Contents:
1. Installing DL Enterprise Server
2. Connecting DL Service to DL Enterprise Server
3. Reporting
4. Monitoring
1. Installing DL Enterprise Server
INTRO: DeviceLock Enterprise Server (DLE Server) is the optional component for centralized collection and storage of shadow data and audit logs. Also, DLE Server can monitor remote computers in real-time, checking DeviceLock Service (DL Service) status, policy consistency and integrity.
NOTE: You can install several DLE Servers on different computers across your network to uniformly spread the network load.
PREREQUISITE: MS SQL Server must be installed and running on your network.
1.1 Run Setup (setup.exe) and follow the instructions that appear on the screen.
1.2 You have the following two choices: either
a) Install both DLE Server and DeviceLock management consoles (DLMC) using the Server + Consoles option or
b) Install only DLE Server using the Custom option and select the DLE Server component.
1.3 Follow the instructions to the first page of the DLE Server wizard, where you can opt to install DLE Server’s service and define its startup parameters:
·Log On As: Select the Local System account option, then input .\Eric and the corresponding password.
·Connection Settings: You may type the port number in Fixed TCP port. By default, DLE Server uses port 9133.
1.4 On the second page, you can define the list of Users that have administrative access to DLE Server and install DeviceLock Certificate (the private key). To define which actions are to be allowed for a user or user group, set the appropriate rights:
·Full access – Users can change settings and run reports.
·Change – Users can change settings, install/uninstall DLE Server and run reports, but they cannot add new users to the list of authorized accounts that can connect to DLE Server or change access rights for existing users in this list.
·Read-only – to enable only read access to DeviceLock Enterprise Server. Users can run reports and view settings, but can't modify anything.
1.5 On the third page, you can load your DeviceLock licenses.
1.6 On the fourth page, you can configure database parameters.
·Database name: (e.g. DeviceLockDB)
·Database type: (e.g. ODBC driver)
·SQL Server name: (e.g. MFHK-RIVERLIU\SQLEXPRESS)
Select either Windows authentication or SQL Server authentication. Press the Test Connection button to make sure that all the parameters were specified correctly.
1.7 If there are no errors, press the Finish button to close the wizard and continue the installation process.
1.8 Uncheck the DeviceLock Home Page flag if you do not want to visit the DeviceLock Web site. Press the Close button to finish the installation.
2. Connecting DL Service to DL Enterprise Server
INTRO: There are two methods to connect DL Service to DLE Server. Both methods are carried out in DLMC.
Method 1: configuring service-server connection on each computer.
Method 2: enforcing a group policy to computers. This method is an extension of method 1.
2.a Method 1: configuring service-server connection on each computer
2.a.1 In the left menu of DLMC, select DeviceLock | DeviceLock Service. Right click it and select Connecting…
2.a.2 Select Another computer. Enter the host name of the computer where DL service is running. Click OK.
2.a.3 Input the user name .\Eric and the corresponding password. Click OK.
2.a.4 If the connection is successful, you can access DeviceLock | DeviceLock Service | Service Options. Double click DeviceLock Enterprise Server(s) on the right, and then enter the host name(s) where the DLE server(s) run (e.g. MFHK-RIVERLIU). Click OK.
Select DeviceLock | DeviceLock Service | Service Options | Auditing & Shadowing. Double click Audit Log Type, and then select Event & DeviceLock Logs.
2.a.5 Select DeviceLock | DeviceLock Enterprise Server on the left menu. Right click it and select Connecting…
2.a.6 Select Another computer. Enter the host name of the computer where DLE server is running. Click OK.
2.a.7 Repeat steps 2.a.1 – 2.a.4 until all computers with DL service installed are connected to DLE server.
2.b Method 2: enforcing a group policy to computers
2.b.1 Follow the steps 2.a.1 – 2.a.5.
2.b.2 Select DeviceLock | DeviceLock Service
2.b.3 Click Action | Save Service Settings. The steps 2.b.2 – 2.b.3 allow you to create and save a service setting file (*.dls).
2.b.3 Select DeviceLock | DeviceLock Enterprise Server | Monitoring on the left menu. Right click it and select Create Task…
2.b.4 On the Create Task wizard, specify the following parameters:
·Name: (e.g. Workstations monitor: 2010-7-12)
·Computers: Select Static List, then Click Edit. You may either select computers from the list on the left, or load in a computer list from file.
NOTE: The computer list shown by the wizard may not be complete.
At this point, I wrote a C# program to browse Active Directory with the path:
LDAP://OU=Workstations, DC=china, DC=messefrankfurt, DC=com.
This program could generate a txt file containing all computer names of workstations.
Also, I tried to use the Dynamic List supported by DLMC, with the user name Eric and the corresponding password, but an error of “access denied to Active Directory” was reported.
·Check Verify Service Settings. Then browse to the service setting file you saved.
·Check Restore Service Settings.
·Change the Scanning interval.
·Change the Number of scanning threads.
·Check Active.
2.b.5 Click OK to start enforcing.
3. Reporting
INTRO: This task lets you view file read/write records or generate reports from them.
3.1 Repeat steps 2.a.1 – 2.a.3.
3.2 If the connection is successful, you can access DeviceLock | DeviceLock Service | Device | Auditing & Shadowing. Double click the device you wish to configure for auditing / shadowing (e.g. Removable).
3.3 In the Auditing / Shadowing wizard, specify the following parameters:
·Check Audit Allowed.
·Users: Click Set Default.
·User’s Right: For corresponding user, check the report you wish to view.
Click OK or Apply.
NOTE: You may use steps 2.b.2 – 2.b.5 to enforce the settings on several computers.
3.4 To view the real-time auditing / shadow report of a certain device, connect to it with steps 2.a.1 – 2.a.3, and then select DeviceLock | DeviceLock Service | Audit Log Viewer or Shadow Log Viewer.
3.5 To send the real-time auditing / shadow report of a certain device to the server immediately, select DeviceLock | DeviceLock Service | Audit Log Viewer or Shadow Log Viewer, then right click it and select Send data to server. Then you may view the data by selecting DeviceLock | DeviceLock Enterprise Server | Audit Log Viewer or Shadow Log Viewer.
3.6 To generate auditing / shadow reports, select DeviceLock | DeviceLock Enterprise Server | Reports. Right click the report you wish to generate and select New report. Specify the following parameters:
·Period
·Computer(s)
·User(s)
·Other options
Then click OK. The report will be generated in PDF form.
4. Monitoring
4.1 Repeat steps 2.b.3 – 2.b.4, but do not check the box Restore Service Settings.
4.2 The result will show immediately, or you may right click the task you created and select Refresh.
NOTE: There can be seven possible statuses:
a) Computer is available – this status means that the monitored computer is working and DeviceLock Service is running on it. Also, if this task verifies policy integrity, then this status means that verification happened without any errors. The computer’s icon will be “green computer”.
b) Computer is unavailable – this status means that DeviceLock Enterprise Server is unable to scan the monitored computer. This occurs when a computer is not working or connections are blocked by a firewall, but the computer’s name/address can be resolved through DNS. The computer’s icon will be “red computer”.
c) Service is unavailable – this status means that DeviceLock Enterprise Server is unable to connect to DeviceLock Service on the monitored computer. This occurs when the computer is working but DeviceLock Service is not running. Also, it could be the result of in the task configuration or due to connections being blocked by the firewall. The computer’s icon will be “red computer with exclamation mark”. For more information on connection issues, see the description of the Service connection settings parameter.
d) Settings are corrupted – this status means that the monitored computer is working and DeviceLock Service is running on it but the policy verification process has failed. This happens when the master policy is assigned to a task and it differs from the monitored DeviceLock Service policy. The computer’s icon will be “green computer with exclamation mark”.
e) Unresolved computer address – this status means that DeviceLock Enterprise Server is unable to resolve the name/address of the computer. This happens when an invalid computer name that does not exist in DNS is specified. Also, it could happen because there is no DNS server. In this case the Unresolved computer address status should be treated as Computer is unavailable. The computer’s icon will be “red computer with exclamation mark”.
f) Unsupported service version – this status means that DeviceLock Enterprise Server is trying to download a policy (service settings) from DeviceLock Service version 6.2 and lower. The policy verification is supported only for version 6.2.1 and later. The computer’s icon will be “green computer with exclamation mark”.
g) Access is denied – this status means that DeviceLock Enterprise Server is unable to connect to DeviceLock Service due to lack of privileges. It happens when the account under which the DeviceLock Enterprise Server service starts has no rights to connect to DeviceLock Service. The computer’s icon will be “green computer with exclamation mark”. For more information on how to resolve this issue, see the description of the Service connection settings parameter.
4.3 To view detailed information for a computer, click it, and DLMC will connect to it automatically. You can then view its permission, auditing and shadowing information under DeviceLock | DeviceLock Service.
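A troubleshooting aid for the "red" statuses in the list above, added here as an example and not part of the original post or of DeviceLock: it walks the same ladder (resolve the name, then try a TCP connection) from any machine, so a DNS problem can be told apart from a dead host or a stopped service. The port is a parameter because this page does not give the DeviceLock Service port; the host names, the `9999` placeholder and the mapping of probe results onto status names are assumptions.

```python
import socket
# Status names follow the list above; the probe ladder is an assumption.
UNRESOLVED = "Unresolved computer address"
HOST_DOWN = "Computer is unavailable"
SVC_DOWN = "Service is unavailable"
PORT_OPEN = "Port open"  # statuses a, d, f, g all start from here

def triage(host, port, timeout=3.0, resolve=socket.getaddrinfo,
           connect=socket.create_connection):
    """Classify one host as seen from the machine running this script."""
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return UNRESOLVED      # name not in DNS, or no DNS server
    addr = infos[0][4][0]
    try:
        conn = connect((addr, port), timeout=timeout)
    except ConnectionRefusedError:
        return SVC_DOWN        # host sent RST: it is up, nothing listens
    except OSError:
        return HOST_DOWN       # timeout/unreachable: off, or firewall drop
    conn.close()
    return PORT_OPEN

def triage_list(lines, port, **probes):
    """Triage a computer list: one name per line, blanks and '#' skipped."""
    names = (line.strip() for line in lines)
    return {n: triage(n, port, **probes)
            for n in names if n and not n.startswith("#")}

def demo_probes():
    """Constructed fake resolver/connector so the example runs offline."""
    outcome = {"ws-ok": None, "ws-nosvc": ConnectionRefusedError(),
               "ws-off": socket.timeout()}
    def resolve(host, port, type=0):
        if host not in outcome:
            raise socket.gaierror("constructed: no such host")
        return [(socket.AF_INET, type, 6, "", (host, port))]
    def connect(address, timeout=None):
        if outcome[address[0]] is not None:
            raise outcome[address[0]]
        return socket.socket()  # unconnected socket, only closed by caller
    return {"resolve": resolve, "connect": connect}

if __name__ == "__main__":
    sample = ["ws-ok", "ws-nosvc", "ws-off", "ws-ghost"]  # constructed names
    # 9999 is a placeholder port, not a DeviceLock default.
    for name, status in triage_list(sample, 9999, **demo_probes()).items():
        print(f"{name}: {status}")
```

A firewall that rejects instead of dropping looks like a refused connection, so a "Service is unavailable" result still calls for checking the service on the host itself.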