Orchestria Active Policy Management (APM) 6.0

Release Notes

Release ID: B-08A-APM

Version: 6.0.2200.2
May 2008
 

Contents

1. What is Orchestria APM?
2. What's new in this release?
  2.1 Announcements
  2.2 New features
3. What's fixed in this release?
4. What is on the CD?
  4.1 'Docs' folder
  4.2 'lin_i' folder
  4.3 'Reports' folder
  4.4 'Win32' folder
  4.5 'Win64' folder
5. Requirements
6. Installation
7. Known issues
8. Default list of long domains
9. Acknowledgements

 

1. What is Orchestria APM?

This CD contains the Bloomberg-licensed OEM edition of Orchestria APM.

Orchestria APM provides real time risk management of Internet communications, right across the organization. Specifically, Orchestria APM enables organizations to capture and control targeted e-mail, IM and Web activity. Orchestria APM can also monitor usage of other applications.

For full details about all Orchestria APM features, see the various guides in the \Software\docs folder on your Orchestria APM distribution media—see section 4.1.

For full details about all Orchestria APM features, see the Administrator and Deployment guides and the Bloomberg Integration guide—see sections 4.1 and 4.3.


2. What's new in this release?

2.1 Announcements

This section lists important changes to functionality since Orchestria APM version 5.0.


Tracking ID 354-48 Microsoft SQL Server 2000 no longer supported

The current version of Orchestria APM no longer supports SQL Server 2000. If any existing Orchestria APM servers use SQL Server 2000, you must upgrade the database engine to SQL Server 2005 (we recommend the SP2 version) or SQL Server 2008 before you upgrade Orchestria APM.

For details, see the Database guide; search the index for 'SQL Server, upgrading'.


Tracking ID 410-72 Default user accounts created automatically for use by policy engines

In this release, when you install a CMS, three new user accounts are created automatically. These accounts are created solely for use by policy engines. The accounts have no management or administrative privileges and all are created in the top-level Users group.

  • UnknownInternalSender: The sole purpose of this account is as a conduit to enable policy engines to apply policy to internal e-mails from unrecognized senders.
  • ExternalSender: The sole purpose of this account is as a conduit to enable policy engines to apply policy to external e-mails.
  • DefaultFileUser: The sole purpose of this account is as a conduit to enable policy engines to apply policy to scanned, captured or imported files if no other means are available to determine the policy participant.

In each case, the associated setting in the Common Gateway Policy defaults to use these new user accounts. For details, see the Deployment guide; search the index for 'unknown users: policy engine handling'.


Tracking ID 418-56 PDF hyperlinks between Orchestria APM manuals require Acrobat Reader 8

Orchestria APM manuals are distributed in Adobe PDF format. These PDF manuals can be opened with Acrobat Reader 7, but for the hyperlinks between manuals to work correctly you must use Acrobat Reader 8.

You can download the latest free version of Acrobat Reader from the Adobe web site: http://www.adobe.com/products/acrobat/readstep2.html


Tracking ID 434-96 Oracle primary user and schema owner need the CREATE TRIGGER privilege

Before you upgrade an Oracle CMS to version 6.0, you must manually grant the CREATE TRIGGER privilege to your Oracle primary user and, if specified, the schema owner. (This privilege is granted automatically when you install a new 6.0 Oracle CMS.)

For details, see the Database guide; search the index for 'Oracle, privileges'.


Tracking ID 436-39 Navigation changes for user and machine hierarchies in Administration console

In this release, the navigation method for the user and machine hierarchies has been amended. In common with other widely-used applications such as Windows Explorer, the Orchestria APM Administration console now only lists 'containers' (that is, groups of users or CMSs and gateways) in the left-hand pane. Likewise, the contents of each container (the individual users in a group or the child machines attached to a CMS or gateway) are listed only in the right-hand pane. This model permits the Administration console to provide richer context-sensitive information and more extensive functionality for users and machines listed in the right-hand pane.



2.2 New features

This section summarizes the major new functionality added since Orchestria APM version 6.0. For full details about these new features, please see the relevant Orchestria APM guides or the 6.0 New Feature Summary, available from the Orchestria service desk: http://support.orchestria.com

  • Network Boundary Agent (NBA): Active version
    The NBA operates at the boundary between an organization and the Internet to ensure that sensitive or confidential information does not leave the corporate network. The current release includes support for the NBA in Active mode.
    In Active mode, the NBA is physically inline between the corporate network and the Internet. This enables it to analyze e-mails, files and IM conversations (reconstructed from individual data packets transmitted across the corporate network to the Internet) and apply policy to those items. In particular, it can block items by not allowing packets to cross the Internet boundary. It can also apply:
      • Outgoing E-mail triggers to SMTP and POP3 e-mails, Webmails (such as Hotmail or Yahoo!), and IM conversations.
      • Data In Motion triggers to FTP file transfers, files sent as attachments to Webmails or IM conversations, and files uploaded to or downloaded from Web sites. Data In Motion triggers are described below.
  • Client File System Agent (CFSA)
    The CFSA can control attempts by users to copy or save files to USB devices such as removable flash drives. If Windows Explorer or a DOS command is used to copy files to USB devices, the CFSA can apply Data In Motion triggers in real time to the file being copied. Data In Motion triggers are described below.
  • Client Print System Agent (CPSA)
    The CPSA can capture or control attempts by users to print files or documents on local or network printers. When the CPSA detects a specified print job, it applies Data In Motion triggers in real time to the document being printed. Data In Motion triggers are described below.
  • Data In Motion policy triggers
    These new file triggers can capture and control attempts by users to print files or copy files to a USB device. They can also capture and control files entering or leaving the corporate network. In all cases, Data In Motion triggers can be configured to block and categorize the files. For files being printed or copied to USB devices, they can also warn or inform the user. These triggers are used by the CPSA, CFSA, and the NBA; see above for details.
  • Integration with Sendmail and Postfix
    Orchestria APM can now integrate with the Sendmail and Postfix mail transfer agents, analyzing and, if necessary, blocking e-mail traffic passing between corporate networks and the Internet. Integration is implemented through the Milter MTA agent; this agent can reside directly on the Sendmail and Postfix server or on a remote Linux machine, connecting to the e-mail server via a socket. The Milter MTA agent passes captured e-mails to policy engines for processing, which in turn apply Outgoing E-mail triggers.
  • FSA integration with MS Exchange Public Folders and SharePoint
    In the current release, the File Scanning Agent (FSA) functionality has been extended to enable it to scan files in Exchange Public Folders and items hosted on Microsoft SharePoint sites.
  • IIS SMTP Agent
    The IIS SMTP agent enables Orchestria APM to monitor and control e-mails transiting through Microsoft IIS SMTP servers. These servers typically operate at the Internet boundary, and the IIS SMTP agent enables Orchestria APM to analyze e-mails leaving the company or arriving from an external source.
     i  This functionality was previously only available in OEM versions of Orchestria APM as the SMTP Relay Agent.
  • Categorization
    Categorization is a new policy-based feature that enables Orchestria APM to assign an e-mail or file to one or more categories when it is sent. Categories are defined in control triggers and 'Categorize' options are available in control actions. When a trigger activates, the categories are stored with the event as smart tags. The categorization process can be fully automated, assisted, or manual.
  • Auditing enhancements
    The Administration console includes enhancements for reviewing events in the iConsole:
      • Trigger severity: Policy triggers can now be grouped into bands of Low, Medium and High severity. For example, you may want to assign a high severity score to a trigger that detects serious violations of corporate rules.
      • Dependent audit states: You can configure dependencies between audit <Field 1> and <Field 2> values, and between audit <Field 2> and <Field 3> values. For example, you can configure these fields so that if a reviewer chooses a specific <Field 1> value in the iConsole, the available values in <Field 2> are restricted accordingly.
      • Policy class: Individual triggers can now be associated with a particular policy for any solution class. For example, the Data Loss Prevention solution includes a Non Public Information class; this solution class is implemented through policies such as Sales Information. If a trigger is associated with the Sales Information policy, this information gets stored with an event's metadata when the trigger activates.
  • Dashboard support
    The iConsole now incorporates dashboard support. A dashboard is a collection of searches, each of which populates a pane in the dashboard display. This collection of panes can be grouped into separate pages or onto a sidebar that is visible for all pages. For details, see the iConsole search definition guide; search the index for: 'dashboards'.
  • Policy management enhancements
    The Administration console includes enhancements for managing policies:
      • Policy Editors support bulk copying and pasting: The User and Machine Policy Editors now support copying and pasting of multiple policy settings from one folder to another within the current policy. For example, this enables administrators to quickly set up multiple triggers with common settings. For full details, please contact the Orchestria service desk (see above).
      • Policy import and export: User and Machine Policy Editors now support exporting and importing policies to and from files, copying a policy from one account to another, and checking policy versions. The engine underlying this functionality is wgnpol.exe, which can operate as a standalone command line utility, enabling you to incorporate policy operations into scripts or batch files.
  • Address Book support for iConsole audit e-mails (Compose Mail dialog)
    In this release, when reviewers send audit e-mails to colleagues, the iConsole Compose Mail dialog allows them to search for recipients in a corporate address book (typically Active Directory).
  • Enhanced platform support
    Orchestria APM now supports:
      • Lotus/Domino 8
      • Microsoft SQL Server 2008
      • Microsoft SQL Server 2005 Express edition
      • Microsoft Windows Server 2008
      • Oracle OutsideIn v8.2


3. What is fixed in this release?

Orchestria APM version 6.0 incorporates all the fixes distributed with Orchestria APM 5.0 service pack 2. For full lists of these fixes, please see the readme files that accompanied service pack 2. These readme files are available on the Orchestria extranet:

  1. Go to https://extranet.orchestria.com and choose the Downloads page.
  2. Go to the Orchestria 5.3 Updates section.
  3. Download the readme files for APM_5.0_SP2.

 i  All releases are cumulative; fixes included in this release incorporate and supersede fixes in earlier releases.


4. What is on the CD?

This Orchestria APM CD contains all the software you need to deploy Orchestria APM. It includes product software for installing Orchestria APM on servers and client machines, plus the Windows Installer removal utility. It contains the following folders.


4.1 'Docs' folder

This folder contains various guides, including the Deployment guide, Administrator guide, and Upgrade guide. These guides are in Adobe PDF format; you can download the latest free version of Acrobat Reader from the Adobe web site: http://www.adobe.com/products/acrobat/readstep2.html


4.2 'lin_i' folder

This contains software for installing Orchestria APM on Linux machines. It contains the following folder.

  • 'WgnMilter' folder
    This folder contains the install.sh file for installing the Milter MTA agent. This agent enables Orchestria APM to integrate with Sendmail and Postfix; see section 2.1.
    For full installation instructions, see the Deployment guide; search the index for 'Milter MTA agent'.


4.3 'Reports' folder

This folder contains the software and other files necessary to install the standard iConsole reports version R4.2. Each report is stored in a separate subfolder. For installation instructions, see the readme.htm file in each subfolder. In the current release, these reports are:

  • Alert Summary Report
  • Compliance Audit Report
  • Detailed Issue Report
  • Employees Not Reviewed Report
  • Proof of Supervision Report
  • Repeat Offender Report


4.4 'Win32' folder

This Orchestria APM CD contains all the software you need to deploy Orchestria APM. It includes product software for installing Orchestria APM on servers and client machines, plus the Windows Installer removal utility. It contains the following folders.

  • 'Client' folder
    This folder contains the software for installing Orchestria APM on client machines. This typically includes the Orchestria APM infrastructure plus browser and e-mail integration software.
  • 'Integration' folder
    This folder contains software for integrating Orchestria APM with third party products, including Microsoft Exchange, Lotus Domino and archive solutions.
  • 'Server' folder
    This folder contains the software for installing Orchestria APM on a CMS and gateway servers. This typically includes the Orchestria APM infrastructure, enterprise server functionality, and the Administration console. Other features are optional.
  • 'Support' folder
    This folder contains various administrative utilities. These include: scripts for generating transforms used in managed deployment operations; an Orchestria APM deactivation utility; and a secure data management utility to export and re-import protected registry keys. For full details about each of these utilities, see the Support.htm file in this folder.
  • 'Web' folder
    This folder contains the software for installing the Orchestria APM iConsole. This is a browser-based application providing event searching and auditing features. It is primarily aimed at auditors, reviewers and compliance personnel.


4.5 'Win64' folder

This contains software for installing Orchestria APM components on 64-bit Windows machines. It contains the following folder.

  • 'Integration' folder
    This folder contains software for installing the Exchange 2007 server agent.


5. Requirements

Hardware and software requirements for Orchestria APM components are provided in the Deployment guide—see section 4.1.

Hardware and software requirements for Orchestria APM components are provided in the Deployment guide and Bloomberg Integration guide. These are described in sections 4.1 and 4.3 respectively.


6. Installation

Installation and uninstallation instructions are provided in the Deployment guide—see section 4.1.

Installation and uninstallation instructions are provided in the Deployment guide. This guide is described above in section 4.1.

 !  For Oracle 9.2 databases, be aware of known issue 319-93, described below in section 7.


7. Known issues

Tracking ID 319-93 Error message when upgrading Oracle servers to 6.0

For Oracle 9.2 servers only. When you upgrade older versions of your Orchestria APM servers to version 6.0, this may generate the following error message: "Error 25004. Error writing database schema : A Java runtime error occurred." If this error occurs, you must do the following:

  1. Install Orchestria APM 6.0. If the error message appears, the resulting error dialog will have two buttons: Retry and Cancel. You must choose Retry and continue with the service pack installation.
  2. The installation appears to complete successfully, but the WGNUE package may have failed to compile successfully.
  3. If it has failed, you must now compile the WGNUE package manually. For example, you can do this using Oracle Enterprise Manager:
     3.1 Navigate to the WGNUE package. Its status is shown as 'Invalid'.
     3.2 Manually compile the package; its status changes to 'Valid'.
      i  Ensure that your Oracle user has appropriate privileges (for example, SYSDBA) to compile packages.

Tracking ID 399-34 Group history and event audit corruption fixes not always applied correctly

During upgrades of existing CMS installations, the 6.0 release of Orchestria APM will attempt to detect and fix corruptions of user group histories and event audit trails (for details, see the Upgrade guide—see section 4.1). Last minute testing has identified that in some cases the fix is not applied correctly to all corrupted items, which sometimes causes 'older' group and audit records to be incorrectly made 'current'. This only happens for some items that were already corrupted.

Group history and event audit corruptions are rare and may not affect your system. However, we recommend that you run the following SQL queries against your CMS prior to attempting to upgrade. If both of the queries return a value of 0 then you should be safe to proceed with your upgrade; otherwise please contact Orchestria support for assistance, providing them the results of each of these queries. Orchestria plans to provide a fix for this issue in the future.

Query to determine if corrupt group histories exist:

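-- Counts the distinct users that have more than one WGN3USERGROUP row
-- sharing the same NEXTGROUPHISTORYUID. A result of 0 is expected.
SELECT COUNT(*) FROM
(
  SELECT DISTINCT USERIDM, USERID FROM
  (
    SELECT USERIDM, USERID, NEXTGROUPHISTORYUID
    FROM WGN3USERGROUP
    GROUP BY USERIDM, USERID, NEXTGROUPHISTORYUID
    HAVING COUNT(*) > 1
  ) dup_grp2
) dup_grp1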

Query to determine if corrupt event audit trails exist:

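-- Counts the distinct event audit entries that have more than one
-- WGN3EVENTAUDIT row sharing the same NEXTAUDITUID. A result of 0 is expected.
SELECT COUNT(*) FROM
(
  SELECT DISTINCT EVENTUID, EVENTTIMESTAMP, AUDITTYPE, ISSUEUID FROM
  (
    SELECT EVENTUID, EVENTTIMESTAMP, AUDITTYPE, ISSUEUID, NEXTAUDITUID
    FROM WGN3EVENTAUDIT
    GROUP BY EVENTUID, EVENTTIMESTAMP, AUDITTYPE, ISSUEUID, NEXTAUDITUID
    HAVING COUNT(*) > 1
  ) dup_aud2
) dup_aud1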

 


Tracking ID 449-72 FSA sometimes reports 'access denied' when access to SharePoint sites is available

If you intend to use the FSA to scan items on Microsoft SharePoint sites, you must ensure that the user running wgnfstub.exe on the FSA SharePoint Connector has sufficient List and Site permissions to the Microsoft SharePoint site being scanned. For example, a capture only policy requires at least the 'View Items' and 'View Application Pages' List permissions and the 'Browse Directories' Site Permission.


8. Default list of long domains

Orchestria APM uses the e-mail address patterns listed below to identify 'long domains' when extracting the domain element from an SMTP address. Long domains are defined as comprising three segments after the @ symbol, for example, lsteel@unipraxis.co.uk. You can also supplement this list in the user policy; to do this, edit the Additional Long Domain Endings setting in the Definitions folder.

 i  The ability to identify long domains is required by msgattr lookup commands when counting the number of unique domains in a list of e-mail recipients. For further details, see the Administrator guide; search the index for 'unique domains, identifying'. To locate this guide, see section 4.1.

 

  .*.au       .bj.cn      .fm.br      .he.cn      .mi.th      .odo.br     .ru.com
  .*.hk       .br.com     .fot.br     .hi.cn      .mil.*      .on.ca      .sa.com
  .*.nz       .cn.com     .fst.br     .hk.cn      .mo.cn      .or.ac      .sc.cn
  .*.uk       .cng.br     .g12.br     .hl.cn      .muni.il    .or.at      .school.za
  .ab.ca      .cnt.br     .gb.com     .hn.cn      .nb.ca      .or.jp      .sd.cn
  .ac.*       .co.*       .gb.net     .hu.com     .ne.jp      .or.kr      .se.com
  .ad.jp      .com.*      .gd.cn      .ind.br     .ne.kr      .or.th      .sh.cn
  .adm.br     .cq.cn      .geo.jp     .inf.br     .net.*      .org.*      .sk.ca
  .adv.br     .de.com     .go.jp      .info.ro    .nf.ca      .pe.ca      .slg.br
  .ah.cn      .ecn.br     .go.kr      .jl.cn      .ngo.za     .ppg.br     .sn.cn
  .alt.za     .ed.jp      .go.th      .jor.br     .nm.cn      .presse.fr  .store.ro
  .am.br      .edu.*      .gov.*      .js.cn      .nm.kr      .pro.br     .sx.cn
  .arq.br     .eng.br     .gov.*      .jx.cn      .no.com     .psc.br     .tj.cn
  .art.br     .ernet.in   .gr.jp      .k12.il     .nom.br     .psi.br     .tm.fr
  .arts.ro    .esp.br     .gs.cn      .k12.tr     .nom.ro     .qc.ca      .tm.mc
  .asso.fr    .etc.br     .gv.ac      .lel.br     .nom.za     .qc.com
  .asso.mc    .eti.br     .gv.at      .lg.jp      .ns.ca      .qh.cn
  .au.com     .eu.com     .gx.cn      .ln.cn      .nt.ca      .re.kr
  .bbs.tr     .fin.ec     .gz.cn      .mb.ca      .nt.ro      .rec.br
  .bc.ca      .firm.ro    .ha.cn      .med.br     .ntr.br     .rec.ro
  .bio.br     .fj.cn      .hb.cn      .med.ec     .nx.cn      .res.in
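
The long-domain rule described in this section, sketched as an added example (this is not Orchestria code). It assumes that each ending is compared label by label with the last two labels of the host, that * stands for any one label, and that a match keeps three labels instead of two. The endings are a subset of the default list; every address except lsteel@unipraxis.co.uk, and the .priv.example ending, are constructed.

```python
# Added example, not Orchestria code. The matching semantics are an assumption.
# Subset of the default endings listed above; '*' stands for any one label.
DEFAULT_LONG_ENDINGS = (
    ".*.au", ".*.uk", ".ac.*", ".co.*", ".com.*", ".gov.*", ".on.ca", ".ne.jp",
)


def is_long_domain(labels, endings):
    """True if the last two labels of the host match one of the endings."""
    if len(labels) < 3:
        return False  # there is no third segment to keep
    tail = labels[-2:]
    for ending in endings:
        pattern = ending.lower().lstrip(".").split(".")
        if len(pattern) == 2 and all(p in ("*", t) for p, t in zip(pattern, tail)):
            return True
    return False


def domain_element(address, endings=DEFAULT_LONG_ENDINGS):
    """Extract the domain element from an SMTP address.

    Long domains keep three segments after the @ symbol, all others two.
    """
    local, sep, host = address.strip().rpartition("@")
    if not sep or not local or not host:
        raise ValueError(f"not an SMTP address: {address!r}")
    labels = host.lower().rstrip(".").split(".")
    if any(not label for label in labels):
        raise ValueError(f"empty label in host: {address!r}")
    keep = 3 if is_long_domain(labels, endings) else 2
    return ".".join(labels[-keep:])


def unique_domains(recipients, endings=DEFAULT_LONG_ENDINGS):
    """Sorted list of the distinct domain elements in a recipient list."""
    return sorted({domain_element(r, endings) for r in recipients})


# Constructed recipient list (only the first address appears in the text).
SAMPLE_RECIPIENTS = [
    "lsteel@unipraxis.co.uk",
    "ops@mail.unipraxis.co.uk",
    "jdoe@example.co.uk",
    "a@example.com",
    "b@eu.example.com",
    "c@example.com.br",
]

if __name__ == "__main__":
    # With the long-domain list, three organizations under .co.uk and .com.br
    # stay distinct; with no list they collapse into 'co.uk' and 'com.br'.
    print("with list:   ", unique_domains(SAMPLE_RECIPIENTS))
    print("without list:", unique_domains(SAMPLE_RECIPIENTS, endings=()))
    # A hypothetical ending added through Additional Long Domain Endings.
    extra = DEFAULT_LONG_ENDINGS + (".priv.example",)
    print(domain_element("x@unit.priv.example", extra))
```

With no long-domain list, unrelated organizations under the same two-label ending are counted as one domain, so a policy that depends on the number of unique recipient domains would undercount.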

   
               


9. Acknowledgments

Optional Content Search and Agent technology used under license from and Copyright ©2007 Fast Search and Transfer International AS.
Outside In® Content Access Copyright ©1991, 2007 Oracle Corporation.
Domino, Lotus and Notes are trademarks of IBM Corporation.
Enterprise Vault is a registered trademark of Symantec Corporation.
FAST is a trademark of Fast Search and Transfer ASA.
Microsoft, Windows and Internet Explorer are trademarks or registered trademarks of Microsoft Corporation.


Copyright ©2001-2008 Orchestria Limited. All Rights Reserved.