PRE-INSTALLATION CHECKLIST
RIGHTSWATCH®
Watchful
Pre-Installation Checklist
This form is designed to gather information about the environment where RightsWATCH is going to be installed. Please complete one copy and
return it to your Watchful Software point of contact.
1. CLIENT CONTACT
Company Name: ______________________________________________________________________________________________
Address: _________________________________________________________________________________________________
POC Name: ______________________________________________________________________________________________
POC Telephone:___________________________________________________________________________________________
POC E-mail: _____________________________________________________________________________________________
Technical POC Name: ______________________________________________________________________________________
Technical POC Telephone: __________________________________________________________________________________
Technical POC E-mail:______________________________________________________________________________________
2. INSTALLATION DETAILS
Number of end-users: ____
Desired start date: ___ / ___ / ______
Desired Modules:
☐ RightsWATCH for Email (Outlook)
☐ RightsWATCH for Office (Word, Excel, PowerPoint)
☐ RightsWATCH for iOS (iPhone/iPad)
☐ RightsWATCH for Windows Phone 7
☐ RightsWATCH for Exchange 2010 SP1 OWA
3. TECHNICAL ENVIRONMENT
3.1. END-USERS
3.1.1. Regarding the end-users to be included, how are the versions of their Operating Systems distributed (number of users for each)?
Microsoft Windows XP ____
Microsoft Windows Vista ____
Microsoft Windows 7 ____
3.1.2. Regarding the end-users to be included, how are the versions of their Microsoft Office distributed? Please note that only Professional or Enterprise versions are supported by RightsWATCH.
www.watchfulsoftware.com
© Copyright Watchful Software S.A. 2012 All Rights Reserved.
Microsoft Office 2003 Professional Edition ____
Microsoft Office 2007 Professional Edition ____
Microsoft Office 2010 Professional Edition ____
3.1.3. If the RightsWATCH Mobile module is to be installed, how are the mobile devices distributed (number of users)?
Windows Phone ____
iOS (iPhone/iPad) ____
3.2. AD-RMS
3.2.1. Is your organization already using Microsoft Rights Management Services? (Y/N) ___
If you answered Yes, please answer the following questions; if not, skip the rest of this section.
3.2.2. Do you have more than one AD-RMS server installed? (AD-RMS Cluster) (Y/N) ___
If you answered No to the previous question, please skip the next question.
3.2.3. What kind of AD-RMS cluster topology is installed (X):
☐ Full-featured cluster
☐ Licensing-Only cluster
☐ Other. Please specify: ___________________________________________________________________________________
_________________________________________________________________________________________________________
3.2.4. Is your RMS Cluster registered in the Active Directory Service Connection Point (SCP) (Y/N)? __
3.2.5. Are you using a hardware-based CSP (Cryptographic Service Provider) to protect your AD RMS cluster key (Y/N)? __
If you answered Yes, please specify:
a) CSP Model: ___________________________
b) CSP Version: __________________________
3.2.6. Does your organization use RMS Rights-Templates to protect the produced information (Y/N)?
If you answered Yes to the previous question:
c) How are the defined RMS Templates organized (e.g. by project, by department, other)?
_______________________________________________________________________________________________________
d) Is access to the defined RMS Templates granted to groups of users, to specific users, or both?
_______________________________________________________________________________________________________
e) Please provide information about the RMS Templates already defined in your organization that are intended to be used.
| Template Name | Template GUID | Licensing Options | Who has access |
|---|---|---|---|
| e.g.: HR-CONFIDENTIAL | {ab6e1002-ac6c-47db-937b-c443cfbf12a1} | Use-License Expire after ____ days; Client-side caching enabled (Y/N) ____ | Human Resources User Group: Full Rights; Commercial Group: Read, Reply, Reply All |
| | | Use-License Expire after ____ days; Client-side caching enabled (Y/N) ____ | |
| | | Use-License Expire after ____ days; Client-side caching enabled (Y/N) ____ | |
| | | Use-License Expire after ____ days; Client-side caching enabled (Y/N) ____ | |
| | | Use-License Expire after ____ days; Client-side caching enabled (Y/N) ____ | |
| | | Use-License Expire after ____ days; Client-side caching enabled (Y/N) ____ | |
| | | Use-License Expire after ____ days; Client-side caching enabled (Y/N) ____ | |
f) Please attach the XrML files for each AD-RMS Template listed (X) __
g) Identify the Active Directory Global Distribution Groups used for AD-RMS Templates:

| Group Name | Distinguished Name | Object-GUID (objectGUID) property |
|---|---|---|
| e.g.: HR-Management | CN=HR-Management,OU=Groups,DC=company,DC=com | {ab6e1002-ac6c-47db-937b-c443cfbf12a1} |
4. PRE-INSTALLATION CHECKLIST
Before starting the installation, the RightsWATCH team needs to ensure that the following requirements have been satisfied. Please check (X) that each of the following requirements is met.
4.1. ACTIVE DIRECTORY REQUIREMENTS
☐ RightsWATCH end-users’ workstations are registered in your organization’s Windows domain
☐ The e-mail field in Active Directory is filled in (not empty) for every user who is part of the installation
☐ All users log into their computers using the Active Directory domain account and not a local account
☐ The network and security configurations of end-users’ workstations ensure integrated authentication (Windows Authentication) between workstation and AD-RMS/RightsWATCH services.
☐ There is a Global Catalog (GC) service running that allows queries for listing users and groups (this is standard and many Microsoft services depend on it, but it may be disabled by the Administrator)
☐ Please identify the following LDAP paths:
  - Global Catalog: ____________________________________ (e.g. ldap://ad.company.com:3268)
  - LDAP Path: ________________________________________ (e.g. ldap://ad.company.com)
☐ An Active Directory Organizational Unit is created for RightsWATCH (anywhere in the AD structure). This OU shall contain the User Groups and service accounts for the RightsWATCH installation
  - OU Name: _________________________________ (e.g. RightsWATCH)
  - OU DN: ____________________________________ (e.g. OU=RightsWATCH,DC=company,DC=domain)
☐ An Active Directory domain user is created for RightsWATCH (service user) and this user has the following rights:
  - Read and list users
  - Create and manage User Groups and User Groups membership (only in the OU identified in the previous point)
  - AD Username: ___________________________ (e.g. RightsWATCH-User)
  - AD Principal Name: ______________________ (e.g. RightsWATCH-User@company.com)
  - AD Password: ___________________________
☐ If you do not have AD-RMS already installed in your organization, the following two service accounts must be created:
  - AD-RMS Administrator (e.g. adrmsadmin): ______________________________________
  - AD-RMS Service (e.g. adrmssrvc): ____________________________________________
☐ All Universal Distribution User Groups created and managed by RightsWATCH shall have an e-mail address associated with them. This e-mail address shall be in the form <user_group_id>@yourdomain.com. This will be done automatically by the application. Please identify the e-mail domain of your organization: __________________ (e.g. yourdomain.com)
☐ RightsWATCH uses Security Groups to control access to the administration and monitoring interfaces of the application. Please create and identify the details of the security groups to be used (please note that for pilot purposes, the same security group might be used for all the distinct roles):
| Type of Access | Group Name | Distinguished Name |
|---|---|---|
| e.g. Users Management | RightsWATCH_USERS_ADMIN | CN=RightsWATCH_USER_MANAGEMENT,OU=RightsWATCH,DC=company,DC=com |
| Users Management | | |
| Classification Management | | |
| Roles (Access Policies) Management | | |
| Classification Rules Management | | |
| Software License Management | | |
| RightsWATCH System Setup Management | | |
| Users Actions Monitoring | | |
| Administrators Actions Monitoring | | |
| Document BlackList Management | | |
4.2. DATABASE REQUIREMENTS
☐ An instance of SQL Server 2005 or 2008 (any edition) is available for RightsWATCH/AD-RMS use.
☐ If you intend to have SQL Server Clustering, this should be pre-configured beforehand. Please identify the SQL Cluster Server name.
(If you are not using SQL clustering, please ignore this step):
_____________________________________________________________________________________________________
☐ A Database SQL User that is SysAdmin of that same SQL instance is created and made available to the RightsWATCH team:
Username: ________________________ (e.g. RightsWATCH-db-user)
Password: ________________________
☐ A Database SQL User has read-only (SELECT rights) granted to the AD-RMS Configuration database (usually named: DRMS_Config_<server_name>_<domain_name>_<tcp_port>) – Only applicable if you have AD-RMS already installed
☐ Please fill out the following details regarding the Databases:
RightsWATCH Databases:
  - IP/Hostname of the Server: _____________________ (e.g. sql-server.company.com)
  - SQL Instance Name: ___________________________ (e.g. SQLSERVER)
AD-RMS Configuration Database:
If AD-RMS is not already installed, please skip this step:
  - IP/Hostname of the Server: ______________________________________________________________________________
(e.g. sql-server.company.com)
  - SQL Instance Name: ___________________________________________________________________________________
(e.g. SQLSERVER)
  - Catalog Name: ____________________________________________________________________
(e.g. DRMS_Config_rms_server_name_company_com_443)
4.3. AD-RMS SERVER REQUIREMENTS
☐ In the case of an existing Microsoft RMS installation, provided that the RMS templates configured are to be imported from RightsWATCH, these templates must be assigned to Groups in the Active Directory (and not to individual users).
☐ The username/password of the rms-admin and rms-service accounts shall be made available or typed by an Administrator when installing RightsWATCH components
☐ Please identify the AD-RMS Administration Web-Service location:
_______________________________________________________________________________________________________
(e.g. http://<RMS Cluster name>/_wmcs/Admin/TemplateMgr.asmx)
☐ The main AD-RMS Server is eligible for installation of the RightsWATCH components:
  - IIS 7.0 or higher
  - ASP.NET 3.5 support
☐ The created AD users (see Active Directory Requirements) are local administrators of the AD-RMS Server
☐ If you intend to have AD-RMS installed over SSL, please make sure the following requirements are met:
  - An SSL Certificate recognized by all domain workstations has been issued for the AD-RMS server name
  - Please fill out the FQDN of the AD-RMS:
________________________________________________________________________________________________________
(e.g. RightsWATCH.organization.com)
☐ In order to have AD-RMS clustering, a CNAME has to be created on the DNS server with the name of the AD-RMS server. This CNAME must be resolved correctly by all domain machines.
4.4. MOBILE SUPPORT REQUIREMENTS
4.4.1. Windows Phone Requirements
☐ Windows Phone devices are able to connect (either through the Internet or using a VPN connection) to the Exchange 2010 CAS server using the default Web-Site configured TCP Port
☐ Exchange 2010 ActiveSync (v.14.1 or higher) is activated
4.4.2. iOS Support Requirements
☐ iOS devices are able to connect (either through the Internet or using a VPN connection) to the AD-RMS Server using the default Web-Site configured TCP Port
☐ It is possible for users to access the AD-RMS server through the iOS devices by inputting their domain username/password. (You can test this by using your iOS device to access http(s)://<rms_cluster_fqdn>:<tcp_port>/_wmcs/Licensing/License.asmx)
4.5. RIGHTSWATCH FOR EXCHANGE 2010 SP1 OWA
This section should only be filled out if you intend to install RightsWATCH for Exchange 2010 SP1 Outlook Web Application (OWA)
RightsWATCH for OWA enables users to create RightsWATCH classified e-mails directly in the OWA interface, using the same UI provided for other platforms.
In order to be able to install RightsWATCH for OWA, the following requirements must be met:
☐ Please identify the current version of Microsoft Exchange 2010: __________________________________________________
☐ Please list the current CAS server where the OWA service is installed: _____________________________________________
(e.g. exch-cas.company.com)
☐ OWA is configured to support the opening and creation of RMS protected content (only applicable if you already have AD-RMS installed)
5. PROCESS REQUIREMENTS
5.1. AD-RMS INSTALLED PREVIOUSLY
If you do not have AD-RMS servers running in your organization or you will not use the existing RMS Templates for RightsWATCH, please skip to section 5.2.
If you already have AD-RMS servers and will be using the existing RMS Templates for RightsWATCH, please fill out the following form:
5.1.1. Please fill the following table with the information of the users to be included.

| ID | Domain\User | E-mail | Distinguished Name |
|---|---|---|---|
| e.g.: | COMPANY\user | user@company.com | CN=user,OU=RIGHTSWATCH,DC=company,DC=com |
| 1 | | | |
| 2 | | | |
| 3 | | | |
| 4 | | | |
| 5 | | | |
| 6 | | | |
| 7 | | | |
| 8 | | | |
5.1.2. If you had to group the existing RMS Templates in categories (information scopes), how many and what would they be (e.g. HR, Commercial, Customer, ProjectX, etc.):

| ID | Information Scopes | Allow unprotected content [1] |
|---|---|---|
| e.g.: 0 | Commercial | X |
| 1 | | |
| 2 | | |
| 3 | | |
| 4 | | |

[1] Check this column to create a Public (no encryption) classification under this scope. This will allow users to classify information without applying encryption. Example: In the scope Commercial, along with the Templates already defined, a “Public” classification option would be displayed.

5.1.3. Please identify the AD-RMS Templates that should be placed on each scope:
| Scope ID | Order [2] | AD-RMS Template Name | Brief Description [3] |
|---|---|---|---|
| e.g. 0 | e.g. 1 | HR-Internal-Information | Information related to Human Resources for internal use |
| | e.g. 0 | HR-External-Information | Information related to Human Resources for external use |
| 1 | | | |
| 2 | | | |
| 3 | | | |

[2] This number (confidentiality order) determines the order in which the classifications appear on the end-user interface. Example: Public (0); Internal (1); Secret (2);
[3] This information will be displayed on the end-user interface and is intended to describe the application of this Level.

5.2. NO AD-RMS INSTALLED PREVIOUSLY
Please note that this section only applies if your organization is not already using Microsoft RMS, or if the existing RMS Templates will be imported from RightsWATCH.
Before starting the product installation, the RightsWATCH team needs to ensure that the following requirements have been satisfied.
5.2.1. Server Specifications
Please specify the following data for the server to be installed:
☐ Will you use SSL (HTTPS) for AD-RMS installation (Y/N) ___
☐ Server FQDN: __________________________________________________________________________________________
(e.g. https://rms-server.company.com:443/)
5.2.2. Information Scopes
Please fill the following table with the information scopes to be configured for RightsWATCH. From Critical Software's experience, we recommend that, for trial purposes, you define no more than 2 or 3 information scopes.
| ID | Information Scopes | Allow unprotected content [4] |
|---|---|---|
| e.g.: | HR, Financial, Other. | X |
| 1 | CompanyX | X |
| 2 | DSI | - |
| 3 | | |
| 4 | | |

[4] Check this column to create a Public (no encryption) classification under this scope. This will allow users to classify information without applying encryption. Example: In the scope Commercial, along with the Templates already defined, a “Public” classification option would be displayed.

5.2.3. Classification Levels
Please fill the following table with the classification levels to be configured for RightsWATCH. From Critical Software's experience, we recommend that, for trial purposes, you define no more than 2 or 3 classification levels.

| Order [5] | Classification Levels | Brief Description [6] | AD-RMS Cache Period [7] |
|---|---|---|---|
| e.g.: 0 | Public, Internal, Secret. | Information for internal use of the | 0 days |
| 0 | 0-Public | No protection applied | N/A |
| 1 | 1-Internal | Internal information | 0 |
| 2 | 2-Confidential | Confidential information | 0 |
| 3 | 3-Restricted | Restricted information | 0 |
| 4 | | | |
| 5 | | | |

[5] This number (confidentiality order) determines the order in which the classifications appear on the end-user interface. Example: Public (0); Internal (1); Secret (2);
[6] This information will be displayed on the end-user interface and is intended to describe the application of this Level.
[7] The number of days before the client checks the AD-RMS server for new Rights. Example: if 1 day is set, the Rights for a specific user regarding a specific document are requested from the server every time 1 day passes from the initial check.

5.2.4. Roles Matrix
In order to have a classification rights matrix, the first task is to define Roles (User Groups) that shall have access to the information. Using the groups of users defined for RightsWATCH and the information scopes and classification levels defined above, please fill the following matrix. The RightsWATCH team is available to provide any help or clarifications you may need. Use F for Full Rights, N for No Rights and P for Partial Rights (to be defined later on). Blank cells will mean No Rights.
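| Users Groups | XPTO 1-Inte | XPTO 2-Conf | XPTO 3-Rest | DSI 1-Inte | DSI 2-Conf | DSI 3-Rest |
|---|---|---|---|---|---|---|
| E.g.: Group 1 | F | P | N | P | N | N |
| XPTO-GENERAL | F | F | F | N | N | N |
| XPTO-DSI | F | F | F | F | F | F |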
5.2.5. Checklist
Please check (X) that each of the following requirements is met.
☐ The Scopes and Classification levels are defined.
☐ The User Groups/Classifications matrix is defined.
6. HARDWARE REQUIREMENTS
Please note that this section only applies if your organization is not already using Microsoft RMS.
☐ The previously identified hardware requirements are met.
7. AUTOMATIC CLASSIFICATION OF E-MAILS
RightsWATCH provides the possibility to automatically classify e-mails based on their header information. This may be particularly
useful if you want to advise your users to classify information in a certain manner. For example, you might configure a classification
automation schema so that all e-mails with certain keywords on their subject are classified with a certain AD-RMS Template.
Please identify the Automatic Classification rules to apply to e-mails:
| Rule ID | E-mail Field(s) (select one of these: Subject/To/Cc/Bcc/AllTo/AllCc/AllBcc) | Condition (select one of these: Contains/Not Contains/Equals/Not Equals/RegEx) | Content | AD-RMS Template Name |
|---|---|---|---|---|
| e.g.: | Subject | Contains | budget | FINANCIAL-CONFIDENTIAL |
| e.g.: | AllTo | Contains | @yourdomain.com | GENERIC-INTERNAL |
| 1 | | | | |
| 2 | | | | |
| 3 | | | | |
| 4 | | | | |
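
A dry run of the rule table above, as an added example (not RightsWATCH code): it evaluates planned rules against constructed messages before they go into the form, and shows that the form's own `AllTo Contains @yourdomain.com` row also matches an address that merely contains that string, while an anchored RegEx row does not. Assumptions: Contains is a case-insensitive substring test, the All* fields require every address in the header to satisfy the condition, the first matching rule wins, and Python's `re` stands in for the product's regex engine.

```python
import re

# Selectable values copied from the form's table headers.
FIELDS = {"Subject", "To", "Cc", "Bcc", "AllTo", "AllCc", "AllBcc"}
CONDITIONS = {"Contains", "Not Contains", "Equals", "Not Equals", "RegEx"}

def _holds(condition, content, value):
    """Apply one condition to one header value (case-insensitive: assumption)."""
    v, c = value.lower(), content.lower()
    if condition == "Contains":
        return c in v
    if condition == "Not Contains":
        return c not in v
    if condition == "Equals":
        return v == c
    if condition == "Not Equals":
        return v != c
    return re.search(content, value, re.IGNORECASE) is not None  # RegEx

def rule_matches(rule, message):
    """rule = (field, condition, content, template); message = dict of headers."""
    field, condition, content, _template = rule
    if field not in FIELDS or condition not in CONDITIONS:
        raise ValueError(f"not selectable in the form: {field} / {condition}")
    if field.startswith("All"):
        # Assumption: AllTo/AllCc/AllBcc require EVERY address in that header to pass.
        values = message.get(field[3:], [])
        return bool(values) and all(_holds(condition, content, v) for v in values)
    values = message.get(field, [])
    if isinstance(values, str):
        values = [values]
    return any(_holds(condition, content, v) for v in values)

def classify(rules, message):
    """Return the template of the first matching rule (assumption), else None."""
    for rule in rules:
        if rule_matches(rule, message):
            return rule[3]
    return None

# The two example rows from the form.
FORM_RULES = [
    ("Subject", "Contains", "budget", "FINANCIAL-CONFIDENTIAL"),
    ("AllTo", "Contains", "@yourdomain.com", "GENERIC-INTERNAL"),
]
# Same intent, with the recipient rule anchored to the end of the address.
ANCHORED_RULES = [
    FORM_RULES[0],
    ("AllTo", "RegEx", r"@yourdomain\.com$", "GENERIC-INTERNAL"),
]

# Constructed sample messages (not taken from any real mailbox).
INTERNAL = {"Subject": "Lunch", "To": ["ana@yourdomain.com", "rui@yourdomain.com"]}
LOOKALIKE = {"Subject": "Lunch",
             "To": ["ana@yourdomain.com", "bob@yourdomain.com.partner.example"]}

if __name__ == "__main__":
    for name, msg in (("internal", INTERNAL), ("lookalike", LOOKALIKE)):
        print(name, classify(FORM_RULES, msg), classify(ANCHORED_RULES, msg))
```
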