Data Loss Prevention Endpoint 9.2 Installation Guide for use with

Installation Guide
McAfee® Data Loss Prevention 9.2
Software
For Use with ePolicy Orchestrator® 4.5.0 Software
COPYRIGHT
Copyright © 2011 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by
any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE),
MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered
trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of
McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Contents
Preface
    About this guide
        Audience
        Conventions
    Finding product documentation
1 About McAfee Data Loss Prevention Endpoint software
    Recommended installation
    Choosing a McAfee DLP configuration
    Backward-compatible installation
2 Install McAfee DLP Endpoint software
    Verify system requirements
    Configure the server
    Install McAfee ePolicy Orchestrator
    Installing McAfee DLP WCF service
        Install the McAfee DLP WCF service
    Before you install the extension
        Creating and configuring repository folders
    Install the McAfee Data Loss Prevention Endpoint extension
    Working in a cluster environment
        Prepare the cluster
        Test the cluster
3 Post-installation tasks
    Initialize the DLP Policy console
    Upgrade the license
    Initialize the McAfee DLP Monitor
    Check in the McAfee DLP Endpoint package to ePolicy Orchestrator
    Deploying McAfee DLP Endpoint
        Define a default rule
        Deploy McAfee DLP Endpoint with ePolicy Orchestrator
        Verify the installation
        Uninstalling McAfee DLP Endpoint
A Deploying McAfee Data Loss Prevention Endpoint software with SMS
    Create an installation package
    Create the advertisement
    Create the SMS uninstall package
    Create an SMS uninstall package to run from a command line
B Users and permission sets
    Create and define McAfee DLP administrators
    Create and define permission sets
    DLP permission set options
C Installing a version upgrade
    Upgrading issues
    Phased upgrade
    Upgrade McAfee DLP Endpoint software
    Restore the policy after upgrade
Index
Preface
Detailed information for installation, verification, and configuration of McAfee DLP Endpoint software.
This guide provides the necessary information for installing McAfee® Data Loss Prevention Endpoint
software. It provides detailed steps and verification of the installation process. This guide
demonstrates how to configure the recommended architecture, and when completed the user will have
a fully functional McAfee DLP Endpoint software implementation that is properly configured.
McAfee DLP Endpoint software is very flexible in meeting a variety of implementation architectures.
We recognize that many configuration possibilities exist, and that the recommended architecture
represents only one path.
Contents
About this guide
Finding product documentation
About this guide
This information describes the guide's target audience, the typographical conventions and icons used
in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
• Security officers — People who determine sensitive and confidential data, and define the
  corporate policy that protects the company's intellectual property.
Conventions
This guide uses the following typographical conventions and icons.
Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.
Bold: Text that is strongly emphasized.
User input or Path: Commands and other text that the user types; the path of a folder or program.
Code: A code sample.
User interface: Words in the user interface including options, menus, buttons, and dialog boxes.
Hypertext blue: A live link to a topic or to a website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system,
software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware
product.
Finding product documentation
McAfee provides the information you need during each phase of product implementation, from
installation to daily use and troubleshooting. After a product is released, information about the product
is entered into the McAfee online KnowledgeBase.
Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:

To access...          Do this...
User documentation    1 Click Product Documentation.
                      2 Select a product, then select a version.
                      3 Select a product document.
KnowledgeBase         • Click Search the KnowledgeBase for answers to your product questions.
                      • Click Browse the KnowledgeBase for articles listed by product and version.
1 About McAfee Data Loss Prevention Endpoint software
McAfee® Data Loss Prevention Endpoint (McAfee DLP Endpoint) software protects enterprises from the
risk associated with unauthorized transfer of data from within or outside the organization.
McAfee DLP Endpoint software is a content-based endpoint solution that inspects enterprise users’
actions concerning sensitive content in their own work environment, their computers. It uses
advanced discovery technology as well as predefined dictionaries to identify this content, and
incorporates device management and encryption for additional layers of control.
McAfee DLP Endpoint software prevents transmission of sensitive data from desktops and laptops,
whether or not they are connected to the enterprise network. It protects against data loss regardless of
the format in which data is stored or manipulated.
McAfee® Device Control software incorporates the device management functionality of McAfee DLP
Endpoint software in a simpler package which is sold separately. It prevents unauthorized use of
removable media devices, the most widespread and costly source of data loss in many companies today.
McAfee DLP Endpoint software is administered from the McAfee® ePolicy Orchestrator® (McAfee ePO™)
management console.
Contents
Recommended installation
Choosing a McAfee DLP configuration
Backward-compatible installation
Recommended installation
The recommended installation for McAfee Data Loss Prevention Endpoint software version 9.x is on a
single server together with McAfee ePO and the McAfee ePO database. The McAfee DLP WCF service
can be installed on a separate server from the McAfee ePO database.
Figure 1-1 McAfee DLP Endpoint components and relationships
The recommended architecture includes:
• McAfee ePO server — Hosts the embedded interfaces (McAfee DLP Monitor and McAfee DLP
  Endpoint policy console) and communicates with the McAfee Agents.
• McAfee ePO Reports — A list of McAfee DLP Endpoint Events within the ePolicy Orchestrator
  reporting service.
• McAfee DLP WCF (Windows Communication Foundation) Service — Communicates
  between ePolicy Orchestrator and McAfee DLP Endpoint policy console to distribute policies, and
  with the McAfee DLP Monitor.
• McAfee ePO Event Parser — Communicates with the McAfee Agent and stores event
  information in a database.
• DLP Event Parser — Collects McAfee DLP Endpoint events from the ePolicy Orchestrator Event
  Parser and stores them in tables in the SQL database.
• ePO database — Communicates with the ePolicy Orchestrator Policy Distributor to distribute
  policies, and with the McAfee DLP Event Parser to collect events and evidence.
• Administrator workstation — Accesses ePolicy Orchestrator, McAfee DLP Monitor, and McAfee
  DLP Endpoint policy console in a browser through the McAfee DLP WCF service.
• Managed workstation — Applies the security policies using the following software:
    • McAfee DLP Endpoint — A McAfee Agent plug-in that provides the DLP processes.
    • McAfee Agent — Provides the communication channel between the McAfee ePO server and the
      McAfee DLP Endpoint.
Choosing a McAfee DLP configuration
Classifying corporate information into different data loss prevention categories is a key step in
deploying and administering McAfee Data Loss Prevention Endpoint software. While guidelines and
best practices exist, the ideal schema is dependent on your enterprise goals and needs, and is unique
for each installation. Choosing between the two DLP configurations — McAfee Device Control and full
McAfee Data Loss Prevention Endpoint — is the first step in determining how those needs will be met.
Because it might be difficult to determine in advance exactly what your unique needs are, we
recommend initial deployment to a sample group of 15 to 20 users for a trial period of about a month.
During this trial, no data is classified, and a policy is created to monitor, not block, transactions. The
monitoring data helps the security officers make good decisions about where and how to classify
corporate data. The policies created from this information should be tested on a larger test group (or,
in the case of very large companies, on a series of successively larger groups) before being deployed
to the entire enterprise.
McAfee Device Control vs McAfee DLP Endpoint
McAfee Device Control software prevents unauthorized use of removable media devices. Full McAfee
DLP Endpoint software gives you a complete set of tools to inspect enterprise users’ actions
concerning sensitive content anywhere on their computers. The default installation is for McAfee
Device Control software; upgrading is done by changing the licensing. Many organizations begin with
device control, as removable media represent the most widespread and costly source of data loss, and
upgrade as their needs become better defined.
The following table compares the features.
Table 1-1 Feature comparison of software versions

Feature                              McAfee Device Control software             McAfee DLP Endpoint software
Enterprise Applications List         Yes                                        Yes
Database Administration              Yes                                        Yes
Database Statistics                  Yes                                        Yes
Dictionaries                         Yes                                        Yes
Registered Documents Repositories    Yes                                        Yes
Text Patterns                        Yes                                        Yes
Application Definitions              Yes                                        Yes
Document Properties                  Yes                                        Yes
Email Destinations                   No                                         Yes
File Extension Definitions           Yes                                        Yes
File Server Definitions              No                                         Yes
Network Definitions                  No                                         Yes
Printer Definitions                  No                                         Yes
Tags and Categories                  Yes (Content categories and groups only)   Yes (Content categories, tags, and groups)
Web Destinations                     No                                         Yes
Whitelist Repository                 Yes                                        Yes
Device Classes                       Yes                                        Yes
Device Definitions                   Yes                                        Yes
Device Rules                         Yes                                        Yes
Whitelisted Applications             Yes                                        Yes
User Assignment Groups               Yes                                        Yes
Privileged Users                     Yes                                        Yes
RM Servers                           No                                         Yes
RM Policies                          No                                         Yes
Encryption Keys                      Yes                                        Yes
Classification Rules                 Yes                                        Yes
Discovery Rules                      No                                         Yes
Protection Rules                     Yes (Removable Storage Protection only)    Yes:
                                                                                • Application File Access Protection
                                                                                • PDF/Imagewriter Protection
                                                                                • Clipboard Protection
                                                                                • Printing Protection
                                                                                • Email Destinations Protection
                                                                                • Removable Storage Protection
                                                                                • File System Protection
                                                                                • Screen Capture Protection
                                                                                • Network Communication Protection
                                                                                • Web Post Protection
Tagging Rules                        No                                         Yes

The table groups these features under the headings Applications, Database Administration, Content Based
Definitions, Definitions, Device Management, Policy Assignment, RM and Encryption, and Rules.
Backward-compatible installation
To allow an orderly upgrade in large enterprises that have deployed previous versions of McAfee DLP
Endpoint in their production environment, an option exists to deploy backward-compatible policies to
computers still running the older agents.
Host DLP Agent 3.0 Patch 1 is the earliest version supported by this feature. Enterprises running
earlier versions must upgrade to Host DLP Agent 3.0 Patch 1 or later before upgrading to McAfee DLP
Endpoint 9.2.
McAfee DLP Endpoint version 9.2 utilizes a standardized XML policy format, introduced in Version 9.0.
This format is more intuitive, and facilitates integration with other ePolicy Orchestrator applications. As
a result, the backward compatibility option that allows communication with both old and new agents
has five levels:
• No compatibility (all endpoints are version 9.2)
• McAfee DLP Endpoint Agent 3.0 and later
• McAfee DLP Endpoint Agent 9.1 and later
• McAfee DLP Endpoint Agent 3.5 or current version
• McAfee DLP Endpoint Agent 9.0 and later
The compatibility option "DLP Agent 3.0.5 or current version" refers to a specific hotfix. Unless you
specifically know that you are using this hotfix, choose DLP Agent 3.0 compatibility for all version 3.x
agents.
DLP Agent 2.2 Patch 4 is no longer supported.
The agent compatibility option is selected during the McAfee DLP Endpoint policy console initialization.
2 Install McAfee DLP Endpoint software
Prepare your environment and install McAfee DLP Endpoint software in ePolicy Orchestrator.
Contents
Verify system requirements
Configure the server
Install McAfee ePolicy Orchestrator
Installing McAfee DLP WCF service
Before you install the extension
Install the McAfee Data Loss Prevention Endpoint extension
Working in a cluster environment
Verify system requirements
The following hardware is recommended for running McAfee DLP Endpoint software version 9.2.
Table 2-1 Hardware requirements

Hardware type          Specifications
Servers                • CPU: Intel Pentium IV 2.8 GHz or higher
                       • RAM:
                           • 512 MB minimum for McAfee Device Control software only (1 GB recommended)
                           • 1 GB minimum for full McAfee DLP Endpoint software (2 GB recommended)
                       • Hard Disk: 80 GB minimum
Managed workstations   • CPU: Pentium III 1 GHz or higher
                       • RAM:
                           • 256 MB minimum for McAfee Device Control software (1 GB recommended)
                           • 512 MB minimum for full McAfee DLP Endpoint software (1 GB recommended)
                       • Hard Disk: 200 MB minimum free disk space
Network                100 Mbit LAN serving all workstations and the McAfee ePO server
                       • Endpoint computers must be able to access port 8731 on the server running
                         the WCF Service.
                       • Administrators running the Event Monitor must be able to access TCP port
                         8731 on the server running the WCF Service.
The following operating system software is supported:
Table 2-2 Operating systems supported

Computer type          Software
Servers                • Windows 2003 Server Standard (SE) SP1 or later 32- or 64-bit
                       • Windows 2003 Enterprise (EE) SP1 or later 32- or 64-bit
                       • Windows 2008 Server Enterprise 32- or 64-bit
Managed workstations   • Windows XP Professional SP1 or later 32-bit
                       • Windows 2003 Server 32- or 64-bit
                       • Windows Vista SP1 or later 32-bit only
                       • Windows 2008 Server 32-bit
                       • Windows 7 32- or 64-bit
                       • Windows 2008 Server R2 64-bit
Servers are supported for McAfee Device Control software only.
The user installing McAfee DLP Endpoint software on the servers must be a member of the local
administrators group.
The following software is required on the server running the McAfee DLP Endpoint policy console and
McAfee DLP Monitor:
Table 2-3 Server software requirements

Software                      Version
McAfee ePolicy Orchestrator   • 4.0 Patch 7 or later
                              • 4.5 Patch 4 or later
                              • 4.6
McAfee Agent                  • 4.0 Patch 3 or later
                              • 4.5 Patch 3 or later
                              • 4.6
McAfee ePO Help System        Download the McAfee DLP Endpoint 9.2 Help extension.
                              There is no Help for McAfee DLP Endpoint version 9.2 in McAfee ePolicy
                              Orchestrator 4.0 because the Help System for McAfee ePO 4.0 is EOL
                              and cannot be updated.
Microsoft .NET                3.5 or 3.5 SP 1
                              Agent handlers on remote servers no longer require the .NET Framework.
Microsoft SQL Server          2005 or 2008, Advanced Express or Enterprise, 32- or 64-bit
The McAfee DLP Endpoint software version 9.2 package includes the following:
• McAfee Data Loss Prevention Endpoint (McAfee Agent plugin)
• McAfee DLP Windows Communication Foundation (DLP WCF)
• McAfee DLP Endpoint extension (contains the components installed through ePolicy Orchestrator)
• McAfee DLP Help Desk Tool
Configure the server
Basic configuration of the McAfee DLP Endpoint server includes setting the security configuration and
verifying the .NET installation.
Verify that the server meets the minimum system requirements.
Task
1 Install Microsoft Windows Server 2003 SP1 or Windows Server 2008. See the System
  Requirements for supported Windows systems.
2 Install Windows Installer 3.0 (Windows 2003) or 4.5 (Windows 2008) and restart the system.
  Install all Microsoft Windows Service Packs.
3 Run Windows Update and install all updates.
4 Disable Microsoft Internet Explorer’s Enhanced Security Configuration Windows Component.
    • In Windows 2003, open the Windows Control Panel then select Add/Remove Windows Components.
    • In Windows 2008, open the Server Manager then select Configure IE ESC in the Security
      Information section.
  This Microsoft product can hinder proper installation of McAfee DLP Endpoint components. Disable it
  before installation, then reconfigure it after installation if it is required.
5 Verify that Microsoft .NET Framework 3.5 SP1 is installed.
6 Set the server to a static IP address.
  We recommend using a subnet separate from your company's production network for initial testing.
  If you are setting up a production environment, set the server’s static IP address within that range.
Install McAfee ePolicy Orchestrator
McAfee Data Loss Prevention Endpoint software version 9.2 can be installed in McAfee ePolicy
Orchestrator 4.0, 4.5, or 4.6. There are a few precautions you should be aware of.
Read the McAfee ePolicy Orchestrator Installation Guide and Release Notes to familiarize yourself with
all installation issues.
Some of the installation scripts require the NETWORK SERVICE account to have write permission for the
C:\Windows\Temp folder. In secure systems, this folder might be locked down. In that case, you must
temporarily change the permissions for this folder. Otherwise, the installation fails. We recommend
completing all software installations before resetting the permissions.
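The temporary permission change described above can be scripted so that the locked-down state is captured before the change and put back afterwards. The following Windows PowerShell sketch is an added example, not part of the McAfee guide; the snapshot file location and the function names are assumptions, and it must be run from an elevated prompt.

```powershell
# Added example: temporarily give NETWORK SERVICE write access to C:\Windows\Temp
# for the installers, then restore the original DACL.
# Assumptions: snapshot file location and function names are hypothetical.
$TempDir    = 'C:\Windows\Temp'
$Account    = 'NT AUTHORITY\NETWORK SERVICE'
$BackupFile = Join-Path $env:USERPROFILE 'windows-temp-dacl.sddl'
$DaclOnly   = [System.Security.AccessControl.AccessControlSections]::Access

function Get-TempDaclSddl {
    # Read only the DACL section, so owner and audit settings are never rewritten.
    $acl = [System.IO.Directory]::GetAccessControl($TempDir, $DaclOnly)
    return $acl.GetSecurityDescriptorSddlForm($DaclOnly)
}

function Grant-InstallerWrite {
    # Refuse to overwrite an earlier snapshot: it holds the locked-down state.
    if (Test-Path $BackupFile) {
        throw "Snapshot $BackupFile already exists. Run Restore-TempDacl first."
    }
    Set-Content -Path $BackupFile -Value (Get-TempDaclSddl) -Encoding ASCII

    # Add one explicit allow rule (Write, inherited by files and subfolders).
    $acl  = [System.IO.Directory]::GetAccessControl($TempDir, $DaclOnly)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Write', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    [System.IO.Directory]::SetAccessControl($TempDir, $acl)
    Write-Host "Granted Write on $TempDir to $Account. Snapshot: $BackupFile"
}

function Restore-TempDacl {
    if (-not (Test-Path $BackupFile)) { throw "No snapshot found at $BackupFile." }
    $saved = (Get-Content -Path $BackupFile | Select-Object -First 1).Trim()

    # Replace the current DACL with the snapshot taken before the grant.
    $acl = [System.IO.Directory]::GetAccessControl($TempDir, $DaclOnly)
    $acl.SetSecurityDescriptorSddlForm($saved, $DaclOnly)
    [System.IO.Directory]::SetAccessControl($TempDir, $acl)

    # Read the DACL back and compare it with the snapshot before deleting the file.
    if ((Get-TempDaclSddl) -eq $saved) {
        Remove-Item $BackupFile
        Write-Host "DACL on $TempDir restored."
    } else {
        Write-Warning "DACL differs from the snapshot. Compare manually; snapshot kept at $BackupFile"
    }
}

# Usage:
#   Grant-InstallerWrite     # before running the installers
#   Restore-TempDacl         # after all software installations are complete
```

Keeping the snapshot until the read-back matches means a failed restore never leaves the folder without a record of its original permissions.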
Pay attention to the following points when installing ePolicy Orchestrator:
1 In the McAfee ePO installation wizard, use the following settings.

  Installation wizard screen   Setting
  Installation Options         Select Install Server and Console
  Setup Requirements           When installing on Windows 2003 Server, we recommend using the SQL
                               Server 2005 Express installer included in the McAfee ePO installer.
                               Another configuration option is to create an ePolicy Orchestrator instance
                               on an existing SQL Server 2005 or 2008 server and select it. This is the
                               preferred option when installing on Windows 2008 Server.
                               After verification that you want to install the software, the SQL installation
                               continues without user input. If prompted to install SQL Server 2005
                               Backward Compatibility, you must install it.
  Database Server Account      We recommend using a SQL Server account. If preferred, an NT account
                               can also be used.

2 During the installation, you might see a warning about trusted sites. Write down the recommended
  additions to the Microsoft Internet Explorer trusted sites list before clicking OK. You will need to add
  them later.
Installing McAfee DLP WCF service
The McAfee DLP Windows Communication Foundation (WCF) service is used to communicate between
McAfee ePolicy Orchestrator, McAfee Data Loss Prevention Endpoint, and the McAfee DLP Monitor. In
McAfee Total Protection for Data Loss Prevention, it is not used to communicate with ePolicy
Orchestrator or with the McAfee DLP Monitor.
Web access authorized groups
When installing the McAfee DLP WCF service, you are asked to specify the Web Access Authorized Groups
(WAAG). We recommend setting up a group or groups in Windows Active Directory or Open LDAP with
the names of users authorized to log on to the database.
When the McAfee DLP Endpoint policy console attempts to connect to WCF, it impersonates the logged
on user. After the user name is authenticated, WCF checks to see if the user is a member of the WAAG
before connecting to the database.
WCF service installation options
There are two basic options for installing the Windows Communication Foundation (WCF) service: on
the same server as the McAfee ePO (SQL) database (local installation) or on a separate server (remote
installation). Whether McAfee ePolicy Orchestrator is installed together with its database or on a
separate server is not relevant to this discussion; only the relative locations of WCF and the database
matter.
Figure 2-1 WCF installation options
Option 1: Installing WCF locally
When installing WCF on the same server as the McAfee DLP Endpoint database, you can use Windows
authentication or SQL authentication. The option is selected on the WCF service installation wizard.
The selected authentication applies only to the connection between WCF and the database. The
connection between the administration workstation and WCF always uses Windows authentication. If
you have selected Windows authentication, and the logged on user is a member of the WAAG,
connection to the database proceeds without further checking.
The user must be defined in the SQL database. See Adding a user in SQL Server.
Option 2: Installing WCF remotely
When installing WCF on a separate server from the McAfee DLP Endpoint database, you can now use
Windows authentication or SQL authentication. The former limitation to only SQL authentication has
been eliminated. The connection details are the same as for a local installation.
Install the McAfee DLP WCF service
There are two steps to installing the McAfee DLP WCF service. When the installation is complete, you
can troubleshoot the installation to resolve problems.
Before you begin
Before installing the McAfee DLP WCF service, create a user in Microsoft SQL server. You
must do this even if you are going to use Windows authentication.
Tasks
• Add a user in Microsoft SQL Server
  To use either Windows or SQL authentication with WCF and with the ePolicy Orchestrator
  database, an authorized user must be defined in the Microsoft SQL database. The
  authorized user can be a Windows user or a SQL user. Typically, an account with the
  minimal permissions to run WCF is created.
• Run the McAfee DLP WCF installer
  The McAfee DLP Windows Communication Foundation (WCF) service is used to
  communicate between ePolicy Orchestrator, McAfee DLP Endpoint, and the McAfee DLP
  Monitor.
Add a user in Microsoft SQL Server
To use either Windows or SQL authentication with WCF and with the ePolicy Orchestrator database, an
authorized user must be defined in the Microsoft SQL database. The authorized user can be a Windows
user or a SQL user. Typically, an account with the minimal permissions to run WCF is created. Use this
task to create such an account.
To perform this task, you must have Microsoft SQL Server Management Studio installed. If you are
using Microsoft SQL Server Express, you should install the Express version of Management Studio. The
administrator performing the task should have system administrator rights on the servers involved.
Task
1 Open SQL Server Management Studio (Express) and connect to the EPOSERVER instance.
2 In the Object Explorer, right-click the database name and select Properties.
3 On the Security page, select either Windows Authentication mode or SQL Server and Windows Authentication mode,
  according to which type of authentication you want to use. Click OK.
4 Navigate to Security | Logins. Right-click in the Logins page, and select New Login.
5 On the General page of the Login Properties dialog box, select SQL Server authentication or Windows
  authentication and type a logon name. Set the default database to ePO4_SERVER. Enforcing a password
  policy is optional.
6 On the General page of the Login Properties dialog box, select SQL Server authentication and type the
  logon name ndlpuser and a password. Set the default database to ePO4_SERVER and the default
  language to English. Click OK.
7 On the Server Roles page, select the sysadmin checkbox.
8 On the User Mapping page of the Login Properties dialog box, in the Users mapped to this login section,
  select ePO4_SERVER and verify that the new logon user is listed in the User column and that public is
  checked in the database role membership section. Click OK.
9 Under User Mapping, define the database role memberships by selecting the db_owner and public
  checkboxes.
10 Navigate to Databases | ePO4_SERVER | Security | Users. Double-click the logon user name.
11 On the Securables page, click Add. Select Specific objects, and click OK.
12 In the Select Objects dialog box, click Object Types and select Databases. Click OK.
13 Click Browse. Select [ePO4_SERVER] and click OK twice.
14 If you do not see all six effective permissions, browse the Explicit Permissions list to locate and Grant
   them. Click OK. Repeat steps 7-11 to verify the Effective Permissions.
15 Click OK.
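Once the login exists, its server and database roles can be read back from the SQL Server catalog views and compared with what the steps above configure, which also gives a record of the privileges the WCF account holds. This Windows PowerShell function is an added example, not part of the McAfee guide; the function name is hypothetical, the server is assumed to be local (`.\EPOSERVER`), and the caller is assumed to have Windows-authenticated administrative access to the instance.

```powershell
# Added example: read back the roles of the WCF login created in the task above.
# Assumptions: function name is hypothetical; SQL Server is local; the instance,
# database and login names are the ones used in the guide's steps.
function Get-DlpWcfLoginAudit {
    param(
        [string]$ServerInstance = '.\EPOSERVER',
        [string]$Database       = 'ePO4_SERVER',
        [string]$Login          = 'ndlpuser'
    )

    # First result set: the server login. Second: database roles of the mapped user.
    # The login is matched to its database user by SID, not by name.
    $query = @'
SELECT sp.name, sp.type_desc, sp.default_database_name, sp.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin,
       sl.is_policy_checked
FROM sys.server_principals AS sp
LEFT JOIN sys.sql_logins AS sl ON sl.principal_id = sp.principal_id
WHERE sp.name = @login;

SELECT r.name AS role_name
FROM sys.server_principals AS sp
JOIN sys.database_principals AS u ON u.sid = sp.sid
JOIN sys.database_role_members AS m ON m.member_principal_id = u.principal_id
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
WHERE sp.name = @login;
'@

    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$ServerInstance;Database=$Database;Integrated Security=SSPI")
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    [void]$cmd.Parameters.AddWithValue('@login', $Login)
    $adapter = New-Object System.Data.SqlClient.SqlDataAdapter($cmd)
    $data    = New-Object System.Data.DataSet
    try { [void]$adapter.Fill($data) } finally { $conn.Dispose() }

    if ($data.Tables[0].Rows.Count -eq 0) {
        throw "Login '$Login' not found on $ServerInstance."
    }
    $row   = $data.Tables[0].Rows[0]
    $roles = @()
    if ($data.Tables.Count -gt 1) {
        $roles = @($data.Tables[1].Rows | ForEach-Object { $_.role_name })
    }

    # Compare with the settings from the task (steps 5 to 9).
    # 'public' is implicit for every database user and is not listed in the catalog view.
    $notes = @()
    if ($row.default_database_name -ne $Database) {
        $notes += "Default database is '$($row.default_database_name)', expected '$Database'."
    }
    if ($row.is_sysadmin -ne 1)        { $notes += 'Login is not a member of sysadmin (step 7).' }
    if ($roles -notcontains 'db_owner') { $notes += 'Mapped user is not in db_owner (step 9).' }
    if ($row.type_desc -eq 'SQL_LOGIN' -and $row.is_policy_checked -ne $true) {
        $notes += 'Password policy is not enforced for this SQL login (optional in step 5).'
    }

    New-Object PSObject -Property @{
        Login           = $row.name
        Type            = $row.type_desc
        DefaultDatabase = $row.default_database_name
        Disabled        = [bool]$row.is_disabled
        SysAdmin        = ($row.is_sysadmin -eq 1)
        DatabaseRoles   = $roles
        Notes           = $notes
    }
}

# Usage: Get-DlpWcfLoginAudit | Format-List
```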
Run the McAfee DLP WCF installer
The McAfee DLP Windows Communication Foundation (WCF) service is used to communicate between
ePolicy Orchestrator, McAfee DLP Endpoint, and the McAfee DLP Monitor.
When installing or upgrading McAfee DLP Endpoint software, you must upgrade the McAfee DLP
Windows Communication Foundation service to the latest version. Failure to upgrade McAfee DLP WCF
can lead to errors when trying to save the global policy to the reporting database or update database
credentials. To prevent this, the new version checks the client and server versions and displays an error
message if they don't match.
Add the logged on user to the Microsoft SQL database as a Windows or SQL user, according to which
form of authorization you plan to use. Log out of ePolicy Orchestrator.
Task
1 Browse to and run the McAfee DLP WCFServiceInstaller.msi installer.
  Verify that the McAfee DLP Windows Communication Foundation service installer version matches
  the McAfee DLP Endpoint software version you are installing.
2 In step 4 of the installation wizard (WCF Service Settings), do the following:
    a Use the default WCF Server Port value. If you must change the server port, consult your McAfee
      representative for instructions.
    b We recommend setting up a group or groups in Windows Active Directory with the names of
      users authorized to log on to the database. You must change the default Web Access Authorized
      Groups entry from Everyone to a group or user with authorized access, as described in WCF
      installation options.
    c If you are using the confidential data redaction feature, select Obfuscate Sensitive Data in RSS Feed.
3 In step 5 of the installation wizard (Microsoft SQL Database) do the following:
    a Review the defaults for Database Server and Database Name. Type other values if necessary.
    b Select Windows Authentication or SQL Authentication and fill in the associated fields.
4 Click Finish to complete the installation.
Troubleshoot the McAfee DLP WCF service
After installation of the McAfee DLP WCF service and installation of the McAfee DLP Endpoint policy
console, use the troubleshooter to verify the installation.
To troubleshoot the McAfee DLP WCF service, use the browser page
http://localhost:8731/DLPWCF/Admin/Testing.
Do not run this test page before installing the McAfee DLP Endpoint software suite in McAfee ePolicy
Orchestrator. The tests will fail if the McAfee DLP Endpoint database is not yet installed.
Figure 2-2 The McAfee DLP WCF service testing page
Before you install the extension
Before you begin installation of McAfee DLP Endpoint software, prepare your system as described below.
Two folders and network shares must be created, and their properties and security settings must be
configured appropriately. The folders do not need to be on the same computer as the McAfee DLP
Endpoint Database server, but it is usually convenient to put them there.
We suggest the following folder paths, folder names, and share names, but you can create others as
appropriate for your environment.
• c:\dlp_resources\
• c:\dlp_resources\evidence
• c:\dlp_resources\whitelist
• Evidence folder — Certain protection rules allow for storing evidence, so you must designate, in
advance, a place to put it. If, for example, an email is blocked, a copy of the email is placed in the
Evidence folder.
• Whitelist folder — Text fingerprints to be ignored by the DLP Endpoint are placed in a whitelist
repository folder. An example is boilerplate text such as disclaimers or copyright. McAfee DLP
Endpoint software saves time by skipping these chunks of text that are known to not include
sensitive content.
Roles and permissions
Consider the administrator roles you need to manage the system, and create the necessary user
profiles. Roles such as McAfee DLP administrators, policy makers, monitor viewers, manual taggers,
and others may be necessary, depending on the size of the system and how centralized you want
control to be. The system can be modified at any time, so the list does not have to be comprehensive.
See also
Create and define permission sets
Create and define McAfee DLP administrators
Creating and configuring repository folders
McAfee Data Loss Prevention Endpoint software requires certain repository folders on the server.
These folders must be created and configured before running the installer.
Tasks
• Configure folders on Windows 2003 Server
Configuration of the repository folders on Windows 2003 Server requires specific security
settings.
• Configure folders on Windows 2008 Server
Configuration of the repository folders on Windows 2008 Server requires specific security
settings.
Configure folders on Windows 2003 Server
Configuration of the repository folders on Windows 2003 Server requires specific security settings.
Before you begin
Create the evidence and whitelist folders, as described in Before you install the extension.
Both folders are configured in the same manner. Repeat this task for each folder.
Task
1 Right-click the evidence / whitelist folder and select Sharing and Security.
2 In the dialog box that appears, select Share this folder. Modify Share name to evidence$ / whitelist$.
The $ ensures that the share is hidden.
3 Click the Security tab, then click Advanced.
4 On the Permissions tab of the Advanced Security Settings for evidence dialog box, deselect Allow inheritable
permissions.
A confirmation message explains the effect this change will have on the folder.
5 Click Remove. The Permissions tab on the Advanced Security Settings dialog box shows all
permissions eliminated except administrators.
Setting permissions for administrators is required for the whitelist folder. It is optional for the
evidence folder, but can be added as a security precaution. Alternately, you can add permissions
only for those administrators who deploy policies.
6 Double-click the Administrators entry to open the Permission Entry dialog box. Change the Apply onto option to
This folder, subfolders and files. Click OK.
7 Click Add to select an object type.
8 In the Enter the object name to select text box, type Domain Computers, then click OK to display the
Permission Entry dialog box.
9 In the Allow column, select:
• Create Files/Write Data and Create Folders/Append Data for the evidence folder.
• List Folder/Read Data for the whitelist folder.
Verify that the Apply onto option says This folder, subfolders and files, then click OK.
The Advanced Security Settings dialog box now includes Domain Computers.
10 Click OK twice to close the dialog box.
Configure folders on Windows 2008 Server
Configuration of the repository folders on Windows 2008 Server requires specific security settings.
Before you begin
Create the evidence and whitelist folders, as described in Before you install the extension.
Both folders are configured in the same manner. Repeat this task for each folder.
Task
1 Right-click the evidence / whitelist folder and select Permissions.
2 Select the Sharing tab, then click Advanced sharing. Select the Share this folder option and click Apply.
3 Add the share name evidence$ / whitelist$.
The $ ensures that the share is hidden.
4 Select the Security tab, then click Advanced.
5 On the Permissions tab, deselect the Include inheritable permissions from the object's parent option.
A confirmation message explains the effect this change will have on the folder.
6 Click Remove.
The Permissions tab on the Advanced Security Settings dialog box shows all permissions eliminated.
7 Click Add to select an object type.
8 In the Enter the object name to select text box, type Domain Computers, then click OK.
The Permission Entry dialog box is displayed.
9 In the Allow column, select:
• Create Files/Write Data and Create Folders/Append Data for the evidence folder.
• List Folder/Read Data for the whitelist folder.
Verify that the Apply onto option says This folder, subfolders and files, then click OK.
The Advanced Security Settings dialog box now includes Domain Computers.
10 Click Add again to select an object type.
11 In the Enter the object name to select text box, type Administrators, then click OK to display the
Permission Entry dialog box. Set the required permissions.
Adding administrators is required for the whitelist folder. It is optional for the evidence folder, but
can be added as a security precaution. Alternately, you can add permissions only for those
administrators who deploy policies.
12 Click OK twice to close the dialog box.
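The folder settings from the two procedures above can be checked afterwards with a read-only script. The following is an added example, not McAfee code: it assumes Windows PowerShell, the folder paths and share names suggested in this guide, and a function name (Test-DlpRepositoryFolder) chosen for the illustration.

```powershell
# Added example (not part of the McAfee product): read-only audit of the
# evidence and whitelist repository folders. Paths and share names are the
# ones suggested in this guide; change them to match your environment.
$Repositories = @(
    @{ Path = 'C:\dlp_resources\evidence';  Share = 'evidence$';
       Rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData' },
    @{ Path = 'C:\dlp_resources\whitelist'; Share = 'whitelist$';
       Rights = [System.Security.AccessControl.FileSystemRights]'ReadData' }
)

function Test-DlpRepositoryFolder {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Share,
        [Parameter(Mandatory = $true)][System.Security.AccessControl.FileSystemRights]$Rights
    )
    $findings = @()

    if (-not (Test-Path -Path $Path -PathType Container)) {
        return @("Folder does not exist")
    }

    # The hidden share (name ending in $) must exist and map to this folder.
    $shareObj = Get-WmiObject -Class Win32_Share | Where-Object { $_.Name -eq $Share }
    if (-not $shareObj) {
        $findings += "Share $Share not found"
    } elseif ($shareObj.Path.TrimEnd('\') -ne $Path.TrimEnd('\')) {
        $findings += "Share $Share points to $($shareObj.Path)"
    }

    $acl = Get-Acl -Path $Path

    # Inherited permissions must be switched off on the folder.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritable permissions from the parent are still enabled'
    }

    $allowRules = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

    # Domain Computers needs the listed rights, applied to
    # "This folder, subfolders and files" (both inherit flags, no propagation limit).
    $dc = $allowRules | Where-Object {
        $_.IdentityReference.Value -like '*\Domain Computers' -and
        (([int]$_.FileSystemRights -band [int]$Rights) -eq [int]$Rights) -and
        (([int]$_.InheritanceFlags -band [int]$inherit) -eq [int]$inherit) -and
        $_.PropagationFlags -eq 'None'
    }
    if (-not $dc) {
        $findings += "Domain Computers lacks '$Rights' on this folder, subfolders and files"
    }

    # Administrators are required on the whitelist folder and optional on evidence;
    # the guide also allows named policy administrators instead, so this is a note.
    $admins = $allowRules | Where-Object { $_.IdentityReference.Value -like '*\Administrators' }
    if (-not $admins) {
        $findings += 'No Administrators entry; confirm policy administrators have access'
    }

    # Any other principal with Allow rights should be a deliberate choice.
    $extra = $allowRules | Where-Object {
        $_.IdentityReference.Value -notlike '*\Domain Computers' -and
        $_.IdentityReference.Value -notlike '*\Administrators'
    } | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique
    foreach ($id in $extra) {
        if ($id) { $findings += "Review additional principal: $id" }
    }

    $findings
}

foreach ($repo in $Repositories) {
    $result = @(Test-DlpRepositoryFolder @repo)
    if ($result.Count -eq 0) {
        '{0}: OK' -f $repo.Path
    } else {
        $result | ForEach-Object { '{0}: {1}' -f $repo.Path, $_ }
    }
}
```

The script changes nothing; run it on the server that hosts the folders and correct any finding through the dialog boxes described above.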
Install the McAfee Data Loss Prevention Endpoint extension
The McAfee DLP Endpoint software extension and the Help module are installed in ePolicy Orchestrator.
Before you begin
Download the McAfee DLP Endpoint extension from the McAfee download site for McAfee
Data Loss Prevention software. Be sure to also download the McAfee DLP Endpoint Help
extension module for McAfee ePolicy Orchestrator 4.5.
Verify that the ePolicy Orchestrator server name is listed under Trusted Sites in the Internet
Explorer security settings.
The default installation is a 90-day license for McAfee Device Control software. If you purchased a
license for full McAfee Data Loss Prevention Endpoint software, you must upgrade the license after you
complete the installation.
Task
1 In ePolicy Orchestrator, select Menu | Software | Extensions, then click Install Extension.
2 Browse to and select the McAfee DLP Endpoint .zip file (..\HDLP_Extension_9_2_0_xxx.zip). Click
Open, then OK.
The installation dialog box displays the file parameters to verify that you are installing the correct
extension.
3 Click OK. The extension is installed.
The following applications are installed:
• McAfee DLP Endpoint policy console (in ePolicy Orchestrator | Data Protection)
• McAfee DLP Monitor (in ePolicy Orchestrator | Data Protection)
• DLP Event Parser
4 Click Install Extension again, Browse to and select the Help .zip file (...help_dlp_920.zip). Click Open,
then OK.
This file contains the McAfee DLP Endpoint extension to the ePO Help system.
5 Click OK.
Working in a cluster environment
McAfee DLP Endpoint 9.2 software provides high availability for environments running ePolicy
Orchestrator 4.5 or ePolicy Orchestrator 4.6 in a cluster.
We recommend cluster installation on a Microsoft Win 2008 Server with Failover Clustering role.
Installation on other operating systems has not been tested and is not currently supported.
Prepare the cluster
Before running McAfee DLP Endpoint software in a cluster environment, ensure the following:
• Microsoft Failover Clustering is set up and running on a cluster of two or more servers.
• Two separate drives are configured for clustering: a Quorum drive and a Data drive.
• There is a supported database server (SQL 2005 or SQL 2008) in the network.
• ePolicy Orchestrator is set up according to the McAfee ePolicy Orchestrator 4.5 Cluster Installation
Guide. The guide can be found at:
https://kc.mcafee.com/resources/sites/mcafee/content/live/product_documentation/21000/pd21842/en_us/epo_450_cluster_install_guide_en-us.pdf.
Test the cluster
Cluster installations should be tested before use.
When the McAfee Data Loss Prevention Endpoint 9.2 cluster is set up and online, use this task to
ensure that DLP functions in a failover situation.
Task
1 Restart the system functioning as the active node.
The passive node automatically becomes the active node.
2 Log on to McAfee ePolicy Orchestrator, open Data Protection | DLP Policy and click Apply to apply the policy.
If the apply policy screen finishes successfully you can conclude that the DLP cluster has continued
to function during the failover.
3 Post-installation tasks
Several steps are needed to complete the McAfee Data Loss Prevention Endpoint software installation.
You must configure the McAfee DLP Endpoint policy console and McAfee DLP Monitor, install McAfee
DLP Endpoint software on the managed computers, deploy a test policy, and verify the installation.
Contents
Initialize the DLP Policy console
Upgrade the license
Initialize the McAfee DLP Monitor
Check in the McAfee DLP Endpoint package to ePolicy Orchestrator
Deploying McAfee DLP Endpoint
Initialize the DLP Policy console
The first time you open the McAfee Data Loss Prevention Endpoint policy console, a wizard runs for
first-time initialization.
The wizard can be run at any time by selecting Initialization Wizard from the Tools menu in the McAfee DLP
Endpoint policy console.
The McAfee DLP Endpoint Management Tools installer and McAfee DLP Endpoint policy console
initialization wizard use ActiveX technology. To prevent the installer from being blocked, verify that the
following are enabled in Internet Explorer Tools | Internet Options | Security | Custom level:
• Automatic prompting for ActiveX controls
• Download signed ActiveX controls
Task
1 In the ePolicy Orchestrator console, select Menu | Data Protection | DLP Policy.
The McAfee DLP Endpoint Management Tools installer runs and, after a brief delay, the Welcome
screen of the DLP Management Tools Setup wizard appears. Complete the steps in the wizard.
2 After the McAfee DLP Endpoint Management Tools installation has completed, the McAfee DLP
Endpoint policy console begins loading. If you have an existing policy, you are prompted to convert
it to the new XML format. Click Convert and skip to step 4.
3 If no previous policy exists, the message DLP global policy is unavailable. Loading default policy appears. Click
OK to continue.
4 When the message Agent configuration is unavailable. Loading a default agent. appears, click OK.
5 When the McAfee DLP Endpoint policy console First Time Initialization wizard appears, complete the
following steps:
Option Description
1 of 8
Click Next.
2 of 8
By default, the file system discovery crawler places sensitive files in quarantine. Though
we do not recommend it, you can delete these files instead by selecting the Support
discovery delete option.
This option is not available until you update to the full McAfee Data Loss Prevention
Endpoint software installation.
For troubleshooting, when you need to review an easily readable version of the policy,
select Generate verbose policy. For most installations, we recommend leaving these
checkboxes unselected.
In very large organizations where the rollout of McAfee DLP Endpoint 9.2 is staged over
time, earlier versions of the plug-in need to coexist. Select the appropriate Backward
compatibility mode:
• No compatibility (all endpoints are version 9.2)
• McAfee DLP Endpoint Agent 9.1 and later
• McAfee DLP Endpoint Agent 9.0 and later
• McAfee DLP Endpoint Agent 3.0 and later
The compatibility option McAfee DLP Endpoint Agent 3.0.5 or current version refers to a
specific hotfix. Unless you specifically know that you are using this hotfix, choose DLP
Agent 3.0 compatibility for all version 3 endpoints.
DLP Agent 2.2 Patch 4 is no longer supported.
Select your directory access protocol: Microsoft Active Directory or OpenLDap. When
using Microsoft AD in very large organizations where search times could be excessive,
select Restrict AD searches to default domain.
If you are not using WCF: Deselect Deploy policy to reporting database. This prevents rule
names deploying to the McAfee DLP tables in the McAfee ePO database. If you are using
WCF and deselect this option, the McAfee DLP Monitor displays rule GUIDs, not rule names.
Configure the McAfee DLP Endpoint policy console WCF service path. For the standard
installation, accept the default. Click Test Connection to verify. To change the sign in
credentials, click Update DB Credentials. The WCF Database Connection Settings dialog box
opens for editing.
When you have completed all changes, click Next.
3 of 8
This step is not available when installing McAfee Device Control.
Type user names, or click Add to search for user names (optional). Click Next.
We recommend creating a role-based group such as DLP Manual Tagging Users, and
using the group when configuring Access Control.
4 of 8
Type a password and confirmation (required). McAfee DLP Endpoint software version
9.2 requires strong passwords, that is, at least 8 characters with at least one each
uppercase, lower case, digit, and special character (symbol). If you are upgrading, this is
not implemented until you change a password.
If you don't want endpoint key generation events reported to the database, deselect the
checkbox. If you want to use short challenge/response (8 digits instead of 16), select the
checkbox.
See the McAfee Data Loss Prevention Endpoint Product Guide for more information on
Agent bypass.
Click Next.
5 of 8
Browse to the Whitelist storage share, then click Next. The UNC whitelist path is required
to apply the policy to ePolicy Orchestrator. Size limits are displayed, but cannot be
changed in the Initialization wizard.
6 of 8
Modify the default notification messages (optional). Select each event type in turn, and
type the message in the text box. Click Next.
7 of 8
Browse to the evidence storage share and click Next. The evidence storage path is
required to apply the policy to ePolicy Orchestrator. Set the required Evidence Replication
option. See the Release notes: New Features for more information on this option. Click
Next.
8 of 8
Click Finish.
6 The Initialization Wizard dialog box appears with the message, Apply initial configuration?
• If you have not skipped any required steps, you can click Yes and apply the initial policy.
• If you have skipped required steps, click No to complete the initialization.
A password and the evidence storage share are required to complete initialization. The other steps
indicated as required are necessary to complete the policy. They can be skipped during initialization
and completed at a later time. If you did not apply the policy, select File | Save to save the policy to a
file.
7 Click Finish.
Upgrade the license
McAfee DLP Endpoint software comes in two versions, McAfee Device Control and full McAfee Data
Loss Prevention Endpoint with two licensing options for each, 90-day trial and unlimited. The default
installation is McAfee Device Control with a 90-day trial license.
Before you begin
Before starting this task, purchase your upgrade license and get an activation key from
your McAfee sales representative.
Task
1 On the McAfee DLP Endpoint policy console menu bar, select Help | Update License.
The View and Update License window displays the current (default) activation key and expiration date.
2 Click Update.
3 Type or paste the Activation Key in the text box and click Apply.
A warning that you must log on again for the change to take effect appears.
4 Click OK to close the message box, and click Close to close the Update License window, then log off
ePolicy Orchestrator.
5 Log on to ePolicy Orchestrator to complete the upgrade.
6 From the Agent Configuration menu, select Edit Global Agent Configuration.
7 Go to the File Tracking tab and select Device Control and full content protection.
8 Go to the Miscellaneous tab. Only the Agent Popup service, Device Blocking, and Reporting Service
modules are selected. Select the remaining modules you require to enable them and click OK.
Do not enable modules you don't use. They increase the McAfee DLP Endpoint agent size and slow
its operation unnecessarily.
9 On the Toolbar, click [icon].
The policy changes are applied to ePolicy Orchestrator.
10 In ePolicy Orchestrator, issue a wake-up call to deploy the policy change to the workstations.
Initialize the McAfee DLP Monitor
The McAfee Data Loss Prevention Monitor must be initialized before it can be used. This consists of
verifying the connection to the McAfee DLP WCF service and setting the options.
Task
1 In McAfee ePolicy Orchestrator, select Menu | Data Protection | DLP Monitor.
The first time you select DLP Monitor, a warning window requests the WCF server path.
2 Click OK.
3 For a standard installation, accept the default. For a backward-compatible installation, type the
WCF service address in the dialog box, then click OK.
Figure 3-1 Initializing the McAfee DLP Monitor
Check in the McAfee DLP Endpoint package to ePolicy Orchestrator
Any enterprise computer with data protected by McAfee software must have the McAfee Agent
installed, making it a managed computer. To add data loss protection, you must also deploy the
McAfee DLP Endpoint plug-in for McAfee Agent. The installation can be performed using the ePolicy
Orchestrator infrastructure.
Task
1 On the McAfee ePolicy Orchestrator console, select Menu | Software | Master Repository.
2 In the Master Repository, select Actions | Check In Package.
3 Select package type Product or Update (.ZIP), browse to ..\HDLP_Agent_9_2_0_xxx.zip, then click Next.
The Check in Package page appears.
If you are upgrading, you are prompted that the product already exists. Click OK. The new package
replaces the old one.
4 Review the details on the screen, then click Save.
The package is added to the master repository.
Deploying McAfee DLP Endpoint
The final stage of McAfee DLP Endpoint software installation is to define a policy, deploy McAfee DLP
Endpoint agents to the managed computers, and verify the installation.
Tasks
• Define a default rule
To verify that the McAfee DLP Endpoint software has been deployed properly, we
recommend defining a default rule before deploying to the managed computers.
• Deploy McAfee DLP Endpoint with ePolicy Orchestrator
Before policies can be applied, McAfee DLP Endpoint must be deployed to the endpoint
computers by ePolicy Orchestrator.
• Verify the installation
After installing McAfee DLP Endpoint software, you should verify the installation in the
McAfee DLP Monitor.
• Uninstalling McAfee DLP Endpoint
McAfee Data Loss Prevention Endpoint software is protected from unauthorized removal.
There are two methods of authorized removal.
Define a default rule
To verify that the McAfee DLP Endpoint software has been deployed properly, we recommend defining
a default rule before deploying to the managed computers.
The rule described is an example of a simple rule that can be used to test the system.
Task
1 Create a classification rule:
a In the McAfee DLP Endpoint policy console navigation pane under Content Protection, select
Classification Rules.
b Right-click in the Classification Rules window and select Add New | Content Classification Rule. Rename the
rule "Email Classification Rule".
c Double-click the rule icon to modify the rule.
d In step 1 of the rule creation wizard, select either of the options (ANY or ALL) then scroll down
the text patterns list and select Email Address. Click Next three times, skipping to step 4.
e In step 4 of the rule creation wizard, click Add New to create a new category. Name it Email
Category, click OK to accept the new category, then click Finish.
f Right-click the rule icon and select Enable.
2 Create a protection rule:
a In the McAfee DLP Endpoint policy console navigation pane under Content Protection, select Protection
Rules.
b Right-click in the Protection Rules window and select Add New | Removable Storage Protection Rule.
c Double-click the rule icon to modify the rule.
d Click through to step 2 of the rule creation wizard and add the Email Category created when
creating the classification rule in the Included column.
e Click through to step 7 of the rule creation wizard. Select Monitor, then click Finish.
f Right-click the rule icon and select Enable.
3 On the Tools menu, select Run Policy Analyzer. You should receive warnings, but no errors.
If you receive errors, they probably come from improper initialization, such as not specifying an
evidence folder or override password. You can re-run the initialization from the Tools menu to
correct this.
4 On the Toolbar, click [icon]. The policy is applied to McAfee ePolicy Orchestrator.
Deploy McAfee DLP Endpoint with ePolicy Orchestrator
Before policies can be applied, McAfee DLP Endpoint must be deployed to the endpoint computers by
ePolicy Orchestrator.
Before you begin
McAfee Agent 4.5 Patch 3 or later must be installed in ePolicy Orchestrator and deployed to
the target computers before McAfee DLP Endpoint is deployed. Consult the McAfee ePolicy
Orchestrator documentation on how to verify this, and how to install it if necessary.
Task
1 In ePolicy Orchestrator select Menu | System Tree.
2 In the System Tree, select the level at which to deploy McAfee DLP Endpoint.
Leaving the level at My Organization deploys to all workstations managed by McAfee ePolicy
Orchestrator.
If you select a level under My Organization, the right-hand pane displays the available
workstations. You can also deploy McAfee DLP Endpoint to individual workstations.
3 Click the Client Tasks tab. Under Actions, select New Task.
The Client Task Builder wizard opens.
4 In the Type field, select Product Deployment. Click Next.
5 In the Name field, type a suitable name, for example, Install DLP Endpoint. Typing a description
is optional.
6 In the Products and Components field, select Data Loss Prevention 9.2.0.x. The Action field automatically resets
to Install.
7 Click Next.
8 Change the Schedule type to Run immediately. Click Next.
9 Review the task summary. When you are satisfied that it is correct, click Save. The task is scheduled
for the next time the McAfee Agent updates the policy. To force the installation to take place
immediately, issue an agent wake-up call.
10 After McAfee DLP Endpoint has been deployed, restart the managed computers.
Verify the installation
After installing McAfee DLP Endpoint software, you should verify the installation in the McAfee DLP
Monitor.
Task
1 Select Menu | Data Protection | DLP Monitor.
The McAfee DLP Monitor opens with a list of events, which should include Agent Installation Events.
2 Verify the McAfee DLP Endpoint installation and apply the policy enforcement by using the
cmdagent.exe /s command. See the McAfee ePolicy Orchestrator McAfee Agent documentation
for more information.
Uninstalling McAfee DLP Endpoint
McAfee Data Loss Prevention Endpoint software is protected from unauthorized removal. There are
two methods of authorized removal.
• Network uninstall from ePolicy Orchestrator, performed by the McAfee ePO administrator.
• Local uninstall using Windows Add or Remove Programs. This method requires a challenge-response key
obtained from the McAfee DLP Administrator.
This task describes the local uninstall option.
Task
1 In the McAfee DLP Endpoint policy console select Tools | Generate Agent Uninstall Key.
This step can also be performed with the McAfee DLP Help Desk tool, using the Generate Uninstall Key
tab.
2 Fill in the user information in Step 1.
3 Type in the uninstall challenge code. (Step 2)
4 Type the agent override key password or select Use password from current policy. (Step 3)
5 Click Generate Key to create the uninstall key for the user.
This Release Code is sent to the user to enter into the request bypass dialog box.
A Deploying McAfee Data Loss Prevention Endpoint software with SMS
Microsoft Systems Management Server (SMS) packages can be used for deployment of McAfee DLP
Endpoint software in cases where deployment with ePolicy Orchestrator is either unfeasible or not
desired.
Microsoft Systems Management Server (SMS) provides a comprehensive solution for deploying and
managing applications and operating systems on Windows desktops and servers. The following tasks
assume working in the Microsoft SMS 2003 environment.
Contents
Create an installation package
Create the advertisement
Create the SMS uninstall package
Create an SMS uninstall package to run from a command line
Create an installation package
Create a package for installing McAfee Data Loss Prevention Endpoint software with Microsoft Systems
Management Server. This procedure does not require ePolicy Orchestrator.
Install Microsoft Visual C++ 2005 SP1 Redistributable Package (x86). The package can be downloaded
from: http://www.microsoft.com/downloads/details.aspx?familyid=200B2FD9-AE1A-4A14-984D-389C36F85647.
Task
1 In the Systems Management Server console, right-click Packages and select New | Package.
2 On the General tab, type the Package Name (required), and the Version, Publisher and Language (optional).
3 On the Data Source tab, select This Package Contains Source Files, then click Set.
4 In the Set Source Directory window under Source Directory Location, select the type of connection to the
set-up files in the source directory. Type the source directory path in the text box and click OK.
5 On the Distribution Settings tab, select High from the Sending Priority drop-down list, and click OK.
The package appears under the Packages node of the site tree.
6 Expand the new package under the Packages node.
7 Right-click Distribution Points and select New | Distribution Point. Select the server or servers you want to
be the distribution points for this package, then click Finish.
8 Right-click Programs and select New | Program. Type the application name.
9 In the Command Line text box, type the McAfee DLP command line executable, for example:
msiexec /I DLPAgentInstaller.msi /qn /forcerestart
The .msi file name is extracted manually from the DLPAgentInstaller.x86.exe file.
We recommend restarting the managed computer after McAfee DLP Endpoint package installation.
To enable this option use the /forcerestart parameter. To enable the installation log use
/log <LogFile>.
10 On the Environment tab select Whether or not a user is logged on from the Program can run drop-down list. Click
OK.
Verify that Run with Administrative Rights is selected. McAfee Data Loss Prevention Endpoint software
setup requires administrator rights to complete installation successfully.
Create the advertisement
SMS packages need to be "advertised." This creates the SMS package advertisement.
Task
1 In the Systems Management Server console, right-click Advertisements and select New | Advertisement.
Type the advertisement name.
2 From the Package drop-down list, select the McAfee DLP package name.
3 From the Program drop-down list, select the McAfee DLP application name.
4 Click Browse and select the collection that the McAfee DLP installation package should apply to, then
click OK.
5 On the Schedule tab, confirm the time that the advertisement is offered, specify if the advertisement
should expire, and when. Click OK.
Create the SMS uninstall package
Create a package for uninstalling McAfee Data Loss Prevention Endpoint software with Microsoft
Systems Management Server. This procedure does not require ePolicy Orchestrator.
Task
1 In the Systems Management Server console, right-click Packages and select New | Package.
2 On the General tab, type the Package Name (required), and the Version, Publisher and Language (optional).
3 On the Data Source tab, select This Package Contains Source Files, then click Set.
4 In the Set Source Directory window under Source Directory Location, select the type of connection to the
set-up files in the source directory. Type the source directory path in the text box and click OK.
5 On the Distribution Settings tab, select High from the Sending Priority drop-down list, and click OK.
The package appears under the Packages node of the site tree.
6 Expand the new package under the Packages node.
7 Right-click Distribution Points and select New | Distribution Point. Select the server or servers you want to
be the distribution points for this package, then click Finish.
8 Right-click Programs and select New | Program. Type the program name.
9 In the Command Line text box, type the DLP command line executable, for example:
msiexec /x DLPAgentInstaller.msi /qn /forcerestart
The .msi file name is extracted manually from the DLPAgentInstaller.x86.exe file.
10 On the Environment tab, select Whether or not a user is logged on from the Program can run drop-down list.
Click OK.
Create an SMS uninstall package to run from a command line
Create a package for uninstalling McAfee Data Loss Prevention Endpoint software that runs from a
command line.
Task
1 In the Systems Management Server console, right-click Packages and select New | Package.
2 On the General tab, type the Package Name (required), and the Version, Publisher and Language (optional).
3 On the Data Source tab, deselect This Package Contains Source Files, then click Set.
4 Locate the UninstallString for McAfee DLP Agent.
  a In the registry editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.
  b Click through the entries to find DisplayName: McAfee DLP Agent.
  c Copy the uninstall string, for example:
    MsiExec.exe /X{287AAE25-B0F4-4E9E-A7FD-8EA81FF635E1}
5 To uninstall, use the command line:
  <uninstall string> /qn /forcerestart
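Steps 4 and 5 can be scripted so the uninstall string is read and checked before it goes into the SMS program. The following PowerShell is an added example, not part of the McAfee guide: the function names and the WOW6432Node fallback path are assumptions of this example, and the switches follow the msiexec example in the preceding procedure (/qn /forcerestart). It only builds and prints the command line; it does not run it.

```powershell
# Added example (not McAfee code). Function names are hypothetical.

function ConvertTo-SilentUninstall {
    # Accept only the "MsiExec.exe /X{product-code}" form shown in step 4c and
    # rebuild the command from the product code alone, so nothing else stored
    # in the registry value reaches the command line.
    param([Parameter(Mandatory = $true)][string]$UninstallString)

    $pattern = '^\s*"?(?:.*\\)?msiexec(?:\.exe)?"?\s+/X\s*' +
               '(?<code>\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})\s*$'
    if ($UninstallString -match $pattern) {
        # Switches are separated by spaces: quiet mode, then forced restart.
        return ('MsiExec.exe /X{0} /qn /forcerestart' -f $Matches['code'])
    }
    return $null
}

function Get-DlpUninstallCommand {
    # Walk the Uninstall key and return the command for the matching product.
    param([string]$DisplayName = 'McAfee DLP Agent')

    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        # Assumption: on 64-bit Windows a 32-bit installer registers here.
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $name   = $key.GetValue('DisplayName')
            $string = $key.GetValue('UninstallString')
            if ($name -ne $DisplayName -or -not $string) { continue }

            $command = ConvertTo-SilentUninstall -UninstallString $string
            if (-not $command) {
                # Do not guess: report values that are not plain msiexec /X{GUID}.
                Write-Warning "Unexpected UninstallString under $($key.PSChildName): $string"
                continue
            }
            New-Object PSObject -Property @{
                RegistryKey = $key.Name
                CommandLine = $command
            }
        }
    }
}

# Constructed check using the example string from step 4c.
ConvertTo-SilentUninstall 'MsiExec.exe /X{287AAE25-B0F4-4E9E-A7FD-8EA81FF635E1}'

# On a managed endpoint: show the command line for the installed agent.
Get-DlpUninstallCommand | Format-List
```

A value that does not match the expected form is reported with a warning instead of being passed through, which is worth reviewing before the command is placed in an SMS program that runs whether or not a user is logged on.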
B Users and permission sets
We recommend creating specific administrator roles and permissions in ePolicy Orchestrator for
McAfee DLP Endpoint policy console and McAfee DLP Monitor. These roles include creating and saving
policies, viewing (but not changing) policies, generating override, uninstall, and quarantine release
keys, viewing the McAfee DLP Monitor, and revealing sensitive fields in the monitor.
Sensitive data redaction and the McAfee DLP Monitor permission sets
To meet the legal demand in some markets to protect confidential information in all circumstances,
McAfee DLP Endpoint software offers a data redaction feature. Fields in the McAfee DLP Monitor
containing confidential information are encrypted to prevent unauthorized viewing. The feature is
designed with a "double key" release. This means that to use the feature, you must create two
permission sets: one to view the monitor and another to view the encrypted fields. Both roles are
required to use the feature.
Contents
Create and define McAfee DLP administrators
Create and define permission sets
DLP permission set options
Create and define McAfee DLP administrators
Creates and defines a McAfee DLP administrator in McAfee ePolicy Orchestrator. Administrative users
can be created either before or after the permission sets assigned to them.
Task
For option definitions, click ? in the interface.
1 In McAfee ePolicy Orchestrator, select Menu | User Management | Users.
2 Click New User.
3 Type a user name and specify logon status, authentication type, and permission sets.
  We recommend creating user groups related to the role, for example DLP Quarantine Administrator.
  The order of creating users and permission sets is not critical. If you create users first, user names appear in the permission set form and you can attach them to the set. If you create permission sets first, the permission set names appear in the user form and you can attach the user to them.
4 Click Save.
Create and define permission sets
Creates and defines a DLP administrator permission set in McAfee ePolicy Orchestrator. Permission sets
are useful for defining different administrative roles in McAfee DLP Endpoint software.
Task
For option definitions, click ? in the interface.
1 In McAfee ePolicy Orchestrator, select Menu | User Management | Permission Sets.
2 Click New Permission Set.
3 Type a name for the set and select users.
  The order of creating users and permission sets is not critical. If you create users first, user names appear in the permission set form and you can attach them to the set. If you create permission sets first, the permission set names appear in the user form and you can attach the user to them.
4 Click Save.
5 In the Data Loss Prevention field for the new permission set, click Edit.
6 Select the required permissions and click Save.
Figure B-1 Editing a permission set for McAfee DLP Endpoint
To turn off the sensitive data redaction feature, select User can view DLP Monitor in the monitor section.
DLP permission set options
Permission set options are designed to give granular control over administrator roles.
While the division of roles is generally optional, if you are using the sensitive data redaction feature,
you must create separate permission sets for the monitor viewer and the administrator who can reveal
the encrypted data.
Table B-1 Option definitions
Option | Definition
User cannot view policies. | User is not a policy administrator.
User can only generate Agent Override, Agent Uninstall, and Agent Quarantine Release keys. | User administrator role is limited to override, uninstall, and release keys.
User can only view policies. | User can review but not edit policies.
User can view and save policies. | User has full policy administrator permissions.
User cannot view DLP Monitor | User is not a monitor administrator
User can view DLP Monitor | User has full policy administrator permissions. Use this option if you are not using the sensitive data redaction feature.
C Installing a version upgrade
Upgrade installation is similar to first-time installation, but several points must be considered.
Contents
Upgrading issues
Phased upgrade
Upgrade McAfee DLP Endpoint software
Restore the policy after upgrade
Upgrading issues
Upgrading the software has consequences in ePolicy Orchestrator and in the McAfee DLP Endpoint
software setup. You must also upgrade the McAfee DLP WCF service.
Event parser
After upgrading the McAfee DLP Endpoint software suite in ePolicy Orchestrator, you must restart the
McAfee Event Parser using Administrative Tools | Services.
Figure C-1 Restarting the event parser
McAfee DLP WCF upgrade
The defaults for Database Server and Database Name may not be correct. In particular, ePO4Server
might not be the name of the SQL database instance. If necessary, use the SQL Server Configuration
Manager to determine the database name.
You must upgrade the McAfee DLP Windows Communication Foundation service to the latest version.
Failure to do so produces an error message when trying to save the global policy to the reporting
database or updating database credentials.
Backward compatibility
McAfee DLP Endpoint software version 9.2 contains several changes that make policies incompatible
with earlier versions of the McAfee DLP Endpoint agent. In large enterprises, upgrading McAfee DLP
Endpoint on all workstation nodes can take several weeks or even months.
The McAfee DLP Endpoint policy console version 9.2 initialization has a backward compatibility option
that, when selected, allows communication with both old and new agents. Backward compatibility can
be set to "no compatibility" (McAfee DLP Endpoint 9.2 only), Host DLP Agent 9.1 and later, Host DLP
Agent 9.0 and later, or Host DLP Agent 3.0 or later.
The compatibility option "Host DLP Agent 3.0.5 or current version" refers to a specific hotfix. Unless you
specifically know that you are using this hotfix, choose Host DLP Agent 3.0 compatibility for all version 3
agents.
Host DLP Agent 2.2 Patch 4 is no longer supported.
Unsupported items
If the policy contains any of the following when backward compatibility mode is selected, the policy
fails to be applied to McAfee ePolicy Orchestrator. These unsupported items are cumulative, that is,
the McAfee Data Loss Prevention Endpoint 9.1 and above section lists Version 9.2 features not
supported in Version 9.1. For compatibility with Version 3.0 endpoints, all three sections apply.
Table C-1 Items unsupported in backward-compatible mode

Compatibility mode: McAfee Data Loss Prevention Endpoint 9.1 and above backward compatibility mode
Unsupported items:
• An application file access, email, file system, removable storage, or web post protection rule contains a document property definition containing a File Name property.
• An application file access protection rule contains a Store Evidence action.
• A discovery or protection rule contains a Content Category or Tag Group.
• An application file access protection rule contains a file type definition.
• A policy contains an email storage discovery rule.
• A clipboard rule restricts pasting into all applications.

Compatibility mode: McAfee Data Loss Prevention Endpoint 9.0 and above backward compatibility mode
Unsupported items:
• An application definition uses the executable file hash.
• A classification or tagging rule uses the AND operator for dictionaries or text patterns.
• A discovery rule has the Tag action selected.
• An email protection rule contains a subject text pattern (bypass keyword).
• A file system or removable storage protection rule has an attachment type (encryption type) selected.
• A file system, PDF / IMAGEWRITER, printer, or removable storage rule has the Request justification action selected.
• A protection rule or discovery rule has Microsoft Rights Management or unsupported attachment type selected.
• A tagging rule contains a dictionary.
• A tagging rule contains header / footer definitions.

Compatibility mode: McAfee Data Loss Prevention Endpoint 3.0 and above backward compatibility mode
Unsupported items:
• An application file access, email, file system, removable storage, or web post protection rule contains a document property definition.
• A discovery rule contains a document property definition with unsupported properties. Version 3.0 only supports the Date Created and Date Modified properties.
• An email or web post protection rule, or a discovery rule, contains an Adobe RM encryption definition.
• A discovery rule contains an Apply RM Policy action.
• Removable storage file access rules are enabled.
• Hit-highlighting is selected on the Evidence tab in the Agent Configuration.
Queries and computer assignments
Queries and Dashboards are saved when you upgrade McAfee DLP Endpoint software, as long as you
use the recommended procedure. If you remove the existing Data Loss Prevention extension before
installing the new one, all queries and Dashboards are lost.
To customize a sample query, we recommend using the Duplicate option, to rename the query before
changing it. To use the new sample queries in My Queries in a Dashboard, use the Make Public option. If a
public query exists with the same name, remove or rename the public query first.
ePolicy Orchestrator requires all query names to be unique. The first time you install McAfee DLP
Endpoint software in ePolicy Orchestrator, the sample queries are installed as Public Queries. To view
this, select Reporting | Queries, and scroll down the queries on the left side of the screen. When you
upgrade McAfee DLP Endpoint, ePolicy Orchestrator notices that the names of the sample queries are
already used, and installs the samples in My Queries instead. However, to use a query in a Dashboard, it
must be a public query.
Phased upgrade
Successful upgrading to McAfee Data Loss Prevention Endpoint software version 9.2 from an earlier
version requires following a phased procedure that takes into account many variables. It also has
certain prerequisites that must be met.
Before you begin
Before beginning an upgrade, you must do the following:
• Verify that all computers are ready for the upgrade. You can check the client version of computers in the network on the DLP: Status Summary dashboard in McAfee ePolicy Orchestrator. Look on the DLP: Agent version report to make sure that all product versions are McAfee DLP 3.0 Patch 1 or later.
  Upgrade all agents to McAfee Data Loss Prevention 3.0 Patch 1 or later. Earlier agent versions are not supported.
• Back up the current DLP policy. Saving the policy to disk allows you to convert the policy to the new format for reuse. You can back up the policy from the McAfee DLP Endpoint policy console. The Save As option on the File menu saves the policy in .opg format.
• Save the agent configuration and computer assignment groups. You can save the agent configuration and computer assignment groups from the McAfee ePolicy Orchestrator System | Policy Catalog page. Select the product (Data Loss Prevention x.x.0.0) and the category (Computers Assignment Group or Agent Configuration) from the drop-down lists, and Edit the selection. From the Edit page, you can select Save to File and specify a destination for the backup file.
  Figure C-2 Saving the agent configuration
• Install .NET framework on the server hosting the Windows Communication Foundation (DLP-WCF) service. Verify the .NET version installed in C:\Windows\Microsoft.NET\Framework. If necessary, install Microsoft .NET 3.5 Patch 1.
Upgrade McAfee DLP Endpoint software
Upgrading an earlier version of McAfee DLP Endpoint software to version 9.2 in ePolicy Orchestrator is
similar to a clean install.
Before you begin
• Uninstall the McAfee DLP Endpoint Management Tools from the Windows Control Panel.
• Uninstall the McAfee DLP WCF service.
• Update the McAfee DLP WCF service. The version of this service you use must match the software extension version.
• When downloading the files from the McAfee download site for McAfee DLP Endpoint software, follow the link to the download page for ePolicy Orchestrator Help, and download the latest Help .zip file.
• Log out of ePolicy Orchestrator and close the browser window. (Step 1 cannot be completed without doing this.)
If you want to be able to view previous events in the McAfee DLP Monitor, do not remove the existing
McAfee DLP Endpoint extension in ePolicy Orchestrator. Removing the extension removes all events
from the DLP Database.
Task
1 In ePolicy Orchestrator, select Software | Extensions. Click Install Extension, then click Browse and select the McAfee DLP Endpoint policy manager .zip file (..\HDLP_Extension_9_2_0_xxx.zip). Click Open, then click OK twice.
  If you are installing without removing the previous extension, you see a warning that the new extension will replace the existing one. Click OK.
  The extension is installed, and appears in the extension list.
2 Click Install Extension again, then click Browse and select the Help .zip file (..\help_dlp_920.zip). Click Open, then click OK. The installation dialog box warns you that you will replace the existing Help system. Click OK.
  This file contains the McAfee DLP Endpoint extension to the ePolicy Orchestrator Help system.
Log out of ePolicy Orchestrator, then log back in. New features not supported by the previously installed version might not work if you do not do this.
Restore the policy after upgrade
After upgrading the McAfee DLP Endpoint software, you must restore the DLP policy, computer
assignment groups, and agent configurations from your previous installation.
Install and initialize the McAfee DLP Endpoint policy console. See the sections Upgrade McAfee Data
Loss Prevention Endpoint software and Initialize the McAfee DLP Endpoint Policy console in this
manual. When you have completed the basic installation, continue with this task:
Task
1 Restore the policy
  a Open the McAfee DLP Endpoint policy console, select File | Open, and browse to the location where you saved the backup of the previous DLP policy.
  b When prompted, click Convert to convert it.
  c On the Verify WCF Service Path screen, click Test Connection to verify that WCF is correctly configured.
  d Select Tools | Options and verify in the Backward compatibility mode section that the required version is selected.
  e Click Apply to save the policy to McAfee ePolicy Orchestrator.
2 Restore the computer assignment groups
  a In ePolicy Orchestrator select Policy | Policy Catalog. Select Data Loss Prevention 9.2.0.0 policies from the Product drop-down list.
  b Select Computers Assignment Group from the Category drop-down list.
  c Type a name and create a computers assignment group.
  d Click Load from file and browse to the computers assignment group backup file.
  Figure C-3 Restoring the computers assignment group settings
3 Restore the agent configurations
  a In ePolicy Orchestrator select System | Policy Catalog. Select Data Loss Prevention 9.2.0.0 policies from the Product drop-down list.
  b Select Agent Configuration from the Category drop-down list.
  c Type a name and create an agent configuration.
  d Click Load from file and browse to the agent configuration backup file.