Installing email protection components

Forcepoint Email Security is an appliance-based solution. All components run on the appliance, except the Email Security module of the Forcepoint Security Manager and the Email Log Server. These are the only two email protection components that may be installed using the Forcepoint Security Installer.

Before you begin

Important: You should have already installed Forcepoint DLP, which you need in order to access and configure email DLP functions in the Data Security module.
Applies to:
  • Forcepoint Email Security, v8.5.x

Steps

  1. It is assumed you have already launched the Forcepoint Security Installer and chosen the Custom installation type. If not, see Deployment section in Installing components via the Custom option.
  2. On the Custom Installation dashboard, click the Install link for email protection solutions.
  3. The email protection component installer is launched.
  4. On the Introduction screen, click Next.
  5. If the installer detects Forcepoint Infrastructure on this machine, it operates as if it is part of a Forcepoint Security Manager installation. See Installing the Email Security module of the Security Manager for instructions.
    If Forcepoint Infrastructure is not detected, then the installer operates in custom mode.
  6. In the Select Components screen, specify whether you want to install the Email Log Server.
    Email Log Server is selected for installation by default. To install the Email Log Server, SQL Server or SQL Server Express must already be installed and running in your network. (See System requirements for this version for supported database systems.)

    If you choose to install the Email Log Server, the Email Log Server Configuration utility is also installed. This utility can be accessed by selecting Start > Forcepoint > Email Log Server Configuration.

  7. If Forcepoint Infrastructure is not found already installed on this machine, the Email Log Database screen appears. Specify the location of a database engine and how you want to connect to it.
    • Log Database location: Enter the IP address or hostname of the database engine machine. If you want to use a named database instance, enter in the form <IP address>\<instance name>. The instance must already exist. See your SQL Server documentation for instructions on creating instances.

      If you chose to install SQL Server Express as part of the installation of the Security Manager (when available), the log database IP address should be that of the Security Manager machine.

      Starting in version 8.5.4, more stringent connection string and certificate requirements are needed for establishing an encrypted connection with a SQL Server. Using an IP address is no longer supported for encrypted connections; you must use a hostname or a fully qualified domain name (FQDN) that matches the Common Name (CN) field on the certificate used by SQL Server, if using an encrypted database connection.

    • You may specify whether the connection to the database should be encrypted.

      If you are using an encrypted connection, ensure that you use a hostname or FQDN for your Email Log Database that matches the CN field on the certificate that SQL Server is using.

      Please note the following issues associated with using this encryption feature:

      • By default, Email Log Server uses NTLMv2 to encrypt the connection.

        If you want to use SSL encryption, you must have imported a trusted certificate to the Log Server machine. See your database documentation for information about importing a trusted certificate.

      • The Bulk Copy Program (BCP) option for inserting records into the Log Database in batches cannot be used. Not using the batch method may affect Log Database performance.
      • The connection from the Forcepoint appliance to the Log Database cannot be encrypted. If you enable encryption for Log Database, you must disable the SQL Server force encryption feature.
    • Database login type: Select how Email Log Server should connect to the database engine.
      • Windows authentication: connect using a Windows trusted connection.
      • Database account: connect using a SQL Server account. Then enter a user name and password.
      • If using a trusted connection, enter the domain\username of the account to be used. This account must be a trusted local administrator on the database engine machine.
      • If using a database account, enter the name of a SQL Server account. This account must have certain roles assigned; see Installing with SQL Server.

        When you click Next, connection to the database engine is verified. If the connection test is successful, the next installer screen appears.

  8. On the Email Database File Location screen, specify where database files should be located and then click Next.
    This screen appears only if you chose to install the Email Log Server.

    A default location for the Log Database is automatically shown. Information about the location of the database engine and connection credentials were entered when Forcepoint Infrastructure and Forcepoint Email Security were installed on this machine. The installer reads this information from configuration files created by Forcepoint Security Setup.

    It is a best practice to use the default location. However, if you want to create the Log Database in a different location (or if you already have a Log Database in a different location), enter the path to the database files.

    The path entered here is understood to refer to the machine on which the database engine is located. The path entered must specify a directory that already exists.

    If any email protection components (e.g., the Security Manager Email Security module or another instance of Email Log Server) have already been installed in your deployment, the following message appears:

    The Email Log Database exists, do you want to remove it?

    This occurs because the database was created upon installation of the other email protection components. Click No to continue using the existing database. In general, you should keep the database if you are sure the database was created only during the course of installing other components in your current deployment.

    Clicking Yes removes the database.

    DANGER
    Any email traffic log data that has been written to the database will be lost if you remove the database. If you want to keep this data, back up the esglogdb7x and esglogdb7x_n databases. See your SQL Server documentation for backup instructions.
    DANGER
    If you remove the database, any currently quarantined email will no longer be accessible.
  9. On the Installation Folder screen, specify the location to which you want to install Email Log Server and then click Next.
    Note: The full installation path must use only ASCII characters. Do not use extended ASCII or double-byte characters.

    To select a location different than the default, use the Browse button.

    Email Log Server will be installed in its own folder under the parent folder you specify here.

  10. On the Pre-Installation Summary screen, review the components to be installed. If they are correct, click Install.
  11. The Installing Email Protection Solutions screen appears, as components are being installed.
  12. Wait until the Installation Complete screen appears, and then click Done.