Windows Agent / Bundle Installation

This describes how to install the Proofpoint Windows Agent / Bundle for ITM /Endpoint DLP on the endpoint(s).

The Windows Agent Bundle includes IT Client Utility for the endpoint agent setup and IT Content Analyzer for the content scanning component.

You must install the IT Client Utility and you can optionally select to install the IT Content Analyzer if you want to include content scanning.

For more information, see Supported Platforms and System Requirements for ITM / Endpoint DLP.

In addition, you can install the bundle via Proxy or as a Master Image.

Both Static Proxy and Dynamic Proxy are supported.

Use one of the following to install the Windows agent:

• Installing the Agent Bundle using the Wizard
• Installing the Agent Bundle from the Command Line
• Windows Agent Automated Installation

Prerequisites:

• Windows Management Instrumentation (WMI) must be enabled.

• The Run all Administration Admin Approval Mode setting must be enabled in the User Account Control settings (in the Local Security Policy) to successfully detect file upload via the Open dialog (AKA, File Picker).

  This setting is critical. If disabled, the Win Agent will not detect file uploads.

   

• You must complete Installation Configuration File. You will need the name and location of the config.json file to continue the installation.

• Before installing, select Run as Administrator.

• If using a Proxy server, make sure it is set up and you have connectivity to it.

  Self-signed certificate is required for Proxy setup.

• For Dynamic Proxy: 

When the customer selects Dynamic Proxy during installation, the Proofpoint Agent relies entirely on the operating system’s proxy configuration. The agent does not have its own proxy settings; instead, it uses whatever rules are defined in the PAC (Proxy Auto-Configuration) file.

A PAC file is a small script hosted by the customer’s IT team that tells the system which traffic should go directly to the destination and which traffic should go through the proxy. Because the agent runs under the Local System account, the PAC file must be configured for that account specifically.

To verify or update this configuration, run the following commands as Administrator on the endpoint:

• Check the current PAC file setting:

bitsadmin /util /getieproxy localsystem

• Point the system account to the PAC file:

bitsadmin /util /setieproxy localsystem AUTOSCRIPT http://yourproxy.example.com/proxy.pac

Notes:

• Proxy authentication (username/password) is not supported with Dynamic Proxy.

• Changes to PAC files may not take effect immediately; restarting the endpoint will apply them.

• Make sure all required Proofpoint backend URLs are safelisted to ensure communication works as expected (see ITM / Endpoint DLP Safelist for Firewall).

Valid Root Certificate

For the installation to succeed, you must make sure that the endpoint has a valid root certificate.

Proofpoint signs the Agent with this valid root certificate. Proofpoint signs the Agent with a certificate to ensure that the customer knows that the Agent is from Proofpoint. The certificate has an expiration date. The certificate is renewed annually and is dependent on a valid root certificate.

Downloading the Agent Bundle Installation Files

1. From Proofpoint Data Security, select the Administration app. Select Endpoints > Downloads.

2. In the Windows area, from the Agent Bundle section, select the latest-stable version and click Download..

   

3. Save the downloaded .zip file locally.

4. When you extract the contents of the .zip file, you'll have the following files:

   • ITMSaaSBundle-<version>.exe: Agent Setup file
   • WinagentInstall.cmd: Executable installation file
   • WinagentUninstall.cmd: Executable file for uninstall
     

Installing the Agent Bundle using the Wizard

This describes how to install the Proofpoint Windows Agent / Bundle for ITM /Endpoint DLP  using the Installation wizard. The wizard always installs the IT Client Utility module and optionally the IT Content Analyzer.

1. From the files you extracted, run ITMSaaSBundle-<version>.exe and the wizard opens. (Make sure you Run as administrator.)

2. Select the components you want to install and then click Install.

   • IT Client Utility installs the Windows agent. This option is selected and must be installed.

   • IT Content Analyzer installs the Content Scanning utility. (For more information about Content Scanning, see Content Scanning.)

3. Click Next and accept the license agreement. Click Next.

4. Enter the location for:

   • Installation folder: this is the location where you want to install the IT Client Utility module.
   • Installation configuration folder: this is the config.json file you previously downloaded from Realms and saved locally.

   If you are using a master image, select Install for a master image. For more information, see Windows Agent and Auto Updater VMs and VDI Support.

   Click Next.

5. If you are using a Static Proxy server, complete the details.

   Select Static proxy.

   Provide the Proxy Server Hostname and Port.

   Optionally, if you want to set default credentials, complete the Domain, Username and/or Password fields.

   

   Click Next.

6. If you are using a Dynamic Proxy servers, complete the details.

   Dynamic Proxy requires that a PAC file is preconfigured to select the appropriate proxy server.

   Select Dynamic Proxy.

   If you want to set authentication credentials, select Set authentication credentials and provide the Username, Passowrd and Doman (optional).

   

   Click Next.

7. The Windows SaaS agent Setup runs and when complete a success message displays. Click Close.

Installing the Agent Bundle from the Command Line

You can install the Agent Bundle components by running WinagentInstall.cmd as administrator. The IT Utility Client will be installed by default. You can set contentdetection parameter to install/not install the IT Content Analyzer content scanning component.

From Windows agent version 1.2.x.xxx, a new command line replaces the previous one. Parameters are no longer uppercase only. Copy/paste according to the list below.

1. Open WinagentInstall.cmd with a text editor.

   msiexec /i "winagent.msi" TARGETDIR="%ProgramW6432%\IT Client Utility\Client Utility" /quiet /norestart PRECONFIGPATH="C:\Temp\preconfig.json" /leo "ClientUtility_setup.txt"

   1. Define the parameters below for your installation:

      Required Parameters

      TargetDir: Installation directory (default: "%ProgramFiles%\IT Client Utility\Client Utility")

      PreConfigPath: Full path for the Pre-Configuration file downloaded from the server, for example <config>.json

      Optional Components Parameters

      contentdetction is the component that includes content scanning:

      • contentdetection=0:Do not install content detection component

      • contentdetection=1:Install content detection component

      ItxMstrImage=True: Install as Master image

      Proxy Settings

      Dynamic proxy is supported from version 2.0.0.57. Make sure to use the ProxyType parameter. EnableProxy parameter is no longer valid.

      ProxyType=0 No proxy (default)

      ProxyType=1 Static proxy

      ProxyType=2 Dynamic proxy

      ProxyServerHostname="<URL/IP>" This field is required if ProxyType = 1 (Static Proxy is on ).

      ProxyServerPort="<Proxy Port>" This field is required if ProxyType = 1 (Static Proxy is on).

      ProxyAuth_Credentials=1 to use authentication credentials

      ProxyDefault_Credentials=1 to set to true. To disable, do not send this parameter.

      ProxyDomain="<Domain Login>" (Optional)

      ProxyUsername="<Proxy Username>" *This field is required if ProxyAuthCredentials = 1(authentication credentials is on).

      ProxyPassword="<Proxy Password>" *This field is required if ProxyAuthCredentials = 1 (authentication credentials is on).

      Installation Log

      /log [Path_To_Log_File] – by default will be create in %TEMP% directory

2. Left-click WinagentInstall.cmd and select Run as administrator.

   

Installing the Windows Agent and Proxy from the Command Line

You set proxy configuration from it-utility.exe.

1. Stop Windows service IT Cloud Service (it-servicecontroller.exe)

2. Use CMD or Powershell as administrator and from the command line.

   it-utilty.exe proxy -h <proxy host> - p <proxy port> -e

   For example: 

   it-utilty.exe proxy -h <MyProxyServer> - p <500> -e

   where the Proxy Server Host is MyProxyServer and the Proxy Port is 500.

   Use these parameters with the command:

   • -h, --host (Default: ) Proxy host (-h). This parameter is required.

   • -p, --port (Default: 0) Proxy port (-p). This parameter is required.

   • -c, --dcred (Default: false) Proxy use default credentials (-c)

   • -e, --enabled (Default: false) Proxy enabled (-e)

   • -r, --reset (Default: false) Reset proxy to default values (-r)

   • -u, --user (Default: ) Proxy username (-u)

   • -x, --pass (Default: ) Proxy password (-x)

   • -d, --domain (Default: ) Proxy domain (-d)

3. Start Windows service.

Related Topics:

Uninstalling the Windows Agent