Dell Data Protection
Contents
1. The Dell Enterprise Server can optionally be installed in a virtual environment. Only certain environments are recommended, and there may be performance considerations, as described below. Dell Enterprise Server v8.5 has been validated with: VMware ESX/ESXi 5.5 (NOTE: When running VMware ESX/ESXi and Windows Server 2012 R2, VMXNET3 Ethernet Adapters are recommended); Microsoft Windows Server 2008 R2 Hyper-V. Dell Enterprise Server Performance in a Virtual Environment: Dell has observed up to a 50% performance impact, depending on environment. The impact is most noticeable during activation, inventory processing, and triage. If performance is a concern, we recommend deploying to a non-virtual server environment. The Microsoft SQL Server database hosting the Dell Enterprise Server should be run on a separate computer and on real hardware. Database: Microsoft SQL Server 2005 SP1, SP2, and SP3 (Standard Edition, Enterprise Edition); Microsoft SQL Server 2008 and Microsoft SQL Server 2008 R2 (Standard Edition, Enterprise Edition); Microsoft SQL Server 2012 (Standard Edition, Business Intelligence, Enterprise Edition). NOTE: Express Editions are not supported for production environments. Express Editions may be used in POC and evaluations only. Web Browsers: Silverlight Console: Internet Explorer 7.x or later; Dell Compliance Reporter: Internet Explorer 7.x or later, Mozilla Firefox 2.x or later, Google Chrome En
2. At the Select Computer window, select Local computer (the computer this console is running on) and click Finish. Click Close. Click OK. In the Console Root folder, expand Certificates (Local Computer). Go to the Personal folder and locate the desired certificate. Highlight the desired certificate, right-click All Tasks > Export. When the Certificate Export wizard opens, click Next. Select Yes, export the private key and click Next. Select Personal Information Exchange - PKCS #12 (.PFX) and then select the sub-options Include all certificates in the certification path if possible and Export all extended properties. Click Next. Enter and confirm a password. This can be any password of your choosing. Choose a password that is easy for you to remember, but no one else. Click Next. Click Browse to browse to the location of where you would like to save the file. In the File Name field, enter a name to save the file as. Click Save. Click Next. Click Finish. A message stating that the export was successful displays. Close the MMC. Go back to the Dell Server Configuration Tool. From the top menu, select Actions > Import Manager Certificate. Navigate to the location where the exported file was saved. Select the file and click Open. Enter the password associated with this file and click OK. From the top menu, select Configuration > Save. If prompted, confi
3. check box selected. Selecting the check box installs only the proxy components: Security Server in Proxy Mode, Core Server in Proxy Mode, Device Server, and Policy Proxy. First, we will go through the install for the Main Server(s) (Back End), and then we will go through the process for the Front End server(s). Main Server(s): 1. In the Dell installation media, navigate to the Dell Enterprise Server directory. Unzip (NOT copy/paste or drag/drop) Dell Enterprise Server x64 to the root directory of the server where you are installing Dell Data Protection Enterprise Edition. Copying/pasting or dragging/dropping will produce errors and an unsuccessful installation. NOTE: Follow the same procedure for Dell Enterprise Server x86 for the 32-bit installer. 2. Double-click setup.exe. 3. When the InstallShield Wizard displays, select the language for installation, then click OK. 4. If not already installed, a message may display informing you that Microsoft Visual C++ 2010 Redistributable Package must be installed before continuing. Click Install. 5. When the Welcome dialog displays, click Next. 6. At the License Agreement, indicate acceptance, then click Next. 7. If you optionally completed step 14 in Pre-Installation Configuration, click Next. If not, enter the 32-character Product Key and then click Next. The Product Key is located in the file EnterpriseServerinstallKey.ini. 8. Click Next to install the Dell Enterprise Server to the default loca
4. Dell Policy Proxy Polling Interval (the default is 1 minute). De-select the box to run EAS Device Manager in report-only mode. Click OK. A success message displays. Click Yes to re-start IIS and EAS Mailbox Manager Services. Click Quit when finished. Continue to Dell Security Server in DMZ Mode Configuration. (Enterprise Server Installation and Migration Guide, page 42) Dell Security Server in DMZ Mode Configuration: If the Dell Security Server is deployed in a DMZ and a private network, and only the DMZ server has a domain certificate from a trusted Certificate Authority (CA), some manual steps are needed to add the trusted certificate into the Java keystore of the private network Dell Security Server. If a trusted certificate is being used, omit this section and continue to APNs Enrollment. NOTE: We highly recommend the use of domain certificates from a trusted Certificate Authority for both DMZ and private network servers. Use Keytool to Import the DMZ Domain Certificate. IMPORTANT: Back up the existing Dell Security Server cacerts before continuing with the Keytool instructions. If a configuration error is made, you can revert back to the saved file. Assumptions: Dell Security Server was installed with an untrusted certificate. Dell Security Server in DMZ Mode was installed using a signed certificate (Entrust, Verisign, etc.). A .pfx certificate file is available. If your certificate needs to be converted to .pfx, see How to Export a Cert
5. Verify that all other fields are populated for component. Leave the default port value as is, unless there is a conflict with an existing port. Click Next. NOTE: The Message Broker Service does not allow the underscore character in the fully qualified domain name. 20. In the Security Socket Layer and Host dialog, enter the fully qualified domain name of the back-end server and select the correct Server edition: Enterprise Edition or Virtual Edition. 21. You have a choice of SSL types to use. Select option a or b below. a. To use an existing certificate that was purchased from a CA authority, select the first option and click Next. NOTE: To use this setting, the exported CA certificate being imported must have the full trust chain. If unsure, re-export the CA certificate and ensure that the following options are selected in the Certificate Export Wizard: Personal Information Exchange - PKCS #12 (.PFX); Include all certificates in the certification path if possible; Export all extended properties. Click Browse to enter the path to the certificate. Enter the password associated with this certificate. The key store file must be .p12 or .pfx. See How to Export a Certificate to PFX Using the Certificate Management Console for instructions. Click Next. OR b. To create a self-signed certificate, select the second option and click Next. At the Set Up a Certificate Authority dialog, enter the following informati
6. 000 - 20,000 endpoints. Optionally, a front-end server can be placed in the DMZ for activating endpoints and/or publishing policies to endpoints over the Internet. NOTE: If the organization has more than 50,000 endpoints, please contact Dell Client Services for assistance. Architecture Components: Dell Enterprise Server; Dell Internal Front End Servers (2); Dell External Front End Server; SQL Server. [Architecture diagram: Outside, DMZ and Inside zones, showing the Dell Enterprise Server components (DDPE Compatibility Server, DDPE Core Server, DDPE Security Server, DDPE Console, DDPE Key Server, DDPE Compliance Reporter, DDPE Identity Server, DDPE Message Broker Service), the front-end proxy components (DDPE Policy Proxy, DDPE Security Server Proxy, DDPE Core Server Proxy, DDPE Device Server Proxy), the external HA front end and the Exchange Front End Server, with port labels including 80, 1099, 61613 and 61616.] High Availability Considerations: This architecture depicts a highly available architecture supporting up to 60,000 endpoints. There are two Dell Enterprise Servers set up in an active/passive configuration. To failover to the second Dell Enterprise Server, stop the services on the primary node and point the DNS Alias (CNAME) to the second node. Sta
7. If needed, open Server Manager. Highlight Roles. In the Role Service area, click Add Role Service. Select Web Server (IIS) Support and click Next. A dialog may display asking Add role services and features required for Web Server (IIS) support. If so, click Add Required Role Services. Under Management Tools, select IIS Management Console and click Next. Click Install. When finished, close Server Manager. The configuration of the web browser version of the Silverlight Console is now complete. Test Configuration: Follow the instructions below to test the configuration of the web browser version of the Silverlight Console. 1. Launch Internet Explorer. 2. In the address bar, type http://servername.domainname.com/console. 3. Log in with the default credentials of superadmin/changeit. If you experience errors, see Troubleshooting. Otherwise, continue to Administrative Tasks. Administrative Tasks: Assign Dell Administrator Role: 1. In the left pane, click Protect & Manage > Domains. 2. Click the Members icon of the Domain you want to add a user to. 3. Click Add Users. 4. Enter a filter to search the User Name by Common Name, Universal Principal Name, or sAMAccountName. The wild card character is *. A Common Name, Universal Principal Name, and sAMAccountName must be defined in the enterprise dir
8. Certificate Export wizard opens, click Next. Select Yes, export the private key and click Next. Select Personal Information Exchange - PKCS #12 (.PFX) and then select the sub-options Include all certificates in the certification path if possible and Export all extended properties. Click Next. Enter and confirm a password. This can be any password of your choosing. Choose a password that is easy for you to remember, but no one else. Click Next. Click Browse to browse to the location of where you would like to save the file. In the File Name field, enter a name to save the file as. Click Save. Click Next. Click Finish. A message stating that the export was successful displays. Close the MMC. How to Add a Trusted Signing Cert to the Security Server when an Untrusted Certificate was used for SSL: 1. Stop the Security Server Service, if running. 2. Back up the cacerts file in <Security Server install dir>\conf. Use Keytool to complete the following: 3. Export the trusted PFX into a text file and document the Alias: keytool -list -v -keystore C:\pfxfilename.pfx -storetype PKCS12 > C:\pfxfilename.txt 4. Import the PFX into the cacerts file in <Security Server install dir>\conf: keytool -importkeystore -v -srckeystore C:\pfxfilename.pfx -srcstoretype PKCS12 -srcalias AliasNamePreviouslyDocumented -destkeystore C:\Program Files\Dell\Enterprise Edition\Security Server\co
9. [Architecture diagram, continued: DDPE Console, DDPE Key Server, DDPE Compliance Reporter, DDPE Identity Server, DDPE Message Broker Service, Exchange Front End Server.] 20,000 - 40,000 Endpoints: This architecture accommodates environments ranging between 20,000 and 40,000 endpoints. An additional front-end server is added to distribute the additional load. Each front-end server is designed to handle approximately 15,000 - 20,000 endpoints. Optionally, a front-end server can be placed in the DMZ for activating endpoints and/or publishing policies to endpoints over the Internet. Architecture Components: Dell Enterprise Server; Dell Internal Front End Servers (2); Dell External Front End Server; SQL Server. [Architecture diagram: Outside, DMZ and Inside zones, showing the Dell Enterprise Server components (DDPE Compatibility Server, DDPE Core Server, DDPE Security Server, DDPE Identity Server, DDPE Console, DDPE Key Server, DDPE Compliance Reporter, DDPE Message Broker Service), the front-end proxy components (DDPE Policy Proxy, DDPE Security Server Proxy, DDPE Core Server Proxy, DDPE Device Server Proxy), the Exchange Front End Server and Dell Manager, with port labels including 80, 1099, 61613 and 61616.] 40,000 - 60,000 Endpoints: This architecture accommodates environments ranging between 40,000 and 60,000 endpoints. An additional front-end server is added to distribute the additional load. Each front-end server is designed to handle approximately 15
10. Edition Enterprise Edition Windows Server 2003 SP2 Standard Edition Enterprise Edition Windows Server 2008 SP2 32-bit Standard Edition Enterprise Edition Windows Server 2003 R2 and R2 SP2 Standard Edition Enterprise Edition Windows Server 2008 SP2 64-bit Windows Server 2008 R2 SP0 SP1 64-bit Standard Edition Standard Edition Enterprise Edition Enterprise Edition Windows Server 2012 R2 Windows Server 2008 SP2 32-bit Standard Standard Edition Enterprise Edition Windows Server 2008 SP2 64-bit Standard Edition Enterprise Edition Windows Server 2012 R2 Standard. Exchange ActiveSync Servers: If you intend to use Dell Data Protection Mobile Edition, the following Exchange ActiveSync Servers are supported. This component is installed on your front-end Exchange Server. Exchange ActiveSync 12.0 (a component of Exchange Server 2007); Exchange ActiveSync 12.1 (a component of Exchange Server 2007 SP1); Exchange ActiveSync 14.0 (a component of Exchange Server 2010); Exchange ActiveSync 14.1 (a component of Exchange Server 2010 SP1). Microsoft Message Queuing (MSMQ) must be installed/configured on the Exchange Server. LDAP Repository: Microsoft Active Directory 2003; Microsoft Active Directory 2008. Recommended Virtual Environments for Dell Enterprise Server Components
11. Finish when complete. Generate Self-Signed Certificate: The information from the self-signed certificate that was created when installing the Enterprise Server will be used, if available. Click Next. Click Finish when complete. From the top menu, select Configuration > Save. If prompted, confirm the save. Certificate set up is complete. If your deployment includes Dell Manager, continue to step 8. If your deployment does not include Dell Manager, continue to step 9. Import Dell Manager Certificate: If your deployment includes Enterprise Edition remotely managed clients with Hardware Crypto Accelerators, self-encrypting drives, or BitLocker Manager, you must import your newly created or existing certificate. The Dell Manager certificate is used as a vehicle to protect the private key which is used to sign the policy bundles being sent to Enterprise Edition remotely managed clients and BitLocker Manager. This certificate can be independent of any of the other certificates. Additionally, if this key is compromised, it can be replaced with a new key, and Dell Manager will request a new public key if it cannot decrypt the policy bundles. Open the Microsoft Management Console. Click File > Add/Remove Snap-in. Click Add. At the Add Standalone Snap-in window, select Certificates and click Add. Select Computer Account and click Next. At the Select Computer window, select Local computer, the computer this console
12. OR b. To create a self-signed certificate, select the second option and click Next. At the Set Up a Certificate Authority dialog, enter the following information: Fully qualified computer name (example: computername.domain.com); Organizational Unit (example: Security); Organization; City; State (full name); Country: Two-letter country abbreviation. Click Next. 15. At the Ready to Install the Program dialog, click Install to begin installation. 16. When prompted, click Finish to complete the installation. Do not reboot the server until Post-Installation Configuration tasks are complete. Rebooting now would cause the server to attempt to start Dell Services, which would be unsuccessful at this point. Front End Server(s): 1. In the Dell installation media, navigate to the Dell Enterprise Server directory. Unzip (NOT copy/paste or drag/drop) Dell Enterprise Server x64 to the root directory of the server where you are installing Dell Data Protection Enterprise Edition. Copying/pasting or dragging/dropping will produce errors and an unsuccessful installation. NOTE: Follow the same procedure for Dell Enterprise Server x86 for the 32-bit installer. 2. Double-click setup.exe. 3. When the InstallShield Wizard displays, select the language for installation, then click OK. 4. If not already installed, a message may display informing you that Microsoft Visual C++ 2010 Redistributable Package must be installed bef
13. Server TCP 8050; Dell Policy Proxy TCP 8000; Dell Security Server HTTPS 8443. NOTE: If your Enterprise Edition clients will be entitled from the factory or you purchase licenses from the factory, set the GPO on the domain controller to enable entitlements (this may not be the server running Enterprise Edition). Ensure that outbound port 443 is available to communicate with the Server. If port 443 is blocked for any reason, the entitlement functionality will not work. For more information, see Enterprise Edition Administrator Guide. Create Dell Database: 3. If you do not yet have a Microsoft SQL database configured for Dell, follow the instructions below. Create the SQL database and SQL user in SQL Management Studio. The Dell Enterprise Server is prepped for both SQL and Windows Authentication. The default authentication method is SQL Authentication. If you wish to use Windows Authentication, additional configuration steps are needed after the installation/upgrade/migration but before using the Dell Server Configuration Tool. The additional steps needed are detailed in Use Windows Authentication. Create the database and then create a Dell database user with db_owner rights. The db_owner may assign permissions, back up and restore the database, create and delete objects, and manage user accounts and roles without any restrictions. Additionally, ensure that this user has permissions
14. Terms of Use, indicate acceptance and click Accept. 9. Click Browse and then Upload the CSR you just created. 10. On the Certificates for Third-Party Servers page, click Download. Save the file to an easily accessible location. 11. Return to the APNs Enrollment Wizard and click Next. Step III: Upload Push Certificate. 12. Enter the following information (use the same credentials that were used in Step Create CSR): Email; Common Name; Push Cert File: Click Browse to locate the file saved in step 10. Click Upload. 13. A success message displays. Click Finish. Enrollment of the APNs Certificate with the Dell Server is complete. Continue to Use Windows Authentication. Use Windows Authentication: If you want to use Windows Authentication instead of SQL Authentication, complete the following steps before running the Dell Server Configuration Tool. If you do not intend to use Windows Authentication, continue to Use the Dell Server Configuration Tool. 1. Create a Windows domain account with privileges to serve as Dell database owner, and this account will also need to be a member of the Enterprise Server's Local Administrators Group. This account is used to run Dell Services, so it is important that potential password issues are prevented. Ensure that the following password settings are applied: a. Ensure the following option is NOT selected: User Must Change Password on next Login. b. E
15. certificates Signed public CA signed or domain signed certificates are signed by a public CA or a domain In the case of certificates that are signed by a public certificate authority CA the certificate of the signing CA will usually already exist in the Microsoft certificate store and therefore the chain of trust will be automatically established For domain CA signed certificates if the workstation has been joined to the domain the signing CA certificate from the domain will have been added to the workstation s Microsoft certificate store thereby also creating a chain of trust The components that are affected by certificate configuration Java Services for instance Dell Device Server Dell Console Web Services and so on NET Applications Dell Core Server Validation of smart cards used for Preboot Authentication Dell Security Server Importing of private encryption keys to be used for signing policy bundles being sent to Dell Manager Dell Manager performs SSL validation for remotely managed Enterprise Edition clients with Hardware Crypto Accelerators self encrypting drives or BitLocker Manager Client Workstations Workstations running the web browser version of the Silverlight Console Workstations running Dell Data Protection BitLocker Manager Workstations running Dell Data Protection Enterprise Edition Windows clients Information regarding which type of certificates to use Preboot Authenticatio
16. is running on, and click Finish. Click Close. Click OK. In the Console Root folder, expand Certificates (Local Computer). Go to the Personal folder and locate the desired certificate. Highlight the desired certificate, right-click All Tasks > Export. When the Certificate Export wizard opens, click Next. m. Select Yes, export the private key and click Next. n. Select Personal Information Exchange - PKCS #12 (.PFX) and then select the sub-options Include all certificates in the certification path if possible and Export all extended properties. Click Next. o. Enter and confirm a password. This can be any password of your choosing. Choose a password that is easy for you to remember, but no one else. Click Next. p. Click Browse to browse to the location of where you would like to save the file. In the File Name field, enter a name to save the file as. Click Save. Click Next. Click Finish. A message stating that the export was successful displays. Close the MMC. Go back to the Dell Server Configuration Tool. From the top menu, select Actions > Import Manager Certificate. Navigate to the location where the exported file was saved. Select the file and click Open. Enter the password associated with this file and click OK. From the top menu, select Configuration > Save. If prompted, confirm the save. The Dell Manager certificate import is now compl
17. lt system web gt lt compilation targetFramework 4 0 gt lt pages gt lt namespaces gt lt add namespace Credant Console Resources gt lt namespaces gt lt pages gt lt system web gt lt appSettings gt lt Credant Console Default Settings gt lt add key Login UseWindowsAuth value False lockltem true gt lt add key Settings PageSize value 25 lockltem true gt lt add key Settings StartScreen value Home lockltem true gt lt add key Settings Brand value Credant gt lt add key Help Uri value Help gt lt add key Help DefaultDocument value get_started htm gt lt Credant Server Settings gt lt add key ServercoreHostname value serverO4 demain cor server01 gt lt add key ServercorePort value 8888 gt lt add key ServerHostname value serverO demain eorn server01 gt lt add key ServerPort value 9011 gt lt Credant ComplianceReporter Settings gt lt add key ReporterHost value serverOLedemaireom server01 gt lt add key ReporterPort value 8084 gt lt add key ReporterSslRequired value true gt lt Credant Authorization Sts Settings gt lt add key StsHost value serverO demain ecor server01 gt lt add key StsPort value 9000 gt lt add key DisableSSLCertTrust value True gt lt add key Max
18. operating system to access more than 4 GB physical memory, enable Physical Address Extension. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/aa366796%28v=vs.85%29.aspx. Dell Enterprise Server (Back-end Server) / Proxy Server (Front-end Server): Processor: 2 GHz Core Duo, Core 2 Duo, Core i3, Core i5, Core i7, Xeon, Itanium, or AMD equivalent / Intel Pentium-class or AMD processor. RAM: 8GB minimum, depending on configuration / 1 GB. Free Disk Space: 1.5 GB free disk space (plus virtual paging space) / 104 MB (plus virtual paging space). Network Card: 10/100/1000 network interface card. Miscellaneous: TCP/IPv4 installed and activated. Dell Enterprise Server Software: The following table details the software requirements for the Dell Enterprise Server and Proxy Server. NOTE: Always disable UAC when using Windows Server 2008. After disabling UAC, the server must be rebooted for this change to take effect. Registry location for Windows Servers: HKLM\SOFTWARE\Dell. Dell Enterprise Server (Back-end Server) / Proxy Server (Front-end Server): Operating System: Windows Server 2003 SP2 Standard Edition Enterprise Edition Windows XP Professional SP3 Windows Server 2003 R2 and R2 SP2 Windows 7 SP0 SP1 Standard Edition Enterprise Enterprise Edition Professional Ultimate Windows Server 2008 R2 SP0 SP1 64-bit Standard
19. privileges to run stored procedures. Create a New Microsoft SQL Server Database using Windows Authentication: Click Start > All Programs > Microsoft SQL Server > Management Studio. Right-click the Databases folder and then click New Database. The Database Properties dialog displays. Enter the Database Name and click OK. Expand the Security folder and right-click Logins. Click New Login to create an owner for the new database. Enter a username in the Name field. Select the Authentication option: Windows Authentication. Select User Mapping and then highlight the new database. Select the database role db_owner and click OK. OR Create a New Microsoft SQL Server Database using SQL Server Authentication: Click Start > All Programs > Microsoft SQL Server > Management Studio. Right-click the Databases folder and then click New Database. The Database Properties dialog displays. Enter the Database Name and click OK. Expand the Security folder and right-click Logins. Click New Login to create an owner for the new database. Enter a username in the Name field. Select the Authentication option: SQL Server Authentication. Enter and confirm the password. Deselect Enforce Password Expiration. Select User Mapping and then highlight the new database. Select the database role db_owner and click OK. Install Windows Installer 3.1 or later: 4. If not already installed, inst
20. Go to Start > Run. Type services.msc and click OK. When Services opens, highlight Dell Message Broker. Right-click the entry and select Properties. On the Log On tab, select This account. Browse to locate the Windows domain account you set up. The format should be DomainName\AdministratorName or administrator@domainname.com. Type the password for this Windows domain account and confirm it. Click OK. Configure the Dell Security Server Service to run using the Windows domain account you set up: Go to Start > Run. Type services.msc and click OK. When Services opens, highlight Dell Security Server. Right-click the entry and select Properties. On the Log On tab, select This account. Browse to locate the Windows domain account you set up. The format should be DomainName\AdministratorName or administrator@domainname.com. Type the password for this Windows domain account and confirm it. Click OK. Configure Dell Compliance Reporter to use Windows Authentication: As of v8.1, Compliance Reporter is configured to use Windows Authentication out of the box. No configuration is needed. Continue to Use the Dell Server Configuration Tool. Use the Dell Server Configuration Tool: Whether a new install or an upgrade/migration from a previous version, the Dell Server Configuration Tool must be used to configure your environment. The Dell Core Server and Dell Compatibility Server cannot run simultaneously with the Dell
21. Dell Enterprise Server Prerequisites; Dell Enterprise Server Hardware; Dell Enterprise Server Software; Architecture Design; Up to 5,000 Endpoints; 5,000 - 20,000 Endpoints; 20,000 - 40,000 Endpoints; 40,000 - 60,000 Endpoints; High Availability Considerations; 4 Pre-Installation Configuration; 5 Install; New Installations; Main Server(s); Front End Server(s); Upgrade/Migration; Main Server(s); Front End Server(s); 6 Post-Installation Configuration; EAS Management Installation and Configuration; Dell Security Server in DMZ Mode Configuration; APNs Enrollment; Use Windows Authentication; Use the Dell Serve
22. Core Server: displays the installed location of the Dell Core Server. Legacy Server: displays the installed location of the Dell Compatibility Server. Security Server: displays the installed location of the Dell Security Server. Messaging Service: displays the installed location of the Dell Messaging Service. Compliance Reporter: displays the installed location of the Compliance Reporter. Identity Server: displays the installed location of the Identity Server. Schema Version: displays the current database schema version. Supported Versions: displays the previous versions supported to migrate to the current version. 4. Click the Database tab. In the Server Name field, enter the fully qualified domain name (if there is an instance name, include it) of the server hosting the database. For example, SQLTest.domain.com\DellDB. Dell recommends using a fully qualified domain name, although an IP address may be used. In the Database field, enter the name of the database. In the Authentication field, select either Windows Authentication or SQL Server Authentication. If you choose Windows Authentication, the same credentials that were used to log in to Windows will be used for authentication (User Name and Password fields will not be editable). In the User Name field, enter the appropriate username associated with this database. In the Password field, enter the password for the username listed in the UserName field. From the top men
23. Dell Data Protection Enterprise Edition: Enterprise Server Installation and Migration Guide. 2014 Dell Inc. Registered trademarks and trademarks used in the DDP E E DDP ST and DDP CE suite of documents: Dell and the Dell logo, Dell Precision, OptiPlex, Control Vault, Latitude, XPS, and KACE are trademarks of Dell Inc. Intel, Pentium, Intel Core Inside Duo, Itanium, and Xeon are registered trademarks of Intel Corporation in the U.S. and other countries. Adobe, Acrobat, and Flash are registered trademarks of Adobe Systems Incorporated. Authen Tec and Eikon are registered trademarks of Authen Tec. AMD is a registered trademark of Advanced Micro Devices, Inc. Microsoft, Windows, and Windows Server, Internet Explorer, MS-DOS, Windows Vista, MSN, ActiveX, Active Directory, Access, ActiveSync, BitLocker, BitLocker To Go, Excel, Hyper-V, Silverlight, Outlook, PowerPoint, OneDrive, SQL Server, and Visual C++ are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. VMware is a registered trademark or trademark of VMware, Inc. in the United States or other countries. Box is a registered trademark of Box. Dropbox is a service mark of Dropbox, Inc. Google, Android, Google Chrome, Gmail, YouTube, and Google Play are either trademarks or registered trademarks of Google Inc. in t
24. Drive>:\Program Files\Dell on a regular basis. Weekly backups of this data are acceptable, since it should rarely change and can be manually reconfigured if needed. The most critical files store information necessary to connect to the database: <Drive>:\Program Files\Dell\Enterprise Edition\Compatibility Server\conf\server_config.xml; <Drive>:\Program Files\Dell\Enterprise Edition\Compatibility Server\conf\secretKeyStore. SQL Server: Perform nightly full backups with transactional logging enabled. For additional information on SQL Server best practices, please see SQL Server Best Practices. Troubleshooting: Visit support.dell.com for the most up-to-date troubleshooting information. Troubleshoot Web Browser Version of Silverlight Console: If the web browser version of the Silverlight Console does not display, follow the steps below. 1. Open an Internet Explorer Browser. On the browser toolbar, select Tools > Internet Options. From the Security tab, highlight Trusted Sites. Click Sites. In the Add this website to the zone field, verify that your FQDN displays in the text box. If not, add your FQDN. The format is http://servername.domainname.com. Click Add. 6. Re-attempt to open the web browser version of the Silverlight Console. Type in the Silverlight Console URL. The format is http servername do
25. If you are reinstalling or upgrading, use the instructions in Configure a Migration. b. At the Initialize Enterprise Database window, a warning displays. Confirm that you have either backed up the entire database or confirm that a backup does not need to be made of your existing database. Click Next. c. At the Initialize Enterprise Database window, read the information and click Next. At the Initializing Database window, informational messages display the status of the initialization. When complete, check for errors. NOTE: An error message identified by 69 signifies that a database task has failed and corrective action needs to be taken before the database can be properly initialized. Click Finish, correct the database errors, and reinitiate the instructions in this section. d. Click Finish. e. From the top menu, select Configuration > Save. If prompted, confirm the save. Configure Certificates: The first time you run the Dell Server Configuration Tool for initial Dell Enterprise Server setup, certificates must be configured for the Dell Compatibility Server, Dell Core Server, and Message Security. You have a choice of which type of certificates to use: self-signed or signed. Self-signed certificates are signed by their own creator. Self-signed certificates are appropriate for pilots, POCs, etc. For a production environment, Dell recommends public CA-signed or domain-signed
26. If you have not yet backed up your existing Dell database, do so now. a. From the top menu, select Actions > Migrate Database. The Configuration Wizard launches. b. At the Migrate Enterprise Database window, a warning displays. Confirm that you have either backed up the entire database or confirm that a backup does not need to be made of your existing database. Click Next. c. At the Migrate Enterprise Database window, read the information and click Next. At the Migrating Database window, informational messages display the status of the migration. When complete, check for errors. NOTE: An error message identified by 69 signifies that a database task has failed and corrective action needs to be taken before the database can be properly migrated. Click Finish, correct the database errors, and reinitiate the instructions in this section. d. Click Finish. e. From the top menu, select Configuration > Save. If prompted, confirm the save. 8. Configure Certificates: The first time you run the Dell Server Configuration Tool for initial Dell Enterprise Server setup, certificates must be configured for the Dell Compatibility Server, Dell Core Server, and Message Security. You have a choice of which type of certificates to use: self-signed or signed. Self-signed certificates are signed by their own creator. Self-signed certificates are appropriate for pilots, POCs, etc. For a production environment, Dell recommends public CA-signed or domain-signed ce
27. Install the Program dialog, click Install to begin installation. 14. When prompted, click Finish to complete the installation. 15. Go to <Security Server install dir>\conf\ and open the application.properties file. Locate publicdns.server.host and set the name to an externally resolvable host name. Locate publicdns.server.port and set the port (the default is 8443). Do not reboot the server until Post-Installation Configuration tasks are complete. Rebooting now would cause the server to attempt to start Dell Services, which would be unsuccessful at this point. The rest of this chapter details the process for an upgrade/migration and may be ignored. Continue to Post-Installation Configuration. Upgrade/Migration: Before you begin, ensure that all Pre-Installation Configuration is complete. This is of particular importance if you intend to use the web browser version of the Silverlight Console or are deploying Dell Data Protection | Mobile Edition. Read the Release Notes for any current workarounds or known issues related to Dell Enterprise Server installation. Dell recommends that DB best practices are used for the Dell database and that Dell software is included in your organization's disaster recovery plan. If you intend to deploy Dell components in the DMZ, ensure that they are properly protected against attacks. For production, Dell recommends installing the SQL Server on a dedicated server. To leverage full capabilities of policies, we recommen
28. ReceivedMessageSize" value="1500000"/> </appSettings> <system.webServer> <defaultDocument> <files> <clear/> <add value="Default.htm"/> <add value="Default.asp"/> <add value="default.aspx"/> <add value="index.htm"/> <add value="index.html"/> <add value="iisstart.htm"/> </files> </defaultDocument> </system.webServer> </configuration> Appendix A: Dell Component Descriptions. The following table describes each component and its function. Columns: Name; Description; Required For. Dell Compliance Reporter: Provides an extensive view of the environment for auditing and compliance reporting. A component of the Dell Enterprise Server. Required for: Reporting. Dell Key Server: A Service that negotiates, authenticates, and encrypts a client connection using Kerberos APIs. A component of the Dell Enterprise Server. Required for: Dell Admin Utilities. Dell Server Configuration Tool: Configures database communication with the Dell Core Server and Dell Compatibility Server Dell Security Server. Used to initialize the database upon installation or to migrate the database to a newer schema. Used to control Dell Services. A component of the Dell Enterprise Server. Required for: All. Dell Remote Management Console: Administration console and control center for the entire enterpr
29. Server, run this installer on each one. Select the language for installation, then click OK. Click Next when the Welcome screen displays. Read the license agreement, agree to the terms, and click Next. Click Next to install EAS Device Manager in the default location of C:\Inetpub\wwwroot\Dell\EAS Device Manager\. Click Install at the Ready to Begin Installation screen. A status window displays the installation progress. 8. If desired, check the box to show the Windows Installer log and click Finish. Install EAS Mailbox Manager: 1. In the Dell installation media, navigate to the EAS Management folder. In the EAS Mailbox Manager folder, copy setup.exe to your Exchange Mailbox Server(s). 2. Double-click setup.exe to begin the installation. If your environment includes more than one Exchange Mailbox Server, run this installer on each one. Select the language for installation, then click OK. Click Next when the Welcome screen displays. Read the license agreement, agree to the terms, and click Next. Click Next to install EAS Mailbox Manager in the default location of C:\Program Files\Dell\EAS Mailbox Manager\. At the Logon Information screen, enter the credentials of the user account that will log on to use this Service. User Name: DOMAIN\Username. Password: password associated with this user name. Click Next. Click Install at the Ready to Begin Installation
30. Server Configuration Tool: Stop the Dell Core Server Service and Dell Compatibility Server Service in Services (Start > Run. Type services.msc) prior to starting the Dell Server Configuration Tool. The Dell Server Configuration Tool allows you to: Configure and initialize your Microsoft SQL database to allow communication with Dell Servers during a new installation of the Dell Enterprise Server, OR configure and migrate your Microsoft SQL database to allow communication with Dell Servers during an upgrade/migration of Dell Enterprise Server; Configure certificates; Configure settings for the web browser version of the Silverlight Console and Dell Manager Trust Validation; Configure SMTP settings for Dell Data Protection | Cloud Edition; Import a Dell Manager certificate. To begin, select either Configure a New Installation or Configure a Migration. Configure a New Installation: 1. Launch the Dell Server Configuration Tool. Go to Start > Programs > Dell > Enterprise Edition > Server Configuration Tool > Run Server Configuration Tool. 2. You may get informational messages stating that your database configuration settings do not match. These messages are for information only and are not a cause for concern. If prompted, click OK for each message. 3. Click the Information tab. This tab is for information only and cannot be edited. All fields are pre-populated
31. Troubleshooting, Create a Self-Signed Certificate and Generate a Certificate Signing Request, or How to Export a Certificate to PFX Using the Certificate Management Console. Windows Authentication: As of v8.1, the Data Source is pre-configured out of the box. No configuration is needed. Use the steps below to change the Data Source, if needed. 1. Type the Username to log in to the Dell database. Leave the password blank. When the domain user logs in, their password will be passed to the database. Type the Hostname to log in to the Dell database. Type the Database Name to log in to the Dell database. Type the Max Idle connections allowed. The default is 2. Type the Max Connections active allowed. The default is 10. Type the Max Wait (maximum number of milliseconds to wait for a connection; 1 is indefinitely). To verify the database URL and test the connectivity between the Dell Compliance Reporter and the Dell database, click Test Connection. 9. Click Update. To discard the information, click Cancel. Administrative tasks are complete. If needed, continue to Troubleshooting, Create a Self-Signed Certificate and Generate a Certificate Signing Request, or How to Export a Certificate to PFX Using the Certificate Management Console. Perform Back-ups: For the purposes of Disaster Recovery, ensure the following locations are backed up weekly, with nightly differentials. DDP|E Enterprise Server: Back up the files in <
32. -alias <ca cert alias> -keystore cacerts -file <ca cert filename> For example: keytool -import -alias Entrust -keystore cacerts -file Entrust.cer Example Method to Request a Certificate: An example method to request a certificate is to use a web browser to access the Microsoft CA Server, which will be set up internally by your organization. 1. Navigate to the Microsoft CA Server. The IP address will be supplied by your organization. 2. Select Request a certificate and click Next. Select Advanced Request and click Next. Select the option to Submit a certificate request using a base64 encoded PKCS #10 file and click Next. Paste in the contents of the CSR request in the text box. Select a certificate template of Web Server and click Submit. Save the certificate. Select DER encoded and click Download CA certificate. Save the certificate. Select DER encoded and click Download CA certification path. Import the converted signing authority certificate. Return to the DOS window. Type: keytool -import -trustcacerts -file <csr filename> -keystore cacerts Now that the signing authority certificate has been imported, the server certificate can be imported (the chain of trust can be established). Type: keytool -import -alias sslkey -file <csr filename> -keystore cacerts Use the alias of the self-signed certificate to pair the CSR reques
33. all Windows Installer 3.1 or later. Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 (3.1): http://www.microsoft.com/downloads/en/details.aspx?FamilyID=889482FC-5F56-4A38-B838-DE776FD4138C&displaylang=en Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 (4.5): http://www.microsoft.com/downloads/en/details.aspx?FamilyId=5A58B56F-60B6-4412-95B9-54D056D6F9F4&displaylang=en Install Microsoft Visual C++ 2010 Redistributable Package: 5. If not already installed, install Microsoft Visual C++ Redistributable Package. If desired, you can allow the Dell Enterprise Server installer to install this component. Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5555 Install Windows Server 2003 Support Tools: 6. If using Windows Server 2003, install Windows Server 2003 Support Tools. Service Pack 1 (32-bit): http://www.microsoft.com/downloads/en/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en Service Pack 2 (32-bit): http://www.microsoft.com/downloads/en/details.aspx?FamilyID=96a35011-fd83-419d-939b-9a772ea2df90&DisplayLang=en Install .NET Framework 3.5.1 Features: Omit this step for Windows Server 2003. The steps for Windows Server 2008 and Windows Server 2008 R2 are essentially the same. Install .NET Fram
34. ame. 11. In the Security Socket Layer and Host dialog, enter the fully qualified domain name of the back end server and select the correct Server edition, Enterprise Edition or Virtual Edition. 12. You have a choice of SSL types to use. Select option a or b below. a. To use an existing certificate that was purchased from a CA authority, select the first option and click Next. NOTE: To use this setting, the exported CA certificate being imported must have the full trust chain. If unsure, re-export the CA certificate and ensure that the following options are selected in the Certificate Export Wizard: Personal Information Exchange - PKCS #12 (.PFX); Include all certificates in the certification path if possible; Export all extended properties. Click Browse to enter the path to the certificate. Enter the password associated with this certificate. The key store file must be .p12 or .pfx. See How to Export a Certificate to .PFX Using the Certificate Management Console for instructions. Click Next. OR b. To create a self-signed certificate, select the second option and click Next. At the Set Up a Certificate Authority dialog, enter the following information: Fully qualified computer name (example: computername.domain.com); Organizational Unit (example: Security); Organization; City; State (full name); Country (two-letter country abbreviation). Click Next. 13. At the Ready to
35. cate that is being used with APNs, enter the fully qualified domain name specified in the certificate. If the box was not selected, then the field is not available. Verify that all other fields are populated for component. Leave the default port value as is, unless there is a conflict with an existing port. Click Next. NOTE: The Message Broker Service does not allow the _ (underscore) character in the fully qualified domain name. 13. In the Security Socket Layer and Host dialog, enter the fully qualified domain name of the back end server and select the correct Server edition, Enterprise Edition or Virtual Edition. 14. You have a choice of SSL types to use. Select option a or b below. a. To use an existing certificate that was purchased from a CA authority, select the first option and click Next. NOTE: To use this setting, the exported CA certificate being imported must have the full trust chain. If unsure, re-export the CA certificate and ensure that the following options are selected in the Certificate Export Wizard: Personal Information Exchange - PKCS #12 (.PFX); Include all certificates in the certification path if possible; Export all extended properties. Click Browse to enter the path to the certificate. Enter the password associated with this certificate. The key store file must be .p12 or .pfx. See How to Export a Certificate to .PFX Using the Certificate Management Console for instructions. Click Next.
36. count must also be db_owner on database. Service account must have local administrator rights to the Dell Data Protection application servers. Software is downloaded from Dell Data Protection file transfer site (CFT): Software is located at https://ddpe.credant.com or https://cft.credant.com under the SoftwareDownloads folder. If you have purchased DDP|E "on the box", the software can be downloaded from www.dell.com. "On the box" refers to software that is included with the factory computer image from Dell. DDP|E can be preinstalled at the factory on any Dell computer. Installation key and license file are available: The license key is included in the original email with CFT credentials; see Example Customer Notification Email. The license file is an XML file located on the CFT site under the Client Licenses folder. NOTE: If you purchased your licenses "on the box", no license file is necessary. The entitlement will be automatically downloaded from Dell upon activation of any new DDP|E client. Database is created: A new database is created on a supported server; see Requirements and Architecture. The target database user has been given db_owner rights. DNS alias created for Dell Enterprise Server and/or Policy Proxies: It is recommended that you create DNS Aliases for scalabil
37. credentials and License Key information. Dell Data Protection | Encryption. Thank you for purchasing Dell Data Protection | Encryption to quickly and easily protect your critical business data. The following is the information you need to download your software and installation instructions for Dell Order. Download Server: https://ddpe.credant.com Username: eerie A Password: HMoFql0Qe Required to change password: No. Account Expiration Date: Never. License Key: A a E Support: Your Dell Data Protection | Encryption Solution is entitled to Dell service and maintenance. For extending your service, contact your Dell sales representative or ask your support representative about an upgrade. For Dell Data Protection | Encryption Solution support, call 1-877-459-7304. Introduction. About Dell Enterprise Server: The Enterprise Server is the security administration piece of Dell's solution. The Remote Management Console allows administrators to monitor the state of endpoints, policy enforcement, and protection across the enterprise. The Enterprise Server has the following features: Centralized management of devices; Role-based security policy creation and management; Administrator-assisted device recovery; Separation of administrative duties; Automatic distribution of security policies; Trusted paths for communication between compon
38. d to use the web browser version of the Silverlight Console. Add Web Server (IIS) Role and ASP.NET Role Service. ASP.NET Role Service is a component of the Web Server (IIS) Role. Windows Server 2003: http://www.microsoft.com/TechNet/prodtechnol/WindowsServer2003/Library/IIS/750d3137-462c-491d-b6c7-5f370d7f26cd.mspx?mfr=true Windows Server 2008 and Windows Server 2008 R2: http://learn.iis.net/page.aspx/29/installing-iis-7-on-windows-server-2008-or-windows-server-2008-r2/ Ensure that the following features are configured: Common HTTP Features: Static Content, Default Document; Application Development: .Net Extensibility. To display the current IIS configuration, enter the following PowerShell command: Import-Module ServerManager; Get-WindowsFeature > c:\iis-features.txt The Get-WindowsFeature > c:\iis-features.txt command creates a text file with the list. To change the IIS configuration, enter the following PowerShell command: Import-Module ServerManager; Add-WindowsFeature Web-Server, Web-WebServer, Web-Static-content, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-asp-net, Web-net-ext, web-isapi-ext, web-isapi-filter, web-http-logging, web-request-monitor, web-filtering, web-stat-compression, web-mgmt-console Windows Server 2012 R2: http://www.iis.net/learn/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2 Ensure that the following features are configured: Common HTTP Features: Static Conten
39. d updating to the most current versions of both the Dell Enterprise Server and Clients. Dell Enterprise Server v8.x supports: Dell Data Protection | Enterprise Edition Windows clients v7.x/8.x; Dell Data Protection | Enterprise Edition SED clients v8.x; Dell Data Protection | Authentication v8.x; Dell Data Protection | BitLocker Manager v7.2/7.x/8.x; Dell Data Protection | Cloud Edition v8.x; Dell Data Protection | Enterprise Edition Mac clients v7.x/8.x; Dell Data Protection | Mobile Edition v7.x/8.x; Upgrade/Migration from Dell Enterprise Server v7.x. When upgrading/migrating your Dell Enterprise Server to a version that includes new policies that are introduced in that version, commit updated policy after upgrade/migration to ensure that your preferred policy settings are implemented for the new policies, rather than default values. In general, our recommended upgrade path is to upgrade/migrate the Dell Enterprise Server and its components, followed by Client installation/upgrade. BEFORE YOU BEGIN: As of v7.7, the Enterprise Server upgrade/migration process contains a few changes from previous releases. You will notice a check box for Front End on the Set Up dialog. If your environment is installed on one server, simply ignore the check box and continue. If your environment is installed on multiple servers (Front End DMZ/Internal and Back End Enterprise), you will run this installer with the check box de-selected for your Back End Ente
40. directory of the server where you are installing Dell Data Protection | Enterprise Edition. Copying/pasting or dragging/dropping will produce errors and an unsuccessful installation. NOTE: Follow the same procedure for Dell Enterprise Server x86 for the 32-bit installer. 2. Double-click setup.exe. 3. When the InstallShield Wizard displays, select the language for installation, then click OK. 4. If not already installed, a message may display informing you that Microsoft Visual C++ 2010 Redistributable Package must be installed before continuing. Click Install. 5. When the Welcome dialog displays, click Next. At the License Agreement, indicate acceptance, then click Next. 7. If you optionally completed step 14 in Pre-Installation Configuration, click Next. If not, enter the 32-character Product Key and then click Next. The Product Key is located in the file EnterpriseServerInstallKey.ini. 8. Click Next to install the Dell Enterprise Server to the default location of C:\Program Files\Dell. Otherwise, click Change to select a different location, then click Next. 9. Select Complete and select the Front End check box. Click Next. We recommend only selecting Complete. If you select Custom, you will need to de-select all of the components you do not want installed on the Front End. The Complete option automatically installs only the components that are appropriate for the Front End. 10. For the Secur
41. e Generate Self-Signed Certificate and Use Current Settings. Choose one path: Path 1: Generate Self-Signed Certificate; Path 2: Use Current Settings. Path 1: Generate Self-Signed Certificate. a. From the top menu, select Actions > Configure Certificates. b. When the Configuration Wizard launches, select Advanced and click Next. c. Select Generate Self-Signed Certificate and click Next. The information from the self-signed certificate that was created when installing the Enterprise Server will be used, if available. d. From the top menu, select Configuration > Save. If prompted, confirm the save. Certificate set up is complete. The rest of this section details the other method of creating a certificate and may be ignored. If your deployment includes Dell Manager, continue to step 9 on page 55. If your deployment does not include Dell Manager, continue to step 10 on page 56. Path 2: Use Current Settings. From the top menu, select Actions > Configure Certificates. When the Configuration Wizard launches, select Advanced and click Next. Select Use Current Settings and click Next. At the Compatibility Server SSL Certificate window, select Generate Self-Signed Certificate and click Next. The information from the self-signed certificate that was created when installing the Enterprise Server will be used, if available. Click Next. At the Core Server SSL Certificate w
42. ectory server for every user. If a user is a member of a Domain or Group but does not appear in the Domain or Group Members list in the Dell Remote Management Console, ensure that all three names are properly defined for the user in the enterprise directory server. The query will automatically search by common name, then UPN, and then sAMAccount name, until a match is found. 5. Select users from the Directory User List to add to the Domain. Use <Shift><click> or <Ctrl><click> to select multiple users. 6. Click Add Selected. 7. Click the Details icon of the specified user. 8. On the top menu, select the Admin tab. 9. Select the administrative roles to add to this user. 10. Click Save. Log in with Dell Administrator Role: 1. Log out of the Dell Remote Management Console. 2. Log in to the Dell Remote Management Console and log in with Domain user credentials. Upload Client Access License: You received Client Access Licenses separately from the installation files, either at the initial purchase or later if you added additional Client Access Licenses. In the left pane, click Home. 2. Expand the Settings area, if needed, and click Client Licenses. 3. Click Browse to locate the Client License file. 4. Click Upload License File. Apply a Policy Template: If desired, you can apply a policy template to the enterprise level. If you want policies to be applied at levels below the Enterprise levels, modify the individual policies. T
43. ents; Unique encryption key generation and automatic secure key escrow; Centralized compliance auditing and reporting. Customer Support: Refer to your Welcome Letter for Dell ProSupport contact information. When contacting Dell ProSupport, have the following information available: Version information for the relevant components; Operating system version for the server/workstation where the components are running. For the Dell Enterprise Server, the version number and build date can be found in the About link in the Dell Remote Management Console. For the Exchange ActiveSync component installed on the front-end Exchange Server, locate the version number from Windows Explorer: Right-click <Exchange ActiveSync install dir>\OTASyncControl.dll, select Properties, and click the Version tab. A detailed description of the issue you are experiencing. Information about where we can reach you. Requirements and Architecture: This section details hardware and software requirements and architecture design recommendations for Dell Data Protection | Encryption implementation. Requirements: The Dell Enterprise Server components have hardware and software requirements, in addition to the software provided on the Dell installation media. Ensure that the installation environment meets the requirements before continuing with installation or up
44. ere you intend to install the Dell Enterprise Server is very important. Pay special attention to this section to ensure a smooth installation of the Dell Enterprise Server. Configuration: 1. If enabled, turn off User Access Control (UAC) and Internet Explorer Enhanced Security Configuration (ESC). Add the Server URL to Trusted Sites in the browser security options. Reboot the server. Open the following ports for each component. Internal: Active Directory communication: TCP 389. Email communication (optional): 25. To Front End (if needed): Communication from external Dell Policy Proxy to Dell Message Broker: TCP 61616 and STOMP 61613. Communication to back end Dell Security Server: HTTPS 8443. Communication to back end Dell Core Server: HTTPS 8888 and 9000. Communication to RMI ports: 1099. Communication to back end Dell Device Server: HTTP(S) 8081 (if your Dell Enterprise Server is v7.7 or later); HTTP(S) 8443 (if your Dell Enterprise Server is pre-v7.7). External (if needed): SQL Database: TCP 1433. Silverlight Console: HTTP 80. LDAP: TCP 389/636 (local domain controller), TCP 3268/3269 (global catalog), TCP 135/49125 (RPC). Dell Compatibility Server: TCP 1099. Dell Compliance Reporter: HTTP(S) 8084. Dell Console Web Services: HTTP 9011. Dell Identity Server: HTTPS 8445. Dell Core Server: HTTPS 8888 and 9000. Dell Device Server: HTTP(S) 8081 (Dell Enterprise Server v7.7 or later) or HTTP(S) 8443 (pre-v7.7 Dell Enterprise Server). Dell Key
45. erver. Right-click the entry and select Properties. On the Log On tab, select This account. Browse to locate the Windows domain account you set up. The format should be DomainName\AdministratorName or administrator@domainname.com. Type the password for this Windows domain account and confirm it. Click OK. Configure the Dell Identity Server to run using the Windows domain account you set up: Go to Start > Run. Type services.msc and click OK. When Services opens, highlight Dell Core Server. Right-click the entry and select Properties. On the Log On tab, select This account. Browse to locate the Windows domain account you set up. The format should be DomainName\AdministratorName or administrator@domainname.com. Type the password for this Windows domain account and confirm it. Click OK. Configure the Dell Key Server to run using the Windows domain account you set up: Go to Start > Run. Type services.msc and click OK. When Services opens, highlight Dell Key Server. Right-click the entry and select Properties. On the Log On tab, select This account. Browse to locate the Windows domain account you set up. The format should be DomainName\AdministratorName or administrator@domainname.com. Type the password for this Windows domain account and confirm it. Click OK. Configure the Dell Message Broker Service to run using the Windows domain account you set up
46. es, Dell Security Server, or Dell Device Server. 2. Back up the default certificate database: Click Start > Run and type: move cacerts cacerts.old 3. Add Keytool to the system path. Type the following command in a command prompt: set path=%path%;<Dell Java Install Dir>\bin 4. To generate a certificate, run Keytool as shown: keytool -genkey -keyalg RSA -sigalg SHA1withRSA -alias Dell -keystore cacerts 5. Enter the following information as the Keytool prompts for it. NOTE: Back up configuration files before editing them. Only change the specified parameters. Changing other data in these files, including tags, can cause system corruption and failure. Dell cannot guarantee that problems resulting from unauthorized changes to these files can be solved without reinstalling the Dell Enterprise Server. Keystore password: Enter a password (unsupported characters are < > &) and set the variable in the component conf file to the same value, as follows: <Compliance Reporter install dir>\conf\eserver.properties: Set the value eserver.keystore.password. <Console Web Services install dir>\conf\eserver.properties: Set the value eserver.keystore.password. <Device Server install dir>\conf\eserver.properties: Set the value eserver.keystore.password. <Security Server install dir>\conf\eserver.properties: Set the value eserver.keystore.password. Fully Qualified Server Name: Enter the fully qualified name of t
47. ete. Click the Settings tab. Silverlight Console: The default installation address of the Silverlight Console is automatically populated. If your installation of Silverlight is hosted on a different server, such as a special IIS server, enter the address in the Silverlight Console URL field. Manager: To turn off Dell Manager SSL trust validation, check Disable Trust Chain Check. NOTE: The client computer also must have the following registry entry to disable trust validation: HKLM\System\CurrentControlSet\Services\CredMgmtAgent\Parameters, DisableSSLCertTrust = DWORD (32-bit) Value: 1. Disabling trust validation lessens security but allows you to use a self-signed certificate for pilots, POCs, etc. For a production environment, Dell recommends public CA-signed or domain-signed certificates. SCEP: If using Dell Data Protection | Mobile Edition, enter the URL of the server hosting SCEP. Click the SMTP tab. This tab configures SMTP settings for Dell Data Protection | Cloud Edition. If SMTP settings need to be configured for other purposes outside of Dell Data Protection | Cloud Edition, see the AdminHelp topic Enable SMTP Server for License Email Notifications. Enter the following information: a. In the Host Name field, enter the FQDN of your SMTP server, such as smtpservername.domain.com. In the User Name field, enter the User Name that will log in to the mail server. The format can be DOMAIN\jdoe, jdoe, or whatever form your o
48. ework 3.5.1 Features. a. Start Server Manager. b. Select Features. c. Expand the Features Summary in the right pane and click Add Features. d. Select the checkbox for .NET Framework 3.5.1 Features. Depending on server version, this may be listed as .NET Framework 3.0 Features. If so, select that option. You may be required to install .NET Framework 3.5.1 Roles Services before proceeding. If so, click Add Required Role Services. Click Next to begin installation of .NET Framework 3.5.1 Features. At the Web Server (IIS) window, click Next. At the Select Role Services window, leave the default values as is and click Next. At the Confirm Installation Selections window, click Install. Once the installation finishes, an Installation Succeeded message displays. Click Close. Install .NET Framework 3.5 SP1. 8. Install .NET Framework 3.5 SP1 (Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2): http://www.microsoft.com/downloads/en/details.aspx?familyid=AB99342F-5D1A-413D-8319-81DA479AB0D7&displaylang=en Install .NET Framework 4.0. 9. Install .NET Framework 4.0 (Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2): http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9cfb2d51-5ff4-4491-b0e5-b386f32c0992&displaylang=en Enterprise Server Installation and Migration Guide 27 Add Web Server (IIS) Role and ASP.NET Role Service. 10. This only needs to be completed if you inten
49. fault values. Click Next. In Confirmation, click Install. In Results, review the results and click Close. In Server Manager > Roles, select Add Role Services under Active Directory Certificate Services. When the Select Role Services window displays, check the box for Network Device Enrollment Service. Click Next. Add the user account that Network Device Enrollment Service should use when authorizing certificate requests to the Users Group of IIS_IUSRS of the local server. The format is Domain\UserName. Click OK. At the Specify User Account window, select the user that was just added to the IIS_IUSRS group. Click Next. At the Specify Registration Authority Information window, keep the default values for Required Information and Add Optional Information, as desired. Click Next. At the Configure Cryptography for Registration Authority window, keep the default values. Click Next. At the Confirm Installation Selections window, click Install. At the Installation Results window, review the results and click Close. Close Server Manager. b. Modify Registry Key as follows: HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword, "EnforcePassword"=dword:00000000 c. Open IIS Manager. Drill into <ServerName> > Sites > Default Web Site > CertSrv > mscep_admin. Open Authentication and enable Anonymous Authentication. d. Click Start > Run. Type certsrv.msc and click Enter. When the certsrvw
50. grade migration tasks. Dell Enterprise Server Prerequisites: The following table details the software that must be in place before installing the Dell Enterprise Server. Links and directions to install these prerequisites are detailed in Pre-Installation Configuration. Prerequisites: Windows Installer 3.1 or later (Windows Installer 3.1 or later must be installed on the server where the installation is taking place). Microsoft Visual C++ 2010 Redistributable Package (if not installed, the installer will install it for you). Microsoft .NET Framework Version 3.5 SP1. Microsoft .NET Framework Version 4.0 (Microsoft has published security updates for .NET Framework Version 4). Microsoft Windows Identity Foundation. Internet Information Services (IIS). Windows Server 2003 Support Tools (SP1 or SP2, depending on server version), if using Windows Server 2003. Silverlight, if you intend to use the web browser version of the Silverlight Console. Dell Enterprise Server Hardware: The following table details the minimum hardware requirements for Dell Enterprise Server. See Architecture Design for additional information about scaling based on the size of your organization. NOTE: Registry locations for Dell Policy Proxy (if installed): 32-bit: HKLM\Software\CREDANT. 64-bit: HKLM\Software\Wow6432Node\CREDANT. NOTE: When Enterprise Server is running on a 32 bit
51. he Policy Administrator and Superadmin are the only roles which can work with Policy Templates. The default policy templates are read-only. 1. In the left pane, click Protect & Manage > Enterprise. 2. Click Security Policies on the top menu. Highlight the policy template to apply and click Save. 3. Click Actions > Commit Policies. Click Apply Changes. Your Policy Template is now applied as specified. NOTE: You can optionally override a policy template by clicking Override. TIP: Suppose you applied a template at the Enterprise level, saved, and then committed it. As expected, the Save and Cancel buttons are now inactive. Now you click another template, and that template displays as the Local policy value. When you come back to the template page listing, the Save and Cancel buttons have become active again and the Local values display as the unsaved/uncommitted template. In this situation, it can be difficult to distinguish which template is applied. To reset/unset the latest unsaved and uncommitted template, simply Ctrl + left mouse click on the highlighted template name (the template name that is not saved or committed) to bring the Local values back to the saved and committed level. Commit Policies: To commit policies that have been modified and saved, follow these steps: 1. In the left pane, click Actions > Commit Policies. 2. Click Apply Changes. Configure Dell Compliance Rep
52. he United States and other countries. Apple, Aperture, App Store, Apple Remote Desktop, Apple TV, Boot Camp, FileVault, iCloud, iPad, iPhone, iPhoto, iTunes Music Store, Macintosh, Safari, and Siri are either servicemarks, trademarks, or registered trademarks of Apple, Inc. in the United States and/or other countries. GO ID, RSA, and SecurID are registered trademarks of EMC Corporation. EnCase and Guidance Software are either trademarks or registered trademarks of Guidance Software. Entrust is a registered trademark of Entrust, Inc. in the United States and other countries. InstallShield is a registered trademark of Flexera Software in the United States, China, European Community, Hong Kong, Japan, Taiwan, and United Kingdom. Micron and RealSSD are registered trademarks of Micron Technology, Inc. in the United States and other countries. Mozilla Firefox is a registered trademark of Mozilla Foundation in the United States and/or other countries. iOS is a trademark or registered trademark of Cisco Systems, Inc. in the United States and certain other countries and is used under license. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. SAMSUNG is a trademark of SAMSUNG in the United States or other countries. Seagate is a registered trademark of Seagate Technology LLC in the United States and/or other countries. Travel
53. he User Name field, enter the User Name that will log in to the mail server. The format can be DOMAIN\jdoe, jdoe, or whatever form your organization requires. In the Password field, enter the Password associated with this User Name. In the From Address field, enter the email address that the email will originate from. This may be the same as the account for the User Name (jdoe@domain.com), but it can also be another account that the specified User Name has access to send email for (CloudRegistration@domain.com). In the Port field, enter the Port number (typically 25). In the Authentication menu, select either True or False. 12. Finish configuration. From the top menu, select Configuration > Save. If prompted, confirm the save. Close the Dell Server Configuration Tool. Click Start > Run. Type services.msc and click OK. When Services opens, click Start the service for the Dell Message Broker, then the Dell Security Server. The remaining Services can be started in any order. Click Actions > Commit Policies. As a Dell Administrator, log in to the Dell Remote Management Console. Click Apply Changes. Log off the Dell Remote Management Console. The Dell Server Configuration Tool logs to C:\Program Files\Dell\Enterprise Edition\Configuration Tool\Logs. Configuration of the upgrade/migration is complete. Continue to Web Browser Version of Silverlight Console Configuration. Enterprise Server Installa
54. he server where the component you are working with is installed. This fully qualified name includes the host name and the domain name (example: server.domain.com). Organizational unit: Enter the appropriate value (example: Security). Organization: Enter the appropriate value (example: Dell). City or locality: Enter the appropriate value (example: Dallas). State or province: Enter the unabbreviated state or province name (example: Texas). Two-letter country code. The utility prompts for confirmation that the information is correct. If so, type yes. If not, type no. The Keytool displays each value entered previously. Click Enter to accept the value, or change the value and click Enter. Key password for alias: If you do not enter another password here, this password defaults to the Keystore password. Request a Signed Certificate from a Certificate Authority: Use this procedure to generate a Certificate Signing Request (CSR) for the self-signed certificate created in Generate a New Key Pair and a Self-Signed Certificate. 1. Substitute the same value used previously for <certificate-alias>: keytool -certreq -sigalg SHA1withRSA -alias <certificate-alias> -keystore cacerts -file <csr-filename> For example: keytool -certreq -sigalg SHA1withRSA -alias sslkey -keystore cacerts -file Dell.csr The .csr file will contain a BEGIN/END pair that will be used during the creat
55. his account must also be db_owner on the CMG DDP|E database. Service account must have local administrator rights to the Dell Data Protection application servers. Software is downloaded from Dell Data Protection file transfer site (CFT). Software is located at https://ddpe.credant.com or https://cft.credant.com under the SoftwareDownloads folder. If you have purchased DDP|E "on the box", the software can be downloaded from www.dell.com. "On the box" refers to software that is included with the factory computer image from Dell. DDP|E can be preinstalled at the factory on any Dell computer. Installation key and license file are available. The license key is included in the original email with CFT credentials; see Example Customer Notification Email. The license file is an XML file located on the CFT site under the Client Licenses folder. NOTE: If you purchased your licenses "on the box", no license file is necessary. The entitlement will be automatically downloaded from Dell upon activation of any new DDP|E client. Have enough endpoint licenses. Prior to upgrading, please ensure that you have enough client licenses to cover all of the endpoints in your environment. If your installations currently exceed your license count, please contact your Dell Sales Representative prior to upgrading or migrating. DDPE 8.x will perform license validation and activatio
56. ificate to PFX Using the Certificate Management Console. Process: 1. Add Keytool to the system path: set path=%path%;<Dell Java Install Dir>\bin 2. Use Keytool to list the contents of the trusted domain certificate that you want to import. Take note of the Alias Name listed: keytool -list -v -keystore C:\<path to pfx>\SignedCert.pfx -storetype PKCS12 3. Use Keytool to import the contents of the signed certificate into the Dell Security Server's cacerts file: keytool -importkeystore -v -srckeystore C:\<path to source file>\SignedCert.pfx -srcstoretype PKCS12 -srcalias AliasName -destkeystore C:\<path to dest cacert>\cacerts -deststorepass changeit -destalias AliasName -destkeypass changeit For -srcalias, you will need to gather this information from the exported contents of the signed certificate. For -destalias, this can be any location you choose. 4. Back up and replace the current cacerts file in the <Security Server install dir>\conf\ directory with this newly created cacerts file on the Dell Security Server. Modify application.properties File: Modify the application.properties file to specify the alias of the signing cert. 1. Go to <Security Server install dir>\conf\application.properties. 2. Modify the following information: keystore.alias.signing=<Change this value to the value of step 3 above for -destalias> 3. Restart the Dell Security Server Service. Continue to APNs Enrollment. Enterpri
57. indow, select one of the following: Select Certificate: Select this option to use an existing certificate. Click Next. Browse to the location of the existing certificate, enter the password associated with the existing certificate, and click Next. Click Finish when complete. Generate Self-Signed Certificate: The information from the self-signed certificate that was created when installing the Enterprise Server will be used, if available. If you select this option, the Message Security Certificate window does not display (the window does display if you select option Use Current Settings), and the certificate created for the Dell Compatibility Server is used. Verify that the fully qualified computer name is correct. Click Next. A warning message displays, telling you that a certificate by the same name already exists. When asked if you would like to use it, click Yes. Click Finish when complete. Use Current Settings: Select this option to change a setting on a certificate anytime after the initial configuration of the Dell Enterprise Server. Selecting this option leaves your already configured certificate in place. Selecting this option advances you to the Message Security Certificate window. At the Message Security Certificate, select one of the following: Select Certificate: Select this option to use an existing certificate. Click Next. Browse to the location of the existing certificate, enter the password associated with the e
58. indow displays, right-click the server name, select Properties, and click the Policy Module tab. Click Properties and select "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate". Click OK. e. Close IIS Manager. f. Restart the server. To verify, open Internet Explorer and in the address bar enter http://server.domain.com/certsrv/mscep_admin. End of MSCEP Windows Server 2008 R2 setup. Install/Configure Microsoft Message Queuing (MSMQ): This step only needs to be completed if you intend to use Dell Data Protection Mobile Edition. This is a prerequisite for the EAS Device Manager and EAS Mailbox Manager to be able to communicate. 13. Install MSMQ 4.0 on Windows Server 2008 or Windows Server 2008 R2 (on the server hosting the Exchange environment): http://msdn.microsoft.com/en-us/library/aa967729.aspx Optional: 14. For a new installation or an upgrade/migration for 7.x/8.x, copy your Product Key (the name of the file is EnterpriseServerInstallKey) into C:\Windows to automatically populate the 32-character Product Key in the Dell Enterprise Server installer. The pre-installation configuration of the server is complete. Continue to Install or Upgrade/Migrate. Install or Upgrade/Migrate: The chapter details a new installation of the Dell Enterprise Server or an upgrade mig
59. ing. Participate in Dell Data Protection Administrator basic knowledge transfer. Implement Best Practices. Coordinate Pilot or Deployment Support with Dell Client Services. Kick-off and Requirements Review: Before installation, it is important to understand your environment and the business and technical objectives of your project, to successfully implement Dell Data Protection Encryption to meet these objectives. Ensure that you have a thorough understanding of your organization's overall data security requirements. The following are some common key questions to help the Dell Client Services Team understand your environment and requirements: What is your organization's type of business (health care, etc.)? What regulatory compliance requirements do you have (HIPAA/HITECH, PCI, etc.)? What is the size of your organization (number of users, number of physical locations, etc.)? What is the targeted number of endpoints for the deployment? Are there plans to expand beyond this number in the future? Do end users have local admin privileges? What data and devices do you need to manage and encrypt (local fixed disks, USB, etc.)? What products are you considering deploying? Enterprise Edition Windows clients, Enterprise Edition SED clients, Authentication, BitLocker Manager, Cloud Edition, External Media Shield (EMS), Enterprise Edition Mac clients, Mobile Edition for Android, iOS, and Windows Phone. What type of
60. ing trust validation lessens security, but allows you to use a self-signed certificate for pilots, POCs, etc. For a production environment, Dell recommends public CA-signed or domain-signed certificates. Workstations running the web browser version of the Silverlight Console: Insert the Root Agency signing certificate from Intermediate Certification Authorities into the workstation's Trusted Root Certification Authorities for "local computer" in the Microsoft keystore. There are two methods to create a certificate: Express and Advanced. Choose one method. Express: Choose this method to generate a self-signed certificate for all components. This is the easiest method. Advanced: Choose this method to configure each component separately. Express: a. From the top menu, select Actions > Configure Certificates. b. When the Configuration Wizard launches, select Express and click Next. The information from the self-signed certificate that was created when installing the Enterprise Server will be used, if available. c. From the top menu, select Configuration > Save. If prompted, confirm the save. Certificate setup is complete. The rest of this section details the Advanced method of creating a certificate and may be ignored. If your deployment includes Dell Manager, continue to step 9 on page 55. If your deployment does not include Dell Manager, continue to step 10 on page 56. Advanced: There are two paths to create a certificat
61. ion of the certificate on the CA. 2. Follow your organizational process for acquiring an SSL server certificate from a Certificate Authority. Send the contents of the <csr-filename> for signing. NOTE: There are several methods to request a valid certificate. An example method is shown in Example Method to Request a Certificate. 3. When the signed certificate is received, store it in a file. 4. As a best practice, back up this certificate in case an error occurs during the import process. This backup will prevent having to start the process over. Import a Root Certificate: If the root certificate Certificate Authority is Verisign (but not Verisign Test), skip to the next procedure and import the signed certificate. The Certificate Authority root certificate validates signed certificates. 1. Do one of the following: Download the Certificate Authority root certificate and store it in a file. Obtain the enterprise directory server root certificate. 2. Do one of the following: If you are enabling SSL for Dell Compliance Reporter, Dell Console Web Services, Dell Security Server, or Dell Device Server, change to the component conf directory. If you are enabling SSL between the Dell Enterprise Server and the enterprise directory server, change to <Dell install dir>\Java Runtimes\jre1.x.x_xx\lib\security (the default password for JRE cacerts is changeit). 3. Run Keytool as follows to install the root certificate: keytool -import -trustcacerts
62. is complete, reboot the server. Ensure the directories below no longer exist (if so, manually delete): Program Files\Dell and ProgramData\Dell. In the Dell installation media, navigate to the Dell Enterprise Server directory. Unzip (NOT copy/paste or drag/drop) Dell Enterprise Server x64 to the root directory of the server where you are installing Dell Data Protection Enterprise Edition. Copying/pasting or dragging/dropping will produce errors and an unsuccessful installation. NOTE: Follow the same procedure for Dell Enterprise Server x86 for the 32-bit installer. 9. Double-click setup.exe. 10. When the InstallShield Wizard displays, select the language for installation, then click OK. 11. If not already installed, a message may display informing you that Microsoft Visual C++ 2010 Redistributable Package must be installed before continuing. Click Install. 12. When the Welcome dialog displays, click Next. 13. At the License Agreement, indicate acceptance, then click Next. 14. If you optionally completed step 14 in Pre-Installation Configuration, click Next. If not, enter the 32-character Product Key and then click Next. The Product Key is located in the file EnterpriseServerInstallKey.ini. 15. Click Next to install the Dell Enterprise Server to the default location of C:\Program Files\Dell. Otherwise, click Change to select a different location, then click Next. 16. Select the Setup type, without the Front End chec
63. ise deployment. A component of the Dell Enterprise Server. Required for: All. Dell Console Web Services. Description: Supports Dell Enterprise Server communication with the Dell Compatibility Server. A component of the Dell Enterprise Server. Required for: All. Dell Core Server. Description: Used for policy and license management, as well as providing policy updates and registration for Dell Data Protection SED Management and Dell Data Protection BitLocker Manager. A component of the Dell Enterprise Server. Required for: All. Silverlight Console. Description: Web browser version of the administration console and control center for the entire enterprise deployment. A component of the Dell Enterprise Server. Required for: Not required. Dell Security Server. Description: Provides the mechanism for controlling commands and communication with AD. Used to communicate with the Dell Policy Proxy. A component of the Dell Enterprise Server. Required for: All. Dell Compatibility Server. Description: A Service for managing the enterprise architecture. A component of the Dell Enterprise Server. Required for: All. Dell Message Broker Service. Description: Handles communication between the services of the Dell Enterprise Server. Required for: All. Dell Device Server. Description: Supports activations and password recovery. A component of the Dell Enterprise Server. Required for: Dell Data Protection Enterprise Edition for Mac, Dell Data Protection Enter
64. ity. This will allow you to add additional servers later, or separate components of the application, without requiring client update. DNS aliases are created, if desired. Suggested DNS aliases: Enterprise Server: ddpe-es.<domain.com>. Front End Server: ddpe-fe.<domain.com>. NOTE: Split DNS allows you to use the same DNS name for both internal and external Front End Services, and is necessary in some cases. Split DNS enables you to use a single address for your clients and provides flexibility when performing upgrades or scaling the solution later. A suggested CNAME for Front End Servers when using Split DNS is this: ddpe-fe.<domain.com>. Plan for SSL Certificates: We have an internal Certificate Authority (CA) that can be used to sign certificates and is trusted by all workstations in the environment, or we plan to purchase a signed certificate using a public Certificate Authority, such as VeriSign or Entrust. If using a public Certificate Authority, please inform the Dell Client Services Engineer. Change Control requirements identified and communicated to Dell: Submit any specific Change Control requirements for the installation of DDP|E to Dell Client Services prior to the installation engagement. These requirements may include changes to the application server(s), database, and client workstations. Test Hardware prepared: Prepare at least three computers with your corp
65. ity Server in Proxy Mode, Core Server in Proxy Mode, and Device Server in Proxy Mode, verify that all fields are populated and correct for each component. Leave the default port value as is, unless there is a conflict with an existing port. For the back end settings used by this server area, enter the FQDNs of the Back End Servers so that the Front End Servers may communicate with them. All fields are required. Click Next. NOTE: The Message Broker Service does not allow the underscore character in the fully qualified domain name. 11. In the Security Socket Layer and Host dialog, enter the fully qualified domain name of the back end server and select the correct Server edition: Enterprise Edition or Virtual Edition. 12. You have a choice of SSL types to use. Select option a or b below. a. To use an existing certificate that was purchased from a CA authority, select the first option and click Next. NOTE: To use this setting, the exported CA certificate being imported must have the full trust chain. If unsure, re-export the CA certificate and ensure that the following options are selected in the Certificate Export Wizard: Personal Information Exchange - PKCS #12 (.PFX); Include all certificates in the certification path if possible; Export all extended properties. Click Browse to enter the path to the certificate. Enter the password associated with this certificate. The key store file must be .p12 or .pfx. See Ho
66. k box being selected, and click Next. If the Complete option is selected, all program features are installed. Continue to step 18. The Custom option selection allows installation of only those program features desired. Continue to step 17. At the Custom Setup dialog, choose the features you want to install. For a description of each feature and what it is required for, see Dell Component Descriptions. Once the features are selected, click Next. Continue to step 18. Verify that all fields are populated for each component. Leave the default port value as is, unless there is a conflict with an existing port. If the Works with Front End box is selected, on the next dialog you will enter the fully qualified domain name for the Dell Security Server. If you have an external certificate that is being used with APNs, enter the fully qualified domain name specified in the certificate. If the box is not selected, then the field is not available on the next dialog. Click Next. 19. For the Front End Security Server host name, this relates to the previous dialog's Works with Front End box. If the box was selected on the previous dialog, enter the fully qualified domain name for the Dell Security Server. If you have an external certificate that is being used with APNs, enter the fully qualified domain name specified in the certificate. If the box was not selected, then the field is not available
67. ld, enter application/x-ms-xbap. Click OK. In the Extension field, enter .deploy. In the MIME types field, enter application/octet-stream. Click OK. In the Extension field, enter .xps. In the MIME types field, enter application/vnd.ms-xpsdocument. Click OK. 8. Click OK to apply the change. IIS 7 (Windows Server 2008 and Windows Server 2008 R2): These MIME types are pre-configured in IIS 7 (Windows Server 2008 and Windows Server 2008 R2). No action is needed. IIS 8.5 (Windows Server 2012 R2): These MIME types are pre-configured in IIS 8.5 (Windows Server 2012 R2). No action is needed. Add Documents: IIS 6 (Windows Server 2003): Add the following document type. This document type may have already been added to IIS at some point. If so, continue to the next section once you verify that it is present. If needed, open IIS Manager. Expand the Websites folder. Expand Default Website. Right-click Console. Select Properties. Select the Documents tab. Ensure the checkbox Enable default content page is selected. Ensure that Default.aspx is present. If not, click Add and follow the instructions below. In the Default content page field, enter Default.aspx. Click OK. Highlight Default.aspx and click Move Up to move it to the top of the list. Click OK to apply the change. IIS 7 (Windows Server 2008 and Windows Server 2008 R2): This document type is pre-configured in IIS 7 (Windows Server 2008 and Windo
68. lick Next Enterprise Server Installation and Migration Guide 49 8 50 Browse to the location of the existing certificate enter the password associated with the existing certificate and click Next Click Finish when complete Generate Self Signed Certificate The information from the self signed certificate that was created when installing the Enterprise Server will be used if available If you select this option the Message Security Certificate window does not display the window does display if you select option Use Current Settings and the certificate created for the Dell Compatibility Server is used Verify that the fully qualified computer name is correct Click Next A warning message displays telling you that a certificate by the same name already exists When asked if you would like to use it click Yes Click Finish when complete Use Current Settings Select this option to change a setting on a certificate anytime after the initial configuration of the Dell Enterprise Server Selecting this option leaves your already configured certificate in place Selecting this option advances you to the Message Security Certificate window At the Message Security Certificate select one of the following Select Certificate Select this option to use an existing certificate Click Next Browse to the location of the existing certificate enter the password associated with the existing certificate and click Next Click
69. mainname.com/console 7. If the web browser version of the Silverlight Console is installed, you will be asked to enter your credentials to access the Dell Remote Management Console. If you have not installed Silverlight, you will receive a notification asking if you would like to install Silverlight. Click "Click now to install" and follow the prompts to complete the installation. 8. You may get a security alert warning that your security settings do not allow this file to be downloaded. If so, click OK. 9. On the browser toolbar, select Tools > Internet Options. 10. From the Security tab, at the bottom of the window, click Custom level. 11. Scroll to File download and select Enable, and click OK. 12. Re-attempt to open the web browser version of the Silverlight Console. Type in the Silverlight Console URL. The format is http://servername.domainname.com/console 13. If you have not installed Silverlight, you will receive a notification asking if you would like to install Silverlight. Click "Click now to install" and follow the prompts to complete the installation. OR As a Dell Administrator, log in to the Dell Remote Management Console. The default credentials are superadmin/changeit. Troubleshoot Silverlight Console: Error: Unable to Access the User Admin Roles. The "Unable to Access the User Admin Roles" error is an end-to-end check to attempt to retrieve/validate the roles from the database. Therefore, SSL errors, network errors, database err
70. mart cards requires SSL validation with the Dell Security Server. Dell Manager performs SSL validation when connecting to the Dell Core Server. The Silverlight Console also performs SSL validation. For these types of connections, the signing CA will need to be in the keystore (either the Java keystore or the Microsoft keystore, depending on which Dell Server component is being discussed). If self-signed certificates are chosen, the following options are available. Validation of smart cards used for Preboot Authentication: Import the Root Agency signing certificate and full chain of trust into the Dell Security Server Java keystore. For more information, see Create a Self-Signed Certificate and Generate a Certificate Signing Request. The full chain of trust must be imported. Dell Manager: Insert the Root Agency signing certificate (from the self-signed certificate generated) into the workstation's Trusted Root Certification Authorities for "local computer" in the Microsoft keystore. Modify the behavior of Dell Manager to not perform SSL validation: To turn off Dell Manager SSL trust validation, check Disable Trust Chain Check on the Settings tab. The client computer also must have the following registry entry to disable trust validation: HKLM\System\CurrentControlSet\Services\CredMgmtAgent\Parameters\DisableSSLCertTrust, DWORD (32-bit) Value: 1. Disabl
71. [Figure: architecture diagram. Labels: mpatibility Server, DDPE Security Server Proxy, DDPE Core Server, DDPE Core Server Proxy, DDPE Security Server, DDPE Device Server Proxy, DDPE Console, DDPE Policy Proxy, DDPE Key Server, DDPE Compliance Reporter, DDPE Agents & Dell Manager, DDPE Identity Server, Exchange Server, Front End Server, DDPE Message Broker Service.] 5,000 - 20,000 Endpoints. This architecture accommodates environments ranging between 5,000 and 20,000 endpoints. A front end server is added to distribute the additional load and is designed to handle approximately 15,000 - 20,000 endpoints. Optionally, a front end server can be placed in the DMZ for publishing policies and/or activating endpoints over the Internet. Architecture Components: Dell Enterprise Server, Dell Internal Front End Server, Dell External Front End Server, SQL Server. [Figure: architecture diagram with Outside, DMZ and Inside zones. Labels: External Front End Proxy Server and Internal Front End Proxy Server (each with DDPE Policy Proxy, DDPE Security Server Proxy, DDPE Core Server Proxy, DDPE Device Server Proxy), Front End Server Listening Ports, DDPE Enterprise Server Ports, DDPE Compatibility Server, DDPE Core Server.]
72. n and Migration Guide Figure 4-1. Known Password: <EncryptedData Id="server.pass"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:KeyName>none</ds:KeyName> </ds:KeyInfo> <CipherData> <CipherValue><value>changeit</value></CipherValue> </CipherData> </EncryptedData> If you do not know the password, cut and paste the section similar to the section shown in Figure 4-2 from the backed up <Compatibility Server install dir>\conf\server_config.xml file into the corresponding section in the new server_config.xml file. Figure 4-2. Unknown Password: <EncryptedData Id="server.pass"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:KeyName>CFG_KEY</ds:KeyName> </ds:KeyInfo> <CipherData> <CipherValue>AHashedKeyValueIsHereLooksLikeRandomCharacters</CipherValue> </CipherData> </EncryptedData> Save and close the file. NOTE: Do not attempt to change the Dell Enterprise Server password by editing the server.pass value in server_config.xml at any other time. If you change this value, you lose access to the database. Front End Server(s): 1. In the Dell installation media, navigate to the Dell Enterprise Server directory. Unzip (NOT copy/paste or drag/drop) Dell Enterprise Server x64 to the root
73. n using smart cards requires SSL validation with the Dell Security Server. Dell Manager performs SSL validation when connecting to the Dell Core Server. For these types of connections, the signing CA will need to be in the keystore (either the Java keystore or the Microsoft keystore, depending on which Dell Server component is being discussed). If self-signed certificates are chosen, the following options are available: Validation of smart cards used for Preboot Authentication: Import the Root Agency signing certificate and full chain of trust into the Dell Security Server Java keystore. For more information, see Create a Self-Signed Certificate and Generate a Certificate Signing Request. The full chain of trust must be imported. Dell Manager: Insert the Root Agency signing certificate (from the self-signed certificate generated) into the workstation's Trusted Root Certification Authorities (for local computer) in the Microsoft keystore. Modify the behavior of Dell Manager to not perform SSL validation: To turn off Dell Manager SSL trust validation, check Disable Trust Chain Check on the Settings tab. The client computer also must have the following registry entry to disable trust validation: HKLM\System\CurrentControlSet\Services\CredMgmtAgent\Parameters, DisableSSLCertTrust, DWORD (32-bit), Value: 1. Disabling trust validation lessens security but allows you to u
74. nager. Highlight Roles. In the Role Service area, click Add Role Service. Select Web Server (IIS) Support and click Next. A dialog may display asking "Add role services and features required for Web Server (IIS) support?" If so, click Add Required Role Services. Under Common HTTP Features, select Static Content and click Next. Click Install. IIS 8.5 - Windows Server 2012 R2: Open Server Manager. Highlight Roles. In the Role Service area, click Add Role Service. Select Web Server (IIS) Support and click Next. A dialog may display asking "Add role services and features required for Web Server (IIS) support?" If so, click Add Required Role Services. Under Common HTTP Features, select Static Content and click Next. Click Install. Enable IIS Management Console. IIS 6 - Windows Server 2003: No action is needed. IIS 7 - Windows Server 2008 and Windows Server 2008 R2: If needed, open Server Manager. Highlight Roles. In the Role Service area, click Add Role Service. Select Web Server (IIS) Support and click Next. A dialog may display asking "Add role services and features required for Web Server (IIS) support?" If so, click Add Required Role Services. Under Management Tools, select IIS Management Console and click Next. Click Install. When finished, close Server Manager. IIS 8.5 - Windows Server 2012 R2:
75. nd uninstalled, if using the same server, before the installation engagement with Dell. Any production endpoints used during Proof of Concept testing have been decrypted or key bundles downloaded. NOTE: All new implementations must begin with a new database and installation of the DDP|E software. Dell Client Services will not perform a new implementation using a POC environment. Any endpoints encrypted during a Proof of Concept will need to be either decrypted or rebuilt prior to the installation engagement with Dell. Servers meet required software specifications: Windows Server 2008/2012 64-bit R2 Standard or Enterprise is installed. .NET Framework 3.5 SP1 is installed. .NET Framework 4.0/4.5 for Windows Server 2012 is installed. Windows Identity Foundation is installed. Windows Firewall is disabled or configured to allow (inbound) ports 80, 1099, 8000, 8050, 8084, 8443, 8445, 8888, 9000, 9011, 61613, 61616. Connectivity is available between Dell Enterprise Server and Active Directory (AD) over ports 88, 135, 389, 636, 3268, 3269, 49125 RPC (inbound to AD). UAC is disabled (see Windows Control Panel > User Accounts). IIS Web Server Role with ASP.NET Feature is installed. Service accounts successfully created: Read-only access to AD (LDAP); basic user/domain user account is sufficient. If using Windows Authentication for the database, this ac
76. nents of your environment must be configured. EAS Management Installation and Configuration: This section needs to be completed if you intend to use Dell Data Protection | Mobile Edition. If not, omit this section and continue to Dell Security Server in DMZ Mode Configuration. Prerequisites: The logon account for the EAS Mailbox Manager Service must be an account with permissions to create/modify Exchange ActiveSync policy, assign policies to user mailboxes, and query information about ActiveSync devices. The EAS Configuration Utility must be run with Admin permissions to modify files and restart Services. Network connection to the Dell Policy Proxy is required. Have the FQDN of the Dell Policy Proxy available. Have the Dell Policy Proxy port number available. Microsoft Message Queuing (MSMQ) must already be installed/configured on the server hosting the Exchange environment. If not, see Install/Configure Microsoft Message Queuing (MSMQ). During the Deployment Process: If you intend to use Exchange ActiveSync to manage mobile devices through Dell Data Protection | Mobile Edition, your Exchange Server environment must be configured. Install EAS Device Manager: 1. In the Dell installation media, navigate to the EAS Management folder. In the EAS Device Manager folder, copy setup.exe to your Exchange Client Access Server(s). 2. Double-click setup.exe to begin the installation. If your environment includes more than one Exchange Client Access
77. nf cacerts -deststorepass changeit -destalias AliasNamePreviouslyDocumented -destkeypass changeit 5. Modify the keystore.alias.signing value in <Security Server install dir>\conf\application.properties: keystore.alias.signing=AliasNamePreviouslyDocumented 6. Start the Security Server Service.
78. ns will be prevented if no licenses are available have enough licenses to cover my environment. Plan for SSL Certificates: We have an internal Certificate Authority (CA) that can be used to sign certificates and is trusted by all workstations in the environment, or we plan to purchase a signed certificate using a public Certificate Authority, such as VeriSign or Entrust. If using a public Certificate Authority, please inform the Dell Client Services Engineer. Change Control requirements identified and communicated to Dell: Submit any specific Change Control requirements for the installation of DDP|E to Dell Client Services prior to the installation engagement. These requirements may include changes to the application server(s), database, and client workstations. Test Hardware prepared: Prepare at least three computers with your corporate computer image to be used for testing. Dell recommends that you not use live systems for testing. Live systems should be used during a production pilot after encryption policies have been defined and tested using the Test Plan provided by Dell. Example Customer Notification Email: After you purchase Dell Data Protection, you will receive an email from DellDataProtectionEncryption@Dell.com. Below is an example of the email, which will include your CFT
79. nsure the following options ARE selected: User cannot change password (this setting is optional but ensures that a user does not accidentally change this password) and Password never expires. Configure the Dell Compatibility Server Service to run using the Windows domain account you set up: Go to Start > Run. Type services.msc and click OK. When Services opens, highlight Dell Compatibility Server. Right-click the entry and select Properties. On the Log On tab, select This account. Browse to locate the Windows domain account you set up. The format should be DomainName\AdministratorName or administrator@domainname.com. Type the password for this Windows domain account and confirm it. Click OK. Configure the Dell Compliance Reporter Service to run using the Windows domain account you set up: Go to Start > Run. Type services.msc and click OK. When Services opens, highlight Dell Compliance Reporter. Right-click the entry and select Properties. On the Log On tab, select This account. Browse to locate the Windows domain account you set up. The format should be DomainName\AdministratorName or administrator@domainname.com. Type the password for this Windows domain account and confirm it. Click OK. Configure the Dell Core Server Service to run using the Windows domain account you set up: Go to Start > Run. Type services.msc and click OK. When Services opens, highlight Dell Core S
80. nt Settings. Choose one path: Path 1 - Generate Self-Signed Certificate, or Path 2 - Use Current Settings. Path 1 - Generate Self-Signed Certificate: a. From the top menu, select Actions > Configure Certificates. When the Configuration Wizard launches, select Advanced and click Next. Select Generate Self-Signed Certificate and click Next. The information from the self-signed certificate that was created when installing the Enterprise Server will be used, if available. d. From the top menu, select Configuration > Save. If prompted, confirm the save. Certificate setup is complete. The rest of this section details the other method of creating a certificate and may be ignored. If your deployment includes Dell Manager, continue to step 8 on page 50. If your deployment does not include Dell Manager, continue to step 9 on page 51. Path 2 - Use Current Settings: a. From the top menu, select Actions > Configure Certificates. When the Configuration Wizard launches, select Advanced and click Next. Select Use Current Settings and click Next. At the Compatibility Server SSL Certificate window, select Generate Self-Signed Certificate and click Next. The information from the self-signed certificate that was created when installing the Enterprise Server will be used, if available. Click Next. e. At the Core Server SSL Certificate window, select one of the following: Select Certificate - Select this option to use an existing certificate. C
81. on 12. Configure MSCEP (Windows Server 2003). a. Install the IIS Service: Go to Start > Control Panel > Add or Remove Programs. In Add or Remove Programs, click Add/Remove Windows Components. Under Components, click Application Server (but do NOT select it) and press Details. In the Application Server window, check the Internet Information Services (IIS) check box and click OK. Click Next at the Windows Components window. After the wizard completes the installation, click Finish. Install the CA Service: Click Start > Control Panel > Add or Remove Programs. In Add or Remove Programs, click Add/Remove Windows Components. Under Components, select Certificate Services and click Next. A warning about domain membership and computer renaming constraints displays. Click Yes to continue. At the CA Type window, select Stand-alone root CA and click Next. At the CA Identifying Information window, in the Common name for this CA field, enter the name of the server and click Next. At the Certificate Database Settings window, accept the defaults in both the Certificate database and Certificate database log fields and click Next. A prompt displays to stop Internet Information Services. Click Yes. At the prompt to Enable Active Server Pages (ASPs), click Yes. When the installation process is complete, click Finish. Install the Simple Certificate Enrollment Protocol (SCEP) Add-On for Certificate Services: Click Start > Run, then enter l
82. on. Fully qualified computer name (example: computername.domain.com). Organizational Unit (example: Security). Organization. City. State (full name). Country: Two-letter country abbreviation. Click Next. 22. At the Ready to Install the Program dialog, click Install to begin installation. 23. When prompted, click Finish to complete the installation. Do not reboot the server until Post-Installation Configuration tasks are complete. Rebooting now would cause the server to attempt to start Dell Services, which would be unsuccessful at this point. 24. In your backed up installation, copy/paste <Compatibility Server install dir>\conf\secretKeyStore to the new installation <Compatibility Server install dir>\conf\secretKeyStore. 25. In the new installation, open <Compatibility Server install dir>\conf\server_config.xml and replace the server.pass value with the value from the backed up <Compatibility Server install dir>\conf\server_config.xml, as follows. Instructions for server.pass: If you know the password, refer to the example server_config.xml file in Figure 4-1 and make the following changes: Edit the KeyName from CFG_KEY value to none. Enter the plain text password and enclose it between <value> </value>, which in this example is <value>changeit</value>. When the Dell Enterprise Server starts, the plain text password is hashed and the hashed value replaces the plain text.
83. orate computer image to be used for testing. Dell recommends that you not use live systems for testing. Live systems should be used during a production pilot after encryption policies have been defined and tested using the Test Plan provided by Dell. Preparation Checklist - Upgrade/Migration: Use the following checklist to ensure you've met all prerequisites before beginning to upgrade Dell Data Protection | Encryption (DDP|E). Servers meet required software specifications: Windows Server 2008/2012 64-bit R2 Standard or Enterprise is installed. .NET Framework 3.5 SP1 is installed. .NET Framework 4.0/4.5 for Windows Server 2012 is installed. Windows Identity Foundation is installed. Windows Firewall is disabled or configured to allow (inbound) ports 80, 1099, 8000, 8050, 8084, 8443, 8445, 8888, 9000, 9011, 61613, 61616. Connectivity is available between Dell Enterprise Server and Active Directory (AD) over ports 88, 135, 389, 636, 3268, 3269, 49125 RPC (inbound to AD). UAC is disabled (see Windows Control Panel > User Accounts). IIS Web Server Role with ASP.NET Feature is installed. Service accounts successfully created: Active Directory or SQL service accounts currently used for CMG/DDP|E are identified, and the account user name(s) and password(s) are available. If using Windows Authentication for the database, t
84. ore continuing. Click Install. 5. When the Welcome dialog displays, click Next. At the License Agreement, indicate acceptance, then click Next. 7. If you optionally completed step 14 in Pre-Installation Configuration, click Next. If not, enter the 32-character Product Key and then click Next. The Product Key is located in the file EnterpriseServerInstallKey.ini. 8. Click Next to install the Dell Enterprise Server to the default location of C:\Program Files\Dell. Otherwise, click Change to select a different location, then click Next. 9. Select Complete and select the Front End check box to indicate that a Front End server will be used. Click Next. We recommend only selecting Complete. If you select Custom, you will need to de-select all of the components you do not want installed on the Front End. The Complete option automatically installs only the components that are appropriate for the Front End. 10. For the Security Server in Proxy Mode, Core Server in Proxy Mode, and Device Server in Proxy Mode, verify that all fields are populated and correct for each component. Leave the default port value as is, unless there is a conflict with an existing port. For the "back end settings used by this server" area, enter the FQDNs of the Back End Servers so that the Front End Servers may communicate with them. All fields are required. Click Next. NOTE: The Message Broker Service does not allow the underscore character in the fully qualified domain n
85. ormation only and are not a cause for concern. If prompted, click OK for each message. 3. From the top menu, select Configuration > Save. If prompted, confirm the save. Click the Information tab. This tab is for information only and cannot be edited. All fields are pre-populated. Core Server: displays the installed location of the Dell Core Server. Legacy Server: displays the installed location of the Dell Compatibility Server. Security Server: displays the installed location of the Dell Security Server. Messaging Service: displays the installed location of the Dell Messaging Service. Compliance Reporter: displays the installed location of the Compliance Reporter. Identity Server: displays the installed location of the Identity Server. Schema Version: displays the current database schema version. Supported Versions: displays the previous versions supported to migrate to the current version. 5. Click the Database tab. In the Server Name field, enter the fully qualified domain name (if there is an instance name, include it) of the server hosting the database. For example, SQLTest.domain.com\DellDB. Dell recommends using a fully qualified domain name, although an IP address may be used. In the Database field, enter the name of the database. In the Authentication field, select either Windows Authentication or SQL Server Authentication. If you choose Windows Authentication, the same credentials that were used to log in to Wind
86. ors, IIS configuration issues, and so forth can all result in this problem. One method to troubleshoot this error is to insert the certificate used by the Dell Core Server for STS signing into the Microsoft Certificate Store in Local Computer > Trusted People > Certificates. The Dell Core Server is attempting to validate the signed STS token by using a certificate in the Microsoft Certificate Store in Local Computer > Trusted People > Certificates. If the certificate does not exist there, then the signing certificate validation will fail. Another method to troubleshoot this error is to ensure that there is not a mismatch between the Dell Enterprise Server FQDN and the certificates by configuring certificates using a DNS alias instead of the FQDN. This mismatch can happen if you installed the Dell Enterprise Server using the FQDN but configured certificates using a DNS alias. To troubleshoot this issue, change the web.config file in c:\inetpub\wwwroot\Console to reflect the CN of the certificate, as follows. For this example, change the Dell Enterprise Server name from the FQDN, server01.domain.com, to the DNS alias, server01. Once finished, restart the World Wide Web Publishing Service. <?xml version="1.0" encoding="UTF-8"?> <!-- For more information on how to configure your ASP.NET application, please visit http://go.microsoft.com/fwlink/?LinkId=169433 --> <configuration>
87. orter 1. In the left pane, click Monitor > Compliance Reporter. 2. When Dell Compliance Reporter launches, log in using the default credentials of superadmin/changeit. 3. Two different authentication methods are supported. To configure, select either SQL Authentication or Windows Authentication. SQL Authentication: As of v8.1, the Data Source is pre-configured out of the box. No configuration is needed. Use the steps below to change the Data Source, if needed. To set the Data Source, on the top menu, click Settings. In the left menu, click Data Source. Type the Username to log in to the Dell database. Type the Password to log in to the Dell database. Type the Hostname to log in to the Dell database. Type the Database Name to log in to the Dell database. Type the Max Idle (connections allowed). The default is 2. Type the Max Connections (active allowed). The default is 10. Type the Max Wait (maximum number of milliseconds to wait for a connection; 1 is indefinitely). To verify the database URL and test the connectivity between the Dell Compliance Reporter and the Dell database, click Test Connection. Click Update. To discard the information, click Cancel. Administrative tasks are complete. The rest of this chapter discusses Windows Authentication and may be ignored if SQL Authentication is used for Dell Compliance Reporter. If needed continue to
88. ows will be used for authentication (User Name and Password fields will not be editable). In the User Name field, enter the appropriate username associated with this database. In the Password field, enter the password for the username listed in the User Name field. From the top menu, select Configuration > Save. If prompted, confirm the save. 6. Test Database Configuration: a. From the top menu, select Actions > Test Database Configuration. The Configuration Wizard launches. NOTE: The database cannot be migrated until after the database configuration tests have passed. b. At the Configuration Test window, read the test information and click Next. c. If you chose Windows Authentication in the Database tab, you can optionally enter alternate credentials to allow the use of the same credentials that will be used to run the Dell Enterprise Server. Click Next. d. At the Test Configuration window, the results of the Test Connection Settings, Compatibility Test, and the Database Migrated Test display. You may get a failed test result for the Database Migrated Test, which is correct; this database has not been migrated yet. You cannot migrate this database until the two other tests, Test Connection Settings and Compatibility Test, have a result of Passed. Click Finish. e. From the top menu, select Configuration > Save. If prompted, confirm the save. 7. Migrate Database: a
89. prise Edition for Windows CREDActivate Dell Device Server Plug-ins Provides support for various components. A component of the Dell Enterprise Server. All. Dell Identity Server: Handles domain authentication requests. Requires an AD account. Must be the account used to access SQL when Windows Authentication is used. A component of the Dell Enterprise Server. All. Dell Policy Proxy: Provides a network-based communication path to deliver security policy updates and inventory updates. A component of the Dell Enterprise Server. Dell Data Protection | Enterprise Edition for Mac, Dell Data Protection | Enterprise Edition for Windows, Dell Data Protection | Mobile Edition. Security Token Services (STS): Used to help create a secure authentication channel between the Dell Enterprise Server User Interface and Dell back end Services. All. EAS Device Manager: Enables over-the-air functionality. Installed on the Exchange Client Access Server. Exchange ActiveSync Management of mobile devices. EAS Mailbox Manager: The mailbox agent that is installed on the Exchange Mailbox Server. Exchange ActiveSync Management of mobile devices. Appendix B: SQL Server Best Practices. The following list explains SQL server best practices, which should be implemented when Dell Data Protection is installed, if not already implemented. 1. Ensure
90. r Configuration Tool; 7 Web Browser Version of Silverlight Console Configuration; 8 Administrative Tasks: Assign Dell Administrator Role, Log in with Dell Administrator Role, Upload Client Access License, Apply a Policy Template, Commit Policies, Configure Dell Compliance Reporter, Perform Backups; 9 Troubleshooting; Appendix A; Appendix B; Appendix C. Getting Started with Dell Data Protection. Implementation Phases: The basic implementation process includes these phases: Perform Kick-off and Requirements Review. Complete Preparation Checklist - Initial Implementation or Preparation Checklist - Upgrade/Migration. Install or Upgrade/Migrate Dell Enterprise Server. For instructions about client requirements and software installation, see Enterprise Edition Administrator Guide, Personal Edition Installation Guide, Security Tools Installation Guide, or Enterprise Edition for Mac Administrator Guide. Configure Initial Policy (see Administrative Tasks). Execute Test Plan. Client Packag
91. ration of an older Dell Enterprise Server to a newer Dell Enterprise Server. To begin the installation/migration, select one option: New Installation or Upgrade/Migration. New Installation: Before you begin, ensure that all Pre-Installation Configuration is complete. This is of particular importance if you intend to use the web browser version of the Silverlight Console or are deploying Dell Data Protection | Mobile Edition. Read the Release Notes for any current workarounds or known issues related to Dell Enterprise Server installation. Dell recommends that DB best practices are used for the Dell database and that Dell software is included in your organization's disaster recovery plan. If you intend to deploy Dell components in the DMZ, ensure that they are properly protected against attacks. For production, Dell strongly recommends installing the SQL Server on a dedicated server. BEFORE YOU BEGIN: As of v7.7, the Enterprise Server installation process contains a few changes from previous releases. You will notice a check box for Front End on the Set Up dialog. If your environment is installed on one server, simply ignore the check box and continue. If your environment is installed on multiple servers, Front End (DMZ/Internal) and Back End (Enterprise), you will run this installer with the check box de-selected for your Back End (Enterprise) server(s) and then run this installer again on your Front End (DMZ/Internal) server(s) with the Front End
92. re covered by a weekly maintenance job to rebuild the indexes. Appendix C: Certificates. Create a Self-Signed Certificate and Generate a Certificate Signing Request: This section details the steps to create a self-signed certificate for the Java-based components. This process cannot be used to create a self-signed certificate for .NET-based components. We recommend a self-signed certificate only in a non-production environment. If your organization requires an SSL server certificate, or you need to create a certificate for other reasons, this section describes the process to create a Java keystore using Keytool. If your organization plans to use smart cards for authentication, you will need to use Keytool to import the full certificate chain of trust that is used in the smart card user's certificate. Keytool creates private keys that are passed in the format of a Certificate Signing Request (CSR) to a Certificate Authority (CA), such as VeriSign or Entrust. The CA will then, based on this CSR, create a server certificate that it signs. The server certificate is then downloaded to a file along with the signing authority certificate. The certificates are then imported into the cacerts file. Generate a New Key Pair and a Self-Signed Certificate: 1. Navigate to the conf directory of Dell Compliance Reporter, Dell Console Web Servic
93. rganization requires. c. In the Password field, enter the Password associated with this User Name. In the From Address field, enter the email address that the email will originate from. This may be the same as the account for the User Name (jdoe@domain.com), but it can also be another account that the specified User Name has access to send email for (CloudRegistration@domain.com). e. In the Port field, enter the Port number (typically 25). f. In the Authentication menu, select either True or False. 11. Finish configuration: From the top menu, select Configuration > Save. If prompted, confirm the save. Close the Dell Server Configuration Tool. Click Start > Run. Type services.msc and click OK. When Services opens, navigate to each Dell Service and click Start the service. The Dell Server Configuration Tool logs to C:\Program Files\Dell\Enterprise Edition\Configuration Tool\Logs. The rest of this chapter details the process for an upgrade/migration and may be ignored. Continue to Web Browser Version of Silverlight Console Configuration. Configure a Migration: 1. Launch the Dell Server Configuration Tool. Go to Start > Programs > Dell > Enterprise Edition > Server Configuration Tool > Run Server Configuration Tool. 2. You may get informational messages stating that your database configuration settings do not match. These messages are for inf
94. rm the save. The Dell Manager certificate import is now complete. Click the Settings tab. Silverlight Console: The default installation address of the Silverlight Console is automatically populated. If your installation of Silverlight is hosted on a different server (such as a special IIS server), enter the address in the Silverlight Console URL field. Manager: To turn off Dell Manager SSL trust validation, check Disable Trust Chain Check. NOTE: The client computer also must have the following registry entry to disable trust validation: HKLM\System\CurrentControlSet\Services\CredMgmtAgent\Parameters, DisableSSLCertTrust, DWORD (32-bit), Value: 1. Disabling trust validation lessens security, but allows you to use a self-signed certificate for pilots, POCs, etc. For a production environment, Dell recommends public CA-signed or domain-signed certificates. SCEP: If using Dell Data Protection | Mobile Edition, enter the URL of the server hosting SCEP. Click the SMTP tab. This tab configures SMTP settings for Dell Data Protection | Cloud Edition. If SMTP settings need to be configured for other purposes outside of Dell Data Protection | Cloud Edition, see the AdminHelp topic Enable SMTP Server for License Email Notifications. Enter the following information: In the Host Name field, enter the FQDN of your SMTP server, such as smtpservername.domain.com. n t
95. rprise server s and then run this installer again on your Front End DMZ Internal server s with the Front End check box selected Selecting the check box installs only the proxy components Security Server in Proxy Mode Core Server in Proxy Mode Device Server and Policy Proxy After publishing policies backing up the database and uninstalling the existing Server we will go through the install for the Main Server s Back End and then we will go through the process for the Front End server s 36 Enterprise Server Installation and Migration Guide Main Server s To begin the upgrade migration oR WN 8 If you have any pending policies As a Dell Administrator log in to the Dell Remote Management Console In the left menu click Actions gt Commit Policies Click Apply Changes When the commit is complete log off the Dell Remote Management Console From the Windows Start menu click Start gt Run Type services msc and click OK When Services opens navigate to each Dell Service and click Stop the service Back up your entire existing installation including the SOL database to an alternate location Several files from your existing installation will be needed after the upgrade migration process is complete Uninstall your existing Dell Enterprise Server installation Navigate to Add Remove Programs in the Control Panel Locate Dell Enterprise Server click Change Remove and follow the prompts Once the uninstall
96. rt the services on the second node and launch the console to ensure the application is working properly Services on the second passive node should be configured as Manual in order to prevent those services from accidentally starting during regular maintenance and patching An organization can also choose to have an SOL Cluster database server In this configuration the Dell Enterprise Server should be configured to use the cluster IP or hostname NOTE Database replication is not supported Client traffic is distributed across three internal front end servers Optionally multiple front end servers can also be placed in the DMZ for activating endpoints and or publishing policies to endpoints over the Internet Outside DMZ Inside DDPE Compatibility Server DDPE Core Server DDPE Security Server DDPE Console DDPE Key Server DDPE Compliance Reporter DDPE Identity Server DDPE Message Broker Service DDPE Policy Proxy DDPE Security Server Proxy Admi rkstati DDPE Enterprise Server DDPE Core Server Proxy mon vons Ports 80 1099 61613 61616 DDPE Device Server Proxy 8000 8443 9000 9011 lt 8050 8084 8838 2907 yr 8443 61613 613 ao External HA Front End Front End Server Proxy Servers Listening Ports 8000 3081 8443 8388 Internal Front End Proxy Servers DDPE Identity Server DDPE Policy Proxy DDPE Security Server Proxy DDPE Core Server Proxy DDPE Device Server Proxy 22 Enterprise Server In
97. rtificates. Signed (public CA-signed or domain-signed) certificates are signed by a public CA or a domain. In the case of certificates that are signed by a public certificate authority (CA), the certificate of the signing CA will usually already exist in the Microsoft certificate store, and therefore the chain of trust will be automatically established. For domain CA-signed certificates, if the workstation has been joined to the domain, the signing CA certificate from the domain will have been added to the workstation's Microsoft certificate store, thereby also creating a chain of trust. The components that are affected by certificate configuration: Java Services (for instance, Dell Device Server, Dell Console Web Services, and so on); .NET Applications (Dell Core Server); Validation of smart cards used for Preboot Authentication (Dell Security Server); Importing of private encryption keys to be used for signing policy bundles being sent to Dell Manager (Dell Manager performs SSL validation for remotely managed Enterprise Edition clients with Hardware Crypto Accelerators, self-encrypting drives, or BitLocker Manager); Client Workstations: workstations running the web browser version of the Silverlight Console, workstations running Dell Data Protection BitLocker Manager, workstations running Dell Data Protection Enterprise Edition (Windows clients). Information regarding which type of certificates to use: Preboot Authentication using s
98. rver To verify open Internet Explorer and in the address bar enter the URL you made a note of earlier The format is http server domain com certsrv mscep mscep dll End of MSCEP Windows Server 2003 setup Windows Server 2008 R2 must be Enterprise Edition Standard Edition will not allow the MSCEP role to be installed a Open Server Manager In the left menu select Server Roles and check the box for Active Directory Certificate Services Click Next The Add Roles Wizard advances you to the next steps n AD CS gt Role Services check the boxes for Certification Authority and Certification Authority Web Enrollment role services Select Add Required Role Services for Web Server IIS if prompted Click Next n AD CS gt Setup Type select Standalone Click Next n AD CS gt CA Type select Subordinate CA Click Next n AD CS gt Private Key select Create a new private key Click Next n AD CS gt Private Key gt Cryptography keep the defaults of RSA Microsoft Software Key Storage Provider 2048 and SHA1 Click Next n AD CS gt Private Key gt CA Name keep all of the default values Click Next n AD CS gt Private Key gt Certificate Request select Send a certificate request to a parent CA Select Browse by CA name Browse to and select Parent CA Click Next n AD CS gt Certificate Database keep the default values Click Next n Web Server IIS click Next n Web Server IIS gt Role Services keep the de
99. s Server 2008 and Windows Server 2008 R2 1 If needed open IIS Manager Expand the Websites folder Expand Default Website Right click Console select Convert to Application In the Application Pool area ensure that ASP NET v4 0 is selected not ASP NET v4 0 Classic Click OK Close IIS Manager NO oO BR WD Enterprise Server Installation and Migration Guide 61 IIS 8 5 Windows Server 2012 R2 1 NO oO BR WD If needed open IIS Manager Expand the Websites folder Expand Default Website Right click Console select Convert to Application In the Application Pool area ensure that ASP NET v4 5 is selected Click OK Close IIS Manager Configure Web Service Extensions IIS 6 Windows Server 2003 1 oR WN If needed open IIS Manager Open the Web Service Extensions folder Highlight 4 Unknown ISAPI Extensions and click Allow You may get a message asking if you want to allow all unknown ISAPI extensions If so click Yes Close IIS Manager IIS 7 Windows Server 2008 and Windows Server 2008 R2 ISAPI extensions are pre configured in IIS 7 Windows Server 2008 and Windows Server 2008 R2 No action is needed IIS 8 5 Windows Server 2012 R2 ISAPI extensions are pre configured in IIS 8 5 Windows Server 2012 R2 No action is needed Enable Static Content IIS 6 Windows Server 2003 No action is needed IIS 7 Windows Server 2008 and Windows Server 2008 R2 1 o A WN 6 gt Open Server Ma
100. screen A status window displays the installation progress If desired check the box to show the Windows Installer log and click Finish Use the EAS Configuration Utility 10 11 12 On the same computer go to Start gt Dell gt EAS Configuration Utility gt EAS Configuration to run the EAS Configuration Utility Click Setup to configure EAS Management Settings Enter the following information FODN of the Dell Policy Proxy Dell Policy Proxy Port the default port is 8090 Dell Policy Proxy Polling Interval the default is 1 minute Select the box to run EAS Device Manager in report only mode recommended during deployment NOTE The Report only mode allows unknown devices users to have access to Exchange ActiveSync but still reports 13 14 the traffic to you Once your deployment is up and running you can change this setting to tighten security Click OK A success message displays Click Yes to re start IIS and EAS Mailbox Manager Services Click Quit when finished After the Deployment Process Once your deployment is up and running and you are ready to tighten security follow the steps below On your Exchange Mailbox Server s 1 2 3 Go to Start gt Dell gt EAS Configuration Utility gt EAS Configuration to run the EAS Configuration Utility Click Setup to configure EAS Management Settings Enter the following information FODN of the Dell Policy Proxy Dell Policy Proxy Port the default port is 8090
101. APNs Enrollment: If you intend to use Dell Data Protection Mobile Edition with iOS devices, the APNs Enrollment wizard must be used to: Create a CSR; Create an Apple Push Certificate; Upload a Push Certificate. If you do not intend to use Dell Data Protection Mobile Edition with iOS devices, omit this section and continue to Use Windows Authentication. The Apple Push Notification service (APNs) enables secure communication to iOS devices over the air. APNs is used to send notification for an iOS device to check in with the Dell Enterprise Server. The APNs only sends notification to the device; no data is sent. Process: 1. Open a browser and go to https://<FQDN of security server>:8443/csrweb. 2. On the APNs Enrollment Wizard Login dialog, enter your Dell Administrator credentials and click Login. 3. A dialog displays that describes the steps you are about to take. Click Next. Step I: Create CSR. 4. Enter the following information: Email: The email address can be any UPN, but we recommend using an account for the administrator that will be maintaining the APNs certificate. Common Name: Enter the Common Name associated with this email address. Click Generate CSR. 5. After you generate a CSR, save the file to an easily accessible location. 6. Click Next. Step II: Create Apple Push Certificate. 7. Click the link for the Apple Push Certificate Portal. Log in with your Apple ID and password. 8. Read the
102. se a self-signed certificate for pilots, POCs, etc. For a production environment, Dell recommends public CA-signed or domain-signed certificates. Workstations running the web browser version of the Silverlight Console: Insert the Root Agency signing certificate (from Intermediate Certification Authorities) into the workstation's Trusted Root Certification Authorities for local computer in the Microsoft keystore. There are two methods to create a certificate, Express and Advanced. Choose one method. Express: Choose this method to generate a self-signed certificate for all components. This is the easiest method. Advanced: Choose this method to configure each component separately. Express: a. From the top menu, select Actions > Configure Certificates. b. When the Configuration Wizard launches, select Express and click Next. The information from the self-signed certificate that was created when installing the Enterprise Server will be used, if available. c. From the top menu, select Configuration > Save. If prompted, confirm the save. Certificate set up is complete. The rest of this section details the Advanced method of creating a certificate and may be ignored. If your deployment includes Dell Manager, continue to step 8 on page 50. If your deployment does not include Dell Manager, continue to step 9 on page 51. Advanced: There are two paths to create a certificate, Generate Self-Signed Certificate and Use Curre
103. stallation and Migration Guide Virtualization Dell Data Protection Application Servers Disk speed on the hardware that hosts the virtual server RAM allocation to the guest and storage configuration may cause significant performance impact The impact is most noticeable during activation policy and inventory processing and triage Dell recommends reserving as much RAM as possible for the virtual host and giving the virtual host priority in resource allocation If performance is a concern Dell recommends deploying to a non virtual server environment SOL Server In larger environments it is highly recommended that the SOL Database server run on physical hardware and on a redundant system such as a SOL Cluster to ensure availability and data continuity It is also recommended to perform daily full backups with transactional logging enabled to ensure that any newly generated keys through user device activation are recoverable Database maintenance tasks should include rebuilding of all databases indexes and collecting statistics For additional information on SOL Server best practices please see SOL Server Best Practices Enterprise Server Installation and Migration Guide 23 24 Enterprise Server Installation and Migration Guide Pre Installation Configuration Before you begin read the Release Notes for any current workarounds or known issues related to Dell Enterprise Server The pre installation configuration of the server s wh
104. star is a registered trademark of HGST Inc in the United States and other countries UNIX is a registered trademark of The Open Group VALIDITY is a trademark of Validity Sensors Inc in the United States and other countries VeriSign and other related marks are the trademarks or registered trademarks of VeriSign Inc or its affiliates or subsidiaries in the U S and other countries and licensed to Symantec Corporation KVM on IP is a registered trademark of Video Products Yahoo is a registered trademark of Yahoo Inc This product uses parts of the 7 Zip program The source code can be found at www 7 zip org Licensing is under the GNU LGPL license unRAR restrictions www 7 zip org license txt 2014 11 Protected by one or more U S Patents including Number 7665125 Number 7437752 and Number 7665118 Information in this document is subject to change without notice Contents 1 Getting Started with Dell Data Protection 00 5 lmplem ntation PAaS S s ia 2 2 aes etl Aa eR a lee a A ee a 5 Kick off and Requirements Review osoa 5 Preparation Checklist Initial Implementation 2 a 7 Preparation Checklist Upgrade Migration o oo a 9 2s loa AA avin 62g A Se Stak een eee ets 13 About Dell Enterprise Server aoaaa ee 13 Customer Support at toot fda A e Boe a e ds o a BEY 13 3 Requirements and Architectural eds 15 Requirementse Aa fares tk es das dy a A res bl es tl hie a ene NO Ae ey
105. t Default Document Application Development Net Extensibility Expand the hierarchy and select ASP NET 3 5 and 4 5 To display the current IIS configuration enter the following powershell command Import Module ServerManager Get WindowsFeature gt cNis features txt The Get WindowsFeature gt cNis features txt command creates a text file with the list To change the IIS configuration enter the following powershell command Import Module ServerManager Add WindowsFeature Web Server Web WebServer Web Static content Web Default Doc Web Dir Browsing Web Http Errors Web asp net We b net ext web isapi ext web isapi filter web http logging web request monitor web filtering web stat compression web m gmt console Enterprise Server Installation and Migration Guide Install Windows Identity Foundation 11 Install Windows Identity Foundation Windows Server 2003 http www microsoft com downloads en details aspx FamilylD be4db6a0 b76d 446d 81 0c ea3c25b3969a amp displaylang en Windows Server 2008 and Windows Server 2008 R2 http www microsoft com downloads en details aspx FamilylD eb9c345f e830 40b8 abfe ae7a864c4d76 amp displaylang en Windows Server 2012 R2 In Server Manager Add Roles and Features Wizard select Features then Windows Identity Foundation 3 5 Click Next then click Install Configure Microsoft CA MSCEP This step only needs to be completed if you intend to use iOS with Dell Data Protection Mobile Editi
106. t drive gt cepsetup exe where drive is the CD ROM drive where the Windows Server 2003 Resource Kit CD is located or the disk drive where you have downloaded cepsetup exe This starts the SCEP Add On for Certificate Services Setup wizard Click Yes Click Yes to accept the license agreement for SCEP Add On for Certificate Services Click Next at Welcome dialog Select Use local system account and click Next Deselect Require SCEP Challenge Phrase to Enroll and click Next A warning about disabling the challenge phrase option for enrollment displays Click Yes to continue Click Finish to complete installation A Setup Successful message displays Make a note of the URL in this message you will need it later Click OK Enterprise Server Installation and Migration Guide 29 30 Open IIS Manager Drill into lt Server gt Web Sites CertSrv Right click mscep and select Properties Select the Directory Security tab and click Edit for Authentication and access control In the bottom half of the dialog deselect ntegrated Windows authentication and click OK From the Administrative Tools menu open Certification Authority Right click your Authority and select Properties Select the Policy Module tab and click Properties At the Request Handling window select Follow the settings in the certificate template if applicable Otherwise automatically issue the certificate option and click Apply Close IIS Manager Restart the se
107. t with the server certificate. A listing of the cacerts file will show that the server certificate has a certificate chain length of 2, which indicates that the certificate is not self-signed. Type: keytool -list -v -keystore cacerts. The certificate fingerprint of the second certificate in the chain is the imported signing authority certificate, which is also listed below the server certificate in the listing. The server certificate has successfully been imported, along with the signing authority certificate. How to Export a Certificate to .PFX Using the Certificate Management Console: Once you have a certificate in the form of a .crt file in the MMC, it must be converted to a .pfx file for use with Keytool when the Dell Security Server is used in DMZ Mode and when importing a Dell Manager certificate into the Dell Server Configuration Tool. Open the Microsoft Management Console. Click File > Add/Remove Snap-in. Click Add. At the Add Standalone Snap-in window, select Certificates and click Add. Select Computer Account and click Next. At the Select Computer window, select Local computer (the computer this console is running on) and click Finish. Click Close. Click OK. In the Console Root folder, expand Certificates (Local Computer). Go to the Personal folder and locate the desired certificate. Highlight the desired certificate, right-click > All Tasks > Export. When the
108. terprise Server Installation and Migration Guide 17 Architecture Design The Dell Data Protection Encryption solution is a highly scalable product scaled on the size of your organization and the number of endpoints targeted for encryption This section provides a set of guidelines for scaling the architecture for 5 000 to 60 000 endpoints NOTE If the organization has more than 50 000 endpoints please contact Dell Client Services for assistance NOTE Each of the components listed in each section include the minimum hardware specifications which are required to ensure optimal performance in most environments Failing to allocate adequate resources to any of these components may result in performance degradation or functional problems with the application Up to 5 000 Endpoints This architecture accommodates most small to medium size businesses ranging between 1 and 5 000 endpoints All DDPE server components can be installed on a single server Optionally a front end server can be placed in the DMZ for publishing policies and or activating endpoints over the Internet Architecture Components Dell Enterprise Server Dell External Front End Server SOL Server Outside DMZ Inside DOPE Enterprise Server Ports 80 1099 61613 61616 8000 8443 9000 9011 k 5 Ss 8050 8090 8084 8888 Admin Workstations z 886 Console Access d 000 8081 444 88868 8443 8888 61613 External Front End Proxy Server DDPE Policy Proxy DDPE Co
109. the NTFS block size where the data file and log file reside is 64 KB SOL Server extents basic unit of SOL Storage are 64 KB For more information search Microsoft s TechNet articles for Understanding Pages and Extents Microsoft SOL Server 2008 http technet microsoft com en us library ms190969 28v sql 100 29 Microsoft SOL Server 2008 R2 http technet microsoft com en us library ms190969 v sql 105 aspx 2 Asa general guideline set the maximum amount of SOL Server memory to 80 percent of the installed memory For more information search Microsoft s TechNet articles for Server Memory Server Configuration Options Microsoft SOL Server 2008 http technet microsoft com en us library ms1 78067 28v sql 100 29 Microsoft SOL Server 2008 R2 http technet microsoft com en us library ms1 78067 28v sql 105 29 Microsoft SOL Server 2012 http technet microsoft com en us library ms1 78067 28v sql 110 29 3 Set t1222 on the instance startup properties to ensure deadlock information is captured if one occurs For more information search Microsoft s TechNet articles for Trace Flags Transact SQL Microsoft SOL Server 2008 http technet microsoft com en us library ms188396 28v sql 100 29 Microsoft SOL Server 2008 R2 http technet microsoft com en us library ms 188396 28v sql 105 29 Microsoft SOL Server 2012 http technet microsoft com en us library ms 188396 28v sql 110 29 4 Ensure that all Indexes a
110. tion and Migration Guide 57 58 Enterprise Server Installation and Migration Guide Web Browser Version of Silverlight Console Configuration Complete the steps in this chapter if you intend to use the web browser version of the Silverlight Console If not continue to Administrative Tasks Add MIME Types IIS 6 Windows Server 2003 Add the following MIME types These MIME types may have already been added to IIS at some point If so continue to the next section once you verify that they are all present 1 N Oo BR WD Open IIS Manager Expand the Websites folder Right click Default Website Select Properties Select the HTTP Headers tab Click MIME Types Ensure that the following MIME types are present If not click New and follow the instructions below In the Extension field enter manifest In the MIME types field enter application manifest Click OK 5 the Extension field enter xaml n the MIME types field enter application xaml xml Click OK 5 the Extension field enter xap 5 the MIME types field enter application x silverlight app Click OK In the Extension field enter dll In the MIME types field enter application x msdownload Click OK n the Extension field enter application In the MIME types field enter application x ms application Click OK n the Extension field enter xbap Enterprise Server Installation and Migration Guide 59 the MIME types fie
111. tion of C Program Files Dell Otherwise click Change to select a different location then click Next Enterprise Server Installation and Migration Guide 33 9 Select the Setup type without the Front End check box being selected and click Next If the Complete option is selected all program features are installed Continue to step 11 The Custom option selection allows installation of only those program features desired Continue to step 10 10 Atthe Custom Setup dialog choose the features you want to install For a description of each feature and what it is required for see Dell Component Descriptions Once the features are selected click Next Continue to step 11 11 Verify that all fields are populated for each component Leave the default port value as is unless there is a conflict with an existing port If the Works with Front End box is selected on the next dialog you will enter the fully qualified domain name for the Dell Security Server If you have an external certificate that is being used with APNs enter the fully qualified domain name specified in the certificate If the box is not selected then the field is not available on the next dialog Click Next 12 For the Front End Security Server host name this relates to the previous dialog s Works with Front End box If the box was selected on the previous dialog enter the fully qualified domain name for the Dell Security Server If you have an external certifi
112. u select Configuration gt Save If prompted confirm the save 5 Test Database Configuration a From the top menu select Actions gt Test Database Configuration The Configuration Wizard launches NOTE The database cannot be initialized until after the database configuration tests have passed b e e At the Configuration Test window read the test information and click Next If you chose Windows Authentication in the Database tab you can optionally enter alternate credentials to allow the use of the same credentials that will be used to run the Dell Enterprise Server Click Next At the Test Configuration window the results of the Test Connection Settings Compatibility Test and the Database Initialized Test display You may get a failed test result for the Database Initialized Test which is correct this database has not been initialized yet You cannot initialize this database until the two other tests Test Connection Settings and Compatibility Test have a result of Passed Click Finish From the top menu select Configuration gt Save If prompted confirm the save 6 Initialize Database a From the top menu select Actions gt Initialize Database The Configuration Wizard launches NOTE If you are reinstalling or upgrading the Dell Enterprise Server initializing the database erases all data including key material user states and administrators Initialize the database in a new installation only
113. user connectivity does your organization support Types might include the following Local LAN connectivity only VPN based and or enterprise wireless users Remote disconnected users users not connected to the network either directly or via VPN for extended periods of time Non domain workstations What data do you need to protect at the endpoint What type of data do typical users have at the endpoint Enterprise Server Installation and Migration Guide 5 What user applications may contain sensitive information What are the application file types How many domains do you have in your environment How many are in scope for encryption What Operating Systems and OS versions are targeted for encryption For a list of Operating Systems supported with Dell Data Protection Encryption see Enterprise Edition Administrator Guide Personal Edition Installation Guide Security Tools Installation Guide or Enterprise Edition for Mac Administrator Guide Do you have alternate boot partitions configured on your endpoints a Manufacturer Recovery Partition b Dual boot Workstations Enterprise Server Installation and Migration Guide Preparation Checklist Initial Implementation Use the following checklist to ensure you ve met all prerequisites before beginning to install Dell Data Protection Encryption DDPIE Proof of Concept environment cleanup is complete If Applicable The Proof of Concept database and application have been backed up a
114. w to Export a Certificate to PFX Using the Certificate Management Console for instructions Click Next OR b To create a self signed certificate select the second option and click Next At the Set Up a Certificate Authority dialog enter the following information Fully qualified computer name example computername domain com Organizational Unit example Security Organization City State full name Country Two letter country abbreviation Click Next 13 Atthe Ready to Install the Program dialog click Install to begin installation 14 When prompted click Finish to complete the installation 15 Go to lt Security Server install dir gt conf and open the application properties file Locate publicdns server host and set the name to an externally resolvable host name Locate publicdns server port and set the port the default is 8443 Do not reboot the server until Post Installation Configuration tasks are complete Rebooting now would cause the server to attempt to start Dell Services which would be unsuccessful at this point Upgrade migration tasks are now complete Continue to Post Installation Configuration 40 Enterprise Server Installation and Migration Guide Post Installation Configuration Read the Release Notes for current workarounds or known issues related to Dell Enterprise Server configuration Whether you are installing the Dell Enterprise Server for the first time or are upgrading an existing installation some compo
115. ws Server 2008 R2 No action is needed IIS 8 5 Windows Server 2012 R2 This document type is pre configured in IIS 8 5 Windows Server 2012 R2 No action is needed 60 Enterprise Server Installation and Migration Guide Enable ASP NET 4 x IIS 6 Windows Server 2003 1 If needed open IIS Manager Expand the Websites folder Right click Default Website Select Properties Select the ASPNET tab In the ASPNET version field select 4 0 lt xxxxx gt Click OK NOOO AOUN IIS 7 Windows Server 2008 and Windows Server 2008 R2 1 Open a command prompt from C Windows Microsoft NET Framework or Framework64 v4 0 30319 2 Type the following command aspnet_regiis exe i See http msdn microsoft com en us library k6h9cz8h aspx for additional information IIS 8 5 Windows Server 2012 R2 1 Open a command prompt from C Windows Microsoft NET Framework64 v4 x xxxxx 2 Type the following command aspnet_regiis exe i See http msdn microsoft com en us library k6h9cz8h aspx for additional information Convert Console to Application IIS 6 Windows Server 2003 1 If needed open IIS Manager Expand the Websites folder Expand Default Website Right click Console Select Properties Select the Directory tab NOOO FP WN In the Application settings area click Create The application is now created 8 Select the ASPNET tab Ensure that ASP NET version 4 0 lt xxxxx gt is selected 9 Click OK IIS 7 Window
116. xisting certificate and click Next. Click Finish when complete. Generate Self-Signed Certificate: The information from the self-signed certificate that was created when installing the Enterprise Server will be used, if available. Click Next. Click Finish when complete. From the top menu, select Configuration > Save. If prompted, confirm the save. Certificate set up is complete. If your deployment includes Dell Manager, continue to step 9. If your deployment does not include Dell Manager, continue to step 10. Import Dell Manager Certificate: If your deployment includes Enterprise Edition remotely managed clients with Hardware Crypto Accelerators, self-encrypting drives, or BitLocker Manager, you must import your newly created (or existing) certificate. The Dell Manager certificate is used as a vehicle to protect the private key, which is used to sign the policy bundles being sent to Enterprise Edition remotely managed clients and BitLocker Manager. This certificate can be independent of any of the other certificates. Additionally, if this key is compromised, it can be replaced with a new key, and Dell Manager will request a new public key if it cannot decrypt the policy bundles. Open the Microsoft Management Console. Click File > Add/Remove Snap-in. Click Add. At the Add Standalone Snap-in window, select Certificates and click Add. Select Computer Account and click Next.