Data Loss Prevention

  • 1.  DLP Enforce Re-Installation - Agent Questions

    Posted Jun 21, 2018 04:44 AM

    Hello everyone

    I currently need to re-install a DLP Enforce server due to malfunctions. It also hosts the endpoint server.
    Therefore, a new server will be set up and DLP installed on the new machine using the already existing database.
    The server version stays the same, and the agents do not change in version either.

    I now have two questions:

    1. Do I have to re-install each Agent? Since they have been deployed with the key of the current endpoint server. Or can I simply copy/paste the endpointKeyStore file from the old to the new server?
    2. Will the agents send the incident data that potentially has been generated during server outage to the new server after it is up and running again?

    Cheers and thanks



  • 2.  RE: DLP Enforce Re-Installation - Agent Questions

    Posted Jun 21, 2018 11:57 AM

    Hi Flutti,

     

    When uninstalling DLP you will be asked if you want to back up your config; you should do this and store it in a safe location.

     

    When you re-install you get a prompt to say that you want to use existing files (I can't remember what the exact message is off the top of my head, sorry). When prompted, navigate to the location where you stored your backup.

     

    In regards to the agent, you just need to specify the agent on the Enforce when you go to System, Servers and Detectors, Overview, Add Server and specify the IP address.

    You will need to generate new certificate keys. This is a straightforward task; you can find the details on how to do this here: https://support.symantec.com/en_US/article.TECH221433.html

    It is usually good practice to generate certificates for DLP rather than use the default. Once you have generated your certificates, copy them to the server as described in the link above.

    In regards to the agents sending incident data: yes, the data is held in a queue, and once it's connected to the Enforce it will send the data there.

     

    Let me know if you need any further assistance.

     

    If you are happy with this solution could you please mark as resolved. Thanks



  • 3.  RE: DLP Enforce Re-Installation - Agent Questions

    Posted Jun 21, 2018 12:19 PM

    Use the System Maintenance Guide to make sure you have backups of the things you need to restore to the new servers. Install Enforce first, restore files and connect to the DB (DO NOT INITIALIZE). Then install the Endpoint server.

    Getting the Enforce install and restoring files correctly is key. Done correctly, you should see what you saw before in the console and not lose communication with existing agents.

    Agents will write encrypted incident information to the workstation's hard drive while the Endpoint server is unavailable. Space to do this is limited, so the oldest incidents could be overwritten as needed. Agents will send their collected incidents to the Endpoint server when communication is restored.



  • 4.  RE: DLP Enforce Re-Installation - Agent Questions

    Posted Jun 27, 2018 08:21 AM

    Hi Flutti,

    Please follow these steps:

    Recently I have done the Enforce recovery by uninstalling and recovering back to the original one.

    1. Backup your config folder located at Symantec DLP\protect.

    2. Backup your plugins folder located at Symantec DLP\protect

    3. Backup the .keystore file located at Symantec DLP\protect\tomcat\conf

    4. Backup the keystore folder located at Symantec DLP\protect

    5. Create EnforceReinstallationResources.zip containing the config and keystore folders. (Note this is a manual process of creating EnforceReinstallationResources.zip. If you want to get it automatically, then at the time you uninstall the Enforce it will ask you to save the previous configuration, and the same file will be created in the SymantecDLP folder. You can use that file to reinstall the Enforce server.)

    6. Reinstall the Enforce Server using ProtectInstaller64_15.0.exe and make sure you uncheck the Initialize Enforce Data check box if you want to perform a recovery operation.

    7. It will ask for EnforceReinstallationResources.zip; browse to the location where you stored it and click Next.

    8. If you get an error like this: "Failed to encrypt the password file. Installation will abort", then click OK to abort.

    9. Even if the installation is aborted, it will create the Symantec DLP folder at the installed location.

    10. Manually copy the CryptoMasterKey.properties and Encryption key (not sure about the exact name, but the file type will be key file), located under the config folder which you already had the backup of, to SymantecDLP\protect\config

    11. Again reinstall the Enforce server, and this time you will not get any error.

    12. After reinstallation, stop the Vontu services, then replace the plugin folder and .keystore file with the ones you backed up earlier.

    13. Start the Vontu services. Now go to the keystore folder. Check if certificate_authority_v1.jks is the same as the file located in the backup of the keystore folder.

    14. If not, replace the file with the original file and update it on Oracle by going to the DB, connecting it to SQL Plus using protect folder, and executing this command:

    update certificate set CERTIFICATEFILENAME='certificate_authority_v1.jks' where CERTIFICATEID=1;

    15. Check if agents are reporting or not. If not, remove the detection server from the console, go to the keystore folder and remove the certificates starting with the name "monitor" (there will be 2 certificates starting with "monitor" if you are using a single detection server), then add the detection server again. Your agents will communicate. If agents are still not reporting, go to the detection server and check the Aggregator logs under Symantec DLP\protect\logs\debug.

    Hope it will help.

    Regards

    Satyajeet Anand.
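
Added example (not part of the thread and not Symantec tooling): a PowerShell check for the comparison in step 13 of the post above, extended to the other key files named in steps 3, 4 and 10. It hashes each backed-up file and its restored counterpart with SHA-256. `$BackupRoot` and `$InstallRoot` are assumed parameters pointing at the backed-up and the newly installed `protect` folders; the relative paths come from the post.

```powershell
# Added example: compare restored Enforce key material against the backup by SHA-256.
param(
    [Parameter(Mandatory)] [string] $BackupRoot,   # assumed: folder holding the backed-up "protect" tree
    [Parameter(Mandatory)] [string] $InstallRoot   # assumed: "protect" folder on the new server
)

$BackupRoot  = (Resolve-Path -LiteralPath $BackupRoot).Path.TrimEnd('\')
$InstallRoot = (Resolve-Path -LiteralPath $InstallRoot).Path.TrimEnd('\')

# Files named in the post (steps 3 and 10), relative to the protect folder.
$relative = @(
    'tomcat\conf\.keystore',
    'config\CryptoMasterKey.properties'
)

# Every file in the backed-up keystore folder (step 4), including certificate_authority_v1.jks.
$keystore = Join-Path $BackupRoot 'keystore'
if (Test-Path -LiteralPath $keystore) {
    $relative += Get-ChildItem -LiteralPath $keystore -Recurse -File -Force |
        ForEach-Object { $_.FullName.Substring($BackupRoot.Length + 1) }
}

$results = foreach ($rel in $relative) {
    $src = Join-Path $BackupRoot $rel
    $dst = Join-Path $InstallRoot $rel
    $status = if (-not (Test-Path -LiteralPath $src)) {
        'NotInBackup'
    } elseif (-not (Test-Path -LiteralPath $dst)) {
        'MissingOnNewServer'
    } elseif ((Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash -eq
              (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash) {
        'Match'
    } else {
        'Differs'
    }
    [pscustomobject]@{ File = $rel; Status = $status }
}

$results | Format-Table -AutoSize

# Non-zero exit when anything needs to be restored from the backup.
if ($results.Status -contains 'Differs' -or $results.Status -contains 'MissingOnNewServer') {
    exit 1
}
```

The key file under `config` whose name the post does not give is not checked here; add its relative path to `$relative` once it is known.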