Mobile agent

Deployment and Installation Center | Data Security Solutions | Version 7.7.x

Applies to:

In this topic:

Data Security, v7.7.x

Deploying the mobile agent

Hardware requirements

Required ports

Installing the mobile agent software

Configuring the mobile agent

Configuring a mobile DLP policy

The mobile agent is a Linux-based appliance that lets you secure the type of email content that is synchronized to users' mobile devices when they connect to the network. This includes content in email messages, calendar events, and tasks.

The mobile agent analyzes content when users synchronize their mobile devices to your organization's Exchange server. If content or data being pushed to their device breaches the organization's mobile DLP policy, it is quarantined or permitted accordingly.

Deploying the mobile agent

In your network, the appliance connects to the Data Security Management Server and to your Microsoft Exchange agent to provide this function. DLP analysis is done on the appliance or on other Data Security servers (rather than on the management server) to optimize performance and balance the load.

Outside your DMZ, the mobile agent connects to any Microsoft ActiveSync-compatible mobile device over 3G and wireless networks, such as i-pads, Android mobile phones, and i-phones. (ActiveSync is a wireless communication protocol used to push resources, such as email, from applications to mobile devices.)

Unlike the protector, the mobile agent appliance acts as a reverse proxy, because it retrieves resources, such as email, from the Exchange server on behalf of the mobile device.

The following diagram illustrates the system architecture of a typical mobile agent deployment. Depending on your network and security requirements, you can also go through an edge device, such as a Microsoft ISA Server, that acts as a reverse proxy to the mobile agent.

For system requirements, see Mobile Agent hardware requirements.

For the default port numbers used by the mobile agent, see Mobile agent. If you have a security policy in place, exclude these ports from that policy so the mobile agent can operate properly. You can lock down or harden your security systems once these ports are open.

Deploying the Data Security mobile agent comprises the following basic steps:

Installing the mobile agent software

Configuring the mobile agent

Configuring a mobile DLP policy

Mobile agent installations include:

A policy engine

Secondary fingerprint repository (the primary is on the management server)

Hardware requirements

The mobile agent is a soft appliance. If you are using your own hardware, it must meet the following hardware requirements:


Mobile Agent	Minimum requirements	Recommended
CPU	4 core processors (for example, Single quad or two dual core processors), 2.0 GHz Intel Xeon or AMD equivalents	4 core processors (for example, Single quad or two dual core processors), 2.0 GHz Intel Xeon or AMD equivalents
Memory	8 GB	8 GB
Hard drives	2 - 72 GB	4 - 146 GB
Disk space	70 GB	292 GB
Hardware RAID	1	1 + 0
NICs	2	2

Required ports

The following ports must be kept open for the mobile agent:


Outbound
To	Port	Purpose
Data Security Management Server	17443	Syslog, forensics, incidents, mobile status
Data Security Management Server	80	Fingerprint sync
Data Security Server	17500-17515*	Consecutive ports that allow communication with Websense agents and machines.
Microsoft Exchange Server	80/443	ActiveSync (user defined using TRITON - Data Security)
Websense Web Security	56992	Linking Service
Other	UDP 123	Inbound/ outbound NTPD (available on the appliance yet disabled by default)
* This range is necessary for load balancing.
Inbound
From	Port	Purpose
Data Security Management Server	5820	Settings deployment
Mobile Devices	80/443	ActiveSync (user defined using TRITON - Data Security)
Data Security Management Server	8892	Management
Data Security Management Server	17500-17515*	Consecutive ports that allow communication with Websense agents and machines.
Anywhere (including the Mobile agent)	22	SSH access
Data Security Server	5443	Release quarantined messages
* This range is necessary for load balancing.

Installing the mobile agent software

The mobile agent must be installed on hardware that meets the requirements described in Mobile Agent hardware requirements. Websense appliances meet these requirements, or you can host the agent on your own Linux-based hardware.


	Note For best performance, make sure that the mobile agent is located in close proximity to the back-end server.

You access the installation wizard for your mobile agent through a putty Command Line Interface (CLI).

To install the mobile agent, do the following:

If you have purchased the Websense V5000 G2 Data Security Appliance, follow the instructions on its quick start poster to rack, cable, and power on the appliance.

If you are using your own hardware:

Use either a direct terminal or connect via serial port to access the command line. For serial port connection, configure your terminal application, such as HyperTerminal or TeraTerm, as follows:

The mobile agent software is provided on an ISO image. Download the image, WebsenseDataSecurityProtector77x.iso, from MyWebsense and burn it to a CD.

Place the CD in the protector's CD drive and restart the machine.

An installer page appears. If you are using a regular keyboard and screen, type kvm and press Enter. If you are using a serial console, press Enter. The machine is automatically restarted.

You're prompted to enter a user name and password. Enter root for user name and admin for password.

To access the wizard, type "wizard" at the command prompt, and press Enter.

You have the option to install the Websense protector software or mobile agent software. Type M for Mobile agent.

Follow the instructions given by the wizard to configure basic settings.

When the wizard requires data entry, it prompts you. In some cases, a default setting is provided:

Capital letter: Shows the default value, such as Yes/no for a yes/No prompt.

Square brackets ([ ]): Shows the current value and is usually followed by text, such as: Press [Enter] to leave as is.

If the default setting is acceptable, press <Enter> to keep the default value.

STEP 1: Accept license agreement

Each time the installation wizard opens, the end-user license agreement appears. Use the page-down/ scroll / space keys to read/scroll to the end of the agreement.

Carefully read the license agreement and when prompted, type yes to accept the license agreement.

STEP 2: Set administrator password

Type in and confirm a new password for the "admin" account. For security reasons, it is best practice to change the default password.

Important

A valid password should be at least 7 characters in length. It should contain at least 2 of the following classes:

If you begin the password with a capital letter or end it with a digit, these characters do not count as one of these classes.

The Operating System (OS) prompts you to change (refresh) your password every 90 days.

STEP 3: Set root password

Type in and confirm a new password for the root user. The root account provides full access to the device and should be used carefully.

Important

A valid password should be at least 7 characters in length. It should contain at least 2 of the following classes:

If you begin the password with a capital letter or end it with a digit, these characters do not count as one of these classes.

STEP 4: Network configuration

Select the network interface (NIC) from the list of available NICs (eth0 by default), or for advanced configuration, type c.

To configure your NIC, choose the NIC index number from the list of NICs that display on the wizard.

To configure the NIC that you selected, do one of the following:

Type e to configure the NIC that you selected. You are prompted to define details for the NIC, such as IP address, network address, and gateway (only for the first NIC that you define). You do not need to specify the gateway for subsequent NICs that you want to define.

Type a to change the current NIC alias address setup.

Type b for LEDs to blink on that port.

Type Enter to exit and continue setting other NICs, if required.

To define the properties for the NIC:

Type the IP address.

Type the network prefix. This is the subnet mask in abbreviated format (number of bits in the subnet mask). The default is 255.255.255.0 for eth0.

Type the IP address for the default gateway to be used to access the network. This configuration is only for the first NIC that you configured.

After you have configured your NIC, you can redefine it (change the IP address, network prefix, or gateway) or remove it (type e, then d) if necessary.


	Note If you type Enter, a list of available NICs display, allowing you to define other NICs.

Type a NIC index number to configure another NIC (or reconfigure the same NIC), or type Enter to finish setting up the NICs and continue to the routing setup.

Type one of the following options:

Enter: Accept the routing configuration.

Index: Modify or delete a routing entry index.

a: Add a routing entry.


	Note If the IP address of the Data Security server is not on the same subnet as the one specified for the mobile management NIC, a gateway is required to tell the mobile agent how to communicate with the Data Security server.

To store these network definitions, type Y.

Note

After you finish routing the configuration, you are prompted to store the network configuration.

If you type n, the network configuration is not saved, and you are prompted to configure the network again.

If you type y, the details for the network configuration are saved and the network service is reloaded with the new parameters. The new parameters, such as IP address, network prefix, and gateway for the NIC display on the wizard.

Type the index number of the Management NIC you have chosen, or type c to define the network parameters. This NIC can be used for other purposes, such as SSH connections, access points for mobile devices, and Exchange communications.

STEP 5: Define the host name

Type the Fully Qualified Domain Name (FQDN) for the mobile appliance.

Type the name to use for the default security certificate in the Subject field.

This can be used to secure the connections between mobile devices and the mobile agent using the default certificate. The default certificate is a self-signed certificate automatically generated by Websense.

STEP 6: Define the domain name server

Optionally, in the wizard, type the IP address of the Domain Name Server (DNS) that will service this mobile agent. A DNS will allow access to other network resources using their names instead of their IP addresses.


	Important Type the IP address of the DNS server if you identify the back-end Exchange server by its host name (using the Data Security GUI) instead of by its IP address.

STEP 7: Set the date, time and time zone

Type the current time zone (to view a list of all time zones, type list).

Type the current date in the following format: dd-mm-yyyy.

Type the current time in the following format: HH:MM:SS. Note that this is a 24-hour clock.

STEP 8: Register with a Data Security Server

In this step, a secure channel will be created connecting the mobile agent to a Data Security Server. This can be the Data Security Management Server or a supplemental server, depending on your set up.

Type the IP address or FQDN of the Data Security Server. Note that this must be the IP address identified when you installed the server machine. It cannot be a secondary IP address.

Type the user name and password for a TRITON - Data Security administrator that has privileges to manage system modules.

Type Enter to exit the wizard. A message displays stating that the configuration was successful.

Step 9: Reboot the mobile agent appliance

For best practice, reboot the mobile agent appliance. You can reboot later if desired. This completes the IPv6 disabling process that the wizard starts.

Final step: Verification

In the Data Security module of TRITON Unified Security Center, verify that the Websense mobile agent is no longer pending and that the icon displays its active status. Refresh the browser.

Click Deploy.

The mobile agent is now ready to be configured. See Configuring the mobile agent for instructions.


	Note If you reboot, make sure that the mobile agent appliance is on before you configure the mobile agent.

Configuring the mobile agent

Log on to TRITON - Data Security.

Navigate to Settings > Deployment > System Modules.

Verify that the mobile agent is available on the System Modules page.

Double-click Mobile agent.

Click the Connection tab, then define the connections: Exchange and Mobile Devices. For more information, see the TRITON - Data Security Help.

For Exchange Connection, supply the domain and name or IP address of the Exchange server. Ensure a port number is specified.

If you select the Use secure connection (SSL) check box, the port number defaults to 443.

If you do not select the Use secure connection (SSL) check box, the port number defaults to 80.


	Important If the Exchange server is specified by name, make sure local resolving is properly configured to resolve this name. In addition, if an edge-like device is used (for example, ISA), ensure there are no loops through the device.

For Mobile Devices Connection, supply the following information: IP address of the mobile agent and port number. To use all IP addresses, select All IP addresses from the IP address drop-down list.


	Note The IP address of the mobile agent was defined during the installation of the mobile device, when configuring the network settings.

Optionally, if you secure connections between mobile devices and the mobile agent, you can use one of 2 certificate options:

Self-signed certificate (default option)

A self-signed certificate is signed by Websense.

Custom certificate

A custom certificate is officially signed by a Certificate Authority (CA).

Click Browse to locate and upload your public certificate.

Click Browse to locate and upload your private key.

Optionally, select the Add chained certificate check box, and click Browse to locate and upload your chained certificate.

For more information, see the TRITON - Data Security Help.

Click the Analysis tab and then select a mode: Blocking or Monitoring. Click the Analysis tab, then configure the Mode.

Note

When you select Blocking mode, it is best practice to:

Select the Allow on fail option (the default option is Block on fail). Selecting Allow on fail enables failed messages to be received on the mobile device. If you do not select Allow on fail, these messages will be dropped and are not tracked nor released.

Define the sender's email address, outgoing mail server, and port to Notify Users of Breach. To do so, navigate to Settings > System > Alerts > Email Properties.

For more information, see TRITON - Data Security Help.

Navigate to Main > Resources > Notifications and select the mobile policy violation template. Add sender details, then use the Outgoing mail server field to define a next hop relay for outbound mail. If you do not, the mobile agent may not send block notifications.

Click Deploy.

Wait for the agent to fully deploy. This may take a few minutes.


	Tip You can also configure the mobile agent for high-availability. High-availability enables mobile devices to run seamlessly and continuously in the event of a system outage (such as hardware or software failure). For more information about configuring the mobile agent for high-availability, refer to the document Mobile DLP agent using cluster solutions.

Configuring a mobile DLP policy

To begin analysis, configure the mobile DLP policy or create a custom policy. To configure the mobile DLP policy, Navigate to Main > DLP Policies > Mobile DLP Policy. See TRITON - Data Security Help for more configuration information.

To create a custom policy, navigate to Main > DLP Policies > Manage Policies. Select Mobile Email on the Destination tab for each rule to support Mobile events.