Summary of Contents for McAfee DTP-1650-MGRA - Network DLP Manager 1650 Appliance
Installation Guide Revision C McAfee Data Loss Prevention 9.2.1 For use with ePolicy Orchestrator 4.5.0 and 4.6.0 Software...
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
... and McAfee Data Loss Prevention Endpoint to configure a unified policy installation. When the process is completed, the user will have a fully functional McAfee DLP hardware and software implementation that is properly configured. Contents About this guide...
Warning: Critical advice to prevent bodily harm when using a hardware product. Find product documentation McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.
Setting up the hardware This Quick Start serves as a high‑level road map for setting up your McAfee DLP system. McAfee DLP Manager is shipped pre‑installed; the other products in the suite (McAfee DLP Monitor, McAfee DLP Discover, and McAfee DLP Prevent) must be installed on‑site.
If an item is missing or damaged, contact your supplier. Plan your installation Before installing, survey your environment and collect configuration information. For the McAfee DLP Monitor appliance, you will also need a network tap (unless you are planning a SPAN port configuration). Task Collect the following information about the network in which McAfee Total Protection for DLP will be installed.
Connect a management console Connect a laptop to the management port of the McAfee DLP appliance so you can reconfigure it through a directly connected device. Because McAfee DLP Manager requires additional steps, reconfigure all other products first.
Restarting is not necessary. If you have configured McAfee DLP Discover or McAfee DLP Prevent appliances, setup is complete. If you are configuring McAfee DLP Manager, proceed to the next step. If you are configuring McAfee DLP Monitor, proceed to the following step.
Certain switch models permit the use of a “remote SPAN”, or “RSPAN” capability, which allows ports from multiple switches to be mirrored to the port to which McAfee DLP Monitor is connected. If you want to mirror multiple ports on multiple switches to your DLP appliance, contact the switch vendor for details on configuring RSPAN.
With this configuration, some packets might be dropped under heavy loads. As a result, the number of packets seen by McAfee DLP Monitor might not match the number seen by the ports being monitored. Integrate the appliance using a SPAN port...
McAfee DLP Monitor. The network tap captures traffic through a tap that is attached to the LAN switch and WAN router through two network ports. Traffic from these ports flows directly to the capture ports on McAfee DLP Monitor. In environments where there is a firewall or a series of devices separating the LAN switch from the WAN router, the network tap should be installed between the LAN switch and the first device.
Add the NTP server to sync McAfee DLP Manager to the network. Task Open a web browser and enter the assigned IP address in the address bar to restart McAfee DLP Manager. Click the System tab and select the Configure link.
Installing or upgrading the software on 4400 appliances A McAfee DLP installation on the 4400 contains two released images, each of which contains an operating system (except for the kernel) and DLP software. Primary and secondary images are initially duplicate installations. When the system is upgraded, the primary and secondary disks can contain different versions of the same product.
The software is saved in the Downloads folder. Boot options Unlike the legacy DLP appliances, the model 4400 hardware platform runs the McAfee Linux Operating System (MLOS). It contains a boot loader package that allows users to switch between installations.
From the directory you downloaded the archive to, extract the contents of the archive, using the -C option to expand it into the /data/install directory. # tar xvzf ndlp_<product>.tgz -C /data/install Go to the /data/install directory. # cd /data/install McAfee Data Loss Prevention 9.2.1 Installation Guide...
Stop all scans and search tasks before upgrading, and wait until they are completely stopped before upgrading. If you want to do a backup before upgrading to 9.2.1 on a 4400 appliance that is running McAfee Data Loss Prevention Manager 9.2.0 or one of the standalone McAfee DLP appliances, you must first apply Hotfix 754037_45668_01.
Restart the system. # reboot Restarting the system might take 10–15 minutes. Log on to the McAfee DLP device as root, go to the installation directory, and verify the installation with the command: # cat /data/stingray/etc/version If the Release field contains 9.2.1, installation is complete.
Convert an installation to another McAfee DLP product The 4400 appliance ships with McAfee DLP Manager, but that installation can be converted to another Data Loss Prevention product. However, only one product can be installed on the appliance, so the primary and secondary images must both be installed with that product.
To restore the drives on the 4400 appliance, insert the DVD that was shipped with it. The process that runs from the DVD restores the drives of the appliance to their pre‑installed state.
Installing or upgrading software on 1650 and 3650 appliances A McAfee DLP installation on the model 1650 and 3650 appliances contains the software for a single product. The software is installed or upgraded by running two installation scripts. The platform script installs the operating system components, and it is customized to the hardware used by entering a platform type option.
Install a fresh image on 1650 or 3650 appliances Scroll down the page, then select the McAfee Network DLP product and version. On the Software Downloads tab, select and save the appropriate *.bz2 file to your Windows computer.
# ./install_stingray -P <platform type> Restart the system. # reboot Log on to the McAfee DLP device as root, go to the installation directory, and verify the installation with the command: # cat /data/stingray/etc/version If the Release field contains 9.2.1, installation is complete.
If you downloaded the archive to a Windows‑based computer, use WinSCP. If you are copying the archive from a Linux server, use the SCP command scp -rp <hotfix_package> root@<name or ip address>:<directory>
# tar xvzf hotfix_xxxxxx_yyyy_zz.tar.gz -C /data/hotfix Go to the /data/hotfix directory. # cd /data/hotfix/xxxxxx (Optional) Open the README file to see the hotfix details. Run the installation script. # ./install_hotfix Restart the Stingray service. # service stingray restart
Configuring McAfee DLP appliances and adding servers All McAfee DLP appliances can be registered to McAfee DLP Manager and managed from that console. After the appliances are configured, servers that extend the functionality of the system can be added. At the very least, an NTP server must be added during the installation process.
Configuring McAfee DLP appliances and adding servers Configure McAfee DLP appliances using Setup Wizard At the logon prompt, type the default user name and password. admin/mcafee On the End User License Agreement page, select the checkbox and click I Accept.
On the Time Configuration page, set the time zone, select the NTP server, and click Next. Figure 4-2 Time configuration You might want to set the NTP server manually in some cases.
On the Policy Activation page, select the policies that are needed for you to implement your protection strategy, then click Next. Figure 4-3 Policy activation If you have to change this configuration later, you can activate or deactivate policies from the Policies page.
On the Administrator Setup page, type in an email address for the primary administrator and set a password, then click Next. Figure 4-4 Administrator setup
Configure link on the System page. Figure 4-5 Review Figure 4-6 Email server setting If you are setting up McAfee DLP Prevent, type in the IP address of a smart host, then click Next.
See chapter 7, Integrating McAfee DLP Endpoint into a unified policy system for details. You cannot add McAfee DLP Endpoint to McAfee DLP using this procedure. It must be integrated into the network product suite after it is installed on ePolicy Orchestrator.
Configuring McAfee DLP Prevent If McAfee DLP Prevent is being configured for email, you must identify a smart host and an email address for testing the connection. If it is configured for webmail, a proxy server can be used, but only the ALLOW and BLOCK actions will be available.
Blue Coat Systems products. McAfee Email Security Appliance is set to handle up to 30 concurrent SMTP connections, but McAfee DLP Prevent exceeds this limit. To get these two appliances to work together, you must modify the ESA configuration files.
Configuring McAfee DLP Prevent Configure McAfee DLP Prevent McAfee DLP Prevent can be set up to process email or webmail by adding the appliance to McAfee DLP Manager, then configuring it to connect to one or more email or web servers.
Add LDAP servers to McAfee DLP Manager You can add Active Directory or OpenLDAP servers to support integration of McAfee DLP with existing user systems. Before you begin Determine what type of directory server to add.
Do one of the following: • Enter the Domain of the LDAP server. If you use this option, you must log on to an administrative account on the LDAP server. The system will then query the Domain Name Server to find the domain controller for the Active Directory domain.
A secure connection is not required, but is strongly recommended. Accept any available certificate, or select one by uploading it. If you upload, you must find the FQDN name of the authorization server in the encrypted file by logging on to the back end of the McAfee DLP appliance and running the following.
11 Click the Export link to save the NetDLP certificate to your desktop. The file name is netdlp_certificate.cer. 12 Open a web browser, enter the IP address of the McAfee Logon Collector in the address bar, and log 13 Select Menu | Configuration | Trusted CA.
Testing the system Task Log on as root to the McAfee DLP appliance. Stop the NTP daemon. # service ntpd stop # chkconfig --level 2345 ntpd off Restart the NTP daemon. # service ntpd start # chkconfig --level 2345 ntpd on...
Installing McAfee DLP Endpoint Configure the McAfee ePO server before installing McAfee DLP Endpoint. After installation, several steps are required to complete the installation. Contents Verify system requirements Configure the server Install McAfee ePolicy Orchestrator Installing McAfee DLP WCF service...
• Windows Server 2008 R2 64‑bit Servers are supported for McAfee Device Control software only. The user installing McAfee DLP Endpoint software on the servers must be a member of the local administrators group. The following software is required on the server running the McAfee DLP Endpoint policy console and McAfee DLP Monitor.
• McAfee DLP Endpoint extension (contains the components installed through ePolicy Orchestrator) Configure the server Basic configuration of the McAfee ePO server includes setting the security configuration and verifying the .NET installation. Before you begin Verify that the server meets the minimum system requirements.
If you are setting up a production environment, set the server’s static IP address within that range. Install McAfee ePolicy Orchestrator McAfee Data Loss Prevention Endpoint software version 9.2 Patch 2 can be installed in McAfee ePolicy Orchestrator 4.5 or 4.6. There are a few precautions you should be aware of.
Orchestrator or with the McAfee DLP Monitor. Web access authorized groups When installing the McAfee DLP WCF service, you are asked to specify the Web Access Authorized Groups (WAAG). We recommend setting up a group or groups in Windows Active Directory or Open LDAP with the names of users authorized to log on to the database.
Figure 5-2 WCF service remote from the McAfee ePO database server Install the McAfee DLP WCF service There are two steps to installing the McAfee DLP WCF service. When the installation is complete, you can troubleshoot the installation to resolve problems.
Management Studio. The administrator performing the task should have system administrator rights on the servers involved. This is a required task. The default authorized user does not work with the McAfee DLP WCF service. Task Start SQL Server Management Studio (Express) and connect to the EPOSERVER instance.
Select Security | Logins. Right‑click in the Logins page, then select New Login. On the General page of the Login Properties window, select SQL Server authentication or Windows authentication and type a logon name. Set the default database to ePO4_SERVER. Enforcing a password policy is optional.
Orchestrator, McAfee DLP Endpoint, and the McAfee DLP Monitor. Before you begin Before installing the McAfee DLP WCF service, create a user in Microsoft SQL Server. You must do this even if you are going to use Windows authentication.
McAfee DLP Endpoint software version you are installing. In step 4 of the installation wizard (WCF Service Settings), do the following: • Use the default WCF Server Port value. If you must change the server port, consult your McAfee representative for instructions. •...
Two folders and network shares must be created, and their properties and security settings must be configured appropriately. The folders do not need to be on the same computer as the McAfee DLP Endpoint Database server, but it is usually convenient to put them there.
A confirmation message explains the effect this change will have on the folder. Click Remove. The Permissions tab in the Advanced Security Settings window shows all permissions eliminated. Click Add to select an object type.
User and permission sets We recommend creating specific administrator roles and permissions in ePolicy Orchestrator for McAfee DLP Manager and McAfee DLP Monitor. These roles can include creating and saving policies, viewing (but not changing) policies, generating override, uninstall, and quarantine release keys, viewing the McAfee DLP Monitor, and revealing sensitive fields in the monitor.
Click Save. Create and define permission sets Permission sets are useful for defining different administrative roles in McAfee DLP Endpoint software. Task For option definitions, click ? in the interface.
Verify that the ePolicy Orchestrator server name is listed under Trusted Sites in the Internet Explorer security settings. The default installation is a 90‑day license for McAfee Device Control software. If you purchased a license for full McAfee Data Loss Prevention Endpoint software, you must upgrade the license after you complete the installation.
The first time you open the McAfee Data Loss Prevention Endpoint policy console, a wizard runs for first‑time initialization. The wizard can be run at any time by selecting Initialization Wizard from the Tools menu in the McAfee DLP Endpoint policy console.
• McAfee DLP Endpoint Agent 3.0.5 and current version The compatibility option McAfee DLP Endpoint Agent 3.0.5 and current version refers to a specific hotfix. Unless you specifically know that you are using this hotfix, choose DLP Agent 3.0 compatibility for all version 3 endpoints.
Click the Miscellaneous tab. Only the Agent Popup service, Device Blocking, and Reporting Service modules are selected. Select the remaining modules you require to enable them and click OK. Do not enable modules you don't use. They increase the McAfee DLP Endpoint agent size and slow its operation unnecessarily.
The package is added to the Master Repository. Deploy McAfee DLP Endpoint The final stage of McAfee DLP Endpoint software installation is to define a policy, deploy McAfee DLP Endpoint agents to the managed computers, and verify the installation. Tasks •...
On the Toolbar, click . The policy is applied to McAfee ePolicy Orchestrator. Deploy McAfee DLP Endpoint with ePolicy Orchestrator 4.6 Before policies can be applied, McAfee DLP Endpoint must be deployed to the endpoint computers by ePolicy Orchestrator. Before you begin A current version of McAfee Agent, 4.6 Patch 2 or later, must be installed in ePolicy...
Click the Assigned Client Tasks tab. Select Actions | New Client Task Assignment. The Client Task Builder wizard opens. In the Product field select McAfee Agent. In the Task Type field, select Product Deployment. Click Create New Task. In the Task Name field, type a suitable name, for example, Install DLP Endpoint. Typing a description is optional.
This information is not required when creating a master release code. Type the uninstall challenge code (Step 2). This is the code the user obtains by clicking the McAfee Agent icon in the icon tray and selecting Manage Features | McAfee DLP Endpoint | Request DLP Endpoint bypass.
The McAfee Agent DLP client routes policy updates to the clients and collects events from them. If evidence collecting is enabled in the policy, events are sent to the event parser, then stored in an evidence folder, which is normally located on the ePolicy Orchestrator.
Open a web browser and enter the location of the network extension into the address bar. https://<DLP_Manager_name>/eponetdlp/netdlp.zip The extension can also be downloaded from the McAfee Support Portal, or copied from the /data directory of the downloaded and expanded McAfee DLP Manager directory.
Setting up Unified DLP on ePolicy Orchestrator Configure McAfee Agent on ePolicy Orchestrator You must add an evidence folder on ePolicy Orchestrator to collect the events forwarded by the McAfee Agent client, then configure essential features to enable McAfee DLP Endpoint functionality through McAfee DLP Manager.
GUI port Address bar of McAfee ePO server Add an ePolicy Orchestrator database user You must create an ePolicy Orchestrator database user to set up access to the McAfee DLP Manager MySQL database. Before you begin Register ePolicy Orchestrator on McAfee DLP Manager.
You must have an ePolicy Orchestrator database user ready for entry on the ePolicy Orchestrator Registered Server Builder page. After McAfee DLP Manager and ePolicy Orchestrator are registered to each other, the extensions and the McAfee Agent DLP client can be set up to manage McAfee DLP Endpoint communications between the systems. Task In ePolicy Orchestrator, select Menu | Configuration | Registered Servers.
If registration seems to be taking a long time, try refreshing the page. Checking the connection If your connection through McAfee DLP Manager is successful, the ePolicy Orchestrator will display a green Status icon on the System page. The status icon does not apply to the evidence server, which is normally a folder on the ePolicy Orchestrator server.
McAfee Agent client has been updated. The default configuration is DLP Agent 9.0 and above. If the McAfee Host DLP product installed on McAfee ePolicy Orchestrator was released before version 9.1, no change is needed on the Manage Endpoints page.
Configuring McAfee DLP Endpoint on McAfee DLP Manager But if McAfee DLP Endpoint 9.1 is installed and digital rights management is not needed, No compatibility should be selected. This means that the new features in that release will be available in the network product suite.
Installation and configuration complete Installation and configuration are now complete. You can now start working with the unified policy version of McAfee DLP Endpoint. McAfee recommends that you start by setting up protection rules and viewing the events reported on the ePolicy Orchestrator Data‑in‑Use dashboard.