Set Up PROTECT Server

This guide provides step-by-step instructions on configuring the GuardWare PROTECT Server on a Windows Server. It includes installing required dependencies like Microsoft Visual C++ Redistributable, MySQL, and Redis, installing the GuardWare PROTECT Server and the IIS Rewrite Module, and setting up the Azure Key Vault. Once all steps are completed, you’ll be able to access the GuardWare Management Console.

1. Prerequisites

Before proceeding, make sure the following requirements are met. Meeting these prerequisites helps avoid installation errors and ensures GuardWare PROTECT Server functions properly.

2. Pre-Installation Requirements

Before installing the GuardWare PROTECT Server, ensure the following dependencies are installed on your Windows Server in the order listed below. These components are necessary to support the core server functions and backend operations of PROTECT.

GuardWare will provide all required installer files for these components as part of the PROTECT Server installation package. You can also download the installer files from their official websites.

1. Microsoft Visual C++ Redistributable: Required to run applications built with Visual C++ libraries, including runtime components used by MySQL and its associated services.

2. MySQL: Serves as the database backend for PROTECT. It stores configuration details, encryption metadata, user profiles, and other operational data.

3. Redis: Used as an in-memory cache and message broker to support real-time processing and improve system performance.

2.1. Install Microsoft Visual C++ Redistributable

1. Download the installer file for Microsoft Visual C++ 2015-2022 Redistributable.

2. Double-click the Microsoft Visual C++ Redistributable installer file to begin the installation.

3. Read and agree to the license terms and conditions and click Install.

2.2. Install and Configure MySQL

1. Download the installer file for MySQL (v8.4.4).

   
2. Double-click the MySQL installer file to begin the installation and click Next.

3. Read and accept the End User Licence Agreement (EULA) and click Next.

4. When selecting the setup type, you have the option to choose the following:

   1. Typical: Installs the server, client, and essential tools quickly. Provides everything PROTECT needs without extra components.

   2. Complete: Includes all optional components, sample databases, and documentation.

   3. Custom: Lets you select only required components (server + client). Useful if you want to reduce disk usage, omit unnecessary tools, or deploy on a constrained system.

5. Select Typical and click Next.

   
6. Click Install to begin the installation.

   
7. Select Run MySQL Configurator to automatically launch the MySQL Configurator after clicking Finish.

   
8. If you did not select Run MySQL Configurator on MySQL Server Setup, search for MySQL Configurator on your PC and click Open to launch it.

1. Click Next on the Welcome screen.

1. Select a path to the data directory. By default, it will be installed in: C:\ProgramData\. Click Next.

1. In the Type and Networking window, select Server Computer as Config Type and note down the assigned Port number. Click Next.

   
2. Enter a password for the root account and click Next.

1. In Windows Service, enable Configure MySQL Server as a Windows Service and Start the MySQL Server at System Startup.

1. In Server File Permissions, select file permission as required for your environment, and click Next.

1. Skip sample database creation (not necessary for PROTECT).

2. Review the configuration summary and click Execute.

   
3. After the configuration is completed, click Next and click Finish.

   

2.3. Install Redis

1. Download the MSI installer file for Redis.

2. Double-click the Redis installer file to begin the installation, and click Next.

1. Read and accept the EULA and click Next.

2. Select the installation directory for Redis and click Next.

1. Enter the desired port number or leave the default value. Select Add an exception to the Windows Firewall to create a firewall rule in Windows Defender Firewall that allows inbound network traffic to the Redis server’s default port. Click Next.

1. Set the max memory limit to 1024 MB and click Next.

   
2. Click Install to begin the installation.

   

3. Set up Azure Key Vault

GuardWare PROTECT uses Azure Key Vault to store the encryption keys securely. Azure Key Vault is a cloud service that provides centralised, secure storage for secrets such as encryption keys, passwords, certificates, and connection strings. By integrating with Azure Key Vault, GuardWare PROTECT ensures that encryption keys are never exposed within the application environment and remain under strict access control.

To set up Azure Key Vault, you need to do the following in the Azure Portal:

1. Register an Application

2. Create a Key Vault

3. Assign RBAC Roles to Service Principal

Ensure that you sign in to the Azure Portal with an account that has the necessary admin permissions (such as Global Administrator or Key Vault Administrator) before proceeding.

During this process, make sure to note down and securely store the following details, as they will be required later while setting up the PROTECT server:

• Azure Tenant ID

• Azure Client ID

• Azure Client Secret

• Azure Subscription ID

• Azure Key Vault Name

• Resource group

3.1. Register an Application (Service Principal)

A Service Principal provides an identity for GuardWare PROTECT Server to authenticate with Azure services. It acts as a secure, application-level account that allows GuardWare PROTECT Server to access the Azure Key Vault without requiring a user’s credentials.

1. Go to the Azure Portal and sign in with your Azure Administrator account.

2. Navigate to Microsoft Entra ID.

1. Click +Add, and select App registration.

1. Configure:

   1. Name: Enter a user-facing descriptive display name (e.g., GWProtectApp).

   2. Supported account types: Select Accounts in this organizational directory only (Single tenant).

   3. Redirect URI: Leave empty for service-to-service authentication.

1. Click Register.

After registration is complete, you will get the Application (client) ID and Directory (tenant) ID in the Overview page. Copy and store them in a secure place. These are the AZURE CLIENT ID and AZURE TENANT ID that you’ll need to set up PROTECT Server.

3.1.1. Create Client Secret

A Client Secret acts like a password for the Service Principal and is used by GuardWare PROTECT to authenticate securely with Azure Active Directory. The Client Secret is required during initial configuration to establish a trusted connection with Azure Key Vault and enable GuardWare PROTECT to retrieve encryption keys when needed.

1. In the Overview page, click Add a certificate or secret.

1. Click + New client secret.

2. Configure:

   1. Description: Enter a description for the Client Secret.

   2. Expires: Select an expiration date for the Client Secret.

3. Click Add. Copy and securely store the Client Secret Value (not the Secret ID). It will no longer be visible after you close the window. This is the AZURE CLIENT SECRET that you’ll need to set up the PROTECT Server.

3.1.2. Required API Permissions

GuardWare PROTECT needs specific Microsoft Graph API permissions to authenticate with Azure AD, securely access encryption keys stored in Azure Key Vault, and integrate with Microsoft Information Protection (MIP) for file labelling and encryption.

1. Navigate to API Permissions and click Add a permission.

1. Under Microsoft APIs, click Microsoft Graph.

1. Select Application permissions.

1. Search and select the following permissions and click Add permissions.

   1. User.Invite.All: Invite guests to the organisation

   2. User.Read.All: Read all users’ profiles for registration

1. Click Add a permission again and click APIs my organization uses.

2. Search and select Microsoft Information Protection Sync Service.

   
3. Click Application permissions.

4. Search and select the following permission and click Add permissions.

   1. UnifiedPolicy.Tenant.Read: Read all unified policies of the tenant

      
5. Click Add a permission again and under Microsoft APIs, click Azure Rights Management Services.

   
6. Click Application permissions.

7. Search and select the following permissions and click Add permissions.

   1. Content.SuperUser: Read all protected content for this tenant

   2. Content.Writer: Create protected content

   3. Content.DelegatedWriter: Create protected content on behalf of a user

      
8. After adding these permissions, click Grant admin consent for [Your Organisation] to authorise them for your tenant.

   

3.2. Create a Key Vault

Azure Key Vault is where GuardWare PROTECT securely stores and manages the encryption keys used for data protection. By creating a dedicated Key Vault, you ensure sensitive keys remain under strict access control and are available only to the authorised Service Principal.

1. Go to the Azure Portal, sign in with your Azure Administrator account, and search for Key vaults and click the first result.

   
2. Click +Create.

1. In Basics, configure:

   1. Subscription: Select your subscription.

   2. Resource group: Choose existing or create new. Copy and store the Resource group name; you’ll need it to set up PROTECT Server.

   3. Key vault name: Enter a unique name (e.g., gwprotect-vault-prod). Copy the name and store it securely. This is the AZURE KEY VAULT NAME that you’ll need to set up PROTECT Server.

   4. Region: Select the appropriate region.

   5. Pricing tier: Select your pricing.

1. Click Next.

2. In Access configuration, configure:

   • Permission model: Select Azure role-based access control.

1. Click Review + Create and then click Create. The Create button may appear disabled for a few moments while Azure validates your configuration.

2. After creating the Key vault, go to the Key vaults Overview page, and copy the Subscription ID and store it securely. This is the AZURE SUBSCRIPTION ID that you’ll need to set up PROTECT Server.

   

3.3. Assign RBAC Roles to Service Principal

After creating the Service Principal, you must assign the required Role-Based Access Control (RBAC) roles, so GuardWare PROTECT can securely access the Key Vault, manage key operations, and control resource-level permissions when needed. These roles ensure the Service Principal has the minimum permissions necessary to perform encryption, decryption, and access management tasks without exposing broader access.

3.3.1. Assign the Key Vault Administrator role

This role is required so the Service Principal can fully manage the Key Vault, including creating, updating, deleting, and recovering keys, secrets, and certificates.

1. Navigate to the Key Vault that you created and click Access control (IAM).

2. Click Add and then Add role assignment.

3. Search and select the Key Vault Administrator role and click Next.

4. In Assign access to, select User, group, or service principal.

5. Click + Select members, search and select your registered application (eg, GWProtectApp).

6. Click Next and then Review + assign.

   

3.3.2. Assign the User Access Administrator role

This role is required so the Service Principal can manage access permissions on the resource. With this role, it can grant, modify, or revoke user and service access when needed, ensuring the correct identities have the appropriate permissions.

1. Navigate to the Key Vault that you created and click Access control (IAM).

2. Click Add and then Add role assignment.

3. Click Privileged administrator roles.

4. Search and select the User Access Administrator role and click Next.

   
5. In Assign access to, select User, group, or service principal.

6. Click + Select members, search and select your registered application (eg, GWProtectApp).

   
7. Click Next.

8. In What user can do, select the second option: Allow user to assign all roles except privileged administrator roles Owner, UAA, RBAC (Recommended) and click Next.

   
9. Click Review + assign.

3.3.3. Assign the Role-Based Access Control Administrator

This role is required so the Service Principal can not only access the Key Vault, but also update or manage key-related permissions within the resource when necessary.

1. Navigate to the Key Vault that you created and click Access control (IAM).

2. Click Add and then Add role assignment.

3. Click Privileged administrator roles.

   
4. Search and select the Role Based Access Control Administrator role and click Next.

5. In Assign access to, select User, group, or service principal.

6. Click + Select members, search and select your registered application (eg, GWProtectApp).

   
7. Click Next.

8. In What user can do, select the second option: Allow user to assign all roles except privileged administrator roles Owner, UAA, RBAC (Recommended) and click Next.

   
9. Click Review + assign.

4. Install the PROTECT Server

The GuardWare PROTECT Server Setup prepares the runtime environment for PROTECT by installing supporting services and dependencies.

1. Double-click the PROTECT Server installer file to begin the installation, and click Next.

   
2. Read and accept the End User Licence Agreement (EULA) and click Next.

   
3. Choose the folder where you want to install GuardWare PROTECT Server and click Next. By default, it will be installed in: C:\Program Files (x86)\.

   
4. Select the location where you want to install IIS, and click Next.

   
5. On the Database Connection Setting page, fill in the required fields and click Next.

   1. Enter the same DB Host, DB Port, DB Username, and DB Password that you used during the MySQL installation.

      1. DB Host: localhost

      2. DB Port: 3306 (default)

      3. DB Name:

         • If you want to create a new database, enter a unique name and select Fresh Installation.

         • If you have already created a database, enter the existing database name, and select Database Exists to connect PROTECT to an existing MySQL database. This option is usually selected during upgrades or when combining reports in a single database; however, it may modify or remove existing data, so make a backup of the database beforehand.

      4. DB Username: root (default)

      5. DB Password: Enter the password that you used while installing MySQL.

   2. Click Test Connection to check whether the entered information is valid or not. After the successful connection, click OK in the confirmation box and click Next.

      

Database hostnames in MySQL are not case-sensitive. For example, localhost, LocalHost, and LOCALHOST will all connect to the same server.

Database names on Windows are also not case-sensitive, so variations in letter case (e.g., PROTECT vs. protect) will still point to the same database. However, MySQL usernames and passwords are always case-sensitive, so ensure that you enter them exactly as configured.

1. In the Super Admin Credential window, enter the Super Admin’s name, email, password, confirm password, and click Next. The Super Admin will be required to change this password upon first sign-in.

   

These Super Admin credentials are required to log in to the GuardWare PROTECT Management Console, so store them securely.

1. In Protocol, select https.

2. Enter the domain name that you would like the IIS to access. You can have the following domain name formats:

1. When selecting https protocol, you must select an SSL Certificate. This certificate may be self-signed or issued by a Certificate Authority. If you select a self-signed certificate, you must bind it to IIS for encrypted communication. For details on creating a self-signed certificate, see Create a Self-Signed Certificate. For details on binding a self-signed certificate, see Create an SSL Binding.

   
2. If the certificate file (e.g., .pfx) is password-protected, enter the same password in Certificate Password and click Next.

3. Follow the steps provided in Set up Azure Key Vault to configure AKV Handler.

4. In AKV Handler, enter the following details you noted while setting up Azure Key Vault.

   1. AZURE TENANT ID= "your-tenant-id"

   2. AZURE CLIENT ID= "your-client-id"

   3. AZURE CLIENT SECRET= "your-client-secret"

   4. AZURE SUBSCRIPTION ID= "your-subscription-id"

   5. AZURE KEY VAULT NAME= "your-key-vault-name"

   6. API HOST= localhost

   7. API PORT= 8000 To check if port 8000 is already in use:

      1. Open Command Prompt.

      2. Run the following command:

         This command helps identify if another process is already using port 8000. If the port is occupied, you may need to stop the conflicting service or choose a different available port.

      After entering all details, click Next.

5. Click Install to start the installation process. This may take a few minutes.

Once the setup is complete, the GuardWare PROTECT Management Console should launch automatically at https://localhost/gwapp/login. If you encounter an error at this stage, it is likely due to the missing IIS URL Rewrite Module. This module is required to correctly process incoming web requests and route them to the appropriate application paths. Installing the module will resolve the error and allow the console to load as expected. See Install the IIS URL Rewrite Module for details on installing it.

5. Post-Installation Requirement

Once the PROTECT Server setup is successfully completed, you must install the IIS URL Rewrite Module. The IIS URL Rewrite Module is an add-on for Internet Information Services (IIS) that allows you to create rules for manipulating URLs, such as rewriting requests internally, redirecting traffic, enforcing HTTPS or canonical domains, and mapping clean, user-friendly URLs to backend query strings. The module ensures that all incoming requests are properly routed through index.php, allowing Laravel’s internal router to handle application paths and APIs.

5.1. Install the IIS URL Rewrite Module

1. Download the installer file for the IIS URL Rewrite Module.

2. Double-click the IIS URL Rewrite Module installer file to begin the installation.

3. Read and accept the Licence Agreement terms and click Install.

1. Click Finish to exit the Setup Wizard.

6. Log in to the GuardWare PROTECT Management Console

After completing the setup, you can access the GuardWare PROTECT Management Console from a web browser at https://localhost/gwapp/login.

1. Log in using the Super Admin credentials.

2. On your first login, you will be prompted to set up two-factor authentication (2FA) using an Authenticator app on your mobile device. Open the Authenticator app and scan the QR code displayed on the screen.

3. Enter the verification code generated by the app.

4. Read and accept the End User Licence Agreement (EULA).

5. You will now be prompted to create a new password. Enter and confirm the new password.

6. Once the password is updated, you’ll again be asked to enter the verification code from the Authenticator app. Enter the code and log in using your newly created password to access the GuardWare PROTECT Management Console.

   

7. Enable the AIP Service for MIP

Before GuardWare PROTECT can use Microsoft Information Protection (MIP) for file sharing, the Azure Information Protection (AIP) service must be active in your tenant. The AIP service manages the encryption and labelling framework used by MIP to protect files. You can enable and verify the AIP service by running a few PowerShell commands with administrative privileges.

To use AIP/MIP labelling, your organisation must have a supported Microsoft Purview licence (such as Microsoft 365 E3/E5, Azure Information Protection P1/P2, or Microsoft Purview Information Protection).

1. Open PowerShell as an administrator.

2. Run the following commands in order:

If the service status returns Enabled, MIP is ready for use with PROTECT.

If the service status returns Disabled, run the following command to enable the service:

Your PROTECT Server is now successfully set up. You can start managing security groups, users, user policies, user access, authorised applications and websites through the PROTECT Management Console.