Page 1: Symantec Data Loss Prevention Installation Guide for Windows (source: docshare01.docshare.tips/files/23489/234895418.pdf)

Symantec™ Data Loss Prevention Installation Guide for Windows

Version 12.5


Symantec Data Loss Prevention Installation Guide for Windows

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 12.5e

Legal Notice

Copyright © 2014 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, the Checkmark Logo and are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.


Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com


Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s support offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our website at the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:

www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level

■ Hardware information


■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:

www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs, DVDs, or manuals


Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

Asia-Pacific and Japan: [email protected]

Europe, Middle-East, and Africa: [email protected]

North America and Latin America: [email protected]


Contents

Technical Support ... 4

Chapter 1 Planning the Symantec Data Loss Prevention installation ... 11
About installation tiers ... 11
About single sign-on ... 12
About hosted Network Prevent deployments ... 13
About Symantec Data Loss Prevention system requirements ... 14
Symantec Data Loss Prevention required items ... 15
Standard ASCII characters required for all installation parameters ... 16
Performing a three-tier installation—high-level steps ... 16
Performing a two-tier installation—high-level steps ... 19
Performing a single-tier installation—high-level steps ... 20
Symantec Data Loss Prevention preinstallation steps ... 22
Verifying that servers are ready for Symantec Data Loss Prevention installation ... 23

Chapter 2 Installing an Enforce Server ... 26
Installing an Enforce Server ... 26
Verifying an Enforce Server installation ... 35

Chapter 3 Importing a solution pack ... 37
About Symantec Data Loss Prevention solution packs ... 37
Importing a solution pack ... 38

Chapter 4 Installing and registering detection servers ... 41
About detection servers ... 41
Detection servers and remote indexers ... 44
Detection server installation preparations ... 44
Installing a detection server ... 45
Verifying a detection server installation ... 49
Registering a detection server ... 49

Chapter 5 Configuring certificates for secure communications between Enforce and detection servers ... 52
About the sslkeytool utility and server certificates ... 52
About sslkeytool command line options ... 53
Using sslkeytool to generate new Enforce and detection server certificates ... 55
Using sslkeytool to add new detection server certificates ... 58
Verifying server certificate usage ... 59

Chapter 6 Performing a single-tier installation ... 61
Installing a single-tier server ... 61
Verifying a single-tier installation ... 69

Chapter 7 Installing Symantec DLP Agents ... 71
DLP Agent installation overview ... 71
About secure communications between DLP Agents and Endpoint Servers ... 72
  Generating agent installation packages ... 73
  Agent installation package contents ... 75
  Working with endpoint certificates ... 77
Identify security applications running on endpoints ... 79
About Endpoint Server redundancy ... 79
Using the Elevated Command Prompt with Windows ... 80
Process to install the DLP Agent on Windows ... 81
  Installing the DLP Agent for Windows manually ... 82
  Installing DLP Agents for Windows silently ... 82
  Confirming that the Windows agent is running ... 84
  What gets installed for DLP Agents installed on Windows endpoints ... 84
Process to install the DLP Agent on Mac ... 86
  Packaging Mac agent installation files ... 87
  Installing the DLP Agent for Mac manually ... 89
  Installing DLP Agents on Mac endpoints silently ... 90
  Confirming that the Mac agent is running ... 91
  What gets installed for DLP Agents on Mac endpoints ... 91
About uninstallation passwords ... 92
  Creating passwords with the password generation tool ... 93
  Adding uninstallation passwords to agents ... 93
  Using uninstallation passwords ... 94
  Upgrading agents and uninstallation passwords ... 95

Chapter 8 Post-installation tasks ... 96
About post-installation tasks ... 96
About post-installation security configuration ... 96
  About server security and SSL/TLS certificates ... 97
  About Symantec Data Loss Prevention and antivirus software ... 101
  Corporate firewall configuration ... 103
  Windows security lockdown guidelines ... 104
  Windows Administrative security settings ... 105
About system events and syslog servers ... 112
Enforce Servers and unused NICs ... 112
Performing initial setup tasks on the Enforce Server ... 113

Chapter 9 Starting and stopping Symantec Data Loss Prevention services ... 115
About Data Loss Prevention services ... 115
About starting and stopping services on Windows ... 116
  Starting an Enforce Server on Windows ... 116
  Stopping an Enforce Server on Windows ... 117
  Starting a Detection Server on Windows ... 117
  Stopping a Detection Server on Windows ... 117
  Starting services on single-tier Windows installations ... 118
  Stopping services on single-tier Windows installations ... 118

Chapter 10 Uninstalling Symantec Data Loss Prevention ... 120
Uninstalling a server or component from a Windows system ... 120
About Symantec DLP Agent removal ... 121
  Removing DLP Agents from Windows endpoints using system management software ... 122
  Removing a DLP Agent from a Windows endpoint ... 123
  Removing DLP Agents from Mac endpoints using system management software ... 124
  Removing a DLP Agent from a Mac endpoint ... 124

Appendix A Installing Symantec Data Loss Prevention with the FIPS encryption option ... 125
About FIPS encryption ... 125
Installing Symantec Data Loss Prevention with FIPS encryption enabled ... 126
Configuring Internet Explorer when using FIPS ... 126

Index ... 128


Chapter 1

Planning the Symantec Data Loss Prevention installation

This chapter includes the following topics:

■ About installation tiers

■ About single sign-on

■ About hosted Network Prevent deployments

■ About Symantec Data Loss Prevention system requirements

■ Symantec Data Loss Prevention required items

■ Standard ASCII characters required for all installation parameters

■ Performing a three-tier installation—high-level steps

■ Performing a two-tier installation—high-level steps

■ Performing a single-tier installation—high-level steps

■ Symantec Data Loss Prevention preinstallation steps

■ Verifying that servers are ready for Symantec Data Loss Prevention installation

About installation tiers

Symantec Data Loss Prevention supports three different installation types: three-tier, two-tier, and single-tier. Symantec recommends the three-tier installation. However, your organization might need to implement a two-tier installation depending on available resources and organization size. Single-tier installations are recommended for branch offices, small organizations, or for testing purposes.

Single-tier

To implement the single-tier installation, you install the database, the Enforce Server, and a detection server all on the same computer. Typically, this installation is implemented when a small organization or branch office needs a local deployment of Symantec Data Loss Prevention. If you choose this type of installation, the Symantec Data Loss Prevention administrator needs to be able to perform database maintenance tasks, such as database backups.

See “Performing a single-tier installation—high-level steps” on page 20.

See “Installing an Enforce Server” on page 26.

See “Registering a detection server” on page 49.

Two-tier

To implement the two-tier installation, you install the Oracle database and the Enforce Server on the same computer. You then install detection servers on separate computers. Typically, this installation is implemented when an organization, or the group responsible for data loss prevention, does not have a separate database administration team. If you choose this type of installation, the Symantec Data Loss Prevention administrator needs to be able to perform database maintenance tasks, such as database backups.

See “Performing a two-tier installation—high-level steps” on page 19.

Three-tier

To implement the three-tier installation, you install the Oracle database, the Enforce Server, and a detection server on separate computers. Symantec recommends implementing the three-tier installation architecture as it enables your database administration team to control the database. In this way you can use all of your corporate standard tools for database backup, recovery, monitoring, performance, and maintenance. Three-tier installations require that you install the Oracle Client (SQL*Plus and Database Utilities) on the Enforce Server to communicate with the Oracle server.

See “Performing a three-tier installation—high-level steps” on page 16.

About single sign-on

Symantec Data Loss Prevention provides several options for authenticating users and signing users on to the Enforce Server administration console. The Symantec Data Loss Prevention installation program helps you configure several of these options when you install the Enforce Server. These installation options include:

■ Password authentication with forms-based sign-on.
This is the default method of authenticating users to the Enforce Server administration console. When using password authentication, users sign on to the Enforce Server administration console by accessing the sign-on page in their browser and entering their user name and password. You can enable password authentication in addition to certificate authentication.

■ Certificate authentication.
Symantec Data Loss Prevention supports single sign-on using client certificate authentication. With certificate authentication, a user interacts with a separate public key infrastructure (PKI) to generate a client certificate that Symantec Data Loss Prevention supports for authentication. When a user accesses the Enforce Server administration console, the PKI automatically delivers the user's certificate to the Enforce Server computer for authentication and sign-on. If you choose certificate authentication, the installation program gives you the option to enable password authentication as well.

If you want to enable certificate authentication, first verify that your client certificates are compatible with Symantec Data Loss Prevention. See the Symantec Data Loss Prevention System Requirements and Compatibility Guide. Certificate authentication also requires that you install the certificate authority (CA) certificates that are necessary to validate client certificates in your system. These certificates must be available in .cer files on the Enforce Server computer. During the Symantec Data Loss Prevention installation, you can import these CA certificates if available. Import only the CA certificates that actually issue your users' client certificates; any CA you import is trusted to authenticate users to the administration console.

If you want to use password authentication, no additional information is required during the Symantec Data Loss Prevention installation.

See “About authenticating users” in the Symantec Data Loss Prevention Administration Guide for more information about all of the authentication and sign-on mechanisms that Symantec Data Loss Prevention supports.

See the Symantec Data Loss Prevention Administration Guide for information about configuring certificate authentication after you install Symantec Data Loss Prevention.

About hosted Network Prevent deployments

Symantec Data Loss Prevention supports deploying one or more Network Prevent detection servers in a hosted service provider network, or in a network location that requires communication across a Wide Area Network (WAN). You may want to deploy a Network Prevent server in a hosted environment if you use a service provider's mail server or Web proxy. In this way, the Network Prevent server can be easily integrated with the remote proxy to prevent confidential data loss through email or HTTP posts.

The Enforce Server and all other detection servers must reside in the corporate network and communicate over a LAN. Only Network Prevent for Email and Network Prevent for Web can be deployed to a hosted environment.

When you choose to install a detection server, the Symantec Data Loss Prevention installation program asks if you want to install Network Prevent in a hosted environment.

Note: Mobile Prevent and Mobile Email Monitor are not supported in a hosted environment.

See “Installing a detection server” on page 45.

If you choose to install a Network Prevent detection server in a hosted environment, you must use the sslkeytool utility to create multiple, user-generated certificates to use with both internal (corporate) and hosted detection servers. This ensures secure communication from the Enforce Server to the hosted Network Prevent server, and to all other detection servers that you install. You cannot use the built-in Symantec Data Loss Prevention certificate when you deploy a hosted Network Prevent detection server: that certificate is shared by all Symantec Data Loss Prevention installations, so it cannot prove the identity of a server reached across an untrusted WAN.

See “Using sslkeytool to generate new Enforce and detection server certificates” on page 55.

The Symantec Data Loss Prevention Installation Guide describes how to install and configure the Network Prevent server in either a LAN environment or a hosted environment.

About Symantec Data Loss Prevention system requirements

System requirements for Symantec Data Loss Prevention depend on:

■ The type of information you want to protect

■ The size of your organization

■ The number of Symantec Data Loss Prevention servers you choose to install

■ The location in which you install the servers

See the Symantec Data Loss Prevention System Requirements and Compatibility Guide for detailed information.

Symantec Data Loss Prevention required items

Refer to the Symantec Data Loss Prevention System Requirements and Compatibility Guide for detailed requirements information. Before you install Symantec Data Loss Prevention, make sure that the following items are available:

■ Your Symantec Data Loss Prevention software.
Download and extract the Symantec Data Loss Prevention software ZIP files. Extract these ZIP files into a directory on a system that is accessible to you. The root directory into which the ZIP files are extracted is referred to as the DLPDownloadHome directory. Refer to the Acquiring Symantec Data Loss Prevention Software document for more information.

■ Your Symantec Data Loss Prevention license file.
Download your Symantec Data Loss Prevention license file into a directory on a system that is accessible to you. License files have names in the format name.slf. Refer to the Acquiring Symantec Data Loss Prevention Software document for more information.

■ The Oracle database software. You can find this software in the Symantec Data Loss Prevention installation package. Install Oracle software before installing the Enforce Server. See the Symantec Data Loss Prevention Oracle 11g Installation and Upgrade Guide for details.

■ The following third-party components, if required:

  ■ Network Monitor servers require either a dedicated NIC or a high-speed packet capture adapter. See the Symantec Data Loss Prevention System Requirements and Compatibility Guide for requirements.

  ■ Windows-based Network Monitor servers require WinPcap software. WinPcap software is recommended for all detection servers. Locate the WinPcap software at the following URL: http://www.winpcap.org/ See the Symantec Data Loss Prevention System Requirements and Compatibility Guide for version requirements.

  ■ Wireshark, available from Wireshark. During the Wireshark installation process on Windows platforms, do not install a version of WinPcap lower than 4.1.1.

  ■ For two-tier or three-tier installations, a remote access utility may be required (for example, Remote Desktop for Windows systems, or PuTTY or a similar SSH client for Linux systems).

  ■ Windows-based Discover servers that are scanning targets on UNIX machines require Windows Services for UNIX (SFU) 3.5. SFU enables you to access UNIX services from Windows. You can download this software from Windows Services for UNIX Version 3.5 at the Microsoft Download Center. Install SFU on Discover servers that will scan UNIX machines.

  ■ Mobile Prevent requires specially configured VPN and proxy servers. See the Symantec Data Loss Prevention Administration Guide.

■ Adobe Reader (for reading Symantec Data Loss Prevention documentation).

Standard ASCII characters required for all installation parameters

Use only standard, 7-bit ASCII characters to enter installation parameters during the installation process. Extended (hi-ASCII) and double-byte characters cannot be used for account or user names, passwords, directory names, IP addresses, or port numbers. Installation may fail if you use characters other than standard 7-bit ASCII.

Note also that installation directories cannot contain any spaces in the full path name. For example, c:\Program Files\SymantecDLP is not a valid installation folder because there is a space between "Program" and "Files."
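As an added pre-flight check (not part of the Symantec installer or of this guide), the following Python script applies the two rules above to a set of installer parameters before you type them into the installation program: every value must be printable 7-bit ASCII, and the installation directory must not contain a space. The parameter names (account, password, install_dir, enforce_ip, port) and the sample values are constructed for the example and are not the installer's real parameter names or any real host; the IP address and port well-formedness checks go slightly beyond what the text states and are marked as assumptions in the code.

```python
import ipaddress
import re
from typing import Dict, List

# Printable 7-bit ASCII only (0x20-0x7E): rejects hi-ASCII such as "ä" and
# double-byte characters. "[0-9]" rather than "\d" so full-width digits fail too.
_PRINTABLE_ASCII = re.compile(r"^[\x20-\x7e]*$")
_PORT = re.compile(r"^[0-9]{1,5}$")


def is_standard_ascii(value: str) -> bool:
    """True if every character in value is printable 7-bit ASCII."""
    return _PRINTABLE_ASCII.match(value) is not None


def check_parameters(params: Dict[str, str]) -> List[str]:
    """Return one message per rule violation; an empty list means the parameters pass.

    Keys are illustrative (assumed, not the installer's real parameter names):
    account, password, install_dir, enforce_ip, port.
    """
    problems: List[str] = []

    # Rule 1 from the guide: every parameter must be 7-bit ASCII.
    for name, value in params.items():
        if not is_standard_ascii(value):
            bad = sorted({c for c in value if not is_standard_ascii(c)})
            problems.append(f"{name}: non-ASCII character(s) {bad!r}")

    # Rule 2 from the guide: no spaces anywhere in the full installation path.
    install_dir = params.get("install_dir", "")
    if " " in install_dir:
        problems.append(f"install_dir: path {install_dir!r} contains a space")

    # Extra sanity checks (assumption: the value must also be a well-formed
    # IP address / TCP port, not merely ASCII).
    ip = params.get("enforce_ip")
    if ip is not None:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"enforce_ip: {ip!r} is not a valid IP address")

    port = params.get("port")
    if port is not None and not (_PORT.match(port) and 1 <= int(port) <= 65535):
        problems.append(f"port: {port!r} is not an integer in 1-65535")

    return problems


# Constructed sample parameter sets (not real accounts, hosts or ports).
GOOD_PARAMS = {
    "account": "protect",
    "password": "Str0ng-Passw0rd!",
    "install_dir": r"C:\SymantecDLP",
    "enforce_ip": "10.0.0.5",
    "port": "8443",
}

BAD_PARAMS = {
    "account": "ユーザー",                             # double-byte characters
    "password": "Pässw0rd",                            # hi-ASCII "ä"
    "install_dir": r"C:\Program Files\SymantecDLP",    # space in the path
    "enforce_ip": "10.0.0.300",                        # not a valid IPv4 address
    "port": "８４４３",                                # full-width digits: non-ASCII
}


if __name__ == "__main__":
    for label, params in (("good", GOOD_PARAMS), ("bad", BAD_PARAMS)):
        findings = check_parameters(params)
        print(f"{label}: {'OK' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Run it before starting the installer; the BAD_PARAMS set produces six findings (the full-width port is reported twice, once as non-ASCII and once as not a valid port number), while GOOD_PARAMS passes cleanly.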

Performing a three-tier installation—high-level steps

The computer on which you install Symantec Data Loss Prevention must contain only the software that is required to run the product. Symantec does not support installing Symantec Data Loss Prevention on a computer with unrelated applications.

See the Symantec Data Loss Prevention System Requirements and Compatibility Guide for a list of required and recommended third-party software.

Table 1-1 Performing a three-tier installation—high-level steps

Step 1: Perform the preinstallation steps.
See “Symantec Data Loss Prevention preinstallation steps” on page 22.

Step 2: Verify that your servers are ready for installation.
See “Verifying that servers are ready for Symantec Data Loss Prevention installation” on page 23.

Step 3: Install Oracle and create the Symantec Data Loss Prevention database.
In a three-tier installation your organization’s database administration team installs, creates, and maintains the Symantec Data Loss Prevention database. See the Symantec Data Loss Prevention Oracle 11g Installation and Upgrade Guide for information about installing Oracle.

Step 4: Install the Oracle Client (SQL*Plus and Database Utilities) on the Enforce Server computer to enable communication with the Oracle server.
The user account that is used to install Symantec Data Loss Prevention requires access to SQL*Plus to create tables and views. See the Symantec Data Loss Prevention Oracle 11g Installation and Upgrade Guide for information about installing the Oracle client software.

Step 5: Install the Enforce Server.
See “Installing an Enforce Server” on page 26.

Step 6: Verify that the Enforce Server is correctly installed.
See “Verifying an Enforce Server installation” on page 35.

Step 7: Import a solution pack.
See “About Symantec Data Loss Prevention solution packs” on page 37. See “Importing a solution pack” on page 38.

Step 8: Generate server certificates for secure communication.
If you are installing Network Prevent in a hosted environment, you must create user-generated certificates for the Enforce Server and all detection servers in your deployment. This ensures that communication between the Enforce Server and all detection servers is secure. Symantec recommends that you generate new certificates for any multi-tier deployment. If you do not generate new certificates, Enforce and detection servers use a default, built-in certificate that is shared by all Symantec Data Loss Prevention installations. See “Using sslkeytool to generate new Enforce and detection server certificates” on page 55.

Step 9: Install a detection server.
See “Installing a detection server” on page 45.

Step 10: Register a detection server.
See “Registering a detection server” on page 49.

Step 11: Perform the post-installation tasks.
See “About post-installation tasks” on page 96.

Step 12: Start using Symantec Data Loss Prevention to perform initial setup tasks; for example, change the Administrator password, and create user accounts and roles.
See “About post-installation security configuration” on page 96. For more detailed administration topics (including how to configure a specific detection server) see the Symantec Data Loss Prevention Administration Guide.

Performing a two-tier installation—high-level steps

The computer on which you install Symantec Data Loss Prevention must only contain the software that is required to run the product. Symantec does not support installing Symantec Data Loss Prevention on a computer with unrelated applications.

See the Symantec Data Loss Prevention System Requirements and Compatibility Guide for a list of required and recommended third-party software.

Table 1-2 Performing a two-tier installation—high-level steps

Step 1   Perform the preinstallation steps.
         See “Symantec Data Loss Prevention preinstallation steps” on page 22.

Step 2   Verify that your servers are ready for installation.
         See “Verifying that servers are ready for Symantec Data Loss Prevention installation” on page 23.

Step 3   Install Oracle and create the Symantec Data Loss Prevention database.
         See the Symantec Data Loss Prevention Oracle 11g Installation and Upgrade Guide.

Step 4   Install the Enforce Server.
         See “Installing an Enforce Server” on page 26.

Step 5   Verify that the Enforce Server is correctly installed.
         See “Verifying an Enforce Server installation” on page 35.

Step 6   Import a solution pack.
         See “Importing a solution pack” on page 38.
         See “About Symantec Data Loss Prevention solution packs” on page 37.

Step 7   Generate server certificates for secure communication.
         If you are installing Network Prevent in a hosted environment, you must create user-generated certificates for the Enforce Server and all detection servers in your deployment. This ensures that communication between the Enforce Server and all detection servers is secure.
         Symantec recommends that you generate new certificates for any multi-tier deployment. If you do not generate new certificates, Enforce and detection servers use a default, built-in certificate that is shared by all Symantec Data Loss Prevention installations.
         See “Using sslkeytool to generate new Enforce and detection server certificates” on page 55.

Step 8   Install a detection server.
         See “Installing a detection server” on page 45.

Step 9   Register a detection server.
         See “Registering a detection server” on page 49.

Step 10  Perform the post-installation tasks.
         See “About post-installation security configuration” on page 96.

Step 11  Start using Symantec Data Loss Prevention to perform initial setup tasks; for example, change the Administrator password, and create user accounts and roles.
         See “About post-installation security configuration” on page 96.
         For more detailed administration topics (including how to configure a specific detection server) see the Symantec Data Loss Prevention Administration Guide.

Performing a single-tier installation—high-level steps

Single-tier installations are for branch offices or small organizations, or for testing, training, and risk assessment purposes.

The computer on which you install Symantec Data Loss Prevention must only contain the software that is required to run the product. Symantec does not support installing Symantec Data Loss Prevention on a computer with unrelated applications.

See the Symantec Data Loss Prevention System Requirements and Compatibility Guide for a list of required and recommended third-party software.

Table 1-3 Performing a single-tier installation—high-level steps

Step 1   Perform the preinstallation steps.
         See “Symantec Data Loss Prevention preinstallation steps” on page 22.

Step 2   Verify that the server is ready for installation.
         See “Verifying that servers are ready for Symantec Data Loss Prevention installation” on page 23.

Step 3   Install Oracle and create the Symantec Data Loss Prevention database.
         See the Symantec Data Loss Prevention Oracle 11g Installation and Upgrade Guide.

Step 4   Install the Enforce Server and a detection server on the same computer.
         See “Installing a single-tier server” on page 61.

Step 5   Verify that the Enforce Server is correctly installed.
         See “Verifying a single-tier installation” on page 69.

Step 6   Import a solution pack.
         See “About Symantec Data Loss Prevention solution packs” on page 37.
         See “Importing a solution pack” on page 38.

Step 8   Register the detection server.
         See “Registering a detection server” on page 49.

Step 9   Start using Symantec Data Loss Prevention to perform initial setup tasks; for example, change the Administrator password, and create user accounts and roles.
         See “About post-installation security configuration” on page 96.
         For more detailed administration topics (including how to configure a specific detection server) see the Symantec Data Loss Prevention Administration Guide.

Symantec Data Loss Prevention preinstallation steps

This section assumes that the following tasks have been completed:

■ You have verified that the server meets the system requirements.
  See “About Symantec Data Loss Prevention system requirements” on page 14.

■ You have gathered the required materials.
  See “Symantec Data Loss Prevention required items” on page 15.

To prepare to install a Symantec Data Loss Prevention server

1 Review the Release Notes for installation, Windows versus Linux capabilities, and server-specific information before beginning the installation process.

2 Turn off the Microsoft Auto Update feature. Contact your Symantec representative before installing any new patches. Symantec verifies new Microsoft patches and publishes a technical bulletin at the Symantec Data Loss Prevention Knowledge Base when it is safe to apply new patches to Symantec Data Loss Prevention servers.

3 Obtain the Administrator user name and password for each system on which Symantec Data Loss Prevention is to be installed.

4 Obtain the static IP address(es) for each system on which Symantec Data Loss Prevention is to be installed.

5 Verify that each server host name that you will specify has a valid DNS entry.

6 Verify that you have access to all remote computers that you will use during the installation (for example, by using Terminal Services, Remote Desktop, or an SSH client).

7 Verify the Microsoft Windows server installation.

See “Verifying that servers are ready for Symantec Data Loss Prevention installation” on page 23.

8 Copy the following files from DLPDownloadHome to an easily accessible directory on the Enforce Server:

■ The Symantec Data Loss Prevention installer: ProtectInstaller64_12.5.exe. This file can be found in the DLPDownloadHome\DLP\12.5\New_Installs\x64 directory.

■ Your Symantec Data Loss Prevention license file. License files have names in the format name.slf.

■ The appropriate solution pack file. Solution pack files have names ending in *.vsp. Solution pack files can be found in the DLPDownloadHome\DLP\12.5\Solution_Packs directory.
  See “About Symantec Data Loss Prevention solution packs” on page 37.

■ Symantec DLP Agent installers. These files can be found in the following locations:

  ■ Mac installer: DLPDownloadHome\DLP\12.5\Endpoint\Mac\x86_64\AgentInstall.pkg

  ■ Windows 64-bit: DLPDownloadHome\DLP\12.5\Endpoint\Win\x64\AgentInstall64.msi

  ■ Windows 32-bit: DLPDownloadHome\DLP\12.5\Endpoint\Win\x86\AgentInstall.msi

  These files are only available if you licensed Endpoint Prevent.

9 If you plan to use Symantec Data Loss Prevention alerting capabilities, you need the following items:

■ Access to a local SMTP server.

■ Mail server configuration for sending SMTP email. This configuration includes an account and password if the mail server requires authentication.

Verifying that servers are ready for Symantec Data Loss Prevention installation

Before installing Symantec Data Loss Prevention, you must verify that the server computers are ready.

To verify that servers are ready for Symantec Data Loss Prevention installation

1 Verify that all systems are racked and set up in the data center.

2 Verify that the network cables are plugged into the appropriate ports as follows:

■ Enforce Server NIC Port 1. Standard network access for Administration. If the Enforce Server has multiple NICs, disable the unused NIC if possible. This task can only be completed once you have installed the Enforce Server.
  See “Enforce Servers and unused NICs” on page 112.

■ Detection servers NIC Port 1. Standard network access for Administration.

■ Network Monitor detection servers NIC Port 2. SPAN port or tap should be plugged into this port for detection. (Does not need an IP address.) If you use a high-speed packet capture card (such as Endace or Napatech), then do not set this port for SPAN or tap.

3 Log on as the Administrator user.

4 Assign a static IP address, subnet mask, and gateway for the Administration NIC on the Enforce Server. Do not assign an IP address to the detection server NICs.

5 Make sure that the management NIC has the following items enabled:

■ Internet protocol TCP/IP

■ File and Printer Sharing for Microsoft networks

■ Client for Microsoft Networks

Disabling any of these can cause communication problems between the Enforce Server and the detection servers.

6 From a command line, use ipconfig /all to verify assigned IP addresses.

7 If you do not use DNS, check that the c:\windows\system32\drivers\etc\hosts file contains the server name and IP addresses for the server computer. If you modify this file, restart the server to apply the changes.

8 If you are using DNS, verify that all host names have valid DNS entries.

9 Ping each Symantec Data Loss Prevention server computer (using both IP and host name) to verify network access.

10 Verify that ports 443 (SSL) and 3389 (RDP) are open and accessible to the client computers that require access.

11 Turn on remote desktop connections for each Symantec Data Loss Prevention server computer. In Windows, right-click My Computer. Click Properties and then select Remote > Allow users to connect remotely to this computer. Verify that you can use Remote Desktop to log onto the server from a local workstation.

12 Verify that port 25 is not blocked. The Symantec Data Loss Prevention server uses port 25 (SMTP) for email alerts.

13 Verify that the Network Monitor detection server NICs receive the correct traffic from the SPAN port or tap. Install the latest version of Wireshark and use it to verify traffic on the server.

For Endace cards, use dagsnap -o out.pcap from a command line. Then review the dagsnap output in Wireshark.

For Napatech cards, there is a "statistics" tool with option -bch=0xf to observe the "Hardware counters" for all channels/ports.

14 Ensure that all servers are synchronized with the same time (to the minute). Ensure that the servers are updated with the correct Daylight Saving Time patches.

See “Symantec Data Loss Prevention required items” on page 15.

See “Symantec Data Loss Prevention preinstallation steps” on page 22.

For Network Prevent for Email detection server installations, verify the following:

■ Use an SSH client to verify that you can access the Mail Transfer Agent (MTA).

■ Verify that the firewall permits you to Telnet from the Network Prevent for Email Server computer to the MTA on port 25. Also ensure that you can Telnet from the MTA to the Network Prevent for Email detection server computer on port 10026.
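The network checks in steps 7 through 14 above, and the outbound SMTP check for Network Prevent for Email, can be run from an administration workstation with the following PowerShell script. It is an added example, not part of the Symantec guide; the server names, addresses and MTA host in it are constructed placeholders (assumptions), and the clock comparison assumes the peers answer NTP queries from w32tm.

```powershell
# Added readiness check, not part of the Symantec guide. Run from an admin workstation
# that should be able to reach the DLP servers. Every host name and address below is a
# constructed placeholder (assumption); replace them with your own inventory.

$ErrorActionPreference = 'SilentlyContinue'

# Constructed inventory (assumption): one Enforce Server and one detection server.
$DlpServers = @(
    @{ Name = 'enforce01.example.com'; IP = '10.0.0.10' },
    @{ Name = 'monitor01.example.com'; IP = '10.0.0.11' }
)
$UseDns  = $true                  # $false if you rely on the hosts file instead (step 7)
$MtaHost = 'mta.example.com'      # assumption; only relevant for Network Prevent for Email

function Test-TcpPort {
    # True if a TCP connection to $TargetHost:$Port completes within $TimeoutMs.
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-HostsFileEntry {
    # Step 7: the local hosts file must map the server name to its IP address.
    param([string]$Name, [string]$IP)
    $hostsPath = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
    $pattern = '^\s*' + [regex]::Escape($IP) + '\s+(\S+\s+)*' + [regex]::Escape($Name) + '(\s|$)'
    return [bool](Get-Content $hostsPath | Where-Object { $_ -match $pattern })
}

function Test-DnsEntry {
    # Step 8: a forward lookup of the host name must return the expected address.
    param([string]$Name, [string]$IP)
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
        return [bool]($addrs -contains $IP)
    } catch { return $false }
}

function Get-ClockOffsetSeconds {
    # Step 14: average clock offset between this host and $Peer, measured by w32tm over NTP.
    # Returns $null when the peer does not answer.
    param([string]$Peer)
    $lines = w32tm /stripchart /computer:$Peer /samples:3 /dataonly 2>$null
    $offsets = foreach ($l in $lines) { if ($l -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] } }
    if ($null -eq $offsets) { return $null }
    return ($offsets | Measure-Object -Average).Average
}

$results = foreach ($s in $DlpServers) {
    $nameOk  = if ($UseDns) { Test-DnsEntry $s.Name $s.IP } else { Test-HostsFileEntry $s.Name $s.IP }
    $offset  = Get-ClockOffsetSeconds $s.Name
    $clockOk = if ($null -eq $offset) { $false } else { [math]::Abs($offset) -lt 60 }
    New-Object PSObject -Property @{
        Server        = $s.Name
        NameResolves  = $nameOk                                                # steps 7 / 8
        PingIP        = Test-Connection -ComputerName $s.IP   -Count 1 -Quiet  # step 9
        PingName      = Test-Connection -ComputerName $s.Name -Count 1 -Quiet  # step 9
        Https443      = Test-TcpPort $s.Name 443                               # step 10
        Rdp3389       = Test-TcpPort $s.Name 3389                              # steps 10 / 11
        ClockWithin1m = $clockOk                                               # step 14
    }
}
$results | Format-Table Server, NameResolves, PingIP, PingName, Https443, Rdp3389, ClockWithin1m -AutoSize

# Step 12 and the Network Prevent for Email check: outbound SMTP to the MTA. The reverse
# direction (MTA -> detection server on port 10026) has to be tested from the MTA itself.
"SMTP (port 25) to $MtaHost reachable: " + (Test-TcpPort $MtaHost 25)
```

A False in any column points at the numbered step to revisit; the script only observes and changes no configuration.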


Chapter 2  Installing an Enforce Server

This chapter includes the following topics:

■ Installing an Enforce Server

■ Verifying an Enforce Server installation

Installing an Enforce Server

The instructions that follow describe how to install an Enforce Server.

Before you install an Enforce Server:

■ Complete the preinstallation steps.
  See “Symantec Data Loss Prevention preinstallation steps” on page 22.

■ Verify that the system is ready for installation.
  See “Verifying that servers are ready for Symantec Data Loss Prevention installation” on page 23.

■ Ensure that the Oracle software and Symantec Data Loss Prevention database are installed on the appropriate system.

  ■ For single- and two-tier Symantec Data Loss Prevention installations, Oracle is installed on the same computer as the Enforce Server.

  ■ For a three-tier installation, Oracle is installed on a separate server. For a three-tier installation, the Oracle Client (SQL*Plus and Database Utilities) must be installed on the Enforce Server computer to enable communication with the Oracle server.

  See the Symantec Data Loss Prevention Oracle 11g Installation and Upgrade Guide for details.

■ Before you begin, make sure that you have access and permission to run the Symantec Data Loss Prevention installer software: ProtectInstaller64_12.5.exe.

If you intend to run Symantec Data Loss Prevention using Federal Information Processing Standards (FIPS) encryption, you must first prepare for FIPS encryption. You must also run the ProtectInstaller with the appropriate FIPS parameter.

See “About FIPS encryption” on page 125.

Note: The following instructions assume that the ProtectInstaller64_12.5.exe file and license file have been copied into the c:\temp directory on the Enforce Server computer.

To install an Enforce Server

1 Symantec recommends that you disable any antivirus, pop-up blocker, and registry protection software before you begin the Symantec Data Loss Prevention installation process.

2 Log on (or remote log on) as Administrator to the Enforce Server system on which you intend to install Enforce.

3 Go to the folder where you copied the ProtectInstaller64_12.5.exe file (c:\temp).

4 Double-click ProtectInstaller64_12.5.exe to execute the file, and click OK.

5 In the Welcome panel, click Next.

6 After you review the license agreement, select I accept the agreement, and click Next.

7 In the Select Components panel, select the type of installation you are performing and then click Next.

There are four choices:

■ Enforce
  Select Enforce to install Symantec Data Loss Prevention on an Enforce Server for two- or three-tier installations. When you select Enforce, the Indexer is also automatically selected by default.

■ Detection
  Select Detection to install a detection server as part of a two- or three-tier installation.

■ Indexer
  Select Indexer to install a remote indexer.

■ Single Tier
  Select Single Tier to install all components on a single system. Single-tier systems are for branch offices or small organizations, or for testing, training, and risk assessment.

Because these are the instructions for installing an Enforce Server, choose Enforce.

8 In the License File panel, browse to the directory containing your license file. Select the license file, and click Next.

License files have names in the format name.slf.

9 In the Select Destination Directory panel, accept the default destination directory, or enter an alternate directory, and click Next. The default installation directory is:

c:\SymantecDLP

Symantec recommends that you use the default destination directory. References to the "installation directory" in Symantec Data Loss Prevention documentation are to this default location.

Enter directory names, account names, passwords, IP addresses, and port numbers that you create or specify during the installation process using standard 7-bit ASCII characters only. Extended (hi-ASCII) and double-byte characters are not supported.

Note: Do not install Symantec Data Loss Prevention in any directory that includes spaces in its path. For example, c:\Program Files\SymantecDLP is not a valid installation folder because there is a space between “Program” and “Files.”

10 In the Select Start Menu Folder panel, enter the Start Menu folder where you want the Symantec Data Loss Prevention shortcuts to appear.

The default is Symantec Data Loss Prevention.

11 Select one of the following options and then click Next.

■ Create shortcuts for all users
  The shortcuts are available in the same location for all users of the Enforce Server.

■ Don’t create a Start Menu folder
  The Symantec Data Loss Prevention shortcuts are not available from the Start menu.

12 In the System Account panel, create the Symantec Data Loss Prevention system account user name and password and confirm the password. Then click Next.

This account is used to manage Symantec Data Loss Prevention services. The default user name is “protect.”

Note: The password you enter for the System Account must conform to the password policy of the server. For example, the server may require all passwords to include special characters.

13 In the Transport Configuration panel (this panel only appears during single-tier installations), enter an unused port number that Symantec Data Loss Prevention servers can use to communicate with each other and click Next. The default port is 8100.

14 In the Oracle Database Server Information panel, enter the location of the Oracle database server. Specify one of the following options in the Oracle Database Server field:

■ Single- and two-tier installation (Enforce and Oracle servers on the same system): The Oracle Server location is 127.0.0.1.

■ Three-tier installation (Enforce Server and Oracle server on different systems): Specify the Oracle server host name or IP address. To install into a test environment that has no DNS available, use the IP address of the Oracle database server.

15 Enter the Oracle Listener Port, or accept the default, and click Next.

16 In the Oracle Database User Configuration panel, enter the Symantec Data Loss Prevention database user name and password. Confirm the password and enter the database SID (typically “protect”), then click Next.

If your Oracle database is not the correct version, you are warned and offered the choice of continuing or canceling the installation. You can continue and upgrade the Oracle database later.

See the Symantec Data Loss Prevention Oracle 11g Installation and Upgrade Guide.

If you are re-using a database that was created for an earlier Symantec Data Loss Prevention installation, the Symantec Data Loss Prevention database user ("protect" user by default) may not have sufficient privileges to install the product. In this case, you must manually add the necessary privileges using SQL*Plus. See the Symantec Data Loss Prevention Upgrade Guide for your platform.

Note: Symantec Data Loss Prevention requires the Oracle database to use the AL32UTF8 character set. If your database is configured for a different character set, you are notified and the installation is canceled. Correct the problem and re-run the installer.

17 In the Additional Locale panel, select an alternate locale, or accept the default of None, and click Next.

Locale controls the format of numbers and dates, and how lists and reports are alphabetically sorted. If you accept the default choice of None, English is the locale for this Symantec Data Loss Prevention installation. If you choose an alternate locale, that locale becomes the default for this installation, but individual users can select English as a locale for their use.

See the Symantec Data Loss Prevention Administration Guide for more information on locales.

18 Select one of the following options in the Initialize DLP Database panel:

■ For a new Symantec Data Loss Prevention installation, make sure that the Initialize Enforce Data box is checked and then click Next. You can also check this box if you are reinstalling and want to overwrite the existing Enforce schema and all data. Note that this action cannot be undone. If this check box is selected, the data in your existing Symantec Data Loss Prevention database is destroyed after you click Next.

■ Clear the Initialize Enforce Data check box if you want to perform a recovery operation. Clearing the check box skips the database initialization process. If you choose to skip the database initialization, you must specify the unique CryptoMasterKey.properties file for the existing database that you want to use.

19 In the Single Sign On Option panel, select the sign-on option that you want to use for accessing the Enforce Server administration console, then click Next:

Certificate Authentication
  Select this option if you want users to automatically log on to the Enforce Server administration console using client certificates that are generated by your public key infrastructure (PKI).
  If you choose certificate authentication, import the certificate authority (CA) certificates that are required to validate users' client certificates. You also need to create Enforce Server user accounts to map common name (CN) values in certificates to Symantec Data Loss Prevention roles. See the Symantec Data Loss Prevention Administration Guide for more information.

Password Authentication Only
  Select Password Authentication Only if you want users to log onto the Enforce Server administration console using passwords that were entered at the sign-on page.

Note: If you are unsure of which sign-on mechanism to use, select None to use the forms-based sign-on mechanism. Forms-based sign-on with password authentication is the default mechanism used in previous versions of Symantec Data Loss Prevention. You can choose to configure certificate authentication after you complete the installation, using instructions in the Symantec Data Loss Prevention Administration Guide.

20 If you selected either Symantec Protection Console or None as your log on option, skip this step.

In the Import Certificates panel, select options for certificate authentication, then click Next:

Import Certificates
Select Certificate Directory
  Select Import Certificates if you want to import certificate authority (CA) certificates during the Enforce Server installation. CA certificates are required to validate client certificates when you choose Certificate Authentication sign on. If the necessary CA certificates are available on the Enforce Server computer, select Import Certificates and click Browse to navigate to the directory where the .cer files are located.
  Uncheck Import Certificates if the necessary certificates are not available on the Enforce Server computer, or if you do not want to import certificates at this time. You can import the required certificates after installation using instructions in the Symantec Data Loss Prevention Administration Guide.

Allow Form Based Authentication
  Select this option if you want to support password authentication with forms-based sign-on in addition to single sign-on with certificate authentication. Symantec recommends that you select this option as a backup option while you configure and test certificate authentication with your PKI. You can disable password authentication and forms-based sign-on after you have validated that certificate authentication is correctly configured for your system.

21 If you chose to initialize the Enforce Server database, skip this step.

If you chose to re-use an existing Enforce Server database, the installer displays the Key Ignition Configuration panel. Click Browse and navigate to select the unique CryptoMasterKey.properties file that was used to encrypt the database.

Note: Each Symantec Data Loss Prevention installation encrypts its database using a unique CryptoMasterKey.properties file. An exact copy of this file is required if you intend to reuse the existing Symantec Data Loss Prevention database. If you do not have the CryptoMasterKey.properties file for the existing Enforce Server database, contact Symantec Technical Support to recover the file.

Click Next to continue the installation.

22 If you chose to re-use an existing Enforce Server database, skip this step.

In the Administrator Credentials panel, specify information according to the sign-on option that you selected:

Password
Re-enter Password
  If you chose an option to support password authentication with forms-based log on, enter a password for the Enforce Server Administrator account in both the Password and Re-enter Password fields.
  The Administrator password must contain a minimum of eight characters. You can change the Administrator password from the Enforce Server administration console at any time.
  Note: These fields are not displayed if you selected Certificate Authentication but you did not select Allow Form Based Authentication. In this case, you must log on to the Enforce Server administration console using a client certificate that contains the administrator's common name value.

Common Name (CN)
  If you chose to support certificate authentication, enter the Common Name (CN) value that corresponds to the Enforce Server Administrator user. The Enforce Server will assign administrator privileges to the user who logs on with a client certificate that contains this CN value.
  Note: This field is displayed only if you selected Certificate Authentication.

23 Click Next.

The installation process begins. After the Installation Wizard extracts the files, it connects to the database using the name and password that you entered earlier. The wizard then creates the database tables. If any problems with the database are discovered, a notification message displays.

The Installing panel appears, and displays a progress bar.

24 Confirm your participation in the Symantec Data Loss Prevention SupportabilityTelemetry program, and provide the appropriate information.

The Symantec Data Loss Prevention Supportability Telemetry Program cansignificantly improve the quality of Symantec Data Loss Prevention. For moreinformation, click the Supportability and Telemetry Program Details link.

25 Select the Start Services check box to start the Symantec Data LossPrevention services after the after the completion notice displays.

The services can also be started or stopped using the Windows Services utility.

26 Click Finish.

Starting all of the services can take up to a minute. The installation program window may persist for a while during the startup of the services. After a successful installation, a completion notice displays.

27 Restart any antivirus, pop-up blocker, or other protection software that you disabled before starting the Symantec Data Loss Prevention installation process.

28 Verify that the Enforce Server is properly installed.

See “Verifying an Enforce Server installation” on page 35.

29 Import a Symantec Data Loss Prevention solution pack immediately after installing the Enforce Server, and before installing any detection servers.

See “About Symantec Data Loss Prevention solution packs” on page 37.

30 Back up the unique CryptoMasterKey.properties file for your installation and store the file in a safe place. This file is required for Symantec Data Loss Prevention to encrypt and decrypt the Enforce Server database.

Note: Each Symantec Data Loss Prevention installation encrypts its database using a unique CryptoMasterKey.properties file. An exact copy of this file is required if you intend to reuse the existing Symantec Data Loss Prevention database. If the CryptoMasterKey.properties file becomes lost or corrupted and you do not have a backup, contact Symantec Technical Support to recover the file.

Verifying an Enforce Server installation

After installing an Enforce Server, verify that it is operating correctly before importing a solution pack.


To verify the Enforce Server installation

1 Confirm that Oracle Services (OracleOraDb11g_home1TNSListener and OracleServicePROTECT) automatically start upon system restart.

2 If you selected the option Start Services, then confirm that all of the Symantec Data Loss Prevention Services are running under the System Account user name that you specified during installation.

Note that on Windows platforms, all services run under the System Account user name (by default, “protect”), except for the Vontu Update services, which run as username_update (by default, “protect_update”).

Symantec Data Loss Prevention includes the following services:

■ Vontu Manager

■ Vontu Incident Persister

■ Vontu Notifier

■ Vontu Update

■ Vontu Monitor Controller

3 If the Symantec Data Loss Prevention services do not start, check the log files for possible issues (for example, connectivity, password, or database access issues).

■ The Symantec Data Loss Prevention installation log is c:\SymantecDLP\.install4j\installation.log.

■ Symantec Data Loss Prevention operational logs are in c:\SymantecDLP\Protect\logs.

■ Oracle logs can be found in c:\app\Administrator\admin\protect on the Oracle server computer.

4 Once you have verified the Enforce Server installation, you can log on to the Enforce Server to view the administration console. Using the administration console, go to System > Settings > General, accept the EULA, enter your company information, and confirm that all of your licenses have been correctly activated.

See the Symantec Data Loss Prevention Administration Guide for information about logging on to, and using, the Enforce Server administration console.
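Steps 1 through 3 of this procedure can be scripted. The following PowerShell script is an added example and is not part of the Symantec guide; it assumes the default System Account name "protect", the default install directory c:\SymantecDLP, and that the Oracle services run on the Enforce Server host, and it reads service state through the Win32_Service class.

```powershell
# Added example, not from the Symantec guide. Assumptions: System Account name
# "protect" (the default), install directory c:\SymantecDLP, Oracle services on
# this host, service names and log paths as listed in the verification procedure.
$oracleServices = @('OracleOraDb11g_home1TNSListener', 'OracleServicePROTECT')
$dlpServices    = @('Vontu Manager', 'Vontu Incident Persister', 'Vontu Notifier',
                    'Vontu Update', 'Vontu Monitor Controller')
$systemAccount  = 'protect'                 # System Account user name from the install
$updateAccount  = "${systemAccount}_update" # Vontu Update runs as <username>_update
$installLog     = 'c:\SymantecDLP\.install4j\installation.log'
$logDir         = 'c:\SymantecDLP\Protect\logs'
$problems       = @()

# 1. Oracle services must be set to start automatically and be running.
foreach ($name in $oracleServices) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { $problems += "Oracle service '$name' not found"; continue }
    if ($svc.StartMode -ne 'Auto') {
        $problems += "Oracle service '$name' start mode is $($svc.StartMode), expected Auto"
    }
    if ($svc.State -ne 'Running') { $problems += "Oracle service '$name' is $($svc.State)" }
}

# 2. Every DLP service must be running under the System Account; Vontu Update
#    under <username>_update. StartName looks like '.\protect' or 'HOST\protect',
#    so only the user part after the last backslash is compared.
foreach ($display in $dlpServices) {
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName='$display'"
    if (-not $svc) { $problems += "Service '$display' not found"; continue }
    $expected = if ($display -eq 'Vontu Update') { $updateAccount } else { $systemAccount }
    $actual   = ($svc.StartName -split '\\')[-1]
    if ($svc.State -ne 'Running') { $problems += "Service '$display' is $($svc.State)" }
    if ($actual -ne $expected) {
        $problems += "Service '$display' runs as '$($svc.StartName)', expected '$expected'"
    }
}

# 3. On any failure, show the most recent error lines from the logs the guide names
#    (connectivity, password and database access problems are reported there).
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    $pattern = 'ERROR|SEVERE|Exception'
    if (Test-Path $installLog) {
        Write-Host "--- $installLog ---"
        Select-String -Path $installLog -Pattern $pattern | Select-Object -Last 10
    }
    if (Test-Path $logDir) {
        Get-ChildItem $logDir -Filter *.log | Sort-Object LastWriteTime -Descending |
            Select-Object -First 5 | ForEach-Object {
                Write-Host "--- $($_.FullName) ---"
                Select-String -Path $_.FullName -Pattern $pattern | Select-Object -Last 5
            }
    }
    exit 1
}
Write-Host 'Enforce Server services verified.'
```

Run it from an elevated PowerShell prompt on the Enforce Server; a non-zero exit code means at least one check failed and the offending log lines are printed above it.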


Chapter 3: Importing a solution pack

This chapter includes the following topics:

■ About Symantec Data Loss Prevention solution packs

■ Importing a solution pack

About Symantec Data Loss Prevention solution packs

You import a solution pack to provide the initial Enforce Server configuration. Each solution pack includes policies, roles, reports, protocols, and the incident statuses that support a particular industry or organization.

Solution packs have file names ending in *.vsp (for example, Energy_v12.5.vsp).

Solution pack files are available in the following directory:

DLPDownloadHome\DLP\12.5\Solution_Packs\.

Symantec provides the solution packs listed in Table 3-1.

Table 3-1 Symantec Data Loss Prevention solution packs

Name                                                    File name
Data Classification for Enterprise Vault Solution Pack  Data_Classification_Enterprise_Vault_v12.5.vsp
Energy & Utilities Solution Pack                        Energy_v12.5.vsp
EU and UK Solution Pack                                 EU_UK_v12.5.vsp
Federal Solution Pack                                   Federal_v12.5.vsp
Financial Services                                      Financial_v12.5.vsp
Health Care Solution Pack                               Health_Care_v12.5.vsp
High Tech Solution Pack                                 High_Tech_v12.5.vsp
Insurance Solution Pack                                 Insurance_v12.5.vsp
Manufacturing Solution Pack                             Manufacturing_v12.5.vsp
Media & Entertainment Solution Pack                     Media_Entertainment_v12.5.vsp
Pharmaceutical Solution Pack                            Pharmaceutical_v12.5.vsp
Retail Solution Pack                                    Retail_v12.5.vsp
Telecom Solution Pack                                   Telecom_v12.5.vsp
General Solution Pack                                   Vontu_Classic_v12.5.vsp

See the solution pack documentation for a description of the contents of each solution pack.

Solution pack documentation can be found in the following directory:

DLPDownloadHome\DLP\12.5\Docs\Solution_Packs\.

This directory was created when you unzipped either the entire software download file or the documentation ZIP file.

You must choose and import a solution pack immediately after installing the Enforce Server and before installing any detection servers. You only import a single solution pack. You cannot change the imported solution pack at a later time.

See “Importing a solution pack” on page 38.

Importing a solution pack

You import a Symantec Data Loss Prevention solution pack on the Enforce Server computer. The following rules apply when you import a solution pack:

■ You must import the solution pack immediately after you install the Enforce Server and before you install any detection server. (If you performed a single-tier installation, you must import the solution pack immediately after the installation is complete.)

■ Only import a solution pack that was created for the specific Enforce Server version you installed. Do not import a solution pack that was released with a previous version of the Symantec Data Loss Prevention software. For example, do not import a version 11.x solution pack on a version 12.5 Enforce Server.

■ Do not attempt to import more than one solution pack on the same Enforce Server, as the solution pack import fails.

■ Do not import a solution pack on an Enforce Server that was modified after the initial installation; the solution pack import fails.

■ After you import a solution pack, you cannot change the installation to use a different solution pack at a later time.

To import a solution pack

1 Decide which solution pack you want to use.

See “About Symantec Data Loss Prevention solution packs” on page 37.

Note: You must use a version 12.5 solution pack; earlier versions are not supported.

2 Log on (or remote log on) as Administrator to the Enforce Server computer.

3 Copy the solution pack file from DLPDownloadHome\DLP\12.5\Solution_Packs\ to an easily accessible local directory.

4 In Windows Services, stop all Symantec Data Loss Prevention services except for the Notifier service. The Notifier service must remain running.

Stop the following services:

■ Vontu Update

■ Vontu Incident Persister

■ Vontu Manager

■ Vontu Monitor (if a single-tier installation)

■ Vontu Monitor Controller

See “About Data Loss Prevention services” on page 115.

5 From the command-line prompt, change to the \SymantecDLP\protect\bin directory on the Enforce Server. This directory contains the SolutionPackInstaller.exe application. For example:

cd c:\SymantecDLP\Protect\bin


6 Import the solution pack by running SolutionPackInstaller.exe from the command line and specifying the solution pack directory path and file name. The solution pack directory must not contain spaces.

For example, if you placed a copy of the Financial_v12.5.vsp solution pack in the \SymantecDLP directory of the Enforce Server, you would enter:

SolutionPackInstaller.exe import c:\SymantecDLP\Financial_v12.5.vsp

7 Check the solution pack installer messages to be sure that the installation succeeded without error.

8 Restart the Symantec Data Loss Prevention services you stopped.

Make sure the Vontu Notifier service is also running. If the Notifier service is not running, start Notifier first, and then start the other Symantec Data Loss Prevention services:

■ Vontu Notifier

■ Vontu Manager

■ Vontu Monitor (if a single-tier installation)

■ Vontu Incident Persister

■ Vontu Update

■ Vontu Monitor Controller

See “About Data Loss Prevention services” on page 115.

9 After you have completed importing the solution pack, do one of the following depending on the type of installation:

■ On three-tier or two-tier installations, install one or more detection servers. See “About detection servers” on page 41. See “Installing a detection server” on page 45.

■ On a single-tier installation, register a detection server. See “Registering a detection server” on page 49. See “Verifying a detection server installation” on page 49.
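Steps 3 through 8 of the import procedure above, as an added PowerShell script that is not part of the Symantec guide. It enforces the rules the guide states (a version 12.5 pack, a path without spaces, Notifier left running), stops and restarts the services in the listed order, and runs SolutionPackInstaller.exe; it assumes the default install directory c:\SymantecDLP and that the installer returns a non-zero exit code on failure (an assumption; the guide only says to check its messages).

```powershell
# Added example, not from the Symantec guide. Assumptions: default install
# directory c:\SymantecDLP; SolutionPackInstaller.exe returns a non-zero exit
# code on failure (the guide only says to check its messages).
param(
    [Parameter(Mandatory = $true)][string]$SolutionPack,   # e.g. c:\SymantecDLP\Financial_v12.5.vsp
    [string]$DlpHome = 'c:\SymantecDLP'
)
$ErrorActionPreference = 'Stop'

# Rules from the guide: only a version 12.5 pack, only a path without spaces.
if ($SolutionPack -notmatch '_v12\.5\.vsp$') {
    throw "Expected a version 12.5 solution pack (*_v12.5.vsp), got: $SolutionPack"
}
if ($SolutionPack -match '\s') { throw "Solution pack path must not contain spaces: $SolutionPack" }
if (-not (Test-Path -LiteralPath $SolutionPack)) { throw "Solution pack not found: $SolutionPack" }

$installer = Join-Path $DlpHome 'Protect\bin\SolutionPackInstaller.exe'
if (-not (Test-Path -LiteralPath $installer)) { throw "Installer not found: $installer" }

# Stop order from step 4. Vontu Notifier is deliberately absent: it must keep running.
# Vontu Monitor exists only on a single-tier installation, so a missing service is skipped.
$stopOrder  = @('Vontu Update', 'Vontu Incident Persister', 'Vontu Manager',
                'Vontu Monitor', 'Vontu Monitor Controller')
# Start order from step 8: Notifier first, then the rest.
$startOrder = @('Vontu Notifier', 'Vontu Manager', 'Vontu Monitor',
                'Vontu Incident Persister', 'Vontu Update', 'Vontu Monitor Controller')
$timeout = [TimeSpan]::FromMinutes(2)

function Get-DlpService([string]$DisplayName) {
    # Display names are the ones the guide lists; returns $null if the service is absent.
    Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
}

# Notifier must be running before and during the import.
$notifier = Get-DlpService 'Vontu Notifier'
if (-not $notifier) { throw 'Vontu Notifier service not found; run this on the Enforce Server.' }
if ($notifier.Status -ne 'Running') {
    Start-Service -InputObject $notifier
    $notifier.WaitForStatus('Running', $timeout)
}

foreach ($name in $stopOrder) {
    $svc = Get-DlpService $name
    if ($svc -and $svc.Status -ne 'Stopped') {
        Write-Host "Stopping $name"
        Stop-Service -InputObject $svc
        $svc.WaitForStatus('Stopped', $timeout)
    }
}

# Step 6: run the installer from its own directory with the import command.
Push-Location (Split-Path -Parent $installer)
try {
    & $installer import $SolutionPack
    $exitCode = $LASTEXITCODE
} finally {
    Pop-Location
}

# Step 7: on failure leave the services stopped so the installer output can be reviewed.
if ($exitCode -ne 0) {
    throw "Solution pack import failed (exit code $exitCode); services left stopped."
}

# Step 8: restart the services, Notifier first.
foreach ($name in $startOrder) {
    $svc = Get-DlpService $name
    if ($svc -and $svc.Status -ne 'Running') {
        Write-Host "Starting $name"
        Start-Service -InputObject $svc
        $svc.WaitForStatus('Running', $timeout)
    }
}
Write-Host "Imported $SolutionPack; Symantec Data Loss Prevention services restarted."
```

Still read the installer's own messages as step 7 instructs; the exit-code check is a safety net, not a substitute.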


Chapter 4: Installing and registering detection servers

This chapter includes the following topics:

■ About detection servers

■ Detection servers and remote indexers

■ Detection server installation preparations

■ Installing a detection server

■ Verifying a detection server installation

■ Registering a detection server

About detection servers

The Symantec Data Loss Prevention suite includes the types of detection servers described in Table 4-1. The Enforce Server manages all of these detection servers.

Table 4-1 Detection servers

Network Monitor
    Network Monitor inspects the network communications for confidential data, accurately detects policy violations, and precisely qualifies and quantifies the risk of data loss. Data loss can include intellectual property or customer data.

Network Discover
    Network Discover identifies unsecured confidential data that is exposed on open file shares and Web servers.
    Network Protect reduces your risk by removing exposed confidential data, intellectual property, and classified information from open file shares on network servers or desktop computers. Note that there is no separate Network Protect server; the Network Protect product module adds protection functionality to the Network Discover Server.

Network Prevent for Email
    Network Prevent for Email prevents data security violations by blocking the email communications that contain confidential data. It can also conditionally route traffic with confidential data to an encryption gateway for secure delivery and encryption-policy enforcement.
    Note: You can optionally deploy Network Prevent for Email in a hosted service provider network, or in a network location that requires communication across a Wide Area Network (WAN) to reach the Enforce Server.
    See “About hosted Network Prevent deployments” on page 13.

Network Prevent for Web
    Network Prevent for Web prevents data security violations for data that is transmitted by Web communications and file-transfer protocols.
    Note: You can optionally deploy Network Prevent for Web in a hosted service provider network, or in a network location that requires communication across a Wide Area Network (WAN) to reach the Enforce Server.
    See “About hosted Network Prevent deployments” on page 13.

Mobile Email Monitor
    Mobile Email Monitor provides data loss prevention for the corporate bring-your-own-device (BYOD) environment by monitoring mail sent to mobile devices, such as iPads and iPhones. It enables monitoring of ActiveSync email that originates in the corporate network and is downloaded to the native email application on these devices. A Symantec Data Loss Prevention administrator can identify what sensitive information was downloaded to devices that are subsequently lost or stolen.

Mobile Prevent for Web
    Mobile Prevent for Web connects mobile devices to your corporate network through Wi-Fi access or through cellular 3G connectivity. Network traffic for webmail, third-party applications such as Yahoo and Facebook, and corporate email applications, including Microsoft Exchange ActiveSync, is sent through the HTTP/S protocol. Corporate email is sent through Microsoft ActiveSync as HTTP/S protocol information. Microsoft ActiveSync receives the information from the corporate proxy server after it has gone through detection and then sends the message to the corporate Exchange Server. Messages sent through common applications such as Facebook or Dropbox are either blocked or the sensitive information is redacted from the message, depending on your policies.
    Note: You cannot deploy Mobile Prevent for Web in a hosted service environment.

Endpoint Prevent
    Endpoint Prevent monitors the use of sensitive data on endpoint systems and detects endpoint policy violations. Endpoint Prevent also identifies unsecured confidential data that is exposed on endpoints.

Classification
    A Classification Server analyzes email messages that are sent from a Symantec Enterprise Vault filter, and provides a classification result that Enterprise Vault can use to perform tagging, archival, and deletion as necessary. The Discovery Accelerator and Compliance Accelerator products can also use classification tags to filter messages during searches or audits.
    Note: The Classification Server is used only with the Symantec Data Classification for Enterprise Vault solution, which is licensed separately from Symantec Data Loss Prevention. You must configure the Data Classification for Enterprise Vault filter and Classification Server to communicate with one another. See the Enterprise Vault Data Classification Services Integration Guide for more information.

Single Tier
    The Single Tier Server enables the detection servers that you have licensed on the same host as the Enforce Server. The single-tier server performs detection for the following products (you must have a license for each): Network Monitor, Network Discover, Network Prevent for Email, Network Prevent for Web, and Endpoint Prevent.

See “Detection servers and remote indexers” on page 44.

See “Detection server installation preparations” on page 44.

See “Installing a detection server” on page 45.

See “Verifying a detection server installation” on page 49.

See “Registering a detection server” on page 49.

Detection servers and remote indexers

Remote Indexing components should not reside on the same system that hosts a detection server. This restriction applies to two- and three-tier installations.

Indexing components are always installed with the Enforce Server, including on single-tier Symantec Data Loss Prevention installations.

The process of installing a remote indexer is similar to installing a detection server, except that you choose Indexer in the Select Components panel. See the Symantec Data Loss Prevention Administration Guide for detailed information on installing and using a remote indexer.

See “Installing a detection server” on page 45.

Detection server installation preparations

Before installing a detection server:

■ You must install the Enforce Server (or a single-tier Symantec Data Loss Prevention installation) and import a solution pack before installing a detection server.

■ Complete the preinstallation steps on the detection server system. See “Symantec Data Loss Prevention preinstallation steps” on page 22.

■ Verify that the system is ready for detection server installation. See “Verifying that servers are ready for Symantec Data Loss Prevention installation” on page 23.

■ Before you begin, make sure that you have access and permission to run the Symantec Data Loss Prevention installer software: ProtectInstaller64_12.5.exe.

■ Before you begin, make sure that you have WinPcap. On the Internet, go to the following URL: http://www.winpcap.org. See the Symantec Data Loss Prevention System Requirements and Compatibility Guide for version requirements.

Note: The WinPcap software is only required for the Network Monitor Server. However, Symantec recommends that you install WinPcap no matter which type of detection server you plan to install and configure.

■ Before you begin, make sure that you have Wireshark, available from www.wireshark.org. During the Wireshark installation process on Windows platforms, do not install a version of WinPcap lower than 4.1.1.

■ Before you begin, make sure that you have Windows Services for UNIX (SFU) version 3.5 (SFU35SEL_EN.exe). SFU is required for a Network Discover Server to run a scan against a target on a UNIX machine. SFU can be downloaded from Microsoft.

See “Installing a detection server” on page 45.

Installing a detection server

Follow this procedure to install the detection server software on a server computer. Note that you specify the type of detection server during the server registration process that follows this installation process.

See “About detection servers” on page 41.

Note: Symantec recommends that you disable any antivirus, pop-up blocker, and registry-protection software before you begin the detection server installation process.

Note: The following instructions assume that the ProtectInstaller64_12.5.exe file has been copied into the c:\temp directory on the server computer.


To install a detection server

1 Make sure that installation preparations are complete.

See “Detection server installation preparations” on page 44.

2 Log on (or remote logon) as Administrator to the computer that is intended for the server.

3 If you are installing a Network Monitor detection server, install WinPcap on the server computer. Follow these steps:

■ On the Internet, go to the following URL: http://www.winpcap.org/archive/

■ Download WinPcap to a local drive.

■ Double-click on the WinPcap .exe and follow the on-screen installation instructions.

■ Enter yes, then click OK.

■ Double-click on the pcapstart.reg file in the \12.5_Win\Third_Party\ directory to add WinPcap to the Windows registry.

4 Copy the Symantec Data Loss Prevention installer (ProtectInstaller64_12.5.exe) from the Enforce Server to a local directory on the detection server.

ProtectInstaller64_12.5.exe is included in your software download (DLPDownloadHome) directory. It should have been copied to a local directory on the Enforce Server during the Enforce Server installation process.

5 Click Start > Run > Browse to navigate to the folder where you copied the ProtectInstaller64_12.5.exe file.

6 If you are installing a FIPS-enabled detection server, run the Symantec Data Loss Prevention installer from a command line by entering the following command:

ProtectInstaller64_12.5.exe -VJCEProviderType=FIPS

If you are not installing a FIPS-enabled detection server, double-click ProtectInstaller64_12.5.exe to execute the file, and click OK.

See “Installing Symantec Data Loss Prevention with FIPS encryption enabled” on page 126.

The installer files unpack, and the Welcome panel of the Installation Wizard appears.


7 Click Next.

The License Agreement panel appears.

8 After reviewing the license agreement, select I accept the agreement, and click Next.

The Select Components panel appears.

9 In the Select Components panel, select Detection and click Next.

10 In the Hosted Network Prevent panel, select the Hosted Network Prevent option only if you are installing a Network Prevent for Email or Network Prevent for Web server into a hosted environment, or to an environment that connects to the Enforce Server by a WAN. If you are installing a hosted Network Prevent server, you will also need to generate and install unique certificates to secure server communication.

See “About hosted Network Prevent deployments” on page 13.

See “Using sslkeytool to generate new Enforce and detection server certificates” on page 55.

11 In the Select Destination Directory panel, accept the default destination directory, or enter an alternate directory, and click Next. For example:

c:\SymantecDLP

Symantec recommends that you use the default destination directory. However, you can click Browse to navigate to a different installation location instead.

Directory names, IP addresses, and port numbers created or specified during the installation process must be entered in standard 7-bit ASCII characters only. Extended (hi-ASCII) and double-byte characters are not supported.

Note: Do not install Symantec Data Loss Prevention in a folder or path that includes spaces. For example, c:\Program Files\SymantecDLP is not a valid installation location.

12 In the Select Start Menu Folder panel, enter the Start Menu folder where you want the Symantec Data Loss Prevention shortcuts to appear.

The default is Symantec DLP.

13 Select one of the following options:

■ Create shortcuts for all users
The shortcuts are available in the same location for all users of the Enforce Server.

■ Don’t create a Start Menu folder
The Symantec Data Loss Prevention shortcuts are not available from the Start menu.

14 In the System Account panel, create the Symantec Data Loss Prevention system account user name and password, and confirm the password. Then click Next.

This account is used to manage the Symantec Data Loss Prevention services.

The password you enter for the System Account must conform to the password policy of the server operating system. For example, the server on which you install Symantec Data Loss Prevention may require that all passwords include special characters.

The Transport Configuration panel appears.

15 Enter the following settings and then click Next.

■ Port. Accept the default port number (8100) on which the detection server should accept connections from the Enforce Server. If you cannot use the default port, you can change it to any port higher than port 1024, in the range of 1024–65535.

■ Network Interface (bind address). Enter the detection server network interface to use to communicate with the Enforce Server. If there is only one network interface, leave this field blank.

The Installing panel appears, and displays a progress bar. After a successful installation, the Completing panel appears.

16 Select the Start Services check box to start the Symantec Data Loss Prevention services, and then click Finish.

The services can also be started or stopped using the Windows Services utility.

Note that starting all of the services can take up to a minute. The installation program window may persist for a while during the startup of the services.

17 Restart any antivirus, pop-up blocker, or other protection software that you disabled before starting the Symantec Data Loss Prevention installation process.


18 Verify the detection server installation.

See “Verifying a detection server installation” on page 49.

19 Use the Enforce Server administration console to register the server with the Enforce Server.

During the server registration process, you select the type of detection server.

See “Registering a detection server” on page 49.

See “Verifying a detection server installation” on page 49.

Verifying a detection server installation

After installing a server, verify that it is correctly installed before you register it.

See “Installing a detection server” on page 45.

To verify a detection server installation

1 If you selected the option Start Services, then confirm that the Vontu Monitor and Vontu Update services are running.

2 If the Symantec Data Loss Prevention services do not start, check log files for possible issues (for example, connectivity, password, or database access issues).

■ The Symantec Data Loss Prevention installation log is c:\SymantecDLP\.install4j\installation.log

■ Symantec Data Loss Prevention operational logs are in c:\SymantecDLP\Protect\logs

Registering a detection server

Before registering a server, you must install and verify the server software.

See “Installing a detection server” on page 45.

See “Verifying a detection server installation” on page 49.

After the detection server is installed, use the Enforce Server administration console to register the detection server as the type of detection server you want.

To register a detection server

1 Log on to the Enforce Server as Administrator.

2 Go to System > Servers > Overview.

The System Overview page appears.


3 Click Add Server.

4 Select the type of detection server to add and click Next.

The following detection server options are available:

■ For Network Monitor Server select Network Monitor.

■ For Network Discover Server select Network Discover. If you want to install Network Protect, make sure you are licensed for Network Protect and select the Network Discover option. Network Protect provides additional protection features to Network Discover.

■ For Network Prevent for Email Server select Network Prevent for E-mail.

■ For Network Prevent for Web Server select Network Prevent for Web. If your Symantec Data Loss Prevention license includes both Mobile Prevent and Network Prevent for Web, you register a single detection server called Network and Mobile Prevent for Web.

■ For Mobile Prevent, select Mobile Prevent for Web. If your Symantec Data Loss Prevention license includes both Mobile Prevent for Web and Network Prevent for Web, you register a single detection server called Network and Mobile Prevent for Web.

■ For Endpoint Prevent and Endpoint Discover select Endpoint Prevent.

■ For Classification Server select Classification.

■ For Single-Tier Servers, select Single Tier Server.

See “About detection servers” on page 41.

The Configure Server screen appears.

5 Enter the General information. This information defines how the server communicates with the Enforce Server.

■ In Name, enter a unique name for the detection server.

■ In Host, enter the detection server’s host name or IP address. (For a single-tier installation, click the Same as Enforce check box to autofill the host information.)

■ In Port, enter the port number the detection server uses to communicate with the Enforce Server. If you chose the default port when you installed the detection server, then enter 8100. However, if you changed the default port, then enter the same port number here (it can be any port higher than 1024).

The additional configuration options displayed on the Configure Server page vary according to the type of server you selected.


6 Specify the remaining configuration options as appropriate.

See the Symantec Data Loss Prevention Administration Guide for details on how to configure each type of server.

7 Click Save.

The Server Detail screen for that server appears.

8 If necessary, click Server Settings or other configuration tabs to specify additional configuration parameters.

9 If necessary, restart the server by clicking Recycle on the Server Detail screen. Or you can start the Vontu services manually on the server itself.

See “About Data Loss Prevention services” on page 115.

10 To verify that the server was registered, return to the System Overview page. Verify that the detection server appears in the server list, and that the server status is Running.

11 To verify the type of certificates that the server uses, select System > Servers > Alerts. Examine the list of alerts to determine the type of certificates that Symantec Data Loss Prevention servers use:

■ If servers use the built-in certificate, the Enforce Server shows a warning event with code 2709: Using built-in certificate.

■ If servers use unique, generated certificates, the Enforce Server shows an info event with code 2710: Using user generated certificate.


Chapter 5: Configuring certificates for secure communications between Enforce and detection servers

This chapter includes the following topics:

■ About the sslkeytool utility and server certificates

■ About sslkeytool command line options

■ Using sslkeytool to generate new Enforce and detection server certificates

■ Using sslkeytool to add new detection server certificates

■ Verifying server certificate usage

About the sslkeytool utility and server certificates

Symantec Data Loss Prevention uses Secure Socket Layer/Transport Layer Security (SSL/TLS) to encrypt all data that is transmitted between servers. Symantec Data Loss Prevention also uses the SSL/TLS protocol for mutual authentication between servers. Servers implement authentication by the mandatory use of client and server-side certificates. By default, connections between servers use a single, self-signed certificate that is embedded securely inside the Symantec Data Loss Prevention software. All Symantec Data Loss Prevention installations at all customer sites use this same certificate.


Symantec recommends that you replace the default certificate with unique, self-signed certificates for your organization’s installation. Because every installation ships with the same built-in certificate and private key, the default certificate encrypts traffic but cannot prove which server is on the other end of a connection: any party with a copy of the software holds the same key. You store a certificate on the Enforce Server, and on each detection server that communicates with the Enforce Server. These certificates are generated with the sslkeytool utility.

Note: If you install a Network Prevent detection server in a hosted environment, you must generate unique certificates for your Symantec Data Loss Prevention servers. You cannot use the built-in certificate to communicate with a hosted Network Prevent server.

Symantec recommends that you create dedicated certificates for communication with your Symantec Data Loss Prevention servers. When you configure the Enforce Server to use a generated certificate, all detection servers in your installation must also use generated certificates. You cannot use the generated certificate with some detection servers and the built-in certificate with other servers. Single-tier deployments do not support generated certificates. You must use the built-in certificate with single-tier deployments.

See “About sslkeytool command line options” on page 53.

See “Using sslkeytool to generate new Enforce and detection server certificates” on page 55.

See “Using sslkeytool to add new detection server certificates” on page 58.

See “About server security and SSL/TLS certificates” on page 97.

About sslkeytool command line options

The sslKeyTool is a command-line utility that generates a unique pair of SSL certificates (keystore files). The sslKeyTool utility is located in the \SymantecDLP\Protect\bin directory (Windows) or /opt/SymantecDLP/Protect/bin (Linux). It must run under the Symantec Data Loss Prevention operating system user account which, by default, is “protect.” Also, you must run the sslKeyTool utility directly on the Enforce Server computer.

Table 5-1 lists the command forms and options that are available for the sslKeyTool utility:


Table 5-1 sslKeyTool command forms and options

Command and options: sslKeyTool -genkey [-dir=<directory> -alias=<aliasFile>]
Description: You use this command form the first time you generate unique certificates for your Symantec Data Loss Prevention installation. This command generates two unique certificates (keystore files) by default: one for the Enforce Server and one for other detection servers. The optional -dir argument specifies the directory where the keystore files are placed. The optional -alias argument generates additional keystore files for each alias specified in the aliasFile. You can use the alias file to generate unique certificates for each detection server in your system (rather than using the same certificate on each detection server).

Command and options: sslKeyTool -list=<file>
Description: This command lists the content of the specified keystore file.

Command and options: sslKeyTool -alias=<aliasFile> -enforce=<enforceKeystoreFile> [-dir=<directory>]
Description: You use this command form to add new detection server certificates to an existing Symantec Data Loss Prevention installation. This command generates multiple certificate files for detection servers using the aliases you define in aliasFile. You must specify an existing Enforce Server keystore file to use when generating the new detection server keystore files. The optional -dir argument specifies the directory where the keystore files are placed. If you do not specify the -dir option, the Enforce Server keystore file must be in the current directory, and the monitor certificates will appear in the current directory. If you do specify the -dir argument, you must also place the Enforce Server keystore file in the specified directory.

Table 5-2 provides examples that demonstrate the usage of the sslKeyTool command forms and options.


Table 5-2 sslKeyTool examples

Example: sslkeytool -genkey
Description: This command generates two files:
■ enforce.timestamp.sslKeyStore
■ monitor.timestamp.sslKeyStore
Unless you specified a different directory with the -dir argument, these two keystore files are created in the bin directory where the sslkeytool utility resides.

Example: sslkeytool -alias=Monitor.list.txt -enforce=enforce.date.sslkeystore
Description: Without the directory option -dir, the Enforce Server certificate must be in the current directory. The new detection server certificate(s) will be created in the current directory.

Example: sslkeytool -alias=Monitor.list.txt -enforce=enforce.date.sslkeystore -dir=C:\TEMP
Description: With the directory option -dir=C:\TEMP, the Enforce Server certificate must be in the C:\TEMP directory. The new detection server certificate(s) will be created in the C:\TEMP directory.
Note: Use an absolute path for the -dir option, or a path that is relative to the current directory.

See “About the sslkeytool utility and server certificates” on page 52.

See “Using sslkeytool to generate new Enforce and detection server certificates”on page 55.

See “Using sslkeytool to add new detection server certificates” on page 58.

See “About server security and SSL/TLS certificates” on page 97.

Using sslkeytool to generate new Enforce and detection server certificates

After installing Symantec Data Loss Prevention, use the -genkey argument with sslKeyTool to generate new certificates for the Enforce Server and detection servers. Symantec recommends that you replace the default certificate used to secure communication between servers with unique, self-signed certificates. The -genkey argument automatically generates two certificate files. You store one certificate on the Enforce Server, and the second certificate on each detection server. The optional -alias argument lets you generate a unique certificate file for each detection server in your system. To use -alias you must first create an alias file that lists the name of each alias to create. Per-server certificates also limit the damage from a compromised detection server: with a single shared monitor keystore, every detection server holds the same private key, so any one of them can present itself to the Enforce Server as any other.


Note: The steps that follow are for generating unique certificates for the Enforce Server and detection servers at the same time. If you need to generate one or more detection server certificates after the Enforce Server certificate is generated, the procedure is different. See “Using sslkeytool to add new detection server certificates” on page 58.

To generate unique certificates for Symantec Data Loss Prevention servers

1 Log on to the Enforce Server computer using the "protect" user account you created during Symantec Data Loss Prevention installation.

2 From a command window, go to the directory where the sslKeyTool utility is stored:

On Windows this directory is c:\SymantecDLP\Protect\bin.

3 If you want to create a dedicated certificate file for each detection server, first create a text file to list the alias names you want to create. Place each alias on a separate line. For example:

net_monitor01

protect01

endpoint01

smtp_prevent01

web_prevent01

classification01

Note: The -genkey argument automatically creates certificates for the "enforce" and "monitor" aliases. Do not add these aliases to your custom alias file.

4 Run the sslkeytool utility with the -genkey argument and optional -dir argument to specify the output directory. If you created a custom alias file, also specify the optional -alias argument, as in the following example:

Windows:

sslkeytool -genkey -alias=.\aliases.txt -dir=.\generated_keys

This generates new certificates (keystore files) in the specified directory. Two files are automatically generated with the -genkey argument:

■ enforce.timestamp.sslKeyStore

■ monitor.timestamp.sslKeyStore


The sslkeytool also generates individual files for any aliases that are defined in the alias file. For example:

■ net_monitor01.timestamp.sslKeyStore

■ protect01.timestamp.sslKeyStore

■ endpoint01.timestamp.sslKeyStore

■ smtp_prevent01.timestamp.sslKeyStore

■ web_prevent01.timestamp.sslKeyStore

■ classification01.timestamp.sslKeyStore

5 Copy the certificate file whose name begins with enforce to the keystore directory on the Enforce Server.

On Windows the path is c:\SymantecDLP\Protect\keystore.

6 If you want to use the same certificate file with all detection servers, copy the certificate file whose name begins with monitor to the keystore directory of each detection server in your system.

On Windows the path is c:\SymantecDLP\Protect\keystore.

If you generated a unique certificate file for each detection server in your system, copy the appropriate certificate file to the keystore directory on each detection server computer.

7 Delete or secure any additional copies of the certificate files to prevent unauthorized access to the generated keys.

8 Restart the Vontu Monitor Controller service on the Enforce Server and the Vontu Monitor service on the detection servers.

When you install a Symantec Data Loss Prevention server, the installation program creates a default keystore in the keystore directory. When you copy a generated certificate file into this directory, the generated file overrides the default certificate. If you later remove the certificate file from the keystore directory, Symantec Data Loss Prevention reverts to the default keystore file embedded within the application. This behavior ensures that data traffic is always protected. Because this fallback is silent, check the certificate alerts after every keystore change so that an accidentally removed or misnamed keystore does not quietly downgrade the deployment to the shared built-in certificate. Note, however, that you cannot use the built-in certificate with certain servers and a generated certificate with other servers. All servers in the Symantec Data Loss Prevention system must use either the built-in certificate or a custom certificate.

Note: If more than one keystore file is placed in the keystore directory, the server does not start.

See “Using sslkeytool to add new detection server certificates” on page 58.


See “About sslkeytool command line options” on page 53.

See “About the sslkeytool utility and server certificates” on page 52.

See “About server security and SSL/TLS certificates” on page 97.

Using sslkeytool to add new detection server certificates

Use sslkeytool with the -alias argument to generate new certificate files for an existing Symantec Data Loss Prevention deployment. When you use this command form, you must provide the current Enforce Server keystore file, so that sslkeytool can embed the Enforce Server certificate in the new detection server certificate files that you generate.

The following procedure generates one or more new detection server certificates.

To generate new detection server certificates

1 Log on to the Enforce Server computer using the "protect" user account that you created during Symantec Data Loss Prevention installation.

2 From a command window, go to the bin directory where the sslkeytool utility is stored.

On Windows the path is c:\SymantecDLP\Protect\bin.

3 Create a directory in which you will store the new detection server certificate files. For example:

mkdir new_certificates

4 Copy the Enforce Server certificate file to the new directory. For example:

Windows command:

copy ..\keystore\enforce.Fri_Jul_23_11_24_20_PDT_2014.sslkeyStore .\new_certificates

5 Create a text file that lists the new server alias names that you want to create. Place each alias on a separate line. For example:

network02

smtp_prevent02


6 Run the sslkeytool utility with the -alias argument and -dir argument to specify the output directory. Also specify the name of the Enforce Server certificate file that you copied into the certificate directory. For example:

Windows command:

sslkeytool -alias=.\aliases.txt -enforce=enforce.Fri_Jul_23_11_24_20_PDT_2014.sslkeyStore -dir=.\new_certificates

This generates a new certificate file for each alias, and stores the new files in the specified directory. Each certificate file also includes the Enforce Server certificate from the Enforce Server keystore that you specify.

7 Copy each new certificate file to the keystore directory on the appropriate detection server computer.

On Windows the path is c:\SymantecDLP\Protect\keystore.

Note: After creating a new certificate for a detection server (monitor.date.sslkeystore), the Enforce Server certificate file (enforce.date.sslkeystore) in the output directory is updated with an entry for each new detection server. Copy the updated Enforce Server certificate file to the keystore directory on the Enforce Server, replacing the previous one, and repeat the process for each new detection server certificate that you generate.

8 Delete or secure any additional copies of the certificate files to prevent unauthorized access to the generated keys.

9 Restart the Vontu Monitor service on each detection server to use the new certificate file. If you replaced the Enforce Server keystore file, also restart the Vontu Monitor Controller service on the Enforce Server, as in the initial certificate procedure.
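The following PowerShell script is an added example covering both certificate procedures in this chapter (the initial -genkey generation and the later -alias/-enforce addition); it is not part of the Symantec guide or product. It assumes the Windows paths the guide gives (c:\SymantecDLP\Protect\bin and c:\SymantecDLP\Protect\keystore), that sslkeytool resolves through PATHEXT because the guide names it without an extension, that generated keystores are the only *.sslKeyStore files in a keystore directory and that the updated Enforce keystore keeps its file name, that the service display names are "Vontu Monitor Controller" and "Vontu Monitor", and that the detection servers expose the C$ share and WinRM to the caller. The host names in the alias map are constructed sample data.

```powershell
# Added example, not code from the Symantec guide. Run on the Enforce Server as the
# "protect" user, with administrator rights on the detection servers for the copy
# and service-restart steps. Assumptions are listed in the text above.

$DlpBin      = 'C:\SymantecDLP\Protect\bin'
$DlpKeystore = 'C:\SymantecDLP\Protect\keystore'
$SslKeyTool  = Join-Path $DlpBin 'sslkeytool'   # extension resolved via PATHEXT (assumption)

# Constructed sample mapping of alias -> detection server host; replace with your own.
$AliasToHost = @{
    'net_monitor01'  = 'dlpmon01.corp.example'
    'smtp_prevent01' = 'dlpsmtp01.corp.example'
}

function Write-DlpAliasFile {
    param([string[]]$Aliases, [string]$Path)
    # -genkey already creates the "enforce" and "monitor" aliases; the guide says not to list them.
    foreach ($a in $Aliases) {
        if (@('enforce', 'monitor') -contains $a.ToLower()) { throw "alias '$a' is reserved by sslkeytool" }
        if ($a -notmatch '^[A-Za-z0-9_.-]+$') { throw "alias '$a' is not plain 7-bit ASCII" }
    }
    if (@($Aliases | Select-Object -Unique).Count -ne $Aliases.Count) { throw 'duplicate alias in list' }
    Set-Content -Path $Path -Value $Aliases -Encoding ASCII
}

function Install-DlpKeystore {
    param([string]$KeystoreFile, [string]$KeystoreDir)
    # A keystore directory holding more than one keystore file stops the server from starting,
    # so park any previous generated keystore outside the directory before copying the new one in.
    $backup = Join-Path (Split-Path $KeystoreDir -Parent) 'keystore-previous'
    New-Item -ItemType Directory -Path $backup -Force | Out-Null
    Get-ChildItem -Path $KeystoreDir -Filter '*.sslKeyStore' | Move-Item -Destination $backup -Force
    Copy-Item -Path $KeystoreFile -Destination $KeystoreDir
    $n = @(Get-ChildItem -Path $KeystoreDir -Filter '*.sslKeyStore').Count
    if ($n -ne 1) { throw "$KeystoreDir holds $n keystore files; exactly one is allowed" }
}

function Invoke-SslKeyTool {
    param([string[]]$Arguments)
    Push-Location $DlpBin   # the guide runs the tool from its bin directory
    try {
        & $SslKeyTool @Arguments
        if ($LASTEXITCODE -ne 0) { throw "sslkeytool $($Arguments -join ' ') failed ($LASTEXITCODE)" }
    } finally { Pop-Location }
}

function New-DlpCertificateSet {
    # First-time generation (sslkeytool -genkey): keystores for enforce, monitor and every alias.
    param([string[]]$Aliases, [string]$OutDir)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $aliasFile = Join-Path $OutDir 'aliases.txt'
    Write-DlpAliasFile -Aliases $Aliases -Path $aliasFile
    Invoke-SslKeyTool -Arguments @('-genkey', "-alias=$aliasFile", "-dir=$OutDir")
    $enforce = @(Get-ChildItem -Path $OutDir -Filter '*.sslKeyStore' | Where-Object { $_.Name -like 'enforce.*' })
    if ($enforce.Count -ne 1) { throw 'sslkeytool -genkey did not produce exactly one enforce keystore' }
    Install-DlpKeystore -KeystoreFile $enforce[0].FullName -KeystoreDir $DlpKeystore
    Restart-Service -DisplayName 'Vontu Monitor Controller'
}

function Add-DlpDetectionCertificate {
    # Later additions (sslkeytool -alias -enforce): the current Enforce keystore must sit in -dir,
    # and the tool updates it with an entry per new alias, so the updated copy goes back to Enforce.
    param([string[]]$Aliases, [string]$OutDir)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $aliasFile = Join-Path $OutDir 'aliases.txt'
    Write-DlpAliasFile -Aliases $Aliases -Path $aliasFile
    $enforce = @(Get-ChildItem -Path $DlpKeystore -Filter '*.sslKeyStore' | Where-Object { $_.Name -like 'enforce.*' })
    if ($enforce.Count -ne 1) { throw "expected one enforce keystore in $DlpKeystore, found $($enforce.Count)" }
    Copy-Item -Path $enforce[0].FullName -Destination $OutDir
    Invoke-SslKeyTool -Arguments @("-alias=$aliasFile", "-enforce=$($enforce[0].Name)", "-dir=$OutDir")
    Install-DlpKeystore -KeystoreFile (Join-Path $OutDir $enforce[0].Name) -KeystoreDir $DlpKeystore
    Restart-Service -DisplayName 'Vontu Monitor Controller'
}

function Publish-DlpDetectionKeystores {
    # Copy each alias keystore to its detection server, restart Vontu Monitor there, then remove
    # the staged copies: every remaining keystore in $OutDir contains a private key (step 7).
    param([string]$OutDir, [hashtable]$HostMap)
    foreach ($alias in $HostMap.Keys) {
        $file = @(Get-ChildItem -Path $OutDir -Filter '*.sslKeyStore' | Where-Object { $_.Name -like "$alias.*" })
        if ($file.Count -ne 1) { throw "expected one keystore for alias '$alias', found $($file.Count)" }
        $server = $HostMap[$alias]
        Install-DlpKeystore -KeystoreFile $file[0].FullName -KeystoreDir "\\$server\C$\SymantecDLP\Protect\keystore"
        Invoke-Command -ComputerName $server -ScriptBlock { Restart-Service -DisplayName 'Vontu Monitor' }
    }
    Get-ChildItem -Path $OutDir -Filter '*.sslKeyStore' | Remove-Item -Force
}

# Initial rollout:
#   New-DlpCertificateSet -Aliases @($AliasToHost.Keys) -OutDir "$DlpBin\generated_keys"
#   Publish-DlpDetectionKeystores -OutDir "$DlpBin\generated_keys" -HostMap $AliasToHost
# Adding a detection server later:
#   Add-DlpDetectionCertificate -Aliases @('smtp_prevent02') -OutDir "$DlpBin\new_certificates"
#   Publish-DlpDetectionKeystores -OutDir "$DlpBin\new_certificates" -HostMap @{ 'smtp_prevent02' = 'dlpsmtp02.corp.example' }
```

Install-DlpKeystore is the check that matters operationally: it refuses to leave a keystore directory with anything other than exactly one keystore file, which is the condition under which the guide says the server does not start, and it moves the previous keystore out of the directory rather than renaming it in place. After running either flow, confirm in System > Servers > Alerts that every server reports event 2710 rather than 2709.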

Verifying server certificate usage

Symantec Data Loss Prevention uses system events to indicate whether servers are using the built-in certificate or user-generated certificates to secure communication. If servers use the default, built-in certificate, Symantec Data Loss Prevention generates a warning event. If servers use generated certificates, Symantec Data Loss Prevention generates an info event.

Symantec recommends that you use generated certificates, rather than the built-in certificate, for added security.


If you install Network Prevent to a hosted environment, you cannot use the built-in certificate and you must generate and use unique certificates for the Enforce Server and detection servers.

To determine the type of certificates that Symantec Data Loss Prevention uses

1 Start the Enforce Server or restart the Vontu Monitor Controller service on the Enforce Server computer.

2 Start each detection server or restart the Vontu Monitor service on each detection server computer.

3 Log in to the Enforce Server administration console.

4 Select System > Servers > Alerts.

5 Check the list of alerts to determine the type of certificates that Symantec Data Loss Prevention servers use:

■ If servers use the built-in certificate, the Enforce Server shows a warning event with code 2709: Using built-in certificate.

■ If servers use unique, generated certificates, the Enforce Server shows an info event with code 2710: Using user generated certificate.

Because a server silently falls back to the built-in certificate when its generated keystore is missing, treat any 2709 warning that appears after a certificate rollout as a sign that a keystore was not copied, was misnamed, or was removed.


Chapter 6: Performing a single-tier installation

This chapter includes the following topics:

■ Installing a single-tier server

■ Verifying a single-tier installation

Installing a single-tier server

Before performing a single-tier installation:

■ Complete the preinstallation steps. See “Symantec Data Loss Prevention preinstallation steps” on page 22.

■ Verify that the system is ready for installation. See “Verifying that servers are ready for Symantec Data Loss Prevention installation” on page 23.

■ For single-tier Symantec Data Loss Prevention installations, the Oracle software is installed on the Enforce Server. You must install the Oracle software and Symantec Data Loss Prevention database before installing the single-tier server. See the Symantec Data Loss Prevention Oracle 11g Installation and Upgrade Guide.

■ Before you begin, make sure that you have access and permission to run the Symantec Data Loss Prevention installer software: ProtectInstaller64_12.5.exe.

Symantec recommends that you disable any antivirus, pop-up blocker, and registry-protection software before you begin the Symantec Data Loss Prevention installation process, and re-enable it after the installation completes.


Note: The following instructions assume that the ProtectInstaller64_12.5.exe file, license file, and solution pack file have been copied into the c:\temp directory on the Enforce Server.

To install the single-tier server

1 Log on (or remote log on) as Administrator to the computer that is intended for the Symantec Data Loss Prevention single-tier installation.

2 Install WinPcap on the system before installing the detection server. Follow these steps:

■ On the Internet, go to the following URL: http://www.winpcap.org/archive/

■ Download WinPcap to a local drive.

■ Double-click on the WinPcap .exe and follow the on-screen installation instructions.

■ Enter yes, then click OK.

■ Double-click on the pcapstart.reg file in the \12.5_Win\Third_Party\ directory to add WinPcap to the Windows registry.

3 Copy the Symantec Data Loss Prevention installer (ProtectInstaller64_12.5.exe) from DLPDownloadHome to a local directory on the Enforce Server computer.

4 Click Start > Run > Browse to navigate to the folder where you copied the ProtectInstaller64_12.5.exe file.

5 Double-click ProtectInstaller64_12.5.exe to execute the file, and click OK.

6 The installer files unpack, and a welcome notice appears. Click Next.

7 In the License Agreement panel, select I accept the agreement, and click Next.

8 In the Select Components panel, select the Single Tier installation option, and click Next.

9 In the License File panel, browse to the directory containing your license file. Select the license file, and click Next.

License files have names in the format name.slf.


10 In the Select Destination Directory panel, accept the Symantec Data Loss Prevention default destination directory and click Next.

c:\SymantecDLP

Symantec recommends that you use the default destination directory. However, you can click Browse to navigate to a different installation location instead.

Directory names, account names, passwords, IP addresses, and port numbers created or specified during the installation process must be entered in standard 7-bit ASCII characters only. Extended (hi-ASCII) and double-byte characters are not supported.

Note: Do not install Symantec Data Loss Prevention in a folder or path that includes spaces. For example, c:\Program Files\SymantecDLP is not a valid installation location.

11 In the Select Start Menu Folder panel, enter the Start Menu folder where you want the Symantec Data Loss Prevention shortcuts to appear.

12 Select one of the following options and then click Next:

■ Create shortcuts for all users: The shortcuts are available in the same location for all users of the Enforce Server.

■ Don’t create a Start Menu folder: The Symantec Data Loss Prevention shortcuts are not available from the Start menu.

13 In the System Account panel, create the Symantec Data Loss Prevention system account user name and password and confirm the password. Then click Next.

This account is used to manage Symantec Data Loss Prevention services. The password you enter for the System Account must conform to the password policy of the server operating system. For example, the server may require all passwords to include special characters.

14 In the Transport Configuration panel, accept the default port number (8100) on which the detection server should accept connections from the Enforce Server. You can change this default to any port higher than port 1024. Click Next.


15 In the Oracle Database Server Information panel, enter the Oracle Database Server host name or IP address and the Oracle Listener Port.

Default values should already be present for these fields. Since this is a single-tier installation with the Oracle database on this same system, 127.0.0.1 is the correct value for Oracle Database Server Information and 1521 is the correct value for the Oracle Listener Port.

Click Next.

16 In the Oracle Database User Configuration panel, enter the Symantec Data Loss Prevention database user name and password, confirm the password, and enter the database SID (typically “protect”). Then click Next.

See the Symantec Data Loss Prevention Oracle 11g Installation and Upgrade Guide.

If your Oracle database is not the required version, a warning notice appears. You can click OK to continue the installation and upgrade the Oracle database at a later time.

17 In the Additional Locale panel, select an alternate locale, or accept the default of None, and click Next.

Locale controls the format of numbers and dates, and how lists and reports are alphabetically sorted. If you accept the default choice of None, English is the locale for this Symantec Data Loss Prevention installation. If you choose an alternate locale, that locale becomes the default for this installation, but individual users can select English as a locale for their use.

See the Symantec Data Loss Prevention Administration Guide for more information on locales.

18 In the Initialize DLP Database panel, select one of the following options:

■ For a new Symantec Data Loss Prevention installation, select the Initialize Enforce Data option. You can also select this option if you are reinstalling and want to overwrite the existing Enforce schema and all data. Note that this action cannot be undone. If this check box is selected, the data in your existing Symantec Data Loss Prevention database is destroyed after you click Next.

■ Clear the Initialize Enforce Data check box if you want to perform a recovery operation. Clearing the check box skips the database initialization process. If you choose to skip the database initialization, you will need to specify the unique CryptoMasterKey.properties file for the existing database that you want to use.


19 In the Single Sign On Option panel, select the sign-on option that you want to use for accessing the Enforce Server administration console, then click Next:

Option: Certificate Authentication
Description: Select this option if you want users to automatically log on to the Enforce Server administration console using client certificates that are generated by your public key infrastructure (PKI). If you choose certificate authentication, you will need to import the certificate authority (CA) certificates required to validate users' client certificates. You will also need to create Enforce Server user accounts to map common name (CN) values in certificates to Symantec Data Loss Prevention roles. See the Symantec Data Loss Prevention Administration Guide for more information.

Option: Password Authentication Only
Description: Select Password Authentication Only if you want users to log onto the Enforce Server administration console using passwords entered at the sign-on page.

Note: If you are unsure of which sign on mechanism to use, select None to use the forms-based sign-on mechanism. Forms-based sign-on with password authentication is the default mechanism used in previous versions of Symantec Data Loss Prevention. You can choose to configure certificate authentication after you complete the installation, using instructions in the Symantec Data Loss Prevention Administration Guide.


20 If you selected None as your log on option, skip this step.

In the Import Certificates panel, select options for certificate authentication, then click Next:

Option: Import Certificates / Select Certificate Directory
Description: Select Import Certificates if you want to import certificate authority (CA) certificates during the Enforce Server installation. CA certificates are required to validate client certificates when you choose Certificate Authentication sign on. If the necessary CA certificates are available on the Enforce Server computer, select Import Certificates and click Browse to navigate to the directory where the .cer files are located. Uncheck Import Certificates if the necessary certificates are not available on the Enforce Server computer, or if you do not want to import certificates at this time. You can import the required certificates after installation using instructions in the Symantec Data Loss Prevention Administration Guide.

Option: Allow Form Based Authentication
Description: Select this option if you want to support password authentication with forms-based sign-on in addition to single sign-on with certificate authentication. Symantec recommends that you select this as a backup option while you configure and test certificate authentication with your PKI. You can disable password authentication and forms-based sign-on after you have validated that certificate authentication is correctly configured for your system.


21 If you chose to initialize the Enforce Server database, skip this step.

If you chose to re-use an existing Enforce Server database, the installer displays the Key Ignition Configuration panel. Click Browse and navigate to select the unique CryptoMasterKey.properties file that was used to encrypt the database.

Note: Each Symantec Data Loss Prevention installation encrypts its database using a unique CryptoMasterKey.properties file. An exact copy of this file is required if you intend to reuse the existing Symantec Data Loss Prevention database. If you do not have the CryptoMasterKey.properties file for the existing Enforce Server database, contact Symantec Technical Support to recover the file.

Click Next to continue the installation.


22 If you chose to re-use an existing Enforce Server database, skip this step.

In the Administrator Credentials panel, specify information according to the sign-on option that you selected and click Next:

Option: Password / Re-enter Password
Description: If you chose an option to support password authentication with forms-based log on, enter a password for the Enforce Server Administrator account in both the Password and Re-enter Password fields. The Administrator password must contain a minimum of eight characters. You can change the Administrator password from the Enforce Server administration console at any time. Note: These fields are not displayed if you selected Certificate Authentication but you did not select Allow Form Based Authentication. In this case, you must log on to the Enforce Server administration console using a client certificate that contains the administrator's common name value.

Option: Common Name (CN)
Description: If you chose to support certificate authentication, enter the Common Name (CN) value that corresponds to the Enforce Server Administrator user. The Enforce Server assigns administrator privileges to the user who logs on with a client certificate that contains this CN value. Note: This field is displayed only if you selected Certificate Authentication.

23 Click Next.

The installation process begins. After the Installation Wizard extracts the files, it connects to the database using the name and password that you entered earlier. The wizard then creates the database tables. If any problems with the database are discovered, a notification message displays.

The Installing panel appears, and displays a progress bar.


24 Confirm your participation in the Symantec Data Loss Prevention Supportability Telemetry program, and provide the appropriate information.

The Symantec Data Loss Prevention Supportability Telemetry Program can significantly improve the quality of Symantec Data Loss Prevention. For more information, click the Supportability and Telemetry Program Details link.

25 Select the Start Services check box to start the Symantec Data Loss Prevention services after the completion notice displays.

The services can also be started or stopped using the Windows Services utility.

26 Click Finish.

Starting all of the services can take up to a minute. The installation program window may persist for a while, during the startup of the services. After a successful installation, a completion notice displays.

27 Verify the Symantec Data Loss Prevention single-tier installation.

See “Verifying a single-tier installation” on page 69.

28 You must import a Symantec Data Loss Prevention solution pack immediatelyafter installing and verifying the single-tier server, and before changing anysingle-tier server configurations.

See “About Symantec Data Loss Prevention solution packs” on page 37.

29 After importing a solution pack, register the detection server component of thesingle-tier installation.

See “Registering a detection server” on page 49.

30 Back up the unique CryptoMasterKey.properties file for your installationand store the file in a safe place. This file is required for Symantec Data LossPrevention to encrypt and decrypt the Enforce Server database.

Note: Each Symantec Data Loss Prevention installation encrypts its databaseusing a unique CryptoMasterKey.properties file. An exact copy of this fileis required if you intend to reuse the existing Symantec Data Loss Preventiondatabase. If the CryptoMasterKey.properties file becomes lost or corruptedand you do not have a backup, contact Symantec Technical Support to recoverthe file.

Verifying a single-tier installationAfter installing Symantec Data Loss Prevention on a single-tier system, verify thatit is operating correctly before importing a solution pack.


To verify a single-tier installation

1 If you selected the option Start Services, then confirm that all of the Symantec Data Loss Prevention Services are running under the System Account user name that you specified during installation.

Note that on Windows platforms, all services run under the System Account user name except for the Vontu Update services, which run as username_update.

Symantec Data Loss Prevention includes the following services:

■ Vontu Manager

■ Vontu Incident Persister

■ Vontu Notifier

■ Vontu Update

■ Vontu Monitor

■ Vontu Monitor Controller

2 If the Symantec Data Loss Prevention services do not start, check the log files for possible issues (for example, connectivity, password, or database access issues).

■ The Symantec Data Loss Prevention installation log is c:\SymantecDLP\.install4j\installation.log

■ Symantec Data Loss Prevention operational logs are in c:\SymantecDLP\Protect\logs

■ Oracle logs can be found in c:\app\Administrator\admin\protect on the Oracle server computer.

Once you have verified the Enforce Server installation, you can log on to the Enforce Server to view the administration console.

See the Symantec Data Loss Prevention Administration Guide for information about logging on to, and using, the Enforce Server administration console.

You must import a Symantec Data Loss Prevention solution pack immediately after installing and verifying the single-tier server, and before changing any single-tier server configurations.

See “About Symantec Data Loss Prevention solution packs” on page 37.

After importing a solution pack, register a detection server.

See “Registering a detection server” on page 49.


Chapter 7: Installing Symantec DLP Agents

This chapter includes the following topics:

■ DLP Agent installation overview

■ About secure communications between DLP Agents and Endpoint Servers

■ Identify security applications running on endpoints

■ About Endpoint Server redundancy

■ Using the Elevated Command Prompt with Windows

■ Process to install the DLP Agent on Windows

■ Process to install the DLP Agent on Mac

■ About uninstallation passwords

DLP Agent installation overview

The following section describes the process to install DLP Agents.

Note: Before you begin the Symantec DLP Agent installation process, confirm that you have installed and configured an Endpoint Server. See “Detection server installation preparations” on page 44.

See “About Endpoint Server redundancy” on page 79.


Table 7-1 Agent installation steps

Step 1. Create the agent installation package.
You create the agent installation package using the Enforce Server administration console.
More information: See “About secure communications between DLP Agents and Endpoint Servers” on page 72.

Step 2. Prepare endpoints for the installation.
You prepare endpoints by completing the following:
■ Update settings on security software.
■ Change the command prompt to run in elevated mode on the Windows endpoint on which to execute the installation.
■ Consider how to best set up Endpoint Servers to manage DLP Agents.
More information:
See “Identify security applications running on endpoints” on page 79.
See “Using the Elevated Command Prompt with Windows” on page 80.
See “About Endpoint Server redundancy” on page 79.

Step 3. Install agents.
You install agents to Windows and Mac endpoints depending on your implementation.
More information:
See “Process to install the DLP Agent on Windows” on page 81.
See “Process to install the DLP Agent on Mac” on page 86.

About secure communications between DLP Agents and Endpoint Servers

Symantec Data Loss Prevention supports bidirectional authentication and secure communications between DLP Agents and Endpoint Servers using SSL certificates and public-key encryption.

Symantec Data Loss Prevention generates a self-signed certificate authority (CA) certificate on installation or upgrade. The DLP Agent initiates connections to one of the Endpoint Servers or load balancer servers and authenticates the server certificate. All certificates used for agent to server communications are signed by the self-signed CA.

See “Working with endpoint certificates” on page 77.

Symantec Data Loss Prevention automatically generates the SSL certificates and keys needed for authentication and secure communications between DLP Agents and Endpoint Servers. You use the Enforce Server administration console to generate the agent certificate and keys. The system packages the agent certificates and keys with the agent installer for deployment of DLP Agents. The certificates and keys are generated for the agent during installation.

See “Generating agent installation packages” on page 73.

Generating agent installation packages

You use the System > Agents > Agent Packaging screen to generate the installation package for DLP Agents.

See “About secure communications between DLP Agents and Endpoint Servers” on page 72.

The packaging process creates a ZIP file that contains the agent installer, SSL certificate and keys, and installation scripts to install DLP Agents. You generate a single agent installation package for each endpoint platform where you want to deploy DLP Agents.

For example, if you want to install multiple agents on Windows 64-bit endpoints, you generate a single AgentInstaller_Win64.zip package. If you specify more than one installer for packaging, such as the Windows 64-bit agent installer and the Mac 64-bit agent installer, the system generates separate agent packages for each platform.

Note: Before you start generating the agent installation packages, confirm that the agent installer has been copied to the Enforce Server local file system. See “Symantec Data Loss Prevention preinstallation steps” on page 22.

Table 7-2 provides instructions for generating agent installation packages. The instructions assume you have deployed an Endpoint Server.

Table 7-2 Generating the agent installation package

Step 1. Navigate to the Agent Packaging page.
Log on to the Enforce Server administration console as an administrator and navigate to the System > Agents > Agent Packaging page.

Step 2. Select one or more DLP Agent installation files.
Browse to the folder on the Enforce Server where you copied the agent installer files:
Windows 64-bit: AgentInstall64.msi
Windows 32-bit: AgentInstall.msi
Mac 64-bit: AgentInstall.pkg
See “Symantec Data Loss Prevention preinstallation steps” on page 22.

Step 3. Enter the server host name.
Typically you enter the common name (CN) of the Endpoint Server host, or you can enter the IP address of the server.
Be consistent with the type of identifier you use (CN or IP). If you used the CN for the Endpoint Server when deploying it, use the same CN for the agent package. If you used an IP address to identify the Endpoint Server, use the same IP address for the agent package.
Alternatively, you can enter the CN or IP address of a load balancer server.

Step 4. Enter the port number for the server.
The default port is 10443. Typically you do not need to change the default port unless it is already in use or intended for use by another process on the server host.

Step 5. Add additional servers (optional).
Click the plus sign icon to add additional servers for failover. You can specify up to 20 Endpoint Servers in total. The first server listed is primary; additional servers are secondary and provide backup if the primary is down.
See “About Endpoint Server redundancy” on page 79.

Step 6. Enter the Endpoint tools password.
A password is required to use the Endpoint tools to administer DLP Agents. The Endpoint tools password is case-sensitive. The password is encrypted and stored in a file on the Enforce Server. If you have to change this password, you must regenerate the agent package and redeploy the agents. You should store this password in a secure format of your own so that it can be retrieved if forgotten.
See the topic "About Endpoint tools" in the Symantec Data Loss Prevention Administration Guide.

Step 7. Re-enter the Endpoint tools password.
The system validates that the passwords match and displays a message if they do not.

Step 8. Enter the target directory for the agent installation (Windows only).
The default installation directory for Windows 32- and 64-bit agents is %PROGRAMFILES%\Manufacturer\Endpoint Agent. Change the default path if you want to install the Windows agent to a different location on the endpoint host.
The target directory for the Mac agent is set by default.

Step 9. Enter the uninstall password key (optional, Windows only).
The use of an agent uninstall password is supported for Windows 32- and 64-bit agents. The uninstall password is a tamper-proof mechanism that requires a password to uninstall the DLP Agent.
See “About uninstallation passwords” on page 92.
For information on uninstalling Mac agents, refer to the topic "Removing a DLP Agent from a Mac endpoint" in the Symantec Data Loss Prevention Installation Guide.
See “Removing a DLP Agent from a Mac endpoint” on page 124.

Step 10. Click Generate Installer Packages.
This action generates the agent installer package for each platform that you selected in step 3.
If you are generating more than one package the generation process may take a few minutes.

Step 11. Save the agent package ZIP file.
When the agent packaging process is complete, the system prompts you to download the agent installation package. Save the ZIP file to the local file system. Once you have done this you can navigate away from the Agent Packaging screen to complete the process.
If you generated a single agent package, the ZIP file is named one of the following corresponding to the agent installer you uploaded:
AgentInstaller_Win64.zip
AgentInstaller_Win32.zip
AgentInstaller_Mac64.zip
If you upload more than one agent installer, the package name is AgentInstallers.zip. The ZIP file contains separate ZIP files named as above containing the agent package for each platform you selected in step 3.
See “Agent installation package contents” on page 75.

Step 12. Install DLP Agents using the agent package.
Once you have generated and downloaded the agent package, you use it to install all agents for that platform.
See “DLP Agent installation overview” on page 71.

Agent installation package contents

You generate the agent installation package for Windows and Mac agents at the System > Agents > Agent Packaging screen.

See “Generating agent installation packages” on page 73.


The agent installation package for Windows agents contains the endpoint certificates, installation files, and the package manifest.

See “DLP Agent installation overview” on page 71.

Table 7-3 AgentInstaller_Win32.zip and AgentInstaller_Win64.zip installation package contents

AgentInstall.msi or AgentInstall64.msi: Windows agent installer.
endpoint_cert.pem, endpoint_priv.pem, endpoint_truststore.pem: Agent certificate and encryption keys. See “Working with endpoint certificates” on page 77.
install_agent.bat: Use to install the agent silently.
upgrade_agent.bat: Use to upgrade the agent.
PackageGenerationManifest.mf: Package metadata.

The Mac agent package contains endpoint certificates, installation files, the package manifest, and a file to generate the installation script for the Mac OS.

See “DLP Agent installation overview” on page 71.

Table 7-4 AgentInstaller_Mac64.zip installation package contents

AgentInstall.pkg: Mac agent installer.
AgentInstall.plist: Mac agent installation properties configuration file.
create_package: Use to generate the installation script for the Mac OS.
endpoint_cert.pem, endpoint_priv.pem, endpoint_truststore.pem: Agent certificate and encryption keys. See “Working with endpoint certificates” on page 77.
Install_Readme.rtf: Provides installation steps.
PackageGenerationManifest.mf: Package metadata.


Working with endpoint certificates

Symantec Data Loss Prevention automatically generates the SSL certificates and keys needed for authentication and secure communications between DLP Agents and Endpoint Servers.

See “About secure communications between DLP Agents and Endpoint Servers” on page 72.

When you install or upgrade the Enforce Server, the system generates the DLP root certificate authority (CA) certificate. This file is versioned and the version is incremented if the file is regenerated. You can view which CA version is currently in use at the System > Settings > General screen. The password for the DLP root CA is randomly generated and used by the system. Changing the root CA password is reserved for internal use.

When you deploy an Endpoint Server, the system generates the server public-private key pair signed by the DLP root CA certificate. These files are versioned. When you generate the agent package, the system generates the agent public-private key pair and the agent certificate, also signed by the DLP root CA.

See “Generating agent installation packages” on page 73.

The DLP root CA certificate and the server key pair are stored on the Enforce Server host file system in directory \SymantecDLP\protect\keystore (Windows) or /opt/SymantecDLP/protect/keystore (Linux). These files must remain in this directory for proper agent-server connectivity. If you remove or rename one or both of the server keys, the system regenerates them when you recycle the Endpoint Server. In this scenario you do not have to regenerate the agent certificates because the certificate authority is unchanged.

Do not rename or remove the DLP root CA certificate from the keystore directory. If you do, you will need to regenerate the agent installation package and redeploy all agents because the DLP root CA is changed. To avoid this, you should back up the CA certificate and server keys, and secure them as you would other critical files.

Table 7-5 lists and describes the CA certificate and server keys generated by the system for secure agent-server communications.


Table 7-5 SSL certificates and keys for Endpoint Servers

certificate_authority_vX.jks
Description: DLP root CA certificate.
Generation: Initial: on install or upgrade of the Enforce Server. Regeneration: if the CA is not in the keystore or is renamed, on restart of the Vontu Monitor Controller service.
Deployment: Stored in the keystore directory on the Enforce Server host. Regeneration of the CA increments the version number in the file name, for example: certificate_authority_v2.jks, certificate_authority_v3.jks. If the CA is regenerated, you must regenerate the server and agent keys and redeploy the agents.

monitor###_keystore_vX.jks
Description: Server certificate, signed by the DLP root CA, and its private key.

monitor###_truststore_vX.jks
Description: Endpoint trust store for the agent to trust the server certificate (server public key).

Generation (both server files): Initial: on deployment of the Endpoint Server. Regeneration: if a server key is not in the keystore or is renamed, on restart of the Endpoint Server.
Deployment (both server files): Stored in the keystore directory on the Enforce Server host. The number after "monitor" (###) is a server identifier. It is unique to each Endpoint Server. Regeneration of the server keystore and truststore increments the version number in the files, for example: monitor###_keystore_v2.jks, monitor###_truststore_v2.jks. If the server keys are regenerated, you do not have to regenerate the agent installation package.

Table 7-6 lists the SSL certificate and keys, and the passwords, generated during the agent installation packaging process.


Table 7-6 SSL certificates and keys for DLP Agents

endpoint_cert.pem
Description: Self-signed endpoint agent certificate.

endpoint_truststore.pem
Description: Agent trust store for the server (root CA public key).

endpoint_priv.pem
Description: Private key for the endpoint agent.

Generation (all three files): During the agent installation package process.
Deployment (all three files): Deployed with the agent to each endpoint host.
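As an added example that is not part of the Symantec guide, the following Python script applies the file-naming and regeneration rules of Tables 7-5 and 7-6 to a listing of the keystore directory: it reports the current CA version and flags when the agent package must be regenerated. The CA version recorded for the agent package is an assumed operator-supplied input, since the guide does not say where that value is stored.

```python
"""Keystore inventory following the conventions in Tables 7-5 and 7-6.

Added example, not Symantec code. It parses only the versioned file names the
guide documents (certificate_authority_vX.jks, monitor###_keystore_vX.jks,
monitor###_truststore_vX.jks); the keystore contents are never opened.
"""
import re

CA_RE = re.compile(r"^certificate_authority_v(\d+)\.jks$")
SERVER_RE = re.compile(r"^monitor(\d+)_(keystore|truststore)_v(\d+)\.jks$")


def inventory_keystore(filenames):
    """Return (highest CA version or None, {server id: {kind: [versions]}})."""
    ca_versions = []
    servers = {}
    for name in filenames:
        m = CA_RE.match(name)
        if m:
            ca_versions.append(int(m.group(1)))
            continue
        m = SERVER_RE.match(name)
        if m:
            sid, kind, ver = m.group(1), m.group(2), int(m.group(3))
            servers.setdefault(sid, {"keystore": [], "truststore": []})[kind].append(ver)
    current_ca = max(ca_versions) if ca_versions else None
    return current_ca, servers


def redeploy_check(filenames, ca_version_in_agent_package):
    """Decide what must be regenerated, following the rules in Table 7-5.

    ca_version_in_agent_package is the CA version that was current when the
    agent package was generated (assumed input: the guide does not say where
    this value is recorded, so the operator supplies it).
    Returns a list of findings; an empty list means nothing needs to be done.
    """
    findings = []
    current_ca, servers = inventory_keystore(filenames)
    if current_ca is None:
        # Table 7-5: a missing or renamed CA is regenerated when the Vontu
        # Monitor Controller restarts, and that invalidates every agent.
        findings.append("no certificate_authority_vX.jks present: the CA will be "
                        "regenerated on restart; agents must then be redeployed")
        return findings
    if current_ca > ca_version_in_agent_package:
        findings.append(f"CA is at v{current_ca} but agent packages were built with "
                        f"v{ca_version_in_agent_package}: regenerate the agent "
                        "package and redeploy all agents")
    for sid, kinds in sorted(servers.items()):
        if not kinds["keystore"] or not kinds["truststore"]:
            # Server keys are regenerated on Endpoint Server restart; the agent
            # package stays valid because the CA itself is unchanged.
            findings.append(f"monitor{sid}: keystore or truststore missing; it is "
                            "regenerated on Endpoint Server restart, no agent redeploy needed")
    return findings


if __name__ == "__main__":
    # Constructed directory listing, not taken from a real installation.
    sample = ["certificate_authority_v1.jks", "certificate_authority_v2.jks",
              "monitor101_keystore_v1.jks", "monitor101_truststore_v1.jks",
              "monitor102_keystore_v2.jks"]
    for finding in redeploy_check(sample, ca_version_in_agent_package=1):
        print(finding)
```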

Identify security applications running on endpoints

Before you install the Symantec DLP Agent, identify all security applications that run on your endpoints. Configure those applications to allow the Symantec DLP Agents to function fully. Some applications generate alerts when they detect the installation or initial launch of a Symantec DLP Agent. Such alerts reveal the presence of Symantec DLP Agents and they sometimes let users block the Symantec DLP Agent entirely.

Note: See the Symantec Data Loss Prevention System Requirements and Compatibility Guide for information about configuring third-party software to work with the Symantec DLP Agent.

Check the following applications:

■ Antivirus software

■ Firewall software

Make sure that your antivirus software and firewall software recognize the Symantec DLP Agents as legitimate programs.

About Endpoint Server redundancy

You can configure the DLP Agent to connect to multiple Endpoint Servers. Endpoint Servers can be connected using a load balancer. Multiple Endpoint Servers enable incidents and events to be sent to the Enforce Server in a timely way if an Endpoint Server becomes unavailable. For example, assume that an Endpoint Server becomes unavailable because of a network partition. The DLP Agent, after a specified amount of time, connects to another Endpoint Server to transmit the incidents and events that it has stored. The Symantec DLP Agent makes a best effort to fail over to a different Endpoint Server only when the current Endpoint Server is unavailable. If the original Endpoint Server is unavailable, the agent attempts to connect to another Endpoint Server in the configured list. By default, the DLP Agent tries to reconnect to the original Endpoint Server for 60 minutes before it connects to another Endpoint Server. In a load-balanced Endpoint Server environment, the connection interval is managed by the load balancer.

When a DLP Agent connects to a new Endpoint Server, it downloads the policies from that Endpoint Server. It then immediately begins to apply the new policies. To ensure consistent incident detection after a failover, maintain the same policies on all Endpoint Servers to which the DLP Agent may connect.

For Endpoint Discover monitoring, if a failover occurs during a scan, the initial Endpoint Discover scan is aborted. The DLP Agent downloads the Endpoint Discover scan configuration and policies from the failover Endpoint Server and immediately runs a new scan. The new scan runs only if there is an active Endpoint Discover scan configured on the failover Endpoint Server.

You must specify the list of Endpoint Servers when you install the DLP Agents. The procedure for adding a list of Endpoint Servers appears under each method of installation. You can specify either IP addresses or host names with the associated port numbers. If you specify a host name, the DLP Agent performs a DNS lookup to get a set of IP addresses. It then connects to each IP address. Using host names and DNS lookup lets you make dynamic configuration changes instead of relying on a static install-time list of stated IP addresses.
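The failover rules above, encoded as an added example that is not Symantec code: it parses the configured server list, expands host names through an injected resolver, and applies the 60-minute retry window. The resolver mapping and the outage clock are constructed inputs, and trying the secondaries in their configured order is an assumption (the guide only says "another Endpoint Server in the configured list").

```python
"""Endpoint Server selection under the failover rules described in the guide.

Added example, not Symantec code. Only what the text states is modelled: a list
of up to 20 host:port entries with the first as primary, DNS expansion of host
names to a set of IP addresses, and a 60-minute window of retrying the original
server before another one is used. How the real agent tracks outage time is not
documented, so the clock and the resolver are passed in.
"""
from datetime import timedelta

MAX_ENDPOINT_SERVERS = 20                    # limit from Table 7-2, step 5
RETRY_ORIGINAL_FOR = timedelta(minutes=60)   # default reconnect window


def parse_server_list(entries):
    """Turn ["epserver:10443", "10.0.0.5:10443"] into (host, port) tuples, primary first."""
    if not 1 <= len(entries) <= MAX_ENDPOINT_SERVERS:
        raise ValueError(f"between 1 and {MAX_ENDPOINT_SERVERS} Endpoint Servers are required")
    servers = []
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"expected host:port, got {entry!r}")
        servers.append((host, int(port)))
    return servers


def candidate_addresses(server, resolve):
    """Expand one (host, port) entry into the (ip, port) pairs the agent tries in turn.

    resolve(host) returns the IP addresses for a name (injected so the demo runs
    offline); a dotted IPv4 literal is passed through unchanged. This is what
    lets a DNS change take effect without rebuilding the agent package.
    """
    host, port = server
    if host.count(".") == 3 and all(part.isdigit() for part in host.split(".")):
        return [(host, port)]
    return [(ip, port) for ip in resolve(host)]


def connection_order(servers, original_unreachable_since, now):
    """Servers the agent should attempt at time `now`, in order.

    original_unreachable_since is when the original (primary) server first
    failed, or None while it is reachable. Inside the 60-minute window the agent
    keeps retrying the original only; after it, the secondaries are tried in
    configured order (assumed order, see the lead-in).
    """
    if original_unreachable_since is None:
        return [servers[0]]
    if now - original_unreachable_since < RETRY_ORIGINAL_FOR:
        return [servers[0]]
    return servers[1:] or [servers[0]]   # a single-server deployment can only retry


if __name__ == "__main__":
    from datetime import datetime
    # Constructed configuration and resolver table for the demo.
    servers = parse_server_list(["epserver:10443", "10.0.0.5:10443"])
    dns = {"epserver": ["10.0.0.1", "10.0.0.2"]}
    print(candidate_addresses(servers[0], dns.__getitem__))
    down_since = datetime(2014, 6, 1, 9, 0)
    print(connection_order(servers, down_since, down_since + timedelta(minutes=61)))
```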

Using the Elevated Command Prompt with Windows

If you install agents on endpoints that run Windows 7/8/8.1, you must run the command prompt in Elevated Command Prompt mode.

To initiate the Elevated Command Prompt mode on Windows 7

1 Click the Start menu.

2 In the Search programs and files field, enter command prompt.

The Command Prompt program appears in the results list.

3 Hold the Shift key and right-click the Command Prompt entry in the results list. Select either Run as Administrator or Run as different user.

4 If you selected Run as different user, enter the credentials for a user that has administrator privileges.

To initiate the Elevated Command Prompt mode on Windows 8/8.1

1 Display the Command Prompt.

■ In Desktop mode, right-click on the Windows icon and select Command Prompt (Admin), then click the Start menu.

■ In Metro mode, enter cmd in the Search programs and files field.

2 Hold the Shift key and right-click Command Prompt in the results list.

3 Select Run as Administrator.

Process to install the DLP Agent on Windows

You can install one DLP Agent at a time, or you can use systems management software (SMS) to install many DLP Agents automatically. Symantec recommends that you install one DLP Agent using the manual method before you install many DLP Agents using your SMS. Installing in this manner helps you troubleshoot potential issues and ensure that installing using your SMS goes smoothly.

Note: If you plan to install DLP Agents on endpoints running Windows 8 or Windows 8.1, verify that Admin Security mode is set to Disabled on the administrator account. This setting allows administrators to complete tasks such as running endpoint tools and installing agents.

Before you install DLP Agents on Windows endpoints, confirm that you have completed the prerequisite steps. See “DLP Agent installation overview” on page 71.

Table 7-7 Process to install agents on Windows endpoints

Step 1. Install an agent manually.
Install a single agent to test the configuration or to create a test scenario.
See “Installing the DLP Agent for Windows manually” on page 82.

Step 2. Install the agents using your SMS.
You install agents in this method to install many agents at one time.
See “Installing DLP Agents for Windows silently” on page 82.

Step 3. Confirm that the agents are running.
See “Confirming that the Windows agent is running” on page 84.

Step 4. (Optional) Review the Windows agent installation package.
These components include drivers that prevent tampering and keep the agent running.
See “What gets installed for DLP Agents installed on Windows endpoints” on page 84.


Installing the DLP Agent for Windows manually

Table 7-8 provides instructions for installing the 12.5 DLP Agent for Windows manually.

Note: These steps assume that you have generated the agent installation package. See “Generating agent installation packages” on page 73.

Table 7-8 Instructions for installing the DLP Agent for Windows manually

Step 1. Run the DLP Agent installer batch file.
You run the AgentInstall.bat located in the agent installation package ZIP file.

Step 2. Confirm that the agent is running.
Once installed, the DLP Agent initiates a connection with the Endpoint Server. Confirm that the agent is running by going to Agent > Overview and locating the agent in the list.
See “Confirming that the Windows agent is running” on page 84.

Installing DLP Agents for Windows silently

You can use a silent installation process by using systems management software (SMS) to install DLP Agents to endpoints. You must always install the agent installation package from a local directory. If you do not install from a local directory, some functions of the DLP Agent are disabled.

These steps assume that you have generated the agent installation package. See “Generating agent installation packages” on page 73.

Note: Do not rename the InstallAgent.bat file for any reason. If you rename this file, your systems management software cannot recognize the file and the installation fails.


To perform a silent installation

1 Specify the InstallAgent.bat file in your systems management software package.

2 Specify the InstallAgent.bat installation properties.

When you install the Symantec DLP Agent, your systems management software issues a command to the specified endpoints. The following is an example of what the command might look like:

msiexec /i InstallAgent.bat /q INSTALLDIR="C:\Program Files\Manufacturer\Symantec DLP Agent\" ARPSYSTEMCOMPONENT="1" ENDPOINTSERVER="epserver:8001" SERVICENAME="ENDPOINT" WATCHDOGNAME="WATCHDOG" UNINSTALLPASSWORDKEY="password" TOOLS_KEY="<tools key password>" ENDPOINT_CERTIFICATE="endpoint_cert.pem" ENDPOINT_PRIVATEKEY="endpoint_priv.pem" ENDPOINT_TRUSTSTORE="endpoint_truststore.pem" ENDPOINT_PRIVATEKEY_PASSWORD="<endpoint private key password>" VERIFY_SERVER_HOSTNAME="No" STARTSERVICE="Yes" ENABLEWATCHDOG="YES" LOGDETAILS="Yes" /log C:\installAgent.log

The following table outlines each command and what it does.

msiexec: The Windows command for executing MSI packages.
/i: Specifies the name of the package.
/q: Specifies a silent install.
ARPSYSTEMCOMPONENT: Optional property to msiexec.
ENDPOINTSERVER, SERVICENAME, INSTALLDIR, UNINSTALLPASSWORDKEY, and WATCHDOGNAME: Properties for the agent installation package.
TOOLS_KEY, ENDPOINT_CERTIFICATE, ENDPOINT_PRIVATEKEY, ENDPOINT_TRUSTSTORE, ENDPOINT_PRIVATEKEY_PASSWORD, and VERIFY_SERVER_HOSTNAME: Properties that reference the files and the passwords that are associated with the agent certificates.

3 Specify any optional properties for the msiexec utility.
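A pre-deployment check, added here as an example and not part of the guide or the product: it verifies an agent package ZIP against the file lists of Tables 7-3 and 7-4 and assembles the silent-install command from the property names used in the example above. The sample package is constructed in memory, the package argument passed to msiexec /i is supplied by the caller, and only the PEM framing of the certificate files is checked, not their cryptographic contents.

```python
"""Preflight for an agent installation package and its msiexec command line.

Added example, not Symantec code. Expected file names come from Tables 7-3
and 7-4; property names come from the guide's example msiexec command.
"""
import io
import zipfile

# Platform-specific files every package must carry (Tables 7-3 and 7-4).
EXPECTED_FILES = {
    "Win64": {"AgentInstall64.msi", "install_agent.bat", "upgrade_agent.bat"},
    "Win32": {"AgentInstall.msi", "install_agent.bat", "upgrade_agent.bat"},
    "Mac64": {"AgentInstall.pkg", "AgentInstall.plist", "create_package", "Install_Readme.rtf"},
}
# Certificate files and the PEM header each must start with.
CERT_FILES = {
    "endpoint_cert.pem": b"-----BEGIN CERTIFICATE-----",
    "endpoint_priv.pem": b"-----BEGIN ",        # private-key PEM label varies; check framing only
    "endpoint_truststore.pem": b"-----BEGIN CERTIFICATE-----",
}
MANIFEST = "PackageGenerationManifest.mf"


def check_agent_package(zip_bytes, platform):
    """Return the problems found in AgentInstaller_<platform>.zip (empty list = OK)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        for required in EXPECTED_FILES[platform] | set(CERT_FILES) | {MANIFEST}:
            if required not in names:
                problems.append(f"missing {required}")
        for pem, marker in CERT_FILES.items():
            if pem in names and not zf.read(pem).lstrip().startswith(marker):
                problems.append(f"{pem} is not PEM-framed")
    return problems


def build_silent_install_command(package, props, log_path):
    """Assemble the msiexec line from a property dict, refusing incomplete or unquotable input.

    Every value is wrapped in double quotes as in the guide's example; a value
    containing a double quote cannot be expressed that way and is rejected.
    """
    required = {"INSTALLDIR", "ENDPOINTSERVER", "ENDPOINT_CERTIFICATE",
                "ENDPOINT_PRIVATEKEY", "ENDPOINT_TRUSTSTORE"}
    missing = required - props.keys()
    if missing:
        raise ValueError(f"missing properties: {sorted(missing)}")
    host, sep, port = props["ENDPOINTSERVER"].rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"ENDPOINTSERVER must be host:port, got {props['ENDPOINTSERVER']!r}")
    parts = ["msiexec", "/i", package, "/q"]
    for key, value in props.items():
        if '"' in value:
            raise ValueError(f"{key}: a double quote cannot appear in a property value")
        parts.append(f'{key}="{value}"')
    parts += ["/log", log_path]
    return " ".join(parts)


def constructed_package(platform, omit=()):
    """Build an in-memory sample package (constructed for the demo, not a real one)."""
    files = {name: b"installer-placeholder" for name in EXPECTED_FILES[platform]}
    files["endpoint_cert.pem"] = b"-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"
    files["endpoint_priv.pem"] = b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nplaceholder\n-----END ENCRYPTED PRIVATE KEY-----\n"
    files["endpoint_truststore.pem"] = b"-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"
    files[MANIFEST] = b"platform=" + platform.encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            if name not in omit:
                zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    print(check_agent_package(constructed_package("Win64", omit=("endpoint_truststore.pem",)), "Win64"))
    demo_props = {
        "INSTALLDIR": "C:\\Program Files\\Manufacturer\\Symantec DLP Agent\\",
        "ENDPOINTSERVER": "epserver:10443",
        "ENDPOINT_CERTIFICATE": "endpoint_cert.pem",
        "ENDPOINT_PRIVATEKEY": "endpoint_priv.pem",
        "ENDPOINT_TRUSTSTORE": "endpoint_truststore.pem",
        "STARTSERVICE": "Yes",
    }
    print(build_silent_install_command("AgentInstall64.msi", demo_props, "C:\\installAgent.log"))
```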


Confirming that the Windows agent is running

After you install the agents, the Symantec DLP Agent service automatically starts on each endpoint. Log on to the Enforce Server and go to System > Agents > Overview. Verify that the newly installed or upgraded agents are registered (that the services appear in the list).

The watchdog service is deployed with the DLP Agent on Windows endpoints. The watchdog is a service that ensures that the DLP Agent is running and active. This relationship is reciprocal. If the DLP Agent does not receive regular requests from the watchdog service, it automatically restarts the watchdog service. This reciprocal relationship ensures that the DLP Agent is always running and active.

Users cannot stop the watchdog service on their workstations. Preventing users from stopping the watchdog service allows the DLP Agent to remain active on the endpoint.

What gets installed for DLP Agents installed on Windows endpoints

The DLP Agent installation places a number of components on endpoints. Do not disable or modify any of these components or the DLP Agent may not function correctly.

Table 7-9 Installed components

Driver (vfsmfd.sys): Detects any activity in the endpoint file system and relays the information to the DLP Agent service. This driver is installed at <Windows_dir>\System32\drivers, for example c:\windows\System32\drivers. All other agent files are installed into the agent installation directory.

84Installing Symantec DLP AgentsProcess to install the DLP Agent on Windows

Page 85: Symantec Data Loss PreventionInstallationGuide for Windowsdocshare01.docshare.tips/files/23489/234895418.pdf · Availablememory,diskspace,andNICinformation Operatingsystem Versionandpatchlevel

Table 7-9 Installed components (continued)

DescriptionComponent

Intercepts network traffic (HTTP, FTP, andIM protocols) on the endpoint. After theSymantec Data Loss Prevention Agentanalyzes the content, the tdifd12.sysdriver allows or blocks the data transfer overthe network.

This driver is installed at<Windows_dir>\System32\drivers. Forexample,c:\windows\System32\drivers. All otheragent files are installed into the agentinstallation directory.

Driver (tdifd12.sys)

Monitors the process creation anddestruction, and send notifications to the DLPAgent. The driver monitors the applicationsthat are configured as part of ApplicationMonitoring; for example, CD/DVDapplications.

This driver is installed at<Windows_dir>\System32\drivers. Forexample,c:\windows\System32\drivers. All otheragent files are installed into the agentinstallation directory.

Driver (vrtam.sys)

Monitors activity on Citrix XenApp andXenDesktop.

This driver is installed at<Windows_dir>\System32\drivers. Forexample,c:\windows\System32\drivers. All otheragent files are installed into the agentinstallation directory.

Driver (SFsCtrx12.sys)

Receives all information from the driver andrelays it to the Endpoint Server. Duringinstallation, the DLP Agent is listed under thetask manager as edpa.exe.

Users are prevented from stopping or deletingthis service on their workstation.

Symantec DLP Agent service

85Installing Symantec DLP AgentsProcess to install the DLP Agent on Windows

Page 86: Symantec Data Loss PreventionInstallationGuide for Windowsdocshare01.docshare.tips/files/23489/234895418.pdf · Availablememory,diskspace,andNICinformation Operatingsystem Versionandpatchlevel

Table 7-9 Installed components (continued)

DescriptionComponent

Automatically checks to see if the DLP Agentis running. If the DLP Agent has beenstopped, the watchdog service restarts theDLP Agent. If the watchdog service has beenstopped, the DLP Agent service restarts thewatchdog service.

Users are prevented from stopping or deletingthis service.

Watchdog service

The DLP Agent service creates the following files:

■ Two log files (edpa.log and edpa_ext0.log), created in the installation directory.

■ The DLP Agent store: each DLP Agent maintains an encrypted database at the endpoint. The DLP Agent store saves two-tier request metadata, incident information, and the original file that triggered the incident, if needed. Depending on the detection methods used, the DLP Agent either analyzes the content locally or sends it to the Endpoint Server for analysis.

■ A database named rrc.ead, which maintains the non-matching entries for rules results caching (RRC).

Process to install the DLP Agent on Mac
You can install one DLP Agent on a Mac endpoint at a time, or you can use system management software (SMS) to install many DLP Agents automatically. Symantec recommends that you install one DLP Agent using the manual method before you install many DLP Agents using your SMS. Installing in this manner helps you troubleshoot potential issues and ensure that installing using your SMS goes smoothly.

Before you install DLP Agents on Mac endpoints, confirm that you have completed the prerequisite steps. See “DLP Agent installation overview” on page 71.



Table 7-10 Process to install agents on Mac endpoints

Step 1: Package the Mac agent installation files.
    You compile the Mac agent installation files into one PKG file. You later use this file to manually install an agent, or to insert in your SMS to install agents to many Mac endpoints. You can also add endpoint tools to the package and add a custom package identifier.
    See “Packaging Mac agent installation files” on page 87.

Step 2: Install an agent manually.
    You install a single agent to test the configuration.
    See “Installing the DLP Agent for Mac manually” on page 89.

Step 3: Install the agents using your SMS.
    You use this method to install many agents at one time.
    See “Installing DLP Agents on Mac endpoints silently” on page 90.

Step 4: Confirm that the Mac agent service is running.
    See “Confirming that the Mac agent is running” on page 91.

Step 5: (Optional) Review the installed Mac agent components.
    These components include the drivers that prevent tampering and keep the agent running.
    See “What gets installed for DLP Agents on Mac endpoints” on page 91.

Packaging Mac agent installation files
You use the create_package tool to bundle the Mac agent installation-related files into a single package. You place this package in your SMS software to perform a silent installation. You also use the create_package tool to assign a package ID and to bundle endpoint tools with the agent installation.

The following steps assume that you have generated the agent installation package and completed all prerequisites. See “About secure communications between DLP Agents and Endpoint Servers” on page 72.



To package the Mac agent installation files:

1 Locate the AgentInstaller_Mac64.zip agent installation package. Unzip the contents of this file to a folder on a Mac endpoint; for example, use /tmp/MacInstaller.

See “Agent installation package contents” on page 75.

2 Use Terminal.app to run the following commands:

$ cd /tmp/MacInstaller
    Changes to the directory where the Mac agent installation files reside.

$ ./create_package
    Calls the create_package tool.

3 (Optional) Include a custom package identifier by replacing $ ./create_package with the following command:

$ ./create_package -i <com.company.xyz>

You can choose to register the DLP Agent installer receipt data with a custom package identifier. Replace <com.company.xyz> with an identifier specific to your deployment.

4 (Optional) Include installation and maintenance tools. After the agent installs, administrators can use these tools on Mac endpoints. Place the tools you want to include in the PKG in a directory alongside the installation files (the command below uses ./Tools under /tmp/MacInstaller). You can include the following tools:

Installation tools (found in the SymantecDLPMacAgentInstaller_12.5.zip file):

■ agent.ver adds agent package versioning information.

■ start_agent restarts the Mac agents that have been shut down on the Agent List screen.

■ uninstall_agent uninstalls the DLP Agent from Mac endpoints. See “Removing a DLP Agent from a Mac endpoint” on page 124.

Maintenance tools (found in the SymantecDLPMacAgentTools_12.5.zip file):

■ vontu_sqlite3 lets you inspect the agent database.

■ logdump creates agent log files.

See the topic "About Endpoint tools" in the Symantec Data Loss Prevention Administration Guide.

Execute the following command to include the tools (this calls the create_package tool to bundle the agent tools):

$ ./create_package -t ./Tools

After you execute the command, a message displays the package creation status.

A file named AgentInstall_WithCertificates.pkg is created in the location you indicated. Based on the examples above, AgentInstall_WithCertificates.pkg is created at /tmp/MacInstaller.

5 (Optional) If you opted to register the DLP Agent with a custom package identifier, execute the following command to verify the custom package identity:

$ pkgutil --pkg-info <com.company.xyz>

Replace com.company.xyz with the identifier specific to your deployment.

See “Installing DLP Agents on Mac endpoints silently” on page 90.

Installing the DLP Agent for Mac manually
Table 7-11 provides steps for installing the DLP Agent for Mac manually.

Normally you perform a manual installation when you test the agent installation package. If you do not plan to test the agent installation package, you install Mac agents using an SMS. See “Installing DLP Agents on Mac endpoints silently” on page 90.

Note: The following steps assume that you have generated the agent installation package and completed all prerequisites. See “About secure communications between DLP Agents and Endpoint Servers” on page 72.



Table 7-11 Instructions for installing the DLP Agent on a Mac endpoint

Step 1: Locate the agent installation package ZIP (AgentInstaller_Mac64.zip) and unzip it on the Mac endpoint.
    For example, unzip the file to /tmp/MacInstaller.

Step 2: Install the Mac agent from the command line using the Terminal application.
    Run the following command on the target endpoint:

    $ sudo installer -pkg /tmp/AgentInstall/AgentInstall.pkg -target /

    Replace the path and file name with the location of the PKG you unzipped or created. If you built the package with create_package as described above, that is /tmp/MacInstaller/AgentInstall_WithCertificates.pkg.

Step 3: Verify the Mac agent installation.
    Open Activity Monitor and search for the edpa process. It should be up and running.
    Activity Monitor displays only the processes of the logged-in user by default, and edpa runs as root. Select View > All Processes to see edpa if you are not logged in as the root user.
    You can also confirm that the agent was installed to the default directory: /Library/Manufacturer/Endpoint Agent.

Step 4: (Optional) Troubleshoot the installation.
    If you experience installation issues, use the Console application to check the log messages.
    Review the Mac agent installer log at /var/log/install.log.
    In addition, you can rerun the installer with the -dumplog option to create detailed installation logs. For example:

    $ sudo installer -pkg /tmp/AgentInstall/AgentInstall.pkg -target / -dumplog

    Replace the path and file name as in step 2.

Step 5: (Optional) Review information about the Mac agent installation.
    See “What gets installed for DLP Agents on Mac endpoints” on page 91.

Installing DLP Agents on Mac endpoints silently
You can use a silent installation process by using systems management software (SMS) to install DLP Agents to endpoints. You must always install the agent installation package from a local directory. If you do not install from a local directory, some functions of the DLP Agent are disabled.



These steps assume that you have generated the agent installation package and packaged the Mac agent installation files.

See “Generating agent installation packages” on page 73.

See “Packaging Mac agent installation files” on page 87.

To perform an unattended installation

1 Enable the SMS client on the Mac endpoints.

2 Obtain root user access to the Mac endpoints.

3 Specify the AgentInstall_WithCertificates.pkg package in your systems management software.

4 Specify a list or range of network addresses where you want to install the DLP Agent.

5 Start the silent installation process.

Note: If messages indicate that the installation failed, review the instal.log file that is located in the /tmp directory on each Mac endpoint.

Confirming that the Mac agent is running
To verify that the Mac agent is running, open the Console application and locate the launchd entries for the agent. The agent's launchd job is registered during the agent installation and begins running after the installation completes.

launchd is the macOS service manager; it automatically restarts the agent daemon if an endpoint user stops or kills the agent. Users cannot stop launchd on their workstations. Because launchd cannot be stopped, the DLP Agent remains active on the endpoint.

See “What gets installed for DLP Agents on Mac endpoints” on page 91.

What gets installed for DLP Agents on Mac endpoints
When the DLP Agent is installed on a Mac endpoint, a number of components are installed. Do not disable or modify any of these components or the DLP Agent may not function correctly.



Table 7-12 Installed components

Endpoint Agent daemon (EDPA)
    The installation process places the EDPA files in /Library/Manufacturer/Endpoint Agent. The com.symantec.manufacturer.agent.plist file, located in /Library/LaunchDaemons/, contains the configuration settings for the Endpoint Agent daemon.

Encrypted database
    Each DLP Agent maintains an encrypted database at the endpoint. The database stores incident metadata, content from the host file system, and the original file that triggered the incident, if needed. The DLP Agent analyzes the content locally.

Log files
    The DLP Agent logs information on completed and failed processes.

Database (rrc.ead)
    This database maintains the non-matching entries for rules results caching (RRC).

About uninstallation passwords
The uninstallation password prevents unauthorized users from removing the DLP Agent from an endpoint. If an unauthorized user tries to remove the agent without the password, the agent cannot be removed.

When you create or assign the password during agent installation, it cannot be changed unless the agent is removed and then reinstalled, or upgraded with a new password key (see “Upgrading agents and uninstallation passwords” on page 95). When you want to remove an agent from an endpoint, a pop-up window requests the uninstallation password. If you remove agents from a large number of endpoints using an agent management system, the password must be included in the uninstallation command line.

By default, there is a limit to how many times an administrator can enter the wrong password. If the limit is exceeded, the uninstallation process quits and must be restarted.

You generate a secure uninstallation password by using the UninstallPwdKeyGenerator tool.

You can generate more than one password if you want to assign different passwords to different groups of endpoints.

See “Creating passwords with the password generation tool” on page 93.

See “Adding uninstallation passwords to agents” on page 93.

See “Upgrading agents and uninstallation passwords” on page 95.



See “Using uninstallation passwords” on page 94.

Creating passwords with the password generation tool
Use the uninstallation password generator tool, UninstallPwdKeyGenerator, to create a unique password key.

The uninstallation password prevents unauthorized users from removing the Symantec DLP Agent. The UninstallPwdKeyGenerator tool works with the PGPSdk.dll file to create unique password keys; the tool and the DLL must be located in the same tools directory to function. By default, UninstallPwdKeyGenerator and PGPSdk.dll are located in the Administrator tool directory.

Note: The UninstallPwdKeyGenerator tool only works in Microsoft Windows environments. You cannot use this tool with any other operating system.

To create an uninstallation password

1 From a command window, navigate to the directory that contains UninstallPwdKeyGenerator.exe and PGPSdk.dll.

2 Enter the following command:

UninstallPwdKeyGenerator.exe -xp=<uninstall password>

where <uninstall password> is the password that you want to use. Choose a unique password.

A password key is generated. Enter this key (not the password itself) in the UNINSTALLPASSWORDKEY parameter when you install the agent. The password itself is what you enter later to uninstall the agent.

See “Adding uninstallation passwords to agents” on page 93.

Adding uninstallation passwords to agents
Uninstallation passwords prevent unauthorized users from removing the DLP Agent from an endpoint.

Passwords can only be added to DLP Agents during agent installation or upgrade. If you have existing agents you want to protect, you must remove the agent and then reinstall the agent with the password.

Passwords are generated using the UninstallPwdKeyGenerator.exe tool.

See “Creating passwords with the password generation tool” on page 93.



You can add the uninstallation password by including the password parameter in the agent installation command line for the system management software (SMS) program that you are using.

See “Process to install the DLP Agent on Windows” on page 81.

You cannot add the uninstallation password to agents through the installation wizard.

To add the uninstallation password to an agent installation

◆ Add the uninstallation password parameter in the agent installation commandline

UNINSTALLPASSWORDKEY="<password key>"

where <password key> is the password that you created with the passwordgeneration tool.

A sample agent installation command line might look like the following example:

msiexec /i AgentInstall.msi /q INSTALLDIR="%ProgramFiles%\Manufacturer\Endpoint Agent\" ENDPOINTSERVER="hostname" PORT="8000" KEY="" UNINSTALLPASSWORDKEY="<password key>" SERVICENAME="EDPA" WATCHDOGNAME="WDP"

See “Using uninstallation passwords” on page 94.

Using uninstallation passwords
When you want to uninstall a DLP Agent that is password protected, you must enter the correct password before the uninstallation continues. If you uninstall your agents manually, a pop-up window appears on the endpoint that requests the password. You must enter the password in this window. If you are using system management software, include the password parameter in the command string.

If you want to uninstall a group of agents, specify the uninstallation password in the agent uninstallation command line.

To enter the uninstallation password using a command line

◆ Enter the following parameter in the uninstallation command line:

UNINSTALLPASSWORD="<password>"

where <password> is the password that you specified in the password generator (the -xp value, not the generated key).

An agent command line looks like the following example:

msiexec /uninstall <product code> /q UNINSTALLPASSWORD="<password>"
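The following PowerShell script is an added example and is not part of the Symantec guide or the product. It ties together the Windows procedures above: it installs the agent with the sample msiexec properties and an uninstallation password key, performs the checks described under "Confirming that the Windows agent is running" and Table 7-9 (the EDPA and WDP services, the edpa.exe process and the four driver files), and removes the agent with the password. Assumptions, all hypothetical: endpointserver.example.com stands for your Endpoint Server, the agent's Programs and Features entry has a DisplayName containing "DLP Agent" (used to find the MSI product code that the uninstall command needs), and the services are named EDPA and WDP as in the sample command line.

```powershell
# Added example, not code from the Symantec guide: install, verify and remove
# the Windows DLP Agent with an uninstallation password. Run elevated.
$ErrorActionPreference = 'Stop'

function Invoke-Msiexec {
    param([string[]]$Arguments)
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $Arguments -Wait -PassThru
    # 0 = success, 3010 = success but reboot required; anything else is a failure.
    if ($p.ExitCode -notin @(0, 3010)) { throw "msiexec exited with $($p.ExitCode); check the /l*v log" }
    return $p.ExitCode
}

function Install-DlpAgent {
    param(
        [string]$Msi = 'AgentInstall.msi',
        [string]$EndpointServer = 'endpointserver.example.com',   # assumption: your Endpoint Server
        [Parameter(Mandatory)][string]$UninstallPasswordKey       # output of UninstallPwdKeyGenerator.exe -xp=<password>
    )
    $log = Join-Path $env:TEMP 'AgentInstall.log'
    # Same properties as the guide's sample command line, plus a verbose log.
    Invoke-Msiexec -Arguments @(
        '/i', "`"$Msi`"", '/q', '/l*v', "`"$log`"",
        "INSTALLDIR=`"$env:ProgramFiles\Manufacturer\Endpoint Agent\`"",
        "ENDPOINTSERVER=`"$EndpointServer`"", 'PORT="8000"', 'KEY=""',
        "UNINSTALLPASSWORDKEY=`"$UninstallPasswordKey`"",
        'SERVICENAME="EDPA"', 'WATCHDOGNAME="WDP"'
    )
}

function Test-DlpAgentInstalled {
    # Returns $true when both services run and edpa.exe is alive. Driver state is
    # reported but not fatal: SFsCtrx12.sys, for instance, only matters on Citrix
    # hosts (assumption: it may be absent or unloaded elsewhere).
    $ok = $true
    foreach ($name in 'EDPA', 'WDP') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Running') { Write-Warning "service $name missing or stopped"; $ok = $false }
    }
    if (-not (Get-Process -Name 'edpa' -ErrorAction SilentlyContinue)) { Write-Warning 'edpa.exe is not running'; $ok = $false }

    $drivers = Get-CimInstance -ClassName Win32_SystemDriver
    foreach ($file in 'vfsmfd.sys', 'tdifd12.sys', 'vrtam.sys', 'SFsCtrx12.sys') {
        $path = Join-Path "$env:SystemRoot\System32\drivers" $file
        if (-not (Test-Path $path)) { Write-Warning "driver file $file not found"; continue }
        $loaded = $drivers | Where-Object { $_.PathName -like "*\$file" -and $_.State -eq 'Running' }
        Write-Host ('{0,-14} {1}' -f $file, $(if ($loaded) { 'running' } else { 'present, not running' }))
    }
    return $ok
}

function Uninstall-DlpAgent {
    param([Parameter(Mandatory)][string]$UninstallPassword)   # the -xp password, not the key
    # msiexec /uninstall needs the MSI product code. MSI registers it as the key
    # name under Uninstall; find the agent's entry by DisplayName (assumption).
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    $entry = Get-ChildItem -Path $roots -ErrorAction SilentlyContinue |
             Get-ItemProperty |
             Where-Object { $_.DisplayName -like '*DLP Agent*' -and $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } |
             Select-Object -First 1
    if (-not $entry) { throw 'No MSI product code found for the DLP Agent' }
    Invoke-Msiexec -Arguments @('/uninstall', $entry.PSChildName, '/q', "UNINSTALLPASSWORD=`"$UninstallPassword`"")
}

# Usage:
#   Install-DlpAgent -UninstallPasswordKey '<password key>'
#   if (-not (Test-DlpAgentInstalled)) { Write-Error 'agent verification failed' }
#   Uninstall-DlpAgent -UninstallPassword '<password>'
```

The verification deliberately treats the services and the edpa.exe process as mandatory and the drivers as informational, because a missing or stopped watchdog or agent service is exactly the condition the reciprocal restart is meant to prevent, whereas a driver that is present but not loaded may simply not apply to that endpoint. The uninstall step resolves the `<product code>` placeholder from the page's command line by reading the registry, so the same script works across agent versions as long as the DisplayName assumption holds.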

See “Creating passwords with the password generation tool” on page 93.



See “About uninstallation passwords” on page 92.

Upgrading agents and uninstallation passwords
You can upgrade any agents that are protected by uninstallation passwords without affecting the password. If you do not want to change the password, do not include the password parameter in the upgrade command line; the pre-existing uninstallation password is carried into the upgraded agent automatically. Include the password parameter only if you want to change the password or add a new password to an agent.

To add or change a password while upgrading an agent

◆ Add the following password parameter to the upgrade command line:

UNINSTALLPASSWORDKEY=<password key>

where <password key> is the password key that you created using the password generation tool.

See “Creating passwords with the password generation tool” on page 93.

See “About uninstallation passwords” on page 92.



Chapter 8 Post-installation tasks

This chapter includes the following topics:

■ About post-installation tasks

■ About post-installation security configuration

■ About system events and syslog servers

■ Enforce Servers and unused NICs

■ Performing initial setup tasks on the Enforce Server

About post-installation tasks
You must perform certain required tasks after a product installation or upgrade is complete. There are also some optional post-installation tasks that you might want to perform.

See “About post-installation security configuration” on page 96.

See “About system events and syslog servers” on page 112.

See “Enforce Servers and unused NICs” on page 112.

See “Performing initial setup tasks on the Enforce Server” on page 113.

About post-installation security configuration
Symantec Data Loss Prevention secures communications between all Symantec Data Loss Prevention servers. This is accomplished by encrypting the transmitted data and requiring servers to authenticate with each other.

Symantec Data Loss Prevention also encrypts and authenticates the communications between the Endpoint Server and the Symantec DLP Agent.



Although the default installation is secure, Symantec recommends that you change your system's default security settings to use unique certificates or keys.

See “About browser certificates” on page 98.

See “Symantec Data Loss Prevention directory and file exclusion from antivirus scans” on page 102.

See “Corporate firewall configuration” on page 103.

About server security and SSL/TLS certificates
Symantec Data Loss Prevention uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) to encrypt all data that is transmitted between servers. It also uses the SSL/TLS protocol for mutual authentication between servers. Servers implement authentication by the mandatory use of client-side and server-side certificates.

The Enforce Server administration console web application enables users to view and manage incidents and policies and to configure Symantec Data Loss Prevention. You access this interface with a web browser over an SSL/TLS connection. To ensure confidentiality, all traffic between the Enforce Server and the browser is encrypted with a symmetric session key. During the TLS handshake, the Enforce Server and the browser negotiate the cipher suite (algorithm and key size) and establish that session key; the server's certificate is what lets the browser verify that it is talking to the genuine Enforce Server.

In this guide, "certificate" means the keystore file, used together with its keystore password, that holds the server's private key and certificate; the terms "certificate" and "keystore file" are used interchangeably. By default, all connections between the Symantec Data Loss Prevention servers, and between the Enforce Server and the browser, use a single self-signed certificate that is embedded in the Symantec Data Loss Prevention software. By default, every Symantec Data Loss Prevention server at every customer installation uses this same certificate. Because that certificate and its private key ship with every copy of the product, it cannot distinguish your servers from any other installation; replace it before you rely on server authentication.

Although the existing default security meets stringent standards, Symantec provides the keytool and sslkeytool utilities to enhance your encryption security:

■ The keytool utility generates a new certificate to encrypt communication between your web browser and the Enforce Server. This certificate is unique to your installation.
See “About browser certificates” on page 98.
See “Generating a unique browser certificate” on page 99.

■ The sslkeytool utility generates new SSL server certificates to secure communications between your Enforce Server and your detection servers. These certificates are unique to your installation. The new certificates replace the single default certificate that comes with all Symantec Data Loss Prevention installations. You store one certificate on the Enforce Server, and one certificate on each detection server in your installation.

Note: Symantec recommends that you create dedicated certificates for communication with your Symantec Data Loss Prevention servers. When you configure the Enforce Server to use a generated certificate, all detection servers in your installation must also use generated certificates. You cannot mix generated certificates on some detection servers with the built-in certificate on others.

Note: If you install a Network Prevent detection server in a hosted environment, you must generate unique certificates for your Symantec Data Loss Prevention servers. You cannot use the built-in certificate to communicate with a hosted Network Prevent server.

See “About the sslkeytool utility and server certificates” on page 52.
See “Using sslkeytool to generate new Enforce and detection server certificates” on page 55.

See “About post-installation tasks” on page 96.

You may also need to secure communications between Symantec Data Loss Prevention servers and other servers such as those used by Active Directory or a Mail Transfer Agent (MTA). See the Symantec Data Loss Prevention Administration Guide for details.

About browser certificates
A web browser that uses a secure connection (HTTPS) requires the server to present an SSL certificate. The certificate can be self-signed or signed by a certificate authority (CA). The certificate binds the server's public key to its name, which lets the browser verify the server's identity and cache that public key for later connections. A certificate signed by a CA that the browser already trusts produces no warning when you connect to the Enforce Server administration console. With a self-signed certificate, the browser warns that the certificate is untrusted and asks whether you want to connect.

The default certificate installed with Symantec Data Loss Prevention is a standard, self-signed certificate. This certificate is embedded in the Symantec Data Loss Prevention software. By default, all Symantec Data Loss Prevention installations at all customer sites use this same certificate. Symantec recommends that you replace the default certificate with a new, unique certificate for your organization's installation. The new certificate can be either self-signed or signed by a certificate authority.

See “Generating a unique browser certificate” on page 99.

See “About server security and SSL/TLS certificates” on page 97.

Generating a unique browser certificate

By default, connections between the Enforce Server and the browser use a single, self-signed certificate. This certificate is embedded in the Symantec Data Loss Prevention software.

The keytool utility manages keys and certificates. This utility enables users to administer their own public and private key pairs and associated certificates for use in self-authentication.

To generate a unique Enforce Server self-signed certificate for your installation

1 Collect the following information:

■ Common Name: The fully qualified DNS name of the Enforce Server. This must be the actual host name by which all clients reach the server, without the https:// prefix; for example, Server_name for https://Server_name. Browsers compare this name with the host name in the URL.

■ Organization Name: The name of your company or organization. For example, Acme, Inc.

■ Organizational unit (optional): The name of your division, department, unit, and so on. For example, Engineering.

■ City: The city, town, or area where you are located. For example, San Francisco.

■ State: The name of your state, province, or region. For example, California or CA.

■ Country: Your two-letter country code. For example, US.

■ Expiration: The certificate expiration time in number of days. For example, 90.

2 Stop all the Vontu services on the Enforce Server.

See “About Data Loss Prevention services” on page 115.

3 On the Enforce Server, go to the \SymantecDLP\jre\bin directory.

The keytool software is located in this directory.



4 Use keytool to create the self-signed certificate (keystore file). The same keystore file can also be used later to obtain a certificate from a certificate authority.

From within the \bin directory, run the following command with the information collected earlier:

keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore .keystore -validity NNN -storepass protect -dname "CN=common_name, O=organization_name, OU=organization_unit, L=city, S=state, C=XX"

Use a key size of at least 2048 bits; current browsers reject RSA keys of 1024 bits.

Where:

■ The -alias parameter specifies the name of this certificate key. This name is used to identify this certificate when you run other keytool commands. The value for the -alias parameter must be tomcat.

■ The -keystore parameter specifies the name and location of the keystore file, which must be .keystore located in this directory. This is specified by using -keystore .keystore.

■ The -keyalg parameter specifies the algorithm to be used to generate the key pair. In this case, the algorithm to specify is RSA.

■ The -keysize parameter specifies the size in bits of the key to be generated. Use 2048 or larger; current browsers reject 1024-bit RSA keys.

■ The -validity parameter specifies the number of days the certificate is good for. For example, -validity 365 specifies that the certificate is good for 365 days (one year). The number of days you specify for the -validity parameter is up to you. If a certificate is used for longer than the number of days specified by -validity, the browser shows an "Expired" message when it accesses the Enforce Server administration console. The best practice is to replace an expired certificate with a new one.

■ The -storepass parameter specifies the password used to protect the integrity of the keystore. The value for the -storepass parameter must be protect.

■ The dname parameter specifies the X.500 Distinguished Name to beassociated with this alias. It is used as the issuer and subject fields in aself-signed certificate. The parameters that follow are the value of the dname

parameter.

■ The -CN parameter specifies your name. For example, CN=linda wu

■ The O parameter specifies your organization's name. For example, O=Acme Inc.


■ The OU parameter specifies your organization's unit or division name. For example, OU=Engineering Department

■ The L parameter specifies your city. For example, L=San Francisco

■ The S parameter specifies your state or province. For example, S=California

■ The C parameter specifies the two-letter country code of your country. For example, C=US

■ If you are asked for a keypass password, press Return to make the keypass password the same as the storepass password.

An updated .keystore file is generated.

5 (Optional) Rename or move the existing .keystore file from the \Protect\tomcat\conf directory.

6 Copy the updated .keystore file into the c:\SymantecDLP\Protect\tomcat\conf directory.

7 Restart the Vontu services on the Enforce Server.

See “About Data Loss Prevention services” on page 115.

As an alternative to using a self-signed certificate, you can use a certificate issued by an internal or external certificate authority (CA). Consult your certificate authority for instructions on how to obtain a CA-signed certificate. Certificate authorities provide a root certificate and a signed certificate. When using certificates signed by a CA, they need to be imported into the Enforce Server using the following commands:

keytool -import -alias root -keystore .keystore -trustcacerts -file root_certificate

keytool -import -alias tomcat -keystore .keystore -trustcacerts -file signed_certificate

See “About server security and SSL/TLS certificates” on page 97.
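The procedure above and the CA-signed alternative, as an added PowerShell example that is not part of the Symantec guide; it assumes keytool is on PATH, an install root of C:\SymantecDLP, and placeholder subject values and CA file paths:

```powershell
# Added example, not from the Symantec guide. Creates the keystore with the values the
# procedure fixes (alias tomcat, store password protect), verifies what was written, and
# installs it under tomcat\conf. Restart the Vontu services afterwards (step 7).
# Assumptions: keytool on PATH; DLP under C:\SymantecDLP; placeholder subject fields.
$dlpHome  = 'C:\SymantecDLP'
$confDir  = Join-Path $dlpHome 'Protect\tomcat\conf'
$workDir  = Join-Path $env:TEMP 'dlp-keystore'      # build here, then copy into conf
$keystore = Join-Path $workDir '.keystore'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

$validityDays = 365
# The guide shows -keysize 1024. NIST SP 800-131A disallowed 1024-bit RSA for
# signatures after 2013 and browsers reject it, so 2048 is used here.
$keySize = 2048
# Placeholder subject; use the values collected earlier in the procedure.
$dname = 'CN=enforce.example.internal, O=Example Inc, OU=Security Engineering, ' +
         'L=San Francisco, S=California, C=US'

# -genkeypair is the current name of the guide's -genkey. -storetype JKS is explicit
# because keytool in JDK 9 and later defaults to PKCS12, and this Tomcat expects JKS.
# -keypass equal to -storepass is what "press Return at the keypass prompt" produces.
& keytool -genkeypair -alias tomcat -keyalg RSA -keysize $keySize -storetype JKS `
    -keystore $keystore -validity $validityDays -storepass protect -keypass protect `
    -dname $dname
if ($LASTEXITCODE -ne 0) { throw "keytool -genkeypair exited with $LASTEXITCODE" }

# Verify the result rather than trusting the exit code: the alias must hold a private
# key and the subject must be the one requested.
$listing = (& keytool -list -v -keystore $keystore -storepass protect -alias tomcat) -join "`n"
if ($LASTEXITCODE -ne 0) { throw 'keytool -list failed' }
if ($listing -notmatch 'Entry type:\s*PrivateKeyEntry') { throw 'alias tomcat is not a private-key entry' }
if ($listing -notmatch 'CN=enforce\.example\.internal') { throw 'subject does not match the requested dname' }

# Steps 5 and 6: keep the previous keystore under a dated name, then install the new one.
$installed = Join-Path $confDir '.keystore'
if (Test-Path $installed) {
    Move-Item -Path $installed -Destination ($installed + '.' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.bak')
}
Copy-Item -Path $keystore -Destination $installed

# CA-signed alternative. The request step (-certreq) is standard keytool usage the guide
# does not show; the two -import commands are the ones the guide gives. Paths are placeholders.
function New-TomcatCertRequest {
    param([string]$Keystore, [string]$RequestFile)
    & keytool -certreq -alias tomcat -keystore $Keystore -storepass protect -file $RequestFile
    if ($LASTEXITCODE -ne 0) { throw 'certificate request failed' }
}
function Import-CaSignedCertificate {
    param([string]$Keystore, [string]$RootCert, [string]$SignedCert)
    # The root import prompts for confirmation on purpose: compare the fingerprint it
    # prints with the one your CA published before answering yes.
    & keytool -import -alias root -keystore $Keystore -storepass protect -trustcacerts -file $RootCert
    if ($LASTEXITCODE -ne 0) { throw 'root certificate import failed' }
    # The signed certificate replaces the self-signed one under the same alias.
    & keytool -import -alias tomcat -keystore $Keystore -storepass protect -trustcacerts -file $SignedCert
    if ($LASTEXITCODE -ne 0) { throw 'signed certificate import failed' }
}
# Example usage with placeholder paths:
# New-TomcatCertRequest -Keystore $installed -RequestFile "$workDir\tomcat.csr"
# Import-CaSignedCertificate -Keystore $installed -RootCert 'C:\ca\root.cer' -SignedCert 'C:\ca\enforce.cer'
```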

About Symantec Data Loss Prevention and antivirus software

Symantec recommends installing antivirus software on your Symantec Data Loss Prevention servers. However, antivirus software may interpret Symantec Data Loss Prevention activity as virus-like behavior. Therefore, certain files and directories must be excluded from antivirus scans. These files and directories include the Symantec Data Loss Prevention and Oracle directories on your servers. If you do not have antivirus software installed on your Symantec Data Loss Prevention servers (not recommended), you can skip these antivirus-related post-installation tasks.


See “Symantec Data Loss Prevention directory and file exclusion from antivirus scans” on page 102.

See “Oracle directory and file exclusion from antivirus scans” on page 103.

See “About post-installation tasks” on page 96.

Symantec Data Loss Prevention directory and file exclusion from antivirus scans

When the Symantec Data Loss Prevention application accesses files and directories, it can appear to antivirus software as if it were a virus. Therefore, you must exclude certain directories from antivirus scans on Symantec Data Loss Prevention servers.

Using your antivirus software, remove the following Enforce Server directories from antivirus scanning:

■ \SymantecDLP\Protect\incidents

■ \SymantecDLP\Protect\index

■ \SymantecDLP\Protect\logs (with subdirectories)

■ \SymantecDLP\Protect\temp (with subdirectories)

■ \SymantecDLP\Protect\tomcat\temp

■ \SymantecDLP\Protect\tomcat\work

Using your antivirus software, remove the following detection server directories from antivirus scanning:

■ \drop

■ \drop_pcap

■ \icap_spool

■ \packet_spool

■ \SymantecDLP\Protect\incidents

■ \SymantecDLP\Protect\index

■ \SymantecDLP\Protect\logs (with subdirectories)

■ \SymantecDLP\Protect\temp (with subdirectories)

Consult your antivirus software documentation for information on how to exclude directories and files from antivirus scans.

See “About Symantec Data Loss Prevention and antivirus software” on page 101.

See “Oracle directory and file exclusion from antivirus scans” on page 103.


See “About post-installation tasks” on page 96.

Oracle directory and file exclusion from antivirus scans

When the Symantec Data Loss Prevention application accesses files and directories, it can appear to antivirus software as if it were a virus. Therefore, you must exclude certain directories from antivirus scans on Symantec Data Loss Prevention servers.

Using your antivirus software, exclude the following Oracle directories from antivirus scanning:

■ C:\app\Administrator\oradata\protect

■ C:\app\Administrator\product\11.2.0\dbhome_1

Most of the Oracle files to be excluded are located in these directories, but additional files are located in other directories. Use the Oracle Enterprise Manager (OEM) to check for additional files and exclude their directories from antivirus scanning. Use OEM to view the location of the following database files:

■ Data files, which have the file extension *.DBF

■ Control files, which have the file extension *.CTL

■ The REDO.LOG file

Exclude all the directories with these files from antivirus scanning.

See “About Symantec Data Loss Prevention and antivirus software” on page 101.

See “Symantec Data Loss Prevention directory and file exclusion from antivirus scans” on page 102.

See “About post-installation tasks” on page 96.

Corporate firewall configuration

If the Enforce Server is installed inside your corporate LAN behind a firewall and your detection servers are installed in the DMZ, your corporate firewall settings need to:

■ Allow connections from the Enforce Server on the corporate network to the detection servers in the DMZ. Configure your firewall to accept connections on the port you entered when installing the detection servers. By default, the Enforce Server and the detection servers communicate over port 8100. You can configure the servers to use any port higher than 1024. Use the same port number for all your detection servers.

■ Allow Windows Remote Desktop Client connections (TCP port 3389). This feature can be useful for setup purposes.


Symantec Data Loss Prevention servers communicate with the Enforce Server over a single port number. Port 8100 is the default, but you can configure Symantec Data Loss Prevention to use any port higher than 1024. Review your firewall settings and close any ports that are not required for communication between the Enforce Server and the detection servers.
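The two firewall requirements above, plus a listing of every other listening port to support the review the paragraph asks for, as an added PowerShell example that is not from the guide; it assumes Windows Server 2012 or later (NetSecurity module), the default port 8100, and placeholder addresses:

```powershell
# Added example, not from the Symantec guide. Run on a detection server in the DMZ:
# admit the Enforce Server (and only it) on the communication port, admit Remote Desktop
# only from the administration network, then list what else is listening.
# Assumptions: Windows Server 2012 or later; placeholder addresses; port 8100 (the default).
$enforceServer = '10.0.1.10'      # placeholder: Enforce Server address on the corporate LAN
$adminNetwork  = '10.0.9.0/24'    # placeholder: where Remote Desktop sessions originate
$dlpPort       = 8100             # must match the port entered when installing the detection servers

function Add-InboundRuleOnce {
    # Idempotent: re-running the script does not stack duplicate rules.
    param([string]$Name, [int]$Port, [string]$RemoteAddress)
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol TCP `
        -LocalPort $Port -RemoteAddress $RemoteAddress -Action Allow -Profile Any | Out-Null
}
Add-InboundRuleOnce -Name 'DLP: Enforce Server to detection server' -Port $dlpPort -RemoteAddress $enforceServer
Add-InboundRuleOnce -Name 'DLP: Remote Desktop for setup' -Port 3389 -RemoteAddress $adminNetwork

# Everything else that is listening needs either a documented reason or a closing rule.
function Get-UnreviewedListeners {
    param([int[]]$Approved)
    Get-NetTCPConnection -State Listen |
        Where-Object { $Approved -notcontains $_.LocalPort } |
        Sort-Object LocalPort -Unique |
        Select-Object LocalAddress, LocalPort,
            @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }
}
Get-UnreviewedListeners -Approved @($dlpPort, 3389) | Format-Table -AutoSize
```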

Windows security lockdown guidelines

You should complete a set of hardening procedures after you install or upgrade a Symantec Data Loss Prevention server. Adapt these guidelines to suit your organization’s standards for secure communications and hardening procedures.

The following Windows services must be running:

■ Alerter

■ COM+ Event System

■ DCOM Server Process Launcher

■ Defwatch for Symantec (may not always be present)

■ DNS Client

■ Event log

■ Interix Subsystem Startup (for UNIX Services for Windows for RAs)

■ IPSEC Services

■ Logical Disk Manager

■ Network connections

■ OracleOraDb11g_home1TNSListener (the service name is different if you use a non-default Oracle home directory)

■ OracleServicePROTECT (on the Enforce Server only)

■ Plug and play

■ Protected Storage

■ Remote procedure call (RPC)

■ Removable Storage

■ Security Accounts Manager

■ Server (required only for Enforce if EDMs are used)

■ Symantec AntiVirus

■ System Event Notification


■ Task Scheduler

■ TCP/IP NetBIOS Helper Service

■ Terminal Services

■ User Name Mapping (for UNIX Services for Windows for RAs)

■ Vontu Incident Persister (for Enforce Server only)

■ Vontu Manager (for Enforce Server only)

■ Vontu Monitor (for detection servers only)

■ Vontu Notifier (for Enforce Server only)

■ Vontu Update

■ Windows Management (Instrumentation)

■ Windows Management (Instrumentation Driver Extensions Workstation)

■ Windows Time (required if no alternative Enforce/detection server system clock synchronization is implemented)

■ Workstation (required for Alerter Service)

The following Windows services should be disabled:

■ Dist. File System

■ Dist. Link Tracking Client

■ Dist. Link Tracking Server

■ Dist. Transaction Coordinator

■ Error Reporting Service

■ Help & Support

■ Messenger

■ Print Spooler

■ Remote Registry

■ Wireless Config

Consult your Windows Server documentation for information on these services.
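A read-only check of a server against the two service lists above, added here as an example and not taken from the guide; it assumes an elevated PowerShell session, matches service display names with wildcards so the abbreviated names in the list still match, and needs the Vontu entries adjusted to the server role:

```powershell
# Added example, not from the Symantec guide: audit this host against the "must be
# running" and "should be disabled" lists. Assumptions: elevated session; wildcard
# patterns against display names (so "Dist. Link Tracking Client" matches its full name);
# Vontu Monitor Controller on the Enforce Server, Vontu Monitor on detection servers.
$mustBeRunning = @(
    'COM+ Event System', 'DCOM Server Process Launcher', 'DNS Client',
    '*Event Log', 'Remote Procedure Call (RPC)', 'Windows Time',
    'Oracle*TNSListener', 'OracleServicePROTECT',
    'Vontu Notifier', 'Vontu Manager', 'Vontu Incident Persister',
    'Vontu Monitor Controller', 'Vontu Update'
)
$mustBeDisabled = @(
    'Dist*File System', 'Dist*Link Tracking Client', 'Dist*Link Tracking Server',
    'Dist*Transaction Coordinator', 'Error Reporting Service', 'Help*Support',
    'Messenger', 'Print Spooler', 'Remote Registry', 'Wireless*Config*'
)

function Get-ServiceCompliance {
    param([string[]]$MustBeRunning, [string[]]$MustBeDisabled)
    $all = Get-CimInstance -ClassName Win32_Service      # one query, then filter in memory
    $findings = @()
    foreach ($pattern in $MustBeRunning) {
        $matched = $all | Where-Object { $_.DisplayName -like $pattern -or $_.Name -like $pattern }
        if (-not $matched) {
            $findings += [pscustomobject]@{ Service = $pattern; Expected = 'Running'; Actual = 'not installed' }
            continue
        }
        foreach ($svc in $matched) {
            if ($svc.State -ne 'Running') {
                $findings += [pscustomobject]@{ Service = $svc.DisplayName; Expected = 'Running'; Actual = $svc.State }
            }
        }
    }
    foreach ($pattern in $MustBeDisabled) {
        # A service that is stopped but still set to Automatic or Manual is a finding too.
        foreach ($svc in ($all | Where-Object { $_.DisplayName -like $pattern })) {
            if ($svc.StartMode -ne 'Disabled' -or $svc.State -ne 'Stopped') {
                $findings += [pscustomobject]@{
                    Service = $svc.DisplayName; Expected = 'Disabled / Stopped'
                    Actual  = "$($svc.StartMode) / $($svc.State)"
                }
            }
        }
    }
    return $findings
}

$report = Get-ServiceCompliance -MustBeRunning $mustBeRunning -MustBeDisabled $mustBeDisabled
if ($report) { $report | Format-Table -AutoSize }
else { Write-Host 'All listed services are in the expected state.' }
```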

Windows Administrative security settings

The following tables provide recommended administrative settings available on a Microsoft Windows system for additional security hardening.

Consult your Windows Server documentation for information on these settings.


The following Local Policy settings are described in the following tables:

■ Table 8-1 lists the Account Lockout Policy settings.

■ Table 8-2 lists the Password Policy settings.

■ Table 8-3 lists the local Audit Policy settings.

■ Table 8-4 lists the User Rights Assignment settings.

■ Table 8-5 lists the Security Options settings.

Table 8-1 Security settings > Account Policies > Account Lockout Policy

Policy | Recommended security setting
Account lockout duration | 0
Account lockout threshold | 3 invalid logon attempts
Reset account lockout counter after | 15 minutes

Table 8-2 Security settings > Account Policies > Password Policy

Password policy | Recommended security setting
Enforce password history | 24 passwords remembered
Maximum password age | 60 days
Minimum password age | 2 days
Minimum password length | 10 characters
Password must meet complexity requirements | Enabled
Store passwords using reversible encryption | Disabled

Table 8-3 Security settings > Local Policies > Audit Policy

Local audit | Recommended security setting
Audit account logon events | Success, Failure
Audit account management | Success, Failure
Audit directory service access | Success, Failure
Audit logon events | Success, Failure
Audit object access | Success, Failure
Audit policy change | Success, Failure
Audit privilege use | Success, Failure
Audit process tracking | No auditing
Audit system events | Success, Failure

Table 8-4 Security settings > Local Policies > User rights assignment

User rights assignment | Recommended security setting
Access this computer from the network | Everyone, Administrators, Users, Power Users, Backup Operators
Act as part of the operating system |
Add workstations to domain |
Adjust memory quotas for a process | LOCAL SERVICE, NETWORK SERVICE, Administrators
Allow log on locally | Administrators, Users, Power Users, Backup Operators
Allow log on through Services | Administrators, Remote Desktop Users
Back up files and directories | Administrators, Backup Operators
Bypass traverse checking | Everyone, Administrators, Users, Power Users, Backup Operators
Change the system time | Administrators, Power Users
Create a page file | Administrators
Create a token object |
Create global objects | Administrators, SERVICE
Create permanent shared objects |
Debug programs | Administrators
Deny access to this computer from the network |
Deny log on as a batch job |
Deny log on as a service |
Deny log on locally |
Deny log on through Remote Desktop Services |
Enable computer and user accounts to be trusted for delegation |
Force shutdown from a remote system | Administrators
Generate security audits | LOCAL SERVICE, NETWORK SERVICE
Impersonate a client after authentication | Administrators, SERVICE
Increase scheduling priority | Administrators
Load and unload device drivers | Administrators
Lock pages in memory |
Log on as a batch job | LOCAL SERVICE
Log on as a service | NETWORK SERVICE
Manage auditing and security log | Administrators
Modify firmware environment values | Administrators
Perform volume maintenance tasks | Administrators
Profile single process | Administrators, Power Users
Profile system performance | Administrators
Remove computer from docking station | Administrators, Power Users
Replace a process level token | LOCAL SERVICE, NETWORK SERVICE
Restore files and directories | Administrators, Backup Operators
Shut down the system | Administrators, Power Users, Backup Operators
Synchronize directory service data |
Take ownership of files or other objects | Administrators

Table 8-5 Security settings > Local Policies > Security options

Security options | Recommended security setting
Accounts: Administrator account status | Enabled
Accounts: Guest account status | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled
Accounts: Rename administrator account | protectdemo
Accounts: Rename guest account | Guest
Audit: Audit the access of global system objects | Disabled
Audit: Audit the use of Backup and Restore privilege | Disabled
Audit: Shut down system immediately if unable to log security audits | Disabled
Devices: Allow undock without having to log on | Enabled
Devices: Allowed to format and eject removable media | Administrators
Devices: Prevent users from installing printer drivers | Enabled
Devices: Restrict CD-ROM access to locally logged-on user only | Enabled
Devices: Restrict floppy access to locally logged-on user only | Enabled
Devices: Unsigned driver installation behavior | Do not allow installation
Domain controller: Allow server operators to schedule tasks | Enabled
Domain controller: LDAP machine signing requirements | Not Defined
Domain controller: Refuse machine account password changes | Not Defined
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled
Domain member: Disable server account password changes | Disabled
Domain member: Maximum server account password age | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Enabled
Interactive logon: Do not display last user name | Enabled
Interactive logon: Do not require CTRL+ALT+DEL | Disabled
Interactive logon: Message text for users attempting to log on |
Interactive logon: Message title for users attempting to log on | Not Defined
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 10 logons
Interactive logon: Prompt user to change password before expiration | 14 days
Interactive logon: Require domain controller authentication to unlock workstation | Disabled
Interactive logon: Require smart card | Disabled
Interactive logon: Smart card removal behavior | Force Logoff
Microsoft network client: Digitally sign communications (always) | Enabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled
Microsoft network server: Amount of idle time required before suspending session | 15 minutes
Microsoft network server: Digitally sign communications (always) | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled
Microsoft network server: Disconnect clients when logon hours expire | Enabled
Network access: Allow anonymous SID/Name translation | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Disabled
Network access: Do not allow storage of credentials or passwords for network authentication | Disabled
Network access: Let Everyone permissions apply to anonymous users | Disabled
Network access: Named Pipes that can be accessed anonymously | COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, TrkSvr
Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion
Network access: Remotely accessible registry paths and sub-paths | System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog

See “About post-installation tasks” on page 96.
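To check a server against Tables 8-1 to 8-3 without reading each value off the console, the following added example (not from the guide) exports the local policy with secedit and compares the INF keys; it assumes an elevated session and secedit's own key names and audit-value encoding:

```powershell
# Added example, not from the Symantec guide: export the effective local security policy
# with secedit and compare it with Tables 8-1 to 8-3. Assumptions: elevated session; key
# names as secedit writes them under [System Access] and [Event Audit]; audit values in
# secedit's encoding (0 none, 1 success, 2 failure, 3 success and failure).
$expected = @{
    # Table 8-1, Account Lockout Policy
    'LockoutBadCount'       = @('3')
    'ResetLockoutCount'     = @('15')
    'LockoutDuration'       = @('0', '-1')   # assumption: the console's 0 may be exported as 0 or -1
    # Table 8-2, Password Policy
    'PasswordHistorySize'   = @('24')
    'MaximumPasswordAge'    = @('60')
    'MinimumPasswordAge'    = @('2')
    'MinimumPasswordLength' = @('10')
    'PasswordComplexity'    = @('1')
    'ClearTextPassword'     = @('0')         # "Store passwords using reversible encryption" Disabled
    # Table 8-3, Audit Policy
    'AuditAccountLogon'     = @('3')
    'AuditAccountManage'    = @('3')
    'AuditDSAccess'         = @('3')
    'AuditLogonEvents'      = @('3')
    'AuditObjectAccess'     = @('3')
    'AuditPolicyChange'     = @('3')
    'AuditPrivilegeUse'     = @('3')
    'AuditProcessTracking'  = @('0')         # "No auditing"
    'AuditSystemEvents'     = @('3')
}

function Read-SeceditExport {
    param([string]$Path)
    $values = @{}
    foreach ($line in Get-Content -Path $Path) {
        # Only plain "Name = value" keys; registry and privilege entries are not needed here.
        if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$') { $values[$matches[1]] = $matches[2] }
    }
    return $values
}

function Compare-LocalPolicy {
    param([hashtable]$Actual, [hashtable]$Expected)
    $deviations = @()
    foreach ($key in ($Expected.Keys | Sort-Object)) {
        $have = $Actual[$key]
        if ($null -eq $have) { $deviations += "${key}: not defined on this host"; continue }
        if ($Expected[$key] -notcontains $have) {
            $deviations += "${key}: expected $($Expected[$key] -join ' or '), found $have"
        }
    }
    return $deviations
}

$inf = Join-Path $env:TEMP 'dlp-secpol-export.inf'
& secedit /export /cfg $inf /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
try {
    $deviations = Compare-LocalPolicy -Actual (Read-SeceditExport -Path $inf) -Expected $expected
    if ($deviations) { $deviations | ForEach-Object { Write-Warning $_ } }
    else { Write-Host 'Account lockout, password and audit policies match Tables 8-1 to 8-3.' }
} finally {
    Remove-Item -Path $inf -ErrorAction SilentlyContinue   # the export is not needed afterwards
}
```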

About system events and syslog servers

Symantec Data Loss Prevention enables you to send severe system events to a syslog server. Configuring a syslog server in this manner can be helpful after installation to help identify problems with the initial deployment. To enable syslog logging, you must modify the Manager.properties file in the config directory.

See the Symantec Data Loss Prevention System Maintenance Guide for more information about using a syslog server.

Note: As an alternative to syslog logging, you can configure Symantec Data Loss Prevention to send email notifications of severe system events. See the online Help for details.

Enforce Servers and unused NICs

If the Enforce Server has multiple NICs, disable the unused NICs if possible. If the unused NIC cannot be disabled, make the following changes to the properties file. These changes enable the detection servers to talk to the Enforce Server.

On the Enforce Server, in the \SymantecDLP\Protect\config\model.properties file:

model.notification.host=IP
model.notification.serverobject.host=IP

On the detection server, in the \SymantecDLP\Protect\config\model.properties file:

model.notification.host=IP

In the \SymantecDLP\Protect\bin\NotificationTrafficMonitor.lax file:

lax.command.line.args=IP:37328

Where IP is the IP address that you want to bind on.
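Applying the settings above to the files without hand-editing them, as an added PowerShell example that is not from the guide; it assumes the C:\SymantecDLP install root, a placeholder address, Windows Server 2012 or later for Get-NetIPAddress, and that the .lax change belongs on the detection server as the section lists it:

```powershell
# Added example, not from the Symantec guide: write the bind address into the files this
# section lists, leaving every other line intact and keeping a .bak copy of each file.
# Assumptions: C:\SymantecDLP install root; placeholder address; Get-NetIPAddress available
# (Windows Server 2012 or later); Vontu services stopped before the edit and restarted after.
function Set-PropertyValue {
    param([string]$Path, [string]$Key, [string]$Value)
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*='
    $found   = $false
    $updated = @(foreach ($line in @(Get-Content -Path $Path)) {
        if ($line -match $pattern) { $found = $true; "$Key=$Value" } else { $line }
    })
    if (-not $found) { $updated += "$Key=$Value" }   # key absent: append it
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    # Java .properties and .lax files are read as Latin-1; ASCII output is safe for both.
    Set-Content -Path $Path -Value $updated -Encoding ASCII
}

$bindAddress = '10.0.1.10'   # placeholder: address of the NIC the other tier must reach
$role        = 'enforce'     # 'enforce' or 'detection'
$model       = 'C:\SymantecDLP\Protect\config\model.properties'
$lax         = 'C:\SymantecDLP\Protect\bin\NotificationTrafficMonitor.lax'

# Binding to an address this host does not own would leave the listener unreachable.
if (-not (Get-NetIPAddress -IPAddress $bindAddress -ErrorAction SilentlyContinue)) {
    throw "$bindAddress is not configured on any interface of this host"
}

Set-PropertyValue -Path $model -Key 'model.notification.host' -Value $bindAddress
if ($role -eq 'enforce') {
    Set-PropertyValue -Path $model -Key 'model.notification.serverobject.host' -Value $bindAddress
} else {
    Set-PropertyValue -Path $lax -Key 'lax.command.line.args' -Value "${bindAddress}:37328"
}

# Read back so a silent failure does not go unnoticed.
Select-String -Path $model, $lax -Pattern 'model\.notification|lax\.command\.line\.args' -ErrorAction SilentlyContinue |
    ForEach-Object { "$($_.Filename): $($_.Line)" }
```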

Performing initial setup tasks on the Enforce Server

Immediately after installing the Enforce Server, you should perform these initial tasks to set up Symantec Data Loss Prevention.

See the Symantec Data Loss Prevention Administration Guide and online Help for information on how to perform these tasks.

To initially set up Symantec Data Loss Prevention

1 If you have not already done so, back up the unique CryptoMasterKey.properties file for your installation and store the file in a safe place. This file is required for Symantec Data Loss Prevention to encrypt and decrypt the Enforce Server database.

Warning: If the unique CryptoMasterKey.properties file becomes lost or corrupted, you must restore a copy of the file in order for Symantec Data Loss Prevention to function. The Enforce Server database cannot be decrypted without the corresponding CryptoMasterKey.properties file.

2 If you use password authentication, change the Administrator’s password to a unique password known only to you.

3 Add an email address for the Administrator user account so you can be notified of system events.

4 Add user accounts for all users who are authorized to use the system, and provide them with their logon information.

5 If you are responsible for adding policies, add one or more policies.

If not, notify the policy administrator(s) that data profiles have been added and they can proceed with policy addition. Be sure that you have added user accounts with policy access for each policy administrator in your organization and provided them with their logon information.

6 Configure any detection servers that you registered with the Enforce Server.


7 If you installed Network Discover, set up Discover targets.

8 Determine your organization’s incident management workflow and add incident attributes.

You can continue to add data profiles, policies, and reports, and modify your settings to suit your organization’s needs.


Chapter 9: Starting and stopping Symantec Data Loss Prevention services

This chapter includes the following topics:

■ About Data Loss Prevention services

■ About starting and stopping services on Windows

About Data Loss Prevention services

The Symantec Data Loss Prevention services may need to be stopped and started periodically. This section provides a brief description of each service and how to start and stop the services on supported platforms.

The Symantec Data Loss Prevention services for the Enforce Server are described in the following table:

Table 9-1 Symantec Data Loss Prevention services

Service Name | Description
Vontu Manager | Provides the centralized reporting and management services for Symantec Data Loss Prevention.
Vontu Monitor Controller | Controls the detection servers (monitors).
Vontu Notifier | Provides the database notifications.
Vontu Incident Persister | Writes the incidents to the database.
Vontu Update | Installs the Symantec Data Loss Prevention system updates.

See “About starting and stopping services on Windows” on page 116.

About starting and stopping services on Windows

The procedures for starting and stopping services vary according to installation configurations and between Enforce and detection servers.

■ See “Starting an Enforce Server on Windows” on page 116.

■ See “Stopping an Enforce Server on Windows” on page 117.

■ See “Starting a Detection Server on Windows” on page 117.

■ See “Stopping a Detection Server on Windows” on page 117.

■ See “Starting services on single-tier Windows installations” on page 118.

■ See “Stopping services on single-tier Windows installations” on page 118.

Starting an Enforce Server on Windows

Use the following procedure to start the Symantec Data Loss Prevention services on a Windows Enforce Server.

To start the Symantec Data Loss Prevention services on a Windows Enforce Server

1 On the computer that hosts the Enforce Server, navigate to Start > All Programs > Administrative Tools > Services to open the Windows Services menu.

2 Start the Symantec Data Loss Prevention services in the following order:

■ Vontu Notifier

■ Vontu Manager

■ Vontu Incident Persister

■ Vontu Monitor Controller (if applicable)

■ Vontu Update (if necessary)

Note: Start the Vontu Notifier service first before starting other services.


See “Stopping an Enforce Server on Windows” on page 117.

Stopping an Enforce Server on Windows

Use the following procedure to stop the Symantec Data Loss Prevention services on a Windows Enforce Server.

To stop the Symantec Data Loss Prevention Services on a Windows Enforce Server

1 On the computer that hosts the Enforce Server, navigate to Start > All Programs > Administrative Tools > Services to open the Windows Services menu.

2 From the Services menu, stop all running Symantec Data Loss Prevention services in the following order:

■ Vontu Monitor Controller (if applicable)

■ Vontu Incident Persister

■ Vontu Manager

■ Vontu Notifier

■ Vontu Update (if necessary)

See “Starting an Enforce Server on Windows” on page 116.

Starting a Detection Server on Windows

To start the Symantec Data Loss Prevention services on a Windows detection server

1 On the computer that hosts the detection server, navigate to Start > All Programs > Administrative Tools > Services to open the Windows Services menu.

2 Start the Symantec Data Loss Prevention services, which might include the following services:

■ Vontu Monitor

■ Vontu Update

See “Stopping a Detection Server on Windows” on page 117.

Stopping a Detection Server on Windows

Use the following procedure to stop the Symantec Data Loss Prevention services on a Windows detection server.


To stop the Symantec Data Loss Prevention Services on a Windows detection server

1 On the computer that hosts the detection server, navigate to Start > All Programs > Administrative Tools > Services to open the Windows Services menu.

2 From the Services menu, stop all running Symantec Data Loss Prevention services, which might include the following services:

■ Vontu Update

■ Vontu Monitor

See “Starting a Detection Server on Windows” on page 117.

Starting services on single-tier Windows installations

Use the following procedure to start the Symantec Data Loss Prevention services on a single-tier installation on Windows.

To start the Symantec Data Loss Prevention services on a single-tier Windows installation

1 On the computer that hosts the Symantec Data Loss Prevention server applications, navigate to Start > All Programs > Administrative Tools > Services to open the Windows Services menu.

2 Start the Symantec Data Loss Prevention services in the following order:

■ Vontu Notifier

■ Vontu Manager

■ Vontu Incident Persister

■ Vontu Monitor Controller (if applicable)

■ Vontu Monitor

■ Vontu Update (if necessary)

Note: Start the Vontu Notifier service before starting other services.

See “Stopping services on single-tier Windows installations” on page 118.

Stopping services on single-tier Windows installations

Use the following procedure to stop the Symantec Data Loss Prevention services on a single-tier installation on Windows.


To stop the Symantec Data Loss Prevention services on a single-tier Windows installation

1 On the computer that hosts the Symantec Data Loss Prevention server applications, navigate to Start > All Programs > Administrative Tools > Services to open the Windows Services menu.

2 From the Services menu, stop all running Symantec Data Loss Prevention services in the following order:

■ Vontu Monitor

■ Vontu Monitor Controller (if applicable)

■ Vontu Incident Persister

■ Vontu Manager

■ Vontu Notifier

■ Vontu Update (if necessary)

See “Starting services on single-tier Windows installations” on page 118.
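The start and stop orders from the procedures above, as an added PowerShell example that is not from the guide; it assumes an elevated session on the server in question, skips services not installed on that role, and leaves Vontu Update alone unless asked:

```powershell
# Added example, not from the Symantec guide: start or stop the Vontu services in the order
# the procedures above give, waiting for each to reach its state before moving on so that
# Vontu Notifier is up before anything that depends on it. Assumptions: elevated session;
# the role's services are installed under the display names used in this chapter.
$serviceOrder = @{
    'enforce'     = @{
        Start = @('Vontu Notifier', 'Vontu Manager', 'Vontu Incident Persister', 'Vontu Monitor Controller')
        Stop  = @('Vontu Monitor Controller', 'Vontu Incident Persister', 'Vontu Manager', 'Vontu Notifier')
    }
    'detection'   = @{
        Start = @('Vontu Monitor')
        Stop  = @('Vontu Monitor')
    }
    'single-tier' = @{
        Start = @('Vontu Notifier', 'Vontu Manager', 'Vontu Incident Persister', 'Vontu Monitor Controller', 'Vontu Monitor')
        Stop  = @('Vontu Monitor', 'Vontu Monitor Controller', 'Vontu Incident Persister', 'Vontu Manager', 'Vontu Notifier')
    }
}

function Invoke-VontuServices {
    param(
        [ValidateSet('Start', 'Stop')][string]$Action,
        [ValidateSet('enforce', 'detection', 'single-tier')][string]$Role,
        [switch]$IncludeUpdate,          # Vontu Update is "if necessary" in every procedure
        [int]$TimeoutSeconds = 180
    )
    $names = @($serviceOrder[$Role][$Action])
    if ($IncludeUpdate) { $names += 'Vontu Update' }   # last in both the start and the stop lists
    foreach ($name in $names) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "$name is not installed on this host; skipping"; continue }
        $target = if ($Action -eq 'Start') { 'Running' } else { 'Stopped' }
        if ($svc.Status -ne $target) {
            if ($Action -eq 'Start') { Start-Service -InputObject $svc } else { Stop-Service -InputObject $svc }
        }
        # Block until the service reports the target state; a timeout throws and stops the sequence.
        $svc.WaitForStatus($target, [TimeSpan]::FromSeconds($TimeoutSeconds))
        Write-Host "$name is $target"
    }
}

# Example: the "Stopping an Enforce Server on Windows" procedure, then the start procedure.
Invoke-VontuServices -Action Stop  -Role enforce
Invoke-VontuServices -Action Start -Role enforce
```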


Chapter 10: Uninstalling Symantec Data Loss Prevention

This chapter includes the following topics:

■ Uninstalling a server or component from a Windows system

■ About Symantec DLP Agent removal

Uninstalling a server or component from a Windows system

You can uninstall Symantec Data Loss Prevention from a Windows-based Enforce Server or detection server. You can uninstall Symantec Data Loss Prevention by:

■ Using Add or Remove Programs control from the Windows Control Panel

■ Double-clicking on the c:\SymantecDLP\uninstall.exe file

■ Running c:\SymantecDLP\uninstall.exe from the command line

■ Selecting Start > All Programs > Symantec DLP > Symantec DLP Uninstaller

Note: Uninstalling Symantec Data Loss Prevention also removes the incremental scan index that is used with Network Discover. If you want to preserve the incremental scan index, back it up before you uninstall Symantec Data Loss Prevention. See the Symantec Data Loss Prevention System Maintenance Guide for information about backing up the incremental scan index.


To uninstall a Windows server

1 Before running the uninstaller, ensure that you have backed up all keystore files in the c:\SymantecDLP\Protect\keystore directory.

2 Run c:\SymantecDLP\uninstall.exe. Or open the Add or Remove Programs control from the Windows Control Panel, select the Symantec Data Loss Prevention entry, and then click Change/Remove.

The Symantec Data Loss Prevention Uninstall panel appears.

3 Click Next to display the Preserve Reinstallation Resources panel.

4 Select Preserve Reinstallation Resources to indicate that the uninstaller should not remove the CryptoMasterKey.properties file or the keystore files.

Note: Each Symantec Data Loss Prevention installation encrypts its database using a unique CryptoMasterKey.properties file, and uses unique keystore files for Endpoint certificate management. Exact copies of these files are required if you intend to reuse the existing Symantec Data Loss Prevention database and Endpoint Servers. Preserving your Enforce Schema during uninstallation creates an EnforceReinstallationResources.zip file containing both the CryptoMasterKey.properties and keystore files, which you can use during the reinstallation process. If the EnforceReinstallationResources.zip file becomes lost or corrupted and you do not have a backup, contact Symantec Technical Support to recover the file.

5 Click Next to uninstall Symantec Data Loss Prevention.

6 Click Finish to complete the uninstall process.

If you chose to save the EnforceReinstallationResources.zip, it is preserved in the c:\SymantecDLP directory.

About Symantec DLP Agent removal

You may need to uninstall the Symantec DLP Agent from your endpoints. You can uninstall Symantec DLP Agents in the following ways:

Table 10-1 Removing the Symantec DLP Agent

■ Removing a DLP Agent from a Windows endpoint

■ Removing DLP Agents from Windows endpoints using system management software

■ Removing DLP Agents from Mac endpoints using system management software

■ Removing a DLP Agent from a Mac endpoint

Removing DLP Agents from Windows endpoints using system management software

Follow this procedure if you elected to hide the Symantec Data Loss Prevention service from the Add or Remove Programs list (ARP) during installation. Because the Symantec DLP Agent does not appear in the ARP, you cannot use the ARP list for the uninstallation process. You must use the MSI command to remove the Symantec DLP Agent. Only use the MSI command uninstallation if you have hidden the Symantec DLP Agent from the ARP during installation.

To remove the agent with the MSI command

1 Open the command prompt window.

2 Enter the string:

msiexec /x AgentInstall.msi

You can add several different options to this command prompt.

3 Click OK.

The Symantec DLP Agent uninstalls.

To remove the agent manually if the agent does not appear in the ARP

1 Open the command prompt window.

2 Enter the following command where [guid] is the product code. You can locate the GUID from the Windows registry or in the uninstall_agent.bat file.

You can add several other options to this command prompt:

msiexec /x {guid}


3 Enter any optional commands to the end of the command:

msiexec /x AgentInstall.msi

4 Click OK.

You can add options to the uninstall command such as SilentMode or Logname. SilentMode allows the Symantec DLP Agent to uninstall without displaying a user interface on the desktop. The uninstallation takes place in the background of the workstation and is not visible to the user. Logname lets you set any log file you want. However, this option is only available if you have the original installer present. If you do not have the original installer, you must use the product code.

The switch for silent mode is:

/QN

The switch for Logname is:

/L*V <logname>

msiexec.exe has several other options. For further options, see your MSI guide.

See “About Symantec DLP Agent removal” on page 121.
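The product-code removal described above, as an added example that is not part of the Symantec guide: it finds the agent's MSI product code in the Windows Installer uninstall keys (a hidden ARP entry still has one; only the list hides it), checks that the prompt is elevated as the note on Windows 7/8/8.1 requires, and runs msiexec /x with the silent and verbose-log switches. The DisplayName 'Agent Install' is assumed from the Add or Remove Programs entry the guide names; the log path is an assumption.

```powershell
# Added example (not from the Symantec guide): remove a DLP Agent that was hidden
# from Add or Remove Programs by product code, silently, with a verbose MSI log.

function Test-IsElevated {
    # Windows 7/8/8.1 agents must be removed from an elevated prompt.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DlpAgentProductCode {
    # DisplayName assumed from the guide's ARP entry; adjust if your deployment renamed it.
    param([string] $DisplayName = 'Agent Install')
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $hit = Get-ChildItem $root |
            ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.DisplayName -eq $DisplayName -and
                           $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } |
            Select-Object -First 1
        # Key name is the product code, e.g. {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} (placeholder)
        if ($hit) { return $hit.PSChildName }
    }
    return $null
}

function Uninstall-DlpAgent {
    param(
        [Parameter(Mandatory = $true)] [string] $ProductCode,
        [string] $LogPath = "$env:TEMP\dlp_agent_uninstall.log"   # assumed location
    )
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated command prompt.' }
    # /qn = no UI (the guide's SilentMode), /L*V = verbose log (the guide's Logname).
    $msiArgs = "/x $ProductCode /qn /L*V `"$LogPath`""
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    # Windows Installer: 0 = success, 3010 = success but reboot required; anything
    # else is a failure whose cause is in the verbose log.
    return $proc.ExitCode
}

$code = Get-DlpAgentProductCode
if (-not $code) { throw 'DLP Agent product code not found; check uninstall_agent.bat.' }
$exit = Uninstall-DlpAgent -ProductCode $code
Write-Host "msiexec exit code: $exit (log: $env:TEMP\dlp_agent_uninstall.log)"
```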

Removing a DLP Agent from a Windows endpoint

You can uninstall Symantec DLP Agents manually. Manual uninstallation is only possible if you configured the Symantec DLP Agent to appear in the endpoint Add or Remove Programs list during deployment.

Note: You uninstall Windows 7/8/8.1 agents in Elevated Command Prompt mode. See “Using the Elevated Command Prompt with Windows” on page 80.

See “Process to install the DLP Agent on Windows” on page 81.

To uninstall the agent manually

1 Go to Start > Control Panel and double-click Add or Remove Programs.

2 Select Agent Install.

3 Click Remove.

See “About Symantec DLP Agent removal” on page 121.


Removing DLP Agents from Mac endpoints using system management software

Use the following steps to remove DLP Agents from Mac endpoints using your system management software (SMS).

To remove the agent

1 Locate the uninstall_agent command and copy it to a temporary location on the endpoint.

This tool is located in the Symantec_DLP_12.5_Agent_Mac-IN.zip file.

2 Add the uninstall command to your SMS.

/tmp/uninstall_agent -prompt=n

rm -f /tmp/uninstall_agent

Replace /tmp with the location where the uninstall_agent command is located.

3 Identify agents to be uninstalled and run the uninstallation.

Removing a DLP Agent from a Mac endpoint

You can uninstall the Mac DLP Agent by running the uninstaller tool from the default agent installation location: /Library/Manufacturer/Endpoint Agent.

To uninstall the DLP Agent from Mac endpoints

1 Open the Terminal app.

2 Run this command:

$ sudo ./uninstall_agent

Note: You can review uninstall logs on the Terminal application by running this command: sudo ./uninstall_agent -prompt=no -log=console. By default, logs are saved to the uninstall_agent.log file.


Appendix A: Installing Symantec Data Loss Prevention with the FIPS encryption option

This appendix includes the following topics:

■ About FIPS encryption

■ Installing Symantec Data Loss Prevention with FIPS encryption enabled

■ Configuring Internet Explorer when using FIPS

About FIPS encryption

The Federal Information Processing Standards 140-2 (FIPS) are federally defined standards on the use of cryptography. Using FIPS encryption is not generally recommended for most customers because it requires additional computational overhead.

Before you enable FIPS encryption, you must contact your Symantec representative.

You should install Symantec Data Loss Prevention with FIPS encryption enabled only if your organization must comply with FIPS regulations (typical organizations include US government agencies and departments). If you do not choose to use FIPS encryption, the installer defaults to standard encryption. After you have installed Symantec Data Loss Prevention, you cannot switch to a different encryption option except by reinstalling Symantec Data Loss Prevention. When a re-installation is required, old incidents are not preserved.

See “Installing Symantec Data Loss Prevention with FIPS encryption enabled” on page 126.


Note: You must install all Symantec Data Loss Prevention servers with the same encryption option; you cannot mix encryption options. If the Endpoint Prevent Server is installed with FIPS enabled, no additional configuration is required to enable FIPS encrypted communication with your DLP Agents.

If your organization uses Internet Explorer to access the Enforce Server, then you must ensure that Internet Explorer is configured to use FIPS.

See “Configuring Internet Explorer when using FIPS” on page 126.

Installing Symantec Data Loss Prevention with FIPS encryption enabled

To run Symantec Data Loss Prevention with FIPS encryption, Symantec Data Loss Prevention has to be installed with FIPS enabled.

See “About FIPS encryption” on page 125.

To install the Symantec Data Loss Prevention software with FIPS encryption enabled

◆ When installing each Symantec Data Loss Prevention server, execute the ProtectInstaller with the -VJCEProviderType=FIPS command-line argument:

ProtectInstaller64_12.5.exe -VJCEProviderType=FIPS

When this command is entered correctly, the first panel of the Installation Wizard notifies you that the system is being installed with FIPS encryption enabled.

See “Installing an Enforce Server” on page 26.

See “Installing a detection server” on page 45.

See “Installing a single-tier server” on page 61.

If your organization uses Internet Explorer to access the Enforce Server administration console, you must ensure that Internet Explorer is configured to use FIPS.

See “Configuring Internet Explorer when using FIPS” on page 126.

Configuring Internet Explorer when using FIPS

If you have installed Federal Information Processing Standards (FIPS) support, you must enable TLS 1.0 protocol support in Internet Explorer to access Symantec Data Loss Prevention with that browser.


Note: Firefox is already FIPS compatible. You do not need to perform the steps in this section to access Symantec Data Loss Prevention with Firefox.

You must first enable TLS 1.0 protocol support in Internet Explorer, and then enable FIPS compliance in Windows. This procedure must be done on all Windows computers in your organization that access the Symantec Data Loss Prevention Enforce Server administration console.

To enable TLS 1.0 protocol support in Internet Explorer

1 Go to Tools > Internet Options.

2 Go to the Advanced tab.

3 Scroll down to the Security settings.

4 Make sure that the following check boxes are selected: Use SSL 2.0, Use SSL 3.0, and Use TLS 1.0.

5 Click Apply.

6 Click OK.

Internet Explorer on all computers that access the Enforce Server must be configured to use the TLS 1.0 protocol.

All Windows computers that access the Enforce Server administration console with an Internet Explorer browser must be configured for FIPS compliance.

To enable FIPS compliance in Windows

1 Open the Windows Control Panel.

2 Double-click Administrative Tools.

3 Double-click Local Security Policy.

4 In the Local Security Settings, double-click Local Policies.

5 Double-click Security Options.

6 In the Policy pane on the right, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.

7 Choose the Enabled radio button and then click Apply.
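A read-only check for the two procedures above, added here as an example that is not part of the Symantec guide: it reports whether the Windows FIPS policy is enabled and which protocols Internet Explorer has enabled, by reading the registry values that back the Local Security Policy setting and the Internet Options check boxes. It assumes it runs on a client computer for the current user; a machine-wide (HKLM) policy, if one is set, takes precedence over the per-user value it reads.

```powershell
# Added example (not from the Symantec guide): verify, without changing anything,
# the FIPS policy and IE protocol settings on a computer that accesses the
# Enforce Server administration console.

# Bit values of Internet Explorer's SecureProtocols DWORD (Internet Options > Advanced).
$protocolBits = [ordered]@{
    'SSL 2.0' = 0x8
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

function Get-IeSecureProtocols {
    param([string] $Hive = 'HKCU')   # HKCU = current user; HKLM = machine policy
    $key = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    $val = (Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $val) { return $null }   # value absent: the browser default applies
    $enabled = [ordered]@{}
    foreach ($name in $protocolBits.Keys) {
        $enabled[$name] = (($val -band $protocolBits[$name]) -ne 0)
    }
    return $enabled
}

function Get-WindowsFipsPolicy {
    # Backing value of "System cryptography: Use FIPS compliant algorithms for
    # encryption, hashing, and signing" (Local Security Policy > Security Options).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $val = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    return ($val -eq 1)
}

Write-Host ("Windows FIPS policy enabled: {0}" -f (Get-WindowsFipsPolicy))

$ie = Get-IeSecureProtocols
if ($null -eq $ie) {
    Write-Host 'IE SecureProtocols not set for this user (browser default applies)'
} else {
    foreach ($name in $ie.Keys) { Write-Host ("IE {0,-8} enabled: {1}" -f $name, $ie[$name]) }
    if (-not $ie['TLS 1.0']) {
        Write-Host 'TLS 1.0 is disabled in IE; the FIPS-enabled Enforce console requires it.'
    }
}
```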


Index

A
Additional Locale panel 30, 64
Administrator Credentials panel 34, 68
AL32UTF8 character set 30
antivirus software
    scan exclusions, DLP 102
    scan exclusions, Oracle 103

B
browser certificates 98
    creating 99

C
certificates
    browser 98
    browser, creating 99
    self-signed, creating 99
    server, generating 55
    SSL/TLS 97
    sslkeytool 52, 55
classification server 43

D
database. See Oracle database
detection server installation 45
    permissions 45
    preparations 44
    ProtectInstaller64_12.5.exe 46
    registering 49
    remote indexers 44
    Select Components panel 47
    Select Destination Directory panel 47
    System Account panel 48
    Transport Configuration panel 48
    types of 41
    verifying 49
    WinPcap 46, 62
DLPDownloadHome directory 15

E
Endace cards
    dagsnap command 25
    SPAN tap 24
Endpoint Server
    redundancy 79
Enforce Server installation
    System Account panel 36
Enforce server installation 26
    Additional Locale panel 30
    Administrator Credentials panel 34, 68
    initial setup tasks 113
    Initialize DLP Database panel 30
    Initialize Enforce Data 30
    installation steps 27
    Oracle Database User Configuration panel 30
    Oracle Listener Port 29
    Select Components panel 27
    System Account panel 29
    verifying 35

F
FIPS encryption 27, 125–126
    Internet Explorer, configuration 126
    VJCEProviderType=FIPS parameter 126
firewall configuration 103

H
hosts file 24

I
initial setup tasks 113
Initialize DLP Database panel 30, 64
Initialize Enforce Data 30
Initialize Enforce Data panel 64
installation 11
    See also detection server installation
    See also Enforce server installation
    See also single-tier installation
    See also three-tier installation
    See also two-tier installation
    FIPS encryption 125–126
    logs 36, 70
    materials, required 15
    preinstallation steps 22
    servers, verifying before installation 23
    system requirements 14
    uninstalling 120
    VJCEProviderType=FIPS parameter 126

K
keystore 101
keytool command 99
    options 100

L
license files 15
logs 36, 70

M
Microsoft Auto Update 22

N
Napatech cards
    SPAN tap 24
NIC cards 23
    unused 112

O
Oracle database
    AL32UTF8 character set 30
    OracleOraDb10g_home1TNSListener service 35
    OracleServicePROTECT service 35
    required character set 30
    software 15
Oracle Database Server Information panel 64
Oracle Database User Configuration panel 30, 64
Oracle Listener Port 29
OracleOraDb10g_home1TNSListener service 35
OracleServicePROTECT service 35

P
ports
    10026 (telnet) 25
    1521 (Oracle Listener Port) 64
    25 (SMTP) 24
    3389 (RDP) 24
    3389 (Windows Remote Desktop Client) 103
    443 (SSL) 24
    8100 (Enforce - detection) 48, 50, 63
    Enforce - detection connection range 48, 50
    Oracle Listener 29, 64
post-installation tasks 96
    initial system setup 113
    security configuration 96
    syslog servers 112
    unused NIC cards 112
preinstallation steps 22
ProtectInstaller64_12.5.exe 22, 27
ProtectInstaller_12.0.exe 62
ProtectInstaller_12.5.exe 27, 46

R
registering a detection server 49
remote desktop connections 24
requirements 14
    materials 15

S
security configuration 96
    antivirus software 101
    auditing 107
    browser certificates 98
    browser certificates, creating 99
    certificate, self-signed 99
    firewall configuration 103
    self-signed certificate 99
    SSL/TLS certificates 97
    virus scan exclusions 102
    virus scan exclusions, Oracle 103
    Windows hardening 104
    Windows password policies 106
    Windows policies 106
    Windows security options 112
    Windows settings 105
    Windows users 109
Select Components panel 27, 47, 62
Select Destination Directory panel 47, 63
single-tier installation 11, 61
    Additional Locale panel 64
    high-level steps 20
    Initialize DLP Database panel 64
    Initialize Enforce Data panel 64
    Oracle Database Server Information panel 64
    Oracle Database User Configuration 64
    ProtectInstaller_12.0.exe 62
    Select Components panel 62
    Select Destination Directory panel 63
    System Account panel 63
    Transport Configuration panel 63
    verifying 69
64-bit installer 22
solution packs 37
    file names 22
    importing 38
    list of 38
    SolutionPackInstaller.exe 40
SolutionPackInstaller.exe 40
SPAN port/tap 24
SSL/TLS certificates 97
sslkeytool 52
    generating server certificates 55
    options 53
Symantec DLP Agent
    installation 81
    installed aspects 84, 91
    installing on Windows Vista 80
    installing with system management software 82, 90
    preinstallation steps 79
    removing 121
    removing manually 123
    removing with system management software (SMS) 122, 124
    watchdog service 84
syslog servers 112
System Account panel 29, 48, 63
    default 36
System Center Configuration Manager 82
system events 112
system requirements 14
Systems Management Server (SMS) 82

T
three-tier installation 11
    high-level steps 16
tiers, installation 11
Transport Configuration panel 48, 63
two-tier installation 11
    high-level steps 19

U
uninstallation passwords
    using 94
uninstalling 120
upgrading agents
    uninstallation passwords 95

V
verification
    detection server installation 49
    Enforce Server installation 35
    servers ready for installation 23
    single-tier installation 69
VJCEProviderType=FIPS parameter 126
Vontu services
    starting 116–118
    stopping 116–118

W
watchdog service 84
Windows
    auditing 107
    password policies 106
    policy settings 106
    security hardening 104
    security options 112
    security settings 105
    users 109
Windows Services for UNIX (SFU) 16
WinPcap 15, 45
Wireshark 15
