Revision A
COPYRIGHT
TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.
Installation Guide
Contents

Preface
    About this guide . . . . . 5
    Audience . . . . . 5
    Conventions . . . . . 5
    Find product documentation . . . . . 6

Installing or upgrading software on model 1650 and 3650 appliances
    Download and expand the legacy archive . . . . . 25
    Install the products on legacy servers . . . . . 26
    Upgrade to 9.2.0 on legacy appliances . . . . . 27

Configuring McAfee DLP appliances and adding servers
    Configure McAfee DLP appliances using Setup Wizard . . . . . 29
    Configure McAfee DLP appliances after installation . . . . . 35
    Add McAfee DLP products to McAfee DLP Manager . . . . . 35
    Configuring McAfee DLP Prevent . . . . . 36
        MTA requirements for McAfee DLP Prevent . . . . . 37
        Configure McAfee DLP Prevent . . . . . 37
    Add LDAP servers to McAfee DLP Manager . . . . . 38
    Add McAfee Logon Collector to McAfee DLP Manager . . . . . 40
    Add syslog servers to McAfee DLP systems . . . . . 41
    Resynchronize McAfee DLP systems with an NTP server . . . . . 41
    Testing the system . . . . . 42

Index . . . . . 75
Preface
About this guide
This guide provides the information you need to install your McAfee product. It contains all of the necessary information for installing McAfee Data Loss Prevention software, including detailed steps and verification of the installation and configuration process on both the new hardware platform and the legacy appliances. It also covers integration with McAfee ePolicy Orchestrator and McAfee Data Loss Prevention Endpoint to configure a unified policy installation. When the process is completed, you will have a fully functional, properly configured McAfee DLP hardware and software implementation.
Audience
McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:
Administrators: People who implement and enforce the company's security program.
Security officers: People who determine sensitive and confidential data, and define the corporate policy that protects the company's intellectual property.
Conventions
This guide uses the following typographical conventions and icons.
Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.
Bold: Text that is strongly emphasized.
User input or Path: Commands and other text that the user types; the path of a folder or program.
Code: A code sample.
Words in the user interface including options, menus, buttons, and dialog boxes.
A live link to a topic or to a website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.
McAfee Data Loss Prevention Manager manages all of the McAfee DLP products from a centralized console, then displays incidents and events found by them on its dashboards. In the unified policy design, rules can be configured to find incidents and violations anywhere on an intranet: in network traffic, in repositories containing structured or unstructured data, and on endpoints. Actions can also be added to any rule to handle any problem as soon as it is detected.
Contents
McAfee Unified DLP deployment
Management options
Installation scenarios
McAfee Unified DLP deployment
The McAfee DLP Monitor capture engine analyzes all content on a network, classifies it into types, and stores the resulting objects on capture partitions. Some traffic can be filtered out to improve performance. McAfee DLP Prevent monitors all email and webmail and applies actions to resolve any problems.
McAfee DLP Discover monitors file systems and repositories, locates significant data, and reports data that is in violation of policy. McAfee DLP Endpoint finds significant events occurring at endpoints and reports any policy violations. Endpoint rules and events are managed through the same workflow as the other products in the McAfee DLP solution.
Management options
McAfee Data Loss Prevention Manager displays incidents and events on McAfee DLP Manager or McAfee ePolicy Orchestrator dashboards. Depending on the installation, there are three options for managing McAfee Data Loss Prevention.
If McAfee DLP is installed on a Linux appliance, McAfee DLP Manager is used as the management console. Log on to the console with a Mozilla Firefox or Microsoft Internet Explorer browser using the address https://<server IP>.
If McAfee DLP is installed in ePolicy Orchestrator, log on to the McAfee ePO console using the address https://<server IP>:8443. Mozilla Firefox 3.0.x and Microsoft Internet Explorer 7 browsers are supported.
If McAfee DLP is run as a virtual appliance, use the VMware vSphere Client to log on to the console.
Virtual appliance installations are beyond the scope of this guide. See the McAfee Data Loss Prevention 9.2 Virtual Appliance Installation Guide for more information.
Figure 1-2
Installation scenarios
McAfee Data Loss Prevention software can be installed on Linux appliances or as an ePolicy Orchestrator application on a Windows server operating system. McAfee Data Loss Prevention software comes in both Linux and Microsoft Windows versions. The Linux version can be run as a virtual appliance.
Virtual appliance installation is documented in McAfee Data Loss Prevention 9.2 Virtual Appliance Installation Guide.
For complete system requirements, see chapter 6, Installing McAfee DLP Endpoint. See also Verify system requirements on page 43
This Quick Start serves as a high-level road map for setting up your McAfee DLP system. McAfee DLP Manager is shipped pre-installed; the other products in the suite (McAfee DLP Monitor, McAfee DLP Discover, and McAfee DLP Prevent) must be installed on-site. McAfee DLP Monitor must be set up to capture network traffic, so it requires additional configuration steps.
Contents
Adding devices and servers
Check the shipment
Plan your installation
Rack mount the appliances
Connect a management console
Configure McAfee DLP Manager
Select an integration mode for McAfee DLP Monitor
Complete the setup
Check the shipment
Intel Diagnostic Tool (IDT) USB
Product notes for IDT (CD media)
Safety document
Warranty document
Recovery media
Plan your installation
Devise a protection strategy by evaluating the type of information you need to protect. Your objectives will determine which policies you activate. Determine who will be the primary administrator of the system.
Rear-panel Ethernet ports (callouts 1 to 4 in the appliance figures):
1 Ethernet port 0
2 Ethernet port 1: Management port
3 Ethernet port 2: Capture port 0
4 Ethernet port 3: Capture port 1
On the third appliance figure the capture ports are reversed:
1 Ethernet port 0
2 Ethernet port 1: Management port
3 Ethernet port 3: Capture port 1 (note reversed configuration)
4 Ethernet port 2: Capture port 0 (note reversed configuration)
Connect a management console
By default, each appliance is configured with the IP address 192.168.1.2, but a new IP address and other network parameters are required to integrate it into the network.
You must connect a laptop to the management port so you can convey this information to the appliance. Assign the laptop an IP address that is different, but on the same subnet, so it can access the management port.
Task
1 Connect a laptop to the management port of the appliance using the supplied Ethernet cable.
2 Change the laptop to an address in the 192.168.1.X/24 IP range, for example, 192.168.1.10.
3 Open a web browser and connect to the DLP appliance at https://192.168.1.2. The DLP user interface starts.
4 Log on to the McAfee DLP appliance. The default logon is admin/mcafee; it is the same on every appliance, so change it during setup (see the Administrator Setup step below). The End User License Agreement appears.
5 Select the license agreement checkbox and click I Accept. The Setup Wizard starts.
6 On the Network Configuration page, enter all of the IP addresses, and the host and domain names needed to integrate the appliance into the network. If you are configuring a McAfee DLP Manager, skip to the next topic.
7 Advance through the Setup Wizard pages to the Review page. The interim pages are completed only on the McAfee DLP Manager appliance.
8 Click Submit, then Exit Wizard. When this step is complete, the appliance has a new IP address and is integrated into the network. Restarting is not necessary.
If you have configured McAfee DLP Discover or McAfee DLP Prevent appliances, setup is complete. If you are configuring McAfee DLP Manager, proceed to the next step. If you are configuring McAfee DLP Monitor, proceed to the following step.
Configure McAfee DLP Manager
Task
1 On the Time Configuration page, change the time zone.
2 Select Manual to set NTP to local time. On this first configuration, you cannot yet set the NTP server, because the default IP address (192.168.1.2) does not allow it to be located. The NTP server can be defined only when the system is restarted and integrated into the network.
3 On the Policy Activation page, select the checkboxes of the policies that will generate incidents relevant to your protection strategy. If you are in a region that is not listed, you can activate policies that are directly relevant to your location after the system is installed.
4 On the Administrator Setup page, enter the email address of the primary administrator and change the password from the default.
5 On the Email and Email Server Setting page, enter the IP address or host name of the email server.
6 On the Review page, verify your settings; click Previous to change them, or click Cancel.
7 When you have confirmed your settings, click Submit, then Exit Wizard.
At this point, the McAfee DLP Manager setup is almost complete. After all other products are integrated into the network, sync McAfee DLP Manager to the network by completing the final step in this document.
Select an integration mode for McAfee DLP Monitor
Figure: SPAN (mirrored) port integration. Callouts: 1 Capture ports; 2 WAN router traffic mirrored to McAfee DLP Monitor port; 3 LAN; 4 LAN switch; 5 WAN.
This method requires a change on the LAN switch, but no downtime is required because network traffic is not disrupted.
With this configuration, some packets might be dropped under heavy loads. As a result, the number of packets seen by McAfee DLP Monitor might not match the number seen by the ports being monitored.
Using interface show commands on the switch, verify that traffic is being received on the switch port to which McAfee DLP Monitor is connected. Save the configuration on the switch.
Common configuration
If a SPAN port is configured on a Cisco switch, the WAN router would be connected to interface GigabitEthernet1/0/1 and the DLP appliance to interface GigabitEthernet1/0/2:
Switch# configure terminal
Switch(config)# interface GigabitEthernet1/0/2
Switch(config-if)# port monitor GigabitEthernet1/0/1
Switch(config-if)# end
Switch# show port monitor
Monitor Port          Port being monitored
--------------------- ------------------------
GigabitEthernet1/0/2  GigabitEthernet1/0/1
Switch# write memory
On Catalyst switches that do not accept the port monitor interface subcommand, SPAN is configured with monitor session instead: monitor session 1 source interface GigabitEthernet1/0/1, then monitor session 1 destination interface GigabitEthernet1/0/2, verified with show monitor. Whichever syntax applies, a SPAN destination port that is oversubscribed silently drops the excess frames, which is the packet-count mismatch described above.
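The switch-side show commands above confirm that the SPAN session is sending frames. The following added example (not code from the McAfee guide) checks the appliance side: it samples the Linux /proc/net/dev counter table twice and reports whether the capture interface is receiving anything at all, whether it is dropping frames (the heavy-load case noted above), and whether it is transmitting, which a capture port on a SPAN destination or tap never should. The interface name eth2 (Ethernet port 2 = Capture port 0) and the two sample counter tables are assumptions made for the example.

```python
"""Check that a McAfee DLP Monitor capture port is really receiving mirrored traffic.

Added example; not code from the McAfee guide. The interface name "eth2" and
the sample /proc/net/dev tables are assumptions for the example.
"""
import time
from dataclasses import dataclass

PROC_NET_DEV = "/proc/net/dev"


@dataclass(frozen=True)
class IfStats:
    rx_packets: int
    rx_drops: int
    tx_packets: int


def parse_proc_net_dev(text: str) -> dict:
    """Parse a /proc/net/dev table into {interface: IfStats}.

    After two header lines each row is "<name>: <16 counters>"; receive
    counters occupy columns 0-7 (bytes, packets, errs, drop, ...), transmit
    counters columns 8-15 (bytes, packets, ...).
    """
    stats = {}
    for line in text.splitlines()[2:]:
        if ":" not in line:
            continue
        name, _, counters = line.partition(":")
        fields = counters.split()
        if len(fields) < 16:
            continue
        stats[name.strip()] = IfStats(
            rx_packets=int(fields[1]),
            rx_drops=int(fields[3]),
            tx_packets=int(fields[9]),
        )
    return stats


def capture_port_findings(before: IfStats, after: IfStats) -> list:
    """Return the problems seen between two samples; an empty list means healthy."""
    findings = []
    rx = after.rx_packets - before.rx_packets
    drops = after.rx_drops - before.rx_drops
    tx = after.tx_packets - before.tx_packets
    if rx == 0:
        findings.append("no frames received: the SPAN session or tap is not delivering traffic")
    elif drops > 0:
        seen = rx + drops
        findings.append(f"{drops} of {seen} frames dropped ({100.0 * drops / seen:.1f}%)")
    if tx > 0:
        findings.append(f"{tx} frames transmitted: a capture port must be receive-only")
    return findings


def check_capture_port(table_before: str, table_after: str, iface: str = "eth2") -> list:
    """Run the comparison on two captured /proc/net/dev tables."""
    before = parse_proc_net_dev(table_before)
    after = parse_proc_net_dev(table_after)
    if iface not in before or iface not in after:
        return [f"interface {iface} not present in /proc/net/dev"]
    return capture_port_findings(before[iface], after[iface])


def check_live(iface: str = "eth2", interval: float = 10.0) -> list:
    """Sample the real /proc/net/dev twice, `interval` seconds apart."""
    with open(PROC_NET_DEV) as f:
        first = f.read()
    time.sleep(interval)
    with open(PROC_NET_DEV) as f:
        second = f.read()
    return check_capture_port(first, second, iface)


# Constructed sample tables (not real appliance output): eth1 is the
# management port, eth2 the capture port. Between the two samples eth2
# received 50 000 frames, dropped 500 more, and transmitted nothing.
SAMPLE_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth1:  1024000    8000    0    0    0     0          0         0   512000    4000    0    0    0     0       0          0
  eth2: 90000000  100000    0   20    0     0          0         0        0       0    0    0    0     0       0          0
"""
SAMPLE_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth1:  1100000    8600    0    0    0     0          0         0   540000    4200    0    0    0     0       0          0
  eth2: 135000000  150000    0  520    0     0          0         0        0       0    0    0    0     0       0          0
"""

if __name__ == "__main__":
    for finding in check_capture_port(SAMPLE_T0, SAMPLE_T1) or ["capture port healthy"]:
        print(finding)
```

Run check_live() on the appliance after the switch configuration is saved; a drop finding points to an oversubscribed SPAN destination (the tap mode below does not have this problem), and a transmit finding means something is using the capture NIC for ordinary traffic.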
Figure: network tap integration. Callouts: 1 Capture ports; 2 Analyzer ports; 3 Network tap; 4 LAN; 5 LAN switch; 6 Router; 7 WAN.
This method requires physical disconnection and reconnection of network cables, so it disrupts traffic. A service window is required.
With this configuration, full traffic capture is done even under heavy load conditions.
Configuration is complete. If you want to integrate the DLP system into McAfee ePolicy Orchestrator 4.5 or 4.6, you can do it now.
Installing or upgrading the software on Model 4400
A McAfee DLP installation on the Model 4400 contains two released images, each of which contains an operating system (except for the kernel) and DLP software. Primary and secondary images are initially duplicate installations. When the system is upgraded, the primary and secondary disks can contain different versions of the same product.
The system automatically boots from the latest installed version.
Contents
Download and expand the archive
Boot options
Upgrade the products
Apply a hotfix
Convert an installation to another DLP product
Restoring the drives
Download and expand the archive
Task
1 Open the McAfee Service Portal by typing support.mcafee.com into the address bar of a web browser.
2 From the Products & Solutions menu, select Product Downloads, or locate and click the link under the Corporate Support heading.
3 In the Download My Products field, enter your grant number.
4 Scroll down the page, then select the McAfee Network DLP product and version.
5 Select and save the appropriate *.tgz file to your desktop.
6 Log on as root to the model 4400 appliance and create a product directory under /data. The directory name you select should identify the product to be installed, for example, imanager, imonitor (iguard), idiscover, iprevent.
7 Extract the contents of the archive, using the -C option to expand it into the product directory.
[root@4400 data]# tar zxf <product>.tgz -C <product>
Boot options
Unlike the legacy DLP appliances, the model 4400 hardware platform runs the McAfee Linux Operating System. It contains a boot loader package that allows users to switch between installations. McAfee DLP uses GNU GRUB (GRand Unified Bootloader) to install the primary and secondary images on the model 4400 appliances.
Figure 3-1
The default Disk Boot option is used only to boot the operating system of the appliance.
During the upgrade process, the configuration data in the /data directory and the kernel/boot loader information in the boot directory are copied over to the new installation.
Table 3-1 Boot options
McAfee NDLP Disk Boot: Reboots the system from the operating system disk. Does not reinstall the operating system or the product software.
McAfee NDLP Primary Image Install: Loads the primary image to the system. Replaces the existing operating system and product software, but retains the data in the /data and /boot directories.
McAfee NDLP Secondary Image Install: Loads the secondary image to the system. Replaces the existing operating system and product software, but retains the data in the /data and /boot directories.
Upgrade the products
To install the primary image:
Task
1 Log on to the appliance as root.
2 Go to the product installation directory under the /data directory.
# cd /data/<product>
3 Run the installation script with the product name and the path to the product directory.
# ./install_new_pri iguard /data/monitor
When the installation is complete, a message appears stating which image will boot next.
4 Restart the system.
To install the secondary image:
Task
1 Log on to the appliance as root.
2 Go to the product installation directory under the /data directory.
# cd /data/<product>
3 Run the installation script with the product name and the path to the product directory.
# ./install_new_sec iguard /data/monitor
When the installation is complete, a message appears stating which image will boot next.
To select the image that boots next:
Task
1 Log on to the appliance as root.
2 Go to the product installation directory under the /data directory.
# cd /data/<product>
3 Run the setnextboot script to select one of three boot options: primary, secondary, or boot from the operating system on the appliance.
# ./setnextboot [reboot_only | pri | sec]
The script sets up the selected option. When the option is set, a message appears stating which image will boot next.
Apply a hotfix
Apply a hotfix by running a script that installs the hotfix RPM.
Before you begin
You need not check the version or product before installing the hotfix. The RPM ensures that the package is being installed on the right platform, product, and version. The hotfix script copies the hotfix RPM to /data/hotfix/<current_version> and adds an installation entry to /data/hotfix/<current_version>/install_hotfix<stingray_version>.sh. In rare instances, a kernel RPM might be released. If this occurs, installation of the release image automatically updates the boot loader for the corresponding kernel version.
Task
1 Log on to the appliance as root.
2 Run the hotfix script with an option that identifies the current hotfix package.
# install_hotfix.ksh <hotfix_rpm>
The name of the package follows the convention Hotfix-<product name>-<Bugzilla number>-<Perforce change number>-<version number>-<sequence number>.x86-64.rpm. For example, a package using this naming convention might be Hotfix-iguard-750875-55025-9.2.0-01.x86-64.rpm.
3 Reboot the system. When the system is booted up, the RPM will also install
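The guide relies on the RPM itself to refuse a package built for another product or version. The following added example (not code from the McAfee guide) performs that check before install_hotfix.ksh runs as root and a reboot is scheduled: it parses the package name against the naming convention quoted above and compares the product and version tokens with the installed release read from /data/stingray/etc/version. Assumptions: the version file is read as "Key: value" lines with a Release field (the only field the guide mentions) and a Product field; the file content in the block is constructed for the example.

```python
"""Pre-flight check of a McAfee DLP hotfix RPM before running install_hotfix.ksh.

Added example; not code from the McAfee guide. The version-file layout and the
Product field are assumptions; only the Release field appears in the guide.
"""
import re
import subprocess
from pathlib import Path

VERSION_FILE = Path("/data/stingray/etc/version")

# Product tokens used in the guide's directory and script examples.
KNOWN_PRODUCTS = {"imanager", "iguard", "idiscover", "iprevent"}

# Hotfix-<product>-<Bugzilla>-<Perforce change>-<version>-<sequence>.x86-64.rpm
HOTFIX_RE = re.compile(
    r"^Hotfix-(?P<product>[a-z]+)-(?P<bug>\d+)-(?P<change>\d+)-"
    r"(?P<version>\d+\.\d+\.\d+)-(?P<seq>\d+)\.x86[-_]64\.rpm$"
)


def parse_hotfix_name(filename: str) -> dict:
    """Split a hotfix package name into its fields, or raise ValueError."""
    m = HOTFIX_RE.match(Path(filename).name)
    if not m:
        raise ValueError(f"{filename!r} does not follow the "
                         "Hotfix-<product>-<bug>-<change>-<version>-<seq>.x86-64.rpm convention")
    return m.groupdict()


def parse_version_file(text: str) -> dict:
    """Read 'Key: value' lines (assumed layout) into a dict with lower-case keys."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip().lower()] = value.strip()
    return info


def check_hotfix(filename: str, version_text: str) -> tuple:
    """Return (ok, reason): ok is True only when product and version both match."""
    try:
        pkg = parse_hotfix_name(filename)
    except ValueError as err:
        return False, str(err)
    installed = parse_version_file(version_text)
    release = installed.get("release", "")
    product = installed.get("product", "")
    if pkg["product"] not in KNOWN_PRODUCTS:
        return False, f"unknown product token {pkg['product']!r}"
    if product and pkg["product"] != product:
        return False, f"package is for {pkg['product']}, this appliance runs {product}"
    if pkg["version"] != release:
        return False, f"package targets {pkg['version']}, installed release is {release}"
    return True, (f"hotfix {pkg['bug']}/{pkg['change']} seq {pkg['seq']} "
                  f"applies to {product or pkg['product']} {release}")


def rpm_signature_ok(path: str) -> bool:
    """Ask rpm to verify the package digest and signature (rpm -K); False on any failure.

    Only meaningful once the vendor's signing key has been imported with rpm --import.
    """
    result = subprocess.run(["rpm", "-K", path], capture_output=True, text=True)
    return result.returncode == 0


# Constructed content for /data/stingray/etc/version (assumed layout, not real output).
SAMPLE_VERSION_FILE = "Product: iguard\nRelease: 9.2.0\nBuild: 55025\n"

if __name__ == "__main__":
    import sys
    text = VERSION_FILE.read_text() if VERSION_FILE.exists() else SAMPLE_VERSION_FILE
    for name in sys.argv[1:] or ["Hotfix-iguard-750875-55025-9.2.0-01.x86-64.rpm"]:
        ok, why = check_hotfix(name, text)
        print(("OK   " if ok else "STOP ") + why)
```

Run it with the package path as the argument on the appliance; a STOP line means the file is not the one the appliance needs. rpm -K adds a digest and signature check, which the naming convention alone cannot give you.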
Installing or upgrading software on model 1650 and 3650 appliances
A McAfee DLP installation on the model 1650 and 3650 appliances contains the software for a single product. The software is installed or upgraded by running two installation scripts. The platform script installs the operating system components, and it is customized to the hardware used by entering a platform type option. A Stingray script installs the McAfee DLP application.
The installation and upgrade procedures for the management console (McAfee DLP Manager) and all of its managed devices (McAfee DLP Discover, McAfee DLP Monitor, and McAfee DLP Prevent) are the same. McAfee DLP Endpoint must be installed separately.
Contents
Download and expand the legacy archive
Install the products on legacy servers
Upgrade to 9.2.0 on legacy appliances
Download and expand the legacy archive
Task
1 Open the McAfee Service Portal by typing support.mcafee.com into the address bar of a web browser.
2 From the Products & Solutions menu, select Product Downloads, or locate and click the link under the Corporate Support heading.
3 In the Download My Products field, enter your grant number.
4 Scroll down the page, then select the McAfee Network DLP product and version.
5 Select and save the appropriate *.bz2 file to your desktop.
6 Log on as root to the model 1650 or 3650 appliance and create a product directory under /data. The directory name you select should identify the product to be installed, for example, imanager, imonitor (iguard), idiscover, iprevent.
7 Extract the contents of the archive, using the -C option to expand it into the product directory.
[root@<appliance> data]# tar jxf <product>.bz2 -C <product>
Install the products on legacy servers
Task
1 Log on to the McAfee DLP device as root.
2 Go to the directory containing the product software.
# cd /data/<product>
3 Install the platform. Enter ./install_platform to display the current platform type, along with other options.
Log on to the McAfee DLP device as root, go to the installation directory, and verify the installation with the command:
# cat /data/stingray/etc/version
If the Release field contains 9.2.0, installation is complete.
Upgrade to 9.2.0 on legacy appliances
Task
1 Log on to the appliance as root.
2 Check the current version.
# cat /data/stingray/etc/version
3 Make a directory for the patch, check its location, then expand the archive into the new directory.
# mkdir -p /data/patch_9_0_4/686712_i<product>
# ls -l /tmp
patch_686712_45025_02_i<product>.tar.gz
# tar zxvf /tmp/patch_686712_45025_02_i<product>.tar.gz -C /data/patch_9_0_4/686712_i<product>
4 Go to the patch directory, then find and read the README file.
# cd /data/patch_9_0_4/686712_i<product>
# ls -l
# cat README
Follow the installation steps in the README file.
5 Restart if prompted, or continue to the next step when prompted.
6 Make a directory for the hotfix, check its location, then expand the archive into the new directory.
# mkdir -p /data/hotfix
# ls -l /tmp
hotfix_719847_45561_01.tar.gz
# tar zxvf /tmp/hotfix_719847_45561_01.tar.gz -C /data/hotfix
Do not install the hotfix until the upgrade to 9.2.0 is complete.
7 Go to the hotfix directory, run the hotfix installation script, and reboot.
# cd /data/hotfix
# ./install_hotfix
# reboot
Configuring McAfee DLP appliances and adding servers
All McAfee DLP appliances can be registered to McAfee DLP Manager and managed from that console. After the appliances are configured, servers that extend the functionality of the system can be added. At the very least, an NTP server must be added during the installation process. Most McAfee DLP enterprise configurations have LDAP servers configured, and McAfee Logon Collector is often used in addition to resolve the identities of specific users.
After installation of McAfee DLP Monitor, McAfee strongly recommends adding capture filters to customize the system. Some default filters are provided to filter out extraneous data that would ordinarily be captured, but each installation has a unique protection strategy that requires different settings. Consult the McAfee Total Protection for Data Loss Prevention 9.2.0 Product Guide for more information.
Contents
Configure McAfee DLP appliances using Setup Wizard
Configure McAfee DLP appliances after installation
Add McAfee DLP products to McAfee DLP Manager
Configuring McAfee DLP Prevent
Add LDAP servers to McAfee DLP Manager
Add McAfee Logon Collector to McAfee DLP Manager
Add syslog servers to McAfee DLP systems
Resynchronize McAfee DLP systems with an NTP server
Testing the system
Configure McAfee DLP appliances using Setup Wizard
Task
1 Open a web browser and start the application using the IP address.
https://xxx.xxx.xxx.xxx
2 At the logon prompt, type the default user name and password: admin/mcafee.
3 On the End User License Agreement page, select the checkbox and click I Accept.
4 On the Network Configuration page, assign the hostname, domain and IP addresses of the gateway and DNS servers, then click Next.
Figure 5-1 Network configuration
You must enter a fully-qualified domain name into the Hostname field.
5 On the Time Configuration page, set the time zone, select the NTP server, and click Next.
You might want to set the NTP server manually in some cases.
6 On the Policy Activation page, select the policies that are needed for you to implement your protection strategy, then click Next.
Figure 5-3 Policy activation
If you have to change this configuration later, you can activate or deactivate policies from the Policies page. For example, you might want to use international policies that are available on that page.
7 On the Administrator Setup page, type in an email address for the primary administrator and set a password, then click Next.
8 If you are setting up McAfee DLP Prevent, type in the IP address of a smart host, then click Next.
10 If the settings are correct, click OK to restart the appliance.
If additional configuration is needed after installation, log on to the application after restarting, then click the Configure link on the System page.
Configure McAfee DLP appliances after installation
Task
1 In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | System Administration | Devices.
2 On your Linux-based appliance, select System | System Administration | Devices.
3 Select a device and click Configure.
4 Change parameters on the System Configuration page.
5 Click Update after each change is made.
Add McAfee DLP products to McAfee DLP Manager
Adding a McAfee DLP appliance wipes the current configuration of that machine, but captured data, cases, and incidents are not lost. Unless you have previously deployed policies to All Devices, you will have to edit them to add the device. If a device is registered with McAfee DLP Manager, it cannot be brought back to standalone mode after deregistering it; it will have to be reinstalled.
On some networks you can choose a port configuration. The McAfee DLP appliance is a Gigabit network device, so it is possible to bring it down.
The Add Device page is also used to add an ePolicy Orchestrator server (ePolicy Orchestrator GUI IP Address) and database (ePolicy Orchestrator Database IP or hostname). If the ePolicy Orchestrator device checkbox is selected, the options change.
If Incident Copy Only is selected from the Type menu, there is no integration with unified policy, and you must use the McAfee DLP Endpoint Policy Manager to update the policy.
Task
1 In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | System Administration | Devices.
2 On your Linux-based appliance, select System | System Administration | Devices.
3 Select Actions | New Device.
4 Enter the Device IP or hostname and Password. Use the root user account for association. McAfee recommends that you change the root password on the appliance before adding it to McAfee DLP Manager, because that password is what McAfee DLP Manager holds for the device from then on. If you change the IP address, the network service needs to be restarted. Stingray automatically restarts the appliance to register the change.
5 Click Add.
6 Click OK to confirm or Cancel the registration.
7 Wait for the Status icon in the device list to turn green. The CPU usage display indicates that the registration tasks are being performed. McAfee DLP Manager does not display any CPU activity, because it serves only as a collection point for the data. The other machines are capturing and indexing data, and their processor indicator shows CPU utilization; it should not go over 70-80%. If registration seems to be taking a long time, try refreshing the page. When devices are added successfully, their status icons turn green.
Configuring McAfee DLP Prevent
McAfee DLP Prevent can be configured with many different email and webmail systems. McAfee Email and Web Gateway products are supported, and it has also been tested with some third party systems, such as Blue Coat Systems products.
McAfee Email Security Appliance is set to handle up to 30 concurrent SMTP connections - but McAfee DLP Prevent exceeds this limit. To get these two appliances to work together, you must modify the ESA configuration files.
MTA requirements for McAfee DLP Prevent
The MTA used with McAfee DLP Prevent must meet the following requirements.
It must be capable of sending either all or a portion of outgoing traffic to the McAfee DLP Prevent application. McAfee DLP Prevent is not typically used to inspect incoming email. Examples of a requirement where only a portion of the traffic needs to be scanned might be environments where only traffic with attachments is to be scanned, or where scanning is limited to traffic directed to public sites (for example, Yahoo).
It must be capable of inspecting the email headers of messages entering the MTA.
It must be capable of taking actions based on specified match expressions for email headers. The specific header received from McAfee DLP Prevent is the X-RCIS-Action header, with the values ALLOW, BLOCK, QUART, ENCRYPT, BOUNCE, REDIR and NOTIFY.
Based on the entering port or some other metric, it must be capable of distinguishing all emails arriving from the McAfee DLP Prevent appliance, and applying header inspection and header-based action rules exclusively to email arriving from McAfee DLP Prevent.
It must be capable of ensuring that emails arriving from the McAfee DLP Prevent appliance are not routed back to the McAfee DLP Prevent appliance. This can be done by using port or source-IP-based mail routing, by checking whether an X-RCIS-Action header already exists in an email scheduled to be routed to McAfee DLP Prevent, or by some other means. If the header check alone is used, the MTA must also remove any X-RCIS-Action header present on mail submitted by clients; otherwise a sender can add the header and have the message skip inspection.
It must be capable of implementing all of the McAfee DLP Prevent-based actions. If the MTA does not have all of the required capabilities, inter-operation is still possible, but in that case the actions that can be set when rules are created must be limited to those supported by the MTA.
It must be able to inter-operate with an email encryption appliance (if this capability is needed) and instruct the encryption appliance to encrypt specific messages based on header information or other metrics.
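The routing logic those requirements describe, as an added example that is not code from the McAfee guide or from any particular MTA: outgoing mail goes to McAfee DLP Prevent (all of it, or only mail with attachments or to listed domains); mail coming back on the DLP Prevent return path is acted on according to X-RCIS-Action and never routed to DLP Prevent again; and a client-supplied X-RCIS-Action header is stripped on submission so the loop check cannot be used to skip inspection. The return-listener port 10025, the appliance address 192.0.2.10, the fail-closed choice of QUART for a missing, unknown or unsupported verdict, and the sample messages are assumptions made for the example.

```python
"""MTA-side handling of McAfee DLP Prevent's X-RCIS-Action header.

Added example; not code from the McAfee guide or from any MTA. Port, address,
the QUART fallback and the sample messages are assumptions for the example.
"""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

HEADER = "X-RCIS-Action"
ACTIONS = ("ALLOW", "BLOCK", "QUART", "ENCRYPT", "BOUNCE", "REDIR", "NOTIFY")  # from the guide
DLP_RETURN_PORT = 10025        # assumed: dedicated listener for mail returning from DLP Prevent
DLP_PREVENT_IP = "192.0.2.10"  # assumed address of the DLP Prevent appliance
TO_DLP_PREVENT = "TO-DLP-PREVENT"
DELIVER = "DELIVER"


def arrived_from_dlp_prevent(src_ip: str, dst_port: int) -> bool:
    """Port- and source-address-based identification of the DLP Prevent return path."""
    return dst_port == DLP_RETURN_PORT and src_ip == DLP_PREVENT_IP


def has_attachment(msg: Message) -> bool:
    return any(part.get_filename() for part in msg.walk())


def recipient_domains(msg: Message) -> set:
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))
    return {addr.rpartition("@")[2].lower() for _, addr in pairs if "@" in addr}


def route(msg: Message, from_dlp_prevent: bool, supported_actions=ACTIONS,
          attachments_only: bool = False, scan_domains=None) -> str:
    """Return TO_DLP_PREVENT, DELIVER or one of ACTIONS for the MTA to apply.

    Mutates msg: a client-supplied X-RCIS-Action header is removed.
    """
    if from_dlp_prevent:
        # Return path: honour the verdict, never send the message to DLP Prevent again.
        action = (msg.get(HEADER) or "").strip().upper()
        if action not in ACTIONS or action not in supported_actions:
            return "QUART"  # fail closed on a missing, unknown or unsupported verdict
        return action
    # Submission path: a client must not be able to pre-set a verdict.
    del msg[HEADER]
    if attachments_only and not has_attachment(msg):
        return DELIVER
    if scan_domains and not (recipient_domains(msg) & set(scan_domains)):
        return DELIVER
    return TO_DLP_PREVENT


def decide(raw_message: str, from_dlp_prevent: bool, **policy) -> tuple:
    """Parse a raw message and route it; returns (decision, X-RCIS-Action left on it)."""
    msg = message_from_string(raw_message)
    return route(msg, from_dlp_prevent, **policy), msg.get(HEADER)


# Constructed messages, not real traffic.
CLIENT_FORGED = """\
From: alice@example.com
To: bob@yahoo.com
Subject: quarterly numbers
X-RCIS-Action: ALLOW

plain text body
"""
CLIENT_ATTACHMENT = """\
From: alice@example.com
To: bob@partner.test
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="q3.xls"
Content-Disposition: attachment; filename="q3.xls"

AAAA
--b1--
"""
RETURNED_BLOCK = "From: alice@example.com\nTo: bob@yahoo.com\nX-RCIS-Action: BLOCK\n\nbody\n"
RETURNED_UNKNOWN = "From: alice@example.com\nTo: bob@yahoo.com\nX-RCIS-Action: DROP\n\nbody\n"

if __name__ == "__main__":
    print(decide(CLIENT_FORGED, arrived_from_dlp_prevent("203.0.113.5", 25)))
    print(decide(RETURNED_BLOCK, arrived_from_dlp_prevent(DLP_PREVENT_IP, DLP_RETURN_PORT)))
```

The supported_actions parameter mirrors the last requirement: an MTA that cannot implement, say, REDIR should not silently deliver a message DLP Prevent tagged that way, so the example quarantines it.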
Configure McAfee DLP Prevent
Task
1 In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | System Administration | Devices.
2 On your Linux-based appliance, select System | System Administration | Devices.
3 Select the McAfee DLP Prevent appliance and click its Configure link.
4 On the System Configuration page, scroll down to Email and Email Server Setting.
5 Type in the IP address of the smart host and your email address. Host names are not supported. A smart host is configured only if SMTP email is being processed, and configuring more than one is not supported.
6 Click Send test mail and Update. When you receive the test mail, you will know that the smart host is set up correctly.
Add LDAP servers to McAfee DLP Manager
Do one of the following:
Enter the Domain of the LDAP server. If you use this option, you must log on to an administrative account on the LDAP server. The system will then query the Domain Name Server to find the domain controller for the Active Directory domain.
In the Authorization Server field, enter the name or IP address of the server. If you are using SSL (Secure Sockets Layer) to encrypt the connection, you must enter the FQDN (fully qualified domain name) cited in the uploaded certificate. Unlike the LDAP server domain name, you can use any valid account that has permission to read from the LDAP server (an administrative account is not necessary). If you have already entered the domain name of the LDAP server, any information you enter here will be ignored.
6 Type in the Server Port to be used for the connection.
7 In the Timeout and Retries fields, set intervals for connection (in seconds).
8 Type in the Loginid Attribute. Use samaccountname to retrieve user names from the server.
Configuring McAfee DLP appliances and adding servers Add McAfee Logon Collector to McAfee DLP Manager
10 Identify the local domain components in the Base DN field (for example, dc=mydomain,dc=com). Use an administrative account whose password does not expire to maintain the connection, but a non-administrative account name is acceptable when using an authorization server.
11 Enter the number of records you want to retrieve at one time in the Server Results limit field. Before entering a value higher than 10, consult the administrator of the Active Directory server to find out how many records can be served per request.
12 Select the SSL checkbox to encrypt the connection and enable LDAPS (LDAP over SSL). A secure connection is not required, but is strongly recommended. Accept any available certificate, or select one by uploading it. If you upload, you must find the FQDN name of the authorization server in the encrypted file by logging on to the back end of the McAfee DLP appliance and running the following.
# openssl x509 -noout -in <filename>.cer -subject
Read from left to right to get the name of the authorization server:
tyche.reconnex.net
Enter the name into the Authorization Server field.
13 Select a Scope to set the directory depth to be accessed on the server.
14 Click Apply.
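A pre-flight check for the LDAP settings above, as an added example that is not part of this guide and not McAfee code. It pulls the CN out of the line printed by openssl x509 -subject (both the older slash-separated form and the comma-separated form that newer OpenSSL releases print) and then applies the rules the steps state: the Authorization Server is ignored when a Domain is entered, with SSL it must equal the certificate's FQDN, a plain connection is flagged as not recommended, and a Server Results limit above 10 is flagged for confirmation with the AD administrator. The function names, the settings dictionary keys and the finding texts are this example's own; the sample subject lines are constructed around the host name shown above.

```python
from typing import List, Optional


def subject_cn(subject_line: str) -> Optional[str]:
    """Return the CN from an `openssl x509 -noout -subject` output line."""
    body = subject_line.strip()
    if body.lower().startswith("subject"):
        body = body.split("=", 1)[1].strip()
    # Older OpenSSL: "/DC=net/DC=reconnex/CN=host"; newer: "DC = net, CN = host".
    parts = body.lstrip("/").split("/") if body.startswith("/") else body.split(",")
    for part in parts:
        key, _, value = part.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def check_ldap_settings(settings: dict, cert_subject: Optional[str] = None) -> List[str]:
    """Return the list of problems found; an empty list means the settings are consistent."""
    findings = []
    domain = settings.get("domain")
    server = settings.get("authorization_server")
    if domain and server:
        findings.append("authorization_server is ignored because domain is set")
    if not domain and not server:
        findings.append("either domain or authorization_server is required")
    if settings.get("ssl"):
        if cert_subject is not None:
            cn = subject_cn(cert_subject)
            if cn is None or cn.lower() != (server or "").lower():
                findings.append(f"with SSL, authorization_server must be the certificate FQDN {cn!r}")
    else:
        findings.append("SSL is off; LDAPS is strongly recommended")
    if settings.get("server_results_limit", 0) > 10:
        findings.append("server_results_limit above 10; confirm with the Active Directory administrator")
    return findings


# Constructed sample output lines for the two OpenSSL subject formats.
SUBJECT_OLD = "subject= /DC=net/DC=reconnex/CN=tyche.reconnex.net"
SUBJECT_NEW = "subject=DC = net, DC = reconnex, CN = tyche.reconnex.net"

if __name__ == "__main__":
    good = {"authorization_server": "tyche.reconnex.net", "ssl": True, "server_results_limit": 10}
    print(check_ldap_settings(good, SUBJECT_OLD))  # []
    bad = {"authorization_server": "10.0.0.5", "ssl": True, "server_results_limit": 50}
    for finding in check_ldap_settings(bad, SUBJECT_NEW):
        print(finding)
```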
Configuring McAfee DLP appliances and adding servers Add syslog servers to McAfee DLP systems
10 Enter the IP address of the McAfee Logon Collector into the Export NetDLP Certificate field.
11 Select the Paste from Clipboard option and paste the Base 64 text into the box. Alternatively, you can export the certificate from McAfee Logon Collector to your desktop, then Browse to it from the Import MLC Certificate | From File field.
12 Click Apply. This authenticates the McAfee Logon Collector to McAfee DLP Manager.
13 Click the Export link to save the NetDLP certificate to your desktop. The file name is netdlp_certificate.cer.
14 Open a web browser, enter the IP address of the McAfee Logon Collector in the address bar, and log on.
15 Select Menu | Configuration | Trusted CA.
16 Click New Authority.
17 Browse to the netdlp_certificate.cer file you saved to your desktop.
18 Click Open, then click Save. This authenticates the DLP Manager to McAfee Logon Collector.
19 Open a Remote Desktop session on the McAfee Logon Collector server and restart it. When the server comes up, the SSL connection between the servers is complete.
Configuring McAfee DLP appliances and adding servers Testing the system
Task
1 Log on as root to the McAfee DLP appliance.
2 Stop the NTP daemon.
# service ntpd stop
# chkconfig --level 2345 ntpd off
The service command controls the service while the system is running; the chkconfig command controls what happens at boot time.
If policies are not activated during the setup phase, their rules cannot be matched to network data. The default is Previous 24 hours to keep the system from producing unmanageable numbers of results.
The system might have been set up to block traffic that is needed to meet your protection strategy. For example, the RFC 1918 filter blocks internal IP addresses. On the System | Capture Filters page, remove filters that might be blocking traffic.
If data is being captured, you will be able to find keywords that are commonly found in your network traffic, for example, your company name. On the Basic Search page, type in a common keyword that can be found in captured data.
Does changing the dashboard view display different results? Are existing filters blocking significant results?
Data-in-Motion, Data-at-Rest, and Data-in-Use dashboards display results in network traffic, repositories and endpoints. On the System page, check to see if the corresponding products are installed.
When filters are set, only the configured results are visible on the dashboard. On the Incidents page, click Clear All in the Filter by frame.
Configure the McAfee ePO server before installing McAfee DLP Endpoint. After installation, several steps are required to complete the installation.
Contents
Verify system requirements
Configure the server
Install McAfee ePolicy Orchestrator
Installing McAfee DLP WCF service
Repository folders
User and permission sets
Install the McAfee Data Loss Prevention Endpoint extension
Initialize the DLP Policy console
Upgrade the license
Check in the McAfee DLP Endpoint package to ePolicy Orchestrator
Deploying McAfee DLP Endpoint
Uninstalling McAfee DLP Endpoint
The following operating system software is supported:
Table 6-2 Operating systems supported
Computer type: Servers
  Windows 2003 Server Standard (SE) SP1 or later, 32- or 64-bit
  Windows 2003 Enterprise (EE) SP1 or later, 32- or 64-bit
  Windows 2008 Server Enterprise, 32- or 64-bit
Computer type: Managed workstations
  Windows XP Professional SP1 or later, 32-bit
  Windows Vista SP1 or later, 32-bit only
  Windows 7, 32- or 64-bit
  Windows 2003 Server, 32- or 64-bit
  Windows 2008 Server, 32-bit
  Windows 2008 Server R2, 64-bit
The user installing McAfee DLP Endpoint software on the servers must be a member of the local administrators group. The following software is required on the server running the McAfee DLP Endpoint policy console and McAfee DLP Monitor:
Table 6-3 Server software requirements
Software: Version
McAfee ePolicy Orchestrator: 4.5 Patch 3 or later; 4.6 and 4.6 Patch 1
McAfee Agent: 4.5 Patch 3 or later; 4.6
McAfee ePO Help System: download the McAfee DLP Endpoint 9.2 Help extension (). This is part of the McAfee DLP Endpoint software version 9.2.x package, but is installed separately. It should be installed immediately after installing McAfee ePO.
McAfee DLP Windows Communication Foundation (DLP WCF)
Microsoft .NET: 3.5 SP 1 or 4.0
Agent handlers on remote servers no longer require the .NET Framework.
2005 or 2008, Advanced Express or Enterprise, 32- or 64-bit
Install the version that matches the version of Microsoft SQL Server you are using.
The McAfee DLP Endpoint software version 9.2.x package includes the following:
McAfee Data Loss Prevention Endpoint (McAfee Agent plugin)
McAfee DLP Endpoint extension (contains the components installed through ePolicy Orchestrator)
5 Verify that Microsoft .NET Framework 3.5 SP1 or 4.0 is installed.
6 Set the server to a static IP address.
We recommend using a subnet separate from your company's production network for initial testing. If you are setting up a production environment, set the server's static IP address within that range.
Pay attention to the following points when installing ePolicy Orchestrator:
1 In the McAfee ePO installation wizard, use the following settings.
Installation wizard screen: Setting
Installation Options: Select Install Server and Console.
Setup Requirements: When installing on Windows 2003 Server, we recommend using the SQL Server 2005 Express installer included in the McAfee ePO installer. Another configuration option is to create an ePolicy Orchestrator instance on an existing SQL Server 2005 or 2008 server and select it. This is the preferred option when installing on Windows 2008 Server.
After verification that you want to install the software, the SQL installation continues without user input. If prompted to install SQL Server 2005 Backward Compatibility, you must install it.
We recommend using a SQL Server account. If preferred, an NT account can also be used.
During the installation, you might see a warning about trusted sites. Write down the recommended additions to the Microsoft Internet Explorer trusted sites list before clicking OK. You will need to add them later.
connection between the administration workstation and WCF always uses Windows authentication. If you have selected Windows authentication, and the logged on user is a member of the WAAG, connection to the database proceeds without further checking. The user must be defined in the SQL database. See Adding a user in SQL Server.
Figure 6-2 WCF service remote from the ePO database server
Tasks
Add a user in Microsoft SQL Server: To use either Windows or SQL authentication with the McAfee DLP WCF service or the ePolicy Orchestrator database, an authorized user must be defined in the Microsoft SQL database. The authorized user can be either a Windows or a SQL user. Typically, an account with the minimal permissions required is created.
Run the McAfee DLP WCF installer: The McAfee DLP Windows Communication Foundation (WCF) service is used to communicate between ePolicy Orchestrator, McAfee DLP Endpoint, and the McAfee DLP Monitor.
In McAfee DLP Manager product suite, Windows authentication is not supported because communication is between the ePolicy Orchestrator database (Microsoft SQL) and the McAfee DLP network product suite database (MySQL).
The credentials you set in the following procedure are used on the Add New Device page to connect McAfee DLP Manager to ePolicy Orchestrator.
Task
1 Open SQL Server Management Studio (Express) and connect to the EPOSERVER instance.
2 In the Object Explorer, right-click the database name, then select Properties.
3 On the Security page, select either Windows Authentication mode or SQL Server and Windows Authentication mode, according to which type of authentication you want to use. Click OK.
4 Select Security | Logins. Right-click in the Logins page, then select New Login.
5 On the General page of the Login Properties window, select SQL Server authentication and type the logon name ndlpuser and a password. Set the default database to ePO4_SERVER and the default language to English. Click OK.
6 On the Server Roles page, select the sysadmin checkbox.
7 On the User Mapping page of the Login Properties window, in the Users mapped to this login section, select ePO4_SERVER and verify that the new logon user is listed in the User column, and that public is checked in the database role membership section. Click OK.
8 Under User Mapping, define the database role memberships by selecting the db_owner and public checkboxes.
9 Select Databases | ePO4_SERVER | Security | Users. Double-click the logon user name.
10 On the Securables page, click Add. Select Specific objects, and click OK.
11 In the Select Objects window, click Object Types and select Databases. Click OK.
13 If you do not see all six effective permissions, browse through the Explicit Permissions list to locate each of them and click Grant. Click OK. Repeat steps 9-13 to verify the Effective Permissions.
14 Click OK.
Add the logged on user to the Microsoft SQL database as a Windows or SQL user, according to which form of authorization you plan to use. Log off of ePolicy Orchestrator.
Task
1 Browse to and run the McAfee DLP WCFServiceInstaller.msi installer. Verify that the McAfee DLP Windows Communication Foundation service installer version matches the McAfee DLP Endpoint software version you are installing.
2 In step 4 of the installation wizard (WCF Service Settings), do the following:
a Use the default WCF Server Port value. If you must change the server port, consult your McAfee representative for instructions.
b We recommend setting up a group or groups in Windows Active Directory with the names of users authorized to log on to the database. You must change the default Web Access Authorized Groups entry from Everyone to a group or user with authorized access, as described in WCF installation options.
c If you are using the confidential data redaction feature, select Obfuscate Sensitive Data in RSS Feed.
3 In step 5 of the installation wizard (Microsoft SQL Database), do the following:
a Review the defaults for Database Server and Database Name. Type other values if necessary.
b Select Windows Authentication or SQL Authentication and fill in the associated fields.
Repository folders
Before you begin installation of McAfee DLP Endpoint software, prepare your system as described below. Two folders and network shares must be created, and their properties and security settings must be configured appropriately. The folders do not need to be on the same computer as the McAfee DLP Endpoint Database server, but it is usually convenient to put them there. We suggest the following folder paths, folder names, and share names, but you can create others as appropriate for your environment.
c:\dlp_resources\
c:\dlp_resources\evidence
c:\dlp_resources\whitelist
Evidence folder: Certain protection rules allow for storing evidence, so you must designate, in advance, a place to put it. If, for example, an email is blocked, a copy of the email is placed in the Evidence folder.
Whitelist folder: Text fingerprints to be ignored by the DLP Endpoint are placed in a whitelist repository folder. An example is boilerplate text such as disclaimers or copyright. McAfee DLP Endpoint software saves time by skipping these chunks of text that are known to not include sensitive content.
3 Click the Security tab, then click Advanced.
4 On the Permissions tab of the Advanced Security Settings for evidence dialog box, deselect Allow inheritable permissions. A confirmation message explains the effect this change will have on the folder.
5 Click Remove. The Permissions tab on the Advanced Security Settings dialog box shows all permissions eliminated except administrators.
Setting permissions for administrators is required for the whitelist folder. It is optional for the evidence folder, but can be added as a security precaution. Alternately, you can add permissions only for those administrators who deploy policies.
6 Double-click the Administrators entry to open the Permission Entry dialog box. Change the Apply onto option to This folder, subfolders and files. Click OK.
7 Click Add to select an object type.
8 In the Enter the object name to select text box, type Domain Computers, then click OK to display the Permission Entry dialog box. In the Allow column, select:
Create Files/Write Data and Create Folders/Append Data for the evidence folder.
List Folder/Read Data for the whitelist folder.
9 Verify that the Apply onto option says This folder, subfolders and files, then click OK. The Advanced Security Settings dialog box now includes Domain Computers.
10 Click OK twice to close the dialog box.
4 Click the Security tab, then click Advanced.
5 On the Permissions tab, deselect the Include inheritable permissions from the object's parent option. A confirmation message explains the effect this change will have on the folder.
6 Click Remove. The Permissions tab in the Advanced Security Settings window shows all permissions eliminated.
7 Click Add to select an object type.
8 In the Enter the object name to select field, type Domain Computers, then click OK. The Permission Entry dialog box is displayed. In the Allow column, select:
Create Files/Write Data and Create Folders/Append Data for the evidence folder.
List Folder/Read Data for the whitelist folder.
9 Verify that the Apply onto option says This folder, subfolders and files, then click OK.
The Advanced Security Settings window now includes Domain Computers.
10 Click Add again to select an object type.
11 In the Enter the object name to select text box, type Administrators, then click OK to display the Permission Entry dialog box. Set the required permissions.
Adding administrators is required for the whitelist folder. It is optional for the evidence folder, but can be added as a security precaution. Alternately, you can add permissions only for those administrators who deploy policies.
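A way to verify the share permissions after following the steps above, as an added example that is not part of this guide and not McAfee code. It models each entry of the folder's access control list with the names shown in the Permission Entry dialog box and reports anything that departs from what the steps set up: inheritance still enabled, a wrong Apply onto value, Domain Computers lacking the rights listed for that folder, a missing Administrators entry on the whitelist folder, and entries for any other principal. One check goes beyond the text: it also reports Domain Computers holding more than the listed rights, since endpoints only write evidence and only read the whitelist. The Ace class, the audit_folder function, the finding texts and the sample entries are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

APPLY_TO = "This folder, subfolders and files"


@dataclass(frozen=True)
class Ace:
    """One entry of the folder's Advanced Security Settings list (constructed model)."""
    identity: str
    rights: FrozenSet[str]
    applies_to: str = APPLY_TO
    inherited: bool = False


# Rights the steps above grant to Domain Computers, per folder.
ENDPOINT_RIGHTS: Dict[str, FrozenSet[str]] = {
    "evidence": frozenset({"Create Files/Write Data", "Create Folders/Append Data"}),
    "whitelist": frozenset({"List Folder/Read Data"}),
}


def audit_folder(kind: str, aces: List[Ace]) -> List[str]:
    """Return findings for the evidence or whitelist folder; empty means it matches the guide."""
    findings: List[str] = []
    by_identity: Dict[str, Set[str]] = {}
    for ace in aces:
        if ace.inherited:
            findings.append(f"inherited entry for {ace.identity}: disable inheritance and remove it")
            continue
        by_identity.setdefault(ace.identity, set()).update(ace.rights)
        if ace.applies_to != APPLY_TO:
            findings.append(f"{ace.identity}: Apply onto is '{ace.applies_to}', expected '{APPLY_TO}'")

    wanted = ENDPOINT_RIGHTS[kind]
    have = by_identity.get("Domain Computers", set())
    if wanted - have:
        findings.append(f"Domain Computers is missing {sorted(wanted - have)}")
    if have - wanted:
        # Least-privilege check added by this example: endpoints need nothing more.
        findings.append(f"Domain Computers holds more than the guide grants: {sorted(have - wanted)}")
    if kind == "whitelist" and "Administrators" not in by_identity:
        findings.append("the whitelist folder requires an Administrators entry")
    for identity in by_identity:
        if identity not in ("Domain Computers", "Administrators"):
            findings.append(f"unexpected entry for {identity}")
    return findings


# Constructed sample lists: one that matches the steps, one that does not.
GOOD_EVIDENCE = [
    Ace("Administrators", frozenset({"Full Control"})),
    Ace("Domain Computers", frozenset({"Create Files/Write Data", "Create Folders/Append Data"})),
]
BAD_EVIDENCE = [
    Ace("Users", frozenset({"Read"}), inherited=True),
    Ace("Domain Computers", frozenset({"Full Control"}), applies_to="This folder only"),
]

if __name__ == "__main__":
    print(audit_folder("evidence", GOOD_EVIDENCE))  # []
    for finding in audit_folder("evidence", BAD_EVIDENCE):
        print(finding)
```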
Sensitive data redaction and the McAfee DLP Monitor permission sets
To meet the legal demand in some markets to protect confidential information in all circumstances, McAfee DLP Endpoint software offers a data redaction feature. Fields in the McAfee DLP Monitor containing confidential information are encrypted to prevent unauthorized viewing. The feature is designed with a "double key" release. This means that to use the feature, you must create two permission sets: one to view the monitor and another to view the encrypted fields. Both roles are required to use the feature.
Click Save.
3 Click Save.
4 In the Data Loss Prevention field for the new permission set, click Edit.
5 Select the required permissions and click Save.
Figure 6-4 Editing a permission set for McAfee DLP Endpoint
To turn off the sensitive data redaction feature, select User can view DLP Monitor in the monitor section.
Installing McAfee DLP Endpoint Install the McAfee Data Loss Prevention Endpoint extension
Task
1 In ePolicy Orchestrator, select Menu | Software | Extensions, then click Install Extension.
2 Click OK. The extension is installed. The following applications are installed:
McAfee DLP Endpoint policy console (in ePolicy Orchestrator | Data Protection)
McAfee DLP Monitor (in ePolicy Orchestrator | Data Protection)
DLP Event Parser
3 Click OK.
The McAfee DLP Endpoint Management Tools installer and McAfee DLP Endpoint policy console initialization wizard use ActiveX technology. To prevent the installer from being blocked, verify that the following are enabled in Internet Explorer Tools | Internet Options | Security | Custom level:
Automatic prompting for ActiveX controls
Download signed ActiveX controls
Task
1 After the McAfee DLP Endpoint Management Tools installation has completed, the McAfee DLP Endpoint policy console begins loading. If you have an existing policy, you are prompted to convert it to the new XML format. Click Convert and skip to step 4.
2 If no previous policy exists, the message DLP global policy is unavailable. Loading default policy appears. Click OK to continue.
3 When the message Agent configuration is unavailable. Loading a default agent. appears, click OK.
4 When the McAfee DLP Endpoint policy console First Time Initialization wizard appears, complete the following steps:
Option: Description
1 of 8: Click Next.
2 of 8: By default, the file system discovery crawler places sensitive files in quarantine. Though we do not recommend it, you can delete these files instead by selecting the Support discovery delete option.
This option is not available until you update to the full McAfee Data Loss Prevention Endpoint software installation.
For troubleshooting, when you need to review an easily readable version of the policy, select Generate verbose policy. For most installations, we recommend leaving these checkboxes unselected.
In very large organizations where the rollout of McAfee DLP Endpoint 9.2 is staged over time, earlier versions of the plug-in need to coexist. Select the appropriate Backward compatibility mode:
No compatibility (all endpoints are version 9.2)
McAfee DLP Endpoint Agent 9.1 and later
McAfee DLP Endpoint Agent 9.0 and later
McAfee DLP Endpoint Agent 3.0 and later
The compatibility option McAfee DLP Endpoint Agent 3.0.5 or current version refers to a specific hotfix. Unless you specifically know that you are using this hotfix, choose DLP Agent 3.0 compatibility for all version 3 endpoints.
DLP Agent 2.2 Patch 4 is no longer supported.
Select your directory access protocol: Microsoft Active Directory or OpenLDap. When using Microsoft AD in very large organizations where search times could be excessive, select Restrict AD searches to default domain.
When you have completed all changes, click Next.
3 of 8: Type user names, or click Add to search for user names (optional). Click Next.
We recommend creating a role-based group such as DLP Manual Tagging Users, and using the group when configuring Access Control. This step is not available when installing McAfee Device Control.
4 of 8: Type a password and confirmation (required). McAfee DLP Endpoint software version 9.2 requires strong passwords, that is, at least 8 characters with at least one each of uppercase, lowercase, digit, and special character (symbol). If you are upgrading, this is not enforced until you change a password. If you don't want endpoint key generation events reported to the database, deselect the checkbox. If you want to use short challenge/response (8 digits instead of 16), select the checkbox. See the McAfee Data Loss Prevention Endpoint Product Guide for more information on Agent bypass. Click Next.
Option: Description
5 of 8: Browse to the Whitelist storage share, then click Next. The UNC whitelist path is required to apply the policy to ePolicy Orchestrator. Size limits are displayed, but cannot be changed in the Initialization wizard.
6 of 8: Modify the default notification messages (optional). Select each event type in turn, and type the message in the text box. Click Next.
7 of 8: Browse to the evidence storage share and click Next. The evidence storage path is required to apply the policy to ePolicy Orchestrator. Set the required Evidence Replication option. See the Release notes: New Features for more information on this option. Click Next.
8 of 8: Click Finish.
5 The Initialization Wizard dialog box appears with the message, Apply initial configuration? If you have not skipped any required steps, you can click Yes and apply the initial policy. If you have skipped required steps, click No to complete the initialization.
A password and the evidence storage share are required to complete initialization. The other steps indicated as required are necessary to complete the policy. They can be skipped during initialization and completed at a later time. If you did not apply the policy, select File | Save to save the policy to a file.
Click Finish.
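The strong-password rule stated for step 4 of 8, written out as a check, as an added example that is not part of this guide and not McAfee code. Because the wizard text says the rule is not enforced on an upgraded installation until a password is changed, a check like this can be run over a proposed override password before it is typed in. The function names, the finding texts and the choice of string.punctuation as the set of special characters are this example's assumptions.

```python
import string
from typing import List

# Rule from step 4 of 8: at least 8 characters, with at least one each of
# uppercase, lowercase, digit and special character.
MIN_LENGTH = 8
SPECIALS = set(string.punctuation)  # assumption: this is the "symbol" class


def password_policy_failures(password: str) -> List[str]:
    """Return the rules the password breaks; an empty list means it meets the policy."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"fewer than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    return failures


def is_strong_override_password(password: str) -> bool:
    return not password_policy_failures(password)


if __name__ == "__main__":
    for candidate in ("password", "Ab3$", "Ab3$defg"):
        print(candidate, password_policy_failures(candidate) or "meets policy")
```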
Installing McAfee DLP Endpoint Check in the McAfee DLP Endpoint package to ePolicy Orchestrator
Go to the Miscellaneous tab. Only the Agent Popup service, Device Blocking, and Reporting Service modules are selected. Select the remaining modules you require to enable them and click OK.
Do not enable modules you don't use. They increase the McAfee DLP Endpoint agent size and slow its operation unnecessarily.
The policy changes are applied to ePolicy Orchestrator.
10 In ePolicy Orchestrator, issue a wake-up call to deploy the policy change to the workstations.
Review the details on the screen, then click Save. The package is added to the master repository.
Task
1 Create a classification rule:
a In the McAfee DLP Endpoint policy console navigation pane under Content Protection, select Classification Rules.
b Right-click in the Classification Rules window and select Add New | Content Classification Rule.
c Rename the rule Email Classification Rule.
d Double-click the rule icon to modify the rule. In step 1 of the rule creation wizard, select either of the options (ANY or ALL), then scroll down the text patterns list and select Email Address. Click Next three times, skipping to step 4.
e In step 4 of the rule creation wizard, click Add New to create a new category. Name it Email Category, click OK to accept the new category, then click Finish.
f Right-click the rule icon and select Enable.
2 Create a protection rule:
a In the McAfee DLP Endpoint policy console navigation pane under Content Protection, select Protection Rules.
b Right-click in the Protection Rules window and select Add New | Removable Storage Protection Rule.
c Double-click the rule icon to modify the rule.
d Click through to step 2 of the rule creation wizard and add the Email Category created when creating the classification rule in the Included column.
e Click through to step 7 of the rule creation wizard. Select Monitor, then click Finish.
f Right-click the rule icon and select Enable.
On the Tools menu, select Run Policy Analyzer. You should receive warnings, but no errors. If you receive errors, they probably come from improper initialization, such as not specifying an evidence folder or override password. You can re-run the initialization from the Tools menu to correct this.
If you select a level under My Organization, the right-hand pane displays the available workstations. You can also deploy McAfee DLP Endpoint to individual workstations.
3 In the Name field, type a suitable name, for example, Install DLP Endpoint. Typing a description is optional. Change the Schedule type to Run immediately. Click Next.
4 Review the task summary. When you are satisfied that it is correct, click Save.
The task is scheduled for the next time the McAfee Agent updates the policy. To force the installation to take place immediately, issue an agent wake-up call. After McAfee DLP Endpoint has been deployed, restart the managed computers.
This task describes the local uninstall option.
Task
1 In the McAfee DLP Endpoint policy console, select Tools | Generate Agent Uninstall Key. This step can also be performed with the McAfee DLP Help Desk tool, using the Generate Uninstall Key tab.
2 Fill in the user information in Step 1.
3 Type the uninstall challenge code. (Step 2)
4 Type the agent override key password or select Use password from current policy. (Step 3)
5 Click Generate Key to create the uninstall key for the user. This Release Code is sent to the user to enter into the request bypass dialog box.
Integrate McAfee DLP Endpoint into the McAfee DLP Manager network product suite by installing it on ePolicy Orchestrator 4.5 or 4.6 and connecting it to McAfee DLP Manager.
Once you have integrated the network products and McAfee DLP Endpoint in a unified solution, you won't be able to access the existing standalone McAfee DLP Endpoint global policy. Any policy management will have to be done through McAfee DLP Manager.
The integration is achieved by uniting the McAfee DLP Endpoint global policy within a unified policy design. When the unified installation is complete, communication between the McAfee DLP system and its endpoints is handled by the McAfee Agent DLP client.
McAfee DLP Endpoint works with McAfee DLP Manager through ePolicy Orchestrator, so you must configure all three products to unify the system under the network product suite.
The McAfee Agent DLP client routes policy updates to the clients and collects events from them. If evidence collecting is enabled in the policy, events are sent to the event parser, then stored in an evidence folder, which is normally located on the ePolicy Orchestrator. If McAfee DLP Manager is configured to report endpoint events, they are copied to the ePolicy Orchestrator database by the McAfee DLP client software, then displayed on the Data-in-Use dashboards.
Installing McAfee Logon Collector is optional, but is especially useful for enterprises that monitor large numbers of endpoints. McAfee Endpoint Encryption for Files and Folders might also be useful to decrypt events reported on the Data-in-Use dashboard.
Contents
Setting up Unified DLP on ePolicy Orchestrator
Connecting McAfee DLP Manager and the ePolicy Orchestrator server
Configuring McAfee DLP Endpoint on McAfee DLP Manager
Installation and configuration complete
Integrating McAfee DLP Endpoint into a unified policy system Setting up Unified DLP on ePolicy Orchestrator
2 Log on to the ePolicy Orchestrator and go to Menu | Software | Extensions.
3 Click Install Extension.
4 Browse to the netdlp.zip file and click OK.
5 Click OK.
In the Security tab, type in a list of authorized users and groups to enable manual tagging of files on agent machines. For example, type in Everyone to give Manual Tagging Authorization to all users. This sets up the agent to support manual tagging through McAfee DLP Manager. Selecting the Allow Manual Tagging checkbox when creating tags on the Endpoint Configuration page makes the tags visible to trusted users, who can use them to classify documents on their desktops.
Click Save.
Task
1 In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | System Administration | Devices.
2 On your Linux-based appliance, select System | System Administration | Devices.
3 From the Actions menu, select New Evidence Server.
4 In the Add New Evidence Server window, enter the required information in the following format.
Integrating McAfee DLP Endpoint into a unified policy system Connecting McAfee DLP Manager and the ePolicy Orchestrator server
Hostname: \\<server name>
IP Address: <IP address>
Username: <domain name>\<user name>
Password: ********
Click Add.
Task
1 In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | User Administration | DB User.
2 On McAfee DLP Manager, select System | User Administration | DB User.
3 On the ePO User Information page, enter and confirm a password. The ePolicy Orchestrator User Name is not configurable.
4 Type an IP Address for the ePolicy Orchestrator user's account and Add it to the Selected IP Addresses box. Repeat if more than one ePolicy Orchestrator user is needed.
5 Click Apply.
Integrating McAfee DLP Endpoint into a unified policy system Configuring McAfee DLP Endpoint on McAfee DLP Manager
Task
1 In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | System Administration | Devices.
2 On your Linux-based appliance, select System | System Administration | Devices.
3 From the Actions menu, select Add New Device.
4 Select the ePO device checkbox.
5 Select Actions | New Device.
6 Enter the information gathered from the ePolicy Orchestrator Registered Server Builder | 2 Details page.
7 Click Add.
8 Click OK to confirm or Cancel the registration.
9 Wait for the Status icon in the device list to turn green. If the icon turns red, the netdlp.zip extension is probably not installed on ePolicy Orchestrator.
The CPU usage display indicates that registration tasks are being performed. McAfee DLP Manager does not display any CPU activity, because it serves only as a collection point for the data. Other machines are capturing and indexing data, and the processor indicator shows their CPU utilization. It should not go over 70-80%. If registration seems to be taking a long time, try refreshing the page.
If the ePolicy Orchestrator server loses connection to the database, you cannot use https:// servername:port/core/config to reconnect to the database. Refer to KB66320 in the McAfee Knowledgebase for more information.
When these operations are complete, you can define unified rules on the Policies page, then view the Incidents | Data-in-Use dashboard to verify that the endpoint events are being generated and reported.
Click the Columns icon, then add or remove columns to display exactly the information that is needed.
The most significant reason for maintaining earlier versions of the endpoint product is the need for staged updates. A group of clients might be updated to the new version, but support for older clients still in use might still be needed. The need for digital rights management, which controls use of digital content not authorized by the content provider, might be an additional consideration. This feature of McAfee DLP Endpoint (also known as McAfee Host DLP) is not supported in McAfee DLP Manager, so network and endpoint applications might have to be run separately. But if McAfee DLP Endpoint 9.1 is installed and digital rights management is not needed, No compatibility should be selected. This means that the new features in that release will be available in the network product suite. Features like Document Scan Scope and Password Protected Files will appear in the user interface only if the 9.1 version of the McAfee Agent client is accessible through McAfee DLP Manager.
Click Submit.
The ability to classify documents with tags encourages users to take independent action to protect files within their areas of responsibility. For example, users at medical facilities might be trusted to apply HIPAA tags to patient records that must be kept confidential by law.
Integrating McAfee DLP Endpoint into a unified policy system Installation and configuration complete
If the Allow Manual Tagging checkbox is not selected, file tagging can still be done manually but only by administrative users, who can tag or remove files individually or in groups.
Task
1 In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | System Administration | Endpoint Configuration | Tag Labels.
2 On your Linux-based appliance, select System | System Administration | Endpoint Configuration | Tag Labels.
3 Select a tag.
4 Select the Allow Manual Tagging checkbox.
5 Click Save.
Index
A
about this guide 5
administrators, defining 56
B
backward compatibility 58
C
configuration, server 45
conventions and icons used in this guide 5
D
default rule, defining 61
DLP administrators, defining 56
DLP endpoint
  checking in to ePolicy Orchestrator 61
DLP Endpoint
  deploying 62
  deployment verification 63
  uninstalling 63
DLP Help extension, installing 58
DLP Policy console, installing 58
documentation
  audience for this guide 5
  product-specific, finding 6
  typographical conventions and icons 5
E
ePolicy Orchestrator, installing 45, 46
evidence folder 53
evidence folder, configuring on Windows Server 2003 54
evidence folder, configuring on Windows Server 2008 55
H
hardware requirements 43
I
installation 10
L
license, Device Control and DLP 60
M
managing DLP 8
McAfee ServicePortal, accessing 6
Microsoft SQL, adding a user 49
Microsoft SQL, installing 53
P
permission set options 57
permission sets, defining 57
policy, initializing 58
R
redaction 53, 56
roles and permissions 53
S
server configuration 45
server software requirements 43
ServicePortal, finding product documentation 6
supported operating systems 43
system requirements 43
T
Technical Support, finding product information 6
U
uninstalling DLP Endpoint 63
V
verifying the installation 63
W
WCF, installation options 47
WCF, installing 53
WCF, troubleshooting 52
whitelist folder 53
whitelist folder, configuring on Windows Server 2003 54
whitelist folder, configuring on Windows Server 2008 55
700-3811A00