Installing Forcepoint DLP Agents

Forcepoint DLP agents enable the system to access the data necessary to analyze specific types of traffic, or the traffic from specific servers.

Important:

Before installing an agent, make sure that the Forcepoint Management Infrastructure and Forcepoint DLP management components are already installed.

Do not install any Forcepoint DLP component on a domain controller.

Click the links below to learn more about each agent, including where to deploy it, installation prerequisites, installation steps, special considerations, and best practices.

  • Connect to Data Protection Service to work with the Forcepoint DLP integrations with Forcepoint CASB, Forcepoint Web Security Cloud, and Forcepoint Cloud Email for enforcement of DLP policies on the cloud. No installation steps are required, only connection and activation of DLP Cloud Applications, as appropriate according to the licenses you have. See Data Protection Service, for more information.
  • The on-premises crawler performs discovery and fingerprinting scans. The crawler is installed automatically on the management server and other Forcepoint DLP servers. To improve scanning performance in high transaction volume environments, additional, standalone instances can be used. (See The crawler)
  • Forcepoint DLP Endpoint client software resides on and monitors data activity on endpoint machines. It also reports on data at rest. The endpoint agent can monitor application operations such as cut, copy, paste, and print screen, and block users from copying files, or even parts of files, to devices such as thumb drives, CD/DVD burners, and Android phones. The endpoint agent can also monitor or block print operations as well as outbound web posts and email messages. (See Installing and Deploying Forcepoint DLP Endpoint Clients.)
Important: Forcepoint DLP agents and machines with a policy engine (such as a Forcepoint DLP Server or Web Content Gateway appliance) must have direct connection to the management server. When deployed in a DMZ or behind a firewall, the relevant ports must be allowed.