Table of Contents

Introduction
Setting Up Endpoint Encryption's HTTP Server
How to trust Control Break as a CA
Start Endpoint Encryption's HTTP Server service
Verify Endpoint Encryption HTTP Server Status on the Server

Introduction

This document describes how to set up the Endpoint Encryption HTTP server and install the Northwestern Mutual Certificate. This operation must be completed to allow use of Endpoint Encryption's webhelpdesk and webrecovery tools from this server. In addition, a Firewall Change Request must be submitted, approved, and implemented before setting up Endpoint Encryption's HTTP server to allow HTTPS communication to and from the server through port 449.

This operation can only be performed directly on the server that hosts the Endpoint Encryption Administration database. Use Remotely Anywhere (RA) to access the server and execute the tasks below during an RA session.

NOTE: Throughout this document, as well as in the McAfee Endpoint Encryption product, there are references to SafeBoot in the User Interface. Wherever SafeBoot appears, it refers to the McAfee Endpoint Encryption product.

McAfee, Inc. Page 1 of 27
Setting Up Endpoint Encryption's HTTP Server

NOTE: It is assumed that the Northwestern Mutual Certificate is located in c:\temp.

1. From within an RA session, open the Start menu and select Run. Type MMC.EXE in the Open: dropdown box of the Run screen and click OK. This opens the Microsoft Management Console screen displayed below.
2. Navigate to the Console menu and select the Add/Remove Snap-In menu option as shown below. This action opens the Add/Remove Snap-In screen, displayed behind the active window in the screen print below. Click on the Add button in the Add/Remove Snap-In screen. This opens the Add Standalone Snap-In screen displayed in the active window below.
3. In the Add Standalone Snap-In screen, either double-click the Certificates list item or select the Certificates list item and click the Add button to open the Certificates Snap-In screen displayed below. Choose the Services Account option in the Certificates Snap-In screen. Click the Next button to continue.
4. In the Select Computer screen, choose the Local Computer option as shown below and click the Next button to continue.
5. In the Certificates Snap-In screen, select SafeBoot HTTP Server and click the Finish button.
6. The previous action closes the Certificates Snap-In screen and returns to the Add Standalone Snap-In screen shown below. Close the Add Standalone Snap-In screen by clicking the Close button, hidden below by the Remotely Anywhere notification window.
7. Closing the Add Standalone Snap-In screen returns to the Add/Remove Snap-In screen below. Click the OK button to return to the Microsoft Management Console screen.
8. In the Microsoft Management Console screen, expand the Certificates entry under the Console Root folder.
9. Select the SafeBootHttpServer\Personal entry, then right-click to view the shortcut menu. Choose the All Tasks shortcut menu option, then Import as displayed below to begin to import the HTTP server's SSL certificate.
10. Click Next at the first screen of the Certificate Import Wizard to initiate the import of the SSL certificate.
11. Click on the Browse button in the second screen of the Certificate Import Wizard to present the Open window used to locate the SSL certificate. This file will be in c:\temp, named after the server name: ServerName.yourdomain.com
Note: The temporary certificate is in the \Tools\HTTP Certificates folder of the SafeBoot CD.
12. After locating and selecting the SSL certificate and returning to the Certificate Import Wizard window as shown below, click Next to continue through the wizard.
13. Enter 12345 in the Password: field as shown below, and click Next to continue through the wizard.
14. Accept the default Certificate Store option as shown below (Place all certificates in the following store: SafeBootHTTPServer\Personal) and click Next to continue through the wizard.
15. Review the options displayed in the final screen of the Certificate Import Wizard. Click Finish to import the SSL certificate.
16. The Certificate Import Wizard presents a confirmation dialog box if the import was successful. This confirmation is shown below.
17. Select Certificates as shown below to display the imported SSL certificate in the right-hand pane.
18. Save the MMC console just created. Select the Console menu, then the Save As option.
19. Name the newly-created console Webrecovery, and click the Save button to save the console.
20. Next, edit the following files:
    d:\sbadmin\sbhttp.ini
    d:\sbadmin\sbhttpadmin.ini
    Change
    Server.Ssl.Certname=127.0.0.1
    into
    Server.Ssl.Certname=ntapsh0799m00.test.nmfco.com
21. Stop the SafeBoot HTTP Server service under Services.
How to trust Control Break as a CA

Start Internet Explorer. Fill in https://servername.yourdomain.com and press Enter.

HTTP Server Setup for McAfee Endpoint Encryption

The screen above will appear. Choose View Certificate.

The screen above will appear.
Choose Install Certificate.

The screen above will appear. Press Next and select Place all certificates in the following store.

The screen above will appear. Browse to Trusted Root Certification Authorities.
The screen above will appear. Press OK, Next, Finish, Yes, OK.

NOTE: This action should be performed on every PC that will use this tool. Otherwise you will get a warning every time you start the Webserver.
Start Endpoint Encryption's HTTP Server service

1. Open the Services applet (START->PROGRAMS->Administrative Tools->Services) on the server. Select Settings->Control Panel->Administrative Tools->Services.
2. Select the SafeBoot HTTP Server item in the Services list and right-click the item. Select the Start shortcut menu option to start the service.
3. The SafeBoot HTTP Server should now show a status of Running as shown below.
Verify Endpoint Encryption HTTP Server Status on the Server

1. Open Internet Explorer on the server. Enter the following URL to test that the Endpoint Encryption HTTP Server is operational: https://servername.yourdomain.com. Press Enter to attempt to connect to the HTTP server. You may see a message as shown in the foreground below.
2. The dialog box shown in the foreground below appears when the browser connects with a URL that has an SSL certificate associated with it. Click Yes to proceed. If you get this warning, you still have to trust the SafeBoot CA as described earlier in this document.
3. The SafeBoot Web Helpdesk application will appear in the browser if the HTTP server is operational.
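
A scripted form of the browser check above, added here as an example and not part of the McAfee document: it reads Server.Ssl.Certname from sbhttp.ini (step 20), fetches the certificate the HTTP server presents, and reports whether the name matches, whether the certificate has expired, and whether its issuing CA is trusted on this machine. It assumes Windows PowerShell 3.0 or later, that Server.Ssl.Certname holds the certificate's subject common name, and that you supply your own server's host name and port (the introduction names port 449 for the firewall change).

```powershell
# Added example, not McAfee code. Assumptions: the ini path from step 20, that
# Server.Ssl.Certname holds the certificate's subject common name, and the port.
param(
    [string]$HostName = 'servername.yourdomain.com',  # placeholder used in this document
    [int]$Port = 443,                                 # assumption: pass the port your server listens on
    [string]$IniPath = 'd:\sbadmin\sbhttp.ini'
)

function Get-ConfiguredCertName([string]$Path) {
    # Return the value of the Server.Ssl.Certname line, or nothing if it is absent.
    $line = Get-Content -LiteralPath $Path |
        Where-Object { $_ -match '^\s*Server\.Ssl\.Certname\s*=' } |
        Select-Object -First 1
    if ($line) { ($line -split '=', 2)[1].Trim() }
}

function Get-ServerCertificate([string]$Name, [int]$TcpPort) {
    # Complete a TLS handshake and return the certificate the server presents.
    # The callback accepts any certificate so an untrusted one can still be
    # inspected; trust is evaluated separately with X509Chain below.
    $client = New-Object System.Net.Sockets.TcpClient($Name, $TcpPort)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Name)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

$expected = Get-ConfiguredCertName $IniPath
$cert = Get-ServerCertificate $HostName $Port
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

# Build the chain against this machine's trust stores, without revocation lookups.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($cert)

[pscustomobject]@{
    Subject            = $cert.Subject
    ConfiguredCertname = $expected
    NameMatchesConfig  = ($cn -eq $expected)
    NotAfter           = $cert.NotAfter
    Expired            = ($cert.NotAfter -lt (Get-Date))
    ChainTrusted       = $trusted
    ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```

ChainTrusted is False with an UntrustedRoot status when the issuing CA is not in the trusted root stores available to the account running the script, which is the condition the browser warning in step 2 signals.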