Hardening the Windows system to support the Endpoint Encryption proxy functionality

    • Updated:
    • 5 Nov 2018
    • Product/Version:
    • Endpoint Encryption 5.0
    • Endpoint Encryption 6.0
    • Platform:
    • N/A
Summary

To keep visibility of the Endpoint Encryption agent while it connects from the Internet, the solution provided by Trend Micro is to deploy the Endpoint Encryption proxy in the DMZ. However, some users may have security concerns about placing a Windows server in the DMZ.

This article provides the steps to harden the Windows system so that its security is improved without impairing the Endpoint Encryption proxy functionality.

Details

This guide is based on the following assumptions:

  • Only Endpoint Encryption 5.0 / 6.0 agents connect to the PolicyServer; legacy agents (3.1.3 or earlier) are not supported.
  • Only the Endpoint Encryption Proxy is installed on the Windows system. If other software is installed, some Windows components cannot be removed because other services may be affected.
  • Windows Server 2016 Standard edition is recommended.

Hardening the Windows system

  1. Ensure Windows Firewall is turned on, and allow TMEEForward to communicate through Windows Firewall.

    Restart TMEEForward.

  2. Prevent PolicyServer MMC or TMCM from connecting to the PolicyServer via the Endpoint Encryption proxy by adding the following registry value:

    1. In the "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Trend Micro\TMEEForward" key, create a string value named "filter" and set its data to "admin".


    2. Restart the TMEEForward service.


    3. Use PolicyServer MMC to connect to the PolicyServer via the Endpoint Encryption proxy. The result should be "Unable to connect to PolicyServer".


      An error event is generated on the Endpoint Encryption proxy whenever PolicyServer MMC or TMCM attempts to connect to the PolicyServer via the Endpoint Encryption proxy.


    4. Configure the firewall between the DMZ and the Intranet to allow only traffic from the Endpoint Encryption proxy to the PolicyServer (port 8080) located in the Intranet. All other traffic should be blocked.
    5. Use a network discovery and security auditing tool (such as nmap) to confirm that only port 8080 and port 5985 (the default port for WS-Management and PowerShell remoting) are open.


    6. Confirm that FDE can now connect to the PolicyServer via the Endpoint Encryption proxy.
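The following PowerShell script is an added audit aid, not part of this article or of the product, that re-checks the hardening steps above from the proxy host itself. It assumes the proxy runs as a Windows service named TMEEForward and that TCP 8080 and 5985 are the only ports the host should expose, as the nmap step expects.

```powershell
# Audit script (added example, not from the article). Run in an elevated PowerShell
# session on the Endpoint Encryption proxy host.
$RegKey  = 'HKLM:\SOFTWARE\WOW6432Node\Trend Micro\TMEEForward'
$Service = 'TMEEForward'      # assumed service name of the Endpoint Encryption proxy
$Allowed = @(8080, 5985)      # the only listening ports the article expects to be open

$findings = @()

# Step 1: Windows Firewall must be enabled for every profile.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True') { $findings += "Firewall profile '$($p.Name)' is disabled" }
}

# Step 2.1: the 'filter' = 'admin' value rejects PolicyServer MMC / TMCM via the proxy.
$filter = (Get-ItemProperty -Path $RegKey -Name filter -ErrorAction SilentlyContinue).filter
if ($filter -ne 'admin') {
    $findings += "Registry value 'filter' is '$filter', expected 'admin' under $RegKey"
}

# Step 2.2: the proxy service must be running after the restart.
$svc = Get-Service -Name $Service -ErrorAction SilentlyContinue
if (-not $svc) {
    $findings += "Service '$Service' not found"
} elseif ($svc.Status -ne 'Running') {
    $findings += "Service '$Service' is $($svc.Status), expected Running"
}

# Step 2.5: local counterpart of the nmap check. Every non-loopback TCP listener
# outside the allowed set is reported together with its owning process.
$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
    Sort-Object LocalPort -Unique
foreach ($l in $listeners) {
    if ($l.LocalPort -notin $Allowed) {
        $proc = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings += "Unexpected listener on TCP $($l.LocalPort) (process: $proc)"
    }
}

if ($findings.Count -eq 0) {
    'All hardening checks passed.'
} else {
    $findings | ForEach-Object { "FAIL: $_" }
}
```

The listener check only sees the host's own view; the nmap scan in step 5 from outside the DMZ firewall remains the authoritative confirmation.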
Category: Configure
Solution Id: 1121318