This article explains requirements and things to consider when setting up Endpoint Encryption to function in an external network, as in a work-from-home setup.
If the customer has a TMEEProxy installed in a DMZ environment, then working from home should have no issues as the clients will function as if they are in the office.
The Endpoint Encryption proxy has the following requirements:
- Traffic Forwarding Service and Client Web Service may not be deployed on the same endpoint as the PolicyServer.
- The default port for the Traffic Forwarding Service is 8080.
- The default port for the Client Web Service is 80.
In environments using both new and legacy Endpoint Encryption agents, configure different ports for Traffic Forwarding Service and Client Web Service.
To Install TMEEProxy:
- Copy the PolicyServer installation folder to the local hard drive.
- Go to the path \TMEE_PolicyServer\Tools\Optional Installations\TMEEProxy Installer and run TMEEProxyInstaller.exe.
- The welcome screen appears.
- The Endpoint Encryption proxy installer analyzes the endpoint.
- Specify the PolicyServer IP address or host name and the port number of the Endpoint Encryption service.
- The installation begins. Wait for the Endpoint Encryption proxy to install.
- After installation completes, note the IP address and port number displayed in the installation screen. Note that this IP address and port will be used in agent installation.
- Click Finish.
- Verify the Client Web Service installation:
- Go to Start > Administrative Tools > Internet Information Services (IIS) Manager. The Internet Information Services (IIS) Manager screen appears.
- Find the previously configured site location.
- Verify that MAWebService2 is configured.
- Verify the Traffic Forwarding Service installation
- Go to Start > Administrative Tools > Services.
- Verify that TMEEForward service has started.
- Traffic Forwarding Service is installed.
Depending on the DNS server type, configure the PolicyServer FQDN based on the following:
- For an internal DNS server, set the PolicyServer FQDN to the IP address of PolicyServer.
- For an external DNS server, set the PolicyServer FQDN to the IP address of the Endpoint Encryption proxy.
If the customer does not have a TMEEProxy in the DMZ, but they have a VPN that allows for connection to the PolicyServer, then they still can sync within Windows and use the tool SyncPassword.exe to update the pre-boot password to the current Active Directory password (assuming they are using Domain Authentication):
- Go to the Full Disk Encryption installation folder \Program Files\Trend Micro\Endpoint Encryption\.
- Run the SyncPassword.exe as Administrator.
- On the application, input the credentials that you want to change.
- Click Continue.
If the customer does not have either a TMEEProxy or a VPN then they should consider the following:
- Set the Full Disk Encryption Local Password of the users to change every . Note that this applies for Fixed Password Users only. The agents must first get the policy on their synchronization beforehand. Navigate to PolicyServer MMC > Group > Policies > Common > Authentication > User Password
- Set the Full Disk Encryption Account Lockout Period. Note that this applies for Fixed Password Users only. The agents must first get the policy on their synchronization beforehand. Navigate to PolicyServer MMC > Group > Policies > Full Disk Encryption > Login.