SafeGuard Enterprise 5.50.8

Table of Contents

1 What's new
  1.1 What's included in the SGN 5.50.8 Release
    1.1.1 Windows 7 Support for Configuration Protection
    1.1.2 Fast Initial Encryption
    1.1.3 Improved Encryption Performance
  1.2 What's included in the SGN 5.50.1 Release
    1.2.1 64-Bit Platform Support for Data Exchange
  1.3 What's included in the SGN 5.50 Release
    1.3.1 Extended Windows Platform Support: 64 bit and Windows 7
    1.3.2 Local Self Help for managed clients replacing Web Selfhelp
    1.3.3 Web Helpdesk is now included in the SafeGuard Management Center license
    1.3.4 Management Center / Server installation Wizard for new installations
    1.3.5 Service Accounts
    1.3.6 POA only User Accounts
    1.3.7 Hierarchical Officer Management
    1.3.8 Improved Hardware/Operating System Compatibility
    1.3.9 Extended Smart Card and Card-Reader Support
    1.3.10 SafeGuard Easy 5.50
    1.3.11 Windows PE recovery CD (Virtual Client)
    1.3.12 Simplified Installation and Key Backup
    1.3.13 Various Improvements
2 Installation
3 General Information
  3.1 Network infrastructure
  3.2 SafeGuard Management Center
  3.3 SafeGuard Enterprise Server
  3.4 SafeGuard Enterprise Device Encryption / Data Exchange Client
  3.5 SafeGuard Configuration Protection Client
  3.6 Supported Smartcard Readers
  3.7 Supported Smartcards
  3.8 Supported USB tokens
  3.9 Smartcard middleware tested in SafeGuard Device Encryption under Windows
  3.10 SGN Update Matrix
  3.11 SGN Migration Matrix
  3.12 SGN Client/Server Matrix
  3.13 SGN Windows Operating System Support
  3.14 SGN Database Server Support
4 Resolved Issues (Release 5.50.x compared to Release 5.40)
  4.1 SafeGuard Enterprise Management Center
  4.2 SafeGuard Enterprise Server
  4.3 SafeGuard Enterprise Client
5 Known Issues
  5.1 SGN 5.50 Release
  5.2 SafeGuard Management Center
  5.3 SafeGuard Enterprise Server
  5.4 SafeGuard Enterprise Data Exchange Client
  5.5 SafeGuard Enterprise Device Encryption Client
  5.6 SafeGuard Configuration Protection Client
  5.7 Web Helpdesk
  5.8 Update SGN 5.35 and higher to SGN 5.50
  5.9 SafeGuard Easy 4.x
  5.10 SafeGuard LAN Crypt
  5.11 Token/Smartcards/Smartcard Reader
  5.12 Fingerprint Reader
  5.13 Interoperability Issues
  5.14 SCSI Hard Drives
6 Technical Support


1       What's new

1.1      What's included in the SGN 5.50.8 Release

1.1.1       Windows 7 Support for Configuration Protection

SafeGuard Enterprise 5.50.8 Configuration Protection fully supports the 32-bit and 64-bit versions of Microsoft Windows 7.

 

1.1.2       Fast Initial Encryption

A new, optimized mode for the initial full-disk encryption typically reduces the duration of the initial encryption process significantly. Instead of encrypting all of the available physical disk space, only the space the file system currently marks as used is encrypted, so the gain depends on the percentage of the disk that is actually in use. Note the consequence: sectors that are unused at the time of the initial encryption are only encrypted once the file system later writes to them, so remnants of previously deleted files in that space remain in cleartext until they are overwritten. On a disk that has already held sensitive data, the default mode (encrypting the entire disk) is the safer choice. The new mode is controlled along with the other encryption policy settings and is deactivated by default.

 

1.1.3       Improved Encryption Performance

A new, optimized implementation of the AES-256 encryption algorithm provides better run-time performance when accessing encrypted data. Since the same encryption module is used for full-disk and for file-based encryption, both modules (DE and DX) benefit from the improvement.

 

1.2      What's included in the SGN 5.50.1 Release

1.2.1       64-Bit Platform Support for Data Exchange

SafeGuard Enterprise 5.50.1 Data Exchange fully supports the 32-bit and 64-bit versions of Microsoft Windows Vista and Microsoft Windows 7 as well as 32-bit Windows XP.

1.3      What's included in the SGN 5.50 Release

1.3.1       Extended Windows Platform Support: 64 bit and Windows 7

SafeGuard Enterprise 5.50 Device Encryption fully supports the 32-bit and 64-bit versions of Microsoft Windows Vista and Microsoft Windows 7 as well as 32-bit Windows XP. The Server and Management Center support the 32-bit and 64-bit versions of Windows Server 2003 and Windows Server 2008/R2.

1.3.2       Local Self Help for managed clients replacing Web Selfhelp

Local Self Help allows users who have forgotten their password to recover it themselves by answering a set of previously enrolled questions, without involving the central helpdesk. This saves helpdesk costs and reduces downtime on the user's side. Local Self Help has been available in the standalone mode of SafeGuard Enterprise 5.40 and is now extended to managed clients as well. In turn, the former Web Selfhelp add-on to SafeGuard Enterprise is discontinued for new customers, since its functionality is covered more efficiently by Local Self Help.

1.3.3       Web Helpdesk is now included in the SafeGuard Management Center license

The Web Helpdesk add-on to SafeGuard Enterprise is now included in the Management Center license and thus available to all customers out of the box with no extra cost. It provides a Web user interface to helpdesk employees who do not use the full management console application.

1.3.4       Management Center / Server installation Wizard for new installations

The new setup wizard makes installing the SafeGuard Enterprise management components a straightforward task. It resolves all component dependencies necessary to run the server, including those from Microsoft. This makes initial installations faster and reduces the possibilities for misconfiguration, leading to faster successful product evaluations.

1.3.5       Service Accounts

SafeGuard Enterprise 5.50 introduces the capability to assign users to Service Account Lists. When such a list is applied to a newly set up client machine on which the POA is not yet activated, users on the list are not added to the POA's user list; they therefore neither take ownership of the machine nor turn on the POA when they log on to Windows. This lets them service and configure the machine while leaving the SafeGuard Enterprise configuration untouched before the machine is handed over to its intended owner, something that is often required in roll-out scenarios.

1.3.6       POA only User Accounts

Special accounts, easily recognizable by belonging to a special virtual <POA> domain, have been introduced with SGN 5.50. They give, for example, administrators the ability to boot a POA-protected machine without knowing any of the machine's regular users' credentials and without being registered as a regular user on each machine themselves. Such accounts are always entitled to boot the machine from external media, and logging on to Windows with them does not trigger any of the default logon actions of the SafeGuard Enterprise client: in particular, the user is not registered with SGN, irrespective of the credentials used for the Windows logon.

1.3.7       Hierarchical Officer Management

SafeGuard Enterprise 5.50 makes managing a larger number of Security Officers considerably easier. The officers' rights have been revised and extended to allow more detailed control, and they are grouped so that dependencies between rights are taken care of when they are assigned. Security Officers can now also delegate a subset of their rights to sub-officers.

1.3.8       Improved Hardware/Operating System Compatibility

Compatibility of SafeGuard Enterprise has been further improved in many ways, e.g.:

1.3.9       Extended Smart Card and Card-Reader Support

As in every SafeGuard Enterprise release, the number of supported cards and smartcard readers has been expanded. See chapters 3.6 through 3.9 for details.

1.3.10    SafeGuard Easy 5.50

SafeGuard Enterprise Device Encryption without a central Management Server, the so-called standalone mode, now becomes SafeGuard Easy 5.50 and is the successor of the SafeGuard Easy 4.x series for customers who prefer the standalone mode to the server-managed variant. Technically, SafeGuard Easy 5.50 is simply the new product name for the SafeGuard Enterprise 5.50 standalone mode. It provides Windows Vista, Windows 7 and 64-bit support along with all other SafeGuard Enterprise benefits. Smartcard / crypto token logon, however, requires the managed variant of SafeGuard Enterprise Device Encryption. Migration from SafeGuard Easy 4.x is supported under the same conditions as with previous SafeGuard Enterprise releases, except that Windows 2000 support has been dropped.

1.3.11    Windows PE recovery CD (Virtual Client)

The advanced recovery functions for SafeGuard Enterprise encrypted hard drives, e.g. booting a Windows PE recovery environment in case of a broken or misconfigured operating system, are now also available for SafeGuard Easy 5.50 clients.

1.3.12    Simplified Installation and Key Backup

A new installation wizard simplifies the first-time setup of the management components, including default policies. To invoke this wizard for new SGN installations, start SGNInstallAdvisor.bat from the root directory of the product DVD. Recovery files of standalone-mode clients (SafeGuard Easy / ESDP) can now be collected automatically on a central network share if the administrator so desires. Options to back up and restore the company certificate of new installations have also been added.
Furthermore, the knowledgebase now contains an SGN Installation Best Practice Guide, see
http://www.sophos.com/support/knowledgebase/article/110259.html.

1.3.13    Various Improvements

Various other improvements in usability, storage use, performance, key management and handling have been made in SafeGuard Enterprise. These include:

- Initial encryption speed on Windows 7 has been significantly improved over SGN 5.40 and is now comparable to or better than on Windows XP.

 

2       Installation

Administrator rights are necessary to install the software. For the correct installation procedure, consult the relevant chapter of the installation manual.

If an existing installation of SGN is modified or additional modules are installed at a later time, the installer might report that certain components (e.g. SafeGuard Removable Media Manager) are currently in use. The reason is that these modules share common components that are in use at that moment and therefore cannot be updated immediately. The message can be ignored: the affected components are updated upon reboot.

Note: This is also the default behavior in unattended installation mode.

Although it is possible to install only a subset of the product features initially and add other features later, it is advisable to install the Device Encryption feature from the start.

Note: This only applies to the installation of the SafeGuard Easy 5.50 client.

If you are upgrading from SafeGuard Easy 4.x, be sure to read the corresponding section of the installation manual and the knowledge base articles.


3       General Information

 

3.1      Network infrastructure

Network server with user and computer administration:

- Microsoft Windows Server 2008 (32-bit and 64-bit) with Active Directory
- Microsoft Windows Server 2003 (32-bit and 64-bit) with Active Directory

Database:

- Microsoft SQL Server 2005 SP2, SP3
- Microsoft SQL Server 2008 SP1
- Microsoft SQL Server 2005 Express SP2, SP3
- Microsoft SQL Server 2008 Express SP1

Connectivity:

The clients must be able to connect to the

- SGN Server: port 80/TCP or 443/TCP

The SafeGuard Management Center must be able to connect to the

- SQL database: ports 1433/TCP and 1434/TCP for SQL Server 2005 (Express) and SQL Server 2008 (Express)
- Active Directory: port 389/TCP (LDAP), port 636/TCP (LDAP over SSL), port 1025/TCP (RPC), port 135/TCP (RPC endpoint mapper)

The SafeGuard Enterprise Server must be able to connect to the

- SQL database: ports 1433/TCP and 1434/TCP for SQL Server 2005 (Express) and SQL Server 2008 (Express)
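The following script is an added example for checking the connectivity requirements listed above before a rollout; it is not part of the SafeGuard documentation or product. Run from the machine whose role you are verifying, it attempts a plain TCP connection to each documented port and reports what is still blocked. The hostnames sgn-server.corp.example, sql.corp.example and dc.corp.example are placeholders (an assumption) to be replaced with your own; only reachability is tested, no SGN, SQL or LDAP protocol exchange takes place.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Connectivity requirements from section 3.1. The hostnames are placeholders
# (assumption: adjust them to your environment); the ports are the documented ones.
REQUIRED_PATHS = {
    "SGN client -> SGN server":  [("sgn-server.corp.example", 80),
                                  ("sgn-server.corp.example", 443)],
    "Management Center -> SQL":  [("sql.corp.example", 1433),
                                  ("sql.corp.example", 1434)],
    "Management Center -> AD":   [("dc.corp.example", 389),
                                  ("dc.corp.example", 636),
                                  ("dc.corp.example", 135),
                                  ("dc.corp.example", 1025)],
    "SGN server -> SQL":         [("sql.corp.example", 1433),
                                  ("sql.corp.example", 1434)],
}


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout.
    Only reachability is tested: no SGN, SQL or LDAP protocol traffic is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, filtered (timeout) or unresolvable name
        return False


def check_paths(required=REQUIRED_PATHS, timeout: float = 3.0) -> dict:
    """Probe every endpoint in parallel; returns {path: [(host, port, reachable), ...]}."""
    report = {}
    with ThreadPoolExecutor(max_workers=8) as pool:
        for path, endpoints in required.items():
            results = pool.map(lambda hp: tcp_open(hp[0], hp[1], timeout), endpoints)
            report[path] = [(h, p, ok) for (h, p), ok in zip(endpoints, results)]
    return report


def blocked(report: dict) -> list:
    """Flatten the report to the (path, host, port) triples that still need a firewall rule."""
    return [(path, h, p) for path, rows in report.items() for h, p, ok in rows if not ok]


if __name__ == "__main__":
    # Run this on the machine whose role you are checking (client, Management Center or server host).
    for path, host, port in blocked(check_paths()):
        print(f"BLOCKED  {path}: {host}:{port}")
```

A closed port and a filtered port both show up as blocked; the difference (immediate refusal versus timeout) tells you whether the packet reached the host at all, which is worth noting when you hand the list to the firewall team.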

3.2      SafeGuard Management Center

Hardware:

- Intel or AMD x86 CPU
- 512 MB RAM
- 1 GB free hard disk space (recommended)

Supported Authentication Tokens (some tokens support no more than 1024-bit RSA)

Software:

Microsoft Windows operating systems in English, French, German or Japanese:

- XP SP2 / SP3, 32-bit
- Vista SP1 / SP2, 32-bit and 64-bit
- 7, 32-bit and 64-bit
- Server 2003 SP1 / SP2, 32-bit and 64-bit
- Server 2003 R2 SP1 / SP2, 32-bit and 64-bit
- Server 2008 SP1 / SP2, 32-bit and 64-bit
- Server 2008 R2, 64-bit

Microsoft ASP.NET:

- .NET Framework 3.0 SP1

The Windows user must have read/write access to the database using one of the following authentication methods:

- Windows NT authentication
- SQL database authentication

Tested X.509 certificates

3.3      SafeGuard Enterprise Server

Hardware:

- Intel or AMD x86 CPU
- 512 MB RAM
- 1 GB free hard disk space (recommended)

Software:

Microsoft Windows operating systems in German or English (other OS languages were not tested but should work):

- Server 2003 SP1 / SP2, 32-bit and 64-bit
- Server 2003 R2 SP1 / SP2, 32-bit and 64-bit
- Server 2008 SP1 / SP2, 32-bit and 64-bit
- Server 2008 R2, 64-bit

Microsoft ASP.NET:

- .NET Framework 3.0 SP1

Microsoft Internet Information Services:

- Version 6.0 on Windows Server 2003
- Version 7.0 on Windows Server 2008
- Version 7.5 on Windows Server 2008 R2
- IIS update according to Microsoft KB934903 recommended

The Windows user must have read/write access to the database using one of the following authentication methods:

- Windows NT authentication
- SQL database authentication

Note: Sophos strongly recommends SSL-encrypted communication between SGN client workstations and the SGN Server for any system other than demo or test setups. If this is not possible for some reason and the proprietary SGN transport encryption has to be used instead, at most 1000 client workstations may connect to a single server instance. SSL is not enabled automatically: the necessary settings have to be configured manually in the SGN Management Center. Refer to the installation manual for details.

Note: SGN server load depends on the number of clients connected to it, the number of SGN users per client, the number of group memberships per SGN user (if keys have been generated during Active Directory synchronization) and the frequency with which the clients contact the SGN server for policy updates. Server load and performance can be tuned by adjusting these parameters. With a single SGN user per client, few group memberships and one update per day, 40,000 clients have been observed to work fine with one SGN server using SSL.

 

3.4      SafeGuard Enterprise Device Encryption / Data Exchange Client

Hardware:

Microsoft Windows Operating Systems:

The SGN BitLocker client feature is installable only on platforms where MS BitLocker is available.

Software:

3.5      SafeGuard Configuration Protection Client

Hardware:

Microsoft Windows Operating Systems:

Software:

- Internet Explorer Version 6.0 or higher
- .NET Framework 2.0


3.6      Supported Smartcard Readers

Readers tested in SafeGuard Device Encryption Power-on Authentication

The smartcard readers below were tested by Quality Assurance (current and/or prior versions).

Manufacturer      | Card Reader                         | Interface            | Comment
ACS               | ACR 38U-CCID                        | USB-CCID             | Requires firmware version v1.12c
ActivIdentity     | USB Reader 3.0                      | USB-CCID             |
ActivIdentity     | PCMCIA Reader                       | PC-Card              | SCR 243 OEM
Broadcom          | BCM 5880                            | integrated (USB)     |
Cherry            | ST-1044U                            | USB-CCID             |
Cherry            | ST-2000                             | USB-CCID             | PIN pad for secure PIN entry is not supported
Cherry            | ST-4044                             | PC-Card              | CardMan 4040 OEM
Cherry            | G83-6644, G83-6733, G83-6744        | USB-CCID             | keyboards; secure PIN entry is not supported
Dell              | RT7D60, SK-3105                     | USB-CCID             | keyboards
Eutronsec         | SIM Pocket (incl. combo versions)   | USB-CCID             | SIM and standard size cards
Eutronsec         | Smart Pocket (incl. combo versions) | USB-CCID             |
Fujitsu Siemens   | Smartcase SCR (USB)                 | USB-CCID             | a.k.a. Solo
Gemalto           | GemPC Express                       | ExpressCard          |
Gemalto           | GemPC Twin                          | USB-CCID             |
Gemalto           | GemPC Key                           | USB-CCID             | SIM size
Gemalto           | Reflex USB v3                       | USB-CCID             |
HP                | SC Terminal (KUS0133)               | USB-CCID             | keyboard
HP                | PC Smart Card Reader                | PC-Card              | SCR 243 OEM
Kobil             | KAAN Base                           | USB-CCID             |
Kobil             | KAAN Advanced                       | USB-CCID             | PIN pad for secure PIN entry is not supported
Lenovo            | Integrated Smart Card Reader        | integrated (USB)     | Reader might be replaced by another type depending on market situation
o2micro           | Oz711 series                        | integrated (CardBus) |
o2micro           | Oz776                               | integrated (CCID)    |
Omnikey           | CardMan 3021, CardMan 3121          | USB-CCID             |
Omnikey           | CardMan 4040                        | PC-Card              |
Omnikey           | CardMan 4321                        | ExpressCard          |
Omnikey           | CardMan 5125, CardMan 5321          | USB-CCID             | contactless interface is not supported
Omnikey           | CardMan 6121                        | USB-CCID             | SIM size
Ricoh             | R/RL/5C476                          | integrated (CardBus) |
SCM               | SCR 243                             | PC-Card              |
SCM               | SCR 331                             | USB-CCID             | Requires firmware version 5.18 or higher
SCM               | SCR 335, SCR 3310, SCR 3311         | USB-CCID             |
SCM               | SCR 3320                            | USB-CCID             | SIM size
SCM               | SCR 3340                            | ExpressCard          |
SCM               | SDI 010                             | USB-CCID             | contactless interface is not supported
Texas Instruments | PCI 6515a, PCI 7621                 | integrated (CardBus) | Generic support for PCI xx21 readers


If more than one smartcard reader is present on a client, it is recommended to dis able the ones that are not in use to avoid unwanted side effects. For internal readers it may be necessary to disable the device in the BIOS.


 

Readers supposed to work with SafeGuard Device Encryption Power-on Authentication

The smartcard readers below are integrated in SafeGuard Enterprise and should work according to vendor compatibility information.

Manufacturer      | Card Reader                                          | Interface   | Comment
ACS               | ACR 38T, ACR 38U-BMC, ACR 38F, ACR 38K, ACR 100F     | USB-CCID    | SIM size
ACS               | ACR 122U, ACR 122T                                   |             | contactless interface is not supported
Cherry            | G81-7040, G81-7043, G81-8040, G81-8043               | USB-CCID    | keyboards; secure PIN entry is not supported
Cherry            | G83-14200, G83-14400, G83-14600                      | USB-CCID    | biometric keyboards; secure PIN entry and biometric functions are not supported
Eutronsec         | SIM Reader (incl. combo versions)                    | USB-CCID    | SIM size
Fujitsu Siemens   | Smartcase SCR (PC Card)                              | PC-Card     | CardMan 4040 OEM
Fujitsu Siemens   | Smartcase SCR (Express Card)                         | ExpressCard | SCR 3340 OEM
Gemalto           | Reflex 20 v3                                         | PC-Card     | SCR 243 OEM
Ricoh             | R5C835, R5C853                                       | integrated  |
SCM               | SPR 532                                              | USB-CCID    | PIN pad for secure PIN entry is not supported; requires firmware version 5.10 and updated Windows drivers
Vasco             | DigiPass 905                                         | USB-CCID    |



3.7      Supported Smartcards

Supported smartcards in SafeGuard Device Encryption Power-on Authentication

Vendor         | Card             | Versions                    | Card Type | Data Format
ActivIdentity  | Smart Card 64K   | v2 (Oberthur), v2c (Axalto) | Java Card | ActivIdentity
AET [1]        | G&D Sm@rtCafe    | 64K                         | Java Card | PKCS#15
AET [1]        | G&D STARCOS SPK  | 2.3, 3.0                    | ISO 7816  | PKCS#15
AET [1]        | IBM JCOP         | 20, 31, 41 72K              | Java Card | PKCS#15
AET [1]        | Siemens CardOS   | M4.3b                       | ISO 7816  | PKCS#15
Charismathics  | Siemens CardOS   | M4.3b                       | ISO 7816  | CSSID
IT Solution    | Siemens CardOS   | M4.3b                       | ISO 7816  | PKCS#15
Siemens        | Siemens CardOS   | M4.3b                       | ISO 7816  | PKCS#15
T-Systems      | TCOS             | 3.0                         | ISO 7816  | NetKey

Tested national EID cards in SafeGuard Device Encryption Power-on Authentication

Country/Type   | Card             | Versions  | Card Type | Data Format
Austria [2]    | AustriaCard ACOS | 3.01, 4.0 | ISO 7816  | A-Trust
Estonia [3]    | Orga Micardo     | V1, V2    | ISO 7816  |

Note: The following smart cards/tokens are not supported on the Windows Vista or Windows 7 platforms:
- CardOS, Siemens profile
- Estonian ID Card
- A-Trust
- RSA


 

3.8      Supported USB tokens

Supported USB tokens in SafeGuard Device Encryption 5.50 Power-on Authentication

Vendor            | USB Token                          | Middleware Supplier | Comment
ActivIdentity     | ActivKey SIM                       | ActivIdentity       |
ActivIdentity     | ActivKey Display                   | ActivIdentity       | OTP function is not supported
Aladdin (CardOS)  | eToken Pro, eToken NG-Flash        | Aladdin             |
Aladdin (CardOS)  | eToken NG-OTP                      | Aladdin             | OTP function is not supported
Aladdin (Java)    | eToken Pro, eToken NG-Flash        | Aladdin             |
Charismathics     | OTP Sign                           | Charismathics       | OTP function is not supported
Charismathics     | plugncrypt ID                      | Charismathics       |
Eutronsec         | CryptoIdentity ITSEC-I             | Charismathics       |
Eutronsec         | CryptoIdentity ITSEC-P             | AET                 |
Eutronsec         | OTP Sign                           | Charismathics       | OTP function is not supported
Kobil             | mIDentity Light                    | Siemens             | Includes flash memory
MARX              | CrypToken                          | AET                 |
RSA               | SecurID 800 v1 [4], SecurID 800 v2 | RSA                 | OTP function is not supported

Please note: The USB tokens shown in bold were tested explicitly by Quality Assurance (current and/or previous versions).

Hint: Using smartcards/tokens for authentication at OS level requires the installation of an additional middleware application (see column Middleware Supplier).



3.9      Smartcard middleware tested in SafeGuard Device Encryption under Windows

Vendor             | Middleware                | Version               | XP 32 | Vista 32 | Vista 64 | 7 32 | 7 64 | Comments
ActivIdentity      | ActivClient               | 6.2                   | x     | x        | x        | x    | x    |
AET                | SafeSign                  | 3.0.33                | x     | x        | c)       | x    |      |
Aladdin            | PKI Client                | 5.1 SP1 a)            | x     | x        | x        | x    | x    |
A-Trust            | a.sign client             | 1.2.7.0               | x     |          |          |      |      |
Charismathics      | Smart Security Interface  | 4.8.1                 | x     | x        |          |      |      |
* Estonian ID card | <multiple>                |                       | x     |          |          |      |      |
IT Solution        | trustWare CSP+            | 1.0.1.23              | x     |          |          |      |      |
Gemalto            | .NET                      | 2.1.3.1               | x d)  | x        | x        | x    | x    |
Gemalto            | Access Client             | 5.6.4                 | x     | x        | x        | x    | x    | d)
Gemalto            | Classic Client            | 6.0                   | x     | x        | x        |      |      |
RSA                | RSA Smart Card Middleware | 2.0.1                 | x     |          |          |      |      |
RSA                | RSA Smart Card Middleware | 3.0.1                 | x     |          |          |      |      |
Siemens            | CardOS API                | 3.1                   | x     |          |          |      |      |
T-Systems          | NetKey 3.0                | 1.6.0.10 + 1.3.0.4 b) | c)    | c)       | c)       | c)   | c)   |

x = tested on this platform

a) Tokens must be initialized with PKI Client 4.55, otherwise POA logon won't work.

b) CSP Minidriver 1.6.0.10 + PKCS#11 module 1.3.0.4

c) Please contact Sophos support for more information.

d) Regarding crypto tokens, please contact Sophos support for more information.


 


 

3.10    SGN Update Matrix

The following table shows which previous versions of SGN can be updated to SGN 5.50.8. The rows for earlier releases document their respective update paths.

SGN Update Matrix

Update to           | Update from (supported)
SGN 5.50.8          | SGN 5.35 GA, 5.35.x, 5.40.x, 5.50
SGN 5.50.1          | SGN 5.35 GA, 5.35.x, 5.40.x, 5.50
SGN 5.50 GA         | SGN 5.35 GA, 5.35.x, 5.40.x
SGN 5.40.x          | SGN 5.30 GA, 5.30.1, 5.30.2, 5.30.3, 5.35 GA, 5.35.x
SGN 5.35.x          | SGN 5.30 GA, 5.30.1, 5.30.2, 5.30.3, 5.35 GA
SGN 5.35 GA         | SGN 5.30 GA, 5.30.1, 5.30.2, 5.30.3
SGN 5.30.3          | SGN 5.30 RC1, 5.30 GA, 5.30.1, 5.30.2; SGN 5.20, 5.20.1, 5.20.2, 5.20.3, 5.20.4, 5.20.5, 5.21, 5.21.1 (1)
SGN 5.30.2          | SGN 5.20, 5.20.1, 5.20.2, 5.20.3, 5.20.4, 5.20.5, 5.21, 5.21.1, 5.30 RC1, 5.30 GA, 5.30.1
SGN 5.30.1          | SGN 5.20, 5.20.1, 5.20.2, 5.20.3, 5.20.4, 5.20.5, 5.21, 5.21.1, 5.30 RC1, 5.30 GA
SGN 5.30 GA         | SGN 5.20, 5.20.1, 5.20.2, 5.20.3, 5.20.4, 5.20.5, 5.21, 5.21.1, 5.30 RC1
SGN 5.30 RC1        | SGN 5.20, 5.20.1, 5.20.2, 5.20.3, 5.20.4, 5.20.5, 5.21, 5.21.1
SGN 5.21.1 (Patch)  | SGN 5.21
SGN 5.21            | SGN 5.20, 5.20.1, 5.20.2, 5.20.3, 5.20.4, 5.20.5
SGN 5.20.5 (Patch)  | SGN 5.20, 5.20.1
SGN 5.20.4 (Patch)  | SGN 5.20, 5.20.1
SGN 5.20.3 (Patch)  | SGN 5.20, 5.20.1
SGN 5.20.2 (Patch)  | SGN 5.20, 5.20.1
SGN 5.20.1 (Lenovo) | none
SGN 5.20            | none

Legend:

(1) Update supported only for SGN Server and SGN Management Console


 


 

3.11    SGN Migration Matrix

The following table shows which versions of SafeGuard Easy (SGE) can be migrated to SGN 5.50.8, depending on the encryption algorithm in use on the SGE installation.

SGE - SGN Migration Matrix

          | IDEA | DES | 3DES | AES 128 | AES 256 | Blowfish | Stealth | XOR
SGE 4.50  |  x   |     |  x   |    x    |    x    |          |         |
SGE 4.40  |  x   |     |  x   |    x    |    x    |          |         |
SGE 4.30  |  x   |     |  x   |    x    |    x    |          |         |
SGE 4.20  |      |     |      |         |         |          |         |
SGE 4.1x  |      |     |      |         |         |          |         |
SGE 3.x   |      |     |      |         |         |          |         |

Legend: x = migration supported

 

3.12    SGN Client/Server Matrix

The following table shows which previous versions of SGN clients can be serviced by which SGN Server.

Basically, the SGN Server version has to be equal to or higher than the respective client version.

SGN - Client/Server Matrix

SGN Server    | SGN Clients 5.2x | 5.30 | 5.35 | 5.40 | 5.50.x
SGN 5.50.x    |                  |      |  x   |  x   |   x
SGN 5.40.x    |                  |  x   |  x   |  x   |
SGN 5.35.x    |                  |  x   |  x   |      |
SGN 5.35 GA   |                  |  x   |  x   |      |
SGN 5.30.2    |        x         |  x   |      |      |
SGN 5.30.2    |        x         |  x   |      |      |
SGN 5.30.1    |        x         |  x   |      |      |
SGN 5.30 GA   |        x         |  x   |      |      |
SGN 5.21      |        x         |      |      |      |
SGN 5.20      |        x         |      |      |      |

Legend:

x  supported
1  no auto-registration

Note: In some scenarios an SGN client with a lower version number can receive policies from a server that runs a newer version of SGN. Nevertheless, the client will not be able to support features that were newly introduced with the newer version.


 

3.13    SGN Windows Operating System Support

The following table lists all supported operating system platforms along with the SGN modules available on that platform.

SGN Microsoft Windows Platform Support (SGN 5.50.x)

Platform                                                                  | DE | DE BitLocker         | DX | CP           | SGN Server | MC
XP Professional SP2 / SP3, 32-bit                                         | x  |                      | x  | x (.NET 2.0) |            | x (.NET 3.0 1)
Vista Home Premium / Business / Enterprise / Ultimate SP1 / SP2, 32-bit   | x  | Enterprise, Ultimate | x  | x            |            | x (.NET 3.0 1)
Vista Home Premium / Business / Enterprise / Ultimate SP1 / SP2, 64-bit   | x  | Enterprise, Ultimate | x  |              |            | x (.NET 3.0 1)
7 Home Premium / Professional / Enterprise / Ultimate, 32-bit             | x  | Enterprise, Ultimate | x  | x            |            | x (.NET 3.0 1)
7 Home Premium / Professional / Enterprise / Ultimate, 64-bit             | x  | Enterprise, Ultimate | x  | x            |            | x (.NET 3.0 1)
Server 2003 / R2 SP1 / SP2, 32-bit and 64-bit (.NET 3.0, IIS 6)           |    |                      |    |              | x          | x
Server 2008 SP1 (IIS 7.0) / Server 2008 R2 (IIS 7.5), 64-bit (.NET 3.0)   |    |                      |    |              | x          | x

x = module available on this platform. For DE BitLocker, the editions on which the SGN BitLocker client can be installed are listed; on the other editions (Home Premium, Business, Professional) MS BitLocker is not available.

1 .NET 3.0 SP1 required

Note 1: SafeGuard Enterprise can be installed and does support systems that are equipped with Solid State Disks (SSDs).

Note 2: SafeGuard Enterprise can be installed and operated in virtualization environments as well. Please be aware that there might be interoperability issues regarding encryption on devices that are attached via the USB bus. Depending on the virtualization environment and the attached device this issue might cause a system fault.

 

3.14    SGN Database Server Support

The following table lists all supported database server platforms.

SGN Server - Database Server Support

Database server                         | SGN 5.40 | SGN 5.50
Microsoft SQL Server 2005 SP1           |    x     |
Microsoft SQL Server 2005 Express SP1   |    x     |
Microsoft SQL Server 2005 SP2           |    x     |    x
Microsoft SQL Server 2005 Express SP2   |    x     |    x
Microsoft SQL Server 2005 SP3           |    x     |    x
Microsoft SQL Server 2005 Express SP3   |    x     |    x
Microsoft SQL Server 2008 SP1           |          |    x
Microsoft SQL Server 2008 Express SP1   |          |    x

x = supported

 

 

4       Resolved Issues (Release 5.50.x compared to Release 5.40)

 

4.1      SafeGuard Enterprise Management Center

4.2      SafeGuard Enterprise Server

 

4.3      SafeGuard Enterprise Client

- The A-Trust V4 token caused some issues.
- The Estonian ID card is now supported (Windows XP only).
- In some scenarios, the autologon of the POA was broken.
- Newly assigned keys required a reboot before being available to the user.
- The installer lacked a POACFG property.
- Incorrect log entries indicated that a drive was decrypting when in fact it was encrypting.
- Installing (or re-imaging) a machine with a previously used hostname could leave the machine inaccessible and unrecoverable if the old machine object had not been deleted in the SGN Management Center beforehand.
- No plain-text folder was created when burning CDs using the Windows integrated wizard.
- The SGPortable shortcut was displayed but did not work.
- Menu items disappeared in Corel Draw X4 after the installation of the Data Exchange client. Similar issues with Adobe Fireworks and Candela have also been solved.
- It was not always possible to change the Media Passphrase because the option was not available in the System Tray.
- In Mindjet MindManager, opening the Save As... dialog caused the application to hang.
- Password changes at Windows XP logon were lost when the Evidian SSO watch application was installed on an SGN client. A generic fix has been applied that also solves the issue of invalid password changes after a failed logon attempt.
- Depending on the applied white list, internal SCSI and IDE storage devices could be blocked.


 

5       Known Issues

5.1      SGN 5.50 Release

 

  In the Management Center, go to Tools -> Configuration Package Tool -> Register Server Tab -> Add...

- The maximum number of registered SGN users on a client is 200.
  Also consider the following maximum file sizes for files imported to a client by policy:

  o Text files should not be larger than 50 kB.
  o Banner bitmaps should not be larger than 100 kB.
  o Background bitmaps should not be larger than 500 kB.

Note: The number of assigned users, especially in combination with many group memberships, has a noticeable impact on SGN Server performance.

 

 

5.2      SafeGuard Management Center

 

         Uninstallation of SGN client on a MC machine renders the MC unusable.
When the SafeGuard Management Center is being run on a machine with a SGN client installation, uninstalling the client will leave the MC in an unusable state. This issue does not depend on the order of installation of the two modules. If you want to continue running the MC on such a machine, you must reinstall the MC.

 

         Database Naming Scheme
SGN Databases names should comply with the following naming scheme in order to prevent localization issues.

SGN Database names should only contain:
- Characters (A-Z, a-z)
- Numbers (0-9)
- Underscores (_)

         If a Management Center is installed on a SGN client machine, both components (client + MC) have to be updated to SGN 5.50, where the client has to be updated first. Updating only the Management Center can lead to failed logons at Windows level.

 

         Possible configuration of SQL Database access methods:
The Windows NT Authentication option requires further mandatory configuration steps proposed by Microsoft (please search the Sophos knowledge base for SGN & service account). The SQL Authentication is the less complex way and does not require additional configuration.

         The SGN password rules are implemented completely separate from the settings in AD and, if both rule sets are in use at the same time, deadlocks can occur. If a set of password policies is already implemented in the AD, it is recommended not to define additional password rules in the SafeGuard Management Center.

         If AD synchronization is carried out with a Windows user account that has less access rights on the AD than the one which performed the initial import, all objects which cannot be accessed will be treated as no longer available and therefore be deleted or moved to the Authenticated Computers node.
It is recommended to create one dedicated service account that is used for the authentication of all import and synchronization tasks, to prevent an accidental deletion of objects in the SGN Database (please search the Sophos knowledge base for SGN & synchronization).

         If elements have been moved from one subtree to another in Active Directory, both subtrees have to be synchronized with the SQL database. Synchronizing just one subtree results in the objects being deleted instead of moved.
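Both notes above describe the same reconciliation behaviour from two angles: whatever a synchronization run cannot see inside its scope is treated as gone. The following PowerShell function is an added illustration, not Sophos code and not the SGN synchronization logic itself. It models that behaviour with constructed sample users and OUs (the names, the OUs and the reconciliation rule are assumptions of this example, chosen to match what the notes describe) so that both failure cases can be reproduced offline before a real database is touched.

```powershell
# Added example, not Sophos/SGN code: a model of how a directory synchronization
# reconciles its database against what the sync account can currently read in AD.
# Users, OUs and the reconciliation rule are constructed assumptions for this example.

function Invoke-SyncModel {
    param(
        [hashtable]$Database,   # user -> OU as currently stored in the SGN database
        [hashtable]$VisibleAd,  # user -> OU as readable by the account running the sync
        [string[]]$Scope        # OUs (subtrees) selected for this synchronization run
    )
    $report = [ordered]@{ Kept = @(); Moved = @(); Deleted = @(); Added = @() }

    foreach ($user in $Database.Keys) {
        $oldOu = $Database[$user]
        if ($Scope -notcontains $oldOu) { $report.Kept += $user; continue }   # outside scope: untouched

        if (-not $VisibleAd.ContainsKey($user)) {
            # Unreadable (missing rights) and really deleted look identical to the sync.
            $report.Deleted += $user
            continue
        }
        $newOu = $VisibleAd[$user]
        if ($newOu -eq $oldOu)           { $report.Kept += $user }
        elseif ($Scope -contains $newOu) { $report.Moved += "$user ($oldOu -> $newOu)" }
        else                             { $report.Deleted += $user }   # target subtree not synchronized
    }
    foreach ($user in $VisibleAd.Keys) {
        if (-not $Database.ContainsKey($user) -and $Scope -contains $VisibleAd[$user]) {
            $report.Added += $user
        }
    }
    return $report
}

# Constructed sample: what an account with full read access imported initially.
$db = @{ 'jdoe' = 'OU=Sales'; 'asmith' = 'OU=Sales'; 'bjones' = 'OU=Eng' }

# Case 1: the sync now runs under an account that cannot read OU=Eng. Nothing changed
# in AD, but bjones is reported as deleted because the account cannot see him.
$restrictedView = @{ 'jdoe' = 'OU=Sales'; 'asmith' = 'OU=Sales' }
'Case 1 (fewer rights), deleted:'
(Invoke-SyncModel -Database $db -VisibleAd $restrictedView -Scope 'OU=Sales', 'OU=Eng').Deleted

# Case 2: jdoe was moved from OU=Sales to OU=Eng in AD. Synchronizing only the
# source subtree reports a deletion; synchronizing both subtrees reports a move.
$afterMove = @{ 'jdoe' = 'OU=Eng'; 'asmith' = 'OU=Sales'; 'bjones' = 'OU=Eng' }
'Case 2 (one subtree synchronized), deleted:'
(Invoke-SyncModel -Database $db -VisibleAd $afterMove -Scope 'OU=Sales').Deleted
'Case 2 (both subtrees synchronized), moved:'
(Invoke-SyncModel -Database $db -VisibleAd $afterMove -Scope 'OU=Sales', 'OU=Eng').Moved
```

The point of the model is the `Deleted` branch: the synchronization has no way to distinguish an object it is not allowed to read from an object that was removed, and a move whose target subtree is out of scope looks exactly like a removal. Running the sync under a dedicated service account with the same rights as the importing account, and always including both source and target subtrees, keeps those branches from being hit by accident.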

         AD synchronization will not synchronize the pre-Windows 2000 (NetBIOS) name of the Domain, if the Domain Controller is configured with an IP address. Please configure the Domain Controller to use the server name (NetBIOS or DNS) instead. The client (on which the AD synchronization is running) must be either part of the domain, or it has to be ensured that it can resolve the DNS name to the target Domain Controller.

         Certificates provided by the customer and imported into SGN are currently not verified according to RFC 3280. For example, using a signature certificate for encryption purposes is not prevented.


5.3      SafeGuard Enterprise Server

         HTTP authentication (of the client at the IIS) is not supported.

         For network traffic reduction it is recommended to use connection transfer intervals of more than 240 minutes.

         It is recommended to activate the Memory Recycling Options of IIS with default settings.

         Accessing the default page of the web service may result in an unhandled exception. This can be resolved by re-registering ASP.NET: aspnet_regiis /i

         To avoid incompatibilities with existing applications it is recommended to install the SGN Server on a dedicated IIS server.

         SGN 5.50 Enterprise Server does not support SGN 5.00/5.10/5.20/5.30 clients. They have to be migrated to SGN release 5.35 or higher before the SGN Enterprise Server is migrated to release 5.50.

5.4      SafeGuard Enterprise Data Exchange Client

 

         The installation of DX on a system with SafeGuard Removable Media (SGRM) is not prevented. Both SGRM and SGN DX are file encryption products that are not designed to coexist, but the DX installer does not check for this condition. SGRM must be uninstalled before SGN DX is installed.

         Recovery of forgotten passwords
SafeGuard Data Exchange without Device Encryption does not provide Challenge/Response recovery when the user has forgotten his password. In this case you must change the password in Active Directory, log on without the Sophos Credential Provider and restore the user configuration on the client. Consult the Sophos knowledge base for further details.

         Compatibility with SG Removable Media 1.20
Local keys created with SafeGuard Removable Media older than version 1.20 before switching to SafeGuard Data Exchange can be used in the SGN Client, but they are not transferred to the SGN database automatically.

         Compatibility with SG Easy 4.x
When using SafeGuard Data Exchange together with SafeGuard Easy 4.x, note that the SGE GINA mechanisms (especially Secure Auto Logon, SAL) will no longer work. SGE must be installed first, and both products should only be uninstalled together (without a reboot in between) to avoid GINA conflicts.

         Compatibility with Microsoft Office 2007
Microsoft Office 2007 applications (e.g. Word, Excel) abort with an error when saving modifications to a plain file that needs to be encrypted according to the current encryption policy.

Solution:
- Adjust the file's encryption status to comply with the policy, or
- add the Office programs to the Special Rename Processes registry key.

Here is a sample registry setting which adds WinWord.exe and Excel.exe to this key.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\UTIMACO\SGLCENC]
"SpecialRenamePrograms"="winword.exe;excel.exe;"

Please refer to the Sophos knowledge base SGI 109474 for further information.
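The .reg file above replaces the whole SpecialRenamePrograms value, so any program an administrator had already listed there is dropped when it is imported. The following PowerShell is an added example, not Sophos code and not part of the product: it merges program names into the existing semicolon-separated list instead of overwriting it. The key path and value name are taken from the sample above; that entries are separated by ';' with a trailing ';' is assumed from that sample, and the merge function is this example's own logic.

```powershell
# Added example, not Sophos code: extend SpecialRenamePrograms instead of overwriting it.
# Key path and value name come from the sample .reg file in the release notes; the
# "entry;entry;" format is assumed from that sample.
$SgLcEncKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\UTIMACO\SGLCENC'
$ValueName  = 'SpecialRenamePrograms'

function Merge-ProgramList {
    # Pure string logic, separated from the registry access so it can be checked offline.
    # Comparison is case-insensitive, existing order is preserved, result ends with ';'.
    param([string]$Existing, [string[]]$ToAdd)
    $entries = @($Existing -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($exe in $ToAdd) {
        if (-not ($entries | Where-Object { $_ -ieq $exe })) { $entries += $exe }
    }
    return ($entries -join ';') + ';'
}

function Add-SpecialRenameProgram {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Program)
    if (-not (Test-Path $SgLcEncKey)) {
        throw "Key $SgLcEncKey not found; is the SGN Data Exchange client installed?"
    }
    $current = (Get-ItemProperty -Path $SgLcEncKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $merged  = Merge-ProgramList -Existing ([string]$current) -ToAdd $Program
    if ($merged -ne [string]$current) {
        Set-ItemProperty -Path $SgLcEncKey -Name $ValueName -Value $merged -Type String
        Write-Verbose "$ValueName is now '$merged'"
    } else {
        Write-Verbose "$ValueName already contains all requested programs"
    }
}

# Offline check of the merge logic (touches no registry): an existing entry is kept,
# a duplicate differing only in case is not added twice, and the trailing ';' is preserved.
Merge-ProgramList -Existing 'outlook.exe;' -ToAdd 'winword.exe', 'excel.exe', 'OUTLOOK.EXE'

# Apply on the client (elevated PowerShell):
# Add-SpecialRenameProgram -Program 'winword.exe', 'excel.exe' -Verbose
```

Keeping the string handling in its own function means the part that decides what ends up in the value can be reviewed and tried on a workstation without registry rights; only `Add-SpecialRenameProgram` needs an elevated session on the affected client.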

         User elevation for encrypted executables
If an encrypted executable or installation package is started and requires user elevation in Windows Vista or Windows 7, it may happen that the elevation does not take place and the executable is not started.

         SafeGuard Portable Link on Read-Only Media
The link to the SafeGuard Portable application created in the root of a removable medium might not work under certain conditions (on Windows 7 only). When the medium is inserted into a machine where it receives a drive letter different from the one it had when SafeGuard Portable was copied to it, the link does not work if a drive with the original letter also exists on that machine. For example: the SafeGuard Portable link was created on a medium in drive D:. The medium is then used on a different machine as drive E:. The link is broken if this machine also has a drive D:; otherwise the link works as expected.

         Access to Key Ring after closing a Remote Session
A user's key ring is no longer accessible after an established remote session has been closed. The client machine has to be rebooted in order to restore full access to the user's key ring; just logging off and on again is not sufficient.


5.5      SafeGuard Enterprise Device Encryption Client

 

         BitLocker To Go-encrypted devices may prevent Device Encryption installation
If a BitLocker To Go-encrypted USB stick is attached to a machine during the SGN setup, the installation fails because Windows reports the system as being BitLocker-enabled, which is a valid failure condition for the DE client installation. Remove any BitLocker To Go-encrypted devices before installing SGN DE.

         Device Encryption may fail on some USB sticks
Some rare USB stick models report an incorrect storage capacity (usually larger than their actual physically available capacity). On these models a volume-based initial encryption fails and the data on the stick is lost. Sophos generally recommends file-based encryption (DX module) for removable media.

         User profile location on encrypted volumes
When encrypting the volume that contains the user profile(s), only keys that are available to every user whose profile is located on that volume should be used. User profiles must not be located on an encrypted volume for which a user does not have the encryption key; either avoid such a profile location or encrypt the volume with a key available to all users. This only becomes an issue when the default location of the user profiles is changed from the system volume to another local volume that is encrypted.

         SafeGuard Easy
The client requires an extra reboot after the first logon to ensure the registration of the logged on user.

         Update
When updating an older version of the SGN Client it is recommended to choose the Custom installation mode and manually select all desired features, whether or not they were already installed by the previous version. Alternatively, you can use the Complete mode. If the Typical mode is chosen, some features might not be updated properly.
In case of an unattended installation you have to use the ADDLOCAL= property to select all desired features (existing and new). If this property is not specified, only features installed by the previous version are updated.

         Installation of the client configuration package
After installation of the client configuration package, wait for about 5-10 seconds before acknowledging the final reboot. After rebooting, wait again for approximately 3 minutes at the Windows logon screen before logging on. Otherwise, the initial user synchronization may not be completed until a further reboot.

         Local Self Help
With Local Self Help (LSH), the Recovery option in the POA is never shown if the user logged on to the POA has the option to log on with a token or via fingerprint. LSH only works if the user logs on to the POA with user ID and password.

         Delayed Write Errors during Initial Encryption
During the installation of SafeGuard Enterprise Base Encryption, delayed write failures may be reported by the operating system. This happens right after the kernel has been installed onto the file system and can be provoked by many parallel file I/O operations during the next boot, right after the file system was manipulated.

Solution:
An alternate way of installing the SafeGuard Enterprise Base Encryption kernel can be forced by adding the following registry value:

Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Control\Session Manager
Value Name: AllocMode (DWORD)
Value: 1

This registry value should be added before executing the SafeGuard Enterprise Base Encryption setup.

         Device Protection Policy for removable drives
A policy to encrypt removable drives volume-based that allows the user to choose a key from a list (for example all keys in the key ring) can be circumvented by the user simply by not choosing a key. To make sure removable drives are always encrypted, the security officer should either use a file-based encryption policy or explicitly set a key in the volume-based encryption policy.

         Device Protection Policy together with Configuration Protection Policy for non-boot drives
If both the volume-based encryption and the configuration protection features are installed on Windows Vista systems, policies to encrypt non-boot volumes can cause the initial encryption process to freeze. This can be avoided by copying the bootmgr file to these non-boot volumes before the installation of SGN, and the encryption policy then has to be defined for boot volumes.


         Data Exchange Policy and SafeGuard Easy
Data Exchange policies cannot use the defined machine key on SafeGuard Easy 5.50. Use a different key if the policy is applied to SafeGuard Easy clients.


         Kerberos Support w/ A-Trust Token
Client setup for Kerberos logon with A-Trust smartcards:

The A-Trust middleware must be installed with the following parameters:

acSetup.exe /CALAIS=Yes

Use the A-Trust tray icon to update the middleware. This step is also necessary if you have already installed the latest version of the A-Trust middleware, because it downloads and installs the A-Trust root certificate.

Install the registry settings from
\Tools\ATrustSetup.reg.

Note: The user key store cannot be opened with version 1.2.5.2 or earlier of A-Trust middleware. A-Trust is already working on this issue.

         Kerberos Support w/ Aladdin eToken Pro
The Aladdin PKI Client 5.0 is required for Windows Kerberos Logon with Aladdin eToken PRO 72k (Java). However, these tokens must be initialized with Aladdin PKI Client 4.55 in order to be compatible with SGN's POA.

         Novell Client
To use SGN Client in conjunction with a Novell Client there are some project specific adaptations necessary. Please contact Sophos Support for further information.

         Fast User Switching
Fast user switching is not supported and must be disabled.

         Built-in floppy drive
After installation of SGN Device Encryption on Windows Vista the built-in floppy drive is no longer available. This limitation does not apply to external floppy drives attached via the USB bus.

         Boot time
Boot time increases by about one minute after installing the SGN Client software.

         Encryption of Virtual Drives
Virtual drives mounted on the client workstation (e.g. a VHD file mounted into Windows with the MS Virtual Server mounter) are treated as local hard drives, and therefore their contents are also encrypted if an encryption policy for other volumes is defined.

         It is not possible to use Volume-based device encryption together with BitLocker. The SGN Client setup does not allow installing both features simultaneously.

         During the initial encryption of the system partition (i.e. the partition, where the hiberfil.sys file is located) suspend to disk may fail and should therefore be avoided. After the initial encryption of the system partition a reboot is required before suspend to disk works properly again.

         Uninstallation of the SGN Device Encryption Client performs automatic decryption of volumes which have been encrypted using the default machine key. Other volumes encrypted using other keys are not decrypted automatically. They have to be decrypted using an appropriate policy before uninstalling the SGN Device Encryption Client.

         Decrypt all encrypted removable media before uninstalling the last SGN client that can access them. Otherwise you may no longer be able to access the data. As long as you keep your SGN database, the data on the removable media can be recovered.

         It is recommended to reboot an SGN Client PC at least once after activating the SGN Power-on Authentication. SGN backs up its kernel data on every Windows boot; this backup never happens if the PC is only hibernated or put into stand-by mode.

         Microsoft Windows XP has a technical limitation of its kernel stack size. If several file system filter drivers (e.g. antivirus software) are installed, the stack might not be sufficient and a BSOD can occur. Sophos cannot be held liable for this Windows limitation and cannot solve this issue.

         Sometimes token insert events are lost in the Windows Welcome dialog; the token then has to be re-inserted until it is successfully recognized. Alternatively, press CTRL-ALT-DELETE to switch to the Logon dialog, where this problem does not occur.

         If an error occurs during Kerberos logon to Windows, the PIN dialog does not close automatically after the corresponding error message box has been closed. The user has to press ESC or CTRL-ALT-DELETE to get back to the logon dialog.

         On clients using OHCI for the USB interface some smartcard readers or USB tokens may not work.

         For correct support of USB smartcard readers Dell 620 Notebooks need the Compatible Mode BIOS setting (in Onboard Devices/Integrated USB). This is the default value.

         In combination with Aladdin PKI client 4.5x a massive logon delay at GINA level can occur. We therefore recommend using version 5.0.

         In the case of Volume-based encryption, volumes that are located on "dynamic disks" or GPT disks are not supported.

         When performing an uninstall, some files and registry entries may remain. Consult the Sophos knowledge base (keywords SGN & uninstall) on how to clean the installation manually. Such a cleanup is necessary in order to reinstall SGN on the same computer.

         Due to technical limitations, single sign-on in conjunction with Kerberos (smartcard/token) requires a re-insertion of the smartcard or token at GINA level when running on Windows XP.

         If an uninstall of the SGN client is triggered via Active Directory it has to be ensured that all volume-based encrypted volumes have been decrypted properly beforehand.

         Compatibility to imaging tools has not been tested and is therefore not supported.

         If an Aladdin token storing user ID, password and certificate is used for logon, currently only 1024-bit certificates work properly.

         Special characters (e.g. ,,,) have to be entered case sensitive at POA level.

         Some computers cannot boot from a floppy disk once they have booted the POA from the hard disk. This is a limitation of their BIOS implementation and cannot be solved by Sophos.

         Special characters should be used with caution in the legal notice text for the POA. Some of these characters may not be displayed properly.

         Before encrypting a partition with volume-based encryption, it is recommended to run chkdsk c: /f /v /l /x in order to touch every sector of the partition. The hard disk firmware will then replace every defective sector before SGN tries to encrypt it.

         When using SafeGuard Portable in combination with SGN Client, AES-256 algorithm has to be used for encryption of removable media.

         Clients using BitLocker encryption will detect USB hard disks as Other volumes and not as Removables. Do not use encryption policies for Other volumes if you want to use USB hard disks on BitLocker clients.

         If you have installed SGN Device Encryption and SGN Data Exchange on one client, you cannot uninstall Device Encryption alone. You must uninstall the complete package.

         File-based and volume-based encryption have been successfully tested against concurrent installations of antivirus products by Sophos as well as the following:

If problems during startup are encountered, please try the following:

In HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan

set the DWORD value KStackMinFree to 0x2200.

To find a detailed explanation of the key, click this link:

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/f5ee041a924af12d8825709d00509eb2?OpenDocument

         If only SGN Data Exchange is installed on a client and users are imported, these users are not imported into the POA automatically when SGN Device Encryption is installed later on. You must trigger a user update, e.g. by temporarily assigning a key to the directory root.

         When you uninstall a SGN Client you must uninstall the client configuration package first.

         The BE_RESTORE tool always tries to access disk0. This may not be the hard disk, e.g., if a USB stick is connected or a ram disk is being used.

         The BE_RESTORE tool has some limitations on Windows Vista / Windows PE 2.0 if the hard disk is not encrypted yet.

         Using the BE_RESTORE tool with Windows PE 2.0 needs at least 512 MB of memory.

         A floppy media change is not always detected properly. Access the floppy drive while no media is in it (e.g. with Explorer) to ensure that the media change is detected.

         Windows XP up to Service Pack 2 shows a problem on some machines where resuming from standby does not show the locked desktop but directly opens the user desktop. The problem also applies to machines with SafeGuard Enterprise. This should be fixed with Windows XP SP3.

         On rare occasions, some smartcard middleware showed problems in our tests where it unexpectedly lost its session state after unlocking the desktop. By design, SGN locks the desktop again in this case. If you experience this problem, a workaround is to set the policy Action if token logon status is lost to No action.

         Very rarely the SGN Device Encryption Client setup ends with error 5001, meaning that your hard disk is too fragmented to install this software. The SGN kernel needs 96 MB of contiguous free disk space on the first hard disk.

         The enforcement of the SafeGuard Enterprise password history policy can be avoided by the user when the password change is enforced by the system administrator.

         If cryptographic token logon (Kerberos) is configured as a possible logon method on an SGN Client, logon to this SGN Client via Remote Desktop is not supported.

         Users whose user ID contains umlaut characters that are not available on the chosen keyboard layout are not able to log on at the POA, e.g. in combination with the German keyboard layout.

         The following keyboard layouts are supported in the pre-boot authentication module. "x" indicates that the language is fully supported; all other languages default to the keyboard listed. Beware of special characters in passwords if users have an unsupported keyboard that defaults to the US keyboard.

 

x  Language ID  Keyboard      Language / Comments
===============================================================================
   0x0000       US            Language Neutral
   0x0400       US            Process or User Default Language
   0x0800       US            System Default Language
   0x0401       US            Arabic (Saudi Arabia)
   0x0801       US            Arabic (Iraq)
   0x0c01       US            Arabic (Egypt)
   0x1001       US            Arabic (Libya)
   0x1401       US            Arabic (Algeria)
   0x1801       US            Arabic (Morocco)
   0x1c01       US            Arabic (Tunisia)
   0x2001       US            Arabic (Oman)
   0x2401       US            Arabic (Yemen)
   0x2801       US            Arabic (Syria)
   0x2c01       US            Arabic (Jordan)
   0x3001       US            Arabic (Lebanon)
   0x3401       US            Arabic (Kuwait)
   0x3801       US            Arabic (U.A.E.)
   0x3c01       US            Arabic (Bahrain)
   0x4001       US            Arabic (Qatar)
                US            Arabic (102) AZERTY
x  0x0402       BG            Bulgarian (No font available)
   0x0403       ES            Catalan
   0x0404       US            Chinese (Taiwan) (No font available)
   0x0804       US            Chinese (PRC) (No font available)
   0x0c04       US            Chinese (Hong Kong SAR, PRC)
   0x1004       US            Chinese (Singapore) (No font available)
   0x1404       US            Chinese (Macao SAR) (98/ME,2K/XP)
x  0x0405       cz            Czech
x  0x1402       cz_qwerty     Czech (QWERTY)
                US            Czech (Programmers)
x  0x0406       dk            Danish
x  0x0407       de            German (Standard)
x  0x0807       de_CH         German (Switzerland)
   0x0c07       de            German (Austria)
   0x1007       de            German (Luxembourg)
   0x1407       de            German (Liechtenstein)
x  0x0408       el            Greek (No font available)
x  0x0409       us            English (United States)
x  0x0809       gb            English (United Kingdom)
   0x0c09       us            English (Australian)
   0x1009       us            English (Canadian)
   0x1409       us            English (New Zealand)
x  0x1809       ie            English (Ireland)
   0x1c09       US            English (South Africa)
   0x2009       US            English (Jamaica)
   0x2409       US            English (Caribbean)
   0x2809       US            English (Belize)
   0x2c09       US            English (Trinidad)
   0x3009       US            English (Zimbabwe) (98/ME,2K/XP)
   0x3409       US            English (Philippines) (98/ME,2K/XP)
x  0x040a       ES            Spanish (Spain, Traditional Sort)
   0x080a       ES            Spanish (Mexican)
   0x0c0a       ES            Spanish (Spain, Modern Sort)
   0x100a       ES            Spanish (Guatemala)
   0x140a       ES            Spanish (Costa Rica)
   0x180a       ES            Spanish (Panama)
   0x1c0a       ES            Spanish (Dominican Republic)
   0x200a       ES            Spanish (Venezuela)
   0x240a       ES            Spanish (Colombia)
   0x280a       ES            Spanish (Peru)
   0x2c0a       ES            Spanish (Argentina)
   0x300a       ES            Spanish (Ecuador)
   0x340a       ES            Spanish (Chile)
   0x380a       ES            Spanish (Uruguay)
   0x3c0a       ES            Spanish (Paraguay)
   0x400a       ES            Spanish (Bolivia)
   0x440a       ES            Spanish (El Salvador)
   0x480a       ES            Spanish (Honduras)
   0x4c0a       ES            Spanish (Nicaragua)
   0x500a       ES            Spanish (Puerto Rico)
x  0x040b       fi            Finnish
                US            Finnish (with Sami)
x  0x040c       fr            French (Standard)
x  0x080c       be            French (Belgian)
   0x1080c      be            Belgian (Comma)
x  0x0c0c       ca_enhanced   French (Canadian)
                US            French (Canadian, Legacy)
                US            Canadian (Multilingual)
x  0x100c       fr_CH         French (Switzerland)
   0x140c       fr_CH         French (Luxembourg)
   0x180c       fr            French (Monaco) (98/ME,2K/XP)
   0x040d       US            Hebrew
x  0x040e       hu            Hungarian
x  0x040f       is            Icelandic
x  0x0410       it            Italian (Standard)
   0x0810       it            Italian (Switzerland)
x  0x0411       jp            Japanese
x  0x0412       ko            Korean (No font available)
   0x0812       US            Korean (Johab) (95,NT)
x  0x0413       nl            Dutch (Netherlands)
x  0x0813       be            Dutch (Belgium)
x  0x0414       no            Norwegian (Bokmal)
   0x0814       no            Norwegian (Nynorsk)
x  0x0415       pl            Polish (No font available)
x  0x0416       br            Portuguese (Brazil)
x  0x0816       pt            Portuguese (Portugal)
x  0x0418       ro            Romanian
   0x0419       US            Russian
   0x041a       US            Croatian
   0x081a       US            Serbian (Latin)
   0x0c1a       US            Serbian (Cyrillic)
   0x101a       US            Croatian (Bosnia and Herzegovina)
   0x141a       US            Bosnian (Bosnia and Herzegovina)
   0x181a       US            Serbian (Latin, Bosnia and Herzegovina)
   0x1c1a       US            Serbian (Cyrillic, Bosnia and Herzegovina)
   0x041b       sk            Slovak
   0x041c       US            Albanian
x  0x041d       se            Swedish
   0x081d       se            Swedish (Finland)
   0x041e       US            Thai
x  0x041f       tr            Turkish (No font available)
   0x0420       US            Urdu (Pakistan) (98/ME,2K/XP)
   0x0820       US            Urdu (India)
   0x0421       US            Indonesian
   0x0422       uk            Ukrainian
   0x0423       US            Belarusian
   0x0424       sl            Slovenian
   0x0425       US            Estonian
   0x0426       lv            Latvian
   0x0427       lt            Lithuanian
   0x0827       US            Lithuanian (Classic) (98)
   0x0429       US            Farsi
   0x042a       US            Vietnamese (98/ME,NT,2K/XP)
   0x042b       US            Armenian. This is Unicode only. (2K/XP)
                US            Armenian Eastern
                US            Armenian Western
   0x042c       US            Azeri (Latin)
   0x082c       US            Azeri (Cyrillic)
   0x042d       US            Basque
   0x042f       US            Macedonian (FYROM)
   0x0430       US            Sutu
   0x0432       US            Setswana/Tswana (South Africa)
   0x0434       US            isiXhosa/Xhosa (South Africa)
   0x0435       US            isiZulu/Zulu (South Africa)
   0x0436       US            Afrikaans
   0x0437       US            Georgian. This is Unicode only. (2K/XP)
   0x0438       US            Faeroese
   0x0439       US            Hindi. This is Unicode only. (2K/XP)
   0x043a       US            Maltese (Malta)
   0x043b       US            Sami, Northern (Norway)
   0x083b       US            Sami, Northern (Sweden)
   0x0c3b       US            Sami, Northern (Finland)
   0x103b       US            Sami, Lule (Norway)
   0x143b       US            Sami, Lule (Sweden)
   0x183b       US            Sami, Southern (Norway)
   0x1c3b       US            Sami, Southern (Sweden)
   0x203b       US            Sami, Skolt (Finland)
   0x243b       US            Sami, Inari (Finland)
   0x043e       US            Malay (Malaysian)
   0x083e       US            Malay (Brunei Darussalam)
   0x0440       US            Kyrgyz (XP)
   0x0441       US            Swahili (Kenya)
   0x0443       uz            Uzbek (Latin)
   0x0843       US            Uzbek (Cyrillic)
   0x0444       US            Tatar (Tatarstan)
   0x0445       US            Bengali (India)
                US            Bengali (Inscript)
   0x0446       US            Punjabi. This is Unicode only. (XP)
   0x0447       US            Gujarati. This is Unicode only. (XP)
   0x0449       US            Tamil. This is Unicode only. (2K/XP)
   0x044a       US            Telugu. This is Unicode only. (XP)
   0x044b       US            Kannada. This is Unicode only. (XP)
   0x044c       US            Malayalam (India)
   0x044e       US            Marathi. This is Unicode only. (2K/XP)
   0x044f       US            Sanskrit. This is Unicode only. (2K/XP)
   0x0450       US            Mongolian (XP)
   0x0452       US            Welsh (United Kingdom)
   0x0455       US            Burmese
   0x0456       US            Galician (XP)
   0x0457       US            Konkani. This is Unicode only. (2K/XP)
   0x045a       US            Syriac. This is Unicode only. (XP)
   0x0465       US            Divehi. This is Unicode only. (XP)
                US            Divehi (Phonetic)
                US            Divehi (Typewriter)
   0x046b       US            Quechua (Bolivia)
   0x086b       US            Quechua (Ecuador)
   0x0c6b       US            Quechua (Peru)
   0x046c       US            Sesotho sa Leboa/Northern Sotho (South Africa)
   0x007f       US            LOCALE_INVARIANT. See MAKELCID.
   0x0481       US            Maori (New Zealand)

 

5.6      SafeGuard Configuration Protection Client

 

  System Requirements
.NET Framework 2.0

  Installation
To install SGN Configuration Protection, please follow this installation order:

         SGNClient.msi

         SGN_CP_Client.msi; Do not restart!

         SGNClientConfig.msi

  Uninstallation
To uninstall SGN Configuration Protection, please follow this uninstallation order:

         SGNClientConfig.msi

         SGNClient.msi; Do not restart!

         SGN_CP_Client.msi

 

  Log-Event regarding open registry handle
The Configuration Protection Client (SimonPro.exe) keeps a handle to the registry open (for anti-tampering reasons), which causes this warning on Windows Vista.

  User-policy is not loaded
If users do not have to press Ctrl+Alt+Del to log on to Vista (interactive logon setting), the user policy is not loaded properly. In that scenario the machine policy is used instead.


5.7      Web Helpdesk

5.8      Update SGN 5.35 and higher to SGN 5.50

 

         Upgrade path for the SGN Configuration Protection module
The SGN Configuration Protection module cannot be updated to SGN 5.50 directly due to security constraints. In order to install the new version of the Configuration Protection module properly, the existing version has to be removed beforehand.

The approved update procedure is the following:

1.     Install the SGxClientPreinstall.msi package

2.     Update the SafeGuard Enterprise Client (SGNClient.msi), which includes the configuration protection module (do not reboot afterwards!).

3.     Remove the SafeGuard Enterprise ConfigurationProtection PortProtector client (SGN_CP_Client.msi).

4.     Reboot.

5.     Install the new SafeGuard Enterprise ConfigurationProtection PortProtectorClient (SGN_CP_Client.msi).

6.     Reboot.
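Both the Configuration Protection installation order in section 5.6 and the update procedure above depend on running the packages in a fixed order and on not restarting between particular steps. The following PowerShell is an added example and not a Sophos script: it runs each msiexec step with REBOOT=ReallySuppress and a verbose log per package, treats exit codes 0 and 3010 (success, restart required) as success, and stops at the first other exit code. The package folder, the path of the previously installed CP client package, the log folder and the ADDLOCAL feature list are placeholders to be adapted; the release notes do not name the features, and whether the first-time installation also needs ADDLOCAL is not stated, so it is left out there.

```powershell
# Added example, not a Sophos script: runs the packages of a SafeGuard installation or
# update in a fixed order, suppresses the automatic restart and stops at the first error.
# $NewPackageDir, $OldCpClientMsi, $LogDir and $Features are placeholders to adapt.
$NewPackageDir  = 'C:\SGN\5.50'                    # placeholder: folder with the 5.50 .msi files
$OldCpClientMsi = 'C:\SGN\old\SGN_CP_Client.msi'   # placeholder: package the installed CP client came from
$LogDir         = 'C:\SGN\logs'                    # placeholder: one verbose log per step
$Features       = 'FEATURE_PLACEHOLDER_1,FEATURE_PLACEHOLDER_2'   # placeholder: notes do not name the features

function Invoke-MsiStep {
    param(
        [Parameter(Mandatory)][ValidateSet('Install', 'Uninstall')][string]$Action,
        [Parameter(Mandatory)][string]$Path,        # full path of the .msi to install or remove
        [string[]]$Property = @()                   # extra PROPERTY=value pairs, e.g. ADDLOCAL=...
    )
    if (-not (Test-Path $Path)) { throw "Package not found: $Path" }
    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
    $name = [IO.Path]::GetFileNameWithoutExtension($Path)
    $log  = Join-Path $LogDir "$Action-$name.log"
    $op   = if ($Action -eq 'Install') { '/i' } else { '/x' }
    # /qn: no UI; REBOOT=ReallySuppress: Windows Installer must not restart on its own; /L*v: verbose log
    $argList = @($op, "`"$Path`"", '/qn', 'REBOOT=ReallySuppress', '/L*v', "`"$log`"") + $Property
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Host "$Action $name : ok" }
        3010    { Write-Host "$Action $name : ok, restart pending (deliberately not performed)" }
        default { throw "$Action $name failed with exit code $($proc.ExitCode); see $log" }
    }
}

# First-time Configuration Protection installation (order from section 5.6, one restart at the end).
function Install-ConfigurationProtection {
    Invoke-MsiStep -Action Install -Path (Join-Path $NewPackageDir 'SGNClient.msi')
    Invoke-MsiStep -Action Install -Path (Join-Path $NewPackageDir 'SGN_CP_Client.msi')   # no restart here
    Invoke-MsiStep -Action Install -Path (Join-Path $NewPackageDir 'SGNClientConfig.msi')
    Write-Host 'All three packages installed; restart the computer now.'
}

# Update of the Configuration Protection module (steps 1-6 above), split at the restart:
# run -Phase 1, restart, run -Phase 2, restart.
function Update-ConfigurationProtection {
    param([Parameter(Mandatory)][ValidateSet(1, 2)][int]$Phase)
    if ($Phase -eq 1) {
        Invoke-MsiStep -Action Install   -Path (Join-Path $NewPackageDir 'SGxClientPreinstall.msi')
        Invoke-MsiStep -Action Install   -Path (Join-Path $NewPackageDir 'SGNClient.msi') -Property "ADDLOCAL=$Features"
        Invoke-MsiStep -Action Uninstall -Path $OldCpClientMsi                             # old CP client, no restart yet
        Write-Host 'Phase 1 done: restart the computer, then run phase 2.'
    } else {
        Invoke-MsiStep -Action Install -Path (Join-Path $NewPackageDir 'SGN_CP_Client.msi') # new CP client
        Write-Host 'Phase 2 done: restart the computer to finish the update.'
    }
}
```

Run the functions from an elevated PowerShell session. Removing a package with msiexec /x needs the package the installed version was installed from (or its product code), which is why the old CP client package is a separate placeholder rather than the 5.50 file; the per-step log is what to read when a step ends with an exit code other than 0 or 3010.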




5.9      SafeGuard Easy 4.x

 

5.10    SafeGuard LAN Crypt

         SafeGuard LAN Crypt 3.70 is the first version that is fully compatible with SafeGuard Enterprise. If an older version of SafeGuard LAN Crypt is installed, we do strongly suggest upgrading to the latest version of SafeGuard LAN Crypt first.

         If SafeGuard Enterprise 5.50 is installed on top of SafeGuard LAN Crypt, the installation program complains that the component SGLC Profile Loader being upgraded is currently in use. This message is caused by the fact that SafeGuard LAN Crypt and SafeGuard Enterprise share common components and can therefore be ignored. The affected components will be updated upon reboot.

5.11    Token/Smartcards/Smartcard Reader

         Vista Fast User Switching after Token Logon
Using Fast User Switching after the preceding logon was performed with a token/smartcard may lead to a situation where non-Sophos Credential Providers are unable to unlock the user desktop. It is recommended to either use the Sophos Credential Provider or log off the current user before switching to a different account.

         Uninstallation fails on Windows Vista 64 bit/Windows 7 64 bit when using ActivIdentity ActivClient for token logon
When using the ActivIdentity ActivClient software for token logon on Windows Vista 64-bit or Windows 7 64-bit, uninstallation of the SGN client software fails with a hint that some components could not be removed. As a workaround, before the uninstallation is started for the first time, the policy must be changed so that ActivIdentity ActivClient is no longer the PKCS#11 module in use, and a restart must be performed. Uninstallation works after that.

 

5.12    Fingerprint Reader

5.13    Interoperability Issues

5.14    SCSI Hard Drives

 

 

6       Technical Support

You can find technical support for Sophos products in any of these ways:

Oberursel, November 4th, 2010

Copyright 1996 - 2010 Sophos Group and Utimaco Safeware AG. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the licence terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos is a registered trademark of Sophos Plc and the Sophos Group. SafeGuard is a registered trademark of Utimaco Safeware AG - a member of the Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

All SafeGuard products are copyright of Utimaco Safeware AG - a member of the Sophos Group, or, as applicable, its licensors. All other Sophos products are copyright of Sophos plc., or, as applicable, its licensors.

You will find copyright information on third party suppliers in the file entitled Disclaimer and Copyright for 3rd Party Software.rtf in your product directory.



[1] Please refer to AET SafeSign documentation for smartcard details (supported Java Card versions, card completions and configuration).

[2] Support for A-Trust cards in SafeGuard Enterprise requires cards to be issued by A-Trust with Kerberos Windows logon extensions and installation of A-Trust middleware.

[3] Support of Estonian EID cards requires:

          Standard middleware: OpenSC PKCS#11 version 0.8.3, and the EstEID Card CSP.

          Additional software from JaJa Arendus OU (http://www.jaja.ee), i.e. their additional ITLogon CSP and their scripting tool to link the Estonian citizen ID with Active Directory users.

[4] Tested with RSA Middleware Client 2.01.