
Installation Guide

McAfee Data Loss Prevention 9.2 Software


For Use with ePolicy Orchestrator 4.6.0 Software

COPYRIGHT

Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION License Agreement


NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface  5
  About this guide  5
    Audience  5
    Conventions  5
  Finding product documentation  6

About McAfee Data Loss Prevention Endpoint software
  Recommended installation  8
  Choosing a McAfee DLP configuration  9
  Backward-compatible installation  11

Install McAfee DLP Endpoint software  13
  Verify system requirements  13
  Configure the server  15
  Install McAfee ePolicy Orchestrator  15
  Installing McAfee DLP WCF service  16
    Install the McAfee DLP WCF service  18
  Before you install the extension  20
    Creating and configuring repository folders  21
  Install the McAfee Data Loss Prevention Endpoint extension  23
  Working in a cluster environment  24
    Prepare the cluster  24
    Test the cluster  24

Post-installation tasks  25
  Initialize the DLP Policy console  25
  Upgrade the license  27
  Initialize the McAfee DLP Monitor  28
  Check in the McAfee DLP Endpoint package to ePolicy Orchestrator  29
  Deploying McAfee DLP Endpoint  30
    Define a default rule  30
    Deploy McAfee DLP Endpoint with ePolicy Orchestrator  31
    Verify the installation  32
  Uninstalling McAfee DLP Endpoint  32

Deploying McAfee Data Loss Prevention Endpoint software with SMS  33
  Create an installation package  33
  Create the advertisement  34
  Create the SMS uninstall package  34
  Create an SMS uninstall package to run from a command line  35

Users and permission sets  37
  Create and define McAfee DLP administrators  37
  Create and define permission sets  38
  DLP permission set options  38

Installing a version upgrade  41
  Upgrading issues  41
  Phased upgrade  44
  Upgrade McAfee DLP Endpoint software  45
  Restore the policy after upgrade  45

Index  47


Preface

Detailed information for installation, verification, and configuration of McAfee DLP Endpoint software.

This guide provides the information needed to install McAfee Data Loss Prevention Endpoint software, with detailed steps and verification of the installation process. It shows how to configure the recommended architecture; when the steps are complete, you will have a fully functional, properly configured McAfee DLP Endpoint implementation. McAfee DLP Endpoint software is flexible enough to support a variety of implementation architectures. Many configuration possibilities exist, and the recommended architecture represents only one path.

Contents
  About this guide
  Finding product documentation

About this guide


This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:

  Administrators: People who implement and enforce the company's security program.
  Security officers: People who determine which data is sensitive and confidential, and define the corporate policy that protects the company's intellectual property.

Conventions
This guide uses the following typographical conventions and icons.

  Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.
  Bold: Text that is strongly emphasized.
  User input or Path: Commands and other text that the user types; the path of a folder or program.
  Code: A code sample.
  User interface: Words in the user interface including options, menus, buttons, and dialog boxes.
  Hypertext blue: A live link to a topic or to a website.

  Note: Additional information, like an alternate method of accessing an option.
  Tip: Suggestions and recommendations.
  Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
  Warning: Critical advice to prevent bodily harm when using a hardware product.

Finding product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:
  User documentation: Click Product Documentation, select a product, select a version, then select a product document.
  KnowledgeBase: Click Search the KnowledgeBase for answers to your product questions, or click Browse the KnowledgeBase for articles listed by product and version.


About McAfee Data Loss Prevention Endpoint software

McAfee Data Loss Prevention Endpoint (McAfee DLP Endpoint) software protects enterprises from the risk associated with unauthorized transfer of data from within or outside the organization. It is a content-based endpoint solution that inspects enterprise users' actions concerning sensitive content in their own work environment, their computers. It uses advanced discovery technology as well as predefined dictionaries to identify this content, and incorporates device management and encryption for additional layers of control.

McAfee DLP Endpoint software prevents transmission of sensitive data from desktops and laptops, whether or not they are connected to the enterprise network. It protects against data loss regardless of the format in which data is stored or manipulated.

McAfee Device Control software incorporates the device management functionality of McAfee DLP Endpoint software in a simpler package that is sold separately. It prevents unauthorized use of removable media devices, the most widespread and costly source of data loss in many companies today.

McAfee DLP Endpoint software is administered from the McAfee ePolicy Orchestrator (McAfee ePO) management console.

Contents
  Recommended installation
  Choosing a McAfee DLP configuration
  Backward-compatible installation


Recommended installation
The recommended installation for McAfee Data Loss Prevention Endpoint software version 9.x is on a single server together with McAfee ePO and the McAfee ePO database. The McAfee DLP WCF service can be installed on a separate server from the McAfee ePO database.

Figure 1-1 McAfee DLP Endpoint components and relationships

The recommended architecture includes:

  McAfee ePO server: Hosts the embedded interfaces (McAfee DLP Monitor and McAfee DLP Endpoint policy console) and communicates with the McAfee Agents.
  McAfee ePO Reports: A list of McAfee DLP Endpoint events within the ePolicy Orchestrator reporting service.
  McAfee DLP WCF (Windows Communication Foundation) service: Communicates between ePolicy Orchestrator and the McAfee DLP Endpoint policy console to distribute policies, and with the McAfee DLP Monitor.
  McAfee ePO Event Parser: Communicates with the McAfee Agent and stores event information in a database.
  DLP Event Parser: Collects McAfee DLP Endpoint events from the ePolicy Orchestrator Event Parser and stores them in tables in the SQL database.
  ePO database: Communicates with the ePolicy Orchestrator Policy Distributor to distribute policies, and with the McAfee DLP Event Parser to collect events and evidence.
  Administrator workstation: Accesses ePolicy Orchestrator, McAfee DLP Monitor, and the McAfee DLP Endpoint policy console in a browser through the McAfee DLP WCF service.
  Managed workstation: Applies the security policies using the following software:
    McAfee DLP Endpoint: A McAfee Agent plug-in that provides the DLP processes.
    McAfee Agent: Provides the communication channel between the McAfee ePO server and McAfee DLP Endpoint.

Choosing a McAfee DLP configuration


Classifying corporate information into different data loss prevention categories is a key step in deploying and administering McAfee Data Loss Prevention Endpoint software. While guidelines and best practices exist, the ideal schema depends on your enterprise goals and needs, and is unique for each installation. Choosing between the two DLP configurations, McAfee Device Control and full McAfee Data Loss Prevention Endpoint, is the first step in determining how those needs will be met.

Because it might be difficult to determine in advance exactly what your unique needs are, we recommend initial deployment to a sample group of 15 to 20 users for a trial period of about a month. During this trial, no data is classified, and a policy is created to monitor, not block, transactions. The monitoring data helps the security officers make good decisions about where and how to classify corporate data. The policies created from this information should be tested on a larger test group (or, in the case of very large companies, on a series of successively larger groups) before being deployed to the entire enterprise.

McAfee Device Control vs McAfee DLP Endpoint


McAfee Device Control software prevents unauthorized use of removable media devices. Full McAfee DLP Endpoint software gives you a complete set of tools to inspect enterprise users' actions concerning sensitive content anywhere on their computers. The default installation is McAfee Device Control software; upgrading to full McAfee DLP Endpoint is done by changing the licensing. Many organizations begin with device control, because removable media represent the most widespread and costly source of data loss, and upgrade as their needs become better defined. Table 1-1 compares the features of the two versions. Full McAfee DLP Endpoint software includes every feature listed; the McAfee Device Control column indicates which of them, and with what limits, the device control package provides.

Table 1-1 Feature comparison of software versions

Feature (by group)                 McAfee Device Control software        McAfee DLP Endpoint software
Applications
  Enterprise Applications List     Yes                                   Yes
Database Administration
  Database Administration          Yes                                   Yes
  Database Statistics              Yes                                   Yes
Content Based Definitions
  Dictionaries
  Registered Documents Repositories
  Text Patterns
Definitions
  Application Definitions
  Document Properties
  Email Destinations
  File Extension Definitions
  File Server Definitions
  Network Definitions
  Printer Definitions
  Tags and Categories              Content categories and groups only    Content categories, tags, and groups
  Web Destinations
  Whitelist Repository
Device Management
  Device Classes
  Device Definitions
  Device Rules
  Whitelisted Applications
Policy Assignment
  User Assignment Groups
  Privileged Users
RM and Encryption
  RM Servers
  RM Policies
  Encryption Keys
Rules
  Classification Rules
  Discovery Rules
  Protection Rules                 Removable Storage Protection only     Yes: Application File Access Protection, Clipboard Protection, Email Destinations Protection, File System Protection, Network Communication Protection, PDF/Imagewriter Protection, Printing Protection, Removable Storage Protection, Screen Capture Protection, Web Post Protection
  Tagging Rules                    No                                    Yes

Backward-compatible installation
To allow an orderly upgrade in large enterprises that have deployed previous versions of McAfee DLP Endpoint in their production environment, an option exists to deploy backward-compatible policies to computers still running the older agents. Host DLP Agent 3.0 Patch 1 is the earliest version supported by this feature. Enterprises running earlier versions must upgrade to Host DLP Agent 3.0 Patch 1 or later before upgrading to McAfee DLP Endpoint 9.2. DLP Agent 2.2 Patch 4 is no longer supported.

McAfee DLP Endpoint version 9.2 uses a standardized XML policy format, introduced in version 9.0. This format is more intuitive, and facilitates integration with other ePolicy Orchestrator applications. As a result, the backward compatibility option that allows communication with both old and new agents has five levels:

  No compatibility (all endpoints are version 9.2)
  McAfee DLP Endpoint Agent 9.1 and later
  McAfee DLP Endpoint Agent 9.0 and later
  McAfee DLP Endpoint Agent 3.0 and later
  McAfee DLP Endpoint Agent 3.0.5 or current version

Note: The compatibility option "DLP Agent 3.0.5 or current version" refers to a specific hotfix. Unless you specifically know that you are using this hotfix, choose DLP Agent 3.0 compatibility for all version 3.x agents.

The agent compatibility option is selected during McAfee DLP Endpoint policy console initialization.


Install McAfee DLP Endpoint software

Prepare your environment and install McAfee DLP Endpoint software in ePolicy Orchestrator.

Contents
  Verify system requirements
  Configure the server
  Install McAfee ePolicy Orchestrator
  Installing McAfee DLP WCF service
  Before you install the extension
  Install the McAfee Data Loss Prevention Endpoint extension
  Working in a cluster environment

Verify system requirements


The following hardware is recommended for running McAfee DLP Endpoint software version 9.2.

Table 2-1 Hardware requirements

Servers
  CPU: Intel Pentium IV 2.8 GHz or higher
  RAM: 512 MB minimum for McAfee Device Control software only (1 GB recommended); 1 GB minimum for full McAfee DLP Endpoint software (2 GB recommended)
  Hard disk: 80 GB minimum
Managed workstations
  CPU: Pentium III 1 GHz or higher
  RAM: 256 MB minimum for McAfee Device Control software (1 GB recommended); 512 MB minimum for full McAfee DLP Endpoint software (1 GB recommended)
  Hard disk: 200 MB minimum free disk space
Network
  100 Mbit LAN serving all workstations and the McAfee ePO server
  Endpoint computers must be able to access TCP port 8731 on the server running the WCF service.
  Administrators running the Event Monitor must be able to access TCP port 8731 on the server running the WCF service.


The following operating system software is supported:

Table 2-2 Operating systems supported

Servers
  Windows 2003 Server Standard (SE) SP1 or later, 32- or 64-bit
  Windows 2003 Enterprise (EE) SP1 or later, 32- or 64-bit
  Windows 2008 Server Enterprise, 32- or 64-bit
Managed workstations
  Windows XP Professional SP1 or later, 32-bit
  Windows Vista SP1 or later, 32-bit only
  Windows 7, 32- or 64-bit
  Windows 2003 Server, 32- or 64-bit
  Windows 2008 Server, 32-bit
  Windows 2008 Server R2, 64-bit

Note: Server operating systems are supported as managed workstations for McAfee Device Control software only.

The user installing McAfee DLP Endpoint software on the servers must be a member of the local Administrators group. The following software is required on the server running the McAfee DLP Endpoint policy console and McAfee DLP Monitor:

Table 2-3 Server software requirements

McAfee ePolicy Orchestrator: 4.0 Patch 7 or later; 4.5 Patch 4 or later; 4.6
McAfee Agent: 4.0 Patch 3 or later; 4.5 Patch 3 or later; 4.6
McAfee ePO Help System: Download the McAfee DLP Endpoint 9.2 Help extension.
  Note: There is no Help for McAfee DLP Endpoint version 9.2 in McAfee ePolicy Orchestrator 4.0, because the Help System for McAfee ePO 4.0 is end of life (EOL) and cannot be updated.
Microsoft .NET Framework: 3.5 or 3.5 SP1
  Note: Agent handlers on remote servers no longer require the .NET Framework.
Microsoft SQL Server: 2005 or 2008; Advanced Express or Enterprise; 32- or 64-bit

The McAfee DLP Endpoint software version 9.2 package includes the following:
  McAfee Data Loss Prevention Endpoint (McAfee Agent plug-in)
  McAfee DLP Windows Communication Foundation (DLP WCF) service
  McAfee DLP Endpoint extension (contains the components installed through ePolicy Orchestrator)
  McAfee DLP Help Desk Tool


Configure the server


Basic configuration of the McAfee DLP Endpoint server includes setting the security configuration and verifying the .NET installation. Verify that the server meets the minimum system requirements.

Task
1 Install Microsoft Windows Server 2003 SP1 or Windows Server 2008. See the system requirements for supported Windows systems.
2 Install Windows Installer 3.0 (Windows 2003) or 4.5 (Windows 2008) and restart the system.
3 Install all Microsoft Windows service packs. Run Windows Update and install all updates.
4 Disable the Microsoft Internet Explorer Enhanced Security Configuration Windows component. In Windows 2003, open the Windows Control Panel, then select Add/Remove Windows Components. In Windows 2008, open Server Manager, then select Configure IE ESC in the Security Information section.
  Important: This Microsoft component can hinder proper installation of McAfee DLP Endpoint components. Disable it before installation, then re-enable it after installation if it is required.
5 Verify that Microsoft .NET Framework 3.5 SP1 is installed.
6 Set the server to a static IP address.
  Tip: We recommend using a subnet separate from your company's production network for initial testing. If you are setting up a production environment, set the server's static IP address within that range.
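The following PowerShell script checks steps 2, 4, 5 and 6 of the task above on the server before you start installing. It is an added example, not a McAfee tool or part of the original guide. It reads the registry locations Microsoft documents for .NET 3.5 and IE Enhanced Security Configuration, and uses WMI for the operating system and adapter settings; it has no other dependencies and runs on PowerShell 2.0 in an elevated prompt.

```powershell
# Preflight check for the "Configure the server" task. Added example, not McAfee's own tooling.
# Run in an elevated PowerShell (2.0 or later) on the server that will host McAfee ePO and DLP.

function Get-DotNet35Status {
    # .NET 3.5 records Install=1 and SP=1 (for SP1) under this key on 32- and 64-bit Windows.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
    if (-not (Test-Path $key)) { return @{ Installed = $false; ServicePack = 0; Version = '' } }
    $p = Get-ItemProperty -Path $key
    return @{ Installed = ($p.Install -eq 1); ServicePack = [int]$p.SP; Version = [string]$p.Version }
}

function Get-IeEscStatus {
    # IsInstalled=1 under these Active Setup components means IE ESC is ON for that user class.
    # The guide wants it OFF (both classes) while the McAfee components are installed.
    $base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $components = @{
        'Administrators' = Join-Path $base '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
        'Users'          = Join-Path $base '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
    }
    $on = @{}
    foreach ($class in $components.Keys) {
        $path = $components[$class]
        $on[$class] = (Test-Path $path) -and ((Get-ItemProperty -Path $path).IsInstalled -eq 1)
    }
    return $on
}

function Get-DhcpEnabledAdapters {
    # Step 6 requires a static address: any IP-enabled adapter still on DHCP fails the check.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.DHCPEnabled } |
        ForEach-Object { $_.Description }
}

function Get-WindowsInstallerVersion {
    # msiexec.exe carries the Windows Installer engine version (3.x on 2003, 4.5 on 2008 with KB942288).
    (Get-Item (Join-Path $env:windir 'System32\msiexec.exe')).VersionInfo.ProductVersion
}

# --- Run the checks and report -------------------------------------------------------------
$os         = Get-WmiObject Win32_OperatingSystem
$net        = Get-DotNet35Status
$esc        = Get-IeEscStatus
$dhcp       = @(Get-DhcpEnabledAdapters)
$msiVersion = [version](Get-WindowsInstallerVersion)

$checks = @(
    @{ Name = 'Operating system';         Pass = $true;                                          Detail = $os.Caption },
    @{ Name = 'Windows Installer >= 3.0'; Pass = ($msiVersion.Major -ge 3);                      Detail = $msiVersion },
    @{ Name = '.NET Framework 3.5 SP1';   Pass = ($net.Installed -and $net.ServicePack -ge 1);   Detail = $net.Version },
    @{ Name = 'IE ESC off (Admins)';      Pass = (-not $esc['Administrators']);                  Detail = "IsInstalled=$([int]$esc['Administrators'])" },
    @{ Name = 'IE ESC off (Users)';       Pass = (-not $esc['Users']);                           Detail = "IsInstalled=$([int]$esc['Users'])" },
    @{ Name = 'Static IP address';        Pass = ($dhcp.Count -eq 0);                            Detail = ($dhcp -join '; ') }
)

$failed = 0
foreach ($c in $checks) {
    $status = if ($c.Pass) { 'PASS' } else { 'FAIL' }
    if (-not $c.Pass) { $failed++ }
    '{0,-4} {1,-26} {2}' -f $status, $c.Name, $c.Detail
}
if ($failed -gt 0) {
    Write-Warning "$failed prerequisite check(s) failed; fix them before installing ePolicy Orchestrator."
}
exit $failed
```

The exit code is the number of failed checks, so the script can gate an unattended build. Re-enabling IE ESC after installation (the Important note above) is a separate step; this script only reports.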

Install McAfee ePolicy Orchestrator


McAfee Data Loss Prevention Endpoint software version 9.2 can be installed in McAfee ePolicy Orchestrator 4.0, 4.5, or 4.6. There are a few precautions you should be aware of. Read the McAfee ePolicy Orchestrator Installation Guide and Release Notes to familiarize yourself with all installation issues.
Some of the installation scripts require the NETWORK SERVICE account to have write permission for the C:\Windows\Temp folder. In secure systems, this folder might be locked down. In that case, you must temporarily change the permissions for this folder. Otherwise, the installation fails. We recommend completing all software installations before resetting the permissions.
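The note above asks for a temporary change to a locked-down folder and for the lockdown to be restored afterwards. The following PowerShell script, an added example that is not part of the McAfee guide, does exactly that in two runs: "Grant" records the folder's current security descriptor as SDDL and adds the narrowest ACE the installers need for NETWORK SERVICE; "Restore" puts the recorded descriptor back verbatim. The backup file location is an assumption; run it as a local administrator.

```powershell
# Temporarily grant NETWORK SERVICE write access to %windir%\Temp and restore the original ACL later.
# Added example, not from the McAfee guide. Usage:
#   .\Set-TempAcl.ps1 -Action Grant     # before installing ePO / DLP
#   .\Set-TempAcl.ps1 -Action Restore   # after all installations are complete
param(
    [Parameter(Mandatory = $true)][ValidateSet('Grant', 'Restore')][string]$Action,
    [string]$TempDir    = (Join-Path $env:windir 'Temp'),
    [string]$BackupFile = (Join-Path $env:SystemDrive 'dlp-install\windows-temp-acl.sddl')   # assumption
)

$account = 'NT AUTHORITY\NETWORK SERVICE'
$acl = Get-Acl -Path $TempDir

switch ($Action) {
    'Grant' {
        # 1. Record the exact current descriptor (owner, group, DACL, SACL) before touching it.
        $dir = Split-Path -Path $BackupFile -Parent
        if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
        if (Test-Path $BackupFile) { throw "Backup $BackupFile already exists; run -Action Restore first." }
        Set-Content -Path $BackupFile -Value $acl.Sddl -Encoding ASCII

        # 2. Add only Write + ReadAndExecute (not Modify or FullControl), inherited by files and
        #    subfolders created during the installation.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $account, 'Write, ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $TempDir -AclObject $acl
        "Granted $account Write,ReadAndExecute on $TempDir (original ACL saved to $BackupFile)"
    }
    'Restore' {
        # Re-apply the recorded descriptor; this drops the temporary ACE and anything else that
        # changed in the meantime, which is the point: the lockdown returns to its audited state.
        if (-not (Test-Path $BackupFile)) { throw "No ACL backup found at $BackupFile" }
        $sddl = (Get-Content -Path $BackupFile | Select-Object -First 1).Trim()
        $acl.SetSecurityDescriptorSddlForm($sddl)
        Set-Acl -Path $TempDir -AclObject $acl
        Remove-Item -Path $BackupFile
        "Restored original ACL on $TempDir"
    }
}

# Show what NETWORK SERVICE now has on the folder so the result can be checked after either action.
(Get-Acl -Path $TempDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags -AutoSize
```

Keep the backup file until every installer has run, as the note recommends; the Restore action refuses to run without it, and the Grant action refuses to overwrite it, so the original descriptor cannot be lost by running the script twice.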


Pay attention to the following points when installing ePolicy Orchestrator:

1 In the McAfee ePO installation wizard, use the following settings.
  Installation Options: Select Install Server and Console.
  Setup Requirements: When installing on Windows 2003 Server, we recommend using the SQL Server 2005 Express installer included in the McAfee ePO installer. Another configuration option is to create an ePolicy Orchestrator instance on an existing SQL Server 2005 or 2008 server and select it. This is the preferred option when installing on Windows 2008 Server.
    Note: After you confirm that you want to install the software, the SQL installation continues without user input. If prompted to install SQL Server 2005 Backward Compatibility, you must install it.
  Database Server Account: We recommend using a SQL Server account. If preferred, an NT account can also be used.
2 During the installation, you might see a warning about trusted sites. Write down the recommended additions to the Microsoft Internet Explorer trusted sites list before clicking OK. You will need to add them later.

Installing McAfee DLP WCF service


The McAfee DLP Windows Communication Foundation (WCF) service is used to communicate between McAfee ePolicy Orchestrator, McAfee Data Loss Prevention Endpoint, and the McAfee DLP Monitor. In McAfee Total Protection for Data Loss Prevention, it is not used to communicate with ePolicy Orchestrator or with the McAfee DLP Monitor.

Web access authorized groups


When installing the McAfee DLP WCF service, you are asked to specify the Web Access Authorized Groups (WAAG). We recommend setting up a group or groups in Windows Active Directory or OpenLDAP containing the users authorized to log on to the database. The installer's default entry is Everyone; replace it with your group, or any authenticated user who can reach the service passes this check. When the McAfee DLP Endpoint policy console attempts to connect to WCF, it impersonates the logged-on user. After the user name is authenticated, WCF checks whether the user is a member of the WAAG before connecting to the database.


WCF service installation options


There are two basic options for installing the Windows Communication Foundation (WCF) service: on the same server as the McAfee ePO (SQL) database (local installation) or on a separate server (remote installation). Where McAfee ePolicy Orchestrator is installed, together with its database or on a separate server, is not relevant to this discussion; only the relative locations of WCF and the database.

Figure 2-1 WCF installation options

Option 1: Installing WCF locally


When installing WCF on the same server as the McAfee DLP Endpoint database, you can use Windows authentication or SQL authentication. The option is selected on the WCF service installation wizard. The selected authentication applies only to the connection between WCF and the database. The connection between the administration workstation and WCF always uses Windows authentication. If you have selected Windows authentication, and the logged on user is a member of the WAAG, connection to the database proceeds without further checking. The user must be defined in the SQL database. See Adding a user in SQL Server.

Option 2: Installing WCF remotely


When installing WCF on a separate server from the McAfee DLP Endpoint database, you can now use either Windows authentication or SQL authentication; the former limitation to SQL authentication only has been removed. The connection details are the same as for a local installation.


Install the McAfee DLP WCF service


There are two steps to installing the McAfee DLP WCF service. When the installation is complete, you can troubleshoot the installation to resolve problems.

Before you begin
Before installing the McAfee DLP WCF service, create a user in Microsoft SQL Server. You must do this even if you are going to use Windows authentication.

Tasks
  Add a user in Microsoft SQL Server (page 18): To use either Windows or SQL authentication with WCF and with the ePolicy Orchestrator database, an authorized user must be defined in the Microsoft SQL database. The authorized user can be a Windows user or a SQL user. Typically, an account with the minimal permissions to run WCF is created.
  Run the McAfee DLP WCF installer (page 19): The McAfee DLP Windows Communication Foundation (WCF) service is used to communicate between ePolicy Orchestrator, McAfee DLP Endpoint, and the McAfee DLP Monitor.

Add a user in Microsoft SQL Server


To use either Windows or SQL authentication with WCF and with the ePolicy Orchestrator database, an authorized user must be defined in the Microsoft SQL database. The authorized user can be a Windows user or a SQL user. Typically, an account with the minimal permissions to run WCF is created. Use this task to create such an account.

To perform this task, you must have Microsoft SQL Server Management Studio installed. If you are using Microsoft SQL Server Express, install the Express version of Management Studio. The administrator performing the task must have system administrator rights on the servers involved.

Task
1 Open SQL Server Management Studio (Express) and connect to the EPOSERVER instance.
2 In the Object Explorer, right-click the server instance and select Properties.
3 On the Security page, select either Windows Authentication mode or SQL Server and Windows Authentication mode, according to which type of authentication you want to use. Click OK.
  Note: A change of authentication mode takes effect only after the SQL Server service is restarted.
4 Navigate to Security | Logins. Right-click in the Logins page, and select New Login.
5 On the General page of the Login Properties dialog box, select SQL Server authentication or Windows authentication and type a logon name; this guide's examples use the SQL login name ndlpuser. For a SQL login, also type a password. Set the default database to ePO4_SERVER and the default language to English. Enforcing a password policy is optional, but we recommend it for a SQL login. Click OK.
6 On the Server Roles page, select the sysadmin checkbox.
  Important: sysadmin is an instance-wide role that grants full control of every database on the SQL Server, not only ePO4_SERVER. Protect this account's credentials as you would the sa account, and restrict them to the WCF configuration.
7 On the User Mapping page of the Login Properties dialog box, in the Users mapped to this login section, select ePO4_SERVER and verify that the new logon user is listed in the User column and that public is checked in the Database role membership section. Click OK.
8 Under User Mapping, define the database role memberships by selecting the db_owner and public checkboxes.
9 Navigate to Databases | ePO4_SERVER | Security | Users. Double-click the logon user name.
10 On the Securables page, click Add. Select Specific objects, and click OK.
11 In the Select Objects dialog box, click Object Types and select Databases. Click OK.
12 Click Browse. Select [ePO4_SERVER] and click OK twice.
13 If you do not see all six effective permissions, browse the Explicit Permissions list to locate and grant them. Click OK. Repeat steps 9 through 12 to verify the Effective Permissions.
14 Click OK.
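The same account can be created from the command line with sqlcmd.exe, which ships with SQL Server 2005 and 2008. The PowerShell script below is an added example, not part of the McAfee guide. It assumes the instance name .\EPOSERVER, the database ePO4_SERVER and the login name ndlpuser from the task above, and it deliberately differs from step 6: it grants db_owner on the ePO database only and does not add the login to sysadmin. Whether that narrower grant is enough for your WCF version must be confirmed with a test policy save; if it is not, add the sysadmin role as the task describes. The final statement runs as the new principal and lists its effective database permissions, which is the command-line equivalent of the Effective Permissions check in step 13.

```powershell
# Create the McAfee DLP WCF database account with sqlcmd.exe. Added example, not from the McAfee guide.
# Run as a Windows user who is a SQL sysadmin on the instance. For a SQL login the instance must
# already be in "SQL Server and Windows Authentication mode" (step 3 above).
param(
    [string]$Instance  = '.\EPOSERVER',   # assumption: ePO-installed SQL Express instance
    [string]$Database  = 'ePO4_SERVER',   # assumption: default ePO 4.x database name
    [string]$LoginName = 'ndlpuser',      # the guide's example SQL login; use DOMAIN\account with -WindowsLogin
    [switch]$WindowsLogin
)

# Single-quoted here-strings keep sqlcmd's $(var) placeholders out of PowerShell's own expansion.
$createSqlLogin = @'
USE [master];
IF SUSER_ID(N'$(Login)') IS NULL
    CREATE LOGIN [$(Login)] WITH PASSWORD = N'$(Pwd)',
        DEFAULT_DATABASE = [$(Db)], DEFAULT_LANGUAGE = [us_english],
        CHECK_POLICY = ON, CHECK_EXPIRATION = OFF;   -- policy enforced; the guide calls this optional
GO
'@

$createWindowsLogin = @'
USE [master];
IF SUSER_ID(N'$(Login)') IS NULL
    CREATE LOGIN [$(Login)] FROM WINDOWS WITH DEFAULT_DATABASE = [$(Db)];
GO
'@

$mapUser = @'
USE [$(Db)];
IF DATABASE_PRINCIPAL_ID(N'$(Login)') IS NULL
    CREATE USER [$(Login)] FOR LOGIN [$(Login)];
EXEC sp_addrolemember N'db_owner', N'$(Login)';     -- database-scoped, unlike the sysadmin server role
GO
-- Report what the new principal can actually do in this database: impersonate it, list, revert.
EXECUTE AS USER = N'$(Login)';
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE') ORDER BY permission_name;
REVERT;
GO
'@

$script = Join-Path $env:TEMP 'create-dlp-wcf-login.sql'
$vars   = @("Login=$LoginName", "Db=$Database")

if ($WindowsLogin) {
    Set-Content -Path $script -Value ($createWindowsLogin + "`r`n" + $mapUser) -Encoding ASCII
} else {
    # Prompt rather than hard-code the password. It is still passed to sqlcmd on its command line,
    # so run this locally on the SQL host and change it if the account is ever exposed.
    $secure = Read-Host -Prompt "Password for SQL login $LoginName (avoid quote characters)" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $vars  += "Pwd=$plain"
    Set-Content -Path $script -Value ($createSqlLogin + "`r`n" + $mapUser) -Encoding ASCII
}

# -E: Windows authentication for the administrator running this; -b: stop and return non-zero on error.
& sqlcmd -S $Instance -E -b -i $script -v $vars
$rc = $LASTEXITCODE
Remove-Item -Path $script -ErrorAction SilentlyContinue
if ($rc -ne 0) { throw "sqlcmd failed with exit code $rc" }
```

Run it once for a SQL login (`.\New-DlpWcfLogin.ps1`) or once with `-WindowsLogin -LoginName 'DOMAIN\svc_dlpwcf'` for the Windows-authentication variant; both paths are idempotent because the login and user are created only if missing.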

Run the McAfee DLP WCF installer


The McAfee DLP Windows Communication Foundation (WCF) service is used to communicate between ePolicy Orchestrator, McAfee DLP Endpoint, and the McAfee DLP Monitor.

Important: When installing or upgrading McAfee DLP Endpoint software, you must upgrade the McAfee DLP Windows Communication Foundation service to the latest version. Failure to upgrade McAfee DLP WCF can lead to errors when trying to save the global policy to the reporting database or update database credentials. To prevent this, the new version checks the client and server versions and displays an error message if they don't match.

Before you begin
Add the logged-on user to the Microsoft SQL database as a Windows or SQL user, according to which form of authentication you plan to use. Log out of ePolicy Orchestrator.

Task
1 Browse to and run the McAfee DLP WCFServiceInstaller.msi installer. Verify that the McAfee DLP Windows Communication Foundation service installer version matches the McAfee DLP Endpoint software version you are installing.
2 In step 4 of the installation wizard (WCF Service Settings), do the following:
  a Use the default WCF Server Port value. If you must change the server port, consult your McAfee representative for instructions.
  b Change the default Web Access Authorized Groups entry from Everyone to a group or user with authorized access, as described in Web access authorized groups. We recommend setting up a group or groups in Windows Active Directory with the names of users authorized to log on to the database.
  c If you are using the confidential data redaction feature, select Obfuscate Sensitive Data in RSS Feed.
3 In step 5 of the installation wizard (Microsoft SQL Database), do the following:
  a Review the defaults for Database Server and Database Name. Type other values if necessary.
  b Select Windows Authentication or SQL Authentication and fill in the associated fields.
4 Click Finish to complete the installation.


Troubleshoot the McAfee DLP WCF service


After installing the McAfee DLP WCF service and the McAfee DLP Endpoint policy console, use the troubleshooter to verify the installation. To troubleshoot the McAfee DLP WCF service, open the browser page http://localhost:8731/DLPWCF/Admin/Testing on the server.
Do not run this test page before installing the McAfee DLP Endpoint software suite in McAfee ePolicy Orchestrator. The tests fail if the McAfee DLP Endpoint database is not yet installed.

Figure 2-2 The McAfee DLP WCF service testing page
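The following PowerShell function is an added example, not McAfee's code, for checking the WCF service from the ePO server before you open the test page in a browser. It assumes the default port 8731 and the Admin/Testing path given above. The service display name is not stated in this guide, so the wildcard pattern used to find it is an assumption, as is the idea that Web Access Authorized Groups is what gates the Admin pages.

```powershell
# Added example (not McAfee's code): pre-checks for the McAfee DLP WCF service.
# Assumes the default port 8731 and the Admin/Testing path from this guide; the
# service display name pattern '*DLP*WCF*' is an assumption (exact name not documented here).
function Test-DlpWcf {
    param(
        [string]$Server = 'localhost',
        [int]$Port = 8731
    )
    $testPage = "http://${Server}:${Port}/DLPWCF/Admin/Testing"

    # 1. Is the service installed and running? (display name pattern is an assumption)
    $svc = @(Get-Service | Where-Object { $_.DisplayName -like '*DLP*WCF*' })
    if ($svc.Count -eq 0) {
        Write-Warning 'No DLP WCF service registered; run WCFServiceInstaller.msi first.'
    }
    foreach ($s in $svc) { Write-Output "$($s.DisplayName): $($s.Status)" }

    # 2. Is anything listening on the WCF port? A closed port means the service is down
    #    or the port was changed from the default at install time.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try   { $tcp.Connect($Server, $Port); Write-Output "TCP ${Server}:${Port} is open" }
    catch { Write-Warning "Nothing listening on ${Server}:${Port}: $($_.Exception.Message)"; return }
    finally { $tcp.Close() }

    # 3. Fetch the test page with the caller's Windows credentials. A 401/403 is the
    #    expected result for an account outside Web Access Authorized Groups (assumption:
    #    that setting gates the Admin pages), so run this as a member of that group.
    $wc = New-Object System.Net.WebClient
    $wc.UseDefaultCredentials = $true
    try {
        $html = $wc.DownloadString($testPage)
        Write-Output "Test page returned $($html.Length) bytes"
        # Crude heuristic (the page markup is not documented here): flag obvious failure
        # text, which this guide says to expect if the DLP database is not installed yet.
        if ($html -match '(?i)\b(fail|error)') {
            Write-Warning 'Test page reports failures; check that the DLP Endpoint extension and database are installed.'
        }
    }
    catch [System.Net.WebException] {
        Write-Warning "HTTP request to $testPage failed: $($_.Exception.Message)"
    }
}

Test-DlpWcf
```

Run it on the ePO server as a member of the group you configured for Web Access Authorized Groups. If step 2 fails but step 1 shows the service running, the port was changed during installation; if step 3 returns 401 or 403 for an account that should have access, revisit the group setting from the WCF installer.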

Before you install the extension


Before you begin installation of McAfee DLP Endpoint software, prepare your system as described below. Two folders and network shares must be created, and their properties and security settings must be configured appropriately. The folders do not need to be on the same computer as the McAfee DLP Endpoint Database server, but it is usually convenient to put them there.

We suggest the following folder paths, folder names, and share names, but you can create others as appropriate for your environment.
- c:\dlp_resources\
- c:\dlp_resources\evidence
- c:\dlp_resources\whitelist

Evidence folder
Certain protection rules allow for storing evidence, so you must designate, in advance, a place to put it. If, for example, an email is blocked, a copy of the email is placed in the Evidence folder.

Whitelist folder
Text fingerprints to be ignored by McAfee DLP Endpoint are placed in a whitelist repository folder. An example is boilerplate text such as disclaimers or copyright notices. McAfee DLP Endpoint software saves time by skipping these chunks of text that are known not to include sensitive content.


Roles and permissions


Consider the administrator roles you need to manage the system, and create the necessary user profiles. Roles such as McAfee DLP administrators, policy makers, monitor viewers, manual taggers, and others may be necessary, depending on the size of the system and how centralized you want control to be. The system can be modified at any time, so the list does not have to be comprehensive.

See also
Create and define permission sets on page 38
Create and define McAfee DLP administrators on page 37

Creating and configuring repository folders


McAfee Data Loss Prevention Endpoint software requires certain repository folders on the server. These folders must be created and configured before running the installer.

Tasks
Configure folders on Windows 2003 Server on page 21
Configuration of the repository folders on Windows 2003 Server requires specific security settings.
Configure folders on Windows 2008 Server on page 22
Configuration of the repository folders on Windows 2008 Server requires specific security settings.

Configure folders on Windows 2003 Server


Configuration of the repository folders on Windows 2003 Server requires specific security settings.

Before you begin
Create the evidence and whitelist folders, as described in Before you install the extension. Both folders are configured in the same manner. Repeat this task for each folder.

Task
1. Right-click the evidence / whitelist folder and select Sharing and Security.
2. In the dialog box that appears, select Share this folder. Modify Share name to evidence$ / whitelist$.
   The $ ensures that the share is hidden from browse lists. It does not restrict access by itself; the NTFS permissions set below are what protect the contents.
3. Click the Security tab, then click Advanced.
4. On the Permissions tab of the Advanced Security Settings for evidence dialog box, deselect Allow inheritable permissions. A confirmation message explains the effect this change will have on the folder.
5. Click Remove. The Permissions tab on the Advanced Security Settings dialog box shows all permissions eliminated except administrators.
   Setting permissions for administrators is required for the whitelist folder. It is optional for the evidence folder, but can be added as a security precaution. Alternately, you can add permissions only for those administrators who deploy policies.
6. Double-click the Administrators entry to open the Permission Entry dialog box. Change the Apply onto option to This folder, subfolders and files. Click OK.
7. Click Add to select an object type. In the Enter the object name to select text box, type Domain Computers, then click OK to display the Permission Entry dialog box.
8. In the Allow column, select:
   - Create Files/Write Data and Create Folders/Append Data for the evidence folder.
   - List Folder/Read Data for the whitelist folder.
   Endpoints only write evidence and only read the whitelist. Granting no more than this keeps one endpoint from reading evidence captured from another.
9. Verify that the Apply onto option says This folder, subfolders and files, then click OK. The Advanced Security Settings dialog box now includes Domain Computers.
10. Click OK twice to close the dialog box.

Configure folders on Windows 2008 Server


Configuration of the repository folders on Windows 2008 Server requires specific security settings.

Before you begin
Create the evidence and whitelist folders, as described in Before you install the extension. Both folders are configured in the same manner. Repeat this task for each folder.

Task
1. Right-click the evidence / whitelist folder and select Properties.
2. Select the Sharing tab, then click Advanced sharing.
3. Select the Share this folder option and click Apply. Add the share name evidence$ / whitelist$.
   The $ ensures that the share is hidden from browse lists. It does not restrict access by itself.
4. Select the Security tab, then click Advanced.
5. On the Permissions tab, deselect the Include inheritable permissions from the object's parent option. A confirmation message explains the effect this change will have on the folder.
6. Click Remove. The Permissions tab on the Advanced Security Settings dialog box shows all permissions eliminated.
7. Click Add to select an object type. In the Enter the object name to select text box, type Domain Computers, then click OK. The Permission Entry dialog box is displayed.
8. In the Allow column, select:
   - Create Files/Write Data and Create Folders/Append Data for the evidence folder.
   - List Folder/Read Data for the whitelist folder.
9. Verify that the Apply onto option says This folder, subfolders and files, then click OK. The Advanced Security Settings dialog box now includes Domain Computers.
10. Click Add again to select an object type.
11. In the Enter the object name to select text box, type Administrators, then click OK to display the Permission Entry dialog box. Set the required permissions.
    Adding administrators is required for the whitelist folder. It is optional for the evidence folder, but can be added as a security precaution. Alternately, you can add permissions only for those administrators who deploy policies.
12. Click OK twice to close the dialog box.
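The two procedures above (Windows 2003 Server and Windows 2008 Server), scripted. This is an added example and not McAfee's code; it creates both repositories in one pass so the two ACLs can be compared side by side and verified afterwards. Assumptions: the paths and share names are the ones suggested in Before you install the extension; the script runs as a domain administrator on the file server, so $env:USERDOMAIN is the domain's NetBIOS name; Administrators receive Full Control (the 2008 procedure leaves the exact rights to you); and the server is Windows Server 2008 or later, because net share /GRANT does not exist on Windows Server 2003, where the share permissions must be set in the GUI as in the first procedure.

```powershell
# Added example (not McAfee's code): create the evidence and whitelist repositories with
# the hidden shares and NTFS ACLs that the Windows 2003/2008 procedures above set by hand.
# Assumptions: paths and share names from this guide; run as a domain admin on the file
# server (so $env:USERDOMAIN is the NetBIOS domain); Windows Server 2008+ for net share /GRANT.
$Root = 'C:\dlp_resources'

# Rights for Domain Computers, as the procedures specify:
#   evidence  - endpoints only drop files (Create Files/Write Data, Create Folders/Append Data)
#   whitelist - endpoints only read fingerprints (List Folder/Read Data)
$Repos = @(
    @{ Name = 'evidence';  Share = 'evidence$';  Rights = 'CreateFiles, AppendData' },
    @{ Name = 'whitelist'; Share = 'whitelist$'; Rights = 'ReadData' }
)

$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'  # "This folder, subfolders and files"
$Prop    = [System.Security.AccessControl.PropagationFlags]::None
$Admins  = 'BUILTIN\Administrators'
$Agents  = "$env:USERDOMAIN\Domain Computers"

foreach ($r in $Repos) {
    $path = Join-Path $Root $r.Name
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # Hidden share (the trailing $ only hides it from browse lists). The share-level ACL is
    # left at Change so the NTFS ACL below is the effective control, as in the GUI procedure.
    if (-not (Get-WmiObject Win32_Share -Filter "Name='$($r.Share)'")) {
        & net share "$($r.Share)=$path" '/GRANT:Everyone,CHANGE' | Out-Null
    }

    $acl = Get-Acl -Path $path
    # Steps 4-6: stop inheriting from the parent and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit entries that remain, so only the two added below are effective.
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

    # Administrators: required on the whitelist folder, optional on evidence (per this guide).
    # Full Control is an assumption; the 2008 procedure leaves the exact rights to you.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Admins, [System.Security.AccessControl.FileSystemRights]'FullControl', $Inherit, $Prop, 'Allow')))
    # Domain Computers: the least privilege each repository needs from the endpoints.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Agents, [System.Security.AccessControl.FileSystemRights]$r.Rights, $Inherit, $Prop, 'Allow')))
    Set-Acl -Path $path -AclObject $acl
}

# Verify: every entry should be explicit (IsInherited = False) and only the two principals
# above should appear. Domain Computers must not hold ReadData on the evidence folder.
foreach ($r in $Repos) {
    Write-Output "--- $($r.Name) ($($r.Share))"
    (Get-Acl -Path (Join-Path $Root $r.Name)).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited |
        Format-Table -AutoSize
}
```

The verification output is the same information the Advanced Security Settings dialog shows after step 9 or step 12. Anything listed with IsInherited set to True means inheritance was not broken; a Domain Computers entry on the evidence folder that includes ReadData means endpoints can read evidence captured from other machines.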

Install the McAfee Data Loss Prevention Endpoint extension


The McAfee DLP Endpoint software extension and the Help module are installed in ePolicy Orchestrator.

Before you begin
If you are using McAfee ePolicy Orchestrator 4.6, navigate to Menu | Software | Software Manager to view, download, and install the McAfee Data Loss Prevention software and Help modules.
Verify that the ePolicy Orchestrator server name is listed under Trusted Sites in the Internet Explorer security settings.
The default installation is a 90-day license for McAfee Device Control software. If you purchased a license for full McAfee Data Loss Prevention Endpoint software, you must upgrade the license after you complete the installation.

Task
1. In ePolicy Orchestrator, select Menu | Software | Extensions, then click Install Extension.
2. Browse to and select the McAfee DLP Endpoint .zip file (..\HDLP_Extension_9_2_0_xxx.zip). Click Open, then OK. The installation dialog box displays the file parameters so that you can verify that you are installing the correct extension.
3. Click OK. The extension is installed. The following applications are installed:
   - McAfee DLP Endpoint policy console (in ePolicy Orchestrator | Data Protection)
   - McAfee DLP Monitor (in ePolicy Orchestrator | Data Protection)
   - DLP Event Parser
4. Click Install Extension again. Browse to and select the Help .zip file (...help_dlp_920.zip). Click Open, then OK.
   This file contains the McAfee DLP Endpoint extension to the ePO Help system.
5. Click OK.


Working in a cluster environment


McAfee DLP Endpoint 9.2 software provides high availability for environments running ePolicy Orchestrator 4.5 or ePolicy Orchestrator 4.6 in a cluster. We recommend cluster installation on Windows Server 2008 with the Failover Clustering feature installed. Installation on other operating systems has not been tested and is not currently supported.

Prepare the cluster


Before running McAfee DLP Endpoint software in a cluster environment, ensure the following:
- Microsoft Failover Clustering is set up and running on a cluster of two or more servers.
- Two separate drives are configured for clustering: a Quorum drive and a Data drive.
- There is a supported database server (SQL 2005 or SQL 2008) in the network.
- ePolicy Orchestrator is set up according to the cluster installation section in the McAfee ePolicy Orchestrator 4.6 Installation Guide. The guide can be found at: https://kc.mcafee.com/resources/sites/mcafee/content/live/product_documentation/22000/pd22974/en_us/epo_460_install_guide_en-us.pdf

Test the cluster


Cluster installations should be tested before use. When the McAfee Data Loss Prevention Endpoint 9.2 cluster is set up and online, use this task to ensure that DLP functions in a failover situation.

Task
1. Restart the system functioning as the active node. The passive node automatically becomes the active node.
2. Log on to McAfee ePolicy Orchestrator, open Data Protection | DLP Policy and click Apply to apply the policy. If the apply policy screen finishes successfully, you can conclude that the DLP cluster has continued to function during the failover.


Post-installation tasks

Several steps are needed to complete the McAfee Data Loss Prevention Endpoint software installation. You must configure the McAfee DLP Endpoint policy console and McAfee DLP Monitor, install McAfee DLP Endpoint software on the managed computers, deploy a test policy, and verify the installation.

Contents
Initialize the DLP Policy console
Upgrade the license
Initialize the McAfee DLP Monitor
Check in the McAfee DLP Endpoint package to ePolicy Orchestrator
Deploying McAfee DLP Endpoint

Initialize the DLP Policy console


The first time you open the McAfee Data Loss Prevention Endpoint policy console, a wizard runs for first-time initialization.
The wizard can be run at any time by selecting Initialization Wizard from the Tools menu in the McAfee DLP Endpoint policy console.

The McAfee DLP Endpoint Management Tools installer and McAfee DLP Endpoint policy console initialization wizard use ActiveX technology. To prevent the installer from being blocked, verify that the following are enabled in Internet Explorer Tools | Internet Options | Security | Custom level:
- Automatic prompting for ActiveX controls
- Download signed ActiveX controls

Task
1. In the ePolicy Orchestrator console, select Menu | Data Protection | DLP Policy. The McAfee DLP Endpoint Management Tools installer runs and, after a brief delay, the Welcome screen of the DLP Management Tools Setup wizard appears. Complete the steps in the wizard.
2. After the McAfee DLP Endpoint Management Tools installation has completed, the McAfee DLP Endpoint policy console begins loading. If you have an existing policy, you are prompted to convert it to the new XML format. Click Convert and skip to step 4.
3. If no previous policy exists, the message DLP global policy is unavailable. Loading default policy appears. Click OK to continue.
4. When the message Agent configuration is unavailable. Loading a default agent. appears, click OK.
5. When the McAfee DLP Endpoint policy console First Time Initialization wizard appears, complete the following steps:

   Page 1 of 8: Click Next.

   Page 2 of 8: By default, the file system discovery crawler places sensitive files in quarantine. Though we do not recommend it, you can delete these files instead by selecting the Support discovery delete option.
   This option is not available until you upgrade to the full McAfee Data Loss Prevention Endpoint software license.
   For troubleshooting, when you need to review an easily readable version of the policy, select Generate verbose policy. For most installations, we recommend leaving these checkboxes unselected.
   In very large organizations where the rollout of McAfee DLP Endpoint 9.2 is staged over time, earlier versions of the plug-in need to coexist. Select the appropriate Backward compatibility mode:
   - No compatibility (all endpoints are version 9.2)
   - McAfee DLP Endpoint Agent 9.1 and later
   - McAfee DLP Endpoint Agent 9.0 and later
   - McAfee DLP Endpoint Agent 3.0 and later
   The compatibility option McAfee DLP Endpoint Agent 3.0.5 or current version refers to a specific hotfix. Unless you specifically know that you are using this hotfix, choose DLP Agent 3.0 compatibility for all version 3 endpoints. DLP Agent 2.2 Patch 4 is no longer supported.
   Select your directory access protocol: Microsoft Active Directory or OpenLDAP. When using Microsoft AD in very large organizations where search times could be excessive, select Restrict AD searches to default domain.
   If you are not using WCF, deselect Deploy policy to reporting database. This prevents rule names from being deployed to the McAfee DLP tables in the McAfee ePO database. If you are using WCF and deselect this option, the McAfee DLP Monitor displays rule GUIDs, not rule names.
   Configure the McAfee DLP Endpoint policy console WCF service path. For the standard installation, accept the default. Click Test Connection to verify. To change the sign-in credentials, click Update DB Credentials. The WCF Database Connection Settings dialog box opens for editing. When you have completed all changes, click Next.

   Page 3 of 8: Type user names, or click Add to search for user names (optional). Click Next.
   We recommend creating a role-based group such as DLP Manual Tagging Users, and using the group when configuring Access Control. This step is not available when installing McAfee Device Control.

   Page 4 of 8: Type a password and confirmation (required). McAfee DLP Endpoint software version 9.2 requires strong passwords, that is, at least 8 characters with at least one each of uppercase, lowercase, digit, and special character (symbol). If you are upgrading, this is not enforced until you change a password.
   If you don't want endpoint key generation events reported to the database, deselect the checkbox. If you want to use short challenge/response (8 digits instead of 16), select the checkbox; the shorter code is easier to relay by phone but has far fewer possible values, so keep the 16-digit default unless you need it. See the McAfee Data Loss Prevention Endpoint Product Guide for more information on Agent bypass. Click Next.

   Page 5 of 8: Browse to the Whitelist storage share, then click Next. The UNC whitelist path is required to apply the policy to ePolicy Orchestrator. Size limits are displayed, but cannot be changed in the Initialization wizard.

   Page 6 of 8: Modify the default notification messages (optional). Select each event type in turn, and type the message in the text box. Click Next.

   Page 7 of 8: Browse to the evidence storage share and click Next. The evidence storage path is required to apply the policy to ePolicy Orchestrator. Set the required Evidence Replication option. See the Release Notes: New Features for more information on this option. Click Next.

   Page 8 of 8: Click Finish.

6. The Initialization Wizard dialog box appears with the message Apply initial configuration? If you have not skipped any required steps, you can click Yes and apply the initial policy. If you have skipped required steps, click No to complete the initialization.
   A password and the evidence storage share are required to complete initialization. The other steps indicated as required are necessary to complete the policy. They can be skipped during initialization and completed at a later time. If you did not apply the policy, select File | Save to save the policy to a file.
7. Click Finish.

Upgrade the license


McAfee DLP Endpoint software comes in two versions, McAfee Device Control and full McAfee Data Loss Prevention Endpoint, with two licensing options for each: 90-day trial and unlimited. The default installation is McAfee Device Control with a 90-day trial license.

Before you begin
Before starting this task, purchase your upgrade license and get an activation key from your McAfee sales representative.

Task
1. On the McAfee DLP Endpoint policy console menu bar, select Help | Update License. The View and Update License window displays the current (default) activation key and expiration date.
2. Click Update.
3. Type or paste the Activation Key in the text box and click Apply. A warning that you must log on again for the change to take effect appears.
4. Click OK to close the message box, and click Close to close the Update License window, then log off ePolicy Orchestrator.
5. Log on to ePolicy Orchestrator to complete the upgrade.
6. From the Agent Configuration menu, select Edit Global Agent Configuration.
7. Go to the File Tracking tab and select Device Control and full content protection.
8. Go to the Miscellaneous tab. Only the Agent Popup service, Device Blocking, and Reporting Service modules are selected. Select the remaining modules you require to enable them and click OK.
   Do not enable modules you don't use. They increase the McAfee DLP Endpoint agent size and slow its operation unnecessarily.
9. On the Toolbar, click Apply. The policy changes are applied to ePolicy Orchestrator.
10. In ePolicy Orchestrator, issue a wake-up call to deploy the policy change to the workstations.

Initialize the McAfee DLP Monitor


The McAfee Data Loss Prevention Monitor must be initialized before it can be used. This consists of verifying the connection to the McAfee DLP WCF service and setting the options.

Task
1. In McAfee ePolicy Orchestrator, select Menu | Data Protection | DLP Monitor.
   The first time you select DLP Monitor, a warning window requests the WCF server path.
2. Click OK.
3. For a standard installation, accept the default. For a backward-compatible installation, type the WCF service address in the dialog box, then click OK.

Figure 3-1 Initializing the McAfee DLP Monitor

Check in the McAfee DLP Endpoint package to ePolicy Orchestrator


Any enterprise computer with data protected by McAfee software must have the McAfee Agent installed, making it a managed computer. To add data loss protection, you must also deploy the McAfee DLP Endpoint plug-in for McAfee Agent. The installation can be performed using the ePolicy Orchestrator infrastructure.

Task
1. On the McAfee ePolicy Orchestrator console, select Menu | Software | Master Repository.
2. In the Master Repository, select Actions | Check In Package.
3. Select package type Product or Update (.ZIP), browse to ..\HDLP_Agent_9_2_0_xxx.zip, then click Next. The Check in Package page appears.
   If you are upgrading, you are prompted that the product already exists. Click OK. The new package replaces the old one.
4. Review the details on the screen, then click Save. The package is added to the master repository.


Deploying McAfee DLP Endpoint


The final stage of McAfee DLP Endpoint software installation is to define a policy, deploy McAfee DLP Endpoint agents to the managed computers, and verify the installation.

Tasks
Define a default rule on page 30
To verify that the McAfee DLP Endpoint software has been deployed properly, we recommend defining a default rule before deploying to the managed computers.
Deploy McAfee DLP Endpoint with ePolicy Orchestrator on page 31
Before policies can be applied, McAfee DLP Endpoint must be deployed to the endpoint computers by ePolicy Orchestrator.
Verify the installation on page 32
After installing McAfee DLP Endpoint software, you should verify the installation in the McAfee DLP Monitor.
Uninstalling McAfee DLP Endpoint on page 32
McAfee Data Loss Prevention Endpoint software is protected from unauthorized removal. There are two methods of authorized removal.

Define a default rule


To verify that the McAfee DLP Endpoint software has been deployed properly, we recommend defining a default rule before deploying to the managed computers. The rule described is an example of a simple rule that can be used to test the system.

Task
1. Create a classification rule:
   a. In the McAfee DLP Endpoint policy console navigation pane under Content Protection, select Classification Rules.
   b. Right-click in the Classification Rules window and select Add New | Content Classification Rule. Rename the rule "Email Classification Rule".
   c. Double-click the rule icon to modify the rule. In step 1 of the rule creation wizard, select either of the options (ANY or ALL), then scroll down the text patterns list and select Email Address.
   d. Click Next three times, skipping to step 4.
   e. In step 4 of the rule creation wizard, click Add New to create a new category. Name it Email Category, click OK to accept the new category, then click Finish.
   f. Right-click the rule icon and select Enable.
2. Create a protection rule:
   a. In the McAfee DLP Endpoint policy console navigation pane under Content Protection, select Protection Rules.
   b. Right-click in the Protection Rules window and select Add New | Removable Storage Protection Rule.
   c. Double-click the rule icon to modify the rule.
   d. Click through to step 2 of the rule creation wizard and add the Email Category created when creating the classification rule to the Included column.
   e. Click through to step 7 of the rule creation wizard. Select Monitor, then click Finish.
   f. Right-click the rule icon and select Enable.
3. On the Tools menu, select Run Policy Analyzer. You should receive warnings, but no errors. If you receive errors, they probably come from improper initialization, such as not specifying an evidence folder or override password. You can re-run the initialization from the Tools menu to correct this.
4. On the Toolbar, click Apply. The policy is applied to McAfee ePolicy Orchestrator.

Deploy McAfee DLP Endpoint with ePolicy Orchestrator


Before policies can be applied, McAfee DLP Endpoint must be deployed to the endpoint computers by ePolicy Orchestrator.

Before you begin
McAfee Agent 4.6 or later must be installed in ePolicy Orchestrator and deployed to the target computers before McAfee DLP Endpoint is deployed. Consult the McAfee ePolicy Orchestrator documentation on how to verify this, and how to install it if necessary.

Task
1. In ePolicy Orchestrator, select Menu | System Tree.
2. In the System Tree, select the level at which to deploy McAfee DLP Endpoint.
   Leaving the level at My Organization deploys to all workstations managed by McAfee ePolicy Orchestrator. If you select a level under My Organization, the right-hand pane displays the available workstations. You can also deploy McAfee DLP Endpoint to individual workstations.
3. Click the Assigned Client Tasks tab. Under Actions, select New Client Task Assignment. The Client Task Builder wizard opens.
4. In the Product field select McAfee Agent. In the Task Type field select Product Deployment. Click Create New Task.
5. In the Name field, type a suitable name, for example, Install DLP Endpoint. Typing a description is optional.
6. In the Products and Components field, select Data Loss Prevention 9.2.0.x. The Action field automatically resets to Install. Click Save.
7. Change the Schedule type to Run immediately. Click Next.
8. Review the task summary. When you are satisfied that it is correct, click Save.
9. The task is scheduled for the next time the McAfee Agent updates the policy. To force the installation to take place immediately, issue an agent wake-up call.
10. After McAfee DLP Endpoint has been deployed, restart the managed computers.


Verify the installation


After installing McAfee DLP Endpoint software, you should verify the installation in the McAfee DLP Monitor.

Task
1. Select Menu | Data Protection | DLP Monitor. The McAfee DLP Monitor opens with a list of events, which should include Agent Installation Events.
2. Verify the McAfee DLP Endpoint installation and apply the policy enforcement by using the cmdagent.exe /s command on the managed computer. See the McAfee ePolicy Orchestrator McAfee Agent documentation for more information.

Uninstalling McAfee DLP Endpoint


McAfee Data Loss Prevention Endpoint software is protected from unauthorized removal. There are two methods of authorized removal:
- Network uninstall from ePolicy Orchestrator, performed by the McAfee ePO administrator.
- Local uninstall using Windows Add or Remove Programs. This method requires a challenge-response key obtained from the McAfee DLP administrator.

This task describes the local uninstall option.

Task
1. In the McAfee DLP Endpoint policy console, select Tools | Generate Agent Uninstall Key. This step can also be performed with the McAfee DLP Help Desk tool, using the Generate Uninstall Key tab.
2. Fill in the user information in Step 1.
3. Type in the uninstall challenge code (Step 2).
4. Type the agent override key password or select Use password from current policy (Step 3).
5. Click Generate Key to create the uninstall key for the user. This Release Code is sent to the user to enter into the request bypass dialog box.


Deploying McAfee Data Loss Prevention Endpoint software with SMS

Microsoft Systems Management Server (SMS) packages can be used for deployment of McAfee DLP Endpoint software in cases where deployment with ePolicy Orchestrator is either unfeasible or not desired. Microsoft Systems Management Server provides a comprehensive solution for deploying and managing applications and operating systems on Windows desktops and servers. The following tasks assume working in the Microsoft SMS 2003 environment.

Contents
Create an installation package
Create the advertisement
Create the SMS uninstall package
Create an SMS uninstall package to run from a command line

Create an installation package


Create a package for installing McAfee Data Loss Prevention Endpoint software with Microsoft Systems Management Server. This procedure does not require ePolicy Orchestrator.

Before you begin
Install Microsoft Visual C++ 2005 SP1 Redistributable Package (x86). The package can be downloaded from: http://www.microsoft.com/downloads/details.aspx?familyid=200B2FD9-AE1A-4A14-984D-389C36F85647

Task
1. In the Systems Management Server console, right-click Packages and select New | Package.
2. On the General tab, type the Package Name (required), and the Version, Publisher and Language (optional).
3. On the Data Source tab, select This Package Contains Source Files, then click Set.
4. In the Set Source Directory window under Source Directory Location, select the type of connection to the set-up files in the source directory. Type the source directory path in the text box and click OK.
5. On the Distribution Settings tab, select High from the Sending Priority drop-down list, and click OK. The package appears under the Packages node of the site tree.
6. Expand the new package under the Packages node.
7. Right-click Distribution Points and select New | Distribution Point. Select the server or servers you want to be the distribution points for this package, then click Finish.
8. Right-click Programs and select New | Program. Type the application name.
9. In the Command Line text box, type the McAfee DLP command line, for example:
   msiexec /I DLPAgentInstaller.msi /qn /forcerestart
   The .msi file is extracted manually from the DLPAgentInstaller.x86.exe file.
   We recommend restarting the managed computer after McAfee DLP Endpoint package installation. To enable this option, use the /forcerestart parameter. To enable the installation log, use /log <LogFile>.
10. On the Environment tab, select Whether or not a user is logged on from the Program can run drop-down list. Click OK.
    Verify that Run with Administrative Rights is selected. McAfee Data Loss Prevention Endpoint software setup requires administrator rights to complete installation successfully.

Create the advertisement


SMS packages need to be "advertised." This task creates the SMS package advertisement.

Task
1. In the Systems Management Server console, right-click Advertisements and select New | Advertisement.
2. Type the advertisement name.
3. From the Package drop-down list, select the McAfee DLP package name. From the Program drop-down list, select the McAfee DLP application name.
4. Click Browse and select the collection that the McAfee DLP installation package should apply to, then click OK.
5. On the Schedule tab, confirm the time that the advertisement is offered, specify if the advertisement should expire, and when. Click OK.

Create the SMS uninstall package


Create a package for uninstalling McAfee Data Loss Prevention Endpoint software with Microsoft Systems Management Server. This procedure does not require ePolicy Orchestrator.

Task
1. In the Systems Management Server console, right-click Packages and select New | Package.
2. On the General tab, type the Package Name (required), and the Version, Publisher and Language (optional).
3. On the Data Source tab, select This Package Contains Source Files, then click Set.
4. In the Set Source Directory window under Source Directory Location, select the type of connection to the set-up files in the source directory. Type the source directory path in the text box and click OK.
5. On the Distribution Settings tab, select High from the Sending Priority drop-down list, and click OK. The package appears under the Packages node of the site tree.
6. Expand the new package under the Packages node.
7. Right-click Distribution Points and select New | Distribution Point. Select the server or servers you want to be the distribution points for this package, then click Finish.
8. Right-click Programs and select New | Program. Type the program name.
9. In the Command Line text box, type the DLP command line, for example:
   msiexec /x DLPAgentInstaller.msi /qn /forcerestart
   The .msi file is extracted manually from the DLPAgentInstaller.x86.exe file.
10. On the Environment tab, select Whether or not a user is logged on from the Program can run drop-down list. Click OK.

Create an SMS uninstall package to run from a command line


Create a package for uninstalling McAfee Data Loss Prevention Endpoint software that runs from a command line.

Task
1 In the Systems Management Server console, right-click Packages and select New | Package.
2 On the General tab, type the Package Name (required), and the Version, Publisher and Language (optional).
3 On the Data Source tab, deselect This Package Contains Source Files, then click Set.
4 Locate the UninstallString for McAfee DLP Agent.
  a In the registry editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.
  b Click through the entries to find DisplayName: McAfee DLP Agent.
  c Copy the uninstall string, for example:

MsiExec.exe /X{287AAE25-B0F4-4E9E-A7FD-8EA81FF635E1}

To uninstall, use the command line (the msiexec switches are /qn for a silent run and /forcerestart to reboot when the uninstall completes; note the spaces between the uninstall string and each switch):

<uninstall string> /qn /forcerestart
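The registry lookup in step 4 and the msiexec uninstall commands used by both SMS uninstall packages can be scripted so the product code is never copied by hand. The following PowerShell script is an added example and is not part of the McAfee guide: it searches the Uninstall key the guide names (and, as an addition, the WOW6432Node view used for 32-bit MSI packages on 64-bit Windows), extracts the MSI product code from the UninstallString, and builds the silent uninstall command. The DisplayName "McAfee DLP Agent" is taken from the guide; the -Execute switch, the log file path and the exit-code handling are this script's own conventions.

```powershell
# Added example (not from the McAfee guide): find the McAfee DLP Agent
# UninstallString and build "<uninstall string> /qn /forcerestart".
# Assumptions (script's own): -Execute, the verbose log path and the
# WOW6432Node lookup are not described in the guide.
param(
    [string]$DisplayName = 'McAfee DLP Agent',
    [switch]$Execute
)

# Both registry views: the native Uninstall key named in the guide, plus
# WOW6432Node, where a 32-bit MSI registers itself on 64-bit Windows.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$entries = foreach ($key in $uninstallKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key | ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.DisplayName -eq $DisplayName }
    }
}

if (-not $entries) {
    Write-Error "No uninstall entry with DisplayName '$DisplayName' found."
    exit 1
}

foreach ($e in $entries) {
    $s = [string]$e.UninstallString
    # MSI entries look like "MsiExec.exe /X{GUID}" or "MsiExec.exe /I{GUID}";
    # the product code in braces is all msiexec needs for /x.
    if ($s -match '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}') {
        $productCode = $Matches[0]
        $logPath = Join-Path $env:TEMP 'dlp_agent_uninstall.log'   # assumed location
        $msiArgs = "/x $productCode /qn /forcerestart /l*v `"$logPath`""
        Write-Host "DisplayVersion : $($e.DisplayVersion)"
        Write-Host "UninstallString: $s"
        Write-Host "Command        : msiexec.exe $msiArgs"
        if ($Execute) {
            $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
            # Documented msiexec results: 0 = success, 1641 = restart initiated,
            # 3010 = restart required. With /forcerestart expect 1641 or a reboot.
            Write-Host "msiexec exit code: $($p.ExitCode)"
            exit $p.ExitCode
        }
    } else {
        Write-Warning "UninstallString is not an MSI product-code form: $s"
    }
}
```

Run it without -Execute first to confirm the product code and command line that would be used; SMS runs the package as LocalSystem, so when testing interactively use an elevated PowerShell session. The script deliberately matches the full GUID pattern rather than anything in braces, so a malformed or tampered UninstallString value is reported instead of being passed to msiexec.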


Users and permission sets

We recommend creating specific administrator roles and permissions in ePolicy Orchestrator for McAfee DLP Endpoint policy console and McAfee DLP Monitor. These roles include creating and saving policies, viewing (but not changing) policies, generating override, uninstall, and quarantine release keys, viewing the McAfee DLP Monitor, and revealing sensitive fields in the monitor.

Sensitive data redaction and the McAfee DLP Monitor permission sets
To meet the legal demand in some markets to protect confidential information in all circumstances, McAfee DLP Endpoint software offers a data redaction feature. Fields in the McAfee DLP Monitor containing confidential information are encrypted to prevent unauthorized viewing. The feature is designed with a "double key" release. This means that to use the feature, you must create two permission sets: one to view the monitor and another to view the encrypted fields. Both roles are required to use the feature.

Contents
Create and define McAfee DLP administrators
Create and define permission sets
DLP permission set options

Create and define McAfee DLP administrators


Creates and defines a McAfee DLP administrator in McAfee ePolicy Orchestrator. Administrative users can be created either before or after the permission sets assigned to them.

Task
For option definitions, click ? in the interface.
1 In McAfee ePolicy Orchestrator, select Menu | User Management | Users.
2 Click New User.
3 Type a user name and specify logon status, authentication type, and permission sets. We recommend creating user groups related to the role, for example DLP Quarantine Administrator.
  The order of creating users and permission sets is not critical. If you create users first, user names appear in the permission set form and you can attach them to the set. If you create permission sets first, the permission set names appear in the user form and you can attach the user to them.
4 Click Save.


Create and define permission sets


Creates and defines a DLP administrator permission set in McAfee ePolicy Orchestrator. Permission sets are useful for defining different administrative roles in McAfee DLP Endpoint software.

Task
For option definitions, click ? in the interface.
1 In McAfee ePolicy Orchestrator, select Menu | User Management | Permission Sets.
2 Click New Permission Set.
3 Type a name for the set and select users.
  The order of creating users and permission sets is not critical. If you create users first, user names appear in the permission set form and you can attach them to the set. If you create permission sets first, the permission set names appear in the user form and you can attach the user to them.
4 Click Save.
5 In the Data Loss Prevention field for the new permission set, click Edit.
6 Select the required permissions and click Save.

Figure B-1 Editing a permission set for McAfee DLP Endpoint

To turn off the sensitive data redaction feature, select User can view DLP Monitor in the monitor section.

DLP permission set options


Permission set options are designed to give granular control over administrator roles. While the division of roles is generally optional, if you are using the sensitive data redaction feature, you must create separate permission sets for the monitor viewer and the administrator who can reveal the encrypted data.

Table B-1 Option definitions

Option: User cannot view policies.
Definition: User is not a policy administrator.

Option: User can only generate Agent Override, Agent Uninstall, and Agent Quarantine Release keys.
Definition: User administrator role is limited to override, uninstall, and release keys.

Option: User can only view policies.
Definition: User can review but not edit policies.

Option: User can view and save policies.
Definition: User has full policy administrator permissions.

Option: User cannot view DLP Monitor.
Definition: User is not a monitor administrator.

Option: User can view DLP Monitor.
Definition: User has full monitor administrator permissions. Use this option if you are not using the sensitive data redaction feature.


Installing a version upgrade

Upgrade installation is similar to first-time installation, but several points must be considered.

Contents
Upgrading issues
Phased upgrade
Upgrade McAfee DLP Endpoint software
Restore the policy after upgrade

Upgrading issues
Upgrading the software has consequences in ePolicy Orchestrator and in the McAfee DLP Endpoint software setup. You must also upgrade the McAfee DLP WCF service.

Event parser
After upgrading the McAfee DLP Endpoint software suite in ePolicy Orchestrator, you must restart the McAfee Event Parser using Administrative Tools | Services.

Figure C-1 Restarting the event parser


McAfee DLP WCF upgrade


You must upgrade the McAfee DLP Windows Communication Foundation service to the latest version. Failure to do so produces an error message when trying to save the global policy to the reporting database or updating database credentials.

The defaults for Database Server and Database Name may not be correct. In particular, ePO4Server might not be the name of the SQL database instance. If necessary, use the SQL Server Configuration Manager to determine the database name.

Backward compatibility
McAfee DLP Endpoint software version 9.2 contains several changes that make policies incompatible with earlier versions of the McAfee DLP Endpoint agent. In large enterprises, upgrading McAfee DLP Endpoint on all workstation nodes can take several weeks or even months. The McAfee DLP Endpoint policy console version 9.2 initialization has a backward compatibility option that, when selected, allows communication with both old and new agents. Backward compatibility can be set to "no compatibility" (McAfee DLP Endpoint 9.2 only), Host DLP Agent 9.1 and later, Host DLP Agent 9.0 and later, or Host DLP Agent 3.0 or later.
The compatibility option "Host DLP Agent 3.0.5 or current version" refers to a specific hotfix. Unless you specifically know that you are using this hotfix, choose Host DLP Agent 3.0 compatibility for all version 3 agents.

Host DLP Agent 2.2 Patch 4 is no longer supported.

Unsupported items
If the policy contains any of the following when backward compatibility mode is selected, the policy fails to be applied to McAfee ePolicy Orchestrator. These unsupported items are cumulative, that is, the McAfee Data Loss Prevention Endpoint 9.1 and above section lists Version 9.2 features not supported in Version 9.1. For compatibility with Version 3.0 endpoints, all three sections apply.


Table C-1 Items unsupported in backward-compatible mode

Compatibility mode: McAfee Data Loss Prevention Endpoint 9.1 and above backward compatibility mode
Unsupported items:
- An application file access, email, file system, removable storage, or web post protection rule contains a document property definition containing a File Name property.
- An application file access protection rule contains a Store Evidence action.
- A discovery or protection rule contains a Content Category or Tag Group.
- An application file access protection rule contains a file type definition.
- A policy contains an email storage discovery rule.
- A clipboard rule restricts pasting into all applications.

Compatibility mode: McAfee Data Loss Prevention Endpoint 9.0 and above backward compatibility mode
Unsupported items:
- An application definition uses the executable file hash.
- A classification or tagging rule uses the AND operator for dictionaries or text patterns.
- A discovery rule has the Tag action selected.
- An email protection rule contains a subject text pattern (bypass keyword).
- A file system or removable storage protection rule has an attachment type (encryption type) selected.
- A file system, PDF / IMAGEWRITER, printer, or removable storage rule has the Request justification action selected.
- A protection rule or discovery rule has Microsoft Rights Management or unsupported attachment type selected.
- A tagging rule contains a dictionary.
- A tagging rule contains header / footer definitions.

Compatibility mode: McAfee Data Loss Prevention Endpoint 3.0 and above backward compatibility mode
Unsupported items:
- An application file access, email, file system, removable storage, or web post protection rule contains a document property definition.
- A discovery rule contains a document property definition with unsupported properties. Version 3.0 only supports the Date Created and Date Modified properties.
- An email or web post protection rule, or a discovery rule, contains an Adobe RM encryption definition.
- A discovery rule contains an Apply RM Policy action.
- Removable storage file access rules are enabled.
- Hit-highlighting is selected on the Evidence tab in the Agent Configuration.

Queries and computer assignments


Queries and Dashboards are saved when you upgrade McAfee DLP Endpoint software, as long as you use the recommended procedure. If you remove the existing Data Loss Prevention extension before installing the new one, all queries and Dashboards are lost.

To customize a sample query, we recommend using the Duplicate option to rename the query before changing it. To use the new sample queries in My Queries in a Dashboard, use the Make Public option. If a public query exists with the same name, remove or rename the public query first. ePolicy Orchestrator requires all query names to be unique.

The first time you install McAfee DLP Endpoint software in ePolicy Orchestrator, the sample queries are installed as Public Queries. To view this, select Reporting | Queries, and scroll down the queries on the left side of the screen. When you upgrade McAfee DLP Endpoint, ePolicy Orchestrator notices that the names of the sample queries are already used, and installs the samples in My Queries instead. However, to use a query in a Dashboard, it must be a public query.

Phased upgrade
Successful upgrading to McAfee Data Loss Prevention Endpoint software version 9.2 from an earlier version requires following a phased procedure that takes into account many variables. It also has certain prerequisites that must be met.

Before you begin


Before beginning an upgrade, you must do the following:

- Verify that all computers are ready for the upgrade. You can check the client version of computers in the network on the DLP: Status Summary dashboard in McAfee ePolicy Orchestrator. Look on the DLP: Agent version report to make sure that all product versions are McAfee DLP 3.0 Patch 1 or later.
- Upgrade all agents to McAfee Data Loss Prevention 3.0 Patch 1 or later. Earlier agent versions are not supported.
- Back up the current DLP policy. Saving the policy to disk allows you to convert the policy to the new format for reuse. You can back up the policy from the McAfee DLP Endpoint policy console. The Save As option on the File menu saves the policy in .opg format.
- Save the agent configuration and computer assignment groups. You can save the agent configuration and computer assignment groups from the McAfee ePolicy Orchestrator System | Policy Catalog page. Select the product (Data Loss Prevention x.x.0.0) and the category (Computers Assignment Group or Agent Configuration) from the drop-down lists, and Edit the selection. From the Edit page, you can select Save to File and specify a destination for the backup file.

Figure C-2 Saving the agent configuration

- Install the .NET Framework on the server hosting the Windows Communication Foundation (DLP-WCF) service. Verify the .NET version installed in C:\Windows\Microsoft.NET\Framework. If necessary, install Microsoft .NET Framework 3.5 SP1.
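The checks in this list that are performed on the WCF server itself (the .NET Framework 3.5 SP1 requirement and the presence of the policy, agent configuration and computer assignment group backups) can be run as a single readiness script before the extension is replaced. The following PowerShell script is an added example and is not part of the McAfee guide. It reads the service-pack level from the NET Framework Setup\NDP\v3.5 registry key in addition to checking the Framework directory the guide names, verifies that each backup file exists and is not empty, and lists the state of the WCF and Event Parser services that the upgrade touches. The backup paths are assumptions (the guide lets you choose any destination), and the services are matched by display-name substring because the guide gives no service names; the agent-version check on the DLP: Agent version report is an ePO console task and is not scripted here.

```powershell
# Added example (not from the McAfee guide): pre-upgrade readiness check on the
# server hosting the DLP-WCF service. Assumptions (script's own): the backup
# file paths, and display-name patterns for the WCF and Event Parser services.
param(
    [string]$PolicyBackup      = 'C:\DLPBackup\policy.opg',
    [string]$AgentConfigBackup = 'C:\DLPBackup\agent_configuration.xml',
    [string]$AssignmentBackup  = 'C:\DLPBackup\computers_assignment_group.xml'
)

$ok = $true
function Report([bool]$pass, [string]$msg) {
    $tag = if ($pass) { 'PASS' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $tag, $msg)
    if (-not $pass) { $script:ok = $false }
}

# 1. .NET Framework 3.5 SP1. The guide says to look under
#    C:\Windows\Microsoft.NET\Framework; the NDP registry key also records
#    whether 3.5 is installed (Install=1) and its service-pack level (SP).
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
$dotnet = if (Test-Path $ndp) { Get-ItemProperty $ndp } else { $null }
Report ($dotnet -and $dotnet.Install -eq 1 -and [int]$dotnet.SP -ge 1) `
       ".NET Framework 3.5 SP1 present (registry Install=$($dotnet.Install), SP=$($dotnet.SP))"
Report (Test-Path (Join-Path $env:windir 'Microsoft.NET\Framework\v3.5')) `
       "v3.5 directory present under $env:windir\Microsoft.NET\Framework"

# 2. Backups taken from the policy console (.opg, File | Save As) and from the
#    ePO Policy Catalog (Save to File). An empty file means the save failed.
foreach ($f in $PolicyBackup, $AgentConfigBackup, $AssignmentBackup) {
    $exists = Test-Path $f
    $size = if ($exists) { (Get-Item $f).Length } else { 0 }
    Report ($exists -and $size -gt 0) "Backup present and non-empty: $f ($size bytes)"
}

# 3. Services the upgrade touches: WCF must be upgraded to match the extension,
#    and the Event Parser must be restarted after the extension is installed.
#    Reported for information only; the Event Parser runs on the ePO server,
#    which may not be this host.
foreach ($pattern in '*DLP*WCF*', '*Event Parser*') {
    $svc = Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue
    if ($svc) {
        $svc | ForEach-Object { Write-Host ("[INFO] {0}: {1}" -f $_.DisplayName, $_.Status) }
    } else {
        Write-Host "[INFO] no service matches display name '$pattern' on this host"
    }
}

if ($ok) { Write-Host 'Ready to upgrade.'; exit 0 }
else     { Write-Host 'Fix the FAIL items before upgrading.'; exit 1 }
```

Run the script on the WCF server with the paths of the backups you actually saved; a non-zero exit code means at least one prerequisite is missing. Because removing the old extension destroys queries, Dashboards and events, verifying the backups before touching ePolicy Orchestrator is the step that matters most.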


Upgrade McAfee DLP Endpoint software


Upgrading an earlier version of McAfee DLP Endpoint software to version 9.2 in ePolicy Orchestrator is similar to a clean install.

Before you begin
- Uninstall the McAfee DLP Endpoint Management Tools from the Windows Control Panel.
- Uninstall the McAfee DLP WCF service.
- Update the McAfee DLP WCF service. The version of this service you use must match the software extension version.
- When downloading the files from the McAfee download site for McAfee DLP Endpoint software, follow the link to the download page for ePolicy Orchestrator Help, and download the latest Help .zip file.
- Log out of ePolicy Orchestrator and close the browser window. (Step 1 cannot be completed without doing this.)

If you want to be able to view previous events in the McAfee DLP Monitor, do not remove the existing McAfee DLP Endpoint extension in ePolicy Orchestrator. Removing the extension removes all events from the DLP Database.

Task
1 In ePolicy Orchestrator, select Software | Extensions. Click Install Extension, then click Browse and select the McAfee DLP Endpoint policy manager .zip file (..\HDLP_Extension_9_2_0_xxx.zip). Click Open, then click OK twice. If you are installing without removing the previous extension, you see a warning that the new extension will replace the existing one. Click OK. The extension is installed, and appears in the extension list.
2 Click Install Extension again, click Browse and select the Help .zip file (..\help_dlp_920.zip). Click Open, then click OK. The installation dialog box warns you that you will replace the existing Help system. Click OK.
  This file contains the McAfee DLP Endpoint extension to the ePolicy Orchestrator Help system.
3 Log out of ePolicy Orchestrator, then log back in. New features not supported by the previously installed version might not work if you do not do this.

Restore the policy after upgrade


After upgrading the McAfee DLP Endpoint software, you must restore the DLP policy, computer assignment groups, and agent configurations from your previous installation. Install and initialize the McAfee DLP Endpoint policy console. See the sections Upgrade McAfee Data Loss Prevention Endpoint software and Initialize the McAfee DLP Endpoint Policy console in this manual. When you have completed the basic installation, continue with this task:


Task
1 Restore the policy.
  a Open the McAfee DLP Endpoint policy console, select File | Open, and browse to the location where you saved the backup of the previous DLP policy.
  b When prompted, click Convert to convert it.
  c On the Verify WCF Service Path screen, click Test Connection to verify that WCF is correctly configured.
  d Select Tools | Options and verify in the Backward compatibility mode section that the required version is selected.
  e Click Apply to save the policy to McAfee ePolicy Orchestrator.

2 Restore the computer assignment groups.
  a In ePolicy Orchestrator select Policy | Policy Catalog.
  b Select Data Loss Prevention 9.2.0.0 policies from the Product drop-down list.
  c Select Computers Assignment Group from the Category drop-down list.
  d Type a name and create a computers assignment group. Click Load from file and browse to the computers assignment group backup file.

Figure C-3 Restoring the computers assignment group settings

3 Restore the agent configurations.
  a In ePolicy Orchestrator select System | Policy Catalog.
  b Select Data Loss Prevention 9.2.0.0 policies from the Product drop-down list.
  c Select Agent Configuration from the Category drop-down list.
  d Type a name and create an agent configuration. Click Load from file and browse to the agent configuration backup file.


Index

A
about this guide 5
administrators, defining 37

B
backward compatibility 11, 25, 41

C
cluster environment, preparing 24
cluster installation, testing 24
clusters, using DLP software in a cluster environment 24
command line uninstall 35
components, Data Loss Prevention (diagram) 8
computer assignments, when upgrading 41
configuration, server 15
conventions and icons used in this guide 5

D
default rule, defining 30
Device Control, feature comparison 9
DLP administrators, defining 37
DLP endpoint, checking in to ePolicy Orchestrator 29
DLP Endpoint
  deploying 31
  deploying with SMS 33
  deployment verification 32
  uninstall with SMS 34
  uninstalling 32
DLP Help extension, installing 23
DLP Monitor, initializing 28
DLP Policy console, installing 23
documentation
  audience for this guide 5
  product-specific, finding 6
  typographical conventions and icons 5

E
ePolicy Orchestrator, installing 15
event parser, when upgrading 41
evidence folder 20
evidence folder, configuring on Windows Server 2003 21
evidence folder, configuring on Windows Server 2008 22

F
feature comparison 9

H
hardware requirements 13

L
license, Device Control and DLP 27

M
McAfee ServicePortal, accessing 6
Microsoft SQL, adding a user 18
Microsoft SQL, installing 19
monitor, initializing 28

P
permission set options 38
permission sets, defining 38
phased upgrade 44
policy, initializing 25
policy, restoring after upgrade 45

Q
queries, when upgrading 41

R
redaction 19, 37
roles and permissions 20

S
server configuration 15
server software requirements 13
ServicePortal, finding product documentation 6
SMS advertisements 34
SMS installation package, creating 33
SMS uninstall package, command line 35
SMS uninstall package, creating 34
supported operating systems 13
system requirements 13

T
Technical Support, finding product information 6

U
uninstalling DLP Endpoint 32
upgrade (task description) 45
upgrade, phased 44
upgrade, unsupported items 41

V
verifying the installation 32

W
WCF, installation options 16
WCF, installing 19
WCF, troubleshooting 20
WCF, when upgrading 41
whitelist folder 20
whitelist folder, configuring on Windows Server 2003 21
whitelist folder, configuring on Windows Server 2008 22