Endpoint Encryption 6.0 Patch 1 includes backwards compatibility to manage all 5.0 versions of Endpoint Encryption as well as authenticate and perform commands on legacy agents (3.1.3 and earlier). Endpoint Encryption uses different architecture for 3.1.3 and earlier agents from 5.0 and later agents, so Endpoint Encryption requires different traffic forwarding services to manage communications between agents and servers.
The Endpoint Encryption Proxy manages the following services:
Traffic Forwarding Service
The Traffic Forwarding Service directs network traffic between Endpoint Encryption 5.0 and later agents and PolicyServer residing in different local area networks. Endpoint Encryption 5.0 and later agents communicate using RESTful. The Traffic Forwarding Service sits between the agents and PolicyServer to prevent insecure policy access. The Traffic Forwarding Service installer configures the TMEEForward service that runs on the Endpoint Encryption Proxy endpoint.
Client Web Service
The Client Web Service directs traffic between legacy Endpoint Encryption agents (3.1.3 and earlier) and PolicyServer residing in different local area networks. Legacy Endpoint Encryption agents communicate using SOAP. Client Web Service sits between the legacy Endpoint Encryption agents and the PolicyServer Windows Service to prevent insecure policy access. The Client Web Service installer configures the MAWebService2 (Legacy Web Service), which is the same Microsoft IIS service installed by the PolicyServer installer in environments that do not use a proxy.
To create a network topology that includes endpoints of different versions, separately deploy services to an endpoint residing in the network DMZ, and configure PolicyServer safely behind a firewall. Install the Endpoint Encryption proxy on the separate endpoint to direct and filter traffic between Endpoint Encryption agents and PolicyServer.
For an example network scenario including legacy agents, see Deployment Including Legacy Agents.
The Endpoint Encryption proxy has the following requirements:
Traffic Forwarding Service and Client Web Service may not be deployed on the same endpoint as PolicyServer.
The default port for the Traffic Forwarding Service is 8080.
The default port for the Client Web Service is 80.
In environments using both new and legacy Endpoint Encryption agents, configure different ports for Traffic Forwarding Service and Client Web Service.
The welcome screen appears.
The Endpoint Encryption proxy installer analyzes the endpoint.
The installation begins. Wait for the Endpoint Encryption proxy to install.
This IP address and port will be used in agent installation.
The Internet Information Services (IIS) Manager screen appears.
Client Web Service is installed.
The Services screen appears.
Traffic Forwarding Service is installed.
After installation, Full Disk Encryption and File Encryption agents start to use the network configuration provided during installation.
If there is a possibility that agent endpoints may be migrated to an different server or network during its use, consider providing the PolicyServer FQDN instead of the IP address during installation. FQDN offers more options in working with network configurations.
After installing the Endpoint Encryption proxy, use the PolicyServer FQDN when setting up new installations of Full Disk Encryption and File Encryption. The Endpoint Encryption proxy bridges the connection to PolicyServer, and enables devices to connect even when it is outside the network.
Depending on the DNS server type, configure the PolicyServer FQDN as follows: