
Installation and Deployment Guide

Forcepoint Endpoint Context Agent

v1.0
©2017 Forcepoint
All rights reserved.
10900-A Stonelake Blvd, Quarry Oaks 1, Suite 350, Austin, TX 78759, USA
Published 2017
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. Raytheon is a registered trademark of Raytheon Company. All
other trademarks used in this document are the property of their respective owners.
This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or
machine-readable form without prior consent in writing from Forcepoint. Every effort has been made to ensure the accuracy of this
manual. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of
merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages
in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is
subject to change without notice.
Contents
Chapter 1 Introducing Forcepoint Endpoint Context Agent
  System requirements
    Operating system requirements
  Prerequisites
Chapter 2 Deploying the Endpoint Context Agent in Your Enterprise
  Before You Begin
  Obtaining the ECA Installation Package
  Deploying Windows Endpoint Context Agents
    Manual Deployment
    Distributing ECA via GPO
    Testing Deployment
  Deploying on XenApp Endpoints
  Uninstalling ECA
    Local Uninstallation
    Remote Uninstallation Using Deployment Server
    Remote Uninstallation Using Distribution Systems
Chapter 3 Copyrights and Trademarks
  Copyrights and trademarks
  Other acknowledgments

ECA Installation and Deployment Guide i


Contents

ii Forcepoint Endpoint Context Agent


1 Introducing Forcepoint Endpoint Context Agent

ECA | v1.0

The Forcepoint Endpoint Context Agent (ECA) is a client application monitoring tool
that intercepts network system calls on Windows endpoints to provide user and
application information to the Forcepoint Next Generation Firewall (NGFW) about
connections being formed by the endpoint machine. The policy installed on each
NGFW Engine determines the action that is taken for each connection using the
additional information from ECA.

System requirements

Operating system requirements


ECA is currently only available for Windows endpoints.
Windows Endpoint requirements:
● Windows 10
■ x64 and x86 (Pro and Enterprise)
● Win 8/8.1 with KB3033929 and KB2999226
■ x64 and x86 (Pro and Enterprise)
● Win 7 SP1 with KB3033929 and KB2999226
■ x64 and x86 (Pro, Enterprise, and Ultimate)
● Citrix XenDesktop 7.12
Windows Server requirements:
● Windows Server 2012
● Windows Server 2016
● Citrix XenApp 7.12


Prerequisites

To install and use ECA, you must have NGFW v6.3.0 or later.
ECA configuration options were added to NGFW v6.3.0. See the Forcepoint Next
Generation Firewall Product Guide for more information about configuring
integration with ECA.



2 Deploying the Endpoint Context Agent in Your Enterprise

Before You Begin

● As a best practice, start by deploying and testing the Forcepoint Endpoint Context
Agent (ECA) software on a few local network machines, then increase to a limited
number of remote machines before deploying the software throughout your
enterprise.
● Ensure that there are no network address translation (NAT) devices between the
Forcepoint Next Generation Firewall Engine and the endpoint machine.
● Before installing ECA on an end user’s endpoint machine, perform the following
steps:
a. Create a Certificate Authority (CA) for the domain.
b. In the Management Client, create an ECA Configuration element that uses the
newly created CA.
c. Enable ECA on the NGFW Engine, and use the created ECA Configuration
element.
d. Export the ECA configuration file from the Engine Editor. This configuration
file is required before installing ECA on an end user’s endpoint machine.
See the Forcepoint Next Generation Firewall Product Guide for more
information.

Obtaining the ECA Installation Package

The ECA installation package is available for download from the Forcepoint website:
1. Log on to My Account.
2. Open the DOWNLOADS page from the top menu.
3. Navigate to NETWORK SECURITY, select an ECA version, and then
download the software.


Deploying Windows Endpoint Context Agents

There are a few ways to distribute the ECA software on Windows endpoint machines,
including virtual desktop clients running Windows:
● Manually on each endpoint machine.
See Manual Deployment.
● Using a Microsoft Group Policy Object (GPO) or other third-party deployment
tool for Windows.
See Distributing ECA via GPO.
● Using System Center Configuration Manager (SCCM) or Systems Management
Server (SMS).
See Creating and distributing Forcepoint endpoints using SCCM or SMS for
details.

Important
After deploying the installation package, you must restart
ECA to complete the installation process.

Manual Deployment
Before you begin deployment, you must obtain both the configuration file from the
Forcepoint NGFW Security Management Center and the ECA installation package
from Forcepoint.
Copy the eca.conf configuration file into the folder that contains the ECA installation
files. If the eca.conf file is not located in this folder, the installation will fail.
To manually deploy ECA on individual endpoints:

1. Double-click setup.exe. The Installation Wizard performs a check to ensure that
the endpoint meets the installation requirements, and the Installation Wizard
opens.

2. Click Next. The Forcepoint Subscription Agreement displays.

3. Select I accept the terms in the license agreement, then click Next.

4. By default, ECA installs into C:\Program Files\Forcepoint\ECA. To install it in
a different folder, click Change and select the folder.

5. Once the installation folder is set, click Next.
The Ready to Install the Program screen displays.

6. (Optional) If you would like to review the previous steps in the installer and
change anything, click Back. When you finish making changes, click Next to
return to this window.
7. To install the ECA, click Install.
The Installation Wizard displays a progress bar that indicates the status of the
installation.

To stop the installation, click Cancel. Otherwise, wait until the installation is
complete.
When the installation is complete, the Installation Wizard displays a confirmation
page.
8. Click Finish to exit the Installation Wizard.

Distributing ECA via GPO


Follow the steps below to deploy ECA through an Active Directory group policy
object (GPO). You must write different installation scripts for a 32-bit versus a 64-bit
operating system. Ensure that your script checks if ECA is installed. The script should
only install ECA if ECA has not already been installed.
1. To create a shared folder, first create the folder you want to share, then enable
sharing in the Properties menu.


2. Create a batch file (.bat) in the shared folder, for example, installmsi.bat. This
can be done in any text editor.
3. Type the following msiexec command into the batch file and save it.
msiexec /package "\\path\Forcepoint Endpoint Context Agent.msi" /quiet /norestart
where path is the path to the ECA MSI file.
4. Test your batch file manually to make sure it runs on other workstations. To do
this, open the server path to the file on a workstation and attempt to run the file. If
the file does not run, check your permissions.
5. Open the Group Policy Management Console (GPMC).
6. Create a new (or open an existing) GPO on the organization unit (OU) in which
your computer accounts reside:
a. In the console tree, right-click Group Policy Objects in the forest and
domain in which you want to create a GPO.
b. Click New.
c. In the New GPO dialog box, specify a name for the new GPO, and click OK.
7. Open Computer Configuration > Windows Settings > Scripts, and double-
click Startup in the right pane of the screen.
8. Click Add.
9. In the Script Name field, type the full network path and filename of the script
batch file you created in step 2.
10. Click OK.
11. Close the GPMC.
12. Run the gpupdate /force command at the command prompt to refresh the group
policy.
The application should be installed on startup. The endpoint may not be fully
functional until a reboot occurs.
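
One way to meet the install-only-if-missing requirement stated at the start of this procedure, as an added example rather than a script from Forcepoint. The share layout (\\fileserver\eca\x64 and \\fileserver\eca\x86), the log file paths, and the use of the fpeca service as the "already installed" check are assumptions; the script also assumes eca.conf must sit beside the MSI, as the guide states for manual deployment.

```bat
@echo off
rem Added example, not Forcepoint's script: GPO startup script that installs
rem ECA only when it is missing. Startup scripts run as Local System.
setlocal

rem Assumed share layout: one folder per architecture, each holding the MSI
rem for that architecture and the exported eca.conf.
set "SHARE=\\fileserver\eca"
set "MSI_NAME=Forcepoint Endpoint Context Agent.msi"
rem Assumed service name, as listed on the Task Manager Services tab.
set "SVC=fpeca"
set "LOG=%SystemRoot%\Temp\eca_install.log"
set "MSILOG=%SystemRoot%\Temp\eca_msi.log"

rem 1. Skip the install when the service is already registered.
rem    sc query returns 0 for an existing service, running or stopped.
sc query "%SVC%" >nul 2>&1
if not errorlevel 1 (
    echo %DATE% %TIME% ECA already installed, nothing to do.>>"%LOG%"
    exit /b 0
)

rem 2. Choose the package for this OS. A 32-bit cmd.exe on 64-bit Windows
rem    reports x86 but also defines PROCESSOR_ARCHITEW6432.
set "ARCH=x86"
if /i "%PROCESSOR_ARCHITECTURE%"=="AMD64" set "ARCH=x64"
if defined PROCESSOR_ARCHITEW6432 set "ARCH=x64"
set "SRC=%SHARE%\%ARCH%"

rem 3. Fail early if the package or eca.conf is missing. The guide requires
rem    eca.conf beside the installation files for manual deployment; this
rem    script assumes the same holds for the MSI.
if not exist "%SRC%\%MSI_NAME%" (
    echo %DATE% %TIME% Package not found in %SRC%.>>"%LOG%"
    exit /b 2
)
if not exist "%SRC%\eca.conf" (
    echo %DATE% %TIME% eca.conf not found in %SRC%.>>"%LOG%"
    exit /b 2
)

rem 4. Silent install with the guide's switches plus a verbose MSI log.
start "" /wait msiexec /package "%SRC%\%MSI_NAME%" /quiet /norestart /l*v "%MSILOG%"
set "RC=%ERRORLEVEL%"
echo %DATE% %TIME% msiexec exit code %RC%.>>"%LOG%"

rem 0 = success, 3010 = success with a restart still required.
if "%RC%"=="3010" exit /b 0
exit /b %RC%
```

Because the script runs as Local System on every machine in the OU, give computer accounts read-only access to the share and restrict write access to administrators, so the MSI, eca.conf, and the script itself cannot be replaced by ordinary users.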

Testing Deployment
When ECA is installed, an icon displays on the endpoint machine’s system tray.
If you hover over the icon, it displays FORCEPOINT ECA along with the
connection status to Forcepoint NGFW Security Management Center.
To confirm that the ECA software is installed and running on a machine, go to Start >
Control Panel > Administrative Tools > Services. Verify that Forcepoint Endpoint
Context Agent is present in the Services list and is started.
Most failed ECA installation issues are related to permissions. An ECA installation
requires local administrator rights.


Deploying on XenApp Endpoints

ECA can be deployed on Citrix XenApp servers to prevent data loss and data theft on
endpoint machines.
1. Follow the instructions in Deploying Windows Endpoint Context Agents,
but instead of deploying the software on each endpoint machine, deploy it on a
network server.
2. To support XenApp hardware resources, configure the endpoint to support
additional threads and improve memory usage. You must make this change on
each XenApp server running ECA.
To customize the configuration, do the following:
1. Open the AlternateResource.config.xml file in a text editor and do the following:
a. Set <numOfThreads>, the number of threads per processor, to at least twice
the number of cores on the Terminal Services server. For example, if you have
4 cores on the Terminal Services server, set
<numOfThreads>8</numOfThreads>.
b. Change all resource IDs in the document to reflect the number of threads you
wish to use.
c. Increase <MemoryInfo> to optimize endpoint memory usage. To do so,
multiply the number of supported sessions * 50M * .125. For example, if
there are 8 supported sessions, multiply 8 * 50 * .125 = 50.
Round up the result to the nearest integer in multiples of 50M not less than
100M. Set <MaxRamSpace> to this value. In the example, set
<MaxRamSpace> to 100.
2. Save and copy the AlternateResource.config.xml file to the ECA directory
(default is C:\Program Files\Forcepoint\ECA):
a. From the command line, navigate to C:\Program Files\Forcepoint\ECA.
b. Run the following command:
fpecasvc.exe -set
c. Copy AlternateResource.config.xml to the directory.
3. Restart the service through the Windows Task Manager or the command line:
■ In the Windows Task Manager:
a. Open the Services tab.
b. Locate the fpeca service, right-click and select Stop Service, then right-
click and select Start Service.
■ From the command line, navigate to C:\Program Files\Forcepoint\ECA and
run the following commands:
fpecasvc.exe -stop
fpecasvc.exe -start


Uninstalling ECA

There are two ways to uninstall ECA:


● Locally on each endpoint machine
● Remotely through a deployment server or distribution system

Local Uninstallation
1. Go to Start > Control Panel > Add/Remove Programs.
The Add/Remove Programs screen displays.
2. Scroll down the list of installed programs, select Forcepoint Endpoint Context
Agent, and click Uninstall.
A confirmation window displays, asking you to confirm that you want to delete
ECA.
3. Click Yes.
A system message displays, indicating that you must restart your system.
4. Click Yes to restart your system now, or No to restart later. Once the computer has
restarted, the configuration changes are applied.

Remote Uninstallation Using Deployment Server


If you use a deployment server to deploy ECA, you can perform a silent uninstallation
by running the following command:
msiexec /x {product_code} /qn

where {product_code} is a unique identifier (GUID) that can be found in the setup.ini
file of each installation package or the system registry. It is different for each
version and bit type (32-bit versus 64-bit).
To find the setup.ini file, use a file compression tool like WinZip or 7-Zip to extract
the contents of the installation package executable.
To perform a silent uninstallation that does not require a reboot, add the /norestart
parameter as follows:
msiexec /x {ProductCode} /qn /norestart

The command switches are summarized below.

Function                          Switch
Silent uninstall                  msiexec /x {ProductCode} /qn
Silent uninstall without reboot   msiexec /x {ProductCode} /qn /norestart
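
The registry lookup mentioned above, as an added example that is not part of the original guide. It assumes the product is registered under the display name shown in Add/Remove Programs and relies on the standard Windows Uninstall registry keys, where an MSI product's subkey name is its product code.

```bat
@echo off
rem Added example, not Forcepoint's script: find the ECA product code in the
rem registry and pass it to the guide's silent uninstall command.
setlocal EnableDelayedExpansion

rem Assumption: the display name matches the Add/Remove Programs entry.
set "NAME=Forcepoint Endpoint Context Agent"
set "CODE="

rem MSI products register under Uninstall\{ProductCode}. Search the native
rem registry view and the 32-bit view present on 64-bit Windows.
for %%R in (
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
) do (
    for /f "delims=" %%K in ('reg query %%R /s /f "%NAME%" /d 2^>nul ^| findstr /b /i "HKEY_LOCAL_MACHINE"') do (
        rem Keep the last matching subkey whose name starts with a brace.
        set "LEAF=%%~nxK"
        if "!LEAF:~0,1!"=="{" set "CODE=!LEAF!"
    )
)

if not defined CODE (
    echo ECA product code not found, nothing to uninstall.
    exit /b 0
)

echo Uninstalling ECA, product code %CODE%
start "" /wait msiexec /x %CODE% /qn /norestart
set "RC=%ERRORLEVEL%"

rem 0 = success, 3010 = success with a restart still required,
rem 1605 = the product is not installed.
if "%RC%"=="3010" exit /b 0
if "%RC%"=="1605" exit /b 0
exit /b %RC%
```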


Remote Uninstallation Using Distribution Systems


You can uninstall ECA software remotely by using distribution systems.
If you used an SMS distribution system to create installation packages, those packages
can be reused, with a slight modification, for uninstalling the software. If you did not
create a package for deploying ECA, you must create a new one for uninstallation.
To uninstall with a package:
1. Follow the procedure for Creating and distributing Forcepoint endpoints using
SCCM or SMS.
2. In step 1, select Per-system uninstall.
3. Complete the remaining procedures.
After deploying the package, the ECA software will be uninstalled from the defined
list of endpoints.



3 Copyrights and Trademarks


Published 2017
Printed in the United States of America
Every effort has been made to ensure the accuracy of this manual. However,
Forcepoint makes no warranties with respect to this documentation and disclaims any
implied warranties of merchantability and fitness for a particular purpose. Forcepoint
shall not be liable for any error or for incidental or consequential damages in
connection with the furnishing, performance, or use of this manual or the examples
herein. The information in this documentation is subject to change without notice.

Copyrights and trademarks


© 2017 Forcepoint. This document may not, in whole or in part, be reproduced,
translated, or reduced to any electronic medium or machine-readable form without
prior consent in writing from Forcepoint.
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. Raytheon is a
registered trademark of Raytheon Company. All other trademarks used in this
document are the property of their respective owners.

Other acknowledgments
This Forcepoint product includes the following open source software:
● OpenSSL, developed by the OpenSSL Project for use in the OpenSSL Toolkit
(https://www.openssl.org), © 1998-2017 The OpenSSL Project, © 1995-1998 Eric Young
(eay@cryptsoft.com), and is distributed under a double license, the OpenSSL License
and the original SSLeay License (https://www.openssl.org/source/license.html)
● LIBEVENT 2.0.22-STABLE, © 2000-2007 Niels Provos <provos@citi.umich.edu>,
© 2007-2012 Niels Provos and Nick Mathewson, is distributed under the BSD 3-Clause
License (https://opensource.org/licenses/BSD-3-Clause)
● EZXML, © 2004, 2005 Aaron Voisine, is distributed under the MIT License
(https://opensource.org/licenses/mit-license)

© 2017 Forcepoint
