Connection settings

A. Connection settings

Under Connection settings, you can configure the connection type and session properties.

Connection type

By default, DataSecurity Plus uses the ports listed below based on the connection type: HTTP: 8800

HTTPS: 9163

To change these ports, select the connection type, enter the desired port number, and click Save. Then, restart the DataSecurity Plus server to ensure unhindered event collection.

Once a DataSecurity Plus professional edition license is applied, HTTPS connection will be mandatory to ensure secure data transfers.

Configuring SSL

Applying Secure Sockets Layer (SSL) certificates to DataSecurity Plus ensures that all data transfers between users’ web browsers and the DataSecurity Plus server remain secure. DataSecurity Plus mandates the use of HTTPS connections for heightened security, and this guide explains the steps to enable SSL for DataSecurity Plus.

The steps to enable SSL vary depending on whether you already have a signed SSL certificate.

• If you already have an SSL certificate, skip ahead to Step 3.
• If you do not have an SSL certificate yet, follow the entirety of this guide.

DataSecurity Plus can generate a certificate signing request (CSR) that can then be submitted to your certificate authority (CA) for signing. The signed certificate can then be uploaded to the DataSecurity Plus console. To achieve this, follow these steps:

• Generate a certificate or CSR
• Request certificate signing from a CA
• Define the SSL port in the DataSecurity Plus console
• Upload your SSL certificate

1. Generate a certificate or CSR

The following steps detail the procedure for creating a certificate or CSR from the DataSecurity Plus Admin Console:

• Log in to the DataSecurity Plus console with an account that has administrative privileges.
• From the applications drop-down menu, select Admin Console.
• Navigate to General Settings > Connection.
• After defining the port, click Apply SSL Certificate next to DataSecurity Plus Portal (https).
• On the next page, select Generate Certificate.
• Provide the required details:

  Parameter	Description
  Common Name	Enter the name of the server on which DataSecurity Plus is running.
  SANs	Enter the names of the additional hosts (sites, IP addresses, etc.) that are to be protected by the SSL certificate.
  Organizational Unit	Enter the department name that is to appear on the certificate.
  Organization	Enter the legal name of your organization.
  City	Enter the city name as shown in your organization’s registered address.
  State/Province	Enter the state/province as shown in your organization’s registered address.
  Country Code	Enter the two-letter code of the country in which your organization is located.
  Password	Enter a password that is at least six characters long.
  Validity (In Days)	Enter the number of days for which the certificate should be valid. If no value is provided, it will be set to 90 days.
  Public Key Length (In Bits)	Enter the public key length. The larger the size is, the stronger the key will be. The default size is 1,024 bits, and the size can be increased only in multiples of 64.

• If you plan to use a self-signed certificate, click Generate and Apply Self-Signed Certificate. This will create the SSL certificate and bind it to DataSecurity Plus to finish enabling HTTPS. Otherwise, proceed to the next step.
• Click Generate CSR.

  Note: For the steps to manually create a CSR file, refer to the manual SSL configuration guide.

• The generated CSR can be downloaded by clicking Download CSR on the pop-up. Alternatively, the created CSR file can be found in <installation directory>\ManageEngine\DataSecurity Plus\jre\bin. This file must be submitted to your CA for signing—to do so, follow the directions in the next section.

2. Request certificate signing from a CA

The steps below provide instructions for connecting to a CA, submitting the CSR, procuring the SSL certificate, and importing it.

2.1 From Microsoft Certificate Services (internal CA)

For an internal CA:

• Connect to Microsoft Certificate Services and click Request a certificate.
• Click advanced certificate request, then select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
• Open the CSR file using a text editor, copy the content, and paste it under Saved Request.
• Select Web Server as the Certificate Template and click Submit.
• Click the Download certificate chain link to download the issued PKCS #7 Certificate type to the <installation directory>\ManageEngine\DataSecurity Plus\jre\bin folder. The downloaded certificate will be in P7B format.
• Click Home in the top-right corner and click Download a CA certificate, certificate chain, or CRL.
• Click Download CA certificate to download and save the root certificate in CER format.

2.2 From an external CA

Contact your CA to get the commands required to receive signed certificates.

3. Define the SSL port in the DataSecurity Plus console

Once you have your CA-signed SSL certificate, follow these steps to define the HTTPS port in the DataSecurity Plus console:

• Log in to the DataSecurity Plus console with an account that has administrative privileges.
• From the applications drop-down menu, select Admin Console.
• Navigate to General Settings > Connection.
• Select DataSecurity Plus Portal (https) as the Connection Type and enter the port number you plan on using for DataSecurity Plus.

Note: DataSecurity Plus provides an option to use a default SSL certificate. However, we strongly recommend uploading your own SSL certificate for maximum security.

4. Upload your SSL certificate

To upload your CA-signed SSL certificate, follow these steps:

• Click Apply SSL Certificate next to Upload or Generate SSL Certificate.
• On the next page, select Apply Certificate.
• There are two upload options you can choose from:
  • Option 1—ZIP Upload: If your CA has sent you a ZIP file, click ZIP Upload > Browse and select your target file. If your private key is password-protected, then enter the password next to Private Key Passphrase.
  • Option 2—Individual Certificate: If your CA has sent you just one certificate file (PFX or PEM format), click Individual Certificate. Next to Upload Certificate, click Browse and select your certificate. Then, next to Upload CA Bundle, click Browse and select your CA bundle files. Finally, provide your Certificate Password.

  Note: If your CA has sent the certificate content, paste the content in a text editor and save it in a CER, CRT, or PEM format. Then, upload the file by following the steps for Option 2.

• Click Apply.
• Restart the DataSecurity Plus server for the changes to take effect.

Session properties

This setting allows administrators to define how long a user's session can be inactive in their browser before they are automatically logged out of the DataSecurity Plus web console. By default, sessions will time out after 30 minutes of inactivity. Any changes to this duration will be reflected only after the DataSecurity Plus server is restarted.

B. Proxy settings

To configure DataSecurity Plus to use a proxy server for connecting to the internet, follow the steps below:

• Login to the DataSecurity Plus web console.
• Go to Admin Console > Admin > General Settings > Connection, and click the Proxy Settings tab.
• Enable the Proxy Server Settings checkbox.
• Specify the Server Name or IP Address of your proxy server.
• If your environment has an authentication-enabled proxy setup, check Authentication and type in the Username and Password.
• Click the Save button.

C. NAT settings

When endpoint devices need to access the DataSecurity Plus central server through the internet, you can configure a network address translation (NAT) device. This will map your internal IP address to a public IP address or fully qualified domain name (FQDN), which the devices can use to access the central server.

Configure the NAT device by following the steps below:

• The details of DataSecurity Plus' central server (private IP address and port number) are prefilled based on your current configuration.
• Enter the public FQDN and port number of the Secure Gateway Server.
• Click Save.

D. Secure Gateway Server settings

A Secure Gateway Server provides an additional layer of security when handling communications between your central server and endpoint devices. It prevents the central server from being exposed directly to the internet by acting as an intermediary between the central server and the endpoint devices. When the agent tries to contact the central server, the Secure Gateway Server receives all the communications and redirects it to the central server.

Follow the steps below to configure the Secure Gateway Server:

• Download and install the DataSecurity Plus proxy server application.
• After installation, open the application.
• Enter the central server name and port number.
• Provide the required details for local or AD authentication.
• Wait until the server certificates are installed.
• Click Finish to close the window.

The Secure Gateway Server will start running. You can check the status of the connection by going back to the Secure Gateway Server settings page.

If you want to change the port number of the Secure Gateway Server, follow the steps below:

• Go to the NAT settings tab and change the port number of the Secure Gateway Server to your required value.
• Open the installation folder of the DataSecurity Plus proxy server application and go the conf folder.
• Open the websettings.conf file.
• Find fs.https.port within the file and change the port number here as well. Double-check to ensure that the port numbers match.
• Save and close the file.
• Restart the DataSecurity Plus proxy server to apply the changes.
• Go to Secure Gateway Server tab and click Test Connection to check whether connection is successful.