Endpoint Encryption 6.0 Patch 1 includes backwards compatibility to manage all 5.0
versions of Endpoint Encryption as well as authenticate and perform
commands on legacy agents (3.1.3 and earlier). Endpoint Encryption
uses a different architecture for 3.1.3 and earlier agents than for 5.0 and later agents,
so Endpoint Encryption requires different traffic forwarding services to
manage communications between agents and servers.
The Endpoint Encryption Proxy manages the following services:
| Service | Description |
|---|---|
| Traffic Forwarding Service | The Traffic Forwarding Service directs network traffic between Endpoint Encryption 5.0 and later agents and PolicyServer residing in different local area networks. Endpoint Encryption 5.0 and later agents communicate using REST. The Traffic Forwarding Service sits between the agents and PolicyServer to prevent insecure policy access. The Traffic Forwarding Service installer configures the TMEEForward service that runs on the Endpoint Encryption Proxy endpoint. |
| Client Web Service | The Client Web Service directs traffic between legacy Endpoint Encryption agents (3.1.3 and earlier) and PolicyServer residing in different local area networks. Legacy Endpoint Encryption agents communicate using SOAP. The Client Web Service sits between the legacy Endpoint Encryption agents and the PolicyServer Windows Service to prevent insecure policy access. The Client Web Service installer configures the MAWebService2 (Legacy Web Service), which is the same Microsoft IIS service installed by the PolicyServer installer in environments that do not use a proxy. |
Configuring Traffic Forwarding Services
To create a network topology that includes endpoints of different versions,
separately deploy services to an endpoint residing in the network DMZ, and configure
PolicyServer safely behind a firewall. Install the Endpoint Encryption proxy on the separate endpoint to
direct and filter traffic between Endpoint Encryption
agents and PolicyServer.
For an example network scenario including legacy agents, see Deployment Including Legacy Agents.
The Endpoint Encryption proxy has the following requirements:
- Traffic Forwarding Service and Client Web Service may not be deployed on the same endpoint as PolicyServer.
- The default port for the Traffic Forwarding Service is 8080. The default port for the Client Web Service is 80.
- In environments using both new and legacy Endpoint Encryption agents, configure different ports for Traffic Forwarding Service and Client Web Service.
Procedure
- Copy the PolicyServer installation folder to the local hard drive.
- Go to the path <installation folder>\TMEE_PolicyServer\Tools\Optional Installations\TMEEProxy Installer and run TMEEProxyInstaller.exe.
  The welcome screen appears.
- Click Continue.
  The Endpoint Encryption proxy installer analyzes the endpoint.
- Specify the PolicyServer IP address or host name and the port number of the Endpoint Encryption service.
- Click Continue.
  The installation begins. Wait for the Endpoint Encryption proxy to install.
- After installation completes, note the IP address and port number displayed in the installation screen.
  This IP address and port will be used in agent installation.
- Click Finish.
- Verify the Client Web Service installation.
  - Go to .
    The Internet Information Services (IIS) Manager screen appears.
  - Find the previously configured site location.
  - Verify that MAWebService2 is configured.
    Client Web Service is installed.
- Verify the Traffic Forwarding Service installation.
  - Go to .
    The Services screen appears.
  - Verify that TMEEForward service has started.
    Traffic Forwarding Service is installed.
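The two verification steps above can also be scripted; the following is an added example written for this page, not Trend Micro tooling, and is meant to be saved as a script and run on the proxy endpoint. It assumes an elevated PowerShell session, the IIS WebAdministration module, Get-NetTCPConnection (Windows Server 2012 or later), and that MAWebService2 appears as an IIS site name or application path; the parameter names and the New-Check helper are hypothetical.

```powershell
# Added example: post-install check, run elevated on the Endpoint Encryption proxy endpoint.
param(
    [int]$ForwardPort = 8080,  # Traffic Forwarding Service port (default stated on this page)
    [int]$LegacyPort  = 80     # Client Web Service port (default stated on this page)
)

# Hypothetical helper: one result row per check.
function New-Check($Name, [bool]$Passed, $Detail) {
    [pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail }
}
$results = @()

# 1. The TMEEForward service must exist and be running.
$svc = Get-Service -Name 'TMEEForward' -ErrorAction SilentlyContinue
$svcDetail = if ($svc) { "status: $($svc.Status)" } else { 'service not found' }
$results += New-Check 'TMEEForward running' ($svc -and $svc.Status -eq 'Running') $svcDetail

# 2. MAWebService2 must be configured in IIS.
# Assumption: it shows up as a site name or an application path.
Import-Module WebAdministration -ErrorAction Stop
$hits  = @(Get-Website | Where-Object { $_.Name -like '*MAWebService2*' } |
           ForEach-Object { "site $($_.Name)" })
$hits += @(Get-WebApplication | Where-Object { $_.Path -like '*MAWebService2*' } |
           ForEach-Object { "application $($_.Path)" })
$iisDetail = if ($hits) { $hits -join '; ' } else { 'not found in IIS' }
$results += New-Check 'MAWebService2 configured' ($hits.Count -gt 0) $iisDetail

# 3. Each service port must have a listener on this endpoint.
$ports = [ordered]@{
    'Traffic Forwarding Service' = $ForwardPort
    'Client Web Service'         = $LegacyPort
}
foreach ($entry in $ports.GetEnumerator()) {
    $listener = Get-NetTCPConnection -State Listen -LocalPort $entry.Value -ErrorAction SilentlyContinue
    $results += New-Check "$($entry.Key) listening" ($null -ne $listener) "TCP port $($entry.Value)"
}

# 4. With both new and legacy agents in use, the two services need different ports.
$results += New-Check 'Distinct service ports' ($ForwardPort -ne $LegacyPort) "$ForwardPort vs $LegacyPort"

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { exit 1 }
```

If the proxy was installed with non-default ports, pass the values noted on the installation screen as -ForwardPort and -LegacyPort.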
Note: After installation, Full Disk Encryption and File Encryption agents
start to use the network configuration provided during installation.
If there is a possibility that agent endpoints may be migrated to a
different server or network during their use, consider providing the PolicyServer
FQDN instead of the IP address during installation. FQDN offers more options in
working with network configurations.
After installing the Endpoint Encryption proxy, use the PolicyServer
FQDN when setting up new installations of Full Disk Encryption and File
Encryption. The Endpoint Encryption proxy bridges the connection to
PolicyServer, and enables devices to connect even when they are outside the
network.
Depending on the DNS server type, configure the PolicyServer FQDN as
follows: