Solution
The new Self-Enrollment feature provides automatic activation for systems that are on the same local network as the ESET Endpoint Encryption (EEE) Server. When a user logs into their domain account, the EEE Server is contacted and the ESET Endpoint Encryption client is automatically provided with the user’s key-file and activation information.
This provides a seamless experience for the user, especially when roaming, since a user can log into a new workstation without needing to activate EEE.
Once Self-Enrollment is completed, the EEE Server and client communicate through the Cloud Proxy. Key-File updates, Full Disk Encryption and all the EEE functions continue to operate as usual.
To use Self Enrollment, users must be in the Active Directory that is queried by the EEE Server to identify and enroll the user. If a user is unable to activate using Self-Enrollment, for example, they may are not connected to the LAN, then traditional activation can still be used. The user can be sent an activation email, with a clickable activation button, or the activation code can be typed in manually.
Setup Guide
- Enable ESET Endpoint Encryption Server Direct Communications—ESDirect
This option is enabled by default on new installations of the EEE Server (v2.8.0 or later). Self-Enrollment uses a new EEE Server feature called ESDirect, which provides Self-Enrollment and Network Discovery (so the EEE Client can find the server).
- Open the EEE Server Control Panel. In the Administration section, click Settings.
- Select the check box next to Enable ESET Endpoint Encryption Server Direct Communications.
The Communications Port can be changed from the default 8266 setting if required.
Figure 1-1
- Configure the firewall
For the client workstations to self-enroll, the network must allow access on the communications port specified in Step 1 into the machine hosting the EEE Server.
Ensure that both the hardware and software firewalls protecting the EEE Server open port 8266 (the default setting) for both UDP and TCP traffic from domain network traffic. Alternatively, with software firewalls, you can specify the executable of the EEE Server itself, dlpecsrv.exe as an exclusion. This file may be located in the EEE Server folder: C:\Program Files\ESET Endpoint Encryption Server\
(Program Files (x86) on 32-bit hosts).
Visit this article to view an example for opening the build in Windows Firewall: Opening the Windows Firewall for Self-Enrollment.
- Ensure client licenses have been added to the ESET Endpoint Encryption Server
Make sure the pool of licenses you will be using have been added to the EEE Server. Add a new client license to my ESET Endpoint Encryption Server.
- Self-Enrollment requires users who are activating to have their details imported from an Active Directory server and have a license assigned to them. When configuring the Active Directory settings you can select which license the new users are allocated to when they enroll. If no license is selected, then only already licensed users can use Self-Enrollment. If you did not automatically import users, perform a manual import before proceeding.
For more information about setting up Active Directory synchronization, visit: How does the ESET Endpoint Encryption Server integrate with Active Directory?
Figure 1-2
-
Workstation Policy—This option is already enabled by default on new installs of DESlock+ Enterprise Server version 2.8.0 / ESET Endpoint Encryption Server 3.0 or later).
Self-Enrollment is controlled in the EEE Client with a new workstation policy. If you have existing workstations you are enabling this option for, they must be updated once the setting has been changed. Visit the Applying to existing workstations section in How do I modify workstation policy? for more information.
Figure 1-3
- Install software on target workstations—With the Self-Enrollment setting enabled you will need to install the software to the workstations. The software can be installed using push install or a client .msi install. Install software on target workstations.
- When the user logs into their domain network profile on the workstation, they will activate automatically and they will appear licensed and linked to the workstation in the EEE Server.
Figure 1-4
Troubleshooting
Logging
The ESDirect and Self-Enrollment log can be found in the following directories. If you are experiencing difficulties and require assistance then you should provide this with your support ticket where possible:
Windows XP: \Documents and Settings\\Local Settings\DESkey\DESlock+\ESDirect.log
Windows Vista and later: \Users\\AppData\Local\DESkey\DESlock+\ESDirect.log
Communications Timeout
If the logfile details 'Server Not Found C03B0003' then the workstation is unable to communicate with the EEE Server. Ensure that exceptions have been included for firewalls as detailed above to allow the workstation to communicate with the EEE Server for both UDP and TCP protocols. Additionally, if your network is configured to block multicast UDP packets, then you will need to specify the exact Server Address as detailed in the client settings below.
User not found
If the log file details 'Command Failed C03B000E' then the user was not found in the EEE Server itself. You should ensure this user has been imported from the domain and has been added to the EEE Server. They should also be licensed already, unless you have selected a license to use for auto licensing within the ES Direct settings.
Client Settings
The following settings are used to control the Self Enrolment in the EEE client. This information is provided for reference, take care when editing the registry.
- Server Address: Use this to manually set the address of the server if multicast UDP packets are blocked by the network. In this example, the server address is dlpes.mydomain.local. You may also set a static IP address instead of a name if DNS is not implemented correctly. [HKEY_LOCAL_MACHINE\SOFTWARE\DESlock\Client\CentralCtrl] Insert new string value: "DLPESDirectAddress"="dlpes.mydomain.local"
- Enable Self Enrollment: Set through ES Workstation Policy [HKEY_LOCAL_MACHINE\SOFTWARE\DESlock\Client] "EnableSelfEnrolment"=dword:00000001
- Server Port: Set through ES Workstation Policy. The example below is of the default 8266 port. [HKEY_LOCAL_MACHINE\SOFTWARE\DESlock\Client\CentralCtrl] "DLPESDirectPort"=dword:0000204A
- Balloon Popup after Activation: This prevents the notification displayed to the user when the system activates. No value = enabled [HKEY_LOCAL_MACHINE\SOFTWARE\DESlock\Client\CentralCtrl] "SelfEnrolmentPopup"=dword:00000000