Creating LDT GuardPoints
Steps to create GuardPoints on individual clients and client groups are similar. GuardPoints can be created on the GuardPoints tab of individual clients and client groups.
Creating LDT GuardPoints on Local Paths
To create an LDT GuardPoint on a client:
Open the Transparent Encryption application.
Select the client or client group on which you want to create a GuardPoint.
Click a client under the Client Name column (Clients > Clients).
Click a client group under the Client Group Name column (Clients > Client Groups).
On the GuardPoints tab, click Create GuardPoint.
Select a Policy. This is a mandatory field.
Click Select next to the Policy field.
Select a Live Data Transformation policy. If no policy exists, create one, as described in Creating Policies.
Click Select.
Select the Type of device to protect. This is a mandatory field. Depending on the platform, the options for an LDT policy are:
Type Windows Linux Description Auto Directory Yes Yes Select for file system directories. Manual Directory No Yes Select for file system directories to be guarded manually. Note
Manual Directory is guarded and unguarded (for example, mounted and unmounted) by running the
secfsd -guard
andsecfsd -unguard
commands. Do not run themount
andumount
commands to swap GuardPoint nodes in a cluster configuration.Specify the Path to be protected. This is a mandatory field. Options to specify the GuardPoint paths are:
Enter/Browse Path: Select this option, and enter the GuardPoint paths by either typing or clicking the Browse button.
Note
A maximum of 200 GuardPaths can be specified using the Enter/Browse Path option.
Browse Method
Click Browse to select a path by browsing the client file system. This method prevents typographical errors and verifies client availability. This is the recommended method to specify individual paths.
File system of a client that is not registered with the CipherTrust Manager cannot be browsed.
In the Search Local Path field, specify a starting path and click Refresh or select from the on-screen file system browser.
Click Add.
Manual Method
Alternatively, if you know the path, manually enter full paths of one or more directories in the given text box. Enter one path per line.
Upload CSV: Select this option and click Browse to upload the CSV file containing the list of one or more directories. This is the recommended method to specify a large number of paths in one step.
Note
If a manually entered path does not yet exist, be sure to enter the path correctly. The CipherTrust Manager does not parse manually entered paths for correct syntax.
See Considerations Before Creating GuardPoints for what to be aware of before creating a GuardPoint.
If multiple paths are specified, they will all be protected by the same policy.
A maximum of 1000 GuardPaths per CSV file can be uploaded.
Configure the Preserve Sparse Region toggle. The toggle is turned on by default.
Caution
If you turn off the Preserve Sparse Region toggle, you are prompted to confirm the action. This is an irreversible action.
(Optional, Windows only) Select Secure Start to enable the Secure Start feature. By default, the check box is clear.
If you plan not to enable the Secure Start now, you can do that later, as described in Enabling Secure Start for GuardPoints.
(Optional, Windows only). Select Multifactor Authentication Refer to Multifactor Authentication for details.
Click Create. A message appears prompting to confirm the reuse of these GuardPoint settings on another path.
Click Yes to use the same settings on another path. The Use Settings on Another Path dialog box is displayed. Perform the following steps:
In the Search Local Path field, specify a starting path and click Refresh or select from the on-screen browser.
Click Add Path. The newly added path appears under the Paths list on the left. Similarly, add as many paths as required.
Click OK.
Click No if you do not want to use the same settings on another path.
Depending on the number of paths you add to a GuardPoint, a status information message may appear. Refer to GuardPoint Status Information for details.
The newly created GuardPoint appears on the GuardPoints tab. The status remains Unknown
until the client sends the response after processing the GuardPoint request. Click the Refresh GuardPoints icon () to view the updated status.
Status of a GuardPoint can be checked at any time on the GuardPoints tab. Refer to Viewing GuardPoint Status for details.
An LDT GuardPoint is applied automatically according to the QoS settings configured in the linked profile. Refer to Creating a Profile and Setting Quality of Service Configuration.
Refer to Creating LDT GuardPoints on SMB/NFS Paths for information on creating LDT GuardPoints on CIFS (SMB) and NFS shares.
Creating LDT GuardPoints on SMB/NFS Paths
You can apply LDT GuardPoints on:
CIFS/SMB paths, for CTE Windows clients
NFS paths, for Linux clients
Before applying LDT GuardPoints:
Ensure that the LDT capability is enabled for the client. LDT capability can be enabled during the CTE Agent installation or later through the CipherTrust Manager console.
Ensure that the File Header Support (FHS) capability is enabled on the Windows clients. By default, this capability is turned on when installing a compatible CTE Agent on a Windows client. Refer to the CTE Agent Quick Start Guide for details.
Note
FHS on Windows paths and their browsing are supported CTE Agent 7.1.0.84 onward.
To create an LDT over SMB/NFS GuardPoint on a client:
Open the Transparent Encryption application.
Click Clients > Clients.
Under Client Name, click the LDT client on which you want to create a GuardPoint.
In the GuardPoints tab, click Create GuardPoint.
Select a Policy. This is a mandatory field.
Click Select.
Select a Live Data Transformation policy. If no policy exists, create one, as described in Creating Policies.
Click Select.
Select Auto Directory as the Type of device to protect. This is a mandatory field.
Specify the Path to be protected. This is a mandatory field. Options to specify the GuardPoint paths are:
Enter/Browse Path: Select this option, and enter GuardPoint paths (network paths) manually or click the Browse button.
Note
Paths of only one type can be specified at once - either local or network, not a mix of both.
A maximum of 200 GuardPaths can be specified using the Enter/Browse Path option.
Browse Method
In the text box, type the Windows SMB share (in the format,
\\nas-machine-hostname\share
or\\nas-machine-ip\share
) or Linux NFS path (in the format,/opt/nfs_shared_path1/
).Note
Mount the Linux NFS path on the agent machine before applying guard point.
Click Browse if you want to specify a lower-level network path. This method prevents typographical errors and verifies client availability. This is the recommended method to specify individual paths.
File system of a client that is not registered with the CipherTrust Manager cannot be browsed.
Click Select Client to select the Windows or Linux client.
Select Network Path as the Path Type.
Specify the User Name and Password to access the desired network path on the NAS machine.
(Optional) Specify the Domain where the NAS machine exists.
In the Search Network Path field, specify a starting path and click Refresh or select from the on-screen network path browser.
Click Add. The selected paths appear on the right.
Manual Method
Alternatively, if you know the network path, manually enter full network paths in the given text box. Enter one path per line.
Upload CSV: Select this option and click Browse to upload the CSV file containing the list of one or more directories. This is the recommended method to specify a large number of paths in one step.
Note
If a manually entered path doesn't exist, be sure to enter the path correctly. The CipherTrust Manager doesn't parse manually entered paths for correct syntax.
See Considerations Before Creating GuardPoints for what to be aware of before creating a GuardPoint.
If multiple paths are specified, they will all be protected by the same policy.
A maximum of 1000 GuardPaths per CSV file can be uploaded.
(Windows only) Select the desired SMB Connection if the GuardPaths are on an SMB share.
This drop-down list is displayed when you specify a Windows SMB share in the Path field.
Note
An SMB connection must already exist on the CipherTrust Manager before you can apply GuardPoints to an SMB share. Creating an SMB connection requires credentials to access the share. Refer to Connection Manager for details.
(Applicable only for Client Groups) Select a Designated Primary Set from the dropdown options. See Adding Designated Primary Set to a Client Group for creating Designated Primary Set.
Configure the Preserve Sparse Region toggle. The toggle is turned on by default.
Caution
If you turn off the Preserve Sparse Region toggle, you are prompted to confirm the action. This is an irreversible action.
(Optional) Select Secure Start to enable the Secure Start feature. By default, the check box is clear.
If you plan not to enable the Secure Start now, you can do that later, as described in Enabling Secure Start for GuardPoints.
(Optional, Windows only). Select Multifactor Authentication Refer to Multifactor Authentication for details.
Click Create.
Depending on the number of paths you add to a GuardPoint, a status information message may appear. Refer to GuardPoint Status Information for details.
The newly created GuardPoint appears on the GuardPoints tab. The status remains Unknown
until the client sends the response after processing the GuardPoint request. Click the Refresh GuardPoints icon () to view the updated status.
Status of a GuardPoint can be checked at any time on the GuardPoints tab. Refer to Viewing GuardPoint Status for details.
An LDT GuardPoint is applied automatically according to the QoS settings configured in the linked profile. Refer to Creating a Profile and Setting Quality of Service Configuration.
Refer to Creating LDT GuardPoints on Local Paths for information on creating LDT GuardPoints on local filesystem paths.
Note
All clients in the Client Group should be part of LDT Communication Group. See Managing LDT Communication Groups for more details.
Clients within a Client Group should either be all Windows clients or all Linux clients.
To create an LDT over SMB/NFS GuardPoint on a client group:
Open the Transparent Encryption application.
Click Clients > Client Groups.
Click the LDT client group name on which you want to create a GuardPoint.
In the GuardPoints tab, click Create GuardPoint.
Select a Policy. This is a mandatory field.
Click Select.
Select a Live Data Transformation policy. If no policy exists, create one, as described in Creating Policies.
Click Select.
Select Auto Directory as the Type of device to protect. This is a mandatory field.
Specify the Path to be protected. This is a mandatory field. Options to specify the GuardPoint paths are:
Enter/Browse Path: Select this option, and enter GuardPoint paths (network paths) manually or click the Browse button.
Note
Paths of only one type can be specified at once - either local or network, not a mix of both.
A maximum of 200 GuardPaths can be specified using the Enter/Browse Path option.
Browse Method
In the text box, type the Windows SMB share (in the format,
\\nas-machine-hostname\share
or\\nas-machine-ip\share
) or Linux NFS path (in the format,/opt/nfs_shared_path1/
).Note
Mount the Linux NFS path on the agent machine before applying guard point.
Click Browse if you want to specify a lower-level network path. This method prevents typographical errors and verifies client availability. This is the recommended method to specify individual paths.
File system of a client that is not registered with the CipherTrust Manager cannot be browsed.
Click Select Client to select the Windows or Linux client.
Select Network Path as the Path Type.
Specify the User Name and Password to access the desired network path on the NAS machine.
(Optional) Specify the Domain where the NAS machine exists.
In the Search Network Path field, specify a starting path and click Refresh or select from the on-screen network path browser.
Click Add. The selected paths appear on the right.
Manual Method
Alternatively, if you know the network path, manually enter full network paths in the given text box. Enter one path per line.
Upload CSV: Select this option and click Browse to upload the CSV file containing the list of one or more directories. This is the recommended method to specify a large number of paths in one step.
Note
If a manually entered path doesn't exist, be sure to enter the path correctly. The CipherTrust Manager doesn't parse manually entered paths for correct syntax.
See Considerations Before Creating GuardPoints for what to be aware of before creating a GuardPoint.
If multiple paths are specified, they will all be protected by the same policy.
A maximum of 1000 GuardPaths per CSV file can be uploaded.
(Windows only) Select the desired SMB Connection if the GuardPaths are on an SMB share.
This drop-down list is displayed when you specify a Windows SMB share in the Path field.
Note
An SMB connection must already exist on the CipherTrust Manager before you can apply GuardPoints to an SMB share. Creating an SMB connection requires credentials to access the share. Refer to Connection Manager for details.
(Applicable only for Client Groups) Select a Designated Primary Set from the dropdown options. See Adding Designated Primary Set to a Client Group for creating Designated Primary Set.
Configure the Preserve Sparse Region toggle. The toggle is turned on by default.
Caution
If you turn off the Preserve Sparse Region toggle, you are prompted to confirm the action. This is an irreversible action.
(Optional) Select Secure Start to enable the Secure Start feature. By default, the check box is clear.
If you plan not to enable the Secure Start now, you can do that later, as described in Enabling Secure Start for GuardPoints.
(Optional, Windows only). Select Multifactor Authentication Refer to Multifactor Authentication for details.
Click Create.
Depending on the number of paths you add to a GuardPoint, a status information message may appear. Refer to GuardPoint Status Information for details.
The newly created GuardPoint appears on the GuardPoints tab. The status remains Unknown
until the client sends the response after processing the GuardPoint request. Click the Refresh GuardPoints icon () to view the updated status.
Status of a GuardPoint can be checked at any time on the GuardPoints tab. Refer to Viewing GuardPoint Status for details.
An LDT GuardPoint is applied automatically according to the QoS settings configured in the linked profile. Refer to Creating a Profile and Setting Quality of Service Configuration.
Refer to Creating LDT GuardPoints on Local Paths for information on creating LDT GuardPoints on local filesystem paths.