securing your endpoints - prosoft...

safend Securing Your Endpoints SAFEND SUPPORT KNOWLEDGE BASE DOCUMENT February 2009


    1. Table of Contents

    2. Introduction
    3. Safend Protector Client
    3.1. Safend Protector Client architecture
    3.2. Support logs
    3.3. Troubleshooting Guidelines
    3.4. Safend Protector Client Support Solutions
    3.4.1. Clients not sending logs back to the Safend Server
    3.4.2. Pointing the installation to the SCC file
    3.4.3. Uninstalling the Safend Protector Client via startup script
    3.4.4. Silent install of a client
    3.4.5. The message "The Client Configuration file does not contain a valid policy." shows up when installing Safend Protector Client
    3.4.6. Installing the Safend Protector Client by a startup script with elevated privileges
    3.4.7. How to activate an ETL when using the offline access utility (when a client is not installed) Version 3.2, 3.3
    3.4.8. Sonic DLA burning not supported by Safend Protector
    3.4.9. Cleanup utility for the Safend Protector Client
    3.4.10. Using the Registry To Check If A Policy Was Updated
    3.4.11. Client stops sending logs to the server when disabling the sprotector service
    3.4.12. Bubble notifications are not displayed for Safend Protector Events
    3.4.13. Client installation fails instantly with an error message requesting to reboot
    3.4.14. Safend Trigger commands - alternatives to "update policy" and "collect logs" WMI commands
    3.4.15. Changing the Safend Protector Client installation method
    3.4.16. User or Computer Policy Uninstall Password
    3.4.17. Changing the Safend Protector Balloon Message Display Time
    3.4.18. Installing Safend Protector Client to a Non-Default Folder
    4. Safend Protector Management Server
    4.1. Safend Protector Management Server architecture
    4.2. Support logs
    4.3. Troubleshooting Guidelines
    4.4. Safend Protector Management Server Support Solutions
    4.4.1. How to configure the Websense integration
    4.4.2. How to change the synchronization interval between AD and the Management Server
    4.4.3. How to use the log restore tool in versions 3.2 GA2 and 3.2 GA3
    4.4.4. How to use the log restore tool in version 3.2 GA1


    4.4.5. How to obtain and change the base policy in 3.3
    4.4.6. How to manually remove the Management Server and Console
    4.4.7. How to view the lower levels of the organizational tree in 3.3 console when the directory tree has many levels
    4.4.8. Suspension password identified as wrong when entered to the client
    4.4.9. Using the HW fingerprint tool when changing server's hardware
    4.4.10. Time format conflict in the DB
    4.4.11. Upgrade Path from Safend Protector 2.0 to 3.3
    4.4.12. Reducing the Logs Trace Level for the Safend Server
    4.4.13. Alerts on client installation are not received in version 3.3 SP1
    4.4.14. Restoring a server with Content Inspection fails
    4.4.15. Disabling IIS Logs (to prevent accumulation of large log files)
    4.4.16. Role Based access does not function
    4.4.17. When changing the server certificate to an organizational certificate, logs are not sent
    4.4.18. Changing source name when sending Safend alerts to the Event Viewer
    4.4.19. IIS diagnostics tool
    4.4.20. User Permissions for the Safend Server
    4.4.21. Unable to publish a policy and a specific error appears in the Domain Service log
    5. Safend DB
    5.1. Safend Protector Client Support Solutions
    5.1.1. Policy not applied due to the small size of the DB column "Groups"
    5.1.2. Restoring missing MySQL index files
    5.1.3. Repairing corrupted MySQL index files
    5.1.4. Changing external DB user, password and authentication method (domain) while connected to Protector
    5.1.5. Replacing the DB which is used by Safend Protector Management Server
    5.1.6. When using MsSQL DB User cannot save policies, run queries, change settings or logs are not saved.
    5.1.7. When using MsSQL DB User cannot connect to the server
    5.1.8. When using MsSQL DB the installation cannot create the DB
    5.1.9. When using MsSQL DB performing DB related actions causes console freeze.
    6. Safend Protector Management Console
    6.1. Support logs
    6.2. Troubleshooting Guidelines


    6.3. Safend Protector Management Console Solutions
    6.3.1. When trying to log-in to the console, the error message "user is not in the authorized user group" appears
    6.3.2. How to login to the console without entering the password each time
    6.3.3. Cannot use WMI commands from 3.3 console if MsSQL installed with windows authentication
    6.3.4. Cannot open the console after upgrade to 3.3 or a fresh install, with an error message of access denied to reports folder
    6.3.5. When using role based permissions user can't publish policies
    6.3.6. When using role based permissions user can't associate policies
    6.3.7. Console cannot be opened due to Local and Domain Services fail with "System.Security.Cryptography.CryptographicException - Access is denied" in the logs
    6.3.8. Enabling WMI commands via Safend Protector
    7. Safend Auditor
    7.1. Troubleshooting Guidelines
    7.2. Safend Auditor Support Solutions
    7.2.1. Safend Auditor Command Line Parameters
    7.2.2. Enabling Safend Auditor Debugging logs (Note: the logs are cryptic and no one except a developer with the code in front of him can understand them)
    7.2.3. Safend Auditor installation fails with DVOM registration errors
    7.2.4. Opening ports on Windows Firewall for the Safend Auditor
    7.2.5. Auditing a Remote Domain with the Safend Auditor
    7.2.6. There is no response when clicking "View Excel"
    7.2.7. Error received when attempting to view the Excel report of the Auditor scan
    7.2.8. Auditor report with connection time and data transfer
    7.2.9. Local machine cannot be found in Auditor report
    7.2.10. Safend Auditor fails to audit certain remote machines
    7.2.11. Error message received when attempting to view HTML report of Auditor scan
    7.2.12. Safend Auditor Graphic Report Procedure for MS Excel
    7.2.13. The Safend Auditor Scanning Method and Network bandwidth information
    7.2.14. Where is the Auditor key located in the registry?
    7.2.15. The Safend Auditor creates new user profiles on the audited machines
    7.2.16. The Auditor seems not to detect remote devices when working via VPN
    7.2.17. The Auditor is unreachable when right-clicking on a machine in the Clients World and choosing to Audit Devices.


    8. Safend Reporter
    8.1. Safend Reporter Support Solutions
    8.1.1. Internet Explorer Error message when running any report on Safend server 3.3 SP2
    8.1.2. Required IE settings for Safend reporter
    9. Safend Encryptor
    9.1. Safend Encryptor Support Solutions
    9.1.1. Internal hard disk encryption doesn't get applied to the client due to publishing backup compatible policies
    9.1.2. After encrypting the HD of a machine, shared folders which are located on this machine cannot be accessed from another machine
    9.1.3. In Encryptor 2.0, how to copy the reset code & the one time access code from Encryptor login screen
    10. Implementation
    10.1. Implementation Support Solutions
    10.1.1. Implementation in non directory environments
    10.1.2. Environment Requirements Estimates for the Safend Protector
    10.1.3. Resolving and Identifying GPO Errors
    10.1.4. Building Protector Policy per Security Group (GPO policy distribution)
    10.1.5. Enabling Verbose logging for GPO installations


    2. Introduction:

    The Support knowledge base document provides common troubleshooting guidelines for Safend products.

    It also includes support solutions for each Safend component.

    This document covers the basic knowledge that every certified Safend engineer should have when managing or supporting Safend products.

    For any further information feel free to contact us at [email protected]


    3. Safend Protector Client

    3.1. Safend Protector Client architecture

    - Safend Protector consists of User and Kernel mode components.

    The Manager of all components is the SimonPro.exe process.

    Safend runs a service on the endpoint - SProtector.exe.

    The GUI process is Simba.exe.

    Safend Protector Emergency Clean-up utility (SPEC) is located under \Windows\System32\SPEC.exe.

    3.2. Support logs

    - Installation Logs:

    An Event Trace Log (ETL) is automatically created during the installation process in the installation directory (\program files\safend\safend protector client\)

    A file called Sinta.log is created in \Windows\temp\ directory

    An MSI installer log can be created when installing the Safend client using the following syntax: msiexec /i SafendProtectorClient.msi /l* [filename]

    Client operation logs

    To debug a certain issue, you need to create an ETL file and Policy XML files.

    - Creation of an ETL file:

    Open regedit

    Go to HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector\Input

    Add a new dword called dll and assign it with the value 3

    A file with ETL extension will be created in the installation directory (\program files\safend\safend protector client\)

    Reproduce the issue scenario

    Change the dword value to 0

    Creation of Policy XML files:

    Open regedit

    Go to HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector\Input

    Add a new dword called dll and assign it with the value 4

    From the client GUI press Policy Update

    Policy XML files will be created in the installation directory (\program files\safend\safend protector client\)

    Change the dword value to 0

    - Creating a memory dump:

    In cases of a BSOD, a full memory dump is needed in order to investigate the cause of the issue.

    Configure a full memory dump via My Computer -> Properties -> Advanced -> Startup and Recovery -> Settings -> Write debugging information -> select Complete memory dump.


    A BSOD memory dump can be opened with the Windows Debugging Tools (windbg) to determine the probable cause of the BSOD.

    Send the dump to Safend Support with the needed information.

    3.3. Troubleshooting Guidelines

    - When investigating an issue regarding the Safend Protector Client, most issues fall under the following categories:

    Safend Client fails to install/uninstall

    Safend Client fails to send logs back to the Safend Server.

    Safend Client fails to receive/apply policies.

    Safend Client handles a device incorrectly.

    Safend Client conflicts with other software/BSOD.

    - Safend Client Fails to Install/Uninstall

    - When you encounter installation/uninstall issues, the following needs to be performed:


    Try the installation process again.

    Try the installation process on a different machine.

    Try to completely remove the Safend Client using the SPEC utility and run the installation process again.

    If one of the above was successful, the differences between the two attempts must be inspected. Examples of differences between installation attempts:

    The new machine is in a different domain.

    A specific machine had environmental issues.

    There are different security configurations on the machine.

    The SPEC utility removed random corruptions that were previously on the machine.

    - Safend Client Fails to Send Logs/ Receive Policies to/from the Safend Server

    - When the client is not sending logs or receiving policies the following needs to be verified:

    Check that Safend Server services are running and that the websites are up.

    Check the Policy web service and event web service logs for indications of the source of the problem.

    Try to browse Safend web services:

    https://[ServerName]:443/SafendProtector/EventSinkWebService.cs.asmx

    https://[ServerName]:443/SafendProtector/PolicyWebService.cs.asmx


    Use the SC commands: sc control SafendPS 222 (logs) / 225 (policies) / 228 (OTP)

    Create an ETL file.

    - Safend Client handles a device incorrectly

    - When the client does not handle a device correctly, the following needs to be verified:

    Search for the relevant log in the management console: how is the device identified (device type, port)?

    Is it a composite device, i.e., is it identified as several devices by the OS?

    Is the correct policy applied properly?

    Is the policy configured properly? Was the device added/removed from the white list?

    When auditing the device, does it appear correctly (as it appears in the policy)?

    - Safend Client conflict with 3rd party software / BSOD

    - When a conflict occurs between the Safend Client and 3rd party software, the following should be verified:

    Is this a system/environment issue?

    Is this the latest version/driver of the 3rd party software?

    What are the exact steps that caused the issue to occur?

    - When a BSOD occurs with the Safend Client, the following should be verified:

    Is this a system/environment issue?

    Which driver was shown as the probable cause for the BSOD?

    What are the exact steps that caused the issue to occur?

    Create a full memory dump and send it to Safend support with the needed information.


    3.4. Safend Protector Client Support Solutions

    3.4.1. Clients not sending logs back to the Safend Server

    NEED:

    In some cases, installed Safend Protector Clients do not succeed in sending logs back to the Safend Server. This is usually due to environment definitions that block the log transfer to the Safend Server.

    RESOLUTION:

    In order to identify the issue and resolve it, please verify the following:

    a) The policy you created is applied on the Client.

    b) The Server is up and running (accessible by the Console).

    c) Try pinging the Server from the Client machine.

    d) Make sure the SSL port you use for the communication between the Server and the Clients (by default it is 443) is open on any firewall or port blocking application (either on the Client or on the Server).

    e) Try browsing (from the Client machine) to https://ServerName/SafendProtectorWS/EventSinkWebService.cs.asmx

    f) If all above is ok, please activate the Client logging: run regedit -> go to HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector on V3.1 or HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector\input on V3.2 -> create a new DWORD called Dll -> give it the value of 3.

    g) Run (on the Client machine) the following command: sc control SafendPS 222

    h) Change the DWORD value back to 0 to stop logging, and send [email protected] the Solog*.etl file created in the \Program Files\Safend\Safend Protector Client folder.
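    Steps c), d), f), g) and h) above can be run as one script so that client logging is never left switched on. This is an added example, not Safend's own tooling; the parameter names, the output folder and the wait time are assumptions, while the registry path, the Dll value, the SafendPS control code and the Solog*.etl location are taken from the steps above.

```powershell
# Added example (not part of the Safend product). Run elevated on the Client machine.
param(
    [Parameter(Mandatory = $true)]
    [string] $ServerName,                                            # your Safend Server host name
    [int]    $Port        = 443,                                     # default SSL port per step d)
    [string] $RegPath     = 'HKLM:\SOFTWARE\Safend\Protector\Input', # V3.2; on V3.1 use ...\Safend\Protector
    [string] $InstallDir  = "$env:ProgramFiles\Safend\Safend Protector Client",
    [string] $OutDir      = "$env:TEMP\SafendDiag",                  # assumed collection folder
    [int]    $WaitSeconds = 60                                       # assumed time to let the client try sending
)

$report = [ordered]@{ Server = $ServerName }

# c) Ping the Server from the Client machine.
$report.Ping = Test-Connection -ComputerName $ServerName -Count 2 -Quiet

# d) Check that the SSL port is reachable through any firewall (3 second timeout).
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $pending = $tcp.BeginConnect($ServerName, $Port, $null, $null)
    $report.PortOpen = $pending.AsyncWaitHandle.WaitOne(3000) -and $tcp.Connected
} catch {
    $report.PortOpen = $false
} finally {
    $tcp.Close()
}

if (-not (Test-Path $RegPath)) {
    throw "Registry key $RegPath not found; check the client version and installation."
}

try {
    # f) Dll = 3 activates client logging.
    New-ItemProperty -Path $RegPath -Name 'Dll' -PropertyType DWord -Value 3 -Force | Out-Null

    # g) Control code 222 triggers the log transfer. Use sc.exe explicitly:
    #    in Windows PowerShell, "sc" alone is an alias for Set-Content.
    & sc.exe control SafendPS 222 | Out-Null
    $report.ScExitCode = $LASTEXITCODE

    Start-Sleep -Seconds $WaitSeconds
} finally {
    # h) Always set the value back to 0, even if a step above failed,
    #    so verbose logging does not stay enabled on the endpoint.
    Set-ItemProperty -Path $RegPath -Name 'Dll' -Value 0
}

# h) Collect the Solog*.etl files for Safend Support.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$etl = @(Get-ChildItem -Path $InstallDir -Filter 'Solog*.etl' -ErrorAction SilentlyContinue)
$etl | Copy-Item -Destination $OutDir
$report.EtlFiles = $etl | ForEach-Object { $_.Name }
$report.Collected = $OutDir

[pscustomobject]$report
```

    A PortOpen value of False with Ping True points at step d), a firewall or port blocking application between the Client and the Server.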

    3.4.2. Pointing the installation to the SCC file

    NEED:

    To point the installation to the location of the SCC files.

    PROBLEM:

    The SCC file must be in the same directory as the installation file.

    SOLUTION:

    When running the client installation, a parameter can be specified to access the SCC file:

    msiexec /i safendprotectorclient.msi /standalone="[path to SCC]"


    3.4.3. Uninstalling the Safend Protector Client via startup script

    NEED:

    When uninstalling the Safend Protector client in a large environment, a method for performing mass un-installation is required. Below you will find instructions for executing such a method, using a GPO linked to a startup script which uninstalls the protector.

    RESOLUTION:

    Open Notepad and enter the following text:

    msiexec.exe /x "\\Servername\Path\SafendProtectorClient.msi" /qn UNINSTALL_PASSWORD="Password1"

    Where instead of Servername\Path you enter the machine name and path to the SafendProtectorClient.msi file used for the installation, and instead of "Password1" you enter the uninstall password defined for the client.

    Save this file as a .bat file. Note that the script contains the uninstall password in clear text, and the policy's Startup folder is readable by the machines and users the GPO applies to.

    In Active Directory, go to the relevant OU, click properties and create and link a new GPO which will contain the uninstall script.

    Once the GPO is created within the OU, right click it and select edit.

    In the Group Policy Management menu, go to "Computer configuration->Windows Settings->Scripts".

    Double click the startup script and select Add and Browse. This should open the policy's Startup folder from within the domain controller.

    Copy the script file to this location and click OK.

    Once this is done, restart the relevant machines in order for the startup script to run and remove Safend's Clients from them.

    keywords: command line, uninstall

    3.4.4. Silent install of a client

    NEED:

    When using silent installation one may want to prevent a reboot following the installation.

    RESOLUTION:

    The reboot is caused by two factors:

    1. Windows Installer requirement of reboot following the installation

    2. Safend client requirement of reboot following the installation

    Using the following command will suppress the reboot required by the Windows Installer:

    msiexec /i \\PathToFile\Share\SafendProtectorClient.msi /norestart REBOOT=ReallySuppress /qn

    * The /qn parameter causes a quiet installation without showing the UI.

    Performing the following changes will suppress the reboot required by the client:


    1. Open the clientconfig.scc file for editing

    2. Search for the string installmethod

    3. Change its value from 2 to 3

    3.4.5. The message "The Client Configuration file does not contain a valid policy." shows up when installing Safend Protector Client

    SYMPTOMS:

    On rare occasions, when trying to reinstall Safend Protector Client with a different user than the original installation, the following message will show up: "The Client Configuration file does not contain a valid policy."

    CAUSE:

    The user trying to access the encryption object doesn't have the appropriate privileges.

    SOLUTION:

    In such cases, perform the following:

    1. In order to run the Safend Protector Client installation as local machine please run the following command:

    at [time] /INTERACTIVE cmd

    Instead of [time] write the current time + 1 minute. For example: when time is 16:08 write 16:09.

    2. A local system window will open. Run the installation from there by writing the following:

    msiexec /I SafendProtectorClient.msi

    3.4.6. Installing the Safend Protector Client by a startup script with elevated privileges

    NEED:

    In some cases, it is not possible to implement the Safend Protector Client's installation process through a regular GPO package. In such cases, the installation must be implemented by a GPO with a startup script, and the administrator must enable elevated privileges for the end users.

    SOLUTION:

    1. Installing the Safend Protector Client with a startup script:

    Open Notepad and enter the following text:

    msiexec.exe /i "\\Servername\Path\SafendProtectorClient.msi" /qn

    Replace Servername\Path with the machine name and path to the SafendProtectorClient.msi file used for the installation. Make sure the folder containing the msi is shared. Save this file as a .bat file.

    In Active Directory, go to the relevant OU, click Properties, and create and link a new GPO which will contain the installation script. Once the GPO is created within the OU, right-click it and select Edit. In the Group Policy Management menu, go to "Computer configuration->Windows Settings->Scripts". Double-click the startup script and select Add and Browse. This should open the policy's Startup folder from within the domain controller. Copy the script file to this location and click OK. Once this is done, restart the relevant machines in order for the startup script to run and install the Safend Client on them.

    2. Granting elevated privileges to non-administrator users:

    Following is an article by Microsoft pertaining to this issue:

    Important: This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs.

    SUMMARY:

    This article describes three methods by which an administrator can enable a non-administrator user to install managed Windows Installer applications. An application is called a "managed application" if elevated (system) privileges are used to install the application. A situation in which you might need to install a managed application is if you are installing an application on Windows NT or Windows 2000 and do not have administrative privileges on that computer. By using the following methods, an administrator can enable a non-administrator user to install managed applications.

    A) On a computer running Windows NT 4.0, Windows 2000, or Windows XP an administrator can set the AlwaysInstallElevated registry keys for both per-user and per-machine installations on the computer. If you want to make sure that all Windows Installer packages are installed with elevated (system) privileges, you must set the AlwaysInstallElevated value to "1" under the following registry keys:

    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

    WARNING: This particular method can open the computer to a security risk because once an administrator with elevated privileges has set these registry keys, non-administrator users can run installations with elevated privileges and access secure locations on the computer, such as the System folder or HKLM registry key.

    B) On Windows NT 4.0 or Windows 2000, an administrator can install or advertise the package on the computer for a per-machine installation (per-machine means that it will be available for all users of that computer). The Windows Installer always has elevated privileges while performing per-machine installations. The administrator uses elevated privileges to advertise the package. If a non-administrator user then installs the application, the installation can run with elevated privileges. Non-administrator users still cannot install unadvertised packages that require elevated system privileges.

    The following is an example of a command line used by an administrator doing a per-machine installation:

    msiexec -i c:\pathtofile\mypackage.msi ALLUSERS=1

    Here is an example of how the administrator would advertise the package on the computer per-machine:

    msiexec -jm c:\pathtofile\mypackage.msi

    For more information, see the Help topic "Advertisement" in the Windows Installer Platform SDK: http://msdn.microsoft.com/library/en-us/msi/setup/advertisement.asp

    C) On Windows 2000, an administrator can advertise an application on a user's computer by assigning or publishing the Windows Installer package using application deployment and Group Policy. The administrator uses elevated privileges to advertise the package per machine. If a non-administrator user then installs the application, the installation can run with elevated privileges. Non-administrator users still cannot install unadvertised packages that require elevated system privileges. For more information on Group Policy, see the "Introduction to Windows 2000 Group Policy" white paper: http://www.microsoft.com/windows2000/docs/GPIntro.doc

    These settings can also be set via GPO and not by directly opening the registry - the settings must be applied both for Machines and Users:

    - Computer Configuration>Administrative Templates>Windows Components>Windows Installer: Always install with elevated privileges (enabled/disabled; this policy must be set for the machine and the user to be enforced).
    - User Configuration>Administrative Templates>Windows Components>Windows Installer: Always install with elevated privileges (enabled/disabled; this policy must be set for the machine and the user to be enforced).

    Link to Microsoft documentation: http://support.microsoft.com/default.aspx?scid=kb;en-us;q259459

    Link to additional documentation for GPO configuration: http://lspservices.iupui.edu/docs/win2k/gpo_configurations.asp
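    The warning quoted above is the reason to audit this setting once the rollout is finished. The following PowerShell script is an added example, not part of the Safend or Microsoft text: it reports, for the machine and for every user hive currently loaded under HKEY_USERS, whether AlwaysInstallElevated is in force (both values set to 1). The function names are hypothetical.

```powershell
# Added example: audit of the AlwaysInstallElevated policy described above.
# Run from an elevated prompt so that other users' loaded hives can be read.

$InstallerPolicy = 'Software\Policies\Microsoft\Windows\Installer'

function Get-AieValue {
    # Returns the AlwaysInstallElevated value at $RegistryPath as an integer,
    # or $null when the key or the value does not exist.
    param([Parameter(Mandatory)][string]$RegistryPath)

    if (-not (Test-Path -LiteralPath $RegistryPath)) { return $null }
    $props = Get-ItemProperty -LiteralPath $RegistryPath -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    if ($props.PSObject.Properties.Name -notcontains 'AlwaysInstallElevated') { return $null }
    return [int]$props.AlwaysInstallElevated
}

function Get-AieReport {
    $machine = Get-AieValue "Registry::HKEY_LOCAL_MACHINE\$InstallerPolicy"

    # HKEY_CURRENT_USER is only the caller's hive; HKEY_USERS holds the hive of
    # every logged-on user. The *_Classes entries are not policy hives.
    $sids = Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { $_.PSChildName }

    foreach ($sid in $sids) {
        $user = Get-AieValue "Registry::HKEY_USERS\$sid\$InstallerPolicy"
        [pscustomobject]@{
            UserSid      = $sid
            MachineValue = $machine
            UserValue    = $user
            # In force only when both the machine and the user value are 1.
            InForce      = ($machine -eq 1 -and $user -eq 1)
        }
    }
}

$report = @(Get-AieReport)
$report | Format-Table -AutoSize

$exposed = @($report | Where-Object { $_.InForce })
if ($exposed.Count -gt 0) {
    Write-Warning ("AlwaysInstallElevated is in force for {0} loaded user hive(s)." -f $exposed.Count)
    exit 1
}
Write-Output 'AlwaysInstallElevated is not in force for any loaded user hive.'
exit 0
```

    Hives of users who are not logged on are not loaded under HKEY_USERS, so they are not covered by this report.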

    3.4.7. How to activate an ETL when using the offline access utility (when a client is not installed) Version 3.2, 3.3

    NEED:

    In some cases, there is a need to activate an ETL for the offline access utility (Access secure data).

    PROBLEM:

    An ETL cannot be activated in the ordinary way when a client is not installed, since the ETL requires the existence of a registry string that indicates the Client's installation path.

    SOLUTION:

    In order to activate the ETL when no Client is installed:

    1. Connect the encrypted device to the home machine.
    2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector
    3. Create a new String Value called InstallDir, and assign it the value "c:\Program Files\Safend\Safend Protector Client". This creates the registry string that indicates where the Client is installed (of course, the Client is not really installed; the above-mentioned path is a path created when running the Offline Access Utility).
    4. Now the ETL can be activated as usual.

    3.4.8. Sonic DLA burning not supported by Safend Protector

    QUESTION:

    Is the burning format used with the Sonic DLA software supported by the Safend Protector Client?

    ANSWER:

    The Sonic DLA software uses the UDF file system (which is supported by us) and the Packet writing burning format, which is not supported. Therefore, the Sonic DLA burning format is not supported by the Safend Protector Client, which means it will be blocked if the applied policy has the "Block unsupported burning formats" check box checked.

    From Roxio 09/20/07 3:10 PM

    Thank you for contacting Roxio Technical Support.

    Our apologies for the earlier agent's response. Please disregard it. Drag to Disk and DirectCD have been discontinued in version 10 of our software due to compatibility concerns. You should, however, be able to manage anything that they were able to do using version 10. Please tell us what you are trying to accomplish with them so that we may suggest other means of doing so.

    If the information provided does not resolve your issue, simply update your web ticket with a detailed explanation with the steps you have tried and any error messages you receive.

    Regards,
    Roxio Technical Support
    http://support.roxio.com

    Thank you for your comments and we appreciate the feedback

    More information can be found at:

    http://forums.support.roxio.com/lofiversion/index.php/t28374.html

    3.4.9. Cleanup utility for the Safend Protector Client

    NEED:

    In some very rare cases, the Safend Protector Client installation may fail, rendering the Safend Protector Client unable to function. In such cases, an alternate way of removing the Safend Protector Client is needed.

    RESOLUTION:

    The Safend Protector Emergency Cleanup utility - SPEC, is used to uninstall the Safend Protector Client in Cleanup Mode. Once unzipped, it is ready for use, and requires only a link to the ClientConfig.scc file and the global uninstall password.

    If any of these details are not available, we will be able to generate a machine-specific Cleanup key according to the Cleanup Token, provided by the utility. Please contact [email protected] and request the SPEC utility and the cleanup key for your machine's token.

    Remember! This is more of a last resort for cleaning up the protector when nothing else can be done. Usually, we would want to get to the bottom of why the crash happened so we will be able to improve the Safend protector to be able to cope with such situations in the future.

    In version 3.2 and above, the Spec.exe utility is located in the windows\system32 directory.

    3.4.10. Using the Registry To Check If A Policy Was Updated

    QUESTION:

    I would like to integrate a third party tool in order to distribute policy registry files to the end point. I would like to have an indication that the policy was indeed updated.

    ANSWER:

    The registry key HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector\LastPolicyUpdate is a 4-byte key that contains the time at which the policy was last updated. You can use this key to check for policy updates.

    The key "LastPolicyUpdate" is set to indicate that a policy was pulled from the GPO, without consideration of whether the content of the policy was updated. As the computer pulls policies on startup, it will show an update when the computer is restarted, even though the content of the policy has not changed.

    3.4.11. Client stops sending logs to the server when disabling the Sprotector service

    PROBLEM:

    When using local admin credentials, disabling the Sprotector service and then closing it, the Safend client stops sending logs to the server.

    SOLUTION:

    The mentioned behavior of the client is according to the product design. Be advised that the only effect of the procedure on the Safend client is that it will not send logs until the next time it is loaded. All other parameters of the client are set exactly as they were before the procedure. All ports, devices, storage devices, files, etc. will act exactly as they acted before the procedure. Please notice that usually a user in an organization will not receive local admin rights on machines, so this shouldn't be a major issue.

    3.4.12. Bubble notifications are not displayed for Safend Protector Events

    SYMPTOM:

    After installing the Safend Protector Client, Event Messages (Pop Up Messages) for device/port actions do not appear.

    CAUSE:

    Windows registry settings have disabled Balloon Tips for the machine.

    SOLUTION:

    Make sure that in the registry, under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, there is no DWORD key named EnableBalloonTips. If it exists, simply delete it.

    Another simple way to control the balloons is by using a Microsoft power tool called TweakUI (the tool can be downloaded from http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx). The option to allow balloon tips in TweakUI can be found in the Taskbar and Start Menu option and is called Enable balloon tips.

    3.4.13. Client installation fails instantly with an error message requesting to reboot

    SYMPTOM:

    When trying to install the Protector Client, installation fails instantly and the following error message is received:

    Safend Protector Client
    Please reboot before starting the Install process

    If a reboot is indeed performed, the same error message is received again. Additionally, the sinta.log file (located in the windows\temp folder) will contain only the following entries:

    [installation Date and time] = Localize installation
    [installation Date and time] = **********************************
    [installation Date and time] = Started Install Process. [version and build number]

    CAUSE:

    A Client was installed on the machine in the past, or the Offline Access Utility was used on the machine in the past. For some reason, remnants of this were left in the system, and so the current installation process behaves as if a Client is currently installed.

    SOLUTION:

    Running the SPEC utility will clear any remnants of a previous Client installation or Offline Access Utility use. Note that the SPEC utility used must be of the same version as, or of a later version than, the previous Client or Offline Access Utility.

    3.4.14. Safend Trigger commands - alternatives to "update policy" and "collect logs" WMI commands

    NEED:

    In cases where the WMI commands from the management console are not working, it is possible to trigger management commands (update policy, send logs etc.) to the Protector Client from the command line.

    SOLUTION:

    The SC command (supplied with Windows XP or higher) can be used to specifically trigger our process for the following actions.

    Send logs now! (without waiting for the interval):

    sc control SafendPS 222

    Update policy from the GPO (similar to gpupdate /force, but specific to our product and faster):

    sc control SafendPS 223

    Update policy from REG file:

    sc control SafendPS 225

    Force InitOTP (In case Client will not accept any passwords, or server will not generate them):

    sc control SafendPS 228

    For Windows 2000 machines, this command can be run remotely (for example: sc \\ComputerName control SafendPS 223).
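    The trigger codes above can be combined with the LastPolicyUpdate check from section 3.4.10 to confirm that a policy distributed as a REG file was picked up. The following PowerShell script is an added example, not Safend code; it assumes that LastPolicyUpdate is a value under HKLM:\SOFTWARE\Safend\Protector, that the distribution tool has already imported the policy REG file, and that trigger 225 refreshes the value. The function names are hypothetical.

```powershell
# Added example, not Safend code. Assumptions: LastPolicyUpdate is a value
# under HKLM:\SOFTWARE\Safend\Protector, and the policy .reg file has already
# been imported by the distribution tool before this script runs.

$ProtectorKey = 'HKLM:\SOFTWARE\Safend\Protector'

function Get-LastPolicyUpdate {
    # Returns the raw value as a string for comparison, or $null if absent.
    # The value is compared, not decoded: the page does not give its encoding.
    $props = Get-ItemProperty -LiteralPath $ProtectorKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    if ($props.PSObject.Properties.Name -notcontains 'LastPolicyUpdate') { return $null }
    $raw = $props.LastPolicyUpdate
    if ($raw -is [byte[]]) { return [BitConverter]::ToString($raw) }  # REG_BINARY
    return [string]$raw                                                # REG_DWORD
}

function Wait-PolicyPull {
    # Polls until the value differs from $Before; returns the new value,
    # or $null when the timeout expires without a change.
    param(
        [AllowNull()][AllowEmptyString()][string]$Before,
        [int]$TimeoutSeconds = 120,
        [int]$PollSeconds = 5
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $current = Get-LastPolicyUpdate
        if ($null -ne $current -and $current -ne $Before) { return $current }
        Start-Sleep -Seconds $PollSeconds
    }
    return $null
}

$before = Get-LastPolicyUpdate

# "sc" alone is an alias for Set-Content in Windows PowerShell; call sc.exe.
& sc.exe control SafendPS 225 | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Error "sc.exe control SafendPS 225 failed with exit code $LASTEXITCODE"
    exit 2
}

$after = Wait-PolicyPull -Before $before
if ($null -eq $after) {
    Write-Warning 'LastPolicyUpdate did not change within the timeout.'
    exit 1
}

# Per section 3.4.10, a change shows that a policy was pulled, not that its
# content differs from the previous policy.
Write-Output "LastPolicyUpdate changed from '$before' to '$after'."
exit 0
```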

    3.4.15. Changing the Safend Protector Client installation method

    NEED:

    During the installation of the Safend Protector Client, the installer will go through a process of restarting all the devices in order to make sure its drivers are effective immediately after the installation without the need for a reboot. The default installation method might take a few minutes to complete, depending on the number of connected devices. Additionally, the administrator should consider a momentary network disconnection during this phase. In case the administrator would like to avoid this, a simple parameter may be added to the Safend Protector Client Configuration file (ClientConfig.scc).

    RESOLUTION:

    In order to configure the installation method, open the ClientConfig.scc file, which is created using the Safend Protector Management Console, and add the following lines:

    [InstallParams]
    InstallMethod=x

    where x is the option parameter as listed below:

    InstallMethod=0
    This is the default method (as if no parameter is added at all). During the installation process all the ports and devices are restarted. If one of the devices has failed to restart, the user is prompted to reboot.

    InstallMethod=1
    During the installation process, all the ports and devices are restarted. The user is not prompted to reboot, even if one of the devices has failed to restart. It is important to note that the endpoint will not be fully protected by the Safend Protector Client until the system restarts. It is the responsibility of the system administrator to schedule this system restart.

    InstallMethod=2
    During the installation process, none of the ports or devices are restarted. At the end of the installation, the user is always prompted to reboot.

    InstallMethod=3
    During the installation process none of the ports or devices are restarted. The user is not prompted to reboot. It is important to note that the endpoint will not be fully protected by the Safend Protector until the user restarts the computer. It is the responsibility of the system administrator to schedule this system restart.

    3.4.16. User or Computer Policy Uninstall Password

    QUESTION:

    If I set a different Uninstall Password for the Computer policies and the User policies, which password should I use to uninstall the Safend Protector Client?

    ANSWER:

    There are three scenarios that can be recognized in this situation:

    1. The endpoint computer was installed with the Safend Protector. A COMPUTER policy was either applied or not. The current policy is applied for the logged on USER. The Safend Protector is uninstalled manually.
       ==> The uninstall password is the one set in the USER policy.
    2. The endpoint computer was installed with the Safend Protector. A COMPUTER policy was never applied. There is currently no logged on user, so the default policy, as set in the Client Configuration file, is applied. (This is the situation if the uninstall process is taking place through Active Directory.)
       ==> The uninstall password is the Global uninstall password as it is set for the COMPUTER.
    3. The machine was installed with the Safend Protector. A COMPUTER policy was applied. There is currently no logged on user, so the COMPUTER policy is applied.
       ==> The uninstall password is the one set in the COMPUTER policy.

    3.4.17. Changing the Safend Protector Balloon Message Display Time

    QUESTION:

    Can the "User Message Balloon" display time be controlled?

    ANSWER:

    The parameter for the Balloon Tips display time in Windows XP can be found in the registry, in: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify. The DWORD entry called BalloonTip is set by default to the value of 3 (seconds). Change its value to control the display time of the Balloon Tips.

    Some information pertaining to the Balloon Tips of the Safend Protector can be controlled through the Default Agent Policy (the Default Agent Policy is a file that contains some parameters that are not hard-coded into the Protector, but are also not exposed to the user. It is possible to update the Default Agent Policy if necessary). These parameters are the number of seconds that the Protector processes wait between balloons and the number of seconds between the last notification and the icon returning to its idle mode. In order to change the Default Agent Policy, please contact [email protected].

    3.4.18. Installing Safend Protector Client to a Non-Default Folder

    NEED:

    Is it possible to install the Safend Protector Client silently as a GPO to a folder or drive which is not the default installation path?

    SOLUTION:

    Yes, it is possible to install the client to a specified directory, but the installation needs to be done using a start-up script, instead of a package installation. The process is as follows:

    1. For the OU on which you would like to install, go to the OU Properties, Group Policy tab.
    2. Create a new Group Policy, and give it a name, then click Edit to open the Group Policy Editor
    3. Go to Computer Configuration > Windows Settings and select Start-up > Script
    4. Click the Show Files button and create a new text document containing the following command: msiexec.exe /i "\\

    4. Safend Protector Management Server

    4.1. Safend Protector Management Server architecture

    - The Safend server contains three services:

      - Safend protector DB
      - Safend protector domain service
      - Safend protector local service

    These services should start when starting the server (by default, the services are running after server installation).

    The Safend server uses the IIS application for communication between its components:

      - Server - Clients (Safend Protector Web Site WS)
      - Server - Management Consoles (Safend Protector Web Site)

    The IIS web site processes are visible in the Windows Task Manager (W3WP).

    4.2. Support logs

    - Safend Protector Server Logging

    When investigating Safend Server issues, the Server trace logs will provide valuable information.

    Each of the different Safend Protector Server components writes a separate log file.

    The relevant Server logs reside under the following folders:

    \Program Files\Safend\Safend Protector\Management Server\logs

    C:\Temp\bin\log

    4.3. Troubleshooting Guidelines

    - Safend Protector Server Fails to Install/Upgrade/Uninstall

    - When the installation/uninstall process fails, the following needs to be verified:

      - Were all Safend Server prerequisites met (please find the prerequisites at the end of the presentation)?
      - Are there any security hardenings that can block the installation?
      - Did the user account used during installation have the appropriate credentials:
        - Local administrator
        - Domain account from your Active Directory that can control clients via WMI. We recommend using an account with domain administrator privileges.
        - When you use an external DB (MS-SQL), DB creator credentials are required.
      - Are there any remnants of a previously installed Server?
        - Verify that Safend services do not exist
        - Verify that Safend Web sites do not exist
        - Verify that the Safend Protector folder does not exist under Program Files=>Safend
        - Under \program files\common files\safend, unregister and delete the dll files in case they exist.

    - Safend Protector Server Fails to Initialize

    - When the Safend Protector Server fails to initialize, the following must be verified:

      - Were there any hardware changes to the Server computer? HW changes will change the machine fingerprint and you will need to use the HW fingerprint tool.
      - Verify that no security policy was applied to the machine.
      - Were the Server User credentials (the user supplied during installation) changed (password\permissions etc.)?
      - Was the Server DB user changed in any way?
      - Are there any errors in the event viewer logs?

    - When investigating an issue regarding the Safend Protector Server, most issues fall under the following categories:

    - Safend Protector Server fails to install/upgrade/uninstall

    - Safend Protector Server fails to initialize.

    4.4. Safend Protector Management Server Support Solutions

    4.4.1. How to configure the Websense integration

    NEED:

    Installation of Safend Protector integrated with Websense.

    SOLUTION:

    In all Safend versions
    -----------------------------

    To install Safend Protector with Websense integration, steps should be performed on both servers.

    Websense server:

    1.1 Click on configuration -> system modules
    1.2 Click the add button
    1.3 Choose agent type: endpoint server
    1.4 Enter Safend Server FQDN
    1.5 Enter a password (this password will be used when installing Websense files on Safend's server)
    1.6 The endpoint server entry should be displayed in the system modules screen.
    1.7 A new file called CPS.MSI should be created

    Safend server:

    2.1 Copy CPS.exe to Safend server
    2.2 Run CPS.MSI
    2.3 Choose an installation directory
    2.4 Select agents only installation
    2.5 Click on the endpoint support icon, then press next
    2.6 Provide the IP address for the CPS server and enter the one time password defined on the CPS server (step 5 above)
    2.7 Press install

    Websense server:

    3.1 Press deploy settings

    Safend server:

    4.1 Press okay
    4.2 Conf.xml file will be created in the directory defined during the installation

    Safend console:

    5.1 Open the console
    5.2 Enter a license key (that includes Websense integration)
    5.3 Go to tools -> administration
    5.4 Choose the content inspection panel
    5.5 Check the "integrate with a 3rd Party Content Inspection Solution" checkbox
    5.6 Browse to the Conf.xml file

    5.7 Click show details
    5.8 Click OK to apply the content inspection flag to all policies

    To verify that the policy was indeed applied, check the content inspection status in the client GUI.

    Addition to Safend Protector version 3.3 and above
    --------------------------------------------------------------------

    Since in version 3.3 and above the Safend client automatically encrypts the files sent to the server (for inspection or shadowing; inspection in this case), the files are sent encrypted to the Websense server as well. The Websense server cannot decrypt these files, and therefore they become inaccessible. Replacing a DLL on the Safend server will cause the files not to be encrypted on the client side, and therefore will prevent the problem on Websense's side.

    In order to replace the relevant DLL:

    1. Stop the Safend Local service
    2. Kill the W3WP process. If multiple instances of the process exist, all of them should be killed
    3. Go to \program files\safend\safend protector\Management server\bin and replace the Backend.Server.dll file with the modified one. The modified DLL for server version 3.3 build 30270 is attached to this solution. For any other server version, a DLL should be created by the Safend team.
    4. Restart the Safend Local service.

    Note: There are additional KBs describing the replacement of the Backend.Server.dll for different purposes. Be advised that the Safend R&D team should be consulted if more than one of the issues fixed by this replacement is manifested in the same server, since one replacement will cancel the other.

    4.4.2. How to change the synchronization interval between AD and the Management Server

    Note: Please be advised that changing the synchronization interval is not recommended. It can overload the Management Server's machine and Active Directory, and it creates a load on the network. (This solution is only relevant for versions up to version 3.2 GA3.)

    NEED:

    Sometimes customers want to change the synchronization interval between AD and the Management Server. By default the interval is set to 8 hours, which may not be enough.

    SOLUTION:

    The following steps should be performed on the server machine:

    1. Stop Safend services - Domain, Local, Broadcast if version 3.2 is used.
    2. Kill the w3wp process (check for multiple instances, kill all of them).
    3. Open with notepad the following file for edit : C:\Program Files\Safend\Safend Protector\Management server\servercconfig.xml
    4. Search for the following line :
    5. A few lines beneath it you will find the line: . Change the number to your desired interval in hours, please use whole numbers.
    6. Save the changes and close the file.
    7. Start the Safend services - Broadcast if version 3.2 is used, Local; wait for the Domain service to be restarted.

    4.4.3. How to use the log restore tool in versions 3.2 GA2 and 3.2 GA3

    Note: This KB article is valid only for versions 3.2 GA2 and 3.2 GA3. for version 3.2.19275

    NEED:

    Sometimes a need to restore a Safend Log Back (SLB) arises.

    PROBLEM:

    There is no import option in the server for the backed up logs. An external tool exists to perform this action.

    SOLUTION:

    Running the following command will restore all the information from a backup file to the DB.

    *Please note that this action will delete all the current logs from the server.

    1. Rename the ".slb" file to ".slb.Zip"
    2. Double-click and open the ".slb.zip" file
    3. Change the value inside the version.txt file from 3200 to 3210 for GA2 or 3220 for GA3 and save.
    4. Rename the ".slb.zip" back to ".slb"
    5. Stop Safend services, leave the DB service running.
    6. Run:

       RestoreTool.exe restore -backupFile "[backup file]"

       where backupFile is case sensitive and [backup file] points to the actual file location

    Note: The log restore tool cannot be used for restoration of logs from 3.2 version to 3.3 version due to a change in the log structure in 3.3.X.

    4.4.4. How to use the log restore tool in version 3.2 GA1

    Note: This KB article is valid only for version 3.2.19275

    NEED:

    Sometimes a need to restore a Safend Log Back (SLB) arises.

    PROBLEM:

    There is no import option in the server for the backed up logs. An external tool exists to perform this action.

    SOLUTION:

    Running the following command will restore all the information from a backup file to the DB.

    *Please note that this action will delete all the current logs from the server.

    1. Stop Safend services, leave the DB service running
    2. In cmd, run the following:

       RestoreTool.exe restore -backupFile "[backup file]"

       where [backup file] points to the actual file location

    4.4.5. How to obtain and change the base policy in 3.3

    Note: This solution should be carried out only in collaboration with Safend support.

    NEED:

    For different reasons, one may need to obtain the base policy and change it. In 3.2, the base policy is one or two XML file/s located under the server Bin directory - defaultAgentPolicy.xml and/or defaultAgentPolicy.en-us.xml. In version 3.3, the base policy cannot be found in the one or two XML file/s, since they do not exist; the base policy in 3.3 is a table in the database, which cannot be reached directly.

    SOLUTION:

    1. How to obtain the base policy:

    To obtain the base policy in 3.3, one should run the SPAdmin tool in the following way:

    a. Open Run / CMD
    b. Type in the following (this is case sensitive):

       "C:\Program Files\Safend\Safend Protector\Management Server\bin\SPAdmin.exe" -updateconfig -getfile defaultagentpolicy.en-US [EnterAnyPath]:\[EnterAnyFilename].txt

    c. Run the string. This will result in a .txt file with the name and path entered. This .txt is a reflection of the base policy.

    2. How to change the base policy:

    After modifying and saving the .txt as required and with caution (again, please review KB00000177 as mentioned above), in order to apply the changes to the base policy (since this .txt is only a reflection), one should perform the following:

    a. Stop the Local service, kill the w3wp process.
    b. Open Run / CMD
    c. Type in the following (this is case sensitive):

       "C:\Program Files\Safend\Safend Protector\Management Server\bin\SPAdmin.exe" -updateconfig -setfile defaultagentpolicy.en-US [PathOfTheTxtFile]:\[TxtFilename].txt

    d. Run the string.
    e. Restart the above-mentioned services


    4.4.6. How to manually remove the Management Server and Console

    NEED: Sometimes, the Safend Protector Management Server and Console need to be uninstalled. The following solution is required for scenarios in which you cannot successfully uninstall the Server and/or the Console using the Add/Remove Programs menu.

    SOLUTION:

    There are 3 methods of removing the Safend Protector Server and Console. Use the methods in the order in which they appear in this solution, so that the cleanest possible removal is achieved.

    Method #1: Using the msiexec /x command
    ------------------------------------------------------------
    1. Download the Msiinv tool from Microsoft MSDN. Extract it to c:\ or any other path.
    2. In cmd, run the following command:
       c:\msiinv\msiinv.exe -p > c:\msiinv_output.txt
       You may change the path to msiinv.exe according to the previous step, and the path of the .txt to any other path desired. This will create a .txt file which contains a list of the programs installed on the machine according to the Windows Installer.
    3. Open c:\msiinv_output.txt and locate the Safend Server and/or Console entries. Copy the GUID of the Product Code from the server and/or console entries. The GUID appears in the following format: 77BFE295-D7B7-4AF0-AF15-D14AF646AAE7. Make sure to copy the Product Code and not the Package Code.
    4. In the run/cmd prompt, run the following command:
       msiexec /x {Product Code}
       where the Product Code is the GUID you previously copied. Make sure to use the curly braces.
    5. If you removed the Server/Console and also need to remove the Console/Server, perform the previous step again with the proper GUID (again, make sure to use the curly braces).
    6. Note that if an external DB was used with the server, the SafendProtector schema remains in the DB, as it does when uninstalling the server properly (using Add/Remove Programs). Altering the schema can be performed by the DBA, an action that is not supported by Safend.

    Method #2: Using the MSIzap tool
    -----------------------------------------------
    1. Download the Msiinv tool from Microsoft MSDN. Extract it to c:\ or any other path.
    2. In the cmd prompt, run the following command:
       c:\msiinv\msiinv.exe -p > c:\msiinv_output.txt
       You may change the path to msiinv.exe according to the previous step, and the path of the .txt to any other path desired. This will create a .txt file which contains a list of the programs installed on the machine according to the Windows Installer.
    3. Open c:\msiinv_output.txt and locate the Safend Server and/or Console entries. Copy the GUID of the Product Code from the server and/or console entries. The GUID appears in the following format: 77BFE295-D7B7-4AF0-AF15-D14AF646AAE7. Make sure to copy the Product Code and not the Package Code.
    4. Download the SmartMSIZap tool.
    5. Extract the tool to c:\ or any other path.


    6. From the cmd prompt, run the following (the path may differ according to where you extracted the tool):
       c:\smartmsizap.exe /p {product_code}
       where the Product Code is the GUID you previously copied from the Msiinv tool. Make sure to use the curly braces.
    7. If you removed the Server/Console and also need to remove the Console/Server, perform the previous step again with the proper GUID (again, make sure to use the curly braces).
    8. Note that if an external DB was used with the server, the SafendProtector schema remains in the DB, as it does when uninstalling the server properly (using Add/Remove Programs). Altering the schema can be performed by the DBA, an action that is not supported by Safend.

    Method #3: Server removal only* - "Aggressive" deletion of Safend Server components
    ------------------------------------------------------------
    1. Stop the Safend services: Domain, Local, Broadcast (in 3.2 and below), DB (if an internal DB is used).
    2. Kill the w3wp.exe process (if more than one exists, kill all of the duplicates).
    3. Delete the Safend websites: in the Internet Information Services (IIS) snap-in in Computer Management, delete the "Safend Protector Web Site" and the "Safend Protector Web Site WS".
    4. Delete the Safend services in the following order. Note that for version 3.3, the Broadcast service doesn't need to be deleted since it doesn't exist. Also note that if an external DB was used, the Safend Protector DB service doesn't need to be deleted since it doesn't exist.
       a. In cmd type:
          sc delete "safend.protector.admin.app.managementserver.broadcastservice"
          Press enter, and if the service was deleted successfully, the following line will appear: SC [DeleteService] SUCCESS.
       b. In cmd type:
          sc delete "safend protector db"
          Press enter, and if the service was deleted successfully, the following line will appear: SC [DeleteService] SUCCESS.
       c. In cmd type:
          sc delete "safend.protector.admin.app.managementserver.domainservice"
          Press enter, and if the service was deleted successfully, the following line will appear: SC [DeleteService] SUCCESS.
       d. In cmd type:
          sc delete "safend.protector.admin.app.managementserver.localservice"
          Press enter, and if the service was deleted successfully, the following line will appear: SC [DeleteService] SUCCESS.
    5. Go to the server's installation path, and change the name of the folder "management server" to "management server old" or any other name.
    6. Note that if an external DB was used with the server, the SafendProtector schema remains in the DB, as it does when uninstalling the server properly (using Add/Remove Programs). Altering the schema can be performed by the DBA, an action that is not supported by Safend.

    * Method #3 does not relate to the removal of the console. The console can always be removed using method #1 or #2.
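
    Step 3 of Methods #1 and #2 depends on picking the Product Code rather than the Package Code out of the msiinv output. The PowerShell below is an added example, not part of the Safend document: it extracts the Product Code of every entry whose name matches "Safend" and prints the msiexec /x line with the curly braces in place, without running it. The msiinv output layout, the sample GUIDs and the helper name Get-MsiinvProductCode are assumptions made for this example.

```powershell
# Constructed sample of "msiinv.exe -p" output. Assumed layout: product name on
# an unindented line, indented "Field: value" lines below it. GUIDs are made up.
$sample = @'
Safend Protector Management Server
    Product code:   {11111111-2222-3333-4444-555555555555}
    Product state:  (5) Installed.
    Package code:   {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}

Unrelated Product
    Product code:   {99999999-8888-7777-6666-555555555555}
    Package code:   {12345678-1234-1234-1234-123456789ABC}

Safend Protector Management Console
    Product code:   66666666-7777-8888-9999-000000000000
    Package code:   {FFFFFFFF-0000-1111-2222-333333333333}
'@

# Hypothetical helper: returns one object per matching product entry.
function Get-MsiinvProductCode {
    param([string[]]$Lines, [string]$NamePattern = 'Safend')

    $guid    = '[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
    # Only "Product code" lines qualify; "Package code" lines never match.
    # The braces are optional because the page shows the GUID without them.
    $codeRx  = '^\s+Product code:\s*\{?(' + $guid + ')\}?\s*$'
    $product = $null

    foreach ($line in $Lines) {
        if ($line -match '^\S') {
            $product = $line.Trim()          # unindented line starts a new entry
            continue
        }
        if ($product -and $line -match $codeRx) {
            $code = $Matches[1].ToUpper()    # save before the next -match resets $Matches
            if ($product -match $NamePattern) {
                [pscustomobject]@{
                    Product     = $product
                    ProductCode = '{' + $code + '}'
                    Command     = 'msiexec /x {' + $code + '}'
                }
            }
        }
    }
}

# Run against the constructed sample; the commands are printed, not executed.
Get-MsiinvProductCode -Lines ($sample -split '\r?\n') | Format-List

# Against the real file from step 2:
#   Get-MsiinvProductCode -Lines (Get-Content c:\msiinv_output.txt) | Format-List
```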


    4.4.7. How to view the lower levels of the organizational tree in 3.3 console when the directory tree has many levels

    SYMPTOM:

    In environments where the directory tree has many levels in its hierarchy, around 7 levels and above, only the few highest levels can be seen in the console when browsing the organizational tree in the Clients world or in other places where the organizational tree is displayed.

    CAUSE:

    The component in the console that displays the organizational tree is a 3rd party component integrated into the console. This component has a performance issue that causes long delays when trying to display a directory tree that has many OUs under the root level. In version 3.3, in order to improve performance, the console has been configured to automatically create "virtual containers", each of which contains a certain number of OUs. These containers are relevant for the display only and are, of course, not created in the domain controller. In this way, the loading time of the organizational tree decreases significantly. However, because of the way they work, the virtual containers prevent the display of the lower levels of the directory tree in trees with many levels.

    SOLUTION:

    It is possible to increase the number of OUs each virtual container contains, thus virtually disabling the function of virtual containers. This is done by modifying the consoleconfig.xml file. Note that if multiple consoles are used (remote consoles), the modification should be performed for each and every console.
    1. Close the console and kill the W3WP process. In case multiple instances of the process exist, kill all of them.
    2. Go to C:\Program Files\Safend\Safend Protector\Management Console\ManagementConsole and open the consoleconfig.xml file for editing.
    3. Search the following item: 200
    4. Change the value of "200" to a very large number, such as "100000".
    5. Save the consoleconfig.xml and exit.
    6. Open the console and check if the lower levels of the organizational tree are displayed now.


    4.4.8. Suspension password identified as wrong when entered to the client

    SYMPTOM:

    The one time suspension password (OTP) generated from the console in order to suspend the client's action is identified as a wrong password when entered in the Client's GUI.

    SOLUTION:

    The steps below should be followed in order to identify and solve the source of this issue:

    1. If the password was typed and not copied: Make sure it was entered in uppercase and not in lowercase, since the suspension passwords are always in uppercase.

    2. If this password was entered in lowercase twice or more in the specific client: Neither the password in question nor any newly generated password will be accepted, since the suspension mechanism has been locked. In order to release the suspension mechanism, the OTP pool should be regenerated (InitOTP). This is done by running the following command on the client machine:
       sc control SafendPS 228
       As an alternative to this command, in version 3.3 the OTP pool can be regenerated from the console using a WMI command from the clients world, by right-clicking the client/s and choosing "InitOTP". Please refer to "KB00000123 - Forceful Initialization of OTP (InitOTP)" for further information regarding the OTP pool initialization process.

    3. If this password was always entered in uppercase in the specific client:

    a. It is possible the OTP pool was exhausted. In order to regenerate it, use the following command:
       sc control SafendPS 228
       As an alternative to this command, in version 3.3 the OTP pool can be regenerated from the console using a WMI command from the clients world, by right-clicking the client/s and choosing "InitOTP". Please refer to "KB00000123 - Forceful Initialization of OTP (InitOTP)" for further information regarding the OTP pool initialization process.

    b. If regenerating the OTP pool didn't help, make sure the client can browse to the OTPWebService page in the SafendProtectorWS website. The address of the OTPWebService page is:
       https://[ServerName]/SafendProtectorWS/OTPWebService.cs.asmx
       Successful browsing will result in an approval page (since the connection is made through SSL).

    c. If the client can browse successfully to the OTPWebService page, examine and escalate the OTPWebService server log, and activate an .etl while performing the command:
       sc control SafendPS 228


    4.4.9. Using the HW fingerprint tool when changing server's hardware

    NEED: Sometimes a change to the server hardware needs to be performed. This solution also applies when changing a VM workstation.

    PROBLEM: Every piece of hardware has a unique fingerprint that Safend uses for certification. When you change the server machine's hardware, the HW fingerprint changes automatically. The mismatch between the HW fingerprint stored in the Safend server configuration and the machine's new fingerprint causes a collision that prevents the server from running.

    SOLUTION: After changing the hardware, perform the following steps:
    - If running, stop the server's services in the following order: Broadcast, Local and Domain.
    - Run the attached Hardware Fingerprint Tool (after renaming the file's extension back to zip) in order to reset the license.
    - When running the HW Tool, if a message window pops up regarding an invalid key, click "no" to return to defaults, and send the new fingerprint to Safend support.
    - Restart the services: Broadcast, Local and Domain.
    - If running, kill the IIS processes: w3wp.
    - Reopen Safend Protector Console.

    4.4.10. Time format conflict in the DB

    *Note: this KB article contains changes to DLL files which are part of the Safend system; applying this article incorrectly may cause the server to become dysfunctional. If you are unsure of how to do it, please contact Safend support.

    SYMPTOM

    In 3.2, in an MS SQL environment, when trying to change global policy settings an error message appears regarding the regional time/date format. The problem also appears while trying to save a policy. While trying to enter the logging tab in the policy world, the console crashes, followed by an "internal error message".

    CAUSE

    One of the definitions of the regional settings is different on the console machine, the server machine or the MS-SQL machine. The server doesn't know how to handle different date/time formats (the problem is fixed in 3.3).

    SOLUTION


    This issue is resolved in version 3.3 and above. Also, if 3.2 GA3 is used, a resolution is possible by replacing one of the dll files. Follow these instructions:

    1. When installing a new server, use the GA3 installation; following the install you will need to replace the Admin.Utils.GeneralUtils.dll with the new one we gave you.

    2. The dll should be replaced as follows:
       a. Stop the Safend services (stopping the Safend broadcast service will stop the domain and the local as well).
       b. Copy the Admin.Utils.GeneralUtils.dll to < Safend\Safend Protector\Management Server\bin >; this will overwrite the existing dll file.
       c. Then copy this dll file to the management console installation folders on every running console on the system (on the web session we have only replaced the dll on the local console on the server machine). The dll should be replaced in the console installation folder as follows:
          - Copy the dll to < \Safend\Safend Protector\Management Console >; this will overwrite the existing dll.
          - Copy the dll to < \Safend\Safend Protector\Management Console\ManagementConsole >; this will overwrite the existing dll.
       d. Open the command line window and go to the server bin path.
       e. Run the following command:
          SPAdmin /updateconfig /getfile globalPolicyBody
          (The getfile command retrieves the value of the globalPolicyBody item in the serverconfig DB table.)
          Note: The item name is case sensitive, so please pay attention when running the command.
       f. A file is created with the name "temp.xml". Open it and look for the problematic string (look for the word false and then change the problematic separators to " : " separators). Save the file.
       g. Run the following command:
          SPAdmin /updateconfig /setfile globalPolicyBody
          (The setfile command stores the file contents in the globalPolicyBody item in the serverconfig DB table.)
       h. Stop Safend services, kill W3Wp processes.
       i. Replace the dll files in the management console and console updater.
       j. Turn on Safend Services.

       Once the change has been made for the existing components, it must also be made in the installation package so that new consoles will include this change. In order to replace the Admin.Utils.GeneralUtils.dll in the management console install package, please perform the following:
       1. Under < \Safend\Safend Protector\Management Server\consoleUpdater > you will find the console.zip file, which includes the actual console install files that are used upon the console installation.
       2. Extract the console.zip folder to any destination.
       3. After extracting console.zip, copy Admin.Utils.GeneralUtils.dll to the extracted folder. This will overwrite the existing Admin.Utils.GeneralUtils.dll.
       4. Compress the extracted console folder, which includes the new dll, and name it console.zip.
       5. Copy console.zip to < \Safend\Safend Protector\Management Server\consoleUpdater > and overwrite the existing console.zip from before the change of the .dll.
       6. After performing all the replacements of the dll, please start the Safend server services again (start the broadcast, then the local and finally the domain service), then kill the w3wp process and then start the console.

    3. Please note that this issue will only happen when there is a difference between the regional settings of at least one of the console machines or the server, and not in every environment. This fix is included in version 3.3.

    4. In addition, for fixing the problem after it happens using the SPAdmin tool:
       a. Open the command line window and go to the server bin path.
       b. Run the following command:
          SPAdmin /updateconfig /getfile globalPolicyBody
          (The getfile command retrieves the value of the globalPolicyBody item in the serverconfig DB table.)
          Note: The item name is case sensitive, so please pay attention when running the command.
       c. A file is created with the name "temp.xml". Open it and look for the problematic string (look for false and then change the problematic separators to " : " separators). Save the file.
       d. Run the following command:
          SPAdmin /updateconfig /setfile globalPolicyBody
          (The setfile command stores the file contents in the globalPolicyBody item in the serverconfig DB table.)
       e. Stop Safend services, kill W3Wp processes.
       f. Replace the dll files in the management console and console updater.
       g. Turn on Safend Services.

    4.4.11. Upgrade Path from Safend Protector 2.0 to 3.3

    NEED: At some customer sites, version 2.0 of the Safend Protector is installed, and an upgrade path to version 3.3 is needed.

    RESOLUTION: No direct upgrade path is available from 2.0 to 3.2. The current options for moving from version 2.0 to 3.3 are:
    a) Uninstalling version 2.0 (Management Tools and Clients) and installing version 3.3
    b) Upgrading version 2.0 to version 3.1 (Server and Clients), and then upgrading version 3.1 to 3.3

    To upgrade your Safend Protector from V2.0 to V3.1:
    1. Export your current V2.0 policies manually using the Policy Builder.
    2. Place the Safend Protector V2.0 datasource.smc file in the same folder as the ManagementServer.msi file (this is the temporary folder into which the Self Extractor opens the installation files - C:\Temp). The .smc file is placed in the System Configuration folder that you created while installing your first Management Tools in V2.0.
    3. Install the Safend Protector Management Server.
    4. Edit the exported .spl file, and go to:
       ProtectorPolicy -> Body -> uiPolicy -> Security -> restrictedPorts -> deviceApproval -> detailedPolicy -> deviceTypes
       Add the value: At the bottom of the list.
    5. Import the policies that you exported manually into Safend Protector Management Console.
    6. Upgrade the Safend Clients to version 3.1.


    4.4.12. Reducing the Logs Trace Level for the Safend Server

    NEED: By default the Safend Protector Server logs are set to DEBUG level, which records every Server action, in order to have the most detailed logging for any investigation needed. In most environments, this level of logging is not necessary, and should be changed in order to reduce the server resources needed for log writing.

    SOLUTION: To reduce the logs' detail level, open serverconfig.xml for editing (the file is located at \Program Files\Safend\Safend Protector\Management Server\). For each of the Server services (domainservice, broadcastservice, localService, managementServer, eventSinkWebService, otpWebService, consoleUpdaterSite, consoleUpdaterManifestsGenerator) edit the "TraceLevel" item. By default it is set to "Debug". The values for this item are:
    1) Debug - full logging for each event.
    2) Warning - logging for Warnings and above.
    3) Error - logging for Errors only.
    Setting the TraceLevel to Error produces the least logging and reduces the load on the Server resources.
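
    After editing eight separate entries by hand, it is worth confirming which services actually ended up at which level, since each reduced level also reduces the detail available to a later investigation. The PowerShell below is an added example, not a Safend tool: it reports the TraceLevel found for each service named above and flags entries that are missing, still at Debug, or set to a value outside the three listed. The XML layout of the sample is an assumption (the page does not show the real structure of serverconfig.xml), and Get-TraceLevelReport is a hypothetical helper name.

```powershell
# Constructed stand-in for serverconfig.xml. The real file's layout is not
# shown in this document; the sample assumes one element per service that
# carries TraceLevel either as an attribute or as a child element.
$sample = @'
<serverConfig>
  <domainservice TraceLevel="Error" />
  <broadcastservice TraceLevel="Debug" />
  <localService><TraceLevel>Warning</TraceLevel></localService>
  <managementServer TraceLevel="Verbose" />
  <eventSinkWebService TraceLevel="Error" />
  <otpWebService />
  <consoleUpdaterSite TraceLevel="Error" />
</serverConfig>
'@

# Service names and permitted values exactly as listed in section 4.4.12.
$services = 'domainservice', 'broadcastservice', 'localService', 'managementServer',
            'eventSinkWebService', 'otpWebService', 'consoleUpdaterSite',
            'consoleUpdaterManifestsGenerator'
$allowed  = 'Debug', 'Warning', 'Error'

# Hypothetical helper: one report row per expected service.
function Get-TraceLevelReport {
    param([xml]$Config, [string[]]$Services, [string[]]$Allowed)

    $upper = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    $lower = $upper.ToLower()

    foreach ($svc in $Services) {
        # Find the service element by name anywhere in the tree, ignoring case.
        $xpath = "//*[translate(local-name(), '$upper', '$lower') = '$($svc.ToLower())']"
        $node  = $Config.SelectSingleNode($xpath)
        $level = $null

        if ($node) {
            # Accept TraceLevel as an attribute or as a child element.
            $level = $node.GetAttribute('TraceLevel')
            if (-not $level) {
                $child = $node.SelectSingleNode('TraceLevel')
                if ($child) { $level = $child.InnerText.Trim() }
            }
        }

        if (-not $node)                        { $status = 'service entry not found' }
        elseif (-not $level)                   { $status = 'no TraceLevel set' }
        elseif ($Allowed -notcontains $level)  { $status = 'unrecognised value' }
        elseif ($level -eq 'Debug')            { $status = 'still at default Debug' }
        else                                   { $status = 'reduced' }

        [pscustomobject]@{ Service = $svc; TraceLevel = $level; Status = $status }
    }
}

Get-TraceLevelReport -Config $sample -Services $services -Allowed $allowed |
    Format-Table -AutoSize

# Against the real file (path as given in this section, drive letter assumed):
#   $cfg = Get-Content -Raw 'C:\Program Files\Safend\Safend Protector\Management Server\serverconfig.xml'
#   Get-TraceLevelReport -Config $cfg -Services $services -Allowed $allowed
```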

    4.4.13. Alerts on client installation are not received in version 3.3 SP1

    Note: This solution should be done only in collaboration with Safend support.

    SYMPTOM:

    Alerts on client installation are not received in version 3.3 SP1. The logs for the client installation are received though. This happens even after performing the proper procedure for generating this type of alert: defining that this type of event should generate an alert under Tools --> Global Policy Settings --> Alerts, then recreating the .scc file and using it to install / upgrade clients.

    CAUSE:

    Generally, the .scc file contains the global policy settings that exist when the file is being generated; consequently, these settings will be included in the initial policy a client receives. In 3.3 SP1, the definition of alert on client installation events doesn't get into the .scc file, and so the initial policy doesn't contain this definition and the alerts are not generated.

    SOLUTION:

    In 3.3 SP1, a number of files are to be replaced on the server and on the console(s) in order to make the .scc file receive the client installation definition from the global policy settings. Extract the attached RAR to a temporary folder. The RAR file contains two folders: Management Console (contains one DLL file) and Management Server (contains a few DLL files).

    Replacing the DLLs for the server, local console and future remote consoles:
    ------------------------------------------------------------
    1. On the server machine, close the console and stop the 2 Safend services: Domain service and Local service.
    2. Copy the DLLs from the Management Server folder in the temporary folder to the folder C:\Program Files\Safend\Safend Protector\Management Server\bin. Replace all existing files.
    3. Copy the DLL from the Management Console folder in the temporary folder to the folder C:\Program Files\Safend\Safend Protector\Management Console\ManagementConsole. Replace the existing file.
    4. Copy the DLL from the Management Console folder in the temporary folder to the following zip: C:\Program Files\Safend\Safend Protector\