
Setup Guide

McAfee Cloud Data Protection Beta

McAfee Cloud Data Protection Beta Release 11-Apr-2017


COPYRIGHT

© 2017 Intel Corporation

TRADEMARK ATTRIBUTIONS

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

1 About the McAfee Cloud Data Protection solution
  Components installed on-premise
  Cloud-based components

2 Preparing to install and configure the McAfee Cloud Data Protection components
  Prerequisites
  Sign up for McAfee Cloud Data Protection beta
  Download the on-premise components and documentation

3 Installing the on-premise components
  Installing the KMS service
    Prerequisites
    Pre-installation steps
    Installation steps
  Open Cloud Transmission Channel communications port
  Installing McAfee ePO
    Set up your SQL Server and start the installation software
    Configure your McAfee ePO installation in the InstallShield Wizard
    Complete a first-time installation
  Install required on-premise McAfee ePO extensions
    Install the Cloud Bridge extension
    Install the Common Core, Common Rest, and Policy Sync extensions
    Install the Endpoint Health Check extension
    Install the DLP extension
    Install the FRP extension
  Push McAfee DLP and McAfee FRP to your endpoints
    Add packages to on-premise McAfee ePO
    Deploy McAfee DLP to managed systems
    Deploy FRP to managed systems
    Send an agent wake-up call

4 Configuration steps
  Communicating with McAfee ePO Cloud
  Cloud bridge server settings
  Connect your Active Directory to your on-premise McAfee ePO
  Provision KMS communications
    Create a new Registered Server
    Create the required permission sets
    Create a user with the required permissions
    Provision the Key Service
    Unlock the Key Service

5 Connecting to 3rd-party cloud services
  Advanced Protection for Box.net
    Provision Advanced Protection for Box.net
  Advanced Protection for Microsoft SharePoint
    Provision Advanced Protection for Microsoft SharePoint

A Install Docker on your server
  Installing Docker
    Installing Docker engine
    Managing Docker as a non-root user
    Installing OpenSSL
    Installing OpenJDK

Index


1 About the McAfee Cloud Data Protection solution

McAfee® Cloud Data Protection enables you to protect your users and data against data loss from managed and unmanaged devices in an environment that is increasingly reliant on cloud applications. You can investigate cloud-related traffic, and provide protection by applying policies as appropriate for your organization.

With multiple McAfee products forming this solution, installed both in your network and on McAfee ePolicy Orchestrator (on-premise) and McAfee ePolicy Orchestrator Cloud, you get total protection.

Figure 1-1 Cloud and on-premise components


Contents

• Components installed on-premise

• Cloud-based components

Components installed on-premise

To benefit from the full range of McAfee Cloud Data Protection features, the following products and components must be installed inside your network.

Key Management Service

Key Management Service (KMS) is a component that stores and serves the encryption keys used to encrypt and protect your data across cloud and on-premise environments. The Key Management Service integrates with several McAfee products, serving your encryption keys to McAfee File and Removable Media Protection and the cloud encryption engine. Key Management Service also serves your encryption keys to the cloud-based components of McAfee Cloud Data Protection responsible for remediating sensitive data uploads from unmanaged devices to third-party cloud applications.

This single key-management infrastructure remains under your control inside your corporate network, and is securely connected to the cloud via the Cloud Transmission Channel.

Cloud Transmission Channel

The Cloud Transmission Channel (CTC) is installed as part of the Key Management Service install package. CTC provides a secure tunnel from the Key Management Service to the cloud components without needing to open any incoming ports on your firewall. A single outgoing port is required.

Active Directory

To obtain user and user-group information, McAfee Cloud Data Protection integrates with your on-premise Active Directory (AD). Make sure your beta environment includes an AD server.

Cloud Directory Service

Cloud Directory Service (CDS) is the mechanism that interfaces between your Active Directory and McAfee Cloud Data Protection, running inside McAfee ePolicy Orchestrator Cloud.

On-premise McAfee ePolicy Orchestrator

McAfee Cloud Data Protection uses both on-premise McAfee ePO and McAfee ePolicy Orchestrator Cloud to provide protection for your data in the cloud. The on-premise McAfee ePolicy Orchestrator gives management of the required on-premise components of the McAfee Cloud Data Protection solution, including McAfee® Data Loss Prevention (McAfee DLP) and McAfee® File and Removable Media Protection (FRP).

Your on-premise McAfee ePolicy Orchestrator also hosts the components required to synchronize information between the on-premise and cloud-based parts of the solution.

Cloud Bridge extension

The Cloud Bridge extension enables communication between your on-premise McAfee ePO server and McAfee ePolicy Orchestrator Cloud.

Common Core and Common Rest extensions


These extensions provide core functions that other extensions use to perform correctly. These extensions have no configuration or user interface, but must be installed to enable the correct functioning of the on-premise components of McAfee Cloud Data Protection.

Policy Sync extension

The Policy Sync extension ensures your on-premise and cloud-based policies are kept in step. Policy Sync works by running McAfee ePO Server Tasks to share policies and client tasks between your on-premise McAfee ePO server and ePolicy Orchestrator Cloud.

Endpoint Health Check (EHC) extension

EHC collates security posture information from several McAfee products about your endpoint devices. At the point that encryption keys are requested, the posture information is compared to your chosen EHC policy. Only if the outcome of this comparison is acceptable are the encryption keys released to McAfee FRP.

DLP extension

McAfee® Data Loss Prevention (McAfee DLP) identifies and protects data in your network. McAfee DLP helps you understand the data on your network, how the data is accessed and transmitted, and if that data contains sensitive or confidential information.

McAfee File and Removable Media Protection extension

McAfee® File and Removable Media Protection (FRP) provides encryption services to McAfee DLP. McAfee DLP classifies the files it scans and, depending on the policies triggered, FRP encrypts the files using the encryption keys specified by the policy.

Cloud synchronization extension

Synchronize McAfee DLP web and cloud protection incidents and Endpoint Health Check data with ePolicy Orchestrator Cloud reporting services. Synchronize McAfee ePolicy Orchestrator Cloud Global Settings, Web Application Filter, and Cloud Data Protection policies with on-premises McAfee DLP.

Cloud-based components

Several of the key components included in McAfee Cloud Data Protection are based in the cloud.

The cloud-based components of McAfee Cloud Data Protection Beta are accessed from the McAfee ePolicy Orchestrator Cloud beta site. To test McAfee Cloud Data Protection you need an account on the McAfee ePolicy Orchestrator Cloud beta site. You also need to sign up for the beta program for McAfee Cloud Data Protection, Cloud Data Protection for Box, and Cloud Data Protection for Office 365.

Best practice: Signing up for a beta trial of McAfee Web Gateway Cloud Service enables you to view the seamless transfer of information between McAfee Cloud Data Protection and McAfee Web Gateway Cloud Service.

To test the Advanced Protection features of McAfee Cloud Data Protection, you must provision the relevant cloud applications to allow communications between the cloud application and your account.


2 Preparing to install and configure the McAfee Cloud Data Protection components

Sign up for the McAfee Cloud Data Protection beta, and download the components you need to install.

Contents

• Prerequisites

• Sign up for McAfee Cloud Data Protection beta

• Download the on-premise components and documentation

Prerequisites

The following prerequisites are needed to successfully set up and test the McAfee Cloud Data Protection beta.

McAfee recommends that all beta testing is carried out in a test network. Do not use beta software in a production environment.

• You must have signed up for the McAfee Cloud Data Protection beta from https://beta.manage.mcafee.com

• Download the products, components, and documentation from https://www.mcafee.com/casbbeta

• Your test environment must include a configured Active Directory (AD) server

• To install the KMS component, you must have a Linux server (Ubuntu 14.04, or Debian) set up.

• A mail server must be available, reachable from the Linux server.

• Download the Key Management Service license key from the Getting Started with Cloud Data Protection pages on https://beta.manage.mcafee.com

Sign up for McAfee Cloud Data Protection beta

Access the McAfee ePolicy Orchestrator features by signing up for the McAfee Cloud Data Protection solution beta.

Best practice: Sign up for McAfee Web Gateway Cloud Service, to test the automatic forwarding of log information from McAfee Web Gateway Cloud Service to McAfee Cloud Data Protection.


Task

1 Navigate to https://beta.manage.mcafee.com.

2 Sign up for McAfee Cloud Data Protection:

• If you do not have a McAfee ePolicy Orchestrator beta account, click Sign up Now.

1 From Product Selection, choose Web Gateway Cloud Service, McAfee Cloud Data Protection, Cloud Data Protection for Box, and Cloud Data Protection for Office 365.

2 Provide and submit the requested information.

• If you have an existing McAfee ePolicy Orchestrator beta account, log on to McAfee ePolicy Orchestrator.

1 From the McAfee ePolicy Orchestrator menu, select User Management | My Account.

2 Read and accept the license agreement and privacy notice.

3 From Subscriptions | Create Order / Trial, click Create Trial for McAfee Cloud Data Protection, Cloud Data Protection for Box, and Cloud Data Protection for Office 365 (as appropriate).

Download the on-premise components and documentation

Download the required products, components, and documentation for McAfee Cloud Data Protection.

Task

1 Navigate to https://mcafee.com/casbbeta and open the Downloads and Documents tab.

2 Download and save all the items listed under both Downloads and Documents.


3 Installing the on-premise components

Several products and components must be installed in your network to provide the encryption, key management, and data classification services that are used by the McAfee Cloud Data Protection solution.

We recommend that you install the products and components and configure communications in the following order:

1 Install and configure the KMS and CTC

2 Install your on-premise McAfee ePO server

3 Install the Cloud Bridge extension onto McAfee ePO

4 Install the Common Core, Common Rest, and Cloud Sync extensions

5 Install the McAfee DLP and McAfee FRP extensions onto McAfee ePO

6 Upload the McAfee DLP and McAfee FRP client packages onto McAfee ePO

7 Register and configure your Active Directory server

8 Provision your McAfee FRP and KMS

9 Push the client packages from McAfee ePO to your endpoints

Contents

• Installing the KMS service

• Open Cloud Transmission Channel communications port

• Installing McAfee ePO

• Install required on-premise McAfee ePO extensions

• Push McAfee DLP and McAfee FRP to your endpoints

Installing the KMS service

This section explains in detail how to install the KMS service.

Contents

• Prerequisites

• Pre-installation steps

• Installation steps


Prerequisites

The following systems, software, and processes must be set up before you proceed with the installation of KMS.

• Linux system (x64)

• Ubuntu 14.04 / 16.04 / 16.04.1 / 16.10

• Debian 8.5 / Debian 8.6

• Docker (Minimum version is 1.10.02)

• OpenSSL and OpenJDK (minimum version is 1.8)

Note that these are needed only during the installation of KMS and the Cloud Transmission Channel (CTC).

• Access to a Certificate Authority for signing certificates

• Database server running either:

• MySQL (minimum version is 5.6.x) — https://dev.mysql.com/

• PostgreSQL (minimum version is 9.5.x) — https://www.postgresql.org/

Please note that "SQL server" used throughout this guide (with respect to KMS installation) refers to MySQL or PostgreSQL servers.
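A pre-flight script for the KMS host, added here as an example (it is not part of the McAfee installer or of this guide): it checks that the commands the installation needs are present, compares the installed Docker and Java versions against the minimums listed above, and confirms that the guide's default KMS ports (8443 and 9003) are free. Command names, version minimums and port numbers are taken from this guide; the docker group check assumes you followed the appendix on managing Docker as a non-root user.

```shell
#!/bin/sh
# Pre-flight check for a KMS/CTC host, run before ./install.sh.
# Added example; not part of the McAfee installer. Minimum versions are the ones
# this guide lists (Docker 1.10.02, OpenJDK 1.8); 8443 and 9003 are the guide's
# default KMS Standard and Management ports.

# version_ge A B: succeed when dotted version A is >= B, comparing each numeric
# component; trailing non-digits such as the "_151" in "1.8.0_151" are ignored.
version_ge() {
    vg_a="$1."; vg_b="$2."; vg_i=1
    while :; do
        vg_x=$(printf '%s' "$vg_a" | cut -d. -f"$vg_i" | sed 's/[^0-9].*$//')
        vg_y=$(printf '%s' "$vg_b" | cut -d. -f"$vg_i" | sed 's/[^0-9].*$//')
        # both versions exhausted without a difference: they are equal
        [ -z "$vg_x" ] && [ -z "$vg_y" ] && return 0
        vg_x=${vg_x:-0}; vg_y=${vg_y:-0}
        [ "$vg_x" -gt "$vg_y" ] && return 0
        [ "$vg_x" -lt "$vg_y" ] && return 1
        vg_i=$((vg_i + 1))
    done
}

# docker_version_ok: parse "Docker version 17.03.1-ce, build ..." and compare.
docker_version_ok() {
    dv=$(docker --version 2>/dev/null | sed -n 's/^Docker version \([0-9.]*\).*/\1/p')
    [ -n "$dv" ] && version_ge "$dv" 1.10.02
}

# java_version_ok: java prints its version on stderr, e.g. openjdk version "1.8.0_151".
java_version_ok() {
    jv=$(java -version 2>&1 | sed -n 's/^[a-z]* version "\([0-9._]*\)".*/\1/p' | head -n 1)
    [ -n "$jv" ] && version_ge "$jv" 1.8
}

# port_free PORT: succeed when no TCP listener is bound to PORT on this host.
port_free() {
    if command -v ss >/dev/null 2>&1; then
        ! ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
    else
        ! netstat -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
    fi
}

# preflight: run every check, print one PASS/FAIL line per check, and return
# non-zero if anything the installer depends on is missing.
preflight() {
    rc=0
    for c in docker openssl java unzip sha256sum; do
        if command -v "$c" >/dev/null 2>&1; then
            echo "PASS command $c"
        else
            echo "FAIL command $c not found"; rc=1
        fi
    done
    if docker_version_ok; then echo "PASS docker >= 1.10.02"; else echo "FAIL docker < 1.10.02 or not runnable"; rc=1; fi
    if java_version_ok; then echo "PASS java >= 1.8"; else echo "FAIL java < 1.8 or not found"; rc=1; fi
    for p in 8443 9003; do
        if port_free "$p"; then
            echo "PASS port $p free"
        else
            echo "FAIL port $p in use: choose another port when install.sh prompts"; rc=1
        fi
    done
    # docker group membership lets install.sh load images without sudo (see appendix)
    if id -nG 2>/dev/null | tr ' ' '\n' | grep -qx docker; then
        echo "PASS user is in the docker group"
    else
        echo "WARN user is not in the docker group"
    fi
    return "$rc"
}

# Run the checks when invoked directly: sh kms_preflight.sh --run
case "${1:-}" in --run) preflight ;; esac
```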

Pre-installation steps

Before you proceed with the process of installing KMS, you need to perform certain key activities like setting up a database, getting access to the installation and license files, and gathering the required information.

This section walks you through these steps one by one.

Database setup

The installation does not install or create a database on the database server. This will need to be done prior to running the install.sh.

Create database

A database needs to be created on the SQL server. This should be a blank database with no tables. The installation script will prompt for a database schema, and the KMS will create the required tables when it starts.

KMS currently supports the following SQL servers:

• MySQL — https://dev.mysql.com/doc/

• PostgreSQL — https://www.postgresql.org/docs/

User account

KMS requires a database user account to manage the SQL server database, which will require the following permissions:

• To create tables within the database

• To create new schemas


Security considerations

As this database is being used to store encryption keys, the following should be considered:

• SSL/TLS for communication between KMS and datastore

• Restricting access to the user account by using the IP of the KMS

• Restricting access to the database and the server itself

• Enabling encryption to protect data at rest
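One way to apply the considerations above to the KMS database account, added as an example that is not part of the McAfee installer: the function emits, for either supported server, the statements that create the blank database (the schema name the installer asks for), an account that can connect only from the KMS host's IP and only over TLS, and grants limited to the create-tables and create-schemas permissions listed above. The host, database, user and the password placeholder are assumptions to be replaced before running; encryption at rest is a storage-engine or volume setting and is not covered here.

```shell
#!/bin/sh
# Emit the statements that harden the KMS database account. Added example; not part
# of the McAfee installer. Output is SQL to run as a database administrator plus,
# for PostgreSQL, the pg_hba.conf lines that enforce TLS and the source IP.
#
# usage: kms_db_hardening <mysql|postgresql> <kms-ip> <database> <user>
kms_db_hardening() {
    dbtype="$1"; kms_ip="$2"; db="$3"; user="$4"
    case "$dbtype" in
    mysql)
        cat <<EOF
-- Run as a MySQL administrator. Replace the password placeholder before running.
-- A MySQL schema is a database, so database-level CREATE covers both the
-- "create schemas" and "create tables" permissions the guide lists, on this database only.
CREATE DATABASE IF NOT EXISTS \`${db}\`;
CREATE USER '${user}'@'${kms_ip}' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
-- Account usable only from the KMS host, and only over TLS. GRANT ... REQUIRE SSL
-- is the MySQL 5.6 form; on 5.7.6+ and 8.0 put REQUIRE SSL on CREATE USER/ALTER USER.
GRANT CREATE, ALTER, DROP, INDEX, SELECT, INSERT, UPDATE, DELETE
    ON \`${db}\`.* TO '${user}'@'${kms_ip}' REQUIRE SSL;
FLUSH PRIVILEGES;
EOF
        ;;
    postgresql)
        cat <<EOF
-- Run as a PostgreSQL superuser. Replace the password placeholder before running.
CREATE ROLE ${user} LOGIN PASSWORD 'REPLACE_WITH_STRONG_PASSWORD';
CREATE DATABASE ${db};
REVOKE ALL ON DATABASE ${db} FROM PUBLIC;
-- CONNECT plus CREATE on the database lets the account create its own schemas
-- (and the tables inside them) and nothing else; KMS creates its tables at start-up.
GRANT CONNECT, CREATE ON DATABASE ${db} TO ${user};

# pg_hba.conf (first matching line wins): TLS-only from the KMS host, every other
# source rejected. md5 is the strongest password method on 9.5; on 10+ use scram-sha-256.
hostssl ${db} ${user} ${kms_ip}/32 md5
host    ${db} ${user} 0.0.0.0/0  reject
EOF
        ;;
    *)
        echo "unsupported database type: $dbtype (expected mysql or postgresql)" >&2
        return 1
        ;;
    esac
}
```

Constructed example call: `kms_db_hardening mysql 10.0.0.5 kmsdb kmsuser` prints the MySQL statements for a KMS host at 10.0.0.5.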

Verify and extract the InstallKMS.zip file

Make sure that you copy these downloaded files to the Linux server system.

• InstallKMS.zip

• MD5SUM

• SHA256SUM

In order to verify the integrity of the InstallKMS.zip file, navigate to this file's location on the command line, and type either of these commands:

• md5sum -c MD5SUM

• sha256sum -c SHA256SUM

After verification, you need to extract the InstallKMS.zip file. To do so, type either of these commands on the command line:

• To extract to the folder where InstallKMS.zip is located:

  unzip InstallKMS.zip

• To extract to a particular folder, replacing "foldername" with your desired location:

  unzip InstallKMS.zip -d "foldername"

The extracted folder should contain these files:

• checkconnection.jar

• log4j2.xml

• ctc-csb-onprem-mlos3-x.x.x-xxx.tar

• install.sh

• keyservice-x.x.x-xxx.tar
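A script that performs the verification, extraction and file check described above, added as an example that is not part of the McAfee download: it refuses to extract unless the SHA-256 sums (and the MD5 sums, when present) match, then confirms that every file the guide lists is present, matching the versioned .tar names by pattern. The directory arguments are assumptions.

```shell
#!/bin/sh
# Verify InstallKMS.zip against the checksum files, extract it, and confirm the files
# the guide lists are present. Added example; not part of the McAfee download.
# Run in the directory holding InstallKMS.zip, MD5SUM and SHA256SUM.

# verify_checksums DIR: succeed only if every file listed in SHA256SUM matches.
# SHA-256 is treated as the authoritative check; MD5SUM is verified too when present,
# but a passing MD5 alone is not accepted.
verify_checksums() {
    vc_d="$1"
    [ -f "$vc_d/SHA256SUM" ] || { echo "SHA256SUM missing" >&2; return 1; }
    ( cd "$vc_d" && sha256sum -c SHA256SUM ) >/dev/null 2>&1 \
        || { echo "SHA-256 mismatch: do not extract InstallKMS.zip" >&2; return 1; }
    if [ -f "$vc_d/MD5SUM" ]; then
        ( cd "$vc_d" && md5sum -c MD5SUM ) >/dev/null 2>&1 \
            || { echo "MD5 mismatch: do not extract InstallKMS.zip" >&2; return 1; }
    fi
}

# check_extracted DIR: succeed if every file the guide lists is present in DIR.
# The two .tar names carry a version (x.x.x-xxx), so they are matched by pattern.
check_extracted() {
    ce_d="$1"; ce_missing=0
    for f in checkconnection.jar log4j2.xml install.sh; do
        [ -f "$ce_d/$f" ] || { echo "missing: $f" >&2; ce_missing=1; }
    done
    for pat in 'ctc-csb-onprem-mlos3-*.tar' 'keyservice-*.tar'; do
        set -- "$ce_d"/$pat
        [ -f "$1" ] || { echo "missing: $pat" >&2; ce_missing=1; }
    done
    [ "$ce_missing" -eq 0 ]
}

# install_kms_bundle DIR [DEST]: verify, then unzip into DEST (default DIR) and check.
install_kms_bundle() {
    ib_d="$1"; ib_dest="${2:-$1}"
    verify_checksums "$ib_d" || return 1
    unzip -q -o "$ib_d/InstallKMS.zip" -d "$ib_dest" || { echo "unzip failed" >&2; return 1; }
    check_extracted "$ib_dest"
}
```

Typical use is `install_kms_bundle . ./kms` from the download directory; it stops before extracting when a checksum does not match.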

Download the License file

You can download the license file only on McAfee ePO Cloud. Make sure that you have access to McAfee ePO Cloud.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to Cloud ePO as an administrator.

2 Click Menu | Data Protection | Getting Started with Cloud Data Protection.

3 Under Steps to Configure Controls, click Step 2: Configure Encryption.

4 Click license file to download it on your system.


Information required

Before you perform the installation process, it is recommended that you have the following information at hand in order to speed up the process.

Database instance:

• IP / FQDN

• Port

• User

• Password

• Schema name

SMTP mail server instance:

• IP / FQDN

• Port

• User

• Password

• Email/distribution list

Docker host (Linux server):

• IP

Installation steps

Execute this command from the command line, in the directory where the files were extracted.

./install.sh

The install script will prompt you to configure the installation. The following sections explain the installation process step by step and also elaborate on the information being requested.

Passwords you enter will not be echoed to the screen, but you will be prompted to confirm the password. An error is displayed if the entered passwords do not match, and the prompt for the password will start again.

Dependency check

At this step of the installation process, a check is performed to determine the integrity of the Linux host and whether the required dependencies are installed. A check is also performed to see if the required commands are accessible from the command line.

Loading Docker images

The .tar files that were extracted from InstallKMS.zip will be installed as Docker images.

Verify files

The installer will check for the existence of the auth.lic file within the same folder as the install.sh file.

These are required for Cloud Transmission Channel (CTC) to register with cloud services. If KMS is not used in conjunction with Cloud Data Protection (CDP), you can proceed with the installation. Otherwise, you need to abort the installation by pressing Ctrl+C and obtaining the required files.


KMS credentials

At this step, you are prompted to create a KMS administrator name and password. These credentials are also needed by FRP to provision KMS through McAfee ePO.

The user will not have access to keys from the database, as key access is separated from administrator access in KMS. To unlock the keys database, the user needs to enter the KMS administrator username and password each time the KMS is started.

Choose a username

The default user name is kmsAdmin but can be changed as required.

Choose a password

There are no specific password restrictions, but we recommend that you set a strong password.

Email settings for notifications

You need to provide an email server for notifications from KMS when it is running. When KMS is started, or if the KMS administrator is not available to service a request, KMS will send an email to the KMS administrator (defined during provisioning of a tenant) to alert them. All emails will be sent with a high priority flag.

IP/FQDN for the mail server

The IP address or Fully Qualified Domain Name (FQDN) for the mail server that emails will be sent from.

Is this over TLS

Y or N is expected.

Username

The account name to access the mail server.

Password

The password for the specified account name.

Email address to send notification to

The email address to be used to send notifications to (requesting that the tenant administrator unlock the KMS for use) when KMS has started.

Reply address

The email address that will be used for from and reply address of the email.

Not all email servers support this feature.

Subject for emails

The subject of emails sent to the tenant administrator(s) and email address.

The default is Key Management Service - requires administrator logon in order to release keys.


Body for emails

The body of the email that is sent. The following tokens can be used:

• hostIp — This will be replaced with the KMS server's IP address.

• hostName — This will be replaced with the KMS server's name.

The default is Administrator logon is required to release keys on {hostIp}/{hostName}

Datastore for KMS

After you enter all the information in this step of the installation process, a test will be performed to validate communication with the database instance. Once the connection has been validated, the installation will proceed to the next step.

Database type

Enter the type of database, which should be either mysql or postgresql.

Database hostname

Enter the IP / FQDN / hostname for the system that the database instance is running on. The install script will default to the IP address of the system where the script is running.

Database port

Enter the TCP/IP port on which communication with the database should be performed.

Schema name

Choose the schema name within the database instance that should be used for KMS.

Username

The username for the database credentials.

Password

The password for the database credentials.

Keystore information

KMS requires a certificate for secure communications that can be signed by a trusted root certificate. This is created and stored in a keystore at the following location:

• {installfolder}/config/keystore.jks

CTC requires a certificate for secure communication that can be signed by a trusted root certificate. This is created and stored at the following locations:

• {installfolder}/ctc/etc

• {installfolder}/ctc/etc/ca

• {installfolder}/config/keystore.jks

Keystore password

To create the keystore, a password of at least six characters is required. This password should be recorded and secured.


Self-Signed Certificates

The install script will generate certificates to secure the KMS and CTC communications. Enter N to avoid creating self-signed certificates (recommended for production environments), so that the installation creates certificate signing requests. Enter Y (and confirm it) to create self-signed certificates.

Certificate information

You will be prompted for the configuration below for the KMS certificate, followed by an identical set of prompts for the CTC certificate.

• Alias — This alias is used to identify the certificate within the keystore that will be created.

• Distinguished Name — The name of the system the certificate should be issued for.

• Validity period — The number of days that the certificate is valid for from the current date.

• Password — The password for the certificate that is going to be created. The password should be at least six characters long. This password should be recorded and secured.

Import trusted root certificate and signed certificates

When Self-Signed Certificate is not selected, certificate signing requests will be generated and the location of these requests will be displayed on the screen.

These files should be taken and signed by a certificate authority. After signing, the files should be placed on the Linux host system in order to proceed with the installation.

• Trusted root certificate — The location where the trusted root certificate should be placed. This will be imported into the keystore.

• KMS SSL certificate — The location where the signed KMS certificate should be placed. This will be imported into the keystore.

• CTC SSL certificate — The location where the signed CTC certificate should be placed. This will be imported into the keystore.

Installation directory

The location where the shell scripts and configuration files for KMS and CTC should be placed. This directory is relative to where the install.sh is executed.

Docker information

This step explains the Docker information required for KMS and CTC.

KMS

• Container name — Defaults to KMS, but you can change it as required. This is required to assign a name to the KMS Docker container. If the container already exists, a warning is displayed and the prompt appears again.

To remove an existing docker container, see the Troubleshooting section.

• Standard Port — Defaults to 8443. If this port is already being used, this can be changed to an available port. Essentially, this will route {dockerHost}:{port} to {KMSContainer}:8433. This port is used by services for tenant-specific APIs.

• Management Port — Defaults to 9003. If this port is already being used, this can be changed to an available port. Essentially, this will route {dockerHost}:{port} to {KMSContainer}:9003. This port is used by services for provisioning a tenant and for non-tenant-specific APIs.

CTC

• Container name — Defaults to CTC, but you can change it as required. It is required to assign a name to the CTC Docker container. If the container already exists, a warning is displayed and the prompt appears again.

To remove an existing docker container, see the Troubleshooting section.

• Host IP — Defaults to the first detected local IP. If this is incorrect, we recommend that you correct it. This is required for configuring CTC.

Configuration files and scripts

This step will write out the configuration files to the installation folder/directory. An offer to start the docker container for KMS and then CTC will be provided.

These can be started manually:

• KMS - by invoking the {installfolder}/startKMS.sh

• CTC - by invoking the {installfolder}/startCTC.sh

Open Cloud Transmission Channel communications port

Enable communications between your on-premise McAfee ePO and the ePolicy Orchestrator Cloud beta environment.

Open port 19091 outbound to enable Cloud Transmission Channel (CTC) to provide the secure communications channel needed between your on-premise McAfee ePO and the ePolicy Orchestrator Cloud beta environment.

Installing McAfee ePO

You can install the McAfee ePO software either as a first-time initial installation or as a recovery installation where your Microsoft SQL Server already includes a McAfee ePO configuration from a previous installation. The McAfee ePolicy Orchestrator - InstallShield Wizard guides you through the installation process.

Set up your SQL Server and start the installation software

When you set up the McAfee ePO installation, you download the software and start the installation.

Before you begin

• Make sure that you have read, understood, and complied with the information in Installation requirements and recommendations. Also, verify that you are running a supported version of SQL Server or SQL Server Express.

• Update the system that hosts your McAfee ePO server with the latest Microsoft security updates, then turn off Windows updates during the installation process.

Monitor the installation process. You might need to restart your system.

Task

1 Set up SQL Server and make sure that you can communicate with the database server.

a Verify that the SQL Browser Service is running.

b Update both the system that hosts your McAfee ePO server and your SQL Server with the latest Microsoft security updates. Then turn off Windows updates during the installation process.

c Decide if you want to run Automatic Product Configuration after installation.

d Decide if you want to download the Product Compatibility List automatically from the McAfee website, or use an alternate list stored locally.

2 Enable TCP/IP protocol in the SQL Server Configuration Manager.

a Start SQL Server Configuration Manager.

b In the console pane, expand SQL Server Network Configuration.

c In the details pane, right-click TCP/IP to open the TCP/IP Properties window.

d Select the Protocol tab, click Enabled, and select Yes.

e Click Apply and then OK to close the Warning dialog.

TCP/IP is enabled. You can now restart the service to make sure that your changes take effect.

f In the console pane, click SQL Server Services.

g In the details pane, right-click the SQL Server service and click Restart.

Your changes are now complete. Before continuing, make sure to capture the value for TCP Dynamic Ports.

h Right-click TCP/IP to open the TCP/IP Properties window.

i Select the IP Addresses tab.

j Under IPAll, make note of the value for TCP Dynamic Ports.

For example, 49657. This information might be needed later in the installation.

You are now ready to begin the McAfee ePO installation.

3 Log on to the Windows Server computer to be used as the McAfee ePO server.

Use an account with local administrator permissions.

4 Locate the software you downloaded from the McAfee website and extract the files to a temporary location. Double-click Setup.exe.

The executable is located in the downloaded McAfee ePO installation file.

If you try to run Setup.exe without first extracting the contents of the .zip file, the installation fails.

The McAfee ePolicy Orchestrator - InstallShield Wizard starts.

5 Click Next to continue the installation.

The installation is set up and started. Now configure the database, communication ports, and license to complete the installation.

Configure your McAfee ePO installation in the InstallShield Wizard

Complete the installation by selecting and configuring your database, communication port, and license options.

Monitor the installation process when using the installation wizard. You might need to restart your system.

Task

1 In the Destination Folder step, click:

• Next — Install your McAfee ePO software in the default location (C:\Program Files\McAfee\ePolicy Orchestrator\).

• Change — Specify a custom destination location for your McAfee ePO software. When the Change Current Destination Folder window opens, browse to the destination and create folders if needed. When finished, click OK.

2 In the Database Information step, specify information for your database, then click Next.

a Specify the Database Server and Database Name.

Database Server: Select your server from the list. If it does not appear, enter the information based on whether you are using SQL Server or SQL Server Express:

• ServerName\SQLSERVER

• ServerName\SQLEXPRESS

Database Name: This value populates automatically.

b Specify which type of Database Server Credentials to use.

Windows authentication:

1 From the Domain menu, select the domain of the user account you're going to use to access the SQL Server.

2 Type the User name and Password. If you are using a previously installed SQL Server, make sure that your user account has access.

SQL authentication:

Type the User name and Password for your SQL Server. Make sure that the credentials you provide represent an existing user on the SQL Server with appropriate rights.

The Domain menu is grayed out when using SQL authentication.

c If necessary, specify the value for the SQL server TCP port.

Use the value from the TCP Dynamic Ports field you wrote down when you enabled TCP/IP. This port is used to communicate between your McAfee ePO server and database server.

3 In the HTTP Port Information step, review the default port assignments. Click Next to verify that the ports are not already in use on this system.

You can change some of these ports now. When your installation is complete, you can change only the Agent wake-up communication port and Agent broadcast communication port. To change your other port settings later, reinstall your McAfee ePO software.

4 In the Administrator Information step, type this information, then click Next.

a Type the user name and password you want to use for your primary administrator account.

b Type the keystore encryption password.

Keep a record of this password. To restore your McAfee ePO database, you need this password to decrypt the Disaster Recovery Snapshot records.

5 In the Type License Key step, type your license key, then click Next.

If you don't have a license key, you can select Evaluation to continue installing the software. The evaluation period is limited to 90 days. You can provide a license key after installation is complete from the application.

6 Accept the McAfee End User License Agreement and click OK.

7 From the Ready to install the Program dialog box, decide if you want to Send anonymous usage information to McAfee. Then click Install to begin installing the software.

8 When the installation is complete, click Finish to exit the InstallShield wizard.

Your McAfee ePO software is now installed. Double-click the shortcut on your desktop to start using your McAfee ePO server, or browse to the server from a remote web console (https://servername:port).

Complete a first-time installation

When you have completed the installation process, configure your McAfee ePO server.

To complete your initial configuration quickly, accept the default policies. If you need to customize your configuration, you can use the McAfee ePO Guided Configuration to set up your server and managed environment. This configuration tool is an overlay to existing features and functionality intended to help you get your server up and running quickly.

Install required on-premise McAfee ePO extensions

Several McAfee ePO extensions must be installed onto your on-premise server. Some of these extensions provide the communications between your on-premise McAfee ePO server and ePolicy Orchestrator Cloud. Other extensions provide important functions, including encryption services and data classification on your endpoint devices.

Install the McAfee ePO extensions that you previously downloaded (see Download the on-premise components and documentation).

We recommend you install these extensions in the order given below.

1 Cloud Bridge extension

2 Common Core extension

3 Common Rest extension

4 Policy Sync extension package

5 Endpoint Health Check extension

6 DLP extension

7 FRP extension

Install the Cloud Bridge extension

Install the Cloud Bridge extension to provide the link between your on-premise McAfee ePO server and ePolicy Orchestrator Cloud.

Before you begin

Download the installation file: CloudBridge 1.2.1 Build xxx (ENU-RELEASE-MAIN).zip

Task

1 From your on-premise McAfee ePO server, navigate to Menu | Software | Extensions.

2 Click Install Extension.

3 Browse to the CloudBridge 1.2.1 Build xxx (ENU-RELEASE-MAIN).zip extension file.

4 Click OK to select the extension to install, and then OK to install the extension.

The Cloud Bridge extension is installed.

5 From a new browser tab or window, run the following commands:

a https://<on-premise ePO-Server IP or Hostname:port>/remote/epo.cloudbridge.setProvisioningServiceURLCommand?url=https://beta.provision.manage.mcafee.com/provision/v2

b https://<on-premise ePO-Server IP or Hostname:port>/remote/epo.cloudbridge.setCloudEpoPodURLCommand?url=https://ui2.beta.manage.mcafee.com

If prompted, enter your on-premise McAfee ePO credentials.

6 From your on-premise McAfee ePO server, navigate to Menu | Configuration | Server Settings.

7 Select McAfee® ePO™ Cloud Bridge.

8 Click Edit and enter your beta ePolicy Orchestrator Cloud credentials.

9 Click Save.
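The two remote commands in step 5 can be issued from a script instead of a browser. The following Python is an added example, not code from this guide or from McAfee; it assumes that the ePO /remote/ interface accepts HTTP basic authentication over HTTPS, and epo.example.internal:8443 and the CA file path are placeholders for your own server.

```python
"""Issue the ePO Cloud Bridge remote commands from the guide with a script.
Added example, not McAfee code. Assumes the ePO /remote/ interface accepts
HTTP basic authentication over HTTPS; server name and CA path are placeholders."""
import base64
import ssl
import urllib.parse
import urllib.request
from typing import Dict, Optional

# Values exactly as printed in step 5 of the guide.
PROVISIONING_SERVICE_URL = "https://beta.provision.manage.mcafee.com/provision/v2"
CLOUD_EPO_POD_URL = "https://ui2.beta.manage.mcafee.com"

COMMANDS = [
    ("epo.cloudbridge.setProvisioningServiceURLCommand", PROVISIONING_SERVICE_URL),
    ("epo.cloudbridge.setCloudEpoPodURLCommand", CLOUD_EPO_POD_URL),
]


def build_remote_command_url(epo_base: str, command: str,
                             params: Dict[str, str]) -> str:
    """Return https://<epo>/remote/<command>?<params> with every parameter
    value percent-encoded, so a value that is itself a URL (as here) is not
    mangled by the '/' and ':' it contains. Plain http is rejected because
    the request carries the administrator credentials."""
    base = epo_base.rstrip("/")
    if not base.startswith("https://"):
        raise ValueError("ePO remote commands carry credentials; use https://")
    return f"{base}/remote/{command}?{urllib.parse.urlencode(params)}"


def valid_bridge_target(value: str) -> bool:
    """Accept only https URLs under manage.mcafee.com, the domain of both
    endpoints on the page, so a typo cannot point the bridge elsewhere."""
    parts = urllib.parse.urlsplit(value)
    host = parts.hostname or ""
    return parts.scheme == "https" and (
        host == "manage.mcafee.com" or host.endswith(".manage.mcafee.com"))


def run_remote_command(epo_base: str, command: str, params: Dict[str, str],
                       username: str, password: str,
                       ca_file: Optional[str] = None,
                       timeout: float = 30.0) -> str:
    """Send one remote command with HTTP basic auth and return the body.
    The ePO server's TLS certificate is verified against ca_file (the CA
    that signed it); verification is never disabled, even for a beta."""
    url = build_remote_command_url(epo_base, command, params)
    ctx = ssl.create_default_context(cafile=ca_file)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    import getpass
    epo = "https://epo.example.internal:8443"   # placeholder: your on-premise ePO
    ca = "/path/to/epo-ca.pem"                  # placeholder: CA that signed the ePO cert
    user = input("ePO administrator: ")
    pw = getpass.getpass("Password: ")
    for cmd, target in COMMANDS:
        if not valid_bridge_target(target):
            raise SystemExit(f"refusing unexpected target {target}")
        print(cmd, "->", run_remote_command(epo, cmd, {"url": target}, user, pw, ca))
```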

Install the Common Core, Common Rest, and Policy Sync extensions

The Common Core, Common Rest, and Policy Sync extensions all follow the same workflow to install.

Before you begin

Locate the required extensions as shown and install them in order:

• Common Core extension (mfs-commonui-core-common-1.7.0.xxx.zip)

• Common Rest extension (mfs-commonui-core-rest-1.7.0.xxx.zip)

• Policy Sync extension package (onPrem-commonui-policy-1.4.0.xxx-extensions.zip)

Task

1 From your on-premise McAfee ePO server, navigate to Menu | Software | Extensions.

2 Click Install Extension.

3 Browse to the location containing the downloaded extension files.

4 Select the extension to install, click OK and then OK again to install the extension.

The selected extension is installed.

5 Repeat these steps to install all the extensions listed above.

Install the Endpoint Health Check extension

To provide Endpoint Health Check posture comparison by McAfee Cloud Data Protection, install the Endpoint Health Check extension in your on-premise McAfee ePO server.

Before you begin

Locate the Endpoint Health Check extension (endpointhealthcheck_xx.zip).

Task

1 From your on-premise McAfee ePO server, navigate to Menu | Software | Extensions.

2 Click Install Extension.

3 Browse to the location containing the Endpoint Health Check extension files.

4 Select the extension to install, click OK and then OK again to install the extension.

The Endpoint Health Check extension is installed.

Install the DLP extension

The McAfee DLP extension provides central management of your on-premise data loss prevention features on your managed endpoints.

Before you begin

Locate the McAfee DLP extension (DLP_Mgmt_11.0.0.x_Package.zip).

Ensure you have downloaded the file DLP_Setting_Cloud Security Platform_XML.zip and have extracted the files contained inside it to a location you can access from your McAfee ePO server.

Task

1 From your on-premise McAfee ePO server, navigate to Menu | Software | Extensions.

2 Click Install Extension.

3 Browse to the location containing the DLP extension files.

4 Select the extension to install, click OK and then OK again to install the extension.

The DLP extension is installed.

5 Navigate to Menu | Data Protection | DLP Settings | Advanced.

6 In Cloud Security Platform | Events Ingestion API - push DLP events to Cloud Reporting Services, click Choose File.

7 Browse to DLP_CloudSyncConfig_Events.xml and click OK.

8 In Cloud Security Platform | EHC Ingestion API - push system EHC information to Cloud Reporting Services, click Choose File.

9 Browse to DLP_CloudSyncConfig_Facts.xml and click OK.

10 Click Save.

Install the FRP extension

To provide encryption services to your managed endpoints, install the FRP extension in your on-premise McAfee ePO server.

Before you begin

Locate the FRP extension (FRP-extension-6.0.0.xxx.zip).

Task

1 From your on-premise McAfee ePO server, navigate to Menu | Software | Extensions.

2 Click Install Extension.

3 Browse to the location containing the FRP extension files.

4 Select the extension to install, click OK and then OK again to install the extension.

The FRP extension is installed.

Push McAfee DLP and McAfee FRP to your endpoints

To detect and classify data on your managed endpoint devices, these devices need to have McAfee DLP installed. To provide encryption services to your managed endpoint devices, these devices need to have McAfee FRP installed. Use McAfee ePO to push McAfee DLP and McAfee FRP to your managed endpoints.

Contents

Add packages to on-premise McAfee ePO
Deploy McAfee DLP to managed systems
Deploy FRP to managed systems
Send an agent wake-up call

Add packages to on-premise McAfee ePO

McAfee ePO includes the ability for you to check in software packages, and then deploy these packages to your managed endpoint devices. McAfee Cloud Data Protection uses this method to deploy McAfee DLP and McAfee FRP to your managed endpoints.

Before you begin

Locate the following software packages:

• HDLP_Agent_11_0_0_xx.zip

• MfeFRP_Client_6.0.0.xxx.zip

Task

1 Log on to the McAfee ePO server as an administrator.

2 Click Menu | Software | Master Repository, then click Actions | Check In Package.

3 On the Package page, select the Package type as Product or Update (.ZIP). Click Choose File to locate the package to be added. Then click Next.

4 On the Package Options page, click Save.

The new package appears in the Packages in Master Repository page under the respective branch of the repository.

Deploy McAfee DLP to managed systems

You can use McAfee ePO to create tasks to deploy McAfee DLP to a single system, or to groups in the System Tree.

Task

1 Click Menu | Policy | Client Task Catalog | Client Task Types | McAfee Agent | Product Deployment | New Task.

2 Set these options for the new task:

a Make sure that Product Deployment is selected, then click OK.

b In the Name field, enter the name for the task.

c From the Target Platforms list, select Windows.

d From the Products and components drop-down list, based on the target platform selected in the previous step, select McAfee Data Loss Prevention.

e As the Action, select Install.

f Select an appropriate Language.

3 Click Save.

4 Click Menu | Systems | System Tree | Assigned Client Tasks, then select the required group in the System Tree.

5 Select the Preset filter as Product Deployment (McAfee Agent).

Each assigned client task per selected category appears in the details pane.

6 Click Actions | New Client Task Assignment.

7 Set these options:

a On the Select Task page, select McAfee Agent as Product and Product Deployment as Task Type, then select the task you created for deploying the product.

b Next to Tags, select the appropriate option, then click Next:

• Send this task to all computers

• Send this task to only computers that have the following criteria — Use one of the edit links to configure the criteria.

c On the Schedule page, select whether the schedule is enabled, specify the schedule details, then click Next.

8 Review the summary, then click Save.

At the next agent-server communication, the task runs and McAfee DLP is deployed on the managed systems.

Deploy FRP to managed systems

You can use McAfee ePO to create tasks to deploy FRP to a single system, or to groups in the System Tree.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Policy | Client Task Catalog | Client Task Types | McAfee Agent | Product Deployment | Actions | New Task.

2 Set these options for the new task:

a Make sure that Product Deployment is selected, then click OK.

b In the Name field, enter the name for the task.

c From the Target Platforms drop-down list, select Windows.

d From the Products and components drop-down list, based on the target platform selected in the previous step, select File and Removable Media Protection for Windows systems.

e As the Action, select Install.

f Select an appropriate Language.

g (Optional) To deploy FRP in FIPS mode, in the Command line field, enter FIPS.

h Next to Options, specify if you want to run this task for every policy enforcement process (Windows only).

3 Click Save.

4 Click Menu | Systems | System Tree | Assigned Client Tasks, then select the required group in the System Tree.

5 Select the Preset filter as Product Deployment (McAfee Agent).

Each assigned client task per selected category appears in the details pane.

6 Click Actions | New Client Task Assignment.

7 Set these options:

a On the Select Task page, select McAfee Agent as Product and Product Deployment as Task Type, then select the task you created for deploying the product.

b Next to Tags, select the appropriate option, then click Next:

• Send this task to all computers

• Send this task to only computers that have the following criteria — Use one of the edit links to configure the criteria.

c On the Schedule page, select whether the schedule is enabled, specify the schedule details, then click Next.

8 Review the summary, then click Save.

At the next agent-server communication, the task runs and FRP is deployed on the managed systems.

Send an agent wake-up call

The client system gets the policy update whenever it connects to the McAfee ePO server during the agent-server communication. However, you can force an immediate update with an agent wake-up call.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Click Menu | Systems | System Tree, then select a system or a group of systems from the left pane.

3 Select the System Name of that group.

4 Click Actions | Agent | Wake Up Agents.

5 Select a Wake-up call type and a Randomization period (0-60 minutes) to define the length of time within which all systems must respond to the wake-up call.

6 Under Options, select Get full product properties.

7 Under Force policy update, select Force complete policy and task update.

8 Click OK.

To view the status of the agent wake-up call, navigate to Menu | Automation | Server Task Log.

4 Configuration steps

Configure the on-premise products and components to enable communications between theon-premise and cloud components that make up McAfee Cloud Data Protection.

Contents

Communicating with McAfee ePO Cloud
Cloud bridge server settings
Connect your Active Directory to your on-premise McAfee ePO
Provision KMS communications

Communicating with McAfee ePO Cloud

The on-premise products and components must be able to communicate with McAfee ePO Cloud.

Ensure that the following ports are open on your firewall:

Reason                                              Destination                              Port

Access to the user interface and cloud              beta.manage.mcafee.com                   443

Data Loss Prevention events                         global.databus.cloudplatform.mcafee.com  443

Endpoint Health Check events                        global.databus.cloudplatform.mcafee.com  443

Key Management Service, Cloud Transmission Channel                                           19091
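A pre-flight check for the egress rules in this table, as an added example that is not part of the guide: it attempts a TCP connection to each destination and port listed and reports which are blocked, so a missing firewall rule is found before the product functions that depend on it fail. The 19091 row names no destination host on the page, so it is not included; add it once the CTC endpoint is known.

```python
"""Pre-flight egress check for the McAfee ePO Cloud endpoints in the guide's
firewall table (added example; the hostnames and ports come from the table)."""
import socket
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Endpoint(NamedTuple):
    reason: str   # the "Reason" column of the table
    host: str     # the "Destination" column
    port: int     # the "Port" column


# Rows copied from the table above. The Key Management Service / Cloud
# Transmission Channel row (port 19091) names no destination host on the
# page, so it is not listed here; add it once the CTC endpoint is known.
REQUIRED_ENDPOINTS: List[Endpoint] = [
    Endpoint("Access to the user interface and cloud",
             "beta.manage.mcafee.com", 443),
    Endpoint("Data Loss Prevention events",
             "global.databus.cloudplatform.mcafee.com", 443),
    Endpoint("Endpoint Health Check events",
             "global.databus.cloudplatform.mcafee.com", 443),
]


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """Return True when a TCP connection to host:port completes within
    timeout. DNS failures, refusals and timeouts all count as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_endpoints(endpoints: Iterable[Endpoint],
                    timeout: float = 5.0) -> Dict[Tuple[str, int], bool]:
    """Probe each distinct (host, port) pair once and map it to reachability.
    Two table rows that share a destination (the databus rows) are probed
    once but reported separately by blocked_reasons()."""
    results: Dict[Tuple[str, int], bool] = {}
    for ep in endpoints:
        key = (ep.host, ep.port)
        if key not in results:
            results[key] = tcp_reachable(ep.host, ep.port, timeout)
    return results


def blocked_reasons(endpoints: Iterable[Endpoint],
                    results: Dict[Tuple[str, int], bool]) -> List[str]:
    """Return the 'Reason' text of every row whose destination was blocked,
    i.e. the product functions that will fail until the rule is opened."""
    return [ep.reason for ep in endpoints
            if not results.get((ep.host, ep.port), False)]


if __name__ == "__main__":
    res = check_endpoints(REQUIRED_ENDPOINTS)
    for ep in REQUIRED_ENDPOINTS:
        state = "open" if res[(ep.host, ep.port)] else "BLOCKED"
        print(f"{ep.reason}: {ep.host}:{ep.port} {state}")
    for reason in blocked_reasons(REQUIRED_ENDPOINTS, res):
        print(f"Open the firewall rule before relying on: {reason}")
```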

Cloud bridge server settings

When you configure the McAfee ePO Cloud Bridge Server Setting, you can link your local McAfee ePO server to the McAfee ePO Cloud account.

Before you begin

You must have administrator rights to complete this task.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Configuration | Server Settings, select McAfee® ePO™ Cloud account from the Setting Categories.

The McAfee® ePO™ Cloud Bridge Server Settings page displays:

Option          Definition

Status          Displays the status of your McAfee ePO Cloud connection. See Status Messages for detailed status information.

                Before you configure your connection, the status is Not linked.

                Refresh allows you to re-establish the connection between the McAfee ePO server and your McAfee ePO Cloud account.

Linked Account  Displays the email address of the linked McAfee ePO Cloud account.

2 From the McAfee® ePO™ Cloud Bridge Server Settings page, click Edit.

3 From the Edit McAfee® ePO™ Cloud page:

• If you don't have a McAfee ePO Cloud account, click the link to open the McAfee ePO Cloud logon page.

• Click Sign up Now to complete the McAfee ePO Cloud sign-up process.

• After your McAfee ePO Cloud account is configured, return to this step to complete the Cloud Bridge Server Settings.

• If you do have a McAfee ePO Cloud account:

• Type your McAfee ePO Cloud connection credentials.

• Read and click I accept the License Agreement.

• Click Save.

If an error appears, see Log on errors for error and troubleshooting information.

4 The McAfee® ePO™ Cloud Bridge Server Settings page displays:

• Status — After configuration, above the Refresh button, the status is This server is actively linked.

• Linked Account — The email address configured for the McAfee ePO Cloud account.

Now you can use the McAfee ePO Cloud Bridge connection to your local McAfee ePO server.

Connect your Active Directory to your on-premise McAfee ePO

Connecting to your Active Directory (AD) service enables you to define policies in McAfee ePO Cloud that are applied to your users and user groups.

Task

1 Select Menu | Configuration | Registered Servers and click New Server.

2 From the Server type menu on the Description page, select Directory Services, specify a unique name and any details, then click Next.

3 Enter a Domain name.

Use DNS-style domain names. For example, example.com.

4 Click Add Systems and select one or two systems as your Active Directory connectors.

If AD Connectors are not deployed, click Deploy to install the AD Connector on the selected system.

5 Choose whether to Use SSL when communicating with this server or not.

Enable this option if you have set SSL in your Active Directory.

6 Enter a User name and Password as indicated.

These credentials must be for an admin account on the server. Use domain\username format.

7 Choose whether to replicate your Active Directory to the McAfee ePO database or not.

Replicating your Active Directory reduces the communication time between your Active Directoryand McAfee ePO.

8 Click Test Connection to confirm that the communication between your Active Directory and McAfee ePO is successful.

Deploying AD Connectors could take a few minutes. Click Save to save your settings and perform Test Connection later, after the AD Connector is deployed.

Provision KMS communications

Configure your on-premise McAfee ePO server to use the Key Management Service (KMS) for storage of, and access to, encryption keys.

Tasks

• Create a new Registered Server on page 32
  Use the Registered Server page to create a McAfee ePO service for your KMS.

• Create the required permission sets on page 32
  Create the permission sets required to allow your selected McAfee ePO administrators rights to administer the key management service.

• Create a user with the required permissions on page 32
  You need to create a user profile that has the permissions required to provision and unlock the tenant on the Key Management Service.

• Provision the Key Service on page 33
  Provisioning the Key Service makes sure the ePolicy Orchestrator Cloud tenant is created and available to your KMS.

• Unlock the Key Service on page 33
  When needed, unlock the KMS.

Create a new Registered Server

Use the Registered Server page to create a McAfee ePO service for your KMS.

Task

1 Log on to your on-premise McAfee ePO server as an administrator.

2 Browse to Menu | Configuration | Registered Servers. Click New Server.

3 From the Server type drop-down list, select Key Management Service.

4 Type a server name, and any optional notes to describe the KMS. Click Next.

5 Type the IP address or hostname for your KMS.

Unless you changed the ports during your KMS installation, leave the default values for Port Number and Admin Port Number.

6 Click Verify Connection.

If you used self-signed certificates during the KMS installation, you must import these certificates into your on-premise McAfee ePO server before you can verify the connection. See the on-premise McAfee ePO online help for more information on installing certificates.

7 Click Save.

Create the required permission sets

Create the permission sets required to allow your selected McAfee ePO administrators rights to administer the key management service.

Task

1 Browse to Menu | User Management | Permission Sets. Click New Permission Set.

2 Type a name for the new permission set. Click Save.

3 Click Edit adjacent to FRP Manage Keys.

4 Select Manage Key Server. Make sure Enable management of keys for Cloud Data Protection is selected. Click Save.

5 Click Edit adjacent to Registered Servers.

6 In Key Management Service, select View, create, and edit registered servers. Click Save.

Create a user with the required permissionsYou need to create a user profile that has the permissions required to provision and unlock the tenanton the Key Management Service.

Task
1 Browse to Menu | User Management | Users. Click New User.

2 Type a User name for this user.

3 Enter the required Authentication type credentials.

4 Make sure the permission set you created for your KMS permissions is selected. Click Save.


Provision the Key Service
Provisioning the Key Service makes sure the ePolicy Orchestrator Cloud tenant is created and available to your KMS.

Before you begin
You will need:

• A copy of the cloud license file exported from ePolicy Orchestrator Cloud

• An email server configured for use from McAfee ePO

• To log out of your on-premise McAfee ePO and then log on using the user and credentials previously created

• The credentials used when installing the KMS

Task
1 Browse to Menu | Configuration | Registered Servers. Select the Key Management Service server.

2 Click Actions | Key Management Service: Provision.

3 Enter the database credentials for your KMS.

4 Enter the email address for your KMS-related information.

This email address is required in order to unlock the KMS tenant in case of power or other failure.

5 Click Send Verification Email.

This step makes sure the entered email address is contactable, and sends a verification code.

6 Enter the verification code received in the email confirmation.

7 Select the cloud license file that you previously downloaded from ePolicy Orchestrator Cloud.

The license file provides details of the tenant required to provision the key service.

You can enter the license file later, by using the action Key Management Service: Attach cloud ePO.

8 Click Save.

Unlock the Key Service
When needed, unlock the KMS.

The KMS is automatically unlocked after provisioning. However, if the KMS is restarted, you must follow these instructions to again unlock the service.

Task
1 Log out of your on-premise McAfee ePO.

2 Log on to your on-premise McAfee ePO server, using your KMS administrator credentials.

3 Browse to Menu | Configuration | Registered Servers.

4 Select the KMS Registered Server. Click Actions | Key Management Service: Unlock.

A message appears confirming that the tenant unlock is successful.


5 Connecting to 3rd-party cloud services

By creating connectors to popular 3rd-party cloud services, McAfee Cloud Data Protection provides Advanced Protection to the interactions between your users and the connected cloud applications.

Contents

Advanced Protection for Box.net

Advanced Protection for Microsoft SharePoint

Advanced Protection for Box.net
McAfee® Cloud Data Protection for Box* provides visibility and management as your users save and retrieve information using the Box cloud application.

McAfee Cloud Data Protection for Box is a subscription option within McAfee Cloud Data Protection.

*Other marks and brands may be claimed as the property of others.

Provision Advanced Protection for Box.net
Set up the connection between McAfee Cloud Data Protection and your enterprise Box account.

Before you begin
You must create a trial subscription from https://beta.manage.mcafee.com for McAfee Cloud Data Protection for Box before you can provision the service.

Make sure that you have disabled any browser popup blockers before attempting to connect to Advanced Protection services.

Best practice: Create and supply a generic administrator account on your third-party cloud services, for use only when configuring McAfee Cloud Data Protection to protect these cloud services. Any documents or files copied or moved using this supplied administrator account will not be scanned or remediated by McAfee Cloud Data Protection. Do not use the supplied generic administrator accounts for any other purposes.

Task
1 From the McAfee ePO menu, select Cloud Protection Workspace.

2 In the Applications List, select Box.net.

The Application Details card is updated with information about the Box.net service.

3 From Application Details, expand the Provisioning tab.


4 Click Connect.

If the Connect button is grayed out, you have not yet purchased the McAfee Cloud Data Protection for Box subscription.

A new browser window is displayed showing the logon page for your corporate Box.net account.

5 From the new browser window, enter the logon details for your Box account. Click Sign in.

6 Click Allow to give permission for McAfee Cloud Data Protection to provide visibility and management of your corporate Box.net account.

McAfee Cloud Data Protection reports when Box.net has been successfully connected.

Advanced Protection for Microsoft SharePoint
McAfee® Cloud Data Protection for Office 365* provides visibility and management as your users save and retrieve information using the Microsoft SharePoint cloud application.

McAfee Cloud Data Protection for Office 365 is a subscription option within McAfee Cloud Data Protection.

*Other marks and brands may be claimed as the property of others.

Provision Advanced Protection for Microsoft SharePoint
Set up the connection between McAfee Cloud Data Protection and your enterprise Microsoft SharePoint account.

Before you begin
You must create a trial subscription from https://beta.manage.mcafee.com for McAfee Cloud Data Protection for Office 365 before you can provision the service.

Make sure that you have disabled any browser popup blockers before attempting to connect to Advanced Protection services.

Best practice: Create and supply a generic administrator account on your third-party cloud services, for use only when configuring McAfee Cloud Data Protection to protect these cloud services. Any documents or files copied or moved using this supplied administrator account will not be scanned or remediated by McAfee Cloud Data Protection. Do not use the supplied generic administrator accounts for any other purposes.

Task
1 From the McAfee ePO menu, select Cloud Protection Workspace.

2 In the Applications List, select Microsoft SharePoint.

The Application Details card is updated with information about the Microsoft SharePoint service.

3 From Application Details, expand the Provisioning tab.

4 Click Connect.

If the Connect button is grayed out, you have not yet purchased the McAfee Cloud Data Protection for Office 365 subscription.

A new browser window is displayed showing the logon page for your corporate Microsoft SharePoint account.


5 From the new browser window, enter the logon details for your Microsoft SharePoint account. Click Sign in.

6 Click Allow to give permission for McAfee Cloud Data Protection to provide visibility and management of your corporate Microsoft SharePoint account.

7 Register the Microsoft SharePoint Add-in for McAfee Cloud Data Protection for Microsoft SharePoint Services, and elevate permissions using the Microsoft SharePoint Workflow platform.

a Navigate to https://<tenant>-admin.sharepoint.com/_layouts/15/AppInv.aspx (replacing <tenant> with your SharePoint Online tenant information).

b Enter the client ID, fb528eb0-bb2b-4a41-bc31-e8ff0cdf6ab7.

c Click Lookup.

The App Title, McAfee O365 Protection, is displayed.

d Provide the required information on the form.

For the Permission Request XML field, enter the following text exactly as shown:

<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>

e Click Create.

See the following Microsoft articles for further information:

• https://msdn.microsoft.com/en-us/library/office/jj687469.aspx

• https://msdn.microsoft.com/en-us/library/office/jj822159.aspx

McAfee Cloud Data Protection reports when Microsoft SharePoint has been successfully connected.


A Install Docker on your server

The KMS software is provided as a Docker image. Make sure your Linux server has Docker installed as detailed, before you attempt to install KMS.

Installing Docker
This section explains how to install Docker and the other prerequisites for the KMS host.

Installing Docker engine
It is necessary to install Docker, as KMS and Cloud Transmission Channel (CTC) are delivered as self-contained Docker Images. No other images or software are downloaded or run from any other Docker registries (such as Docker Hub).

For information about getting started with Docker and installing it, please refer to these websites:

https://docs.docker.com/engine/getstarted/

https://docs.docker.com/engine/installation/

For instructions related to your specific Linux distribution, please refer to these websites:

https://docs.docker.com/engine/installation/linux/ubuntulinux/

https://docs.docker.com/engine/installation/linux/debian/

Managing Docker as a non-root user
The install scripts created by the installation will either need root access or the user running them needs to be a member of the Docker group account. This is because the install script runs the Docker command, and the Docker daemon binds to a Unix socket, which requires root access. It is recommended to add your user to the Docker group account; otherwise files will be created that require root permission to access.

Create the docker group using the following command at the command line:

sudo groupadd docker

To add a user to the docker group, use the following command at a command line:

sudo usermod -a -G docker {username}


Replace {username} with the required user name. Once added, the user will need to log off and log on again for this to take effect.

If you experience any problems, refer to one of the following:

https://docs.docker.com/engine/installation/linux/ubuntulinux/#manage-docker-as-a-non-root-user

https://docs.docker.com/engine/installation/linux/debian/

Installing OpenSSL
To install OpenSSL, please run the following command from a command line interface tool:

sudo apt-get install openssl

Installing OpenJDK
To install OpenJDK, please run the following command from a command line interface tool:

sudo apt-get install openjdk-8-jdk-headless

If you experience any problems, please refer to http://openjdk.java.net/install/ for further instructions.
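The following shell script is an added example and is not McAfee's installer or any script from this guide. It checks the prerequisites listed in this appendix (the docker group and the user's membership in it, and docker, openssl and java on PATH) before the KMS install scripts are run, and wraps the two group commands above so that they can be re-run safely on a host that is already partly set up. It assumes a Debian/Ubuntu host whose group database is /etc/group and whose Docker socket is /var/run/docker.sock; the function names and the DRY_RUN variable are mine, not part of the product.

```shell
#!/bin/sh
# Added example, not McAfee's code: preflight check for a KMS Docker host.
# Assumptions (not from the guide): Debian/Ubuntu host, group database in
# /etc/group, Docker socket at /var/run/docker.sock, tools looked up on PATH.

# user_in_group USER GROUP [GROUP_FILE]
# Returns 0 when USER is a supplementary member of GROUP in the
# /etc/group-style file (default /etc/group), which is where
# "usermod -a -G docker USER" records the membership.
user_in_group() {
    _user=$1
    _group=$2
    _file=${3:-/etc/group}
    # /etc/group line layout: name:password:gid:member1,member2,...
    _members=$(awk -F: -v g="$_group" '$1 == g { print $4 }' "$_file")
    case ",$_members," in
        *",$_user,"*) return 0 ;;
        *)            return 1 ;;
    esac
}

# group_exists GROUP [GROUP_FILE]: 0 when the group is defined.
group_exists() {
    awk -F: -v g="$1" '$1 == g { found = 1 } END { exit !found }' "${2:-/etc/group}"
}

# tool_present NAME: 0 when NAME resolves on PATH (docker, openssl, java).
tool_present() {
    command -v "$1" >/dev/null 2>&1
}

# java_major "openjdk version \"1.8.0_121\"": prints the major version.
# Java 8 reports itself as 1.8.x, later releases as 11.x, 17.x and so on.
java_major() {
    echo "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' \
        | awk -F. '{ if ($1 == 1) print $2; else print $1 }'
}

# run_cmd CMD...: prints the command unless DRY_RUN=0, then executes it.
run_cmd() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "would run: $*"
    else
        "$@"
    fi
}

# ensure_docker_access USER: idempotent form of the guide's two commands
# (groupadd docker; usermod -a -G docker USER). Dry run by default.
ensure_docker_access() {
    _u=$1
    if group_exists docker; then
        echo "group docker already exists"
    else
        run_cmd sudo groupadd docker
    fi
    if user_in_group "$_u" docker; then
        echo "$_u is already in the docker group"
    else
        run_cmd sudo usermod -a -G docker "$_u"
        echo "$_u must log off and log on again before the group applies"
    fi
}

# preflight [USER]: report the state of each prerequisite for USER
# (default: the current user) without changing anything.
preflight() {
    _u=${1:-$(id -un)}
    for _t in docker openssl java; do
        if tool_present "$_t"; then
            echo "ok: $_t found at $(command -v "$_t")"
        else
            echo "MISSING: $_t (see the apt-get commands in this appendix)"
        fi
    done
    if tool_present java; then
        echo "java major version: $(java_major "$(java -version 2>&1 | head -n 1)")"
    fi
    if user_in_group "$_u" docker; then
        echo "ok: $_u is in the docker group"
    else
        echo "WARN: $_u is not in the docker group; install scripts will need root"
    fi
    if [ -S /var/run/docker.sock ]; then
        echo "ok: docker socket present, group owner: $(stat -c %G /var/run/docker.sock)"
    else
        echo "WARN: /var/run/docker.sock not found; is the Docker daemon running?"
    fi
}

# Usage: preflight alice
#        DRY_RUN=0 ensure_docker_access alice
```

Run preflight first to see what is missing, then ensure_docker_access; leave DRY_RUN at its default of 1 to print the commands it would run, and set DRY_RUN=0 only when you are ready to apply them. Membership in the docker group is effectively root on the host, because anyone who can reach the daemon's socket can start a container that mounts the host filesystem, so grant it only to the account that runs the KMS install scripts.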


Index

A
agent wake-up call, sending 27

B
Box.net 35
Box.net services 35
  configuring 35
  set up 35

C
configuring Box.net services 35
configuring Microsoft SharePoint services 36

D
deployment, installing products 25, 26
Disaster Recovery Snapshot 19, 20

I
installation 19
  completing 21
installation, DLP
  deploying to managed systems 25
installation, FRP
  deploying to managed systems 26

M
managed systems
  deploying DLP on 25
  deploying FRP on 26
McAfee ePO software 20
Microsoft SharePoint 36
Microsoft SharePoint services
  configuring 36
  set up 36
Microsoft SharePoint Services 36

P
product installation
  configuring deployment tasks 25, 26

S
setting up Box.net services 35
setting up Microsoft SharePoint services 36
