Agent Installation III: Installation on Windows Computers
Creating MSI package
Once the Server is installed for the first time, the MSI package is generated automatically with default settings. If the settings need to be changed, configure them and then generate an MSI package manually. The MSI package is always stored on the Server computer and is regenerated automatically after a Server update.
- Generating an MSI package on the Server computer
- Generating an MSI package for local installation/update or for update from network folder
- Settings included in the MSI package
Configurable package options
Option | Description |
---|---|
EgoSecure Agent components installation | |
Install network driver for WLAN control | Select if and when to install the kernel driver for WLAN control (esndislwf.sys). The following options are available: Possible data loss with immediate WLAN control installation. If you select Immediately for the setting Install network driver for WLAN control, the client network connection is temporarily interrupted after the Agent installation. This can lead to data loss. To install the WLAN control after the restart of the EgoSecure Agent, select After restart. |
Install kernel driver for CD/DVD control | Install the kernel driver (escdflt.sys) to encrypt on CD/DVD disks and control disk writing performed by third-party applications. |
EgoSecure Agent service | |
Protect EgoSecure Agent service and files | Protects the EgoSecure Agent service from being stopped and the EgoSecure Agent system files from being removed and renamed. Once a user tries to stop the EgoSecure Agent service, all device types listed under Storage group are blocked. |
EgoSecure Agent UI | |
Hide tray icon | Enable the option to make the EgoSecure Agent interface invisible. Users do not see any notifications, assigned permissions, etc. They can only use options available in the Windows Explorer context menu for encryption, Secure Erase, and Antivirus. |
Tray UI language | Define the language of the EgoSecure Agent interface that is applied only during the first Agent installation. A user is permitted to change this language. The automatic language selection is performed in the following priority: |
EgoSecure overlay icons priority | Define whether EgoSecure overlay icons have priority over other applications in Windows Explorer. Overlay icons identify an encryption type of files and folders. The following levels of adding EgoSecure Shell Icon Overlay Identifiers to the registry are available: |
Uninstall/Update password | |
Password | Optionally set a password required from users if they want to perform Agent uninstallation or update locally. |
Check the password on | Select which operation with Agent is protected from unauthorized access: uninstallation or update. |
Rights for communication devices | |
Apply after restart only | Define whether the rights for communication devices are applied shortly after the Agent installation or after a computer restart. |
Write rights and settings into the MSI file (Offline Clients) | |
Export access control rights | Export access rights defined in User management and Computer management under Control \| Devices and ports tab. |
Export permitted devices | Export a list of device permissions defined under Permitted devices \| Permitted device models and under Permitted devices \| Individual device permissions. |
Export encryption settings | Export encryption types and encryption keys (including their private part) permitted for users or computers. |
Export only public part of keys | With only the public part of the keys, a user is not permitted to decrypt, and therefore open, files encrypted on other Agents. Note: Files encrypted internally on this Agent can be decrypted. |
Export EgoSecure Antivirus settings | Distribute AV signatures to selected computers via the MSI package not to overload the network; global antivirus exclusions are also applied. If proxy server settings are defined under Administration \| Servers \| Mail, proxy and others and the Use proxy server check box is set under Product settings \| EgoSecure Antivirus \| Update settings, proxy server settings are written. The proxy server settings will be used later for signature update on the Client side via the Internet (if update from the EgoSecure Server is not possible). For details, see Installing Antivirus via MSI. |
Selection of objects | Select the objects (user/computer) for which the rights and settings selected in this section are exported to the MSI file. |
Write authentication certificate for SSL communication to MSI | |
Add authentication certificate | Enable the option to add an Agent authentication certificate and its private key to the MSI package. The area with this option is greyed out if SSL is disabled. For details, see Configuring SSL. |
Password | Enter a password to protect an Agent authentication certificate and its private key. This password is required from users during a local Agent installation/update or a remote Agent installation/update via script/software enrollment tools. |
Local installation on offline clients. To ensure that the permissions and settings defined under User management and Computer management are applied on Clients immediately after installation, without waiting for a Server connection, write the permissions and settings of the selected users/computers into the MSI file. For users/computers whose settings and permissions are NOT included in the package, the Unknown user rights are applied until the connection to the Server is established. In the Write rights and settings into the MSI file area, select which rights and permissions to write into the MSI file. Select the users/computers under Selection of objects.
Package generation on the Server computer
- Navigate to Installation | EgoSecure agents | Create MSI package.
- If you are a supervisor, select how to generate MSI packages on the Server:
- Generate tenant-specific MSI packages. A package with its specific settings is generated for each tenant individually. When updating the Server, all existing tenant-specific MSI packages are updated as a result.
- Generate a single MSI package for all tenants. One single package with the settings of a default tenant is generated and used by all tenants. Note: If administrators or super administrators generate an MSI package with different settings, the single MSI package is modified as a result. To prevent them from changing MSI settings, disable the display of the Create MSI package section in the layout for all admins and super admins under Administration | Superadmin | Consoles layout.
The way of generating MSI packages is a global setting that affects all existing tenants and their administrators. Only the supervisor can make changes to this setting. For super administrators and administrators, these radio buttons are greyed out.
- In the Settings of MSI package area, select the settings that must be included.
- If you are going to use SSL in the company, you can include an SSL certificate for the Agent in the MSI package by enabling the Add SSL certificate and its private key option and defining a password for certificate protection.
- The certificate for the Agent with its private key is added to the MSI package if the certificate with its private key is provided under Administration | Administrator | SSL configuration. There are also other ways of distributing the SSL certificate to Agents. For additional information, please refer to SSL Configuration.
- In the Path to the MSI package area, select the Server radio button.
- Click Browse to specify the location where the MSI package is stored on the server computer.
Do not use the path C:\ProgramData\EgoSecure\EgoSecureServer\MSI because there the MSI templates are located.
- Specify another name of a file in the File name field, if necessary.
- Click Generate.
The MSI package is generated on the Server. Once the Server is updated, the MSI package is regenerated automatically.
Package generation for local installation/update or for update from network folder
- Navigate to Installation | EgoSecure agents | Create MSI package.
- In the Settings of MSI package area, select the settings that must be included.
- If you are going to use SSL in the company, you can include an SSL certificate for the Agent in the MSI package by enabling the Add SSL certificate and its private key option and defining a password for certificate protection (use only printable characters from the ASCII table for the password).
- The certificate for the Agent with its private key is added to the MSI package if the certificate with its private key is provided under Administration | Administrator | SSL configuration. There are also other ways of distributing the SSL certificate to Agents. For additional information, please refer to SSL Configuration.
- In the Path to the MSI package area, select the Other destination radio button.
- Click Browse to specify the location on the computer where the Console is launched or in the network folder where the MSI package must be stored.
- Specify another name of a file in the File name field, if necessary.
- Click Generate.
- To update from a network folder, copy the path to the Directory field under Installation | EgoSecure agents | Installation settings.
The MSI package is generated in the specified location. Once the Server is updated, the MSI package is NOT regenerated automatically in the specified location.
Once the package is generated and the Console content is refreshed (e.g. by changing the console menu), the selection automatically switches back to the default option, Server. The path set for the Other destination option is saved.
Settings included in the MSI package
The following settings are included in the MSI package and are applied on endpoints without waiting for the connection to the Server:
- Default policies for unknown users (User management | Default policies | Unknown users).
- Client settings under Administration | Clients | Client settings.
- MSI package settings under Installation | EgoSecure agents | Create MSI package. For details about the MSI package settings, please refer to Configurable package options.
- List of permitted EgoSecure servers under Administration | Servers | EgoSecure servers. Shortly after the Agent installation, only the servers selected with check marks are permitted to Agents. If the list of servers changes (new servers are marked), this list is sent to Agents.
Agent Installation
- Installing via EgoSecure Data Protection Console remotely
- Installing MSI package locally
- Installation via Matrix42 Silverback
- Installing via 3rd party Software Distribution
- Install via Microsoft Group Policy
Installation via EgoSecure Console
Customizing Windows Firewall settings
When installing the Agents via the Console, enable the remote administration exceptions in the Windows Firewall. This can be configured via GPO or, as described below, locally for each Agent:
- Open the Group Policy Editor via the Windows Settings or by running the gpedit.msc file.
- On the computer with the EgoSecure Agent, under Computer configuration, navigate to Administrative Templates | Network | Network Connections | Firewall.
- Enable the Allow inbound remote administration exception option for the Domain profile and the Standard profile.
Preparing the installation
By default, the Agents are installed in the following directory: C:\Program Files\EgoSecure\EgoSecure Agent. You can change the path, if necessary. For details, see Set different installation path.
- Open the EgoSecure Data Protection Console.
- For computers, which are NOT in a directory service:
- Go to Computer management and right-click a domain under the Own Directory folder.
- Select Add | Computer from the context menu.
- Enter a name of a computer where to install the Agent.
- Set up WMI on the computer where the Agent will be installed to provide access to administrative shares for the administrator specified in the Remote installation settings step below.
- Go to Installation | EgoSecure agents | Installation settings.
- In the Remote installation settings work area, specify the login data of the administrator who has enough rights for installing the EgoSecure Agent on the devices.
- Click Save.
- Configure the settings of the MSI package and generate it under Installation | EgoSecure agents | Create MSI package.
Starting installation
- In the EgoSecure Data Protection Console, go to Installation | EgoSecure agents | Install/Update.
- Select Only computers without agents from the drop-down menu.
- Select the clients for installation.
- Click Install/Update.
Local Installation
Agents can be installed manually from MSI packages. In addition, 3rd party software distribution or Microsoft Group Policy can be used to automatically distribute EgoSecure Agents to client computers or users.
- Start the ESAgentSetup.exe file.
Once the Agent is installed and connects to the Server, its user and computer appear in the Console under Computer management/User management | Directory service structure | Own directory | Unsorted folder. Make sure the “Own directory” mode support is enabled in the Console under Administration | Synchronization | Directory service settings.
Installation via msiexec
In the EgoSecure Server installation directory under EgoSecure Server\MSI, you can find the .BAT files: install.bat and uninstall.bat, which contain the recommended installation parameters.
To perform the installation via the BAT file, run the file as administrator and specify in the file the full path for the MSI package and for the log file.
When installing via msiexec you can use the following options:
Option | Description |
---|---|
/i <MSI package> | Install MSI package. Example: /i ESAgentSetup_x64.msi |
/x <MSI package> | Uninstall MSI package. Example: /x ESAgentSetup_x64.msi |
INSTALLDIR="<installation path>" | Install Agent to a path other than the default one. Example: INSTALLDIR="D:\Programs\EgoSecure\Agent" |
/l* <path> | Path and options of the log file. Example: /l* D:\AgentInstall.log |
<Property> | Any properties. Example: REINSTALLMODE="vamus". For details, see: Microsoft Docs - Property Reference |
ADMINPWD="<password>" | Password for uninstallation/update defined in the MSI package settings. The password is defined in Console under Installation \| EgoSecure agents \| Create MSI package before generating the package. Note: Make sure that you set up the necessary encoding for the .bat file so that the characters contained in the password can be correctly identified. |
PKCS12_PASS="<password>" | Password for protecting the SSL certificate and its private key. The password is defined in Console under Installation \| EgoSecure agents \| Create MSI package before generating the MSI package or in the InstallShield Wizard during the Server installation (SSL and certificates step). Note: Make sure that you set up the necessary encoding for the .bat file so that the characters contained in the password can be correctly identified. |
SERVER_NAME="<name>" | The EgoSecure Server name for connecting Agent manually to it. |
SERVER_IP="<IP address>" | The EgoSecure Server IP address for connecting Agent manually to it. |
SERVER_PORT="<port>" | The EgoSecure Server port for connecting Agent manually. |
For details, see Microsoft Docs - Command line options.
Additional Information
Set different installation path
By default, Agents installed remotely via the EgoSecure Data Protection Console are located in C:\Program Files\EgoSecure\EgoSecure Agent. In some cases, administrators want to change the Agent installation path, for example, to install Agents via a 3rd party software distribution system. In such cases, the default Agent installation path is changed manually as described below.
- Open the install.bat or install_x64.bat file in Notepad.
- Enter INSTALLDIR="installation path" after ESAgentSetup_x64.msi.
- Save the changes and close the text file.
- Start the file.
Example of the installation path in the 64-bit version:
start /B msiexec /i ESAgentSetup_x64.msi INSTALLDIR="C:\Program files\EgoSecure\Agent" /l* AgentInstall.log REINSTALL="ALL" REINSTALLMODE="vamus" ADMINPWD=""
Example of the installation path in the 32-bit version:
start /B msiexec /i ESAgentSetup.msi INSTALLDIR="C:\Program files\EgoSecure\Agent" /l* AgentInstall.log REINSTALL="ALL" REINSTALLMODE="vamus" ADMINPWD=""
Transferring SSL certificate password to Agents
In case of script-based Agent installation/update, the password for protecting the SSL certificate and its private key is defined manually. The password is transferred to Agents in an unencrypted form.
- Open the install.bat or install_x64.bat file in Notepad.
- Enter PKCS12_PASS="<password>". Example: msiexec /fvamus ESAgentSetup_x64.msi PKCS12_PASS="1uU22iI33nN*!h"
- Save the changes and close the text file.
- Start the file.
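Because the password is passed in unencrypted form, it sits in clear text in the edited .bat file, and Windows Installer writes property values to a `/l*` log unless the package marks them as hidden. The audit script below is an added example, not part of the EgoSecure documentation: it reports where ADMINPWD or PKCS12_PASS carry a value and whether that value contains characters outside printable ASCII, without outputting the value. The function name and sample files are assumptions, and the page does not state whether the Agent package masks these properties in its log.

```powershell
# Added example (not vendor code). The function name and the sample files are assumptions.
function Find-AgentPasswordExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string[]]$Property = @('ADMINPWD', 'PKCS12_PASS')
    )
    $names = ($Property | ForEach-Object { [regex]::Escape($_) }) -join '|'
    # Command-line form in .bat files: NAME="value" or NAME=value
    $cmdForm = [regex]('(?i)\b(?<name>{0})\s*=\s*(?:"(?<value>[^"]*)"|(?<value>[^\s"]+))' -f $names)
    # Windows Installer log property dump: Property(S): NAME = value
    $logForm = [regex]('(?i)Property\([SC]\):\s*(?<name>{0})\s*=\s*(?<value>.*)$' -f $names)

    foreach ($file in Get-ChildItem -Path $Path -File -ErrorAction SilentlyContinue) {
        $lineNo = 0
        foreach ($line in Get-Content -LiteralPath $file.FullName) {
            $lineNo++
            # Prefer the log form so the whole logged value is measured
            $hits = if ($logForm.IsMatch($line)) { $logForm.Matches($line) } else { $cmdForm.Matches($line) }
            foreach ($m in $hits) {
                $value = $m.Groups['value'].Value.Trim()
                # Skip empty values and values the installer already masked with asterisks
                if ($value -eq '' -or $value -match '^\*+$') { continue }
                [pscustomobject]@{
                    File     = $file.FullName
                    Line     = $lineNo
                    Property = $m.Groups['name'].Value.ToUpperInvariant()
                    Length   = $value.Length          # the value itself is never output
                    NonAscii = [bool]($value -cmatch '[^\x20-\x7E]')
                }
            }
        }
    }
}

# Constructed sample files (placeholder values, not real credentials or real log output)
$dir = Join-Path ([IO.Path]::GetTempPath()) 'agent-audit-sample'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path (Join-Path $dir 'install_x64.bat') -Value 'msiexec /i ESAgentSetup_x64.msi /l* AgentInstall.log ADMINPWD="" PKCS12_PASS="constructed-sample"'
Set-Content -Path (Join-Path $dir 'AgentInstall.log') -Value @(
    'Property(S): PKCS12_PASS = constructed-sample'
    'Property(S): ADMINPWD = **********'
)
Find-AgentPasswordExposure -Path $dir | Format-Table -AutoSize
```

Point `-Path` at the folder holding the edited install scripts and their log files; any row returned marks a file to restrict with NTFS permissions or delete after deployment.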
Connecting Agent to another Server manually
Assign a different Server - on first Agent installation
- Option 1
- Go to C:\Program Files (x86)\EgoSecure\EgoSecure Server\MSI.
- Right-click the install.bat (or install_x64.bat) file and select Edit from the context menu.
- The file is opened in the editor.
- Add the following parameters:
- SERVER_NAME="PC_NAME" SERVER_IP="111.111.0.1" SERVER_PORT=port_number (default value: 6005; if the default value is used, SERVER_PORT parameter can be omitted)
- Save the changes and close the editor.
- Launch the install.bat file. Installation starts.
- Option 2
- Run cmd.
- Enter the following parameters:
- Msiexec /i ESAgentSetup.msi SERVER_NAME="PC_NAME" SERVER_IP="111.111.0.1" SERVER_PORT=6005
- Press Enter.
Assign a different Server - on Agent update
- Option 1
- Go to C:\Program Files (x86)\EgoSecure\EgoSecure Server\MSI.
- Right-click the install.bat (or install_x64.bat, depends on the system bit version) file and select Edit from the context menu.
- The file opens in the editor.
- Add the following parameters:
- SERVER_NAME="PC_NAME" SERVER_IP="111.111.1.1" SERVER_PORT=port_number REINSTALL="ALL" REINSTALLMODE="vamus" (default value of SERVER_PORT: 6005; if the default value is used, the SERVER_PORT parameter can be omitted)
- Save the changes and close the editor.
- Launch the install.bat file. Update starts.
- Option 2
- Run cmd.
- Enter the following parameters:
- Msiexec /i ESAgentSetup.msi SERVER_NAME="PC_NAME" SERVER_IP="111.111.0.1" SERVER_PORT=6005 REINSTALL="ALL" REINSTALLMODE="vamus"
- Press Enter.
Make sure that the Agent version is the same as or lower than the Server version. If the Agent version is higher than the Server version, the connection between them cannot be established.
Connection Test
Enabling Windows Telnet. To enable Telnet, type OptionalFeatures in the Windows search box and then check the Telnet Client box in the Windows Features dialog.
- Open the Windows command prompt and enter the following:
- To test the connection from Server to Client: telnet [Client IP address] 6006
- To test the connection from Client to Server: telnet [Server IP address] 6005
- For a functioning communication, the result looks like this:
If the command fails, check whether another component of your network environment is blocking the communication.
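The same two checks can be run without enabling the Telnet client on endpoints. The function below is an added example, not part of the EgoSecure documentation; its name and the addresses are placeholders. It also separates a timeout from a refused connection, which helps decide whether to look at a filtering component or at the service itself.

```powershell
# Added example (not vendor code). Function name and sample addresses are assumptions.
function Test-AgentPort {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $detail = 'connected'
    try {
        $task = $client.ConnectAsync($ComputerName, $Port)
        # No answer within the timeout typically means the traffic is dropped on the way
        if (-not $task.Wait($TimeoutMs)) { $detail = 'timeout (filtered or host down)' }
    } catch {
        # Wait() wraps socket errors in an AggregateException; report the innermost message,
        # e.g. an actively refused connection when nothing listens on the port
        $detail = $_.Exception.GetBaseException().Message
    }
    $open = $client.Connected
    $client.Close()
    [pscustomobject]@{ ComputerName = $ComputerName; Port = $Port; Open = $open; Detail = $detail }
}

# Run on the Server: connection from Server to Client (192.0.2.20 is a placeholder address)
Test-AgentPort -ComputerName '192.0.2.20' -Port 6006
# Run on the Client: connection from Client to Server (192.0.2.10 is a placeholder address)
Test-AgentPort -ComputerName '192.0.2.10' -Port 6005
```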