PGP Endpoint - 4.4 SR1 Setup Guide

Download

Setup Guide

PGP Endpoint 4.4 SR1

02_102P 4.4 SR1 Setup Guide

- 2 -

Notices

Version Information

PGP Endpoint Setup Guide - PGP Endpoint Version 4.4 SR1 - Released: August 2009 Document Number: 02_102P_4.4 SR1_092391000

Copyright© 1991-2009 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.

Trademark Information

PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

Licensing and Patent Information

The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royaltyfree basis for commercial and non-commercial uses. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support (http://www.pgp.com/support). PGP Corporation may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents.

Acknowledgements

This product includes or may include:

• The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation, developed by zlib (http://www.zlib.net). • Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright © 2007 by the Open Source Initiative. • bzip2 1.0, a freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005. • Application server (http://jakarta.apache.org/), web server (http://

- 3 -

PGP Endpoint

www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML, developed by the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt. • Castor, an open-source, databinding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html.

• Xalan, an open-source software library from the Apache Software Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1. • Apache Axis is an implementation of the SOAP (“Simple Object Access Protocol”) used for communications between various PGP products is provided under the Apache license found at http://www.apache.org/licenses/ LICENSE-2.0.txt. • mx4j, an open-source implementation of the Java Management Extensions (JMX), is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html.

• jpeglib version 6a is based in part on the work of the Independent JPEG Group. (http://www.ijg.org/)

• libxslt the XSLT C library developed for the GNOME project and used for XML transformations is distributed under the MIT License http://www.opensource.org/licenses/mit-license.html. • PCRE version

4.5 Perl regular expression compiler, copyrighted and distributed by University of Cambridge. ©1997-2006. The license agreement is at http://www.pcre.org/license.txt. • BIND Balanced Binary Tree Library and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org) • Free BSD implementation of daemon developed by The FreeBSD Project, © 1994-2006. • Simple Network Management Protocol Library developed and copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001- 2003, Cambridge Broadband Ltd.© 2001- 2003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, © 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/license.html. • NTP version 4.2 developed by Network Time Protocol and copyrighted to various contributors. • Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html. • Secure shell OpenSSH version 4.2.1 developed by OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at http://www.openbsd.org/cgibin/cvsweb/src/usr.bin/ssh/LICENCE? rev=HEAD. • PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released under the BSD license. • Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at http://www.opensource.org/licenses/ibmpl.php. • PostgreSQL, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence. • PostgreSQL JDBC driver, a free Java program used to connect to a PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a BSD-style license, available at http://jdbc.postgresql.org/license.html. • PostgreSQL Regular Expression Library, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence. • 21.vixie-cron is the Vixie version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission. • JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL) available at http://www.jacorb.org/lgpl.html. Copyright © 2006 The JacORB Project. • TAO (The ACE ORB) is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/~schmidt/ ACEcopying. html. • libcURL, a library for downloading files via common network services, is open source

- 4 -

software provided under a MIT/X derivate license available at http://curl.haxx.se/docs/copyright.html. Copyright (c) 1996 - 2007, Daniel Stenberg. • libuuid, a library used to generate unique identifiers, is released under a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/ COPYING. Copyright (C) 1996, 1997 Theodore Ts’o. • libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at http://directory.fsf.org/ libs/COPYING.DOC. Copyright © 2000-2003 Free Software Foundation, Inc. • gSOAP, a development tool for Windows clients to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the GNU Public License, available at http://www.cs.fsu.edu/~engelen/soaplicense.html.

• Windows Template Library (WRT) is used for developing user interface components and is distributed under the Common Public License v1.0 found at http://opensource.org/licenses/cpl1.0.php. • The Perl Kit provides several independent utilities used to automate a variety of maintenance functions and is provided under the Perl Artistic License, found at http://www.perl.com/pub/a/language/misc/Artistic.html.

Export Information

Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.

Limitations

The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.

Notices

- 5 -

PGP Endpoint

- 6 -

Preface: About This Document..................................................................9

Typographical Conventions............................................................................................ 9

Getting Assistance..........................................................................................................9

Chapter 1: Planning Your Installation.....................................................11

Recommended Security Rules.....................................................................................11

System Requirements...................................................................................................13

Minimum Hardware Requirements........................................................................13

Supported Operating Systems..............................................................................14

Supported Databases............................................................................................15

Other Software Requirements...............................................................................16

Recommended Configuration................................................................................16

Client Supported Languages.................................................................................17

Licensing PGP Endpoint Products............................................................................... 18

Chapter 2: Installing PGP Endpoint Components..................................19

Installation Overview.....................................................................................................20

Installation Checklist.....................................................................................................21

Installing the PGP Endpoint Database.........................................................................23

Generating a Key Pair..................................................................................................26

Installing the Administration Server .............................................................................28

Installing the PGP Endpoint Management Server Console .........................................39

Installing the PGP Endpoint Client...............................................................................43

Chapter 3: Upgrading PGP Endpoint Components................................53

Upgrade Overview........................................................................................................54

Upgrading the PGP Endpoint Database...................................................................... 55

Upgrading the PGP Endpoint Administration Server....................................................60

Upgrading the PGP Endpoint Management Server Console ...................................... 64

Upgrading the PGP Endpoint Client.............................................................................66

- 7 -

Table of Contents

Chapter 4: Installation Checklist..............................................................73

Chapter 5: Using the Tool........................................................................ 75

Appendix A: Configuring DCOM Settings for the Administration Server91

Installation Checklist.....................................................................................................73

PGP Endpoint Client Deployment Window..................................................................76

Packages Panel.....................................................................................................76

Packages Menu.....................................................................................................77

Computers Panel...................................................................................................78

Computers Menu...................................................................................................78

Creating Deployment Packages...................................................................................79

Adding Computers........................................................................................................82

Deploying Packages.....................................................................................................84

Querying Client Status..................................................................................................88

Setting Up Distributed Component Object Model (DCOM)..........................................91

Set Access Control List Security Permissions............................................................. 95

Appendix B: Installing the Client for Windows XP Embedded..............99

Windows XPe Client Limitations.................................................................................100

Supported Devices......................................................................................................100

Installing the Client for Windows XPe........................................................................100

- 8 -

Preface

About This Document

This Setup Guide is a resource written for all users of PGP Endpoint 4.4 SR1. This document defines the concepts and procedures for installing, configuring, implementing, and using PGP Endpoint 4.4 SR1.

Tip:

PGP documentation is updated on a regular basis. To acquire the latest version of this or any other published document, please refer to the PGP Support Portal Web Site (https://

support.pgp.com).

Typographical Conventions

The following conventions are used throughout this documentation to help you identify various information types.

Convention Usage bold Buttons, menu items, window and screen objects.

bold italics Wizard names, window names, and page names.

italics New terms, options, and variables. UPPERCASE SQL Commands and keyboard keys. monospace File names, path names, programs, executables, command

syntax, and property names.

Getting Assistance

Getting Product Information

Unless otherwise noted, the product documentation is provided as Adobe Acrobat PDF files that are installed with PGP Endpoint. Online help is available within the PGP Endpoint product. Release notes are also available, which may have last-minute information not found in the product documentation.

- 9 -

Preface

Contacting Technical Support

• To learn about PGP support options and how to contact PGP Technical Support, please visit the PGP Corporation Support Home Page (http://www.pgp.com/support).

• To access the PGP Support Knowledge Base or request PGP Technical Support, please visit PGP Support Portal Web Site (https://support.pgp.com).

Note:

You may access portions of the PGP Support Knowledge Base without a support agreement; however, you must have a valid support agreement to request Technical Support.

• For any other contacts at PGP Corporation, please visit the PGP Contacts Page (http://

www.pgp.com/company/contact/index.html).

• For general information about PGP Corporation, please visit the PGP Web Site (http://

www.pgp.com).

• To access the PGP Support forums, please visit PGP Support (http://

forums.pgpsupport.com). These are user community support forums hosted by PGP

Corporation.

- 10 -

Chapter

Planning Your Installation

In this chapter:

• Recommended Security

Rules

• System Requirements

• Licensing PGP Endpoint

Products

To assist in gathering the information required for a smooth installation, PGP recommends that you use the Installation

Checklist on page 21.

Recommended Security Rules

PGP recommends that you define certain administrative security rules before installing PGP Endpoint.

The recommended security settings are specific to Microsoft® Windows® and complement operation of PGP Endpoint.

Table 1: Recommended Security Rules

Security Rule Description

Hard Disk Encryption Encrypts computer disk drives to prevent

unauthorized user access to the computer hard disk drive.

Password Protect the BIOS Prevents administrative user access when using a

CMOS reset jumper, in combination with password protection for the BIOS and seal/chassis intrusion protection.

Seal/Chassis Intrusion Protector Uses seal and/or chassis intrusion protection

hardware to prevent administrative user access using an external boot device to bypass workstation security software.

- 11 -

PGP Endpoint

Security Rule Description

Administrative Rights Remove local users from the local Administrators

Power Users Remove local users from the Power Users group

Access Policy Restrict network and file access as much as

NTFS Partition Use of NTFS partitioning is required for installation

Recovery Console Password protect user access to the Recovery

Service Pack and Hot Fixes Always install the latest service packs and hot

group to prevent unrestricted local user computer access.

to prevent users from tampering or bypassing standard Windows security policies.

possible, including use restriction only to NTFS partitions.

of PGP Endpoint product solutions.

Console, which is available for the Windows DVD/ CD-ROM or MSDN subscription.

fixes for the operating system supported by PGP Endpoint product solutions.

Firewalls Use traditional perimeter-based security systems,

like firewalls, to complement PGP Endpoint product

solutions. Password Policies Maintain strong password security policies. Private and Public Key Generation Deploy PGP Endpoint product solutions using

secure public and private key pairs.

- 12 -

Planning Your Installation

System Requirements

The following sections describe the minimum system requirements necessary for successful installation of PGP Endpoint 4.4 SR1 and the languages supported by the client.

Important: For installation or upgrade to PGP Endpoint version 4.4 SR1:

• You must have a new license file that is valid specifically for version 4.4.

• Existing license files issued before PGP Endpoint version 4.4 will not work with the PGP Endpoint Administration Server and may cause your Administration Servers to stop working. The PGP Endpoint 4.4 license must be installed before you install or upgrade the PGP Endpoint database, and then the Administration Server.

• Request a new license file using the Downloads tab on the PGP Licensing and Entitlement

Management System (LEMS) ( https://lems.pgp.com/account/login) .

Minimum Hardware Requirements

The minimum PGP Endpoint hardware requirements depend upon your service network environment, including the type of database supported, the number of Administration Servers you need support a distributed network, and the number of subscribed clients.

The hardware requirements for PGP Endpoint 4.4 SR1 vary depending upon the number of servers and clients you manage. The following minimum hardware requirements will support up to:

• 200 connected PGP Endpoint clients for PGP Endpoint Device Control

• 50 connected PGP Endpoint clients for PGP Endpoint Application Control

Table 2: Minimum Hardware Requirements

PGP Endpoint Component Requirement

Database

Administration Server

• 1 GB (4 GB recommended) memory

•

Pentium® Dual-Core CPU processor or AMD equivalent

• 3 GB minimum hard disk drive

• 100 MBits/s NIC

• 512 MB (1 GB recommended) memory

•

Pentium® Dual-Core CPU or AMD equivalent

• 3 GB minimum hard disk drive

• 100 MBits/s NIC

- 13 -

PGP Endpoint

PGP Endpoint Component Requirement

Management Server Console

Client

• 512 MB (1 GB recommended) memory

• 15 MB hard disk drive for installation, and 150 MB additional for application files

• 1024 by 768 pixels for display

• 256 MB (1 GB recommended) memory

• Pentium Dual-Core CPU or AMD equivalent

• 10 MB hard disk drive for installation, and several additional GB for full shadowing feature of PGP Endpoint Device Control

• 100 MBits/s NIC

Supported Operating Systems

PGP Endpoint supports multiple Microsoft Windows operations systems for the Administration Server, Management Server Console, database, and client.

The operating system requirements for PGP Endpoint 4.4 SR1 components are outlined as follows.

Table 3: Operating System Requirements

PGP Endpoint Component Requirement

Database

One of the following:

•

Microsoft Windows ® XP Professional Service Pack 2 or higher (SP2+) (32-bit)

• Microsoft Windows XP Service Pack 2 (SP2) (64-bit)

•

Microsoft Windows Server® 2003 Service Pack 2 (SP2) (32- and 64-bit)

• Microsoft Windows Server 2008 (32-bit and 64-bit)

• Microsoft Windows Server 2008 R2 (64 bit only)

Administration Server One of the following:

• Microsoft Windows Server 2003 SP2 (32-bit)

• Microsoft Windows Server 2008 (32-bit and 64-bit)

• Microsoft Windows Server 2008 R2 (64 bit only)

- 14 -

PGP Endpoint Component Requirement

Management Server Console One of the following:

• Microsoft Windows XP Professional SP2+ (32-bit)

• Microsoft Windows Server 2003 SP2 (32-bit)

• Microsoft Windows Server 2008 (32-bit and 64-bit)

• Microsoft Windows Server 2008 R2 (64 bit only)

•

Microsoft Windows Vista™ SP1+ (32- and 64-bit)

• Microsoft Windows 7 (32- and 64-bit)

Client One of the following:

•

Microsoft Windows® Server 2000 Service Pack 4 or higher (SP4+) (32-bit)

• Microsoft Windows 2000 Professional SP4+ (32-bit)

• Microsoft Windows XP Professional Service Pack 2 or higher (SP2+) (32- and 64-bit)

• Microsoft Windows Server 2003 SP2 (32- and 64-bit)

• Microsoft Windows Server 2008 (32-bit and 64-bit)

• Microsoft Windows Server 2008 R2 (64 bit only)

• Microsoft Windows Vista SP1+ (32- and 64-bit)

• Microsoft Windows 7 (32- and 64-bit)

• Microsoft Windows XP Embedded (XPe) Service Pack 2 (SP2) (32-bit)

• Microsoft Windows Embedded Point of Service (WEPOS) (32-bit)

• Microsoft Windows XP Tablet PC Edition (32-bit)

•

Citrix Access Gateway™ 4.5

•

Citrix Presentation Server™ 4.0 for Windows Server 2003 SP1/SR2+ (32-bit)

• Citrix Presentation Server 4.5 for Windows Server 2003 SP1/SR2+ (32- and 64-bit)

Planning Your Installation

Supported Databases

PGP Endpoint supports multiple releases of Microsoft® SQL Server® . You should choose the database instance required by your network operating environment and the number of Administration Server s and subscribed clients the application must support.

The database requirements for PGP Endpoint 4.4 SR1 components are outlined as follows.

- 15 -

PGP Endpoint

Table 4: Database Requirements

PGP Endpoint Component

Database One of the following:

Requirement

•

Microsoft SQL Server® 2005 Service Pack 2 or higher (SP2+) (32-bit and 64-bit)

• Microsoft SQL Server 2005 Express Edition SP2+ (32-bit and 64-bit)

• Microsoft SQL Server 2008

• Microsoft SQL Server 2008 Express Edition

Other Software Requirements

The PGP Endpoint 4.4 SR1 release requires the following additional software. Additional software requirements for PGP Endpoint 4.4 SR1 components are outlined as

follows.

Table 5: Other Software Requirements

PGP Endpoint Component Requirement

Database No additional software requirements. Administration Server

Install Microsoft® Certificate Authority for PGP Endpoint Device Control encryption, if you will be encrypting Windows user accounts. See Microsoft Certificate Authority (http://

technet.microsoft.com/en-us/library/cc756120.aspx) for

additional information about certificates. Management Server Console Microsoft Visual C++ 2008 Redistributable Package. Client No additional software requirements.

Recommended Configuration

To maximize PGP Endpoint 4.4 SR1 for operation in a Microsoft Windows environment, you should configure your network environment database and client components using the following suggested configurations.

The recommended configurations for PGP Endpoint 4.4 SR1 components are outlined as follows. These settings represent the usual default settings, but should be confirmed before beginning PGP Endpoint installation.

- 16 -

Table 6: Recommended Configuration

PGP Endpoint Component Requirement

Planning Your Installation

Database

Administration Server None recommended. Management Server Console None recommended. Client

• Change the Windows Event Viewer settings to 1024 KB and choose to overwrite events as necessary.

• Change Windows Performance settings to prioritize for background applications.

• If you are using Active Directory, configure a corresponding Domain Name System (DNS) server as Active Directory (AD) integrated and create a reverse lookup zone, to provide for name resolution within the PGP Endpoint Management Server Console.

• Configure NIC to receive IP from DHCP service.

• Change the Windows Event Viewer settings to 1024 KB and choose to overwrite events as necessary.

Client Supported Languages

The PGP Endpoint 4.4 SR1 client supports multiple languages in text format. The PGP Endpoint 4.4 SR1 client is supported in the following languages:

• English

• French

• Italian

• German

• Spanish

• Japanese

• Simplified Chinese

• Traditional Chinese

• Russian

• Dutch

• Portuguese

• Swedish

- 17 -

PGP Endpoint

Licensing PGP Endpoint Products

The following types of licenses are available for PGP Endpoint product solutions:

• An Evaluation License provides you with a fully functioning PGP Endpoint product solution for a limited time.

• A Perpetual License provides full capacity for an unlimited period.

• A Subscription License provides full capacity for the time period specified by the terms of your license.

- 18 -

Chapter

Installing PGP Endpoint Components

In this chapter:

• Installation Overview

• Installation Checklist

• Installing the PGP

Endpoint Database

• Generating a Key Pair

• Installing the

Administration Server

• Installing the PGP

Endpoint Management Server Console

• Installing the PGP

Endpoint Client

Successful installation of PGP Endpoint 4.4 SR1 requires you to install components in the following order:

1. Install the database.

2. Generate and save a public and private key pair.

This action is not required, however, PGP strongly recommends the use of a public-private key pair to provide the highest level of security.

3. Install the Administration Server(s).

4. Install the Management Server Console.

5. Install and deploy the client.

- 19 -

PGP Endpoint

Installation Overview

PGP Endpoint component installation requires that you follow a series of interdependent tasks in a prescribed order. Before you begin, you must have a valid license key for each software application(s) that your are installing.

Use the following process to identify tasks for installing components installing PGP Endpoint 4.4 SR1, for your convenience this process refers to the Installation Checklist on page 21.

Figure 1: PGP Endpoint Product Solution Installation Process Flow

- 20 -

Installing PGP Endpoint Components

Installation Checklist

The installation checklist outlines the detailed tasks that you must perform when installing the Application Control and Device Control solutions.

This checklist guides you through the installation process.

Important: For installation or upgrade to PGP Endpoint version 4.4 SR1:

• You must have a new license file that is valid specifically for version 4.4.

• Request a new license file using the Downloads tab on the PGP Licensing and Entitlement

Management System (LEMS) ( https://lems.pgp.com/account/login) .

To begin your installation:

1. Copy the PGP Endpoint license file to the \\Windows\System32 or \\Windows\SysWOW64 folder, and rename the file to Endpoint.lic . The license file may be installed after installing the database, however, the license file must installed before installing the Administration Server .

2. Download the PGP Endpoint application software from the PGP Licensing and Entitlement

Management System (LEMS) ( https://lems.pgp.com/account/login) .

3. Create a device, media, or software application inventory which lists the items that you want PGP Endpoint 4.4 SR1 to control.

4. Document company policy that defines:

• Device permissions.

• Shadowing requirements.

• Device encryption requirements.

• PGP Endpoint administrators and their roles.

• Global domain groups for PGP Endpoint administrators.

5. Plan your PGP Endpoint network architecture, based on capacity requirements, that list the PGP Endpoint Administration Server host names and IP addresses.

6. Create a dedicated Administration Server domain user rights service account and set the following:

• User cannot change password .

• Password never expires .

- 21 -

PGP Endpoint

The domain account must have local administration rights when you plan to use the TLS communication protocol for client- Administration Server and inter- Administration Server data transfers.

7. Create Impersonate a client after authentication user rights for the Administration Server . See Impersonate a Client After Authentication ( http://support.microsoft.com/kb/821546 ) for additional information about impersonating a client after authentication user rights.

8. Verify that the Administration Server domain account has Log on as a service user rights. See Add the Log on as a service right to an account ( http://technet.microsoft.com/en-us/

library/cc739424(WS.10).aspx ) for additional information about logging on as a service user

rights.

Install Microsoft® Internet Information Services on the same computer as the certification authority, otherwise the enterprise root certificate cannot be generated. See Internet

Information Services (IIS) ( http://www.iis.net ) for additional information about installing

Internet Information Services.

10.Install a Microsoft enterprise root certification authority to enable removable device encryption for PGP Endpoint Device Control . See Install a Microsoft enterprise root

certification authority ( http://technet.microsoft.com/en-us/library/cc776709.aspx ) for

additional information about installing an enterprise root certificate.

11.

Install a Microsoft SQL Server® . See Getting Started with SQL Server ( http://

msdn.microsoft.com/en-us/sqlserver/default.aspx ) for additional information about installing

a SQL server.

12.Complete Installing the PGP Endpoint Database on page 23 .

13.To install multiple Administration Server s, create a shared file directory on a file server to

share the Datafile directory component. This action is only required if you will be using more than one Administration Server .

14.Complete Generating a Key Pair on page 26 . This action is recommended, but not required.

15.Complete Installing the Administration Server on page 28 .

Important: The Administration Server service account must have database owner (DBO)

rights to the PGP Endpoint database.

16.Complete Installing the PGP Endpoint Management Server Console on page 39 .

17.Complete Installing the PGP Endpoint Client on page 43 .

18.Test your PGP Endpoint product solution installation for functionality.

- 22 -

Installing PGP Endpoint Components

Installing the PGP Endpoint Database

The PGP Endpoint database is the first component that you install. The database serves as the central repository for device permissions rules and executable file authorizations.

Prerequisites: Important: For installation or upgrade to PGP Endpoint version 4.4 SR1:

• You must have a new license file that is valid specifically for version 4.4.

• Request a new license file using the Downloads tab on the PGP Licensing and Entitlement

Management System (LEMS) ( https://lems.pgp.com/account/login) .

Before you can successfully install the PGP Endpoint database, you must:

• Verify that you satisfy the minimum hardware and software system requirements.

• If you will be using a database cluster, you must specify an alternate TDS port during SQL server setup. See Creating a Server Alias for Use by a Client (SQL Server Configuration

Manager) (http://msdn.microsoft.com/en-us/library/ms190445.aspx) for additional information

about creating a server alias. You can install the PGP Endpoint database on a server cluster, where there are at least two servers in the cluster running SQL Server. For additional information regarding database clustering, see Microsoft Cluster Service (MSCS) Installation

Resources (http://support.microsoft.com/kb/259267).

2. Close all programs running on the computer.

3. From the location where you saved the PGP Endpoint application software, run the \server

\db\setup.exe file.

Step Result: The Installation Wizard Welcome page opens.

- 23 -

PGP Endpoint

4. Click Next.

Step Result: The License Agreement page opens.

Figure 2: License Agreement Page

5. Review the license agreement and, if you agree, select I accept the terms in the license agreement.

6. Click Next.

Step Result: The Destination Folder page opens.

Figure 3: Destination Folder Page

7. You may choose an installation destination folder other than the default folder C:\Program Files\PGP Corporation\PGP Endpoint.

- 24 -

Installing PGP Endpoint Components

a) Click Change

Step Result: The Change Current Destination Folder page opens.

Figure 4: Change Current Destination Folder Page

b) Select a folder from the Look in: field. c) Click OK.

Step Result: The Change Current Destination Folder closes, and the Destination

Folder page changes to reflect the new location.

8. Click Next.

Step Result: The Ready to Install the Program page opens.

Figure 5: Ready to Install the Program Dialog

9. Click Install.

- 25 -

PGP Endpoint

A progress bar runs on the page, showing installation progress.

Step Result: The Completed page opens.

10.Click Finish.

Result: PGP Endpoint setup runs the SQL installation scripts and creates the PGP

Endpoint database for the SQL Server database instance that you specified.

Generating a Key Pair

The Administration Server uses a symmetric encryption system to communicate with a client, using a public-private key pair that you generate during installation.

The Administration Server and PGP Endpoint clients contain a embedded default public and private key pair that should only be used with an evaluation license. PGP provides a Key Pair Generator utility, which generates a key pair for fully licensed application installations. The key pair ensures the integrity for communication between the Administration Server and clients.

When an Administration Server cannot find a valid key pair at startup, the event is logged and PGP Endpoint uses the default key pair.

Caution: When you are using Device Control, do not change the key pair:

• For media encrypted before exchanging a key pair, which will result in disabling password recovery for the previously encrypted media.

• During a PGP Endpoint upgrade installation which will result in the loss of access to media previously encrypted centrally and subsequent loss of data.

• During a PGP Endpoint upgrade installation when client hardening is enabled, which will cause PGP Endpoint Application Control and PGP Endpoint Device Control installations to fail.

- 26 -

Installing PGP Endpoint Components

1. From the location where you saved the PGP Endpoint application software, run the server \keygen\keygen.exe file.

Step Result: The Key Pair Generator dialog opens.

Figure 6: Key Pair Generator Dialog

2. In the Directory field, enter the name of the temporary directory where you will save the key pair.

3. In the Seed field, type a random alphanumeric text string. This text is used to initiate the random number generator; the longer the text string the more

secure the key pair.

4. Click Create keys.

Step Result: The Key Pair Generator confirmation dialog opens.

Figure 7: Key Pair Generator Dialog

5. Click OK.

Step Result: You return to the Key Pair Generator dialog.

- 27 -

PGP Endpoint

6. Click Exit.

Result: The keys are saved as sx-private.key and sx-public.key files in the directory you

specified.

After Completing This Task:

Distribute the key pair by copying sx-private.key and sx-public.key files to the \\%windir% \system 32 directory on the computer(s) where you are installing the Administration Server. At

startup, the Administration Server searches all drive locations for a valid key pair, stopping at the first valid key pair.

Installing the Administration Server

The Administration Server processes PGP Endpoint client actions and is the only application component that connects to the database. One or more Administration Server s communicate

- 28 -

Installing PGP Endpoint Components

device and application control information between the PGP Endpoint database and PGP Endpoint client(s).

Prerequisites:

Before you can successfully install the Administration Server , you must:

• Verify that a valid PGP Endpoint license file is listed in the \Windows\System32 or \\Windows \SysWOW64 folder, and is name file to Endpoint.lic .

Important: For installation or upgrade to PGP Endpoint version 4.4 SR1:

• You must have a new license file that is valid specifically for version 4.4.

• Existing license files issued before PGP Endpoint version 4.4 will not work with the PGP

Endpoint Administration Server and may cause your Administration Servers to stop working. The PGP Endpoint 4.4 license must be installed before you install or upgrade the PGP Endpoint database, and then the Administration Server.

• Request a new license file using the Downloads tab on the PGP Licensing and

Entitlement Management System (LEMS) ( https://lems.pgp.com/account/login) .

• Verify that you satisfy the minimum hardware and software system requirements.

Restriction: If you are installing the PGP Endpoint Application Control Terminal Services

Edition, you must install the Administration Server on a computer separate from the Citrix

Metaframe® Presentation Server.

• Confirm that TCP port 33115 and UDP port 65229 (when using TLS protocol), or TCP port 65129 (when not using TLS protocol), are open. Depending upon how firewalls are setup in your environment, these ports may be closed.

• Configure the TCP/IP protocol to use a fixed IP address for the computer that runs the Administration Server .

• Configure the Administration Server host computer to perform fully qualified domain name (FQDN) resolution for the PGP Endpoint clients that the server manages. See How

to Configure the Intranet FQDN of Site Systems ( technet.microsoft.com/en-us/library/ bb694183.aspx ) for additional information about configuring to use DNS name resolution for

computers using FDQNs.

• Configure the Administration Server host computer account to read domain information using the Microsoft® Windows® Security Account Manager. See Security Account Manager (SAM) ( http://technet.microsoft.com/en-us/library/cc756748.aspx ) for additional information about the Microsoft Windows Security Account Manager.

• Synchronize the Administration Server system clock with the PGP Endpoint database using the Microsoft Windows time service. See Time Service ( http://support.microsoft.com/

kb/816042 ) for details about using the Microsoft Windows time service.

- 29 -

PGP Endpoint

1. Log in with administrative user access to the computer where you are installing the Administration Server .

Important: For Active Directory environments, log in using the dedicated Administration

Server domain user rights service account. The Administration Server installation process configures the Administration Server service account for access to the database.

2. Close all programs running on the computer.

3. From the location where you saved the PGP Endpoint application software, run \server\sxs

\setup.exe .

4. Click OK .

Step Result: The Installation Wizard Welcome page opens.

5. Click Next .

Step Result: The License Agreement page opens.

Figure 8: License Agreement Page

6. Review the license agreement and, if you agree, select I accept the terms in the license agreement.

- 30 -

Installing PGP Endpoint Components

7. Click Next .

Step Result: The Setup dialog opens when the setup process detects an operating system

that is subject to security changes concerning Remote Procedure Calls (RPC).

Figure 9: Setup Dialog

8. Click Yes .

Step Result: A confirmation dialog opens after the registry value is reset.

Figure 10: The Setup Dialog

9. Click OK .

Step Result: The Destination Folder page opens.

Figure 11: Destination Folder Page

- 31 -

PGP Endpoint

10.You may choose an installation destination folder other than the PGP Endpoint default folder C:\Program Files\PGP Corporation\PGP Endpoint .

a) Click Change .

Step Result: The Change Current Destination Folder page opens.

Figure 12: Change Current Destination Folder Page

b) Select a folder from the Look in: field. c) Click OK .

Step Result: The Change Current Destination Folder closes, and the Destination

Folder page changes to reflect the new location.

- 32 -

11.Click Next .

Step Result: The Service Account page opens.

Figure 13: Service Account Page

Installing PGP Endpoint Components

12.Type the name of the user or domain in the User Account field for access to the Administration Server .

Enter domain account information using the Domain\User format, and local account information using the Computer\User format. PGP Endpoint supports use of standard NetBIOS computer names up to fifteen (15) characters long.

Tip: This is the user name that you created when you configured the domain service

account for the Administration Server .

13.In the Password field, type the user account access password.

- 33 -

PGP Endpoint

14.Click Next .

Step Result: The Database Server page opens.

Figure 14: Database Server Page

15.Type the name of the database instance for the Administration Server connection, using the servername\instancename format.

The default database instance is automatically populated, when installed on the same computer. Alternately, the instancename is not required if the database is installed in the default instance of Microsoft SQL Server.

- 34 -

Installing PGP Endpoint Components

16.Click Next .

Step Result: The Datafile directory page opens.

Figure 15: Datafile Directory Page

17.You may choose a folder other than the PGP Endpoint default folder, C:\DataFileDirectory\ , where Administration Server log, shadow, and scan files are stored.

Tip: Use a permanent network share when you are installing more than one Administration

Server or a dedicated file server. To improve performance for a multi-server installation, assign a separate data file directory to each server to provide load balancing; although more than one server can access the same data file directory. Use a Universal\Uniform Name Convention path name; do not use a mapped drive name.

a) Click Change .

Step Result: The Select datafile directory page opens.

Figure 16: Select Datafile Directory Page

- 35 -

PGP Endpoint

b) Type the name of the datafile directory in the Folder name: field. c) Click OK .

18.Click Next .

Step Result: The Server communication protocol page opens.

Figure 17: Server Communication Protocol Page

19.Select an encryption option.

Restriction: The server communication protocol options shown depend upon the client

version supported and whether a certification authority digital certificate is installed.

20.Click Next .

Step Result: The Server communication protocol page opens.

Figure 18: Server Communication Protocol Ports Page

- 36 -

Installing PGP Endpoint Components

21.Specify the communication port(s).

Restriction: The port field(s) shown depend upon the encryption communication protocol

that you selected previously.

22.Click Next .

Step Result: The Syslog Server page opens.

Figure 19: Syslog Server Page

23.Type the name or the IP address of the SysLog server in the SysLog server address field.

Important: This step is optional. You do not have to specify a Syslog server.

24.Select from the following options:

Option Description

Audit Logs Logs changes to policy administered through the

Management Server Console .

System Logs Logs system events. Agent Logs Logs events uploaded directly from the PGP Endpoint

client.

- 37 -

PGP Endpoint

25.Click Next .

Step Result: The Ready to Install Program page opens.

Figure 20: Ready to Install Program Page

26.Click Install. A progress bar runs on the page, showing installation progress.

Step Result: The Completed page opens.

27.Click Finish.

Result: The Administration Server files are installed and the server establishes a

connection to the PGP Endpoint database.

After Completing This Task:

If you intend to install the Management Server Console on a different computer or server than the Administration Server , you must configure the Distributed Component Object Model (DCOM) settings and security permissions for all Administration Server s in your environment, as outlined in Configuring DCOM Settings for the Administration Server on page 91 .

- 38 -

Installing PGP Endpoint Components

Installing the PGP Endpoint Management Server Console

The PGP Endpoint Management Server Console is the administrative tool that used to configure and run the PGP Endpoint 4.4 SR1 software.

Prerequisites:

Before you can successfully install the PGP Endpoint Management Server Console , you must:

• Verify that you satisfy the minimum hardware and software system requirements.

Restriction: If you are installing the PGP Endpoint Application Control Terminal Services

Edition, you must install the PGP Endpoint Management Server Console on a computer separate from the Citrix® Metaframe® Presentation Server.

• Install the PGP Endpoint Administration Server.

• If you intend to install the Management Server Console on a different computer or server than the Administration Server , you must configure DCOM settings and access restrictions as outlined for Configuring DCOM Settings for the Administration Server on page 91 .

1. Log in as an administrative user to the computer where you are installing the PGP Endpoint Management Server Console .

2. Close all programs running on the computer.

3. From the location where you saved the PGP Endpoint application software, run the \server

\smc\setup.exe .

Attention: The Management Server Console requires the Microsoft® Visual C++ 2008

Redistributable Package for proper operation. You may receive a message prompting you to allow setup to trigger the redistributable package installation, if Visual C++ Libraries are not already installed. After the redistributable package installs, the Management Server Console resumes installation as follows.

Figure 21: Microsoft Visual C++ 2008 Redistributable Package Setup

Step Result: The Installation Wizard Welcome page opens.

- 39 -

PGP Endpoint

4. Click Next .

Step Result: The License Agreement page opens.

Figure 22: License Agreement Page

5. Review the license agreement and, if you agree, select I accept the terms in the license agreement.

6. Click Next .

Step Result: The Setup Type page opens.

Figure 23: Setup Type Page

7. Select one of the following options:

- 40 -

Installing PGP Endpoint Components

Option Description

Complete Installs all program features. Custom Install selected program features where you specify the

location.

a) If you select Custom , the Custom Setup page opens.

Step Result:

Figure 24: Custom Setup Page

b) Select the features you want to install.

The installation features shown depend upon the application you are licensed for.

Feature License Type(s) PGP Endpoint Management

PGP Endpoint Device Control

Server Console

PGP Endpoint Application Control

PGP Endpoint Client

PGP Endpoint Device Control

Deployment Tool

PGP Endpoint Application Control

Standard File Definitions PGP Endpoint Application Control Authorization Wizard PGP Endpoint Application Control

- 41 -

PGP Endpoint

c) You may choose C:\Program Files\PGP Corporation\PGP Endpoint\Console .

d) Select a folder from the Look in: field. e) Click OK .

Step Result: The Change Destination Folder Page opens.

Figure 25: Change Destination Folder Page

Step Result: The Change Current Destination Folder closes, and the Destination

Folder page changes to reflect the new location.

8. Click Next .

Step Result: The Ready to Install page opens.

Figure 26: Ready to Install Page

9. Click Install.

- 42 -

Installing PGP Endpoint Components

A progress bar runs on the page, showing installation progress.

Step Result: The Completed page opens.

10.Click Finish.

Result: The PGP Endpoint Management Server Console files are installed. After Completing This Task:

Define PGP Endpoint administrator access as described in the PGP Endpoint Device Control

User Guide or the PGP Endpoint Application Control User Guide , depending upon your license

type. By default, only users who are members of the Administrators group for the computer running the PGP Endpoint Management Server Console can connect to the PGP Endpoint Administration Server .

Installing the PGP Endpoint Client

The PGP Endpoint client manages permissions for device access and user access to software applications for endpoint computers.

Prerequisites:

Before you can successfully install the PGP Endpoint client, you must:

• Verify that you satisfy the minimum hardware and software system requirements.

• Copy the sx-public.key file for the PGP Endpoint client to the Client folder located where you downloaded the PGP Endpoint software. The PGP Endpoint client installer detects the public key during installation and copies the key to the target directory ( %windir%\sxdata ).

Note: If you are installing the PGP Endpoint client for Windows XP Embedded (XPe),

please refer to Installing the Client for Windows XP Embedded on page 99 , for specific installation instructions.

• Install the PGP Endpoint Administration Server .

• Install the PGP Endpoint Management Server Console .

• When installing PGP Endpoint Application Control , you must create a list of authorized executable files, scripts and macros before setting Execution blocking default option to Non-blocking mode .

• When installing PGP Endpoint Application Control , you must ensure that the Execution blocking default option is set to Non-blocking mode ; otherwise the PGP Endpoint client computer will not restart after PGP Endpoint client installation because executable system files cannot run until they are centrally authorized from the PGP Endpoint Management Server Console .

1. Verify that the domain information in the PGP Endpoint database is synchronized as follows:

- 43 -

PGP Endpoint

a) From the PGP Endpoint Management Server Console , select Tools > Synchronize

b) Enter the name of the domain that you want to synchronize.

c) Click OK.

Domain Members .

Step Result: The Synchronize Domain dialog opens.

Figure 27: Synchronize Domain Dialog

Note: When you enter a computer name that is a domain controller, the domain

controller is used for synchronization. This is useful when replication between domain controllers is slow.

Attention: When you use PGP Endpoint in a Novell environment, you must run the

ndssync_ldap.vbs synchronization script found in the scripts folder where you stored the application software after downloading. This can be done manually when there are few changes in your eDirectory structure or you use automatically scheduling software.

2. Log in as an administrative user to the computer where you are deploying the PGP Endpoint client.

3. Close all programs running on the computer.

4. From the location where you saved the PGP Endpoint application software, run \client

\setup.exe file.

Step Result: The Installation Wizard Welcome page opens.

- 44 -

Installing PGP Endpoint Components

5. Click Next .

Step Result: The License Agreement page opens.

Figure 28: License Agreement Page

6. Review the license agreement, and, if you agree, select I accept the terms in the license agreement .

7. Click Next .

Step Result: The Encrypted Communication page opens.

Figure 29: Encrypted Communication Page

8. Select one of the following options that matches the option you selected when installing the PGP Endpoint Administration Server :

- 45 -

PGP Endpoint

Option Description

Server is using unencrypted protocol

Communication between the PGP Endpoint Administration Server and PGP Endpoint client is not using the TLS communication protocol. Communication is not encrypted but is signed using the private key.

Authentication certificate will be generated by setup

Communication between the PGP Endpoint Administration Server and PGP Endpoint client uses the TLS communication protocol. Communication is encrypted and the digital certificate is generated manually during installation.

Authentication certificate will be retrieved from a CA

Tip: PGP recommends that you use the automatic TLS retrieval option to deploy Certificate

Authority infrastructure for issuing valid digital certificates.

Step Result: If you opt to manually generate a certificate during setup, the Client

Authentication dialog opens.

Figure 30: Client Authentication Dialog

9. To manually generate a certificate during setup specify the computer certificate location and parameters from the following options.

- 46 -

Option Description

Installing PGP Endpoint Components

Generate certificate signed by certificate located in

Generates a digital certificate during installation by using a signature certificate located in the local user store.

store Generate certificate signed

by certificate located in file

Generates a digital certificate during installation by using a signature certificate located in a specified file.

Import into store Imports a signature certificate into the local user store. Certificate parameters Specifies the certificate parameters for the Cryptographic

service provider , Key length , Validity , and Signature

10.Click Next .

Step Result: The PGP Endpoint Administration Server s page opens.

Figure 31: PGP Endpoint Administration Server s Page

11.Specify up to three server names using fully qualified domain names (FQDN) or IP addresses that are managed from the PGP Endpoint Management Server Console .

Caution: Do not use IP address(es) when using the TLS communication protocol for

encryption. You can only use FQDNs for when using the TLS communication protocol.

- 47 -

PGP Endpoint

12.Verify that the PGP Endpoint client connects to the PGP Endpoint Administration Server by clicking Test .

Caution: You can proceed with client installation if the PGP Endpoint Administration Server

is unavailable, by clicking OK in the following dialog. The client can establish a connection with the server later, when the server is available.

Figure 32: Error Dialog

Step Result: By default, PGP Endpoint connects with the first available server and retrieves

13.If you are specifying more than one server, select or deselect the Select a server at random to spread the load option.

14.Click Next .

Step Result: The Destination Folder page opens.

default policy settings from the server.

Figure 33: Destination Folder Page

- 48 -

Installing PGP Endpoint Components

15.You may choose an installation destination folder other than the PGP Endpoint default folder

C:\Program Files\PGP Corporation\PGP Endpoint , by clicking Change .

Step Result: The Change Current Destination Folder page opens.

Figure 34: Change Current Destination Folder Page

16.Select a folder from the Look in: field.

17.Click OK .

Step Result: The Change Current Destination Folder closes, and the Destination Folder

page changes to reflect the new location.

18.Click Next .

Step Result: The “Add or Remove Programs” list page opens.

Figure 35: Add or Remove Programs List Page

19.You may select one of the following options, which are not required to proceed with installation:

- 49 -

PGP Endpoint

Option Description

Don’t display this product Does not display the PGP Endpoint component names

in the Add or Remove Programs list in the Windows

Control Panel .

Don’t display the Remove button for this product

Displays the PGP Endpoint component names in the Add or Remove Programs list in the Windows Control Panel without the Remove option.

20.Click Next .

Step Result: The NDIS Device Control page opens.

Note: NDIS enables Device Control to control 802.1x wireless adapters. If

you do not need this protection, you may disable it here.

Figure 36: NDIS Device Control Page

21.Select the disable protection for NDIS devices check box to allow the use of wireless devices.

22.Click Next .

Step Result: The Ready to Install the Program page opens.

23.Click Install .

Step Result: A progress bar runs on the page, showing installation progress.

Attention: The Setup dialog warning opens when there is an invalid, non-

reachable server address and no policy file exists.

24.Select one of the following options.

- 50 -

Installing PGP Endpoint Components

Option Description

Abort Does not retrieve the policy file and cancels the

installation process.

Retry Attempts to retrieve the policy file and continue setup. Ignore Skips policy file retrieval and continues setup, creating

the risk of blocking the computer from all device and executable file access .

Danger: If you select Ignore, the PGP Endpoint suite installs with the most restrictive

default file execution policy that denies use of all devices and/or executable files. This type of installation will deny you access to devices and software that you use on your computer, which can make the computer inaccessible. When you install a client offline for use with PGP Endpoint Application Control you must provide a policy settings file. Refer the PGP Endpoint Application Control User Guide for more information about creating and exporting policy settings files.

Step Result: The Completed page opens.

25.Click Finish.

Result: The PGP Endpoint client is installed and connects to the PGP Endpoint

Administration Server .

After Completing This Task:

You must restart your computer system for the PGP Endpoint client configuration changes to become effective and enable the use of the PGP Endpoint client.

- 51 -

PGP Endpoint

- 52 -

Chapter

Upgrading PGP Endpoint Components

In this chapter:

• Upgrade Overview

• Upgrading the PGP

Endpoint Database

• Upgrading the PGP

Endpoint Administration Server

• Upgrading the PGP

Endpoint Management Server Console

• Upgrading the PGP

Endpoint Client

With PGP Endpoint 4.4 SR1, you can upgrade your PGP Endpoint product solution components that are versions 4.0 and higher.

- 53 -

PGP Endpoint

Upgrade Overview

The PGP Endpoint upgrade process requires that you upgrade the primary software components, including the database, Administration Server, Management Server Console, and client(s).

The following diagram illustrates the PGP Endpoint upgrade process.

Figure 37: PGP Endpoint Component Upgrade Process

Danger: Do not change the key pair during an upgrade process when the Client Hardening

mode is enabled, or the upgrade will fail.

- 54 -

Upgrading PGP Endpoint Components

Upgrading the PGP Endpoint Database

Using the PGP Endpoint installation software, the Installation Wizard upgrades the PGP Endpoint database, the first PGP Endpoint component that you upgrade.

Prerequisites: Important: For installation or upgrade to PGP Endpoint version 4.4 SR1:

• You must have a new license file that is valid specifically for version 4.4.

• Request a new license file using the Downloads tab on the PGP Licensing and Entitlement

Management System (LEMS) ( https://lems.pgp.com/account/login) .

• Back-up your database before performing any upgrade. Please refer to the following for more information about database back-up and restore

procedures for Microsoft SQL Server 2005.

• See Backup Overview (SQL Server) ( http://msdn.microsoft.com/en-us/library/

ms175477(SQL.90).aspx ) for more information backing up the database.

• See Backing Up and Restoring How-to Topics (SQL Server Management Studio) ( http://

msdn.microsoft.com/en-us/library/ms189621(SQL.90).aspx ) for more information about

backing up and restoring the database.

• See Backing Up and Restoring How-to Topics (Transact-SQL) ( http://

msdn.microsoft.com/en-us/library/aa337534(SQL.90).aspx ) for more information about

backing up and restoring the database.

Please refer to the following for more information about database back-up and restore procedures for Microsoft SQL Server 2008.

• See Backup Overview ( http://msdn.microsoft.com/en-us/library/ms175477.aspx ) for

more information about backing up the database.

• See Backing Up and Restoring How-to Topics (SQL Server Management Studio) ( http://

msdn.microsoft.com/en-us/library/ms189621.aspx ) for more information about backing up

and restoring the database.

• See Backing Up and Restoring How-to Topics (Transact-SQL) ( http://

msdn.microsoft.com/en-us/library/aa337534.aspx ) for more information about backing up

and restoring the database.

- 55 -

PGP Endpoint

1. Log in to the computer running the SQL server.

Tip: If you are upgrading a database that was not installed on a SQL Server with the

PGP Endpoint installation executable file, for example the database was moved to another server after initial installation or the database was installed using SQL script files, you must manually upgrade the PGP Endpoint database.

2. Close all programs running on the computer.

3. Open SQL Server Management Studio.

During database migration, the size of the database may double. You must ensure enough disk space is available.

Caution: If a database size cap is set in SQL, database migration may fail.

a) Expand the Databases directory in the Object Explorer panel and right-click the target

database.

Step Result: A right-mouse menu opens.

Figure 38: Right-Mouse Menu

- 56 -

b) Select Properties from the right-mouse menu.

Step Result: The Database Properties window opens.

Upgrading PGP Endpoint Components

Figure 39: Database Properties Window

c) Select Files . d) Click the ellipses [...] in Autogrowth column.

Step Result: The Change Autogrowth dialog opens.

Figure 40: Change Autogrowth Dialog

e) Select Enable Autogrowth .

- 57 -

PGP Endpoint

f) Select Unrestricted File Growth .

g) Click OK .

h) Click OK .

4. From the location where you saved the PGP Endpoint application software, run \server\db \setup.exe .

Step Result: The Installation Wizard Welcome page opens.

Important: You must maintain these settings until the database migration is finished.

Database migration begins the first time the PGP Endpoint starts after upgrading the application. Database migration can take several hours or days, depending on the size of the database.

Step Result: The Change Autogrowth dialog closes.

Figure 41: Welcome Page

5. Click OK .

- 58 -

Upgrading PGP Endpoint Components

6. Click Upgrade .

Step Result: The PGP Endpoint Database page opens showing a progress bar that

indicates the installation status.

Figure 42: Installing PGP Endpoint Database Page

7. Click Next .

Step Result: The Completed page opens.

8. Click Finish .

Result: PGP Endpoint setup upgrades the existing PGP Endpoint database.

- 59 -

PGP Endpoint

Upgrading the PGP Endpoint Administration Server

Using the PGP Endpoint installation software, the Installation Wizard upgrades the PGP Endpoint Administration Server, the second PGP Endpoint component that you upgrade.

Prerequisites:

•

Important: For installation or upgrade to PGP Endpoint version 4.4 SR1:

• You must have a new license file that is valid specifically for version 4.4.

• Existing license files issued before PGP Endpoint version 4.4 will not work with the PGP

• Request a new license file using the Downloads tab on the PGP Licensing and

Entitlement Management System (LEMS) ( https://lems.pgp.com/account/login) .

1. Log in to the computer that runs the PGP Endpoint Administration Server.

2. Close all programs running on the computer.

3. From the location where you saved the PGP Endpoint application software, run \server\sxs

\setup.exe file.

4. Click OK.

Step Result: The Installation Wizard Welcome page opens.

- 60 -

Upgrading PGP Endpoint Components

5. Click Next.

Step Result: The Upgrade default Log Explorer templates page opens.

Figure 43: Upgrade Default Log Explorer Templates Page

6. Select a Log Explorer template upgrade option.

7. Click Next.

Step Result: The Server communication protocol page opens.

Figure 44: Server Communication Protocol Page

- 61 -

PGP Endpoint

8. Select an encryption option.

Restriction: The server communication protocol options shown depend upon the client

version supported and whether a certification authority digital certificate is installed.

9. Click Next.

Step Result: The Server communication protocol page opens.

Figure 45: Server Communication Protocol Ports Page

10.Specify the communication port(s).

Restriction: The port field(s) shown depend upon the encryption communication protocol

that you selected previously.

- 62 -

11.Click Next.

Step Result: The Syslog Server page opens.

Figure 46: Syslog Server Page

Upgrading PGP Endpoint Components

12.Type the name or the IP address of the SysLog server in the SysLog server address field.

Important: This step is optional. You do not have to specify a Syslog server.

13.Select from the following options:

Option Description

Audit Logs Logs changes to policy administered through the

Management Server Console.

System Logs Logs system events. Agent Logs Logs events upload directly from the PGP Endpoint client.

- 63 -

PGP Endpoint

14.Click Next.

Step Result: The Ready to Upgrade the Program page opens.

Figure 47: Ready to Upgrade Program Page

15.Click Upgrade. A progress bar runs on the page, showing installation progress.

Step Result: The Completed page opens.

16.Click Finish.

Result: PGP Endpoint setup upgrades and restarts the existing PGP Endpoint

Administration Server service.

Upgrading the PGP Endpoint Management Server Console

Using the PGP Endpoint installation software, the Installation Wizard upgrades the PGP Endpoint Management Server Console , the third PGP Endpoint component that you upgrade.

1. Log in to the computer where you are installing the PGP Endpoint Management Server Console .

2. Close all programs running on the computer.

3. From the location where you saved the PGP Endpoint application software, run the \server

\smc\setup.exe file.

- 64 -

4. Click OK .

Step Result: The Installation Wizard Welcome page opens.

Figure 48: Welcome Page

Upgrading PGP Endpoint Components

5. Click Upgrade .

Step Result: The PGP Endpoint Management Server Console page opens showing a

progress bar that indicates the installation status.

Figure 49: Installing PGP Endpoint Management Server Console Dialog

6. Click Next .

Step Result: The Completed page opens.

- 65 -

PGP Endpoint

7. Click Finish .

Result: PGP Endpoint setup upgrades the existing PGP Endpoint Management Server

Console .

Upgrading the PGP Endpoint Client

Using the PGP Endpoint installation software, the Installation Wizard upgrades the PGP Endpoint client, the fourth PGP Endpoint component that you upgrade.

Caution: When installing the client for PGP Endpoint Application Control , you may need to set

the Execution blocking default option to Non-blocking mode . This is only necessary if the new client .exe and .msi files were not previously added to the central file authorization list and assigned to the corresponding file group. Otherwise, the PGP Endpoint client computer may not restart after PGP Endpoint client installation because executable system files cannot run until they are centrally authorized from the PGP Endpoint Management Server Console .

1. Log in to the computer that will run the PGP Endpoint client.

2. Close all programs running on the computer.

3. From the location where you saved the PGP Endpoint application software, run the \server

\client\setup.exe file.

Step Result: The Installation Wizard Welcome page opens.

4. Click Next .

Step Result: The Encrypted communication page opens.

Figure 50: Encrypted Communication Page

- 66 -

Upgrading PGP Endpoint Components

5. Select one of the following options that matches the options you selected when you upgraded the PGP Endpoint Administration Server :

Option Description

Server is using unencrypted protocol

Communication between the PGP Endpoint Administration Server and PGP Endpoint client is not using the TLS communication protocol. Communication is not encrypted but is signed using the private key.

Authentication certificate will be generated by setup

Authentication certificate will be retrieved from a CA

Tip: PGP recommends that you use the automatic TLS retrieval option to deploy Certificate

Authority infrastructure for issuing valid digital certificates.

Step Result: If you opt to manually generate a certificate during setup, the Client

Authentication dialog opens.

Figure 51: Client Authentication Dialog

6. To manually generate a certificate during setup specify the computer certificate location and parameters from the following options.

- 67 -

PGP Endpoint

Option Description

Generate certificate signed by certificate located in

Generates a digital certificate during installation by using a signature certificate located in the local user store.

store Generate certificate signed

by certificate located in file

Generates a digital certificate during installation by using a signature certificate located in a specified file.

Import into store Imports a signature certificate into the local user store. Certificate parameters Specifies the certificate parameters for the Cryptographic

service provider , Key length , Validity , and Signature

7. Click Next .

Step Result: The PGP Endpoint Administration Server s page opens.

Figure 52: PGP Endpoint Administration Server s Page

8. Specify up to three server names using fully qualified domain names (FQDN) or IP addresses that are managed from the PGP Endpoint Management Server Console .

Caution: Do not use IP address(es) when using the TLS communication protocol for

encryption. You can only use FQDNs for when using the TLS communication protocol.

- 68 -

Upgrading PGP Endpoint Components

9. Verify that the PGP Endpoint client connects to the PGP Endpoint Administration Server by clicking Test .

Step Result: If the server name is correctly specified, the PGP Endpoint Administration

Server connects successfully with the client.

10.Click Next .

Step Result: The “Add or Remove Programs” list page opens.

Figure 53: Add or Remove Programs List Page

11.You may select one of the following options, which are not required to proceed with the upgrade:

Option Description

Don’t display this product Displays the PGP Endpoint product name in the Add or

Removes Programs list in the Windows Control Panel with the Remove option.

Don’t display the Remove button for this product

Displays the PGP Endpoint product name in the Add or Removes Programs list in the Windows Control Panel

without the Remove option.

- 69 -

PGP Endpoint

12.Click Next .

Attention: If NDIS was configured for the previously installed client version, the upgrade

process may skip this step and proceed directly to the following step.

Step Result: The NDIS Device Control page opens.

Note: NDIS enables Device Control to control 802.1x wireless adapters. If

you do not need this protection, you may disable it here.

Figure 54: NDIS Device Control Page

13.Select the disable protection for NDIS devices check box to allow the use of wireless devices.

- 70 -

14.Click Next .

Step Result: The Ready to Upgrade the Program page opens.

Figure 55: Ready to Upgrade the Program Page

Upgrading PGP Endpoint Components

15.Click Upgrade . A progress bar runs on the page, showing installation progress.

Step Result: The Completed page opens.

16.Click Finish.

Result: PGP Endpoint setup upgrades the existing PGP Endpoint client. After Completing This Task:

You must restart your computer system as soon as possible, to prevent any existing file authorizations or device permission from becoming unstable and for the PGP Endpoint client configuration changes to become effective.

- 71 -

PGP Endpoint

- 72 -

Chapter

Installation Checklist

In this chapter:

• Installation Checklist

The installation checklist identifies tasks necessary for installing the PGP Endpoint product solution.

Installation Checklist

The installation checklist outlines the detailed tasks that you must perform when installing the Application Control and Device Control solutions.

This checklist guides you through the installation process.

Important: For installation or upgrade to PGP Endpoint version 4.4 SR1:

• You must have a new license file that is valid specifically for version 4.4.

• Request a new license file using the Downloads tab on the PGP Licensing and Entitlement

Management System (LEMS) ( https://lems.pgp.com/account/login) .

To begin your installation:

2. Download the PGP Endpoint application software from the PGP Licensing and Entitlement

Management System (LEMS) ( https://lems.pgp.com/account/login) .

3. Create a device, media, or software application inventory which lists the items that you want PGP Endpoint 4.4 SR1 to control.

4. Document company policy that defines:

• Device permissions.

• Shadowing requirements.

- 73 -

PGP Endpoint

• Device encryption requirements.

• PGP Endpoint administrators and their roles.

• Global domain groups for PGP Endpoint administrators.

5. Plan your PGP Endpoint network architecture, based on capacity requirements, that list the PGP Endpoint Administration Server host names and IP addresses.

6. Create a dedicated Administration Server domain user rights service account and set the following:

• User cannot change password .

• Password never expires . The domain account must have local administration rights when you plan to use the TLS

communication protocol for client- Administration Server and inter- Administration Server data transfers.

8. Verify that the Administration Server domain account has Log on as a service user rights. See Add the Log on as a service right to an account ( http://technet.microsoft.com/en-us/

library/cc739424(WS.10).aspx ) for additional information about logging on as a service user

rights.

Install Microsoft® Internet Information Services on the same computer as the certification authority, otherwise the enterprise root certificate cannot be generated. See Internet

Information Services (IIS) ( http://www.iis.net ) for additional information about installing

Internet Information Services.

10.Install a Microsoft enterprise root certification authority to enable removable device encryption for PGP Endpoint Device Control . See Install a Microsoft enterprise root

certification authority ( http://technet.microsoft.com/en-us/library/cc776709.aspx ) for

additional information about installing an enterprise root certificate.

11.

Install a Microsoft SQL Server® . See Getting Started with SQL Server ( http://

msdn.microsoft.com/en-us/sqlserver/default.aspx ) for additional information about installing

a SQL server.

12.Complete Installing the PGP Endpoint Database on page 23 .

13.To install multiple Administration Server s, create a shared file directory on a file server to

share the Datafile directory component. This action is only required if you will be using more than one Administration Server .

14.Complete Generating a Key Pair on page 26 . This action is recommended, but not required.

15.Complete Installing the Administration Server on page 28 .

Important: The Administration Server service account must have database owner (DBO)

rights to the PGP Endpoint database.

16.Complete Installing the PGP Endpoint Management Server Console on page 39 .

17.Complete Installing the PGP Endpoint Client on page 43 .

18.Test your PGP Endpoint product solution installation for functionality.

- 74 -

Chapter

Using the Tool

In this chapter:

• PGP Endpoint Client

Deployment Window

• Creating Deployment

Packages

• Adding Computers

• Deploying Packages

• Querying Client Status

Client deployment employs the Microsoft Installer (MSI) service that distributes installation packages that you create. After deployment is complete, you can monitor the computers and status of the client deployment packages throughout your network.

Attention: You cannot use the Client Deployment Tool

to deploy PGP Endpoint clients for Windows XP Embedded (XPe) implementations.

- 75 -

PGP Endpoint

PGP Endpoint Client Deployment Window

The PGP Endpoint Client Deployment dialog is the primary administrative interface used for creating and deploying client installation packages.

The PGP Endpoint Client Deployment dialog consists of two panels:

• Packages

• Computers

Figure 56: PGP Endpoint Client Deployment Window

Packages Panel

The following table describes the columns in the Packages panel.

Table 7: Packages Panel Column Descriptions

Column Description Name Shows the name of the deployment package.

Key Indicates whether the public key is included in the deployment package. Progress Shows the installation progress of the deployment package for a

computer.

Product Shows the name of the PGP Endpoint product included in the deployment

package.

Version Shows the version of the PGP Endpoint product included in the

deployment package.

- 76 -

Column Description Servers(s) Shows the name of the server(s) that connect to the selected client

computer.

Last deployment Shows the date and time of the last client package deployment. License Shows the type of product licensed. Policies Shows whether permission policies are imported. TLS Shows whether the TLS communication protocol is in use.

Packages Menu

You can administer deployment packages from the Packages menu. The following table describes the Packages menu.

Table 8: Packages Menu Options

Option Description New Creates new deployment packages.

Using the Tool

Delete Deletes a selected deployment package. Rename Renames a selected deployment package. Import public key Copies the sx-public.key in to the deployment package directory folder. Set Licenses Adds a license to deployment package installed in the serverless

mode.

Set Policies Allows addition of a Administration Server to retrieve the policy file

(*.dat) for a specific deployment package.

Test Connection Allows verification of connection with the Administration Server for the

specific deployment package, before deploying the package.

Install Installs the selected deployment package. Uninstall Uninstalls the selected deployment package for the computers listed in

the Computers panel.

Open last report Displays a report describing the last install or uninstall, indicating the

status of the install or uninstall activity.

Options Allows modification of the directory where deployment packages are

stored.

- 77 -

PGP Endpoint

Computers Panel

The following table describes the columns in the Computers panel.

Table 9: Computers Panel Column Descriptions

Column Description Name Shows the name of the computer associated with a deployment

Domain/Workgroup Shows the domain or workgroup that a computer belongs to. Progress Shows the installation progress of the deployment package for a

Status Describes the attributes associated with the deployment package

package.

computer.

for a computer, including the:

• Client operating system and version

• TLS communication protocol used

• Client hardening status

Computers Menu

You can administer deployment packages by computer from the Computers menu. The following table describes Computers the Computers menu.

Table 10: Computers Menu Options

Option Description Add Adds one or more computers to the list of computers for the specific

deployment package.

Remove Removes one or more computers from the list of computers for the

specific deployment package.

Import Imports a list of computers from an external ASCII or Unicode text

file.

Export Exports a list of computers to an external ASCII or Unicode text file. Change TLS mode Allow changes to the TLS communication protocol used for specific

computers.

Reboot Forces specific computers to restart. Query Queries the client version and driver status for every computer listed.

- 78 -

Option Description Progress details Displays the results of the install, uninstall, or query operation for

specific computers.

Open last log Opens the last installation log for specific computers.

Creating Deployment Packages

When you create a PGP Endpoint client deployment package, the tool copies the local client setup .MSI file and creates an .MST transform file that is linked to the .MSI file.

Prerequisites:

Before you can successfully create a PGP Endpoint client deployment package, you must:

• Have access to the PGPEndpointClient.msi or PGPEndpointClient64.msi file on the computer where you will deploy the client packages.

• If there is a firewall between the tool installed on the client computer and the targeted computer(s), you must verify that firewall ports are open.

• Synchronize the Administration Server system clock with the PGP Endpoint database using the Microsoft Windows time service. See Time Service ( http://support.microsoft.com/

kb/816042 ) for details about using the Microsoft Windows time service.

• Start the Windows Remote Registry service on the remote client computer.

• Have a valid digital certificate on the client computer that deploys the client and test the TLS connection between the Administration Server .

Using the Tool

The .MSI file contains the information necessary deploy the PGP Endpoint client to targeted computers.

1. From the PGP Endpoint Client Deployment dialog, click New Package .

Step Result: The New Packages dialog opens.

Figure 57: New Packages Dialog

2. To select deployment package, select the ellipses from the Source panel.

- 79 -

PGP Endpoint

3. In the Package panel, enter a name for the deployment package in the Name field.

4. Click OK .

Step Result: The Options - PGP Endpoint Installation Transform dialog opens.

Figure 58: Options - PGP Endpoint Installation Transform Dialog

Attention: The shaded options are only valid when are installing versions

client lower than 4.3. These options are:

• Do not validate name or IP before installing - Provides an Administration Server address or name that is not currently available but is accessible after deployment.

• Enable wireless LAN protection - An option available in 2.8 clients lower that is now deprecated by permissions rules.

- 80 -

Using the Tool

5. Click Import public key .

6. Select the sx-public.key file.

If there is no sx-public.key file in your client setup folder, then the installation continues using the default public key.

Step Result: The copies the selected public key to the appropriated folder for client

deployment.

7. In the Name or IP field(s), enter the fully qualified domain name(s) or IP address(es) for the Administration Server (s) installed in your environment.

Tip: You may enter alternative port numbers, as necessary. When you do not specify fully

qualified domain name(s) or IP address(es), the PGP Endpoint clients are deployed in a serverless mode.

8. If PGP Endpoint is set up to use more than one Administration Server , you may select the Automatic Load Balancing check box to allow clients to contact any available Administration Server .

9. To specify that the PGP Endpoint client uses the TLS communication protocol, select the TLS check box.

10.To disable Device Control for NDIS devices, select the Disable NDIS protection for devices check box.

Note: NDIS enables Device Control to control 802.1x wireless adapters. If you do not need

this protection, you may disable it here.

11.To validate the fully qualified domain name(s) or IP address(es) for the Administration Server (s), click Test Connection .

Step Result: You will receive a confirmation message indicating whether the server

connection is successful or not. If not, you follow the error resolution directions.

12.From the “Add or Remove Programs” list options panel, select one of the following options:

Option Description

List the program with a “Remove button”

List the program but suppress the “Remove button”

Displays the PGP Endpoint product name in the Add or Remove Program list in the Windows Control Panel with

the Remove option. Displays the PGP Endpoint product name in the Add or

Removes Program list in the Windows Control Panel without the Remove option.

- 81 -

PGP Endpoint

13.To suppress preventive actions associated with Application Control , select the Suppress preventive actions related to the Application Control feature check box.

14.In the Specify the policy import time-out (in minutes) field, enter a numerical value.

15.Click OK .

Result: The client deployment package files are copied to the specified directory. The new

After Completing This Task:

Verify the location of the PGP Endpoint Client.mst file created in the deployment package folder you specified, by selecting Packages > Options from the PGP Endpoint Client Deployment window.

Option Description

Do not list the program Does not display the PGP Endpoint product name in the

Add or Remove Program list in the Windows Control

Panel .

deployment package is listed in the Packages panel of the PGP Endpoint Client Deployment window.

Adding Computers

You can add computers where the client is deployed with the .

1. Select Start > Programs > PGP .

Step Result: The PGP Endpoint Client Deployment dialog opens.

Figure 59: PGP Endpoint Client Deployment Dialog

- 82 -

Using the Tool

2. Click Add Computer.

Step Result: The Select Computers dialog opens.

Figure 60: Select Computers Dialog

3. In the Enter the object names to select field, select ObjectName to enter the names of the computers to add to the list.

Note: ObjectName is the only format you can select to add computers.

Object Name Example

Display Name FirstName LastName ObjectName Computer1 UserName User1 ObjectName@DomainName User1@Domain1 DomainName\ObjectName Domain\User1

a) To verify the object name, click Check Names.

Step Result: The object name is verified and underlined when correctly entered.

4. Click OK.

Result: The computer names are listed in the Computers panel of the PGP Endpoint

Client Deployment window.

- 83 -

PGP Endpoint

Deploying Packages

The tool silently deploys PGP Endpoint client for unattended installation, using deployment installation packages.

Prerequisites:

Before you can successfully deploy PGP Endpoint clients, you must:

• Create deployment packages.

• Be a member of the Local Administrators group for all targeted computers.

1. Select Start > Programs > PGP .

Step Result: The PGP Endpoint Client Deployment dialog opens.

Figure 61: PGP Endpoint Client Deployment Dialog

2. If you are deploying the client to computers that are not connected to the Administration Server , you must first export the policy file *.dat to the targeted computer(s), as follows.

- 84 -

a) Select Packages > Options .

Step Result: The Options dialog opens.

Figure 62: Options Dialog

b) To select the directory to store deployment copies, click the ellipses .

You must specify a directory different than a system drive root directory or directory containing existing files. When the tool runs on different computers, you may want to specify a shared directory where all instances of the tool have access to the deployment packages.

c) Click OK .

Step Result: The Options dialog closes.

Using the Tool

3. To add computers for client deployment, select the computer name(s). You can select multiple computers while pressing the CTRL key.

4. Click OK .

5. From the Packages panel, select a deployment package from the list.

a) From the Computers panel, you may also select a subset of targeted computers for

package deployment.

- 85 -

PGP Endpoint

6. Click Install .

Step Result: Because deployment requires restarting the target computer(s), the Install/

Uninstall/Reboot/Options dialog opens.

Figure 63: Install/Uninstall/Reboot/Options Dialog

7. From the When a reboot is needed at the end of a deployment panel, select the following options, as necessary:

Option Description

Reboot after (x) second(s) Restarts the target computer(s) after deployment, within

the period that you specify.

Force reboot even if some applications are opened

Forces the target computer(s) to restart after deployment, regardless of open applications.

Apply to Applies reboot options to All target computers or a

Selection of computers, representing the subset chosen

when selecting the deployment package.

Message You can type a message that users receive when the

target computer(s) restart.

8. To generate a certificate semi-automatically during setup, select the computer certificate location and parameters from the following options.

- 86 -

Using the Tool

Option Description

Use local certificate store Generates a digital certificate during installation by using a

signature certificate located in the local user store.

Use memory certificate store

Generates a digital certificate during installation by using a signature certificate located in a specified file.

Import Imports a signature certificate into the local user store. Select Allows you to select a signature certificate located in a

specified file

Advanced Specifies the certificate parameters for the Cryptographic

service provider , Key length , Validity , and Signature

9. Click Next .

10.Click OK .

Step Result: The PGP Endpoint Client Deployment dialog reopens showing the

deployment progress for the computer(s) added to the deployment package selected.

Figure 64: PGP Endpoint Client Deployment Dialog - Computer Progress

The Progress column in the Computers panel displays a progress bar showing the deployment status for each computer. The Progress column in

- 87 -

PGP Endpoint

Result: The deployment package is silently deployed the designated computer(s) or

After Completing This Task:

If you chose to restart the client after deployment is complete, the System Shutdown dialog displays with the message created when selecting the reboot option(s), as illustrated by the following example.

the Packages panel displays a progress bar showing the overall deployment status the deployment package. The following table describes the status bar.

Color Status Condition Turquoise Task completed successfully.

Green Task in progress with no warning. Yellow Task in progress or completed with warnings. Red Task in progress or stopped with an error.

computer group(s).

Figure 65: System Shutdown Dialog

Querying Client Status

You can use the Query for target computers to determine the operating system that is running, whether a client is installed and which version, whether hardening is enabled, and whether the PGP Endpoint components are running.

1. Select Start > Programs > PGP .

Step Result: The PGP Endpoint Client Deployment dialog opens.

2. Click Query .

- 88 -

Using the Tool

3. From the Packages panel, select a deployment package from the list.

Result: The Computers panel lists the computers where the deployment package(s) are

installed. The Status column describes the client operating system and version, TLS protocol selection, and client hardening status.

Figure 66: PGP Endpoint Client Deployment Dialog

- 89 -

PGP Endpoint

- 90 -

Appendix

Configuring DCOM Settings for the Administration Server

In this appendix:

• Setting Up Distributed

Component Object Model (DCOM)

• Set Access Control List

Security Permissions

The Log Explorer module uses the Microsoft® Distributed Component Object Model (DCOM) protocol to retrieve log entries from the Management Server Console that is connected to theAdministration Server. The other Management Server Console modules use Remote procedure calls (RPC) for network communication. If you intend to install the Management Server Console on a different computer or server than the Administration Server, the network administrator must:

1. Configure the DCOM settings for the Administration Server.

2. Set the security permissions for the computer-wide access control lists (ACLs) that govern access to all call, activation, or launch requests on the server, using Microsoft Group Policy to manage computer-wide DCOM access restrictions.

Note: DCOM does not work across non-trusted domains,

especially when using workgroups.

Setting Up Distributed Component Object Model (DCOM)

The network administrator(s) that are responsible for using the PGP Endpoint Management Server Console must have the security access permissions set in Windows Component Services for DCOM properties.

1. Select Start > Run.

- 91 -

PGP Endpoint

2. Type dcomcnfg in the Open: field.

Step Result: The Component Services dialog opens.

Figure 67: Component Services Dialog

Attention: The steps described in this procedure are based on using a

Windows® Server 2003 SP1 operating system (OS). If you are using a different Windows OS, the steps and step results may vary.

3. Double-click Component Services.

4. Double-click Computers.

Step Result: My Computer is listed in the right pane.

5. Right-click My Computer.

- 92 -

Configuring DCOM Settings for the Administration Server

6. Select Properties.

Step Result: The My Computer Properties dialog opens.

Figure 68: My Computer Properties Dialog

7. Select the COM Security tab.

8. In the Access Permissions panel, click Edit Default.

- 93 -

PGP Endpoint

a) Click No, for any warning screens that appear.

Step Result: The Access Permissions dialog opens.

Figure 69: Access Dialog

9. Verify that:

• SELF (the logged in user) is listed.

• SYSTEM is listed.

• The Permissions for SELF (and SYSTEM) Allow check boxes are selected for Local

Access and Remote Access.

- 94 -

Configuring DCOM Settings for the Administration Server

10.To create a new profile with the necessary permissions, click Add.

Step Result: The Select Users or Groups dialog opens.

Figure 70: Select Users or Groups

11.In the Select this object type field, verify that at least Users is entered. If not: a) Click Object Types and select Users.

b) In the From this location field, verify your computer name is entered. c) Or, click Locations and select your computer name. d) In the Enter objects name to select field, type a new object. e) Click OK. f) In the Access dialog, select the new object. g) Select the Allow check box.

12.Click OK.

13.Click OK.

14.Close the Component Services dialog.

Set Access Control List Security Permissions

The network administrator(s) that are responsible for using the PGP Endpoint Management Server Console must have Access Control List (ACL) permissions configured for network Distributed Component Object Model (DCOM) security.

1. Select Start > Run.

- 95 -

PGP Endpoint

2. Type gpedit.msc in the Open: field.

Step Result: The Group Policy Object Editor dialog opens.

Figure 71: Group Policy Object Editor Dialog

3. Select Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

Step Result: The right pane refreshes, listing the Policy settings.

Figure 72: Group Policy Object Editor - Security Settings

4. Double-click DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax from the Policy column in right pane.

5. Click Edit Security.

- 96 -

Configuring DCOM Settings for the Administration Server

6. Add users and/or groups.

7. Select any or all of the following options for each user or group:

• Local Access

• Remote Access

8. Click OK.

9. Double-click DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax from the Policy column in the right pane.

10.Click Edit Security.

11.Add users and/or groups.

12.Select any or all of the following options for each user or group:

• Local Launch

• Remote Launch

• Local Activation

• Remote Activation

13.Click OK.

14.Close Group Policy Object Editor dialog.

15.Select Start > Run.

16.Run gpupdate.exe from the command line.

Result: Group policy settings are refreshed with the DCOM settings that you specified.

- 97 -

PGP Endpoint

- 98 -

Appendix

Installing the Client for Windows XP Embedded

In this appendix:

• Windows XPe Client

Limitations

• Supported Devices

• Installing the Client for

Windows XPe

Windows XPe is an edition of Windows XP that contains the full feature set of Windows XP Professional, but has restrictions on licensing that require the resulting device to boot directly into the original equipment manufacturer (OEM) application. Windows XPe is a componentized version of Windows XP Professional. When building the operating system (OS) image, the OEM chooses only necessary software components, which reduces the OS footprint, compared to XP Professional. Component behavior is defined by component script and dynamic HTML.

The componentized PGP Endpoint client is a modular application that expresses driver functionality as:

• Properties sets.

• Optional scripts.

• Resources including files, registry entries, and dependencies.

- 99 -

PGP Endpoint

Windows XPe Client Limitations

The client has some limitations when used with Windows XPe. The following limitations apply to using the PGP Endpoint client with Windows XP Embedded

(XPe).

• User notification displays only in the Explorer shell.

• The Rtnotify icon displays only when the Show notification in the Taskbar option is enabled in the Explorer shell.

• The PGP Endpoint client cannot be deployed on Windows XPe thin clients using the PGP Endpoint Client Deployment Tool.

• The public key sx-public.key cannot be imported using the componentized PGP Endpoint client installation.

Supported Devices

The PGP Endpoint client for Windows XPe supports a limited number of device groups for removable storage devices.

The devices supported by the PGP Endpoint client running Windows XP® Embedded compared to Windows XP Professional are listed in the following table.

Table 11: Device Groups Supported by PGP Endpoint

Device Group Window XP Windows XPe DVD/CD Drives Supported Supported

Floppy Disk Drives Supported Supported Removable Storage Devices Supported Supported

Installing the Client for Windows XPe

You install the PGP Endpoint client for Windows XPe using the same installation software as a Windows XP installation. However, you must disable the Windows XPe Enhanced Write Filter

- 100 -

PGP Endpoint - 4.4 SR1 Setup Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

Table of Contents

About This Document

Typographical Conventions

Getting Assistance

Planning Your Installation

Recommended Security Rules

System Requirements

Minimum Hardware Requirements

Supported Operating Systems

Supported Databases

Other Software Requirements

Recommended Configuration

Client Supported Languages

Licensing PGP Endpoint Products

Installing PGP Endpoint Components

Installation Overview

Installation Checklist

Installing the PGP Endpoint Database

Generating a Key Pair

Installing the Administration Server

Installing the PGP Endpoint Management Server Console

Installing the PGP Endpoint Client

Upgrading PGP Endpoint Components

Upgrade Overview

Upgrading the PGP Endpoint Database

Upgrading the PGP Endpoint Administration Server

Upgrading the PGP Endpoint Management Server Console

Upgrading the PGP Endpoint Client

Installation Checklist

Installation Checklist

Using the Tool

PGP Endpoint Client Deployment Window

Packages Panel

Packages Menu

Computers Panel

Computers Menu

Creating Deployment Packages

Adding Computers

Deploying Packages

Querying Client Status

Configuring DCOM Settings for the Administration Server

Setting Up Distributed Component Object Model (DCOM)

Set Access Control List Security Permissions

Installing the Client for Windows XP Embedded

Windows XPe Client Limitations

Supported Devices

Installing the Client for Windows XPe