Creating LDT GuardPoints
Steps to create GuardPoints on individual clients and client groups are similar. GuardPoints can be created on the GuardPoints tab of individual clients and client groups.
Creating LDT GuardPoints on Local Paths
To create an LDT GuardPoint on a client:
Open the Transparent Encryption application.
Select the client or client group on which you want to create a GuardPoint.
Click a client under the Client Name column (Clients > Clients).
Click a client group under the Client Group Name column (Clients > Client Groups).
On the GuardPoints tab, click Create GuardPoint.
Select a Policy. This is a mandatory field.
Click Select next to the Policy field.
Select a Live Data Transformation policy. If no policy exists, create one, as described in Creating Policies.
Click Select.
Select the Type of device to protect. This is a mandatory field. Depending on the platform, the options for an LDT policy are:
Type Windows Linux Description Auto Directory Yes Yes Select for file system directories. Manual Directory No Yes Select for file system directories to be guarded manually. Note
Manual Directory is guarded and unguarded (for example, mounted and unmounted) by running the
secfsd -guard
andsecfsd -unguard
commands. Do not run themount
andumount
commands to swap GuardPoint nodes in a cluster configuration.Specify the Path to be protected. This is a mandatory field. Options to specify the GuardPoint paths are:
Enter/Browse Path: Select this option, and enter the GuardPoint paths by either typing or clicking the Browse button.
Note
A maximum of 200 GuardPaths can be specified using the Enter/Browse Path option.
Browse Method
Click Browse to select a path by browsing the client file system. This method prevents typographical errors and verifies client availability. This is the recommended method to specify individual paths.
File system of a client that is not registered with the CipherTrust Manager cannot be browsed.
In the Search Local Path field, specify a starting path and click Refresh or select from the on-screen file system browser.
Click Add.
Manual Method
Alternatively, if you know the path, manually enter full paths of one or more directories in the given text box. Enter one path per line.
Upload CSV: Select this option and click Browse to upload the CSV file containing the list of one or more directories. This is the recommended method to specify a large number of paths in one step.
Note
• If a manually entered path does not yet exist, be sure to enter the path correctly. The CipherTrust Manager does not parse manually entered paths for correct syntax.
• See Considerations Before Creating GuardPoints for what to be aware of before creating a GuardPoint.
• If multiple paths are specified, they will all be protected by the same policy.
• A maximum of 1000 GuardPaths per CSV file can be uploaded.Configure the Preserve Sparse Region toggle. The toggle is turned on by default.
Caution
If you turn off the Preserve Sparse Region toggle, you are prompted to confirm the action. This is an irreversible action.
(Optional, Windows only) Select Secure Start to enable the Secure Start feature. By default, the check box is clear.
If you plan not to enable the Secure Start now, you can do that later, as described in Enabling Secure Start for GuardPoints.
Click Create. A message appears prompting to confirm the reuse of these GuardPoint settings on another path.
Click Yes to use the same settings on another path. The Use Settings on Another Path dialog box is displayed. Perform the following steps:
In the Search Local Path field, specify a starting path and click Refresh or select from the on-screen browser.
Click Add Path. The newly added path appears under the Paths list on the left. Similarly, add as many paths as required.
Click OK.
Click No if you do not want to use the same settings on another path.
Depending on the number of paths you add to a GuardPoint, a status information message may appear. Refer to GuardPoint Status Information for details.
The newly created GuardPoint appears on the GuardPoints tab. The status remains Unknown
until the client sends the response after processing the GuardPoint request. Click the Refresh GuardPoints icon () to view the updated status.
Status of a GuardPoint can be checked at any time on the GuardPoints tab. Refer to Viewing GuardPoint Status for details.
An LDT GuardPoint is applied automatically according to the QoS settings configured in the linked profile. Refer to Creating a Profile and Setting Quality of Service Configuration.
Refer to Creating LDT GuardPoints on CIFS/SMB Paths for information on creating LDT GuardPoints on Windows SMB shares.
Creating LDT GuardPoints on CIFS/SMB Paths
LDT GuardPoints on CIFS/SMB paths can be applied to CTE Windows clients that have the LDT on CIFS (File Header Support, FHS) capability turned on. This capability can be turned on when installing a compatible CTE Agent on a Windows client. Refer to the CTE Agent Quick Start Guide for Windows for details.
Note
LDT on CIFS on Windows paths and their browsing are supported CTE Agent 7.1.0.84 onward.
An SMB connection must already exist on the CipherTrust Manager before you can apply GuardPoints to an SMB share. Creating an SMB connection requires credentials to access the share. Refer to Connection Manager for details.
To create an LDT over CIFS GuardPoint on a client:
Open the Transparent Encryption application.
Select the client or client group on which you want to create a GuardPoint.
Click a client under the Client Name column (Clients > Clients).
Click a client group under the Client Group Name column (Clients > Client Groups).
On the GuardPoints tab, click Create GuardPoint.
Select a Policy. This is a mandatory field.
Click Select next to the Policy field.
Select a Live Data Transformation policy. If no policy exists, create one, as described in Creating Policies.
Click Select.
Select Auto Directory as the Type of device to protect. This is a mandatory field.
Specify the Path to be protected. This is a mandatory field. Options to specify the GuardPoint paths are:
Enter/Browse Path: Select this option, and enter GuardPoint paths by either manually typing the network paths or clicking the Browse button.
Note
• Paths of only one type can be specified at once - either local or network, not a mix of both.
• A maximum of 200 GuardPaths can be specified using the Enter/Browse Path option.Browse Method
In the text box, type the Windows SMB share (in the format,
\\nas-machine-hostname\share
or\\nas-machine-ip\share
).Click Browse if you want to specify a lower-level network path. This method prevents typographical errors and verifies client availability. This is the recommended method to specify individual paths.
File system of a client that is not registered with the CipherTrust Manager cannot be browsed.
Select Network Path as the Path Type.
Specify the User Name and Password to access the desired network path on the NAS machine.
(Optional) Specify the Domain where the NAS machine exists.
In the Search Network Path field, specify a starting path and click Refresh or select from the on-screen network path browser.
Click Add.
Manual Method
Alternatively, if you know the network path, manually enter full network paths in the given text box. Enter one path per line.
Upload CSV: Select this option and click Browse to upload the CSV file containing the list of one or more directories. This is the recommended method to specify a large number of paths in one step.
Note
• If a manually entered path does not yet exist, be sure to enter the path correctly. The CipherTrust Manager does not parse manually entered paths for correct syntax.
• See Considerations Before Creating GuardPoints for what to be aware of before creating a GuardPoint.
• If multiple paths are specified, they will all be protected by the same policy.
• A maximum of 1000 GuardPaths per CSV file can be uploaded.When you specify a Windows SMB share, the SMB Connection drop-down list is displayed. You need to select the desired SMB connection (described in the next step).
Select the desired SMB Connection if the GuardPaths are on an SMB share.
Configure the Preserve Sparse Region toggle. The toggle is turned on by default.
Caution
If you turn off the Preserve Sparse Region toggle, you are prompted to confirm the action. This is an irreversible action.
(Optional) Select Secure Start to enable the Secure Start feature. By default, the check box is clear.
If you plan not to enable the Secure Start now, you can do that later, as described in Enabling Secure Start for GuardPoints.
Click Create. A message appears prompting to confirm the reuse of these GuardPoint settings on another path.
Click Yes to use the same settings on another path. The Use Settings on Another Path dialog box is displayed. Perform the following steps:
Select Network Path as the Path Type.
Specify the following:
User Name and Password to access the desired network path on the NAS machine.
(Optional) Domain where the NAS machine exists.
In the Search Network Path field, specify a starting network path and click Refresh or select from the on-screen browser.
Click Add Path. The newly added path appears under the Paths list on the left. Similarly, add as many paths as required.
Click OK.
Click No if you do not want to use the same settings on another path.
Depending on the number of paths you add to a GuardPoint, a status information message may appear. Refer to GuardPoint Status Information for details.
The newly created GuardPoint appears on the GuardPoints tab. The status remains Unknown
until the client sends the response after processing the GuardPoint request. Click the Refresh GuardPoints icon () to view the updated status.
Status of a GuardPoint can be checked at any time on the GuardPoints tab. Refer to Viewing GuardPoint Status for details.
An LDT GuardPoint is applied automatically according to the QoS settings configured in the linked profile. Refer to Creating a Profile and Setting Quality of Service Configuration.
Refer to Creating LDT GuardPoints on Local Paths for information on creating LDT GuardPoints on local filesystem paths.