SafeGuard Enterprise Encryption Suite

Evaluation Guide
Installation and Basic Configuration
SGN version 7.0

Document date: September 2014



Contents
1 Your evaluation
1.1 Contacts
2 Installation and initial configuration
2.1 Prepare for installation
The Server
Clients
Infrastructure
2.2 Infrastructure Installation
2.2.1 Prepare the Server
2.2.2 Install SafeGuard Enterprise
2.2.3 IIS SSL Configuration
2.2.4 Remember to ensure that clients trust the self-signed certificate
2.2.5 Finalize SGN infrastructure
3 Configuration of SafeGuard Enterprise
3.1 Build basic machine policies
3.1.1 Modify the Default Policy group
3.2 Build default file encryption policies
3.2.1 Create File Policy group
3.3 Assigning Policies
3.3.1 Quick review of how to assign policies
3.3.2 Assigning the Default Policy group
3.3.3 Assign the Default File encryption policy group
4 Client Installation
4.1 Preparation
4.1.1 Windows 7sp1/Windows 8 and higher (64 bit)
4.1.2 Windows 7sp1/Windows 8 and higher (32 bit)
4.1.3 Windows Vista/Windows 7(not SP1) (64bit)
4.1.4 Windows XP/Vista/Windows 7(not SP1) (32bit)
4.1.5 Mac OSX 10.8/10.9
4.2 Configuring Client systems for SSL
4.2.1 Configuring Windows clients for SSL
4.2.2 Configuring Mac OSX for SSL
4.3 Windows Client Installation
4.3.1 A note on Encryption Engines
4.3.2 Installing Windows Clients
With the SafeGuard Encryption Engine only
4.3.3 Apple Macintosh OSX clients
5 Further information
5.1 White papers and guides
5.2 Useful Technical resources


1 Your evaluation
Thank you for your interest in the SafeGuard Enterprise Encryption Solution.
This guide is designed to guide you through the installation, basic configuration and testing of the
SafeGuard Enterprise solution.
The guide itself will be provided in two parts. This first part will cover the installation and basic
configuration of the SafeGuard Enterprise Encryption Solution (SGN). Following through each
step in turn will ensure you have a functioning SGN infrastructure and understand the basic
installation process for SGN clients, allowing you to see how encryption can help your
organization meet its compliance requirements.

1.1 Contacts
Your account team is here to support you as you go through the evaluation process. For your
convenience, our contact details are below:

Role Name Email Phone

Account Manager

Engineer

In addition we have included links to a number of informative articles and other useful resources
at the end of this document.


2 Installation and initial configuration


2.1 Prepare for installation
Before beginning your installation of SafeGuard, prepare the environment. Overall prerequisites
can be found here: http://www.sophos.com/en-us/support/knowledgebase/118646.aspx
For the POC we will be installing the SafeGuard server, management center and database on a
single server. These are the minimum requirements to support this:

The Server
1. A fresh Windows Server 2012 R2, 4GB RAM, 10GB free disk space and two cores. This can be a
virtual server.
2. The system must be properly instantiated in DNS; the FQDN must be accurate before
starting this process.
3. Prior to following the installation instructions below ensure that the server has been updated
with any Windows service packs or updates.
4. Ensure that the server is able to reach a domain controller if we want to use AD synchronization;
this can be done via LDAP or LDAP/s.
5. The server must have Internet connectivity and be able to reach the Microsoft Update site.

Clients
For testing the SafeGuard solution, please provide up to 5 test devices that are indicative of
those used in the field. It is recommended that these not be production devices during the initial
test phases.

If testing the native encryption management on Windows, please ensure that the TPM has
been initialized and that Windows was installed with the system partition.
While supported for the purpose of this test, Mac clients should not have FileVault enabled.


Infrastructure
1. Create a directory on your server labeled SGN Files. You will use this directory when exporting
files or saving configurations.

2. Share this directory, so it will be available to your test clients. Client software will be placed here
in later steps for client installation.

3. In addition, create a shared directory and name it Corporate share. It will be used for file
encryption testing later.

2.2 Infrastructure Installation


You will have been provided the software by your Account team or will have downloaded it from
your MySophos account. This should be on the server designated for the testing. Take a quick
look over the output. You should be able to drill down and see a number of different directories.

The following steps will prepare your infrastructure for testing.


In the Installers directory:


Right-click on the installation advisor and select Run as administrator.

2.2.1 Prepare the Server


1. Select the section labeled Prepare the Server. The steps will be completed in the order they
appear.

2. Once you see a check box next to a step, select the next one. You may already have steps
checked off depending on the preparations you were able to make prior to beginning your
testing.

Once this section is completed, IIS will be installed and ready for configuration, and you will have
created a local database server using MSSQL2012. (Note: In a production environment you could
use an existing SQL server).


2.2.2 Install SafeGuard Enterprise


1. In the section Set up SafeGuard Enterprise, select step 1.

2. When you are ready, select the check box I accept the license agreement and click Start
installation. You will see the installation of the SafeGuard server and management center.

3. When they have completed, the SafeGuard Management Center Wizard will launch and the
initial configuration will begin.

The SQL server information has already been carried over from the earlier step.


4. Click Next until you reach the Security Officer Data screen.

5. At this screen, create a master set of login credentials. This Master Security Officer will
authenticate based on the certificate created here. Enter a name for the User, and then select
Create. At this point, the Create MSO Certificate screen will appear.

6. At the Create MSO Certificate screen, enter a password for the new certificate store. The password
you enter here will be used to log into the SG management console. This password protects the
certificate store. The certificate you create here will be imported into that store.


7. Click OK.

8. The Export certificate dialog is displayed. Enter a password that will be used to access the
certificate. In a production environment this MSO certificate, the password and a backup of the
SafeGuard database will allow the rebuild of an SGN environment in the event of a disaster
recovery situation.


9. Click OK. Save the certificate to the SGN Files directory created earlier.

10. The next screen is the Company Certificate screen. The Create a new company certificate
option is already selected.

11. Enter a company identifier into this field. The certificate created will be used as part of the SGN
security system to bind clients to this particular environment. This will ensure that a client
cannot be moved from one SGN environment to another.

12. At the bottom of the screen, select either SHA-1 or SHA-256. If you have any XP,
Vista or Windows 7 clients that will need to be protected, choose SHA-1; if not, choose SHA-256. For the
purpose of this test environment, choose SHA-1.


13. Click Next to finish the process.

The SafeGuard Management Center Wizard will update the SafeGuard Database and log you into
the SafeGuard Management Center.

14. Minimize the Management Center screen, but do not close it.


2.2.3 IIS SSL Configuration


1. Launch the IIS management tool.

2. Select the server on the left hand side and then select the Server Certificates icon.

3. On the next screen, choose Create Self-Signed Certificate.


4. The system will now prepare a certificate. The certificate will be issued to the server you are
working on. You will be prompted to enter a friendly name for the certificate. For simplicity,
enter the fully qualified domain name (FQDN) of the server. This certificate will be
validated by SafeGuard clients and must be correct. If there are any concerns with DNS, please
resolve them before proceeding any further.

5. When you click OK, you will be brought back to the Server Certificates screen and you will see
the certificate listed:

Take time to confirm that the Issued To name matches your FQDN in DNS. If not, you will want
to make sure that the DNS record matches.


2.2.3.1 Export the self-signed certificate for later use


SGN utilizes SSL for communication security between the client and servers. For the purposes of
this test we are making use of a self-signed certificate. As such, we must export the public certificate
for deployment to clients. In production, a certificate issued by a trusted Certificate Authority,
either corporate-run or purchased, is recommended.
1. Right-click on the server certificate and select View.

2. Then choose Copy to File.

3. Follow the export wizard. When prompted, do not export the private key. When saving, name the file
SGNSSLcert and save it into the SGN Files directory created earlier.

4. Click Finish. This certificate will be installed on clients at a later step.
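
The FQDN check and the public-only export described in this section can also be scripted. The following PowerShell is an added example, not part of the Sophos guide; it assumes the SGN Files directory is at C:\SGN Files and that the IIS wizard placed the certificate in the local machine's Personal store.

```powershell
# Added example, not from the Sophos guide. Run in an elevated PowerShell session
# on the SGN server after IIS has created the self-signed certificate.
$ErrorActionPreference = 'Stop'

$outDir     = 'C:\SGN Files'                    # assumption: location of the SGN Files directory
$outFile    = Join-Path $outDir 'SGNSSLcert.cer'
$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

# 1. The name clients will connect to: this host's FQDN as DNS reports it.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($fqdn -notlike '*.*') { throw "Host name '$fqdn' is not fully qualified; fix DNS first." }

# 2. The forward lookup must return an address, or clients cannot reach the server by name.
$addresses = @(Resolve-DnsName -Name $fqdn -Type A | Where-Object { $_.IPAddress })
if ($addresses.Count -eq 0) { throw "No A record found for $fqdn." }

# 3. Self-signed, unexpired certificates in the Personal store whose CN equals the FQDN.
$now = Get-Date
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -eq $_.Issuer -and
    $_.NotAfter -gt $now -and
    $_.GetNameInfo($simpleName, $false) -eq $fqdn
})
if ($candidates.Count -eq 0) {
    # List what is in the store so a name mismatch is visible at a glance.
    Get-ChildItem Cert:\LocalMachine\My |
        Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize | Out-String | Write-Host
    throw "No valid self-signed certificate issued to $fqdn in LocalMachine\My."
}
$cert = $candidates | Sort-Object NotBefore -Descending | Select-Object -First 1

# 4. Export the public certificate only. Export-Certificate never writes the private key.
Export-Certificate -Cert $cert -FilePath $outFile -Type CERT | Out-Null

# 5. Re-read the file and confirm it is the same certificate and carries no key.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($outFile)
if ($exported.Thumbprint -ne $cert.Thumbprint) { throw 'Exported file does not match the store certificate.' }
if ($exported.HasPrivateKey) { throw 'Exported file unexpectedly contains a private key.' }

# 6. Record the thumbprint; it identifies this exact certificate when clients import it later.
[pscustomobject]@{
    Subject            = $cert.Subject
    Thumbprint         = $cert.Thumbprint
    SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
    NotAfter           = $cert.NotAfter
    ExportedTo         = $outFile
}
```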

2.2.3.2 Configure SSL Bindings


The next step is to configure IIS to offer SSL.


1. On the left hand side of the IIS screen, expand Sites and choose Default Web Site.

2. On the right-hand side of the screen, choose Bindings.

3. Click Add to bring up the Add Site Binding dialog box.


4. Choose https from the Type drop-down list. Leave the default settings, enter the FQDN as
the Host name, and choose your certificate from the drop-down list.
5. Click OK.
6. With the Default Web Site selected in the IIS console, choose browse <FQDN> on :443(Https)
from the right-hand side of the screen. IE will open and you will see a successful connection
to IIS. If there are any certificate errors at this point, review the previous steps to correct them. Pay
close attention to the FQDN of the machine and the DNS entries.


2.2.4 Remember to ensure that clients trust the self-signed certificate


For this POC we have configured the IIS server to use a self-signed certificate. This certificate was
imported into the Trusted Root Certification Authorities store for the Computer account. Any
client that will be used in this POC will need to trust this certificate.

2.2.5 Finalize SGN infrastructure


These next few steps will finalize the SGN infrastructure, preparing the components for the
configuration of your policies.

2.2.5.1 Server Registration and Configuration


1. Open your SGN management center.

2. Select Tools > Configuration Package Tool.


3. On the Servers tab, select Add.

4. In the Server Registration wizard, browse to c:\program files (x86)\Sophos\SafeGuard
Enterprise\Machcert. You will see a security certificate named using the server FQDN. Select
this and click OK.

5. A line entry for your server will now appear in your Configuration Package Tool screen. Select
the Scripting allowed and Win. Auth. WHD check boxes.


6. Select the Server packages tab.

7. On this tab, highlight the server. Then choose the SGNFiles directory in the Configuration
Package output path field.

8. Click Create Configuration Package.

9. A package with the name <ServerFQDN>.msi will be created in the SGNFiles directory.

This configuration package was built using the machine certificate specific to the SGN server you
installed. It contains the necessary information for the server to connect to the SQL database and
become part of your SGN environment. Remember every server package is unique.

2.2.5.2 Create client Configuration package:


1. Select the Managed client packages tab.
2. Highlight the line Managed Client. Under Primary Server, choose your server from the drop-
down list.
3. Choose SGNFiles in the Configuration Package output path field. Then click Create
Configuration Package. At this point the SafeGuard Management Center will generate two files,
Managed clients.msi and Managed Clients.zip. These files will be used to configure the Windows
and Mac client respectively.


4. The second Managed Client (Default).msi configures clients and Management centers to
communicate with the SGN server.
5. Run the Server configuration MSI (FQDN.MSI).
6. When complete, run the Managed Client (Default).msi.
7. When prompted, reboot the system.


2.2.5.3 Confirm the SGN server is operating correctly


1. Open Internet Explorer. In the address bar type: Https://FQDN/sgnsrv.

2. Select Check Connection and then Invoke. At this point, the SafeGuard website will impersonate
a client connecting to the server. You should then see the following results page:

If you see an error, please ensure that ASP.NET is in fact installed.


Your SafeGuard infrastructure is set up and you are ready to configure the system.


3 Configuration of SafeGuard Enterprise


3.1 Build basic machine policies
This section will cover the creation and assignment of policies that will encrypt a system, and
enable a pre-boot environment. These policies will apply to both SafeGuard encryption engine
and the native encryption engine.

3.1.1 Modify the Default Policy group


In the Management Center, select Policies. From this screen we will be able to configure the
settings needed to define encryption for your environment. The settings defined in this guide will
be a basic setup; for more information please review the Administrator Help guide available on
Sophos.com.
1. On the right-hand side of the SafeGuard Management Center screen, expand the section Policy
Groups.


2. Select the Default group.


This Policy group contains a number of Default Policy items. Before editing these, make the
following changes to allow for the file-based policy created further in this guide.
3. In the middle of the screen, on the Members tab, right-click the following items and select
Remove.

File Encryption (Default)


Cloud Storage (Default)
PIN (Default)
Password (Default)
Removable Media Encryption (Default)

4. When finished, select Save in the top left-hand side of the Management Center.

Now make a few changes to the policy items that make up this default group. These settings will
provide you with the ability to test some of the most common use cases.
5. Select each policy item listed below and make the changes to the values as described.
6. Click Save when moving between the items.

3.1.1.1 Authentication (Default)


No changes are necessary for initial testing.

3.1.1.2 General Settings (Default)


Connection Interval to server (min) = 15


User can define their own questions = Yes


Enable Local Self-Help = Yes

3.1.1.3 Logging (Default)


1. Expand Success Audit.
2. Select event 3505: Sector-based initial encryption of drive completed successfully.
3. Change the column under the database to a green check.

4. Select Event 2008 with the application SGAPI: Response created


5. Change the column under the database to a green check. This will record when recovery is
performed via the Web Help Desk.


3.1.1.4 Special Machine Settings (Default)


Allow Registration of New SGN users for = Everybody
Enable registration of SGN Windows Users = Yes

3.1.1.5 Full Disk Encryption (Default)


For the purposes of this test, we will target only boot encryption drives. Certain external drives
show up as internal storage, eSATA being the most common. If you wish to see all volumes
encrypted, please feel free to ignore the change to the Target setting.

Target = Local Storage Devices\Internal Storage\Boot Drives


Media encryption mode = Volume based

This policy will enable encryption on all supported encryption engines: Microsoft's BitLocker
encryption, Apple's FileVault 2 and Sophos SafeGuard.


3.1.1.6 Modify Local Self Help settings


When testing SafeGuard Enterprise with the Sophos Encryption engine there is the option for a
user to configure a Local self-help recovery mechanism on each of the machines they can access.
1. Select Local Self Help.
2. On the left hand side you may select the themes, or question lists you wish to use. You may
even create your own. For now simply remove the ones you do not wish to use by right-clicking
them and choosing Delete.

When you have the themes you wish to test, review the local self help parameters.
The first number represents the number of questions a user must answer for this feature to be
available.
The second is the number they must answer to recover the system.
3. Choose the numbers that reflect your organization's requirements, for example, six to activate
and three to recover.
4. Click Save.

You have set up the basic policies required to test Full disk encryption. Now you can do one of
the following:

Skip the next section and go to section 3.3, Assigning Policies, assign these policies, and then
install the client software to begin testing.
Continue to the next section and prepare the file encryption policies before moving to the
client.


3.2 Build default file encryption policies


3.2.1 Create File Policy group
1. Select Policy Groups.
2. Right-click and select New group.
3. Name the group Default File Encryption and click OK.

4. Select the Default File Encryption group that was created.


5. On the right-hand side of the screen, under Available Policies, select and drag the following
policy items to the Members tab in the middle of the screen.

General Settings (Default)


Logging (Default)
Removable Media Encryption (Default)
Cloud Storage (Default)
File Encryption (Default)

6. Save.
In the next step, we will make a few changes to the policy items that will make up this default
group. These settings will provide you with the ability to test some of the most common use
cases.
7. Select and expand Policy Items.
8. Select each policy item listed below and make the changes to the values as described.


9. Click Save when moving between the items.

3.2.1.1 General settings (Default)


Select General Settings (Default) and set the following option:

User is allowed to set default keys = Yes

3.2.1.2 Logging (Default)


Expand Information.
Select ID 3020, File Tracking for removable media: A file has been created, and ID 3025, File
tracking for Cloud Storage: a file has been created, then check the box under the database symbol for
each.

3.2.1.3 Removable Media Encryption (Default)


Note that these policies apply only to Windows clients.

Media encryption mode = File based


Defined key for encryption

Search for root


Select Root_Root@SGN

Initial Encryption of all files = No


User may cancel initial encryption = yes
User may define a media passphrase for devices = yes


User is allowed to decide about encryption = yes

3.2.1.4 Cloud Storage (Default)


Note that these policies apply only to Windows clients.
Choose a target, for example Dropbox.

Media encryption mode = File based


Key to be used for encryption = Any key in user key ring

3.2.1.5 File Encryption (Default)


This policy item will provide encryption policies to cover file shares and locations. In addition,
given the nature of Mac OS X, removable media and cloud encryption for Mac will also be
configured using this policy item.
1. Add new line item by clicking in the first empty line.

In the Path column, type \\FQDN_of_server\Corporate Share. Please remember that the Mac
client will be case sensitive, so be careful here.
Select the Key column and add the Root_Root@SGN key as before in the Removable Media
Encryption section.

2. Select the next new line.

In the Path column, choose <Documents> from the drop-down list.


In the Key column, click on the key icon to set this to Personal Key.


3. Click Save.

3.2.1.6 Configuring Removable Media encryption for Mac


Removable Media encryption is configured in the same way as file share encryption in Windows, with the
target selected being <Removables>. Unlike Windows, there is no ability to create local keys or
passphrases on our removable media. For this configuration the Root key will be used to facilitate the
sharing of information within the organization.

1. Open the management center.


2. Select Policies.
3. Select Policy Items.
4. Select File Encryption (Default).

3.2.1.7 Mac Removable Media Encryption


1. Add a new line item.
2. Select the Path column and choose Mac OSX <Removables> from the list.
3. Select the Key column and add the Root_Root@SGN key as before in the Removable Media
Encryption section.

4. Click Save.


3.2.1.8 Mac Cloud Encryption (see Test Cases)


The configuration of cloud encryption for the Mac will take place in the test cases document.

3.3 Assigning Policies


3.3.1 Quick review of how to assign policies
SafeGuard policy assignment is contingent on a few things, the simplest being the location of the
user or machine in relation to the application of the policy, and the group memberships of that
user or machine.
When we synchronize with Active Directory or configure a workgroup, you will see a node
relative to that object appear in the SafeGuard Management Center, under the high-level root. It
is possible to have SafeGuard be responsible for multiple domains, workgroups, or even
machines with no higher organizational affiliation.
Having root enables an administrator to create a policy that, when applied at the root of the SG
environment, is eligible for any object below. Likewise, a policy can be applied at the workgroup
or AD node, allowing the administrator to set policies for only those users and machines under those
organizational umbrellas.
This assignment of policy, however, does not mean that every user and machine now receives that
policy; it only states that they are eligible to do so. Once a policy has been placed it must be
activated. This is done by means of group membership. AD groups, or groups made by SG admins,
can be used for this. In most cases, however, the Authenticated Users and Authenticated
Computers groups will be sufficient. The Authenticated Computers group is made up of every
system with the SG client installed and registered to this environment, and the Authenticated
Users group contains every single SGN user for this environment regardless of the domain or the
workgroup. Essentially these are our "everyone" groups.

3.3.2 Assigning the Default Policy group


1. In the management center, select Users and Computers in the lower left-hand side of the
screen.
2. Select Root.
3. In the central panel, select the Policies tab.


You will notice the default policy group is listed in the top box of this section, while underneath
there are two lines: .Authenticated Computers and .Authenticated Users, the "everyone" and
"everything" groups for SGN. The Default policy is targeted at our computers, so the first step is
to remove the .Authenticated Users entry.
4. Right-click on .Authenticated Users.
5. Select Remove.
6. Save.

3.3.3 Assign the Default File encryption policy group


This step will take the policies built around file encryption, policies which are really aimed at who
the user is, and assign them to our environment.
1. With the Policies tab of Root selected, under Available Policies, select Default File Encryption
and drag it over to the central pane.
2. Right-click on the Default File Encryption policy group and select UP.
3. In the pane below select .Authenticated Computers.
4. Right-click and select Remove.
5. Save.

With the policies tab of Root selected, your screen should now look like this:


We will now move to the installation of the SafeGuard software. We will need to complete the
Windows client installations before finalizing our Mac File encryption policies.

4 Client Installation
4.1 Preparation
Here we will create directories that can be accessed from your test clients via the network share set
up earlier. You will only need to follow the steps that apply to your planned POC.

4.1.1 Windows 7sp1/Windows 8 and higher (64 bit)


1. Under the directory SGN Files, create a new folder SGN Windows Client.
2. Copy the file Managed Client (Default).msi to SGN Files\ SGN Windows Client\
3. Copy the file SGNSSLCert to SGN Files\ SGN Windows Client\
4. Copy Client installers x64\ SGxClientPreinstall.msi to SGN Files\ SGN Windows Client\


5. Copy Client installers x64\ SGNClient_x64.msi to SGN Files\ SGN Windows Client\

4.1.2 Windows 7sp1/Windows 8 and higher (32 bit)


1. Under the directory SGN Files, create a new folder SGN Windows Client x86.
2. Copy the file Managed Client (Default).msi to SGN Files\ SGN Windows Client x86\
3. Copy the file SGNSSLCert to SGN Files\ SGN Windows Client x86\
4. Copy Client installers x86\ SGxClientPreinstall.msi to SGN Files\ SGN Windows Client x86\
5. Copy Client installers x86\ SGNClient.msi to SGN Files\ SGN Windows Client x86\

4.1.3 Windows Vista/Windows 7(not SP1) (64bit)


1. Under the directory SGN Files, create a new folder SGN Windows client old.
2. Copy the file Managed Client (Default).msi to SGN Files\ SGN Windows Client old\
3. Copy the file SGNSSLCert to SGN Files\ SGN Windows Client old\
4. Copy Client installers x64 (SGN 6.0.1)\ SGxClientPreinstall.msi to SGN Files\ SGN Windows Client
old\
5. Copy Client installers x64 (SGN 6.0.1)\ SGNClient_x64.msi to SGN Files\ SGN Windows Client old\

4.1.4 Windows XP/Vista/Windows 7(not SP1) (32bit)


1. Under the directory SGN Files, create a new folder SGN Windows client32 old.
2. Copy the file Managed Client (Default).msi to SGN Files\ SGN Windows client32 old \
3. Copy the file SGNSSLCert to SGN Files\ SGN Windows client32 old \
4. Copy Client installers x86 (SGN 6.0.1)\ SGxClientPreinstall.msi to SGN Files\ SGN Windows
client32 old \
5. Copy Client installers x86 (SGN 6.0.1)\ SGNClient.msi to SGN Files\ SGN Windows client32 old \

Copy Client installers x64 (SGN 6.0.1)\ SGNClient_x64.msi to SGN Files\ SGN Windows Client
old\
Copy Client installers x86 (SGN 6.0.1)\ SGNClient.msi to SGN Files\ SGN Windows Client old\

4.1.5 Mac OSX 10.8/10.9


1. Copy the file Managed client (Default).zip to the directory SGN Mac client.
2. Copy Mac clients\ sgde_osx_61.dmg to the directory SGN Mac client.
3. Copy Mac clients\ sgfe_osx_61.dmg to the directory SGN Mac client.
4. Copy the file SGNSSLCert to the directory SGN Mac client.

4.2 Configuring Client systems for SSL


SGN uses SSL for transport encryption. In a properly architected environment, clients can
therefore connect to the SGN server from anywhere they have internet access. In a production
environment it is recommended that a public CA or a corporate CA be used. For the POC, however,
a self-signed certificate has been created. To allow proper communication, this certificate must
be imported into the Trusted Root Certification Authorities store of the local computer. The
following steps will guide you through this process.

4.2.1 Configuring Windows clients for SSL


On the client system:
1. Log onto your client system as an administrator.
2. Navigate to the shared directory SGN Files on the server.
3. Open the folder relevant to your OS (for example, SGN Windows Client for Windows 7 64-bit systems).

4. Run mmc.exe as administrator.


5. Select File, Add/Remove snap-ins.
6. Select certificates and click Add.

7. When prompted choose computer account and then local computer.

8. Click Finish.
9. Click OK.

10. In the console, select Certificates (local computer) and expand.


11. Select Trusted Root Certification Authorities and expand it.
12. Right-click the Certificates folder, then select All Tasks, Import.

13. The Certificate Import Wizard will appear; click Next.


14. Select browse and navigate to the directory created earlier with the installation files.
15. Choose the SGNSSLCert.cer and click Open.

16. Click Next.


17. You should see that the certificate will be placed in the Trusted Root Certification Authorities store.

18. Click Next and then Finish.


19. The certificate matching the FQDN of your server will now show up in the MMC console.

20. Open Internet Explorer.


21. Navigate to HTTPS://FQDNofyourserver/sgnsrv. You should see no errors at this point.
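The MMC import and the browser check above can also be scripted. The following PowerShell is an added example, not part of the Sophos guide: it compares the copied file with a thumbprint you recorded on the server before adding it to the Trusted Root store, because any certificate placed there is trusted machine-wide. The parameter names, the source of the thumbprint and port 443 are assumptions.

```powershell
# Added example, not from the Sophos guide. Run from an elevated PowerShell prompt.
param(
    [Parameter(Mandatory=$true)] [string] $CertPath,            # local copy of SGNSSLCert.cer
    [Parameter(Mandatory=$true)] [string] $ExpectedThumbprint,  # assumption: read on the server itself
    [Parameter(Mandatory=$true)] [string] $ServerFqdn,
    [int] $Port = 443                                           # assumption: default HTTPS port
)
$ErrorActionPreference = 'Stop'

# 1. Load the file without trusting it and compare it with the out-of-band thumbprint.
$path = (Resolve-Path $CertPath).ProviderPath
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected. Not importing."
}

# 2. Sanity checks: inside its validity period, and issued for this server's name.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw 'Certificate is outside its validity period.'
}
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$dnsName = $cert.GetNameInfo($nameType, $false)
if ($dnsName -ne $ServerFqdn) {
    Write-Warning "Certificate name '$dnsName' differs from '$ServerFqdn'."
}

# 3. Add it to LocalMachine\Root, the store the MMC steps target.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
$store.Open('ReadWrite')
try { $store.Add($cert) } finally { $store.Close() }

# 4. Scripted version of the browser check: handshake with default validation, then
#    confirm the server presents the same certificate that was just imported.
$tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $ServerFqdn, $Port
try {
    $stream = $tcp.GetStream()
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false
    $ssl.AuthenticateAsClient($ServerFqdn)   # throws if chain or host name validation fails
    $presented = $ssl.RemoteCertificate.GetCertHashString()
    if ($presented -ne $cert.Thumbprint) {
        throw "Server presented $presented, not the imported certificate."
    }
    "OK: $ServerFqdn presents trusted certificate $presented"
} finally { $tcp.Close() }
```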

4.2.2 Configuring Mac OSX for SSL


On the client system:
1. Log onto your client.
2. Navigate to the shared directory SGN Files on the server.
3. Open the folder SGN Mac Client.

4. Open the Keychain access application.

5. Enter credentials as prompted.


6. Select System, and unlock the keychain.
7. Select certificates.
8. Drag the SGNSSLCert.cer from the shared directory on the server to the certificates screen.
9. When prompted ensure the certificate will be trusted as shown.
10. Now select the certificate from the list; you should see the FQDN of your server.
11. Double click to open the certificate.

12. Expand the Trust section.


13. Change the value for Secure Sockets Layer (SSL) to read Always Trust.
14. Close the window.
15. Open Safari.
16. Navigate to HTTPS://FQDNofyourserver/sgnsrv. You should see no errors at this point.

4.3 Windows Client Installation


The following steps will guide you through the client installation on a Windows system. During the
POC we will install with the UI, which allows you to see the steps involved. During a rollout it is
common practice to run these files from the command line, scripted in line with your software
deployment strategy.

By default, the SafeGuard Enterprise environment is only licensed for 5 test machines. Do not
install more than 5 machines without first checking with your account team. Installing more than
5 systems can cause the system to stop providing policy updates to clients.

4.3.1 A note on Encryption Engines


On systems running Windows XP you may only install the SafeGuard encryption engine. On
systems running Windows Vista and 7 you have a choice between the SafeGuard engine and the
native BitLocker engine.
Systems running Windows 8 can only use the BL engine, though those properly configured with
UEFI (2.3.1) and a GPT partition may use a Sophos extended recovery mechanism for a challenge
response rather than a recovery passphrase.

4.3.2 Installing Windows Clients


The following steps will work for all versions of Windows; just remember to select the correct
installation folder based on the OS. These folders were created earlier in this section; please refer
back if you are unsure which folder to use.

On the client system:


1. Log onto your client system as an administrator.
2. Navigate to the shared directory SGN Files on the server.
3. Copy the folder relevant to your OS (for example, SGN Windows Client for Windows 7 64-bit systems) to
your local system.

4. Open the folder.


5. Run SGxClientPreinstall.msi. There are no choices; simply click Next through the wizard until it completes.
6. Run SGNClient.msi (SGNClient_x64.msi on 64-bit systems).
7. Click Next through the screens and accept the license agreement.
8. When you get to the type of installation, choose Custom.
9. Choose your encryption engine:

SafeGuard encryption engine: XP/VISTA/Win7

Bitlocker Engine: Vista/Win7/Win8

10. Select the other options. In this example we will select all file encryption options. Choose those
you wish to test. You can always modify the installation later to add or remove file encryption
options.

11. Select Next, then Install.

12. Once the installation has completed, you will see a confirmation screen explaining which
modules have been installed.

13. Click Finish.


14. Run the Managed Client (Default).msi
15. Click Next through the installation.
16. When prompted, reboot.

With the SafeGuard Encryption Engine only


17. The system will boot part way and appear to reboot.
18. A message will appear informing that the SafeGuard Kernel has been installed.

19. The system will now reboot again.


20. At this point the MBR points to the SafeGuard Kernel. Messages will appear during the load
process and an auto-login screen will be displayed (after users have been registered, this screen
will prompt for credentials unless POA is disabled).

21. The system will continue its boot cycle.

At the login screen a new icon will be visible. This icon allows users to log into SGN and Windows
with a single prompt. If you switch user, please ensure you use a login option with this icon; if
you do not, a second prompt will appear at the desktop asking the user to log into SafeGuard.

After logging in at the Windows prompt you will see a pop-up on your screen as SGN attempts to
connect to the server. These pop-ups can be suppressed for production, but for the purpose of
our testing they are left enabled.
When the client has communicated with the server, policies and user credentials will be delivered
to the system. As policies are configured you will see immediate changes or prompts on the
system. These will be discussed further under the test cases.

4.3.3 Apple Macintosh OSX clients


This section will cover the installation of the client on Mac OSX. Unlike the Windows client there
are in fact two separate installers, the DE client for managing FV2 and the FE client for the file
encryption.

4.3.3.1 Mac DE client


On the client system:
1. Enter credentials as prompted.
2. Log onto your client system as an administrator.
3. Navigate to the shared directory SGN Files on the server.
4. Copy the SGN Mac Client to your local system.
5. Open the folder:

6. Run Sophos SafeGuard DE.dmg


7. The next screen will offer you the Readme.HTML and the Sophos SafeGuard DE.pkg

8. When done with the readme run the Sophos SafeGuard DE.pkg
9. Click Continue and then review the License agreement. Click Continue when ready.

10. Click Install on the next screen, and when prompted enter your credentials.
11. A number of screens will appear with a progress bar; when completed, you will see a final thank
you screen.

12. With the installation completed, go to System Preferences and open the Sophos Encryption
icon seen at the bottom of the screen.

13. This will launch the SafeGuard encryption UI.


14. Select the Server tab.

15. Now take the Managed Client (Default).zip and drag it to the location indicated in the middle of
the screen.

16. When prompted, enter your password to update the local system.

17. The SafeGuard Client is now configured to communicate with your SGN server.
18. As policies are configured for encryption, you will be immediately prompted to enter your
password. This will be your user password and will allow you to log in at POA. At this point the
client system will upload the recovery key to the SGN server and restart.

19. After the reboot, the power-on authentication screen will prompt for credentials (as entered
before the reboot); the user will be signed on to the system, and the desktop will load.

4.3.3.2 Mac FE client


1. Open Safari and browse to OSXfuse.github.io

2. Download the latest version of Fuse for OS X.


3. Once the download has completed, run the osxFuse .dmg file.

4. Install accepting the defaults.


5. Once complete, close the screen.
6. Run the Sophos SafeGuard FE.DMG

7. When done with the Readme, launch the Sophos SafeGuard FE.pkg

8. Enter credentials as prompted to update the system.

Once the installation has completed, you will notice a new icon on the system. This provides
access to the same console as the DE client. Select this and open the Sophos Encryption
preferences.
9. Select Server.

10. Click Synchronize. If you have not already done so, you will be prompted for your Mac OS X password.

11. You may now select the user tab. This will display details about your user and how it is identified
by SafeGuard.
12. The Keys tab shows you the key ring provided by SGN.

13. Selecting policies and clicking on the SafeGuard icon next to Policy view will show you what
policies have been delivered.

With your clients installed, you can now begin testing.

5 Further information
5.1 White Papers and Guides
These sources will provide you with further guidance around encryption, from choosing a product to the
concerns addressed by encryption.
Encryption Buyers guide
Regulations and Standards: Where encryption applies
Gartner Magic Quadrant
Tolly report on Safeguard Enterprise and the cost of Full Disk Encryption:
Managing Bitlocker with Safeguard Enterprise, a quick read covering some of the benefits of managing
the BL native encryption engine with Safeguard Enterprise

5.2 Useful Technical Resources


Documentation for Safeguard Enterprise
SafeGuard Enterprise 6.10 Release Notes
SafeGuard Recovery Scenarios
Safeguard Video resources
