IP guard V+ User Manual


Chapter 1: Server

1.1 Registration

In the system tray of the server, right-click “Service Controller” > Tools > Register, and then enter the administrator’s password to open the registration interface.

After IP-guard is installed, there is a 30-day trial period for demo purposes. The demo version does not contain the “Document Security/Encryption Management” function. To enable it, contact us to request a trial Encryption SN and register it in the registration window.

The administrator has to press the “Upgrade” button to modify the Primary SN and/or the Encryption SN, and then confirm the entered SN by clicking the Confirm button. If the input is correct, the system pops up a confirmation dialogue and reminds you to activate the system. You have to register the product to obtain the Register ID/Code (RID). There are two methods to activate IP-guard and obtain the RID:

1. Online: Fill in the product registration information with Company Name, Contact Person, Contact Number and email address. Click the Register Online button; the Register ID is returned and displayed in the Register ID [RID] field. A dialogue box with a system message pops up to confirm the registration. Click the Close button to leave the registration interface.

2. Email: Fill in the product registration information with Company Name, Contact Person, Contact Number and email address. Click the Send Email button. An email with the Register ID is sent to your registered email address. Copy and paste the Register ID into the Register ID [RID] field, then click the Register button to confirm the registration. A dialogue box with a system message pops up to confirm the registration.

Chapter 2: Console

2.1 Enable / Disable Encryption Authorization

After the IP-guard agent is installed, the user needs to be authorized by the administrator to use the Document Encryption Management Function. This prevents an illegal user from installing the agent and opening encrypted files.

The administrator can check the status of an authorized encryption agent in the Console’s computer tree and in the basic information of the computer. An authorized encryption agent is shown in the computer tree with a lock sign icon. Moreover, its “Encryption Authorization” status in the Audit > Basic Information tab changes to “Enable”.

The Encryption Management Function is disabled by default. The administrator can enable it using the computer tree, basic information or computer management.

Computer Tree: In IP-guard Console, choose a computer group or a single PC, right-click > Encryption Management Function > Enable Encryption Authorization. This enables the encryption function for all agents in the whole group, or for that single PC. To disable the Encryption Management Function, choose the computer group or the single PC, right-click > Encryption Management Function > Disable Encryption Authorization.

Basic Information: In the IP-guard Audit > Basic Information tab, choose the computer group; the agents that belong to this group are displayed. The administrator can select a single agent or multiple agents, right-click > Encryption Management Function > Enable Encryption Authorization. To disable the Encryption Management Function, select a single agent or multiple agents, right-click > Encryption Management Function > Disable Encryption Authorization.

Computer Management: In IP-guard Console, select Tools > Computer Management. The PCs with the agent installed are displayed. The administrator can select an agent and press the “Enable Encryption” button to enable the Encryption Management Function, or press the “Disable Encryption” button to disable it.

2.2 Account Management

In IP-guard Console, select Tools > Accounts from the menu. The system administrator can create new administrator accounts for the encryption management system.

Icon descriptions:
Create new account, enter description to the account
Delete the created account
Disable the user account
Change the password of the user account

Different encryption privileges can be set in the tabs below: General, Authorities, Computer Groups/User Groups and Encryption Function.

Management Privilege Tab: Description
General: Specify the type of account and the logon mode
Authorities: Assign the management right to the selected account, for example: policy control, log viewing etc.
Computer Groups/User Groups: Specify the computer group or the user group which the selected account will manage
Encryption Function: Assign the encryption right to the selected account. It contains Management Permissions and Security Zone.

General:

General Privilege: Privilege Right
Super Administrator: Able to manage the authorized software and the security zone
Encryption Management Permission: Able to manage the Document Encryption Function
Proxy Administrator: Only allowed to log in via the agent PC and process the encryption request. Not allowed to log in using the Console
Encryption Management System: Only allowed to use the Encryption Management Function in the Console. Not allowed to manage other IP-guard functions.

Encryption Function:

Encryption Function: Description
Audit Logs: Able to view the audit logs for encrypted document operations
Operation Permissions: Able to operate on the encrypted documents
Approve Permissions: Able to approve the decrypt requests and outgoing requests sent from the agent computer.

Security Zone: Description
All Security Zones and levels: Able to manage all encrypted documents in all Security Zones and levels
Specify the Security level of all Security Zones: Able to manage all encrypted documents with the Security Level below the specified one in all Security Zones. The Security Level can be classified as 5 types: Unclassified, Restricted, Confidential, Secret and Top Secret. If we specify the security level as Top Secret, this account can manage documents classified as Unclassified, Restricted, Confidential and Secret level
Specify the Security Zone and the Corresponding Security Level: Able to manage the encrypted documents with the security level below the specified one within the specified security zone

2.3 Authorized Software

In IP-guard Console, choose Tools > Document Security Management > Authorized Software from the menu.

Icon descriptions:
Import the Authorized Software Database
Export the Authorized Software Database

If software that needs to be used is not included in the default authorized software list, the administrator can define a new authorized software list and then import it so that the new authorized software can be used. The administrator can also export the list using the Export function; the exported list can serve as a backup copy of the authorized software list.

2.4 Security Zone

In the Security Zone interface, the administrator can view and edit new and existing security zones.

Icon descriptions:
Add new security zone
Edit the security zone and description
Delete the security zone

The public security zone is the default security zone; it cannot be edited or deleted. All encrypted documents generated by the authorized software are automatically classified as public security zone with the Unclassified security level. By default, all agents with encryption permission have the access right to the public security zone.

2.5 Outbound Recipients

An Outbound Recipient is a user/receiver who can open the encrypted document outside the encrypted company environment. The administrator can view and modify the authorized users/receivers in the “Outbound Recipients” interface. The administrator can also generate the authorized file that authorizes a user/receiver outside the company.

The upper part of the Outbound Recipients interface is the list of Outbound Recipient groups. The lower part is the authorized state of each Outbound Recipient group.

List of Outbound Recipient group:

Icon descriptions:
Add New Outbound Recipient group
Edit Outbound Recipient group
Delete Outbound Recipient group

The administrator can add, edit, delete or enable an Outbound Recipient group by clicking the relevant button. The administrator can enable or disable a specific Outbound Recipient group by checking or unchecking the checkbox in the State column.

Authorization State: For each Outbound Recipient group, the administrator can authorize different users to view the encrypted document, each using a different IP-guard OEA Viewer.

Procedure to generate the authorized file for IP-guard OEA Viewer:

1. Right-click in the empty area of the Authorize State > Import ID number.

2. Enter the Authorized user ID, Name, Remarks and Expired Date in the popup window, and then press the “OK” button.

3. Right-click the newly created user record > Authorize.

4. Click “Generate Authorized File” and save the AOR file.

5. Send the AOR file to the authorized user to import into the IP-guard OEA Viewer.

2.6 Encryption Permission Setting

Encryption Permission Setting is used to assign the permission rights of the online encrypted agent.

Icon descriptions:
Expand the Computer tree and User tree
Edit the Encryption Permission
Delete the Encryption Permission

The administrator can set the encryption permission for an agent PC or a domain user. After the encryption permission setting is set, a star icon appears on the agent PC. If no encryption permission setting is set for an agent PC or domain user, the setting is inherited from its computer group or user group. The user encryption permission setting has higher priority than the computer encryption permission setting.

General:

General permission: Description
Allow to decrypt documents: Agent can directly encrypt/decrypt documents without administrator approval. There are also options to back up the decrypted document and to back up decrypted documents with a specific size.
Allow to request to send out documents: Agent can request to send out the document, but the request needs to be approved by the administrator
Allow to directly send out documents: Agent can directly send out documents without administrator approval. There are also options to back up the sent-out document and to back up documents with a specific size.
Allow to log on as a proxy administrator: Allow the use of the administrator right to log in on the agent PC and process the approval/rejection of outgoing file requests and decrypt requests.

Authorized Software:

The chosen authorized software automatically encrypts the document file when it saves the file, and automatically decrypts the document file it opens. This setting can also grant the permission for printing, virtual printing, screen capture and copy to clipboard inside that software.

Security Zone:

Specify the security zone and the security level of the agent PC. For example: an agent PC is assigned the right to open top secret accounting security zone documents. It cannot open the marketing security zone documents. Within the same security zone, an agent PC with a lower security level cannot open a document with a higher security level.

2.7 Offline Permission Setting

Offline Permission Setting is activated only when the agent computer cannot connect to the IP-guard Server.

Icon descriptions:
Expand the Computer tree and User tree
Edit the Encryption Permission
Delete the Encryption Permission
Export the Offline Permission File

In the Offline Permission Setting, the administrator can assign the effective time range during which the offline agent may open encrypted documents. The administrator can also set the decrypt, send out, authorized software and security zone permissions for offline use here. Those settings are similar to the Encryption Permission Setting. Refer to section 2.6 for details.

When the agent is online, the Offline Permission Setting is pushed to the agent directly. When the agent is offline, it cannot receive the Offline Permission Setting directly. The administrator has to export the Offline Permission Setting into a file and import the file on the offline agent computer. For the detailed procedure, refer to section 3.2.

2.8 Encrypted Document Operation Logs

In the Encrypted Document Operation Logs window, the administrator can view the history of the agent computer for these operations: encrypt file, decrypt file, generate outgoing file, modify the document security permission, request to decrypt file, and request to generate outgoing file. The administrator can use the power search function to query the logs. Double-clicking a log record shows the details of that log. If the administrator has enabled the setting to back up the encrypted/outgoing file, the backup file can be viewed in the detail log.

2.9 Decrypt Request

In the Decrypt Request window, the administrator can view all types of approval messages by default: Waiting for approval, approved, rejected, completed and cancel.

Online Approve: The procedure to approve a decrypt request for an online agent:

1. The client applies for a decrypt request. Refer to section 3.6 for details.

2. IP-guard Console detects the request from the client agent. A record with the status waiting for approval is shown in the Decrypt Request window.

3. The administrator can view the details and the document content by double-clicking the record.

4. If the administrator approves this request, click the approve button. Otherwise, click the reject button.

5. After the request is approved or rejected, the agent receives the result in its View Request Info window. The agent can then decrypt the file in the View Request Info window. Refer to section 3.8 for details.

Offline Approve: The procedure to approve a decrypt request for an offline agent:

1. The client applies for a decrypt request. Refer to section 3.6 and 3.8 for details.

2. The administrator gets the request file. In the Decrypt Request window, right-click > Import to import the request file.

3. A record with the status waiting for approval is then shown in the Decrypt Request window. The administrator can view the details and the document content by double-clicking the record.

4. If the administrator approves this request, click the approve button. Otherwise, click the reject button.

5. Export the approved result by right-clicking this record and selecting Export Approved file.

6. Send the exported approved file to the offline agent. Import the approved file on the agent computer. Refer to section 3.8 for details.

2.10 Send Request

In the Send Request window, the administrator can view all types of approval messages by default: Waiting for approval, approved, rejected, completed and cancel.

Online Approve: The procedure to approve an outgoing file request for an online agent:

1. The client applies for an outgoing file request. Refer to section 3.7 for details.

2. IP-guard Console detects the request from the client agent. A record with the status waiting for approval is shown in the Send Request window.

3. The administrator can view the details and the document content by double-clicking the record.

4. If the administrator approves this request, click the approve button. Otherwise, click the reject button.

5. After the request is approved or rejected, the agent receives the result in its View Request Info window. The agent can then generate the outgoing file in the View Request Info window. Refer to section 3.8 for details.

Offline Approve: The procedure to approve an outgoing file request for an offline agent:

1. The client applies for an outgoing file request. Refer to section 3.7 and 3.8 for details.

2. The administrator gets the request file. In the Send Request window, right-click > Import to import the request file.

3. A record with the status waiting for approval is then shown in the Send Request window. The administrator can view the details and the document content by double-clicking the record.

4. If the administrator approves this request, click the approve button. Otherwise, click the reject button.

5. Export the approved result by right-clicking this record and selecting Export Outgoing Approved file.

6. Send the exported approved file to the offline agent. Import the outgoing approved file on the agent computer. Refer to section 3.8 for details.

2.11 Local Scanner

In IP-guard Console, select Encryption > Local Scanner from the menu. Local Scanner can scan all the encrypted documents located on the Console computer. Moreover, it can encrypt, decrypt, generate an outgoing document and modify file security properties for those encrypted documents. It is the same as the Local Scanner for the agent computer. Refer to section 3.4 for detailed operation.

2.12 Remote Encrypted Document Management

In IP-guard Console, in the Agent PC panel on the left, select a computer agent and right-click > Encryption Management Function > Remote Encrypted Document Management. It scans all the encrypted documents located on that remote agent computer. The administrator can then encrypt, decrypt, generate an outgoing document and modify file security for those remote encrypted documents.

2.13 Standby Server Management

In IP-guard Console, select Encryption > Standby Server Management from the menu. It contains 2 options: Setting and Change Password.

Setting:

1. In IP-guard Console, select Encryption > Standby Server Management > Setting from the menu.

2. In the Permitted Range section, enter the range of IP addresses of the standby servers which are allowed to connect to the main IP-guard server. For example: enter 192.168.0.1-192.168.0.100. Any standby server with an IP address outside this range cannot connect to the main IP-guard server.

In the Standby Server List section, all the standby servers authorized by the main IP-guard server are listed. The administrator can click the “Change Password” function to edit the password used for establishing the connection between the main server and the standby server.

Change Password:

1. In IP-guard Console, select Encryption > Standby Server Management > Change Password from the menu.

2. Enter the new password and confirm.

After setting the password, the administrator can enter this password on the standby server. Once the main server receives the request, it checks the password and the IP address of the standby server. When all criteria pass, the main server authorizes the standby server and then transfers the setting to the standby server.

Chapter 3: Agent

3.1 Agent running

After the administrator has enabled the encryption authorization for the agent in IP-guard Console, the encryption function is enabled for the agent and an icon can be seen in the system tray of that agent computer.

Status of the icon:
Encryption function started
Encryption function stop
The agent is not connected to the server (Offline mode)
Offline Encryption mode
Emergency mode

3.2 Import Offline Authorized File

In the system tray of the agent computer, right-click the encryption icon and select ‘Import authorized files’. After the .OAP offline authorized file is selected and opened, the agent obtains the offline encryption authority.

3.3 Right click menu

When viewed in the File explorer, an encrypted document has a lock sign at the bottom right of its icon.

By choosing the encrypted document and right-clicking > Properties > Encryption, the permission of the document can be viewed and set. Refer to section 3.5 for details. The right-click menu of the encrypted document contains these operation options: Decrypt file, Generate outgoing file, Apply decryption, Apply generating outgoing file. Refer to section 3.6 and 3.7 for detailed operations.

3.4 Scan Local Files

In the system tray of the agent computer, right-click the encryption icon > Scan Local File. The Scan Files window pops up. In the Scan Local File window, the user can scan all encrypted documents located on the agent computer. Moreover, the user can encrypt, decrypt, generate outgoing files, modify File Security Properties, request decryption and request sending out files. Refer to section 3.5, 3.6 and 3.7 for details.

3.5 Modify File Security Properties

By choosing the encrypted document and right-clicking > Properties > Encryption, the administrator can modify the security encryption property of the document.

The Setting Right specifies the security zone and the security level of the agent which can change the security encryption setting of this document. For example, if it is assigned the secret security level within the accounting zone, then an agent PC which has the secret security level and the accounting zone right can change the security encryption setting of this document. Only 1 security zone and security level can be assigned for each document.

The Access Right specifies which security zone and security level can open or edit this document. Multiple security zones and security levels can be assigned for each document.
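The zone and level rules from sections 2.6 and 3.5, written out as an added Python model to make the access decision explicit. This is not IP-guard code: the names Node, Document, effective_zones, can_open and can_change_security are hypothetical. It assumes that an equal or higher level in the same zone is sufficient, and that a user setting (own or inherited from its user group) replaces the computer setting entirely.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Level(IntEnum):
    """The five security levels listed in section 2.2, lowest to highest."""
    UNCLASSIFIED = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


PUBLIC_ZONE = "Public"          # default zone; every authorized agent can access it
Grant = Tuple[str, Level]       # (security zone, security level)


@dataclass
class Node:
    """A computer, user or group in the Console tree (hypothetical model)."""
    name: str
    zones: Optional[Dict[str, Level]] = None   # None = nothing set here, inherit
    parent: Optional["Node"] = None            # the computer group or user group


@dataclass
class Document:
    name: str
    # Setting Right: exactly one zone/level may change the document's security.
    setting_right: Grant = (PUBLIC_ZONE, Level.UNCLASSIFIED)
    # Access Right: one or more zone/level pairs that may open or edit it.
    access_rights: List[Grant] = field(
        default_factory=lambda: [(PUBLIC_ZONE, Level.UNCLASSIFIED)])


def _resolve(node):
    """Walk up the tree until a node with an explicit setting is found."""
    while node is not None:
        if node.zones is not None:
            return node.zones
        node = node.parent
    return None


def effective_zones(computer, user=None):
    """User setting outranks computer setting; both inherit from their group.

    Assumption: a user setting, own or inherited, replaces the computer's
    setting entirely rather than being merged with it.
    """
    chosen = _resolve(user)
    if chosen is None:
        chosen = _resolve(computer) or {}
    zones = {PUBLIC_ZONE: Level.UNCLASSIFIED}
    zones.update(chosen)
    return zones


def can_open(doc, zones):
    """Open if any Access Right entry is covered: same zone, level not lower."""
    return any(z in zones and zones[z] >= lvl for z, lvl in doc.access_rights)


def can_change_security(doc, zones):
    """Only the single Setting Right zone/level may edit the security properties."""
    zone, lvl = doc.setting_right
    return zone in zones and zones[zone] >= lvl


def build_sample():
    """Constructed sample tree: one group, two PCs and one domain user."""
    accounting = Node("Accounting group", {"Accounting": Level.TOP_SECRET})
    pc1 = Node("PC-01", parent=accounting)                    # inherits group
    pc2 = Node("PC-02", {"Accounting": Level.RESTRICTED}, accounting)
    alice = Node("alice", {"Marketing": Level.CONFIDENTIAL})  # user setting
    return accounting, pc1, pc2, alice


if __name__ == "__main__":
    _, pc1, pc2, alice = build_sample()
    ledger = Document("ledger.xls", ("Accounting", Level.SECRET),
                      [("Accounting", Level.SECRET)])
    brochure = Document("brochure.doc", ("Marketing", Level.RESTRICTED),
                        [("Marketing", Level.UNCLASSIFIED)])
    for label, zones in [("PC-01", effective_zones(pc1)),
                         ("PC-02", effective_zones(pc2)),
                         ("alice on PC-01", effective_zones(pc1, alice))]:
        for doc in (ledger, brochure, Document("note.txt")):
            print(f"{label:15} {doc.name:13} open={can_open(doc, zones)} "
                  f"edit-security={can_change_security(doc, zones)}")
```

In this model a domain user's setting can remove zones that the computer would otherwise have, so reviewing what a logged-on user can reach requires checking the user tree as well as the computer tree.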

3.6 Encryption and Decryption

Direct Decryption: An agent PC which has the decryption permission can directly decrypt the document using the right-click menu or the Scan Local Files window.

Manual Encryption: An agent PC which has the decryption permission also has the encryption permission. The user can use the manual encryption function to encrypt the document in the Scan Local Files window. After the encryption, the user can also modify the setting right and access right in the security properties of the document.

Apply for Decryption: If the agent PC does not have the decryption permission, the user can apply for decryption by right-clicking the document file > Apply Decryption. The user needs to fill in the reason why the file needs to be decrypted and submit. If the agent PC is online, the request is sent to the IP-guard server immediately. The administrator can then approve the request in the Console. If the agent PC is offline, after applying for decryption the user also needs to export the request into the offline request file in the View Request Info window and send the offline request file to the administrator. The administrator can then import the offline request file into the Console and approve/reject the request. For the approval procedure, refer to section 2.9.

3.7 Outgoing File

Direct Outgoing: An agent PC which has the permission to create outgoing files can directly generate the outgoing file using the right-click menu or the Scan Local Files window. In the create outgoing document window, the user can set the target group and the valid date of the outgoing file. The user can also set the access properties of the file, such as approval for the operations of Printing, Virtual Printing, Screen Capture and Copy and Paste on the outgoing file.

Apply Outgoing: If the agent PC does not have the permission to create outgoing files, the user can apply for outgoing files by right-clicking the document file > Apply Outgoing. The user needs to fill in the reason for this request, as well as the target group and the access properties of the file. After the request is submitted, if the agent PC is online, the request is sent to the IP-guard server immediately. The administrator can then approve the request in the Console. If the agent PC is offline, after applying for outgoing the user also needs to export the request into the offline request file in the View Request Info window and send the offline request file to the administrator. The administrator can then import the offline request file into the Console and approve/reject the request. For the approval procedure, refer to section 2.10.

3.8 View Request Info

In the system tray of the agent computer, right-click the encryption icon > View Request Info. The user can view the status of the decrypt request/outgoing request.

Operation: Description
View: View the details of decrypt request and offline request
Import Approvement: For an offline agent, use this option to import the approved request to the agent PC and check the result
Offline Request: Create the offline request file that is sent to the Console administrator for approval
Cancel Request: Cancel Decrypt / Outgoing request

Decrypt Request: The user can view the time, status, document name, size, quantity, security zone and level of the decrypt request. Double-clicking a Decrypt Request record pops up the details; in this window the user can decrypt the file (after approval by the administrator), generate an offline request (if the agent is offline), or cancel the request.

Apply Outgoing: The user can view the time, status, document name, size, quantity, security zone and level of the Outgoing file request. Double-clicking an Outgoing Request record pops up the details; in this window the user can generate the outgoing file (after approval by the administrator), generate an offline request (if the agent is offline), or cancel the request.

3.9 Security Password

3.9.1 Set Security Password

To prevent an illegal user from using another person’s agent PC to decrypt important documents, every agent PC should set the Security Password to prevent unauthorized decryption or generation of outgoing files. In the system tray of the agent PC, the user can right-click the Encrypted System icon > Set Security Password to set the security password. The user can also reset the password here.

3.9.2 Clear Security Password

The administrator can follow the procedure below to clear the security password.

Procedure:

1. On the agent PC, click Start > Run and enter “agt3tool”.

2. Choose the “Clear Security Password” option and click “Generate”.

3. Send the “Original Opcode” to the administrator.

4. In the IP-guard Console, the administrator selects Tools > Agent Tool > Confirm-Code Generator from the menu, enters the received “Original Opcode” in the Agent Operation Code textbox and presses “Parse”.

5. The administrator clicks the “Generate” button.

6. The administrator sends the confirmation code to the agent, and the user enters the code in the Confirmation textbox in the Agent Tool.

Chapter 4: Proxy Administrator

The administrator can log in to the proxy console on the agent PC to process decrypt or outgoing requests. If the proxy administrator permission is given to that agent PC, the proxy administrator console can be found under the Encrypted System icon in the system tray of the agent PC.

4.1 Login

In the system tray of the agent PC, right-click the Encrypted System icon > Login Proxy Manager. Enter the Login ID and Password to log in to the Console.

4.2 Approve Management

Just like in the Console, in the Proxy Console the administrator can view and approve/reject decryption requests and outgoing requests. Moreover, the offline request file/offline approve file can be imported/exported in the Proxy Console. Refer to section 2.9 and 2.10 for details.

4.3 Lock

To prevent an illegal user from using the Proxy Console, the administrator can lock the Proxy Console before leaving. The Proxy Console still receives request notices when it is locked. A password is needed to unlock the Proxy Console. There are 3 methods to lock the Proxy Console:

Direct Lock: In the Proxy Console, the proxy administrator selects Operations > Lock from the menu to perform the locking action.

Timer Lock: In the Proxy Console, select Request Management > Options > Basic Setting from the menu. The proxy administrator can set the time allowed away before the Proxy Console is locked. By default, the time allowed away is 15 minutes. For example, if the proxy administrator is away for 20 minutes, the Proxy Console is locked automatically.

Minimize Lock: In the Proxy Console, select Request Management > Options > Basic Setting from the menu. The Proxy Console is locked when it is minimized into the system tray.

Chapter 5: IP-guard OeaViewer

IP-guard OeaViewer can be installed at a 3rd party company which is not using V+. The OeaViewer is a tool used for viewing the outgoing files generated from V+.

5.1 Installation

Execute the installation kit and choose the installation path. The installer installs OeaViewer until it finishes.

5.2 Authorization

The 3rd party company has to ask for authorization from the company which is using V+ before it can view the outgoing OEA file.

Procedure to authorize OeaViewer:

1. The user clicks Start > All Programs > IP-guard OeaViewer > IP-guard Outgoing Encrypted Archive Viewer.

2. In the Authorization Management tab, copy the ID code.

3. Send the ID code to the V+ administrator.

4. In the Outbound Recipient window of the Console, the IP-guard administrator generates the AOR file for the 3rd party company. Refer to section 2.5.

5. In IP-guard OeaViewer, click “Add” to import the AOR file in the Authorization Management tab.

6. The Authorization Object section shows from which company this OeaViewer obtained the authorization and the corresponding expiry date.

5.3 Process Management

The outgoing file uses the .OEA file extension. There are 2 ways to open the file:

1. Double-click the .OEA file directly.

2. Right-click the .OEA file, choose Open Outgoing File with…, and then choose the software to open the file.

In IP-guard OeaViewer Process Management there is a process list in which the user can assign different software to open files with the corresponding extension. For example, using Microsoft Office Word to open a .DOC file.