Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes, and the latest version of the applicable user documentation, which are available from the Trend Micro website at:
http://docs.trendmicro.com
Trend Micro, the Trend Micro t-ball logo, and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Copyright © 2012 Trend Micro Incorporated. All rights reserved.
Document Part No.: LPEM55495/120717
Release Date: July 2012
Protected by U.S. Patent No. 7,516,130 and U.S. Patent No. 7,747,642.
The user documentation for Trend Micro Data Loss Prevention introduces the main features of the software and installation instructions for your production environment. Read through it before installing or using the software.
Detailed information about how to use specific features within the software is available in the online help file and the online Knowledge Base at the Trend Micro website.
Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected].
Please evaluate this documentation on the following site:
http://www.trendmicro.com/download/documentation/rating.asp
Table of Contents
Audience
Migration Overview
    Migration Toolkit Components
    Migrated Data
    Migration Prerequisites
    Migration Toolkit Usage Parameters
Migration Procedures
    Installing the RPM Package on the DLP 5.5 Server
        Checking File Locations
    Migrating the DLP Server
    Upgrading Agents
    Upgrading Remote Crawlers
Post Migration Issues
    Fingerprint Acquisition Performance
Audience
This document is intended for IT administrators involved in migrating from DLP 5.5 to DLP 5.6. IT administrators must have an overall understanding of the Data Loss Prevention system, as well as general familiarity with Linux and Windows™ operating systems.
Migration Overview
The DLP Endpoint 5.6 migration tool enables administrators to move server, agent, and remote crawler configuration settings. For the English version, the server’s version should be 5.5 with Patch 2 (DSC-5.5-1355) or later, while the agent should be DLP Endpoint 5.5 agent.
This migration tool extracts and migrates DLP 5.5 server data, such as data identifiers, templates, policies, logs, forensic data, reports, schedules, and system configurations. The tool also upgrades the server and deploys an upgrade hot fix to agents.
Note
There is no need to prepare two servers for migration. The procedure involves both data migration and server upgrade on the original DLP 5.5 server. More than 10GB free disk space is required.
After migration, the DLP server can manage DLP 5.5 agents and deploy the upgrade hot fix. Consequently, you must upgrade both agents and remote crawlers.
Migration Toolkit Components
The migration toolkit contains the following components:
TABLE 1. Migration Toolkit Components
COMPONENT        DESCRIPTION
Migration tool   Migrates the server from version 5.5 (GM build with Patch 2 (DSC-5.5-1355) or later) to version 5.6 (GM build DSC-5.6-1071):
                 DLP-MigrationTool-55To56-1.0-1.noarch.rpm
Upgrade hot fix  Upgrades the agents from version 5.5 to 5.6:
                 LP_56_en_hotfix1_b1071_20120714.zip
Migrated Data
The following table lists the types of data that are migrated and not migrated to the new version.
DLP Endpoint 5.6 Migration Guide
DATA MIGRATED DATA NOT MIGRATED
• Data identifiers (expressions, file attributes, fingerprints, keyword lists)
• Templates
• Policies
• Data discovery
• Device control
• Reports
• Logs (policy deployment, security violations, and system events)
• Fingerprint data
• Schedules (fingerprint, data discovery, and report schedules)
• Update configuration (user-defined update server, proxy settings, and update schedule)
• Server configuration (fingerprint settings and application settings)
• Agent configuration (dialog configuration, logging configuration, and global exceptions)
• Remote crawler agent information
• Agent information
• User accounts
• Roles
• LDAP configuration
• Product license code
• Patches/hot fixes
• Add-ons
• Trend Micro ActiveUpdate server
• Server status logs
• UDP Listener information
• Exported file from system data
Note
Old violation logs are migrated, and they can be queried on the “Log Query” page by selecting “Data range = all date; Log type = DLP incidents”. The summary page of the web console also displays the statistics on the dashboard.
Migration Prerequisites
The following items should be ready before migration.
TABLE 2. Server Data Migration Prerequisites
ITEM                          RECOMMENDATION
DLP 5.5 appliance             Ensure that the DLP 5.5 server and agents are running correctly before migration. If there are any problems with the current state, refer to the Administrator’s Guide or contact the Trend Micro DLP Support team.
Migration toolkit             The package “DLP-MigrationTool-55To56-1.0-1.noarch.rpm” contains the migration tool and the server upgrade build. Ensure that the DLP 5.5 server has enough space (more than 10G) to store the backup files during migration.
                              WARNING! This migration toolkit only supports DLP 5.5 servers with Patch 2 (DSC-5.5-1355) and other more recent versions.
Policies                      All enabled policies will be deployed automatically after migration. Modify or delete policies before or after migration.
DLP client 5.6 upgrade patch  LP_56_en_hotfix1_b1071_20120714.zip
                              Deploy this upgrade hot fix to DLP 5.5 agents after server migration.
Migration Toolkit Usage Parameters
The migration toolkit includes the script file (dlpMTool56). Run dlpMTool56 from the DLP server command line interface (CLI).
Usage
dlpMTool56 [-m | -h | -?]
PARAMETER  DESCRIPTION
-h | -?    Displays Help information.
           Note: You can also display Help information by executing dlpMTool56 without any parameters.
-m         Migrate server from DLP v5.5 to DLP v5.6.
Log
If the migration fails, check the following log file: /var/tmp/migration.log
Migration Procedures
Below are the high-level procedures for migrating the DLP server, agents, and remote crawler:
Task
1. Installing the rpm package on the DLP v5.5 server
2. Migrating the DLP 5.5 server
3. Upgrading the DLP 5.5 agents
4. Upgrading the remote crawlers
Important
This sequence must be followed.
Installing the RPM Package on the DLP 5.5 Server
Task
1. Log on to the DLP 5.5 server using the dgate account.
2. Save the DLP-MigrationTool-55To56-1.0-1.noarch.rpm file in the following folder on the DLP server: /home/dgate/.
3. From the RPM package directory, run the following command: sudo rpm -ivh DLP-MigrationTool-55To56-1.0-1.noarch.rpm
Note
To uninstall the migration tool, run the following command: sudo rpm -e DLP-MigrationTool-55To56
Checking File Locations
After installing the rpm package, check the following files:
TABLE 3. Migration Tool Locations
LOCATIONS              FILES
/usr/local/bin/        dlpMTool56
/etc/tmdlp/dlpmtool56  DSC-5.6-1071.tar.gz
                       clish_profile
                       AutoActionsAfterMigration.class
                       dlpMigrate.py
                       applicationContext.xml
                       Compliance Template.xml
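The file check above and the free-space prerequisite can be scripted and run before the migration. This is an added example, not part of the Trend Micro toolkit; the file list comes from Table 3, while the function names, the optional root prefix and the choice of /var/tmp (where the backups are written) as the filesystem to measure are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Trend Micro migration toolkit.
# File names are those listed in Table 3; function names are hypothetical.

# Print every expected file that is missing under ROOT (default: "/").
# Reading line by line keeps "Compliance Template.xml" intact despite the space.
missing_toolkit_files() {
    root=${1:-}
    while IFS= read -r path; do
        [ -f "$root$path" ] || printf '%s\n' "$path"
    done <<'EOF'
/usr/local/bin/dlpMTool56
/etc/tmdlp/dlpmtool56/DSC-5.6-1071.tar.gz
/etc/tmdlp/dlpmtool56/clish_profile
/etc/tmdlp/dlpmtool56/AutoActionsAfterMigration.class
/etc/tmdlp/dlpmtool56/dlpMigrate.py
/etc/tmdlp/dlpmtool56/applicationContext.xml
/etc/tmdlp/dlpmtool56/Compliance Template.xml
EOF
}

# Succeed only if DIR has strictly more than MIN_KB kilobytes available.
has_free_space() {
    avail=$(df -Pk "$1" | awk 'NR==2 {print $4}') || return 1
    [ -n "$avail" ] && [ "$avail" -gt "$2" ]
}

# Run both checks; a non-zero return means "do not start dlpMTool56 -m yet".
preflight() {
    root=${1:-}
    missing=$(missing_toolkit_files "$root")
    if [ -n "$missing" ]; then
        echo "missing after rpm install:"; echo "$missing"; return 1
    fi
    # 10 GB = 10 * 1024 * 1024 KB; the guide asks for more than 10 GB.
    # Assumption: /var/tmp, where the backups go, is the filesystem that matters.
    has_free_space "$root/var/tmp" 10485760 || { echo "need >10 GB free"; return 1; }
    echo "preflight ok"
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```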
Migrating the DLP Server
Task
1. Before migration, disable the DLP server service port for agents. This will prevent agents from interrupting the server during the migration process.
a. Log on to the DLP 5.5 server using the dgate account.
b. Open the following iptables configuration file:
[dgate@localhost ~]$ sudo vi /etc/sysconfig/iptables
c. Add the comment character “#” at the beginning of the following entries:
-A INPUT -p tcp -m tcp --dport 8804 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8904 -j ACCEPT
d. Save the file.
e. Restart the iptables service:
[dgate@localhost ~]$ sudo service iptables restart
2. On the DLP 5.5 CLI, run the following command:
dlpMTool56 -m
Note
The script may run for several minutes. The confirmation message “migration successful finish...” is displayed on the CLI when the migration process is successfully completed.
The automatic migration process involves the following steps:
a. Stop server services.
b. Back up database settings and files in the /var/tmp/ folder.
c. Pre-update the database and replace files for migration.
d. Start services and update DB.
Note
If migration fails during these steps, contact the Trend Micro DLP Support team.
3. On the DLP Endpoint 5.6 server web console, manually upload the upgrade hot fix package LP_56_en_hotfix1_b1071_20120714.zip in both staging and production environments.
4. Enable the DLP server service port for agents.
a. Log on to DLP Endpoint 5.5 server using the dgate account.
b. Open the iptables configuration file:
[dgate@localhost ~]$ sudo vi /etc/sysconfig/iptables
c. Remove the comment character “#” from the beginning of the following lines and save the iptables configuration file.
#-A INPUT -p tcp -m tcp --dport 8804 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 8904 -j ACCEPT
d. Restart the iptables service.
[dgate@localhost ~]$ sudo service iptables restart
5. On the DLP Endpoint server web console, review the settings to ensure that the data was migrated successfully.
TABLE 4. DLP Settings
DATA                              LOCATION
Data Identifiers                  Data Protection > Data Identifiers > Expressions
                                  Data Protection > Data Identifiers > File Attributes
                                  Data Protection > Data Identifiers > Fingerprints
                                  Data Protection > Data Identifiers > Keyword Lists
Templates                         Data Protection > Templates
Policies                          Data Protection > Policies
Data Discovery                    Data Protection > Data Discovery
Device Control                    Data Protection > Device Control
Reports                           Reports > Archived Reports > Generate Reports
Logs                              Logs > Query
Update configuration (update      Update > Configuration
source, proxy settings, and
update schedule)
Fingerprint settings              Administration > Server Configuration > Fingerprint Settings
Application settings              Administration > Server Configuration > Application Settings
Agent settings                    Administration > Agent Configuration > Agent Settings
Dialog configuration              Administration > Agent Configuration > Advanced Settings > Dialog Configuration
Logging configuration             Administration > Agent Configuration > Advanced Settings > Logging Configuration
Global exceptions                 Administration > Agent Configuration > Global Exceptions
Exported data setting             Administration > Data Management > Data Management Control
Remote crawler agent information  Administration > Crawler Management
Agent information                 Administration > Agent Management
User accounts                     Administration > Management Console > User Accounts
Roles                             Administration > Management Console > Role Management
LDAP configuration                Administration > LDAP
License Information               Product license
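Steps 1 and 4 of this procedure, as an added shell example that is not part of the Trend Micro toolkit: it comments out and later restores only the two agent-port rules (8804 and 8904) and reports whether either port still has an active ACCEPT rule. The function names, the .pre-migration backup suffix and the sample rules file are assumptions; on the server the file is /etc/sysconfig/iptables, edited with sudo and followed by the iptables restart shown in the steps.

```shell
#!/bin/sh
# Added example, not part of the Trend Micro toolkit; names are hypothetical.
AGENT_PORTS="8804 8904"

# Exact rule text from the guide for one port.
rule() { printf '%s' "-A INPUT -p tcp -m tcp --dport $1 -j ACCEPT"; }

# Apply one sed expression to a file in place without relying on "sed -i".
rewrite() {
    tmp=$(mktemp) || return 1
    sed "$2" "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Step 1: comment out the rules; a rerun cannot produce "##" or clobber the backup.
disable_agent_ports() {
    [ -e "$1.pre-migration" ] || cp -p "$1" "$1.pre-migration" || return 1
    for port in $AGENT_PORTS; do
        rewrite "$1" "s/^$(rule "$port")\$/#&/" || return 1
    done
}

# Step 4: strip the single leading "#" from exactly those rules.
enable_agent_ports() {
    for port in $AGENT_PORTS; do
        rewrite "$1" "s/^#\($(rule "$port")\)\$/\1/" || return 1
    done
}

# Print each agent port that still has an uncommented ACCEPT rule. The match is
# looser than the sed pattern so a differently written rule is not missed.
open_agent_ports() {
    for port in $AGENT_PORTS; do
        if grep -q -e "^[^#]*--dport $port .*-j ACCEPT" "$1"; then echo "$port"; fi
    done
}

# Constructed sample rules file for rehearsal (not from a real DLP server).
make_sample_rules() {
    cat > "$1" <<'EOF'
*filter
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8804 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8904 -j ACCEPT
COMMIT
EOF
}
```

An empty result from open_agent_ports after step 1, and both ports listed again after step 4, confirm that the edit matched the rules actually present in the file.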
Upgrading Agents
Trend Micro recommends two solutions for upgrading DLP agents. Select the solution that best fits your business environment.
Task
1. Solution 1
a. Uninstall DLP 5.5 agents via uninstall.bat or dtool as described in the DLP Installation Guide.
b. Perform a fresh installation of the DLP Endpoint 5.6 agent via install.bat or dtool.
2. Solution 2
a. Upload the upgrade hot fix to the DLP 5.6 web console.
b. Deploy the hot fix to all DLP Endpoint 5.5 agents.
Note
After hot fix deployment and reboot, agents will register on the DLP 5.6 server with the new version and automatically retrieve configuration settings.
c. On the Agent Management page of the web console, check that the agents are running the new DLP Endpoint 5.6 version.
Note
When offline agents connect to the DLP 5.6 server (containing the active update hot fix), the agents will automatically install the upgrade hot fix.
Upgrading Remote Crawlers
After server migration is completed, “Update Available” will display in the Remote Crawler screen of the web console.
Task
1. Back up the repository settings from the DLP 5.5 remote crawler srcrepo.xml configuration file. The srcrepo.xml configuration file can be found in different locations on different platforms:
PLATFORM              FILE PATH
Windows XP and 2003   ALLUSERSPROFILE\Application Data\Trend Micro\DLP RCA\srcrepo.xml
                      For example, C:\Documents and Settings\All Users\Application Data\Trend Micro\DLP RCA\srcrepo.xml
Windows Vista/2008/7  ALLUSERSPROFILE\Trend Micro\DLP RCA\srcrepo.xml
                      For example, C:\Program Data\Trend Micro\DLP RCA\srcrepo.xml
2. Uninstall the DLP 5.5 remote crawler agent on the control panel.
3. On the DLP 5.6 web console, download the latest remote crawler from Administration > Crawler Management > Download Remote Crawler.
4. Add related repository settings using the backup configuration file.
5. Check remote crawler status and details.
Post Migration Issues
The following issues may arise after migration to DLP Endpoint 5.6.
Fingerprint Acquisition Performance
After migration, fingerprint acquisition may be slow when acquiring initial fingerprints of many documents from an existing repository with the remote crawler. The solution is to re-initialize the acquisition cache after the remote crawler update.
The acquisition cache is the fast-acquisition mechanism that scans specific areas of a source repository. For example, if DLP scans and acquires fingerprints of documents A and B in the repository, and the user subsequently adds document C, the acquisition cache will only scan document C. However, the remote crawler update clears the cache and will scan documents A, B, and C to re-initialize the cache.