Admin Guide for DPWMS v3.1.1

Dell Protected Workspace Management Administrator’s Guide
Dell Protected Workspace Management v3.1
Created and Maintained by Invincea, Inc.
Proprietary – For Customer Use Only
Dell Protected Workspace Management Server – Install and Configure – v3.1
Contents
Purpose and Intended Audience
System Requirements
Dell Protected Workspace Management Server Features
Threats Module
Sensor Module
Configuration Module
Admin Module
Installation on VMware vSphere 4.x or later
Additional Options for configuring DPWMs on VMware
Installing VMware Tools for DPWMs running in a vSphere Environment
Upgrading the network adapter to VMXNET3 for DPWMs running in a vSphere Environment
Installing DPWMs on VMware Workstation 7.1.x or later
Converting OVF files for VMware Workstation 7 or 8
VMware Workstation Installation Instructions
Installing the DPWMs on Custom Hardware or a custom Virtual Machine
Installing the DPWMs and prerequisites
MySQL 5.6 Additional Configuration
Configuring the DPWMs SYSV startup script
Configuring the DPWMs configuration file
[server]
[proxy]
[api_archive]
[license]
[mysql]
[logging]
[host_event_proc]
[summary_proc]
[threat_report_mgr]
[trp_virus_total]
[trp_cynomix]
[trp_metascan]
[trp_reversing_labs]
Configuring Secure Protocol for Client Connections
Configuring the DPWMs to use a Proxy for Outbound Connections
Configuring the DPWMs to use Third Party intelligence services for Sensor scoring
Updating the DPWMs v2.2.1 or later to DPWMs v3.1 using the DPWMs 2.2.1 or later Virtual Machine
Merging configuration file (ims.conf) changes after upgrade
Running IM3 for the first time post-upgrade
Configuring the Dell Protected Workspace Management Server for Basic Operation – Pre-Built Virtual Machine Only
Obtaining the DHCP Address of the System
Accessing the WebUI
Changing the time or time zone
Network Configuration
Self-Signed Certificate Creation
Changing the root and ims_admin passwords
Additional Administrative Tasks
Modifying the default Firewall
Installing Linux Updates
Generating a new self-signed certificate after initial configuration is complete
Installing a Trusted SSL certificate
Generating a CSR
Importing Signed Certificate and Key
Configuring the Dell Protected Workspace Management Server for SYSLOG
Testing SYSLOG connection from DPWMs
Configuring the Threats Module with the Correct SYSLOG format
Configuring the DPWMs to Log Messages to SYSLOG
[logging]
Operational Notes for the Dell Protected Workspace Management Server
Security Restrictions/Features
Logging into the Appliance Remotely via SSH
Pound Configuration
Configuring Dell Protected Workspace to work with the Dell Protected Workspace Management Server – Configuration Management Module
Configuring Dell Protected Workspace to work with the Dell Protected Workspace Management Server – Threat Data Module
Dell Protected Workspace Management Server Administrative Tasks
Acquiring the temporary administrator password for DPWMs
Logging into the Dell Protected Workspace Management Server Console
Entering the DPWMs License Key
DPWMs UI Method
DPWMs Configuration File Method
Modules
Admin Module
Users Tab
LDAP Integration
Adding a new DPWMs User
Deleting a user from the DPWMs
Activity Tab
Backup Tab
Create a Database Backup
Recovering from a Database Backup File
Errors Tab
Upgrades Tab
Upgrading the DPWMs
Restarting the DPWMs Process
Relicensing the IMs
Platform Tab
Note: for systems running multiple API/UI servers, this button will only connect to the webmin interface of the UI server currently being accessed.
Settings Button
Legal Disclaimer
Dell Protected Workspace Home Module
Home Tab
Threat Data Section
Configuration Management Section
Administration Section
Threats Module
Settings and Plugins
Threat Data Module Settings
Plugin Settings
Overview Tab
Detections by Date
Detections by Category
Top Users and Top Sources
Detections Tab
Threat Categories
Report Overview Page
Statistics
Configuration
Applications
Threat Report Analysis Tab
Threat Report Event Tree Tab
Threat Report Timeline Tab
Threat Report Geography Tab
Threat Report Plugin Tabs
Threat Report Actions:
Files Tab
File Overview Page
File Details
Hosts
Cynomix
File locations
Configuration Module
Groups
Hosts
Packages
Audit
Accessing the Configuration Module
Configuration Module Interface
Groups Tab
Creating a New Group
Renaming a Group
Group Details View
Set Installation Method
Adjust Preferences
Adding Custom Preferences / Attributes
Manage Unprotected Sites
Customize App Settings
Authentications
Hosts Tab
The exported report will include the same information that is displayed in the hosts table based on the currently selected filter.
Packages Tab
Adding a Package to the DPWMs
Viewing package details
Entering the Client Software Activation Key
Additional Global Package Settings
Audit Tab
Contacting Dell Support
Purpose and Intended Audience
This document is intended to provide instructions for installing and configuring the Dell Protected Workspace
Management server.
System Requirements
• One of the following Host Platforms
  o VMware Workstation 7.1 or later
  o VMware ESX or ESXi 4 or later
• 4 Processors for the Virtual Machine (for pre-built template)
• 8GB of available RAM for the Virtual Machine (for pre-built template)
• 250GB of available disk for the Virtual Machine and Sensor Data (for pre-built template)
• 1 Network connection for the Virtual Machine
• 1 IP address to assign to the system
• 1 DNS System Name to assign to the system
• External internet connectivity (for activation and OS updates)
• Compatible web browser to access the system
  o Internet Explorer 10+
  o Google Chrome 30+
  o Mozilla Firefox 20+
• Compatible database systems
  o MySQL 5.1
  o MySQL 5.6 (requires v3.0.3 or later)
• Subscription to threat intelligence service (if using Endpoint Sensor Feature)
  o ReversingLabs
  o VirusTotal
  o Metascan
IMPORTANT NOTE: The Dell Protected Workspace Management server requires an internet connection to allow
activation of the server and for connection to third party threat intelligence services.
The virtual machine can also be run in a Citrix or Microsoft virtual environment; however, installation instructions are not
included for those environments. The provided VMware image will also need to be converted to support these other
platforms before deployment. Post-installation configuration steps will remain the same.
Dell Protected Workspace Management Server Features
The Dell Protected Workspace Management server is a modular system that allows for multiple Dell Protected
Workspace applications to run on a single appliance. Each module is licensed individually and will only be available with
a valid license key.
Threats Module
The Threats Module allows Dell Protected Workspace clients to view Threat Report details that have been sent from the
Dell Protected Workspace software. These reports can be used to determine whether suspect activity that occurred within the
DPW container is suspicious.
Sensor Module
The Sensor Module allows DPW administrators to review DPW sensor data, which is collected from DPW machines,
to determine if malicious executables are running outside of the Dell Protected Workspace container.
Configuration Module
The Configuration Module allows for centralized management of the Dell Protected Workspace clients, managing both
configuration files and software updates.
Admin Module
The Admin Module allows for administrative management of the Dell Protected Workspace Management server,
including managing user accounts, applying DPWMs upgrades, viewing error logs and creating backups of the database.
Installing the Dell Protected Workspace Management Server
The Dell Protected Workspace Management Server is delivered as a virtual machine, in the VMware OVF template
format. The following instructions outline how to install the DPWMs on either VMware vSphere 4.x or later or VMware
Workstation 7.1.x or later. Some steps may differ slightly based on the version being used. The following instructions
assume that the latest DPWMs template has been downloaded from the Dell Support site.
Installation on VMware vSphere 4.x or later
1. Open the VMware vSphere Client and connect to the ESX(i) or vCenter system that the DPWMs will be installed
on.
2. Select the File menu and choose “Deploy OVF Template…”
3. Choose the file location of the OVF template (the download must be unzipped before this step). Press the
“Next” button.
4. Review the OVF information. Press the “Next” button.
5. Give the virtual machine a name (or use the default one provided). Choose which datacenter/folder the VM will
be deployed to (if applicable). Press the “Next” button.
6. For clustered systems, choose which cluster/host the VM will be deployed on. Press the “Next” button.
7. If multiple datastores are available, choose the datastore to deploy the VM on. Press the “Next” button.
8. Choose the desired disk format for the virtual disk. Press the “Next” button.
9. Select the network that the VM will be connected to. Press the “Next” button.
10. Verify your configuration and press the “Finish” button.
11. Optional step: Once the OVF template has finished deploying, take a snapshot of the VM to retain the original
settings before any configuration is done.
12. Power on the VM.
13. Installation of the DPWMs is now complete. Please continue to the “Configuring the Dell Protected Workspace
Management server for Basic Operation” section.
Additional Options for configuring DPWMs on VMware
Installing VMware Tools for DPWMs running in a vSphere Environment
To install VMware Tools into the DPWMs appliance, follow these steps.
1. Connect to the console of the DPWMs from the vSphere client. Use the root account (default password is
invincea).
2. From the VM menu, select Guest, then Install/Upgrade VMware Tools.
3. Create a mount point for the cdrom by running the following command:
    mkdir /mnt/cdrom
4. Mount the VMware Tools image by running the following command:
    mount /dev/cdrom /mnt/cdrom
5. Extract the tar file for VMware tools to the /var directory by running the following command:
    tar zxf /mnt/cdrom/VMwareTools-X.X.X-YYYYYY.tar.gz -C /var/
   NOTE: replace X.X.X-YYYYYY with the version number of the VMware Tools being installed.
6. Change to the extracted directory by running the following command:
    cd /var/vmware-tools-distrib/
7. Run the VMware Tools installer script by running the following command:
    ./vmware-install.pl
8. Follow the on-screen prompts and select the default setting for each option.
9. Confirm the installation was successful by viewing the details of the VM. A status of “VMware Tools: Running
(Current)” should be displayed.
Upgrading the network adapter to VMXNET3 for DPWMS running in a vSphere Environment
In some VMware environments, changing the DPWMs appliance network adapter from the default E1000 adapter to a
VMXNET3 adapter may be required. To change the appliance to the high-performance network adapter, follow these
instructions.
1. Connect to the DPWMs appliance VM via the vSphere console.
2. From the VM menu, choose Edit Settings
3. Select the “Network Adapter 1” device from the list and press the “Remove” button above the device list.
4. Press the “Add” button above the device list.
5. Select “Ethernet Adapter” from the device list and then press the “Next” button.
6. From the Network Type window, select VMXNET 3 as the Adapter Type and select the correct network from the
Network Connection drop-down. Also make sure the “Connect at power on” check box is selected. Press the
“Next” button.
7. Press the “Finish” button.
8. Press the “OK” button.
9. From the console, log in as the root user and run the following command:
rm /etc/udev/rules.d/70-persistent-net.rules
10. Confirm the delete process when prompted.
11. Reboot the appliance by running the following command:
reboot
12. Verify proper network connectivity after the system reboot.
Installing DPWMs on VMware Workstation 7.1.x or later
Converting OVF files for VMware Workstation 7 or 8
Before installation can begin on VMware Workstation version 7 or 8, the OVF file provided in the download must be
converted to the correct format. The following steps outline the conversion and assume that VMware Workstation
has already been installed.
1. Create a new folder where you want the virtual appliance to be stored on the host system. This will be used as
the destination folder for the converted files.
2. Open a command prompt and navigate to the VMware Workstation installation folder (usually C:\Program Files
(x86)\VMware\VMware Workstation\). Inside this folder, there is another folder called OVFTool. Navigate into
this folder.
3. Use the ovftool.exe to convert the OVF file into the correct format using the following command (Note, the
destination folder must exist before running the tool). File names are case sensitive.
a. ovftool.exe <original ovf file location>.ovf <converted vmx file destination>.vmx
b. Example: ovftool.exe C:\Users\Support\Documents\DPW_MS_3\DPW_MS_3.ovf C:\Users\Support\Documents\DPW_MS_3\DPW_MS_3.vmx
c. This will create the converted VMX and VMDK files in the destination folder.
Note: VMware Workstation 9.x and later does not require this process. Simply use the Open command as outlined
below and select the OVF file. VMware Workstation will do the conversion while opening the file.
VMware Workstation Installation Instructions
1. Open VMware Workstation. Select File > Open…
2. Browse to the location of extracted / converted files and select the <DPWMs file name>.vmx file (for
Workstation 7 or 8). Choose Open.
a. For VMware Workstation 9 or later, select the OVF file.
3. Optional step: Take a snapshot of the VM to retain the original settings before any configuration is done.
4. Power on the DPWMs virtual machine and continue to the “Configuring the Dell Protected Workspace
Management Server for Basic Operation” section.
Installing the DPWMs on Custom Hardware or a custom Virtual Machine
Installing the DPWMs and prerequisites
If administrators prefer to use their own version of Linux, a TGZ file is available for installation. Invincea uses CentOS 6.6
x86_64, but a similar Linux OS may be used (a 64-bit Linux OS is required). The DPWMs requires a MySQL database,
either on the local system or on a remote system. The DPWMs also requires that the system has port 443 available
through the local firewall for the DPWMs Console and API calls to work (assuming the recommended ports are used.
This may vary based on custom configurations). The following packages are required for full system functionality
(assuming RHEL or CentOS):
mysql-server (version 5.1)
epel (version 6.8 or later)
wine
Optional: MySQL-python
The DPWMs can be installed via the tgz file supplied. A destination directory needs to be created first. It is
recommended that the following directory be used: /opt/im3. Once the destination directory is created, the following
command can be used to extract the components:
tar xzf dpwms-z.z.z-YYYYY.tgz -C /opt/im3
This assumes the recommended destination path is used and the DPWMs package is in the directory the command is
being executed from.
Before the DPWMs can run, MySQL also needs to be installed on the host, as all DPWMs data is stored within a MySQL
database. The database can be stored on a separate machine; however the default configuration file will need to be
updated to point to the destination system. Also, a user name and password are necessary so the DPWMs process can
connect to the MySQL database. These will need to be entered into the ims.conf file.
Additionally, to support threat report uploads and package uploads, the /etc/my.cnf file needs to be modified to include
the following under the [mysqld] section:
max_allowed_packet=500M
innodb_log_buffer_size=128M
innodb_buffer_pool_size=128M
The default my.cnf included with the pre-built system contains the following:
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
max_allowed_packet=500M
innodb_log_buffer_size=128M
innodb_buffer_pool_size=128M
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
Once the package and MySQL database are ready, follow the steps in the “Configuring the DPWMs SYSV startup
script” and “Configuring the DPWMs configuration file” sections.
MySQL 5.6 Additional Configuration
If using MySQL 5.6 as a dedicated database for the Dell Protected Workspace Management server, an additional
configuration setting is required in the my.cnf file. In addition to the previously mentioned settings:
max_allowed_packet=500M
innodb_log_buffer_size=128M
innodb_buffer_pool_size=128M
The following line also needs to be added to the /etc/my.cnf file:
innodb_log_file_size=2G
This setting increases the INNODB log files to allow for the package uploads to the database. The INNODB logs will each
consume 2GB of disk space (there are two of them) once this setting has been enabled and the MySQL service has been
restarted. This should be taken into account when determining the amount of disk space that is required for the MySQL
server.
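The my.cnf requirements from the two MySQL sections above can be checked before the im3 service is first started. The following Python script is an added example, not part of the DPWMs package; the sample file contents and the function names are constructed, and it assumes a value larger than the one the guide lists is also acceptable.

```python
import configparser

# Values this guide asks for under [mysqld].
REQUIRED = {
    "max_allowed_packet": "500M",
    "innodb_log_buffer_size": "128M",
    "innodb_buffer_pool_size": "128M",
}
# Extra line the guide asks for when MySQL 5.6 is the dedicated database.
REQUIRED_MYSQL56 = {"innodb_log_file_size": "2G"}

UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

# Constructed sample: one setting written with dashes, one too small, one absent.
SAMPLE_MY_CNF = """
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
max-allowed-packet=500M
innodb_log_buffer_size=64M
symbolic-links=0

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
"""


def to_bytes(value):
    """Convert a MySQL size such as 500M or 2G to bytes."""
    value = value.strip().upper()
    if value and value[-1] in UNITS:
        return int(value[:-1]) * UNITS[value[-1]]
    return int(value)


def check_my_cnf(text, mysql56=False):
    """Return {option: problem} for required [mysqld] options that are missing or too small."""
    # allow_no_value: my.cnf may hold bare flags; strict=False: repeated options are legal.
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.read_string(text)

    have = {}
    if cp.has_section("mysqld"):
        for key, value in cp.items("mysqld"):
            # MySQL option files accept dashes and underscores interchangeably.
            have[key.replace("-", "_")] = value

    wanted = dict(REQUIRED)
    if mysql56:
        wanted.update(REQUIRED_MYSQL56)

    problems = {}
    for name, need in wanted.items():
        got = have.get(name)
        if got is None:
            problems[name] = f"missing, add {name}={need}"
        elif to_bytes(got) < to_bytes(need):  # assumption: larger values are fine
            problems[name] = f"{got} is below {need}"
    return problems


if __name__ == "__main__":
    for option, problem in check_my_cnf(SAMPLE_MY_CNF, mysql56=True).items():
        print(f"[mysqld] {option}: {problem}")
```

Files that use !include or !includedir directives need those lines resolved first, since configparser does not understand them.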
Configuring the DPWMs SYSV startup script
In order to simplify and automate the startup of DPWMs, the following SYSV startup script can be added to the system.
Before creating the startup script, the number of files a single process can access needs to be changed.
Increasing this limit allows the DPWMs process to handle a higher number of requests per API system. The file that
needs to be modified is:
/etc/security/limits.conf
Using the vi command to edit this file, go to the end of the file and look for the following entries (the exact settings may
vary):
root soft nofile 4096
root hard nofile 8192
Modify these entries by setting both limits to 65536. If the entries don’t exist at all, add them as follows:
root soft nofile 65536
root hard nofile 65536
Save the file and exit the vi editor.
To create the startup script, copy the im.init file stored in /opt/im3/etc (/opt/im3 being the install path) into /etc/init.d
with the following command:
cp /opt/im3/etc/im.init /etc/init.d/im3
This newly created im3 file contains the following:
#!/bin/sh
#
# ims3 - this script starts and stops the IM 3 server
#
# chkconfig: 2345 95 20
# description: Invincea Management Server
# processname: main
# Source function library.
. /etc/init.d/functions
# Source networking configuration
. /etc/sysconfig/network
# Check that networking is up
[ "$NETWORKING" = "no" ] && exit 0
CONSOLE_OUTPUT=/var/log/im3_console.log
IMS_PATH=/opt/im3
RUN="${IMS_PATH}"/run.sh
lockfile=/var/lock/subsys/${IMS_INSTANCE}
pidfile=$IMS_PATH/pidfile
start() {
echo -n "Starting ims: "
ulimit -n 65536
cd $IMS_PATH && ($RUN >> $CONSOLE_OUTPUT 2>&1 &)
retval=$?
[ $retval -eq 0 ] && echo "started" && touch $lockfile
return $retval
}
stop() {
echo -n "Shutting down ims: "
killproc main
retval=$?
echo
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}
status() {
if [ ! -f $pidfile ]; then
echo "not running"
return
fi
pid=$(cat $pidfile)
rc=1
ps ax | grep -q main && rc=$?
echo -n "state: "
if [ $rc -eq 0 ]; then
echo "running ($pid)"
else
echo "not running ($pidfile)"
fi
}
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status
;;
restart)
stop
start
;;
reload)
stop
start
;;
*)
echo "Usage: ($IMS_INSTANCE) {start|stop|status|reload|restart}"
exit 1
;;
esac
exit $?
Now modify the permissions on the file by running the following command:
chmod a+x /etc/init.d/im3
This now enables the IMs 3 application to be started and stopped using the following options:
service im3 start
service im3 stop
service im3 restart
service im3 status
To set the IMs application to start with the OS (both for upgrades and new system installs), run the following command:
chkconfig im3 on
Configuring the DPWMs configuration file
The DPWMs configuration file defines the necessary settings needed for the DPWMs to function, including port
numbers, certificate locations, MySQL settings and logging settings. The configuration file is located at:
/opt/im3/ims.defaults (or ims.conf once the DPWMs has run at least once)
The following section reviews the configuration file and options. The virtual application defaults are listed, but
can be modified to fit the needs of the environment:
[server]
This section defines the default server settings. It is important to properly define the port that the DPWMS UI will be
available on and to define the SSL certificate location.
# config_server_url defines the TDS/CMS URL that client machines use
# to reach the server.
#
# NOTE:
# * Any input from the global package settings will take precedence
#   over this setting.
# * If you're using an SSL terminator and running the IMS in non-SSL
#   mode, clients will still need to use https to reach the server
#
# config_server_url = ← REQUIRED: remove # and enter the server address (https://<server_name>)
# Port to use for UI and client requests. This will use the SSL
# settings (ssl_cert, ssl_key) if specified.
port = 80 ← can be configured to any port, used to access the UI
# Use this to listen on another port for client requests,
# e.g. heartbeat, incident upload, etc. This will use the SSL settings
# (ssl_cert, ssl_key) if specified.
api_port = ← this is the port that clients connect to, can be set to something else so that the UI and API are on different ports. Leaving this blank means the UI and API will use the same port.
#use 'localhost' to make server visible only to local machine
#use '0.0.0.0' to make server available publicly
host = 0.0.0.0 ← can be used to allow another process (such as Apache or Pound) to be the frontend webserver, rather than running directly from the application.
#use this for SSL
#if all 3 items are not blank, SSL is used
ssl_cert = /etc/pki/tls/certs/dpwms.crt ← REQUIRED for SSL: provide path to crt file
ssl_key = /etc/pki/tls/private/dpwms.key ← REQUIRED for SSL: provide path to key file
# valid ssl_versions are ['SSLv3', 'SSLv23', 'TLSv1']
# if unspecified TLSv1 is used
ssl_version = TLSv1 ← REQUIRED for SSL: used to specify required client protocol
# The system certificate bundle, if available to IMS, can be
# used to validate the identity of third parties with whom
# we integrate.
ca_cert_loc = /etc/pki/tls/certs/ca-bundle.crt ← used to validate integrated third parties
# enable FIPS mode for SSL
fips_enable = true ← used to enable FIPS for SSL connections
# set session timeout in seconds for UI clients
session_timeout = 86400 ← used to configure the timeout for DPWMs GUI before a user is logged out
# the location of the admin tool (ie. Webmin)
# the string "localhost" will be replaced with the server hostname as the browser sees it
platform_admin = https://localhost:10000/ ← used to specify the URL for the “Platform Administration Tool” on the Platform tab of the DPWMs GUI
# Max body size for Tornado, in MB. This sets the largest file size
# that can be uploaded.
max_body_size = 500 ← used to determine max file size for uploads to Sensor
# file_store_root specifies the path where all sensor file uploads
# will be kept. This must be a full path.
#
# If left blank, it will point to the temp dir as specified by the os;
# on linux systems this is usually /tmp
file_store_root = /opt/im3/sensor_file_store ← used to determine the folder location for where Sensor files are stored
[proxy]
# The location of the proxy server(s), with different configurations available
# for HTTP and HTTPS. Values are stored in 'http://<address>:<port>' or
# 'http://<user>:<pass>@<address>:<port>' format.
#
# If authentication is required, only BASIC authentication is supported at this
# time.
http_proxy = ← used to define proxy settings for outbound connections
https_proxy =
[api_archive]
# The api_archive section controls the background thread that keeps the
# api summary tables updated.
# In deployments with multiple api servers, api_archive_enable only
# needs to be set to true on *ONE* of the instances to do the
# archiving.
api_archive_enable = true ← used to define if api_archiving is enabled on this node
# How often the background thread runs, specified in seconds.
api_archive_interval = 300 ← used to define how often the archive process occurs on this node
[license]
#the license activation key to automatically attempt
activation_key = ← paste activation key here for automatic activation when the system starts (prevents having to enter the key into the UI)
#activation server url
server = http://delllicense.invincea.com/activate ← defines the URL that will be used to activate the system with the supplied license key.
[mysql]
#mysql parameters
host = 127.0.0.1 ← defines the address for the MySQL server to use, default uses MySQL on local system. If connecting to an external system, provide that system's IP address here.
port = 3306 ← defines the port to use to connect to MySQL. If going to an external system, this port needs to be open on the local system firewall.
name = invincea2 ← name of database to use for the DPWMs
user = root ← username of user that has access to the above database on the selected MySQL server
pass = invincea ← password of the above user for access to the configured database
[logging]
file = ims.log ← name of file the DPWMs will log to within the install directory
level = INFO ← level of logging: INFO is recommended (available options: DEBUG, INFO, WARN, ERROR)
# When use_syslog is set to true...
# - Log messages will be sent to syslog at the host specified in syslog_host
# - The logging.file setting is ignored and no log messages will be sent to that file.
use_syslog = false ← used to enable ims logging directly to syslog
# If use_syslog = true, specify the facility number to use for logging.
# Use one of the "local use" facility numbers (16 - 23) specified
# in https://tools.ietf.org/html/rfc5424
syslog_facility_number = 20 ← the facility number specified for logging to syslog
# Must be one of SOCK_DGRAM, SOCK_STREAM
syslog_socket_type = SOCK_DGRAM ← used to specify socket type of datagram or stream for syslog
# When set to true, logging is directed to /dev/log of the local host.
syslog_use_localhost = true ← used to log to /dev/log of the local host
# Specifies the device to write to when logging to syslog on the local host.
syslog_local_device = /dev/log ← used to specify where to log on the local host
# Specify these two parameters when syslog_use_localhost = false
syslog_host = ← used to specify the syslog host when not using the localhost
syslog_port = 514 ← used to specify the port of the syslog host
[host_event_proc]
# Enables host event processing.
enabled = true ← used to enable the processing of sensor host events
# Specifies the number of host_events_proc instances that will be launched.
process_count = 1 ← the number of processes used for host event processing
[summary_proc]
# Enables stats and search index updates.
enabled = true ← used to enable processing for sensor file summary information
[threat_report_proc]
# Enables processing of the threat_report queue
enabled = true ← used to enable the processing of sensor threat reports from vendors
[threat_report_mgr]
# When true, enables threat scoring of the files and network locations
# that FreeSpace hosts have interacted with.
enabled = true ← used to enable the threat report manager (processes sensor data)
# The number of minutes to wait between checks for missing threat reports.
missing_reports_check_interval_minutes = 60
[trp_virus_total]
# When true VirusTotal will be used as a source of threat reports
# for files, URLs, and domains. Support for IP addresses will be added later.
#
# NOTE: api_key is required -- but not provided -- for use of VirusTotal
#       services
enabled = false ← used to enable the VirusTotal TR Plugin
api_url = https://www.virustotal.com/vtapi/v2 ← used to define TR plugin API URL
api_key = ← enter customer api_key for access
# Should file uploads occur to this provider? Legal values are
# AUTOMATIC, or DISABLED. Defaults to DISABLED.
upload_policy = DISABLED ← defines if unknown EXE/DLL files are uploaded to TR provider
# Maximum size of file to be uploaded to this provider, in MB.
max_file_size = 32 ← defines max_size of files to upload to provider
# The timeout period (in seconds) for requests to the VirusTotal API.
request_timeout = 120 ← defines time out period for provider
[trp_cynomix]
# When true Cynomix will be used as a source of file threat reports.
enabled = true ← used to enable the Cynomix TR Plugin
api_url = http://cynomix3.appspot.com/api ← used to define TR plugin API URL
# Should file uploads occur to this provider? Legal values are AUTOMATIC,
# FILE_TYPE, MANUAL, or DISABLED. Defaults to DISABLED.
upload_policy = DISABLED ← defines if unknown EXE/DLL files are uploaded to TR provider
# Maximum size of file to be uploaded to this provider, in MB.
max_file_size = 10 ← defines max_size of files to upload to provider
# The timeout period (in seconds) for requests to the Cynomix API.
request_timeout = 120 ← defines time out period for provider
[trp_metascan]
# When true, Metascan will be used as a source of file threat reports.
#
# NOTE: api_key is required -- but not provided -- for use of MetaScan
#       services
enabled = false ← used to enable the Metascan TR Plugin
api_key = ← enter customer api_key for access
# the public Metascan API URLs are baked in, but can be overridden
# with the following:
# scan_results_url =
# hash_lookup_url =
# Should file uploads occur to this provider? Legal values are
# AUTOMATIC, or DISABLED. Defaults to DISABLED.
upload_policy = DISABLED ← defines if unknown EXE/DLL files are uploaded to TR provider
# Maximum size of file to be uploaded to this provider, in MB.
max_file_size = 200 ← defines max_size of files to upload to provider
# The timeout period (in seconds) for requests to the Metascan API.
request_timeout = 120 ← defines time out period for provider
[trp_reversing_labs]
# When true Reversing Labs will be used as a source of file threat reports.
#
# NOTE: username and password are required -- but not provided -- for use of
#       Reversing Labs
enabled = false ← used to enable the ReversingLabs TR Plugin
api_url = https://api.reversinglabs.com/api ← used to define TR plugin API URL
api_username = ← enter customer api_username for access
api_password = ← enter customer api_password for access
# Should file uploads occur to this provider? Legal values are
# AUTOMATIC, or DISABLED. Defaults to DISABLED.
#
# NOTE: Reversing Labs does not support file uploads for analysis at this time.
upload_policy = DISABLED ← defines if unknown EXE/DLL files are uploaded to TR provider
# The timeout period (in seconds) for requests to the Reversing Labs API.
request_timeout = 120 ← defines time out period for provider
Configuring Secure Protocol for Client Connections
Starting with DPWMs 2.2, the required secure protocol for client connections can now be configured in the ims.conf file.
Previous to DPWMs 2.2, TLS 1.0 was required to be enabled on client computers to enable communication to the
DPWMs. This new feature now allows for TLS and SSL protocols.
By default, the IMs is still configured to require TLS 1.0, but this can be changed by modifying the following in the
ims.conf file. This file is located in the root installation directory (on pre-built Virtual Machines, this is /opt/ims3/)
Under the [server] tag, the “ssl_version” tag can be set to the following:
• TLSv1 (default) = requires TLS 1.0 protocol to be enabled on clients
• SSLv3 = requires the SSL 3.0 protocol to be enabled on clients
• SSLv23 (supports the most protocols) = requires SSL 3.0 or TLS 1.0 to be enabled
NOTE: SSL v2 is not supported.
Configuring the DPWMs to use a Proxy for Outbound Connections
Starting with DPWMs 3.0, a proxy for outbound connections can be configured directly in the ims.conf file.
Under the [proxy] tag, there are two fields, one for an http proxy and one for an https proxy. Values are stored in
'http://<address>:<port>' or 'http://<user>:<pass>@<address>:<port>' format. If authentication is required, only BASIC
authentication is supported at this time.
To set the proxy, enter the proxy address in the appropriate field. Save and quit the ims.conf file. Lastly, restart the im3
service by running service im3 restart.
Configuring the DPWMs to use Third Party intelligence services for Sensor scoring
Starting with DPWMs 3.0, along with Sensor, the DPWMs can connect to third party intelligence services to assist in
scoring and evaluating Sensor data directly in the DPWMs.
NOTE: These services require a subscription that must be purchased separately before this functionality can be used.
In the ims.conf file, under the tags beginning with [trp…] there are fields to configure the multiple intelligence server
connections. VirusTotal, Metascan, and Reversing Labs each require security information such as a key or username and
password that is supplied upon subscribing to their service. Cynomix does not, as it is a service provided by Invincea with
the DPWMs. Each service can be enabled or disabled with the “enabled” field set to true or false respectively. Each
section also contains connection information in the form of a URL to the service's public API. These can be modified if
the values provided are outdated or differ from those recommended by the vendor.
Below is a sample of one of the TRP sections:
[trp_reversing_labs]
# When true Reversing Labs will be used as a source of file threat reports.
#
# NOTE: username and password are required -- but not provided -- for use of
#       Reversing Labs
enabled = true
api_url = https://api.reversinglabs.com/api
api_username = RLuser1234
api_password = RLpassword5678
# Should file uploads occur to this provider? Legal values are
# AUTOMATIC, or DISABLED. Defaults to DISABLED.
#
# NOTE: Reversing Labs does not support file uploads for analysis at this time.
upload_policy = DISABLED
# The timeout period (in seconds) for requests to the Reversing Labs API.
request_timeout = 120
The “upload_policy” option is used to control if unknown executables are sent to the third party vendor for evaluation.
This is used in conjunction with the max_file_size. In order for a file to be uploaded, the policy must be set to
AUTOMATIC and the file must be smaller than the max specified.
To enable one of the plugins, set enabled = true, input all necessary security information supplied by the service, and
change any of the other settings if desired. Save and quit the ims.conf file. Lastly, restart the im3 service by running
service im3 restart.
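The ssl_version, [proxy] and [trp_…] settings described in the three sections above can be reviewed mechanically before the im3 service is restarted. The following Python script is an added example, not part of the DPWMs package: it parses an ims.conf-style file and lists the settings an administrator would want to confirm. The sample file, the proxy host and key values, the finding texts and the function names are constructed, and it assumes the “3 items” that switch SSL on are ssl_cert, ssl_key and ssl_version.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample built from defaults this guide lists; not a real deployment's file.
SAMPLE_IMS_CONF = """
[server]
port = 80
api_port =
host = 0.0.0.0
ssl_cert = /etc/pki/tls/certs/dpwms.crt
ssl_key = /etc/pki/tls/private/dpwms.key
# valid ssl_versions are ['SSLv3', 'SSLv23', 'TLSv1']
ssl_version = SSLv23

[proxy]
http_proxy = http://svc_proxy:ExamplePass@proxy.example.test:3128
https_proxy =

[license]
server = http://delllicense.invincea.com/activate

[mysql]
host = 127.0.0.1
user = root
pass = invincea

[trp_virus_total]
enabled = true
api_url = https://www.virustotal.com/vtapi/v2
api_key = CONSTRUCTED-KEY
upload_policy = AUTOMATIC
max_file_size = 32

[trp_cynomix]
enabled = true
api_url = http://cynomix3.appspot.com/api
upload_policy = DISABLED
max_file_size = 10
"""

# Per the guide: SSLv3 requires SSL 3.0, SSLv23 accepts SSL 3.0 or TLS 1.0.
ALLOWS_SSL3 = {"SSLv3", "SSLv23"}
SHIPPED_DB_LOGIN = ("root", "invincea")  # defaults shown in the [mysql] section


def load(text):
    """Parse ims.conf-style text; interpolation is off so '%' in secrets stays literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit(cp):
    """Return a list of (section, key, message) items to review."""
    def get(section, key):
        return cp.get(section, key, fallback="").strip()

    out = []
    # Assumption: SSL is used only when cert, key and version are all non-blank.
    cert, key, ver = (get("server", k) for k in ("ssl_cert", "ssl_key", "ssl_version"))
    if not (cert and key and ver):
        out.append(("server", "ssl", "SSL is not in use on the UI/API port"))
    elif ver in ALLOWS_SSL3:
        out.append(("server", "ssl_version", f"{ver} lets clients connect with SSL 3.0"))
    elif ver != "TLSv1":
        out.append(("server", "ssl_version", f"{ver!r} is not a documented value"))

    for k in ("http_proxy", "https_proxy"):
        if urlsplit(get("proxy", k)).password:
            out.append(("proxy", k, "proxy password is stored in the file in clear text"))

    if urlsplit(get("license", "server")).scheme == "http":
        out.append(("license", "server", "activation request goes out over http"))

    if (get("mysql", "user"), get("mysql", "pass")) == SHIPPED_DB_LOGIN:
        out.append(("mysql", "pass", "database login is still the shipped default"))

    for section in cp.sections():
        if not section.startswith("trp_") or get(section, "enabled").lower() != "true":
            continue
        if urlsplit(get(section, "api_url")).scheme == "http":
            out.append((section, "api_url", "threat report lookups go out over http"))
        # A file is uploaded only when the policy is AUTOMATIC and it is under the max size.
        if get(section, "upload_policy").upper() == "AUTOMATIC":
            limit = get(section, "max_file_size") or "unspecified"
            out.append((section, "upload_policy",
                        f"unknown EXE/DLL files up to {limit} MB are uploaded to this provider"))
    return out


if __name__ == "__main__":
    for section, key, message in audit(load(SAMPLE_IMS_CONF)):
        print(f"[{section}] {key}: {message}")
```

Run it against a copy of ims.conf by passing the file's text to load(); the file holds credentials, so the copy needs the same access restrictions as the original.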
Updating the DPWMs v2.2.1 or later to DPWMs v3.1 using the DPWMs 2.2.1 or later Virtual Machine
For clients already running Dell Protected Workspace Management Server version 2.2.1, the new version can be
installed on the same system, if desired. If running an earlier version, the DPWMS must be upgraded to at least version
2.2.1 before updating to version 3.1.
Prior to installing the new DPWMs 3 package, the previously running DPWMs version needs to be stopped by running
the following as the root user or using SUDO:
service ims2 stop
Now that the old version has been stopped, the upgrade can continue.
Installation instructions are the same as those listed in the “Installing the DPWMs and prerequisites” and the
“Configuring the DPWMs SYSV startup script” sections. Once the system has been configured with the new DB settings and
installation files, the ims.conf file of the new installation needs to be modified as outlined in the next section.
Merging configuration file (ims.conf) changes after upgrade
As part of the upgrade process, the ims.conf file needs to be modified to enable/configure new DPWMs preferences.
The ims.defaults file is located in the installation directory of the new version (default is /opt/im3/ims.defaults). This file
should be copied to a file named “ims.conf” if one does not exist.
The ims.conf file in the new install location should be modified to include the settings previously configured. These can
be viewed in the old installation location (default for DPWMs v2 is /var/www/html/ims2).
Using a tool like Notepad++, an admin can identify new settings that exist in the ims.defaults file (which displays all
configurable options in the currently installed version).
Running IM3 for the first time post-upgrade
Once the DPWMs 3.1 system has been installed successfully, the following steps need to be accomplished to migrate the
existing DPWMs 2.x data into the new DPWMs 3.1 database.
1. Start the DPWMs 3.1 application by running the following as the root user
service im3 start
NOTE: it is not recommended to start the im3 service on the same port as the DPWMs until the migration of data is
completed. If client machines start writing to the database of the DPWMs 3 before the migration is completed, errors
can occur. To avoid this scenario, modify the “API_PORT” setting in ims.conf file to some alternative port (such as
8443). If “API_PORT” is blank, simply add the 8443 to the line before starting the service. If the service is started
already, issue a restart command to change the setting after saving the file.
2. Browse to the UI at the following address: https://<FULLY_QUALIFIED_DOMAIN_NAME>
3. Enter credentials for an admin level user
4. The DPWMs 3 activation key needs to be updated to relicense the system for the new features.
5. Follow the steps in the “Relicensing the DPWMs” section.
6. Once relicensed, any DPW v5 installation kits need to be re-uploaded to the DPWMs to pick up missing
configuration files.
7. From the Packages tab, remove any existing DPW v5 installation kits then re-upload them to the system
For questions/comments/issues, please contact Dell Support.
Configuring the Dell Protected Workspace Management Server for Basic Operation – Pre-Built Virtual Machine Only
Obtaining the DHCP Address of the System
By default, the DPWMs is configured to obtain a DHCP address. In order to continue with the configuration of the
DPWMs, this address is needed so that the WebUI can be accessed.
To obtain the address of the system, open a console session to the server. At the login prompt, enter the following
default credentials:
User: ims_admin
Password: invincea
Once logged in, run the command:
[ims_admin@ims ~]# ifconfig
This will display the IP address for eth0. It is labeled as “inet addr:”
Accessing the WebUI
The remaining initial configuration steps can be completed by accessing the Dell Protected Workspace Management
server WebUI. To access the WebUI, use a web browser to browse to the following address:
https://<system_IP_address>:10000
where <system_IP_address> is the one obtained in the last section. This address will be changed later in the
setup. If prompted about an issue with the site certificate, choose “Continue to this website”.
At the login prompt, use the default credentials (ims_admin/invincea) to log in to the WebUI. Administrators should use
the ims_admin account for general DPWMs configuration. For advanced configuration, use the root account
(root/invincea).
Once logged in, the DPWMs System Information Page will display:
Changing the time or time zone
For the DPWMS to function properly, it is important that the system be configured with the correct date, time and time
zone. The current date and time can be seen on the default landing page after logging into the WebUI. To modify these
settings, select “09 System Time.”
The System Time page has three tabs at the top of the page: Set time, Change time zone and Time Server sync.
Start by setting the system to the correct time zone. The change time zone tab displays a drop-down box with the
different time zones available to select from. Once the proper time zone has been selected, click Save.
From the Set time tab, the system and hardware time and date can be set. Set the System date and time first, pressing
the apply button when finished. Next, press the Set hardware time to system time button to sync the hardware time.
The Time server sync tab lets administrators enter the hostname or web address of a time server. Administrators
can also schedule when the synchronization happens, by minutes, hours, days, months, and
weekdays. Make sure to click Sync and Apply when finished making changes.
Network Configuration
The next task is to configure the network and DNS name of the system. To do this, select “01 Network Configuration”
under the “Invincea Server Management” menu.
Click on the “Network Interfaces” icon to set the IP address of the system. Once in the configuration view click on
“eth0” to set a static IP address for the network adapter. It is recommended that the system not be left with a DHCP
address.
In the “Edit Bootup Interface” dialog for eth0, select the radio button for “Static Configuration” under IPv4 address and
enter the assigned IP and netmask. Everything else can remain as default.
Press the “Save” button when finished.
Now select the “Routing and Gateways” icon. On the “Boot time configuration tab”, select “eth0” as the interface under
the Default route section. Then add the default gateway in the text box. Once that is entered, press Save. The WebUI
will be directed back to the “Network Configuration” page when complete.
Once back on the Network Configuration page, press the “Apply Configuration” button.
After the settings have been applied, the browser needs to be pointed to the new address (either IP or DNS name).
Once the login page loads on the new address, reenter the admin credentials, and navigate back to the “01 Network
Configuration” dialog.
Next, select the “Hostname and DNS Client” icon. From the dialog, enter the new server name under host name (this
needs to be the Fully Qualified Domain Name, host-only names will not work correctly), and enter the appropriate DNS
servers and search domains.
Press the “Save” button when that is completed. The WebUI will be directed back to the “Network Configuration” page
when complete.
Last, choose the “Host Addresses” icon from the Network Configuration page. Click on “Add a new host address.”
On the “Create Host Address” page, enter the IP address of the system in the “IP Address” box. Then, enter the Fully
Qualified Domain Name of the system in the “Hostnames” box. Once they are entered, press the Create button.
On completion, the page will redirect back to the Host Addresses page. The new host address should now be listed.
The network configuration is now complete.
Self-Signed Certificate Creation
In order for the DPWMS to operate properly, an SSL certificate needs to be generated. The following steps outline the
process for generating a self-signed certificate.
Start by selecting “02 Certificate Management” from the “Invincea Server Management” menu.
From the “Certificate Manager” page, click the “Generate Self Signed Certificate and Key” option.
Starting with the “Common Name (e.g. Host name)” field, fill out the information for the certificate. Please note the
fully qualified domain name MUST be entered for the product to work properly (this should be automatically entered
if the network configuration is correct, but should still be verified before continuing). The Key size should also be
changed from 1024 to 2048.
Additionally, verify that the paths to the certificate files are correct before continuing. They should read as follows:
Certificate file name: /etc/pki/tls/certs/dpwms.crt
Key file name: /etc/pki/tls/private/dpwms.key
Key/Cert pair file name: /etc/pki/tls/private/dpwms.csr
Once all of the information is filled out and verified, press the “Generate Key” button.
A confirmation page (displaying the old certificate that is about to be replaced) will display. Click the “Continue” button.
The new certificate has now been generated.
After the certificate and key are generated go to “03 Custom Commands” and select “Create SSL Certificate.” This will
combine the dpwms.key and dpwms.crt file to create the pound.pem SSL file.
Next, select “Restart Pound Reverse Proxy Service” in order to apply the certificate changes to Pound.
Changing the root and ims_admin passwords
To change the passwords for the root and ims_admin user accounts, select the “07 Change Passwords” page from the
“Invincea System Management” menu. Select “root” or “ims_admin” from the list of users.
Enter the new password in both fields and make sure the “Change passwords in other modules?” option is checked.
Press the Change button to commit the new password.
The other user accounts are Linux system accounts and are not used to administer the DPWMs.
Additional Administrative Tasks
Modifying the default Firewall
In most cases the firewall will not need to be modified. However, if a custom firewall rule is needed or if a default rule
needs to be removed, use the “Linux Firewall” page from the “Unused Modules” menu to make the modifications.
Incoming firewall rules should be added, changed or removed in the Chain RH-Firewall-1-INPUT section. Outgoing
firewall rules should be added, changed or removed in the Chain RH-Firewall-1-OUTPUT section.
Installing Linux Updates
In order to keep the Linux OS up to date, available system patches should be applied like any other server in the
environment.
By navigating to the “05 Software Package Updates” page from the “Invincea Server Management” menu, a list of all
available updates can be viewed.
To apply updates, select the desired updates and press the “Update Selected Packages” button at the bottom of the list.
Generating a new self-signed certificate after initial configuration is complete
In case a new self-signed certificate needs to be generated, either because the system name has changed, the original
certificate is incorrect or for any other reasons, follow the steps listed under “Certification Creation” and “Restarting the
DPWMS.”
Installing a Trusted SSL certificate
If a trusted SSL certificate is going to be used rather than a self-generated one, follow these steps to install it on the IMS.
Generating a CSR
If needed, a CSR can be created for the SSL Certificate. Start by selecting “02 Certificate Management” from the
“Invincea Server Management” menu. From the “Certificate Manager” page, select the “Generate Key and Certificate
Signing Request (CSR)” option.
Starting with the “FULLY QUALIFIED HOSTNAME” field, fill out the “Generate CSR” form. Once completed, press the
“Generate CSR” button.
On the next page, press the “Continue” button to generate the CSR.
From the confirmation page, use the hyperlink locations to go to the download page for the CSR and KEY files. Press the
“Download” button to display the file so it can be copied to the local machine.
Importing Signed Certificate and Key
To import a certificate and key from a trusted CA, start by choosing the “02 Certificate Management” option from the
“Invincea Server Management” menu. From the “Certificate Manager” page, select “Import Key or Signed Certificate.”
From the “Import Key or Signed Certificate” page, press the “Browse” button to choose the certificate or key that needs
to be uploaded. Once selected, press the “Upload Certificate” and/or “Upload Key” button(s) to complete the upload.
The certificate files (named dpwms.crt) must be uploaded to the following directory: /etc/pki/tls/certs
The private key file (named dpwms.key), if it needs to be replaced, must be uploaded to the following directory:
/etc/pki/tls/private
Configuring the Dell Protected Workspace Management Server for SYSLOG
For SIEM integration it is necessary to add a SYSLOG destination server to the DPWMs. To configure this, select the “06
System Logs” option from the “Invincea Server Management” menu.
From the System Logs page, select the “Add a new system log” hyperlink located at the bottom of the table.
In the “Log to” section of the “Add System Log” page, change the radio button to select “Syslog server on” and enter the
destination IP address of your syslog listener.
Under the “Facilities” section, choose “local0” from the drop-down and select the “All” radio button under “Priorities.”
Press the Save button when finished.
Verify that the syslog server is now configured in the “System Logs” page. It should be listed as “Syslog server on
<IP_ADDRESS>”, be Active and selected for local0.*
To complete the syslog configuration, the syslog service needs to be restarted (or started if it was not running). To do
this, navigate to the 03 Custom Commands menu and use the Syslog commands.
Testing SYSLOG connection from DPWMs
To validate that the DPWMs is sending data to the configured SYSLOG destination server, go to the “03 Custom
Commands” menu from the “Invincea Server Management” Menu.
Listed under the Custom Commands Menu is a command labeled “DPWMs Syslog Test Command.” Click on this
command link to send a test message to the configured destination server.
Once the command is run, verify that the SYSLOG destination server received a SYSLOG message with the text “DPWMs
Syslog Control Test.” If this message was received by the destination server, SYSLOG reporting is working correctly.
Configuring the Threats Module with the Correct SYSLOG format
The DPWMs Threats Module is able to send Threat Report information to SIEM systems in a few different formats to
better suit the receiving SIEM system. Available formats are Splunk, Q1 Labs, Arcsight and RSA Envision.
To set the proper logging format, select the Plugins menu from the Threat Data tab.
From the Plugin Settings dialog, locate the entry for formats under the alerts header and make sure that the “Enabled”
box is checked. If not, check the box and restart the DPWMs (im3) service. Now, modify this line to the correct format
(only one should be selected. All four are displayed by default, and should be modified to the correct selection):
sp = Splunk
q1 = Q1 Labs
arst = ArcSight
env = RSA Envision
Optionally, modify the logname entry to create a custom search word in the SYSLOG entry. This logname is included at
the beginning of the SYSLOG messages generated by the Threats Module.
Press the “Save” button and close the dialog once the changes have been made.
Configuring the DPWMs to Log Messages to SYSLOG
The DPWMs is able to log the messages that normally go to the ims.log file directly to SYSLOG. To set this up, edit
the ims.conf file (default location is /opt/im3/ims.conf). To edit the file, enter the following at the command prompt:
vi /opt/im3/ims.conf
Navigate to the [logging] section of the file. Edit the following lines (except file and level) according to the existing
SYSLOG setup.
[logging]
file = ims.log  ← name of file the DPWMS will log to within the install directory
level = INFO  ← level of logging: INFO is recommended (available options: DEBUG, INFO, WARN, ERROR)
# When use_syslog is set to true...
# - Log messages will be sent to syslog at the host specified in syslog_host
# - The logging.file setting is ignored and no log messages will be sent to that file.
use_syslog = false  ← used to enable ims logging directly to syslog
# If use_syslog = true, specify the facility number to use for logging.
# Use one of the "local use" facility numbers (16 - 23) specified
# in https://tools.ietf.org/html/rfc5424
syslog_facility_number = 20  ← the facility number specified for logging to syslog
# Must be one of SOCK_DGRAM, SOCK_STREAM
syslog_socket_type = SOCK_DGRAM  ← used to specify socket type of datagram or stream for syslog
# When set to true, logging is directed to /dev/log of the local host.
syslog_use_localhost = true  ← used to log to /dev/log of the local host
# Specifies the device to write to when logging to syslog on the local host.
syslog_local_device = /dev/log  ← used to specify where to log on the local host
# Specify these two parameters when syslog_use_localhost = false
syslog_host =  ← used to specify the syslog host when not using the localhost
syslog_port = 514  ← used to specify the port of the syslog host
To save the file press the Esc key, then type :wq.
Restart the im3 service by typing:
service im3 restart
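The Python check below is an added example, not part of the product or of the original guide. It tests an edited [logging] section against the constraints stated in the comments above (facility 16-23, socket type, host and port when syslog_use_localhost = false) and reports the syslog PRI range a SIEM filter should expect. The sample file contents, the true/false parsing and the 192.0.2.10 address are assumptions.

```python
import configparser

LEVELS = {"DEBUG", "INFO", "WARN", "ERROR"}
SOCKET_TYPES = {"SOCK_DGRAM": "udp", "SOCK_STREAM": "tcp"}

# Constructed sample of an edited [logging] section (not a real appliance file).
SAMPLE_CONF = """\
[logging]
file = ims.log
level = INFO
use_syslog = true
syslog_facility_number = 20
syslog_socket_type = SOCK_DGRAM
syslog_use_localhost = false
syslog_local_device = /dev/log
syslog_host =
syslog_port = 514
"""


def _flag(section, key, default):
    """Read a boolean setting; the 'true'/'false' spelling is assumed from the guide."""
    return section.get(key, default).strip().lower() == "true"


def check_logging(conf_text):
    """Validate the [logging] section; return (problems, summary)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section("logging"):
        return ["missing [logging] section"], {}
    log = parser["logging"]
    problems, summary = [], {}

    if log.get("level", "").strip() not in LEVELS:
        problems.append("level must be DEBUG, INFO, WARN or ERROR")

    if not _flag(log, "use_syslog", "false"):
        # File logging: none of the syslog_* settings are used.
        summary["target"] = "file:" + log.get("file", "").strip()
        return problems, summary

    # With use_syslog = true the guide says logging.file is ignored.
    summary["file_ignored"] = True

    raw = log.get("syslog_facility_number", "").strip()
    if raw.isdecimal() and 16 <= int(raw) <= 23:
        facility = int(raw)
        summary["facility"] = "local%d" % (facility - 16)
        # RFC 5424: PRI = facility * 8 + severity, severity in 0..7.
        summary["pri_range"] = (facility * 8, facility * 8 + 7)
    else:
        problems.append("syslog_facility_number must be 16-23")

    sock = log.get("syslog_socket_type", "").strip()
    if sock not in SOCKET_TYPES:
        problems.append("syslog_socket_type must be SOCK_DGRAM or SOCK_STREAM")

    if _flag(log, "syslog_use_localhost", "true"):
        summary["target"] = "local:" + log.get("syslog_local_device", "").strip()
        return problems, summary

    # Remote syslog: both host and port must be usable.
    host = log.get("syslog_host", "").strip()
    port = log.get("syslog_port", "").strip()
    if not host:
        problems.append("syslog_host is empty although syslog_use_localhost = false")
    if not (port.isdecimal() and 0 < int(port) < 65536):
        problems.append("syslog_port must be 1-65535")
    summary["target"] = "%s:%s/%s" % (host, port, SOCKET_TYPES.get(sock, "?"))
    return problems, summary


if __name__ == "__main__":
    fixed = SAMPLE_CONF.replace("syslog_host =", "syslog_host = 192.0.2.10")
    for text in (SAMPLE_CONF, fixed):
        print(check_logging(text))
```

With the facility number 20 shown above, messages arrive as local4, so the SIEM should match PRI values 160 through 167 rather than the local0 facility used by the System Logs forwarding rule.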
Operational Notes for the Dell Protected Workspace Management Server
Security Restrictions/Features
The Dell Protected Workspace server has the following security restrictions that may need to be taken into
consideration within your environment.
ICMP echo (ping) is disabled.
SELinux is enabled and configured with the strictest default policy.
You can only connect to the appliance using HTTPS on port 443 and SSH on port 10022.
You can only make outbound connections from the appliance to port 80 and 443.
Logging into the Appliance Remotely via SSH
You can log into the host remotely using an SSHv2 client, such as OpenSSH, SecureCRT or PuTTY. The username is
ims_admin and the password will be the default password or what the administrator has changed it to. The ims_admin
account is the ONLY account that has SSH access to the system. The SSH server runs on port 10022, so the client will
need to use that port rather than the default. The command using OpenSSH is:
ssh -p 10022 ims_admin@your.host.name.here
Once logged into the ims_admin account, the “su” command can be used to elevate privileges and become root. This
will be required if administrative tasks need to be performed.
Pound Configuration
The DPW Management template comes preconfigured with Pound. Pound is a reverse proxy server used to optimize the
handling of communication from the DPW clients to the DPW Management server.
The configuration file for Pound is located here: /etc/pound.cfg
To restart the Pound service, run the following command:
service pound restart
Or run the Restart Pound Reverse Proxy Service custom command:
Configuring Dell Protected Workspace to work with the Dell Protected Workspace
Management Server – Configuration Management Module
In order for installations of Dell Protected Workspace to report to the Dell Protected Workspace Management server –
Configuration Management Module, the client software needs to be configured to point to the DPWMs. The following
steps outline how to properly configure the clients.
1. From the Dell Protected Workspace configuration files, open the preferences.xml file with a standard text
editor.
2. Locate the line beginning with “<config_server”.
3. Modify this line to point to the DNS name of the newly configured DPWMs
a. <config_server server="https://<FQDN SERVER NAME>/api" accept_untrusted_cert="false" />
4. If using a self-generated certificate, also change the value of “accept_untrusted_cert” on the same line to
“true”.
a. <config_server server="https://<FQDN SERVER NAME>/api" accept_untrusted_cert="true" />
5. Save the file and deploy it with new client installs.
Configuring Dell Protected Workspace to work with the Dell Protected Workspace
Management Server – Threat Data Module
In order for installations of Dell Protected Workspace to report to the Dell Protected Workspace Management server –
Threat Data Module, the client software needs to be configured to point to the DPWMs. The following steps outline
how to properly configure the clients.
1. From the Dell Protected Workspace configuration files, open the preferences.xml file with a standard text
editor.
2. Locate the line beginning with “<report”.
3. Modify this line to point to the DNS name of the newly configured DPWMs
a. <report enabled="true" address="https://<FQDN SERVER NAME>:443" accept_untrusted_cert="false" />
4. If using a self-generated certificate, also change the value of “accept_untrusted_cert” on the same line to
“true”.
a. <report enabled="true" address="https://<FQDN SERVER NAME>:443" accept_untrusted_cert="true" />
5. Save the file and deploy it with new client installs.
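The Python audit below is an added example, not part of the product or of the original guide. It covers both client procedures above (the config_server line for the Configuration Management Module and the report line for the Threat Data Module) and checks a preferences.xml before deployment: each endpoint must use https, must name the server by FQDN, and any accept_untrusted_cert="true" is reported so it can be matched against the certificate actually installed. The <preferences> root element, the host names and the finding labels are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Element name -> attribute holding the server URL, as shown in the guide.
ENDPOINTS = {"config_server": "server", "report": "address"}

# Constructed sample; the <preferences> root element and hosts are assumptions.
SAMPLE_PREFS = """\
<preferences>
  <config_server server="https://dpwms.example.test/api" accept_untrusted_cert="true" />
  <report enabled="true" address="https://10.0.0.5:443" accept_untrusted_cert="false" />
</preferences>
"""


def _is_fqdn(host):
    """True for a dotted DNS name, False for an IP address or a host-only name."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return "." in host.strip(".")


def audit_preferences(xml_text):
    """Return a list of (element, finding) tuples for the two DPWMs endpoints."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag, attr in ENDPOINTS.items():
        elements = list(root.iter(tag))
        if not elements:
            findings.append((tag, "missing"))
        for el in elements:
            url = urlsplit(el.get(attr, ""))
            if url.scheme != "https":
                findings.append((tag, "not-https"))
            if not _is_fqdn(url.hostname or ""):
                findings.append((tag, "not-fqdn"))
            # Reported, not rejected: the guide requires "true" with a
            # self-generated certificate and "false" otherwise.
            if el.get("accept_untrusted_cert", "").strip().lower() == "true":
                findings.append((tag, "untrusted-cert-accepted"))
    return findings


if __name__ == "__main__":
    for element, finding in audit_preferences(SAMPLE_PREFS):
        print(element, finding)
```

An untrusted-cert-accepted finding is expected only while the server still uses the self-generated certificate; once a trusted certificate is installed, the accept_untrusted_cert="false" form of each line applies.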
Dell Protected Workspace Management Server Administrative Tasks
Acquiring the temporary administrator password for DPWMs
Upon startup of the DPWMs 3.x server, a temporary password is generated and stored in the database for the DPWMs
system. The following steps outline how to access the temporary password so that access can be granted to the DPWMs
UI.
From the WebUI (port 10000) interface, log in and browse to Invincea Server Management -> 03 Custom Commands.
Click on the “Show Temporary Admin Password” link.
This link will display the temporary password assigned to the admin user. This password is needed to log into the
DPWMs 2.x system for the first time. The first line of the output will display the user name “admin”. The second line
will display the temporary password.
If the Webmin (port 10000) interface is not available, the temporary password can be viewed by looking at the contents of
the /opt/im3/admin-info.temp file.
Logging into the Dell Protected Workspace Management Server Console
To access the Dell Protected Workspace Management server Console (DPWMs Console), use a web browser to browse
to the following address:
https://<dpw_management_hostname>
where <dpw_management_hostname> is the FQDN defined during setup (alternatively, the IP address of the
system can be used). If prompted about an issue with the site certificate, choose “Continue to this website”.
At the login prompt, use the default credentials to log in to the DPWMs Console.
User: admin
Password: <acquired via WebUI custom_command>
When accessing the Dell Protected Workspace Management server, the home page is displayed first. This home page
will display differently depending on what modules the system is licensed for. The following information describes the
available modules and their functions.
Entering the DPWMs License Key
The DPWMS license key can be entered via two different methods: via the DPWMs UI or via the DPWMs configuration
file.
IMPORTANT NOTE: The Dell Protected Workspace Management server requires an internet connection to allow
product activation of the server. If an internet connection is not available, please contact Dell Support for assistance.
DPWMs UI Method
When the Admin account is logged into the DPWMs for the first time, the unlicensed modules will be displayed on the
landing page.
To activate the modules, click on the “Activate” button on either the Threat Data or Configuration Management module
headers.
When the Activate License dialog box is displayed, enter the license key from the License Entitlement Certificate. Press
the “Activate” button to finish the activation.
If the activation is successful, the Activate License dialog will close and the modules will now be available for use.
If the activation does not work, an error message will display on the dialog box.
If activation fails, validate that the DPWMs system has access to http://delllicense.invincea.com/activate
If an internet connection is not available, please contact Dell Support.
Note: If any of the system properties of the DPWMs change (system name, mac address, etc.) the license key will need
to be re-entered when using this method. In some cases it will need to be reissued.
DPWMs Configuration File Method
By placing the DPWMs activation key into the configuration file, the DPWMs will automatically attempt to activate, if it
has not done so already, when the DPWMs (im3) service is started. This ensures that any hardware / configuration
changes (MAC, FQDN, etc.) will not cause a user to be prompted to enter the activation key when they log in.
To enter the activation key into the configuration file, start by connecting to the virtual machine console or using SSH to
access the system. An elevated account, such as the root account, will need to be used in order to make changes to the
configuration file.
Once connected, stop the DPWMs (im3) service by running the following command:
service im3 stop
Change to the installation directory (which is /opt/im3 by default; if a custom install was done, it may be different).
Use a text editor, such as vi to modify the ims.conf file.
Find the following line and enter the activation key after the equals sign on the activation_key line:
[license]
#the license activation key to automatically attempt
activation_key = 12345678901234567890
Save the file, then restart the IMs 3 service by running the following command:
service im3 start
Validate the activation was successful by logging into the DPWMs UI. The modules should now be active. If not, view
the ims.log file (located in the same installation directory as the ims.conf file) for details on what the error was.
If activation fails, validate that the DPWMs system has access to http://delllicense.invincea.com/activate
If an internet connection is not available, please contact Dell Support.
Modules
The Dell Protected Workspace Management server is broken into different modules. Each module can be accessed by
clicking on the appropriate module icon on the navigation bar.
This version of the Dell Protected Workspace Management server contains the following modules:
Dell Protected Workspace Home – The Home module is a consolidated view of the Configuration and Threats
Modules. This view contains a system overview. Information will only be displayed for those modules that are
licensed.
Threat Data – The Threat Data Module provides an analyst view of Threat Reports and DPW Sensor information
submitted from the client software.
Config – The Config Module is used to manage client software configuration files and versions.
Admin – The Admin Module is always available and is used to create user accounts and view user activity.
Admin Module
The Admin module is used for user management and activity tracking, database backups, error log viewing and DPWMs
upgrades. It can be accessed by clicking on the Admin tab in the navigation bar.
Users Tab
The Admin module defaults to the Users tab when it is loaded. From this tab, new users can be added and existing users
can be modified or removed.
LDAP Integration
With the release of DPWMs 3.1, LDAP Integration is available for DPWMs users. In order to turn on LDAP Integration for
logging in to the DPWMs select the “LDAP Integration” switch.
The following window will appear to enter the credentials for configuration.
Username – Enter the username that will be used to authenticate the connection to the LDAP server.
Password – Enter the password that is used to authenticate the connection to the LDAP server.
Hostname – Enter the IP or the FQDN of the LDAP server used.
Port – Enter the port of the LDAP server. It is most likely 389.
SSL Usage – Check this box if the connection to the LDAP server uses SSL.
Base DN – Enter the distinguished name to use for the LDAP queries. For example, if the domain is test.local, enter
“DC=test, DC=local”.
Click “Next”. The connection will be tested to ensure the entries are valid. The next configuration window will appear.
The values in these fields look up the Active Directory Group values from the Base DN entered in the configuration. In
Active Directory, create groups to associate with the above fields.
Allow Login – The Active Directory Group entered here allows the users in that group to login to the DPWMs.
Admin Flag – The Active Directory Group entered here gives users in that group full access to Admin tab. This field is
equivalent to the Admin flag.
CMS Modify – The Active Directory Group entered here gives users in that group ability to modify the CMS. This field is
equivalent to the CMS Modify flag.
TDS Modify – The Active Directory Group entered here gives users in that group ability to modify the TDS. This field is
equivalent to the TDS Modify flag.
Sensor Modify – The Active Directory Group entered here gives users in that group ability to modify Sensor events. This
field is equivalent to the Sensor Modify flag.
In the Active Directory Groups, add users to give them the appropriate rights in the DPWMs. For example, a user in the
Active Directory Groups entered in Allow Login, CMS Modify, and TDS Modify can log in to the DPWMs, modify the CMS,
and modify the TDS.
Click “Next” to advance. A final window will appear to confirm the configuration, requiring the password of the current
account logged in in order to complete the change.
Enter the password for the current user and click “Submit”. By clicking “Submit”, users can no longer be managed in the
DPWMs, and will now be managed through the Active Directory. All current DPWMs users will be deleted from the
database and the current logged in user will be logged out.
By clicking “Edit”, the configuration can be edited further before continuing on to submit and finalize the configuration.
After LDAP Integration is enabled, the configuration can be edited by clicking the gear icon next to the switch.
With LDAP Integration enabled, the user list will populate with users that have logged in at least once.
The user information screen displays the flags applied to the user based on the user’s Active Directory Groups. These
flags are greyed as user modification is disabled while in LDAP mode. Also, only the View Recent Activity button is
available as changing the user’s password and deleting the user is done in the Active Directory in LDAP mode.
To turn off LDAP Integration, click the switch. Enter the password of the current user and click “Submit” in order to
complete the change.
The current user will be logged out. Since all DPWMs users had been deleted, use the credentials used the first time
logging in to the DPWMs:
User Name: admin
Password: <acquired via WebUI custom command>
Any other users will need to be created again.
Adding a new DPWMs User
To add a new user to the DPWMs, click on the “Add User” button:
When the Add User dialog box is displayed, enter a user name. Then enter a password for the user and confirm it.
When finished, click the “Create” button. To cancel the add user action, press the “Cancel” button.
After the user has been created, the user details will display. If required, select the additional flags necessary to give the
user the correct permission level. Press the Save Flags button when finished.
Note: once a user is given admin level privileges, only that user can remove the admin level flag from the account.
Deleting a user from the DPWMs
To delete a user from the DPWMs, go to the user’s details page and press the Delete User button.
If the Delete User button is disabled, the user account will need to be modified to a standard (not admin) account before
it can be deleted. This can only be done while the account is logged in.
Activity Tab
The Activity Tab is used to display the user audit log. This log will display when users log in and out of the system, and
what actions they take while modifying the system. For example, activities such as creating or deleting a new group are
tracked.
Backup Tab
The Backup Tab is used to backup and restore the DPWMs database. The backup table displays a list of all backups that
have been run or uploaded to the DPWMs.
The table displays the time of the backup (when it was created or uploaded), the size of the backup, and the backup file
name. Additionally, it allows for three actions to be taken with that backup:
Download – downloads a copy of the backup file through the browser accessing the UI
Delete – removes the backup from the system
Create a Database Backup
To create a new database backup, press the “Create” button at the bottom of the table.
Click the “Create” button to finish the creation. To cancel the action, press the “Cancel” button.
Once the backup is successfully created, it will be displayed in the list of available backups. Press the “Download” link on
a selected backup file to download a local copy of the backup. Press the “Restore” link to restore the database from this
backup. Press the “Delete” button to remove the selected backup.
Recovering from a Database Backup File
When recovering a DPWMs from a backup file, the backup file can be imported directly into the database using
the mysql command. From the ssh console, an import of the database would look similar to:
mysql -u <username> -p <databasename> < </path/to/backup/file.sql.tgz>
Note: running the above command will overwrite any data in the database, so be sure that this is only run into a new
system or if the current system is no longer functional.
Errors Tab
The Errors Tab provides a UI display of the latest errors logged by the system. These error messages may be useful in
troubleshooting an issue with the DPWMs.
The table displays the error messages, with the most recent issue listed first. The table can be sorted by clicking on the
column headers. If more than ten errors exist in the log, the table will display multiple pages that can be navigated and
searched using the navigation bar.
The “Clear…” button can be used to clear the message from the Errors table.
Upgrades Tab
The Upgrades Tab is used to display the upgrade history of the DPWMs system and can also be used to apply new
versions of the DPWMs software, restart the DPWMS process, and relicense the IMs.
The Upgrade History table displays the date and version of the DPWMs software that was installed. The log entry may
also display any important details about the version applied.
Upgrading the DPWMs
To apply an upgrade to DPWMs 3.0, click on the “Install Upgrade…” button.
NOTE: Only applies to single instance systems. Multiple API/UI systems must be upgraded manually.
When the “Install Upgrade” dialog is displayed, press the “Choose File” button and select the upgrade file, then press
the “Upload” button. To cancel the upgrade process, press the “Cancel/Close” button.
Once the upgrade has begun, it cannot be stopped. When the upgrade has finished, the UI should refresh, and the new
version should be listed at the top of the list. If the browser does not refresh or times out, manually refresh the browser
to display the upgraded system.
If for some reason the UI does not return, use the Custom Command section of the WebUI (port 10000) interface to
restart the DPWMs 3 (im3) service.
Restarting the DPWMs Process
If the DPWMs process needs to be restarted, such as when enabling new plugins for the Threat Data module, a “Restart
Server…” button is also available on the Upgrade History tab. To restart the DPWMs process on the system, press the
“Restart Server…” button.
NOTE: This only restarts the IM service on the node that the UI is running on. For multiple API/UI systems, the IM
service needs to be stopped/started manually on all systems.
Relicensing the IMs
A “Relicense…” button is available in the Upgrades tab in order to relicense the DPWMs after upgrading from DPWMs
2.x to DPWMs 3. This process is necessary to update the DPWMs with the SEN (sensor) license information. To relicense
the DPWMs, press the “Relicense…” button, enter the Activation Key and select Save.
NOTE: This only applies to single instance servers. Multiple API/UI servers must be relicensed manually.
Next to the “Relicense…” button, a box displays the date the DPWMs was last licensed or the number of days left of the
license (if within 1 month) with the licensed modules.
Note: if this does not take effect immediately, try restarting the DPWMs service to reload the system.
Platform Tab
The Platform Tab provides some basic information about the DPWMs server, including the currently configured host
name, CPU usage information, Memory usage information, and disk usage information.
Additionally, two buttons exist at the bottom of the screen to allow access to the server’s ims.log file and also to provide
one-click button access to the backend management page (webmin).
If the “Platform Administration Tool” is not visible, a change to the ims.conf file needs to be made. From the server
console or via ssh, connect as the root user and use vi or a similar tool to edit the configuration file: /opt/im3/ims.conf
Under the existing option “fips_enable = true” add the following:
platform_admin = https://localhost:10000/
Once the above line has been added, save the file, and restart the ims2 service. After the service restart, the “Platform
Administrator Tool” button will now be available.
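One way to script the ims.conf edit described above, as an added example that is not part of the original guide. The helper name add_platform_admin is hypothetical; the file path, option names and URL are the ones given in the text. The service restart is still performed afterwards as the guide describes.

```shell
#!/bin/sh
# Added example (not from the DPWMs guide). add_platform_admin is a
# hypothetical helper name; the file path, option names and URL are the ones
# given in the text above.

# Insert "platform_admin = <url>" directly under the "fips_enable = true"
# line of config file $1. URL $2 defaults to the value from the guide.
# Exit status: 0 added or already present, 1 file problem, 2 anchor line missing.
add_platform_admin() (
    conf=$1
    url=${2:-https://localhost:10000/}
    { [ -f "$conf" ] && [ -w "$conf" ]; } || { echo "cannot edit $conf" >&2; exit 1; }

    # Idempotent: never add a second platform_admin line.
    if grep -Eq '^[[:space:]]*platform_admin[[:space:]]*=' "$conf"; then
        exit 0
    fi
    if ! grep -Eq '^[[:space:]]*fips_enable[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$conf"; then
        echo "no \"fips_enable = true\" line in $conf" >&2
        exit 2
    fi

    cp -p "$conf" "$conf.bak" || exit 1      # keep the previous version
    tmp=$(mktemp) || exit 1
    # Print every line; after the first fips_enable line, print the new option.
    if awk -v opt="platform_admin = $url" '
            { print }
            !done && /^[ \t]*fips_enable[ \t]*=[ \t]*true[ \t]*$/ { print opt; done = 1 }
        ' "$conf" > "$tmp" && cat "$tmp" > "$conf"; then   # cat keeps owner and mode
        status=0
    else
        status=1
    fi
    rm -f "$tmp"
    exit "$status"
)

# Usage: sh add_platform_admin.sh /opt/im3/ims.conf
if [ $# -ge 1 ]; then
    add_platform_admin "$@"
fi
```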
Note: for systems running multiple API/UI servers, this button will only connect to the webmin interface of the UI
server currently being accessed.
Settings Button
The Settings button provides additional admin settings for the IMs.
Legal Disclaimer
New to IMs 3.1 is the ability to require accepting a legal disclaimer before logging in to the IMs.
Enable this setting by checking the “Require users to accept a disclaimer prior to logging in” check box and adding the
disclaimer text to the “Disclaimer Text” field. Then click “Save”.
When logging in to the IMs, the user will first be presented with this window:
After selecting “OK”, the user can then proceed with normal login procedures.
Dell Protected Workspace Home Module
The Dell Protected Workspace Home Module is a consolidated view of the Modules. This view will change based on
which modules are available in the system.
Home Tab
Threat Data Section
The Threat Data Section provides a brief overview of threats that have been reported to the system. The section header
contains a “View All Threat Data” button that will direct the user to the Threat Data module.
The display contains a graphical display showing the number of threat reports received per day, a chart of the most
recent reports and a breakdown of the different report classifications for all reports in the Threat Data module.
Configuration Management Section
The Configuration Management section provides a brief overview of hosts that are being managed by the system. The
section header contains a “Manage Configuration” button that will direct the user to the Config module.
The display contains a graphical display showing the total number of hosts by version per day, a chart of the five groups
with the most hosts and additional host-level statistics.
Administration Section
The Administration Section provides a brief overview of the DPWMs users. The section header contains a “Manage
Administration” button that will direct the user to the Admin module.
The display contains a chart showing the most recent user activity.
Threats Module
The Threats module is used to review Threat Reports and Sensor data that are reported by the Dell Protected
Workspace client software. From this module, detailed analysis can be performed on the reports to determine the
source and impact of the threat on the client system.
To access the Threats module, click on the Threat Data icon from the navigation bar of DPWMs. The main display for the
Threats module includes three tabs, Overview, Detections, and Files.
Settings and Plugins
Additional settings for the Threat Server and for Plugins can be modified by accessing the Settings or Plugins
configuration dialogs.
Threat Data Module Settings
Pressing the “Settings” button will display the “Threat Data Module Settings” dialog box. The following options can be
configured in this dialog.
• Ignore incoming detections that are duplicates currently in the database, including deleted ones.
   o This setting ensures that if a duplicate report is sent to the system (in case a client tries to upload the report more than once) it will only be displayed once.
• Remove personal information (name, hostname, etc.) from incoming detection reports.
   o This setting allows personal information to be removed from the uploaded threat reports before they are displayed in the UI.
Plugin Settings
Additional third-party plugins can be enabled to allow for integration with such providers as ReversingLabs, VirusTotal,
ThreatGrid, Threat Stream, URLQuery, Google, Email Alerts, and iSightPartners. By enabling these plugins, additional
tabs will be added to the threat report view.
NOTE: These are different providers / configurations than the ones used to score Sensor data in the “Files” tab.
To enable a plugin, select the checkbox next to the plugin name. In order for plugins to be fully enabled, the DPWMs
(im3) service must be restarted. This can be done from the Admin Module, under the Upgrades tab. Press the “Restart
Server” option.
Some plugins may require additional information, such as account information. This information will need to be entered
before the plugin will work properly.
Overview Tab
The Overview tab contains an overview of the threat reports that have been uploaded to the DPWMs. Graphs, charts
and other information are provided to show statistical information about the threat reports. The overview tab is broken
into four sections.
Detections by Date
This section will display incidents by 3 filters: daily, monthly, or yearly. There are also 2 other display filters on the right
side of the section: triggered and received. Triggered will display when the incident occurred on the end user’s machine.
Received will display when the incident was uploaded to the Threat Data Module.
Detections by Category
This section displays the number of each type of incident by category.
• Confirmed Infection – The total number of threat reports that have been flagged as actual infections Dell Protected Workspace was able to protect the host system from.
• False Positive – The total number of threat reports that have been identified as false positives (by trusted processes not whitelisted in the Dell Protected Workspace default configuration).
• Training – The total number of threat reports marked for rules training, to create custom suppression rules for the Dell Protected Workspace detection engine.
• Uncategorized – The total number of threat reports that have yet to be categorized.
• Deleted – The number of threat reports that have been deleted from the Threat Data module.
Top Users and Top Sources
This section displays the number of incidents for the top users with the most threat reports sent to the Threat Data
module and the top sources that existed in threat reports sent to the Threat Data module.
Top Users – Displays the users in descending order based off of the number of threat reports that have been submitted
to the Threat Data module.
Top Sources - Displays the most reported sources (websites, document file name, etc.) that have been in reports sent to
the Threat Data module.
Detections Tab
The Detections Tab of the Threats module displays a summary of fifteen threat reports. The details of any report can be
viewed by clicking on the source name for the selected report.
The detections table can be filtered to only display certain categories of threat reports by selecting a category in the
“Category” drop-down menu.
To filter the threats by category, use the drop-down box, and then select which category to display. The options are as
follows: Uncategorized, Training, False Positive, Confirmed Infection, and Deleted.
The column headings can also be used to sort the display view. Click on a column heading to sort by that column.
Additionally, the search box can be used to search the threat report information for specific information, such as user,
host name, source and other information.
The detections tab provides the ability to manually import threat reports, modify threat report categories and delete
threat reports from the DPWMs system through a series of buttons that exist below the incidents table.
The “Select All” and “Select None” buttons are used to work with the currently displayed page of threat reports. The
“Select All” button will select the threat reports that are currently displayed in the table (up to 15 reports). The “Select
None” button will unselect any reports that are currently selected. An individual report can also be selected or
unselected at any time by clicking on the checkbox at the beginning of the threat reports line in the table.
Threat Categories
Threat reports can be categorized in the Threats module to see which reports have been reviewed and what
classification the report falls into. The Threat Data module has four different categories available for the threat reports.
Every report must belong to one of these categories.
• Uncategorized – All threat reports which have not yet been categorized.
• Training – A threat report that is being used to create a custom set of threat detection rules to suppress a false positive report.
• False Positive – A threat report from a client machine that is a trusted action, but is not part of the default rule set in the Dell Protected Workspace Detection Engine.
• Confirmed Infection – A threat report that has been confirmed as an actual threat.
To manually import an infection report, click the “Import” button from the series of buttons below the threat reports
table.
From the Import dialog box, press the “Choose File” button and locate the XML report file to upload. Once the file is
selected, press the “Upload” button.
Once the report import has finished, the report will be displayed on the Detections tab.
The delete button allows a threat report to be deleted from the Threat Data Module. Before the report is deleted, a
confirmation dialog will display and a reason for deletion of the report must be provided. Deleting a report removes
that report from the UI, but retains some of the information in the database, along with the reason for deletion.
From the Delete Detections dialog, enter a reason for deleting the selected threat report and press the “Delete” button
to remove the report from the system.
Report Overview Page
The details of a threat report can be viewed by clicking the Source hyperlink of the report in the incidents table. The
reports details will then be displayed so that the threat report can be reviewed in detail.
The heading bar at the top of the report details provides a color code based on the category assigned to the report. To
change the Category of a threat report, click the “Categorize…” button and select the desired category.
The next section of the report is split into three different sections:
Statistics
This section contains statistics about the threat report, based on actions that occurred.
• Executables Written – Displays the number of executable files written to the container.
• Processes Launched – Displays the number of processes launched in the report.
• Connections Opened – Displays the number of network modifications (TCP connect, TCP listen) made to/from the system.
• System Changes – Displays the number of changes made to the container before the threat stopped or the container was restored.
Configuration
The Configuration section contains additional information about the host system and user that uploaded the Threat
Report.
Displayed Information:
Product – Displays which flavor of Dell Protected Workspace is running on the machine that reported the alert.
Version – Displays which version of Dell Protected Workspace is running on the machine that reported the alert.
Protocol – Displays the threat protocol number.
Operating System – Displays the Operating System of the machine at the time of the alert.
User – Displays the user ID of the user logged in during the time of the alerts (not available if the anonymize option is
enabled).
Host – Displays the machine name of the machine at the time of the alert (not available if the anonymize option is
enabled).
Local IP - Displays the IP address of the machine at the time of the alert (not available if the anonymize option is
enabled).
Activation Key – Displays the activation key of the machine at the time of the infection, if available.
Host Descriptor – Displays the unique host identifier for the machine at the time of the alert.
Service Tag – Not currently used.
User Action – Displays what action was taken after the alert occurred (Restored/Ignored).
Kill Processes – Displays a red X or a green checkmark depending on whether or not the processes were terminated
when the detection occurred.
Delete Downloads – Displays a red X or a green checkmark depending on whether or not all downloads during that
session were deleted.
Delete Source – Displays a red X or a green checkmark depending on whether or not the document responsible for the
infection during that session was deleted.
Infection Warning - Displays a red X or a green checkmark depending on whether or not the end user received a
notification of infection.
Rule Training - Displays a red X or a green checkmark depending on whether or not this infection was categorized as
Training.
Applications
The Applications section displays a list of the applications that were available in the secure container during the alert
(apps are defined in the default product and custom apps file). The versions for the applications are displayed when
they are available.
Threat Report Analysis Tab
The Analysis tab provides the common display of the Threat report that a user can see from the Dell Protected
Workspace product when the Threat is detected. This display categorizes the actions based on five severity levels: Red,
Orange, Yellow, Green and Blue.
Each categorized line can be expanded so that the contents can be reviewed.
Threat Report Event Tree Tab
The Event Tree tab window provides a hierarchical view of the threat. The display shows parent and sub-events. The
display has the ability to be filtered, so specific event types (Process, File, Registry, Network and Module Load) can be
displayed. By default, all filters are displayed except for the Module Load filter.
Events are grouped on a second-by-second basis and carry a prefix with the event type (process launch, file written, URL, etc.).
Clicking on a specific event brings up the details of that event.
For threat reports that were triggered by an untrusted process, the triggering process (that caused the threat report) will
be displayed in Red to help easily identify it.
All process entries contain additional details about the process (some will display options used during the process
launch). When third-party integration is enabled for the Threat Data module, these plugins can be used for additional
analysis.
Threat Report Timeline Tab
The Timeline tab provides the time-based display of all the actions that occurred during the threat. The display has the
ability to be filtered, so specific event types (Process, File, Registry, Network and Module Load) can be displayed. By
default, all filters are displayed except for the Module Load filter.
Similar to the Event Tree display, each line contains a hyperlink which displays additional information.
Threat Report Geography Tab
The geography tab displays a geo-lookup view of the threat to identify where any outbound connections that were
made by the threat are located on a map. A connection line will display between these connections and the DPWMs
home location.
Threat Report Plugin Tabs
Additional tabs may also be displayed, based on which Threat Data module plugins have been enabled.
Threat Report Actions:
There are several additional actions that can be done with a threat report. The following outlines what the available
actions are.
Export – The Export Detection dialog menu provides the option to export the threat report. Available formats are XML,
CSV, and JSON. There is also an option to view the export in a new tab instead of downloading.
Allow – The allow button displays a custom rule snippet to allow the displayed detection to not be triggered in the
future. This partial snippet can be added to a custom_app snippet that contains all of the necessary information needed
to allow an application to run within Dell Protected Workspace.
Delete – The delete button allows a threat report to be deleted from the Threats Module. Before the report is deleted,
a confirmation dialog will display and a reason for deletion of the report must be provided. Deleting a report removes
that report from the UI, but retains some of the information in the database, along with the reason for deletion.
Files Tab
The Files Tab of the Threats module displays information of files collected by the Sensor. Files are collected when a dll or
exe is executed, a DPW detection occurs, or a download occurs. Initially, only file metadata is sent to the server. This
information is displayed in the Files Tab and detailed further in each file link.
The details of any file can be viewed by clicking on the file name in the list, and a file can be selected by clicking
anywhere on that file’s row.
The files list is filtered by default to display the last week of data, “Known Bad” and “Likely Bad” severity levels, and
“Track All Activity” and “Track New Activity” reporting policies. Files can be filtered by Status, Last seen dates, Severity,
Group, and Reporting policy.
To filter the files, use the drop-down boxes or date fields, and then select which option to display. The options for
Status are as follows: Read and Unread. The options for Severity are Known Bad, Likely Bad, Unknown to mildly-suspicious, Mildly-suspicious, Likely Good, and Known Good. The options for Group are all the Groups from the Config
module. The options for Reporting policy are Track All Activity, Track New Activity, and Ignored.
The column headings can also be used to sort the display view. Click on a column heading to sort by that column. The
columns are Severity, File name, Found By, Num Hosts, and Threat Summary.
• Severity – This column is the score that the Sensor assigns to the file based on the plugins used. The score is 0-100, closer to 0 being good and closer to 100 being bad. The score is determined by evaluating each plugin’s score and how severe (good or bad) the scores are.
• File name – This column displays the name and publisher of the file.
• Found By – This column has three icons which illustrate how the file was found. The hazard icon indicates it was found by a DPW detection. The arrow icon indicates the file was found by a download. The bolt icon indicates the file was found by it being executed. The icons will appear colored if found by its respective method and gray otherwise.
• Num Hosts – This column displays the number of hosts in which the file was found.
• Threat Summary – This column summarizes each plugin’s threat details.
Additionally, the search box can be used to search the files information for specific files, such as file name or publisher.
The “Select All” and “Select None” buttons are used to work with the currently displayed page of files. The “Select All”
button will select the files that are currently displayed in the list. The “Select None” button will unselect any files that
are currently selected. An individual file can also be selected or unselected at any time by clicking on the checkbox at
the beginning of the line in the list.
The “Mark…” button is used to mark files as either unread or read based on the matching filter or the selected files.
The “Track…” button is used to set files to show all activity or new activity for selected files or all files matching the filter.
The “Ignore…” button is used to mark a file as ignored so no activity will be tracked for that file.
File Overview Page
The details of a file can be viewed by clicking the file name hyperlink in the file list. The file’s details will then be
displayed.
The heading bar at the top of the file details provides a color code based on the severity assigned to the file. In addition,
the bar has three buttons, Mark as unread, File tracking, and Ignore this file.
• Mark as unread – this button will mark the file as unread and bring the user back to the file list
• File tracking – this button displays a dropdown to select the option to show all activity for the file or new activity for the file
• Ignore this file – this button will give the file a Reporting policy of Ignored, so no further activity will be tracked for the file
File Details
The first section of the File Overview is the File Details section.
File Details is split into three sections, Properties, Patient zero, and Detection methods. Properties displays a list of
metadata about the file. Patient Zero displays information regarding the user and host the file information is collected
from. Detection methods displays the count of how this file was detected, either through a DPW detection, a download,
or an execution.
Hosts
The next section of the File Overview is the Hosts section.
This section displays all of the hosts this file was found on. The table displays the host name, the corresponding user
from that host, how it was found (DPW detection, download, or execution), the time the file was first found, and the
time of the most recent event of the file.
Cynomix
The next set of sections includes all plugins enabled for the Sensor. The Cynomix plugin section is detailed here because
it is included with the DPWMs. If other plugins are enabled there will be other sections for those plugins similar to the
Cynomix section.
This section is split into two main groups, Neighbors and Capabilities. Neighbors displays the similar files found by
Cynomix based on percentage of similar code. The Capabilities section lists each possible capability and the tokens of the
file considered evidence for that file having the listed capabilities.
Additionally, the white “i” icon in the section header links to the plugin’s site detailing the file information.
File locations
The next section of the File Overview is the File locations section.
This section displays the location of the file on the host machine in which it was found.
Configuration Module
The Configuration Module provides the ability to control client configuration files and software versions from a
centralized system. Client machines can be separated into different groups to allow for custom configurations on the
group level. The following section reviews the Configuration Module and its functions.
Groups
The Configuration Module applies configuration files on a per group basis. This allows for the administrator to group
together hosts that will require the same configuration. The system includes one Default group (which cannot be
deleted). The Default group will be the group that new clients are added to at time of installation; therefore it is
important that this group always contains a valid configuration. If all clients will receive the same configuration, the
Default group can be used and no additional groups need to be created.
Hosts
The Configuration Module creates a unique descriptor for each host entry, regardless of the user or hostname of the
system. However, the last reported hostname is used as the display name for a host entry to allow admins to identify
the host in the DPWMs. A host is added to the DPWMs database on installation of the Enterprise client, if the client
software is configured to connect to a DPWMs and the DPWMs is available. It will display in the UI in the Default group
after installation or after the first successful heartbeat into the DPWMs. A host will remain in the UI, regardless of
whether the client system still has the software installed. If a host needs to be removed from the system, it can be
deleted.
Packages
Starting with DPWMs 2.0, the concept of a package is introduced. In previous versions of the DPWMs, when a new
version of the client software was added to the DPWMs, only the product installer was used. This allowed for
mismatched client software and configuration versions. As of DPWMs 2.0, instead of only the product installer, the
entire installation kit, or “package”, is now uploaded to the system. This allows the DPWMs to associate specific
configuration files with the correct version of the client software and ensures that there are no further mismatches
between client software and configuration versions.
Audit
The Audit tab tracks events sent by hosts. The tab logs user trusted sites if the User Trusted Sites audit preference is set
to true. The tab displays the event, the date of the event, the user of the machine, the hostname and the group the host
is in. This allows admins to determine which sites are being trusted by users and if further action with the site should be
taken, such as trusting the site group-wide or troubleshooting an issue with the site and Dell Protected Workspace.
Accessing the Configuration Module
The Configuration Module is accessed by clicking on the “Config” button in the navigation bar.
Configuration Module Interface
Groups Tab
The Groups Tab displays a list of all available groups on the system. By default, the display lists the group with the
largest number of hosts first. Along with the group name, the current revision number for that group is displayed, along
with the total number of hosts assigned to the group, and the date of the last modification of that group.
The column headers can be clicked on to sort the list by any of the selected headers. The search box can also be used to
search for a specific group.
When more than 10 groups are present, the groups will span multiple pages. The arrow buttons can be used to advance
to the next or return to the previous page of Groups. Additionally, the Page number can be entered into the Page
Number box to jump to a specific page. The total number of groups is listed in the center of the navigation tools.
Creating a New Group
To add a new group to the DPWMs, press the “Add Group” button. In the Add Group dialog, enter a name for the new
group, and select an existing group to copy the configuration from. It is recommended that an existing group always be
used as a template for any new group. If the None option is selected, the group will contain only the default settings.
Press the “Create” button to finish the process. The dialog box will close and return to the Groups tab.
Renaming a Group
Added with the release of DPWMs 2.2 is the ability for the name of a group to be modified after it has been created. In
order to rename a group (with the exception of the “Default” group), click on the group name in the Groups table. From
the Group details screen, press the “Rename Group…” button.
When the “Rename Group” dialog box is displayed, enter the new name for the group, then press the Rename button.
Group Details View
The Group Details View provides a view of the currently selected group that shows the current configuration options,
current software deployment options, plus history information and a link to the list of hosts that are currently assigned
to the group.
Once customizations have been made to any section of the Group Detail View (Install Method, Preferences, Trusted
Sites, Custom Apps, or Authentications), they need to be saved before they will be sent to the clients. Pressing the
“Save” button at the bottom of the view will display a confirmation dialog.
An optional comment can be saved to indicate what changes were made during this revision. Pressing the “Save”
button on the dialog will commit the changes and publish them to the clients. Any comments can be reviewed on the
“View History” tab for the group. Pressing the “Close” button on this dialog will cancel the save action.
The “Clear” button at the bottom of the view can also be used to remove any pending changes and revert back to the
last saved state.
The Group navigation bar provides information about the Group, including the name of the currently selected group,
and the date and time of the last revision.
There are also six buttons available in the navigation bar. They list the hosts currently assigned to the group, display
the audit events log for the group, show the revision history of the group, reset the group to its default configuration,
rename the group, and delete the group from the system.
Pressing the “View Hosts” button will switch the display to the Hosts tab, with the correct filter applied (in the image
below the “Production” group filter is applied) for the group that is currently selected. To return to the group, go back
to the Groups tab and select the group from the list.
Pressing the “Audit Events” button will switch the display to the Audit tab.
This view will have the correct filter applied (in the image below the “Production” group filter is applied) for the group
that is currently selected. To return to the group, go back to the Groups tab and select the group from the list.
Pressing the “View History” button will switch the display to view the revision History for the currently selected group.
Any comments that were noted while saving a revision will be displayed on the Comment section of that revision.
Clicking the “View Changes” link on a revision will provide a detail of whatever changes were made during the selected
revision.
Clicking on the “Revert” link on a revision will reset the group settings back to what was published in this revision.
To return to the Group, click on the Group Name link in the title.
Pressing the “Reset Group…” button on the group details page will prompt the user to select what the group should be
reset to. The user can select the current configuration of another group, or can go back to all default settings by selecting
“None”.
Finally, pressing the “Delete…” button will prompt the user to confirm deletion of the selected group.
Set Installation Method
The next section of the Group Details View is the Set Installation Method section.
While the DPWMs is not able to do initial installations of client software, it can provide software updates once the
clients are managed. The Set Installation Method provides options for how client updates should be applied.
When a DPWMs group is assigned with a specific software version, it is then able to ensure that all clients that are
assigned to the group are running this specific version, or greater, of the client software. For example, if the Group is
assigned v5.0.2 and a client is running v5.0.0, the client will be upgraded. However, if the client is running v5.0.3, it will
not be downgraded.
The first section deals with the user experience during the software upgrade process. One of three options needs to be
selected when a software version is specified.
The “Default” method will provide the user with a Dell Protected Workspace Alert over the system tray, after the
upgrade file has finished downloading to the staging area on the client machine, with the option to either “Install Now”
or “Install Later”. By choosing Now, the user will immediately be exited out of all protected applications and the
upgrade process will take place immediately. The Later option will put the upgrade into a pending state and it will
automatically apply the next time the client software is restored or restarted.
The “Nice” method does not alert the user at all, but after the upgrade file has finished downloading to the staging area
on the client machine, the upgrade will be in a pending state, and it will automatically apply the next time the client
software is restored or restarted.
Finally, the “Force” method will provide the user with a Dell Protected Workspace Alert over the system tray, after the
upgrade file has finished downloading to the staging area on the client machine that indicates a five (5) minute
countdown until the software is forcibly upgraded. Once the timer has expired, all protected applications will close and
the upgrade will be processed.
The next section provides a drop-down that allows for the selection of the software version to be used for the client
upgrades.
Starting with DPWMs 2.0, a package upgrade can be assigned directly to an individual host. If a package has been
assigned directly to a host, that host will not receive a package upgrade assignment from the Group it is part of until the
package assignment has been removed. The text above the package assignment for the group specifies “Host with no
package” as a reminder. You can tell if a host has had a package assigned by searching for the host in the Hosts table
and seeing what value is in the Package column. This column needs to display (None) for the host to receive software
upgrades from the group level settings.
Adjust Preferences
The Adjust Preferences section is used to set the client software preferences. This UI is automatically created based on
the latest version of the client software loaded into the system.
The preferences are broken into several sections to help group together the different preferences by functionality. By
clicking on the tabs along the left hand side, the different sections are displayed.
There are two different types of preference selection: radio button and text box. Preference attributes that have a
predefined true or false option will display as a radio button. All other preferences display as a text box where a specific
value needs to be entered, based on the preference being set. Please reference the client software documentation for
descriptions of each preference and allowed values for the text box fields.
Additionally, the “?” next to the name of each preference may provide some additional information about the
preference, if it is available. This information may contain valid entries for text box fields, however the comprehensive
information can be found in the client software documentation.
Preferences all start with the default values that are set in the client software installation kit. When a value has been
changed from the default option, an additional option will now be present on the same line.
The word “Default” being displayed next to a preference attribute indicates that the preference is no longer set to the
default value in the client installation kit. If the Default option is clicked, the value will be reset back to what it was in
the client installation kit.
Additionally, the word “Revert” is displayed. Clicking this link will revert the value back to what it was the last time the
group was saved. This can be used if a value was changed by accident and the previous setting is not known.
Adding Custom Preferences / Attributes
In some cases, a custom preference may need to be added to enable a new preference, or to add additional attributes
to a default preference. To add a new preference or attributes, switch to the “other” tab of the Adjust Preferences
menu and press the Add Custom Preference button.
When the Add/Modify Preference dialog is displayed, copy the new preference or updated preference XML snippet into
the dialog box. Be sure to include the <preferences> tag before the snippet and the </preferences> tag after the
snippet. Press the “Create” button to confirm the change.
Locate the new or modified preference to ensure it has been added or modified. Modifications that are not part of the
default configuration file will contain an “x” at the end of the line to allow for removal of the modification, and to act as
an indicator that it is a custom entry. For modified preferences, this only applies to attributes that are not part of the
default configuration file. Once added to the UI, these new preferences can be modified the same as any other
preference.
Manage Unprotected Sites
The next section on the Group Detail View is the Manage Unprotected Sites section. This section is used to enter regex
values for URLs that should be added to the trusted sites list for the client software.
The list below describes the different behaviors each entry can have.
• Red - trusted (unprotected) – indicates that any matching URL will open in an unprotected browser, outside of
  the secure container.
• Gold - blocked – indicates that any matching URL will not be allowed to open in an unprotected browser;
  however, if the URL is entered into the unprotected browser it will not be redirected. The only method for
  accessing a blocked URL is to access it via a protected browser directly. This is mostly used to block third-party
  embedded ad URLs that are on trusted sites, to prevent the ad URLs from opening in a protected browser. This
  feature is no longer valid after the release of Dell Protected Workspace 4.0.
• Green - untrusted (protected) – indicates that any matching URL will open in the protected browser. This
  feature is used when certain subdomains (such as a publicly facing website) should be forced to open in the
  protected browser, while the rest of the domain is allowed to open in an unprotected browser. It is important
  that untrusted entries be listed above any associated trusted entries, as the trusted sites list is evaluated from
  top down.
• Blue – Sharepoint – indicates that any matching URL will be an allowed Sharepoint domain used with the
  Sharepoint Passthru feature. The Sharepoint URL will open in the protected browser and launch Office
  applications on the host. To make a Sharepoint rule, use this format in the 'Custom rule' textbox:
  sharepoint=server.example.com, then click 'Add Rule'. Wildcard is accepted, for example:
  sharepoint=*.example.com.
• Purple – unredirected – indicates that any matching URL will be allowed to stay in whatever browser (protected
  or unprotected) it is accessed from. This is important for sites like Google account sites, to allow users to be
  able to log into both the protected and unprotected Chrome browsers.
• Grey – disabled – indicates that the entry is not active and will be skipped. The disabled option can also be used
  to place comments within the trusted sites list to indicate what a certain section of regex values may relate to. If
  a comment is entered, it is extremely important to make sure it is disabled.
When a new group is created, this section is populated with the default entries included in the installation kit.
These entries cannot be removed from the list, however they can be disabled as described below. Custom entries can
be added to the list using the Add Custom Rule entry box at the bottom of the list. Enter the desired regex entry into
this box, then press the Add Rule button to add it to the list.
The Quick Add Domain feature can be used to add a standard regex for a simple domain, such as example.com. By
entering the domain into the rule text box, and pressing the Quick Add Domain button, a regex will be auto-created and
added.
The Add Multiple Rules button, located below the Custom Rule section, allows for a multi-rule regex file to be pasted
into the provided dialog to allow for a bulk upload of regex entries.
Within the Add Multiple Unprotected Sites dialog box, paste a list of regex entries, one per line, then press the “Create”
button to add them. Comments can also be added within the bulk upload by adding a hashtag “#” at the beginning of
the line.
Each entry in the list must be classified with one of six different classifications. By default, all new entries are classified
as trusted (unprotected).
To change the classification of an entry, click on the colored square at the beginning of the line until it displays the
desired color of the classification needed. Entries can also be reordered by using the up and down arrows at the
beginning of each line, or by clicking and dragging the entry to the desired location (not supported with all browsers). A
custom entry can also be removed completely by clicking on the “x” at the end of its line.
To make a Sharepoint rule, use this format in the 'Custom rule' textbox: sharepoint=server.example.com, then click
'Add Rule'. Wildcard is accepted, for example: sharepoint=*.example.com. Note: Sharepoint rules are not part of the
type rotation. To remove or disable a Sharepoint rule, click the “x”.
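The top-down evaluation and the bulk-paste format described in this section can be checked offline before a group is saved. The following is an added example, not DPWMs or client code: it assumes Python's `re` dialect and an unanchored search against the full URL, and the names `Rule`, `parse_bulk`, `classify` and `misordered` are hypothetical.

```python
import re
from dataclasses import dataclass

# Classifications from the list above. Sharepoint rules use their own
# "sharepoint=host" syntax and are left out of this model.
TRUSTED, BLOCKED, UNTRUSTED, UNREDIRECTED, DISABLED = (
    "trusted", "blocked", "untrusted", "unredirected", "disabled")


@dataclass(frozen=True)
class Rule:
    kind: str      # one of the classifications above
    pattern: str   # regex text, or a comment when kind is DISABLED


def parse_bulk(text):
    """Parse an Add Multiple Rules paste: one regex per line, '#' comments.

    Returns (rules, errors). New entries default to trusted (unprotected),
    as the guide states; comment lines are ignored here. errors lists
    (line_number, message) for every line that does not compile.
    """
    rules, errors = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            re.compile(line)
        except re.error as exc:
            errors.append((number, str(exc)))
            continue
        rules.append(Rule(TRUSTED, line))
    return rules, errors


def classify(rules, url):
    """First active rule that matches wins; the list is read top down.

    Returns (kind, index), or (None, None) when no rule matches.
    """
    for index, rule in enumerate(rules):
        if rule.kind == DISABLED:
            continue  # disabled rows, including comments, are skipped
        if re.search(rule.pattern, url):  # ASSUMPTION: unanchored search
            return rule.kind, index
    return None, None


def misordered(rules, urls):
    """Find URLs a trusted rule claims before a lower untrusted rule can.

    Each finding is (url, trusted_index, untrusted_index): the URL opens
    unprotected although an untrusted (protected) rule further down matches.
    """
    findings = []
    for url in urls:
        kind, winner = classify(rules, url)
        if kind != TRUSTED:
            continue
        for index in range(winner + 1, len(rules)):
            rule = rules[index]
            if rule.kind == UNTRUSTED and re.search(rule.pattern, url):
                findings.append((url, winner, index))
                break
    return findings


# Constructed sample data (not taken from the product's default list).
PUBLIC_SITE = r"^https?://www\.example\.com(/|$)"
WHOLE_DOMAIN = r"^https?://([^/]+\.)?example\.com(/|$)"

BAD_ORDER = [
    Rule(DISABLED, "example.com: intranet trusted, public site protected"),
    Rule(TRUSTED, WHOLE_DOMAIN),
    Rule(UNTRUSTED, PUBLIC_SITE),
]
GOOD_ORDER = [BAD_ORDER[0], BAD_ORDER[2], BAD_ORDER[1]]

SAMPLE_URLS = [
    "https://www.example.com/news",
    "https://intranet.example.com/wiki",
    "https://www.example.org/",
]

# Constructed paste; the last line has an unbalanced group on purpose.
BULK_PASTE = """\
# partner portals
^https?://portal\\.example\\.net(/|$)
^https?://([^/]+\\.)?example\\.com(/|$
"""

if __name__ == "__main__":
    for name, rules in (("bad order", BAD_ORDER), ("good order", GOOD_ORDER)):
        print(name, misordered(rules, SAMPLE_URLS))
    print(parse_bulk(BULK_PASTE))
```

Run it against a list of URLs that must stay in the protected browser; any finding means a trusted entry sits above the untrusted entry meant to override it.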
Customize App Settings
The Customize App Settings section of the Group Details View allows the default custom_apps.xml that is included with
the installation kit to be displayed as individual apps so that those individual apps can be enabled or disabled and/or
modified from their default values. Additionally, it also allows for additional custom apps snippets to be added.
Each custom app is listed based on the name supplied within the <app> tag of the snippet. From this list, an app can be
enabled or disabled by checking or unchecking the checkbox next to the app name. The default custom_apps cannot be
deleted.
To view or modify one of the default custom_apps, click on the “edit” link to display the XML snippet.
The XML editor allows for the XML snippet to be modified as necessary. Once finished, press the “Apply” button. For
custom_apps included with the installation kit, press the “Use Default” button to return the snippet to its default
setting. This should also be used when a new version of the client software is added to the system, to ensure the latest
version of the snippet is being used. Once the “Use Default” button has been pressed and the new version is displayed,
any customizations can be re-entered.
To add a custom_app, click on the “Add Custom App” link below the list of custom_apps.
When the New Custom App dialog is displayed, paste the XML snippet into the dialog box, making sure to include the
<app> tag at the beginning and the </app> tag at the end. Press the “Create” button to finish adding the snippet.
Additionally, multiple custom app snippets can be added at one time by copying them all into the New Custom App
dialog box. Individual app snippets will be created after the “Create” button is pressed.
Once the new snippet has been added, it will display in the list of available apps. From the list, it can also be enabled or
disabled and edited, same as the default apps. Additionally, custom snippets can be deleted from the system.
When a previous default custom app is removed or added to the apps.xml, the custom app will appear empty with a
note reading “Note: this custom app was previously a default but has been removed in the latest package.”
Authentications
The Authentications section of the Group Details View allows for the configuration of Single Sign-On (SSO) with DPW.
SSO is a session/user authentication process that permits a user to enter one name and password in order to access
multiple applications. SSO in DPW works by passing the session cookies from the host browser to the guest browser so
that DPW can continue the seamless browsing experience for users, eliminating the need to sign-in multiple times.
After clicking the “Add Sign-On” button the user is presented with the “Add New Sign-On” window.
Site Name – This field is used as a label for the SSO configuration. Enter any value here.
Domain – Copy and paste the domain from the cookie Domain field without the leading “.”.
Relevant Browser – This value is a dropdown menu with the options “*”, “Firefox”, “Google Chrome”, and “Internet
Explorer”. Use “*” as wildcard. Note that Internet Explorer is the only browser that supports SSO with DPW.
Cookie Names – Copy and paste the name from the cookie Name field. Click Add Cookie Name to add another Cookie
Name field.
Content – Leave as “*” to accept any Content value.
Security – This field accepts “Secure” or “*” for any value other than “Secure”. Use “Secure” if the Send for: field from
the cookie reads “Secure connections only”.
Path – Copy and paste the value from the cookie Path field. The value will usually be “/”.
Below is an example of the cookie information to pull the values:
Please find more details and instructions for SSO configuration in the Dell Protected Workspace – SSO Config Guide
available at http://www.dellprotectedworkspace.com/support.
Copy Configuration File(s)
The final option on the Group Details page is the Copy Config… button. This button is used to copy a set of configuration
files between groups.
To copy one or more configuration files to one or more groups, start by browsing to the source group to be copied from,
and press the Copy Config… button.
The Copy Group Configuration dialog allows an admin to select which configuration files/settings to copy, and to select
which group(s) to copy to. Once the appropriate selections are made, press the “Copy” button to apply these settings.
A confirmation dialog will display, outlining the changes that are about to be made. Press the “Overwrite” button to
commit the changes. Once copied, the changes immediately go into effect on the destination groups.
Hosts Tab
The Hosts Tab displays a list of all hosts currently being managed by the Config module. This tab can be used to display
all hosts and details. The display can also be filtered on several different criteria to display a subset of the hosts.
The table displays the Hostname, IP address, last reported status, product version currently installed, currently assigned
package, current group, and the last time a heartbeat was received for each host displayed. Clicking on the column
heading for any of these options will sort the table by the selected column. By default, the table displays the first 20
results, sorted by most recent heartbeat. The number of results can be changed by selecting a different host count in
the “Hosts Per Page” drop-down.
The table can also be filtered based on the drop-down menus above the table.
The Group filter is used to display hosts from a specific group. The drop-down will contain a list of all the groups
currently on the system. Selecting one of the options from the drop-down selects that filter. Multiple groups can be
selected at once.
Once a filter has been selected, it will display below the drop-down. To remove a filter, click on the “x” next to the filter
name.
The packages drop-down allows the table to be filtered by the assigned package version. The drop-down will include all
software versions that have been added to the package tab. When a version is selected, only hosts that are currently
assigned to that package version will display. The assigned package is not the currently installed version.
The final filter available is the Host Status filter. This option will display all hosts with the selected filter based on the
following options:
Activity Options:
• Active – a host is active when during a heartbeat to the server a protected application was running. A host
  needs to have reported in an active state within the last 7 days.
• Inactive – a host is inactive when all heartbeats in the last 7 days occurred while no protected applications were
  running.
• Never Active – a host is never active if it has never reported an active state since it first was added to the system
  as a host.
Install Status Options:
All of the following actions are reported in the heartbeats received from the client:
• Installed – a software install has finished successfully
• Installing – a software install has started, but not yet finished
• Install Failed – a software install finished, but not successfully
• Upgrading – a software upgrade has started, but not yet finished
• Upgrade Failed – a software upgrade finished, but not successfully
• Uninstalling – a software uninstall has started, but not yet finished
• Uninstall Failed – a software uninstall has finished, but not successfully
• Uninstalled – a software uninstall has finished successfully
• Fetch Config – the latest available configuration from the assigned group was requested
The last filter option is the search box. The search box allows an admin to create a custom filter based on hostname, IP
address or user name.
For all filtered displays, up to ten results are displayed in the table. If more than ten hosts meet the filtered criteria,
multiple table pages will be displayed and can be traversed from the navigation bar.
The left and right navigation buttons can be used to move one page at a time between the different available pages.
The “Page X of X” indicates the current page number that is being displayed and the total number of pages that exist for
the filter. To jump to a specific page, enter the page number into the Page box and press enter.
The center title of the table will indicate the total number of hosts that meet the current criteria and number of hosts
that are currently displayed. For page 1, hosts 1-10 are displayed, for page 2, 11-20, etc.
At the bottom of the Hosts tab are additional actions that can be performed based on the filtered display of hosts in the
table.
The Select All and Select None buttons are used to select all of the currently displayed hosts or to clear the currently
selected hosts. These buttons only apply to the currently displayed page, and not all hosts within the current filter if
there are multiple pages.
The Change Group… button is used to reassign selected hosts (or filtered hosts) to a new group. Once the hosts or filter
are selected, press the Change Group… button to assign a new group.
When the Change Group dialog box is displayed, select the new group that the hosts are to be moved to. Next, select
whether the change will apply only to the hosts that are currently selected (up to ten hosts on the current page) or to all
hosts that are in the current filter. When finished, press the “Change” button. To cancel the action, press the “Close”
button.
The Change Package… button is used to manually assign a new package to a host, rather than letting it receive a new
package from the group it is currently assigned to. This is useful when testing a new version of the client software to
ensure that it successfully works with all settings in a specified group. Once the hosts or filter are selected, press the
Change Package… button to assign a new package.
When the Change Package dialog box is displayed, select the new package to assign to the selected hosts. Next select
whether the change will apply only to the hosts that are currently selected (up to ten hosts on the current page) or to all
hosts that are in the current filter. When finished, press the “Change” button. To cancel the action, press the “Close”
button.
Once a package has been assigned to a host, it will no longer receive package updates from the group it is assigned to. It
will still receive configuration updates based on the group it is currently assigned to, unless that group is not sending
configuration updates to any clients. To enable a host to receive package updates based on the group level settings, set
the host back to the (None) assignment.
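The precedence between a host-level package and the group package, combined with the rule from the Set Installation Method section that a client is never downgraded, can be audited from a Hosts tab export to find hosts that a leftover test assignment is holding below their group's version. This is an added example, not DPWMs code: the CSV column names, a Package column holding a bare version string, and all function names are assumptions.

```python
import csv
import io

NO_PACKAGE = "(None)"  # value the Package column shows when nothing is assigned
_UNSET = (None, "", NO_PACKAGE)


def parse_version(text):
    """'v5.0.2' or '5.0.2' -> (5, 0, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def plan_host(installed, host_package, group_package):
    """Apply the package precedence to one host.

    host_package and group_package are version strings, NO_PACKAGE or None.
    Returns the package source, the target version, whether an upgrade will
    run, and whether a host-level assignment keeps the host below the
    version its group would otherwise deliver.
    """
    pinned = host_package not in _UNSET
    target = host_package if pinned else group_package
    if target in _UNSET:
        return {"source": "none", "target": None,
                "upgrade": False, "held_back": False}
    # Clients are upgraded to the target version but never downgraded.
    upgrade = parse_version(target) > parse_version(installed)
    held_back = (
        pinned
        and group_package not in _UNSET
        and parse_version(group_package) > parse_version(host_package)
    )
    return {"source": "host" if pinned else "group", "target": target,
            "upgrade": upgrade, "held_back": held_back}


def audit(export_csv, group_packages):
    """Return {hostname: plan} for every row of a Hosts tab CSV export."""
    report = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        report[row["Hostname"]] = plan_host(
            row["Version"], row["Package"], group_packages.get(row["Group"]))
    return report


def held_back_hosts(report):
    """Hostnames whose direct package assignment lags the group package."""
    return sorted(name for name, plan in report.items() if plan["held_back"])


# Constructed sample export and group assignments (column names assumed).
SAMPLE_EXPORT = """\
Hostname,Version,Package,Group
pc-01,5.0.0,(None),Production
pc-02,5.0.3,(None),Production
pc-03,5.0.0,5.0.1,Production
pc-04,5.0.3,5.0.3,Pilot
"""
GROUP_PACKAGES = {"Production": "5.0.2", "Pilot": "5.0.3"}

if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT, GROUP_PACKAGES)
    for host, plan in report.items():
        print(host, plan)
    print("held back by a host-level package:", held_back_hosts(report))
```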
The Delete... button is used to remove the currently selected or filtered hosts from the system. This not only removes
the host, but all history for the host. However, this does not remove the client software from the host system. If a host
is deleted from the DPWMs, but the client software is still running, the host will be recreated within the DPWMs on the
next heartbeat that it performs. To delete hosts from the system, select them from the table, or filter the table to
display all hosts that should be deleted, then press the “Delete…” button.
When the Delete Hosts dialog box is displayed, select whether the delete action will apply only to the hosts that are
currently selected (up to ten hosts on the current page) or to all hosts that are in the current filter. When finished, press
the “Delete” button. To cancel the action, press the “Close” button.
The final option available is the Export… button. This option is used to export the current filter to an HTML or CSV report.
The exported report will include the same information that is displayed in the hosts table based on the currently
selected filter.
Packages Tab
Packages are Dell Protected Workspace Install Kits combined with apps.xml overrides and/or server mirrors for the
product installer files. The files that are within the package are merged with settings defined on the group level (as an
overlay of the default settings) and served to hosts. A package must exist on the DPWMs for a host to receive group
configuration updates.
If a package does not exist on the DPWMs, the group preferences will look like this:
For example, if a host has version X installed, the Install Kit for version X must be uploaded to the server for the host to
receive configuration updates. Hosts that are running client version software that is not uploaded to the DPWMs will
still display the correct group and revision number in the About window, however the configuration files will not be sent
to the client. Software version updates will be applied if they are greater than the installed client version.
The package tab provides a list of all currently uploaded packages, plus the ability to add additional packages and modify
global settings.
Adding a Package to the DPWMs
To add a new package to the DPWMs, press the Add Package button.
When the Upload Package dialog box is displayed, press the “Choose File” button and select the installation kit to
upload.
Once the file has been selected, press the “Upload” button.
The dialog box will display “Uploading…” in the bottom left corner during the upload process, and will close when the
process is complete. The uploaded installation kit will now be listed in the Packages list.
Viewing package details
To view the details of a package, click on the package name in the packages list.
The package details view provides several different options. Below the display name, the product version, date of
upload and the last modified date are displayed.
To the right of this information are two buttons. The Download the original kit button allows the user to download a
copy of the kit that was uploaded, in its original form. The Delete this package… button removes a package from the
system.
The Files section contains the original configuration files for the installation kit, along with the product installer. Each of
the icons can be clicked on to download a copy of the original file included with the installation kit.
Clicking on the client installer icon is a recommended way to verify that an upload was completely successful, as the
provided link is the one the client software will use to download the software from the DPWMs. If, after clicking on the
installer icon, an error is displayed, rather than beginning a download of the installer, delete the package and attempt to
upload it again.
The Override Apps.xml section is used to upload (or replace) a new apps.xml configuration file to extend or modify the
default configuration file included with this version of the product being viewed. This is often used to add support for
new browser versions that are not supported in the default configuration. Apps.xml override files are available on the
DPW Support landing page (http://www.dellprotectedworkspace.com/support), when needed.
If no override exists for the selected package, press the Upload button to select a new override file. If a previous
override is in place, press the Replace button to upload a new version or the Delete button to remove the override.
The last section is the Installer Mirror section. This section allows for the product installer to be downloaded by the
clients from an alternate location, such as an internal NAS or public CDN. The address provided must be an HTTP or
HTTPS address, and must include the full path to the installer, not the full installation kit. The installer can be
downloaded from the installer icon on this page, and uploaded to an external source.
NOTE: It is HIGHLY recommended that an Installer Mirror be used for any deployment over 500 clients.
To add a mirror link, press the “Set mirror…” button and paste the URL to the alternate source. Once set, the URL will
display on the page. The URL can be modified by pressing the “Change…” button or removed by pressing the “Delete…”
button.
Entering the Client Software Activation Key
The DPWMs is now able to provide a global activation key that will be used for all clients that connect to the DPWMs
system. In order to enable this feature, the client activation key needs to be entered into the Global Settings. To access
the Global Settings, click the Global Settings button at the bottom of the Packages tab.
To apply the client activation key, enter it into the “Use the following client activation key” text box on the Global
Package Settings dialog. Press the “Save” button to save the setting.
Additional Global Package Settings
The Global Package Settings dialog box provides three other global setting options, which affect the entire DPWMs. The
first option is used to override the config_server and report preference URLs for all groups. By default, any new group
will be automatically populated with the FQDN of the DPWMS system. However, this may not be the desired address for
clients to use. By overriding the default setting here, the provided URL will be used instead of the FQDN of the DPWMs.
This may be useful if using a “vanity” URL for client connections, such as https://dpw.mycompany.local, rather than the
FQDN of the system or if a load balancer is being used in front of the DPWMs API servers. It is also important to check
the “Accept untrusted and self-signed certificates” check box if using an SSL cert that is not publicly signed (by a public
CA).
Note: The config_server and report lines can still be modified for an individual group. This setting only modifies the
default value that will be provided for new groups.
The next option on the Global Package Settings dialog is a check box to enable sending threat reports to the Invincea
public servers, as well as the specified local server. Some customers are required to have this option enabled per their
license agreements.
The final option in the Global Package Settings dialog is the “Limit number of concurrent downloads” option. This
option is used to control the number of client machines that will be able to download a new update package from the
DPWMS at one time. This option can be modified based on the load placed on the server for a specific environment. It
is recommended that this option be left enabled for most deployments.
Audit Tab
The Audit Tab is used to display client audit events (such as using the Unprotect Current Page option) that were sent to
the server. The table will show all audit events, with the most recently received displayed at the top by default. In order
for the DPWMs to receive audit events, the client software has to be configured to point to this DPWMs.
For the audit events table, up to ten results are displayed on a single page. If more than ten events are in the audit
table, multiple table pages will be displayed and can be traversed from the navigation bar.
The left and right navigation buttons can be used to move one page at a time between the different available pages.
The “Page X of X” indicates the current page number that is being displayed and the total number of pages that exist for
the filter. To jump to a specific page, enter the page number into the Page box and press enter.
The center title of the table will indicate the total number of audit events that meet the current criteria and which audit
events are currently displayed. For page 1, events 1-10 are displayed, for page 2, 11-20, etc.
Similar to the Hosts table, the Audits table can also be filtered and searched. The Group drop-down allows the events to
be filtered to display only the audit events for a specific group. The group information for a reported event is based on
the host that submitted the event. The group will be the group that host was assigned to at the time of the event, not
necessarily its current group. Multiple groups can be displayed at the same time when selected from the drop-down.
To remove a group from the filter, press the “x” next to the group name.
The Audit event table contains the following information:
Date – the date and time the audit event was reported to the server
Event – details about the type of event recorded, plus any additional information about the event, including user comments if available
User – username of the user that reported the event
Hostname – hostname of the host that the event was reported from
Group – the group that the host was part of when the event was reported
These column headings can be used to sort the table based on the selected column header. By default, the Date column
is selected to display the most recent event at the top of the table.
The search box can also be used to search the audit table for specific information.
Finally, the currently displayed table, based on selected filter, can be exported to an HTML or CSV report by pressing the
Export… button at the bottom of the table.
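Once exported, the CSV report can be triaged outside the console. The following is an added example, not part of the product or of this guide's original text: it counts “Unprotect Current Page” events per user and host and flags repeat use. The header names mirror the Audit table columns above; the CSV layout, date format, event wording, threshold and the function name summarize_unprotect are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Header names follow the Audit table columns in
# this guide; the CSV layout, date format and event wording are assumptions.
SAMPLE_EXPORT = """Date,Event,User,Hostname,Group
2014-03-04 09:12:01,"Unprotect Current Page - comment: upload form, broken",jdoe,WS-0101,Finance
2014-03-04 09:40:17,Unprotect Current Page,JDoe,ws-0101,Finance
2014-03-05 14:02:55,Unprotect Current Page,jdoe,WS-0101,Finance-Pilot
2014-03-05 15:30:00,Unprotect Current Page,asmith,WS-0202,Sales
2014-03-05 16:00:00,Other event (constructed),asmith,WS-0202,Sales
"""

REQUIRED = {"Event", "User", "Hostname", "Group"}


def summarize_unprotect(csv_text, keyword="unprotect", threshold=3):
    """Count events whose Event text contains `keyword`, per (user, host)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = REQUIRED - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing columns: {sorted(missing)}")

    stats = defaultdict(lambda: {"count": 0, "groups": set()})
    for row in reader:
        if keyword not in (row["Event"] or "").lower():
            continue
        # Normalise case so "JDoe"/"jdoe" and "ws-0101"/"WS-0101" aggregate.
        key = ((row["User"] or "").strip().lower(),
               (row["Hostname"] or "").strip().upper())
        stats[key]["count"] += 1
        # Group is the host's group when the event was reported, so one host
        # can legitimately appear under several groups.
        stats[key]["groups"].add((row["Group"] or "").strip())

    summary = [
        {"user": user, "hostname": host, "count": s["count"],
         "groups": sorted(s["groups"]), "flagged": s["count"] >= threshold}
        for (user, host), s in stats.items()
    ]
    return sorted(summary, key=lambda r: (-r["count"], r["user"], r["hostname"]))


if __name__ == "__main__":
    for entry in summarize_unprotect(SAMPLE_EXPORT):
        print(entry)
```

Adjust the header names and keyword to match a real export before relying on the counts.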
Contacting Dell Support
For assistance with the Dell Protected Workspace Management System, please contact Dell Support at:
http://support.dell.com
DPWMs updates, DPW apps.xml updates and Installation Kit downloads can all be found at:
http://www.dellprotectedworkspace.com/support