Revision A
TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator,
McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab,
McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection,
TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and
other countries. Other names and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Preface 5
About this guide 5
Audience 5
Conventions 5
Find product documentation 6
Index 75
This guide provides the information you need to install your McAfee product.
It contains all of the necessary information for installing McAfee® Data Loss Prevention software,
including detailed steps and verification of the installation and configuration process in both the new
hardware platform and legacy appliances. It also includes integration with McAfee® ePolicy
Orchestrator® and McAfee® Data Loss Prevention Endpoint to configure a unified policy installation.
When the process is completed, the user will have a fully functional McAfee DLP hardware and
software implementation that is properly configured.
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
• Security officers — People who determine sensitive and confidential data, and define the
corporate policy that protects the company's intellectual property.
Conventions
This guide uses the following typographical conventions and icons.
Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.
Bold: Text that is strongly emphasized.
User input or Path: Commands and other text that the user types; the path of a folder or program.
User interface: Words in the user interface including options, menus, buttons, and dialog boxes.
Hypertext blue: A live link to a topic or to a website.
Note: Additional information, like an alternate method of accessing an option.
Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
To access... Do this...
User documentation: 1 Click Product Documentation.
KnowledgeBase:
• Click Search the KnowledgeBase for answers to your product questions.
• Click Browse the KnowledgeBase for articles listed by product and version.
McAfee® Data Loss Prevention Manager manages all of the McAfee DLP products from a centralized
console, then displays incidents and events found by them on its dashboards.
In the unified policy design, rules can be configured to find incidents and violations anywhere on an
intranet — in network traffic, in repositories containing structured or unstructured data, and on
endpoints. Actions can also be added to any rule to handle any problem as soon as it is detected.
Contents
McAfee Unified DLP deployment
Management options
Installation scenarios
• The McAfee DLP Monitor capture engine analyzes all content on a network, classifies it into types,
and stores the resulting objects on capture partitions. Some traffic can be filtered out to improve
performance.
• McAfee DLP Prevent monitors all email and webmail and applies actions to resolve any problems.
• McAfee DLP Discover monitors file systems and repositories, locates significant data, and reports
data that is in violation of policy.
• McAfee DLP Endpoint finds significant events occurring at endpoints and reports any policy
violations. Endpoint rules and events are managed through the same workflow as the other
products in the McAfee DLP solution.
Management options
McAfee Data Loss Prevention Manager displays incidents and events on McAfee DLP Manager or
McAfee® ePolicy Orchestrator dashboards.
Depending on the installation, there are three options for managing McAfee Data Loss Prevention.
• If McAfee DLP is installed on a Linux appliance, McAfee DLP Manager is used as the management
console. You can log on to the console with a Mozilla Firefox or Microsoft Internet Explorer browser
using the address https://<server IP>.
• If McAfee DLP is installed in ePolicy Orchestrator, log on to the McAfee ePO™ console using the
address https://<server IP>:8443. Mozilla Firefox 3.0.x and Microsoft Internet Explorer 7
browsers are supported.
• If McAfee DLP is run as a virtual appliance, use the VMware vSphere Client to log on to the console.
Virtual appliance installations are beyond the scope of this guide. See the McAfee Data Loss
Prevention 9.2 Virtual Appliance Installation Guide for more information.
Installation scenarios
McAfee Data Loss Prevention software can be installed on Linux appliances or as an ePolicy
Orchestrator application on a Windows server operating system.
McAfee Data Loss Prevention software comes in both Linux and Microsoft Windows versions. The Linux
version can be run as a virtual appliance.
Virtual appliance installation is documented in McAfee Data Loss Prevention 9.2 Virtual Appliance
Installation Guide.
• Model 1650
• Model 3650
McAfee DLP Discover, McAfee DLP Monitor, and McAfee DLP Prevent are typically installed on separate
appliances that are managed from McAfee DLP Manager. If McAfee DLP Endpoint is installed as part of
the network product suite, it is first installed on ePolicy Orchestrator on a Windows server operating
system. Integration of these components is discussed in chapter 7, Integrating McAfee DLP Endpoint
into a unified policy system.
For complete system requirements, see chapter 6, Installing McAfee DLP Endpoint.
See also
Verify system requirements on page 43
This Quick Start serves as a high-level road map for setting up your McAfee DLP system. McAfee DLP
Manager is shipped pre-installed; the other products in the suite (McAfee DLP Monitor, McAfee DLP
Discover, and McAfee DLP Prevent) must be installed on-site.
McAfee DLP Monitor must be set up to capture network traffic, so it requires additional configuration
steps.
Contents
Adding devices and servers
Check the shipment
Plan your installation
Rack mount the appliances
Connect a management console
Configure McAfee DLP Manager
Select an integration mode for McAfee DLP Monitor
Complete the setup
If you add McAfee DLP Endpoint to the network product suite, you must install it on McAfee® ePolicy
Orchestrator®, and add endpoint, evidence, and directory servers.
Task
1 Refer to your Accessory Kit Content List to ensure that you received the following items:
• Region-specific power cords - 2
• CAT5 cables - 3
• Safety document
• Warranty document
• Recovery media
Task
1 Collect the following information about the network in which McAfee Total Protection for DLP will be
installed.
• Host name
• IP address
• Secondary DNS server
• Domain
2 Devise a protection strategy by evaluating the type of information you need to protect. Your
objectives will determine which policies you activate.
http://download.intel.com/support/motherboards/server/s5520ur/sb/r2612ur_service_guide_14.pdf
For more information, download the Intel® Server System SR2612UR Technical Product Specification.
http://download.intel.com/support/motherboards/server/s5520ur/sb/sr2612ur_tps_13.pdf
1 Ethernet port 0
2 Ethernet port 1 — Management port
3 Ethernet port 2 — Capture port 0
4 Ethernet port 3 — Capture port 1
1 Ethernet port 0
2 Ethernet port 1 — Management port
3 Ethernet port 2 — Capture port 0
4 Ethernet port 3 — Capture port 1
1 Ethernet port 0
2 Ethernet port 1 — Management port
3 Ethernet port 3 — Capture port 1 — note reversed configuration
4 Ethernet port 2 — Capture port 0 — note reversed configuration
By default, each appliance is configured with the IP address 192.168.1.2, but a new IP address and
other network parameters are required to integrate it into the network.
You must connect a laptop to the management port so you can convey this information to the
appliance. Assign the laptop an IP address that is different, but on the same subnet, so it can access
the management port.
Task
1 Connect a laptop to the management port of the appliance using the supplied Ethernet cable.
2 Change the laptop to an address in the 192.168.1.X/24 IP range — for example, 192.168.1.10.
6 On the Network Configuration page, enter all of the IP addresses, and the host and domain names
needed to integrate the appliance into the network.
If you are configuring a McAfee DLP Manager, skip to the next topic.
When this step is complete, the appliance will have a new IP address and will be integrated into the
network. Restarting is not necessary.
If you have configured McAfee DLP Discover or McAfee DLP Prevent appliances, setup is complete. If
you are configuring McAfee DLP Manager, proceed to the next step. If you are configuring McAfee DLP
Monitor, proceed to the following step.
Task
1 On the Time Configuration page, change the time zone.
3 On the Policy Activation page, select the checkboxes of the policies that will generate incidents that
are relevant to your protection strategy.
If you are in a region that is not listed, you will be able to activate policies that are directly relevant
to your location after the system is installed.
4 On the Administrator Setup page, enter the email address of the primary administrator and change the
password from the default.
5 On the Email and Email Server Setting page, enter the IP address or host name of the email server.
6 On the Review page, verify your settings, click Cancel, or click Previous to change them.
7 When you have confirmed your settings, click Submit, then Exit Wizard.
At this point, the McAfee DLP Manager setup is almost complete. After all other products are
integrated into the network, sync McAfee DLP Manager to the network by completing the final step
in this document.
Certain switch models permit the use of a “remote SPAN”, or “RSPAN” capability, which allows ports
from multiple switches to be mirrored to the port to which McAfee DLP Monitor is connected. If you
want to mirror multiple ports on multiple switches to your DLP appliance, contact the switch vendor for
details on configuring RSPAN.
1 Capture ports
2 WAN router traffic mirrored to McAfee DLP Monitor port
3 LAN
4 LAN switch
5 WAN
This method requires a change on the LAN switch, but no downtime is required because network
traffic is not disrupted.
With this configuration, some packets might be dropped under heavy loads. As a result, the number of
packets seen by McAfee DLP Monitor might not match the number seen by the ports being monitored.
Task
1 Connect McAfee DLP Monitor to a network switch using a console cable or network connection
(such as Telnet or SSH).
Note the port used to connect the appliance to the LAN switch, and the port used by the WAN router.
3 Using interface show commands on the switch, verify that traffic is being received on the switch
port to which McAfee DLP Monitor is connected.
Common configuration
If a SPAN port is configured on a Cisco switch, the WAN router would be connected to
interface "GigabitEthernet1/0/1". The DLP appliance would be connected to interface
"GigabitEthernet1/0/2".
In environments where there is a firewall or a series of devices separating the LAN switch from the WAN
router, the network tap should be installed between the LAN switch and the first device.
1 Capture ports
2 Analyzer ports
3 Network tap
4 LAN
5 LAN switch
6 Router
7 WAN
This method requires physical disconnection and reconnection of network cables, so it disrupts traffic.
A service window is required.
With this configuration, full traffic capture is done even under heavy load conditions.
Regeneration taps for both types can be used to extend monitoring to multiple ports. When these taps
are used, signals are regenerated before sending a copy of the packets to the monitor port.
Task
1 Disconnect the cable between your WAN router and your LAN switch.
2 Connect Monitor Port A of the network tap to Capture Port 0 on McAfee DLP Monitor.
3 Connect Monitor Port B of the network tap to Capture Port 1 on McAfee DLP Monitor.
4 Connect Network Port A of the network tap to a router inside the firewall.
Task
1 Open a web browser and enter the assigned IP address in the address bar to restart McAfee DLP
Manager.
3 Scroll down to the Time section and enter the NTP server.
pool.ntp.org
5 Click Update.
Configuration is complete. If you want to integrate the DLP system into McAfee® ePolicy Orchestrator®
4.5 or 4.6, you can do it now.
A McAfee DLP installation on the Model 4400 contains two released images, each of which contains an
operating system (except for the kernel) and DLP software.
Primary and secondary images are initially duplicate installations. When the system is upgraded, the
primary and secondary disks can contain different versions of the same product.
Contents
Download and expand the archive
Boot options
Upgrade the products
Apply a hotfix
Convert an installation to another DLP product
Restoring the drives
McAfee DLP Manager is pre-installed on the model 4400 appliance. Install the other McAfee DLP
products as needed.
Downloadable archives all have legacy names preceded by "i", although the product names have
changed. In particular, note that McAfee DLP Monitor is also known as "iguard".
Task
1 Open the McAfee Service Portal by typing support.mcafee.com into the address bar of a web browser.
2 From the Products & Solutions menu, select Product Downloads, or locate and click the link under the
Corporate Support heading.
4 Scroll down the page, then select the McAfee Network DLP product and version.
6 Log on as root to the model 4400 appliance and create a product directory under data.
The directory name you select should identify the product to be installed — for example,
imanager, imonitor (iguard), idiscover, iprevent.
8 Extract the contents of the archive, using the -C option to expand it into the product directory.
[root@4400 data]# tar zxf <product>.tgz -C <product>
Boot options
Unlike the legacy DLP appliances, the model 4400 hardware platform runs the McAfee Linux Operating
System. It contains a boot loader package that allows users to switch between installations.
McAfee DLP uses Gnu GRUB (GRand Unified Bootloader) to install the primary and secondary images
on the model 4400 appliances.
The default Disk Boot option is used only to boot the operating system of the appliance.
During the upgrade process, the configuration data in the /data directory and the kernel/boot loader
information in the boot directory are copied over to the new installation.
McAfee recommends installing duplicate images on both primary and secondary disks.
Task
1 Log on to the appliance as root.
3 Run the installation script with the product name and the path to the product directory.
# ./install_new_pri iguard /data/monitor
When the installation is complete, a message appears stating which image will boot next.
McAfee recommends installing duplicate images on both primary and secondary disks.
Task
1 Log on to the appliance as root.
3 Run the installation script with the product name and the path to the product directory.
# ./install_new_sec iguard /data/monitor
When the installation is complete, a message appears stating which image will boot next.
Task
1 Log on to the appliance as root.
2 Run the system_info utility to determine which versions are installed, so that you can decide
where to install the fresh image.
# /data/stingray/ksh/system_info
4 Run the primary or secondary installation script with the product name and the path to the product
directory.
# ./install_new_pri iguard /data/monitor
or
# ./install_new_sec iguard /data/monitor
The product image installs on the specified disk. When the installation is complete, a message
appears stating which image will boot next.
Take this step only if you have a specific need that cannot be addressed by the current configuration.
Task
1 Log on to the appliance as root.
3 Run the setnextboot script to select one of three boot options: primary, secondary, or boot from
the operating system on the appliance.
# ./setnextboot [reboot_only | pri | sec]
The script sets up the selected option. When the option is set, a message appears stating which
image will boot next.
The install_to_pri and install_to_sec scripts install the upgrade. After the process runs, the
existing configuration and database are copied to the new image.
Task
1 Log on to the appliance as root.
3 Run the system_info utility to determine which versions are installed and where they are located.
# /data/stingray/ksh/system_info
When the upgrade is complete, a message appears stating which image will boot next.
Apply a hotfix
Apply a hotfix by running a script that installs the hotfix RPM.
The hotfix script copies the hotfix RPM to /data/hotfix/<current_version> and adds an installation
entry to /data/hotfix/<current_version>/install_hotfix<stingray_version>.sh.
In rare instances, a kernel RPM might be released. If this occurs, installation of the release image
automatically updates the boot loader for the corresponding kernel version.
Task
1 Log on to the appliance as root.
2 Run the hotfix script with an option that identifies the current hotfix package.
# install_hotfix.ksh <hotfix_rpm>
The name of the package follows a convention — Hotfix-<product name>-<Bugzilla
number>-<Perforce change number>-<version number>-<sequence number>-x86-64.rpm.
For example, a package using this naming convention might be
Hotfix-iguard-750875-55025-9.2.0-01.x86-64.rpm.
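Before handing a hotfix RPM to install_hotfix.ksh as root, it is worth confirming that its name follows the convention above and that it targets the product and version actually installed. The following checker is an added example, not McAfee's code; the guide writes the convention with "-x86-64.rpm" but its own example ends in "-01.x86-64.rpm", so the pattern accepts either separator, and the comparison against the version read from /data/stingray/etc/version is this example's own assumption about how the two values line up.

```python
"""Added example (not McAfee's code): validate a McAfee DLP hotfix RPM name
against the convention Hotfix-<product>-<Bugzilla>-<Perforce>-<version>-<seq>-x86-64.rpm
and check it against the installed product and version."""
import re
from typing import Optional

HOTFIX_RE = re.compile(
    r"^Hotfix-(?P<product>i[a-z]+)"      # legacy product name, e.g. iguard
    r"-(?P<bugzilla>\d+)"                # Bugzilla number
    r"-(?P<perforce>\d+)"                # Perforce change number
    r"-(?P<version>\d+(?:\.\d+)+)"       # product version, e.g. 9.2.0
    r"-(?P<sequence>\d+)"                # sequence number within that version
    r"[-.](?P<arch>x86[-_]64)\.rpm$"     # '-' per the convention, '.' per the guide's example
)

# Legacy archive names listed in the guide; "iguard" is McAfee DLP Monitor.
LEGACY_PRODUCTS = {"imanager", "iguard", "idiscover", "iprevent"}


def parse_hotfix_name(filename: str) -> Optional[dict]:
    """Return the fields of a well-formed hotfix name, or None if it does not match.

    Unknown product names are rejected so a typo such as 'iguardx' is caught
    before anything is installed.
    """
    match = HOTFIX_RE.match(filename)
    if match is None:
        return None
    fields = match.groupdict()
    if fields["product"] not in LEGACY_PRODUCTS:
        return None
    for key in ("bugzilla", "perforce", "sequence"):
        fields[key] = int(fields[key])
    return fields


def hotfix_matches_install(filename: str, installed_product: str,
                           installed_version: str) -> bool:
    """True when the hotfix targets the product and version that are installed.

    installed_version is the value the operator reads from
    /data/stingray/etc/version (assumed here to be the bare version string).
    """
    fields = parse_hotfix_name(filename)
    return (fields is not None
            and fields["product"] == installed_product
            and fields["version"] == installed_version)


if __name__ == "__main__":
    # The guide's own example name, checked against a constructed install state.
    name = "Hotfix-iguard-750875-55025-9.2.0-01.x86-64.rpm"
    print(parse_hotfix_name(name))
    print("applies:", hotfix_matches_install(name, "iguard", "9.2.0"))
```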
Task
1 Log on to the appliance as root.
3 Run the installation script with the product name and the path to the product directory.
# ./install_new_full iguard /data/imonitor
The script installs the product on both disks. When the installation is complete, a message appears
stating which image will boot next.
A McAfee DLP installation on the model 1650 and 3650 appliances contains the software for a single
product. The software is installed or upgraded by running two installation scripts.
The platform script installs the operating system components, and it is customized to the hardware
used by entering a platform type option. A Stingray script installs the McAfee DLP application.
The installation and upgrade procedures for the management console (McAfee DLP Manager) and all of
its managed devices (McAfee DLP Discover, McAfee DLP Monitor, and McAfee DLP Prevent) are the
same. McAfee DLP Endpoint must be installed separately.
Contents
Download and expand the legacy archive
Install the products on legacy servers
Upgrade to 9.2.0 on legacy appliances
Downloadable archives all have legacy names preceded by "cdrom_i<product>", although
the product names have changed and they are no longer distributed on media. In
particular, note that McAfee DLP Monitor is also known as "iguard".
Task
1 Open the McAfee Service Portal by typing support.mcafee.com into the address bar of a web browser.
2 From the Products & Solutions menu, select Product Downloads, or locate and click the link under the
Corporate Support heading.
4 Scroll down the page, then select the McAfee Network DLP product and version.
6 Log on as root to the model 1650 or 3650 appliance and create a product directory under data.
The directory name you select should identify the product to be installed — for example,
imanager, imonitor (iguard), idiscover, iprevent.
8 Extract the contents of the archive, using the -C option to expand it into the product directory.
[root@4400 data]# tar jxf <product>.bz2 -C <product>
Each of the network DLP products is installed using two different scripts. The platform installation
includes the OS components, and the Stingray package contains the DLP application.
After installing the platform, you might be prompted to restart the system before installing Stingray, but
version 9.2 does not require this restart. You can continue directly to the next step.
Task
1 Log on to the McAfee DLP device as root.
Enter ./install_platform to display the current platform type, along with other options.
7 Log on to the McAfee DLP device as root, go to the installation directory, and verify the installation
with the command:
# cat /data/stingray/etc/version
Stop all scans and search tasks before upgrading, and wait until they are completely
stopped before proceeding.
If the patch installation fails, do not install it again. Call McAfee support and submit an
installation log file.
Task
1 Log on to the appliance as root.
3 Make a directory for the patch, check its location, then expand the archive into the new directory.
# mkdir -p /data/patch_9_0_4/686712_i<product>
# ls -l /tmp/patch_686712_45025_02_i<product>.tar.gz
# tar zxvf /tmp/patch_686712_45025_02_i<product>.tar.gz -C /data/patch_9_0_4/686712_i<product>
4 Go to the patch directory, then find and read the README file.
# cd /data/patch_9_0_4/686712_i<product>
# ls -l
# cat README
Follow the installation steps in the README file.
6 Make a directory for the hotfix, check its location, then expand the archive into the new directory.
# mkdir -p /data/hotfix
# ls -l /tmp/hotfix_719847_45561_01.tar.gz
# tar zxvf /tmp/hotfix_719847_45561_01.tar.gz -C /data/hotfix
7 Go to the hotfix directory, run the hotfix installation script, and reboot.
# cd /data/hotfix
# ./install_hotfix
# reboot
All McAfee DLP appliances can be registered to McAfee DLP Manager and managed from that console.
After the appliances are configured, servers that extend the functionality of the system can be added.
At the very least, an NTP server must be added during the installation process.
Most McAfee DLP enterprise configurations have LDAP servers configured, and McAfee® Logon Collector
is often used in addition to resolve the identities of specific users.
After installation of McAfee DLP Monitor, McAfee strongly recommends adding capture filters to
customize the system. Some default filters are provided to filter out extraneous data that would
ordinarily be captured, but each installation has a unique protection strategy that requires different
settings. Consult the McAfee Total Protection for Data Loss Prevention 9.2.0 Product Guide for more
information.
Contents
Configure McAfee DLP appliances using Setup Wizard
Configure McAfee DLP appliances after installation
Add McAfee DLP products to McAfee DLP Manager
Configuring McAfee DLP Prevent
Add LDAP servers to McAfee DLP Manager
Add McAfee Logon Collector to McAfee DLP Manager
Add syslog servers to McAfee DLP systems
Resynchronize McAfee DLP systems with an NTP server
Testing the system
After installation is complete, you can start the Setup Wizard from the Configure link on the System page if
you want to make changes.
Task
1 Open a web browser and start the application using the IP address.
# https://xxx.xxx.xxx.xxx
2 At the logon prompt, type the default user name and password.
admin/mcafee
3 On the End User License Agreement page, select the checkbox and click I Accept.
4 On the Network Configuration page, assign the hostname, domain and IP addresses of the gateway and
DNS servers, then click Next.
You must enter a fully-qualified domain name into the Hostname field.
5 On the Time Configuration page, set the time zone, select the NTP server, and click Next.
You might want to set the NTP server manually in some cases.
6 On the Policy Activation page, select the policies that are needed for you to implement your protection
strategy, then click Next.
If you have to change this configuration later, you can activate or deactivate policies from the Policies
page. For example, you might want to use international policies that are available on that page.
7 On the Administrator Setup page, type in an email address for the primary administrator and set a
password, then click Next.
If additional configuration is needed after installation, log on to the application after rebooting, then
click the Configure link on the System page.
8 If you are setting up McAfee DLP Prevent, type in the IP address of a smart host, then click Next.
The Devices page is refreshed automatically every two minutes to reflect the new status of the devices
and statistics.
Task
1 In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | System Administration | Devices.
You cannot add McAfee DLP Endpoint to McAfee DLP using this procedure. It must be integrated into the
network product suite after it is installed on ePolicy Orchestrator.
Adding a McAfee DLP appliance wipes the current configuration of that machine, but captured data,
cases, and incidents will not be lost. Unless you have previously deployed policies to All Devices, you will
have to edit them to add the device.
If a device is registered with McAfee DLP Manager, the device cannot be brought back to standalone
mode after deregistering it, and it will have to be reinstalled.
On some networks you can choose a port configuration. The McAfee DLP appliance is a Gigabit network
device, so it is possible to bring it down.
The Add Device page is also used to add an ePolicy Orchestrator server (ePolicy Orchestrator GUI IP
Address) and database (ePolicy Orchestrator Database IP or hostname). If the ePolicy Orchestrator
device checkbox is selected, the options change.
If Incident Copy Only is selected from the Type menu, there is no integration with unified policy, and you
must use the McAfee DLP Endpoint Policy Manager to update the policy.
Task
1 In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | System Administration | Devices.
5 Click Add.
7 Wait for the Status icon in the device list to turn green.
The CPU usage display indicates that the registration tasks are being performed. McAfee DLP Manager
does not display any CPU activity, because it serves only as a collection point for the data. The other
machines are capturing and indexing data, and the processor display indicates their CPU utilization. It
should not go over 70-80%.
If registration seems to be taking a long time, try refreshing the page.
When devices are added successfully, their status icons will turn green.
When configured with a web proxy server, McAfee DLP Prevent monitors transmissions and identifies
data in wikis, portals, blogs and other collaborative sites using HTTP and HTTPS protocols.
Both MTA and proxy servers can be handled by one McAfee DLP Prevent system, but contact a McAfee
Customer Service representative to assure proper performance.
If you need more information about how McAfee DLP Prevent works with SMTP and ICAP traffic, consult
the McAfee Total Protection for Data Loss Prevention 9.2.0 Product Guide.
McAfee DLP Prevent can be configured with many different email and webmail systems. McAfee Email
and Web Gateway products are supported, and it has also been tested with some third party systems,
such as Blue Coat Systems products.
McAfee Email Security Appliance is set to handle up to 30 concurrent SMTP connections - but McAfee DLP
Prevent exceeds this limit. To get these two appliances to work together, you must modify the ESA
configuration files.
• By incoming and outgoing, we mean emails that are either being sent to or received from
the outside world.
• By entering and leaving, we mean emails that are entering or leaving the MTA.
1 Must be capable of sending either all or a portion of outgoing traffic to the McAfee DLP Prevent
application. McAfee DLP Prevent is not typically used to inspect incoming email. Examples of a
requirement where only a portion of the traffic needs to be scanned might be in environments
where only traffic with attachments is to be scanned, or where scanning is limited to traffic directed
to public sites (for example, Yahoo).
3 Must be capable of taking actions based on specified match expressions for email headers. The
specific header received from McAfee DLP Prevent is the X-RCIS-Action header, with the values
ALLOW, BLOCK, QUART, ENCRYPT, BOUNCE, REDIR and NOTIFY.
4 Based on entering port or some other metric, must be capable of distinguishing between all emails
arriving from the McAfee DLP Prevent appliance, then applying header inspection and header-based
action rules exclusively to incoming email from McAfee DLP Prevent.
5 Must be capable of ensuring that emails arriving from the McAfee DLP Prevent appliance are not
routed back to the McAfee DLP Prevent appliance. This can be done either by using port /
srcIP-based mail routing, checking to see if an X-RCIS-Action header already exists in an email
scheduled to be routed to the McAfee DLP Prevent appliance, or by some other means.
6 Must be capable of implementing all of the McAfee DLP Prevent-based actions. If the MTA does not
have all of the required capabilities, inter-operation is still possible — but in that case, the actions
that can be set when rules are created must be limited to those supported by the MTA.
7 Must be able to inter-operate with an email encryption appliance (if this capability is needed) and
instruct the encryption appliance to encrypt specific messages based on header information or
other metrics.
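The requirements above describe what an MTA policy hook has to do on each message: send unscanned outbound mail to McAfee DLP Prevent, recognise mail coming back from it (here by ingress port), act on the X-RCIS-Action verdict, and never route scanned mail back to the appliance. The following is an added example, not McAfee's or any MTA vendor's code. Everything not in the guide is an assumption: the return port, the next-hop host names and the redirect mailbox are constructed, and because the guide lists the verdict values but not how an MTA should act on each, the verdict-to-action mapping is this example's own.

```python
"""Added example (not McAfee's code): an MTA-side routing decision built from
the McAfee DLP Prevent integration requirements.

The guide leaves open whether to identify DLP output by port/source IP or by
the presence of X-RCIS-Action. This example uses the ingress port and treats a
verdict header arriving on any other port as untrusted: it is stripped and the
message is still sent for scanning, so a sender cannot skip inspection by
adding the header themselves.
"""
from email import message_from_string

DLP_HEADER = "X-RCIS-Action"                      # set by McAfee DLP Prevent (from the guide)
DLP_ACTIONS = {"ALLOW", "BLOCK", "QUART", "ENCRYPT", "BOUNCE", "REDIR", "NOTIFY"}

DLP_RETURN_PORT = 10025                            # constructed: port for mail returning from DLP Prevent
DLP_PREVENT_HOST = "dlp-prevent.example.internal"  # constructed next hop for unscanned mail
ENCRYPTION_HOST = "mail-encrypt.example.internal"  # constructed encryption appliance (requirement 7)
REDIRECT_MAILBOX = "dlp-review@example.internal"   # constructed target for REDIR

# Assumed mapping from verdict to MTA action; the guide does not define these.
VERDICT_TO_DISPOSITION = {
    "ALLOW": "deliver",
    "NOTIFY": "deliver",      # assumed: the notification itself is sent by DLP Prevent
    "BLOCK": "discard",
    "QUART": "quarantine",
    "BOUNCE": "bounce",
    "ENCRYPT": "relay",       # onward to the encryption appliance
    "REDIR": "redirect",
}

# Constructed sample message, used by the demo below.
SAMPLE_OUTBOUND = (
    "From: alice@example.internal\r\n"
    "To: bob@example.com\r\n"
    "Subject: quarterly report\r\n"
    "\r\n"
    "See attached.\r\n"
)


def route(raw_message: str, ingress_port: int) -> dict:
    """Decide what the MTA does with one message; returns a small result dict."""
    msg = message_from_string(raw_message)
    verdicts = [v.strip().upper() for v in (msg.get_all(DLP_HEADER) or [])]

    if ingress_port != DLP_RETURN_PORT:
        # Requirement 4: only mail on the return port is treated as DLP output.
        # Everything else is unscanned outbound mail bound for DLP Prevent.
        # Any verdict header already present did not come from DLP Prevent, so
        # it is removed rather than trusted (Message.__delitem__ removes every
        # occurrence and does not raise when the header is absent).
        del msg[DLP_HEADER]
        return {"disposition": "relay", "next_hop": DLP_PREVENT_HOST,
                "stripped_headers": len(verdicts), "message": msg.as_string()}

    # Requirement 5: mail on the return port is never sent to DLP Prevent again.
    # It must carry exactly one recognised verdict; otherwise hold it for an
    # operator instead of guessing.
    if len(verdicts) != 1 or verdicts[0] not in DLP_ACTIONS:
        return {"disposition": "defer",
                "reason": f"expected one valid {DLP_HEADER} header, got {verdicts}"}

    verdict = verdicts[0]
    result = {"disposition": VERDICT_TO_DISPOSITION[verdict], "verdict": verdict}
    if verdict == "ENCRYPT":
        result["next_hop"] = ENCRYPTION_HOST       # requirement 7
    elif verdict == "REDIR":
        result["next_hop"] = REDIRECT_MAILBOX
    return result


if __name__ == "__main__":
    print(route(SAMPLE_OUTBOUND, 25))
    print(route("X-RCIS-Action: ENCRYPT\r\n" + SAMPLE_OUTBOUND, DLP_RETURN_PORT))
```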
Task
1 In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | System Administration | Devices.
3 Select the McAfee DLP Prevent appliance and click its Configure link.
4 On the System Configuration page, scroll down to Email and Email Server Setting.
5 Type in the IP address of the smart host and your email address.
Host names are not supported. A smart host is configured only if SMTP email is being processed,
and configuring more than one is not supported.
Task
1 In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | System Administration | Directory
Services.
• In the Authorization Server field, enter the name or IP address of the server.
If you are using SSL (Secure Sockets Layer) to encrypt the connection, you must enter the
FQDN (fully qualified domain name) cited in the uploaded certificate.
Unlike the LDAP server domain name, you can use any valid account that has permission to
read from the LDAP server (an administrative account is not necessary). If you have already
entered the domain name of the LDAP server, any information you enter here will be ignored.
7 In the Timeout and Retries fields, set intervals for connection (in seconds).
10 Identify the local domain components in the Base DN field (for example, dc=mydomain,dc=com).
Use an administrative account whose password does not expire to maintain the connection, but a
non-administrative account name is acceptable when using an authorization server.
11 Enter the number of records you want to retrieve at one time in the Server Results limit field.
Before entering a value higher than 10, consult the administrator of the Active Directory server to
find out how many records can be served per request.
12 Select the SSL checkbox to encrypt the connection and enable LDAPS (LDAP over SSL).
A secure connection is not required, but is strongly recommended. Accept any available certificate,
or select one by uploading it. If you upload, you must find the FQDN name of the authorization
server in the encrypted file by logging on to the back end of the McAfee DLP appliance and running
the following.
Read from left to right to get the name of the authorization server:
tyche.reconnex.net
14 Click Apply.
Task
1 Open a web browser, type the IP address of the McAfee Logon Collector into the address bar, and
log on.
3 Select and copy all text in the Base 64 field and paste it into a text editor.
4 Add the following beginning and ending lines to the document, then paste in the Base 64 text.
-----BEGIN CERTIFICATE-----
<pasted Base 64 field text>
-----END CERTIFICATE-----
5 Highlight and copy the entire text, including the BEGIN and END CERTIFICATE lines.
6 Open a web browser and log on to the Network McAfee DLP Manager.
7 In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | System Administration | Directory
Services.
10 Enter the IP address of the McAfee Logon Collector into the Export NetDLP Certificate field.
11 Select the Paste from Clipboard option and paste the Base 64 text into the box.
Alternatively, you can export the certificate from McAfee Logon Collector to your desktop, then
Browse to it from the Import MLC Certificate | From File field.
12 Click Apply.
13 Click the Export link to save the NetDLP certificate to your desktop.
The file name is netdlp_certificate.cer.
14 Open a web browser, enter the IP address of the McAfee Logon Collector in the address bar, and log
on.
19 Open a Remote Desktop session on the McAfee Logon Collector server and restart it.
When the server comes up, the SSL connection between the servers is complete.
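The BEGIN/END CERTIFICATE wrapping in steps 3 to 5 above is easy to get wrong by hand (stray line breaks, a partial copy of the Base 64 field). The following added example, not McAfee's own code, assembles the PEM block from the copied text and checks that the decoded bytes form one complete DER SEQUENCE before the result is pasted into the Directory Services page. The sample DER bytes are constructed placeholders, not a real certificate.

```python
"""Build and sanity-check a PEM certificate from the Base 64 text copied
from the McAfee Logon Collector page. Added example; the sample bytes are
constructed placeholders and not a real certificate."""
import base64
import binascii
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_total_length(der: bytes) -> int:
    """Return the full length (header + content) of the outermost DER SEQUENCE.

    Every X.509 certificate is a DER SEQUENCE (tag 0x30) followed by a
    length in short form (one byte below 0x80) or long form (0x80 | n, then
    n big-endian length bytes). Raises ValueError on anything else.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (a certificate must start with 0x30)")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    content = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + content


def base64_to_pem(field_text: str) -> str:
    """Wrap the copied Base 64 text in BEGIN/END CERTIFICATE lines.

    Whitespace picked up while copying is removed, BEGIN/END lines already
    present are tolerated, the text is decoded strictly, and the decoded
    bytes are checked to be exactly one complete DER SEQUENCE so that a
    truncated paste (or trailing junk) is rejected before it reaches the
    appliance. Lines are re-wrapped at 64 columns as PEM readers expect.
    """
    body = field_text.replace(PEM_HEADER, "").replace(PEM_FOOTER, "")
    compact = re.sub(r"\s+", "", body)
    try:
        der = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"Base 64 text is not valid: {exc}") from exc
    expected = der_total_length(der)
    if expected != len(der):
        raise ValueError(
            f"decoded {len(der)} bytes but the DER header declares {expected}; "
            "the paste is probably truncated or carries extra data"
        )
    lines = [compact[i:i + 64] for i in range(0, len(compact), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def is_plausible_certificate(field_text: str) -> bool:
    """True when base64_to_pem accepts the text, False otherwise."""
    try:
        base64_to_pem(field_text)
    except ValueError:
        return False
    return True


# Constructed sample: SEQUENCE { INTEGER 5 }, 5 bytes, short-form length.
SAMPLE_SHORT_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_SHORT_B64 = base64.b64encode(SAMPLE_SHORT_DER).decode()
# Constructed sample: SEQUENCE of 256 zero bytes, long-form length 0x82 0x01 0x00.
SAMPLE_LONG_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_LONG_B64 = base64.b64encode(SAMPLE_LONG_DER).decode()
# Constructed sample of a partial copy: the first 99 bytes of the long sample.
SAMPLE_TRUNCATED_B64 = base64.b64encode(SAMPLE_LONG_DER[:99]).decode()

if __name__ == "__main__":
    # Leading/trailing whitespace and a line break are tolerated and stripped.
    print(base64_to_pem("  " + SAMPLE_SHORT_B64 + "\n"))
```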
Task
1 Log on as root to the McAfee DLP appliance.
The service command will control the service while the system is running; the chkconfig
commands will control what happens at boot time.
Configure the McAfee ePO server before installing McAfee DLP Endpoint. After installation, several
further steps are required to complete the setup.
Contents
Verify system requirements
Configure the server
Install McAfee ePolicy Orchestrator
Installing McAfee DLP WCF service
Repository folders
User and permission sets
Install the McAfee Data Loss Prevention Endpoint extension
Initialize the DLP Policy console
Upgrade the license
Check in the McAfee DLP Endpoint package to ePolicy Orchestrator
Deploying McAfee DLP Endpoint
Uninstalling McAfee DLP Endpoint
Network: 100 Mbit LAN serving all workstations and the McAfee ePO server
The user installing McAfee DLP Endpoint software on the servers must be a member of the local
administrators group.
The following software is required on the server running the McAfee DLP Endpoint policy console and
McAfee DLP Monitor:
McAfee ePO Help System: download the McAfee DLP Endpoint 9.2 Help extension ().
McAfee DLP Windows Communication Foundation (DLP WCF): this is part of the McAfee DLP Endpoint
software version 9.2.x package, but is installed separately. It should be installed immediately after
installing McAfee ePO.
Microsoft .NET 3.5 SP 1 or 4.0
Microsoft SQL Server 2005 or 2008, Advanced Express or Enterprise, 32- or 64-bit
Microsoft SQL Server Management Studio: install the version that matches the version of Microsoft
SQL Server you are using.
The McAfee DLP Endpoint software version 9.2.x package includes the following:
• McAfee Data Loss Prevention Endpoint (McAfee Agent plugin)
• McAfee DLP Endpoint extension (contains the components installed through ePolicy Orchestrator)
Task
1 Install Microsoft Windows Server 2003 SP1 or Windows Server 2008. See the System
Requirements for supported Windows systems.
2 Install Windows Installer 3.0 (Windows 2003) or 4.5 (Windows 2008) and restart the system.
Install all Microsoft Windows Service Packs.
• In Windows 2008, open the Server Manager then select Configure IE ESC in the Security
Information section.
This Microsoft product can hinder proper installation of McAfee DLP Endpoint components. Disable it
before installation, then reconfigure it after installation if it is required.
We recommend using a subnet separate from your company's production network for initial testing.
If you are setting up a production environment, set the server’s static IP address within that range.
Some of the installation scripts require the NETWORK SERVICE account to have write permission for the
C:\Windows\Temp folder. In secure systems, this folder might be locked down. In that case, you must
temporarily change the permissions for this folder. Otherwise, the installation fails. We recommend
completing all software installations before resetting the permissions.
After verification that you want to install the software, the SQL installation
continues without user input. If prompted to install SQL Server 2005
Backward Compatibility, you must install it.
2 During the installation, you might see a warning about trusted sites. Write down the recommended
additions to the Microsoft Internet Explorer trusted sites list before clicking OK. You will need to add
them later.
When the McAfee DLP Endpoint policy console attempts to connect to WCF, it impersonates the logged
on user. After the user name is authenticated, WCF checks to see if the user is a member of the WAAG
before connecting to the database.
connection between the administration workstation and WCF always uses Windows authentication. If
you have selected Windows authentication, and the logged on user is a member of the WAAG,
connection to the database proceeds without further checking.
The user must be defined in the SQL database. See Adding a user in SQL Server.
Figure 6-2 WCF service remote from the ePO database server
Tasks
• Add a user in Microsoft SQL Server on page 49
To use either Windows or SQL authentication with the McAfee DLP WCF service or the
ePolicy Orchestrator database, an authorized user must be defined in the Microsoft SQL
database. The authorized user can be either a Windows or a SQL user. Typically, an account
with the minimal permissions required is created.
• Run the McAfee DLP WCF installer on page 53
The McAfee DLP Windows Communication Foundation (WCF) service is used to
communicate between ePolicy Orchestrator, McAfee DLP Endpoint, and the McAfee DLP
Monitor.
This is a required task. The default authorized user does not work with the McAfee DLP WCF service.
In the McAfee DLP Manager product suite, Windows authentication is not supported because
communication is between the ePolicy Orchestrator database (Microsoft SQL) and the McAfee DLP
network product suite database (MySQL).
The credentials you set in the following procedure are used on the Add New Device page to connect McAfee
DLP Manager to ePolicy Orchestrator.
Task
1 Open SQL Server Management Studio (Express) and connect to the EPOSERVER instance.
2 In the Object Explorer, right-click the database name then select Properties.
3 On the Security page, select either Windows Authentication mode or SQL Server and Windows Authentication mode,
according to which type of authentication you want to use. Click OK.
4 Select Security | Logins. Right-click in the Logins page, then select New Login.
5 On the General page of the Login Properties window, select SQL Server authentication and type the logon
name ndlpuser and a password. Set the default database to ePO4_SERVER and the default language
to English. Click OK.
7 On the User Mapping page of the Login Properties window, in the Users mapped to this login section, select
ePO4_SERVER and verify that the new logon user is listed in the User column, and that public is
checked in the database role membership section. Click OK.
8 Under User Mapping, define the database role memberships by selecting the db_owner and public
checkboxes.
9 Select Databases | ePO4_SERVER | Security | Users. Double-click the logon user name.
10 On the Securables page, click Add. Select Specific objects, and click OK.
11 In the Select Objects window, click Object Types and select Databases. Click OK.
13 If you do not see all six effective permissions, browse through the Explicit Permissions list to locate
each of them and click Grant. Click OK. Repeat steps 9-13 to verify the Effective Permissions.
14 Click OK.
To troubleshoot the McAfee DLP WCF service, use the browser page
http://localhost:8731/DLPWCF/Admin/Testing.
Do not run this test page before installing the McAfee DLP Endpoint software suite in McAfee ePolicy
Orchestrator. The tests will fail if the McAfee DLP Endpoint database is not yet installed.
When installing or upgrading McAfee DLP Endpoint software, you must upgrade the McAfee DLP
Windows Communication Foundation service to the latest version. Failure to upgrade McAfee DLP WCF
can lead to errors when trying to save the global policy to the reporting database or update database
credentials. To prevent this, the new version checks the client and server versions and displays an error
message if they don't match.
Add the logged on user to the Microsoft SQL database as a Windows or SQL user, according to which
form of authorization you plan to use. Log off of ePolicy Orchestrator.
Task
1 Browse to and run the McAfee DLP WCFServiceInstaller.msi installer.
Verify that the McAfee DLP Windows Communication Foundation service installer version matches
the McAfee DLP Endpoint software version you are installing.
b We recommend setting up a group or groups in Windows Active Directory with the names of
users authorized to log on to the database. You must change the default Web Access Authorized
Groups entry from Everyone to a group or user with authorized access, as described in WCF
installation options.
c If you are using the confidential data redaction feature, select Obfuscate Sensitive Data in RSS Feed.
b Select Windows Authentication or SQL Authentication and fill in the associated fields.
Repository folders
Before you begin installation of McAfee DLP Endpoint software, prepare your system as described below.
Two folders and network shares must be created, and their properties and security settings must be
configured appropriately. The folders do not need to be on the same computer as the McAfee DLP
Endpoint Database server, but it is usually convenient to put them there.
We suggest the following folder paths, folder names, and share names, but you can create others as
appropriate for your environment.
• c:\dlp_resources\
• c:\dlp_resources\evidence
• c:\dlp_resources\whitelist
• Evidence folder — Certain protection rules allow for storing evidence, so you must designate, in
advance, a place to put it. If, for example, an email is blocked, a copy of the email is placed in the
Evidence folder.
• Whitelist folder — Text fingerprints to be ignored by the DLP Endpoint are placed in a whitelist
repository folder. An example is boilerplate text such as disclaimers or copyright. McAfee DLP
Endpoint software saves time by skipping these chunks of text that are known to not include
sensitive content.
Tasks
• Configure folders on Windows 2003 Server on page 54
Configuration of the repository folders on Windows 2003 Server requires specific security
settings.
• Configure folders on Windows 2008 Server on page 55
Configuration of the repository folders on Windows 2008 Server requires specific security
settings.
Both folders are configured in the same manner. Repeat this task for each folder.
Task
1 Right-click the evidence / whitelist folder and select Sharing and Security.
2 In the dialog box that appears, select Share this folder. Modify Share name to evidence$ / whitelist$.
4 On the Permissions tab of the Advanced Security Settings for evidence dialog box, deselect Allow inheritable
permissions.
A confirmation message explains the effect this change will have on the folder.
5 Click Remove. The Permissions tab on the Advanced Security Settings dialog box shows all
permissions eliminated except administrators.
Setting permissions for administrators is required for the whitelist folder. It is optional for the
evidence folder, but can be added as a security precaution. Alternately, you can add permissions
only for those administrators who deploy policies.
6 Double-click Administrators entry to open the Permission Entry dialog box. Change the Apply onto option to
This folder, subfolders and files. Click OK.
8 In the Enter the object name to select text box, type Domain Computers, then click OK to display the
Permission Entry dialog box.
Verify that the Apply onto option says This folder, subfolders and files, then click OK.
The Advanced Security Settings dialog box now includes Domain Computers.
Both folders are configured in the same manner. Repeat this task for each folder.
Task
1 Right-click the evidence / whitelist folder and select Permissions.
2 Click the Sharing tab, then click Advanced sharing. Select the Share this folder option and click Apply.
5 On the Permissions tab, deselect the Include inheritable permissions from the object's parent option.
A confirmation message explains the effect this change will have on the folder.
6 Click Remove.
The Permissions tab in the Advanced Security Settings window shows all permissions eliminated.
8 In the Enter the object name to select field, type Domain Computers, then click OK.
Verify that the Apply onto option says This folder, subfolders and files, then click OK.
11 In the Enter the object name to select text box, type Administrators, then click OK to display the
Permission Entry dialog box. Set the required permissions.
Adding administrators is required for the whitelist folder. It is optional for the evidence folder, but
can be added as a security precaution. Alternately, you can add permissions only for those
administrators who deploy policies.
Sensitive data redaction and the McAfee DLP Monitor permission sets
To meet the legal demand in some markets to protect confidential information in all circumstances,
McAfee DLP Endpoint software offers a data redaction feature. Fields in the McAfee DLP Monitor
containing confidential information are encrypted to prevent unauthorized viewing. The feature is
designed with a "double key" release. This means that to use the feature, you must create two
permission sets: one to view the monitor and another to view the encrypted fields. Both roles are
required to use the feature.
Task
1 Click New User.
2 Type a user name and specify logon status, authentication type, and permission sets.
We recommend creating user groups related to the role, for example DLP Quarantine Administrator.
The order of creating users and permission sets is not critical. If you create users first, user names
appear in the permission set form and you can attach them to the set. If you create permission sets
first, the permission set names appear in the user form and you can attach the user to them.
3 Click Save.
Task
1 Click New Permission Set.
The order of creating users and permission sets is not critical. If you create users first, user names
appear in the permission set form and you can attach them to the set. If you create permission sets
first, the permission set names appear in the user form and you can attach the user to them.
3 Click Save.
4 In the Data Loss Prevention field for the new permission set, click Edit.
To turn off the sensitive data redaction feature, select User can view DLP Monitor in the monitor section.
The default installation is a 90-day license for McAfee Device Control software. If you purchased a
license for full McAfee Data Loss Prevention Endpoint software, you must upgrade the license after you
complete the installation.
Task
1 In ePolicy Orchestrator, select Menu | Software | Extensions, then click Install Extension.
3 Click OK.
The wizard can be run at any time by selecting Initialization Wizard from the Tools menu in the McAfee DLP
Endpoint policy console.
The McAfee DLP Endpoint Management Tools installer and McAfee DLP Endpoint policy console
initialization wizard use ActiveX technology. To prevent the installer from being blocked, verify that the
following are enabled in Internet Explorer Tools | Internet Options | Security | Custom level:
• Automatic prompting for ActiveX controls
Task
1 After the McAfee DLP Endpoint Management Tools installation has completed, the McAfee DLP
Endpoint policy console begins loading. If you have an existing policy, you are prompted to convert
it to the new XML format. Click Convert and skip to step 4.
2 If no previous policy exists, the message DLP global policy is unavailable. Loading default policy appears. Click
OK to continue.
3 When the message Agent configuration is unavailable. Loading a default agent. appears, click OK.
4 When the McAfee DLP Endpoint policy console First Time Initialization wizard appears, complete the
following steps:
Option Description
1 of 8 Click Next.
2 of 8 By default, the file system discovery crawler places sensitive files in quarantine. Though
we do not recommend it, you can delete these files instead by selecting the Support
discovery delete option.
This option is not available until you update to the full McAfee Data Loss Prevention
Endpoint software installation.
For troubleshooting, when you need to review an easily readable version of the policy,
select Generate verbose policy. For most installations, we recommend leaving these
checkboxes unselected.
In very large organizations where the rollout of McAfee DLP Endpoint 9.2 is staged over
time, earlier versions of the plug-in need to coexist. Select the appropriate Backward
compatibility mode:
• No compatibility (all endpoints are version 9.2)
The compatibility option McAfee DLP Endpoint Agent 3.0.5 or current version refers to a
specific hotfix. Unless you specifically know that you are using this hotfix, choose DLP
Agent 3.0 compatibility for all version 3 endpoints.
3 of 8 This step is not available when installing McAfee Device Control.
Type user names, or click Add to search for user names (optional). Click Next.
We recommend creating a role-based group such as DLP Manual Tagging Users, and
using the group when configuring Access Control.
4 of 8 Type a password and confirmation (required). McAfee DLP Endpoint software version
9.2 requires strong passwords, that is, at least 8 characters with at least one each of
uppercase letter, lowercase letter, digit, and special character (symbol). If you are upgrading,
this is not enforced until you change a password.
If you don't want endpoint key generation events reported to the database, deselect the
checkbox. If you want to use short challenge/response (8 digits instead of 16), select the
checkbox.
See the McAfee Data Loss Prevention Endpoint Product Guide for more information on
Agent bypass.
Click Next.
5 of 8 Browse to the Whitelist storage share, then click Next. The UNC whitelist path is required
to apply the policy to ePolicy Orchestrator. Size limits are displayed, but cannot be
changed in the Initialization wizard.
6 of 8 Modify the default notification messages (optional). Select each event type in turn, and
type the message in the text box. Click Next.
7 of 8 Browse to the evidence storage share and click Next. The evidence storage path is
required to apply the policy to ePolicy Orchestrator. Set the required Evidence Replication
option. See the Release notes: New Features for more information on this option. Click
Next.
8 of 8 Click Finish.
5 The Initialization Wizard dialog box appears with the message, Apply initial configuration?
• If you have not skipped any required steps, you can click Yes and apply the initial policy.
A password and the evidence storage share are required to complete initialization. The other steps
indicated as required are necessary to complete the policy. They can be skipped during initialization
and completed at a later time. If you did not apply the policy, select File | Save to save the policy to a
file.
6 Click Finish.
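The strong-password rule quoted in step 4 of 8 of the wizard (at least 8 characters with an uppercase letter, a lowercase letter, a digit and a symbol) can be checked before a password is typed into the console. The following added example is not McAfee's implementation; it assumes ASCII letters, digits and punctuation are what the rule counts, which the guide does not specify.

```python
"""Check a password against the policy stated for the McAfee DLP Endpoint
9.2 initialization wizard. Added example, not McAfee's own code; the
character classes are assumed to be ASCII."""
import string

MIN_LENGTH = 8  # "at least 8 characters" per the wizard text


def password_policy_failures(password: str) -> list:
    """Return the names of the rules the password fails (empty when it passes)."""
    checks = [
        ("at least 8 characters", len(password) >= MIN_LENGTH),
        ("an uppercase letter", any(c in string.ascii_uppercase for c in password)),
        ("a lowercase letter", any(c in string.ascii_lowercase for c in password)),
        ("a digit", any(c in string.digits for c in password)),
        # Assumption: "special character (symbol)" means ASCII punctuation.
        ("a special character (symbol)", any(c in string.punctuation for c in password)),
    ]
    return [name for name, ok in checks if not ok]


def is_strong_password(password: str) -> bool:
    """True only when every rule in password_policy_failures is satisfied."""
    return not password_policy_failures(password)


if __name__ == "__main__":
    for candidate in ("dlpagent", "Dlp-2012x"):  # constructed samples
        print(candidate, password_policy_failures(candidate) or "OK")
```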
Task
1 On the McAfee DLP Endpoint policy console menu bar, select Help | Update License.
The View and Update License window displays the current (default) activation key and expiration date.
2 Click Update.
3 Type or paste the Activation Key in the text box and click Apply.
A warning that you must log on again for the change to take effect appears.
4 Click OK to close the message box, and click Close to close the Update License window, then log off
ePolicy Orchestrator.
6 From the Agent Configuration menu, select Edit Global Agent Configuration.
7 Go to the File Tracking tab and select Device Control and full content protection.
8 Go to the Miscellaneous tab. Only the Agent Popup service, Device Blocking, and Reporting Service
modules are selected. Select the remaining modules you require to enable them and click OK.
Do not enable modules you don't use. They increase the McAfee DLP Endpoint agent size and slow
its operation unnecessarily.
10 In ePolicy Orchestrator, issue a wake-up call to deploy the policy change to the workstations.
Task
1 Select package type Product or Update (.ZIP), browse to ..\HDLP_Agent_9_2_0_xxx.zip, then click Next.
The Check in Package page appears.
If you are upgrading, you are prompted that the product already exists. Click OK. The new package
replaces the old one.
Tasks
• Define a default rule on page 61
To verify that the McAfee DLP Endpoint software has been deployed properly, we
recommend defining a default rule before deploying to the managed computers.
• Deploy McAfee DLP Endpoint with ePolicy Orchestrator on page 62
Before policies can be applied, McAfee DLP Endpoint must be deployed to the endpoint
computers by ePolicy Orchestrator.
• Verify the installation on page 63
After installing McAfee DLP Endpoint software, you should verify the installation in the
McAfee DLP Monitor.
Task
1 Create a classification rule:
a In the McAfee DLP Endpoint policy console navigation pane under Content Protection, select
Classification Rules.
b Right-click in the Classification Rules window and select Add New | Content Classification Rule. Rename the
rule Email Classification Rule.
d In step 1 of the rule creation wizard, select either of the options (ANY or ALL) then scroll down
the text patterns list and select Email Address. Click Next three times, skipping to step 4.
e In step 4 of the rule creation wizard, click Add New to create a new category. Name it Email
Category, click OK to accept the new category, then click Finish.
b Right-click in the Protection Rules window and select Add New | Removable Storage Protection Rule.
d Click through to step 2 of the rule creation wizard and add the Email Category created when
creating the classification rule in the Included column.
e Click through to step 7 of the rule creation wizard. Select Monitor, then click Finish.
3 On the Tools menu, select Run Policy Analyzer. You should receive warnings, but no errors.
If you receive errors, they probably come from improper initialization, such as not specifying an
evidence folder or override password. You can re-run the initialization from the Tools menu to
correct this.
Task
1 In the System Tree, select the level at which to deploy McAfee DLP Endpoint.
Leaving the level at My Organization deploys to all workstations managed by McAfee ePolicy
Orchestrator.
If you select a level under My Organization, the right-hand pane displays the available
workstations. You can also deploy McAfee DLP Endpoint to individual workstations.
2 In the Name field, type a suitable name, for example, Install DLP Endpoint. Typing a description
is optional.
4 Review the task summary. When you are satisfied that it is correct, click Save. The task is scheduled
for the next time the McAfee Agent updates the policy. To force the installation to take place
immediately, issue an agent wake-up call.
5 After McAfee DLP Endpoint has been deployed, restart the managed computers.
Task
• Verify the McAfee DLP Endpoint installation and apply the policy enforcement by using the
cmdagent.exe /s command. See the McAfee ePolicy Orchestrator McAfee Agent documentation
for more information.
• Local uninstall using Windows Add or Remove Programs. This method requires a challenge-response key
obtained from the McAfee DLP Administrator.
Task
1 In the McAfee DLP Endpoint policy console, select Tools | Generate Agent Uninstall Key.
This step can also be performed with the McAfee DLP Help Desk tool, using the Generate Uninstall Key
tab.
4 Type the agent override key password or select Use password from current policy. (Step 3)
5 Click Generate Key to create the uninstall key for the user.
This Release Code is sent to the user to enter into the request bypass dialog box.
Integrate McAfee DLP Endpoint into the McAfee DLP Manager network product suite by installing it on
ePolicy Orchestrator 4.5 or 4.6 and connecting it to McAfee DLP Manager.
Once you have integrated the network products and McAfee DLP Endpoint in a unified solution, you
won't be able to access the existing standalone McAfee DLP Endpoint global policy. Any policy
management will have to be done through McAfee DLP Manager.
The integration is achieved by uniting the McAfee DLP Endpoint global policy within a unified policy
design. When the unified installation is complete, communication between the McAfee DLP system and
its endpoints is handled by the McAfee Agent DLP client.
McAfee DLP Endpoint works with McAfee DLP Manager through ePolicy Orchestrator, so you must
configure all three products to unify the system under the network product suite.
The McAfee Agent DLP client routes policy updates to the clients and collects events from them. If
evidence collecting is enabled in the policy, events are sent to the event parser, then stored in an
evidence folder, which is normally located on the ePolicy Orchestrator.
If McAfee DLP Manager is configured to report endpoint events, they are copied to the ePolicy
Orchestrator database by the McAfee DLP client software, then displayed on the Data-in-Use dashboards.
Installing McAfee Logon Collector is optional, but is especially useful for enterprises that monitor large
numbers of endpoints. McAfee Endpoint Encryption for Files and Folders might also be useful to decrypt
events reported on the Data-in-Use dashboard.
Contents
Setting up Unified DLP on ePolicy Orchestrator
Connecting McAfee DLP Manager and the ePolicy Orchestrator server
Configuring McAfee DLP Endpoint on McAfee DLP Manager
Installation and configuration complete
Task
1 Open a web browser and enter the location of the network extension into the address bar.
https://<DLP_Manager_name>/eponetdlp/netdlp.zip
The extension can also be downloaded from the McAfee Support Portal, or copied from the /data
directory of the downloaded and expanded McAfee DLP Manager directory.
5 Click OK.
Task
1 Download UDLP extension version 9.2.5.xxx from the McAfee Support Portal to your desktop.
The McAfee DLP Endpoint Management Tools installer runs, then the agent configuration console
begins loading. Add the required information to the fields.
If the agent configuration is not deployed on the endpoint computer, none of the protection rules
will work.
Task
1 In the ePolicy Orchestrator header, select Menu | Policy | Policy Catalog.
2 From the Product menu, select Data Loss Prevention 9.2: Policies.
After you name the duplicate and select it, the Settings page appears.
4 In the Evidence tab, type the UNC Path of the evidence folder share and folder name.
\\server name\evidence
The same server will also be entered on the McAfee DLP Manager Add New Evidence Server page.
6 In the Evidence Replication section, select the Evidence and Hit Highlighting checkboxes.
Show abbreviated hits appears in the associated field.
Enabling this option allows users to easily see matching text in the events reported to the McAfee
DLP Manager Data-in-Use dashboards.
7 In the Security tab, type in a list of authorized users and groups to enable manual tagging of files
on agent machines.
For example, type in Everyone to give Manual Tagging Authorization to all users.
This sets up the agent to support manual tagging through McAfee DLP Manager. Selecting the Allow
Manual Tagging checkbox when creating tags on the Endpoint Configuration page makes the tags visible to
trusted users, who can use them to classify documents on their desktops.
8 Click Save.
The folder is normally on the ePolicy Orchestrator, but might be located on another computer.
Task
1 In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | System Administration | Devices.
4 In the Add New Evidence Server window, enter the required information in the following format.
• Password — ********
5 Click Add.
Creating an ePolicy Orchestrator database user is only one aspect of establishing a connection to the
ePolicy Orchestrator server, which is required to support McAfee DLP Endpoint features.
Task
1 In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | User Administration | DB User.
4 Type an IP Address for the ePolicy Orchestrator user's account and Add it to the Selected IP Addresses box.
Repeat if more than one ePolicy Orchestrator user is needed.
5 Click Apply.
After McAfee DLP Manager and ePolicy Orchestrator are registered to each other, the extensions and
the McAfee Agent DLP client can be set up to manage McAfee DLP Endpoint communications between
the systems.
Task
1 In ePolicy Orchestrator, select Menu | Configuration | Registered Servers.
3 Type in the name of the McAfee DLP Manager, add optional notes, and click Next.
4 In the Description field, type in the name of the McAfee DLP Manager.
5 In the Database Password field, type in the epouser database password from the McAfee DLP Manager
System | User Administration | DB User page.
This password allows access to the McAfee DLP Manager MySQL database from ePolicy Orchestrator.
7 Type in the user name and password to McAfee DLP Manager and set the refresh period.
Task
1 In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | System Administration | Devices.
6 Enter the information gathered from the ePolicy Orchestrator Registered Server Builder | 2 Details page.
7 Click Add.
9 Wait for the Status icon in the device list to turn green.
If the icon turns red, the netdlp.zip extension is probably not installed on ePolicy Orchestrator.
The CPU usage display indicates that the registration tasks are being performed. McAfee DLP Manager
does not display any CPU activity, because it serves only as a collection point for the data. The other
machines are capturing and indexing data, and their processor readings show the CPU utilization. It
should not go over 70-80%.
If registration seems to be taking a long time, try refreshing the page.
The status icon does not apply to the evidence server, which is normally a folder on the ePolicy
Orchestrator server. If it is listed, it has been successfully added to McAfee DLP Manager.
If the ePolicy Orchestrator server loses connection to the database, you cannot use
https://servername:port/core/config to reconnect to the database. Refer to KB66320 in the McAfee
Knowledgebase for more information.
• Enable unified policy management by generating a policy, setting a posting period, and selecting a
backward compatibility mode.
• Add an agent override password to encrypt and decrypt evidence and override default reactions.
• Add a list of printer models that cannot be controlled by McAfee DLP software.
When these operations are complete, you can define unified rules on the Policies page, then view the
Incidents | Data-in-Use dashboard to verify that the endpoint events are being generated and reported.
Click the Columns icon, then add or remove columns to display exactly the information that is needed.
You must also set an interval for posting policy modifications through ePolicy Orchestrator. By default,
rule definitions are updated on the McAfee DLP Endpoint extension every 30 seconds, but you can
define a more conservative transfer interval (up to two hours, or 7200 seconds) by editing the Time
Duration for Posting Policy Definition setting.
Task
1 In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | Endpoint Configuration |
Miscellaneous and click Manage Endpoints.
2 On your Linux-based appliance, select System | Endpoint Configuration | Miscellaneous and click Manage
Endpoints.
4 In the Time Duration for Posting Policy Definition field, enter a number between 30 and 7200 seconds.
The policy is generated, posted from McAfee DLP Manager to ePolicy Orchestrator, saved in the
database, forwarded to the connected agents, and updated at the defined interval.
5 Click Submit.
Because any existing software installations must continue to be supported, the default unified policy
configuration is not activated until you generate a policy to provide the groundwork for connection
with the McAfee Agent client through ePolicy Orchestrator. Endpoints cannot be managed until a policy
is assigned, and events cannot be monitored until the McAfee Agent client has been updated.
The default configuration is DLP Agent 9.0 and above. If the McAfee Host DLP product installed on McAfee
ePolicy Orchestrator was released before version 9.1, no change is needed on the Manage Endpoints page.
The unified policy management process is initiated by selecting the Generate Policy for Endpoint checkbox
on the system Manage Endpoints page.
The most significant reason for maintaining earlier versions of the endpoint product is the need for
staged updates. A group of clients might be updated to the new version, but support for older clients
still in use might still be needed.
The need for digital rights management, which controls use of digital content not authorized by the
content provider, might be an additional consideration. This feature of McAfee DLP Endpoint (also
known as McAfee Host DLP) is not supported in McAfee DLP Manager, so network and endpoint
applications might have to be run separately.
But if McAfee DLP Endpoint 9.1 is installed and digital rights management is not needed, select No
compatibility. The new features in that release are then available in the network product suite. Features
like Document Scan Scope and Password Protected Files appear in the user interface only if the 9.1 version
of the McAfee Agent client is accessible through McAfee DLP Manager.
Task
1 In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | Endpoint Configuration |
Miscellaneous and click Agent Override Password.
2 On your Linux-based appliance, select System | Endpoint Configuration | Miscellaneous and click Agent
Override Password.
McAfee DLP Endpoint 9.2 requires strong passwords: at least 8 characters, including both uppercase
and lowercase letters, a number, and a symbol.
4 Click Submit.
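The following Python script is an added example, not part of the McAfee documentation or product, that checks a candidate agent override password against the rule stated above and generates a compliant one from the operating system's CSPRNG. It assumes that "symbol" means any printable ASCII punctuation character (the guide does not list which symbols the product accepts), so treat that character set as an assumption and adjust it if the Agent Override Password page rejects a character.

```python
"""Check and generate agent override passwords for the stated
McAfee DLP Endpoint 9.2 rule: 8+ characters, upper- and lowercase
letters, a digit, and a symbol.

Added example; not McAfee code. The symbol set below is an assumption.
"""
import secrets
import string

# Assumption: "symbol" means any printable ASCII punctuation character.
SYMBOLS = string.punctuation
MIN_LENGTH = 8


def check_override_password(password: str) -> list[str]:
    """Return the list of unmet requirements; an empty list means the
    password satisfies the stated rule."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    return problems


def generate_override_password(length: int = 16) -> str:
    """Generate a password that meets the rule, using secrets (CSPRNG).

    One character is drawn from each required class first so the result
    always passes check_override_password(); the remaining positions are
    drawn from the full alphabet, then the list is shuffled so the class
    order is not predictable.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    classes = [
        string.ascii_uppercase,
        string.ascii_lowercase,
        string.digits,
        SYMBOLS,
    ]
    chars = [secrets.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs for demonstration only.
    for candidate in ("Passw0rd!", "Passw0rd", "Pa0!"):
        result = check_override_password(candidate)
        print(f"{candidate!r}: {'ok' if not result else ', '.join(result)}")
    print("generated:", generate_override_password())
```

Keep the generated value in the vault you use for other ePolicy Orchestrator secrets; the override password both protects evidence and lets a user bypass default reactions, so it should be treated with the same care as an administrator credential.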
After they are created, manual tags are pushed to users at endpoints by the McAfee Agent client.
The ability to classify documents with tags encourages users to take independent action to protect files
within their areas of responsibility. For example, users at medical facilities might be trusted to apply
HIPAA tags to patient records that must be kept confidential by law.
If the Allow Manual Tagging checkbox is not selected, file tagging can still be done manually — but only by
administrative users, who can tag or remove files individually or in groups.
Task
1 In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | System Administration | Endpoint
Configuration | Tag Labels.
2 On your Linux-based appliance, select System | System Administration | Endpoint Configuration | Tag Labels.
3 Select a tag.
5 Click Save.
Consult the Product Guide for McAfee Total Protection for Data Loss Prevention 9.2 for more information.
Index

A
about this guide 5
administrators, defining 56

B
backward compatibility 58

C
configuration, server 45
conventions and icons used in this guide 5

D
default rule, defining 61
DLP administrators, defining 56
DLP Endpoint
    checking in to ePolicy Orchestrator 61
    deploying 62
    deployment verification 63
    uninstalling 63
DLP Help extension, installing 58
DLP Policy console, installing 58
documentation
    audience for this guide 5
    product-specific, finding 6
    typographical conventions and icons 5

E
ePolicy Orchestrator
    installing 45, 46
evidence folder 53
evidence folder, configuring on Windows Server 2003 54
evidence folder, configuring on Windows Server 2008 55

H
hardware requirements 43

I
installation 10

L
license, Device Control and DLP 60

M
managing DLP 8
McAfee ServicePortal, accessing 6
Microsoft SQL, adding a user 49
Microsoft SQL, installing 53

P
permission set options 57
permission sets, defining 57
policy, initializing 58

R
redaction 53, 56
roles and permissions 53

S
server configuration 45
server software requirements 43
ServicePortal, finding product documentation 6
supported operating systems 43
system requirements 43

T
Technical Support, finding product information 6

U
uninstalling DLP Endpoint 63

V
verifying the installation 63

W
WCF, installation options 47
WCF, installing 53
WCF, troubleshooting 52
whitelist folder 53
whitelist folder, configuring on Windows Server 2003 54
whitelist folder, configuring on Windows Server 2008 55