This article lists the common questions regarding an external-facing PolicyServer in Endpoint Encryption.
An external-facing PolicyServer facilitates administrator management and audit reporting from devices both inside and outside a corporate network. With an Internet-facing PolicyServer:
- Devices can report in from any Internet connection
- Administrators gain the ability to Kill/Lock a device via any Internet connection
- Rogue or stolen devices are easier to trace
- End users have additional Remote Help options
- Online password resets are available for Active Directory-enabled enterprises
PolicyServer is a Windows application server backed by a SQL database, using a web service hosted in Microsoft Internet Information Services (IIS) for client communication.
To a packet analyzer, all requests cross the wire as HTTP. Requests to the PolicyServer are plain-text XML; the XML element values are encrypted with Endpoint Encryption's proprietary FIPS 140-2 certified AES-256 encryption. Specifically:
- Connection authentication is achieved through a connection- and device-specific key exchange: consecutive conversations between a client and the server do not use the same communication key, nor do devices share a communication key.
- A communication key serves a single conversation and times out, guarding against replay attacks.
- Communication key exchange uses Diffie-Hellman (DH) inside a tunnel already encrypted with the device's DEK, guarding against man-in-the-middle (MITM) attacks. Except for new installs, a device cannot negotiate a communication key with the server without already being registered to that server.
- New installs negotiate a communication key with DH and must be authenticated with a one-time password or administrator credentials. Once the device has been assigned an encryption key, that key is used to further secure all subsequent communication.
- Devices are authenticated during key exchange.
- Users are authenticated only after the device and the communication channel have been authenticated.
DH key negotiation for communications, device and user authentication, protection from MITM and replay attacks, and proprietary FIPS 140-2 certified encryption together secure all communications.
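The properties listed above (a per-conversation key negotiated with DH, the exchange bound to a key the device was given at registration so a man in the middle cannot substitute its own public value, and keys that time out so captured traffic cannot be replayed) can be seen in a small simulation. The following is an added illustration written for this article, not Endpoint Encryption code; it uses only the Python standard library, stands in for the DEK-encrypted tunnel with an HMAC keyed by the device's DEK, uses the 1024-bit MODP group from RFC 2409 (transcription assumed correct; a deployment would use a larger standardised group), and all names, the 60-second timeout and the device IDs are constructed for the example.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "group 2" 1024-bit MODP prime with generator 2 (assumed transcription).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
SESSION_TTL = 60  # seconds a communications key stays valid (constructed value)


def wrap(dek: bytes, pub: int) -> bytes:
    """Stand-in for the DEK-encrypted tunnel: bind a DH public value to the device key."""
    return hmac.new(dek, pub.to_bytes(128, "big"), hashlib.sha256).digest()


def derive(shared: int, session_id: str) -> bytes:
    """Turn the DH shared secret into a communications key for this conversation only."""
    return hashlib.sha256(shared.to_bytes(128, "big") + session_id.encode()).digest()


def msg_mac(key: bytes, session_id: str, seq: int, body: bytes) -> bytes:
    """Authenticate one message under the conversation key, covering its sequence number."""
    return hmac.new(key, session_id.encode() + seq.to_bytes(4, "big") + body, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.registered = {}  # device_id -> DEK assigned at registration
        self.sessions = {}    # session_id -> [comm_key, expiry, highest_seq_seen]

    def register(self, device_id: str, dek: bytes):
        self.registered[device_id] = dek

    def negotiate(self, device_id, dev_pub, dev_tag, now):
        """Answer a key exchange only for a registered device whose tag verifies under its DEK."""
        dek = self.registered.get(device_id)
        if dek is None or not hmac.compare_digest(dev_tag, wrap(dek, dev_pub)):
            raise PermissionError("unregistered device or tampered exchange")
        b = secrets.randbelow(P - 2) + 1
        srv_pub = pow(G, b, P)
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = [derive(pow(dev_pub, b, P), session_id), now + SESSION_TTL, 0]
        return srv_pub, wrap(dek, srv_pub), session_id

    def receive(self, session_id, seq, body, mac, now):
        """Accept a message only if its session is live, its MAC verifies and its counter is fresh."""
        sess = self.sessions.get(session_id)
        if sess is None:
            return "rejected: unknown session"
        key, expiry, last_seq = sess
        if now > expiry:
            del self.sessions[session_id]  # a timed-out key is discarded, never extended
            return "rejected: communications key timed out"
        if not hmac.compare_digest(mac, msg_mac(key, session_id, seq, body)):
            return "rejected: bad MAC"
        if seq <= last_seq:
            return "rejected: replay"
        sess[2] = seq
        return "accepted"


class Device:
    def __init__(self, device_id: str, dek: bytes):
        self.device_id, self.dek = device_id, dek
        self.session_id, self.key, self.seq = None, None, 0

    def start(self, server: Server, now: float):
        """One DH exchange; both public values are bound to the DEK, so an intermediary
        without the DEK cannot swap in its own value on either leg."""
        a = secrets.randbelow(P - 2) + 1
        my_pub = pow(G, a, P)
        srv_pub, srv_tag, sid = server.negotiate(self.device_id, my_pub, wrap(self.dek, my_pub), now)
        if not hmac.compare_digest(srv_tag, wrap(self.dek, srv_pub)):
            raise PermissionError("server reply not bound to this device's DEK")
        self.session_id, self.key, self.seq = sid, derive(pow(srv_pub, a, P), sid), 0

    def frame(self, body: bytes):
        """Build the next message of the conversation."""
        self.seq += 1
        return self.session_id, self.seq, body, msg_mac(self.key, self.session_id, self.seq, body)


def demo():
    """Exercise the checks; returns the server's verdicts so they can be asserted."""
    now = 1_700_000_000.0  # constructed clock for a deterministic run
    server, dek = Server(), secrets.token_bytes(32)
    server.register("laptop-42", dek)
    device = Device("laptop-42", dek)
    device.start(server, now)
    first_key, out = device.key, {}
    frame = device.frame(b"audit: volume encrypted")
    out["fresh"] = server.receive(*frame, now + 1)
    out["replay"] = server.receive(*frame, now + 2)  # the same frame captured and resent
    out["expired"] = server.receive(*device.frame(b"late"), now + SESSION_TTL + 1)
    try:
        Device("rogue-7", secrets.token_bytes(32)).start(server, now)  # never registered
        out["unregistered"] = "accepted"
    except PermissionError:
        out["unregistered"] = "refused"
    device.start(server, now + SESSION_TTL + 2)  # a new conversation, a new key
    out["new_key_differs"] = device.key != first_key
    return out
```

The per-message sequence number plus the session expiry are what make a captured HTTP request useless to replay, and the DEK-keyed binding of the DH values is what keeps an unregistered endpoint from completing a negotiation at all, which is the behaviour the list above describes for registered devices.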
We do not explicitly secure the IIS web service as part of the install, in order to avoid breaking changes to existing sites that may be present in IIS. Endpoint Encryption recommends that all customers exposing their PolicyServer to the Internet ensure their installations comply with Microsoft best practices to the extent possible, as well as with all internal network security policies and practices. Alternatively, Endpoint Encryption supports installing the PolicyServer behind a reverse proxy, such as Microsoft Internet Security and Acceleration Server, or behind security-hardened load balancers, for organizations that do not wish to (or are organizationally prohibited from) placing IIS unprotected on the Internet.
Because client infrastructures vary widely, general guidance cannot be offered. Contact Trend Micro Technical Support with specific questions or for assistance with professional services guidance on implementing an external-facing PolicyServer.