CTE Windows Deployment for LDT AccessOnly nodes
Currently, Windows clients that attempt to access CIFS paths must be part of an LDT Communication Group. The LDT Communication Group assigns the role of primary node to one of the clients, which performs LDT data rekeying. All of the other clients are assigned as secondary nodes, and they do not participate in rekeying data.
This is important to note because there are specific use cases which require that some of the nodes accessing a GuardPoint do not join the LDT Communication Group, such as when:
- Not all of the nodes accessing the GuardPoint are able to communicate with the other servers in the LDT Communication Group because of differences in security policies. Nodes with weaker security policies are left out of the LDT Communication Group so that the group maintains the highest level of security.
- Certain nodes that go through frequent network disconnects should not participate in the LDT Communication Group, again to ensure the highest level of security. Examples are Windows endpoint protection clients or laptop users.
To overcome these limitations, CipherTrust Transparent Encryption has a new feature called Windows AccessOnly. AccessOnly clients:
- Do not participate in data transformation
- Cannot become part of an LDT Communication Group
- Do have permission to access a protected LDT CIFS GuardPoint
The following illustration shows a typical setup for a network with LDT clients and Windows AccessOnly clients:
Note
- An AccessOnly node can set a GuardPoint; however, a node in the LDT Communication Group will be the system that rekeys the GuardPoint.
- When an LDT rekey is in progress, AccessOnly nodes cannot access the files being rekeyed.
Warning
All CTE AccessOnly agents in an LDT Communication Group must have CTE v7.4.0 or a later version installed. Agents running a previous version must be upgraded.
Setup and Configure Windows LDT AccessOnly Nodes on CipherTrust Transparent Encryption
The new role, LDT AccessOnly, can be assigned to any CipherTrust Transparent Encryption Windows client.
- During Agent registration, a new option, AccessOnly (No LDT Transformation), is displayed. Select it to set up the client as a Windows AccessOnly client.
  Note
  If you select this option, the option to specify an LDT Communication Group name is disabled.
- Alternatively, on CipherTrust Manager, in the client details page, there is a checkbox to enable or disable LDT AccessOnly.
Creating the Setup
- On CipherTrust Manager, create a Windows LDT AccessOnly Client Group.
- Add the Windows LDT AccessOnly clients to the Windows Client Group.
-
  - Select the same LDT policy that you used for the clients participating in initial transformation.
  - Mount the same path on each client that participates in the transformation of the GuardPoint, or on the client group containing those clients. Example path: \\192.168.1.100\Share1\Data1.
- Once Windows has fully completed initial data transformation and the status is REKEYED, create the GuardPoint in the Windows Access-Only Client Group. All Windows LDT AccessOnly clients will now be able to guard and access the files.
  - Select the same LDT policy that you used for the clients participating in initial transformation.
  - Mount the same path on each client that participates in the transformation of the GuardPoint, or on the client group containing those clients. Example path: \\192.168.1.100\Share1\Data1.
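Because the procedure above depends on every AccessOnly client seeing the same CIFS path, a pre-flight check before creating the GuardPoint in the AccessOnly client group is useful. The following PowerShell script is an added example, not code from the Thales documentation or the CTE product. It assumes PowerShell remoting (WinRM) is enabled on the clients and that the caller may invoke commands on them; the client hostnames are constructed sample values, and the UNC path is the example path from the page.

```powershell
# Added example (not from the Thales documentation): check that every Windows LDT
# AccessOnly client can reach the same CIFS path before the GuardPoint is created
# in the AccessOnly client group.
# Assumes WinRM remoting is enabled on the clients. Hostnames are constructed
# sample values; the UNC path is the example path from the page.

$AccessOnlyClients = @('ACCESSONLY-01', 'ACCESSONLY-02')   # constructed hostnames
$GuardPointPath    = '\\192.168.1.100\Share1\Data1'        # example path from the page

# Run Test-Path on each client and collect one record per client.
$results = Invoke-Command -ComputerName $AccessOnlyClients -ArgumentList $GuardPointPath -ScriptBlock {
    param($Path)
    [pscustomobject]@{
        Client    = $env:COMPUTERNAME
        Path      = $Path
        Reachable = Test-Path -LiteralPath $Path
    }
}

$results | Format-Table Client, Path, Reachable -AutoSize

# Refuse to continue if any client cannot see the path; the GuardPoint must be
# set on the same path everywhere.
$unreachable = $results | Where-Object { -not $_.Reachable }
if ($unreachable) {
    Write-Error ("GuardPoint path is not reachable from: " + ($unreachable.Client -join ', '))
    exit 1
}
Write-Host "All AccessOnly clients can reach $GuardPointPath."
```

One caveat when reading the output: a remote session accessing a UNC path is a second network hop, so a client that reports the path as unreachable only via Invoke-Command may simply be hitting the Kerberos double-hop restriction rather than a real share problem. Re-run Test-Path locally on that client (or use constrained delegation) before concluding the mount is wrong.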
Limitations
- For existing LDT Communication Group nodes that need to be converted into AccessOnly nodes, you must remove them from the LDT Communication Group before enabling the LDT Access Only option.
Backup/Restore from Access-Only nodes when LDT is in progress
- While LDT is in progress, backup and restore from access-only nodes is not recommended; perform backup and restore from Primary or Secondary nodes in the LDT Communication Group. While LDT is in progress, files under rekey may not be accessible from access-only nodes, so the backup or restore process may fail because file access is denied.
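The failure mode described above is silent from the backup tool's point of view: some files are simply denied. The following PowerShell script is an added example, not code from the Thales documentation or the CTE product, that a backup job on an AccessOnly node can run first so that a rekey in progress stops the job rather than producing a partial backup. It assumes that an open denied by LDT surfaces as an access-denied error (as the page states), and it reports other open failures separately; the UNC path is the example path from the page, and the output format and exit codes are this example's own choices.

```powershell
# Added example (not from the Thales documentation): pre-check for a backup job
# started on a Windows LDT AccessOnly node. Tries to open every file under the
# GuardPoint for read; any access-denied open is treated as a file under rekey
# (assumption based on the page), and the script exits non-zero so the backup
# can be run from a node in the LDT Communication Group instead.
# The UNC path is the example path from the page.

param(
    [string]$GuardPointPath = '\\192.168.1.100\Share1\Data1'
)

$denied      = [System.Collections.Generic.List[string]]::new()
$otherErrors = [System.Collections.Generic.List[string]]::new()
$readable    = 0

Get-ChildItem -LiteralPath $GuardPointPath -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_   # keep the file; $_ is rebound inside catch
        try {
            # Open for read and close immediately; the open itself is what LDT denies.
            $fs = [System.IO.File]::Open($file.FullName, 'Open', 'Read', 'Read')
            $fs.Dispose()
            $readable++
        }
        catch {
            # .NET exceptions reach PowerShell wrapped; inspect the inner exception.
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }
            if ($ex -is [System.UnauthorizedAccessException]) {
                $denied.Add($file.FullName)
            }
            else {
                $otherErrors.Add("{0}: {1}" -f $file.FullName, $ex.Message)
            }
        }
    }

Write-Host ("Readable files: {0}, access denied: {1}, other errors: {2}" -f `
    $readable, $denied.Count, $otherErrors.Count)

if ($denied.Count -gt 0) {
    $denied | Select-Object -First 10 | ForEach-Object { Write-Warning "Denied: $_" }
    Write-Error ("Files under the GuardPoint are not accessible from this AccessOnly node " +
                 "(an LDT rekey may be in progress). Run the backup from a Primary or " +
                 "Secondary node in the LDT Communication Group.")
    exit 1
}
if ($otherErrors.Count -gt 0) {
    $otherErrors | Select-Object -First 10 | ForEach-Object { Write-Warning $_ }
    exit 2
}
Write-Host "No access-denied files found; backup may proceed."
```

The script only opens files for read with shared read access, so it does not interfere with a rekey that is running on a Communication Group node; exit code 1 is reserved for the rekey case so a scheduler can distinguish it from ordinary share errors (exit code 2).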