Data Loss Prevention

 View Only

  • 1.  DLP Enforce Network & Domain Change

    Posted Mar 26, 2017 04:18 AM

    Hi everybody

    I will soon face the situation to change a network and domain of a DLP Enforce server.
    The goal is to change an Enforce server's IP and Domain due to an internal network and domain migration.

    In general/theory, this sould not be a big thing. Neverthelss, DLP solutions are - let's say - a bit sensible to changes outside of the normal use cases.
    After searching quite a bit on the web, I could not really find proper information on this.
    So is there anyone already having some experience with this? Thoughts, considerations?

    Any input appreciated.

    Cheers

     



  • 2.  RE: DLP Enforce Network & Domain Change

    Broadcom Employee
    Posted Mar 26, 2017 04:49 AM

    hope this should help to go ahead with the activity.

     

    How to change the hostname or IP on the Enforce server

    http://www.symantec.com/docs/TECH220038


  • 3.  RE: DLP Enforce Network & Domain Change

    Posted Mar 26, 2017 05:37 AM

    Hi Pete

    Thanks for the link - Funny actually that this thing didn't show up in any search. Quite an obvious one it would have been tho.

    So I suppose that the Domain change would not be a big thing then?

    Cheers



  • 4.  RE: DLP Enforce Network & Domain Change

    Broadcom Employee
    Posted Mar 26, 2017 09:07 AM

    The Enforce should be accessible to the detection servers thats the consideration to be taken.



  • 5.  RE: DLP Enforce Network & Domain Change

    Broadcom Employee
    Posted Mar 26, 2017 12:09 PM

    As long as the detection servers and database names still resolve then DLP is not dependent upon the domain although there are other compnents that would potentially change. If you are currently using AD authentication you would need to make sure your krb5.conf file is updated to ensure users can log on to the system. Just in case I would keep the built in Administrator account password handy. For the rest of the use cases they wont stop you immediately but probleably need some checking. Where these kinds of changes would be is if you are using AD based lookups, AD User Groups, or are doing discover scanning using domain accounts. In each of those cases it would be fairly easy to change things over from the old domain to the new domain. For discover scanning it would be as simple as changing the username on credentials within the credential vault. For AD lookups it would be creating a new directory connection and switching over the domain used within the plugin. For AD User groups you would reuse the direcotry connection but you might need to make some more changes depending on how the migration occurs.

     



  • 6.  RE: DLP Enforce Network & Domain Change

    Posted Mar 28, 2017 09:39 AM

    Thanks guys for the feedback, I will consider this when carrying-out the IP and domain change.
    Of course, I'll keep you posted.