Skip to main content
Matrix42 Self-Service Help Center

Agent Installation III: Installation on Windows Computers

Creating MSI package

Once the Server is installed for the first time, the MSI package is generated automatically with default settings. If settings change is required, configure and then generate an MSI package manually. MSI package is always stored on the Server computer and is regenerated automatically after the Server update.

Configurable package options

Option Description

EgoSecure Agent components installation

Install network driver for WLAN control

Select if and when to install the kernel driver for WLAN control (esndislwf.sys). The following options are available:

  • Do not install: The WLAN control on the client remains disabled.
  • Immediately (not recommended): The driver is installed shortly after the MSI installation. Warning! The client network connection is temporary interrupted.
  • After restart: The driver is installed the first time the Client is restarted after the MSI installation.

 

Possible data loss with immediate WLAN control installation. If for the setting Install network driver for WLAN control you select Immediately, the client network connection is temporarily interrupted after the Agent installation. This can lead to data loss. To install the WLAN control after the restart of the EgoSecure Agent, select After restart.

Install kernel driver for CD/DVD control

Install the kernel driver (escdflt.sys) to encrypt on CD/DVD disks and control disk writing performed by third-party applications.

EgoSecure Agent service

Protect EgoSecure Agent service and files

 

Protects the EgoSecure Agent service from being stopped and the EgoSecure Agent system files from being removed and renamed. Once a user tries to stop the EgoSecure Agent service, all device types listed under Storage group are blocked. 

EgoSecure Agent UI

Hide tray icon

Enable the option to make the EgoSecure Agent interface invisible. Users do not see any notifications, assigned permissions, etc. They can only use options available in the Windows Explorer context menu for encryption, Secure Erase, and Antivirus.

Tray UI language

Define the language of the EgoSecure Agent interface that is applied only during the first Agent installation. A user is permitted to change this language.

The automatic language selection is performed in the following priority:

  1. user-defined language (user key in the registry)
  2. language specified when generating the MSI package
  3. system language for the computer
  4. English (if nothing above matches)

EgoSecure overlay icons priority

Define whether EgoSecure overlay icons have priority over other applications in Windows Explorer. Overlay icons identify an encryption type of files and folders. The following levels of adding EgoSecure Shell Icon Overlay Identifiers to the registry are available:

  • Low - adding z at the beginning of EgoSecure identifiers, no changes to the identifiers of other applications.
  • Normal - adding EgoSecure identifiers without spaces, no changes to the identifiers of other applications.
  • High - adding EgoSecure identifiers with spaces, no changes to the identifiers of other applications.
  • Highest - adding EgoSecure identifiers with spaces at the beginning, deleting spaces at the beginning of identifiers of other applications.

Uninstall/Update password

Password

Optionally set a password required from users if they want to perform Agent uninstallation or update locally.

Check the password on

Select which operation with Agent is protected from unauthorized access: uninstallation or update

Rights for communication devices

Apply after restart only

Define whether the rights for communication devices are applied shortly after the Agent installation or after a computer restart.

Write rights and settings into the MSI file (Offline Clients)

Export access control rights

Export access rights defined in User management and Computer management under Control | Devices and ports tab.

Export permitted devices

Export a list of device permissions defined under Permitted devices | Permitted device models and under Permitted devices | Individual device permissions.

Export encryption settings

Export encryption types and encryption keys (including their private part) permitted for users or computers.

Export only public part of keys

Only having a public part of keys, a user is not permitted to decrypt, and therefore, open files encrypted on other Agents.

Note: Files encrypted internally on this Agent can be decrypted.

Export EgoSecure Antivirus settings

Distribute AV signatures to selected computers via the MSI package not to overload the network; global antivirus exclusions are also applied.

If proxy server settings are defined under Administration | Servers | Mail, proxy and others and the Use proxy server check box is set under Product settings | EgoSecure Antivirus | Update settings, proxy server settings are written. The proxy server settings will be used later for signature update on the Client side via the Internet (if update from the EgoSecure Server is not possible).

For details, see Installing Antivirus via MSI

Selection of objects

Select the objects (user/computer) for which the rights and settings selected in this section are exported to the MSI file.

Write authentication certificate for SSL communication to MSI

Add authentication certificate

Enable the option to add an Agent authentication certificate and its private key to the MSI package. The area with this option is greyed out if SSL is disabled. For details, see Configuring SSL.

Password

Enter a password to protect an Agent authentication certificate and its private key. This password is required from users during a local Agent installation/update or a remote Agent installation/update via script/software enrollment tools.
Use only printable characters of the ASCII table.

Local installation on offline clients. To ensure that the permissions and settings defined under User management and Computer management are applied immediately after installation on Clients not waiting for a Server connection, write the permissions and settings of selected users/computers in the MSI file. For users/computers, which settings and permissions are NOT included in the package, the Unknown user rights are applied till the connection to the Server is established. In the Write rights and settings into the MSI file area, select which rights and permissions to write in the MSI file. Select the users/computers under Selection of objects.

Package generation on the Server computer

  • Navigate to Installation | EgoSecure agents | Create MSI package.
  • If you are a supervisor, select how to generate MSI packages on the Server:
    • Generate tenant-specific MSI packages. A package with its specific settings is generated for each tenant individually. When updating the Server, all existing tenant-specific MSI packages are updated as a result. 
    • Generate a single MSI package for all tenants. One single package with the settings of a default tenant is generated and used by all tenants. Note: If administrators or super administrators generate an MSI package with different settings, the single MSI package is modified as a result. To forbid them to make changes to MSI settings, disable the displaying of the Create MSI package section in the layout for all admins and super admins under Administration | Superadmin | Consoles layout.

The way of generating MSI packages is a global setting that affects all existing tenants and their administrators. Only the supervisor can make changes to this setting. For super administrators and administrators, these radio buttons are greyed out.

  • In the Settings of MSI package area, check the settings, which must be included.
  • If you are going to use SSL in the company, you can include an SSL certificate for the Agent to the MSI package via enabling the Add SSL certificate and its private key option and defining a password for certificate protection.
    • The certificate for the Agent with its private key is added to the MSI package if the certificate with its private key is provided under Administration | Administrator | SSL configuration. There are also other ways of distributing SSL certificate to Agents. For additional information, please refer to SSL Configuration.
  • In the Path to the MSI package area, select the Server radio button.
  • Click Browse to specify the location where the MSI package is stored on the server computer.

Do not use the path C:\ProgramData\EgoSecure\EgoSecureServer\MSI because there the MSI templates are located.

  • Specify another name of a file in the File name field, if necessary.
  • Click Generate.

The MSI package is generated on the Server. Once the Sever is updated, the MSI package is regenerated automatically.

Package generation for local installation/update or for update from network folder

  • Navigate to Installation | EgoSecure agents | Create MSI package.
  • In the Settings of MSI package area, check the settings, which must be included.
  • If you are going to use SSL in the company, you can include an SSL certificate for the Agent to the MSI package via enabling the Add SSL certificate and its private key option and defining a password for certificate protection (use only printable characters from the ASCII table for the password).
    •  The certificate for the Agent with its private key is added to the MSI package if the certificate with its private key is provided under Administration | Administrator | SSL configuration. There are also other ways of distributing SSL certificate to Agents. For additional information, please refer to SSL Configuration
  • In the Path to the MSI package area, select the Other destination radio button.
  • Click Browse to specify the location on the computer where the Console is launched or in the network folder where the MSI package must be stored.
  • Specify another name of a file in the File name field, if necessary.
  • Click Generate.
  • To update from a network folder, copy the path to the Directory filed under Installation | EgoSecure agents | Installation settings.

The MSI package is generated in the specified location. Once the Sever is updated, the MSI package is NOT regenerated automatically in the specified location.
Once the package is generated and the Console content is refreshed (e.g. by changing the console menu), an automatic switch to the default option – Server - occurs. The path set for the Other destination option is saved.

Settings included in the MSI package

The following settings are included in the MSI package and are applied on endpoints not waiting for the connection to the Server:

  • Default policies for unknown users (User management | Default policies | Unknown users).
  • Client settings under Administration | Clients | Client settings.
  • MSI package settings under Installation | EgoSecure agents | Create MSI package. For details about the MSI package settings, please refer to Configurable package options.
  • List of permitted EgoSecure servers under Administration | Servers | EgoSecure servers. Shortly after the Agent installation, only the servers selected with check marks are permitted to Agents. If the list of server changes (new servers are marked), this list is sent to Agents.

Agent Installation

Installation via EgoSecure Console

Customizing Windows Firewall settings

When installing the Agents via the Console, enable the remote administration exceptions in the Windows Firewall. It can be customized via GPO or, as described below, locally for each Agent:

  • Open the Group Policy Editor via the Windows Settings or by running the gpedit.msc file.
  • On the computer with the EgoSecure Agent, under Computer configuration, navigate to Administrative Templates | Network | Network Connections | Firewall.
  • Enable the Allow inbound remote administration exception option for the Domain profile and the Standard profile.,

clipboard_e43b635a0769cb18255167e87df14030d.png

Preparing the installation

By default, the Agents are installed in the following directory: C:\Program Files\EgoSecure\EgoSecure Agent You can change the path, if necessary. For details, see Set different installation path.

  • Open the EgoSecure Data Protection Console.
  •  For computers, which are NOT in a directory service:
    • Go to Computer management and right-click a domain under the Own Directory folder.
    • Select Add | Computer from the context menu.
    • Enter a name of a computer where to install the Agent.
    • Set up WMI on the computer where Agent will be installed to provide an access to administrative shares for the administrator specified in step Remote installation settings below
    • Go to Installation | EgoSecure agents | Installation settings.
    • In the Remote installation settings work area, specify the login data of the administrator who has enough rights for installing the EgoSecure Agent on the devices.
    • Click Save.
    • Configure the settings of the MSI package and generate it under Installation | EgoSecure agents | Create MSI package.

Starting installation

  • In the EgoSecure Data Protection Console, go to Installation | EgoSecure agents | Install/Update.
  • Select Only computers without agents from the drop-down menu.
  • Select the clients for installation.
  • Click Install/Update

Local Installation 

Agents can be installed manually from MSI packages. In addition to this, 3rd party software distribution, Microsoft Group Policy can be used to automatically distribute EgoSecure Agents to client computers or users.

  • Start the ESAgentSetup.exe file.

Once the Agent is installed and connects to the Server, its user and computer appears in the Console under Computer management/User management | Directory service structure | Own directory | Unsorted folder. Make sure the “Own directory” mode support is enabled in Console under Administration | Synchronization | Directory service settings.

Installation via msiexec

In the EgoSecure Server installation directory under EgoSecure Server\MSI, you can find the .BAT files: install.bat and uninstall.bat, which contain the recommended installation parameters.

To perform the installation via the BAT file, run the file as administrator and specify in the file the full path for the MSI package and for the log file.

When installing via msiexec you can use the following options:

Option

Description

/i <MSI package>

Install MSI package. Example: /i ESAgentSetup_x64.msi

/x <MSI package>

Uninstall MSI package- Example: /x ESAgentSetup_x64.msi

INSTALLDIR="<installation path>"

Install Agent to the path other than the default one. INSTALLDIR="D:\Programs\EgoSecure\Agent"

/l* <path>

Path and options of the logfile. Example:  /l* D:\AgentInstall.log

<Property>

Any properties

Example: REINSTALLMODE="vamus"

For details, see: Microsoft Docs - Property Reference

ADMINPWD="<password>"

Password for uninstallation/update defined in the MSI package settings. The password is defined in Console under Installation | EgoSecure agents | Create MSI package before generating the package.

Note: Make sure that you setup the necessary encoding for the .bat file so that the characters contained in the password can be correctly identified. 

PKCS12_PASS="<password>"

Password for protecting the SSL certificate and its private key. The password is defined in Console under Installation | EgoSecure agents | Create MSI package before generating the MSI package or in the InstallShield Wizard during the Server installation (SSL and certificates step).

Note: Make sure that you setup the necessary encoding for the .bat file so that the characters contained in the password can be correctly identified. 

SERVER_NAME="<name>"

The EgoSecure Server name for connecting Agent manually to it.

SERVER_IP="<IP address>"

The EgoSecure Server IP address for connecting Agent manually to it.

SERVER_PORT="<port>"

The EgoSecure Server port for connecting Agent manually.

For details, see Microsoft Docs - Command line options.

Additional Information

Set different installation path

By default, Agents installed remotely via the EgoSecure Data Protection Console, are located in C:\Program Files\EgoSecure\EgoSecure Agent. But in some cases, administrators want to change the Agent installation path, for example, to install Agents via a 3rd party software distribution system. In such cases, the default Agent installation path is changed manually as described below.

  • Open install.bat or install_x64.bat file with notepad.
  • Enter INSTALLDIR="installation path" after ESAgentSetup_x64.msi.
  • Save the changes and close the text file.
  • Start the file.
Example of the installation path in the 64-bit version

start /B msiexec /i ESAgentSetup_x64.msi INSTALLDIR="C:\Program files\EgoSecure\Agent" /l* AgentInstall.log REINSTALL="ALL" REINSTALLMODE="vamus" ADMINPWD=""

Example of the installation path in the 32-bit version

start /B msiexec /i ESAgentSetup.msi INSTALLDIR="C:\Program files\EgoSecure\Agent" /l* AgentInstall.log REINSTALL="ALL" REINSTALLMODE="vamus" ADMINPWD=""

Transferring SSL certificate password to Agents

In case of script-based Agent installation/update, the password for protecting the SSL certificate and its private key is defined manually. The password is transferred to Agents in an unencrypted form.

  • Open install.bat or install_x64.bat file with notepad.
  • Enter PKCS12_PASS="". E.g.: msiexec /fvamus ESAgentSetup_x64.msi PKCS12_PASS="1uU22iI33nN*!h"
  • Save the changes and close the text file.
  • Start the file.

Connecting Agent to another Server manually

Assign a different Server - on first Agent installation

  • Option 1
    • Go to C:\Program Files (x86)\EgoSecure\EgoSecure Server\MSI.
    • Right-click the install.bat (or install_x64.bat) file and select Edit from the context menu.
      • The file is opened in the editor.
    • Add the following parameters:
      • SERVER_NAME="PC_NAME" SERVER_IP="111.111.0.1" SERVER_PORT=port_number (default value: 6005; if the default value is used, SERVER_PORT parameter can be omitted)
    • Save the changes and close the editor.
    • Launch the install.bat file. Installation starts.
  • Option 2 
    • Run cmd.
    • Enter the following parameters:
      • Msiexec /i ESAgentSetup.msi SERVER_NAME="PC_NAME" SERVER_IP="111.111.0.1" SERVER_PORT=6005
  • Press Enter.

Assign a different Server - on Agent update

  • Option 1
    • Go to C:\Program Files (x86)\EgoSecure\EgoSecure Server\MSI.
    • Right-click the install.bat (or install_x64.bat, depends on the system bit version) file and select Edit from the context menu.
      • The file opens in the editor.
    • Add the following parameters:
      • SERVER_NAME="PC_NAME" SERVER_IP="111.111.1.1" SERVER_PORT =port_number (default value: 6005; if the default value is used, SERVER_PORT parameter can be omitted) REINSTALL="ALL" REINSTALLMODE="vamus"
    • Save the changes and close the editor.
    • Launch the install.bat file. Update starts.
  • Option 2 
    • Run cmd.
    • Enter the following parameters:
      • Msiexec /i ESAgentSetup.msi SERVER_NAME="PC_NAME" SERVER_IP="111.111.0.1" SERVER_PORT=6005 REINSTALL="ALL" REINSTALLMODE="vamus"
    • Press Enter.

Make sure that Agent version is the same or lower than that of the Server version. If Agent version is higher than Server version, the connection between them cannot be established.

Connection Test

 Enabling Windows Telnet. To enable Telnet, type OptionalFeatures in the Windows search box and then check the Telnet Client box in the Windows Features dialog.

  • Open the Windows command prompt and enter the following:
    • To test the connection from Server to Client: telnet [Client IP address] 6006
    • To test the connection from Client to Server: telnet [Server IP address] 6005
  •  For a functioning communication, the result looks like this:

clipboard_e8e58d9c00233ca57acaf9628e52455ce.png

If the command fails, check whether another component of your network environment is blocking the communication.

  • Was this article helpful?