Fortra Data Classification Suite For Windows Administration Console Deployment Guide
Fortra Data Classification Suite For Windows Administration Console Deployment Guide
Copyright © Fortra, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective
owners.
The content in this document is protected by the Copyright Laws of the United States of America and other countries worldwide.
The unauthorized use and/or duplication of this material without express and written permission from Fortra is strictly prohibited.
Excerpts and links may be used, provided that full and clear credit is given to Fortra with appropriate and specific direction to the
original content.
202409181056 - 5.1
Table of Contents
Audience 5
Purpose 5
Configure captions 18
Logging information 24
Kerberos authentication 36
Contacting Fortra 40
Purpose
This guide describes:
NOTE: DCS Administration Console supports issues related only to products that are
currently supported by Microsoft. If any issues related to unsupported Microsoft
products are found, DCS Administration Console may not be able to address them. You
might have to upgrade to the latest supported Microsoft product and the latest Data
Classification Suite release.
The information in this section reflects the supported software environments at the time of
the product release. To obtain the latest information, contact Customer Support.
App Pool An App Pool User account is required to run the Data Classification
account Administration Console. This account requires db_owner permission
in the Titus database. The Network Service or the System account are
added automatically, but if a different account is used, they are added
separately.
Active Directory Connectivity to the Active Directory (AD) is required to assign
administrator privileges to the Data Classification Administration
Console, and to assign a Configuration to an AD user or group.
Microsoft Visual If it does not already exist, Microsoft Visual C++ Redistributable 2017
C++ will be installed.
Redistributable
Microsoft .NET .NET Framework V4.8 Redistributable Package or later. To download,
go to: https://dotnet.microsoft.com/download/dotnet-framework.
Microsoft IIS 10
Internet
Information IIS support depends on the operating system on the machine running
Services (IIS) the Administration Console. For more information, see:
https://docs.microsoft.com/en-us/dynamics-nav/how-to--install-and-
configure-internet-information-services-for-microsoft-dynamics-nav-
web-client.
SSL Certificate To securely access the DCS Administration Console from a remote
machine, we recommend using HTTPS. An SSL Certificate is required
to allow encrypted communication. Your organization must obtain a
publicly trusted SSL Certificate prior to installing the DCS
Administration Console. You must ensure that it is in the machine’s
local computer Personal or Web Hosting store. The certificate must
match the DNS name used to access the website or be a wildcard
certificate. We recommend an authentic SSL certificate be used. Self-
signed certificates are not recommended.
RAM/ Processor l Minimum: 2 GB, Recommended: 8 GB
Requirements l 1.0 Ghz dual core x64
l 4 GB hard disk storage
NOTE: RAM and CPU requirements are not validated during
installation.
Tools for If you are using Custom Conditions, the following executables/tools
Custom are available to run when you install the Administration Console:
Conditions l DDConnector.OnPremApp.exe (located, by default, at
C:\inetpub\TitusWebAdministration\CustomFunctions\
Titus.DataDetection.Extensibility)
l TITUS.SmartRegex.QueryFileEncryptor.exe and
Titus.SmartRegex.Test.App.exe (located, by default, at
C:\inetpub\TitusWebAdministration\CustomFunctions\Titus.
SmartRegex.Extensibility)
If you run these executables, you require .NET Core Runtime V3.1 or
later. To download, go to:
https://dotnet.microsoft.com/download/dotnet-core. For more
information on Custom Conditions, see the Fortra's Data Classification
Suite (DCS) Administration Console (On-premises) User Guide and
Fortra's Data Classification Suite (DCS) Data Detection Engine
Deployment Guide.
NOTE: The application that you can configure depends on your license key.
The Administration Console is required on at least one machine used to create and edit
Configurations. Do not install the Administration Console and client applications on the
same machine.
You can install the Administration Console using MSI files or using the command line. For
more information, see Use the MSI files on page 37 and Use the executable in a command
line on page 39 respectively.
4. Select the I accept the terms in the License Agreement checkbox and click Install.
The Setup Progress bar appears.
5. Click Next.
6. In the Destination Folder dialog, either accept the default location or click Change to
select a new location where the Administration Console is installed. The default
value can only be changed to a directory that has been configured to work with IIS.
7. Click Next.
The SQL Database Options window appears.
8. In the Name of the SQL server\instance field, enter a database server or instance
name to which the Administration Console is connecting. The default value shown is
the name of the Server or desktop computer you are currently running.
9. Enter the name of the new or existing database.
10. Select one of the following database authentication methods:
l Trusted (Windows Authentication) to use the current user’s (user running
setup) credentials to create the database. The username defaults to your
current login credentials. See Roles and permissions on page 26 for more
information.
l Specify Username and Password (SQL Authentication) to use a SQL user
account to create the database. Enter your SQL account username and
password. Make sure that the account referenced exists and that the account
has the required privileges specified in SQL Server Database Privileges. See
Roles and permissions on page 26 for more information.
11. Click Next.
The SQL Server Database Selection window appears.
12. Select the checkbox if you are ready to create a new database or migrate an existing
one to the latest version.
13. Click Next.
The Change Web Site Information window appears.
14. Accept the default or change the name of Web site and site port.
Port number 34350 is used as a default. If this port is currently used in your
environment, select another port number.
15. Select the HTTPS checkbox if you want to access the Administration Console
remotely via a web browser using the following URL: http://localhost:34350/
NOTE:The HTTPS option is available only when you select Connect to an existing
SQL Server instance in step 4.
16. Enter the username in the Web App Pool user text box. By default, the Web Pool user
is the user who is currently logged in.
The “application pool account” needs “read” rights for the default AD containers
“CN=Users” and “CN=Computers”. If you cannot connect to Active Directory, the
Domain Name is not auto-populated during the installation and the setup fails.
We recommend that you create a username and password that cannot change or
expire.
If you are using a domain account to run the website, enter the domain account to be
used as the Web App Pool user and enter the password in the Web App Pool user
password text box.
If you are using a built-in IIS account as the username instead of domain account, a
password is not required. The following IIS built-in accounts are available to use:
l LocalSystem
l NetworkService
l ApplicationPoolIdentity
NOTE: The Local Service built-in account is not supported. If you are using
ApplicationPoolIdentity built-in account, ensure it is set correctly. See the
Fortra's Data Classification Suite (DCS) Analytics Collector (On-premises)
Deployment Guide. Contact Support for the Data Classification Suite Analytics
Collector Deployment Guide.
l enter the host name for the web site manually, if you have installed a wildcard
SSL Certificate. In many cases, the host name for the web site is the server
name.
20. Leave the location of the Reporting Collector Service blank. This relates to the
Reporting Collector Dashboard which was deprecated.
21. Click Next, then click Install. The installation process begins.
22. Click Finish.
The Completed the Administration Console Wizard Setup screen appears.
23. When finished, click Launch Administration Console.
NOTE: Insome instances, systems must be restarted to complete an installation. If you
are prompted, restart your system.
l prior to 2021.4, you must uninstall that version before installing this version. You can
select an existing database; the database will be migrated as part of the installation.
l 2021.4 or later, you can do an in-place upgrade (that is, you do not need to uninstall
the previous version before installing this version)
NOTE: You can publish the configuration to a JSON file for the DCS SDK. For more
information, see the Fortra's Data Classification Suite SDK Developers Guide.
NOTE: The default interval to detect a new or updated TCPG file is 60 minutes. To change
this interval, use the Sync Interval parameter in the System Settings of the Data
Classification Administration Console. See Change the sync interval to five minutes on
page 14.
This change allows you to receive Configuration updates on client machines five minutes
after an updated TCPG file has been provided.
By default, the background color of the bars is based on the Classification color. If no
Classification color is available, it is set to Microsoft Windows ‘InactiveCaption’ (pale blue).
Only Schema fields with valid values display in the bars. The bars do not display date or
time values.
If you are using Policy Manager, you can configure, enable, and disable the Preview bars
using the Application settings. See Fortra's Data Classification Suite (DCS) Policy Manager
(Cloud) Online Help for more information.
If you are using the Administration Console, you can disable these bars using registry keys.
Contact Support to get these registry keys.
To configure the Preview bar, open the registry editor and go to one of the following:
l HKEY_CURRENT_USER\SOFTWARE\Policies\TITUS
l HKEY_CURRENT_USER\SOFTWARE\Titus
l HKEY_LOCAL_MACHINE\SOFTWARE\Policies\TITUS
Configure Classification
Information bars
When a recipient receives a classified file, document, or email, the Classification appears at
the bottom in a Classification Information bar, for example:
By default, the background color of the bars is based on the Classification color. If no
Classification color is available, it is set to Microsoft Windows ‘InactiveCaption’ (pale blue).
Only Schema fields with valid values display in the bars. The bars do not display date or
time values.
If you are using Policy Manager, you can configure, enable, and disable the Classification
Information bars using the Application settings. See Fortra's Data Classification Suite (DCS)
Policy Manager (Cloud) Online Help for more information.
If you are using the Administration Console, you can disable these bars using registry keys.
Contact Support to get these registry keys.
To configure the Classification Information bar, open the registry editor and go to one of the
following:
l HKEY_LOCAL_MACHINE\SOFTWARE\Policies\TITUS\Document Classification
for Microsoft <application>
l HKEY_CURRENT_USER\SOFTWARE\Titus\TITUS\Document Classification for
Microsoft <application>
l HKEY_LOCAL_MACHINE\SOFTWARE\Policies\TITUS\TITUS\Document
Classification for Microsoft <application>
where <application> is Microsoft Word, Excel, or PowerPoint
1. Right-click one of the options in the registry editor above, select New > Key, and
enter ClassificationInformationBar.
2. Right-click ClassificationInformationBar, select New > DWORD (32-bit) Value, and
enter Enabled.
3. Right-click Enabled and select Modify.
4. Enter 1 in the Value data field, and click OK.
5. Restart Microsoft Outlook or your Microsoft Office application.
Configure captions
You can configure the caption text and how you want the text to display.
1. Right-click ClassificationInformationBar.
2. Select New > String Value.
3. If you want to add and Then
configure a
Caption a. Enter Caption.
b. Right-click Caption and click Modify.
c. Enter any text you would like to have as a caption,
for example, Selected Classification.
d. Click OK.
Display Format a. Enter DisplayFormat.
b. Right-click DisplayFormat and click Modify.
c. Enter field codes and the order you want them
displayed. Enclose the values with {{ }}. For
example, if you want to add a Classification, enter
{{Metadata.Classification|Prefix=Classification:
|}}.
d. Click OK.
No Classification a. Enter NoClassificationCaption.
Caption b. Right-click DisplayFormat and click Modify.
c. Enter any text to indicate that you have not
selected any classification, for example, None
Selected.
d. Click OK.
4. Restart Microsoft Outlook or your Microsoft Office application.
l Titus.Enterprise.Management1
l Titus.Enterprise.AuditLog2
l Titus.Enterprise.Settings3
Service Role
Titus.Enterprise.Management Manages communication with the Administration
Console and local Titus Services. When this Service
starts, it automatically starts the other Titus Services.
Titus.Enterprise.AuditLog Processes audit log messages from Titus services and
Fortra-enabled applications.
Titus.Enterprise.Settings Processes requests for Configurations from Fortra-
enabled applications and services.
NOTE: You can configure all ports in the installer or with assistance from technical
support.
1- Manages communication with the Data Classification Administration Console and local
Titus Services. When this Service starts, it automatically starts the other Titus Services.
2- Processes audit log messages from Titus Services and Fortra-enabled applications.
3- Processes requests for Configurations from Fortra-enabled applications and services.
When a Configuration is targeted to an Active Directory (AD) Group and AD is offline, the
user will only receive the targeted Configuration if the AD information is still available in the
cache. If the AD information is not available in the cache, the user will receive the Default
Configuration. If no Default Configuration exists, the user will be disabled.
NOTE: Thedefault interval to detect a new or updated .tcpg file is 60 minutes. You can
change this interval in the System Settings of the Administration Console.
The information in the following table applies if the Configuration file is provided to
machines after installing the client. The information in this table pertains to logged-in users.
Logging information
If you are experiencing problems with DCS for Windows, log into the Support portal.
Provide Support for a client log, Services logs from the client machine, the client
Configuration file Titus.tcpg, Titus.new.tcpg, and any additional information that can help
replicate the issue.
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
Reg_SZ: Logging
Value: voicewarmupx
Classification Logs information associated with the DCS for Desktop application
For Desktop
Message Logs information associated with DCS for Outlook application
Classification
Document Logs information associated with DCS for Officek application
Classification
for Word
Document
Classification
for PPT
Document
Classification
for Excel
File Watcher Logs information about files that have been placed in Watched Folders
in the Patrol Add-In Settings. See the Fortra's Data Classification Suite
(DCS) for Windows (On-premises) User Guide for more information.
To simplify deployment, we recommend that you install the Administration Console using a
single account with the following characteristics:
l is a domain user
l is a local administrator on the server where you are installing Administration Console
l is part of the sysadmin role on the SQL Server that hosts the Administration Console
database (securityadmin and dbcreator at minimum)
This account provides the access required to the accounts running the Titus services. For
more information, see Accounts running the Titus services on page 32.
If you want to communicate with your Data Classification Administration Console database
using Windows authentication, this account must be part of the required database roles.
See The account creating or updating the database on page 27 for more information.
You can also use this account as your Web Application Pool user. See The web application
pool user on page 31 for the additional requirements.
Permissions Details
Local This permission is required to create the Administration Console
administrator website in IIS and to install the required services.
If you want to use Windows authentication, the domain user, who has sufficient access to
the SQL server instance (for new databases) or database (for upgrades), must launch the
installer. These credentials are not used for any future communication with the database.
If you want to use SQL authentication, the SQL credentials entered are used for all
communication with the database. You can use any local administrator account to launch
the installer, but the machine must be joined to a domain or the installation fails.
If you are using SQL authentication, choose an account where the password will not expire.
If the SQL password expires, you must reinstall the Data Classification Administration
Console.
TIP:
You can downgrade these
permissions after the
database is created.
At runtime, this account
must be a member of the
db_owner role in the Data
Classification
Administration Console
database.
TIP:
You can downgrade these
permissions after the
database is created.
At runtime, this account
must be a member of the
db_owner role in the Data
Classification
Administration Console
database.
l db_datareader
l db_datawriter
l db_owner
These roles are required for the Titus services to communicate with the remote database.
When the machine's Network Service and LocalSystem accounts attempt to communicate
with another machine, they represent themselves as the originating machine.
Add the machine name to the database roles in the following format:
Domain\MachineName$
Permissions Details
Read rights for the following Active Directory This account reads Active Directory
containers: containers to grant Administrator rights
and configure Configuration targeting.
CN=Users
If connectivity to Active Directory is not
CN=Computers available, the domain name is not auto-
populated during the installation and the
setup will fail.
Permissions Details
Read/write access to the following folders Access to %programdata% is required for
on the machine hosting the Data logging.
Classification Administration Console:
Access to
l %programdata% C:\inetpub\TITUSWebAdministration is
required to publish Configurations
l C:\inetpub\TITUSWebAdministration
(TCPGs).
(or the location specified during
install)
TIP: Accessto
C:\inetpub\TITUSWebAdministration
can be granted after the product is
installed.
Member of the db_owner role in the Data Required so the Data Classification
Classification Administration Console Administration Console website can
database communicate with the database.
This role is only required if you use Windows See to learn how to grant the access
Authentication to communicate with the required.
database.
TIP: Theuser can be added to the db_
owner role after the database is
created.
If you are communicating with your SQL Server using Windows authentication, service
accounts for Titus services must be added to the following roles in the Data Classification
Administration Console database:
l db_datareader
l db_datawriter
l db_owner
If the Windows account running the installer has sufficient permissions, the default service
accounts are added to these roles when the database is created. See The account creating
or updating the database on page 27 for more information.
The Administration Console uses two system accounts by default for its services. These
accounts cannot be changed.
Kerberos authentication
To further secure your environment, you can enforce Kerberos authentication when
authenticating to a remote SQL database. You must use Windows NT while installing the
Data Classification Administration Console to enable Kerberos authentication. The Kerberos
protocol prevents phishing by preventing client machines from being redirected to an
endpoint hosted by a malicious service.
When installing on a remote database, change the management service or the permissions
in the database to successfully publish the Configuration file.
1. Stop all Titus Services. See Stop and start Titus Services on the Administration
Console on page 21.
2. Double-click the Titus Enterprise Management Service. A Titus Enterprise
Management Service Properties window appears.
3. Select the Log On tab and select This account .
3. Enter the <domain nameTITUS Service account> in the text box and the password
and click OK .
4. Restart all Titus Services. See Stop and start Titus Services on the Administration
Console on page 21.
l CONFIGUTILLOGLEVEL
Sets the logging to DEBUG,
WARN, INFO, or ERROR:
CONFIGUTILLOGLEVEL=DEBUG
By default, the logging level is
WARN.
l SERVICESLOGLEVEL
Sets the services logging to
DEBUG, WARN, INFO, or ERROR
enter:
SERVICESLOGLEVEL=DEBUG
By default, the logging level is
WARN.
l SERVICESLOGLEVEL
Sets the services logging to
DEBUG, WARN, INFO, or ERROR
enter:
SERVICESLOGLEVEL=DEBUG
By default, the logging level is
WARN.
l EVENT_LOG_FILE_SIZE
Sets the size of the Event
source log file in MBs.
EVENT_LOG_FILE_SIZE=20
By default, the maximum size is
set at 5MB.
8 VC_redist.x64.exe
The following properties are optional but can be used to configure the software installation.
For details on how to perform the install see Install the Administration Console on page 9.
Property Description
EXISTINGSQLRADIOBUTTON Enables or disables the “Connect to an existing SQL
Server instance” radio button during installation
EXISTINGSQLRADIOBUTTON=0
CONFIGUTILLOGLEVEL=DEBUG
SERVICESLOGLEVEL=DEBUG
Contacting Fortra
Please contact Fortra for questions or to receive information about Data Classification Suite
for Windows (On-premises).
Gather and organize as much information as possible about the problem including job/error
logs, screen shots or anything else to document the issue.