http://docs.trendmicro.com/en-us/enterprise/cloud-app-encryption-foroffice-365.aspx



Trend Micro Incorporated reserves the right to make changes to this document and to the cloud service described herein without notice. Before installing and using the cloud service, review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at:

http://docs.trendmicro.com/en-us/enterprise/cloud-app-encryption-foroffice-365.aspx

2015 Trend Micro Incorporated. All Rights Reserved.

Trend Micro, the Trend Micro t-ball logo, and Cloud App Encryption are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Document Part No.: APEM26769_141031
Release Date: February 2015
Protected by U.S. Patent No.: Patents pending.

This documentation introduces the main features of the cloud service and/or provides installation instructions for a production environment. Read through the documentation before installing or using the cloud service. Detailed information about how to use specific features within the cloud service may be available at the Trend Micro Online Help Center and/or the Trend Micro Knowledge Base. Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at docs@trendmicro.com. Evaluate this documentation on the following site: http://docs.trendmicro.com/en-us/survey.aspx

Trend Micro Cloud App Encryption for Office 365 Key Server Deployment Guide

Table of Contents

Preface
    Preface ... iii
    Documentation ... iv
    Audience ... iv
    Document Conventions ... v
    About Trend Micro ... vi

Chapter 1: Introduction
    Cloud App Encryption ... 1-2
    Cloud App Encryption Key Server ... 1-2
    Deployment Overview ... 1-4

Chapter 2: Requirements
    System Requirements ... 2-2
    Port Requirements ... 2-3

Chapter 3: Deployment
    Deployment Process ... 3-2
    Best Practices for Deployment ... 3-2
    Installing the Cloud App Encryption Key Server Operating System ... 3-3
    Configuring the Key Management Environment ... 3-13
    Important Note ... 3-14

Chapter 4: Integration
    Locating the Public Certificate File ... 4-2
    Enabling / Disabling SSH ... 4-2
    Public Certificate Example ... 4-3
    Integrating with Cloud App Encryption for Office 365 ... 4-5

Chapter 5: Key Maintenance
    Destroying Keys ... 5-2
    Destroying the Encryption Key ... 5-2
    Encryption Key Backup and Restore ... 5-3
    Creating an Encryption Key Backup ... 5-3
    Restoring an Encryption Key from a Backup ... 5-3
    Unreachable Keys ... 5-5

Appendix A: Command Line Interface
    Using the CLI ... A-2
    Entering the CLI ... A-2
    Command Line Interface Commands ... A-3
    CLI Command Reference ... A-3

Appendix B: Additional Resources
    Console and Proxy Addresses by Region ... B-2

Appendix C: Glossary

Index
    Index ... IN-1

Preface

Welcome to the Trend Micro Cloud App Encryption Key Server Deployment Guide. This guide explains how to deploy Cloud App Encryption Key Server in your environment on-premises and then integrate it as a Key Management Interoperability Protocol (KMIP) server with Cloud App Encryption for Office 365 in the cloud.

Documentation

The documentation set for Cloud App Encryption for Office 365 includes the following:

TABLE 1. Product Documentation

Cloud App Encryption Key Server Deployment Guide: Explains how to deploy Cloud App Encryption Key Server in your environment on-premises and then integrate it with Cloud App Security for Office 365 in the cloud.

Third-Party KMIP Server Integration Guide: Explains how to integrate a third-party Key Management Interoperability Protocol (KMIP) server with Cloud App Security for Office 365 in the cloud.

Online Help: Web-based documentation that is accessible from the Cloud App Encryption management console. The Online Help contains explanations of Cloud App Encryption components and features, as well as procedures needed to configure Cloud App Encryption.

Support Portal: The Support Portal is an online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Support Portal, go to the following website: http://esupport.trendmicro.com

View and download Cloud App Encryption documentation from the Trend Micro Documentation Center: http://docs.trendmicro.com/en-us/enterprise/cloud-app-security-for-office-365.aspx

Audience

The Cloud App Encryption for Office 365 documentation is written for IT administrators and security analysts. The documentation assumes that the reader has an in-depth knowledge of networking and information security, including the following topics:

    Network topologies
    Email routing
    SMTP
    Encryption fundamentals

The documentation does not assume the reader has any knowledge of sandbox environments or threat event correlation.

Document Conventions

The documentation uses the following conventions:

TABLE 2. Document Conventions

UPPER CASE: Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Bold: Menus and menu commands, command buttons, tabs, and options
Italics: References to other documents
Monospace: Sample command lines, program code, web URLs, file names, and program output
Navigation > Path: The navigation path to reach a particular screen. For example, File > Save means click File and then click Save on the interface.
Note: Configuration notes
Tip: Recommendations or suggestions

Important: Information regarding required or default configuration settings and product limitations
WARNING!: Critical actions and configuration options

About Trend Micro

As a global leader in cloud security, Trend Micro develops Internet content security and threat management solutions that make the world safe for businesses and consumers to exchange digital information. With over 20 years of experience, Trend Micro provides top-ranked client, server, and cloud-based solutions that stop threats faster and protect data in physical, virtual, and cloud environments. As new threats and vulnerabilities emerge, Trend Micro remains committed to helping customers secure data, ensure compliance, reduce costs, and safeguard business integrity. For more information, visit: http://www.trendmicro.com

Trend Micro and the Trend Micro t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.

Chapter 1: Introduction

Cloud App Encryption

Trend Micro Cloud App Encryption keeps Office 365 data private through independent email encryption. By integrating cloud-to-cloud with Microsoft Office 365, Cloud App Encryption requires no email traffic rerouting and transparently preserves user and administrative functionality.

Cloud App Encryption Key Server

Cloud App Encryption Key Server enhances Cloud App Encryption for Office 365 by separately managing the encryption keys for Exchange Online. Deploy Cloud App Encryption Key Server to keep ownership and control of the keys that protect your data. Cloud App Encryption Key Server controls the encryption key lifecycle, including encryption key creation and destruction. Cloud App Encryption Key Server also supports backing up and restoring encryption keys to save configurations or to migrate a configuration to another server.

The following illustration shows the network topology after deploying Cloud App Encryption Key Server on-premises.

FIGURE 1-1. Trend Micro Cloud App Encryption Key Server

Note: Cloud App Encryption Key Server uses the Key Management Interoperability Protocol (KMIP). KMIP is an open standard communication protocol between key management systems (servers) and encryption systems (clients). By separating key management from the applications that use the keys, KMIP lets the keys be managed independently, in the cloud or on-premises, while the encryption itself is performed in the cloud. The KMIP effort is governed by the Organization for the Advancement of Structured Information Standards (OASIS). For details, see https://www.oasis-open.org/committees/kmip/charter.php.

Deployment Overview

Procedure

1. Review the requirements. Learn about the system requirements and port information. See Requirements on page 2-1.

2. Configure the Cloud App Encryption Key Server environment. Install the operating system, create a certificate, and configure additional settings. See Deployment Process on page 3-2.

3. Integrate with Cloud App Encryption. Specify the Cloud App Encryption Key Server IP address, port, and public server certificate information in the Cloud App Encryption console. See Integration on page 4-1.

Chapter 2: Requirements

System Requirements

The following table provides the recommended and minimum system requirements for running Cloud App Encryption Key Server.

TABLE 2-1. System Requirements

Hypervisor: VMware ESXi 5.0 or 5.1
Operating System: A separate operating system is not required. Cloud App Encryption Key Server provides a self-contained installation using the CentOS Linux operating system. This dedicated operating system installs with Cloud App Encryption Key Server.
CPU: Recommended: four virtual cores. Minimum: two virtual cores.
Memory: Recommended: 2 GB RAM. Minimum: 1 GB RAM.
Disk Space: Recommended: 200 GB. Minimum: 100 GB.
    Note: The Cloud App Encryption Key Server installation program automatically partitions the detected disk space as per recommended Linux practices.
Monitor: Monitor that supports 800 x 600 resolution with 256 colors or higher.

Port Requirements

The following table shows the port required by Cloud App Encryption Key Server and its purpose.

TABLE 2-2. Ports used by Cloud App Encryption for Office 365

Port: 5696
Protocol: KMIP
Function: Listening
Purpose: Allow connections from Trend Micro Cloud App Encryption for Office 365 for key requests and other commands.

The connection on this port is initiated by the Trend Micro cloud service and terminates on the key server: the key server listens, and your perimeter firewall must permit inbound TCP 5696 from the Trend Micro service to it. Nothing else needs to reach this port, so limit the rule to that source where your firewall allows it. KMIP on port 5696 runs inside TLS, which is why the server certificate configured in Chapter 3 is required and why its public part must later be pasted into the Cloud App Encryption console.
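The Note in Chapter 1 describes KMIP as the protocol between the cloud service (client) and the key server, and the table above gives its port. As an added example, not code from Trend Micro or from the key server, the following Python builds the KMIP request a client sends to fetch a key and parses it back, using the TTLV (Tag, Type, Length, Value) wire encoding that crosses TCP port 5696 inside the TLS session. The tag, type and enumeration constants are taken from the OASIS KMIP 1.x specification; the key identifier kmip-key-0001 is a constructed sample, and the TLS connection itself is not opened here.

```python
"""Added example (not Trend Micro code): encode and decode a KMIP 1.x Get
request in TTLV form.  Constants are from the OASIS KMIP 1.x specification;
the key identifier used below is a constructed sample."""
import struct

# KMIP TTLV item types (KMIP 1.x, section 9.1.1.2)
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07

# Tags (KMIP 1.x, section 9.1.3.1)
TAG_REQUEST_MESSAGE = 0x420078
TAG_REQUEST_HEADER = 0x420077
TAG_PROTOCOL_VERSION = 0x420069
TAG_PROTOCOL_VERSION_MAJOR = 0x42006A
TAG_PROTOCOL_VERSION_MINOR = 0x42006B
TAG_BATCH_COUNT = 0x42000D
TAG_BATCH_ITEM = 0x42000F
TAG_OPERATION = 0x42005C
TAG_REQUEST_PAYLOAD = 0x420079
TAG_UNIQUE_IDENTIFIER = 0x420094

OPERATION_GET = 0x0A  # Operation enumeration value for Get


def _pad8(data: bytes) -> bytes:
    """Every TTLV value is zero-padded to a multiple of 8 bytes."""
    return data + b"\x00" * (-len(data) % 8)


def ttlv(tag: int, item_type: int, value) -> bytes:
    """One item: 3-byte tag, 1-byte type, 4-byte length of the unpadded value, padded value."""
    if item_type == STRUCTURE:
        body = b"".join(value)  # value is a list of already-encoded children
    elif item_type == INTEGER:
        body = struct.pack(">i", value)
    elif item_type == ENUMERATION:
        body = struct.pack(">I", value)
    elif item_type == TEXT_STRING:
        body = value.encode("utf-8")
    else:
        raise ValueError("unsupported type %#x" % item_type)
    header = tag.to_bytes(3, "big") + bytes([item_type]) + struct.pack(">I", len(body))
    return header + _pad8(body)


def build_get_request(unique_id: str, major: int = 1, minor: int = 2) -> bytes:
    """A one-item batch asking the server to return the key named unique_id."""
    header = ttlv(TAG_REQUEST_HEADER, STRUCTURE, [
        ttlv(TAG_PROTOCOL_VERSION, STRUCTURE, [
            ttlv(TAG_PROTOCOL_VERSION_MAJOR, INTEGER, major),
            ttlv(TAG_PROTOCOL_VERSION_MINOR, INTEGER, minor),
        ]),
        ttlv(TAG_BATCH_COUNT, INTEGER, 1),
    ])
    item = ttlv(TAG_BATCH_ITEM, STRUCTURE, [
        ttlv(TAG_OPERATION, ENUMERATION, OPERATION_GET),
        ttlv(TAG_REQUEST_PAYLOAD, STRUCTURE, [
            ttlv(TAG_UNIQUE_IDENTIFIER, TEXT_STRING, unique_id),
        ]),
    ])
    return ttlv(TAG_REQUEST_MESSAGE, STRUCTURE, [header, item])


def parse_ttlv(data: bytes, offset: int = 0, end: int = None) -> list:
    """Decode bytes into nested (tag, type, value) tuples; structures become lists.
    Lengths are checked against the buffer so a truncated or hostile message
    raises ValueError instead of reading past the end."""
    end = len(data) if end is None else end
    items = []
    while offset < end:
        if end - offset < 8:
            raise ValueError("truncated TTLV header at offset %d" % offset)
        tag = int.from_bytes(data[offset:offset + 3], "big")
        item_type = data[offset + 3]
        length = struct.unpack(">I", data[offset + 4:offset + 8])[0]
        start, stop = offset + 8, offset + 8 + length
        if stop > end:
            raise ValueError("TTLV length %d overruns buffer" % length)
        raw = data[start:stop]
        if item_type == STRUCTURE:
            value = parse_ttlv(data, start, stop)
        elif item_type == INTEGER:
            value = struct.unpack(">i", raw)[0]
        elif item_type == ENUMERATION:
            value = struct.unpack(">I", raw)[0]
        elif item_type == TEXT_STRING:
            value = raw.decode("utf-8")
        else:
            value = raw  # other types kept raw
        items.append((tag, item_type, value))
        offset = start + len(_pad8(raw))  # skip value and its padding
    return items


def is_well_formed(data: bytes) -> bool:
    try:
        parse_ttlv(data)
        return True
    except ValueError:
        return False


def requested_key_id(request: bytes):
    """Return the Unique Identifier a parsed Get request asks for, or None."""
    def walk(items):
        for tag, item_type, value in items:
            if tag == TAG_UNIQUE_IDENTIFIER:
                return value
            if item_type == STRUCTURE:
                found = walk(value)
                if found is not None:
                    return found
        return None
    return walk(parse_ttlv(request))


if __name__ == "__main__":
    req = build_get_request("kmip-key-0001")  # constructed sample identifier
    print(req.hex())
    print(requested_key_id(req))
```

The encoder follows the specification's own worked example: an Integer with value 8 under tag 0x420020 serialises as 42 00 20 | 02 | 00 00 00 04 | 00 00 00 08 00 00 00 00, with the length field counting only the 4 real bytes and the value padded to 8. The bounds checks in parse_ttlv matter on the server side of port 5696, where every length field arrives from the network.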

Chapter 3: Deployment

Deployment Process

Procedure

1. Do any of the following to obtain an SSL certificate and private key:
    Automatically generate a certificate when you install Cloud App Encryption Key Server.
    Create your own certificate.
    Obtain a certificate from a Certificate Authority (CA), such as VeriSign.

2. Prepare the virtual machine to meet system requirements. See Requirements on page 2-1.

3. Install the Cloud App Encryption Key Server operating system. See Installing the Cloud App Encryption Key Server Operating System on page 3-3.

4. Configure the Cloud App Encryption Key Server key management environment. See Configuring the Key Management Environment on page 3-13.

Best Practices for Deployment

Before proceeding to installation and deployment, note the following best practices:

    The SSL certificate should be issued by a real Certificate Authority (CA), for example VeriSign or an internal CA, rather than the self-signed certificate the installer can generate.
    Cloud App Encryption Key Server uses a PostgreSQL database. If you are not using an ESX cluster, follow the VMware guidelines available at: https://www.vmware.com/support/pubs/
    Size the virtual disk for future use. The installed system uses less than 900 MB. Trend Micro recommends using a 100 GB thin provisioned drive to handle growth potential.

    Make sure to back up your encryption key after deploying Cloud App Encryption Key Server. For details, see Encryption Key Backup and Restore on page 5-3.
    Cloud App Encryption Key Server holds your actual encryption keys. Keep security paramount: be mindful of technologies with unintended side effects that can leak key material, for example virtual machine snapshots, memory dumps, or unencrypted copies of the virtual disk.

Installing the Cloud App Encryption Key Server Operating System

WARNING! The installation deletes existing data and partitions from the selected device. Back up existing data before installing Cloud App Encryption Key Server.

Procedure

1. Go to the Trend Micro Download Center: http://downloadcenter.trendmicro.com/
2. Select Cloud App Encryption Key Server from the list.
3. Download the Cloud App Encryption Key Server ISO file.
4. Power on the virtual machine.
5. Configure the virtual machine to boot from the ISO file.
6. Restart the virtual machine. The server boots from the Cloud App Encryption Key Server ISO file and the installation begins.

The Cloud App Encryption Key Server Installation Menu screen appears.

7. Select Install Server. After the setup initializes, the Trend Micro License Agreement screen appears.
8. Click Accept to continue.
9. Select the appropriate keyboard language.
10. Click Next.
11. Select the drive location to install Cloud App Encryption Key Server.
12. Click Next. A warning message about removing all partitions (ALL DATA) on the selected device appears.
13. Click Yes to continue. The Cloud App Encryption Key Server install program scans the system to determine that the hardware meets minimum specifications.
14. Click Next.
15. Specify the network interface settings and general settings.
16. Click Next.
17. Select a time zone.
18. Click Next.
19. Specify the administrator account (root) credentials. This account can access the operating system shell and has all rights on the server. It is the most powerful user in the system, so choose a strong password and store it in a protected location. The same password also grants Privileged Mode (the enable account) on the CLI until you change it with configure system password enable (see Appendix A).
20. Click Next. The Summary screen appears.
21. Review the summary and then click Next to begin the installation.
22. At the warning message, click Continue. After formatting the device, the program installs the operating system. Cloud App Encryption Key Server installs after the server restarts.
23. When the installation confirmation appears, click Reboot.
24. Disconnect the Cloud App Encryption Key Server ISO file to prevent reinstallation.

Configuring the Key Management Environment

After completing the installation, the server restarts and loads the Command Line Interface (CLI). Configure the Cloud App Encryption Key Server certificate settings to complete the installation. If you do not already have a certificate, you can generate one during the setup process.

Procedure

1. Log on to Cloud App Encryption Key Server with the root credentials.

    User name: root
    Password: <password specified at installation>

2. Type the following command:

    /opt/trend/keyserver/script/kmip_setup.sh

3. Follow the on-screen prompts. If you do not have a certificate, the script can create one during the configuration process. Required information includes:
    Location
    Organization
    Server host name
    Email address
    PostgreSQL account credentials

If you already have a certificate, make sure to have the public certificate and private key available. Good practice is to give the server the same host name that you will later enter as the FQDN in the Cloud App Encryption console, so that the name in the certificate and the address the cloud service connects to agree.

The initial configuration is complete. Log on to the Command Line Interface (CLI) later to perform additional configurations or maintenance tasks.

Important Note

If the external KMIP server (Cloud App Encryption Key Server or a third-party KMIP server) goes down and cannot communicate with Cloud App Encryption for Office 365, encryption and decryption stop. Email messages remain in whatever encrypted or decrypted state they were in when the server stopped communicating.

Chapter 4: Integration

Locating the Public Certificate File

Procedure

1. Log on to Cloud App Encryption Key Server with the root credentials.
    User name: root
    Password: <password specified at installation>
2. Enable SSH. See Enabling / Disabling SSH on page 4-2.
3. Use an SSH client (for example, PuTTY) to log on to Cloud App Encryption Key Server.
4. Locate the certificate at:
    /var/app_data2/server.pem
5. Copy the contents of the certificate to a text file stored on the local disk. Copy only the block from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----"; if server.pem also contains a private key block, that block must never leave the key server.

    Tip: You may need to enable SSH to copy and paste from the virtual machine.

6. Disable SSH. See Enabling / Disabling SSH on page 4-2.

WARNING! Leaving SSH enabled after configuring the key management environment exposes the root account of the server that holds your encryption keys to the network. Disable SSH as soon as the certificate has been copied.

Enabling / Disabling SSH

You may need to temporarily enable SSH while importing a certificate signed by an external Certificate Authority into Cloud App Encryption Key Server. SSH is not required to import the certificate. Cloud App Encryption Key Server also supports direct USB connections.

Enabling SSH allows:
    Using an SSH client to remotely access Cloud App Encryption Key Server
    Importing an external certificate with a secure copy tool such as SCP (Secure Copy Protocol)

Procedure

Enable SSH:
    a. cp -f /etc/ssh/sshd_config /etc/ssh/sshd_config.bk
    b. vi /etc/ssh/sshd_config and set UsePAM yes and PermitRootLogin yes
    c. service sshd start

Disable SSH:
    a. service sshd stop
    b. rm -f /etc/ssh/sshd_config
    c. cp -f /etc/ssh/sshd_config.bk /etc/ssh/sshd_config

Run step a of Enable SSH only once. If you copy sshd_config over the backup a second time after editing it, the backup no longer holds the original configuration, and step c of Disable SSH then restores the permissive settings instead of removing them. The CLI commands configure service ssh enable <interface> and configure service ssh disable (see Appendix A) also turn SSH on and off and let you limit it to a single network interface.

Public Certificate Example

The highlighted content in the following image represents the public certificate information required to configure encryption.

FIGURE 4-1. Highlighted Content Required for Encryption
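As an added example, not code from Trend Micro or from the key server, the following Python performs the Enabling / Disabling SSH procedure above in a way that cannot lose the original configuration: the pristine copy of sshd_config is taken only once, however many times the enable step runs, and the disable step moves it back and removes the backup. It applies the two settings the guide names (UsePAM yes, PermitRootLogin yes) and, as an addition this example assumes rather than something the guide requires, an AllowUsers line so that root can only log in from one named administrator host. The sample configuration text and the address 10.0.0.5 are constructed for the demonstration; the service sshd commands are the ones the guide uses.

```python
"""Added example (not Trend Micro code): idempotent enable/disable of SSH on
the key server with a single pristine backup of sshd_config.  The AllowUsers
restriction, the sample configuration text and the host 10.0.0.5 are
assumptions of this example."""
import re
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

SSHD_CONFIG = Path("/etc/ssh/sshd_config")
ENABLE_SETTINGS = {"UsePAM": "yes", "PermitRootLogin": "yes"}  # as in the guide


def set_option(text: str, key: str, value: str) -> str:
    """Remove every active or commented line for key and put one active line
    at the top of the file.  Top, not bottom: sshd honours the first match
    for a keyword, and a line appended at the end could land inside a Match
    block and apply only to that block.  Lines inside Match blocks are
    removed too; the pristine backup brings them back on disable."""
    pattern = re.compile(r"^[ \t#]*" + re.escape(key) + r"[ \t]+[^\n]*\n?", re.M)
    remainder = pattern.sub("", text)
    return f"{key} {value}\n" + remainder


def get_option(text: str, key: str):
    """Effective value of key: the first uncommented line wins."""
    m = re.search(r"^[ \t]*" + re.escape(key) + r"[ \t]+(\S+)", text, re.M)
    return m.group(1) if m else None


def enable_ssh(config: Path = SSHD_CONFIG, admin_host: str = None) -> Path:
    """Back up sshd_config once, then apply the permissive settings.
    Returns the backup path."""
    backup = config.parent / (config.name + ".bk")
    if not backup.exists():           # never overwrite the pristine copy
        shutil.copy2(config, backup)
    text = config.read_text()
    for key, value in ENABLE_SETTINGS.items():
        text = set_option(text, key, value)
    if admin_host:                    # assumption: restrict root to one host
        text = set_option(text, "AllowUsers", f"root@{admin_host}")
    config.write_text(text)
    return backup


def disable_ssh(config: Path = SSHD_CONFIG) -> bool:
    """Move the pristine copy back over sshd_config.  False if there is
    nothing to restore because enable_ssh never ran."""
    backup = config.parent / (config.name + ".bk")
    if not backup.exists():
        return False
    shutil.move(str(backup), str(config))
    return True


# Constructed sample sshd_config, not the file shipped on the appliance.
SAMPLE_CONFIG = """\
# constructed sample
Port 22
#PermitRootLogin prohibit-password
UsePAM no
Match User backup
    PasswordAuthentication no
"""


def demo_in_scratch_dir() -> dict:
    """Enable twice and disable once against a scratch copy; report each stage."""
    cfg = Path(tempfile.mkdtemp()) / "sshd_config"
    cfg.write_text(SAMPLE_CONFIG)
    backup = enable_ssh(cfg, admin_host="10.0.0.5")
    enabled = cfg.read_text()
    enable_ssh(cfg, admin_host="10.0.0.5")  # second run must leave the backup alone
    backup_text = backup.read_text()
    restored = disable_ssh(cfg)
    return {
        "enabled_root": get_option(enabled, "PermitRootLogin"),
        "enabled_pam": get_option(enabled, "UsePAM"),
        "enabled_allow": get_option(enabled, "AllowUsers"),
        "active_root_lines": len(re.findall(r"^PermitRootLogin ", enabled, re.M)),
        "backup_is_pristine": backup_text == SAMPLE_CONFIG,
        "restored": restored and cfg.read_text() == SAMPLE_CONFIG,
        "backup_removed": not backup.exists(),
    }


if __name__ == "__main__":
    action = sys.argv[1] if len(sys.argv) > 1 else ""
    if action == "enable":
        enable_ssh(admin_host=sys.argv[2] if len(sys.argv) > 2 else None)
        subprocess.run(["service", "sshd", "start"], check=True)
    elif action == "disable":
        subprocess.run(["service", "sshd", "stop"], check=True)
        disable_ssh()
    else:
        print("usage: enable [admin-host] | disable")
```

Run it as root on the key server with enable 10.0.0.5 (your administrator workstation) before copying the certificate and with disable immediately afterwards; the guide's warning about leaving SSH on still applies, the AllowUsers line only narrows who can reach the root account while it is on.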

Integrating with Cloud App Encryption for Office 365

Procedure

1. Log on to Cloud App Encryption for Office 365. See Console and Proxy Addresses by Region on page B-2.
2. Go to Encryption.
3. Select Click here to choose.
4. Select Maintain encryption keys in your own network.
5. Specify the server settings:

    FQDN or IP address: Specify the Cloud App Encryption Key Server fully qualified domain name or IP address.
    Port: Specify the port used to connect to Cloud App Encryption Key Server. The default port is 5696.
    Public server certificate: Copy the contents of the certificate file. Make sure to include only the certificate information and not the private key. For information about locating the certificate file, see Locating the Public Certificate File on page 4-2.
    Client certificate: Download the Trend Micro client certificate if you must change the client certificate used when you deployed Cloud App Encryption Key Server. Reasons include:
        Expired certificate
        Updated / Modified Cloud App Encryption certificate

    Note: Trend Micro provides the client certificate when you install Cloud App Encryption Key Server.

6. Click Generate Key.
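Step 5 of the procedure above and step 5 of Locating the Public Certificate File both turn on one thing: what you paste into the Public server certificate field must be the certificate and never the private key. As an added example, not code from Trend Micro or from the key server, the following Python takes the text of a PEM file such as /var/app_data2/server.pem, which may hold both the certificate and its private key, reports whether a private key block is present, and returns only the CERTIFICATE block(s) re-wrapped for pasting. It also computes the SHA-256 fingerprint of each certificate so that what you pasted can be compared with what the key server presents. The sample PEM below is constructed from filler base64 text; it is not a real certificate or key.

```python
"""Added example (not Trend Micro code): separate the public certificate from
a PEM bundle before it is copied off the key server.  SAMPLE_SERVER_PEM is
constructed filler, not a real certificate or key."""
import base64
import hashlib
import re

# One PEM block: label, then base64 body, then matching END line.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text: str) -> list:
    """(label, base64 body without whitespace) for every PEM block, in order."""
    return [(m.group(1), "".join(m.group(2).split()))
            for m in _PEM_BLOCK.finditer(text)]


def contains_private_key(text: str) -> bool:
    """True if any block is a private key (RSA PRIVATE KEY, EC PRIVATE KEY,
    PRIVATE KEY, ...); such text must not be pasted into the console."""
    return any(label.endswith("PRIVATE KEY") for label, _ in pem_blocks(text))


def public_certificate_only(text: str) -> str:
    """The text that is safe to paste: CERTIFICATE blocks only, one per
    64-column PEM block.  Raises if there is no certificate at all."""
    certs = []
    for label, body in pem_blocks(text):
        if label != "CERTIFICATE":
            continue                      # private key and anything else stay here
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        certs.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                     + "\n-----END CERTIFICATE-----\n")
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return "".join(certs)


def certificate_fingerprints(text: str) -> list:
    """SHA-256 over the DER bytes of each certificate block, for comparing the
    pasted certificate with the one the key server presents on port 5696."""
    return [hashlib.sha256(base64.b64decode(body)).hexdigest()
            for label, body in pem_blocks(text) if label == "CERTIFICATE"]


# Constructed sample of a server.pem holding certificate and key together.
# The base64 bodies are filler and do not decode to real X.509 or key data.
SAMPLE_SERVER_PEM = """\
-----BEGIN CERTIFICATE-----
MIIBsampleCERTIFICATEdata0123456789abcdefghijklmnopqrstuvwxyzABC
EFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzAAAA==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEsamplePRIVATEKEYdata0123456789abcdefghijklmnopqrstuvwxyzABCDE
FGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzBBBB==
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    if contains_private_key(SAMPLE_SERVER_PEM):
        print("server.pem contains a private key: paste only the block below")
    print(public_certificate_only(SAMPLE_SERVER_PEM), end="")
    print("sha256:", certificate_fingerprints(SAMPLE_SERVER_PEM)[0])
```

On a real key server, run it against /var/app_data2/server.pem, paste its output into the console, and keep the printed fingerprint with your change record; a later check of the certificate the server presents on 5696 should produce the same digest.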

Chapter 5: Key Maintenance

Destroying Keys

Destroying the encryption key has a significant impact. Destroyed encryption keys can never be restored, and email messages encrypted with them remain in their encrypted state forever. Users will be unable to decrypt and read email messages protected by the destroyed encryption key. Destroy the encryption key only if your organization plans to stop using Office 365 and wants the encrypted email messages left in the cloud to be permanently unreadable.

Destroying encryption keys has the same effect as decommissioning a KMIP server. Cloud App Encryption for Office 365 may malfunction if you do not provide a new encryption key after destroying the existing key. Destroying encryption keys on a third-party server causes Cloud App Encryption for Office 365 to immediately stop encrypting or decrypting email messages.

Destroying the Encryption Key

Procedure

1. Log on to Cloud App Encryption for Office 365.
2. Go to Encryption.
3. Select Maintain encryption keys in your own network.
4. Click Destroy Key.

    WARNING! Clicking Destroy Key permanently deletes the encryption key. This cannot be undone. Encrypted email messages will remain in an encrypted state forever.

5. At the warning message, type your password and then click Destroy Key.

Encryption Key Backup and Restore

You cannot back up or restore an encryption key through the Cloud App Encryption console. Access Cloud App Encryption Key Server through SSH or a direct VGA connection to perform backup and restore operations.

Creating an Encryption Key Backup

Backing up the encryption key offers the following benefits:
    Ensures that you can build a new instance and import the backed-up encryption key if the Cloud App Encryption Key Server instance crashes.
    Allows you to import the encryption key from another Cloud App Encryption Key Server instance.

Backing up the encryption key calls a PostgreSQL utility to back up the entire database. Because the key server's database holds your actual encryption keys, the backup archive does too: protect it as carefully as the server itself, move it off the key server onto encrypted storage with restricted access, and do not leave working copies in /tmp or on administrator workstations.

Procedure

1. Log on to Cloud App Encryption Key Server with the root credentials.
    User name: root
    Password: <password specified at installation>

2. Type the following command:

    /opt/trend/keyserver/script/db_backup_restore.sh backup

3. Follow the on-screen prompts. Cloud App Encryption Key Server stores the backup file at /var/app_data/.

Restoring an Encryption Key from a Backup

Restoring the encryption key offers the following benefits:

    Allows you to restore the encryption key on another server.
    Ensures that you have a backup server if the Cloud App Encryption Key Server instance crashes.

Restoring an encryption key calls a PostgreSQL utility to restore the entire database. Any existing encryption key is overwritten by the restored encryption key. After restoring the encryption key, you cannot decrypt email messages that were encrypted using the previous encryption key.

Note: The backup file must be in .tar file format.

Important: Restoring the encryption key overwrites any existing encryption key. After restoring the encryption key, users will be unable to decrypt any email messages that were encrypted with the previous encryption key. If you do not make a backup of the previous encryption key, those email messages can never be decrypted. Run the backup procedure above for the current key before every restore.

Procedure

1. Log on to Cloud App Encryption Key Server with the root credentials.
    User name: root
    Password: <password specified at installation>

2. Type the following command:

    /opt/trend/keyserver/script/db_backup_restore.sh restore <full_file_path_and_file_name>

    Example:

    /opt/trend/keyserver/script/db_backup_restore.sh restore /tmp/keyserver_db_kmip_1379552900_10.64.72.122.tar

3. Follow the on-screen prompts.

Unreachable Keys

If the external KMIP server (Cloud App Encryption Key Server or a third-party KMIP server) goes down and cannot communicate with Cloud App Encryption for Office 365, encryption and decryption stop. Email messages remain in whatever encrypted or decrypted state they were in when the server stopped communicating.

Appendix A: Command Line Interface

Using the CLI

Use the Command Line Interface (CLI) to perform the following tasks:
    Configure the Cloud App Encryption Key Server environment
    Make an encryption key backup
    Restore an encryption key
    Configure network settings, such as the device IP address and host name
    Restart the device
    View device status
    Debug and troubleshoot the device

Note: Do not enable scroll lock on your keyboard when using HyperTerminal. If scroll lock is enabled, you cannot enter data.

Entering the CLI

To log on to the CLI, either connect directly to the server or connect using SSH. Not all commands appear when you log on with the root account. Use the enable account (Privileged Mode) to access privileged commands.

WARNING! Enter the shell environment only if your support provider instructs you to perform debugging operations.

Procedure

To connect directly to the server:

    a. Connect a monitor and keyboard to the server.
    b. Log on to the CLI in Privileged Mode.
        User name: enable
        Password: <root password defined at installation>

    Note: To log on without being in Privileged Mode, use root for the user name.

To connect using SSH:
    a. Verify that the computer you are using can ping the Cloud App Encryption Key Server instance IP address.
    b. Use an SSH client to connect to the Cloud App Encryption Key Server instance IP address on TCP port 22.

Command Line Interface Commands

The Cloud App Encryption Key Server CLI commands are separated into two categories: normal and privileged commands. Normal commands are basic commands to obtain specific low security risk information and to perform simple tasks. Privileged commands provide full configuration control and advanced monitoring and debugging features. Privileged commands are protected by an additional layer of credentials: the Enable account and password. Until you change it with configure system password enable (see CLI Command Reference), the Enable password is the root password set at installation, so this layer only adds protection once you give the Enable account a distinct password.

CLI Command Reference

The following tables explain the CLI commands.

configure network dns

TABLE A-1. configure network dns ipv4

Configures IPv4 DNS settings for the device.
Syntax: configure network dns ipv4 <dns1> <dns2>
View: Privileged
Parameters:
    <dns1>: Primary IPv4 DNS server
    <dns2>: Secondary IPv4 DNS server
    Note: Use a space to separate the primary and secondary DNS values.
Examples:
    To configure the primary DNS with an IP address of 192.168.10.21:
        configure network dns ipv4 192.168.10.21
    To configure the primary and secondary DNS with the following values:
        Primary DNS: 192.168.10.21
        Secondary DNS: 192.168.10.22
        configure network dns ipv4 192.168.10.21 192.168.10.22

configure network hostname

Configures the host name for the device.
Syntax: configure network hostname <hostname>
View: Privileged

Parameters:
    <hostname>: The host name or fully qualified domain name (FQDN) for the device
Example:
    To change the host name of the device to test.example.com:
        configure network hostname test.example.com

configure network interface

TABLE A-2. configure network interface ipv4

Configures the IPv4 address for the network interface card (NIC).
Syntax: configure network interface ipv4 <interface> <ip> <mask>
View: Privileged
Parameters:
    <interface>: NIC name
    <ip>: IPv4 address for the interface
    <mask>: Network mask for the NIC
Example:
    To configure a NIC with the following values:
        Interface: eth0
        IP address: 192.168.10.10
        Subnet mask: 255.255.255.0
        configure network interface ipv4 eth0 192.168.10.10 255.255.255.0

configure network route add

TABLE A-3. configure network route add ipv4

Adds a new route entry.

Trend Micro Cloud App Encryption for Office 365 Key Server Deployment Guide Syntax: configure network route add ipv4 <ip_prefixlen> <via> <dev> View Parameters Privileged <ip_prefixlen>: Destination network ID with format IPv4_Address/ Prefixlen <via>: IPv4 address of the next hop <dev>: Device name Example: To add a new route entry: configure network route add ipv4 172.10.10.0/24 192.168.10.1 eth1 configure network route default TABLE A-4. configure network route default ipv4 Sets the default route for the device Syntax: configure network route default ipv4 <gateway> View Parameter Privileged <gateway>: IPv4 address of default gateway Example: To set the default route for the device: configure network route default ipv4 192.168.10.1 configure network route del TABLE A-5. configure network route del ipv4 Deletes a route for the device A-6

Command Line Interface Syntax: configure network route del ipv4 <ip_prefixlen> <via> <dev> View Parameters Privileged <ip_prefixlen>: Destination network ID with format IPv4_Address/ Prefixlen <via>: IPv4 address of the next hop <dev>: Device name Example: To delete a route for the device: configure network route del ipv4 172.10.10.0/24 192.168.10.1 eth1 configure service ssh disable Disables SSH on all network interface cards (NIC). Syntax: configure service ssh disable View Parameters Privileged None Examples: To disable SSH on all NICs: configure service ssh disable configure service ssh enable Enables SSH on one specific network interface card (NIC). A-7

Trend Micro Cloud App Encryption for Office 365 Key Server Deployment Guide Syntax: configure service ssh enable <interface> View Parameters Privileged <interface>: The name of the NIC Examples: To enable SSH on NIC eth0: configure service ssh enable eth0 configure system date Configures the time and date and saves the data in CMOS. Syntax: configure system date <date> <time> View Parameters Privileged <date>: Set the date using the following format: yyyy-mm-dd <time>: Set the time with the following format: hh:mm:ss Examples: To set the date to August 12, 2010 and the time to 3:40 PM: configure system date 2010-08-12 15:40:00 configure system password enable To change the password required to enter Privileged mode. Syntax: configure system password enable View Privileged A-8

Command Line Interface Parameters None Examples: To change the password required to enter Privileged mode configure system password enable configure system timezone Configures the time zone used by the device. Syntax: configure system timezone <region>/<city> View Parameters Privileged <region>: Region name <city>: City name Examples: To configure the device to use the time zone for the following location: Region: America City: New York configure system timezone America/New_York TABLE A-6. Time Zone Setting Examples REGION/COUNTRY CITY Africa Cairo Harare Nairobi A-9

America          Anchorage, Bogota, Buenos_Aires, Caracas, Chicago, Chihuahua, Denver, Godthab, Lima, Los_Angeles, Mexico_City, New_York, Noronha, Phoenix, Santiago, St_Johns, Tegucigalpa
Asia             Almaty, Baghdad, Baku, Bangkok, Calcutta, Colombo, Dhaka, Hong_Kong, Irkutsk, Jerusalem, Kabul, Karachi, Katmandu, Krasnoyarsk, Kuala_Lumpur, Kuwait, Magadan, Manila, Muscat, Rangoon, Seoul, Shanghai, Singapore, Taipei, Tehran, Tokyo, Yakutsk
Atlantic         Azores
Australia        Adelaide, Brisbane, Darwin, Hobart, Melbourne, Perth
Europe           Amsterdam, Athens, Belgrade, Berlin, Brussels, Bucharest, Dublin, Moscow, Paris
Pacific          Auckland, Fiji, Guam, Honolulu, Kwajalein, Midway
US               Alaska, Arizona, Central, East-Indiana, Eastern, Hawaii, Mountain, Pacific

enable

Enters Privileged mode so that privileged commands can be entered.
Syntax: enable
View: Root
Parameters: None
Examples:
  To enter Privileged mode:
    enable

exit

Exits Privileged mode. When not in Privileged mode, exits the session.
Syntax: exit
View: Root/Privileged
Parameters: None
Examples:
  To exit Privileged mode, or to exit the session when not in Privileged mode:
    exit

help

Displays the CLI help information.
Syntax: help
View: Privileged/Root
Parameters: None
Examples:
  To display the CLI help information:
    help

history

Displays the current session's command line history.
Syntax: history [limit]
View: Privileged/Root
Parameters:
  [limit]: Specifies the size of the history list for the current session. Specifying "0" retains all commands for the session.
Examples:
  To set the size of the history list to six commands:
    history 6

logout

Logs out of the current CLI session.
Syntax: logout
View: Root
Parameters: None
Examples:
  To log out of the current session:
    logout

ping

Pings a specified host.
Syntax: ping [-c num_echos] [-i interval] <dest>
View: Root
Parameters:
  [-c num_echos]: Specifies the number of echo requests to send. The default value is 5.
  [-i interval]: Specifies the delay interval in seconds between packets. The default value is 1 second.
  <dest>: Specifies the destination host name or IP address
Examples:
  To ping the IP address 192.168.1.1:
    ping 192.168.1.1
  To ping the host remote.host.com:
    ping remote.host.com

reboot

Reboots the device immediately or after a specified delay.
Syntax: reboot [time]
View: Privileged
Parameters:
  [time]: Specifies the delay, in minutes, before the device reboots
Examples:
  To reboot the device immediately:
    reboot
  To reboot the device after 5 minutes:
    reboot 5

resolve

Resolves an IPv4 address from a host name, or a host name from an IPv4 address.
Syntax: resolve <dest>
View: Privileged
Parameter:
  <dest>: Specifies the IPv4 address or host name to resolve
Examples:
  To resolve the host name from the IP address 192.168.10.1:
    resolve 192.168.10.1
  To resolve the IP address from the host name parent.host.com:
    resolve parent.host.com

show storage statistic

Displays the file system disk space usage.
Syntax: show storage statistic [partition]
View: Root
Parameters:
  [partition]: Specifies a partition (optional)
Examples:
  To display the file system disk space usage of the device:
    show storage statistic

show network

Displays various network configurations.
Syntax: show network [arp | connections | dns | hostname | interface | route]
View: Root
Parameters:
  arp: Displays the Address Resolution Protocol (ARP) tables.
  connections: Displays the device's current network connections.
  dns: Displays the device's DNS IP addresses.
  dns primary: Displays the device's primary DNS IP address.
  dns secondary: Displays the device's secondary DNS IP address.
  hostname: Displays the device's host name.
  interface: Displays the network interface card (NIC) status and configuration.
  route: Displays the IP address route table.
Examples:
  To display the ARP tables:
    show network arp
  To display the device's current network connections:
    show network connections
  To display the DNS configuration:
    show network dns
  To display the host name of the device:
    show network hostname
  To display the NIC status and configuration:
    show network interface
  To display the IP address route table:
    show network route

show kernel

Displays the device's OS kernel information.
Syntax: show kernel {messages | modules | parameters | iostat}
View: Root
Parameters:
  messages: Displays kernel messages.
  modules: Displays kernel modules.
  parameters: Displays kernel parameters.
  iostat: Displays CPU statistics and I/O statistics for devices and partitions.
Examples:
  To display the OS kernel's messages:
    show kernel messages
  To display the OS kernel's modules:
    show kernel modules
  To display the OS kernel's parameters:
    show kernel parameters
  To display device CPU statistics and I/O statistics:
    show kernel iostat

show service

Displays the SSH service status.
Syntax: show service [ssh]
View: Root
Parameters:
  ssh: Displays the status of SSH.
Examples:
  To display the SSH status:
    show service ssh

show memory

Displays the device's system memory information.
Syntax: show memory [statistic]
View: Root
Parameters:
  statistic: Displays system memory statistics
Examples:
  To display system memory statistics:
    show memory statistic

show process

Displays the status of currently running processes.
Syntax: show process [top]
View: Root
Parameters:
  [top]: Displays the status of currently running processes and system-related processes
Examples:
  To display the status of currently running processes:
    show process

show system

Displays various system settings.
Syntax: show system [date | timezone | uptime | version]
View: Root
Parameters:
  date: Displays the current time and date.
  timezone: Displays the device's time zone settings.
  uptime: Displays how long the device has been running.
  version: Displays the version number of the device.
Examples:
  To display the current time and date of the device:
    show system date
  To display the device's time zone settings:
    show system timezone
  To display how long the system has been running:
    show system uptime
  To display the system's version number:
    show system version

shutdown

Shuts down the device immediately or after a specified delay.
Syntax: shutdown [time]
View: Privileged
Parameters:
  [time]: Shuts down the device after the specified delay, in minutes.
Examples:
  To shut down the device immediately:
    shutdown
  To shut down the device after a 5 minute delay:
    shutdown 5

traceroute

Displays the route to a specified destination.
Syntax: traceroute [-h hops] <dest>
View: Root
Parameters:
  [-h hops]: Specifies the maximum number of hops to the destination. The minimum number is 6.
  <dest>: Specifies the remote system to trace
Examples:
  To display the route to IP address 172.10.10.1 with a maximum of 6 hops:
    traceroute 172.10.10.1
  To display the route to IP address 172.10.10.1 with a maximum of 30 hops:
    traceroute -h 30 172.10.10.1
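As an added example that is not part of this guide or the product, the following Python script assembles and validates the Privileged-mode command sequence for an initial network setup, using the command syntax of Tables A-1 to A-6 above. It only generates text to paste into a CLI session after logging on; it does not connect to the appliance. The TIMEZONES subset, the ethN NIC-name pattern and the hostname pattern are assumptions.

```python
import ipaddress
import re

# Constructed subset of TABLE A-6; add the guide's other rows as needed.
TIMEZONES = {
    "Africa": {"Cairo", "Harare", "Nairobi"},
    "America": {"Chicago", "Denver", "Los_Angeles", "New_York", "Phoenix"},
    "Asia": {"Hong_Kong", "Singapore", "Taipei", "Tokyo"},
    "Europe": {"Amsterdam", "Berlin", "Dublin", "Moscow", "Paris"},
}
_HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
_NIC = re.compile(r"^eth\d+$")  # assumption: NIC names look like eth0/eth1

def ipv4(value):
    """Return a dotted-quad IPv4 address, or raise ValueError."""
    return str(ipaddress.IPv4Address(value))

def dns_cmd(primary, secondary=""):
    servers = [ipv4(primary)] + ([ipv4(secondary)] if secondary else [])
    return "configure network dns ipv4 " + " ".join(servers)

def hostname_cmd(hostname):
    if not _HOSTNAME.match(hostname):
        raise ValueError(f"invalid hostname: {hostname!r}")
    return f"configure network hostname {hostname}"

def interface_cmd(nic, ip, mask):
    if not _NIC.match(nic):
        raise ValueError(f"unexpected NIC name: {nic!r}")
    # A mask with non-contiguous bits (e.g. 255.0.255.0) raises ValueError here.
    ipaddress.IPv4Network(f"{ipv4(ip)}/{mask}", strict=False)
    return f"configure network interface ipv4 {nic} {ip} {mask}"

def route_add_cmd(prefix, via, dev):
    # strict=True rejects a destination with host bits set, e.g. 172.10.10.5/24.
    net = ipaddress.IPv4Network(prefix, strict=True)
    return f"configure network route add ipv4 {net.with_prefixlen} {ipv4(via)} {dev}"

def timezone_cmd(region, city):
    if city not in TIMEZONES.get(region, ()):
        raise ValueError(f"not a TABLE A-6 time zone: {region}/{city}")
    return f"configure system timezone {region}/{city}"

def initial_setup(hostname, nic, ip, mask, gateway, dns, region, city):
    """Privileged-mode session: 'enable' first, since every configure command
    has the Privileged view; 'exit' at the end leaves Privileged mode."""
    subnet = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    if ipaddress.IPv4Address(gateway) not in subnet:
        raise ValueError("default gateway is not inside the NIC's subnet")
    return ["enable", hostname_cmd(hostname), interface_cmd(nic, ip, mask),
            f"configure network route default ipv4 {ipv4(gateway)}",
            dns_cmd(*dns), timezone_cmd(region, city), "exit"]
```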

Appendix B
Additional Resources

Console and Proxy Addresses by Region

The email proxy address for MAPI, EAS, and OWA connections and the administrative console address depend on the AWS datacenter for the region. The following tables list the email proxy and administrative console addresses by region.

TABLE B-1. Console Addresses by Region

REGION          DATACENTER LOCATION   ADDRESS
Europe          Ireland               admin-eu.tmcae.trendmicro.com
North America   Oregon                admin.tmcae.trendmicro.com

TABLE B-2. Email Proxy Addresses by Region

REGION          DATACENTER LOCATION   ADDRESS
Europe          Ireland               EAS: easeu.tmcae.trendmicro.com
                                      MAPI: mapieu.tmcae.trendmicro.com
                                      OWA: owaeu.tmcae.trendmicro.com
North America   Oregon                EAS: eas.tmcae.trendmicro.com
                                      MAPI: mapi.tmcae.trendmicro.com
                                      OWA: owa.tmcae.trendmicro.com

TABLE B-3. Autodiscover Proxy Addresses by Region

REGION          DATACENTER LOCATION   ADDRESS
Europe          Ireland               http://autodiscovereu.tmcae.trendmicro.com
North America   Oregon                http://autodiscover.tmcae.trendmicro.com

Appendix C
Glossary

Cryptographic Engine
As an integral component of Cloud App Encryption for Office 365, the Cryptographic Engine uses an industry-standard algorithm to encrypt and decrypt email from Microsoft Office 365. The Delegate Listener Component (Delegate Accounts) directs the Cryptographic Engine to encrypt email messages on arrival, while the Protocol Proxy Component (email proxy) directs the engine to decrypt email messages for retrieval.

Delegate Account
A Delegate Account is not associated with an actual person. It is a tenant account that Cloud App Encryption requires in order to integrate with Microsoft Office 365 services. Create a Delegate Account in Microsoft Office 365 so that Cloud App Encryption can access your Microsoft Office 365 mailbox accounts for email encryption. The Delegate Account must have the ApplicationImpersonation and Mailbox Search roles assigned to it.

EAS
Exchange ActiveSync (EAS) is an XML-based protocol that communicates over HTTP (or HTTPS) and is designed to synchronize email, contacts, calendar, tasks and notes from a messaging server to a mobile device. The protocol also provides mobile device management and policy controls.

Exchange Admin Center
Accessed through the Microsoft Office 365 Admin Center (Admin > Exchange), this web-based management console is where you manage email-related items that you cannot manage through the Microsoft Office 365 Admin Center. This includes the management of recipients, permissions, compliance management, organization, protection, mail flow, mobile devices, public folders, and unified messaging.

MAPI
Messaging Application Programming Interface (MAPI) is a protocol used by Microsoft Outlook to communicate with Microsoft Exchange servers.

Office 365 Admin Center
Launched from the top right corner of the navigation bar, the Admin Center is where you perform various administrative tasks for Office 365, including system setup, reports, email services, users and groups, domains, product subscriptions and licenses, policies, service support requests, and additional account services requests.

OWA
Outlook Web App (OWA) is used to access email (including support for S/MIME), calendars, contacts, tasks, documents (used with SharePoint or, in 2010, Office Web Apps), and other mailbox content when access to the Microsoft Outlook Windows client is unavailable.

Trend Micro Key Management Service
This cloud-hosted service manages the encryption keys necessary to protect Microsoft Office 365 email accounts with email encryption and decryption.

Index

C
command line interface
  entering the shell environment, A-2
Command Line Interface
  accessing, A-2
  using, A-2
CPU requirements, 2-2

D
disk space requirements, 2-2

M
memory requirements, 2-2
minimum requirements, 2-2

R
requirements, 2-2

S
shell environment, A-2
system requirements, 2-2