trend micro data loss prevention endpoint 5.6 installation guide

Trend Micro Incorporated reserves the right to make changes to this document and tothe products described herein without notice. Before installing and using the software,please review the readme files, release notes, and the latest version of the applicable userdocumentation, which are available from the Trend Micro website at:

http://docs.trendmicro.com

Trend Micro, the Trend Micro t-ball logo, and TrendLabs are trademarks or registeredtrademarks of Trend Micro Incorporated. All other product or company names may betrademarks or registered trademarks of their owners.

Copyright © 2012 Trend Micro Incorporated. All rights reserved.

Document Part No.: LPEM54474/100607

Release Date: June 2012

Protected by U.S. Patent No. 7,516,130 and U.S. Patent No. 7,747,642.

The user documentation for Trend Micro Data Loss Prevention introduces the mainfeatures of the software and installation instructions for your production environment.Read through it before installing or using the software.

Detailed information about how to use specific features within the software are availablein the online help file and the online Knowledge Base at the Trend Micro website.

Trend Micro always seeks to improve its documentation. If you have questions,comments, or suggestions about this or any Trend Micro document, please contact us [email protected].

Please evaluate this documentation on the following site:

http://www.trendmicro.com/download/documentation/rating.asp

1

http://docs.trendmicro.com

http://www.trendmicro.com/download/documentation/rating.asp

Table of Contents

Chapter 1: Installing the DLP Endpoint AgentAgent Installation Overview ......................................................................... 1-2

System Requirements ............................................................................. 1-2Installation Prerequisites ....................................................................... 1-3Preparation .............................................................................................. 1-4

Agent Installation with DLPforEndpoint.msi ........................................... 1-4Agent Installation with install.bat ........................................................ 1-4Agent Installation with Microsoft System Center ConfigurationManager (SCCM) .................................................................................. 1-10Custom Installation .............................................................................. 1-12DTOOL Property ................................................................................ 1-13

Agent Installation with dtool.exe ............................................................... 1-14Dtool Parameters ................................................................................. 1-15Installing DLP with Dtool.exe ........................................................... 1-16Uninstalling DLP with DTool.exe ..................................................... 1-17Performing Custom Installation ........................................................ 1-18Enabling Safe Mode Support ............................................................. 1-19

Agent Installation with a Copied Image ................................................... 1-19Installing the DLP Endpoint Agent by Copying the Image .......... 1-19

Chapter 2: Installing the DLP Virtual ApplianceDLP Virtual Appliance Installation ............................................................. 2-2

Virtual Machine Specifications ............................................................. 2-2Installing the DLP Virtual Appliance .................................................. 2-3

Configuring Network Settings .................................................................... 2-15Configuring Network Settings through the DLP Server CLI ....... 2-16

Reconfiguring the DLP Web Console Date Format .............................. 2-17

i

Trend Micro DLP Endpoint 5.6 Installation Guide

ii

Chapter 1

Installing the DLP Endpoint Agent

1-1

Agent Installation OverviewYou can install the DLP Endpoint agent using one of the following methods.

• Install with DLPforEndpoint.msi

• Install with Dtool.exe

• Deploy to multiple endpoints by copying an image

WARNING!

You must restart target machines after installation and uninstallation. Failure to restart afteruninstallation leaves filter drivers in place until the machine is shut down.

System RequirementsHardware Requirements

TABLE 1-1. Endpoint Agent Hardware Requirements

SPECIFICATIONS MINIMUM RECOMMENDED

CPU 300MHz Intel Pentium orequivalent

1024MHz Intel Pentium orgreater

RAM 128MB 1024MB or greater

Available Disk Space 300MB 1GB or greater

Network Interface Card (NIC) 10/100 Mbps

The endpoint agent consumes more disk space with the following activities:

• Downloading sensitive information/policies from the DLP server

• Downloading the fingerprint file from the DLP server

• Temporarily storing incident logs or captured data when the agent is offline

• Applying patches and hot fixes

• Temporarily processing data or files that are potential leaks


1-2

Software Requirements

The endpoint agent runs on the following operating systems:

32-bit

• Windows 7 Ultimate SP1, Enterprise SP1, Professional SP1, Starter SP1, HomePremium SP1, Home Basic SP1

• Windows Vista Enterprise SP1/SP2, Business SP1/SP2, Home Premium SP1/SP2,Ultimate SP1/SP2, Home Basic SP1/SP2

• Windows XP Professional SP2/SP3, Home SP2/SP3, Tablet 2005, Media CenterSP2/SP3

• Windows 2008 Datacenter SP1/SP2, Enterprise SP1/SP2, Standard SP1/SP2

• Windows 2003 Enterprise SP1/SP2, Datacenter SP2, Standard SP1/SP2, StandardR2 SP1/SP2, Web Edition SP2, Enterprise R2 SP1/SP2

64-bit

• Windows 7 Ultimate SP1, Enterprise SP1, Professional SP1, Starter SP1, HomePremium SP1, Home Basic SP1

• Windows Vista Enterprise SP1/SP2, Business SP1/SP2, Home Premium SP1/SP2,Ultimate SP1/SP2, Home Basic SP1/SP2

• Windows XP Professional SP1/SP2

• Windows 2008 Datacenter SP1/SP2, Enterprise SP1/SP2, Standard SP1/SP2,Enterprise R2 SP1, Standard R2 SP1

• Windows 2003 Enterprise SP1/SP2, Datacenter SP2, Standard SP1/SP2, StandardR2 SP1/SP2, Web Edition SP2, Enterprise R2 SP1/SP2

Installation Prerequisites• You must have an overall understanding of the DLP system, as well as general

familiarity with MS DOS and Windows™ operating systems.

• Before using this guide, you must set up the server. See the QuickStart Guideincluded with the product for this process.

Agent Installation Overview

1-3

• Ensure that you have administrative privileges on all endpoints.

• DLP uses different installation packages for systems running Windows 32-bit and64-bit platforms. Use the package created for the type of platform installed on yoursystem. If the package does not match the platform, installation cannot becompleted.

Preparation• If you have a previous version, you will need to perform a fresh install. Uninstall

the previous version before beginning the installation.

• If your server components are deployed with default port settings, note that theDLP management server listens at the following ports:

• 8904, 8804: Agent connection

• 8080: Agent connection (ActiveUpdate) and web console access

• 8443: Web console access

Basically, you install the DLP server on a standalone OS with a standalone IPaddress. There is little chance of conflict on those ports with other servers thathave their own IP addresses. If there is a conflict on those ports (such as if they areall behind the same firewall), you can use different firewall ports to map to thoseports.

• Copy the installation package into a temporary directory on your hard disk. Be sureto maintain the directory structure, and copy all files including subdirectories to thetemporary installation directory.

Agent Installation with DLPforEndpoint.msiThis topic describes how to install, uninstall and deploy DLPforEndpoint.msi.

Agent Installation with install.batYou can install the agent using the install.bat batch file.


1-4

WARNING!

install.bat must run with administrative privileges. If the target OS is Windows Vista orlater, only the administrator can execute it successfully.

Usage scenarios:

install.bat ServerIP [ MsiPath [n] [log] [nohide] [sb] ]

Parameters:

• ServerIP: The IP address of the DLP server must be the first parameter. [Required]

• MsiPath: Indicates the absolute path of DLPforEndpoint.msi. [Optional] DLPaccepts the UNC path. If omitted, DLP uses the current path.

• n: No reboot after installation. [Optional]

• log: Log the installation to file at c:\InstallDLPforEndpoint.log [Optional]

• nohide: Do not hide the Agent folder and service. [Optional]

• sb: Support safe mode. [Optional]

Note

The ServerIP must be the first parameter. The MsiPath must be the second parameter if itexists.

Sample Installation Procedures

1. Install the endpoint agent on a local machine with the server IP of 10.20.30.40

a. Open a command prompt.

b. Change to the directory that contains the install.bat and DLPforEndpoint.msifiles.

c. Execute the following command:

install.bat 10.20.30.40

2. Install the endpoint agent on a local machine from the UNC path with no reboot.

Agent Installation with DLPforEndpoint.msi

1-5


b. Change to the directory that contains the install.bat file.


install.bat 10.20.30.40 \\server\share\DLPforEndpoint.msi n

3. Install the endpoint agent with the server IP of 10.20.30.40, with the log openedand not hiding the agent.


b. Change to the directory that contains the install.bat and DLPforEndpoint.msifiles.


install.bat 10.20.30.40 \\server\share\DLPforEndpoint.msi n

4. Install the endpoint agent with the server IP of 10.20.30.40, with the log opened,not hiding the agent and supporting safe mode.

a. In normal mode, open a command prompt.

b. Change to the directory that contains the install.bat and DLPforEndpoint.msifiles


install.bat 10.20.30.40 DLPforEndpoint.msi sb log nohide

Installation Result

The installation is successful if the command line shows the following string:

## DLPforEndpoint installed successfully!

Otherwise, the installation has failed. If you cannot check the output of the commandline, check the log.

Log


1-6

File name: InstallDLPforEndpoint.log

Location: In the target machine's root drive c:\

Installation is successful if the log contains:

• a. Action ended xxx: Dtool. Return value 1.

• b. xxxProduct: LeakProof -- Installation operation completed successfully.

• c. xxxProduct: LeakProof -- Removal completed successfully.

Note

xxx represents an insignificant string.

Line a means Dtool.exe inside the DLPforEndpoint.msi was successfully executed.

Line b means the msiexec /i command was successfully executed.

Line c means the msiexec /x command was successfully executed.

Uninstallation

The DLP Endpoint uninstall batch file is uninstall.bat.

Usage scenarios:

• Deploy the DLPforEndpoint.msi file through the Microsoft System CenterConfiguration Manager (SCCM).

• Deploy the DLPforEndpoint.msi file through the AD (Domain Controller).

• Uninstall DLP Endpoint Agent manually.

uninstall.bat [MsiPath [n] [log]]

Parameters:

• MsiPath: The absolute path of the DLPforEndpoint.msi file. [Optional]

The UNC path is accepted. If omitted, the current path is used.

• n: No reboot after uninstallation. [Optional]


1-7

• log: Log the uninstallation to the c:\UninstallDLPforEndpoint.log file [Optional].

Note

The MsiPath must be the first parameter if it exists.

Sample Uninstallation Procedures

1. Uninstall local DLP Endpoint Agent with log opened.


b. Change to the directory that contains the uninstall.bat andDLPforEndpoint.msifiles.


uninstall.bat DLPforEndpoint.msi log

2. Uninstall the local DLP Endpoint Agent version from the UNC path, with Noreboot.


b. Change to the directory that contains the uninstall.bat file.


uninstall.bat \\server\share\DLPforEndpoint.msi n

Uninstalling Password-protected Agents

Note

The password protection functionality was added to dtool.exe but not install.bat. However,you can still use uninstall.bat to uninstall an agent that is password protected.

1. Open uninstall.bat with a text editor and find the following line:

set set LPPara=“-u -n”

2. Change the line to the following line:


1-8

set set LPPara=“-u -n -p{password}”

Password is a placeholder for your actual password. Password acceptsalphanumeric characters and no spaces.

3. Save the uninstall.bat file.

4. Open a command prompt.

5. Change to the directory that contains the uninstall.bat andDLPforEndpoint.msifiles.

6. Execute the following command:

uninstall.bat DLPforEndpoint.msi n

Uninstallation Result

The uninstallation is successful when the command line shows the following string:

## DLPforEndpoint uninstall finished! Check the log in drive C for details!

Otherwise, the uninstallation has failed. If you cannot check the output of the commandline, check the log.

Log

Filename: UninstallDLPforEndpoint.log

Location: In the target machine's root drive c:\

The uninstall was successful when the log contains:

• a. Action ended xxx: Dtool. Return value 1.

• b. xxxProduct: LeakProof -- Installation operation completed successfully.

• c. xxxProduct: LeakProof -- Removal completed successfully.

xxx represents an insignificant string.

Line a means the Dtool.exe inside the DLPforEndpoint.msiwas successfully executed.

Line b means the msiexec /i command was successfully executed.


1-9

Line c means the msiexec /x command was successfully executed.

Agent Installation with Microsoft System CenterConfiguration Manager (SCCM)

Deploying Agents Using SCCM

Note

DLP uses different installation packages for systems running Windows 32-bit and 64-bitplatforms. Use the package created for the type of platform installed on your system.Perform installation for each platform type separately. If the package does not match theplatform, installation cannot be completed.

1. Create a shared folder that contains the DLPforEndpoint.msi, install.bat, anduninstall.bat files on the server.

2. Create a package in the Software Distribution folder of the SCCM ComputerManagement section.

a. Right-click Packages and select New > Package.

b. Complete the General panel of the New Package Wizard.

c. Set the Source Directory (the share folder) in the Data Source panel.

3. Create a Distribution Point for the Package.

4. Create an install program for the Package.

a. Set the command line with: install.bat x.x.x.x (x.x.x.x is the server_ip).

b. Set Run: Hidden.

c. Set the Run Mode: Run with administrative rights.

d. Select Suppress program notifications.

5. Create an install advertisement for the Package.

a. Set the Package created above.


1-10

b. Set the install Program created above.

c. Set the collection to deploy.

Uninstalling Agents Using Microsoft SCCM

Note

DLP uses different installation packages for systems running Windows 32-bit and 64-bitplatforms. Perform uninstallation for each platform type separately.

1. Create a share folder that contains the DLPforEndpoint.msi, install.bat, anduninstall.bat files on the server.

2. Create a package in the Software Distribution folder of the SCCM ComputerManagement section.

a. Right-click Packages and select New > Package.

b. Complete the General panel of the New Package Wizard.

c. Set the Source Directory (the share folder) in the Data Source panel.

3. Create a Distribution Point for the Package.

a. Set the command line: uninstall.bat

b. Set Run: Hidden.


4. Create an uninstall program for the Package.

a. Set the command line: uninstall.bat

b. Set Run: Hidden.


d. Select Suppress program notifications.

5. Create an uninstall advertisement for the Package

a. Set the Package created above.


1-11

b. Set the uninstall Program created above.

c. Set the collection to deploy.

Custom Installation

Use the msiexec command and its parameters to install the DLPforEndpoint.msi file.

Note

DLP uses different installation packages for systems running Windows 32-bit and

64-bit platforms. Use the package created for the type of platform installed on your system.If the package does not match the platform, installation cannot be completed.

Two-step Custom Installation

1. msiexec /i command with the DTOOL property

a. Extract the DLP Endpoint setup files to a temporary folder.

b. Run Dtool in the temporary folder with parameters.

c. DTOOL Property: Refer to the DTOOL Property.

2. msiexec /x command

a. Clean up the files extracted to the temporary folder.

b. Clean up the registry keys written by the /i command.

Sample Installation Procedures

1. Install locally without the UI. Specify the server IP 1.2.3.4, and log on to the c:\InstallDLPforEndpoint.log file.

a. Run the following command:

msiexec /i DLPforEndpoint.msi /q /norestart DTOOL="-i -n-clink_ip=1.2.3.4" /log c:\InstallDLPforEndpoint.log


1-12

Note

/q: No UI

/log xxx: Record the log to the xxx file

/l*+ file.log: Record the log to the existing xxx file

b. After the first command finishes successfully, run the following command:

msiexec /x DLPforEndpoint.msi /q /l*+ c:\InstallDLPforEndpoint.log

2. Install from a share folder without the UI and reboot after installation.

a. Run the following command:

msiexec /i \\server\share\DLPforEndpoint.msi /q /norestart DTOOL="-i -n"

b. After the first command finishes successfully, run the following command.

msiexec /x \\server\share\DLPforEndpoint.msi /q /forcerestart

Tip

/forcerestart: Reboots the computer after installation.

DTOOL PropertyDTOOL is a property of the DLPforEndpoint.msifile.

Usage: DTOOL=''parameters''

Separate parameters with a space.

For example:

msiexec /i DLPforEndpoint.msi DTOOL="-i -n -clink_ip=192.168.1.1"

Current Parameters


1-13

• -i: Install.

• -n: no reboot after installation.

• -cpara=value: Specify the parameters when installing (combine with -i).

For example:

clink_ip=[x.x.x.x], server IP address is x.x.x.x

Agent Installation with dtool.exeDtool.exe offers additional installation functions not available with install.bat, such asthe “install with password” function. The “install with password” function protectsunauthorized DLP Agent uninstalls by requiring a password to run dtool. The dtool.exeexecutable is a command line application for deploying the DLP Endpoint agent toclient machines (endpoints) throughout the network.

Note

Only the domain administrator can install remotely.

Only the accounts with administrative privilege can install locally.

The File and Printer Sharing must be in the exception list in the Microsoft WindowsFirewall on the target machine before installing or uninstalling remotely.

The User Account Control is enabled in Windows Vista and later versions by default. TheDOS prompt must be run as the administrator in order to install or uninstall locally,whether using dtool or msi.

WARNING!

You must reboot target machines after installation and after uninstallation. Failure toreboot after install or uninstall will put the target machine into an unknown state.

To recover from an unknown state:

reboot - uninstall - reboot - install - reboot


1-14

Dtool Parameters

Specify dtool.exe without parameters to see the Help listing. The following aresupported options.

Usage

dtool.exe [-i [-cpara=value] [-ppwd] [-sb] ] [-u] [-s] [-d] n[-n] [-v] [-q] [-ffilename] [computer_name]

Parameters

• -i: Install

• -sb: Support safe mode in DLP agent.

• -u: Uninstall

• -e: update install, keep original settings and policy

• -s: Silent reboot, no shutdown message box.

• -dx: Delay rebooting x minutes (maximum to 11:59PM today).

• -n: No reboot after install/update/uninstall.

• -v: Show dtool version.

• -q: Quiet mode, no messages.

• -fx: Take computer names from file x:

One computer name for each line in file x.

• -efile.cfg: update, install, keep settings indicated by file.cfg.

• -cpara=value: Specify parameters when installing (combine with -i).

Para list: link_ip=[x.x.x.x], Server IP address;

link_port=[x], Server Port;

hide_me=[true|false], Hide agent or not.

Agent Installation with dtool.exe

1-15

• -ppwd: pwd is the protection password when installing or uninstalling. Thepassword is 1-20 characters, including [a-z][A-Z][0-9] and [~!@#$^&*()_+-={}[];:,.?.

• computer_name: This must be the last one in the command, if any.

Installing DLP with Dtool.exe

Note

DLP uses different installation packages for systems running Windows 32-bit and 64-bitplatforms.

If the package does not match the platform, an error message is displayed and installationwill not be completed.

If remotely deploying DLP to both 32-bit and 64-bit platforms, run both installationpackages on a 64-bit machine. It is not possible to run the package for 64-bit platforms ona 32-bit machine.

During remote installation, the message “computer architecture error” is displayed in thefile dtoolRemoteControl.csv when the package does not match the platform. To completeinstallation, search the file for a list of machines that return the error and restart installationusing the correct package.

1. Prepare the DLP directory tree as an installation directory. Simply copy the DLPdirectory from the setup DVD or other source location.

Directory tree contains:

[dir] DLP

[file] --dtool.exe

[file] --PVUSvc.exe

[file] --uninstaller.exe

[file] --updater.exe

[sub-dir] --system32

2. Open a command prompt and change the directory to the installation directory.


1-16

3. Enter the dtool command from the command prompt.

Command samples:

dtool.exe -i -clink_ip=x.x.x.x

-- install to a local machine and set the server ip x.x.x.x.

dtool.exe -i -clink_ip= x.x.x.x -sb

-- install to a local machine. Set the server ip x.x.x.x and enable the safe modefeature.

dtool.exe -i XYZ

-- install to a remote machine XYZ.

dtool.exe -i -s -d10

-- install silently and reboot the system after 10 minutes.

dtool.exe -i -flist.txt

-- load the computer names from the list.txt file and install.

dtool.exe -i -clink_ip=x.x.x.x -ppwd

-- install to a local machine, set the server ip x.x.x.x, and set the dtool.exe passwordto pwd. The password, pwd, will be required to run dtool.exe to uninstall the agent.For example, if the password = 123, type -p123.

Uninstalling DLP with DTool.exe

Note

Only the domain can uninstall remotely.

Only the administrator can uninstall locally.

1. Prepare the DLP directory tree as an uninstallation directory. Simply copy the DLPdirectory from the setup DVD or other source location.

2. Open a command prompt and change the directory to the uninstallation directory.

Agent Installation with dtool.exe

1-17

3. Enter the dtool command from the command prompt.

Command samples:

dtool.exe -u

-- uninstall the agent of a local machine.

dtool.exe -u XYZ

-- uninstall the agent of a remote machine XYZ.

dtool.exe -u -flist.txt

-- load the computer names from the list.txt file and uninstall.

dtool.exe -u -ppwd

-- uninstall the agent from a local machine using the password, pwd, to rundtool.exe.

Performing Custom Installation

Note

This is the former method of installation.

1. Configure two files:

dsa.pro

dsa.loc

The file, dsa.pro in system32\dgagent, configures the DLP agent.

Configuration options:

link_ip = (Server IPv4 address)

link_port = (Server configured link port number)

hide_me = (Set to false to see the agent process, service and registry keys)

2. Open a command prompt and change the directory to the installation directory.


1-18

3. From the command prompt, enter the dtool command. See commands ofinstallation in Part 3. (You do not need the -c option in this case).

Enabling Safe Mode SupportYou must use “sb” option for the DLP agent to work in safe mode. To directly enablesafe mode after the installation, use the following command:

�- dtool.exe -sb

Agent Installation with a Copied ImageYou can ghost one machine with the DLP agent installed and copy the image for virtualmachines on other endpoints. However, you must remove the GUID of the DLP agentbefore copying the image.

Installing the DLP Endpoint Agent by Copying the Image1. Create a virtual machine with the installed DLP Endpoint agent.

2. Stop the DLP Endpoint agent.

3. Delete the DLP Endpoint agent GUID.

Note

The AgentGuid string is at registry key: HKEY_LOCAL_MACHINE > SOFTWARE >Provilla

4. Stop the operating system on the virtual machine.

5. Copy the virtual machine with the installed agent to another virtual machine.(Ghost the physical image or virtual image of the original virtual machine.)

6. Start the second virtual machine with the copied image.

7. Change the operating system name and IP address for the new machine.

Agent Installation with a Copied Image

1-19

8. Restart the new machine and change its machine name and IP accordingly.

Note

The network is available during this. There is no need to disconnect the network.

The second machine can automatically register with the DLP server.


1-20

Chapter 2

Installing the DLP Virtual Appliance

2-1

DLP Virtual Appliance InstallationThe DLP Virtual Appliance (DLP VA) only supports new installations. You cannotupgrade an existing DLP installation. The DLP VA installation process formats yourexisting system for DLP VA. The installation procedure is basically the same for both aBare Metal and a VMware ESX virtual machine platform. However, the Bare Metalinstallation boots from the DLP VA installation DVD to begin the procedure.

Virtual Machine SpecificationsIf you are installing the DLP VA on a new virtual machine under VMware ESX 3.5,ensure that you create the new virtual machine with the following configuration:

TABLE 2-1. ESX Virtual Machine Specifications

COMPONENT SPECIFICATION

Guest Operating System Redhat Enterprise Linux 4 (32-bit)

Virtual CPUs 1 (DLP currently supports one virtual processor).

Memory 2048MB

NoteTrend Micro recommends at least 4096MB ofRAM.

Network Interface Card (NIC) DLP supports only 1 NIC.

Disk Size 30GB minimum

NoteTrend Micro recommends at least 250GB ofdisk space for incident logs, fingerprints, andother data storage purposes.


2-2

Note

When using VMware, the DLP server performance may downgrade depending on theCPU, memory, and the hard disk drive input/output in the virtual machine.

Installing the DLP Virtual Appliance

WARNING!

Any existing data or partitions are removed during the installation process. Back up anyexisting data on the system (if any) before installing DLP VA.

1. Start the DLP VA installation:

On a Bare Metal Server

a. Insert the Data Loss PreventionVA Installation DVD into the server’sDVD drive.

b. Power on the Bare Metal server.

On a VMware ESX Virtual Machine

WARNING!

If you install DLPVA on an ESX server, disable the snapshot feature for the virtualmachine. Otherwise, the snapshot will exhaust hard disk space.

a. Start the virtual machine on your VMware ESX server.

b. Insert the Data Loss PreventionVA Installation DVD into the virtual DVDdrive with any one of the following methods.

* Insert the DLP VA Installation DVD into a physical DVD drive on theESX server. Then connect the virtual DVD drive of the virtual machine tothe physical DVD drive.

* Connect the virtual DVD drive of the virtual machine to the Data LossPreventionDLPVA-5.5.xxxx-i386-DVD.iso file. The Data LossPreventionDLPVA-5.5.xxxx-i386-DVD.iso file is available at:

DLP Virtual Appliance Installation

2-3

http://www.trendmicro.com/download

c. Restart the virtual machine by clicking VM > Send Ctrl+Alt+Del on theVMware Web console.

The DLP VA installation menu appears.

FIGURE 2-1. Data Loss Prevention VA installation menu

These are the options on the DLP VA installation menu:

TABLE 2-2. DLP VA Installation Menu Options

MENU OPTIONS DESCRIPTION

Install DLP VA Installs DLP VA onto the new hardware or virtualmachine.


2-4

http://www.trendmicro.com/download

MENU OPTIONS DESCRIPTION

System Recovery Recovers a DLP VA system if the administrativepasswords cannot be recovered.

System MemoryTest

Performs memory diagnostic tests to rule out memoryissues.

Exit Installation Exits the installation process to boot from the localdisk.

2. Select Install DLP VA.

The license agreement screen appears.

FIGURE 2-2. DLP VA Wizard License Agreement screen

3. Click Accept to continue.


2-5

The keyboard language selection screen appears.

FIGURE 2-3. DLP VA Wizard keyboard selection

4. Select the keyboard language for the system and click Next.


2-6

The DLP VA installer scans your hardware to determine if the minimumspecifications have been met and displays the results.

FIGURE 2-4. DLP VA Wizard hardware components screen

Note

If the host hardware contains any components that do not meet the minimumspecifications, the installation program highlights the non-conforming componentsand the installation stops.

5. Click Next.

The DLP VA installer detects and displays all available hard disk drives.

6. Select at least one drive for the DLP VA installation.

7. If the hard drive requires partitioning, a warning appears above the list of availablehard drives. Click Next to continue with the partitioning.


2-7

8. Select the drive to use for the DLP VA installation and click Next.

The network settings screen appears.

FIGURE 2-5. DLP VA Wizard network settings screen

Note

Although the Dell R610 has multiple network interface ports, you must configure theeth0 interface. The DLP management server only manages agents (DLP NetworkMonitor and DLP Endpoint agents) using the eth0 interface. You will connect agentsto the DLP server using the eth0 interface.

9. Type the following network settings for eth0 and click Next.


2-8

TABLE 2-3. Network Settings Fields

FIELD DESCRIPTION

IPv4 Address This is the IP address of the DLPVA management interface. Typethe IP address and appropriate subnet mask to complete theconfiguration.

Hostname Type the Fully Qualified Domain Name (FQDN) for this DLPVAhost. Hostname must be unique so that you can identify the DLPmanagement server when you register the agents to the server.

Gateway Type the IP address to be used as the gateway for this DLPVAinstallation.

Primary DNS Type the IP address to be used as the primary DNS server forthis DLPVA installation.

SecondaryDNS

Type the IP address to be used as the secondary DNS server forthis DLPVA installation.


2-9

The Network Time Protocol (NTP) settings screen appears.

FIGURE 2-6. DLP VA Wizard NTP settings screen

Note

You can reconfigure the date format on the web console. See Reconfiguring the DLPWeb Console Date Format on page 2-17.

10. Specify the DLP VA server time and clock settings.

a. Select the location of the DLP VA server.

b. Specify whether the server system clock uses UTC.

Note

You can click a yellow point to select a city in a different region.


2-10

11. Click Next.

The account settings screen appears.

FIGURE 2-7. DLP VA Wizard account settings screen

12. Specify passwords for the root, enable, and admin accounts. DLP VA uses threedifferent levels of administrator types to secure the system. The password must bea minimum of eight characters and a maximum of 32 characters.

Tip

For the best security, create a highly unique password using upper and lower casealphabetic characters, numerals, and special characters found on your keyboard.

• Root Account: Accesses the operating system shell and has all rights to theserver. This is the most powerful user on the system.


2-11

• Enable Account: Accesses the command line interface (CLI) - privilegemode. This account has all rights to execute any CLI command.

• Admin Account: Accesses the Data Loss PreventionVA CLI managementinterfaces. It has all rights to the Data Loss PreventionVA application but noaccess rights to the operating system shell.

13. Click Next.

The review settings screen appears.

14. Confirm that the selected values are correct, and click Next.

The installation process prompts you to begin the installation.

15. Select Continue to erase any data on the hard disk partition and format the harddisk. If you have data on the hard disk that you need to keep, cancel the installationand back up the information before proceeding.

16. Click Continue.


2-12

A screen appears with the formatting status of the local drive. When formattingcompletes, the DLP VA installation begins.

FIGURE 2-8. DLP VA Wizard formatting status screen


2-13

After the installation completes, a summary screen appears. The installation log issaved in the /root/install.log file for reference.

FIGURE 2-9. DLP VA Wizard Installation Successful screen

17. Click Reboot to restart the system.

Bare Metal installation:

The DVD automatically ejects. Remove the DVD from the drive to preventreinstallation.

Virtual machine installation:

Trend Micro recommends disconnecting the DVD drive from the virtual machinenow that DLPVA is installed.

After DLPVA reboots, the initial CLI login screen appears.


2-14

Note

During installation, you might receive the following messages:

for crash kernel (0x0 to 0x0) not within permissible range

powernow-k8: bios error -no psb or acpi_pss objects

Both of these messages are normal. The latter message indicates that the systemBIOS is not reporting or presenting any PSB or ACPI objects or hooks to the Linuxkernel. Either the CPU or BIOS does not support PSB or ACPI objects or hooks, orthey are simply disabled.

18. After installation, log on to the CLI to enable the DLP server.

You can also log on to the CLI shell to perform additional configuration,troubleshooting, or housekeeping tasks.

Configuring Network SettingsIf you received the DLP VA pre-installed with your appliance, then you must configurenetwork settings from the DLP server command line interface (CLI) before logging onto the DLP web console. If you re-installed or installed the DLP VA yourself, you set upthe network settings during the installation process. Therefore, you can go directly to theDLP web console.

Note

You must configure system configurations, such as network settings, through the DLP VACLI. You cannot configure system configurations using Linux commands. If you do,settings are not saved in the configuration file and the agent will not be able to register withthe server.

The default users for the DLP server CLI are admin, enable and root. Log on to theDLP server CLI as admin to configure the network settings if you have not already doneso. If you received the DLP VA pre-installed with your appliance, use the defaultpassword, “trenddlp.” You will automatically enter the CLI where you are required toconfigure the network.

Configuring Network Settings

2-15

Configuring Network Settings through the DLP Server CLI1. Log on to the DLP server CLI.

The DLP server command prompt appears.

FIGURE 2-10. Command line interface

2. Type enable and press Enter.

3. Type the Enable account password and press Enter.

You enter privileged mode.

4. Set up the IP, Gateway, and DNS.


2-16

FIGURE 2-11. Configure IP settings

Note

To change network settings, you can log on at any time and use the command“configure DLP network” if needed.

Reconfiguring the DLP Web Console DateFormat

You can change the date format that displays on the DLP web console.

1. Log on to the DLP management server as root.

2. Edit the systemConf.properties file at /home/dgate/prod/common/cfg/.

3. Change the user.defined.locale.key=en-US parameter to any of the followinglocales: en-US, en-CA, zh-CHS, zh-CHT, ja-JP, ko-KR, or fr-FR.

Reconfiguring the DLP Web Console Date Format

2-17

4. Change the user.defined.time.format=short date parameter. This parameter can beshort date or long date.

5. Reboot the server so the changes can take effect.


2-18

trend micro data loss prevention endpoint 5.6 installation guide

Documents