cynapspro Endpoint Data Protection 2010
Installation Guide
Cynapspro Endpoint Data Protection
DevicePro prevents data loss by controlling all kinds of ports and external storage
devices.
CryptionPro protects your company data by efficiently encrypting data stored on
external devices.
CryptionPro HDD protects confidential data through automatic and efficient hard disk
encryption.
ApplicationPro controls the use of applications based on a white list or black list.
ErasePro ensures that files are securely and permanently deleted.
PowerPro cuts energy costs and reports suspicious activity.
Last Update: May 17, 2010
Table of Contents
System Architecture
Before the Installation
  Administration of cynapspro Endpoint Data Protection
    The cynapspro Management Console
    cynapspro AdminTool
  System Requirements
    Server Component
    Client Component
Installation Process
  Installation of the cynapspro Server
    Active Directory Log-in Data
    Novell eDirectory Log-in Data
After the Installation
  The cynapspro AdminTool
  Database Settings
  Directory Service Settings
  cynapspro Server Settings
  Loglevel
Roll-Out of the cynapspro Agent
  Generate MSI Package
  Installation of the Agent
  Update the Agent
  Uninstallation of the Agent
Installation of CryptionPro HDD
  Before the Installation
  Installation Process
Appendix
  Unattended Installation of cynapspro
  Installation of SQL Server 2005 Express/MSDE
    Microsoft SQL Server 2005 Express Edition
    Microsoft SQL Server 2000 Desktop Engine (MSDE 2000)
  Automatic Distribution of the Agent (via AD)
Copyright
System Architecture
The cynapspro Server is responsible for the centralized management of your cynapspro clients.
You can install the server on any one computer on your network.
The structure of the directory service of your existing MS Active Directory or Novell eDirectory
will be read by the DevicePro server and stored in its own database.
There will be no schema extensions to your directory, nor will information be written to it.
cynapspro creates only a copy of the structure, which is then updated on a scheduled basis. To
access Active Directory, you need a user with read permissions, nothing more.
All records are maintained in a SQL database (MSDE, MS SQL Server Express, MS SQL Server
2000, 2005 or 2008) by the cynapspro server.
Changes you make in the cynapspro Management Console will be immediately sent to the
client by the cynapspro server and stored in the database.
All changes to user rights are effective immediately. Neither a reboot, nor other additional
actions are necessary.
The cynapspro Agents communicate with the server using a push / pull process and pick up all
the changes immediately.
There will be no polling, which reduces the network load significantly. Only those computers
and users, whose rights have been modified, will be contacted so they can pick up the
changes.
If a computer is not in the network, changes can be communicated using a secure TAN.
Communication between server and client takes place using ports that have been defined by
the administrator.
Access permissions for external devices and applications are controlled by a kernel driver.
The cynapspro agent sends all changes made in the management console of the cynapspro
Server to the kernel driver and takes over the complete communication between the server,
the kernel driver and, if necessary, with the user.
Before the Installation
Before you start with the installation of cynapspro Endpoint Data Protection 2010 (formerly
DevicePro Ultimate 2009), it is recommended that you gather the following data and files.
- DevicePro Installation File
- License Key (.lic & .txt) (not required for a test installation)
- At least 20 MB free hard disk space
- User with read permissions for Microsoft Active Directory / Novell eDirectory
- SQL user with permission to create a database (MSDE, SQL Server Express 2005 or
  2008, SQL Server 2000, 2005 or 2008)
Administration of cynapspro Endpoint Data Protection
For the administration of the cynapspro Server, there are two tools available:
The cynapspro Management Console:
The cynapspro Management Console is the central interface for controlling all
cynapspro functions. The management console can be accessed from any location,
i.e. each administrator can run it from his work station.
cynapspro AdminTool
The cynapspro Admin Tool is used to configure or check the server settings.
By installing the cynapspro client component, a kernel filter driver is installed on the Windows
system.
The task of the kernel filter driver is to monitor the rights that have been allocated to the user
or computer.
The use of the kernel filter driver has the advantage that all rights remain valid and effective
when the computer is offline.
Furthermore, the kernel filter driver ensures a much higher security and prevents
incompatibilities and problems.
The cynapspro client component should be installed on each workstation.
System Requirements
Before you start the installation: Please check whether your system meets all system
requirements.
Server Component
To ensure a smooth installation, please ensure that the following system components are
installed and available:
- Windows Server 2000 / 2003 / 2008 (e.g. R2)
- Directory Service:
  - Active Directory
  - Novell Client 4.91 SP2 or better
- SQL-Server:
  - SQL-Server 2000 SP3a
  - SQL-Server 2005
  - SQL-Server 2005 Express Edition
  - SQL-Server 2008
  - SQL-Server 2008 Express Edition
  - MSDE (Microsoft SQL-Server Database Engine)
The cynapspro architecture is based on a bi-directional communication. The use of push
technology only requires a bare minimum of bandwidth in your network.
Client Component
For the client component, the following system requirements need to be met:
- Windows 2000 (SP4 + RollUp 1)
- Windows XP + SP2/SP3 32/64 Bit
- Windows Vista (+ SP1) 32 or 64 Bit
- Windows 7 32 or 64 Bit
Installation Process
If you already have a SQL Server or MSDE installed, you can immediately start with the
installation. Otherwise, you should install a SQL server. A guide on how to install the free
MSDE or SQL Server 2005 Express version is available in the appendix.
Installation of the cynapspro Server
First, you need to install the server component on your intended cynapspro server.
Open the setup file (deviceprosetup.exe) provided via our download portal or on a disk. The
installation routine will open in the Install Shield. Choose your setup language and a wizard
will guide you through the installation routine. Click Next. If you agree with the license
agreement, click on "I accept the terms of the license agreement".
When you click Next, cynapspro is installed in the predefined destination folder.
If you want to enter a different directory for the installation, you can click on change to define
the destination yourself. A new window appears where you can select the desired folder:
When you have selected the folder, click Next.
Please enter at this point the following ports:
- Client-Server XmlRpcPort (Default: 6005) is used by clients to connect to the server
- Server-Client Notification XmlRpcPort (Default: 6006) is used to alert the clients
  about rights changes made on the server
Attention: The registered ports must be enabled in your firewall!
Next you will be asked to select the directory service you are using in your organization. Click
Next. As directory service you may use either Active Directory, Novell eDirectory (4.91
SP2 or higher), or an independent cynapspro directory structure.
In the next window the settings for the directory service can be made:
Active Directory Log-in Data
Enter the name of your domain controller. Additional domain controllers can be added later
in the Management Console. Define the Active Directory administrator as user and enter his
password.
Novell eDirectory Log-in Data
When using an NDS server, the name of the NDS must be provided. Define under Context
the context of your Novell environment. Enter the Novell Supervisor as user and enter his
password.
After correctly entering the login information please go to Next. The database server is now
configured. Enter the name of your SQL server. Use Browse to select from the available
database servers.
Attention: If you use MSDE, the corresponding checkbox must be activated.
(Compare with Preparation of the Installation using MSDE)
If you do not select or specify a previously created database, a new database called
"Device_Pro" will automatically be generated.
Click on SQL authentication and enter your "sa" password. Alternatively, you can use Windows
authentication. Click Next and start the Installation. The Install Shield now installs the
cynapspro server components. Click Finish to exit the wizard.
After the Installation
You have completed the installation of the cynapspro server.
If you have already purchased a license, you should go through the following steps.
If you have installed the cynapspro server for evaluation purposes only, you can skip these
steps.
Open the cynapspro management console using the shortcut on your desktop.
After successfully logging onto the cynapspro server, select Administration.
Go to license management to deposit the licenses you have purchased by entering the name
of the licensee and the license file in the appropriate fields.
The name of the licensee is stored in the txt file that is provided with the license.
Close the license extension with Accept. Your licenses have now been activated.
The cynapspro AdminTool
After successful installation of the cynapspro server, both server and database settings can be
viewed or changed with the help of the DevicePro Admin Tool.
By default, the tool is installed at
C:\Program Files\cynapspro GmbH\DevicePro 2010 and can be started from
> Program Files > cynapspro GmbH > DevicePro 2010.
Database Settings
Click the button Validate to check the connection to the specified database. cynapspro
solutions need a database user who has all rights to the cynapspro database (DB Owner).
Directory Service Settings
A precondition for the synchronization of the directory structure is that the specified user has
the necessary rights (List Contents, Read All Properties). Read access is fully sufficient, since
no data is written in the Active Directory or eDirectory.
Enter the host name of the directory service server in the field “domain controller”.
Click the button Validate to check the connection.
cynapspro Server Settings
Two ports are used for the communication between the cynapspro server and the cynapspro
clients. Here you can define the client-server XmlRpcPort and the server-client notification XmlRpcPort.
The client-server XmlRpcPort is used by clients to connect to the server (default: 6005).
The server-client notification XmlRpcPort serves to alert the clients about the rights changes
made on the server (default: 6006).
Loglevel
Internal cynapspro operations are stored in a log file. The level of detail of the logs can be set here.
Operation Modus: Errors Only
Administration Modus: Detailed
Debug Modus: Very Detailed
Roll-Out of the cynapspro Agent
Generate MSI Package
After the server installation has been completed, you can install the agents. Generate an MSI
package for the installation of cynapspro agents.
The settings for the package will automatically be copied from the current cynapspro server.
When generating the MSI package, you can define whether you want the tray icon to be
hidden in Windows.
We recommend not hiding the tray icon in order to ensure an optimal offline support.
By activating the checkbox Hide cynapspro agent service, the MSI package is generated in
such a way, that users with administrative rights can no longer stop the service that is used
for the communication between server and client.
Password protected uninstallation prevents users with administrative rights from uninstalling
the cynapspro agents.
Installation of the Agent
In the installation path of the server component, you will find the following files under MSI:
- DPAgentSetup.msi
- Install.bat
- Uninstall.bat
- Update.bat
Copy these files to the workstations or to a network drive.
To install the agents, run the file Install.bat on the workstation.
You can change the installation path of the agent. This change can be made in the file
install.bat or in the script with the command
INSTALLDIR="C:\Program Files\cynapspro GmbH\DevicePro"
Update the Agent
If you have installed a new version of cynapspro Endpoint Data Protection on the server, you
should also update the agents on the workstations.
You can update the agents using one of the following methods:
You can run the update automatically from the management console. In the Management
Console go to Administration – Install / Update Agents.
Here you can determine how many clients may download the MSI package right away and
when the download and update process should be executed.
Confirm your entry and select the agents that need to be updated. By pressing the button
update, the automatic update process will start.
To update manually, you must generate a new MSI package (see MSI package code).
Then go to the installation path of the cynapspro server component and open the folder MSI.
Copy the two files DPAgentSetup.msi and Update.bat to the corresponding computers or to
a network drive.
Run the file Update.bat. The software will immediately notice that a previous version of the
cynapspro agent is installed and will perform the update.
Uninstallation of the Agent
An uninstallation of the agent can be done using one of the following methods:
- Copy the two files DPAgentSetup.msi and Uninstall.bat to a folder that can be
  accessed by the client or directly onto the workstation.
  Start the file Uninstall.bat and uninstall the agent.
- Use the command line "msiexec /x [installation path]\MSI\DPAgentSetup.msi"
Installation of CryptionPro HDD
CryptionPro HDD is a product created as part of a cooperation between cynapspro and
Secude. cynapspro contributes the central management interface for the management of
Secude's FinallySecure (total Data-At-Rest security with software- or hardware-based Full Disk
Encryption, which can be downloaded at http://hdd.cryptionpro.de). CryptionPro HDD is fully
integrated into the cynapspro Management Console, which takes care of the complete installation
and management of the hard disk encryption. For more information, please check the
cynapspro Endpoint Data Protection 2010 User Guide.
If you prefer to install CryptionPro HDD manually, this is how you should proceed:
Before the Installation
We recommend that you run "Finally Secure SystemCheck.exe" before installing the
CryptionPro HDD 2010 client component. The file is located in the FinallySecure folder.
Alternatively, just install the Finally Secure client and the cynapspro Management Console
takes care of the rest.
Installation Process
To start the installation of CryptionPro HDD 2010, please run the Setup.exe, which is also
located in the FinallySecure folder.
The first step is to choose a language for the installation and then confirm with OK. The
installation wizard starts the installation in a new window. Click on the button Next to
continue.
Accept the license agreement and click Next twice, after reading the warning notice.
In order to initialize the PBA and FDE, use the preselected checkboxes. You can also skip this
point and do this at a later date in the cynapspro Management Console.
Do not select initialization at this point.
Next takes you to the next step, where you should select Complete in order to install
CryptionPro HDD 2010 with all the features. If you select Custom, you have the option to
choose the installation path.
Start the installation in the next window using the Install button. After the installation has
been completed, click Finish.
Initialization of Finally Secure FDE:
If you have previously selected initialization, the initialization of the FDE is automatically
started. Alternatively, you can do so at a later time via the centrally controlled management of
CryptionPro HDD 2010 and skip this point.
Appendix
Unattended Installation of cynapspro
This allows you to carry out the installation of the server and the agents “unattended”. In
addition you can do the synchronization and all the settings through a script, as well as import
all the permissions using the xml interface. All this is fully automated, so no action from an
administrator is required.
Step 1 – Recording of Parameters
Run the DeviceProSetup using the command line:
DeviceProSetup.exe /r /f1"C:\Temp\DeviceProSetup.iss"
All settings will be saved to the iss-file.
Step 2 – Adjustments (optional)
Change the settings in the iss-file.
Step 3 - Unattended Server Installation
Start the unattended server installation using the following command line:
DeviceProSetup.exe /s /f1"C:\Temp\DeviceProSetup.iss" /f2"C:\Temp\DeviceProSetup.log"
For a new installation “inheritance” is automatically activated.
Step 4 – Import Licenses (optional)
DPAdminTool.exe /license "LICENSE_FILE_PATH" /user USER_NAME
Step 5 – Start Synchronization
DPAdminTool.exe /sync /activate
Step 6 – Define directory for the xml-file
DPAdminTool.exe /impdir "FOLDER_PATH" [/impdirsuccess "FOLDER_PATH"] [/impdirfail "FOLDER_PATH"]
Step 7 – Import Permission Settings
Please note the following:
No access = 0
Read access = 1
Full access = 3
If an error is found in a file, the entire file will not be imported but copied to the "Failed" list.
Step 8 – Install Agent
msiexec /i DPAgentSetup.msi /l*vx AgentInstall.log SERVER_NAME="server"
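The unattended server installation from Steps 3 to 5, as an added PowerShell example that is not part of the original guide: it restricts access to the recorded response file, runs the silent setup, and continues only if the InstallShield silent-mode log reports success ([ResponseResult] ResultCode=0, the standard format of that log). The file locations, the license placeholders and the helper name Get-SilentSetupResult are assumptions, as is the premise that the response file contains the passwords typed into the wizard while recording.

```powershell
# Added example (not from the cynapspro guide): unattended server setup, Steps 3 to 5.
$ErrorActionPreference = 'Stop'

# Assumed locations; the /f1 and /f2 paths are the ones used in the guide.
$Setup       = 'C:\Temp\DeviceProSetup.exe'
$IssFile     = 'C:\Temp\DeviceProSetup.iss'   # response file recorded in Step 1
$LogFile     = 'C:\Temp\DeviceProSetup.log'
$AdminTool   = 'C:\Program Files\cynapspro GmbH\DevicePro 2010\DPAdminTool.exe'
$LicenseFile = 'C:\Temp\license.lic'          # placeholder, optional
$Licensee    = 'LICENSEE_NAME'                # placeholder, taken from the .txt file

function Get-SilentSetupResult {
    # Hypothetical helper: returns ResultCode from the [ResponseResult] section
    # of an InstallShield silent-mode log (0 means the setup succeeded).
    param([Parameter(Mandatory = $true)][string]$Path)
    $inSection = $false
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'ResponseResult')
        } elseif ($inSection -and $line -match '^ResultCode\s*=\s*(-?\d+)$') {
            return [int]$Matches[1]
        }
    }
    throw "No [ResponseResult] ResultCode in $Path"
}

# The response file replays what was typed into the wizard. Assumption: that
# includes the directory service and SQL passwords, so limit access to SYSTEM
# and the local Administrators group (well-known SIDs, language neutral).
& icacls.exe $IssFile /inheritance:r /grant:r '*S-1-5-18:F' '*S-1-5-32-544:F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed for $IssFile" }

# Step 3: silent installation. A stale log would hide a failed run, so remove it.
if (Test-Path -LiteralPath $LogFile) { Remove-Item -LiteralPath $LogFile }
Start-Process -FilePath $Setup -Wait `
    -ArgumentList '/s', "/f1`"$IssFile`"", "/f2`"$LogFile`""
if (-not (Test-Path -LiteralPath $LogFile)) { throw "Setup wrote no log: $LogFile" }
$code = Get-SilentSetupResult -Path $LogFile
if ($code -ne 0) { throw "Silent setup failed, ResultCode=$code (see $LogFile)" }

# Step 4 (optional): import the license. Step 5: start the synchronization.
if (Test-Path -LiteralPath $LicenseFile) {
    Start-Process -FilePath $AdminTool -Wait `
        -ArgumentList '/license', "`"$LicenseFile`"", '/user', "`"$Licensee`""
}
Start-Process -FilePath $AdminTool -Wait -ArgumentList '/sync', '/activate'
```

Run it from an elevated PowerShell prompt on the intended cynapspro server.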
Installation of SQL Server 2005 Express/MSDE
You can choose between SQL Server 2005 Express or MSDE. Both are available free of
charge from Microsoft.
Microsoft SQL Server 2005 Express Edition
Download the installation file from Microsoft, which can be found at:
http://www.microsoft.com/downloads/details.aspx?familyid=4C6BA9FD-319A-4887-BC75-3B02B5E48A40&displaylang=de
Start the SQLEXPR_ADV_GER.EXE of the "Microsoft SQL Server 2005 Express Edition with
Advanced Services." Agree to the terms of the Microsoft EULA and click Next. Now the
components that are required for the SQL Server Setup will be installed. Click Next twice. The
system configuration review should be completed with success. If this is the case, click the
button Next to continue.
The installation is started. In a next step you enter your name and company name and leave
the checkbox Hide Advanced Configuration Options activated.
In the next window, you can select the features, as well as the installation path.
Select the data files, common tools, connectivity components and the Management
Studio Express.
Use mixed mode for authentication and define a password for the 'sa' user. Then click Next
twice and complete the installation.
Microsoft SQL Server 2000 Desktop Engine (MSDE 2000)
First you download the installation file from Microsoft at:
http://www.microsoft.com/downloads/details.aspx?FamilyID=413744D1-A0BC-479F-BAFA-E4B278EB9147&displaylang=de
Then open the GER_MSDE2000A.exe of MSDE. Read the Microsoft license agreement and click
Yes. Enter the folder to unpack the files. If the folder does not exist, you will be prompted to
create it. Then click Finish.
After you have successfully unpacked the files in the specified folder, please execute the
following command line to assign a SA password.
[Installation]\setup.exe sapwd="[password]"
The MSDE database has been installed. You can now proceed with the installation of
cynapspro.
Automatic Distribution of the Agent (via AD)
Thanks to Microsoft software distribution, you can automatically install the agent on all clients
using the Active Directory. To do this, follow these steps:
Set access permissions for all users on a network drive. Copy the DPAgentSetup.msi to this
network drive.
Open the OU Computer in the Active Directory and select Properties. Now click on Group
Policy and create a new policy.
Use Edit to open the Group Policy Editor. Go to computer configuration, software
configuration, and then software installation and create a new package.
Select the MSI file from the network drive. Go to software provisioning and click
Advanced. Activate the checkbox Uninstall application if it is outside the scope of
management on the software provisioning tab.
Congratulations!
You are now familiar with the installation of cynapspro Endpoint Data Protection.
Please consult the cynapspro User Guide for assistance on how to work efficiently with cynapspro
solutions. If you need any help, we shall be happy to support you!
We hope you’ll enjoy using our products.
Copyright
All Rights Reserved, 2004 - 2010 cynapspro GmbH. This document is copyrighted. All rights
are reserved by cynapspro GmbH. Any other use, especially the disclosure to third parties,
storage within a data system, distribution, processing, presentation, performance and
production is prohibited. This applies to the entire document, as well as to any of its parts.
Subject to change. The software described in this document is subject to continuous
development. As a result, functions described in the documentation may differ from the actual
software.
Cynapspro and DevicePro ® are registered trademarks of cynapspro GmbH. All other product
names and trademarks are the property of their respective owners.
cynapspro GmbH
Am Hardtwald 1
76275 Ettlingen
Germany
Phone +49 (0)7243-945-250
Fax +49 (0)7243-945-100
Email: contact@cynapspro.com
Website: http://www.cynapspro.com