
(Vontu) DLP Endpoint Agent v11.1.2 on Non-Persistent Virtual Machines (VMWare)

Created: 16 Aug 2012 • Updated: 21 Aug 2012 | 9 comments
This issue has been solved. See solution.

We are deploying Vontu DLP Endpoint Agents within our virtual environment. When I initially looked through the product documentation for the version we are deploying (v11.1.2) it seemed that it would be as simple as just adding the agent to the image and deploying. After further discussion with support and also some KB research it seems that deploying from the image will not work because the agent key is encrypted within a SQL database on the initial image. Since the initial image has one key, now all agents that have been deployed from that image have the same key and are causing detection/reporting issues.

I would like to know if anyone else has tried deploying their agents to VMs and, if so, how you have gone about doing so?


-Andrea


venkatp

Which KB article refers to the ability to install the Endpoint Agent on a VMware desktop? Could you share the information.

I was told by a support agent that the Endpoint agent was not supported on VMWare and only on Citrix Xen desktops.

yang_zhang

I don't think there will be a problem installing your DLP agent on your template VMware virtual machine.

In my opinion, if you deploy your template VMware virtual machine into a new one, the DLP agent in this new virtual machine will be registered into the Endpoint Server as a new agent, because the machine name and the IP address are changed.

DLPguyNJ

@venkatp - The KB that says a virtual machine image will give issues is https://kb-vontu.altiris.com/article.asp?article=54857&p=4


@yang_zhang - You cannot install off of a template because all the machines have the same key within their encrypted SQL database. Even though the machines register to an endpoint server, the machines have issues reporting their incidents to that endpoint server. I do not know all the details of all the issues this causes; however, there have been problems, maybe due to two different machines reporting incidents at the same time with identical keys to the endpoint server.


Keith Reynolds - ExchangeTek

I'm not so sure that the issue described in that article has anything to do with the Agent's "key" in the agent database. 

As a quick test of that, I cloned a VM workstation in my lab system, then started both machines (the original VM workstation, and the cloned workstation).  Both agents started fine, no issues with detection, etc.  I additionally ran a full Endpoint Discover scan on the machines...also, no issues.  Obviously this is a very small scale test, but would suspect that if there were going to be communication issues, I would have seen them there if it was indeed something as a result of that agent key.

It appears, based on that article, that it is something specific to XenDesktop images created using XenConvert. It would be nice to know why that is, but the KB article gives very little information.

I've seen customers of mine use images for physical machines where the agent is included in the image, and don't recall ever having any issues with that, either.  All of which says to me that it's not desktop images in general, rather something specific to images created using XenConvert.

~Keith

DLPguyNJ

Keith,

I understand what you are saying, but I have direct emails from Symantec support:

"I have confirmed that the deployment of the Agent software to a VM image is not supported for version 11.
 
I located another reference stating the deployment to a master or template image is not supported.
 
Endpoint Agent can not be deployed on XenDesktop deployment VM templates
https://kb-vontu.altiris.com/article.asp?article=54857&p=4"


That is where I got the prior information when I started researching this, and I also have this email from another support person at Symantec:


"There are options for installing an Endpoint agent to VM, just not the ability to deploy it as an image.
 
In the attached System Requirements and Compatibility Guide, the caveats/ways to install start on page 28. 
Additional limitations listed below From KB Article ID: 46366 Which components are supported within virtualized environments?
https://kb1-vontu.altiris.com/article.asp?article=46366&p=5"

venkatp

Has anyone had any luck installing the DLP Endpoint Agent (v 11.x) on either the VMware Virtualization Server or to the Virtual Desktops themselves?

Please respond with your experiences and what to look out for.

Symantec's official response is that it is not supported on VMware, but just Citrix.

Keith Reynolds - ExchangeTek

As usual, Symantec seems to be purposely vague when they say something is or is not supported. In my experience, "not supported" simply means that they have not tested and/or certified a particular configuration, not that it doesn't work. Though I will concede that the KB article that you reference (54857) seems to identify a specific type of image for virtual machines using XenDesktop that will not work, and I'd heed that warning and push deployment of agents via other means if using XenDesktop.

@Venkat - where are you getting that information with regards to VMWare? Check the same referenced System Requirements Guide, which states:

"Symantec also supports running the Symantec DLP Agent software on virtual workstations using VMware Workstation 6.5.x. This is in addition to the support for running the DLP Agent software on Citrix virtual desktops and virtual applications."

I've got customers using VMWare workstations where they are deploying agents, and have not had issues. 

~Keith


DLPguyNJ

@kreynolds - I completely agree with the purposeful vagueness that sometimes comes with the "not supported" comment. I called support and spoke at a bit more length about this subject. It seems that although it will work (images of the same agent), there is a security concern: if the "master encryption key" for the image is cracked, then someone would be able to open all the logs of every agent in your virtual space. Functionality should be fine from the image, but security is the downfall. Another issue is that if you use different endpoint servers, the master image will determine which endpoint server all the agents report to, because it will be predefined in the master image.

The recommendation is to have the .msi package for the agent on the image and your installation .bat as well. During the start up of the non-persistent virtual machine you should have the start up script run the install silent and hidden in the background. This will ensure that each virtual machine is individually registered with a separate encryption key and pointed to a different endpoint server (if you are using 3DNS or something that can round robin your endpoint server in the .bat where it points to the endpoint server).

So in the end it seems that you can have the agent on your master image (for VMware I can confirm), but only with the concerns I have iterated above.

SOLUTION
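The recommendation in the accepted answer, sketched as a boot-time script. This is an added example for this thread, not Symantec's install .bat or anything from the System Requirements Guide: the .msi path, the endpoint server host names, the `ENDPOINTSERVER` MSI property and the `EDPA` service name are placeholders and assumptions to be checked against the installation .bat that ships with your agent package. The script refuses to run if the agent is already baked into the image (which is exactly the shared-key situation the thread warns about), picks an endpoint server per clone without needing 3DNS, and runs msiexec silently so the agent generates its own key on each non-persistent VM.

```powershell
# Added example (not from the thread or from Symantec). Run as a machine startup
# script on the non-persistent VM so every clone installs, and keys, its own agent.
# ASSUMPTIONS / placeholders to confirm against your own install .bat:
#   $MsiPath          - where the agent .msi was staged on the master image
#   ENDPOINTSERVER    - MSI property carrying the "host:port" of the endpoint server
#   EDPA              - service name of an already-installed agent
$MsiPath         = 'C:\DLPAgent\AgentInstall.msi'          # placeholder path
$LogPath         = 'C:\Windows\Temp\dlp-agent-install.log'
$EndpointServers = @('dlp-ep1.example.local:10443',         # constructed host names
                     'dlp-ep2.example.local:10443')

function Select-EndpointServer {
    param([string[]]$Servers, [string]$HostName = $env:COMPUTERNAME)
    # Deterministic spread: hashing the host name means a given clone always lands on
    # the same server, while a pool of clones is spread across all of them. This is
    # the script-side alternative to the round-robin DNS (3DNS) the answer mentions.
    $sum = 0
    foreach ($c in $HostName.ToCharArray()) { $sum = ($sum + [int]$c) % $Servers.Count }
    return $Servers[$sum]
}

function Test-AgentInstalled {
    # The agent service is present only if an install already ran on this image.
    return $null -ne (Get-Service -Name 'EDPA' -ErrorAction SilentlyContinue)
}

if (Test-AgentInstalled) {
    # An agent already in the image means every clone shares that image's key and
    # its predefined endpoint server; stop here instead of silently accepting that.
    Write-Warning 'DLP agent already present in the master image; clones would share one key.'
    exit 1
}

$server = Select-EndpointServer -Servers $EndpointServers
$msiArgs = @(
    '/i', "`"$MsiPath`"",
    '/qn', '/norestart',                      # silent, no UI, no forced reboot
    '/L*v', "`"$LogPath`"",                   # verbose install log for troubleshooting
    "ENDPOINTSERVER=`"$server`""              # assumed property name, see header
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs `
                      -Wait -PassThru -WindowStyle Hidden
# 0 = success, 3010 = success but reboot required; anything else is a failed install.
if ($proc.ExitCode -notin 0, 3010) {
    Write-Error "DLP agent install failed with exit code $($proc.ExitCode); see $LogPath"
    exit $proc.ExitCode
}
```

Because the install happens after the clone boots, the agent database and its key are created on the clone rather than copied from the master, which addresses both concerns in the answer: a compromised master key no longer opens every agent's logs, and the endpoint server is chosen per machine rather than frozen into the image.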
Keith Reynolds - ExchangeTek

Good synopsis and thanks for conveying the recommendation.  That seems just about as easy as having the agent pre-installed on the image, I suppose. 

I'm curious as to what the true risk is in being able to crack the agent log files? There's not anything particularly sensitive in the log files themselves apart from detailing what files/actions have been inspected.  I must be missing something there.

~Keith