4. Use the following as a guide to populate the dialog box:
   Server Type: Select Standby Server. (If you do not see this option, it is not supported
   for the server you selected above.)


   Server Name: This is an alias / friendly name you can provide to identify the server. It
   can contain spaces, but not special characters.
   IP Address/Host: Provide an IPv4, IPv6 address or a fully qualified domain name.
   Web Port: This port number must be the same web port specified for the server being
   backed up.
   User Login Information: This is the web user account you provided during
   installation, that is used to administer the system.
   Alarm Suppression Time: This is the amount of time before Standby Alarms are
   re-issued.
   Backup Check Timeout: Timeout for backup to hear from Primary.
5. When ready, click OK to save the settings. You can monitor progress of the server being
added by selecting the Server Management Operations Progress tab at the bottom of
the Server Management GUI.
6. After the Standby Server has been added, allow time for replication to occur before
performing any conversion tests or replicating additional data.
7. Access the User Management module and ensure that the Standby Server is displayed in
the Server Access list. This ensures that if conversion of the Standby is performed later,
those users already have permission to access the web GUI.

A.4.5.1.3 Replicating Data & Configurations

When you first add the Standby Server, property files, configurations, and so on, are replicated.
Data from that moment forward are replicated on a scheduled basis.
• Ad hoc: The following are replicated whenever you make a change and reset the primary
  and/or standby server:
  ◦ Server Map table: Identity of all server nodes in the cluster
• Every 15 minutes:
  ◦ Database content, including application configurations, devices, service definitions, and
    so on.
  ◦ User records
• Nightly: The following files contain a list of configuration files, property files, and assorted
  scripts that are replicated nightly:
  ◦ <nGeniusONE install>/rtm/bin/reppropertyfilesbackup.dat
  ◦ <nGeniusONE install>/rtm/bin/propertyfilesbackup.dat

Older Data

Data prior to the point in time when you add the Standby Server are not copied to the
Standby Server. You can manually move older, existing data and reports to the Standby
Server by executing scripts on the primary server. If needed, you can copy data with the
following procedure.

Important: Depending on your environment, copying existing data to the Standby Server can
take time. For very large environments this process can take several hours. Therefore you
may want to perform this task during periods of low traffic.


1. After you have added a Standby Server to the primary server, restart both servers.
Restarting the servers replicates the data to the Standby Server.
2. Wait for the above replication to complete.
3. On the primary server navigate to the <nGeniusONE install>/rtm/bin directory.
4. Run the following scripts, as needed:
   For dbONE flow data:
   # fdsdatareplicator.sh
   To include reports, run the following after the above has completed:
   # reportsnewsreplicator.sh

Note: Log files containing relevant information are written to the <nGeniusONE
install>/rtm/log folder, with names matching the script.

A.4.5.1.4 Accessing the Standby Server

After the server has been installed and configured, users can log into the web interface as if it
were a standard nGeniusONE server. This capability allows administrators to validate that
backups are occurring correctly. Most functionality is disabled or limited to read-only access.
These restrictions are in place to prevent database modifications and to ensure true redundancy
between the primary and Standby Servers.

For example:
• Most configuration modules are not available since configurations are intentionally copied
  from the parent server. Configuration modules that are displayed are read only.
• Most analysis modules are available. However, the Standby Server is not intended to
  function as a cluster member for distributed analysis. It is intended for backup.
• The Trace Archive and Data Mining modules are not displayed as those are intended for
  use with packet data, often directly from the data sources. Standby Servers do not have
  direct access to data sources until they have been converted.
• The System Information column on the nGeniusONE console is not populated since usage
  metrics are not applicable for a standby server.

A.4.5.2 Troubleshooting Standby Servers


If either the primary or Standby Server experiences a problem and becomes unavailable, no data
replication occurs. Use the information in the following scenarios as troubleshooting guidelines:
• Primary and Standby Server are not communicating
  Verify that the standby server is configured identically to the primary, other than being
  installed as a Standalone server. It must have the same nGeniusONE software release and
  build version, and must be configured with the same port numbers.

• Primary server is down and Standby Server is up
  When the primary server is down, it can neither collect nor transfer data to the Standby
  Server.


  If the primary server has failed, the Standby Server will immediately send an email
  notification and place messages in the Message Log, Loggerdebug, and Flowloggerdebug
  log files stating that the primary server is down and no data are being received. The server
  continues to send emails every hour until the problem is corrected. You can resume
  operations by converting the Standby Server to be a primary server.
  If the primary server problem is caused by hardware failure, contact your hardware
  supplier. If the problem is caused by nGeniusONE software failure, contact Customer
  Support.

• Primary server is up and Standby Server is down
  When the Standby Server is down, it cannot receive replicated data from the primary
  server.
  The primary server will immediately send an email notification and place messages in the
  Message Log, Loggerdebug, and Flowloggerdebug log files stating that the Standby Server
  is down and no data are being replicated. The server continues to send emails every hour
  until the problem is corrected.
  If the Standby Server problem is caused by hardware failure, contact your hardware
  supplier. If the problem is caused by a failure in nGeniusONE software, contact Customer
  Support.

• Two primary servers are running simultaneously
  If you convert a Standby Server to be primary and the former primary server becomes
  available again, both servers will be polling the same devices and no data will be replicated.
  Both servers will send email notifications and place messages in the log files. Immediately
  stop nGeniusONE processes on both servers. Then convert the servers again, but this time
  specify the address of the original primary server so that both servers identify the
  correct primary as the lead and the original standby server as the backup.

• Devices are not communicating with the converted Standby Server
  If you enabled access list security on an InfiniStream appliance, child server, or other
  network device, be sure to add the Standby Server IP address to that list. If it is not
  included, the device will not respond to the Standby Server when it is functioning as a
  primary server. For more information about access lists, refer to the Agent
  Configuration Utility Administrator Guide.

• Users are unable to log into converted Standby Server
  Ensure that the user accounts have been set up with permission to access both server
  addresses (the original IP and the standby IP address).

• Unable to modify settings on the Standby Server
  To ensure that the Standby Server is performing correctly, a System Administrator can
  access the web configuration of it in a limited read-only mode. Most settings on the
  Standby Server cannot be modified. If the primary server should become unavailable, you
  access the Standby Server and convert it to a primary. Then it will have full functionality
  and resume with normal nGeniusONE operations.


A.4.5.3 Testing the Standby Server Conversion


You can test the Standby Server to be sure that it is operating correctly by converting the
Standby to Primary (as long as the server licenses are compatible) and then reversing the
process to reconvert the servers to their original configuration. When you convert a server using
the failback mode indicated in this procedure, the roles of the Primary and Standby Server are
reversed with no data loss. The steps are repeated with the opposite IP address to revert the
conversion.

Note:
• Although a GUI-based method is available for certain configurations, the manual
  method is supported for all standby configurations so is most suitable for testing
  standby conversion.
• This procedure is intended for testing and presumes both the Primary and Standby
  servers are online and running normally.
• This procedure is applicable for these server types:
  ◦ Local Server (remote as well as the LocalServer located on a Global Manager or
    Dedicated Global Manager)
  ◦ Standalone nGeniusONE Server
  ◦ nGenius Configuration Manager

Syntax

This procedure uses a script with the following syntax:


convertstandbytoprimary.sh <standby server ip address> true

where

<standby server ip address> is the address of the standby server that you want to become the
primary server

Procedure
1. Open a PuTTY window to both the Primary Server and its associated Standby Server that you
   plan to test. Place them side by side on your monitor.
2. In both windows, log into the operating system command line as the root user.
3. In both windows, navigate to the bin folder.
   # cd /opt/NetScout/rtm/bin
4. In both windows, stop the nGeniusONE server processes:
   # ./stop
5. In both windows, verify all processes are stopped:
   # ./PS
   The output of this should only be the Xvfb process. If any other nGeniusONE processes
   display, run the stop command again, or kill the processes.
6. In both windows, switch to the ngenius user and instantiate the environment:
   # su - ngenius

   bash-4.1$
   Use the - option with this command. You will now be in the install folder for your server
   software (/opt/NetScout, by default) and a new shell command prompt displays.
7. In both windows, ensure you are in the bin folder.
   bash-4.1$ cd /opt/NetScout/rtm/bin
8. In both windows, run the script and specify the IP Address of the server you want to
   become the primary:
   bash-4.1$ ./convertstandbytoprimary.sh <Standby Server IP address> true
   The conversion procedure runs and completes, after which the command prompt
   displays.
9. Exit the ngenius user shell and return to the root user shell:
   bash-4.1$ exit
   logout
   #
   Restart the nGeniusONE server processes on both servers as the root user:
   # ./start
10. To verify the changes, do one of the following:
    • Verify in Server Management:
      Access Server Management from the nGeniusONE Console on the Standby server. The
      Servers tab shows a row for each of the Primary and Standby servers, with the original
      hostnames, but the IP addresses are swapped.
      Example:
      If you had started with the following configuration:

      Server                       Type
      ⯈ GlobalManager1             Global
        10.20.100.161
          o LocaltoMyGlobal1       Local
            10.20.100.161
          ⯈ BostonPrimary          Local
            10.20.48.230
              o BostonStandby      Standby
                10.20.50.216
          ⯈ PlanoPrimary           Local
            10.20.160.14
              o PlanoStandby       Standby
                10.20.160.44


      Then, if you were testing conversion for BostonStandby to BostonPrimary, and
      had run the command ./convertstandbytoprimary.sh 10.20.50.216 true
      on both servers, the Server list should now appear as below (Note that the server
      names are unchanged; only the IP Addresses are changed).

      Server                       Type
      ⯈ GlobalManager1             Global
        10.20.100.161
          o LocaltoMyGlobal1       Local
            10.20.100.161
          ⯈ BostonPrimary          Local
            10.20.50.216
              o BostonStandby      Standby
                10.20.48.230
          ⯈ PlanoPrimary           Local
            10.20.160.14
              o PlanoStandby       Standby
                10.20.160.44

    • Verify manually:
      On each server, open the file below:
      <nGeniusONE install>/rtm/database/configxml/xml/server_map.xml
      Locate the name of the primary server you are testing. The <server_config> block
      below that will have an <address> block with the IP address of the Standby Server you
      tested. Given the example above, you would see:
      <server_info>
        <id>1</id>
        <name>BostonPrimary</name>
        <type>Local</type>
        <status>UP</status>
        <master>0</master>
        <Time_Zone>US/Eastern</Time_Zone>
        <registryBindnigName>ServiceManager</registryBindnigName>
      </server_info>
      <server_config>
        <address>10.20.50.216</address>
        <port>8080</port>
        <protocol>HTTP</protocol>
      </server_config>

This test ran the script on the Primary server, which is not typical for a real scenario in
which the primary server has failed. This allows you to see both servers and leave them
running and part of the cluster rather than having them competing to both be the Primary
server. Because the settings were changed on both servers, you should now also see the
Standby Server's name with the IP Address of the original Primary server.
11. To revert the sequence and restore the servers to their original Primary and Standby roles:


    a. In windows to both servers, still logged in as the user root, stop the nGeniusONE
       server processes and verify they are stopped:
       # ./stop
       # ./PS
    b. In both windows, switch to the ngenius user and instantiate the environment, then
       navigate to the bin directory:
       # su - ngenius
       bash-4.1$
       bash-4.1$ cd /opt/NetScout/rtm/bin
    c. Now, in both windows, run the script and specify the IP Address of the server you want
       to become the primary. In this case, use the address of the current standby server,
       which you had just changed from primary to standby and now want to revert to
       primary again:
       bash-4.1$ ./convertstandbytoprimary.sh <Current Standby Server IP address> true
       The conversion procedure runs and completes, after which the command prompt
       displays.
    d. Exit the ngenius user shell and restart the nGeniusONE server processes on both
       servers:
       bash-4.1$ exit
       logout
       #
       # ./start

If you miss one of the steps in the conversion process, contact Customer Support
for assistance to correctly configure names and IP addresses.
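The manual check from step 10 can be scripted. The following is an added example, not NETSCOUT code: it reads a copy of server_map.xml, pairs each <server_info> with the <server_config> that follows it, and confirms that the names are unchanged, the two addresses are swapped, and the web ports still match. The <server_map> wrapper element, the Standby entry, and all function names are assumptions; the sample XML is constructed from the example values above.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of server_map.xml after the BostonStandby test conversion.
# Assumption: the <server_map> wrapper and the Standby entry are made up here;
# the guide shows only one <server_info>/<server_config> pair.
AFTER_CONVERSION = """
<server_map>
  <server_info>
    <id>1</id><name>BostonPrimary</name><type>Local</type><status>UP</status>
  </server_info>
  <server_config>
    <address>10.20.50.216</address><port>8080</port><protocol>HTTP</protocol>
  </server_config>
  <server_info>
    <id>2</id><name>BostonStandby</name><type>Standby</type><status>UP</status>
  </server_info>
  <server_config>
    <address>10.20.48.230</address><port>8080</port><protocol>HTTP</protocol>
  </server_config>
</server_map>
"""


def parse_server_map(xml_text):
    """Map each server name to the <server_config> that follows its <server_info>."""
    servers, current = {}, None
    # iter() walks the tree in document order, so nesting depth does not matter.
    for elem in ET.fromstring(xml_text.strip()).iter():
        if elem.tag == "server_info":
            name = (elem.findtext("name") or "").strip()
            current = {"type": (elem.findtext("type") or "").strip(),
                       "address": None, "port": None}
            servers[name] = current
        elif elem.tag == "server_config" and current is not None:
            current["address"] = (elem.findtext("address") or "").strip() or None
            current["port"] = (elem.findtext("port") or "").strip() or None
            current = None  # a config block belongs to one server only
    return servers


def same_host(a, b):
    """Compare addresses: IP text forms are normalised, host names case-folded."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:  # at least one side is a host name, not an IP literal
        return a.strip().lower() == b.strip().lower()


def check_conversion(xml_text, primary_name, standby_name,
                     original_primary_ip, original_standby_ip):
    """Return a list of problems; empty means names kept and addresses swapped."""
    servers = parse_server_map(xml_text)
    expected = {primary_name: original_standby_ip,
                standby_name: original_primary_ip}
    problems = []
    for name, want in expected.items():
        entry = servers.get(name)
        if entry is None:
            problems.append(f"{name}: no <server_info> entry")
        elif entry["address"] is None:
            problems.append(f"{name}: no <address> in the following <server_config>")
        elif not same_host(entry["address"], want):
            problems.append(f"{name}: address {entry['address']}, expected {want}")
    # The guide requires the Standby to use the same web port as its primary.
    ports = {servers[n]["port"] for n in expected if n in servers}
    if len(ports) > 1:
        problems.append(f"web ports differ between the pair: {sorted(map(str, ports))}")
    return problems


def check_both_copies(copies, **pair):
    """copies: {label: xml_text}, one entry per server the file was read from."""
    return {label: check_conversion(text, **pair) for label, text in copies.items()}


if __name__ == "__main__":
    pair = dict(primary_name="BostonPrimary", standby_name="BostonStandby",
                original_primary_ip="10.20.48.230",
                original_standby_ip="10.20.50.216")
    results = check_both_copies({"constructed sample": AFTER_CONVERSION}, **pair)
    for label, problems in results.items():
        print(label, "OK" if not problems else problems)
```

Run it against the file from each server: a copy that still shows the pre-conversion addresses indicates the script was not run on that server.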

A.4.5.4 Converting a Standby to a Primary Server


For deployments that include a Standby Server, you can use the procedures below to convert a
Standby Server to assume the primary role, should that primary server become inoperable. The
procedure to use differs based on the nature of your deployment.

Important: Review the following notes before converting your server:


• If you are converting the Standby Server to test your recovery procedure, instead, refer
  to: Testing the Standby Server.
• The GUI method is supported for converting the Standby Server for a remote Local
  Server that is managed by a Global Manager. It is not applicable to convert Standbys
  associated with the Local Servers located on the Global Manager itself, or with
  Standalone nGeniusONE Servers or Dedicated Global Servers.
  The manual method is required for Standalone Servers, Global Managers, and
  Dedicated Global Managers, and can also be used for remote Local Servers.
• No further Standby replication occurs until you reconfigure Primary and Standby
  Servers. (For example, until you add a Standby server to the converted server.) The
  converted server uses replicated configuration data to resume normal polling and
  logging activities.


• If you enabled access list security on an InfiniStream appliance, child server, or other
  network device, be sure to add the Standby Server IP address to the list. If it is not
  included, the device will not respond to the Standby Server when it is functioning as a
  primary server. For more information about access lists, refer to the Agent
  Configuration Utility Administrator Guide.
• After you convert a Standby Server to a primary server, the original primary server
  (which should be offline or disabled if you are performing this task) should no longer
  display in the Server Management interface. The original alias name of the primary
  server is displayed, but with the IP address of the Standby Server.
• If the original primary server comes back on line, do not re-add it to the distributed
  cluster. Stop the nGeniusONE server processes and contact Customer Support for
  assistance.
• If you miss one of the steps in the conversion process, contact Customer
  Support for assistance to correctly configure names and IP addresses.

A.4.5.4.1 GUI-based Conversion

This method is enabled only when you are logged in to a Global Manager or Dedicated Global
Manager and have selected a Standby server attached to a remote Local Server. Use of the GUI
is not applicable when you are converting a Standby that supports the head of a cluster. Use the
manual (command-line) method for those cases.

Note: If you are converting the Standby Server to test your recovery procedure, instead, refer
to: Testing the Standby Server.

1. From the nGeniusONE Console, on the Global Manager or Dedicated Global Manager,
   access the Server Management module.
2. From the Servers tab, locate the Local Server with the Standby Server you want to
   promote to a Primary role. Select the Standby Server that you want to promote to primary.
   The Standby Server must be running and must be associated with a remote child server.


3. If you have selected a supported server type, the Server Operations drop-down menu
   option for Convert to Primary is enabled. Select that option.
   A dialog box displays.
4. Verify the IP Address presented in this dialog box before proceeding to the next step. Do
   not click the Failback option; it is used only for testing purposes and is not applicable
   when you need the Standby to truly assume the role of its primary server.
   If the correct IP Address is listed, click Yes.


5. When the conversion completes, a message box displays instructing you to restart the
converted server. Click OK to acknowledge the message.
6. Restart the server(s).

A.4.5.4.2 Command-line Conversion

This method is the only one that can be used to convert Standby Servers for Standalone Servers,
for Global Managers, and Dedicated Global Managers. It can also be used to convert Standby
Servers for remote Local Servers.

Note: If you are converting the Standby Server to test your recovery procedure, instead, refer
to: Testing the Standby Server.

1. Open a PuTTY window to the Standby Server and log in as the root user.
2. Navigate to the bin folder.
   # cd /<nGeniusONE install>/rtm/bin
3. Stop the nGeniusONE server processes.
4. Verify all processes are stopped:
   # ./PS
   The output of this should only be the Xvfb process. If any other nGeniusONE processes
   display, run the ./stop command again, or kill the processes.
5. Change to user ngenius with: su - ngenius. This is required to run the next script.
6. Re-navigate to the executable directory:
   bash-4.1$ cd /<nGeniusONE install>/rtm/bin
7. Run the script below and specify the IP Address of the server you want to become the
   primary:
   bash-4.1$ ./convertstandbytoprimary.sh <Standby Server IP address> true
   The conversion procedure runs and completes, after which the command prompt
   displays.
8. Exit the shell for the ngenius user so that you are now the root user.
9. Start the nGeniusONE server processes.

You can now log into it as the primary server. The data that is reported as being under the name
of the primary continues to be reported with that server's alias, even though the IP address is
now that of the original standby server.

A.4.6 Options for Virtual Environments


NETSCOUT provides several different ways to install nGeniusONE software in virtual
environments. The tables below summarize the available options, including their optimal use
cases, installation files, and which documentation you can refer to for further information.


• Virtual nGeniusONE – These installers include all features associated with nGeniusONE
  Console. They do not include features found in the Performance Manager¹ or Unified
  Management Consoles. This installer has a cloud-friendly resource footprint, requiring a
  minimum of only 4 vCPUs and 16 GB of RAM to manage up to 10 Type 1 interfaces.

Table A.1 - nGeniusONE Virtual Installers: Cloud-friendly Footprint

| nGeniusONE Variety | Installation File | Documentation |
|---|---|---|
| nGeniusONE Application Installer: Installs as an application on a virtual machine running a supported version of RedHat Enterprise Linux, CentOS, or Microsoft Windows in the public or private cloud. | nG1-6320-xxxx-lin.bin (Linux); nG1-6320-xxxx-win.exe (Windows) | Virtual nGeniusONE Installation Guide |
| Virtual nGeniusONE Appliance: Installs as a custom-built virtual appliance. Separate images available for the following environments: VMware (.ova); OpenStack/Ubuntu (.qcow2) | vnG1_6320-xxxx.ova; vnG1_6320-xxxx.qcow2 | |
| Virtual nGeniusONE - AWS: Installs as a custom-built virtual appliance from AWS Marketplace. | Connect to NETSCOUT site in AWS Marketplace and deploy using provided CloudFormation templates | |
| Virtual nGeniusONE – Azure: Installs as a custom-built virtual appliance from Azure Marketplace. | Connect to NETSCOUT site in Azure Marketplace and deploy using provided ARM templates. | |

• nGeniusONE with Performance Manager – In this use case, nGeniusONE server is
  installed, including both the legacy Performance Manager client and nGeniusONE. This can
  be used in cloud deployments, but requires more resources than Virtual nGeniusONE,
  described above.

Table A.2 - nGeniusONE Virtual Installers: Full Product

| nGeniusONE Variety | Installation File | Documentation |
|---|---|---|
| nGeniusONE with Performance Manager Software-Only: Installs as an application. The same installation files used to install the nGeniusONE server on a custom-built physical server can also be used to install nGeniusONE on a custom-built virtual machine meeting NETSCOUT’s minimum system requirements. | pm-6320-xxxx-lin.bin (Linux); pm-6320-xxxx-win.exe (Windows) | This guide |

[1] If running nGeniusONE without Performance Manager on a 16 GB 4 CPU system, you must use license option 222 or
308. nGeniusONE OVA (VMware) images use the 16GB 4 CPU option by default. Fresh installs of nGeniusONE may also
run on a 16 GB 4 CPU system.


Table A.2 - nGeniusONE Virtual Installers: Full Product (continued)

| nGeniusONE Variety | Installation File | Documentation |
|---|---|---|
| nGeniusONE (Full) Virtual Appliance: Installs as a custom-built virtual (server) appliance in a supported VMware environment (private cloud). | PM-nG1_6320-xxx_VM.ova (VMware) | nGeniusONE Virtual Appliance (OVA) Installation Guide |

A.4.7 nGenius Configuration Manager


A management-only server option is available to support centralized configuration capabilities
for related servers based on the nGeniusONE architecture. An nGenius Configuration Manager
server can be integrated to provide centralized management of devices, authentication, and
users for the server types indicated below, such as nGenius Business Analytics (nBA), nGenius
Session Analyzer (nSA), or nGenius Subscriber Cache (SCS) servers. This server type is not used to
provide a centralized view of data across distributed servers, which requires data warehousing
on the parent server.

The process of installing and configuring an nGenius Configuration Manager server is the same
as a standard nGeniusONE server, with a couple of differences. This product has a different
installer and does not require licensing, since it is not providing analytic functions. Following are
key notes about an nGenius Configuration Manager:
• Memory and CPU requirements are less for this server type than an nGeniusONE server, as
  this server does not perform analytics. A minimum of 16GB of memory and 8 CPUs is
  recommended.
• The installer is available only from the product pages for the server types it supports. You
  can, for example, download the installer from the nGenius Business Analytics (nBA)
  product page.
• A license is not required for an nGenius Configuration Manager. However, licenses are
  required for the child server functionality that this server manages.
    o For nBA, the licenses installed on that server must be replicated to the nGenius
      Configuration Manager. Instructions for licensing are provided in the nBA | nAS
      Installation and Upgrade Guide.
    o For nSA and nGenius Subscriber Cache, the license is installed on that server. The
      nGenius Configuration Manager does not require that license to be copied locally.

A.4.7.1 Default Nodes


The default configuration of an nGenius Configuration Manager has one server instance
displayed in Server Management. The ConfigManager is used to add a child node or Standby
node.

A.4.7.2 Adding a Child Node


The nGenius Configuration Manager server is used for configuration-only deployments. It is not
used to manage data clusters, like a Global Manager or Dedicated Global Manager. For that
reason, the only "child node" you can add in Server Management is a Standby. There is no "Local
Server" on this server type.


• From the ConfigManager row: You can add a Standalone server as the type NCM Standby, to
  provide redundancy for the nGenius Configuration Manager itself.

A.4.7.3 Adding a Related Server


You can add the following server type from the nGenius Configuration Manager Server
Management GUI:
• nGenius Business Analytics

A.4.7.4 Adding as an Authentication Source


From the Authentication Source module on the following server types, you can specify an
nGenius Configuration Manager server to provide authentication, some configuration, and
device management.
• nGenius Session Analyzer
• nGenius Subscriber Cache

A.5 nGenius for Flows Servers


This product is an nGeniusONE server licensed specifically for monitoring flow collectors and
MIB-II devices. It follows the same structure as for Standalone, Global Manager, and Dedicated
Global Manager servers. An nGenius for Flows server is set up as one of those types, then
enabled with an nGenius for Flows license. It is not intended to be an authentication source for
other servers.

Data-feed child servers: The following server types can be added from the Server
Management GUI.
• Standby
• nBA
• nSI
• Pulse

A.5.1 NetFlow Overview


A flow is a unidirectional sequence of unicast packets between given source and destination
endpoints. The following seven elements define a unique flow. If a flow has one or more
elements different from another flow, then it is considered a new flow.
• Source IP Address
• Destination IP address
• Source port number (TCP, UDP)
• Destination port number (TCP, UDP)
• Layer 3 protocol type (IP, ICMP)
• Type of Service (ToS) byte (0-7)
• Input logical interface

NetFlow and sFlow are technologies used to monitor IP traffic flows in routed and switched
environments.

nGenius Collectors (3300 Series) support the following:
• NetFlow versions 1, 5, 7, and 9
• Vendor formats, such as IPFIX and JFlow, that conform to NetFlow
• sFlow versions 2, 3, 4, and 5

When configured to generate NetFlow datagrams, routers and switches can be directed to send
the data to the nGenius Collectors. These dedicated high-density NetFlow and IP SLA collection
devices gather NetFlow datagrams and IP SLA test data from Cisco routers and/or switches for
display in nGeniusONE, nGenius Performance Manager, and nGenius Performance Manager for Flows.

A.5.2 IP SLA Test Types


The interface that is used to poll any specific SAA device is interface 11.

By default, the SAA devices are searched every hour for new tests. This discovery interval may be
modified to be any number of seconds from one minute to one hour. Discovery may also be
done upon demand. Refer to the agent administrator guide for details.

The number of SAA devices and IP SLA tests supported depends on whether or not the device is
collecting NetFlow or sFlow data. The following table shows the number of tests and devices
supported:

| NetFlow or sFlow | Supported Devices | Supported Tests |
|---|---|---|
| On | 500 | 500 |
| Off | 500 | 500 |

The firmware supports the ability to discover and poll IP SLA tests configured on a Cisco SAA-
enabled device running IOS version 12.4 or higher. The following table shows the test types that
are supported and the metrics that are measured:

| Test Type | Reported Metrics | CDM Port |
|---|---|---|
| IP SLA ICMP Echo | A round-trip measuring how long it takes the target device to respond to an ICMP echo. The responder can be any TCP host or any SAA-enabled device. | 51006 |
| IP SLA DNS | Difference in time between when the client sends a DNS request and when it receives a reply. Supports forward and reverse lookups. | 51003 |
| IP SLA TCP Socket Connect | Difference in time between when the client sends the initial SYN and when the client sends the final ACK in the connect sequence. The responder can be any TCP host or SAA-enabled device. | 51011 |
| IP SLA UDP Jitter (Voice and Video) | Measures round-trip delay, average jitter, and MOS. Packet loss is also reported. The responder must be an SAA-enabled device. Note: Enable Response Time and ASR properties for the RTP application in Global Settings. | 51010 |
| IP SLA DHCP | Measures the round-trip time taken to discover a DHCP (Dynamic Host Configuration Protocol) Server and obtain a lease from it. | 51002 |
| IP SLA Web Page Retrieval | Measures the amount of time it takes to retrieve the specified Web page. Only base page is retrieved. It also measures the TCP connect time. HTTP specific errors are not reported. | 51012 |

A.5.3 IP SLA Requirements


You must meet the following configuration to monitor IP SLA test data:
• nGenius for Flows
• An nGenius Collector with:
    o IP SLA discovery enabled (disabled by default). For details on configuring the nGenius
      Collector, refer to the appropriate documentation.
    o The proper interface number for the nGenius Collector. Refer to the appropriate
      nGenius Collector administrator guide.
• One or more of the IP SLA Operations configured on your SAA device. Refer to your Cisco
  documentation for details.
• Enable the Response Time property for the IP SLA Active Agent applications in Global
  Settings.
• Enable Response Time and ASR properties for the RTP application in Global Settings.

A.5.4 IP SLA Overview


IP SLA is the Cisco implementation of active agent technology, which evaluates network and
server performance by sending data across the network to measure performance
between network locations and across network paths. It uses timestamp information to calculate
performance metrics, such as jitter, network and server response times, packet loss, and Mean
Opinion Score.

Response time metrics are measured and reported for a variety of IP SLA Test Types.

There are several steps you must take to get started monitoring IP SLA. For more information on
configuring your environment to support IP SLA testing, see the nGenius Collector Administrator
Guide.

Note: You must also meet configuration requirements to obtain and view IP SLA test data.


A.5.5 Getting Started With IP SLA


The nGeniusONE software allows you to monitor and log network application response time
based on discovered IP SLA tests.

1. Meet probe and software requirements.
2. Add the nGenius Collector (3300 Series) to the nGenius for Flows Server.
3. Activate IP SLA Test Types.
4. Configure the SAA Device IP Address and Read Community string.
5. (Optional) Import multiple SAA Device Configurations.

A.5.6 Activating IP SLA Test Types


By default, all IP SLA test types and ports are active. Tests that have been deactivated are grayed
out in the list.

Use the procedure in this topic to activate a previously deactivated test:

1. Click Global Settings.
2. Select the Applications tab, Enterprise list.
3. Locate and expand the Active Agent node to view the list of IP SLA test types and ports.
4. Select All from the view drop-down list to ensure that all tests display.
5. To activate a test type, from the Select monitoring options drop-down menu, click
   Activate.
6. Click Apply.

A.5.7 Creating a File to Import SAA Device Configurations


You can save time when configuring several SAA devices for an nGenius Collector by creating and
importing a CSV file.

To create the file:

1. Create a new text file using a text editor.
2. Enter the required information using the following syntax (one entry per line):
   <Device IP address>,<Read Community>
   Example:
   10.20.36.60,public
   10.62.1.1,public
   10.2.3.4,public
3. Save the file as CSV and close it.
4. Import the file.
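
A pre-import check for the CSV file described above, added here as an example and not part of the NETSCOUT guide or product. It assumes surrounding whitespace is insignificant, treats "public" and "private" as default community strings worth flagging, and uses constructed sample lines.

```python
import csv
import io
import ipaddress

# Vendor-default SNMP community strings; this list is an assumption of the example.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample input. The first line is from the guide's example; the
# remaining lines are invented to exercise each check.
SAMPLE = """\
10.20.36.60,public
10.62.1.1,ro-7f3a-example
10.2.3.4
10.62.1.1,ro-7f3a-example
10.300.1.1,ro-7f3a-example
10.2.3.5,
"""


def validate_saa_import(text):
    """Validate '<Device IP address>,<Read Community>' lines.

    Returns (entries, problems). entries holds the (ip, community) pairs that
    are safe to import; problems holds (line_no, severity, message) tuples.
    """
    entries, problems, seen = [], [], {}
    reader = csv.reader(io.StringIO(text))
    for row in reader:
        line_no = reader.line_num
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        if len(row) != 2:
            problems.append((line_no, "error", f"expected 2 fields, found {len(row)}"))
            continue
        raw_ip, community = row[0].strip(), row[1].strip()
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            problems.append((line_no, "error", f"invalid IP address {raw_ip!r}"))
            continue
        if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            problems.append((line_no, "error", f"{ip} is not a device address"))
            continue
        if not community:
            problems.append((line_no, "error", "empty Read Community"))
            continue
        if ip in seen:
            problems.append((line_no, "error", f"{ip} duplicates line {seen[ip]}"))
            continue
        seen[ip] = line_no
        if community.lower() in DEFAULT_COMMUNITIES:
            # Still importable, but a default string is guessable by anyone
            # who can reach the device's SNMP port.
            problems.append((line_no, "warning", f"{ip} uses a default community string"))
        entries.append((str(ip), community))
    return entries, problems


if __name__ == "__main__":
    ok, issues = validate_saa_import(SAMPLE)
    for line_no, severity, message in issues:
        print(f"line {line_no}: {severity}: {message}")
    print(f"{len(ok)} entries ready for import")
```

Messages never echo the community string itself, so the report can be shared without exposing credentials.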


A.5.8 Changing Router Duplex State


Accurate utilization views require correct NetFlow duplex settings. The nGeniusONE Server
assumes router interfaces to be full duplex. If any flow source interfaces on the router are half-
duplex, you must manually change the router duplex state.

To change the router duplex state:

1. Use the nGeniusONE Console and go to Device Configuration > Devices.
2. Double-click the router for which you want to change the state.
3. Select the interface.
   The Fdx check box displays the duplex setting for each router interface (a check indicates
   full duplex mode).
4. Click the Fdx check box to toggle the interface between full and half duplex, as
   required.
   Note: If you cannot toggle the Fdx check box, the nGeniusONE Server was able to learn
   the correct duplex state from the router. You do not need to modify the setting.
5. Click Apply to save the new setting.

A.5.9 NetFlow and sFlow Collection Overview


Flow collection is based on receiving flow records from enabled devices.

nGenius Collectors support the following:
• NetFlow versions 1, 5, 7, and 9
• Vendor formats, such as JFlow and IPFIX, that conform to NetFlow
• sFlow versions 2, 3, 4, and 5

NetFlow and sFlow are enabled directly on the routers and switches themselves, but require an
nGenius Collector to receive flow data. nGenius Collectors can be configured to act as collection
devices for flow data.

nGenius Collectors (3300 Series) support collection of NetFlow and IP SLA data. By default, when
you add an nGenius Collector to nGenius for Flows, its associated routers are added
automatically, provided the Read/Write communities are Public. If the communities are other
than Public, you can manually add the router to the nGenius Collector from Device
Configuration.

Each nGenius Collector can support up to 10 NetFlow-enabled devices with a combined
maximum number of 1000 interfaces. Alternatively, the nGenius Collector can be deployed to
support an unlimited number of flow-enabled devices with a combined maximum number of
1000 interfaces. Using the extd_vifn_mode command (refer to Command-Line Object:
extd_vifn_mode in the Agent Configuration Utility Administrator Guide for more information), you
can increase the virtual interface support on nGenius Collectors to 5000.

The flow information collected on each device is sent to the management interface of an nGenius
Collector, and each flow source (interface on a switch/router) is mapped to an independent
virtual interface in the Collector. The Collector dynamically creates the flow virtual interfaces as it
receives flow export for those interfaces.


Statistics available for NetFlow and sFlow virtual interfaces include:
• Utilization
• Average Packet Size
• Application Statistics
• IP Hosts and Conversations
• Application Layer Host and Conversation data

Note: nGenius Collectors support sFlow versions 2, 3, 4, and 5. sFlow v5 includes two
variations of formatting, a regular format and an extended interface format; both are
supported. However, ifIndex values of greater than 64K (65535) are not supported in sFlow
collections. IfIndex values above the 1-65535 range are collected in the default ifIndex 0
virtual interface associated with the exporting device.

A.6 Related Products with Discrete Architecture


A.6.1 nGenius Business Analytics
nGenius Business Analytics (nBA) is a platform for business self-service analytics and data
enablement projects based on the InfiniStreamNG ASI smart data platform.

You can integrate an nGeniusONE server or standalone nGenius Configuration Manager server
to your nGenius Business Analytics deployment. Detailed setup instructions for nGenius
Business Analytics are provided in the nBA | nAS Installation and Upgrade Guide. The complete
setup steps are not provided here as configuration and installation of that product is beyond the
scope of this document. Briefly, however, the steps are:
• Add an nGenius Business Analytics server. Follow guidance for Integrating a Related Server.
• After you have added the server, refer to the nBA | nAS Installation and Upgrade Guide for
  instructions on adding nGenius Business Analytics licenses to your server.
• After the licenses are enabled, the nBA/nAS tab is displayed for supported devices in the
  server's Device Configuration module. Use that tab to complete configuration for your
  deployment. Refer to the server online help and the above mentioned guide for more
  details.

A.6.2 nSI
A.6.2.1 About nGenius Subscriber Voice / nGenius Subscriber Intelligence+
For nSV licensed nGeniusONE servers, retrieve data from nSV servers to populate the Voice
Monitors. Use the following procedure.
1. Log in to the nGeniusONE Server as root.
2. Using crontab -e, add the following string to the nGeniusONE list of scheduled jobs. In the
   string, <nSV_ip_addr> represents the address of your nGenius Subscriber Voice Server.
   */5 * * * * /opt/NetScout/asi_pull/pull_config_ng.sh --remotehost=<nSV_ip_addr>
3. Save the change.


To permit nGeniusONE to provide ASI data to nGenius Subscriber Intelligence, add the nSI server
address in the nGeniusONE Server Management.

A.6.3 Pulse
A.6.3.1 Integrating nGeniusPULSE
nGeniusPULSE is an infrastructure testing solution that monitors the availability and health of
servers and network devices. It extends the service-centric approach of nGeniusONE by enabling
identification of causes for network and application performance issues observed in
nGeniusONE. Integration of the two servers enables single sign-on from nGeniusONE for direct,
contextual launch to nGeniusPULSE.

This chapter describes the tasks required for integrating the two servers that you have already
installed, configured, and placed on your network.
• Configuring nGeniusONE for Integration
• Configuring nGeniusPULSE for Integration
• Using nGeniusONE with nGeniusPULSE

Visit the NETSCOUT Customer Support website at https://my.NETSCOUT.com for nGeniusPULSE
documentation and additional information about nGeniusONE and nGeniusPULSE integration.

A.6.3.2 Configuring nGeniusONE for Integration


Configure your nGeniusONE Global Manager or Standalone Server by adding the
nGeniusPULSE server, specifying IP subnets for your enterprise, and selecting applications that
will define the servers monitored by nGeniusPULSE.

A.6.3.2.1 Adding the nGeniusPULSE Server

To add the nGeniusPULSE server to your nGeniusONE Server:

1. Access Server Management from the nGeniusONE console.
2. From the Servers tab, select a server row.
3. Click the Add Server button.
4. From the displayed menu, select nGeniusPULSE as the Server Type (If nGeniusPULSE is not
   displayed, exit and check that you selected a supported server type as indicated above).
5. In the dialog box, enter a Server Name, IP Address/Host name, and port for the
   nGeniusPULSE server.
   Note: Use port 80 for HTTP and 443 for HTTPS. If you use HTTPS, the nGeniusPULSE
   server should have a signed HTTPS certificate installed to avoid security warnings or
   browser issues.
6. Click OK to add the server.
7. Log out from the client browser and log in again to update the nGeniusONE Console and
   display the nGeniusPULSE launch points. A server restart is not required.


A.6.3.2.2 Configuring My Network

Ensure that you have added subnet IP addresses for your enterprise as follows:

1. Access Global Settings > Communities from the nGeniusONE console.
2. Click the My Network tab.
3. Click the Add a my network button.
4. Enter an IP address and click OK. You can enter a maximum of 50 addresses/ranges per
   community.
5. Click Apply.

A.6.3.2.3 Configuring nGeniusPULSE Monitoring

nGeniusONE Administrators can select those applications important to their operations in
conjunction with their My Network list of selected subnets. The nGeniusPULSE Server then
accesses the nGeniusONE Server to import a filtered list of servers matching those settings.

Configure nGeniusPULSE Server monitoring as follows:

1. Launch Global Settings > Application Configuration from the nGeniusONE console.
2. Click the Pulse tab.
   Note: The Pulse tab displays in Global Settings only after a trusted nGeniusPULSE Server
   has been added in Server Management.
3. Select the applications that you want to monitor for infrastructure-related problems.
   By default, most applications included in specialized nGeniusONE monitors are
   preselected in the Pulse tab, as shown below. These selections facilitate drilldowns for
   common applications from nGeniusONE to nGeniusPULSE.
4. When finished, click Apply.
5. After making your selections, a list of server subnets in which these applications run is
   available to the nGeniusPULSE server for import and monitoring.

Refer to the nGeniusONE online help for additional information about all of the preceding tasks.


A.6.3.3 Configuring nGeniusPULSE for Integration


Configure your nGeniusPULSE Server to import application server IP addresses from
nGeniusONE and to discover the network devices that you want nGeniusPULSE to monitor.

The nGeniusPULSE Server imports a list of application servers from the nGeniusONE Server
(maximum of 25,000). These servers are defined according to the applications you specify in
nGeniusONE. For additional information, refer to Configuring nGeniusONE for Integration.

A.6.3.3.1 Configure nGeniusONE Communication

Modify the nGeniusPULSE property file to enable communication with nGeniusONE, importing
of the application server list, and drilldowns.

1. Log into the nGeniusPULSE server as a root user.
2. Open the file /etc/ipm/ng1import/ng1.config.properties on your nGeniusPULSE server
   for editing.
   Note: If you are logged in as the nGPadmin user rather than root, you must use the sudo
   command to modify this file:
   # sudo vi /etc/ipm/ng1import/ng1.config.properties
3. Modify the following required parameters to enable communication between this server
   and the nGeniusONE Server. Do not modify any other parameters unless directed by
   Customer Support.

| Parameter | Purpose | Default |
|---|---|---|
| ng1Server | The nGeniusONE hostname or IP address | |
| ng1Port | The nGeniusONE port. This must match the port number that the nGeniusONE server uses to communicate with all servers in the cluster (typically 80, 8080, 443, or 8443) | Fresh installs: 8443. Upgrade from pre-6.3.1 release: previous value |
| useHttps | Communication method. The nGeniusPULSE and nGeniusONE servers must use the same method. Note: If you set this to true, you must install the nGeniusONE certificate in the nGeniusPULSE store. | false |
| disableCertificateCheck | When useHttps is set to true, trust the SSL certificate that the nGeniusONE server is using and use TLS to communicate with nGeniusONE. | false |

4. Save and exit the file.
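
A review script for the four parameters above, added here as an example and not part of the NETSCOUT guide or product. It assumes the file uses plain key=value lines, reads disableCertificateCheck=true as "accept the nGeniusONE certificate without validating it", and runs on constructed sample files with a placeholder host name.

```python
# Defaults from the parameter table in this guide (fresh-install values).
DEFAULTS = {"ng1Port": "8443", "useHttps": "false", "disableCertificateCheck": "false"}

# Constructed sample files; ng1.example.net is a placeholder host name.
WEAK = """\
# TLS on, but the certificate is never validated
ng1Server=ng1.example.net
ng1Port=8443
useHttps=true
disableCertificateCheck=true
"""

HARDENED = """\
ng1Server=ng1.example.net
ng1Port=8443
useHttps=true
disableCertificateCheck=false
"""

CLEARTEXT = """\
ng1Server=
ng1Port=80
useHttps=false
disableCertificateCheck=true
"""


def parse_properties(text):
    """Parse key=value lines; '#' or '!' starts a comment (assumed syntax)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def to_bool(value):
    """Return True/False for the literals 'true'/'false', otherwise None."""
    return {"true": True, "false": False}.get(value.strip().lower())


def audit_ng1_config(text):
    """Return a list of (severity, parameter, message) findings."""
    props = {**DEFAULTS, **parse_properties(text)}
    findings = []
    if not props.get("ng1Server"):
        findings.append(("error", "ng1Server", "no nGeniusONE host name or IP address set"))
    port = props["ng1Port"]
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(("error", "ng1Port", f"{port!r} is not a valid TCP port"))
    flags = {}
    for name in ("useHttps", "disableCertificateCheck"):
        flags[name] = to_bool(props[name])
        if flags[name] is None:
            findings.append(("error", name, f"{props[name]!r} is not true or false"))
    https, no_check = flags["useHttps"], flags["disableCertificateCheck"]
    if https is False:
        findings.append(("warning", "useHttps",
                         "traffic to nGeniusONE is not protected by TLS"))
        if no_check:
            findings.append(("info", "disableCertificateCheck",
                             "has no effect while useHttps is false"))
    elif https and no_check:
        # Example's reading of the table: encryption without server authentication.
        findings.append(("warning", "disableCertificateCheck",
                         "certificate is trusted without validation; install the "
                         "nGeniusONE certificate in the nGeniusPULSE store instead"))
    return findings


if __name__ == "__main__":
    for label, sample in (("WEAK", WEAK), ("HARDENED", HARDENED), ("CLEARTEXT", CLEARTEXT)):
        print(label, audit_ng1_config(sample) or "no findings")
```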

A.6.3.3.2 Defining nGeniusPULSE Monitoring

Use nGeniusPULSE Infrastructure Discovery to define the IP Scope of network devices that you
want nGeniusPULSE to monitor.


1. Connect to the nGeniusPULSE server as an administrative user.
2. Create Server and Network Device IP Scopes for a Collector (Administration / Collectors).
   This enables nGeniusPULSE to discover servers and network devices with ICMP, WinRM,
   and SNMP (requires WinRM or SNMP polling credentials to be configured first).
3. Select Administration/Collectors.
4. Select a Collector (there is only one Collector on a Standalone nGeniusPULSE system).
5. Click Create.
6. Enter the IP Scope for the nGeniusONE subnets that include the application servers you
   want to monitor in nGeniusPULSE. The scope must be in one of the following formats:
   • Individual IP address (10.20.3.4/32)
   • IP Subnet (10.20.3.4/31)
   • IP Range (10.20.3.0 – 10.20.3.13)
7. Click Save.
8. Create Sites with IP Scopes to assign certain IP address ranges to a logical Site.
   a. Select Administration/Sites.
   b. Click Create.
   c. Enter the name of the Site, Description (optional), and an IP Scope(s) of servers and/or
      network devices. nGeniusPULSE will only import servers and network devices from
      nGeniusONE for those that fall into a Site.
   d. Click Save.
9. Servers and Network Devices to be imported from nGeniusONE MUST also be defined in
   an IP Scope within a Site (Administration / Sites).
10. (Optional) Add a Description.
11. Ensure that the IP Scope type is set to Include.
12. Click Save.
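
Because only servers that fall into a Site are imported, it helps to check a planned set of Site IP Scopes against the server addresses you expect to see before entering them. The following is an added example, not part of the NETSCOUT guide or product; the Site names and addresses are constructed, and treating a subnet with host bits set as its containing network is an assumption of the example.

```python
import ipaddress
import re

# "first - last" with a hyphen or the en dash used in this guide's example.
RANGE_RE = re.compile(r"^\s*(\S+?)\s*[-\u2013]\s*(\S+)\s*$")


def parse_scope(scope):
    """Return (first, last) addresses for a /32, subnet, or range scope string."""
    match = RANGE_RE.match(scope)
    if match:
        first = ipaddress.ip_address(match.group(1))
        last = ipaddress.ip_address(match.group(2))
        if first.version != last.version or first > last:
            raise ValueError(f"invalid range {scope!r}")
        return first, last
    # Assumption: host bits are ignored, so 10.20.3.5/31 means 10.20.3.4/31.
    network = ipaddress.ip_network(scope.strip(), strict=False)
    return network[0], network[-1]


def covering(address, sites):
    """Names of the Sites (name -> list of scope strings) that contain address."""
    ip = ipaddress.ip_address(address)
    hits = []
    for name, scopes in sites.items():
        for scope in scopes:
            first, last = parse_scope(scope)
            if first.version == ip.version and first <= ip <= last:
                hits.append(name)
                break  # one match per Site is enough
    return hits


def site_coverage(servers, sites):
    """Return (missing, overlapping).

    missing: servers that fall into no Site and would therefore not be imported.
    overlapping: servers matched by more than one Site, worth a manual review.
    """
    missing, overlapping = [], {}
    for server in servers:
        hits = covering(server, sites)
        if not hits:
            missing.append(server)
        elif len(hits) > 1:
            overlapping[server] = hits
    return missing, overlapping


# Constructed Site definitions using the three scope formats from step 6.
SITES = {
    "HQ": ["10.20.3.4/32", "10.20.3.0 – 10.20.3.13"],
    "DC": ["10.20.3.4/31"],
    "Lab": ["10.20.4.0/31"],
}
# Constructed list of application server addresses expected from nGeniusONE.
SERVERS = ["10.20.3.4", "10.20.3.13", "10.20.3.14", "10.20.4.1", "10.20.4.2"]

if __name__ == "__main__":
    missing, overlapping = site_coverage(SERVERS, SITES)
    print("not in any Site:", missing)
    print("in more than one Site:", overlapping)
```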

After you configure nGeniusPULSE, it polls the nGeniusONE server at regular intervals for any new
application servers.

Refer to the nGeniusPULSE online help for additional information about the preceding tasks.

A.6.3.4 Using nGeniusONE with nGeniusPULSE


After configuration is complete, use the various launch points available in nGeniusONE to drill
down to nGeniusPULSE. For general investigations, you can launch directly from the
nGeniusONE Console. For more focused troubleshooting, follow the drilldown from the
nGeniusONE applications that support nGeniusPULSE. These include Traffic Monitors, most
Service Monitors, and Service Dependency, enabling you to track issues from a service to a
specific infrastructure element. Each workflow opens nGeniusPULSE in a separate browser tab
or window with no separate login required.

Note:
• If the communication between nGeniusONE and nGeniusPULSE is configured for HTTPS
  versus HTTP, NETSCOUT recommends that users navigate to the nGeniusPULSE server to
  view and accept certificates as reported by the browser, before drilling into nGeniusPULSE
  from nGeniusONE.
• If the number of server subnets from nGeniusONE exceeds nGeniusPULSE monitoring
  capacity (25,000 elements), you might see blank or incomplete charts when drilling down
  from nGeniusONE applications.
• In nGeniusPULSE version 3.x, servers and network devices that have multiple IP addresses
  (multi-home servers or secondary IP addresses) MAY display an error (“No Matching Server
  or Device…”), since nGeniusPULSE searches on the primary address, not the secondary
  IPs.
• When drilling down from nGeniusONE, the account is created with the user role according
  to this table (whether you have an existing account in nGeniusPULSE or not; your
  previously assigned role may be overwritten):

| nGeniusONE User Role | nGeniusPULSE User Role |
|---|---|
| SYSADMIN | System Admin |
| NTWKADMIN | Admin |
| APROVR, HELPDSK, NTWKOPER, and NPVIEWER | User |

If you are assigned two nGeniusONE user roles, upon drilling down to nGeniusPULSE, you
are assigned the higher nGeniusPULSE user role. For example, if you are assigned both the
SYSADMIN and NTWKADMIN user roles in nGeniusONE, and drill down to nGeniusPULSE,
you are assigned the System Admin user role for nGeniusPULSE.

The assigned role cannot be changed. nGeniusPULSE inherits the nGeniusONE password in
a secure manner to enable single sign-on.

All users on nGeniusPULSE must have unique usernames and email addresses in order to
be created. New users from nGeniusONE that have a duplicate email address will fail to be
added to nGeniusPULSE.

nGeniusONE Console Drilldowns

The nGeniusONE Console displays an icon and launch point for nGeniusPULSE, shown below.

Drilldown from the Console opens the nGeniusPULSE dashboard with a Sites Overview, from
which you can begin investigating trouble spots, as necessary.


Traffic Monitor Drilldowns

Traffic Monitor is an nGeniusONE component used for:
• Analyzing anomalous conditions affecting network performance such as
  unexpected/unidentified application traffic and link health based on specific indicators.
• Analyzing network performance based on behavior of specific applications / application
  groups, or application behavior in certain network locations.

If an nGeniusPULSE server is integrated with nGeniusONE, your drilldown to nGeniusPULSE
provides infrastructure metrics, such as CPU and Memory, for the time and device context
passed from the monitor.

Service Monitor Drilldowns

Service Monitors help operators determine where and when an issue occurred, which
application and server were involved, and which users were affected. Various service monitors
are available for applications and metrics associated with a specific business or use-case.

Service Monitors that support drilldown to nGeniusPULSE pass context for a selected server to
related infrastructure metrics in nGeniusPULSE. (Drilldown is not available for Host Analysis,
Discover My Network, RTP Monitor, Media Monitor, and MDF Monitor.)

An example use case starts when users report that their Citrix access is timing out. To
troubleshoot, you can view Citrix services in the Service Dashboard and observe the high
percentage of timeouts for a particular service:


After drilling down to the Universal Monitor, you see that the Singapore Users community is
experiencing the highest timeouts. To learn whether these timeouts are infrastructure-based,
select a server and launch nGeniusPULSE.

The nGeniusPULSE view reveals high memory utilization for this server, causing the timeouts for
users. With this evidence, you can begin correcting the server memory problem.


Service Dependency Drilldowns

Service Dependency provides a visual map to show the interdependencies between servers that
deliver a service, as well as how those servers are performing. If an nGeniusPULSE server is
integrated with nGeniusONE, you can select a server node in Service Dependency and click the
nGeniusPULSE icon to drill down to view additional infrastructure metrics for that server in
nGeniusPULSE.

An example use case starts when Oracle E-Business Suite users in Washington report slow
response times. To troubleshoot, you can view Oracle services in the Service Dashboard and
observe the slow response time for the Washington service.

After drilling down to Service Dependency to investigate the servers involved with the degraded
response time, you can see elevated latency on the server node. To find out if the response time
problem is due to infrastructure issues, select the node and click the nGeniusPULSE icon.

The nGeniusPULSE view reveals excessive CPU utilization for this server, which is leading to
degraded response time for users. You can now begin addressing the server CPU resources.


A.6.4 nGenius TrueCall


A.6.4.1 About nGenius TrueCall
This product is a mobile geoanalytics platform that provides network data that enables
operators to drive new technologies, such as LTE, VoLTE, small cells, SON and HetNet; improve
network performance; target geomarketing services; and optimize the customer experience.

TrueCall leverages network signaling events or individual call detail records to create powerful
maps and reports of device and network performance, including detailed drill-down visibility into
each individual call in the network.

For details on working with this server type, refer to the documentation for the TrueCall product suite.

A.7 nGenius Performance Manager


A.7.1 Installing and Accessing the nGenius (Performance Manager) Client
For deployments that still make use of the legacy Performance Manager Client, review this
section for guidance.

Note:
• This client is installed automatically with Windows-based nGeniusONE
  installers. However, NETSCOUT strongly recommends you install the client software on
  a separate system for users performing analytic rather than administrative tasks.
• Before you run the installer, review the client browser and JVM requirements.
• The server must be installed and licensed before you can download and use this
  application.

A.7.1.1 Installing the nGenius Client


The nGenius (Performance Manager) Client is automatically installed with the Windows-based
nGeniusONE server installation. Optionally, review a sample install sequence (for Windows)
before you proceed.

To install the client software on user systems:

1. From the client system, open a web browser and navigate to
   http://<nGeniusONE server>:<port number>/splash
2. From the left-hand navigation pane, locate Downloads and select Client Install.
3. Select the download file appropriate for your platform (Windows, Linux or generic UNIX).
   The Windows and Linux installers include a JVM, which is required for this application.
4. Launch the installer:
   • For Windows: Run the setup.exe program and respond to prompts for the
     installation path and defaults.
   • For Linux: Run the setup using: sh setup.bin -i console. Respond to installation
     prompts, including whether to select a JVM already installed on the system.
   • For UNIX: Ensure the client system has a JVM installed. Then run the installer with: sh
     ./setup.bin, responding to prompts.
5. Respond to installer prompts for the following:
   • Language Selection
   • Introduction
   • Choose Install Folder
   • Choose Link Folder
   • Choose JVM (Linux/UNIX only; refer to the requirements for Java version)
   • Choose Browser (refer to the requirements for supported browsers)
   • Pre-installation Summary
6. After the installer completes, click Done to exit.

A.7.1.2 Accessing the nGenius Client (Windows)


This section reviews the launch options for the Windows-based nGenius Client.

1. After the installation is completed, you can launch the client from the Start menu location you
selected during the installation. By default, this is C:\NetScout\nGenius Client\nGenius
Client.

2. A login window displays, allowing you to specify the server address and port.

3. Select your login method:


a. If you check the Direct Login box, provide credentials and the module (analysis or
administration) to launch, then click Connect. The module you specified is displayed
(illustration below shows analysis and administrative modules).

b. If you do not select Direct Login and click Connect, the splash page for the server
displays. This allows you to log in from a web browser and perform some basic
activities from the web, or launch a Java-based nGenius Client module (such as Console
Workspaces) to that server.

A.7.1.3 Uninstalling the nGenius Client (Windows)


This client is installed automatically with Windows-based nGeniusONE installers and is not
removed when you remove the nGeniusONE server software. This allows you to manage the
server software and uninstall/reinstall it, if needed, without losing your local installation of the
client. If needed, you can uninstall the client from the same menu used to launch it.

B Tools & Utilities
This chapter provides an overview of tools and utilities that may be available on your
nGeniusONE server product. See these sections:
• B.1 Dell Tools
• B.2 NETSCOUT Tools
• B.4 Splunk Dashboard App

B.1 Dell Tools


This chapter provides an overview of utilities available on NETSCOUT products based on the Dell
PowerEdge platform.
• iDRAC: Dell Integrated Remote Access Controller
• DSET: Dell System E-Support Tool
• OMSA: Dell OpenManage Server Administrator
• PERC: Dell PowerEdge RAID Controller

More details on all of these tools are provided on the Dell website.

B.1.1 Working with iDRAC


NETSCOUT-built servers based on the Dell PowerEdge platform include an Integrated Dell
Remote Access Controller (iDRAC) for remote administration and troubleshooting. By connecting
the iDRAC’s onboard Ethernet port to an out-of-band management network, you can then
connect to these servers from a remote computer using the built-in web-based user interface
(UI).

The version of iDRAC varies based on the server model, as listed below, although this document
provides an overview of the general functionality available from the iDRAC service.
• Access the iDRAC Web Interface
• Using the Virtual Console
  ◦ Using the Virtual Console
  ◦ Use the Virtual Console for Software Updates
  ◦ Use Virtual Media to Reimage a System
• Use BIOS to Change iDRAC Settings
• Access Other iDRAC Features

For complete details, refer to the Dell Remote Access Controller Documentation on the Dell website.
• Dell R740 (iDRAC9): https://www.dell.com/support/article/us/en/19/sln311300/idrac9-home
• Dell R730 (iDRAC8): https://www.dell.com/support/article/us/en/19/sln310710/idrac8-home
• Dell R720 (iDRAC7): https://www.dell.com/support/article/us/en/19/sln311149/idrac7-home

B.1.1.1 iDRAC Requirements


This section provides details on supported browser configurations, required ports, and
supported physical connections for iDRAC usage. Details are provided in the following sections.

Note:
• NETSCOUT recommends that you set your monitor resolution to 1280x1024 pixels or
  higher.
• Browsers must be configured to allow pop-ups in order to launch the Virtual Console.
• The iDRAC connection does not use a certificate, so you will be prompted each time to
  approve the connection.
• Additional Notes for Internet Explorer:
  ◦ Browsers must have SSL 3.0 enabled.
  ◦ Ensure that the browser is enabled to download encrypted content.
  ◦ If you prefer not to use the Java plugin with Internet Explorer and instead use the
    (Native) ActiveX plug-in, ensure that you have added the iDRAC IP or hostname to the
    Trusted Sites list.

B.1.1.1.1 Network Requirements

Use the information in this section to understand the environmental conditions required to use
the iDRAC interface.

Physical Connections

When making physical connections for the dedicated iDRAC port, keep in mind the following:
• The iDRAC port speed is 10/100/1000 Mbps.
• The iDRAC port has a default IP address of 192.168.0.120.
• You can directly connect the iDRAC port to the Ethernet port of a PC using an Ethernet
  crossover cable.
• DHCP is supported, but not recommended.
• If you directly connect the iDRAC port to a Cisco switch, be sure to enable Spanning Tree
  PortFast and disable the negotiation of the Dynamic Trunking Protocol on the Cisco switch
  port to which you connect the iDRAC port.

Network Listener Ports

The iDRAC interface uses specific network ports that you may need to open in your firewall for
successful communications.

Note: Ports marked with an asterisk (*) are configurable on the iDRAC.

iDRAC Server Connection Ports

Port Number   Function
22*           Secure Shell (SSH)
23*           Telnet
80*           HTTP
443*          HTTPS
623           RMCP/RMCP+
5900*         Virtual Console keyboard/mouse, Virtual Media Service, Virtual Media Secure
              Service, and Virtual Console video

iDRAC Client Ports

Port Number   Function
25            SMTP
53            DNS
68            DHCP-assigned IP address
69            TFTP
162           SNMP trap
636           LDAPS
3269          LDAPS for global catalog (GC)
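
The two port tables above, turned into an allowlist for a gateway in front of the out-of-band management network. This is an added example, not NETSCOUT or Dell code: it assumes a Linux gateway using iptables and a constructed admin subnet (10.0.50.0/24), and it leaves Telnet, HTTP and DHCP closed because the tables also list SSH and HTTPS and the guide recommends static addressing. The transport protocol for each port is supplied by the example, not by the tables.

```shell
#!/bin/sh
# Added example (not NETSCOUT or Dell code): print iptables FORWARD rules
# for the iDRAC ports listed in the guide's two tables.

# Columns: port proto direction service policy
#   in    = admin workstations -> iDRAC  (iDRAC Server Connection Ports)
#   out   = iDRAC -> infrastructure      (iDRAC Client Ports)
#   skip  = no rule is emitted in this example (assumption of the example:
#           cleartext Telnet/HTTP stay closed, DHCP is unused with a static IP)
idrac_ports() {
    cat <<'EOF'
22 tcp in ssh allow
23 tcp in telnet skip
80 tcp in http skip
443 tcp in https allow
623 udp in rmcp allow
5900 tcp in virtual-console allow
25 tcp out smtp allow
53 udp out dns allow
68 udp out dhcp skip
69 udp out tftp allow
162 udp out snmp-trap allow
636 tcp out ldaps allow
3269 tcp out ldaps-gc allow
EOF
}

# idrac_rules ADMIN_NET IDRAC_IP
# Prints one iptables command per line; nothing is applied to the system.
idrac_rules() {
    admin_net=$1
    idrac_ip=$2
    [ -n "$admin_net" ] && [ -n "$idrac_ip" ] || {
        echo "usage: idrac_rules ADMIN_NET IDRAC_IP" >&2
        return 1
    }
    # Let replies of already-permitted connections through.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    idrac_ports | while read -r port proto dir service policy; do
        [ "$policy" = allow ] || continue
        case $dir in
            in)  echo "iptables -A FORWARD -s $admin_net -d $idrac_ip -p $proto --dport $port -j ACCEPT  # $service" ;;
            out) echo "iptables -A FORWARD -s $idrac_ip -p $proto --dport $port -j ACCEPT  # $service" ;;
        esac
    done
    # Everything else to or from the iDRAC is dropped.
    echo "iptables -A FORWARD -d $idrac_ip -j DROP"
    echo "iptables -A FORWARD -s $idrac_ip -j DROP"
}

# idrac_skipped: list the table entries that received no rule.
idrac_skipped() {
    idrac_ports | awk '$5 == "skip" { print $1 "/" $2 " " $4 }'
}

# Demo: 192.168.0.120 is the default iDRAC address from the guide;
# 10.0.50.0/24 is a constructed admin subnet.
idrac_rules 10.0.50.0/24 192.168.0.120
idrac_skipped
```

The outbound rules do not restrict the destination; in a real deployment, add `-d` with the address of each mail, DNS, SNMP and LDAP server.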

B.1.1.1.2 User Account Requirements

For the activities described in this document, you will need login credentials for an iDRAC
account with Administrator or Operator group privileges. The root user has Administrator
privileges by default. The default iDRAC user group privileges are:
• Administrator: Login, Configure, Configure Users, Logs, System Control, Access Virtual
  Console, Access Virtual Media, System Operations, and Debug
• Operator: Login, Configure, System Control, Access Virtual Console, Access Virtual Media,
  System Operations, and Debug
• Read Only: Login
• None: No assigned permissions

User accounts are accessible from the following locations:


• In the Web UI: Overview > iDRAC Settings > User Authentication > Local Users tab
• In BIOS: iDRAC Settings > User Configuration

If the firmware has been reset, you may try a password of calvin.

For more information refer to the iDRAC pages on Dell’s website (noted at the beginning of this
chapter).

B.1.1.2 Use BIOS to Change iDRAC Settings


You can use BIOS to verify some important settings that can be changed if the iDRAC firmware is
reset. Under most circumstances, you should use the iDRAC web interface.

Note: NETSCOUT recommends that you not use the web-based iDRAC interface to
reconfigure the iDRAC IP settings. Doing so runs the risk of losing connectivity during the IP
reconfiguration, resulting in an unreachable system. Instead, use system BIOS.

Procedures in this section include:


• Access iDRAC Settings in BIOS
• Change the iDRAC Password
• Configure iDRAC Network Settings
• Restore iDRAC Defaults

B.1.1.2.1 Access iDRAC Settings in BIOS

You can use the Virtual Console to access BIOS when you are monitoring a system. However,
there are cases where you may lose connectivity if you are connected remotely. Use these
instructions to log in directly to the appliance.

1. Establish a direct physical connection to the server hardware, either using a keyboard and
monitor or a laptop connected to the serial port.
2. Turn on or restart the server hardware.
3. Press F2 during the boot sequence to enter the system BIOS. If the operating system
begins to load before you press F2, wait for the system to boot completely before
restarting the system and trying again. When BIOS has booted, the System Setup Main
Menu displays with options for System BIOS, iDRAC Settings, and Device Settings.

4. Within this utility, use the following for navigation and selection:
   • Arrow keys: move up and down within a menu or list; left or right to toggle an
     alternative selection
   • Enter key: apply a typed or selected value; display options in a selector list (use arrow
     keys to navigate to a desired selection; Enter again to pick the entry)
   • Tab key: navigate between the upper banner of the screen (Help/About/Exit), the
     editable area of the screen, and the lower banner (Exit/Back/Finish); navigate between
     options for Yes/No in a dialogue
   • Space bar: display the options in a selector list (use the arrow keys to navigate the list
     and the Enter key to pick an entry)
5. Use arrow keys to navigate to the iDRAC Settings link and press Enter. The iDRAC
   Settings pane displays.

B.1.1.2.2 Change the iDRAC Password

If a firmware factory reset occurs, the default iDRAC password could have been reset to the Dell
default, calvin. If you cannot connect with your original password or with “calvin,” you may need
to Restore iDRAC Defaults and then reconfigure iDRAC Settings. Otherwise, if you know your
password and want to change it:

1. Access iDRAC Settings in BIOS.


2. Navigate to User Configuration and press Enter to display the settings for the
default iDRAC user.

3. Use the down arrow key to select the Change password field.
4. Type the new password and press Enter.
5. When prompted to re-enter the password, type it again and press Enter, or tab to the OK
button and press Enter.
6. Press Esc to exit the User Configuration screen. Your changes are not applied until you
completely exit BIOS. The iDRAC Settings screen is displayed.
7. If you have no other changes, press Esc again to exit iDRAC Settings. A dialog box prompts
you to confirm that you want to save your changes. Tab to and select Yes.
8. (If you press Esc on this dialog box, the effect is the same as a No response: the previous
settings are restored.) A dialogue displays a confirmation that your settings are saved if
you selected Yes or restored if you pressed Esc or selected No.
9. From the System Setup Menu you are now ready to exit the utility and apply your saved
values to the system. Press Esc or tab to and select Finish. A dialogue displays asking you
to confirm that you want to exit BIOS.
10. Select Yes.

The system automatically reboots with your new settings in place.

B.1.1.2.3 Configure iDRAC Network Settings

Use the procedure in this section to configure the iDRAC’s Ethernet port.

1. Access iDRAC Settings in BIOS.


2. Navigate to Network and press Enter.
3. Use arrow keys to navigate to Network, then press Enter. The menu that displays allows
you to configure the network parameters. Use arrow and tab keys to navigate the list of
configuration options. Of the several options you are provided for customization, be sure
to review and adjust the following:
   • Enable NIC: Ensure the NIC for the iDRAC port is Enabled.
   • NIC Selection: If this is set to any of the LOM options, change it to Dedicated.
   • Auto Negotiation: Ideally, leave this On so that the port speed is ensured to match
     the connected network.
   • Register DRAC on DNS: optional.
   • DNS DRAC Name: optional; if not set, the users must know the IP address to access
     the web DRAC UI.
   • Auto Config Domain Name: optional.
   • Static DNS Domain Name: if auto config is not set, then type the domain name here.
   • IPv4 Settings: If the appliance resides in an IPv4 environment, set the following:
     ◦ Enable IPv4: Enabled (default)
     ◦ Enable DHCP: Disabled (default). NETSCOUT recommends using a static address,
       not DHCP.
     ◦ Static IP Address: 192.168.0.120 (default)
     ◦ Static Gateway: 0.0.0.0 (default)
     ◦ Static Subnet Mask: 255.255.255.0
     ◦ Static Preferred DNS Server: 0.0.0.0 (default)
     ◦ Static Alternate DNS Server: 0.0.0.0 (default)
   • IPv6 Settings: If appropriate for your environment, you can also configure IPv6:
     ◦ Enable IPv6: Disabled (default)
     ◦ Enable Auto-configuration: Disabled (default). NETSCOUT recommends using a
       static address, not DHCP.
     ◦ Static IP Address 1: :: (default)
     ◦ Static Prefix Length: 1
     ◦ Static Gateway: :: (default)
   • IPMI Settings:
     ◦ Enable IPMI Over LAN: Enabled (default)
     ◦ Channel Privilege Level Limit: Administrator (default)
     ◦ Encryption Key: All zeros (default)
   • VLAN Settings:
     ◦ Enable VLAN ID: Disabled (default). If this option is enabled, only traffic matching
       the VLAN ID specified in the VLAN ID field below is accepted.
4. Press Esc to exit the Network menu and return to the main BIOS menu for iDRAC Settings.
5. (Optional) Set the default behavior for virtual media connections here rather than using
the web iDRAC UI.
a. Tab to the Media and USB Port Settings entry and press Enter.
b. Tab to the desired setting and modify as desired:
   • Detach: Virtual media are not allowed to be mapped to the server.
   • Attach: Virtual media can be attached to the server but are not automatically
     mapped.
   • Auto attach (default): Virtual media are automatically attached to the server and
     mapped as virtual drives.
c. Press Esc to return to the iDRAC BIOS menu.
6. Press Esc when you are finished configuring iDRAC Settings. The BIOS menu displays.
7. If you have no other changes, press Esc again. A dialog displays, asking you to confirm that
you want to exit BIOS.
8. Select Yes. The system automatically reboots with your new settings in place.

B.1.1.2.4 Restore iDRAC Defaults

If you forget your iDRAC password, or some other condition necessitates a BIOS reset, you can
revert the iDRAC firmware to factory default settings.

1. Access iDRAC Settings in BIOS.


2. Turn on or restart the server hardware.
3. Press F2 to boot the system into BIOS. If the operating system begins to load before you
press F2, wait for the system to boot completely before restarting the system and trying
again. When BIOS has booted, the System Setup Main Menu displays with options for
System BIOS, iDRAC Settings, and Device Settings.
4. Use arrow keys to navigate to the iDRAC Settings link and press Enter.
5. Use arrow keys to scroll through the iDRAC Settings list of options to the Reset iDRAC
configurations to defaults option.
6. Press Enter to select the item. The following warning message is displayed:
Resetting to factory defaults restores from non-volatile storage
settings. Do you want to continue?
< NO >
< YES >
7. Navigate to the Yes option and press Enter.
8. This action will reset the iDRAC password to the Dell default: calvin. It will also reset any
configuration changes you had previously made, such as setting IPMI over LAN and the IP
Address, Subnet Mask, and Gateway.

B.1.1.3 Access the iDRAC Web Interface


After you configure the iDRAC settings, you can remotely access the server hardware using the
web-based interface.

1. Open a supported web browser.


2. In the Address field, enter the IP address you configured when you set up the system for
your environment, then press Enter.
3. The iDRAC Login screen displays.

4. Enter the iDRAC user name and password.


5. After you have successfully logged in, the main web-based interface displays. From here
you can perform a variety of remote management tasks in the tabs at the top of the user
interface.

B.1.1.4 Using the Virtual Console


B.1.1.4.1 Launch the iDRAC Virtual Console

You can use the iDRAC web-based interface to open a virtual console to the server hardware.
This allows you to interact with the server hardware as if you had a directly connected keyboard
and monitor.

Note: NETSCOUT recommends that you do not use the web-based iDRAC user interface to
reconfigure the iDRAC IP settings. Doing so runs the risk of losing connectivity during the IP
reconfiguration, resulting in an unreachable system. Instead, use the system BIOS to change
IP settings.

Common uses for the Virtual Console are:


• Reimage or upgrade the server hardware.
• Watch and interact with a boot sequence in real time, or use the Boot Capture feature from
  the System > Logs tab of the web interface to play back boot sequences.
• Use the Virtual Console File > Capture to File menu option to take screen shots of the
  Console display for use by Customer Support.

To open a Virtual Console to the server hardware, perform the following steps:

1. Access the iDRAC Web Interface.


2. Log in with an account that includes Administrator or Operator privileges. (The default
login account “root” has Administrator privileges.)
3. Now, you can launch the Virtual Console from either of the following pane locations:
   • Overview > Server: Click the Launch link in the Virtual Console Preview panel.
   • Overview > Virtual Console: Click the Launch Virtual Console link at the top of the
     page.
4. A Java applet or ActiveX plugin launches and installs. A dialog indicates the status of the
connection to the Virtual Console Server. After the connection is complete, the dialog
closes and the Virtual Console window displays a login prompt to the server. You can use
this display to interact with the hardware as though you were directly connected.

Note: When you are accessing the iDRAC interface from a Linux operating system, an X11
console may not be viewable on the local monitor. Press Ctrl-Alt-F1 at the iDRAC Virtual
Console to switch Linux to a text console. You may need to disable your browser pop-up
blocker for the iDRAC IP address.

B.1.1.4.2 Use Virtual Media to Reimage a System

You can use the iDRAC Virtual Console’s Virtual Media option to reimage the nGeniusONE
hardware. This section describes how to make media available from your local client system to
the server hardware.

Before you begin, obtain the software for upgrade or reimaging and ensure it is present on your
local client machine:
• ISO Image: Download these files from your NETSCOUT MasterCare account and mount to
  your local client machine; interact with them as you would a DVD.
• Restore DVD: Insert the Restore DVD in the local client machine.
• Application CD, Bin Files or RPM files: For these file types, you do not need to use the
  Virtual Media method. Instead, see Use the Virtual Console for Software Updates.

B.1.1.4.2.1 Verify Virtual Media Settings are Enabled


1. Access the iDRAC Web Interface.
2. Click on the Server link in the left navigation pane of the user interface.
3. Click on the Attached Media tab in the main body of the user interface.
4. Ensure the setting for Attach Mode is set to Attach or Auto Attach. Click Apply if you
had to change the setting.

B.1.1.4.2.2 Map Drives/ISOs


1. Launch the Virtual Console (see Using the Virtual Console).
2. Press Enter, if needed, to display a login prompt, then log in with appropriate credentials.
3. From the Virtual Console window, click the Virtual Media menu and select the entry to
Connect Virtual Media (iDRAC8) or Launch Virtual Media (iDRAC7).

4. Select the Virtual Media > Map CD/DVD option. This command lets you map either a
CD/DVD drive or a local image file (.iso or .img). A mapping dialog appears where you can
browse to the drive or image file to be mapped.
   • If you are using an ISO image, click the Browse button (iDRAC8) or Add Image
     (iDRAC7) and use the navigation dialog to locate and Open the ISO located on your
     client system.
   • If you are using a CD or DVD and have not already inserted it into your system, do so
     now and then navigate as above.
5. Complete the mapping association:
   • For iDRAC7:
     From the list of drives in the Client View window, enable the Mapped check box
     associated with the CD/DVD or ISO that you want to use. The selection is automatically
     connected to the server hardware for use.
     Note: Leave this Virtual Media Dialog open until the software is no longer required by
     the server hardware.
   • For iDRAC8:
     a. After you have navigated to the drive or image file to be mapped, click the Map
        Device button.

B.1.1.4.2.3 Set Media for Boot and Begin the Restore

After the selected drive/image is mapped to the server hardware, you prepare it for use as a
boot drive as though it were located in the server hardware itself.

1. From the Next Boot > menu, select Virtual CD/DVD/ISO. This ensures that the system
will boot from the image file or drive you just mapped in the previous steps, allowing you
to reimage the target server from the drive or image file located on your local machine.

2. Click OK on the warning regarding the next boot device selection.


3. Return to the iDRAC web browser, refresh the Server > Attached Media tab, and check
the block for Virtual Media.
4. The Connection Status is now Connected.
5. From the Virtual Console Power menu, select Reset System (warm boot).

The system reboots and begins to install the new image.


6. When the server hardware boots from the Restore DVD, the Console briefly displays “No
Signal.”
7. When the option to Reimage an existing system is highlighted, press Enter (after a brief
delay, the reimage will continue automatically).

8. When prompted, select either a static or DHCP addressing model to be used. After a brief
delay, the default of static will be set and the reimage will continue automatically.
Note: At the end of the reimage, a Complete screen opens and displays a Reboot button.
Do not click the Reboot button yet because your installation will begin again.
9. Return to the Virtual Console and enable Next Boot > Normal Boot. This ensures that
the system will use its normal boot sequence for future boots.
10. Use the Virtual Media > Disconnect Virtual Media option to disconnect your local
image/drive.
11. Return to the Virtual Console screen and press Enter on the Complete screen. The system
reboots.
12. At this stage, your system is ready to use the nGeniusONE installer to complete the
restore process.

B.1.1.4.3 Use the Virtual Console for Software Updates

For most maintenance cases, you can use the iDRAC Virtual Console like a local shell window. It is
not necessary to use a DVD drive or ISO unless you need to reimage the system. For example, a
standard software update can be run from the system command line (bin files, rpm files), so you
can use the Virtual Console itself without the Virtual Media option.

1. Obtain Software.
2. If you are using a DVD, insert it into the DVD drive local to the server, or copy the file to
your local client system and then use WinSCP or another method to copy the file to the
/opt directory of the remote server hardware.
3. Access the iDRAC Web Interface.
4. Click the Server link in the left navigation pane of the web interface.
5. Click the Console tab in the main body of the interface.
6. Click the link to Launch Virtual Console.
7. Log into the server hardware with appropriate credentials.
8. Follow guidance in the chapter on Installation and Upgrade.

B.1.1.5 Access Other iDRAC Features


You can monitor the system and perform a variety of tasks directly from the default landing page
of the iDRAC web interface. You may find the following additional iDRAC features useful for
troubleshooting your server hardware.

Server > Alerts

Use the Alerts tab to configure traps and/or Email notifications based on a wide variety of
system conditions and platform events.

Server > Logs

You can use the web-based interface’s Logs tab to view a System Event Log for the server
hardware. This log can be saved to a file for submission to Technical Support personnel, if
requested. You can also use this tab to replay the last three boot cycles.

Server > Power/Thermal

Use the Power tab to view the server hardware’s current power status or to power cycle, power
up, or shut down the server hardware. Power cycling operations are available in the Server >
Power/Thermal > Power Configuration > Power Control sub-tab.

Monitoring Server Health

The Server > Properties tab includes a Summary sub-tab with Server Health status indicators
for all sensors with a link to drill down to more detail on each. You can also access the system
event logs and perform a collection of common operational tasks, including launching the Virtual
Console.

B.1.2 Managing Systems with OMSA


OpenManage Server Administrator provides a comprehensive, one-to-one systems management
solution in two ways: from an integrated, web browser-based graphical user interface (GUI) and
from a command line interface (CLI) through the operating system. OMSA is designed for system
administrators to manage systems locally and remotely on a network. For complete information
about Dell OpenManage Server Administrator, refer to the Dell OpenManage Server
Administrator documentation.

Note:
• OMSA starts automatically when you start the system.
• The default username and password are the credentials for the root user (as for SSH
  logins).
• The tool is installed in:
  ./dell/advdiags/dset/bin/omsa/sbin/srvadmin-services.sh
• For details on working with OMSA, refer to resources on the Dell website:
  ◦ https://www.dell.com/support/home/us/en/04/product-support/product/dell-openmanage-server-administrator-9.0.1/docs
  ◦ https://topics-cdn.dell.com/pdf/dell-openmanage-server-administrator-9.0.1_users-guide3_en-us.pdf

Following are typical commands and uses of OMSA on nGeniusONE Server.


• Check the status of OMSA:
  srvadmin-services.sh status
• Start OMSA:
  srvadmin-services.sh start
• Stop OMSA:
  srvadmin-services.sh stop
• To connect to OMSA, launch a web browser and enter:
  https://<hostname>:1311
• To disable the OMSA WebUI that runs on port 1311:
  a. SSH into the nGeniusONE server and run the following command. This disables the OMSA
     processes in chkconfig.
     # srvadmin-services.sh disable
  b. Edit /etc/init.d/stealth and comment out service dsm_om_connsvc restart by
     putting a # sign in front of the line.
  c. Save and exit the file.
  d. Reboot the server.
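
Steps b and c of the procedure above, plus a check to run after the reboot, written as a script. This is an added example, not NETSCOUT or Dell code: the function names are hypothetical, and the demo runs on a constructed stand-in file rather than the real /etc/init.d/stealth.

```shell
#!/bin/sh
# Added example (not NETSCOUT or Dell code).

# Active (uncommented) form of the line named in step b.
CONNSVC_RE='^[[:space:]]*service[[:space:]][[:space:]]*dsm_om_connsvc[[:space:]][[:space:]]*restart'

# disable_connsvc_restart FILE
# Comments out every active "service dsm_om_connsvc restart" line in FILE.
# A timestamped backup is written only when the file is actually changed,
# so running the function twice is harmless. Returns 0 when no active
# restart line remains, non-zero otherwise.
disable_connsvc_restart() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if grep -q "$CONNSVC_RE" "$file"; then
        cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
        tmp=$(mktemp) || return 1
        sed "/$CONNSVC_RE/s/^/# /" "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
        # Write back through cat so the init script keeps its owner and mode.
        cat "$tmp" > "$file" || { rm -f "$tmp"; return 1; }
        rm -f "$tmp"
    fi
    ! grep -q "$CONNSVC_RE" "$file"
}

# webui_listening
# Reads `ss -ltn` output on stdin and succeeds if a TCP listener on the
# OMSA WebUI port (1311) is present. After the reboot in step d it should fail.
webui_listening() {
    awk '$1 == "LISTEN" && $4 ~ /:1311$/ { found = 1 } END { exit !found }'
}

# Demo on a constructed stand-in for /etc/init.d/stealth (contents are made up).
demo=$(mktemp)
printf '%s\n' '#!/bin/sh' 'start() {' '    service dsm_om_connsvc restart' '}' > "$demo"
disable_connsvc_restart "$demo" && cat "$demo"
rm -f "$demo" "$demo".bak.*
```

On the server, run `disable_connsvc_restart /etc/init.d/stealth` as root and, after the reboot, `ss -ltn | webui_listening`.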

B.1.3 Collecting System Information with DSET


Customers with nGeniusONE servers based on the Dell PowerEdge platform may be asked to
use this tool to collect hardware, storage and operating system information into a single system
configuration report that Customer Support can use for troubleshooting. DSET is a small, non-
intrusive tool that can collect information about Linux modules, services, network settings, and
system logs. It can also be used to collect extended hardware information such as processors,
memory, PCI cards, ESM log, BIOS/firmware versions, system health (fan/voltage levels), and storage
configuration information (RAID controllers, hard drives).

DSET generates the report in ZIP archived/compressed format and saves the file in the root
home directory. The name of the zip file includes “DSET,” “Report,” and the name of the server, as
illustrated in the output example below.

Note:
• DSET is installed in /opt/dell/advdiags/dset.
• Use of this tool requires root privileges.
• To view the report, unzip the file using dell as the password, then open the output
  dsetreport.htm file in a web browser.
  unzip <reportname> -d <anydirectory>
• For details on working with DSET, refer to resources on the Dell website:
  ◦ https://www.dell.com/support/manuals/us/en/04/dell-systm-esuprt-tool-v3.7/dset37ug-v1/dell-system-e-support-tool-dset-version-370-users-guide
  ◦ https://topics-cdn.dell.com/pdf/dell-systm-esuprt-tool-v3.7_users-guide_en-us.pdf

v3.7

dellsysteminfo -s --idracIPaddress -r --reportname

dellsysteminfo -s --10.20.218.60 -r --/tmp/foo.zip

Example:
./dellsysteminfo

[root@newLocal srvadmin]# dellsysteminfo


Dell System E-Support Tool
@Copyright Dell Inc. 2004-2007 Version 1.5 build 120
NOTE: Customer information has not been specified yet.
This information is optional but it can assist Dell Technical Support.
Enter your company name: NETSCOUT
Enter an e-mail address: user@netscout.com
* Getting Linux operating system configuration information ...
Gathering Boot Information ...
Gathering Module Information ...
Gathering Memory Information ...
Gathering Storage Information ...
Gathering Network Information
Gathering Summary Information ...
* Collecting Dell OpenManage information ... [Please wait]
* Gathering chassis information...
* Gathering System Summary Information...
* Gathering Motherboard Information...
* Gathering DRAC Information...
* Gathering storage information...
Note: Scanning for supported SCSI or RAID controllers... [please wait]
* Collecting storage information...
* Gathering OpenManage logs...
* Collecting various OpenManage logs...
* Collecting various system logs and configuration files ...
* Compressing report...
A compressed, encrypted ZIP report archive was saved at: /root/DSET_Report_for_NETSCOUT[newLocal-SvcTag-G5YGVC1-PER710].zip
Syntax: unzip <reportname> -d <anydirectory>
* Report creation completed successfully

B.1.4 Using the PERC Utility to Rebuild a Virtual Drive


The storage configuration on NETSCOUT’s Dell-based appliances includes the OS and storage on
a single volume, set up in a redundant RAID-5 configuration. This configuration will continue to
operate if one disk fails, so you should be able to operate continuously (although without
redundancy) while you are awaiting a replacement drive, if one fails. With guidance from
Customer Support, you can insert the replacement disk that will be rebuilt automatically into the
RAID-5 array.

However, in the event more than one drive in the array fails (as may occur if you are running the
system while waiting for a replacement disk), you may need to rebuild the volume. Your
appliance includes a BIOS level utility to support this. Use the procedure below to rebuild the
virtual disk, after which you can proceed with reinstalling the OS and application software.

Important: This procedure initializes the volume; any data on the target volume is
destroyed.

For more comprehensive guidance, refer to Dell Documentation:

• https://topics-cdn.dell.com/pdf/poweredge-rc-h330_users-guide_en-us.pdf
• https://topics-cdn.dell.com/pdf/dell-sas-hba-12gbps_reference-guide_en-us.pdf

B.1.4.1 PERC BIOS Navigation Tips


• TAB (and Shift + TAB) and Arrow keys for navigation
• Space Bar key to toggle options
• ENTER key to select
• Ctrl-N and Ctrl-P to move between the tabs of the utility
• ESC key to exit to the previous screen or exit the utility
• F1 for help

B.1.4.2 Rebuilding the Virtual Drive


The procedure below is illustrated using the PERC H730P Mini BIOS Configuration Utility
provided with R730-based appliances. For other models, this procedure can be used as a
guideline.

1. Access the appliance using a direct physical console or the iDRAC Virtual Console.
2. Reboot the appliance. (From the iDRAC Virtual Console, use the Power menu option to
Reset System or Power Cycle System, as needed).
3. During the boot sequence, watch carefully for the BIOS prompts and press Ctrl-R to enter
the PERC Mini BIOS Configuration Utility. The first tab (VD Mgmt) should be active. If it is
not, use Ctrl-P to navigate to it.
4. The row with Virtual Disk 0 should be highlighted. Use arrow keys to navigate up and
select the parent row. (This is the Controller for this Virtual disk set; see example in screen
shot below).
5. Press the F2 key to display a contextual menu of available operations (the options
available vary depending on the current screen and selected value).
6. Use the arrow keys to select Clear Config, then press the Enter key.


7. A dialog warns you that selecting this option will delete all the virtual disks. Tab to the Yes
button, then press the Enter key. The unconfigured Virtual Disks are listed as shown
below, with the first disk highlighted:


8. Ensure the correct number of disks is displayed. If you do not find the correct number,
contact Customer Support before proceeding. Otherwise, use arrow keys to navigate up
and select the PERC Mini controller again.
Note: The number of drives listed depends on the configuration of your system; for
example, a 3TB configuration has six 500GB disks, a 5TB configuration has six 931GB
disks, and a 10TB configuration has five 2TB disks.
9. Press the F2 key to display the operations menu.

10. Select the menu option to Create new VD (Virtual Disk), then press the Enter key. A new
screen displays with configuration options.


11. If it is not already highlighted, use the Tab key to navigate to the RAID Level field, which
should be set to RAID-0. Press the Enter key to display a pick list of RAID options. Use
arrow keys to scroll down and highlight RAID-5. Press the Enter key.
12. Press Tab to navigate to the Physical Disks configuration block.
13. When the first disk is highlighted, press the Space Bar to place an “X” in the box
immediately to the left of the Drive ID and to advance to the next drive. Do this for each
disk to include in the RAID array. You can also use arrow keys to navigate the list.
14. Press Tab to navigate to the VD Name field, then type Virtual Disk 0. (Note: The “VD Size”
field is automatically filled in).
15. Press Tab to navigate to the OK button, then press Enter.


16. A reminder message displays, recommending that the volumes be initialized. (This is not
done automatically). Tab to the OK button and press Enter to acknowledge the message
and continue.
17. From the main VD Mgmt tab, use arrow keys to navigate to the row with the new Virtual
Disk 0, if it is not already selected.


18. Press the F2 key to open the configuration menu.


19. Select Initialization.
20. Select Start Init.
Note: Do not select “Fast Init.”
21. A dialog warns that this procedure will destroy data on the disk. Tab to YES, then press
Enter to proceed. Allow the volume to completely initialize before performing any other
tasks. This will take up to 4 hours. The current operation (Init.) and progress are reported
in the upper right section of the screen under Virtual Disk 0 – see the highlighted portion
of the figure below:


Note: The Virtual Disk must be COMPLETELY initialized BEFORE proceeding with further
operations.
22. After initialization is complete, a dialog displays to confirm Initialization completed with
OK highlighted. Press Enter to confirm.
23. Verify that your configuration matches the expected number of disks and capacity. The
figure below shows the configuration for a 5TB system – six Physical Disks and a total
capacity of 4655.00 GB. Similarly, for other server models:
3TB systems – six Physical Disks and a total capacity of 2326.65 GB.
10TB systems – five Physical disks and a total capacity of 7450.00 GB.


24. Press the Esc key, tab to OK, and press Enter to confirm that you want to exit the RAID
utility.
25. If you are accessing the BIOS from a local, physical console, use Ctrl-Alt-Del to reboot the
server. If you are accessing from an iDRAC Virtual Console, use the Power menu and select
the Reset System option.
26. Monitor the reboot and verify that the server finds one Virtual Drive as depicted below.


B.2 NETSCOUT Tools


This chapter provides an overview of utilities that may be available on your nGeniusONE server
product.
• exportcliv2
• nGeniusSQL
• nscertutil
• techsupp
• websecure

B.2.1 exportcli
B.2.1.1 Using the exportcliv2 Utility
nGeniusONE provides the exportcliv2 utility to export packets stored on monitoring data
sources. The exportcliv2 utility:
• Allows you to export packets that are stored on InfiniStream appliances using the Manage port (eth0).
• Executable is available at: <InfiniStream or nGeniusONE install>/rtm/pa/bin.
• Can be downloaded to, and used on, your Desktop, or any third-party server, by downloading packages from: <InfiniStream or nGeniusONE install>/rtm/pa/util.

Note: NETSCOUT recommends that you read this entire topic before you attempt to export
packets.


Usage Guidelines

The exportcliv2 utility has this syntax:

<path># ./exportcliv2 [-c <config_file>] -u <username> [-p <password>] [-h]
    [-F <path>/<file_name>] [-f "<filter_regex>"] [-S <slice_size>]
    [-L <pcap_file_limit>] [-z <trace_type>] [-t <time_split>] [-D <disk_tol>]
    [-C] [-o] -d <export_file_name> -n <data_source_ip_address> -i <ifn>
    -B <start_time> -E <end_time>

Usage Example 1a - Using a filter file, with short form syntax options and explicit interface
parameters:
# ./exportcliv2 -u administrator -h -F filter_file -d /root/datafile -n 192.168.1.1 -i 3 -B 11:00 -E 12:00

Usage Example 1b - Using regular expression (regex) format, with short form syntax options and
implicit interface parameters:
# ./exportcliv2 -u administrator -h -f "ip==1.2.3.4 and port==80" /root/datafile 192.168.1.1 3 13:05:30 13:10:30

Usage Example 1c – Using trace conversion and size based file split, with long form syntax
options and implicit interface parameters:
# ./exportcliv2 --username=administrator --tracetype=pcap-ng --filelimit=100 /home/datafile 192.168.1.1 3 13:05:30 13:10:30

Usage Example 2a – Using continuous export for 10 days in future, disk tolerance and time
based file split, with short form syntax options and implicit interface parameters:
# ./exportcliv2 -u administrator -C -D 100 -t 300 /home/datafile 192.168.1.1 3 2020-01-01/06:00 2020-01-11/06:00

Usage Example 2b – Using continuous export for infinite future time, disk tolerance and time
based file split, with short form syntax options and explicit interface parameters:
# ./exportcliv2 -u administrator -C -D 100 -t 300 -d /home/datafile -n 192.168.1.1 -i 3 -B 11:00 -E -1

Usage Example 3a - Using a configuration file (see Creating a Configuration File for the -c Syntax
Option), with short form syntax option:
# ./exportcliv2 -c zeewires.txt 192.168.1.1 3 10:00 11:00

Usage Example 3b - Using a configuration file (see Creating a Configuration File for the -c Syntax
Option), with long form syntax option:
# ./exportcliv2 --configfile=fullquery.cfg

To stop a currently executing export operation, press Ctrl+C.

The following table describes the exportcliv2 command syntax options, some of which have a
short form and a long form. When you use long form options:
• In a command line: each has a two-dash prefix (--).
• Inside a configuration file: each omits the prefix and has an equal sign suffix (=). See Creating a Configuration File for the -c Syntax Option.

Option (Short Form, Long Form)
    Description

Not applicable, --version
    (Optional) Use alone to identify the version number of the exportcliv2 tool that you are using. Example:
        # ./exportcliv2 --version
        ExportCLIv2 Version: 16.5.550

-c, --configfile
    (Optional) Precedes the complete path of a configuration file. A configuration file allows you to specify:
    • Command line syntax options, in long form only, in a convenient text file for reusability.
    • Packet modification operations: VLAN stripping, slicing, chopping, stripping, and masking.
    Refer to Creating a Configuration File for the -c Syntax Option for information on configuration files.

-u, --username
    Precedes an nGeniusONE user name: <username>.

-p, --password
    (Optional) Precedes an nGeniusONE user (-u) password: <password>.
    If you do not include the password in your exportcliv2 command execution, the system prompts you for the password.

-h, --ssl
    (Optional) If you:
    • Use -h or --ssl in the command, or ssl=1 in a configuration file, SSL is on. The InfiniStream appliance uses SSL/port 443 between the exportcliv2 utility and the specified InfiniStream appliance for data communication.
    • Do not use -h or --ssl in the command, or use ssl=0 in a configuration file, SSL is off.

-F, --filterfile
    (Optional) Precedes the directory path and file name (<path>/<file_name>) of a filter file with which you want to filter export results. The filter file resides on the same device as the exportcliv2 utility. You can include up to four filters in a single filter file with split PCAP (see Multiple Filter Support with Split PCAP for more information).
    Note: You cannot use this option if you are using the -f option.

-f, --filterregex
    (Optional) Precedes a filter specified in regular expression (regex) format. Examples:
    • "ip==10.2.3.4 and port==80"
    • "(ip==10.2.3.4 or ip==10.2.3.5) and port==80"
    Filters can be created using any regular expression elements (see Support Guidelines). The regular expression format is identical to the format used in the nGeniusONE Packet Analysis module.
    You can copy filters you create in the Packet Analysis Filter Constructor UI to the exportcliv2 command line; however, the benefit of using the -f option is that it removes the need to first create and save filters in Packet Analysis for subsequent use in the exportcliv2 tool.
    Note: You cannot use this option if you are using the -F option.
    Note: The exportcliv2 tool supports up to four conversation filters (a single conversation filter can be: IP1+IP2+Port1+Port2) using the -f option.

-S, --slicesize
    (Optional) If you:
    • Use -S or --slicesize in the command, or --slicesize=<num> in a configuration file, you must specify a slice size that you want to apply to the exported packets.
    • Do not use -S or --slicesize, or --slicesize=<num> in a configuration file, you cannot specify a slice size, and the user-assigned slice size specified in nGeniusONE is applied.

-L, --filelimit
    (Optional) Precedes a number that indicates the maximum size, in MB, of the files into which you want the output .pcap file to be broken up. For example, if you enter -L 100, the exported PCAP file is broken up into one or more 100MB PCAP files.

-z, --tracetype
    (Optional) Specifies the trace type you want to export, where <trace_type> can be:
    • pcap-nano (default). For this type, the output file has the .pcap extension.
    • pcap-micro. For this type, the output file has the .pcap extension.
    • pcap-ng. For this type, the output file has the .pcapng extension.

-t, --timesplit
    (Optional) Splits the output trace file at the interval given by timesplit, in units of seconds.

-D, --disktol
    (Optional) Sets the disk tolerance, in GB. Packet export is stopped if available disk space is less than the specified value.

-C, --continuous
    (Optional) Use this switch to enable continuous packet export (default = disable).

-o, --overwrite
    (Optional) Precedes a previously saved output .pcap file name that you want to overwrite. By default, an overwrite of .pcap files is not allowed.

-d, --datafile
    The directory path and filename in which the exported packets are to reside. Example: <InfiniStream install>/rtm/data/trace.pcap.
    The exported packet file format is NanoSec PCAP format, if you do not use the -z syntax option to specify pcap-micro or pcap-ng format.
    This parameter can also be specified on the command line without an option specifier, as in usage Example 1b.

-n, --networkaddr
    The IP address of the InfiniStream appliance that holds the packets you want to export. The IP address must be in dotted decimal format.
    This parameter can also be specified on the command line without an option specifier, as in usage Example 1b.

-i, --interface
    The interface number, or comma separated list of interfaces, of the InfiniStream appliance from which you want to export packets. Examples:
    • 3
    • 3,4,5
    This parameter can also be specified on the command line without an option specifier, as in usage Example 1b.

-B, --begintime
    The time you want to begin the packet export, up to the millisecond level, in a variety of formats. For example, the time can be specified in any of these ways:
    • Unix Time in Epoch, example:
        1095379198015
    • Date/Time String, examples:
        2004-09-16/23:59:58
        2004-9-16/23:59:58.015
        23:59:58.015
        23:59:58
        23:59
    Note: The timezone applied to your export command is the local time of the host environment.

-E, --endtime
    The time you want to end the packet export (use the same format as specified for <start_time>).
    If you want to run packet export continuously using option -C, you can set this value to -1, indicating no future end time. Refer to Continuous Packet Export (24/7) for more information.
    This parameter can also be specified on the command line without an option specifier, as in usage Example 1b.

-V, --verbose
    (Optional) If you set this to N/n, it stops displaying the progress output on the console (default = Y).

Continuous Packet Export (24/7)


The exportcliv2 utility supports processing the packets continuously and can be run as a 24/7
task.

This feature can be enabled by using option -C.

Because continuous export creates a large output trace file, it is a best practice to split the
output trace file by size or time using options (-L or -t).

In addition, you can use the -D option to set the disk tolerance level to limit the packet export.

Example 1: Finite Future Time

Usage Example 2a above turns on continuous export with option -C, splits the output trace
file at intervals of 300 seconds (specified by -t 300), and stops the export if available disk
space is less than 100 GB (specified by -D 100).

Note: The end time has a finite difference of 10 days from the start time. The start time itself
can be past, current, or future.

Example 2: Infinite Future Time

Usage Example 2b above turns on continuous export with option -C, splits the output trace
file at intervals of 300 seconds (specified by -t 300), and stops the export if available disk
space is less than 100 GB (specified by -D 100).

Note: The end time is specified by -1, which indicates that the export should run forever. The
start time itself can be past, current, or future.

Packet Modification Operations


You can add any of these optional packet modification operations to a configuration file, where
the operations are performed sequentially (according to how they are listed in your
configuration file) on the packets after they are exported:

Packet Modification Operation
    Description

slicing=<num_of_bytes>
    Slices the exported packets into the number of bytes you specify.
    Example: slicing=128 indicates that exported packets are sliced into 128 bytes.

chopping=<num_of_bytes>
    Chops the number of bytes you specify from the end of the exported packets.
    Example: chopping=4 indicates that 4 bytes are removed from the end of the exported packets.

stripping=<offset_num>/<num_of_bytes>
    Removes the number of bytes you specify from the exported packets, starting at the offset you specify.
    Example: stripping=70/4 indicates that 4 bytes are removed, starting at offset 70, from the exported packets.

masking=<offset_num>/<num_of_bytes>/<replace_with_char>
    Replaces the number of bytes you specify with the character you specify, starting at the offset you specify. For example, this allows you to hide IMSI and IMEI information from end users.
    Example: masking=50/12/x indicates that 12 bytes are each replaced with the character x, starting at offset 50, within the exported packets.

vlan_stripping=<1|0>
    Enables or disables VLAN stripping. A maximum of 8 cascaded VLANs are supported with these VLAN tags:
    • 0x8100
    • 0x9100
    • 0x88A8
    VLAN stripping works only with those tags; if you are using a different VLAN tag, contact Customer Support.
    Example: vlan_stripping=1 indicates that VLAN stripping is enabled and applied to the exported packets.
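
Because the operations run in the order they are listed, an offset-based operation such as masking must be written against the packet layout left by the operations before it. The following Python model is an added illustration, not NETSCOUT code: the function names, the constructed sample frame, the reading of slicing as truncation, and the assumption that offsets count from the first byte of the frame are all assumptions made here.

```python
# Added illustration (not NETSCOUT code): a model of the {process} packet
# modification operations described above. Function names, the sample frame and
# the reading of "slicing" as truncation to N bytes are assumptions; offsets are
# assumed to count from the first byte of the frame.

VLAN_TPIDS = {0x8100, 0x9100, 0x88A8}  # the VLAN tags the guide lists as supported
MAX_VLANS = 8                          # maximum number of cascaded VLANs in the guide


def strip_vlans(pkt: bytes) -> bytes:
    """Remove up to MAX_VLANS cascaded 4-byte VLAN tags after the two MAC addresses."""
    out = bytearray(pkt)
    for _ in range(MAX_VLANS):
        if len(out) < 18 or int.from_bytes(out[12:14], "big") not in VLAN_TPIDS:
            break
        del out[12:16]  # TPID (2 bytes) + TCI (2 bytes)
    return bytes(out)


def apply_operation(pkt: bytes, line: str) -> bytes:
    """Apply one name=value operation line to a single packet."""
    name, _, value = line.strip().partition("=")
    if name == "slicing":
        return pkt[:int(value)]
    if name == "chopping":
        return pkt[:max(len(pkt) - int(value), 0)]
    if name == "stripping":
        offset, count = (int(v) for v in value.split("/"))
        return pkt[:offset] + pkt[offset + count:]
    if name == "masking":
        offset, count, char = value.split("/")
        if len(char) != 1:
            raise ValueError("masking needs exactly one replacement character")
        start = min(int(offset), len(pkt))
        end = min(start + int(count), len(pkt))
        return pkt[:start] + char.encode("ascii") * (end - start) + pkt[end:]
    if name == "vlan_stripping":
        return strip_vlans(pkt) if value == "1" else pkt
    raise ValueError(f"unknown packet modification operation: {name!r}")


def process(pkt: bytes, config_text: str) -> bytes:
    """Apply, in file order, the operations listed after the {process} specifier."""
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "{process}":
            in_block = True
        elif in_block and line:
            pkt = apply_operation(pkt, line)
    return pkt


def sample_frame() -> bytes:
    """Constructed Q-in-Q frame carrying a made-up test IMSI, plus a 4-byte trailer."""
    macs = bytes.fromhex("020000000001020000000002")
    tags = bytes.fromhex("88a80064" "8100026c")  # outer VLAN 100, inner VLAN 620
    payload = b"HDR:" + b"001010123456789" + b":END"
    return macs + tags + bytes.fromhex("0800") + payload + bytes.fromhex("deadbeef")


# Tags are removed and the trailer chopped first, so offset 18 is the identifier.
GOOD_ORDER = """\
ssl=1
{process}
    vlan_stripping=1
    chopping=4
    masking=18/15/x
"""

# Same operations, but masking runs before the VLAN tags are removed, so
# offset 18 points at different bytes and part of the identifier survives.
BAD_ORDER = """\
ssl=1
{process}
    masking=18/15/x
    vlan_stripping=1
    chopping=4
"""

if __name__ == "__main__":
    for label, cfg in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label, process(sample_frame(), cfg)[12:])
```

With the second ordering, the last eight digits of the constructed identifier remain in the output, which is the kind of result worth checking for on a sample export before handing masked traces to end users.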


Creating a Configuration File for the -c Syntax Option


Using the -c (or --configfile) option allows you to:
• Create and execute a shortened version of the exportcliv2 command line. In the configuration file, you list syntax options and values using the long forms only (without the -- prefix and with the = suffix); see Configuration File Examples.
• Include non-mandatory packet modification options in your command execution. Any packet modifications you include are performed after the packets are exported. The packet modifications are executed in sequential order according to their placement in the configuration file. Refer to Packet Modification Operations for more information.
• Add the block specifier {process} before listing the set of packet modification operations in the configuration file. See Example 2 below.

Configuration File Examples

Examples of valid configuration file names are: abc.cfg, myconfig, zeewires.txt.

Example 1 - Configuration file zeewires.txt:


    username=administrator
    password=password
    ssl=1
    overwrite=1
    filterfile=export.eflt
    tracetype=pcap-micro

In Example 1, the username and password are specified, SSL is on, overwrite is on, the filter file is
specified, and the packets are exported as micro PCAP type.

Example 2 - Configuration file myconfig:


    username=administrator
    password=password
    ssl=0
    overwrite=1
    filterfile=export02.eflt
{process}
    vlan_stripping=1
    chopping=4

In Example 2, the username and password are specified, SSL is off, overwrite is on, a different
filter file is specified than seen in Example 1, the packets are exported as nano PCAP type
(default value), the block specifier {process} is added for packet modification operations, VLAN
stripping is on, and 4 bytes are chopped from each packet.

Example 3 - Configuration file fullquery.cfg:


    username=administrator
    password=password
    overwrite=1
    continuous=1
    datafile=/root/export/filename
    networkaddr=10.10.10.66
    interface=3
    begintime=01:00
    endtime=-1
    timesplit=300
    disktol=100

In Example 3, the username and password are specified, overwrite is on, continuous export is
enabled, the file name on the InfiniStream that will contain the exported packets is specified, the
address of the InfiniStream that the exported packets will be exported from is specified, the
interface number of the InfiniStream is specified, the start time is specified, the end time
indicates infinite future time, the exported packets will be split every 300 seconds, and the disk
tolerance is set at 100 GB.
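
All three example files keep the nGeniusONE password in the file, and Example 2 turns SSL off. The following Python review helper is an added example, not NETSCOUT code: it parses the configuration format shown above and reports a stored password, file permissions that expose it, SSL being off, and continuous export without the split and disk tolerance settings this guide recommends. The function names and finding codes are assumptions.

```python
# Added example (not NETSCOUT code): reviews an exportcliv2 configuration file
# in the format shown above. Function names and finding codes are assumptions.
import os
import stat

# Long-form option names from the syntax table in this guide.
KNOWN_OPTIONS = {
    "username", "password", "ssl", "filterfile", "filterregex", "slicesize",
    "filelimit", "tracetype", "timesplit", "disktol", "continuous", "overwrite",
    "datafile", "networkaddr", "interface", "begintime", "endtime", "verbose",
}


def parse_config(text):
    """Return (options, operations): pairs before {process}, ordered pairs after it."""
    options, operations, in_process = {}, [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == "{process}":
            in_process = True
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected name=value, got {line!r}")
        if in_process:
            operations.append((name, value))
        else:
            options[name] = value
    return options, operations


def audit_config(text, file_mode=None):
    """Return a list of (code, detail) findings for one configuration file."""
    options, _operations = parse_config(text)
    findings = []
    for name in options:
        if name.startswith("-"):
            findings.append(("dash-prefix", f"{name}: options drop the -- prefix in a file"))
        elif name not in KNOWN_OPTIONS:
            findings.append(("unknown-option", f"{name}: not a long-form option in the table"))
    if "password" in options:
        findings.append(("password-in-file", "password is stored in clear text"))
        if file_mode is not None and file_mode & 0o077:
            perms = stat.S_IMODE(file_mode)
            findings.append(("password-file-readable",
                             f"mode {perms:o} gives group/other access to the password"))
    ssl = options.get("ssl")
    if ssl == "0":
        findings.append(("ssl-off", "ssl=0 turns SSL off for the export"))
    elif ssl is None:
        findings.append(("ssl-not-set", "SSL is off unless -h/--ssl is given on the command line"))
    if options.get("continuous") == "1":
        if not options.keys() & {"timesplit", "filelimit"}:
            findings.append(("continuous-no-split", "no timesplit or filelimit to split the trace"))
        if "disktol" not in options:
            findings.append(("continuous-no-disktol", "no disk tolerance to stop the export"))
    return findings


def audit_file(path):
    """Audit a configuration file on disk, including its permission bits."""
    with open(path, encoding="utf-8") as handle:
        return audit_config(handle.read(), os.stat(path).st_mode)


# Example 2 (myconfig) and Example 3 (fullquery.cfg) as printed in this guide.
MYCONFIG = """\
    username=administrator
    password=password
    ssl=0
    overwrite=1
    filterfile=export02.eflt
{process}
    vlan_stripping=1
    chopping=4
"""

FULLQUERY = """\
    username=administrator
    password=password
    overwrite=1
    continuous=1
    datafile=/root/export/filename
    networkaddr=10.10.10.66
    interface=3
    begintime=01:00
    endtime=-1
    timesplit=300
    disktol=100
"""

if __name__ == "__main__":
    for label, text in (("myconfig", MYCONFIG), ("fullquery.cfg", FULLQUERY)):
        for code, detail in audit_config(text, 0o100644):
            print(f"{label}: {code}: {detail}")
```

Leaving password out of the file avoids the first two findings, since the guide states that exportcliv2 prompts for the password when none is supplied.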

Multiple Filter Support with Split PCAP

Instead of multiple export jobs, you can apply multiple filters (up to four) with a single exportcliv2
execution so that one PCAP file is created for each filter. Packets are processed only once, which
provides better performance when applying multiple filters. To enable this tool enhancement,
new tags are used:
• PCAP file name tag: pcap=<"pcap_filename">
• Filter ID tag: filterid=<"id">

This sample filter configuration, with the new tags that support multiple filters in the same
export query, shows two filters:

The sample filter configuration would produce two exportcliv2 command output files:
• <export_filename>-test1.pcap
• <export_filename>-test2.pcap

Support of Interface Number as a Filter

In addition to the above multiple filter support, you can export data for the same time duration
for different interfaces, along with different filters on each interface, with this filter configuration:


Support Guidelines
• The exportcliv2 utility is supported on:
  o Windows 7 or Windows Server 2008, or higher, based server.
    Note: Windows required prerequisite: The Windows system should have installed Microsoft Visual C++ 2015 Redistributable Package (x86) [2015 vcredist_x86.exe] to avoid Windows systems errors.
  o Linux-based server running RedHat 6.0 and higher, Fedora 18.0 and higher, or CentOS 6.0 and higher.
• The exportcliv2 tool natively supports 64-bit operating systems.
• The Windows executable file is digitally signed with the NETSCOUT Digital certificate.
• These filter terms are not supported in the exportcliv2 tool and in the Packet Analysis Filter Constructor:
  o ipv4.tos
  o ipv6.tos
  The filter term ip.tos is supported.

Authentication Guidelines

If your nGeniusONE server is configured in secure HTTPS/SSL mode, you must be aware of these
authentication guidelines before you perform export actions:
• The exportcliv2 utility uses nGeniusONE authentication. It discovers the nGeniusONE IP address for authentication based on the InfiniStream appliance IP address provided in the command line that you specify, and then applies user role settings (for example, slice-size settings) specific to the username.
• If nGeniusONE is configured to run on HTTPS/SSL and on a specific custom port, you must configure the information in the <InfiniStream install>/config/pmauth.config file on the InfiniStream appliance.
• To use InfiniStream appliance-based authentication when the nGeniusONE server is unavailable, change ALLOWLOCALFAILOVER to TRUE in the <InfiniStream install>/config/pmauth.config file on the InfiniStream appliance. Ensure that the user name is configured in InfiniStream.

Default:
<PMAUTH>
<USEPMAUTH>FALSE</USEPMAUTH>
<PMIP></PMIP>
<PMPORT>8080</PMPORT>
<SNMPPORT>162</SNMPPORT>
<PMPORTSECURE>8443</PMPORTSECURE>
<ALLOWLOCALFALLBACK>TRUE</ALLOWLOCALFALLBACK>
<ALLOWLOCALFAILOVER>FALSE</ALLOWLOCALFAILOVER>
</PMAUTH>

exportcliv2 Filtering Examples

Optionally, you can use the nGeniusONE console Packet Analysis > Data Mining module to
enter filter strings which allows you to verify that your filter syntax is correct (the filter field
background appears green), and then you can copy those filter strings and paste them in your
exportcliv2 command executions.

Example—Filtering for IPv4


1. (Optional) Create a filter for IPv4 in the nGeniusONE Packet Analysis > Data Mining
module:


2. (Optional) Save as joe_ipv4.

3. (Optional) Click joe_ipv4, then click to download the file as an .eflt file, then save the
file to your desktop.
4. Execute your exportcliv2 command in one of these ways:
• Using the filter string enclosed in quotation marks:
  # ./exportcliv2 -u administrator -f "ip==10.1.1.1 AND port==1047 OR ip==10.1.1.2 AND port==1047" -h 192.168.1.1 3 2016-3-1/18:00:00.000 2016-3-1/18:00:00.100
• Using the filter string enclosed in quotation marks and using symbols for the Boolean operators:
  # ./exportcliv2 -u administrator -f "ip==10.1.1.1 && port==1047 || ip==10.1.1.2 && port==1047" -h 192.168.1.1 3 2016-3-1/18:00:00.000 2016-3-1/18:00:00.100
• Using the file saved to your desktop (-F option is used):
  # ./exportcliv2 -u administrator -F joe_ipv4.eflt -h 192.168.1.1 3 2016-3-1/18:00:00.000 2016-3-1/18:00:00.100

Example—Filtering for IPv6


1. (Optional) Create a filter for IPv6 in the nGeniusONE Packet Analysis > Data Mining
module:


2. (Optional) Save as joe_ipv6.

3. (Optional) Click joe_ipv6, then click to download the file as an .eflt file, then save the
file to your desktop.
4. Execute your exportcliv2 command in one of these ways:
• Using the filter string enclosed in quotation marks:
  # ./exportcliv2 -u administrator -f "ip==ff02::1:2 OR ip==ff02:0:0:0:0:0:1:2" -h 192.168.1.1 3 2016-3-1/18:00:00.000 2016-3-1/18:00:00.100
• Using the filter string enclosed in quotation marks and using symbols for the Boolean operators:
  # ./exportcliv2 -u administrator -f "ip==ff02::1:2 || ip==ff02:0:0:0:0:0:1:2" -h 192.168.1.1 3 2016-3-1/18:00:00.000 2016-3-1/18:00:00.100
• Using the file saved to your desktop (-F option is used):
  # ./exportcliv2 -u administrator -F joe_ipv6 -h 192.168.1.1 3 2016-3-1/18:00:00.000 2016-3-1/18:00:00.100

Example—Filtering for VLAN

Execute your exportcliv2 command, filtering for vlan:


# ./exportcliv2 -u administrator -f "vlan==620" -h 192.168.1.1 3 2016-3-1/18:00:00.000 2016-3-1/18:00:00.100


B.2.2 nGeniusSQL
B.2.2.1 nGeniusSQL Command-line Scripts
NETSCOUT provides a means to use scripted SQL queries to obtain information about devices,
interfaces, and servers associated with your nGeniusONE server.

1. From the nGeniusONE server system, open a shell window or terminal console.
For Windows:
Log in to the Windows server with an account that has administrator privileges. (Do not
use a cloned version of the Administrator account.)
For Linux:
Access the system command-line as the root user. If you have logged in as a different user
and assumed privileges with su, be sure to use su -l <root account> so that the full
environment is instantiated before you proceed.
2. Navigate to the <nGeniusONE Install>/rtm/bin directory.
3. Enter the following command:
For Windows:
# nGeniusSQL.bat sqlscripts\postgressql\<reportname>.sql result.txt
For Linux:
# ./nGeniusSQL.sh sqlscripts/postgressql/<reportname>.sql result.txt
Where <reportname> is the script for the report you want to generate. You must provide
an output file name.
4. The results are written to the specified file in CSV format.

Available Scripts

The following scripts, stored on the server in <nGeniusONE
Install>/rtm/bin/sqlscripts/postgresscripts, may be used. Scripts of similar names in other
folders should not be used unless advised by Customer Support.

Report                  Description
AllTableSize            Lists size of tables in the data warehouse.
DatabaseVersion         Lists database version.
DeviceCapabilities      Lists devices and what they can monitor, for example, QoS, RMON, etc.
DeviceDetails           Lists all devices in the nGeniusONE Server including device names
                        and IP addresses.
DeviceDetailsSecure     Lists all devices in the nGeniusONE Server including device name,
                        IP address, and community strings.
DeviceInventory         Lists all device types.
ExternalAuthServers
GlobalSettings          Lists details for all applications monitored by the nGeniusONE Server.
InterfaceDetails        Lists all interfaces by device with descriptions.
InterfaceInventory      Lists all interface types with descriptions.
MonitoredElements       Lists all types of monitored elements and server processes.
Nfcprofiles
nGOneReport             Lists report names, owners, and other report parameters.
NsaMetaInfo
pgStatActivity
ProbeInterfaceDetails   Lists interface IP addresses and type details.
Scenes                  Lists names and details for UMC-based reports and templates.
ServerMap               Lists server details such as port numbers and build numbers.
showLocks
showPID_Query           Lists IDs for various server process queries, such as selecting
                        location keys or user names.
SwitchInterfaceDetails  Lists interface name, IP addresses and other parameters.
Users                   Lists current user names and corresponding details.

B.2.3 ngconfigsync
B.2.3.1 Using the nGConfigSync Script
After you modify a property in the common.properties file, run the nGConfigSync utility to
propagate the change to all affected properties files. Changes are propagated to the following
files as required:
• <nGeniusONE install>/rtm/html/client.properties
• <nGeniusONE install>/rtm/bin/globalmanager.properties
• <nGeniusONE install>/rtm/bin/serverprivate.properties
• <nGeniusONE install>/rtm/bin/admin/serverpublic.properties
• <nGeniusONE install>/tomcat/bin/tomcat.properties

Execute the nGConfigSync Utility

1. Stop the nGeniusONE Server.


2. Open a DOS command prompt or Linux terminal window and navigate to the
<nGeniusONE install>/rtm/bin directory. If you are running this utility for a NewsStand
Server, navigate to the <nGeniusONE install>/newsstand/bin directory.
3. Execute nGConfigSync.bat (Windows) or nGConfigSync.sh (UNIX).
Note: The nGConfigSync utility automatically backs up each of the five properties files.
Each time you run the utility, it overwrites any existing backup file. For example,
serverprivate.properties is copied to serverprivate.properties.backup when the utility is
run.
4. When the nGConfigSync utility finishes, restart the nGeniusONE Server. The parameter(s)
you changed are updated in the appropriate properties files.


B.2.4 nscertutil
B.2.4.1 Using nscertutil
The nscertutil tool manages certificates on the nGeniusONE server. Located in the <nGeniusONE
install>/rtm/tools directory, nscertutil allows users to:
• Create and import a self-signed certificate
• Import a certificate from a custom CA (Certificate Authority)
• Import a certificate from a known CA

The tool also:
• Validates that the key and certificate match.
• Prevents importing duplicate aliases into the truststore.
• Supports the PKCS#1 key.

For Linux servers, use the nscertutil.sh script. For Windows users, use nscertutil.bat.
• Option 1 prompts you to enter the following information for the CA: Country, State Code,
City Name, Organization Name, Organization Unit, Host Name, Email Address and number
of days until expiration. For the certificate, you will be prompted to enter the following
information: Country, State Code, City Name, Organization Name, Organization Unit, Host
Name, Email Address and Alias. The tool supports the option of importing output files into
the appropriate directories/files in nGeniusONE.
• Option 2 lets you import a custom CA.crt, certificate and key into nGeniusONE.
• Option 3 lets you import a signed certificate and key into nGeniusONE.
• Options 5-8 let you add or import .crt or .der files and clarify the format for each (ASCII Base64
and binary for .cer or .der).
• Option 11 lets you delete a certificate from the truststore.
• Option 12 lets you display any of the certificates in the truststore in human-readable
format.
• All servers in the deployment must use the same port number.
• If you are changing the server to a secured port, you must install a certificate. Use the
nscertutil tool to create and/or install a certificate.
• If you do use nscertutil, and your server is a child to another server (such as a Standby or
Secondary server), NETSCOUT recommends managing your certificates from the managing
/ primary server, and then copying that truststore to the other nodes in the deployment.

B.2.5 nstool
B.2.5.1 Working with the Server Map Table
The server map table contains the structure of your cluster in XML format, with key details for
each node. Most of these details are configured in Server Management, which is the
recommended place to make changes to the cluster / server identity. If you need to change the
type of server, say from Standalone to Global, you can use the procedure below to modify the
structure. You can also view the structure for informational purposes. The XML tags are
self-explanatory and can be helpful for the following:


• Identify the parent node of a child server. When a Standalone has been made a child node
or a Standby node, that child is displayed in the parent's Server Management GUI. So, from
the parent, the entire cluster is visible. The child node's Server Management GUI is
restricted to its own local environment, however, so the parent node for it is not displayed.
Since many configurations on a child node are read-only, such as Global Settings, you must
make those changes on the parent. If needed, you can view this file to locate the child's
parent server: search for the IP address of your child, then look for the <parent_id> tag
in this file.
• Identify which server in a cluster has reported a logged alarm. The alarm ID includes a
server ID as part of the value (such as 1-1085554032642).

Since this critical file is in XML format, modifications to it must be validated. The utility below
allows you to export, edit, and reimport with validation. If you only need to view the file, you can
skip using the utility and VIEW it (do not modify it) here: <nGeniusONE
install>/rtm/database/configxml/xml/server_map.xml.

Important: 
• Do NOT manually modify the production copy of the XML. If you believe the production
copy of the file is incorrect, you can delete it and restart the server processes. This
regenerates the file.
• Changes made with this procedure on the managing server are replicated to the child
servers.
• For a deployment with more than one server, start with the parent server first.
Otherwise you need to copy the modified map file to every child server and clear the old
map and import the modified map on every server in the cluster.
• Do NOT use this method to modify the port or any other entries in the file other than
the name and address. To modify a port number, instead refer to: websecure
1. Access the system command-line as the root user. If you have logged in as a different user
and assumed privileges with su, be sure to use su -l <root account> so that the full
environment is instantiated before you proceed.
2. Update /etc/hosts file with your changes to the nGeniusONE Server identity.
3. Save and exit the file.
4. Navigate to the <nGeniusONE install>/rtm/bin directory.
5. Stop the server.
6. Start the Server Map utility to export the current configuration: 
 # ./nstool.sh com.netscout.database.util.ServerTool
The following menu options display:
   1. Change Server Type
   2. Display the Server Map Table
   3. Export Server Map Table
   4. Import Server Map Table
   5. Erase Server Map Table
7. Enter option 3 (Export Server Map Table).
The exported file is saved to <nGeniusONE install>/rtm/bin/Server_Map.xml.
8. (Optional) Copy this file to a backup location.


9. Open Server_Map.xml using a text editor, and locate the <server_config> blocks with the
name and/or address that you want to change. Note that if you are modifying the values
for a Global Manager or Primary Server, you may need to locate the <server_config>
block for its companion LocalServer (with the same IP address), and repeat the edits.
Following is an example file, with some relevant blocks highlighted for readability.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ServerMap xsi:schemaLocation="http://www.netscout.com/server_map.xsd"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <server>
    <server_info>
      <id>1</id>
      <name>GlobalManager</name>
      <type>Global</type>
      <status>UP</status>
      <master>1</master>
      <Time_Zone>US/Eastern</Time_Zone>
      <registryBindnigName>MasterServiceManager</registryBindnigName>
    </server_info>
    <server_config>
      <address>10.20.160.14</address>
      <port>8080</port>
      <protocol>HTTP</protocol>
    </server_config>
    <parents_details>
      <parent_id>-1</parent_id>
      <secondary_global_ids/>
    </parents_details>
    <Description>Global Manager</Description>
    <Additional_Params>AlaramSupTime=3600,BackupCheckTimeout=3600</Additional_Params>
    <version_details>
      <server_version>
        <server_major_version>6.2.1.0</server_major_version>
        <server_minor_version> Build 494 </server_minor_version>
      </server_version>
      <decode_version>
        <decode_major_version>19.2</decode_major_version>
        <decode_minor_version> Build 189 </decode_minor_version>
      </decode_version>
    </version_details>
    <Licenses>
      <License name="SDM" Eval="10-31-19"></License>
      <License name="nEI" Eval="10-31-19"></License>
      <License name="analytics" Eval="10-31-19"></License>
      <License name="n1PM" Eval=""></License>
      <License name="ng1UC" Eval=""></License>
    </Licenses>
  </server>
  <server>
    <server_info>
      <id>2</id>
      <name>LocalServer</name>
      <type>Local</type>
      <status>UP</status>
      <master>0</master>
      <Time_Zone>US/Eastern</Time_Zone>
      <registryBindnigName>ServiceManager</registryBindnigName>
    </server_info>
    <server_config>
      <address>10.20.160.14</address>
      <port>8080</port>
      <protocol>HTTP</protocol>
    </server_config>
    <parents_details>
      <parent_id>1</parent_id>
      <secondary_global_ids/>
    </parents_details>
    <Description>Local Server</Description>
    <Additional_Params>AlaramSupTime=3600,BackupCheckTimeout=3600</Additional_Params>
    <version_details>
      <server_version>
        <server_major_version>6.2.1.0</server_major_version>
        <server_minor_version>Build 494</server_minor_version>
      </server_version>
      <decode_version>
        <decode_major_version>19.2</decode_major_version>
        <decode_minor_version>Build 189</decode_minor_version>
      </decode_version>
    </version_details>
    <Licenses>
      <License name="SDM" Eval="10-31-19"></License>
      <License name="nEI" Eval="10-31-19"></License>
      <License name="analytics" Eval="10-31-19"></License>
      <License name="n1PM" Eval=""></License>
      <License name="ng1UC" Eval=""></License>
    </Licenses>
  </server>
  <server>
    <server_info>
      <id>3</id>
      <name>MySuperStandby</name>
      <type>Standby</type>
      <status>UP</status>
      <master>0</master>
      <Time_Zone>US/Eastern</Time_Zone>
      <registryBindnigName>ServiceManager</registryBindnigName>
    </server_info>
    <server_config>
      <address>10.20.160.13</address>
      <port>8080</port>
      <protocol>HTTP</protocol>
    </server_config>
    <parents_details>
      <parent_id>2</parent_id>
      <secondary_global_ids/>
    </parents_details>
    <Description>server_note</Description>
    <Additional_Params>AlaramSupTime=3600,BackupCheckTimeout=3600</Additional_Params>
    <version_details>
      <server_version>
        <server_major_version>6.2.1.0</server_major_version>
        <server_minor_version>Build 494</server_minor_version>
      </server_version>
      <decode_version>
        <decode_major_version>19.2</decode_major_version>
        <decode_minor_version>Build 189</decode_minor_version>
      </decode_version>
    </version_details>
    <Licenses>
      <License name="analytics" Eval="10-31-19"></License>
      <License name="n1PM" Eval=""></License>
      <License name="nEI" Eval="10-31-19"></License>
      <License name="ng1UC" Eval=""></License>
      <License name="SDM" Eval="10-31-19"></License>
    </Licenses>
  </server>
</ServerMap>

10. Save and exit Server_Map.xml.


11. Restart the Server Map utility to erase the current map and import the modified map.
 # ./nstool.sh com.netscout.database.util.ServerTool
The following menu options display:
   1. Change Server Type
   2. Display the Server Map Table
   3. Export Server Map Table
   4. Import Server Map Table
   5. Erase Server Map Table
12. Enter option 5 (Erase Server Map Table) to erase the current server map from the
database.
13. Enter option 4 (Import Server Map Table) to import the server map you exported and
modified, above. The file must be named exactly as above and located in the bin folder.
The option to import does not allow you to specify a path and filename.


14. Enter q to exit nstool.


15. Restart the server. Wait about 15 minutes to verify replication to the child servers. If you
performed this procedure on a child server, copy the file to all other servers in the cluster
and repeat the steps to erase and import.
16. Log in to each child server and data source and modify the /etc/hosts files accordingly.
17. Ensure all DNS servers used by these servers and data sources have matching changes.
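
The lookups and the edit restriction described in this section, as an added Python example (not NETSCOUT code): it reads an exported Server_Map.xml, resolves a child's parent and an alarm's server, and reports any difference between the exported and edited copies outside name and address. The embedded map is trimmed from the guide's example, the edited values are constructed, and taking the server ID as the part of the alarm ID before the first hyphen is an assumption based on the sample value.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the guide's three-node example map, trimmed to the
# elements these helpers read.
EXPORTED = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ServerMap xsi:schemaLocation="http://www.netscout.com/server_map.xsd"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <server>
    <server_info><id>1</id><name>GlobalManager</name><type>Global</type></server_info>
    <server_config><address>10.20.160.14</address><port>8080</port></server_config>
    <parents_details><parent_id>-1</parent_id></parents_details>
    <Licenses><License name="SDM" Eval="10-31-19"></License></Licenses>
  </server>
  <server>
    <server_info><id>2</id><name>LocalServer</name><type>Local</type></server_info>
    <server_config><address>10.20.160.14</address><port>8080</port></server_config>
    <parents_details><parent_id>1</parent_id></parents_details>
  </server>
  <server>
    <server_info><id>3</id><name>MySuperStandby</name><type>Standby</type></server_info>
    <server_config><address>10.20.160.13</address><port>8080</port></server_config>
    <parents_details><parent_id>2</parent_id></parents_details>
  </server>
</ServerMap>"""

# Constructed edits: a rename plus re-address (allowed by the guide) ...
EDITED_OK = (EXPORTED.replace("MySuperStandby", "StandbyEast")
                     .replace("10.20.160.13", "10.20.160.23"))
# ... and the same edit with a port change slipped in (not allowed here).
EDITED_BAD = EDITED_OK.replace(
    "<address>10.20.160.23</address><port>8080</port>",
    "<address>10.20.160.23</address><port>8443</port>")

# The only fields the guide says may be changed with this procedure.
EDITABLE = {"server_info/name", "server_config/address"}


def _flatten(elem, prefix=""):
    """Yield (path, value) for every leaf element and attribute under elem."""
    for child in elem:
        path = f"{prefix}/{child.tag}" if prefix else child.tag
        if child.get("name"):  # e.g. <License name="SDM" ...>
            path += f"[{child.get('name')}]"
        for attr, val in sorted(child.attrib.items()):
            yield f"{path}@{attr}", val
        if len(child):
            yield from _flatten(child, path)
        else:
            yield path, (child.text or "").strip()


def load_servers(xml_text):
    """Map server id -> flattened fields; raises ET.ParseError if malformed."""
    root = ET.fromstring(xml_text)
    servers = {}
    for server in root.iter("server"):
        fields = dict(_flatten(server))
        servers[fields["server_info/id"]] = fields
    return servers


def parents_of(servers, address):
    """Return [(server name, parent name or None)] for each entry at address."""
    result = []
    for fields in servers.values():
        if fields.get("server_config/address") == address:
            parent = servers.get(fields.get("parents_details/parent_id"))
            result.append((fields["server_info/name"],
                           parent["server_info/name"] if parent else None))
    return result


def server_for_alarm(servers, alarm_id):
    """Name of the server that logged the alarm, or None if unknown."""
    # Assumption: the server ID is the part before the first hyphen.
    server = servers.get(alarm_id.split("-", 1)[0])
    return server["server_info/name"] if server else None


def unexpected_changes(before_xml, after_xml):
    """List (server id, field, old, new) for edits outside name/address."""
    before, after = load_servers(before_xml), load_servers(after_xml)
    findings = []
    for sid in sorted(set(before) | set(after)):
        old, new = before.get(sid), after.get(sid)
        if old is None or new is None:  # a server block was added or removed
            findings.append((sid, "<server>",
                             "absent" if old is None else "present",
                             "absent" if new is None else "present"))
            continue
        for path in sorted(set(old) | set(new)):
            if path not in EDITABLE and old.get(path) != new.get(path):
                findings.append((sid, path, old.get(path), new.get(path)))
    return findings


if __name__ == "__main__":
    servers = load_servers(EXPORTED)
    print(parents_of(servers, "10.20.160.13"))
    print(server_for_alarm(servers, "1-1085554032642"))
    for finding in unexpected_changes(EXPORTED, EDITED_BAD):
        print("unexpected change:", finding)
```

Run the comparison against the backup copy from step 8 before the erase and import steps, since the erase removes the current map from the database.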

B.2.6 snmpv3script
B.2.6.1 Using the SNMPV3UserConfig Script
This script allows you to configure forwarding of alarms as SNMPv3 traps. Also see Configuring
SNMP Traps.

Supported protocols are:
• MD5 or SHA-1 authentication protocols
• DES, 3DES, or AES128 privacy protocols

To use the script:

1. Access the nGeniusONE server command line.


2. Edit the serverprivate.properties file and ensure that the following parameter is
configured as shown:
serverBasedAlarmSNMPVersion=SNMPV3
3. Save and exit the file.
4. Navigate to the tools folder (<nGeniusONE install>/rtm/tools).
5. Run the following script to write the server's authentication protocol, password, and privacy
password to a file:
SNMPV3UserConfig.sh | .bat <username> <authProtocol> <authPW> <privProtocol> <privPW>
For example:
SNMPV3UserConfig.bat/.sh admin MD5 myauthpassword AES128 myprivpassword

B.2.7 techsupp
B.2.7.1 Using the techsupp Tool
The nGeniusONE Server software uses log files to record transactions and events that occur
within the system. NETSCOUT provides a tool to generate a file that includes all log files and
system specifications, which Customer Support can use to help resolve issues.

Note: If the log files are very large, it's normal for the script to generate warning messages
and take several minutes to process.

To run the techsupp tool:


1. For Windows: 
Log in to the Windows server with an account that has administrator privileges. (Do not
use a cloned version of the Administrator account.)
For Linux:
Access the system command-line as the root user. If you have logged in as a different user
and assumed privileges with su, be sure to use su -l <root account> so that the full
environment is instantiated before you proceed.
2. Navigate to the <nGeniusONE install>/rtm/bin directory.
3. Execute the tool:
Windows — techsupp.bat [norm | html]
Linux — ./techsupp.sh [norm | html]
Where
• The norm option copies compressed logs into the <nGeniusONE install>/rtm/bin
directory
• The html option copies compressed logs into the <nGeniusONE install>/rtm/html
directory, where they can be accessed by navigating to https://<nGeniusONE
install>/:8443/logfiles.html.
The filename reflects the date and time it was created. In the following example using
norm on a Linux server, the file was created on 05/20/2016 (20160520) at 1:21 p.m. (1321).
Gathering logs completed
Location: <nGeniusONE install>/rtm/bin
Filename: 20160520-1321-SERVER13-PMlogs.tar.gz
4. Contact Customer Support and attach the compressed output file to the ticket.

B.2.8 websecure
B.2.8.1 Changing the Web Access Port with websecure
Use the websecure script to change the port number for use with web communications between
user systems and the server. This script updates all related nGeniusONE configuration files and
is applicable for changing the server's web access port to 80, 8080, 443, 8443, or any non-well-
defined port greater than 1023. If you set a non-well-known port greater than 1023, firewall
changes are required. If your environment requires changing the web server to use any other
port, contact Customer Support.

Note:
• All servers in the deployment must use the same port number.
• The script used in this procedure modifies nGeniusONE files, not system files such as
/etc/sysconfig/iptables. If you modified iptables, which may be required for some
environments, you must update it separately.
• If you are changing the server to a secured port, you must also install a certificate. Use
the nscertutil tool to create and/or install a certificate.


• If you do use nscertutil, and your server is a child to another server (such as a Standby or
Secondary server), NETSCOUT recommends managing your certificates from the
managing / primary server, and then copying that truststore to the other nodes in the
deployment.
• Supports well-known, nonstandard HTTP (80, 8080) and HTTPS (443, 8443) ports.
Websecure accepts a port number in the command line. Ports 80 and 8080 can be
configured only for HTTP, ports 443 and 8443 only for HTTPS.

Procedure
1. For Windows: Log in to the Windows server with an account that has administrator
privileges. (Do not use a cloned version of the Administrator account.)
For Linux: Access the system command-line as the root user. If you have logged in as a
different user and assumed privileges with su, be sure to use su -l <root account> so that
the full environment is instantiated before you proceed.
2. Navigate to the <NETSCOUT install>/rtm/bin folder.
3. Run the following script:
Windows: # websecure.bat -protocol <HTTP|HTTPS> -port <port>
Linux: # ./websecure.sh -protocol <HTTP|HTTPS> -port <port>
Provide the protocol and port number you want the web service to use. The script
automatically restarts the server.
4. To verify your change, access the server with the new port number and/or by accessing
Server Management and viewing the port number in the General Information tab.
5. By default, NETSCOUT's servers ship with iptables configured to allow ports 80, 8080, 443,
and 8443. If you had customized your iptables to restrict any of these, modify it again to
accept the new port.
6. Repeat this procedure for all servers in the deployment, using the same port number.

Changing the Port in a Global Manager or Dedicated Global Manager Environment

Follow these steps to change the ports in a Global Manager (GM) or Dedicated Global Manager
(DGM) environment:

1. Navigate to the <NETSCOUT install>/rtm/bin folder on the GM or DGM.


2. Update all the local servers managed by the GM or DGM:
Windows: # websecure.bat -protocol <HTTP|HTTPS> -port <port> -all
Linux: # websecure.sh -protocol <HTTP|HTTPS> -port <port> -all
Provide the protocol and port number you want the web service to use. The script
automatically restarts the servers.
3. Update the GM or DGM:
Windows: # websecure.bat -protocol <HTTP|HTTPS> -port <port>
Linux: # websecure.sh -protocol <HTTP|HTTPS> -port <port>
4. To verify your change, access the servers with the new port number and/or access Server
Management and view the port numbers in the General Information tab.


Validation:

You can use curl to validate the change without using a web browser, substituting http and https
as appropriate, and using the IP address:port number for the server you want to test.
# curl -I <http|s>://<server_ip_address:port>/ -k

If the port change was successful, you will see a response such as: 
HTTP/1.1 200 OK

For example:
# curl -I https://10.20.160.14:8443/ -k
HTTP/1.1 200 OK

If SSL is not enabled, the following output is reported:


curl: (35) SSL connect error

B.3 Ansible
NETSCOUT provides a base set of Ansible playbooks that lets you use Ansible to automate
deployment of nGeniusONE software to multiple hosts with a single command. You can use the
nGeniusONE Ansible Playbook to deploy nGeniusONE software to virtual or physical hosts
running any supported Linux versions.

B.3.1 Constraints
Consider these constraints for using Ansible with nGeniusONE:
• 6.3.2 is the baseline release. The Ansible package can be used for a fresh install of 6.3.2 or
an upgrade from 6.3.1 to 6.3.2.
• Only nGeniusONE, nGenius Performance Manager, and nGenius Configuration Manager
standalone are supported.
• Only Linux OS is supported. Windows OS is not supported.
• Ansible knowledge. NETSCOUT recommends that users acquire some basic Ansible
knowledge to optimize Ansible usage with nGeniusONE. See https://docs.ansible.com/.

B.3.2 Terminology
Term        Definition
Ansible     Simplest way to automate apps and IT infrastructure. Application Deployment +
            Configuration Management + Continuous Delivery.
Inventory   A collection of hosts that the user wants to manage via Ansible.
Playbook    A set of one or more tasks that Ansible executes on inventory.
Controller  The host from which the user runs Ansible playbooks.
./ansible   Path to which the user extracted Ansible.

See these sections about using Ansible to automatically install nGeniusONE to multiple hosts:
• nGenius Ansible Package
• Ansible Controller Prerequisites
• Setting up Ansible
• Ansible Playbooks

B.3.3 nGenius Ansible Package


Access the Ansible solution for nGenius products on the MasterCare Portal. The package name
uses this format:
nG1_Ansible_<product version>_<build#>.tar.gz

nGeniusONE deployment with Ansible follows the standard NETSCOUT recommendation that
the Global Manager is used as the controller in an nGeniusONE deployment, but Ansible can be
installed on any server and used as a controller. Acquire the Ansible nG1_Ansible_<product
version>_<build#>.tar.gz file and transfer it to your controller host. The package can be
deployed and unzipped/untarred to any path except the <nGeniusONE Install> directory or the
product's install path.

B.3.4 Ansible Controller Prerequisites 


The following prerequisites must be installed on the Ansible controller prior to
executing any playbooks.

Prerequisites / How to Install

Python

Check if you already have python 2.6 or higher, or 3.5 or higher
installed. If so, you can proceed.

python --version

# If your Python version is lower than the required versions of 2.6 or 3.5 then update ...
# Start by making sure your system is up-to-date:
# This step is recommended by the Ansible documentation
yum update

# If your python version is 2.x
yum update python
# If your python version is 3.x
yum update python3

# If no python is installed then install python 3
yum install python3

Ansible

# Check if you already have ansible installed and if not install it.
ansible --version

# To get Ansible for CentOS 7, first ensure that the fedora 7 EPEL repository is installed
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

# To get Ansible for Oracle Linux 8 or Red Hat 8, first ensure that the fedora 8 EPEL repository is installed
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

# Install ansible
yum install ansible

B.3.5 Setting up Ansible


Use the following sections to set up Ansible:
• Inventory File
• SSH Keys
• ansible.cfg
• Variables
• Package

B.3.5.1 Inventory File


An inventory file is how Ansible manages all remote hosts it configures. There are two options for
updating the inventory file:
• Manually with the topology knowledge of the system
• Playbook

The inventory file resides in ./ansible/inventory.txt as in the following example.

Example: ./ansible/inventory.txt 
# inventory file

#supported groups: globalmanager  localserver  standby  standalone
#trusted servers are not supported
#Note the local connection for the GM as the ansible solution is installed on the GM
#and therefore does not require a ssh connection to access it
#If the GM will not be the home of the ansible solution then adjust accordingly

#[controller]
#control ansible_connection=local

[globalmanager]
ng_gm_1 ansible_host=1.2.3.4  ansible_connection=local

[localserver]
ng_local_1 ansible_host=1.2.3.5
ng_local_2 ansible_host=1.2.3.6

[standby]
ng_standby_1 ansible_host=1.2.3.7
ng_standby_2 ansible_host=1.2.3.8

[standalone]
ng_standalone_1 ansible_host=1.2.3.9
ng_standalone_2 ansible_host=1.2.3.10

[standalonetype:children]
localserver
standby
standalone

[globalmanagertype:children]
globalmanager

[standalonetype:vars]
servertype=Standalone Server

[globalmanagertype:vars]
servertype=Global Manager

B.3.5.2 SSH Keys


Ansible accesses remote hosts via an SSH connection without requiring a
login/password. Instead, a public SSH key must be copied to each inventory host.

The first step is to generate an SSH key on the controller. This key is stored in the ~/.ssh folder.
ssh-keygen -t rsa

The next step is to copy the public key to each remote host.
# Run below from controller on each NG1 server
ssh-copy-id <remote host IP>

Next, verify that your SSH setup works. Below assumes you are in the ./ansible folder and your
inventory file is valid.
$ ansible -m ping all

B.3.5.3 ansible.cfg
The ./ansible/ansible.cfg file defines properties used by Ansible and helps to reduce the number
of command line arguments.
[defaults]
# Setting inventory path here allows user to not have to define -i <path to inventory file>
# on the command line
inventory = ./inventory.txt

# By default ansible will ssh to remote system as root, in the case that is not allowed
# then comment out remote_user and uncomment become_user
# which means playbook will ssh as the current user and then su to root once connected
remote_user=root

# This avoids that pesky ssh connection confirmation message
host_key_checking=false

B.3.5.3.1 Alternate User

The Ansible commands can be executed on the controller either as root or as an alternate
user. If the commands are not run as root, the same alternate username must be present on all
the servers in the inventory, and SSH keys must be set for that user. The sudoers files on all
servers, including the controller, must also be configured to allow the alternate user to execute
any command as root. The controller will SSH into the remote servers as the user executing the
command, but the command is executed using sudo on the remote server. This allows all
required nGeniusONE operations to be executed as root.

The mechanism for running commands as an alternate user is configured in the ansible.cfg file:
[privilege_escalation]
become=True
#become_method=sudo
#become_user=root
#become_ask_pass=False

By default, become=True, which causes commands to be executed as become_user (root by
default) on the remote server. See the Ansible Documentation for further
details: https://docs.ansible.com/ansible/latest/user_guide/become.html

Running as a non-root user has the advantage that an audit log is kept for commands executed
via sudo.
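
A check over the ansible.cfg settings from the two sections above, as an added Python example (not part of the NETSCOUT package): it flags disabled SSH host key verification, which leaves the controller unable to notice a substituted host, and direct root logins, which lose the sudo audit trail. Both embedded files are constructed from the listings in this guide; the account name ngdeploy is hypothetical.

```python
import configparser

# Constructed sample: the settings shown in the guide's ansible.cfg listings.
SHIPPED = """\
[defaults]
inventory = ./inventory.txt
remote_user=root
host_key_checking=false

[privilege_escalation]
become=True
#become_method=sudo
#become_user=root
"""

# Constructed hardened variant: a dedicated account (hypothetical name) that
# escalates with sudo, with SSH host keys verified.
HARDENED = """\
[defaults]
inventory = ./inventory.txt
remote_user=ngdeploy
host_key_checking=true

[privilege_escalation]
become=True
become_method=sudo
become_user=root
"""


def audit(cfg_text):
    """Return a list of findings for the given ansible.cfg content."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    findings = []

    # Ansible verifies SSH host keys unless this option switches it off.
    if not cfg.getboolean("defaults", "host_key_checking", fallback=True):
        findings.append(
            "host_key_checking disabled: any host key is accepted, so a "
            "substituted or intercepted host goes unnoticed")

    user = cfg.get("defaults", "remote_user", fallback=None)
    become = cfg.getboolean("privilege_escalation", "become", fallback=False)
    if user == "root":
        findings.append(
            "remote_user=root: direct root SSH, no per-user sudo audit log")
    elif not become:
        findings.append(
            "non-root remote_user without become: tasks will not run as root")
    return findings


if __name__ == "__main__":
    for label, text in (("shipped", SHIPPED), ("hardened", HARDENED)):
        results = audit(text)
        print(label, "->", results if results else "no findings")
```

With host key checking enabled, each inventory host's key must already be in the controller's known_hosts file before playbooks run.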

B.3.5.4 Variables
Ansible variables are defined in ./ansible/vars/variables.yml as in the following examples.
# By default the package will be copied from the controller to the
# remote host into the /opt folder. User can change this default behavior
# by updating below variable
package_location: /opt

# Lists all required Installer command line options. -DCLOUD=true -DMIN_CHECK=true
# -DOS_TYPE=true are the current required options. -silent is
# also required which is already hardcoded in the playbook.
installer_commandline_args: -DCLOUD=true -DMIN_CHECK=true -DOS_TYPE=true

# Force Install - If user wants to re-run the same build. The
# upgrade.yml playbook by default will fail to install the same build. To
# force the same build installation set force_install: true and limit the
# playbook to the group/host you want to target.
# ansible-playbook --limit ng_local_1 ./playbooks/upgrade.yml
force_install: false

# Installation directory
netscout_home: /opt/NetScout

# Installer file name.
package_name: nG1-6320-*-lin.bin

B.3.5.4.1 REST API Variables

Variables for authentication of REST API calls are stored in ./ansible/vars/rest-auth.yml. By
default, REST calls will be authenticated using Basic Authentication with the default administrator
username and password stored in plain text in this file. The following playbooks can be used to
change the authentication used:
• set-rest-basic-auth.yml - can be used to set the username and password used for REST API
authentication. The password will be stored as an encrypted value using Ansible Vault.
• get-user-rest-key.yml - can be used to retrieve a user key to be used for REST API
authentication. The user key will be stored as an encrypted value using Ansible Vault.

When executing these playbooks, the user will be prompted to enter an Ansible Vault password
to be used when storing the encrypted value. After the encrypted value is stored to the variables
file, the Ansible Vault password will be needed when executing playbooks that make REST API
calls. The "--ask-vault-pass" option can be specified when running the ansible-playbook
command to cause the user to be prompted for the Ansible Vault password that was used when
storing the encrypted values. Please see the Ansible documentation for other options for
supplying the Ansible Vault password.

Here is an example of adding the --ask-vault-pass option to playbook execution:


$ ansible-playbook playbooks/add_user.yml --extra-vars "hostname=1.2.3.4
host_port=8443" --ask-vault-pass
Vault password:
...
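
To confirm that ./ansible/vars/rest-auth.yml no longer holds a plain-text credential after running either playbook, the file can be checked for Ansible Vault inline-encrypted values. The following Python check is an added example, not part of the NETSCOUT playbooks; the variable names rest_username and rest_password and both sample files are constructed, because the guide does not list the keys used in rest-auth.yml.

```python
import re
import sys

# First line of every Ansible Vault payload, e.g. $ANSIBLE_VAULT;1.1;AES256
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;\d+\.\d+;AES256(;\S+)?$")
# Variable names treated as secrets (assumption: the guide does not name the keys).
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|key", re.IGNORECASE)
TOP_LEVEL = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*)$")

# Constructed sample: default state, password stored in plain text.
SAMPLE_DEFAULT = """\
# constructed sample
rest_username: administrator
rest_password: ChangeMe-Example
"""

# Constructed sample: state after the password was stored with Ansible Vault.
SAMPLE_VAULTED = """\
# constructed sample
rest_username: administrator
rest_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          6162636465666768696a6b6c6d6e6f707172737475767778797a303132333435
"""


def audit_vars_file(text):
    """Return {variable: status} for secret-looking top-level variables.

    status is 'vault', 'plaintext', 'empty' or 'invalid-vault'. A file that
    was encrypted as a whole with ansible-vault yields {'<file>': 'vault'}.
    """
    lines = text.splitlines()
    first = next((line.strip() for line in lines if line.strip()), "")
    if VAULT_HEADER.match(first):
        return {"<file>": "vault"}

    findings = {}
    i = 0
    while i < len(lines):
        match = TOP_LEVEL.match(lines[i])
        i += 1
        if not match:
            continue
        name = match.group(1)
        value = match.group(2).split(" #")[0].strip()
        if not SECRET_NAME.search(name):
            continue
        if value.startswith("!vault"):
            # The payload is an indented block; its first non-empty line
            # must be the vault header.
            while i < len(lines) and not lines[i].strip():
                i += 1
            indented = i < len(lines) and lines[i][:1].isspace()
            header = lines[i].strip() if indented else ""
            findings[name] = "vault" if VAULT_HEADER.match(header) else "invalid-vault"
        elif value.strip("'\"") == "":
            findings[name] = "empty"
        else:
            findings[name] = "plaintext"
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "./ansible/vars/rest-auth.yml"
    with open(path, encoding="utf-8") as handle:
        report = audit_vars_file(handle.read())
    for name, status in report.items():
        print(f"{name}: {status}")
    # Non-zero exit when any secret-looking variable is not vault-encrypted.
    sys.exit(1 if any(status != "vault" for status in report.values()) else 0)
```

The non-zero exit status lets the check gate a pipeline step before any playbook that makes REST API calls is run.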

B.3.5.5 Package
The Ansible package folder is in ./ansible/packages.  Place your pm or nG1 bin file in this folder.

If you have not upgraded in some time, you may need one or more upgrade hops to reach the
final version. In that case, place all necessary packages in this folder, because all of its
contents are copied to the remote hosts.


B.3.6 Ansible Playbooks


Ansible playbooks are collections of tasks executed on remote hosts.  The following playbook
sections describe all playbooks supported for nGeniusONE, Performance Manager, and nGenius
Configuration Manager:
- start.yml
- stop.yml
- install.yml
- deploy.yml
- upgrade.yml
- full_install.yml
- full_upgrade.yml
- REST API Configuration Playbooks

There may be a use case to apply a playbook to one or a set of servers defined in the inventory
file. The following example limits the playbook to all remote hosts under the localserver
group in the inventory file.
$ ansible-playbook --limit localserver <playbook name>

For a full list of inventory wildcard options, see the Ansible documentation.

B.3.6.1 start.yml
The start.yml playbook starts the server given that it is already installed on the provided hosts.
This playbook does nothing if the server is already started.

This playbook passes only when all processes are successfully started or the server is already
started.
# Usage below assumes inventory is defined and ssh access to all hosts is working.
# This will start all hosts in the inventory file defined under
# globalmanager, localserver, standby
$ ansible-playbook ./playbooks/start.yml

B.3.6.2 stop.yml
The stop.yml playbook stops all the servers defined in the inventory file. This playbook does
nothing if the server is already stopped. This playbook fails if there are ngenius processes
running on the host even after running the stop script.


# Usage below assumes inventory is defined and ssh access to all hosts is working.
$ ansible-playbook ./playbooks/stop.yml

B.3.6.3 uninstall.yml
The uninstall.yml playbook uninstalls the nGeniusONE server if all the processes are stopped on
that server. This playbook fails if ngenius processes are still running on that server.

Caution: This playbook removes the <install path>/NetScout folder once the uninstall is
complete. Back up this path beforehand if you need to retain any data from it.

# Usage below assumes inventory is defined and ssh access to all hosts is working.
$ ansible-playbook ./playbooks/uninstall.yml

B.3.6.4 install.yml
The install.yml playbook installs nGeniusONE on all the servers defined in the inventory file. It
determines if nGeniusONE is already installed by checking if the
/var/adm/NetScout/nGeniusReg.properties file exists.

If the file exists, this playbook fails with the message, "nGeniusONE is installed already, please
un-install prior to installing a new build," for the host.

install.yml scans <install path>/NetScout/log/nGeniusONE_Install_<timestamp>.log for errors
and, if any are found, marks the task as failed along with a message to check the file on the
remote host for further details.

It also looks for the following files under the /tmp directory and, if any are found, marks the
task as a failure.

/tmp/missingfileexist.txt
/tmp/no_spaceinvar.txt
/tmp/no_enough_mem.txt
/tmp/no_enough_proc.txt
/tmp/abort_install.log
/tmp/ports_in_use.log

# Usage below assumes inventory is defined and ssh access to all hosts is working.
$ ansible-playbook ./playbooks/install.yml

B.3.6.5 deploy.yml
The deploy.yml playbook transfers one or more package files from the ./ansible/packages/*
folder to each targeted host.  

Define the following property in ./ansible/vars/variables.yml.


package_name: nG1-6320-<build_num>-lin.bin


The default remote host 'copy to' location is /opt, but this is configurable via the
package_location variable defined in ./ansible/vars/variables.yml.
# Usage below assumes inventory is defined and ssh access to all hosts is working.
# This first example will deploy the package to all hosts defined in the inventory file
$ ansible-playbook ./playbooks/deploy.yml

By default the controller uploads the package file to only one host at a time to avoid overloading
the network. Set the maximum number of hosts the package is uploaded to simultaneously with
the throttle_package_upload value defined in ./ansible/vars/variables.yml.
# throttle_package_upload - Limit the number of servers the package file
# will be uploaded to simultaneously.
throttle_package_upload: 1

B.3.6.6 upgrade.yml
The upgrade.yml playbook upgrades an existing nGeniusONE on all the servers defined in the
inventory file. This playbook fails if ngenius processes are still running on that server.

The playbook verifies that the netscout_home defined in variables.yml matches the
PERFMGR_PATH in the /var/adm/NetScout/nGeniusReg.properties file. If they are different, the
task fails on the remote host.

This playbook fails if the installed nGeniusONE version, build, and the current package being
installed are the same. If it is required to install the same build again, the property force_install:
true has to be set in variables.yml.

upgrade.yml scans <install path>/NetScout/log/nGeniusONE_Install_<timestamp>.log for errors
and, if any are found, marks the task as failed along with a message to check the file on the
remote host for further details.

It also looks for the following files under the /tmp directory and, if any are found, marks the
task as a failure.

/tmp/missingfileexist.txt
/tmp/no_spaceinvar.txt
/tmp/no_enough_mem.txt
/tmp/no_enough_proc.txt
/tmp/abort_install.log
/tmp/ports_in_use.log

# Usage below assumes inventory is defined and ssh access to all hosts is working.
$ ansible-playbook ./playbooks/upgrade.yml

B.3.6.7 full_install.yml
Prior sections documented how a user can perform an install step by step.  The full_install.yml
combines all the building blocks into one playbook that executes the following steps that were
covered in more detail in the previous sections:


- stop.yml - Stops the application, assuming it is installed and running; otherwise it does
  nothing and moves to the next step
- uninstall.yml - Uninstalls the application, assuming it is installed; otherwise it does nothing
  and moves to the next step
- deploy.yml - Copies the product packaging to the remote host
- install.yml - Installs the product

Note: This playbook does not call start.yml to start the server. It is expected that the user will
need to apply licenses or properties manually first; therefore, start.yml must be called
manually after full_install.yml.
# Usage below assumes inventory is defined and ssh access to all hosts is working.
$ ansible-playbook ./playbooks/full_install.yml
# Apply licenses or properties manually before start
$ ansible-playbook ./playbooks/start.yml

B.3.6.8 full_upgrade.yml
Prior sections documented how a user can perform an upgrade step by step. The
full_upgrade.yml combines all the building blocks into one playbook that executes the following
steps that were covered in more detail in the previous sections:
- stop.yml - Stops the application, assuming it is installed and running; otherwise it does
  nothing and moves to the next step
- deploy.yml - Copies the product packaging to the remote host
- upgrade.yml - Upgrades the product
- start.yml - Starts the server.
  - It is possible that the customer may have a new license or a property to configure during
    the upgrade. If so, the user can call stop.yml, perform maintenance, and call start.yml after
    the install is completed.
# Usage below assumes inventory is defined and ssh access to all hosts is working.
$ ansible-playbook ./playbooks/full_upgrade.yml
# To apply licenses or properties manually
$ ansible-playbook ./playbooks/stop.yml
# Apply licenses or properties manually and start
$ ansible-playbook ./playbooks/start.yml

B.3.6.9 REST API Configuration Playbooks


Some limited nGeniusONE configuration is supported by this Ansible solution. REST API
authentication is flexible and supports both BASIC AUTH via user name and password, or via a
session key. In each case the user's password or key is encrypted via Ansible Vault. The following
configuration sections describe adding users, devices, and servers.


B.3.6.9.1 get-user-rest-key.yml

The get-user-rest-key.yml playbook configures REST API calls to be authenticated with a user key.
The user key to be used is retrieved using a REST API call using the nGeniusONE username and
password you supply.

The following variables must be defined on the command line when using this playbook:
l hostname - The IP address or hostname of the server from which the user key should be
retrieved.
l host_port - The HTTPS port to use for the REST call to retrieve the user key.

You are prompted for the nGeniusONE username and password to be used when retrieving the
user key, and the username of the user whose key needs to be retrieved.

You are also prompted to enter an Ansible Vault password to be used to encrypt the user key.
The Ansible Vault password is needed later when executing playbooks that make REST API calls.
The username and the encrypted user key are stored in the vars/rest-auth.yml file.

Example: Ansible Vault Password


$ ansible-playbook playbooks/get-user-rest-key.yml --extra-vars "hostname=1.2.3.4 host_port=8443"
Enter the username whose key needs to be retrieved: testuser4
Enter the username to call the REST API: administrator
Enter the password for the above username:
...
TASK [encrypt post response]
************************************************************************
*******************************************************************
New Vault password:
Confirm New Vault password:
...

B.3.6.9.2 set-rest-basic-auth.yml

The set-rest-basic-auth.yml playbook configures REST API calls to be authenticated using Basic
Authentication. You are prompted for the username and password to be used for subsequent
REST API calls.

You will also be prompted to enter an Ansible Vault password to be used to encrypt the
password. The Ansible Vault password will be needed later when executing playbooks that make
REST API calls.

The username and the encrypted password are stored in the vars/rest-auth.yml file. 

Example: set-rest-basic-auth.yml:
$ ansible-playbook playbooks/set-rest-basic-auth.yml
Enter username to be used for REST API calls: administrator
Enter the password to be used for REST API calls:
...
TASK [encrypt password]
************************************************************************
************************************************************************


New Vault password:
Confirm New Vault password:
...

B.3.6.9.3 add-user.yml

The add-user.yml playbook makes a REST API call to add one or more users to nGeniusONE.

Fill out user information in JSON format in the file located at ./json/add_user.json. This file is used
as the request body for the RESTful POST API call. See the nGeniusONE RESTful API guide for the
proper JSON format for adding one or more users.

The following variables must be defined on the command line when using this playbook:
- hostname - The IP address or hostname of the server to which users are being added. This is
  generally the nG1 Global Manager or Standalone server.
- host_port - The HTTPS port to use for the REST call to retrieve the user key.

The vault password must be supplied when using encrypted credentials stored in
vars/rest-auth.yml as set by set-rest-basic-auth.yml or get-user-rest-key.yml. The vault password
must match the new vault password created when set-rest-basic-auth.yml or get-user-rest-key.yml
was executed.

Example: Encrypted Credentials

# Note the --ask-vault-pass parameter below is required if you have chosen to encrypt the REST
# Authentication info via set-rest-basic-auth.yml or get-user-rest-key.yml

$ ansible-playbook playbooks/add_user.yml --extra-vars "hostname=1.2.3.4 host_port=8443" --ask-vault-pass

Vault password:

...

B.3.6.9.4 add-device.yml

The add-device.yml playbook makes a REST API call to add a user to nGeniusONE. 

Information for the user to be added must be filled out in JSON format in the file located at
./json/add_user.json, which will be used as the request body for the RESTful POST API call. See the
nG1 RESTful API guide for the proper JSON format for adding one or more devices.

The following variables must be defined on the command line when using this playbook:
- hostname - The IP address or hostname of the server. This is generally the nG1 Global
  Manager or Standalone server. This is not the local server, which would be defined in
  add_user.json
- host_port - The HTTPS port to use for the REST call to retrieve the user key.

# Note the --ask-vault-pass parameter below is required if you have chosen to encrypt the REST
# Authentication info via set-rest-basic-auth.yml or get-user-rest-key.yml


$ ansible-playbook playbooks/add_device.yml --extra-vars "hostname=1.2.3.4 host_port=8443" --ask-vault-pass

Vault password:

...

B.3.6.9.5 add-server.yml

The add-server.yml playbook will make a REST API call to add a server to the nG1. 

Information for the server to be added must be filled out in JSON format in the file located at
./json/add_server.json, which will be used as the request body for the RESTful POST API call. See
the nG1 RESTful API guide for the proper JSON format for adding one or more servers.

The following variables must be defined on the command line when using this playbook:
- hostname - The IP address or hostname of the server from which the user key should be
  retrieved. In general this is the NG1 Global Manager to which you are adding a server.
- host_port - The HTTPS port to use for the REST call to retrieve the user key.

# Note the --ask-vault-pass parameter below is required if you have chosen to encrypt the REST
# Authentication info via set-rest-basic-auth.yml or get-user-rest-key.yml

$ ansible-playbook playbooks/add_server.yml --extra-vars "hostname=1.2.3.4 host_port=8443" --ask-vault-pass

Vault password:

...

B.4 Splunk Dashboard App


The Splunk NETSCOUT nGeniusONE app enables viewing a summary of security assurance alerts
and notifications from nGeniusONE and nGenius for Flows standalone and non-standalone
servers.

This section describes how to install, configure, and upgrade the Splunk nGeniusONE
application. The Splunk nGeniusONE App supports Splunk v7.2.3 and v8.0.2. Contact your
NETSCOUT Sales Representative for information on obtaining Splunk application files.

See the following sections:

- Configuring nGeniusONE Notification Center Violations
- Installing the Splunk nGeniusONE App on the Splunk Search Head
- Configuring the Launch Point for the nGeniusONE URL
- Configuring the Splunk Forwarder on the Syslog Server
- Configuring Collection on the Splunk Search Head - Receiving Violation Events from
  Notification Center over Port 514


B.4.1 Configuring nGeniusONE Notification Center Violations


To forward Notification Center events from nGeniusONE to your syslog server, you must add this
line to the <nGeniusONE Install>/rtm/bin/serverprivate.properties file:

tpAlarm.syslog.forward.host=<ip_address> or <FQDN>

In Global and Local distributed nGeniusONE deployments, syslog forwarding must be configured
on each Global and Local Server.

Notification Center events use UDP port 514 by default. To change it, use
<ip_address>:<port_number>, where <port_number> is the port to which you want Notification
Center events sent.

B.4.2 Installing the Splunk nGeniusONE App on the Splunk Search Head
Complete these steps to install the Splunk nGeniusONE App on the Splunk Search Head:

1. Download and save these compressed files on your local computer:
   - nGeniusONE.6.3.2.tgz - Defines the dashboard visualization layout.
   - nGeniusONE-TA.6.3.2.tgz - Defines the collection/database fields for parsing of
     nGeniusONE events/logs.
2. In the Splunk application left navigation pane, click the Manage Apps icon. The Apps
page appears.
3. Click Install app from file. The Upload an app page appears.
4. Click Browse to navigate to and select the nGeniusONE.6.3.2.tgz file.
5. Click Upload to upload the nGeniusONE.6.3.2.tgz file. The Restart Required dialog box
appears.
6. Click Restart Later. The Apps page appears.
7. Click Install app from file. The Upload an app page appears.
8. Click Browse to navigate to and select the nGeniusONE-TA.6.3.2.tgz file.
9. Click Upload to upload the nGeniusONE-TA.6.3.2.tgz file. The Restart Required dialog box
appears.
10. Click Restart Now. The "Are you sure you want to restart Splunk?" message appears.
11. Click OK. The "Restarting Splunk Enterprise...Restart in progress. Please wait." message
appears. When the restart process is completed, the Splunk login page appears.
12. Enter your username and password and click Sign In. The Upload page may appear.
13. Click splunk> in the upper left of your Splunk window. The nGeniusONE App is available in
the left pane Apps list.

B.4.3 Configuring the Launch Point for the nGeniusONE URL


Complete these steps to configure and launch the nGeniusONE UI URL:


1. In the Splunk application, click nGeniusONE in the left pane Apps list.
2. Click nGeniusONE in the tool bar. The Default page appears with a text area below the
"Enter and edit navigation menu XML configuration" title.
3. Inside the text area, find this line:
   <a href="/manager/nGeniusONE/data/ui/nav/default?uri=%2FservicesNS%2Fnobody%2FnGeniusONE%2Fdata%2Fui%2Fnav%2Fdefault&amp;action=edit&amp;ns=nGeniusONE">Launch nGeniusONE</a>
4. Replace the found line with this line:
   <a href="https://<nG1_server_ip_address>:8443/">nGeniusONE</a>
   where <nG1_server_ip_address> is the IP address of your nGeniusONE server.
5. Click Save.

B.4.4 Configuring the Splunk Forwarder on the Syslog Server


Complete these steps on the syslog server to configure the Splunk Forwarder, which forwards
data from the syslog server to the Splunk server:

1. Edit the <Splunkforwarder_install_root>/etc/apps/search/local/inputs.conf file to ensure
   that it has these contents:
   [monitor:///var/log/messages]
   disabled = false
   index = main
   sourcetype = netscout:ngeniusone
2. Edit the <Splunkforwarder_install_root>/etc/system/local/inputs.conf file to ensure that it
   has these contents:
   [default]
   host = <forwarder_host_name>
   [monitor:///var/log/messages]
   disabled = 0
   Note: <forwarder_host_name> = syslog server IP address or FQDN
3. Edit the <Splunkforwarder_install_root>/etc/system/local/outputs.conf file to add the IP
   address of the server containing the Splunk Search Head:
   [tcpout:default-autolb-group]
   disabled = false
   server = <Splunk_Search_Head_server_ip_address>:9997
   [tcpout-server:<Splunk_Search_Head_server_ip_address>:9997]
   Note: <Splunk_Search_Head_server_ip_address> = Splunk Search Head server IP address
4. Ensure your edited files are saved. Your configurations on the syslog server are complete.
5. Execute this command to restart the forwarder:
   <Splunkforwarder_install_root>/bin/splunk restart

Verify these port settings on the syslog server:


- The syslog server is listening on UDP port 514 (so it can process nGeniusONE events).
- The firewall on the syslog server allows UDP port 514 (so it can receive nGeniusONE
  events).

B.4.5 Configuring Collection on the Splunk Search Head - Receiving Violation Events from Notification Center over Port 514
Complete these steps to configure the receiving of Notification Center violations over port 514.

If you specifically configured a port other than 514 for violation events (see B.4.1 Configuring
nGeniusONE Notification Center Violations), ensure you use this procedure to configure that
port instead of port 514.

1. Open the Splunk App and use the tool bar options to navigate to Settings > DATA > Data
Inputs. The Data inputs page appears.
2. Click UDP in the Local inputs list. The UDP page appears.

Note: If UDP port 1514 exists in the UDP port list, use the associated Status column and click
Disable for port 1514.

Note: If UDP port 514 exists and has netscout:ngeniusone as the Source type, this
configuration procedure is not needed; do not continue this procedure.

3. Choose one of these options:
   - If the UDP Port column contains port 1514, go to Step 10.
   - If the UDP Port column does not contain port 514, go to Step 4.
4. Click New Local UDP. The Add Data > Select Source page appears.
5. Click UDP and enter 514 in the Port field.
6. Click Next to access the Input Settings page.
7. Enter netscout:nsa in the Select Source Type field.
8. Click Review to review your UDP port addition.
9. Click Submit to complete your UDP port addition; go to Step 12.
10. In the UDP page, for port 1514 (with netscout:ngeniusone as the Source type), click Clone
    in the Actions column for that entry.
11. Enter the information in bold for the fields:
    - UDP port: 514
    - Source name override: netscout:ngeniusone
12. Execute this command to restart the Splunk App:
    <Splunkforwarder_install_root>/bin/splunk restart

C Ports
Use this reference chapter to assist in planning and troubleshooting your deployment.
- Port Requirements: This section provides a table of ports required for operation of an
  nGeniusONE server deployment.
- Network Port Topology: This page is a diagram illustrating the required ports and optional
  ports, and may be useful for firewall planning.

Procedures for modifying the HTTP/S ports are provided separately in:
- For Client<->Server and Server<->Server: websecure
- For Server<->Data Source: Modifying Server to Data Source Communication Port

C.1 Port Requirements


Required ports for the server are enabled, by default. Depending on your deployment, additional
ports may need to be opened in any firewalls between the server and the needed service. To
assist in firewall and security planning, this section describes the ports used for communication
to and from the server and assorted systems in your deployment (data sources, authentication
servers, time servers, and so on). This section also lists ports used internally to the server. While
visible when using netstat, those ports must not be disabled since they are used for interprocess
communications.

Important: Some ports are pre-configured in the server's iptables file. Others are used
dynamically and are not explicitly configured in iptables. HTTP/S is used for most
communications in the deployment and that port can be customized (see the links below).
NETSCOUT recommends you not modify or disable any other ports unless guided by
Customer Support.
- For Client<->Server and Server<->Server: websecure
- For Server<->Data Source: Modifying Server to Data Source Communication Port

C.1.1 Required / Core Ports


The following ports are required to be open in any firewall between the indicated system (clients
for SSH and web access, for example), and the server or data sources.

Note: Older software versions used any one of 80, 443, 8080, or 8443 for HTTP/S
communications. However, recent server releases are configured to use either 8080 or 8443.


| Ports | Transport | Traffic | Purpose | Server | Data Source |
|---|---|---|---|---|---|
| NA | IP | ICMP | Receipt of status from associated devices and child servers | • | • |
| 22 | TCP / UDP | SSH | Administrative command line access for management of servers and/or data sources | • | • |
| 8080, 8443 | TCP | HTTP/S | Web access to nGeniusONE UI for users and administrators; transport / communication between servers in a clustered configuration. See below for software update ports. | • | N/A |
| 8080, 8443 | TCP | HTTP/S | This port is listened to by the data source's procmanager process. It is used for communication and data transport between servers and data source. Although this is HTTP/S, this port can be configured to a different value than that used by client:server and server:server. Modifying this port requires steps on both the server and the data sources in the deployment. See below for software update ports. | N/A | • |
| TRAPS | | | | | |
| 161 | TCP / UDP | SNMP | Data source receives MIB polling requests from server on this port. | N/A | • |
| 162 | UDP | SNMP | Server receives trap information from the data sources on this port. Use of power alarms requires 395 be disabled for traps. | • | N/A |
| 395 | UDP | NETCP | Server receives power alarms and custom data on this port. On data source needs to be open for server acknowledgment of alarm. | • | • |


| Ports | Transport | Traffic | Purpose | Server | Data Source |
|---|---|---|---|---|---|
| REMOTE SOFTWARE UPDATES | | | | | |
| 443 | TCP | HTTP | This port must be open in the firewall between the server and https://my.NETSCOUT.com to support receipt of software and/or decode pack updates. This is an optional method of auto-downloading software to support remote upgrades over the port below. Manual download/staging is supported. | N/A | N/A |
| 8080 / 8443 | TCP | HTTP/S | Server transmit software to servers and data sources. Modifying this port requires steps on both the server and the data sources in the deployment. | • | • |

C.1.2 Required Client Console Ports


Use the following table as a guide for which ports to leave open for access from client
applications.

| Ports | Transport | Traffic | Purpose | Server | Data Source |
|---|---|---|---|---|---|
| 22 | TCP / UDP | SSH | Client access for management of servers and/or data sources | • | • |
| 8080, 8443 | TCP | HTTP/S | Web GUI access for nGeniusONE and related products | • | N/A |
| 8080, 8443 | TCP | | Deployments integrated with nGenius Subscriber Intelligence use this port for two purposes: drilldowns from nGeniusONE or nGenius Session Analyzer to launch nGenius Subscriber Intelligence; transport of data and ASRs directly from the data source to the nGenius Subscriber Intelligence Console | • | • |
| 4242 | TCP | | Deployments using the legacy InfiniStream Console for data mining and administration of data sources require this port open on the data source | N/A | • |


C.1.3 Optional IPMI / Remote Management Ports


Hardware-based servers and data sources shipped from NETSCOUT include remote
management modules (RMM). These support client/server access for administration and
through a web server hosted in firmware.
- For servers based on the Dell PowerEdge platform, the iDRAC module requires ports as
  indicated below. The specific ports may vary based on the iDRAC version in your specific
  server model. Also listed are ports used by other Dell tools, such as OMSA and DSET.
- For purpose-built appliances, the ports used by the IPMI module are also listed below.
  More details on working with IPMI are available in the documentation for the specific data
  source.

C.1.3.1 Dell / OMSA / DRAC


| Port | Traffic/Purpose |
|---|---|
| Listen ports: | |
| 22 | SSH |
| 23 | Telnet |
| 80 / 443 | HTTP/S |
| 161 (UDP) | SNMP |
| 634 | RMCP/RMCP+ |
| 1311 | Dell OpenManage |
| 5900 | vConsole/vMedia |
| 5901 | VNC |
| iDRAC outbound as a client: | |
| 25 | SMTP |
| 53 (UDP) | DNS |
| 68 (UDP) | DHCP |
| 69 | TFTP |
| 162 (UDP) | SNMP |
| 636 | LDAPS |
| 2049 | NFS |
| 3269 | LDAPS for global catalog |

C.1.3.2 IPMI
| Port | Traffic/Purpose |
|---|---|
| 22 | SMASH via SSH |
| 80 / 443 | HTTP/S |
| 623 (UDP) | IPMI / Virtual Media |
| 901 (UDP) | Video |
| 5120 | Virtual ISO or CD-ROM redirection |
| 5123 | Virtual floppy redirection |
| 5900 | Remote Console |
| 8889 | WS-Management |


C.1.4 Optional External Authentication Servers


NETSCOUT products use local authentication by default. Use the table below for reference, when
your deployment is configured to use an external service for authentication. Note that data
sources support external authentication using the managing nGeniusONE server as the
authentication server proxy. The authentication requests from the data source to server occur
over the HTTP/S port that the server uses already to communicate with the data source (see
required ports above). Detailed configuration steps for setting up your data source to use
external authentication are provided in InfiniStream Hardware Appliance Administrator Guide.

| Ports | Purpose | Server | Data Source |
|---|---|---|---|
| 49, 9540 | Cisco ACS/TACACS/ISE | • | N/A |
| 139, 445 | Active Directory | • | N/A |
| 389, 636 | LDAP, LDAPS | • | N/A |
| 1812, 1813 | RADIUS | • | N/A |
| 44442 | SiteMinder | • | N/A |
| 8080, 8443 | nGeniusONE | • | • |

C.1.5 Optional External Services


For reference, the ports applicable for supported external services are listed below.

| Ports | Traffic | Purpose |
|---|---|---|
| 25 | SMTP | (Servers only) Outgoing mail for alarms/alerts |
| 53 | DNS | Name Service |
| 123 | NTP | Time Service |
| 319, 320 | PTP | Time Service |
| 111, 2049 | NFS | NFS |
| 514, 1111 (encrypted) | RCP, SCP | External Syslog |

C.1.6 Required Internal-only / Loopback Ports


The following ports are used for internal purposes and may only be shut down if guided to do so
by Customer Support. The information is provided here for reference and understanding to
assist administrators performing security audits.


Server

| Port | Purpose |
|---|---|
| 111 | rpc - Required for handling remote procedure calls |
| 1099 | rmi - Used for internal lookups |
| 5432 | postgres - Required database processes |
| 6005 | Xvfb - Required for graphical operations |
| 14300 | paservice - Required for certificate handling and packet analysis activities |
| 1901-2074, 6005, 8000-9100 | assorted - Required for internal process communication only |

Data Source

| Port | Purpose |
|---|---|
| 111 | Supports remote procedure calls |
| 1024, 1501 | Supports communication between localconsole utility and nsprobe agent process on data source |
| 1600 | Required for communication between nsprobe and procmanager processes |
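
For the kind of security audit this section mentions, a server's listener list can be compared against the Server column of C.1.1 and the server table in C.1.6. The following Python check is an added example, not a NETSCOUT tool; it assumes input in the format printed by ss -H -tuln, and the sample lines are constructed. The guide gives no transport for the internal-only ports, so they are matched on port number alone.

```python
import ipaddress

# Server-side listeners from C.1.1 (Server column), as (transport, port).
CORE_SERVER = {("tcp", 22), ("udp", 22), ("tcp", 8080), ("tcp", 8443),
               ("udp", 162), ("udp", 395)}
# Internal-only server ports from C.1.6, as inclusive ranges. The guide lists
# no transport for these, so they are matched by port number (assumption).
INTERNAL_SERVER = [(111, 111), (1099, 1099), (5432, 5432), (6005, 6005),
                   (14300, 14300), (1901, 2074), (8000, 9100)]

# Constructed sample of `ss -H -tuln` output.
SAMPLE_SS = """\
tcp   LISTEN 0 128  0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 100  *:8443          *:*
tcp   LISTEN 0 128  127.0.0.1:5432  0.0.0.0:*
tcp   LISTEN 0 50   0.0.0.0:1099    0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:162     0.0.0.0:*
tcp   LISTEN 0 128  [::1]:14300     [::]:*
tcp   LISTEN 0 5    0.0.0.0:3389    0.0.0.0:*
"""


def parse_listener(line):
    """Parse one ss line into (transport, host, port), or None if not a socket line."""
    fields = line.split()
    if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
        return None
    host, _, port = fields[4].rpartition(":")
    if not port.isdigit():
        return None
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
    return fields[0], host, int(port)


def is_loopback(host):
    """True only for literal loopback addresses; wildcards count as exposed."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def classify(transport, host, port):
    # Core ports are checked first: 8080 and 8443 also fall inside the
    # 8000-9100 internal range listed in C.1.6.
    if (transport, port) in CORE_SERVER:
        return "core"
    if any(low <= port <= high for low, high in INTERNAL_SERVER):
        return "internal" if is_loopback(host) else "internal-exposed"
    return "unlisted"


def audit(ss_output):
    """Return [(transport, host, port, verdict)] for every listener found."""
    results = []
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed:
            results.append(parsed + (classify(*parsed),))
    return results


if __name__ == "__main__":
    for transport, host, port, verdict in audit(SAMPLE_SS):
        print(f"{transport:4} {host:>12}:{port:<6} {verdict}")
```

An internal-exposed verdict means an internal-only port is bound to a non-loopback address, so the firewall rules in front of the server are what keep it unreachable; unlisted listeners are not in either table and need their own review.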

C.2 Network Port Topology


The image below illustrates required and optional ports for a minimal deployment.

D Processes
During certain maintenance procedures, you need to stop server processes and verify whether
they are still running before you proceed. Additionally, Customer Support may ask you to verify
certain processes are running, while troubleshooting. This chapter provides a summary of the
specific processes and their purpose, and for which server products they appear.

Use the sections and legend below to identify the processes for the servers in your deployment.
• Server Process Descriptions
• Server Processes by Server Type

D.1 Server Process Descriptions


The table describes the processes that may be running on your server, depending on its licensing
and configuration. For a list of which to expect on different servers, refer to Server Processes by
Server Type.

Abbreviations:

• STA: nGeniusONE Standalone Server
• CLO: nGeniusONE for Cloud; small foot-print virtual server
• SBY: nGeniusONE Standby Server
• NGF: nGenius for Flows
• GM: nGeniusONE Global Manager
• DGM: nGeniusONE Dedicated Global Manager
• NCM: nGenius Configuration Manager
• OCI: Omnis Cyber Investigator
• NSA: nGenius Session Analyzer
• SCS: nGenius Subscriber Cache

PROCESS NAME    DESCRIPTION / NOTES

Core Processes

NGeniusNativeService.exe
    • Starts related nGeniusONE processes for Windows installations
NGeniusService.exe
    • Starts related nGeniusONE processes for Windows installations

NSnGeniusNative
    • Provides support for traps from devices
    • Provides ICMP messaging when checking whether devices are reachable
    • Used when upgrading data sources
NSRemoteAdmin
    • Supports remote server administration (start, stop, upgrade)
    • Detects and attempts to restart failed processes
NSRmiregistry
    • Handles inter-process communication between a server's processes
httpd (Apache.exe on Windows)
    • Supports web client access (multiple instances)
postgres
    • Postgres database engine (multiple instances)
    • Hosts configuration data set
Xvfb
    • Performs graphical operations for charts (Linux only)
    • Runs as root
    Note: This process is always running, even after a stop
nspmhwmon
    • Pretests for hardware type, then runs Linux nshwmon
    • Runs as root
dengine
    • Supports decoding trace files (multiple instances)
paservice
    • Handles data mining and decode operational requests
    • Supports synchronization of certificates for SSL encrypted packets to Standby servers, or on demand for decode operations

Analytic / Logging Processes

NSNG1Content
    • Handles configuration of and requests for authentication/authorization
    • Supports client-server communication
    • Supports service configuration
    • Updates server map tables
    • Supports user management
    • Supports synchronization of decode engine files
    • Retrieves and prepares data for display in console modules
NSWebxContent
    • Displays real-time data in reports
    • Manages automatic relearning of devices
    • Used to store configuration data for devices and servers
    • Presents data to Flex-based modules (legacy application)
NSASI2xCatchupL
    • Fills in gaps in data
    • Polls directly from data source (similar to NSASI2xLogger but covers longer periods)
NSASI2XLogger
    • Polls and logs for data from ASI tables on data sources
NSHealthLogger
    • Logs platform health for data sources that are enabled to report health
    • Does NOT log server health

NSLogger
    • Polls data and logs link layer statistics for Etherstats MIB
    • Polls and logs MIB-II data on routers and switches
    • Polls and logs Cisco class-based QoS MIB and cisco data source Health
    • Logs alarms to database
NSASI2XSWarehouse
    • Warehouses raw data
    • Creates rollups of data (such as daily, hourly)
NSWebxServiceWa
    • Warehouses data across interfaces for applications, application services and so on
NSAnalytics
    • Manages baselining for anomaly detection for services (as defined in Service Configuration Module) (ASI only)
    • Performs roll-up of Application and QoE data for legacy applications (CDM only)
    • Detects statistical anomalies in data logged to the database (ASI and CDM)
NSASIIndexing
    • Indexing of warehouse tables for core data such as IP address, applications, locations, top level attributes, and so on
    • Does not index composited data, such as defined by service definitions
    • Runs on Standby because copied data must be re-indexed.
NEITomcat
    • Handles ASR requests and correlates the records, if applicable
NSSituation
    • Analyzes data and monitors for situation event thresholds
    • Triggers alarms for situation violations to display in Notification Center
NSUCContent
    • Supports the Unified Communications Server application functionality
    • This process only appears on servers enabled with a UC license
NSWebxReportGen
    • Generates scheduled reports
    • Occurs on DGM to handle cross-deployment reporting

Distributed Server Processes

NSWebxGMAnalyti
    Distributed support specific to analytics (not configuration):
    • Performs rollup replication for data from child servers
    • Runs global analysis for generating Aggregate Analytics alarms
NSWebxGMContent
    • Similar functionality to NSNG1Content, but with support for replicating global data and configurations

Legacy Application Support

NSWebXPresent
    • Prepares data for presentation to legacy application modules
    • Handles client data requests
NSCDMFlowLogger
    • Polls and logs data from data sources configured for CDM
    • Logs flows to the CDM Flow database
NSFlowRollup
    • Creates rollups of conversation data (such as daily, hourly) for use by legacy applications
NSWarehouse
    • Warehouses data for CDM data sets

NSFDSIndexing
    • Creates index files of host addresses for raw conversation flows
    • Runs on Standby because copied data must be re-indexed

Specialized Server Support

Omnis Cyber Investigator
NSArborThreatAn
    • Handles configuration of and requests for authentication/authorization
    • Supports client-server communication
    • Updates Server Map tables
    • Supports user management
    • Retrieves data and prepares for display in console modules, including health

nGenius Session Analyzer
NSNSAContent
    • Hosts the NSA-specific application modules
NSLoadBalancer
    • Load balances user sessions in deployments with Primary/Secondary servers.

nGenius Subscriber Cache
NSSCSContent
    • Hosts the SCS application modules
NSLoadBalancer
    • Load balances user sessions in deployments with Primary/Secondary servers.
NSDigitCache(1-N)
    • Processes to create and manage queries for cached session data


D.2 Windows Services


nGeniusONE-based Windows server installations require the Windows services in the following
table during startup. Follow these steps to access and verify Windows services.

1. Go to Control Panel > All Control Panel Items > Administrative Tools > Services
2. Confirm that all nGeniusONE Windows services are registered correctly.
Table D.1 - nGeniusONE Windows Services

Windows Service Name    Startup Type    Notes

NGeniusNative, NGeniusServer, NSApache
    Startup Type: Automatic
    Notes: If not set to Automatic, double-click the service and select Automatic from the General tab Startup type menu.
NSPostgreSQL
    Startup Type: Manual
    Notes: Started and stopped by NGeniusServer service and other utilities such as EA_set_default and dbreload when needed.

D.3 Server Processes by Server Type


The table below lists the processes that may be running on your server, depending on its
licensing and configuration. For more details on these processes, refer to Server Process
Descriptions.

Abbreviations:

• STA: nGeniusONE Standalone Server
• CLO: nGeniusONE for Cloud; small foot-print virtual server
• SBY: nGeniusONE Standby Server
• NGF: nGenius for Flows
• GM: nGeniusONE Global Manager
• DGM: nGeniusONE Dedicated Global Manager
• NCM: nGenius Configuration Manager
• OCI: Omnis Cyber Investigator
• NSA: nGenius Session Analyzer
• SCS: nGenius Subscriber Cache

PROCESS NAME STA CLO SBY NGF GM DGM NCM SCI NSA SCS
Core Processes
NGeniusNativeService.exe (Windows only) • • • • •
NGeniusService.exe (Windows only) • • • • •
NSnGeniusNative • • • • • • • • •

NSRemoteAdmin • • • • • • • • • •
NSRmiregistry • • • • • • • • • •
httpd (Apache.exe on Windows) • • • • • • • • • •
postgres • • • • • • • • • •
Xvfb  • • • • • • • • • •
nspmhwmon • • • • • • • • •
dengine • • • • • • • •
paservice • • • • • • • • • •
Analytic / Logging Processes
NSNG1Content • • • • • • • • •
NSWebxContent • • • • • • • • • •
NSASI2xCatchupL • • • • •
NSASI2XLogger • • • • •
NSHealthLogger • • • • • •
NSLogger • • • •
NSASI2XSWarehouse • • • • • • • •
NSWebxServiceWa • • • • •
NSAnalytics • • • • •
NSASIIndexing • • • • • • •
NEITomcat   • • • • • • •
NSSituation • • • • •
NSUCContent • • • • • •
NSWebxReportGen • • • • •
Distributed Server Processes
Present only when the server is licensed accordingly.
NSWebxGMAnalyti • • • • •
NSWebxGMContent • • • • • • • •
Legacy Application Support
Applicable only for deployments configured to support CDM flows.
NSWebXPresent • • • • •
NSCDMFlowLogger • • •
NSFlowRollup • • • •
NSWarehouse • • • •
NSFDSIndexing • • • • •
Specialized Server Support
Applicable only for the indicated servers.
NSArborThreatAn •
NSNSAContent •
NSLoadBalancer • •

NSSCSContent •
NSDigitCache(1-N) •

E Properties Files
The following sections describe server property files used to configure various server settings
and product features:
• Modifying the client.properties File
• Modifying the serverprivate.properties File
• Modifying the serverpublic.properties File
• Modifying the umcclient.properties File
• Procedures using Property Files

E.1 Modifying the client.properties File


This topic describes parameters that can be configured in the above file. After you make changes
in and exit this file, the changes take effect according to the restart requirement specified below.
In some cases, use of a parameter requires configuration in more than one property file. Where
applicable, a link is provided to a related topic pertaining to customization of that feature.

Note: In many cases, parameters have a default that is applied internally even when not present
in the property file. Removing a parameter from a file has the effect of setting it to the default.

File Location: <nGeniusONE install>/rtm/html/client.properties

Restart requirement: Certain parameters require only a client logout; others require a server
process restart.

Scope: Settings in this file apply to the current nGeniusONE modules and also legacy modules
such as nGenius Performance Manager.


Parameter    Description    Default / Syntax

Description for the rtm.user.password.* parameters listed here: Modifications to these parameters must be done in more than one file. Refer to the following for more guidance: Managing Passwords.

rtm.user.password.minimumlength
    Default / Syntax: 16
rtm.user.password.enforce.AlphaNumericValidation
    Default / Syntax: true
rtm.user.password.enforce.AlphaNumericValidation.minimum.number
    Default / Syntax: 1
rtm.user.password.enforce.AlphaNumericValidation.minimum.lowercase
    Default / Syntax: 1
rtm.user.password.enforce.AlphaNumericValidation.minimum.uppercase
    Default / Syntax: 1
rtm.user.password.enforce.SpecialCharacterValidation
    Default / Syntax: true
rtm.user.password.enforce.SpecialCharacterValidation.minimum.specialCharacter
    Default / Syntax: 1
rtm.user.password.enforce.consecutiveCharacter.maximum
    Default / Syntax: 2
rtm.user.password.enforce.repeatCharacter.maximum
    Default / Syntax: 2
rtm.user.password.enforce.CaseSensitiveValidation
    Default / Syntax: true

avs.viewtype
    Description: Advanced Voice Statistics Monitor can be toggled to present results in different modes.
        v0: Displays SIP for all transport (SIP, SIP_T(CP), SIP_SCTP), as SIP
        v2: Displays rows for SIP transport
    Default / Syntax: v0
console.useractivity.timeout
    Description: Set the number of minutes after which a user display is prompted and logged out due to inactivity.
    Default / Syntax: 15
deviceConfig.UUID.enable=
    Description: Enables or disables (default) visibility of:
        • UUID column and associated data in Device Configuration > Devices listing page.
        • UUID entry field in Device Configuration > Devices > Modify Device page.
        • UUID and associated data in Deployment > Activity Logs.
    Default / Syntax: false

deviceutil.slicesize=<value>
    Description: Manually add this property to the file to change the default slice size in Global Settings. If you modify this parameter, also modify the same in the following:
        • serverprivate.properties
        • globalmanager.properties
    Default / Syntax: 128
grid.view.max=<value>
    Description: Add this property to set the maximum allowed number of views in a Grid.
    Default / Syntax: 10
grid.override.filtercount=<value>
    Description: Add this property to allow selection of up to 20 MEs for all Grid views (except Change Management).
    Default / Syntax: false
launch.OptiViewtracedownloader.enabled
    Description: Set to true to enable display of the Optiview module on the nGeniusONE console.
    Default / Syntax: false
monitor.chart.smalllinemarkers=
    Description: Set to true to enable small markers when more than 12 data points are showing. Set to false to keep all markers at the regular size, no matter how many are showing.
    Default / Syntax: true
serviceManager.userAccount.userInactivityPeriod
    Description: Manually add to the file to modify the inactivity period. Time is in days. This value must also be updated in serverprivate.properties.
    Default / Syntax: 30
si.server.ipaddress
    Description: IP address of the nGenius Subscriber Intelligence server to which drilldowns are desired.
    Default / Syntax: <ipaddress>
si.server.port
    Description: Port number that the above nGenius Subscriber Intelligence server is listening on.
    Default / Syntax: 443

si.useserveraddressfromflows
    Description: On drilldown to nGenius Subscriber Intelligence from the All Flows view or handset views that pass "Node IP" in context, the Server IP address is included by default in the contextual data passed to Subscriber Intelligence. If you prefer to pass the Client IP address, set this property to false.
    Default / Syntax: true
siteminder.Authentication.enabled
    Description: Additional steps are required. Refer to SiteMinder
    Default / Syntax: true
uc.callsearch.row.links
    Description: In UC Call Search, enable launch of Session Analysis tab by clicking user/extension value. Also see Modifying the vvmserver.properties File
    Default / Syntax: true
userList.show.npViewer
    Description: When set to true, enables the npviewer user account.
    Default / Syntax: false
webserverport
    Description: Do not manually modify:
        • websecure
        • Modifying Server to Data Source Communication Port
    Default / Syntax: Fresh install: 8443. Upgrade from pre-6.3.1 release: previous value
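
The E.1 note that a removed parameter falls back to its default, and the requirement that some values match in serverprivate.properties, can be checked mechanically. The following added example (not part of the NETSCOUT guide) parses both files, applies the documented defaults, and reports password and timeout settings weaker than those defaults plus any cross-file mismatch. The sample file contents and function names are constructed, and treating a larger `maximum` value as weaker is an assumption.

```python
"""Audit client.properties against the defaults listed in section E.1."""
import re

P = "rtm.user.password."
# key -> (documented default, direction in which a value is weaker)
POLICY = {
    P + "minimumlength": ("16", "min"),
    P + "enforce.AlphaNumericValidation": ("true", "bool"),
    P + "enforce.AlphaNumericValidation.minimum.number": ("1", "min"),
    P + "enforce.AlphaNumericValidation.minimum.lowercase": ("1", "min"),
    P + "enforce.AlphaNumericValidation.minimum.uppercase": ("1", "min"),
    P + "enforce.SpecialCharacterValidation": ("true", "bool"),
    P + "enforce.SpecialCharacterValidation.minimum.specialCharacter": ("1", "min"),
    # Assumption: a larger maximum permits longer runs, so it is weaker.
    P + "enforce.consecutiveCharacter.maximum": ("2", "max"),
    P + "enforce.repeatCharacter.maximum": ("2", "max"),
    P + "enforce.CaseSensitiveValidation": ("true", "bool"),
    # Inactivity timeout in minutes; a longer timeout is weaker.
    "console.useractivity.timeout": ("15", "max"),
}
# Keys that E.1 says must carry the same value in serverprivate.properties.
SYNCED = {
    "serviceManager.userAccount.userInactivityPeriod": "30",
    "deviceutil.slicesize": "128",
}

# Constructed sample files (raw strings keep the continuation backslash).
SAMPLE_CLIENT = r"""
# constructed sample of client.properties
rtm.user.password.minimumlength=8
rtm.user.password.enforce.\
    SpecialCharacterValidation = false
rtm.user.password.enforce.repeatCharacter.maximum: 4
console.useractivity.timeout=15
serviceManager.userAccount.userInactivityPeriod=90
"""
SAMPLE_SERVER = r"""
# constructed sample of serverprivate.properties
deviceutil.slicesize=128
"""


def parse_properties(text):
    """Parse Java .properties text: comments, '=', ':' and continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue  # blank line or comment
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending += line[:-1]  # joined with the next physical line
            continue
        line, pending = pending + line, ""
        match = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
        else:
            props[line] = ""  # key with no separator or value
    return props


def audit_policy(client):
    """Return (key, effective value, reason) for weaker-than-default keys."""
    findings = []
    for key, (default, kind) in POLICY.items():
        value = client.get(key, default)  # a missing key means the default
        if kind == "bool":
            weaker = value.lower() != "true"
        else:
            try:
                number = int(value)
            except ValueError:
                findings.append((key, value, "not a number"))
                continue
            limit = int(default)
            weaker = number < limit if kind == "min" else number > limit
        if weaker:
            findings.append((key, value, "weaker than default " + default))
    return findings


def audit_sync(client, server):
    """Return (key, client value, server value) where the files disagree."""
    return [
        (key, client.get(key, default), server.get(key, default))
        for key, default in SYNCED.items()
        if client.get(key, default) != server.get(key, default)
    ]


if __name__ == "__main__":
    client = parse_properties(SAMPLE_CLIENT)
    server = parse_properties(SAMPLE_SERVER)
    for finding in audit_policy(client) + audit_sync(client, server):
        print(finding)
```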

E.2 Modifying the serverprivate.properties File


This topic describes parameters that can be configured in the above file. After you make changes
in and exit this file, the changes take effect according to the restart requirement specified below.
In some cases, use of a parameter requires configuration in more than one property file. Where
applicable, a link is provided to a related topic pertaining to customization of that feature.

Note: In many cases, parameters have a default that is applied internally even when not present
in the property file. Removing a parameter from a file has the effect of setting it to the default.

Location <NETSCOUT install>/rtm/bin/serverprivate.properties

Restart requirement: Server processes

Scope: Settings in this file apply to the current modules and also legacy modules.

Replication requirement:


• Certain parameters in this file must be replicated to other configuration files on the same
server. This can be automated with the nGConfigSync.sh / nGConfigSync.bat file. That script
only modifies the local server; see the note below.
• Changes made in this property file are not replicated to child servers in the cluster. You
must manually replicate changes here to all child servers in the cluster except to the
Standby Server, to which changes are replicated automatically.

Parameter    Description    Default / Syntax

Authentication & Security Parameters

ldap.enable.samaccountname.attr.login
    Description: Enables SAM.
    Default / Syntax: false
ldap.tls.enable
    Description: Enable TLS 1.2 for LDAP.
    Default / Syntax: false
ldap.users.common.domain=<domain_name>
    Description: Enables a SAM domain name.
    Default / Syntax: Domain example: acme
ldap.user.principalclass.name=sAMAccountName
    Description: Enables a sAM Account Name.
    Default / Syntax: Account name example: samjones
smuserheader
    Description: Additional steps are required. Refer to SiteMinder
    Default / Syntax: EIN
smgroupheader
    Description: Additional steps are required. Refer to SiteMinder
    Default / Syntax: Groups
serviceManager.userAccount.inactivitySchedulablefrequency
    Description: Manually add to the file to modify the frequency with which inactivity is checked.
    Default / Syntax: 1440
serviceManager.userAccount.lockupPeriod
    Description: Sets the length of time, in seconds, user account is locked from logging in from the same client machine after a specified number of unsuccessful password entries. The specified number of unsuccessful entries is set by the serviceManager.userAccount.maxLoginAttempts parameter.
    Note: This parameter is not activated unless the serviceManager.userAccountLockup.enabled is set to true
    Default / Syntax: 1800
serviceManager.userAccount.maxLoginAttempts
    Description: Sets the number of unsuccessful entries of the password on logging in before the user account is locked for logging in from the same client machine. The above parameter sets the interval before the account is unlocked.
    Note: This parameter is not activated unless the serviceManager.userAccountLockup.enabled is set to true
    Default / Syntax: 6

serviceManager.userAccount.userInactivityPeriod
    Description: Manually add to the file to modify the inactivity period. Time is in days. This value must also be updated in client.properties.
    Default / Syntax: 30
serviceManager.userAccountLockup.enabled
    Description: Manually add to the file to enable/disable the feature that locks a user account from login from the client machine on which a user has unsuccessfully attempted to enter the password. By default, this feature is enabled. If enabled, the related parameters determine the number of unsuccessful attempts that trigger the account being locked (for the same client machine), and the length of time the account is locked.
    Default / Syntax: true
session.aliveinterval
    Description: A user is assumed to be logged out if the time difference between the current time and the last time that it sent an "alive" message is greater than the time specified against this key (in minutes).
    Default / Syntax: 10
tacacs.plus.remote.local.address.set
    Description: Use these options to populate the rem_addr field with the following IP address types:
        • client - client's IP address.
        • true or server - nGeniusONE server's IP address.
        • false or loopback - server loopback IP address. This is the default behavior if no property is set or an invalid value is found.
    Default / Syntax: false loopback

Alarm, Traps, Email, Syslog Parameters

alarm.pfs.types
    Description: Enables the display of the following alarms in the Alarm Viewer: Login/Logout, Configuration Changed, Port Status, Packets Dropped, Interface Statistics, Port Utilization, SFP Plugin/Plugout, SFP Temperature, SFP Tx Power, SFP Rx Power
    Default / Syntax: N/A
AlarmEmail.NPNAlarm.EmailAddresses=<emailaddress>
    Description: Manually add this property to the file. When added to the file, this property directs all nPN related alarms including PlatformAlarm, ServerHealthAlarm, DeviceUnreachableAlarm, and DeviceHealthAlarm, to the email addresses specified and only to those addresses; the email addresses configured in the Server Management interface no longer receive nPN alarms. Separate multiple entries using commas.
    Default / Syntax: N/A

alarmEmailService.emailPFSAlarms
    Description: When set to true, this property enables all Packet Flow Switch-related alarms to be delivered by email.
    Default / Syntax: false
alarmforward.trapDestination
    Description: In a Distributed Server environment, you can configure a Local Server to override the alarm destinations defined in Device Manager and send alarms to another server. For example, you might want to configure a local Network node Manager server to receive alarms from a specific Local server.
    To modify this property, add it to the serverprivate.properties file on the affected Local Server:
    alarmforward.trapDestination=<IP Address>
    Specify one address only, in octet format.
    Note: This setting overrides the addresses listed in Device Management for the modified Local Server only.
    Default / Syntax: N/A
AlarmForwarder.arcSightSupport
    Description: To modify this property, add it to the file. When set to true, server based alarms are forwarded to the ArcSight server. Alarm forwarding is based on writing to the syslog on the remote machine where the ArcSight server resides.
    You must also set the following additional properties:
        • syslogHost=xxx.xxx.xxx.xxx (syslog server IP address)
        • alarmForwardService.forwardDeviceAlarms=true
    Refer to ArcSight integration documentation for more information.
    Default / Syntax: false
alarmForwarder.alarmEvidenceTypes
    Description: Customize evidence options for service alerts. Valid settings are comma delimited: router,metric,app,msgname,type,lockey,svcagg,svcname
    Default / Syntax: N/A
AlarmForwarder.communityString
    Description: Manually add to the file to set the SNMP trap packet community string to a value other than Public.
    Default / Syntax: N/A
AlarmForwarder.destinationPort
    Description: Manually add to the file to change the destination port for forwarded alarms. You can add this property when forwarding alarms to a third-party system.
    Default / Syntax: N/A

alarmForwardService.forwardDeviceAlarms
    Description: To modify this property, add it to the file. When set to true, all probe-based alarms are forwarded to third-party devices/software with a context-sensitive URL embedded in the alarm description. Must be set to true to forward alarms to an ArcSight server.
    Note: This setting overrides the Forward Alarm setting in the KPI Variables dialog box. For example, if this property is set to true, and the Forward Alarm setting is deselected (unchecked), alarms are forwarded.
    Default / Syntax: N/A
alarmForwardService.forwardDeviceUnreachableAlarm
    Description: When set to true, the nGeniusONE Server forwards Device Unreachable alarms to third party devices/software.
    Default / Syntax: false
alarmForwardService.forwardPFSAlarms
    Description: When set to true, the nGeniusONE Server forwards Packet Flow Switch alarms to third party device/software.
    Default / Syntax: false
minimum.certificate.validity.in.days
    Description: Enter a positive number to enable the alarms and specify the expiration threshold. See Enabling Certificate Expiration Alarms.
    Default / Syntax: -1
certificate.check.time.HH.In24HrFormat
    Description: Specify the time of day (hour HH, in a 24 hour clock) when the certificate expiration check runs (06 is 6am; 18 is 6pm). See Enabling Certificate Expiration Alarms.
    Default / Syntax: 06
certificate.check.time.MM
    Description: Specify the minutes for the specified hour in certificate.check.time.HH.In24HrFormat when the certificate expiration check runs. See Enabling Certificate Expiration Alarms.
    Default / Syntax: 00
minimum.certificate.alarm.separation.in.days
    Description: Specify the minimum number of days that must elapse between successive uncleared alarms for an associated certificate and server. This setting controls the frequency of alerts for each associated certificate and server. See Enabling Certificate Expiration Alarms.
    Default / Syntax: 7
certificate.expiration.alarm.action.policy.name=alert action name defined in Service Configuration
    Description: Enable additional actions in response to the certificate expiration alarm. First, define an action in Service Configuration and then enter the complete name in this property. (Use backslashes as escape characters for spaces.) See Enabling Certificate Expiration Alarms.
    Default / Syntax: N/A

minimum.certificate.notbefore.in.hours=-1
    Description: Set a positive value to trigger an alarm if a server is using a certificate before its start time. The value set corresponds to the number of hours early that will trigger the alarm.
    Default / Syntax: -1 (not enabled). Units are in hours
forwardAlarm.clearTrapAlarm
    Description: Set to true if you want the system to send a clear-alarm notification when the alert is inactive for 15 minutes.
    Note: You must also enable clear trap notifications (via send.email.notices.for.clear.traps) to receive emails for clear traps.
    Also see Enabling Certificate Expiration Alarms.
    Default / Syntax: false
globalsettings.netscout.trap.port=162
    Description: Manually add to the file to prevent duplicate emails and alarms from being sent when alarm thresholds are crossed. You must also reset the SNMP trap port list.
    Default / Syntax: N/A
HDalarm.1minute
    Description: Manually add to the file and set to false to base virtual interface alarms on 15-minute data rather than 1-minute data.
    In addition, you must add the following property and set it to true: alarmgeneration.HDalarm
    Note: When you configure a 15-minute interval the default interval is 900 seconds (minutes) rather than 60 seconds.
mail.smtp.auth=true
    Description: Manually add this property to the file to enable email delivery across SMTP domains. To authenticate the user add the SMTP Domain based user and password in Server Management Email settings
    Default / Syntax: N/A
send.email.notices.for.clear.traps
    Description: Set to true to control email notifications for clear traps.
    Note: Clear traps themselves have to be enabled as well (via forwardAlarm.clearTrapAlarm=true) to receive emails for clear traps.
    Default / Syntax: true
serverAlarm.ServerAlarmManager.emailSenderAddress
    Description: The email address, optionally entered during installation, of the email sender.
    Default / Syntax: none
serverAlarm.ServerAlarmManager.enabled
    Description: Enables (true) or disables (false) the generation of server alarms.
    Default / Syntax: true
serverAlarm.ServerAlarmManager.interval
    Description: The time interval after which memory utilization and free disk space is checked to generate an alarm. Default is 15 minutes.
    Default / Syntax: 900

serverAlarm.ServerAlarmManager.recipientEmailaddress
    Description: The email address, optionally entered during installation, of the person who receives the alarm notification.
    Default / Syntax: N/A
serverAlarm.ServerAlarmManager.serverAlarmDiskEmergentScript
    Description: The scripts that are executed when a server warning or emergency alarm is generated. The script file should be stored in <nGeniusONE install>/rtm/scripts.
        • Warning: A potential problem exists that requires attention (Default=75%)
        • Emergency: The nGeniusONE Server is forcibly stopped (Default=90%)
    Default / Syntax: diskemergentscript
serverAlarm.ServerAlarmManager.serverAlarmDiskWarningScript
    Description: Script executed when a disk warning alarm is generated
    Default / Syntax: diskwarningscript
serverAlarm.ServerAlarmManager.serverAlarmMemoryEmergentScript
    Description: Script executed when a memory emergency alarm is generated
    Default / Syntax: memoryemergentscript
serverAlarm.ServerAlarmManager.serverAlarmMemoryWarningScript
    Description: Script executed when a disk warning is generated
    Default / Syntax: memorywarningscript
serverAlarm.ServerAlarmManager.smtpHost
    Description: The host name or IP address, optionally entered during installation, of the email server that generates the email messages.
    Default / Syntax: none
serveralarm.ServerDiskAlarm.DiskPercentFullEmergency
    Description: A critical alarm is generated if the defined threshold (percentage) is exceeded.
    Default / Syntax: 90
serveralarm.ServerDiskAlarm.DiskPercentFullWarning
    Description: A warning alarm is generated if the defined threshold (percentage) is exceeded.
    Default / Syntax: 75
serveralarm.ServerMemAlarm.memoryThresholdEmergent
    Description: A critical alarm is generated if the defined threshold (percentage) is exceeded.
    Default / Syntax: 90
serveralarm.ServerMemAlarm.memoryThresholdWarning
    Description: A warning alarm is generated if the defined threshold (percentage) is exceeded.
    Default / Syntax: 75
serveralarm.ServerThreadAlarm.SC-D.ThresholdWarning
    Description: Threshold warning value for the default thread group.
    Default / Syntax: 30
serveralarm.ServerThreadAlarm.SC-DB.ThresholdWarning
    Description: Threshold warning value for the database group.
    Default / Syntax: 30
serverBasedAlarmSNMPVersion
    Description: With a script, this property forwards alarms formatted as SNMPV3 traps using either MD5 or SHA-1 authorization protocols and DES, 3DES, and AES128 privacy protocols.
    Default / Syntax: SNMPV3
situation.analysis.email.recipient.list
    Description: After the property is enabled, recipients receive a single email for any situation that occurs. The email contains a description and a PDF attachment for the situation evidence. See Forwarding Situations
    Default / Syntax: address1,address2, etc.

Automated Failover Parameters

standby.auto.fail.over.enable
    Description: Enable or disable automated failover.
    Default / Syntax: false

standby.auto.fail.over.parent.connectivity.check
    Description: Enable or disable (true/false) the automated failover check that the Parent Local Server is up and synchronized with the Standby Server.
    If the Parent Local Server's connectivity check fails 3 consecutive times and the primary status has synched configuration data with the Standby Server, the control passes to the Standby Server.
    Default / Syntax: true
standby.auto.fail.over.database.query.execute
    Description: Enable or disable (true/false) database query execution on the Primary Local Server.
    The Health Check Light Service (HCLSS) running on the Standby Server checks the availability of the Primary Local Server by sending a database request.
    Default / Syntax: true
standby.auto.fail.over.dbone.query.execution
    Description: Enable or disable (true/false) DBOne query execution of Primary Local Server health for the last 1 hour.
    Default / Syntax: true
standby.auto.fail.over.health.check.schedule.interval
    Description: Configure the Primary Server health check frequency in seconds.
    Default / Syntax: 120
standby.auto.fail.over.local.servers.validation.percentage
    Description: Percentage of Local Servers that report an outage for the Primary Server.
    If the percentage is greater than this property's configured value, the Local Server responds with a negative result for the Primary Server's health check call, which means the Local Servers were not able to reach the Primary Dedicated Global Manager. In this case, the Standby Server will be converted to the Dedicated Primary Global Manager.
    If a percentage less than this property's configured number of Local Servers respond with a negative response, there is no conversion.
    Default / Syntax: 50

General Parameters

createsitesafterassoc
    Description: By default, a Site virtual interface is created only when a physical or flow interface (configured for Site Monitoring) detects network traffic that matches a Site definition.
    Optionally, manually add this property and set to true to configure your system to create all associated Site interfaces immediately following association with the nGeniusONE device, even if no matching traffic exists.
    Default / Syntax: N/A
dashboard.analytics.response.time.in.microsecond
    Description: Change latency from milliseconds to microseconds
    Default / Syntax: true
deviceutil.slicesize=<value>
    Description: Manually add this property to the file to change the default slice size in Global Settings. If you modify this parameter, also modify the same in the following:
        • client.properties
        • globalmanager.properties
    Default / Syntax: 128
enable.proxy.based.routing=true
mcp.proxy.host=<IP Address of proxy server>
mcp.proxy.host.port=<port on the proxy server>
    Description: Configure proxy support for software update packages to be downloaded from a MasterCare account. Refer to "Uploading Software Updates" in the online help.
globalsettings.handset.handsetReplace=true
    Description: Add this property and set to true to enable replacing existing handset IDs with new handset IDs when using the Global Settings UI to import handsets. If the property is not set to true, then new handset IDs are appended after the existing handsets.
    Default / Syntax: false
globalsettings.handsetgroups.maximumModelIdLength
    Default / Syntax: 30
globalsettings.handsetgroups.maximumNameLength
    Default / Syntax: 20
icmpping.enabled
    Description: Enables (true) or disables (false) the ICMP ping.
    Default / Syntax: true
irisOAMhost
    Description: Used on the nGenius CM authentication server to enable display OAM-managed G10s and GeoBlades in nGenius Session Analyzer. Host name with full domain name of the irisOAM server.
    Default / Syntax: irisOAMhost=<server url>, the host name with full domain name of the irisOAM server.
logger.status_message
    Description: Enables logging of status messages. When enabled, these messages also appear in the server's Activity Log module.
    Default / Syntax: OFF

ncmPropertyProbeRefreshMin
Description: Used on the nGenius CM authentication server for displaying G10s and GeoBlades in nGenius Session Analyzer. If probe cache is used, the refresh interval is in minutes. If not configured, the default is 5.
Default / Syntax: 5

ncmPropertyUseProbeCache=true
Description: Used on the nGenius CM authentication server for displaying G10s and GeoBlades in nGenius Session Analyzer when using nGenius CM authentication. Enables whether or not to maintain a probe cache. Values are true or false. If not configured, the default is false.
Default / Syntax: false

ng1.display.errorcodeanddescription=<value>
Description: Manually add this property to the file to configure the way in which you want to display error code information in nGeniusONE; <value> can be:
l 0 — Displays the error description only. For undefined errors, "Error Code: Undefined" is displayed.
l 1 — Displays the error code only.
l 2 — Displays both the error code and the error description. For undefined errors, "Error Code: Undefined" is displayed.
Default / Syntax: 0 — Displays the error description only.

ngreporting.configureYaxis=<value>
Description: Enable the user to select whether a dynamic or static scale is used for the y-axis in reports. This is enabled by default. Set to false to disable.
Default / Syntax: true

pa.customer.filter.location
Description: Location of packet analysis custom filter files.
Default / Syntax: <nGeniusONE install>/rtm/pa/filters

PAHOME
Description: Location where packet analysis filters and data captures are stored.
Default / Syntax: <nGenius install>/rtm/pa

reporting.generateAlarm
Description: Manually add this property to the file and set to false to disable all alarms for reports.

sa.forwardemail.mode=true
Description: Forwards an Email when a Global or Local Server loses its connection with a Local or Global Server, respectively. Associated alerts are displayed in the Notification Center and Server Health module.
Default / Syntax: false

sd.searchdiscover.locationkey.defaulttextcheck.name.skip=true
sd.searchdiscover.locationkey.defaulttextcheck.alias.skip=true
Description: Manually add both properties and set to true to enable Search & Discover to display names and descriptions for sub interfaces (VLAN name/alias) as configured in Device Configuration. When not set, only the VLAN-ID is displayed in Enterprise search results.
Default / Syntax: N/A

sd.searchdiscover.timeoutvalue
Description: Override timeout when conducting long term searches.
Default / Syntax: n

search.discover.enable.networkservice.for.host.search=<value>
Description: Enable to allow searches for hosts, conversations, and locations to return Network Services that the service members belong to.
Default / Syntax: false

server.autoRegister.userHostName
Description: Refer to Configuring the Server to Use a Hostname; two files must be modified to use this parameter.
Default / Syntax: false

situation.analysis.metric.serverResets.enabled=true
Description: Enables Server TCP Resets metric for situations. Default configuration is Critical: 10, Stdev: 2, minTrans: 10.
Default / Syntax: false

ssl.weakVersionCodes=
Description: This property determines which SSL versions are considered weak for the purposes of inclusion in the SSL Versions view in the SSL Summary report. The following table maps the code to use in this property to the SSL version list:

1 FRESH_SSL 1.0
2 FRESH_SSL 2.0
3 FRESH_SSL 3.0
4 FRESH_TLS 1.0
5 FRESH_TLS 1.1
6 FRESH_TLS 1.2
7 FRESH_TLS 1.3
8 RESUMED_SSL 1.0
9 RESUMED_SSL 2.0
10 RESUMED_SSL 3.0
11 RESUMED_TLS 1.0
12 RESUMED_TLS 1.1
13 RESUMED_TLS 1.2
14 RESUMED_TLS 1.3

Default / Syntax: 1,2,3,8,9,10

webserverport
Description: Do not manually modify:
l websecure
l Modifying Server to Data Source Communication Port
Default / Syntax: Fresh install: 8443. Upgrade from pre-6.3.1 release: previous value.

webServicePort
Description: Used on the nGenius CM authentication server to enable display of OAM-managed G10s and GeoBlades in nGenius Session Analyzer. The web service port to the cache service on irisOAM server. If not configured, the default is 11055.
Default / Syntax: 11055

nGenius Session Analyzer / nGenius Subscriber Cache Parameters

Description (all parameters in this group): Refer to: Enabling Access of SpIprobes in nGenius CM Mode

spiAdapterHost
Default / Syntax: <SpIserver IP address>

spiAdapterVersion
Default / Syntax: 2

spiTopologyPollingInterval
Default / Syntax: 3600

spiAdapterPort
Default / Syntax: 9992

spiTopologyPort
Default / Syntax: 9993

spiTopologyPollingInterval
Default / Syntax: 3600
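
The documented default for ssl.weakVersionCodes marks only SSL 1.0 through 3.0 as weak in the SSL Versions view. The following added example (not NETSCOUT code) decodes a configured value with the guide's code table and reports which versions below TLS 1.2 are left out, and which versions are listed for fresh but not resumed sessions. The function names, the constructed sample file content, and the choice of "below TLS 1.2" as the deprecation line are assumptions of the example.

```python
"""Audit ssl.weakVersionCodes against the guide's code table (added example)."""

VERSIONS = ["SSL 1.0", "SSL 2.0", "SSL 3.0",
            "TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"]

# Guide's table: codes 1-7 are FRESH_<version>, codes 8-14 are RESUMED_<version>.
CODE_TABLE = {}
for _i, _v in enumerate(VERSIONS, start=1):
    CODE_TABLE[_i] = ("FRESH", _v)
    CODE_TABLE[_i + len(VERSIONS)] = ("RESUMED", _v)

DEFAULT_CODES = "1,2,3,8,9,10"  # default documented in the guide

# Assumption of this example: every version below TLS 1.2 should be reported
# as weak (TLS 1.0 and TLS 1.1 were formally deprecated by RFC 8996).
DEPRECATED = {"SSL 1.0", "SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"}


def parse_properties(text):
    """Minimal key=value reader; skips blank lines and '#' / '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def weak_codes(props):
    """Return the configured codes, falling back to the documented default."""
    raw = props.get("ssl.weakVersionCodes", DEFAULT_CODES)
    codes = set()
    for token in raw.split(","):
        token = token.strip()
        if not token:
            continue
        if not token.isdigit() or int(token) not in CODE_TABLE:
            raise ValueError("unknown SSL version code: %r" % token)
        codes.add(int(token))
    return sorted(codes)


def label(code):
    """Render a code the way the guide's table names it, e.g. FRESH_TLS 1.0."""
    kind, version = CODE_TABLE[code]
    return "%s_%s" % (kind, version)


def audit(props):
    """Summarise what the setting reports as weak and what it leaves out."""
    codes = set(weak_codes(props))
    missing = sorted(c for c, (_, v) in CODE_TABLE.items()
                     if v in DEPRECATED and c not in codes)
    fresh = {CODE_TABLE[c][1] for c in codes if CODE_TABLE[c][0] == "FRESH"}
    resumed = {CODE_TABLE[c][1] for c in codes if CODE_TABLE[c][0] == "RESUMED"}
    return {
        "weak": [label(c) for c in sorted(codes)],
        "missing_deprecated": [label(c) for c in missing],
        # Versions flagged for only one handshake type: the other type of
        # session with the same version would not appear in the view.
        "one_sided": sorted(fresh ^ resumed, key=VERSIONS.index),
    }


# Constructed sample: TLS 1.0/1.1 added for fresh sessions only.
SAMPLE = """\
# serverprivate.properties (constructed excerpt)
icmpping.enabled=true
ssl.weakVersionCodes=1,2,3,4,5,8,9,10
"""

if __name__ == "__main__":
    for name, props in (("default", {}), ("sample", parse_properties(SAMPLE))):
        print(name, audit(props))
```

Under that assumption, a value of 1,2,3,4,5,8,9,10,11,12 yields an empty missing_deprecated list.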

E.3 Modifying the serverpublic.properties File


This topic describes parameters that can be configured in the above file. After you make changes
in and exit this file, the changes take effect according to the restart requirement specified below.
In some cases, use of a parameter requires configuration in more than one property file. Where
applicable, a link is provided to a related topic pertaining to customization of that feature.

Note: In many cases, parameters have a default that is applied internally even when not present
in the property file. Removing a parameter from a file has the effect of setting it to the default.

File Location: <nGeniusONE install>/rtm/bin/admin/serverpublic.properties

Restart requirement: Server processes

Scope: Settings in this file apply to the current nGeniusONE modules and also legacy modules.

Replication requirement:
l Certain parameters in this file must be replicated to other configuration files on the same
server. This can be automated with the nGConfigSync.sh / nGConfigSync.bat file. That script
only modifies the local server; see note below.
l Changes made in this property file are not replicated to child servers in the cluster. You
must manually replicate changes here to all child servers in the cluster, except standby
(automatic).


Parameter    Default / Syntax    Description

alarmForwardService.forwardDeviceAlarms=true false Forwards SNMP traps to a Global Manager
with a Local or Standalone server.
alarmForward.trapDestination=xxx.xxx.xxx.xxx "" Forwards SNMP traps to a third-party
management platform. More than one
address is allowed in comma-separated
format.
Backup.Aging.sybaseBackupDB 10 (instances) Number of instances of configuration files
(rtm/database/config-backup, stealth.db,
and stealth.log) that are retained. When the
value is exceeded, the oldest instance of
each is deleted.
#devicemanager.snmpprotocol=v1 v2 To force v1, uncomment the property
checkMemoryForClientViews true Enables a system memory check when you
attempt to launch views in the nGeniusONE
Server. If the system memory exceeds either
of two thresholds set
in serverprivate.properties, a warning
displays indicating that the view cannot be
launched.
Note: In a distributed server environment, it
is possible for the view to launch and receive
data from only those Local Servers whose
system memory has not exceeded the
threshold. In this case, the status bar
indicates that a server has reached a
memory threshold. If all Local Servers have
exceeded the threshold when you attempt to
launch a view, the warning displays and the
view is not launched.
debug.level 1 Sets the nGeniusONE Server debug level
written to the debuglog-<day>.txt file.
Levels
l level=0 — No debug outputs
l level=1 — Only important error and
informative messages (recommended
level)
l level=2 — Level one plus some extra
messages from the service frameworks
and services
l level=3 — All debug messages
debug.logfileName debuglog Default sets the file name as debuglog-
<day>.txt.
debug.logtofile true Enables (true) or disables (false) logging
debug messages to the debuglog-<day>.txt
file.



debug.timestamp.format HH:mm:ss Format of the debug timestamp.
Options:
l debug.timestamp.format=HH:mm:ss
(Hours, minutes, seconds)
l debug.timestamp.format=MM/dd 'at'
kk:mm:ss
(Adds month and day)
debug.writethreadname false When true, the thread name is written to the
debug log
DeviceSync.interval 60 Interval in minutes at which devices must be
synchronized with the database
errorlog.level 2 Sets the auto-logging level of xerror
messages written to the xerrorlog-<day>.txt
file.
Error levels
l level=0 — Logs all (low, high, fatal,
xsuccess)
l level=1 — Logs low, high, fatal
l level=2 — Logs high, fatal
l level=3 — Logs fatal
eventlog.level 2 Sets the logging level of system events
written to the eventlog-<day>.txt file.
Levels
l level=0 — Logs all events
l level=1 — Logs only warning events
l level=2 — Logs only fatal events
event.logfilename eventlog Default sets the file name as eventlog-
<day>.txt.
host.groups.other true True (default) — Enables automatic creation
of a Host Group Other group when any of
the Host Group views are launched in the
nGeniusONE Server for a CDM Flow-enabled
probe. The Host Group Other group contains
an aggregated value from all hosts that are
not associated with any other group.
False — The Host Group Other group is not
created when Host Group views are
launched.
memory.logfilename memorylog Default sets the file name as memorylog-
<day>.txt.
memory.logtofile true Enables (true) or disables (false) logging
memory usage to the memorylog-<day>.txt
file.
memorylog.interval 15 Interval in seconds for logging memory
usage in the memorylog-<day>.txt file. Do
not set to less than the default 15 seconds.



netcp.relearn.delay.seconds 60 Interval in seconds for device
synchronization to relearn the probes if the
NETSCOUT control protocol trap is received.
sa.alarms.enable=false N/A Manually add to the file to disable nPN
alarms. You can re-enable alarms by setting
the property to true.
session.scheduleinterval 1 Interval in minutes in which the nGeniusONE
Server checks the state of all logged-in
clients.
statistics.logfileName statisticslog Default sets the file name as statisticslog-
<day>.txt.
statistics.logtofile true Enables (true) or disables (false) logging
statistics messages to the statisticslog-
<day>.txt file.
webserverport
Default / Syntax: Fresh install: 8443. Upgrade from pre-6.3.1 release: previous value.
Description: Do not manually modify:
l websecure
l Modifying Server to Data Source Communication Port
xerror.logfileName xerrorlog Specifies the file name of the xerror log.
Default sets the file name as xerrorlog-
<day>.txt.
xerror.logtofile true Enables (true) or disables (false) logging
xerror exception messages to the xerrorlog-
<day>.txt file.

E.4 Modifying the umcclient.properties File


This topic describes parameters that can be configured in the above file. After you make changes
in and exit this file, the changes take effect according to the restart requirement specified below.
In some cases, use of a parameter requires configuration in more than one property file. Where
applicable, a link is provided to a related topic pertaining to customization of that feature.

Note: In many cases, parameters have a default that is applied internally even when not present
in the property file. Removing a parameter from a file has the effect of setting it to the default.

File Location: <nGeniusONE install>/rtm/html/umcclient.properties

Restart requirement: client logout; server restart is not required

Scope: The properties in this file are primarily applicable to legacy clients such as nGenius
Performance Manager. As of v6.2.2, the nGenius Session Analyzer software uses this file as well.


Parameter Description Default / Syntax


Description (all rtm.user.password.* parameters below): Modifications to these parameters must be done in more than one file. Refer to the following for more guidance: Managing Passwords

rtm.user.password.minimumlength
Default / Syntax: 16

rtm.user.password.enforce.AlphaNumericValidation
Default / Syntax: true

rtm.user.password.enforce.AlphaNumericValidation.minimum.number
Default / Syntax: 1

rtm.user.password.enforce.AlphaNumericValidation.minimum.lowercase
Default / Syntax: 1

rtm.user.password.enforce.AlphaNumericValidation.minimum.uppercase
Default / Syntax: 1

rtm.user.password.enforce.SpecialCharacterValidation
Default / Syntax: true

rtm.user.password.enforce.SpecialCharacterValidation.minimum.specialCharacter
Default / Syntax: 1

rtm.user.password.enforce.consecutiveCharacter.maximum
Default / Syntax: 2

rtm.user.password.enforce.repeatCharacter.maximum
Default / Syntax: 2

rtm.user.password.enforce.CaseSensitiveValidation
Default / Syntax: true

Login Messages

confirmTitle
Default / Syntax: NETSCOUT Security Message

confirmMessage
Default / Syntax: USE OF THIS COMPUTER SYSTEM CONSTITUTES A CONSENT TO MONITORING AT ALL TIMES.

passwordExpireDays
Default / Syntax: Consider changing your password. Your password would expire in numberOfDays day(s).

passwordChanged
Default / Syntax: Password changed successfully, Please login with new password

confirmButtonOk
Default / Syntax: OK

confirmButton
Default / Syntax: Agree

confirmTitle_ja_JP
Default / Syntax: NETSCOUT セキュリティメッセージ

confirmMessage_ja_JP
Default / Syntax: このコンピュータシステムの使用は、常時監視することに同意することになります。

confirmButton_ja_JP
Default / Syntax: OK

passwordExpireDays_ja_JP
Default / Syntax: パスワードを変更してください。パスワード期限はあと numberOfDays 日です。

passwordChanged_ja_JP
Default / Syntax: パスワードを変更しました。新しいパスワードでログインして下さい。

confirmButton_ja_JP
Default / Syntax: 同意

confirmTitle_ko_KR
Default / Syntax: NETSCOUT 보안 메세지



confirmMessage_ko_KR
Default / Syntax: 이 컴퓨터 시스템을 사용하는 모든 시간동안 모니터링을 되는 것에 대해서 동의하는 것으로 간주 됩니다.

confirmButton_ko_KR
Default / Syntax: OK

passwordExpireDays_ko_KR
Default / Syntax: 암호 변경 하는 것을 고려하십시오. 당신의 암호는numberOfDays에 만료됩니다.

passwordChanged_ko_KR
Default / Syntax: 암호가 성공적으로 변경되었습니다, 새로운 암호로 로그인 하십시오.

confirmButton_ko_KR
Default / Syntax: 동의

confirmTitle_zh_CN
Default / Syntax: NETSCOUT 安全消息

confirmMessage_zh_CN
Default / Syntax: 使用这个计算机系统建造一个全时间段监控的规则。

confirmButton_zh_CN
Default / Syntax: OK

passwordExpireDays_zh_CN
Default / Syntax: 请更换密码。你的密码将在 numberOfDays day(s)天后过期。

passwordChanged_zh_CN
Default / Syntax: 密码更换成功,请用新密码登录。

confirmButton_zh_CN
Default / Syntax: 同意

confirmTitle_zh_TW
Default / Syntax: NETSCOUT 安全性訊息

confirmMessage_zh_TW
Default / Syntax: 使用此計算機系統即同意一直監控。

confirmButton_zh_TW
Default / Syntax: OK

passwordExpireDays_zh_TW
Default / Syntax: 考慮更改密碼。您的密碼將在 numberOfDays天後到期。

passwordChanged_zh_TW
Default / Syntax: 密碼更改成功,請使用新密碼登錄

confirmButton_zh_TW
Default / Syntax: 同意

Configuring nGenius Session Analyzer Drilldown from nGeniusONE

nsa_server
Default / Syntax: https://XXX.XX.XX.XX:8443

nsa_scenario_owner
Default / Syntax: admin

nsa_scenario_name
Default / Syntax: All

nsa_prepend_wildcard
Default / Syntax: false

nsa_time_buffer
Default / Syntax: 5000



nsa_searchBy
Description: If not configured, the drill defaults to Active Time by Activity Time.
Default / Syntax: Start Time, End Time, Active Time by Activity Time, Active Time by Monitoring Time

E.5 Modifying the vvmserver.properties File


This topic describes parameters that can be configured in the above file. After you make changes
in and exit this file, the changes take effect according to the restart requirement specified below.
In some cases, use of a parameter requires configuration in more than one property file. Where
applicable, a link is provided to a related topic pertaining to customization of that feature.

Note: In many cases, parameters have a default that is applied internally even when not present
in the property file. Removing a parameter from a file has the effect of setting it to the default.

File Location: <nGeniusONE install>/rtm/bin/vvmserver.properties

Restart requirement: Refresh of the client web browser is optimal for most options; server
restart typically not required for these.

Scope: The settings in this file are applicable primarily to nGenius UC Server modules.

Parameter Description Default/Syntax


audio_export
Description: Enable audio export. Multiple steps are required. Refer to Configuring Export of WAV Files for nGenius UC Server.
Default/Syntax: Not enabled by default. Syntax, when configured according to procedure at left, is:
l ALL: Any phone number or IP Address
l LIST: restrict export to specific numbers

singlecall.conference.legs.max
Description: Override the maximum number of conference call legs (separate from call legs) that can be mined/displayed in the Single Call view. Integer values between 2-100 are supported.
Default/Syntax: 25

callsearch.merge.extension.digits
Description: By default, Call Search can merge results when the last 6 digits (not characters) are the same. Use this parameter to override the number of digits used in this scenario. Integer values between 4-20 are supported.
Default/Syntax: 6



callsearch.emergency.number
Description: Add this parameter to include up to 10 emergency number strings that can be displayed in the Keyword field of the Call Search home tab.
l Value must be between 2 and 40 characters in length
l The following symbols are not allowed: * ? < > and quotes
l Spaces are allowed, without quotes (Example: Emergency Services)
l A maximum of 10 numbers may be added
l Validation of duplicates is not performed
Default/Syntax: None
Example:
#callsearch.emergency.number=911
#callsearch.emergency.number=112

E.6 Procedures using Property Files


The following sections describe server property files used to configure various server settings
and product features:
l Enabling Certificate Expiration Alarms
l Forwarding Situations
l Using the nGConfigSync Script
l Configuring Export of WAV Files for nGenius UC Server

E.6.1 Enabling Certificate Expiration Alarms


The nGeniusONE suite provides an alarm mechanism that notifies you when SSL certificates in
your network are due to expire. Early notification helps you prevent website and service
disruptions.

When you enable this alarm (through a property setting), the alarm engine works in the
background to check for impending certificate expiration. If any certificate has days remaining
less than a default or custom threshold, an alarm is generated.

You can see these alarms in the Notification Center under the category of “Certificate Expiration”
and drill down from them to the Certificate Monitor.

Enable Certificate Expiration alarms by entering the following serverprivate.properties parameters in Table 1.2.


Table E.1 - Alarm Properties

Function Description Parameter in serverprivate.properties Default


Function: Minimum certificate validity
Description: Enable alarms for all certificates and set the number of days before expiration as the alarm threshold.
Parameter in serverprivate.properties: minimum.certificate.validity.in.days=-1
Enter a positive number to enable the alarms and specify the expiration threshold.
Default: -1 means that certificate expiration checking is disabled.

Function: Time of day
Description: Specify the time of day (hour HH and minute MM) when the certificate expiration check runs.
Parameter in serverprivate.properties:
certificate.check.time.HH.In24HrFormat=06
certificate.check.time.MM=00
Default: Every day at 06:00 (every 24 hours).

Function: Maximum lifetime for alarm
Description: Specify the minimum number of days that must elapse between successive uncleared alarms for an associated certificate and server. This setting controls the frequency of alerts for each associated certificate and server.
Parameter in serverprivate.properties: minimum.certificate.alarm.separation.in.days=7
Default: 7 (days)

Function: Alarm actions
Description: Enable additional actions in response to the certificate expiration alarm. First, define an action in Alert Configuration and then enter the complete name in this property.
Parameter in serverprivate.properties: certificate.expiration.alarm.action.policy.name=alert action name defined in Alert Configuration
(Use backslashes as escape characters for spaces)
Default: Empty, therefore no action is taken.



Function: Clear trap
Description: Enable a clear-alarm notification for when:
l A certificate with a previous uncleared alarm has an expiration with days remaining greater than the threshold.
l The maximum lifetime for a previously generated alarm has been exceeded.
Parameter in serverprivate.properties: forwardAlarm.clearTrapAlarm=true
Default: False

E.6.2 Forwarding Situations


For servers that support situation analysis, you can configure forwarding of data from the
current situation as a PDF attachment in an email.

To enable emails for situations, set the following property with email addresses in the
serverprivate.properties file: situation.analysis.email.recipient.list=address1,address2,etc..

For example: situation.analysis.email.recipient.list=johndoe@xyz.com,janedoe@xyz.com

After the property is enabled, recipients will receive a single email for any situation that occurs.
The email contains a description and a PDF attachment for the situation evidence.

Note: You must also provide your Outgoing SMTP Server in the nGeniusONE server's Server
Management Email Settings tab.

E.6.3 Using the nGConfigSync Script


After you modify a property in the common.properties file, run the nGConfigSync utility to
propagate the change to all affected properties files. Changes are propagated to the following
files as required:
l <nGeniusONE install>/rtm/html/client.properties
l <nGeniusONE install>/rtm/bin/globalmanager.properties
l <nGeniusONE install>/rtm/bin/serverprivate.properties

l <nGeniusONE install>/rtm/bin/admin/serverpublic.properties
l <nGeniusONE install>/tomcat/bin/tomcat.properties

Execute the nGConfigSync Utility

1. Stop the nGeniusONE Server.
2. Open a DOS command prompt or Linux terminal window and navigate to the
<nGeniusONE install>/rtm/bin directory. If you are running this utility for a NewsStand
Server, navigate to the <nGeniusONE install>/newsstand/bin directory.
3. Execute nGConfigSync.bat (Windows) or nGConfigSync.sh (UNIX).
Note: The nGConfigSync utility automatically backs up each of the five properties files.
Each time you run the utility, it overwrites any existing backup file. For example,
serverprivate.properties is copied to serverprivate.properties.backup when the utility is
run.
4. When the nGConfigSync utility finishes, restart the nGeniusONE Server. The parameter(s)
you changed are updated in the appropriate properties files.
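
Because each run of nGConfigSync overwrites the previous .backup copy, only one generation of each file survives. The following added example (not part of the NETSCOUT utility) takes a timestamped, hashed snapshot of the five files before the utility is run and afterwards lists which files it changed. The function names and archive layout are assumptions of the example; the relative paths are the ones listed in this section.

```python
"""Timestamped, hashed snapshot of the files nGConfigSync rewrites (added example)."""
import hashlib
import shutil
import time
from pathlib import Path

# Paths relative to <nGeniusONE install>, as listed in the guide.
SYNCED_FILES = (
    "rtm/html/client.properties",
    "rtm/bin/globalmanager.properties",
    "rtm/bin/serverprivate.properties",
    "rtm/bin/admin/serverpublic.properties",
    "tomcat/bin/tomcat.properties",
)


def sha256_of(path):
    """Hex SHA-256 of a file's bytes."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def snapshot(install_dir, archive_dir, stamp=None):
    """Copy the five files to archive_dir/<stamp>/ and return (root, manifest).

    The manifest maps each relative path to its SHA-256, or None when the
    file does not exist on this server. An existing snapshot directory is
    never reused: mkdir raises FileExistsError instead of overwriting.
    """
    stamp = stamp or time.strftime("%Y%m%dT%H%M%S")
    dest_root = Path(archive_dir) / stamp
    dest_root.mkdir(parents=True, mode=0o700)
    manifest = {}
    for rel in SYNCED_FILES:
        src = Path(install_dir) / rel
        if not src.is_file():
            manifest[rel] = None
            continue
        dest = dest_root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest)  # keeps the original modification time
        manifest[rel] = sha256_of(dest)
    return dest_root, manifest


def changed_since(install_dir, manifest):
    """Relative paths whose current content differs from the snapshot."""
    changed = []
    for rel, digest in manifest.items():
        src = Path(install_dir) / rel
        current = sha256_of(src) if src.is_file() else None
        if current != digest:
            changed.append(rel)
    return changed


def restore(install_dir, snapshot_root, rel):
    """Copy one file from a snapshot back into the install tree."""
    shutil.copy2(Path(snapshot_root) / rel, Path(install_dir) / rel)
```

Call snapshot() after stopping the server in step 1 and changed_since() after step 3 to review what the utility propagated before restarting.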

E.6.4 Configuring Export of WAV Files for nGenius UC Server


By default, export of audio is not enabled in UC views. Use this procedure to enable users to
retrieve and save a WAV version of the audio associated with the selected media in the Streams
view and Single Call view.

Note: This feature is supported with the following conditions:
l The codec for the selected stream is G.711, G.729/G.729B;
export of video is not supported.
l The monitoring device is an InfiniStream appliance (media packets
are not available from UC Collectors).
l Dynamic payloads are supported only when signaling occurs on
the same interface as the media packets.
1. Access User Management > Roles and ensure the users have the following privileges
enabled:
l Packet Analysis - General Access
l Packet Analysis - Save on Desktop
l Packet Analysis - Media Replay
2. Access Global Settings>Applications>Multimedia and ensure that Audio has Recording
(slice size) set to Full.
3. Access the server OS command line and edit <nGeniusONE install>/rtm/bin/vvmserver.properties.
l To enable export based on any phone number or IP Address, add this line:
audio_export=ALL

Save and exit the file.


l To restrict export based on specific numbers, add this line:
audio_export=LIST
4. After you save and exit the file, create the restriction list:
a. If it does not exist already, create <nGeniusONE install>/rtm/configdata/uc_audio_export_list.txt.
b. Edit the file to add one complete phone number or IP address per line. The numbers
are used as exact matches, not suffix wildcarding as is done with the UC Call Search.
This value can contain letters, numbers, underscores, forward slash, hyphen, dot,
colon, comma, semicolon, @, #, and space. The "+" character is also allowed for
international prefixing (Example: If you enter +123456, only the calls with the exact
string including the "+" are exported; likewise if you enter 123456, calls that contain a
leading ‘+’ are not exported). IPv4 and IPv6 addresses are supported; hostnames are
not supported. Note that the number for only one side of the call is required for a
match.
c. Save and exit the file. The server re-reads this file every minute, allowing you to update
this file as needed without restarting services.

Users can now log out and back in to use the Export to WAV option from the export menu of
Single Call view and Streams view.
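
Since LIST mode is the control that limits whose call audio can be exported, a malformed entry silently fails to match. The following added example (not NETSCOUT code) lints the content of uc_audio_export_list.txt against the character rules in step 4b and models the exact-match behavior described there. The function names, the hostname heuristic, the treatment of stray whitespace as an error, and the sample list are assumptions of the example.

```python
"""Lint uc_audio_export_list.txt and model audio_export matching (added example)."""
import re

# Character set the guide allows in a list entry: letters, numbers, underscore,
# forward slash, hyphen, dot, colon, comma, semicolon, @, #, space and "+".
ALLOWED = re.compile(r"[A-Za-z0-9_/\-.:,;@# +]+")

# Heuristic (assumption of this example): dotted labels whose last label is
# alphabetic look like a hostname, which the guide says is not supported.
HOSTNAME_LIKE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def lint_list(text):
    """Return (entries, problems); problems are (line_number, message) pairs."""
    entries, problems = [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        if raw != raw.strip():
            # Assumption: the server does not trim, so with exact matching a
            # padded entry would never equal a real number.
            problems.append((number, "leading/trailing whitespace"))
        elif not ALLOWED.fullmatch(raw):
            problems.append((number, "character outside the allowed set"))
        elif HOSTNAME_LIKE.fullmatch(raw):
            problems.append((number, "looks like a hostname"))
        elif raw in entries:
            problems.append((number, "duplicate entry"))
        else:
            entries.append(raw)
    return entries, problems


def export_allowed(mode, entries, party_a, party_b):
    """Model of the documented behavior for one call.

    mode is the audio_export value: "ALL", "LIST", or None when the property
    is absent (export not enabled). In LIST mode a match on either side of
    the call is enough, and matching is exact, including any leading "+".
    """
    if mode == "ALL":
        return True
    if mode == "LIST":
        return party_a in entries or party_b in entries
    return False


# Constructed sample list content.
SAMPLE_LIST = (
    "+14155550100\n"
    "123456\n"
    "10.0.0.5\n"
    "2001:db8::1\n"
    "pbx.example.com\n"
    "555*\n"
    "123456\n"
)

if __name__ == "__main__":
    entries, problems = lint_list(SAMPLE_LIST)
    print(entries)
    for number, message in problems:
        print("line %d: %s" % (number, message))
```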

F Hardware
F.1 Appliance Details: Dell R740 Server
NETSCOUT currently ships nGeniusONE servers based on the Dell R740 platform. General details
are provided below. For more information, refer to: 
l https://topics-cdn.dell.com/pdf/poweredge-r740_Owners-Manual_en-us.pdf
l https://www.dell.com/support/home/us/en/04/product-support/product/poweredge-
r740/docs#doc-types

Before installing this appliance, please refer to compliance and safety warnings, available online
at: http://www.dell.com/learn/us/en/uscorp1/regulatory-compliance

F.1.1 Hardware Overview


This appliance is a 2U device with dual-redundant power supplies, storage for the operating
system and data (storage configuration varies based on appliance type and model), four Gigabit
Ethernet LAN interfaces, and a dedicated remote management port.

Rear


Front

F.1.2 Status Indicators


The front panel of the appliance has status indicators on the left and on the drives. A brief
explanation is below. More details are available at the online links listed above.

System Status (Left Panel) 

Status: These icons illuminate amber if there is an issue with the corresponding component.

System Health / System ID :


l Solid blue: System is on, it is healthy and the System ID mode is not active
l Blinking blue: System ID mode is active; press Health Indicator button to change mode
l Solid amber: System is in fail-safe mode
l Blinking amber: Indicates that the system is experiencing a fault

Drive Status

In addition to the drive status icon on the left panel of the appliance, each disk has an activity
and status indicator. In this case, the database icon represents activity. The heartbeat icon
represents status, with the following meanings:
l Solid green: Drive is online
l Off: Drive may be ready for removal. Note that during initial boot, other drives in the array
may be initializing so this indicator remains off until all drives are initialized.
l Flashing green - slowly: Drive is rebuilding
l Flashing green - twice per second: identifying drive or preparing for removal
l Flashing green, then amber, then off: Predicted drive failure
l Flashing green - for three seconds, amber for three seconds, then off after six seconds: Rebuilding stopped
l Flashing amber - four times per second: Drive failed

F.1.3 Environmental Specifications


The following table provides a summary of key environmental criteria for this platform.

Feature Value
Chassis 2U rack mountable chassis without bezel
(W 17.1" x D 26.72 x H 3.4")
Height 3.4 in (86.36 mm)
Width 17.09 in (434 mm)
Depth 26.72 in (678.8 mm)
Weight 63.05 lbs (28.6 kg)
(Maximum Configuration)
Temperature (Operating) 10°C to 35°C (50°F to 95°F)
Recommended ambient temperature is 30°C
Power Supplies 100-240 VAC/10-5A, 50/60Hz
(per module) Maximum consumption 2891 BTU/hr
