EMBASSY Remote Administration Server (ERAS) Installation Guide




ERAS Version 2.8
Document Version 1.0.0.24
http://www.wave.com
ERAS v 2.8.2
Wave Systems Corp. 2011

Contents

1. Introduction ... 4
   What's new in this version of ERAS ... 4
   ERAS Functionality ... 4
   Intended Audience ... 6
   Technical Support ... 6
2. ERAS Installation Preparation ... 7
   2.1 Pre-installation checklist ... 7
   2.2 ERAS central management network communication pre-requisites overview ... 9
       General ERAS Snap-in Communication Requirements ... 9
       ERAS Management Model ... 9
       Remote Management from ERAS ... 10
       Load Balancing Configurations ... 10
       Changing ICMP Echo on and ERAS console timeout parameters ... 11
       Define the connection mechanism and order for establishing a session with the remote computer ... 11
   2.3 Server prerequisites ... 12
       Server hardware minimum prerequisites for new installations for up to 2K accounts ... 12
       Server software prerequisites for new installations ... 12
       Database Storage and Consumption ... 13
       Upgrading ERAS from previous versions ... 13
       Upgrade considerations for recovery methods ... 13
       Upgrade considerations for Server Setting UI ... 14
       Windows Server 2008 or Windows 2008 R2 Installation ... 15
       Considerations in a Multi-domain Environment ... 22
       Remember before installing ... 22
       Upgrade Best Practices ... 23
       Upgrading multi-server environments ... 23
   2.4 Client prerequisites ... 24
       Client hardware prerequisites ... 24
       Client software prerequisites ... 24
       ERAS Client Connector installation on Vista/Windows 7 ... 25
       Considerations for redeployment of client machines ... 25

3. ERAS Step-by-Step Installation ... 26
   3.1 ERAS Server and Tools Installation ... 26
       ERAS server uninstall ... 32
       Activate ERAS ... 32
   3.2 Windows 2008 ERAS Post-Installation Step: Add ERAS Service Certificate ... 33
       Post-installation steps for Windows 2008 Server (Enterprise/R2/64-bit) ... 33
       Issuing certificates for ERAS Connector Service ... 34
   3.3 ERAS Remote Management Console Installation ... 35
   3.4 ERAS Helpdesk Installation ... 37
   3.5 Add or remove an Administrative Template (.adm file) ... 41
   3.6 ADMX GPO Installation ... 41
   3.7 GPMC Installation ... 42
       Windows Server 2003 GPMC installation ... 42
       Windows Server 2008 GPMC installation ... 42
       RDP Console Session ... 43
4. ERAS client installation ... 44
   Installation Overview of ERASConnector.msi or ERASProvider.msi ... 44
Appendix I ... 45
   Glossary ... 45
   Select Dell ControlVault Platforms ... 45
Appendix II ... 46
   Database Administrator Installation Steps and Tools ... 46
   Domain Controller Installation (ERASService login failures during the ERAS install) ... 46
   Clean ERAS install requires password for old ERAS service account ... 46
   ERAS and Remote Console Port Settings ... 47

1. Introduction

Welcome and thank you for choosing Wave's EMBASSY Remote Administration Server (ERAS) software. Here you will find the information you need to install, configure and uninstall the EMBASSY Remote Administration Server (ERAS) software. This guide consists of an installation preparation section to prepare and inform the IT personnel or Administrator prior to performing the ERAS installation. Next, an ERAS step-by-step installation section covers all the ERAS components contained on the ERAS installation CD. Section four covers the client components included on the ERAS installation CD. Please read this guide carefully before performing an ERAS installation. This guide, the ERAS Admin Manual and the readme.txt file included with the software provide the information you will need to configure and use ERAS.

What's new in this version of ERAS

- Common Access Card (CAC), PIV-compliant and Smartcard support for authentication to self-encrypting drives. Minimum ESC 2.8 and above required.
- Support of a variety of enrollment use cases for smart cards.
- Challenge Response Recovery Password II. This is now highly configurable to provide several recovery options through the use of policies.
- User interface enhancements in properties for a computer in the Management Console list view:
  o Current View and Expected View in the General tab with a list of postponed operations.
  o Expected View shows the Trusted Drive state after all pending operations have been executed successfully.
- Additional Trusted Drive and BitLocker Drive selection criteria in Search and Reports.
- BitLocker support for FIPS enabled.
- Enhanced recovery, reset and refresh functionality added to Helpdesk.
- Additional management policies in separate ADM or ADMX files.
- Two separate sets (32-bit and 64-bit) of remote client installers. Only one package needs to be installed, based on administrative requirements.

ERAS Functionality:

- BitLocker Central Management: ERAS 2.8 provides central management of BitLocker clients running Microsoft Windows 7 Ultimate and Enterprise.
- Device Management Wizard: enhancements to the management of devices from the wizard, including optimizing user enrollment and locking of self-encrypting drives.
- Configuration Settings User Interface: allows for easily configuring changes to ERAS, including the device tab view, the choice of Trusted Drive password recovery method and auto-enrollment of foreign clients.
- Challenge Response password support: a challenge/response mechanism for self-encrypting drive (SED) access recovery that presents a new challenge and response value each time it is used.
- ProtectDrive Encryption Status: ProtectDrive is a software-encryption drive. The encryption process starts when the user enables locking on the drive and it usually takes some time to complete. At any time, the ERAS administrator can get the encryption status of the drive as a percentage complete. When the drive is 100% encrypted, its status changes to "locked"; otherwise the status remains "unlocked". The decryption process works the same way.
- Disaster Recovery / High Availability: multiple ERAS instances are officially supported in ERAS 2.1 and above. Concurrency issues have been addressed and resolved.

- BIOS and ATA Hard Drive password management (Dell platforms): ERAS can be used to manage a machine's administrator, system, and ATA hard drive passwords remotely. Management actions include set, reset, clear, and view passwords. All actions are logged in the ERAS server logs and reports can be generated as well.
- ControlVault Management (select Dell platforms): management of a secure bank for storing and processing user credentials, which maintains passwords, biometric templates, and security codes. This includes initializing the CV to set the administration password, and user management.
- ERAS Client Connector: allows for client-initiated communication to ERAS.
- Pending Operations: allows ERAS to place management operations in a queue for clients that are unavailable at the time the command was issued.
- Client Audit log consolidation: when a user is authenticated (success or failure) to a self-encrypting drive (SED), an authentication log entry is created on the drive. These logs can be uploaded to ERAS so administrators can view an audit trail for any SED managed by ERAS. Reports can also be generated from these logs on ERAS for further analysis.
- ERAS supports the management of non-trusted domain and workgroup clients.
- First Use Must Change (FUMC) user password management option.
- Remote Pre-Boot upgrade.
- Pre-Boot Custom Screen.
- ERAS Database only installation.
- New Reports:
  o Trusted Drive Management Reports
  o Device Reports
  o User Reports
- Drive Erase Certificate.
- Multiple Trusted Drive support allows management of client primary and secondary (internal and external) drives.
- Built-in search criteria.
- User Interface changes:
  o Drive locking button moved to properties.
  o Drop-down menu for drive selection (platforms with multiple drives).
  o Pop-up for enabling drive locking in the TD initialization wizard.
- 64-bit support on Windows 2003, Windows 2008 and Windows 2008 R2 Server.
- Customizable ERAS Service account support: a customizable ERAS Service account can be defined during installation of the first instance of ERAS Server in the target domain.
- Backward compatibility with ERAS Server 1.7 SP3 clients, without any upgrade required on them.
- Support for Express/Standard/Workgroup/Enterprise editions of Microsoft SQL Server 2005 through 2008 R2. Microsoft SQL Server 2008 and above is recommended.
- Enhanced event logging support.
- ERAS Management Console changes:
  o Find Computers dialog.
  o In the result list view pane, the TD column indicates the number of drives and the drive status.
  o TD icons added to the computer list view. If a computer includes both TPM and TD, the computer icon indicates the presence and status of the TD only.
- The ERAS Administrator Manual PDF (requires Acrobat Reader) is opened by pressing the F1 key inside ERAS.

Intended Audience

This document is intended for system administrators as well as other information technology personnel responsible for installing, deploying and administering the EMBASSY Remote Administration Server (ERAS) software.

What do these mean?

- These items denote: Important actions or tasks that need to be taken by the Admin or User; Preparations, Needed Files or Settings required for a particular action.
- These items denote: Important Information and/or Additional Requirements.
- These items denote: Warning.

Technical Support

Additional information, technical support and contact information for ERAS can be found online:
- Refer to the Wave Systems website http://support.wavesys.com
- E-mail your questions or issues to: support@wavesys.com
- Toll free: (800) WAVE-NET
- Tel: (413) 243-1600
- Fax: (413) 243-0045

2. ERAS Installation Preparation

There must be only one instance of the ERAS repository (database) in the Windows domain. Depending on the deployment and platform management scenarios, the administrator may install and operate several instances of ERAS services in one domain, but sharing one repository (database) is imperative.

2.1 Pre-installation checklist

- Server and client machines must be members of a domain or domain hierarchy; they also work in a multi-domain environment with the appropriate established trust relationships. For non-domain and workgroup client machines please also refer to section five of the ERAS Administrator Manual Part I.
- ADMX or ADM files need to be installed in order to use the Trusted Drive Management (TDM) policies applicable to self-encrypting hard drives in Windows, such as Windows Password Synchronization. Please refer to section four, Managing and Applying Policies, of the ERAS Administration Manual, Part I. Two policies also need to be enabled and configured prior to installation.
- The user installing the ERAS server must log on using a domain account and must be a member of the local administrators group. After installation they can be removed from the local administrators group if desired.
- A domain account, the ERAS service account, must be pre-created for a brand new installation of ERAS Server. Where ERAS Server is being re-installed or upgraded, the logged-in user performing the ERAS installation must NOT be the same as the ERAS Service account. If this is an upgrade of ERAS from a previous version, the previous ERAS service account will be used.
- The ERAS service account must have the "log on as a batch job" privilege on the server where ERAS is installed.
- It is recommended that the ERAS service account password is set to "password never expires" like other service accounts. If there is a regular need to change the password, the password must also be updated in IIS in order for the account to continue operating.
- To facilitate ERAS setup and installation, install the Wave policies and enable and configure the following GPOs:
  o Configure ERASConnector settings
  o Configure ERAS setup parameters
  Note that this defines the server parameters and the ERAS service account used to configure the clients during the ERASConnector install. Refer to Appendix V in Part I of the ERAS Admin Manual.
- The ERAS installer requires the sysadmin role on the Microsoft SQL Server where the database resides, in order to create the database and provision the ERAS service account with the public role. Where the person running the ERAS installer does not have SA privileges, the DBA can run the ERAS installer with a command line parameter to install just the database prior to the ERAS installation. Instructions for the Database Administrator's pre-installation steps are provided in Appendix II of this guide.
- The user installing the ERAS server will create a password for the ERAS database master key: the installation script asks the installer to enter a password, which is used to create an encryption key for the ERAS database. The database password must meet the domain password complexity policy.
- Database Password: this password is required for restoring the database from a backup (NOTE: it is important to retain this password in the event a restore is needed). A backup of the Master Key must be taken as well, since the ERAS database is encrypted. For migration purposes one would also need the Service Master Key.

ERAS Client Communications

The following describes the requirements for ERAS/client communication:

- On the ERAS Server: enable COM+ Network Access and Core Networking.
- On the Client: enable Remote Administration (for WMI).

By default, the dynamic port range in Windows Server 2003 is 1024-5000 for both TCP and UDP. In Windows Server 2008 (and Windows Vista), the dynamic port range is 49152-65535, for both TCP and UDP. In Windows Server 2003 the range always starts with TCP port 1024, and that is hardcoded. In Vista/2008, the starting point of the range can be moved. So if needed, an administrator could tell the servers to use ports 5000 through 15000 for dynamic port allocations, or any boundary or range of ports one prefers.

To define a port range for WMI, do not allow the "Remote Administration" exception; instead open port 135 and a range of ports for RPC (the default is 49152 to 65535). You can open each port one by one, using the UI or a script.

To change the port range on Vista/2008 environments and above, execute the command below, where xxx = start port and yyy = number of ports:

    netsh int ipv4 set dynamicport tcp start=xxx num=yyy

For example:

    netsh int ipv4 set dynamicport tcp start=10000 num=1000

The example above sets your dynamic port range to start at port 10000 and go through port 11000.

For more details and examples of how this command is used, please reference "How dynamic ports have changed in Windows Server 2008 and Windows Vista": http://support.microsoft.com/default.aspx?scid=kb;en-us;929851

For more details on how to configure the port range in the Windows registry, refer to this Microsoft article: http://support.microsoft.com/kb/154596

Vista and Windows 7 clients require that Remote Administration is a selected exception in the firewall.

Port 80 (default) must additionally be open on the ERAS Server to support client initiated management (CIM), such as is performed in asynchronous environments with the use of postponed or queued operations. This is also required for non-trusted domain clients or workgroup computers where WMI communication is not possible. There may also be restricted environments where the requirements only allow communication on a particular port. For more information read the next section, ERAS central management network communication pre-requisites overview.

When installing ERAS Server on Windows 2008 Server, select the "Run as administrator" menu option when right-clicking setup.exe, to avoid permission denied errors caused by privilege restrictions on the logged-in user during installation. Windows 2008 64-bit requires the user to run the ERAS command line utility as Administrator.
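The WMI path above needs TCP 135 plus the whole configured dynamic RPC range open between ERAS and each client. The following is an added example, not part of the ERAS guide, that parses a netsh dynamicport command, computes the range it configures (num is a count of ports), and reports which required ports a constructed set of firewall allow rules fails to cover.

```python
"""Added example (not from the ERAS guide): derive the RPC dynamic port
range from a `netsh int ipv4 set dynamicport tcp start=X num=Y` command
and check a firewall rule set covers every port ERAS needs for WMI
(TCP 135 plus the full dynamic range). Rule sets here are constructed."""
import re
from typing import List, Tuple

Range = Tuple[int, int]  # inclusive (low, high)

NETSH_RE = re.compile(
    r"netsh\s+int(?:erface)?\s+ipv4\s+set\s+dynamicport\s+(tcp|udp)\s+"
    r"start\s*=\s*(\d+)\s+num\s*=\s*(\d+)", re.IGNORECASE)


def parse_netsh_dynamicport(cmd: str) -> Tuple[str, int, int]:
    """Return (protocol, start, num) from a netsh set dynamicport command."""
    m = NETSH_RE.search(cmd)
    if not m:
        raise ValueError(f"not a netsh set dynamicport command: {cmd!r}")
    return m.group(1).lower(), int(m.group(2)), int(m.group(3))


def dynamic_port_range(start: int, num: int) -> Range:
    """num is a count of ports, so the last port is start + num - 1."""
    if start < 1 or num < 1 or start + num - 1 > 65535:
        raise ValueError("range must lie within 1..65535")
    return start, start + num - 1


def uncovered(required: List[Range], allowed: List[Range]) -> List[Range]:
    """Parts of `required` that no `allowed` rule covers, as (low, high)."""
    gaps: List[Range] = []
    for lo, hi in required:
        cursor = lo  # first port in this requirement not yet covered
        for a_lo, a_hi in sorted(allowed):
            if a_hi < cursor:
                continue          # rule ends before our position
            if a_lo > hi:
                break             # rule starts after the requirement
            if a_lo > cursor:
                gaps.append((cursor, a_lo - 1))
            cursor = max(cursor, a_hi + 1)
            if cursor > hi:
                break
        if cursor <= hi:
            gaps.append((cursor, hi))
    return gaps


def wmi_firewall_gaps(netsh_cmd: str, allowed: List[Range]) -> List[Range]:
    """Ports ERAS needs for WMI (135 + dynamic RPC range) missing from `allowed`."""
    _, start, num = parse_netsh_dynamicport(netsh_cmd)
    required = [(135, 135), dynamic_port_range(start, num)]
    return uncovered(required, allowed)


if __name__ == "__main__":
    cmd = "netsh int ipv4 set dynamicport tcp start=10000 num=1000"
    # Constructed rule set: 135 is open, but only half of the dynamic range.
    rules = [(135, 135), (10000, 10500)]
    print(dynamic_port_range(10000, 1000))   # (10000, 10999)
    print(wmi_firewall_gaps(cmd, rules))     # [(10501, 10999)]
```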

Please reference the section of the ERAS Admin Manual covering Client Initiated Management and the command line installation of ERASConnector.msi.

2.2 ERAS central management network communication pre-requisites overview

The following pre-requisites apply to configuring ERAS server and ERAS managed client communication in different deployment scenarios:

General ERAS Snap-in Communication Requirements

ERAS requires communication with all Active Directory domain controllers in all domains containing computer or user objects that are used as managed objects in ERAS. ERAS will also need to be able to establish communication with the Microsoft SQL Server where the ERAS database resides. To enable ERAS connectivity to Active Directory domain controllers and global catalogs in trusted forests, the ports listed in the following article must be opened in any firewall between ERAS and all domain controllers: http://technet.microsoft.com/en-us/library/dd772723(ws.10).aspx

ERAS Management Model

Here a brief explanation is provided of how management takes place in ERAS. When ERAS initiates communication within a domain network, it uses the 128-bit encryption of Windows Management Instrumentation (WMI). If the client machine is unreachable, ERAS sends the task to be performed on the client machine to a queue as a pending operation. If the client machine has the ERASConnector installed, it is able to initiate communication with the server at a configured interval that can be set at the server or upon installation of this client component. Domain clients that have this component installed are capable of asynchronous management, meaning that if they were unavailable or disconnected from the network they can call home once reconnected to receive the commands that have been placed in the queue. This is done using Windows Communication Foundation (WCF). WCF uses AES-256 encryption for this communication. For more detailed information on how this works in ERAS please review section 3.6, Pending Operations, in Part I of the ERAS Administrator Manual.

With the ERAS connector the port requirements are limited to opening a single port, 80 (HTTP) by default, from any managed client to the hosted ERAS. This allows ERAS to respond to the client over the opened connection. No additional ports are required. ERAS uses encrypted web services messaging over the configured port to send and receive management commands and information such as client logs. Please note that this mode (WCF) only supports postponed, asynchronous operations against the managed client; an immediate update can only be initiated by the client. In addition to the above port requirement, any personal firewall or antivirus/anti-spyware on the managed client must be configured to allow the ERASConnector process direct, non-proxied communication to the ERAS server. ERASConnector can be configured to use a port other than the default port 80. To set ERASConnector communication to a different port, follow the details provided in Appendix II of this guide.

Remote Management from ERAS

ERAS supports management of clients in trusted domains using secure, authenticated WMI connections. This mode allows immediate server-initiated management operations without the need to wait for a scheduled client check-in. If this is the only type of communication one wishes to deploy, install ERASProvider and change the settings in the server settings UI to disable pending operations, along with any other appropriate changes, by following the table provided in Appendix III of the ERAS Administration Manual, Part I.

The following ports must be opened in both directions between a managed client and the ERAS server:

- RPC and DCOM: uses port 135 TCP/UDP by default and a set of dynamic ports. Please refer to the following article for more information on RPC and DCOM and how they are used by WMI and other Microsoft services: http://support.microsoft.com/kb/832017
- Please note that the required ports for RPC can be controlled, reduced and customized, on both client and server, by following the guidance in the following Microsoft knowledge base article: http://support.microsoft.com/default.aspx?scid=kb;en-us;154596

If at any time NTLM authentication does not complete during upgrade or installation of ERAS, one must edit the Metabase.xml file. For the steps to edit it, see the ERAS Troubleshooting Guide.

Additional Notes:

- To enable ERAS connectivity to AD domain controllers and global catalogs in trusted forests, the ports listed in the following article must be opened in any firewall between ERAS and all domain controllers: http://technet.microsoft.com/en-us/library/dd772723(ws.10).aspx
- The required ports for RPC can be controlled, reduced and customized, on both client and server, by following the guidance in the following Microsoft knowledge base article: http://support.microsoft.com/default.aspx?scid=kb;en-us;154596

Load Balancing Configurations

ERAS supports configuring multiple ERAS servers connected to a single ERAS backend database (clustered), using a software or hardware load balancer to implement load balancing and failover for client-initiated connections. The load balancer should be configured to load balance the ERAS connector port (port 80 by default) and to use a sticky dynamic or single-IP affinity configuration, ensuring that a TCP connection established by a client is persisted to a specific backend server until it is closed and reopened. No other ports should be load balanced. The ERAS remote console, ERAS Helpdesk and managed clients using the ERAS connector are all supported with the use of load balancers.

Please note that by default ERAS uses ICMP (ping) to validate network connectivity to the client, and DNS to attempt to resolve and locate the client. In environments where this is not possible or desirable, the following ERAS server settings can be changed to influence or disable this default behavior:

Changing ICMP Echo on and ERAS console timeout parameters

ERAS allows changing the default ping behavior and the timeout of the ERAS Console. For these settings refer to Appendix III of the ERAS Admin Manual Part I. Server Setting UI changes are further explained in section 3.5, Part I of the ERAS Admin Manual.

Define the connection mechanism and order for establishing a session with the remote computer

The host resolution order in ERAS is defined by a setting in web.config, located on the server on which ERAS is installed under \Wave Systems\EMBASSY Remote Administration Server\WCFService. The possible values are:

- NetBIOSName: use the computer name. The ERAS server's TCP/IP configuration must include a WINS server.
- PrimaryDnsHostName: use the fully qualified domain name. This option is automatically selected as preferred when ERAS is configured for a multi-domain environment. This option also assumes that a WINS server is configured.
- ConnectionSpecificDnsHostName: use the computer name concatenated with the current DNS suffix.
- IPAddress: use the IP address reported by the ERAS Connector. This attribute can be used only when all remote computers have unique IP addresses.

Note: the last two attributes can be used in networks that do not have WINS servers.

Example of use:

    <setting name="HostResolutionOrder" serializeAs="String">
        <value>ConnectionSpecificDnsHostName</value>
    </setting>
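To see what each resolution attribute produces for a given client record, and why IPAddress is only safe with unique addresses, here is an added example that is not part of the ERAS guide or product. It reads the setting from a constructed web.config fragment (the enclosing settings group element name is a placeholder) and applies it to constructed ERAS Connector client records.

```python
"""Added example (not from the ERAS guide): read HostResolutionOrder from a
web.config fragment and apply it to client records as the guide describes
each attribute, refusing IPAddress when reported IPs are not unique.
The web.config fragment and the client records are constructed sample data."""
import xml.etree.ElementTree as ET
from typing import Dict, List

VALID_ORDERS = ("NetBIOSName", "PrimaryDnsHostName",
                "ConnectionSpecificDnsHostName", "IPAddress")

# Constructed fragment in the .NET applicationSettings layout; the group
# element name is a placeholder, not ERAS's real section name.
SAMPLE_WEB_CONFIG = """<configuration>
  <applicationSettings>
    <PlaceholderSettingsGroup>
      <setting name="HostResolutionOrder" serializeAs="String">
        <value>ConnectionSpecificDnsHostName</value>
      </setting>
    </PlaceholderSettingsGroup>
  </applicationSettings>
</configuration>"""

SAMPLE_CLIENTS = [  # constructed records as an ERAS Connector would report
    {"name": "WS01", "fqdn": "ws01.corp.example.com", "ip": "10.0.0.11"},
    {"name": "WS02", "fqdn": "ws02.corp.example.com", "ip": "10.0.0.12"},
]


def read_host_resolution_order(web_config_xml: str) -> str:
    """Locate <setting name="HostResolutionOrder"> and validate its value."""
    root = ET.fromstring(web_config_xml)
    for setting in root.iter("setting"):
        if setting.get("name") == "HostResolutionOrder":
            value = (setting.findtext("value") or "").strip()
            if value not in VALID_ORDERS:
                raise ValueError(f"unsupported HostResolutionOrder: {value!r}")
            return value
    raise ValueError("HostResolutionOrder setting not present")


def host_for(client: Dict[str, str], order: str, dns_suffix: str) -> str:
    """Build the host string used to reach one client under `order`."""
    if order == "NetBIOSName":
        return client["name"]                       # needs WINS
    if order == "PrimaryDnsHostName":
        return client["fqdn"]                       # preferred in multi-domain
    if order == "ConnectionSpecificDnsHostName":
        return f'{client["name"]}.{dns_suffix}'     # name + current DNS suffix
    return client["ip"]                             # IPAddress from Connector


def resolve_hosts(web_config_xml: str, clients: List[Dict[str, str]],
                  dns_suffix: str) -> Dict[str, str]:
    """Map client name -> host string, enforcing the IPAddress uniqueness caveat."""
    order = read_host_resolution_order(web_config_xml)
    if order == "IPAddress":
        ips = [c["ip"] for c in clients]
        dupes = sorted({ip for ip in ips if ips.count(ip) > 1})
        if dupes:
            raise ValueError(f"IPAddress order requires unique IPs; duplicates: {dupes}")
    return {c["name"]: host_for(c, order, dns_suffix) for c in clients}


if __name__ == "__main__":
    print(resolve_hosts(SAMPLE_WEB_CONFIG, SAMPLE_CLIENTS, "branch.example.com"))
```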

2.3 Server prerequisites:

Server hardware minimum prerequisites for new installations for up to 2K accounts

- System Processor: Minimum: Intel Xeon with EM64T support
- Processor speed: Minimum: 2.0 GHz; Recommended: 2.5 GHz or faster, 4-core or better
- L3 Cache: 8MB
- System Memory: 4GB RAM or better is recommended
- Network: 1GB network interface
- Free Disk Space: Minimum: 10GB; Recommended: 40 GB

A separate server for running Microsoft SQL Server is best practice and should be used to prevent performance issues. Virtualization requirements will vary with configuration; however, evaluations can be done with as little as 2 GB of RAM on a dual-core machine.

Server software prerequisites for new installations

- Operating System: Windows 2003 Server SP2 and Windows 2003 R2 (32-bit only) or Windows 2008 Server (32-bit/64-bit) are all supported. Windows 2008 R2 Standard Edition is the minimum recommended.
- Windows XP with SP2 or SP3 (Management Console Snap-in), or Vista with SP1, or Windows 7
- Domain functional level: Windows 2003 or 2008 and 2008 R2 domain
- Microsoft Management Console 3.0 (MMC)
- Group Policy Management Console with Service Pack 1
- Database choice of: Microsoft SQL Server 2005, 2008 SP1 or 2008 R2 are all supported [Express Edition/Standard Edition/Workgroup Edition/Enterprise Edition]. Microsoft SQL Server 2008 Standard or better is recommended. Please note that ERAS will automatically install the role management to MS SQL 2008 or better on new installations of ERAS only. If one is using Microsoft SQL Server 2005 then you will only be allowed to use Active Directory or an XML file to manage roles in the Authorization Manager.
- Microsoft Internet Information Services 6.0 (IIS) or IIS 7
- .NET Framework 3.5 with Service Pack 1 minimum
- .NET Framework 4.0
- Adobe Acrobat Reader, required to properly launch and read the ERAS Administrator Manual

Database Storage and Consumption

Provided below are estimated database sizes and consumption over time, based on the number of Trusted Drive users. For example, in the first year 1000 SED users would accumulate approximately 634 MB of storage, which includes client authentication logs and recorded event logs. This is provided for long-term planning of storage requirements, based on the event assumptions listed below.

ERAS DB Size Estimates: DB size (MB) per number of TD users

Years of Usage     100,000      50,000      10,000      5,000      1,000
1                   63,433      31,681       6,336      3,168        634
2                  124,492      62,175      12,435      6,217      1,243
5                  307,670     153,657      30,731     15,366      3,073
10                 612,968     306,128      61,226     30,613      6,123
20               1,223,563     611,069     122,214     61,107     12,221
50               3,055,347   1,525,894     305,179    152,589     30,518

Assumptions for particular events:
- Number of Hello per day: 1.0050
- Re-boots per day: 2.0000
- Network Change: 3.0000
- Password Reset/Change: 6.0000

Upgrading ERAS from previous versions

The previous ERAS service account name must be used upon upgrade. It is highly recommended that the deployment of ERAS meets or exceeds the recommended hardware and software requirements mentioned above. Where the current database is Microsoft SQL Server 2005, it is highly recommended to first migrate the ERAS database to Microsoft SQL Server 2008 or better prior to the upgrade. If not, one will not be allowed to later use a database to store the Authorization Manager store. This migration will be done with a Role Manager Store migration database tool when it becomes available from Wave. The upgrade will retain whatever method was previously used for AzMan, which was either the ERASPolicy.xml file or the Active Directory store.

Upgrade considerations for recovery methods

It is important to look at which recovery method is presently being used with the older client (prior to ESC 2.8.x). Regardless of the recovery method used, one will need to install the current Wave policies.
Installing the ERASConnector is highly recommended before upgrading to ESC 2.8.4. It is recommended that recovery policies are not enabled before older clients are upgraded to ESC 2.8.4, because of the following observations about recovery method policies and server settings:
- Older client versions have recovery method limitations; for instance, older clients may never have had user-based recovery support.
- Upgraded clients that already have static recovery set remain manageable as device static recovery.
- Once the server (ERAS should be upgraded first) and all clients are upgraded, it is safe to apply the recovery method policies. Note that upgrading the recovery method may take several minutes.

If the policy recovery setting default (CRRP-II/128) is set and no recovery method policies are set,

then the following is true:
o Upgraded clients set to static recovery remain managed as static recovery
o Newly deployed clients have the recovery method CRRP-II/128-bit set

Note that the older client (prior to ESC 2.8.x) simply ignores SED recovery policies until it has been upgraded. The ERASConnector must also be upgraded. If the older client was initialized with static password recovery, it is expected to retain it after the upgrade as long as no recovery policy has been set.

There is currently no supported direct recovery upgrade path from CRRP-128 to the new CRRP-II recovery in ESC 2.8.x clients. ERAS is expected to sustain recovery on old clients as long as the client has not been upgraded. In these cases it is currently recommended to uninitialize the SED drive, upgrade to the new ESC 2.8.x, and then reinitialize the client SED drive.

Upgrade considerations for the Server Settings UI

Some settings in the ERAS database change when upgrading from an earlier ERAS version. ERAS 2.1 contains transitional changes from web.config to server settings that apply when upgrading to ERAS 2.8.x. For the settings in the current Server Settings window to be preserved, a change must actually be made and saved before upgrading to ERAS 2.8.x. The following action constitutes a change and saves the content to the database before the upgrade: open the current Server Settings and click 'reset all', or make any change and click 'apply'. This saves the server settings in the database so that the new ERAS sees the existing server settings on upgrade and does not overwrite them.

Windows Server 2008 or Windows Server 2008 R2 Installation

The following settings are required as a prerequisite for the ERAS Server on Windows Server 2008 or Windows Server 2008 R2:

1. Using Server Manager, add the following server roles:
   a. Application Server
   b. Web Server (IIS)

2. Select the Web Server (IIS) server role and add/select the following role services:
   a. Application Development (ASP.NET, .NET Extensibility, ASP, ISAPI Extensions, ISAPI Filters)
   b. IIS 6 Management Compatibility (IIS 6 Metabase Compatibility, IIS 6 WMI Compatibility, IIS 6 Scripting Tools, IIS 6 Management Console)
   c. Security -> Windows Authentication

3. Make sure the ASP.NET v2.0.50727 web service extension is present and allowed in the ISAPI and CGI Restrictions list: Administrative Tools -> Internet Information Services (IIS) Manager -> ISAPI and CGI Restrictions (under the IIS section).

Windows 2008: install GPMC. Use Add Features in Server Manager to install the Group Policy Management Console.

4. Windows Communication Foundation (WCF) activation must be enabled (the WCF Activation feature).
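The four steps above can be performed and verified from an elevated PowerShell prompt on Windows Server 2008 R2. The following is an added example, not part of the ERAS guide or Wave's own tooling; the feature identifiers are the Server Manager names assumed for 2008 R2 (confirm them with Get-WindowsFeature on your build), and the ISAPI check assumes the WebAdministration module that ships with IIS 7.5.

```powershell
# Added example (not from the ERAS guide): install the roles, role services and
# features listed in steps 1-4, then verify that the ASP.NET 2.0.50727 ISAPI
# extension is registered and allowed (step 3).
Import-Module ServerManager
Import-Module WebAdministration

# Assumed Server Manager identifiers for Windows Server 2008 R2.
$features = @(
    'Application-Server',                                                              # step 1a
    'Web-Server',                                                                      # step 1b
    'Web-Asp-Net', 'Web-Net-Ext', 'Web-ASP', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter',     # step 2a
    'Web-Metabase', 'Web-WMI', 'Web-Lgcy-Scripting', 'Web-Lgcy-Mgmt-Console',          # step 2b
    'Web-Windows-Auth',                                                                # step 2c
    'GPMC',                                                                            # Group Policy Management Console
    'NET-HTTP-Activation'                                                              # step 4: WCF Activation (HTTP)
)

$missing = Get-WindowsFeature |
    Where-Object { $features -contains $_.Name -and -not $_.Installed } |
    ForEach-Object { $_.Name }

if ($missing) {
    $result = Add-WindowsFeature -Name $missing
    if (-not $result.Success) {
        throw "Feature installation failed: $($result.FeatureResult | Out-String)"
    }
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'A reboot is required before running the ERAS installer.'
    }
} else {
    'All required roles and features are already installed.'
}

# Step 3: ASP.NET v2.0.50727 must be listed and allowed in ISAPI and CGI Restrictions.
# On x64 there are two entries (Framework and Framework64); both are checked.
$aspnet = Get-WebConfiguration -Filter '/system.webServer/security/isapiCgiRestriction/add' -PSPath 'IIS:\' |
    Where-Object { $_.path -match 'v2\.0\.50727\\aspnet_isapi\.dll$' }

if (-not $aspnet) {
    Write-Warning 'ASP.NET v2.0.50727 is not registered in ISAPI and CGI Restrictions; run aspnet_regiis.exe -iru from the v2.0.50727 framework directory.'
} elseif ($aspnet | Where-Object { -not $_.allowed }) {
    Write-Warning 'ASP.NET v2.0.50727 is registered but at least one entry is not allowed.'
} else {
    'ASP.NET v2.0.50727 ISAPI extension is registered and allowed.'
}
```

Add-WindowsFeature resolves dependent features itself, so the Application Server role pulls in the .NET Framework 3.5.1 features it needs. On the original Windows Server 2008 (not R2) the IIS cmdlets are a snap-in rather than a module, so replace Import-Module WebAdministration with Add-PSSnapin WebAdministration.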

Prior to running the ERASConnector installer:
1. The ERASService account must be created in Active Directory.
2. The administrator must deploy and configure the following Wave policies:
   - Configure ERASConnector settings: specify the server name (FQDN) and TCP port that ERASConnector uses when establishing a connection to ERAS. The default TCP port is 80; there is no default server name.
   - Configure ERAS setup parameters: a service account is required by ERAS to connect to the ERAS database and to remotely manage client computers using WMI (Windows Management Instrumentation). Specify a user account in the domain where ERAS is installed, in the form Domain\User.

Now run the ERAS Server installer (Setup.exe) as Administrator by right-clicking the exe and selecting Run as administrator. In Microsoft SQL Server 2008, only the installer account needs to be added and assigned the privileges to create the ERAS database and add the ERAS service account to it. The database installation fails if the installer account does not have sufficient permissions.

ERAS Service certificate creation fails on 64-bit Windows Server 2008 during the ERAS installation. After completing the ERAS installation, run the following from a command prompt opened with Run as Administrator, in \Windows\System32:

makecert.exe -sr localmachine -ss My -pe -sky exchange -n "CN=ERAS Service"

On the Windows Server 2003 family, the Task Scheduler automatically grants this right as necessary.

Considerations in a Multi-domain Environment

A user can manage any computer in a domain that has a trust relationship with the user's own domain. An inter-forest configuration (ERAS server in one forest, clients in another) may or may not require manually adding the corresponding AD configuration entries in the clients' forest.

Remember before installing:
- The domain user account performing the ERASConnector.msi or ERASProvider.msi installation must be a member of the local Administrators group.
- A new ERAS service account must be created in Active Directory prior to performing the install.
- To facilitate ERAS setup and installation, install the policies and enable and configure the following GPOs:
  o Configure ERASConnector settings
  o Configure ERAS setup parameters
  These define the server parameters and the ERAS service account used to configure the clients during the ERASConnector install.
- Installing ERAS on a Domain Controller is not a supported deployment option for production environments; updates or changes to a production Domain Controller can affect the stability and availability of the ERAS Server. ERAS installations on a Domain Controller should expect issues after Microsoft patches are applied to the server operating system.
- The ERAS installer (the logged-on user) must have administrative privileges on the Microsoft SQL Server where the ERAS database will be installed. In Microsoft SQL Server 2008, only the installer account (logged-on user) needs to be added and assigned sufficient permissions to allow creation of the ERAS database. If this is not possible, steps for the DBA to perform the database installation before the ERAS installation are provided at the beginning of Appendix II of this guide. Review the troubleshooting guide for any errors dealing with adding the ERAS service account to the database.

Then follow the regular installation procedure.

Role management and OU delegation: for any user to manage a TPM or Trusted Drive (Manage = perform all operations), the user must be a member of the System Administrator group, and if that user is not a domain administrator, he/she must have delegated write permissions on the OU in which the computer to be managed exists.

Upgrade Best Practices

1. The upgrade is performed by copying the installer package to the machine that hosts the ERAS Server and running setup.exe.
2. ERAS Server and Tools must be upgraded first.
3. ERAS Helpdesk must be installed on the machine where ERAS Server and Tools is installed.
4. ERAS Remote Management Console can be installed on any machine other than the ERAS Server by copying the installer package to that machine and running setup.exe.
5. Before upgrading clients prior to ESC 2.8.x, read the sections on upgrading recovery methods in this guide and in the ERAS Administrator Manual.

The prerequisites must be followed strictly, including the privileges of the user performing the upgrade. Refer to the ERAS Administrator Manual for procedures related to Microsoft SQL backup, and to the Readme.txt for any additional upgrade instructions included with a new version of ERAS.

Upgrading multi-server environments

In an upgrade the same general order as above is followed: first upgrade ERAS Server and Tools, then the Helpdesk, and finally the Remote Consoles.

In a multi-server environment ERAS runs as multiple instances on several machines or virtual machines pointing to a shared database, which may be clustered. It is important to disable communication between the additional instances of the core components (ERAS Server and Tools installations) and the client machines. This is done by disabling network communication on the additional servers that have ERAS Server and Tools installed against the shared database. It can be done in several ways:

1) Disable the network cards on the additional servers: go to Network Connections, right-click the main (client-facing) network adapters and the Microsoft SQL-facing network adapters, and disable them.
If this upgrade is being performed on virtual machines, the administrator will also need access to the VMware or other hypervisor manager to perform these tasks. Alternatively, if the administrators do not have access to the VM consoles, they can shut down IIS on the additional servers running ERAS.

2) Disable IIS from the command line: open an elevated command prompt. Type net stop WAS and press ENTER; type Y and press ENTER to also stop W3SVC. To restart the web server later, type net start W3SVC and press ENTER, which starts both WAS and W3SVC.

2.4 Client prerequisites

Client hardware prerequisites
1. A computing platform that satisfies the requirements to run Microsoft Windows XP, Windows Vista or Windows 7, with:
   o a self-encrypting hard drive for remote TDM support and management
   o a Trusted Platform Module (TPM) for remote TPM management

Client software prerequisites
1. Microsoft Windows XP SP2/SP3, Vista or Windows 7. Note: Windows 2000 is not supported; the ERAS management capabilities are implemented through Windows Management Instrumentation (WMI), which is present in Windows XP, Windows Server 2003 and 2008, Vista and Windows 7.
2. EMBASSY Security Center 2.8.x or greater is recommended; however, ERAS is backward compatible.
3. A domain user with administrative privileges must log on to install the ERAS client configuration scripts.
4. The ERAS client configuration scripts are shipped with the ERAS server and can be distributed via GPO. They are found at <Program Files>\WaveSystems\Embassy Remote Administration Server\Support\Client:
   - ErasProvider_x32.msi and ErasProvider_x64.msi: the ERAS Provider is a single installer that contains all the configuration scripts for remote management of client devices. These packages are recommended for client machines that will only be managed while on the domain and do not require asynchronous management (server-queued actions).
   - ERASConnector_x32.msi and ERASConnector_x64.msi: the ERAS Connector is a single installer that contains all the scripts in the ERAS Provider plus a component responsible for client-initiated management, which retrieves server-queued actions (asynchronous management). This component is needed for management of foreign clients. Foreign clients are workgroup computers or non-trusted-domain computers that are managed by ERAS across the internet or over a designated secured channel such as SSL or IPsec.
   This package can also be used to maintain asynchronous management of domain clients both inside and outside the domain.
   Note: each script installs only on the matching OS architecture (32-bit versus 64-bit).
   Items 1 through 3 must be deployed on each client to allow remote administration from ERAS. Items 4 through 6 meet the communication criteria between ERAS and the client.
5. Verify that the DCOM port, TCP 135, is open on the client machine.
6. If WMI is already used for other systems management functions, the required ports are already open.
7. Vista and Windows 7 clients require that Remote Administration is an enabled exception in the Windows Firewall.
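Items 5 through 7 can be checked from the ERAS server before the client packages are pushed. The following is an added example, not part of the ERAS guide or Wave's tooling: it tests TCP 135, runs a WMI query against root\cimv2 on the client under the caller's credentials, and checks that the ERAS service account resolves, which the Provider/Connector installer needs in order to grant it DCOM and WMI permissions. The client name and the account name are assumptions.

```powershell
# Added example (not from the ERAS guide): check a client's WMI/DCOM prerequisites
# from the ERAS server. Run as a domain user with administrative rights on the client.
$client         = 'wks-0042.corp.example'   # assumed client FQDN
$serviceAccount = 'CONTOSO\ERASService'     # assumed ERAS service account

$report = @{}

# Item 5: the DCOM endpoint mapper must be reachable on TCP 135.
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($client, 135); $report['TCP 135 (DCOM endpoint mapper)'] = $true }
catch { $report['TCP 135 (DCOM endpoint mapper)'] = $false }
finally { $tcp.Close() }

# Items 6-7: a remote WMI query exercises DCOM plus the dynamic RPC ports that the
# Remote Administration firewall group opens; if it fails, those are not open.
try {
    $os = Get-WmiObject -ComputerName $client -Namespace root\cimv2 -Class Win32_OperatingSystem -ErrorAction Stop
    $report['WMI root\cimv2 reachable'] = $true
    $report['Client OS'] = "$($os.Caption) $($os.CSDVersion)".Trim()
} catch {
    $report['WMI root\cimv2 reachable'] = $false
    $report['WMI error'] = $_.Exception.Message
}

# The installer looks the ERAS account up in AD; it must resolve from here as well.
try {
    $sid = (New-Object System.Security.Principal.NTAccount($serviceAccount)).Translate([System.Security.Principal.SecurityIdentifier])
    $report['ERAS service account resolves'] = $sid.Value
} catch {
    $report['ERAS service account resolves'] = $false
}

$report.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

A reachable port 135 alone is not sufficient: DCOM then negotiates a dynamic RPC port, which is why the WMI query is the real test. On a Vista or Windows 7 client the exception from item 7 is enabled from an elevated prompt with netsh advfirewall firewall set rule group="Remote Administration" new enable=yes.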

For upgrades of older ESC clients (prior to ESC 2.8.x), when the client is upgraded to ESC 2.8.2 the recovery policies must first be set as discussed earlier in this guide, and the ERASConnector must be upgraded. To upgrade the ERASConnector, uninstall any previous remoteconfig.msi and ERASConnector.msi before upgrading; the new ERASConnector contains all the required remoteconfig functionality. This step must be done before performing a refresh of the new ESC client from ERAS.

In ERAS 2.1 and above, WMI permissions are configured from the root\cimv2 namespace, therefore the installer must be a domain user with the corresponding (local) privileges.

ERAS Client Connector installation on Vista/Windows 7

Right-click "Run as Administrator" is not available for MSI files on Vista/Windows 7; it is available only for *.exe files. When an MSI is double-clicked with UAC enabled it is not allowed to deploy its payload on the machine. Turning off UAC (see the OS documentation) is one workaround, but running the installer from an elevated prompt avoids it: right-click cmd.exe and select "Run As Administrator" (or start CMD or Explorer from the Run command) and then run the MSI from that command line or from the elevated Explorer window, for example:

msiexec /i erasconnector.msi

Considerations for redeployment of client machines

If the TPM is not cleared when a machine is re-provisioned, ERAS shows the administrator the best known information about the TPM on that platform from the database. This manifests as an inability to detect the TPM status while TPM information is still displayed on the Properties tab. For example, this happens in ERAS when a TPM or TDM platform gets a fresh image and the computer name is reused, or when the platform is not available on the network. Best practice: to prevent this, clear the TPM before redeploying any machine.

3. ERAS Step-by-Step Installation

To begin the installation of ERAS, you must be logged in as a domain administrator or domain user. The ERAS CD contains three folders with independent installer components to facilitate deployment for different configurations within an enterprise environment:

ERAS Server and Tools: contains the installer for the ERAS core server and the snap-in tool.
ERAS Remote Management Console: contains the installer for a remote console that can be installed on any machine within the enterprise, in a single- or multi-domain environment with an established trust. It is supported on Windows XP, Vista and Windows 7. The ERAS Server already has this installed as one of its components.
ERAS Helpdesk: contains the installer for the Helpdesk, which must be installed on the machine where the ERAS core server resides. The Helpdesk can then be accessed from a machine other than the ERAS server through a web browser.

Additionally, the ERAS setup requires installation of the ADMX files on Windows Server 2008 and above, and of the ADM files on Windows Server 2003 systems. These files are located in their respective folders under: <Program Files>\WaveSystems\Embassy Remote Administration Server\Support\Group Policy

3.1 ERAS Server and Tools Installation

Double-click the setup.exe file located in the ERAS Server and Tools folder of the ERAS CD (on Windows Server 2008 machines, right-click it and select Run as administrator). Be patient: it takes a few seconds for the wizard to start. The installation wizard consists of the following steps and screens:

1. Preparing to Install
2. Welcome to InstallShield Wizard screen. Click Next to begin the ERAS installation.

3. Accept the license agreement and click Next.

4. Choose Destination Location screen. Click Next to install ERAS in the appropriate location.
5. An ERAS service account must be defined for the management of ERAS. It can be any user within the domain or a trusted domain. If you are upgrading from a previous version of ERAS, use the default account. Otherwise, pre-create the desired account to be assigned as the ERAS service account; it must exist before installation. Click Next and ERAS continues.
   Note: the ERAS service account name must not contain a space. The next dialog shows the top field greyed out, with a field to enter the password for the pre-created account.

6. Enter the password for the ERAS Service domain account. Note: the password must not contain quotation marks.
7. In the Database server name box, specify the database server in the following format: SQL_SERVER_HOST_NAME[\SQL_INSTANCE_NAME]
   SQL_SERVER_HOST_NAME is the name of the SQL Server on which you want to install the ERAS database. [\SQL_INSTANCE_NAME] is optional, depending on the SQL Server version. For SQL Server Express the instance name is required; if none was specified during the SQL installation it is SQLEXPRESS.

8. Enter the database password and click Next.
   Database Master Password: the master password created here is required if the database needs to be restored from a backup on a different SQL Server instance.
   Database Password: this password is required for restoring the database from a backup. NOTE: it is important to retain this password in case a restore is needed.
   The database master key must also be backed up, since the ERAS database is encrypted. For migration purposes the Service Master Key is needed as well.
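Backing up the two keys named in step 8 is a one-time task for the DBA after the installer has created the database. The following is an added example, not part of the ERAS guide or Wave's tooling, that drives sqlcmd from PowerShell to export the Service Master Key and the ERAS database master key and, as a side effect, confirms that the master key password recorded from step 8 actually opens the key. The instance name, database name and backup directory are assumptions; ERAS's real database name may differ.

```powershell
# Added example (not from the ERAS guide): back up the SQL Server service master key
# and the ERAS database master key so the encrypted database can be restored or
# migrated to another instance. Run as a login with CONTROL SERVER on the instance.
$instance  = 'SQL01\ERAS'            # assumed SQL Server instance
$database  = 'ERAS'                  # assumed ERAS database name
$backupDir = 'D:\Backups\ERASKeys'   # must be writable by the SQL Server service account

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Password protecting the exported key files (store it with the other ERAS passwords).
$exportPwd = Read-Host 'Password to protect the exported key files'
# The database master key password chosen in step 8 of the ERAS installer.
$dmkPwd    = Read-Host 'Database master key password (from ERAS setup)'

# Single quotes must be doubled inside T-SQL string literals.
$e = $exportPwd -replace "'", "''"
$d = $dmkPwd    -replace "'", "''"

$sql = @"
USE master;
BACKUP SERVICE MASTER KEY TO FILE = '$backupDir\smk-$stamp.key' ENCRYPTION BY PASSWORD = '$e';
USE [$database];
-- Opening with the recorded password fails loudly if the password is wrong.
OPEN MASTER KEY DECRYPTION BY PASSWORD = '$d';
BACKUP MASTER KEY TO FILE = '$backupDir\$database-dmk-$stamp.key' ENCRYPTION BY PASSWORD = '$e';
CLOSE MASTER KEY;
"@

$scriptFile = Join-Path $env:TEMP "eras-keys-$stamp.sql"
Set-Content -Path $scriptFile -Value $sql
try {
    # -E: Windows authentication; -b: non-zero exit code on any T-SQL error
    & sqlcmd -S $instance -E -b -i $scriptFile
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
} finally {
    Remove-Item $scriptFile -Force    # the script file contains both passwords
}

Get-ChildItem $backupDir -Filter "*-$stamp.key" | Select-Object Name, Length, LastWriteTime
```

The key files are written by the SQL Server process, not by the user running the script, so the path must be local to the SQL Server host (or a share its service account can write) and the resulting files belong in the same protected location as the database backups.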

9. Click Install to begin the installation.
10. To complete the installation, check the Restart IIS checkbox and click Finish. IIS must be restarted after installation of the ERAS Server.

If at any time NTLM authentication does not complete during upgrade or installation of ERAS, the Metabase.xml file must be edited. For the steps to edit it, see the ERAS Troubleshooting Guide.

ERAS server uninstall

To uninstall the ERAS server, navigate to Control Panel -> Add/Remove Programs -> Embassy Remote Administration Server and click Change/Remove. Follow the prompts to remove the ERAS Server. A server reboot is required.

Activate ERAS

If you are using a trial license, you will be presented with the Enter Product Activation Code dialog box upon launching ERAS. You can exit this dialog until the trial period is over; after that, you must activate the product in order to use it. Activation requires internet access; rule out firewall restrictions during this process to ensure the product can communicate with the activation server. If your organization has a highly restrictive environment that does not allow any internet access, contact customer service for assistance with a manual activation process.

3.2 Windows 2008 ERAS Post-Installation Steps

Add ERAS Service Certificate

These steps are important for communication from ERASConnector.msi to ERAS. If the underlying OS is Windows Server 2008, follow these instructions to allow ERAS to access the private key of the ERAS Service certificate deployed during the ERAS installation:
1. Run mmc.exe on the ERAS Server and open the Certificates snap-in for the computer account on the local computer.
2. Select the ERAS Service certificate under Personal Certificates (Local Computer), right-click and choose All Tasks -> Manage Private Keys.
3. Add the ERAS Service account and assign it Read permissions, if it does not already have them.

Post-installation steps for Windows Server 2008 (Enterprise/R2/64-bit)

On Windows Server 2008 Enterprise, ERAS fails to run and displays "snap-in unable to communicate" when the ERAS Management Console is launched. The ERAS application pool is disabled and reports that the identity of application pool ERAS is invalid. The following post-installation steps must be performed for ERAS to run successfully:
1. Run gpmc.msc and locate the Default Domain Policy of the domain the ERAS server resides in.
2. Edit the Default Domain Policy.
3. Under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment, right-click Log on as a batch job, select Properties and add the ERAS Service account to this policy.
   Note that a right granted in the Default Domain Policy applies to every computer in the domain; if that is not desired, grant it instead in a GPO linked only to the OU containing the ERAS server, or in the server's local security policy.
   Log on as a batch job in other languages: German: Anmelden als Stapelverarbeitungsauftrag; French: Ouvrir une session en tant que tâche.
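Steps 1 to 3 of Add ERAS Service Certificate can be scripted, which is useful when the certificate has been re-created with makecert and the permission has to be re-applied. The following is an added example, not part of the ERAS guide or Wave's tooling: it locates the "CN=ERAS Service" certificate in the machine store, finds the CAPI key container file that Manage Private Keys edits behind the scenes, and grants the service account Read on it. The account name is an assumption; the certificate subject is the one the installer and the makecert command above create.

```powershell
# Added example (not from the ERAS guide): grant the ERAS service account Read access
# to the private key of the "ERAS Service" certificate (equivalent to step 3).
# Run from an elevated PowerShell prompt on the ERAS server.
$serviceAccount = 'CONTOSO\ERASService'   # assumed ERAS service account
$subject        = 'CN=ERAS Service'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No certificate with subject '$subject' and a private key in LocalMachine\My; re-run makecert as described in section 2.3."
}

# makecert -sky exchange creates a CAPI (CSP) key; its container file lives under
# MachineKeys and the Manage Private Keys dialog simply edits that file's ACL.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $container
if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }

$acl  = Get-Acl $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($serviceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

"Thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"
(Get-Acl $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Read is the only right the service needs; do not grant Full Control, as that lets the account replace or delete the key. If more than one "ERAS Service" certificate exists, the script picks the one with the latest expiry, which is the one a fresh makecert run produced.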

Issuing certificates for the ERAS Connector Service

As seen above, on install ERAS installs its own certificate for the ERAS Connector service; this can be verified using the steps in the previous section. To issue your own certificate for the ERAS Connector service, first generate a certificate request and then have the certificate signed, as follows:

A. Generate a Certificate Request
1. Click Start -> Run and type inetmgr.
2. Click the root node in IIS Manager and double-click Server Certificates in the center panel.
3. In the Actions panel on the right, click Create Certificate Request...
4. Fill in the form, setting the Common Name to ERAS Service. On the last page, click the browse button, browse to a directory of your choice and enter a file name, e.g. ERASServiceCert.

B. Get the Certificate Signed
Follow your certificate issuer's procedure for obtaining web service certificates.

C. Import the Certificate into IIS
1. In IIS Manager, click Complete Certificate Request... in the Actions panel.
2. Browse to the directory where the certificate files were extracted, change the file type to *.*, and select the file matching the name you entered in step A.4 above.
3. Enter a suitable friendly name (e.g. ERAS certificate) and click OK.

If the OCSP certificate extension is defined and the client runs on Windows 7, the certificate status is validated according to the OCSP settings in use in the Windows OS.

3.3 ERAS Remote Management Console Installation

The remote console, or snap-in, is an extension of the ERAS server. The ERAS Remote Console can be installed on, and is accessible from, any platform (Windows Server 2003 and 2008, or Windows XP, Vista and Windows 7) connected to the network in single- or multi-domain environments. It is an extended administrator tool for the ERAS server that operates remotely from the actual server platform.

Software prerequisites:
- Microsoft Management Console 3.0 (MMC)
- Windows Server 2003 Service Pack 1 Administration Tools Pack (for use of the Authorization Manager on Windows XP)
- Microsoft Remote Server Administration Tools for Windows Vista (for use of the Authorization Manager on Windows Vista)
- Microsoft Remote Server Administration Tools for Windows 7 (for use of the Authorization Manager on Windows 7)
- .NET Framework 3.5 SP1 (minimum) and .NET Framework 4.0

The key difference during the installation process is pointing the snap-in to the correct location of the ERAS server, since the console's only requirement is to be able to communicate with the ERAS server.

Role Management Considerations: it is highly recommended that role management is done from the main server console. Where Windows Server 2003 is functioning at the Windows 2000 level, the ERASPolicy.xml file is used rather than Active Directory; if you want to manage roles from a remote console, equivalent copies of the XML file must be maintained on all remote consoles and on the main server whenever role assignments are modified.

Note: communication between the remote machine and the server on which ERAS resides must be established for the MMC snap-in to be set up and operate properly. This can be confirmed by pinging the remote machine from the server and vice versa.

Note: after installing the ERAS remote console, it fails to launch when the user does not have write access to the mmc.exe.config file; the user needs write access on the first launch. Solution: on Vista and Windows 7 the user must use the "Run as Administrator" option the first time. To use the Remote Console from Windows Vista or Windows 7 you must run as administrator.

3.4 ERAS Helpdesk Installation

The Helpdesk in ERAS lets designated users retrieve Trusted Drive passwords and reset the TPM lock from a browser. The Helpdesk must be installed on the machine containing the ERAS core server. It is accessible through a web browser from any platform (Windows Server 2003, 2008 and 2008 R2, or Windows XP or Vista) connected to the network in single- or multi-domain environments. This allows non-IT administrative staff to be assigned this task without giving them direct physical access to the server.

Software prerequisites and dependencies:
- ERAS core server (the Helpdesk must be installed on the same machine as ERAS)
- Microsoft Internet Information Services 6.0 (IIS) or IIS 7 (server prerequisite)
- .NET Framework 3.5 SP1 minimum and .NET Framework 4.0 (server prerequisites)

The following screens appear during the Helpdesk installation:
1. Welcome to InstallShield Wizard screen. Click Next to begin the Helpdesk installation.

For the use and operation of the ERAS HelpDesk, refer to the ERAS HelpDesk Guide.

2. Accept the license agreement and click Next.
3. Choose Destination Location screen. Click Next to install the Helpdesk in the appropriate location.

4. Select the ERAS server the Helpdesk will connect to and click Next.
5. Verify the location and click Next to start copying files.

6. Status screen during installation.
7. Check the Restart IIS checkbox and click Finish. IIS must be restarted after installation of the ERAS Helpdesk.

3.5 Add or remove an Administrative Template (.adm file)

To add the provided TDM policies on a Windows Server 2003 system, follow the instructions provided by Microsoft: http://technet.microsoft.com/en-us/library/cc739134(ws.10).aspx

3.6 ADMX GPO Installation

To install the WaveSystemsCorp policies alongside the Windows Server 2008 or Windows Server 2008 R2 GPOs, copy the appropriate files as described below. The %systemroot% location of the PolicyDefinitions folder is typically C:\Windows\PolicyDefinitions, with the language files in C:\Windows\PolicyDefinitions\en-US.

1. Copy the WaveSystemsCorp.admx file to the %systemroot%\PolicyDefinitions folder.
2. Copy the WaveSystemsCorp.adml file to the %systemroot%\PolicyDefinitions\en-US folder.

The above files are located in <Program Files>\WaveSystems\Embassy Remote Administration Server\Support. The associated ADM files are for Windows Server 2003 platforms.

If you need to create a custom profile of policies, follow the instructions for creating a central store. Creating a central store and populating it are described in the following Microsoft document (page 11 to create the central store, page 12 to populate it): http://download.microsoft.com/download/3/b/a/3ba6d659-6e39-4cd7-b3a2-9c96482f5353/managing%20group%20policy%20admx%20files%20step%20by%20step%20guide.doc

3. Determine whether a central store has been created on the primary domain controller. If the domain administrator has created a central store for custom display of ADMX policies, it already exists. If not, create the central store as follows:
   a. On the primary domain controller, create the folder %systemroot%\sysvol\domain\policies\PolicyDefinitions
   b. Create the subfolder %systemroot%\sysvol\domain\policies\PolicyDefinitions\en-US (on an English-language system)
Note that once a central store exists, the policies in it take precedence over those in %systemroot%\PolicyDefinitions.
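Because a central store takes precedence over the local PolicyDefinitions folder, the Wave ADMX/ADML pair has to land in both places, or GPMC will silently keep showing the old (or no) Wave policies. The following is an added example, not part of the ERAS guide or Wave's tooling, that performs steps 1 to 3 from the ERAS server as a domain administrator and verifies each copy. The domain name, the language folder and the ERAS install path (Program Files, not Program Files (x86)) are assumptions.

```powershell
# Added example (not from the ERAS guide): install WaveSystemsCorp.admx/.adml into the
# local PolicyDefinitions folder and, if it exists, into the SYSVOL central store.
$domain = 'corp.example'                                        # assumed AD DNS domain name
$lang   = 'en-US'                                               # language folder for the .adml
$srcDir = Join-Path $env:ProgramFiles 'WaveSystems\Embassy Remote Administration Server\Support'
$admx   = Join-Path $srcDir 'WaveSystemsCorp.admx'
$adml   = Join-Path $srcDir 'WaveSystemsCorp.adml'

foreach ($f in $admx, $adml) { if (-not (Test-Path $f)) { throw "Missing source file $f" } }

function Install-PolicyDefinition {
    param([string]$Root)   # a PolicyDefinitions folder, local or central store
    $langDir = Join-Path $Root $lang
    if (-not (Test-Path $langDir)) { New-Item -ItemType Directory -Path $langDir -Force | Out-Null }

    $copies = @{
        $admx = Join-Path $Root    'WaveSystemsCorp.admx'
        $adml = Join-Path $langDir 'WaveSystemsCorp.adml'
    }
    foreach ($src in $copies.Keys) {
        Copy-Item -Path $src -Destination $copies[$src] -Force
        # Size check: a partial copy (e.g. a full SYSVOL volume) would leave GPMC with a parse error.
        if ((Get-Item $src).Length -ne (Get-Item $copies[$src]).Length) {
            throw "Copy to $($copies[$src]) is incomplete"
        }
    }
    "Installed Wave policy definitions into $Root"
}

# Steps 1-2: the local PolicyDefinitions folder on this server.
Install-PolicyDefinition -Root (Join-Path $env:SystemRoot 'PolicyDefinitions')

# Step 3: the central store, only if the domain administrator has created it.
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
if (Test-Path $central) {
    Install-PolicyDefinition -Root $central
} else {
    Write-Warning "No central store at $central; GPMC on this server will use the local PolicyDefinitions folder."
}
```

Writing to the central store changes SYSVOL, which replicates to every domain controller; do it once from a single administrative session rather than from each ERAS server, and close and reopen GPMC afterwards so it re-reads the definitions.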

3.7 GPMC Installation

Windows Server 2003 GPMC installation
If ERAS is running on Windows Server 2003, the Group Policy Management Console can optionally be incorporated into the ERAS console. The steps are:
1. Run the GPMC installer if it has not been installed.
2. After GPMC is installed, open the ERAS console.
3. Click the File menu and select Add/Remove Snap-in...
4. In the Add/Remove Snap-in window click Add, locate Group Policy Management, select it and click Add in the next window.
5. Click OK in the Add/Remove Snap-in window; GPMC is displayed as the last item in the left pane of the console.

Windows Server 2008 GPMC installation
In Server Manager, use the Add Features Wizard to install GPMC on Windows Server 2008.

RDP Console Session

Errors can appear when expanding any OU in the ERAS console while connected to the console session over RDP. This is repaired by applying the following .NET Framework update: http://www.microsoft.com/downloads/en/details.aspx?familyid=a4f52459-dfe5-4bc3-8f7f-aa688879b1dc&displaylang=en

4. ERAS client installation

Refer to the client installation documentation for EMBASSY Security Center installation instructions. The ERAS client configuration script must also be installed and executed on the client machine. Several MSI files are contained in the Client Configuration folder, as discussed under Client software prerequisites and in the ERAS Admin Manual. The deployable components are located on the server (one for TPM, one for TDM) and can all be pushed via GPO from:

    <Program Files>\WaveSystems\Embassy Remote Administration Server\Support\Client
        ERASProvider.msi
        ERASConnector.msi
    (See Client software prerequisites)

A functional ERAS server should be treated as a prerequisite for deploying ERASConnector.msi or ERASProvider.msi to the client. If ERASConnector or ERASProvider was previously installed while the machine was a member of a different domain, uninstall and reinstall the component on the new domain; this prevents problems resolving the ERAS Service Account name.

Installation overview of ERASConnector.msi or ERASProvider.msi
Either ERASConnector.msi or ERASProvider.msi (packaged with ERAS) does the following:
1) Detects whether TDM has been installed
2) Detects the ERAS account via AD
3) Adds the ERAS account (detected in step 2) and recovery to the DCOM and WMI permissions

Requirements for ERASConnector.msi or ERASProvider.msi to install successfully:
1) TDM has been installed
2) The account that runs the ERASConnector.msi or ERASProvider.msi installer must be able to query the domain
3) The account that runs the ERASConnector.msi or ERASProvider.msi installer must have local administrative privileges

Deployment options, with the above requirements in mind:
1) SCCM or any other client distribution software can be used.
2) Manual installation. The following procedure guarantees successful deployment: run the ERASConnector.msi or ERASProvider.msi installer as a domain user who is a member of the local Administrators group (double-click the installer file).

ERASProvider only allows direct WMI management of clients. For this reason it is highly recommended to install and use ERASConnector in all network environments. For more information about the additional features of ERASConnector, read section 4.5, Installing ERASProvider versus ERASConnector.
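The three installer requirements above are easy to verify before the MSI is pushed, and a failed install is far easier to diagnose with a verbose msiexec log. The following PowerShell script is an added example, not code from Wave Systems or this guide: it runs those checks (elevation, TDM present, the ERAS service account resolvable through AD, which is what the installer does in its own step 2) and then installs ERASConnector.msi unattended. The MSI path, the service account name 'ERASService' and the TDM DisplayName match are placeholders and assumptions.

```powershell
# Added example, not Wave Systems code. Pre-flight checks mirroring the three
# installer requirements, followed by an unattended msiexec run of ERASConnector.msi.
# Assumptions (placeholders): the MSI path, the ERAS service account name
# 'ERASService', and that TDM's Uninstall entry has a DisplayName containing
# 'Trusted Drive Manager'.
param(
    [string]$MsiPath = 'C:\Program Files\WaveSystems\Embassy Remote Administration Server\Support\Client\ERASConnector.msi',
    [string]$ErasServiceAccount = 'ERASService',
    [string]$LogPath = "$env:TEMP\ERASConnector-install.log"
)

# Requirement 3: local administrative privileges (an elevated session).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated session as a domain user in the local Administrators group.'
}

# Requirement 1: TDM already installed (looked up in the Uninstall registry keys).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$tdm = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like '*Trusted Drive Manager*' }
if (-not $tdm) { throw 'Trusted Drive Manager (TDM) is not installed; install it before ERASConnector.' }

# Requirement 2: the installing account can query the domain. Resolve the ERAS
# service account the same way the installer does in its step 2.
try {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
} catch {
    throw 'This computer is not domain-joined; use the command line install from the ERAS Admin Manual for workgroup or non-trusted-domain clients.'
}
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain.GetDirectoryEntry())
$searcher.Filter = "(&(objectCategory=user)(sAMAccountName=$ErasServiceAccount))"
$account = $searcher.FindOne()
if (-not $account) { throw "Cannot resolve '$ErasServiceAccount' in $($domain.Name); the installer would fail at the same step." }
Write-Host "ERAS service account: $($account.Properties['distinguishedname'][0])"

# Unattended install with a verbose log, so a failed DCOM/WMI permission step is visible.
$msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$LogPath`"")
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec exited with code $($proc.ExitCode); see $LogPath" }
Write-Host "ERASConnector installed; log: $LogPath"
```

Run it from an elevated PowerShell prompt as the domain user described in the manual procedure. The same script can be wrapped as an SCCM program; any port or other installer properties for workgroup and non-trusted-domain clients come from the ERAS Admin Manual and are not assumed here.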

Appendix I Glossary

Terms and Definitions

Term       Definition
AD         Active Directory
ADUC       Active Directory Users and Computers
CAC        Common Access Card
ECC        ERAS Client Connector (ERASConnector.msi)
ERAS       EMBASSY Remote Administration Server
ESC        EMBASSY Security Center
ETS        EMBASSY Trust Suite
ERASCMD    ERAS command line utility
FUMC       First Use Must Change
FDE        Full Disk Encryption
GPO        Group Policy Object
IT         Information Technology
MBR        Master Boot Record
MMC        Microsoft Management Console
OS         Operating System
Platform   TPM enabled computing platform
SED        Self-encrypting Drive
SSO        Single Sign-on
TDM        Trusted Drive Manager
TPM        Trusted Platform Module
UI         User Interface
WCF        Windows Communication Foundation
WMI        Windows Management Instrumentation
WPS        Windows Password Synchronization

Select Dell ControlVault Platforms
E6400, E6400 ATG, XFR E6400, E6500, E4300, M4500, Z600, E4200, XT2 XFR, E4310, M4400, E6510, E6410, E6410 ATG, M6400, M6500, M2400

Appendix II Database Administrator Installation Steps and Tools

Command Line Option: ERAS Database Setup Only Install
Many organizations separate the responsibility for installing Microsoft SQL databases. For this purpose a command line option lets the database administrator (DBA) pre-install the ERAS database into MS SQL. Before this installation, review the ERAS server prerequisites in section 2.2 of this guide. The following command must be run before ERAS is installed so that ERAS discovers the database during installation.

Syntax:
    setup.exe /Z"/SETUPTYPE\"ERASDB\" /DBSERVERNAME\"MACHINE\INSTANCE\" /ERASSERVICEACCOUNT\"ERAS_SVC_USERID\" /ERASSERVICEACCOUNTPWD\"ERAS_SVC_USERPWD\" /DBMASTERKEYPWD\"DBMSTKPWD\""

Note that the ERAS service account password and the database master key password are passed in clear text on this command line, where they are visible in process listings and in command line auditing while setup runs. Type the command at an elevated prompt rather than keeping it in a stored script, and clear the console history afterwards.

Domain Controller Installation (ERASService login failures during the ERAS install)
In general, ERAS Server installation on a Domain Controller is not supported. In a DC ERAS deployment scenario, the pre-created ERAS Service account must be granted the Log on as a service right on the DC in question. A Windows Server 2008 R2 DC install additionally requires that the ERAS Service account be granted Log on as a batch job. Pre-create the ERASService account and assign these rights before the ERAS install:
1. Open Domain Controller Security Policy (Start -> All Programs -> Administrative Tools -> Domain Controller Security Policy).
2. In the console tree, go to Security Settings -> Local Policies -> User Rights Assignment.
3. In the details pane, double-click Log on as a service.
4. Click Add User or Group, then add the ERAS Service account to the list of accounts that hold the Log on as a service right.
Note: Because installation of ERAS on a Domain Controller is not supported in a production environment, this information is intended for piloting purposes on an as-needed basis.
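Because these rights reach a DC through the Domain Controllers policy, it is worth confirming the effective assignment on the DC itself before running the ERAS installer rather than trusting the GPO edit. The following PowerShell script is an added example, not code from Wave Systems or this guide: it exports the effective user rights with secedit and checks that the ERAS service account holds SeServiceLogonRight (Log on as a service) and SeBatchLogonRight (Log on as a batch job). The account name 'CONTOSO\ERASService' is a placeholder.

```powershell
# Added example, not Wave Systems code. Checks the effective user rights on this DC
# so the two assignments above are confirmed before the ERAS installer is run.
# Assumption (placeholder): the service account is 'CONTOSO\ERASService'.
param([string]$ErasServiceAccount = 'CONTOSO\ERASService')

# Resolve the account to its SID; secedit lists rights holders as '*<SID>'.
$nt  = New-Object System.Security.Principal.NTAccount($ErasServiceAccount)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the effective user-rights policy (what Group Policy processing actually applied).
$inf = Join-Path $env:TEMP 'user-rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $inf
Remove-Item -Path $inf -ErrorAction SilentlyContinue

$required = [ordered]@{
    SeServiceLogonRight = 'Log on as a service'
    SeBatchLogonRight   = 'Log on as a batch job (Windows Server 2008 R2 DCs)'
}

$missing = @()
foreach ($right in $required.Keys) {
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    # Holders are comma-separated; SIDs are prefixed with '*', account names are bare.
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
    if (($holders -contains $sid) -or ($holders -contains $ErasServiceAccount)) {
        Write-Host "OK       $($required[$right]) [$right]"
    } else {
        Write-Warning "MISSING  $($required[$right]) [$right] for $ErasServiceAccount"
        $missing += $right
    }
}
if ($missing.Count -gt 0) { exit 1 }
```

Run it in an elevated prompt on the DC after a gpupdate /force, since secedit reports the rights as applied, not the GPO as edited. A non-zero exit code means the ERAS installer will hit the same ERASService logon failure the section describes.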
Clean ERAS install requires password for old ERAS service account
ERAS was previously installed on a test server within the domain. The server was then re-imaged and a clean install of ERAS was attempted. ERAS requests a password for the old ERASService account, which has already been removed from Active Directory. This is caused by residual information left on the domain controller, which must be deleted manually:
1. On the Domain Controller, open ADSIEDIT.msc.
2. Browse to ProgramData.
3. Delete the Wave folder.
The installation will now proceed.
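The same cleanup can be scripted, with a dry run first so the operator sees exactly which directory objects are about to be removed. The following PowerShell script is an added example, not code from Wave Systems or this guide: it locates the Wave container under CN=Program Data with the ActiveDirectory module, lists its contents, and deletes it only when -Delete is passed. That the container is named 'Wave' and sits directly under Program Data is an assumption taken from the ADSI Edit steps above.

```powershell
# Added example, not Wave Systems code. Finds and removes the residual 'Wave'
# container that a previous ERAS install left under CN=Program Data in AD, which
# is what the ADSI Edit steps above do by hand. Dry run unless -Delete is given.
# Assumption: the container is named 'Wave' and sits directly under Program Data.
param([switch]$Delete)
Import-Module ActiveDirectory

$programData = 'CN=Program Data,' + (Get-ADDomain).DistinguishedName
$wave = Get-ADObject -LDAPFilter '(cn=Wave)' -SearchBase $programData -SearchScope OneLevel -Properties whenCreated

if (-not $wave) {
    Write-Host "No 'Wave' container under $programData; nothing to clean up."
    return
}

# Show what would be removed so the operator can confirm it belongs to the stale install.
$wave | Select-Object DistinguishedName, ObjectClass, whenCreated | Format-List
$children = Get-ADObject -SearchBase $wave.DistinguishedName -SearchScope Subtree -LDAPFilter '(objectClass=*)'
Write-Host ("{0} object(s) under the container:" -f @($children).Count)
$children | ForEach-Object { Write-Host "  $($_.DistinguishedName)" }

if ($Delete) {
    Remove-ADObject -Identity $wave -Recursive -Confirm:$false
    Write-Host "Removed $($wave.DistinguishedName); the clean ERAS install can proceed."
} else {
    Write-Host 'Dry run; re-run with -Delete to remove the container.'
}
```

Run it as a domain administrator on the DC (or any machine with RSAT). The whenCreated timestamp is the quickest way to confirm the container dates from the old test install rather than a live ERAS server elsewhere in the domain.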

ERAS and Remote Console Port Settings
It may be necessary to configure ERAS and the ERAS Remote Console to use a port other than the default port 80; this is specifically for communication with ERASConnector. The ERASConnector port can be assigned at install time, or more easily set for the whole domain with the policy Configure ERASConnector settings before ERASConnector is run on any client machine in the domain. Workgroup computers and machines in non-trusted domains are handled differently: for these, assign the communication port during the ERASConnector install, following the command line instructions in section five, Part I of the ERAS Admin Manual.

When the port is changed from 80, mmc.exe.config must be configured as well. The file is created in <root>\Windows\System32 and can be edited in Notepad; the edit must be made in ten locations within the file (the service.asmx proxy URL and the nine WCF endpoint addresses). In this example the port is changed to 8080: search for 'http://yourservername/...' and replace it with 'http://yourservername:8080/...'.

After editing the file, set the port binding in IIS. Open IIS Manager, go to Sites/Default Web Site, select Bindings, select the http row and edit the port number to 8080 in the right panel. Then restart IIS from the IIS management panel or run 'iisreset' from the command line.

Example port: 8080
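Editing ten URLs by hand in Notepad is error-prone, and a single missed or mistyped entry leaves the console pointing at a port nothing listens on. The following PowerShell script is an added example, not code from Wave Systems or this guide: it backs up mmc.exe.config, rewrites every ERAS URL for the named server to the new port using the XML structure of the file, warns if the count is not the expected ten, then moves the IIS Default Web Site binding to the new port and restarts IIS. The server name, the file location and the site's default '*:80:' binding are placeholders and assumptions.

```powershell
# Added example, not Wave Systems code. Rewrites the ten ERAS URLs in mmc.exe.config
# to a new port and rebinds the IIS Default Web Site to match, replacing the Notepad
# and IIS Manager steps above. Assumptions (placeholders): the server name,
# the file location, and that the site still carries the default '*:80:' binding.
param(
    [string]$ServerName = 'yourservername',
    [int]$NewPort = 8080,
    [string]$ConfigPath = "$env:SystemRoot\System32\mmc.exe.config"
)

# Keep a copy; a wrong host name here silently breaks the console.
$backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $ConfigPath -Destination $backup

$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true
$cfg.Load($ConfigPath)

# Matches 'http://<server>/' or 'http://<server>:80/' at the start of a URL and
# inserts the new port; URLs already carrying another port are left alone.
$pattern     = '^(http://' + [regex]::Escape($ServerName) + ')(?::80)?(/)'
$replacement = '$1:' + $NewPort + '$2'

$changed = 0
# The URLs live in <setting><value> (the .asmx proxy) and in endpoint address attributes.
foreach ($node in $cfg.SelectNodes('//setting/value | //client/endpoint/@address')) {
    $new = [regex]::Replace($node.InnerText, $pattern, $replacement, 'IgnoreCase')
    if ($new -ne $node.InnerText) {
        $node.InnerText = $new
        $changed++
    }
}

if ($changed -ne 10) {
    Write-Warning "Rewrote $changed URL(s), expected 10; compare $ConfigPath with $backup before continuing."
}
$cfg.Save($ConfigPath)
Write-Host "Updated $changed URL(s) in $ConfigPath (backup: $backup)"

# Move the IIS binding to the new port and restart IIS.
Import-Module WebAdministration
Set-WebBinding -Name 'Default Web Site' -BindingInformation '*:80:' -PropertyName Port -Value $NewPort
iisreset
```

Run it in an elevated prompt on the ERAS server. If Windows Firewall is enabled there, the new port also needs an inbound rule, which the manual procedure does not mention; and ERASConnector clients must be pointed at the same port through the policy or the install-time setting described above.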
Example mmc.exe.config after the change to port 8080. Element, attribute and setting names in .NET configuration files are case-sensitive; this listing uses the conventional casing, so copy names from the installed file rather than retyping them from here. The ten changed URLs are the service.asmx proxy setting and the nine WCF endpoint addresses:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <configSections>
        <sectionGroup name="applicationSettings" type="System.Configuration.ApplicationSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
          <section name="Wave.Eras.Proxy.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
          <section name="Wave.Eras.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
          <section name="Wave.Server.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
        </sectionGroup>
      </configSections>
      <applicationSettings>
        <Wave.Eras.Properties.Settings>
          <setting name="EventLogLevel" serializeAs="String">
            <value>Error</value>
          </setting>
        </Wave.Eras.Properties.Settings>
        <Wave.Eras.Proxy.Properties.Settings>
          <setting name="Wave_Eras_Proxy_ErasWebServiceProxy_ErasWebService" serializeAs="String">
            <value>http://wavx-4l4135vmr2:8080/eras/service.asmx</value>
          </setting>
          <setting name="ErasWebServiceTimeout" serializeAs="String">
            <value>1200</value>
          </setting>
          <setting name="PingTimeout" serializeAs="String">
            <value>2</value>
          </setting>
        </Wave.Eras.Proxy.Properties.Settings>
      </applicationSettings>
      <appSettings>
        <add key="DomainList" value="nextwave.local" />
        <add key="DomainNetBiosName" value="[DomainNetBiosNameValue]" />
        <add key="DomainFQDN" value="[DomainFQDNValue]" />
        <add key="AutoTurnOffTDMLock" value="false" />
        <add key="ComputerListLimit" value="5000" />
        <!-- Specify sync DB with AD time interval in hours -->
        <add key="SyncDBWithADTimeInterval" value="12" />
      </appSettings>
      <system.serviceModel>
        <bindings>
          <wsHttpBinding>
            <binding name="ws" maxReceivedMessageSize="655360" sendTimeout="00:05:00">
              <reliableSession enabled="true" />
            </binding>
          </wsHttpBinding>
        </bindings>
        <client>
          <endpoint address="http://wavx-4l4135vmr2:8080/eraswcfservice/erasservice.svc" binding="wsHttpBinding" bindingConfiguration="ws" contract="Wave.Eras.Wcf.IErasService" name="ws" />
          <endpoint address="http://wavx-4l4135vmr2:8080/eraswcfservice/reportingservice.svc" binding="wsHttpBinding" bindingConfiguration="ws" contract="Wave.Eras.Wcf.IReportingService" name="ws" />
          <endpoint address="http://wavx-4l4135vmr2:8080/eraswcfservice/profileservice.svc" binding="wsHttpBinding" bindingConfiguration="ws" contract="Wave.Eras.Wcf.IProfileService" name="ws" />
          <endpoint address="http://wavx-4l4135vmr2:8080/eraswcfservice/biosservice.svc" binding="wsHttpBinding" bindingConfiguration="ws" contract="Wave.Eras.Wcf.IBiosService" name="ws" />
          <endpoint address="http://wavx-4l4135vmr2:8080/eraswcfservice/tpmservice.svc" binding="wsHttpBinding" bindingConfiguration="ws" contract="Wave.Eras.Wcf.ITpmService" name="ws" />
          <endpoint address="http://wavx-4l4135vmr2:8080/eraswcfservice/trusteddriveservice.svc" binding="wsHttpBinding" bindingConfiguration="ws" contract="Wave.Eras.Wcf.ITrustedDriveService" name="ws" />
          <endpoint address="http://wavx-4l4135vmr2:8080/eraswcfservice/controlvaultservice.svc" binding="wsHttpBinding" bindingConfiguration="ws" contract="Wave.Eras.Wcf.IControlVaultService" name="ws" />
          <endpoint address="http://wavx-4l4135vmr2:8080/eraswcfservice/diskdriveservice.svc" binding="wsHttpBinding" bindingConfiguration="ws" contract="Wave.Eras.IDiskDriveService" name="ws" />
          <endpoint address="http://wavx-4l4135vmr2:8080/eraswcfservice/bitlockerservice.svc" binding="wsHttpBinding" bindingConfiguration="ws" contract="Wave.Eras.IBitLockerService" name="ws" />
        </client>
      </system.serviceModel>
    </configuration>