
Installing and configuring Symantec Endpoint Encryption 6.x for the first time


Article ID: 151538


Products

Endpoint Encryption

Issue/Introduction

This document describes the procedure for installing and configuring Symantec Endpoint Encryption (SEE) 6.x in an environment that does not currently have the product installed. Please note that the procedure for installing SEE 7.x and 8.x is different. See TECH131424 for detailed instructions on installing SEE 7.x.

Resolution

Verify the environment

Before installing Symantec Endpoint Encryption, verify the system environment and the system requirements. You will need:

  • An Active Directory domain with the Manager Computers, the SEE Servers and Client Computers in the same AD forest.
  • At least one Manager Computer running:
    • Windows XP Professional SP2, Microsoft .NET Framework 1.1 or 1.1 and 2.0, Group Policy Management Console with SP1 and the Server 2003 Administration Tools Pack
    or
    • Windows Server 2003 Standard or Enterprise Editions with Group Policy Management Console with SP1
  • At least one Symantec Endpoint Encryption Server running Windows Server 2003 Standard or Enterprise Edition SP1 or SP2

NOTE: The SEE Server must be upgraded to Active Directory Application Mode (ADAM) SP1 before upgrading to Windows Server 2003 SP2

  • Client Computers running:
    • Windows XP Professional SP1 or SP1 with .NET Framework 1.1 or 1.1 and 2.0, Internet Explorer 6.0 with SP2 or Internet Explorer 7
    • Windows XP Tablet Edition SP1 or SP2 with .NET Framework 1.1 or 1.1 and 2.0, Internet Explorer 6.0 with SP2 or Internet Explorer 7 (Keyboard required)
    • Windows 2000 Professional Edition SP4 with .NET Framework 1.1 or 1.1 and 2.0, Internet Explorer 6.0 or Internet Explorer 7


After verification of a supported environment, follow this specific install sequence:

  1. Create the required account and group provisioning
  2. Install the SEE Server
  3. Install the SEE Manager
  4. Install the SEE Clients


Required Accounts and Groups

Before attempting to install the SEE Server, verify that the following Accounts and Groups are created on the SEE Server:

Account/Group Type       Sample Name/Function *
-----------------------  ----------------------
Domain User              ADAM Admins
Domain User              ADAM Client
Domain Group (optional)  ADAM Admins DG **
Domain Group (optional)  ADAM Clients DG **
Local Group              ADAM Admins LG
Local Group              ADAM Clients LG
Domain User              Client Administrator


* Do NOT use sample names in a production environment
** Creating optional groups requires an account with create child permissions in Active Directory

Symantec Endpoint Encryption Server Initial Instance

Before installing, verify that the appropriate users and groups have been created within Active Directory. You will also want to have at least one local administrator account on the SEE Server that possesses sufficient rights to run the ADAM install, create local groups and add domain user accounts as members of the local groups. Also verify that the Windows Server 2003 system has been joined to the appropriate domain as a member server.
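The pre-install checks described above (domain-joined member server, the two local groups, and the domain user accounts as their members), as an added PowerShell example; this is not part of the Symantec article. The group names follow the article's sample table, and your-org, adamadmin and adamclient are placeholders for the real domain and the two domain user accounts created in the previous section.

```powershell
# Added example (not from the Symantec article): pre-install checks for the
# SEE Server host and creation of the two local groups with their domain members.
# Assumptions: run in an elevated PowerShell session by a local administrator;
# the sample group names from the article are used; 'your-org', 'adamadmin' and
# 'adamclient' are placeholders for the real domain and domain user accounts.
param(
    [string]$Domain     = 'your-org',
    [string]$AdminUser  = 'adamadmin',
    [string]$ClientUser = 'adamclient'
)

# 1. The SEE Server must be a domain-joined member server, not a domain controller.
#    Win32_ComputerSystem.DomainRole: 3 = member server, 4/5 = domain controller.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw "This server is not joined to a domain (workgroup: $($cs.Workgroup))" }
if ($cs.DomainRole -ge 4)  { throw "DomainRole $($cs.DomainRole): this is a domain controller, not a member server" }
Write-Host "Member server in domain $($cs.Domain)"

# 2. Local groups and the domain account that belongs in each of them.
$membership = @{
    'ADAM Admins LG'  = "$Domain\$AdminUser"
    'ADAM Clients LG' = "$Domain\$ClientUser"
}

# 'net localgroup' lists existing groups with a leading asterisk.
$existing = net localgroup | Where-Object { $_ -like '[*]*' } | ForEach-Object { $_.TrimStart('*') }
foreach ($group in $membership.Keys) {
    if ($existing -notcontains $group) {
        net localgroup $group /add | Out-Null
        Write-Host "Created local group '$group'"
    }
    # Adding an account that is already a member returns error 1378; treat that as already done.
    $out = net localgroup $group $membership[$group] /add 2>&1
    if ($LASTEXITCODE -ne 0 -and ($out -join ' ') -notmatch '1378') {
        throw "Could not add $($membership[$group]) to '$group': $out"
    }
}

# 3. Show the resulting membership so it can be compared with the article's table.
foreach ($group in $membership.Keys) { net localgroup $group }
```

The script stops before creating anything if the host is not a domain member or is a domain controller, which is the state the ADAM installer and the later dsacls grants assume.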

    ADAM Installation
    1. On the system that will host the initial SEE Server instance, open the ADAM Setup folder and run adamsetup.exe.
    2. For first time users, after accepting the license agreement select "ADAM and ADAM administration tools" and click NEXT.
    3. Following this, select "A unique instance" and again select NEXT.
    4. Provide the Instance Name on the following screen. This will be the name for the first SEE Server instance. Click NEXT.
    5. On the following page the LDAP and LDAPS (SSL) port numbers (389 and 636) will be automatically added if available. If alternate ports need to be used, they will be automatically pre-filled starting at port 50000. You can also enter in specific port numbers here if you wish and then click NEXT.
    6. Once this is done, click "Yes, create an application directory partition." All SEE Server instances must use the same application partition name. Enter this partition name in the box. For example: dc=,dc=com and click NEXT.
    7. Now you will see the File Locations page. Change the default locations of where individual files will be stored or click NEXT to accept them.
    8. There are two choices on the Service Account Selection screen - either the currently logged in user, or the default network service account. Choose the default value and click NEXT.
    9. The ADAM Administrators window will let the installer specify the user or group that will have administrative privileges for the SEE Server instance. Click BROWSE and type the full name of the local group created earlier. For example \. Click OK and then NEXT.
    10. Finally, on the Importing LDIF Files screen, accept the default choice of "Do not import LDIF files for this instance of ADAM" and click NEXT.
    11. On the Ready to Install window, verify the settings and click NEXT to begin the installation.
    12. Once the install is complete, click Finish.

    New Organizational Unit

    Once the ADAM install is complete, it is time to bind to the SEE Server instance and create two Organizational Units (OUs): EncryptionAnywhereComputers and AdminsStore.
    1. Open ADAM ADSI Edit in Start->All Programs->ADAM
    2. In the left pane, select the top level node ADAM ADSI Edit, right-click and select Connect to.
    3. A Connection Settings window will open. Enter the following settings to bind to the SEE Server instance:
      • Server name: localhost
      • Port: 389 (or the LDAP port number specified in ADAM installation)
      • Distinguished name (DN) or naming context: dc=EncryptionAnywhere,dc=com
      • Click "This account" and select the domain user account of the ADAM Admin from the "User name" list and enter the account's password
      • Click OK to bind to the SEE Server instance.
    4. Expand My Connection in the left navigation pane - this pane will populate with the SEE Server instance showing the default containers.
    5. Right-click the container named dc=EncryptionAnywhere,dc=com, point to "New" and click "Object" to open the Create Object window.
      • Click organizationalUnit and then NEXT.
      • In the Value box type the name of the first OU, EncryptionAnywhereComputers, click NEXT and then FINISH.
    6. Repeat step 5 to create a second OU called AdminsStore.

    Symantec Endpoint Encryption Schema Importation
    1. Copy the EASchema.ldf file from the ADAM Setup folder to C:\Windows\ADAM
    2. Open a Command Prompt and navigate to C:\Windows\ADAM
    3. Type the following: ldifde.exe -i -f EASchema.ldf -t 389 -b adamadmin your-org password -s localhost -k -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext
      • NOTE: Remember to replace adamadmin, your-org and password entries with the account name, domain and password specified for the ADAM Admin domain user account. Replace 389 with any custom port used for LDAP in the line above as well.
    4. When prompted, enter the ADAM Admin account password

    Access Permissions
      ADAM Clients Local Group Grant Access - ADAM OU
      1. While still in the command prompt opened above, enter the following command: dsacls.exe "\\localhost:389\OU=EncryptionAnywhereComputers,DC=EncryptionAnywhere,dc=com" /G "ADAM Clients LG":GASDDTRCWDWOLCCCDCWSRPWPCALO /domain:your-org /user:adamadmin /passwd:* /I:T
        • NOTE: Remember to replace adamadmin and your-org entries with the account name and domain specified for the ADAM Admin domain user account. Replace 389 with any custom port used for LDAP in the line above as well.
      2. When prompted, enter the ADAM Admin account password.

      ADAM Clients Local Group Deny Access - AdminsStore OU
      1. While still in the command prompt opened above, enter the following command: dsacls.exe "\\localhost:389\OU=AdminsStore,DC=EncryptionAnywhere,dc=com" /D "ADAM Clients LG":GASDDTRCWDWOLCCCDCWSRPWPCALO /domain:your-org /user:adamadmin /passwd:*
        • NOTE: Remember to replace adamadmin and your-org entries with the account name and domain specified for the ADAM Admin domain user account. Replace 389 with any custom port used for LDAP in the line above as well.
      2. When prompted, enter the ADAM Admin account password.

      ADAM Clients Local Group Read Access - All Objects
      1. While still in the command prompt opened above, enter the following command: dsacls.exe "\\localhost:389\DC=EncryptionAnywhere,dc=com" /G "ADAM Clients LG":GRLC /domain:your-org /user:adamadmin /passwd:* /I:T
        • NOTE: Remember to replace adamadmin and your-org entries with the account name and domain specified for the ADAM Admin domain user account. Replace 389 with any custom port used for LDAP in the line above as well.
      2. When prompted, enter the ADAM Admin account password.

      ADAM Clients Local Group Read and List - Configuration Partition
      1. Open the ADAM ADSI Edit from Start->All Programs->ADAM
      2. In the left-pane, select the top-level node ADAM ADSI Edit, right click and select Connect to.
      3. In the Connection Settings window enter the following information:
        • Server name: localhost
        • Port: 389 (or the LDAP port number specified in ADAM installation)
        • Click Well-known naming context and select Configuration from the drop-down list
        • Click OK
      4. Once the credentials have been accepted the left pane of the window will populate with the configuration partition of the SEE instance. There will be a name for the configuration partition container object similar to CN=Configuration,CN={5C8AFFC9-89D2-4ADF-B5E0-6A3AE3D31200}. This is the GUID of the configuration partition.
      5. Select the configuration partition container object and press Control-C to copy the GUID.
      6. At the command prompt, enter the following: dsacls.exe "\\localhost:389\CN=Configuration,CN={GUID.EN_US}" /G "ADAM Clients LG":GRLC /domain:your-org /user:adamadmin /passwd:* /I:T
        • NOTE: Replace {GUID.EN_US} with the GUID copied in the step above. Remember to replace adamadmin and your-org entries with the account name and domain specified for the ADAM Admin domain user account. Replace 389 with any custom port used for LDAP in the line above as well.

    Verification
    1. At the C:\Windows\ADAM prompt type dsdbutil
    2. Type list instances
    3. Verify that the output window contains:
      • Instance Name: EncryptionAnywhere
      • Service state: Running
    4. Type quit and press ENTER

The SEE Server log files are located in C:\WINDOWS\Debug to assist with troubleshooting installation issues.

Symantec Endpoint Encryption Server Replication

After the initial instance is installed, replica instances can optionally be installed. Replicas allow SEE Client systems to select the closest SEE Server instance based on network topology.

    Prerequisites
    • An initial SEE Server instance
    • The SEE Server replica must be running Windows Server 2003 and configured as a member server
    • ADAM Admins LG and ADAM Clients LG must be added as local groups to the SEE Server replica
    • The ADAM Admin and ADAM Client Active Directory domain user accounts created from the initial SEE Server instance install added to the ADAM Admins LG and ADAM Clients LG appropriately on the replica SEE Server
    • The ADAM Setup folder with adamsetup.exe, answer.txt and EASchema.LDF files available either locally or on a shared network resource
    • A local administrator account on the SEE Server replica with appropriate rights to run the ADAM installer, create local groups and add the domain user accounts as members of the local groups
    • Optional domain groups for managing the SEE Server replicas: ADAM Admins DG and ADAM Clients DG
    ADAM Installation
    1. On the system that will host the replicated SEE Server instance, open the ADAM Setup folder and run adamsetup.exe.
    2. For first time users, after accepting the license agreement select "ADAM and ADAM administration tools" and click NEXT.
    3. Following this, select "A replica of an existing instance" and again select NEXT.
    4. Provide the Instance Name on the following screen. This will be the name of your initial SEE Server instance. Click NEXT.
      • NOTE: If the second SEE member server you are installing is on the same domain as the initial SEE Server instance, you can use the same SEE Server instance name EncryptionAnywhere specified in the install of the initial SEE Server instance on the first member server
    5. On the following page enter the port number for the replica instance in the LDAPS (SSL) field and click NEXT.
    6. After this the Joining a Configuration Set screen will appear. Specify the name of the server with the initial SEE Server instance. Enter the port number used by the initial SEE Server instance in the LDAP port field and click NEXT.
    7. Now you will see the File Locations page. Change the default locations of where individual files will be stored or click NEXT to accept them.
    8. On the Administrative Credentials for the Configuration Set page click "This account" and select the domain user account of the ADAM Administrator from the "User name" list and provide that account's password. Click NEXT.
    9. In the "Copying Application Directory Partitions" page, highlight an available partition from the "Available partitions" area on the left and click "Add" to move it into the "Partitions to copy" box on the right and click NEXT.
    10. Now you will see the File Locations page. Change the default locations of where individual files will be stored or click NEXT to accept them.
    11. There are two choices on the Service Account Selection screen - either the currently logged in user, or the default network service account. Choose the default value and click NEXT.
    12. The ADAM Administrators window will appear. Click "This account" and in the "Account Name" field, enter the name of the ADAM Administrators group local to the member server that you are installing to. This should be identical to how ADAM Administrators were specified when installing the initial SEE Server instance. Click NEXT.
    13. On the Ready to Install window, verify the settings and click NEXT to begin the installation.
    14. Once the install is complete, click Finish.

    Access Permissions
      ADAM Clients Local Group Grant Access - ADAM OU
      1. While still in the command prompt opened above, enter the following command: dsacls.exe "\\localhost:389\OU=EncryptionAnywhereComputers,DC=EncryptionAnywhere,dc=com" /G "ADAM Clients LG":GASDDTRCWDWOLCCCDCWSRPWPCALO /domain:your-org /user:adamadmin /passwd:* /I:T
        • NOTE: Remember to replace adamadmin and your-org entries with the account name and domain specified for the ADAM Admin domain user account. Replace 389 with any custom port used for LDAP in the line above as well.
      2. When prompted, enter the ADAM Admin account password.

      ADAM Clients Local Group Deny Access - AdminsStore OU
      1. While still in the command prompt opened above, enter the following command: dsacls.exe "\\localhost:389\OU=AdminsStore,DC=EncryptionAnywhere,dc=com" /D "ADAM Clients LG":GASDDTRCWDWOLCCCDCWSRPWPCALO /domain:your-org /user:adamadmin /passwd:*
        • NOTE: Remember to replace adamadmin and your-org entries with the account name and domain specified for the ADAM Admin domain user account. Replace 389 with any custom port used for LDAP in the line above as well.
      2. When prompted, enter the ADAM Admin account password.

      ADAM Clients Local Group Read Access - All Objects
      1. While still in the command prompt opened above, enter the following command: dsacls.exe "\\localhost:389\DC=EncryptionAnywhere,dc=com" /G "ADAM Clients LG":GRLC /domain:your-org /user:adamadmin /passwd:* /I:T
        • NOTE: Remember to replace adamadmin and your-org entries with the account name and domain specified for the ADAM Admin domain user account. Replace 389 with any custom port used for LDAP in the line above as well.
      2. When prompted, enter the ADAM Admin account password.

      ADAM Clients Local Group Read and List - Configuration Partition
      1. Open the ADAM ADSI Edit from Start->All Programs->ADAM
      2. In the left-pane, select the top-level node ADAM ADSI Edit, right click and select Connect to.
      3. In the Connection Settings window enter the following information:
        • Server name: localhost
        • Port: 389 (or the LDAP port number specified in ADAM installation)
        • Click Well-known naming context and select Configuration from the drop-down list
        • Click OK
      4. Once the credentials have been accepted the left pane of the window will populate with the configuration partition of the SEE instance. There will be a name for the configuration partition container object similar to CN=Configuration,CN={5C8AFFC9-89D2-4ADF-B5E0-6A3AE3D31200}. This is the GUID of the configuration partition.
      5. Select the configuration partition container object and press Control-C to copy the GUID.
      6. At the command prompt, enter the following: dsacls.exe "\\localhost:389\CN=Configuration,CN={GUID.EN_US}" /G "ADAM Clients LG":GRLC /domain:your-org /user:adamadmin /passwd:* /I:T
        • NOTE: Replace {GUID.EN_US} with the GUID copied in the step above. Remember to replace adamadmin and your-org entries with the account name and domain specified for the ADAM Admin domain user account. Replace 389 with any custom port used for LDAP in the line above as well.
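The four "Access Permissions" grants, which are the same for the initial SEE Server instance and for every replica, as one parameterised PowerShell script; this is an added example and not part of the Symantec article. It wraps the article's own dsacls.exe calls (and, optionally, the ldifde.exe schema import for the initial instance), then reads the ACLs back so the grant on EncryptionAnywhereComputers and the deny on AdminsStore can be confirmed. It assumes the article's sample partition name dc=EncryptionAnywhere,dc=com and local group name, that dsacls.exe, ldifde.exe and EASchema.ldf are reachable from the current folder (C:\Windows\ADAM after the ADAM install), and that your-org, adamadmin and the configuration partition GUID are replaced with your own values.

```powershell
<#
Added example (not from the Symantec article): the four "Access Permissions"
steps for the ADAM Clients LG as one parameterised script, followed by a
read-back of the resulting ACLs. Run it once against the initial instance and
once against each replica by changing -Server and -Port.
Assumptions: run from C:\Windows\ADAM (dsacls.exe, ldifde.exe, EASchema.ldf);
the article's sample partition name and local group name; 'your-org',
'adamadmin' and the configuration partition GUID are placeholders.
#>
param(
    [string]$Server     = 'localhost',
    [int]   $Port       = 389,                  # custom LDAP port if one was chosen at install
    [string]$Domain     = 'your-org',           # domain of the ADAM Admin user account
    [string]$Admin      = 'adamadmin',          # ADAM Admin domain user account
    [string]$ClientLG   = 'ADAM Clients LG',    # local group created on the SEE Server
    [string]$Partition  = 'DC=EncryptionAnywhere,DC=com',
    [string]$ConfigGuid = '{GUID}',             # placeholder: paste the GUID copied from ADAM ADSI Edit
    [switch]$ImportSchema                       # initial instance only: import EASchema.ldf first
)

$root     = "\\$Server`:$Port\"
$fullCtl  = 'GASDDTRCWDWOLCCCDCWSRPWPCALO'    # permission string used by the article
$readList = 'GRLC'                            # generic read + list contents
$credArgs = "/domain:$Domain", "/user:$Admin", '/passwd:*'   # '*' makes dsacls prompt for the password

function Invoke-Dsacls {
    param([string]$Object, [string[]]$Rights)
    Write-Host "dsacls.exe $Object $($Rights -join ' ')"
    & dsacls.exe $Object @Rights @credArgs
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed on $Object (exit code $LASTEXITCODE)" }
}

if ($ImportSchema) {
    # Schema import from the article; '*' as the password makes ldifde prompt for it.
    & ldifde.exe -i -f EASchema.ldf -t $Port -b $Admin $Domain '*' -s $Server -k `
        -c 'CN=Schema,CN=Configuration,DC=X' '#schemaNamingContext'
    if ($LASTEXITCODE -ne 0) { throw "ldifde schema import failed (exit code $LASTEXITCODE)" }
}

# 1. Clients may create and manage objects under EncryptionAnywhereComputers (inherited, /I:T).
Invoke-Dsacls "${root}OU=EncryptionAnywhereComputers,$Partition" @('/G', "${ClientLG}:$fullCtl", '/I:T')
# 2. Clients are explicitly denied everything on AdminsStore (no /I:T, as in the article).
Invoke-Dsacls "${root}OU=AdminsStore,$Partition"                 @('/D', "${ClientLG}:$fullCtl")
# 3. Read and list everything else in the application partition.
Invoke-Dsacls "${root}$Partition"                                @('/G', "${ClientLG}:$readList", '/I:T')
# 4. Read and list the configuration partition.
Invoke-Dsacls "${root}CN=Configuration,CN=$ConfigGuid"           @('/G', "${ClientLG}:$readList", '/I:T')

# Read-back: dsacls with no /G or /D prints the ACL. The AdminsStore output must
# show a Deny entry for the group, the computers OU an Allow entry.
foreach ($obj in "OU=EncryptionAnywhereComputers,$Partition", "OU=AdminsStore,$Partition") {
    Write-Host "`nACL entries for $obj mentioning '$ClientLG':"
    & dsacls.exe "$root$obj" @credArgs | Select-String -SimpleMatch $ClientLG
}
```

Because /passwd:* is kept from the article, dsacls prompts for the ADAM Admin password on each call rather than taking it from the command line; the password therefore never appears in the process list or in a shell history. The deny on AdminsStore is deliberately left non-inherited, matching the article's command.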

      Verification

      Open the ADAM ADSI Edit and verify that you can connect to both the Configuration naming context and the dc=EncryptionAnywhere,dc=com application naming context from the ADAM Admin domain user account and the ADAM Client domain user account.
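A scripted form of the two verification steps (the dsdbutil "list instances" check from the initial-instance section and the bind test from both domain accounts above), as an added PowerShell example that is not part of the Symantec article. Beyond the article's checks it also confirms that the ADAM Client account can read EncryptionAnywhereComputers but not AdminsStore, which is the effect the Access Permissions section is meant to produce. It assumes the article's sample instance and partition names, that dsdbutil.exe is on the path, that System.DirectoryServices is available, and that your-org, adamadmin and adamclient are replaced with the real domain and account names.

```powershell
<#
Added example (not from the Symantec article): verify the instance with dsdbutil,
then bind as the ADAM Admin and ADAM Client domain accounts and try to read the
configuration partition, the application partition and the two OUs.
Assumptions: article's sample names; dsdbutil.exe on the path (C:\Windows\ADAM);
'your-org', 'adamadmin' and 'adamclient' are placeholders; passwords are prompted.
#>
param(
    [string]$Server    = 'localhost',
    [int]   $Port      = 389,
    [string]$Instance  = 'EncryptionAnywhere',
    [string]$Partition = 'DC=EncryptionAnywhere,DC=com',
    [string]$Domain    = 'your-org'
)
Add-Type -AssemblyName System.DirectoryServices

# 1. dsdbutil takes its commands as arguments, so "list instances" runs non-interactively.
$listing = & dsdbutil.exe 'list instances' quit
$names   = $listing | Select-String 'Instance Name:\s*(\S+)' | ForEach-Object { $_.Matches[0].Groups[1].Value }
$running = $listing | Select-String 'Service state:\s*Running'
if ($names -notcontains $Instance) { throw "Instance '$Instance' not listed by dsdbutil: $names" }
if (-not $running)                 { throw "Instance '$Instance' is not in the Running state" }
Write-Host "dsdbutil reports instance $Instance running"

# 2. Bind helpers: a DirectoryEntry for a DN using the given domain credential (Negotiate auth).
function New-AdamEntry {
    param([string]$Dn, [System.Management.Automation.PSCredential]$Cred)
    New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Server`:$Port/$Dn", $Cred.UserName, $Cred.GetNetworkCredential().Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
}
# Returns 'readable' or 'not readable: <reason>'; a denied or invisible object raises an exception.
function Test-AdamRead {
    param([string]$Dn, [System.Management.Automation.PSCredential]$Cred)
    $entry = New-AdamEntry $Dn $Cred
    try     { $entry.RefreshCache(); 'readable' }
    catch   { 'not readable: ' + $_.Exception.GetBaseException().Message }
    finally { $entry.Dispose() }
}

$adminCred  = Get-Credential "$Domain\adamadmin"    # ADAM Admin domain user account
$clientCred = Get-Credential "$Domain\adamclient"   # ADAM Client domain user account (placeholder name)

# The configuration naming context is read from RootDSE instead of pasting the GUID by hand.
$rootDse  = New-AdamEntry 'RootDSE' $adminCred
$configDn = $rootDse.Properties['configurationNamingContext'].Value
$rootDse.Dispose()

$checks = @(
    @{ Who = 'admin';  Cred = $adminCred;  Dn = $configDn;                                    Expect = 'readable' }
    @{ Who = 'admin';  Cred = $adminCred;  Dn = $Partition;                                   Expect = 'readable' }
    @{ Who = 'admin';  Cred = $adminCred;  Dn = "OU=AdminsStore,$Partition";                  Expect = 'readable' }
    @{ Who = 'client'; Cred = $clientCred; Dn = $configDn;                                    Expect = 'readable' }
    @{ Who = 'client'; Cred = $clientCred; Dn = $Partition;                                   Expect = 'readable' }
    @{ Who = 'client'; Cred = $clientCred; Dn = "OU=EncryptionAnywhereComputers,$Partition";  Expect = 'readable' }
    @{ Who = 'client'; Cred = $clientCred; Dn = "OU=AdminsStore,$Partition";                  Expect = 'not readable' }  # the deny ACE
)
$failed = 0
foreach ($c in $checks) {
    $result = Test-AdamRead $c.Dn $c.Cred
    $ok = $result -like "$($c.Expect)*"
    if (-not $ok) { $failed++ }
    Write-Host ("{0,-4} {1,-7} {2,-60} {3}" -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $c.Who, $c.Dn, $result)
}
if ($failed) { throw "$failed verification check(s) failed" }
```

A FAIL on the last line means the ADAM Client account can still read AdminsStore, so the deny from the Access Permissions section did not take effect on this instance; a FAIL on the configuration context for the client account usually means the GUID used in the last dsacls grant did not match the instance.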

      Preparing the Configuration Context

      Setting up multiple sites for replication on separate network subnets is covered in the Symantec Endpoint Encryption Installation Guide on page 38.