Deploying a supported Data Loss Prevention server on AWS
This section provides instructions for deploying a supported Data Loss Prevention detection server (Oracle database, Enforce Server, or detection server) on an AWS EC2 instance. It also details how to connect this detection server to an on-premises Enforce Server. These instructions assume that you have deployed an on-premises Enforce Server and that this server is available.
The deployment workflow includes AWS-specific tasks and tasks specific to Symantec Data Loss Prevention.

Step | Action | Description |
|---|---|---|
1 | Choose an AMI. | Log on to the AWS Console and select an AMI that provides an operating system that Data Loss Prevention supports. For example: Microsoft Windows Server 2012 Base - ami-3b83c20b |
2 | Choose an instance type. | Select an EC2 instance type that is suitable for your business requirements. For example: Symantec Data Loss Prevention does not recommend the use of t2.* instance types. |
3 | Configure instance details. | Do not select Request Spot Instances. Spot instances are not supported. Verify that the Network is VPC. EC2 Classic (non-VPC) instance types are not supported. |
4 | Add storage. | Skip this step. You do not need external storage for a Data Loss Prevention detection server. |
5 | Tag the instance. | Optionally you can add metadata tags to help yourself or other administrators organize and locate your EC2 instances. |
6 | Configure the security group. | Specify and configure your own security group. Initially the EC2 instance is open to the Internet and is not secure. You secure the instance by configuring a TCP port that the Enforce Server connects to. You also need to open a firewall rule so that you can connect using RDP. |
7 | Review and launch. | Review the EC2 instance details and click Launch when you are ready. Back at the console, the instance displays Initializing. |
8 | Create and download the private key, or use an existing one previously generated. | Select Create a new key pair. This key pair lets you decrypt the Windows password that you use to log on to the system. Download the key pair. You use the key to log on to the system the first time. If you already generated a key pair, you can use it to log on to the EC2 instance. |
9 | Use the private key to decrypt the Windows password. | Right-click the instance and select Get Windows Password. Select the *.pem file you downloaded. Click Decrypt Password. Write down the decrypted password. You need it to log on to the EC2 instance. |
10 | RDP to the EC2 instance. | RDP to the EC2 instance and log on using the password you decrypted. You may have to disable the operating system firewall to be able to connect using RDP. |
11 | Change the host password. | Alternatively, to avoid having to use the decrypted key password each time, you can change the password. |
12 | Copy the Data Loss Prevention installer to the EC2 instance. | You must copy the Data Loss Prevention installation software to the EC2 instance. You can get the software at Symantec FileConnect using a web browser running on the EC2 instance. Alternatively you can place the software in a cloud or FTP storage site and download it to the EC2 instance. |
13 | Install the Data Loss Prevention software. | Make sure that you select the Hosted Network Prevent option. |
14 | Register the detection server. | Go to the Enforce Server administration console and register the detection server with the Enforce Server by specifying the port. The port must be a registered TCP port in the range of 1024 to 49151. The Enforce Server does not accept well-known ports (0 through 1023) or private ports (49152 through 65535). You must have added this port to an inbound rule for the Security Group. |
15 | Generate custom server certificates. | The default Data Loss Prevention server certificate is not secure. With the Hosted Network Prevent option selected, as recommended in step 13, you do not have a server certificate at all. Either way, you must generate a unique, self-signed server certificate to ensure secure communications between the on-premises Enforce Server and the detection server on AWS. |
16 | Verify your Data Loss Prevention on AWS deployment. | Once you deploy the custom certificate, the Enforce Server should be able to connect to the detection server. |
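Steps 6 and 14 together define what the security group must look like: the detection server port (a registered TCP port, 1024 to 49151) reachable only from the Enforce Server, RDP reachable only from an administrative network, and nothing left open to the Internet. The following checker, an added example that is not part of the Symantec documentation, validates a rule set shaped like the IpPermissions list from EC2 DescribeSecurityGroups against those requirements; the port 10000, the Enforce Server address 203.0.113.10, and the admin subnet 198.51.100.0/24 are constructed sample values.

```python
import ipaddress

# Port range the Enforce Server accepts for a detection server (step 14)
REGISTERED_PORT_MIN, REGISTERED_PORT_MAX = 1024, 49151
RDP_PORT = 3389  # the administrative RDP rule from step 6


def is_registered_port(port):
    """True if the port is in the registered range the Enforce Server requires."""
    return REGISTERED_PORT_MIN <= port <= REGISTERED_PORT_MAX


def check_security_group(permissions, detection_port, enforce_cidr, admin_cidr):
    """Return a list of findings; an empty list means the inbound rules pass.
    `permissions` mimics EC2 IpPermissions (IPv4 rules; only these keys are read)."""
    findings = []
    if not is_registered_port(detection_port):
        findings.append(f"port {detection_port} is outside the registered range")
    # Each expected port may only be reachable from one trusted source network
    allowed = {detection_port: ipaddress.ip_network(enforce_cidr),
               RDP_PORT: ipaddress.ip_network(admin_cidr)}
    seen = set()
    for perm in permissions:
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            if perm.get("IpProtocol") == "-1" or lo is None or hi is None:
                findings.append(f"all-traffic rule from {src}")
                continue
            covered = [p for p in allowed if lo <= p <= hi]
            if hi - lo + 1 > len(covered):
                findings.append(f"rule {lo}-{hi} opens ports beyond the expected ones")
            for port in covered:
                seen.add(port)
                if src.version != allowed[port].version or not src.subnet_of(allowed[port]):
                    findings.append(f"port {port} open from {src}, expected {allowed[port]}")
    findings += [f"port {p} has no inbound rule" for p in allowed if p not in seen]
    return findings


# Constructed sample rules: the initial "open to the Internet" state versus a
# group restricted to the Enforce Server (203.0.113.10) and an admin subnet.
def _rule(port, cidr):
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}

OPEN_RULES = [_rule(10000, "0.0.0.0/0"), _rule(RDP_PORT, "0.0.0.0/0")]
HARDENED_RULES = [_rule(10000, "203.0.113.10/32"), _rule(RDP_PORT, "198.51.100.0/24")]
```

Running `check_security_group(OPEN_RULES, 10000, "203.0.113.10/32", "198.51.100.0/24")` reports both ports as exposed to 0.0.0.0/0, while the hardened rule set returns no findings.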