Azure Information Protection Insight for Symantec Data Loss

Prevention Deployment Guide

Last updated: August 13, 2020

Table of Contents
About AIP Insight for Symantec Data Loss Prevention............................................................... 3
Enabling AIP Insight on the Azure portal......................................................................................5
Configuring proxy server details for AIP Insight deployment.....................................................6
Updating the DLP content extraction software on Windows detection servers........................ 7
Downloading the AIP Insight plugin on Windows detection servers..........................................8
Configuring Windows detection servers with Azure access credentials................................... 9
Configuring content extraction timeouts and enabling the plugin on Windows detection
servers............................................................................................................................................. 10
Updating the DLP content extraction software on Linux detection servers............................ 11
Downloading the AIP Insight plugin on Linux detection servers..............................................12
Configuring Linux detection servers with Azure access credentials....................................... 13
Configuring content extraction timeouts and enabling the plugin on Linux detection
servers............................................................................................................................................. 14
Migrating your AIP Insight deployment after upgrading your detection servers.....................15
Troubleshooting AIP Insight for Data Loss Prevention............................................................. 16
Known issues in deploying AIP Insight.......................................................................................17
Copyright Statement.......................................................................................................................... 18

2
About AIP Insight for Symantec Data Loss Prevention
AIP Insight for Symantec Data Loss Prevention combines the classification and encryption capabilities of Azure RMS with
the powerful data inspection features of DLP. Using the AIP Insight solution helps you meet your compliance and data
protection requirements.

You and the users in your organization can continue to secure information using Azure RMS in the way that you’re
accustomed; with AIP Insight deployed, your InfoSec team can gain visibility to sensitive information in RMS-encrypted
files and email messages, including messages sent using Microsoft Exchange on-premises and Exchange Online.
The AIP Insight solution works on both Linux and Windows platforms, and is supported on any platform on which you can
install a Data Loss Prevention detection server.
For details about supported server platforms, see Operating system requirements for servers in the Data Loss Prevention
online help.
AIP Insight is available for use on Data Loss Prevention 15.1, 15.5, and 15.7 (server support varies depending on DLP
version).

Here's an overview of the process to deploy AIP Insight:

Step 1: Enable AIP Insight on the Azure portal.
Step 2: Configure proxy server details for AIP Insight. Includes whitelisting Azure URLs.
Step 3: Update DLP content extraction software. Download a patch specific to your platform and DLP version.
Step 4: Download the DLP AIP plugin on your Windows or Linux detection servers.
Step 5: Configure detection servers with Azure access credentials.
Step 6: Configure content extraction timeouts in Advance server settings.
Step 7: Enable the plugin and restart the server.

3
 NOTE
Data Loss Prevention supports a previous integration with Azure RMS, which also involves deploying a plugin.
The previous integration supports file decryption and inspection only, and there is no support for decrypting
and inspecting email. The previous integration supports both Active Directory RMS and Azure RMS; the AIP
Insight solution supports Azure RMS only. However, the AIP Insight plugin uses more up-to-date technology for
integrating with Microsoft Azure Information Protection.

To begin to deploy the AIP Insight Solution, see Enabling AIP Insight on the Azure portal.

4
Enabling AIP Insight on the Azure portal
Follow these steps to enable use of AIP Insight for Data Loss Prevention on the Azure portal
1. Log in to http://portal.azure.com/ with administrator privileges.
2. Go to Azure Active Directory → App Registrations → New Registration.
3. Under Support account types choose the Single tenant account type option.
4. Provide a display name.
5. Leave the Redirect URI field empty.
6. Click Register.
7. After the application is registered, go to the applications page and click API Permissions, then click Add a
permission.
8. Select Azure Rights Management Services from the Microsoft APIs tab.
9. Choose Application Permissions scope.
10. Select the Content.SuperUser permission, then click Add a permission.
11. Click Grant Admin Consent and then click Yes.
12. Go to Certificates & Secrets.
13. Click New Client Secret under Client secrets.
14. Add a description.
15. Choose a validity period and click Add.
16. Copy the Client Secret. Copy this immediately; it will not be visible later. You will use this client secret in Configuring
Windows detection servers with Azure access credentials or in Configuring Linux detection servers with Azure access
credentials.
17. Go to the Overview page and copy the Application (client) ID and Directory (tenant) ID.
18. See Configuring proxy server details for AIP Insight deployment.

5
Configuring proxy server details for AIP Insight deployment
If you have a proxy server in your environment, follow these steps to make AIP Insight work in your proxy environment.
Symantec supports the following proxy types for AIP decryption:
• Transparent proxies: Transparent proxies are supported on both RHEL 7.x and Windows. If you have a proxy
configured in transparent mode, you do not have to configure detection servers to make the proxy work for AIP
decryption. However you do need to make sure the appropriate Azure URLs are whitelisted on your proxy server.
Follow the steps in this topic for whitelisting the URLs. The detection servers must be able to reach the Internet and
access these URLs.
• Explicit proxies: Explicit proxies are only supported on Windows-based detection servers; they are not supported on
Linux-based detection servers. Follow the steps later in this topic for configuring explicit proxies for Windows detection
servers.
• Authenticated proxies and proxies configured in TLS termination mode: These proxies are not supported on
either RHEL 7.x or Windows.

Follow these steps for using proxy servers with AIP Insight:
1. Go to Safelist the Azure portal URLs on your firewall or proxy serve
2. At this site, find the Azure RMS server URLs and whitelist these URLs at your proxy server.
3. Also whitelist api.aadrm.com.
4. Run the following command at the Windows command prompt: netsh winhttp set proxy <proxy IP/
hostname>:<port>.
5. See Updating the DLP content extraction software on Windows detection servers or Updating the DLP content
extraction software on Linux detection servers.

6
Updating the DLP content extraction software on Windows
detection servers
Before you download and configure the AIP Insight plugin, you must download and apply a patch to update the content
extraction software for Data Loss Prevention. Follow the instructions here to update the software.
1. Download the KeyView patch that corresponds to your installed Data Loss Prevention product version and
copy it to the detection server. For example: If the installed version is 15.5 MP2 for Windows, download
Symantec_DLP_15_5_KeyView_11.6.0.20200310_Patch_Windows.zip.
Symantec_DLP_15_7_KeyView_12.2.5.20200306_Patch_Windows.zip
Symantec_DLP_15_5_KeyView_11.6.0.20200310_Patch_Windows.zip
Symantec_DLP_15_1_KeyView_11.4.1.20200310_Patch_Windows.zip

2. Extract the downloaded zip file contents to a folder on the detection server computer. The contents has the following
directory structure: DLP\KeyView\x64.
3. Copy the x64 directory to the following location (make sure to overwrite the files; do not delete any files): <Program
Files>\Symantec\DataLossPrevention\KeyView\<version>\Protect\plugins\contentextraction
\Verity\.
4. Open the <Program Files>\Symantec\DataLossPrevention\ContentExtractionService\<version>
\Plugins\Protect\plugins\contentextraction\Verity\manifest.xml file and add the following entries:

<documentType type="encrypted_msg">
<supportedOperations>
<operation type="FileTypeIdentification"/>
<operation type="SubFileExtraction"/>
</supportedOperations>
</documentType>

<documentType type="encrypted_eml">
<supportedOperations>
<operation type="FileTypeIdentification"/>
<operation type="SubFileExtraction"/>
</supportedOperations>
</documentType>

<documentType type="encrypted_RMSEncryptedOPC">
<supportedOperations>
<operation type="MetaDataExtraction"/>
</supportedOperations>
</documentType>

5. See Downloading the AIP Insight plugin on Windows detection servers.

7
Downloading the AIP Insight plugin on Windows detection
servers
Perform the following steps to deploy AIP Insight on Windows detection servers.
1. Go to the Data Loss Prevention Downloads site at the Broadcom Support Portal and download the
Symantec_DLP_AIP_Plugin_Windows_March_2020.zip file. Extract the downloaded file to
a folder on the detection server computer. The extracted folder DLP contains the following folders:
MicrosoftInformationProtectionPlugin and ceh.
2. Copy the MicrosoftInformationProtectionPlugin directory to <Program Files>\Symantec
\DataLossPrevention\ContentExtractionService\<version>\Plugins\Protect\plugins
\contentextraction\ folder.
3. Copy the contents of the extracted ceh folder (containing the mip_ClientTelemetry.dll, mip_core.dll,
mip_protection_sdk.dll, and mip_upe_sdk.dll) into this location: <Program Files>\Symantec
\DataLossPrevention\ContentExtractionService\<version>\Protect\lib\native.
4. See Configuring Windows detection servers with Azure access credentials.

8
Configuring Windows detection servers with Azure access
credentials
You need to ensure that the detection server can access the Azure service. To do so, you'll need to create a text file with
the appropriate credentials for each Azure tenant, and then run a configuration utility that consumes the information in the
text file and configures the credentials for use by the detection server.
Follow these steps for configuring credentials:
1. Create a new text file.
2. Add the entries in the file as shown in the following example, which has two entries for two tenancies:
ClientID=<Application (client) ID value>TenantID=<Directory (tenant) ID value>ClientSecret=<client secret
value>ClientID=<Application (client) ID value>TenantID=<Directory (tenant) ID value>ClientSecret=<client secret
value>
3. Save the file.
4. Launch a new command line in service-user context by pressing CTRL+Shift and then right-clicking cmd.exe and
selecting Run as a different user. Then, enter the credentials of the DLP user under which the detection services
run.
5. Change the directory to <Program Files>\Symantec\DataLossPrevention
\ContentExtractionService\<version>\Plugins\Protect\plugins\contentextraction
\MicrosoftInformationProtectionPlugin.
6. Run the configuration creator utility by specifying the correct arguments. For example:
ConfigurationCreator.exe CredentialFile <credential text file>.
7. Delete the credential text file. This file contains the client secret that you created in Enabling AIP Insight on the Azure
portal.
8. See Configuring content extraction timeouts and enabling the plugin on Windows detection servers.

9
Configuring content extraction timeouts and enabling the
plugin on Windows detection servers
1. Since the decryption call needs connectivity with the Azure server, you should increase the ContentExtraction-related
timeouts on the detection server Advanced settings page to the following values:

ContentExtraction.ShortTimeout = 30000
ContentExtraction.LongTimeout = 120000

2. Enable the AIP plugin by changing disabled="true" to disabled="false" in: <Program Files>\Symantec
\DataLossPrevention\ContentExtractionService\<version>\Plugins\Protect\plugins
\contentextraction\MicrosoftInformationProtectionPlugin\manifest.xml.
3. Restart the detection server and ensure that the plugin is loaded by verifying the log statements from the
ContentExtractionHost_FileReader.log file:

01/20/20 18:25:13 | INFO | cehost | MicrosoftInformationProtectionPlugin [8072] | [4276] | Initialing

Plugin | microsoftinformationprotectionpluginimpl.cpp (59)

01/20/20 18:25:13 | INFO | cehost | MicrosoftInformationProtectionPlugin [8072]

| [4276] | Temporary directory set to C:\Users\SYMANT~1\AppData\Local\Temp
\DetectionServerContentExtractionTemporary467456173111188608 | context.cpp (48)

01/20/20 18:25:13 | INFO | cehost | MicrosoftInformationProtectionPlugin [8072] | [4276] | Configuration

dir- C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0\Plugins\Protect\plugins
\contentextraction/MicrosoftInformationProtectionPlugin/x64 | configurationreader.cpp (59)

01/20/20 18:25:13 | INFO | cehost | MicrosoftInformationProtectionPlugin [8072] | [4276] | Plugin

Initialized | microsoftinformationprotectionpluginimpl.cpp (74)

4. See Migrating your AIP Insight deployment after upgrading your detection servers.

10
Updating the DLP content extraction software on Linux
detection servers
Before you download and configure the AIP Insight plugin, you must download and apply a patch to update the content
extraction software for Data Loss Prevention. Follow the instructions here to update the software.
1. Download the KeyView patch that corresponds to your installed Data Loss Prevention product version and
copy it to the detection server. For example, if your installed DLP version is 15.5 MP2 for Windows, download
Symantec_DLP_15_5_KeyView_11.6.0.20200310_Patch_Linux.zip. Here are the KeyView patches:
Symantec_DLP_15_7_KeyView_12.2.5.20200306_Patch_Linux.zip
Symantec_DLP_15_5_KeyView_11.6.0.20200310_Patch_Linux.zip
Symantec_DLP_15_1_KeyView_11.4.1.20200310_Patch_Linux.zip

2. Extract the downloaded zip file contents to a folder on the detection server computer. The contents will have the
following directory structure: DLP/KeyView/x86_64.
3. Copy the x86_64 directory to the following location, but make sure to overwrite the files and do not delete any files:
opt/Symantec/DataLossPrevention/KeyView/<version>/Protect/plugins/contentextraction/
Verity/.
4. Open the /opt/Symantec/DataLossPrevention/ContentExtractionService/<version>/Plugins/
Protect/plugins/contentextraction/Verity/ manifest.xml file and add the following entries:

<documentType type="encrypted_msg">
<supportedOperations>
<operation type="FileTypeIdentification"/>
<operation type="SubFileExtraction"/>
</supportedOperations>
</documentType>

<documentType type="encrypted_eml">
<supportedOperations>
<operation type="FileTypeIdentification"/>
<operation type="SubFileExtraction"/>
</supportedOperations>
</documentType>

<documentType type="encrypted_RMSEncryptedOPC">
<supportedOperations>
<operation type="MetaDataExtraction"/>
</supportedOperations>
</documentType>

5. See Downloading the AIP Insight plugin on Linux detection servers.

11
Downloading the AIP Insight plugin on Linux detection servers
Follow these steps to download the AIP Insight for on RHEL 7.x detection servers. Prior to downloading the plugin, check
to see if the appropriate libraries, as indicated in step 1, are present on each detection server.
1. The libraries libsecret and libgsf are required. Run the following commands to install them if they are not
present:

# yum install libsecret

# yum install libgsf

2. Go to the Data Loss Prevention Product Downloads site at the Broadcom Support Portal and download
the Symantec_DLP_AIP_Plugin_Linux_March_2020.zip file and extract the contents. The contents
will be extracted into a directory named DLP. This DLP directory contains a single directory named
MicrosoftInformationProtectionPlugin.
3. Copy the MicrosoftInformationProtectionPlugin directory into the following location:/opt/Symantec/
DataLossPrevention/ContentExtractionService/<version>/Plugins/Protect/plugins/
contentextraction/.
4. Set the read/execute (chmod 0755 CreateConfiguration.sh) file permissions for the
CreateConfiguration.sh script file and the read permissions for the manifest.xml file (if it is not set correctly).
5. See Configuring Linux detection servers with Azure access credentials.

12
Configuring Linux detection servers with Azure access
credentials
You need to ensure that the detection server can access the Azure service. To do so, you'll need to create a text file with
the appropriate credentials for each Azure tenant, and then run a configuration utility that consumes the information in the
text file and configures the credentials for use by the detection server.
Follow these steps for configuring credentials:
1. Create a new text file.
2. Add the entries in the file as shown in the following example, which has two entries for two tenancies:
ClientID=<Application (client) ID value>TenantID=<Directory (tenant) ID value>ClientSecret=<client secret
value>ClientID=<Application (client) ID value>TenantID=<Directory (tenant) ID value>ClientSecret=<client secret
value>
3. Save the file.
4. Set the read/execute (chmod 0755 CreateConfiguration.sh) file permissions for the CreateConfiguration.sh
script file and the read permissions for the manifest.xml file (if it is not set correctly).
5. Launch a new terminal window and change to the following directory: /opt/Symantec/DataLossPrevention/
ContentExtractionService/<version>/Plugins/Protect/plugins/contentextraction/
MicrosoftInformationProtectionPlugin.
6. Run the following shell script and specify the credential text file that you created: CreateConfiguration.sh
<service user account name> <credential text file>.
7. Delete the credential text file. This file contains the client secret that you created in Enabling AIP Insight on the Azure
portal.
8. See Configuring content extraction timeouts and enabling the plugin on Linux detection servers.

13
Configuring content extraction timeouts and enabling the
plugin on Linux detection servers

1. Since the decryption call needs connectivity with the Azure server, you should increase the ContentExtraction-
relatedtimeouts on the detection server Advanced settings page to the following values:

ContentExtraction.ShortTimeout = 30000
ContentExtraction.LongTimeout = 120000

2. Enable the plugin by changing disabled=true to disabled=false in /opt/Symantec/DataLossPrevention/

ContentExtractionService/<version>/Plugins/Protect/ plugins/contentextraction/
MicrosoftInformationProtectionPlugin/manifest.xml.
3. Restart the detection server and ensure that the plugin is loaded by verifying the log statements from the
ContentExtractionHost_FileReader.log file:
03/20/20 18:30:49 | INFO | cehost | MicrosoftInformationProtectionPlugin [61582] | [1997154048] |
Temporary directory set to /tmp/DetectionServerContentExtractionTemporary1594012076851822016 | ./
Context.cpp (53)

03/20/20 18:30:49 | INFO | cehost | MicrosoftInformationProtectionPlugin [61582] | [1997154048] |

Initialing Plugin | MicrosoftInformationProtectionPluginImpl.cpp (62)

03/20/20 18:30:49 | INFO | cehost | MicrosoftInformationProtectionPlugin [61582] | [1997154048] |

Configuration dir- /opt/Symantec/DataLossPrevention/Content Extraction Service/15.1/Plugins/Protect/
plugins/contentextraction/MicrosoftInformationProtectionPlugin/x86_64 | ./ConfigurationReader.cpp (52)

03/20/20 18:30:49 | INFO | cehost | MicrosoftInformationProtectionPlugin [61582] | [1997154048] |Plugin

Initialized | MicrosoftInformationProtectionPluginImpl.cpp (77)

4. See Migrating your AIP Insight deployment after upgrading your detection servers.

14
Migrating your AIP Insight deployment after upgrading your
detection servers
If a Data Loss Prevention detection server on which the AIP Insight plugin was installed is upgraded (for example,
upgraded from version 15.5 to 15.7), you need to perform all of the the AIP Insight plugin deployment steps except for
copying the plugin directory to the platform-specific location on the detection server.
The Data Loss Prevention migrator copies over the AIP Insight plugin during the upgrade. You must confirm that the
plugin folder has been copied after you migrate.
All other steps must be performed again, including:
• Updating content content extraction software.
• On Windows detection servers, copying the contents of the ceh folder from the downloaded plugin bundle to the
native folder
• Running the ConfigurationCreator utility to configure Azure service credentials.

See Troubleshooting AIP Insight for Data Loss Prevention.

15
Troubleshooting AIP Insight for Data Loss Prevention
For troubleshooting issues with AIP Insight for Symantec Data Loss Prevention, verbose-level logging for the content
extraction service (ContextExtractionHost_fileReader.log) and the MIP SDK can be enabled by performing the
following steps.
1. Open <installation_dir>/Symantec/DataLossPrevention/DetectionServer/<version>/Protect/
config/log4cxx_config_filereader.xml.
2. Change the default value from info to trace in the following XML section in the file:

<category name="cehost">
<priority value ="info"/>
<appender-ref ref="cehostAppender"/>
</category>
3. Open <installation_dir>/Symantec/DataLossPrevention/ContentExtractionService/<version>/
Plugins/Protect/plugins/ contentextraction/MicrosoftInformationProtectionPlugin/
plugin_settings.txt.
4. Set the value of mip_log_level to Trace.
NOTE
On Windows, the mip SDK log file is created under
C:\Users\<dlp user>\AppData\Local\Temp
\DetectionServerContentExtractionTemporary<temp id>\mip\logs.
On Linux, the mip SDJ log file is created under
/tmp/DetectionServer/ContentExtractionTemporary<temp id>/mip/logs.
Share the steps to reproduce the issue and the verbose logs with Symantec Enterprise Security Support. If possible,
share the original, unprotected email or file with Support.
See Known issues in deploying AIP Insight.

16
Known issues in deploying AIP Insight
The following items are known issues in the deployment of AIP Insight for Symantec Data Loss Prevention.
The File type policy rule does not work if the file is encrypted and attached to an email message that is also
encrypted for following file types:
• Microsoft RMS Encrypted Office Binary File (RMS-enabled Windows servers only)
• Microsoft RMS Encrypted Open Packaging Conventions File (RMS-enabled Windows servers only)
• Microsoft RMS Encrypted Generic File (RMS-enabled Windows servers only)

There are known issues with failure to decrypt encrypted Excel Binary Workbook (*.xlsb) files authored with the
2019 version of Excel.

Sensitive content in the body of the an email formatted as plain text does not get detected.

There is no support provided for configuring the file type policy rule for:
• Encrypted email messages
• Encrypted native PDF formats with the .pdf extension

NOTE
In legacy Data Loss Prevention systems, the message "RMS-enabled Windows servers only" may appear. This
message was applicable for the older, Windows-only RMS plugin and is not applicable with new plugin, because
the file type rule now works on both Windows and Linux platforms.

In some cases, a truncated RPMSG can cause the CEH process to crash. This results in the failure of the RPMSG
content extraction.

AIP labels cannot be extracted from Microsoft Office binary files (legacy Office files) if they were labeled using
the unified labeling client.

Data Loss Prevention cannot extract AIP labels from email attachments as metadata if the attachments are
labeled but not encrypted and the outer email is itself encrypted and labeled.

17
Copyright Statement
Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.
Copyright ©2020 Broadcom. All Rights Reserved.
The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit
www.broadcom.com.
Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability,
function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does
not assume any liability arising out of the application or use of this information, nor the application or use of any product or
circuit described herein, neither does it convey any license under its patent rights nor the rights of others.

18