PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the
US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered
trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a
trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks
of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered
trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business
Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH
and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X
are trademarks or registered trademarks of Apple Computer, Inc. All other registered and unregistered
trademarks in this document are the sole property of their respective owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech
AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a license to the patent
rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of
California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a
Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under
the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL.
If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact
PGP Support (http://www.pgp.com/support). PGP Corporation may have patents and/or pending patent
applications covering subject matter in this software or its documentation; the furnishing of this software or
documentation does not give you any license to these patents.
www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML, developed by the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt.
• Castor, an open-source, databinding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html.
• Xalan, an open-source software library from the Apache Software Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1.
• Apache Axis, an implementation of the SOAP (“Simple Object Access Protocol”) used for communications between various PGP products, is provided under the Apache license found at http://www.apache.org/licenses/LICENSE-2.0.txt.
• mx4j, an open-source implementation of the Java Management Extensions (JMX), is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html.
• jpeglib version 6a is based in part on the work of the Independent JPEG Group (http://www.ijg.org/).
• libxslt, the XSLT C library developed for the GNOME project and used for XML transformations, is distributed under the MIT License (http://www.opensource.org/licenses/mit-license.html).
• PCRE version
• Windows Template Library (WRT) is used for developing user interface components and is distributed under the Common Public License v1.0 found at http://opensource.org/licenses/cpl1.0.php.
• The Perl Kit provides several independent utilities used to automate a variety of maintenance functions and is provided under the Perl Artistic License, found at http://www.perl.com/pub/a/language/misc/Artistic.html.
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations
promulgated from time to time by the Bureau of Export Administration, United States Department of
Commerce, which restricts the export and re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of
the End User License Agreement provided with the software. The information in this document is subject
to change without notice. PGP Corporation does not warrant that the information meets your requirements
or that the information is free of errors. The information may include technical inaccuracies or typographical
errors. Changes may be made to the information and incorporated in new editions of this document, if and
when made available by PGP Corporation.
Preface
About This Document
This Setup Guide is a resource written for all users of PGP Endpoint 4.4 SR1. This document
defines the concepts and procedures for installing, configuring, implementing, and using PGP
Endpoint 4.4 SR1.
Tip:
PGP documentation is updated on a regular basis. To acquire the latest version of this or
any other published document, please refer to the PGP Support Portal Web Site
(https://support.pgp.com).
Typographical Conventions
The following conventions are used throughout this documentation to help you identify various
information types.
Convention    Usage
bold: Buttons, menu items, window and screen objects.
bold italics: Wizard names, window names, and page names.
italics: New terms, options, and variables.
UPPERCASE: SQL Commands and keyboard keys.
monospace: File names, path names, programs, executables, command syntax, and property names.
Getting Assistance
Getting Product Information
Unless otherwise noted, the product documentation is provided as Adobe Acrobat PDF files
that are installed with PGP Endpoint. Online help is available within the PGP Endpoint product.
Release notes are also available, which may have last-minute information not found in the
product documentation.
Contacting Technical Support
• To learn about PGP support options and how to contact PGP Technical Support, please visit
the PGP Corporation Support Home Page (http://www.pgp.com/support).
• To access the PGP Support Knowledge Base or request PGP Technical Support, please visit
the PGP Support Portal Web Site (https://support.pgp.com).
Note:
You may access portions of the PGP Support Knowledge Base without a support agreement;
however, you must have a valid support agreement to request Technical Support.
• For any other contacts at PGP Corporation, please visit the PGP Contacts Page
(http://www.pgp.com/company/contact/index.html).
• For general information about PGP Corporation, please visit the PGP Web Site
(http://www.pgp.com).
• To access the PGP Support forums, please visit PGP Support
(http://forums.pgpsupport.com). These are user community support forums hosted by PGP
Corporation.
Chapter 1: Planning Your Installation
In this chapter:
• Recommended Security Rules
• System Requirements
• Licensing PGP Endpoint Products
To assist in gathering the information required for a smooth
installation, PGP recommends that you use the Installation
Checklist on page 21.
Recommended Security Rules
PGP recommends that you define certain administrative security rules before installing PGP
Endpoint.
The recommended security settings are specific to Microsoft® Windows® and complement
operation of PGP Endpoint.
Table 1: Recommended Security Rules
Security Rule    Description
Hard Disk Encryption: Encrypts computer disk drives to prevent unauthorized user access to the computer hard disk drive.
Password Protect the BIOS: Prevents administrative user access when using a CMOS reset jumper, in combination with password protection for the BIOS and seal/chassis intrusion protection.
Seal/Chassis Intrusion Protector: Uses seal and/or chassis intrusion protection hardware to prevent administrative user access using an external boot device to bypass workstation security software.
Administrative Rights: Remove local users from the local Administrators group to prevent unrestricted local user computer access.
Power Users: Remove local users from the Power Users group to prevent users from tampering or bypassing standard Windows security policies.
Access Policy: Restrict network and file access as much as possible, including use restriction only to NTFS partitions.
NTFS Partition: Use of NTFS partitioning is required for installation of PGP Endpoint product solutions.
Recovery Console: Password protect user access to the Recovery Console, which is available for the Windows DVD/CD-ROM or MSDN subscription.
Service Pack and Hot Fixes: Always install the latest service packs and hot fixes for the operating system supported by PGP Endpoint product solutions.
Firewalls: Use traditional perimeter-based security systems, like firewalls, to complement PGP Endpoint product solutions.
Password Policies: Maintain strong password security policies.
Private and Public Key Generation: Deploy PGP Endpoint product solutions using secure public and private key pairs.
System Requirements
The following sections describe the minimum system requirements necessary for successful
installation of PGP Endpoint 4.4 SR1 and the languages supported by the client.
Important: For installation or upgrade to PGP Endpoint version 4.4 SR1:
• You must have a new license file that is valid specifically for version 4.4.
• Existing license files issued before PGP Endpoint version 4.4 will not work with the PGP
Endpoint Administration Server and may cause your Administration Servers to stop working.
The PGP Endpoint 4.4 license must be installed before you install or upgrade the PGP
Endpoint database, and then the Administration Server.
• Request a new license file using the Downloads tab on the PGP Licensing and Entitlement
Management System (LEMS) (https://lems.pgp.com/account/login).
Minimum Hardware Requirements
The minimum PGP Endpoint hardware requirements depend upon your service network
environment, including the type of database supported, the number of Administration Servers
you need to support a distributed network, and the number of subscribed clients.
The hardware requirements for PGP Endpoint 4.4 SR1 vary depending upon the number of
servers and clients you manage. The following minimum hardware requirements will support up
to:
• 200 connected PGP Endpoint clients for PGP Endpoint Device Control
• 50 connected PGP Endpoint clients for PGP Endpoint Application Control
Table 2: Minimum Hardware Requirements
PGP Endpoint Component    Requirement
Database:
• 1 GB (4 GB recommended) memory
• Pentium® Dual-Core CPU processor or AMD equivalent
• 3 GB minimum hard disk drive
• 100 MBits/s NIC
Administration Server:
• 512 MB (1 GB recommended) memory
• Pentium® Dual-Core CPU or AMD equivalent
• 3 GB minimum hard disk drive
• 100 MBits/s NIC
Management Server Console:
• 512 MB (1 GB recommended) memory
• 15 MB hard disk drive for installation, and 150 MB additional for application files
• 1024 by 768 pixels for display
Client:
• 256 MB (1 GB recommended) memory
• Pentium Dual-Core CPU or AMD equivalent
• 10 MB hard disk drive for installation, and several additional GB for full shadowing feature of PGP Endpoint Device Control
• 100 MBits/s NIC
Supported Operating Systems
PGP Endpoint supports multiple Microsoft Windows operating systems for the Administration
Server, Management Server Console, database, and client.
The operating system requirements for PGP Endpoint 4.4 SR1 components are outlined as
follows.
Table 3: Operating System Requirements
PGP Endpoint Component    Requirement
Database: One of the following:
• Microsoft Windows® XP Professional Service Pack 2 or higher (SP2+) (32-bit)
• Microsoft Windows XP Service Pack 2 (SP2) (64-bit)
• Microsoft Windows Server® 2003 Service Pack 2 (SP2) (32- and 64-bit)
• Microsoft Windows Server 2008 (32-bit and 64-bit)
• Microsoft Windows Server 2008 R2 (64 bit only)
Administration Server: One of the following:
• Microsoft Windows Server 2003 SP2 (32-bit)
• Microsoft Windows Server 2008 (32-bit and 64-bit)
• Microsoft Windows Server 2008 R2 (64 bit only)
Management Server Console: One of the following:
• Microsoft Windows XP Professional SP2+ (32-bit)
• Microsoft Windows Server 2003 SP2 (32-bit)
• Microsoft Windows Server 2008 (32-bit and 64-bit)
• Microsoft Windows Server 2008 R2 (64 bit only)
• Microsoft Windows Vista™ SP1+ (32- and 64-bit)
• Microsoft Windows 7 (32- and 64-bit)
Client: One of the following:
• Microsoft Windows® Server 2000 Service Pack 4 or higher (SP4+) (32-bit)
• Microsoft Windows 2000 Professional SP4+ (32-bit)
• Microsoft Windows XP Professional Service Pack 2 or higher (SP2+) (32- and 64-bit)
• Microsoft Windows Server 2003 SP2 (32- and 64-bit)
• Microsoft Windows Server 2008 (32-bit and 64-bit)
• Microsoft Windows Server 2008 R2 (64 bit only)
• Microsoft Windows Vista SP1+ (32- and 64-bit)
• Microsoft Windows 7 (32- and 64-bit)
• Microsoft Windows XP Embedded (XPe) Service Pack 2 (SP2) (32-bit)
• Microsoft Windows Embedded Point of Service (WEPOS) (32-bit)
• Microsoft Windows XP Tablet PC Edition (32-bit)
• Citrix Access Gateway™ 4.5
• Citrix Presentation Server™ 4.0 for Windows Server 2003 SP1/SR2+ (32-bit)
• Citrix Presentation Server 4.5 for Windows Server 2003 SP1/SR2+ (32- and 64-bit)
Supported Databases
PGP Endpoint supports multiple releases of Microsoft® SQL Server®. You should choose
the database instance required by your network operating environment and the number of
Administration Servers and subscribed clients the application must support.
The database requirements for PGP Endpoint 4.4 SR1 components are outlined as follows.
Table 4: Database Requirements
PGP Endpoint Component    Requirement
Database: One of the following:
• Microsoft SQL Server® 2005 Service Pack 2 or higher (SP2+) (32-bit and 64-bit)
• Microsoft SQL Server 2005 Express Edition SP2+ (32-bit and 64-bit)
• Microsoft SQL Server 2008
• Microsoft SQL Server 2008 Express Edition
Other Software Requirements
The PGP Endpoint 4.4 SR1 release requires the following additional software.
Additional software requirements for PGP Endpoint 4.4 SR1 components are outlined as
follows.
Table 5: Other Software Requirements
PGP Endpoint Component    Requirement
Database: No additional software requirements.
Administration Server: Install Microsoft® Certificate Authority for PGP Endpoint Device Control encryption, if you will be encrypting Windows user accounts. See Microsoft Certificate Authority (http://technet.microsoft.com/en-us/library/cc756120.aspx) for additional information about certificates.
Management Server Console: Microsoft Visual C++ 2008 Redistributable Package.
Client: No additional software requirements.
Recommended Configuration
To maximize PGP Endpoint 4.4 SR1 for operation in a Microsoft Windows environment, you
should configure your network environment database and client components using the following
suggested configurations.
The recommended configurations for PGP Endpoint 4.4 SR1 components are outlined as
follows. These settings represent the usual default settings, but should be confirmed before
beginning PGP Endpoint installation.
Table 6: Recommended Configuration
PGP Endpoint Component    Requirement
Database
Administration Server: None recommended.
Management Server Console: None recommended.
Client
• Change the Windows Event Viewer settings to 1024 KB and choose to overwrite events as necessary.
• Change Windows Performance settings to prioritize for background applications.
• If you are using Active Directory, configure a corresponding Domain Name System (DNS) server as Active Directory (AD) integrated and create a reverse lookup zone, to provide for name resolution within the PGP Endpoint Management Server Console.
• Configure NIC to receive IP from DHCP service.
• Change the Windows Event Viewer settings to 1024 KB and choose to overwrite events as necessary.
Client Supported Languages
The PGP Endpoint 4.4 SR1 client supports multiple languages in text format.
The PGP Endpoint 4.4 SR1 client is supported in the following languages:
• English
• French
• Italian
• German
• Spanish
• Japanese
• Simplified Chinese
• Traditional Chinese
• Russian
• Dutch
• Portuguese
• Swedish
Licensing PGP Endpoint Products
The following types of licenses are available for PGP Endpoint product solutions:
• An Evaluation License provides you with a fully functioning PGP Endpoint product solution
for a limited time.
• A Perpetual License provides full capacity for an unlimited period.
• A Subscription License provides full capacity for the time period specified by the terms of
your license.
Chapter 2: Installing PGP Endpoint Components
In this chapter:
• Installation Overview
• Installation Checklist
• Installing the PGP Endpoint Database
• Generating a Key Pair
• Installing the Administration Server
• Installing the PGP Endpoint Management Server Console
• Installing the PGP Endpoint Client
Successful installation of PGP Endpoint 4.4 SR1 requires
you to install components in the following order:
1. Install the database.
2. Generate and save a public and private key pair.
This action is not required; however, PGP strongly
recommends the use of a public-private key pair to
provide the highest level of security.
3. Install the Administration Server(s).
4. Install the Management Server Console.
5. Install and deploy the client.
Installation Overview
PGP Endpoint component installation requires that you follow a series of interdependent tasks
in a prescribed order. Before you begin, you must have a valid license key for each software
application that you are installing.
Use the following process to identify the tasks for installing PGP Endpoint 4.4 SR1 components.
For your convenience, this process refers to the Installation Checklist on page 21.
Figure 1: PGP Endpoint Product Solution Installation Process Flow
Installation Checklist
The installation checklist outlines the detailed tasks that you must perform when installing the
Application Control and Device Control solutions.
This checklist guides you through the installation process.
Important: For installation or upgrade to PGP Endpoint version 4.4 SR1:
• You must have a new license file that is valid specifically for version 4.4.
• Existing license files issued before PGP Endpoint version 4.4 will not work with the PGP
Endpoint Administration Server and may cause your Administration Servers to stop working.
The PGP Endpoint 4.4 license must be installed before you install or upgrade the PGP
Endpoint database, and then the Administration Server.
• Request a new license file using the Downloads tab on the PGP Licensing and Entitlement
Management System (LEMS) (https://lems.pgp.com/account/login).
To begin your installation:
1. Copy the PGP Endpoint license file to the \\Windows\System32 or \\Windows\SysWOW64
folder, and rename the file to Endpoint.lic. The license file may be installed after installing
the database; however, the license file must be installed before installing the Administration
Server.
2. Download the PGP Endpoint application software from the PGP Licensing and Entitlement
Management System (LEMS) (https://lems.pgp.com/account/login).
3. Create a device, media, or software application inventory which lists the items that you want
PGP Endpoint 4.4 SR1 to control.
4. Document company policy that defines:
• Device permissions.
• Shadowing requirements.
• Device encryption requirements.
• PGP Endpoint administrators and their roles.
• Global domain groups for PGP Endpoint administrators.
5. Plan your PGP Endpoint network architecture, based on capacity requirements, that list the
PGP Endpoint Administration Server host names and IP addresses.
6. Create a dedicated Administration Server domain user rights service account and set the
following:
• User cannot change password.
• Password never expires.
The domain account must have local administration rights when you plan to use the TLS
communication protocol for client-Administration Server and inter-Administration Server
data transfers.
7. Create Impersonate a client after authentication user rights for the Administration Server.
See Impersonate a Client After Authentication (http://support.microsoft.com/kb/821546) for
additional information about impersonating a client after authentication user rights.
8. Verify that the Administration Server domain account has Log on as a service user rights.
See Add the Log on as a service right to an account
(http://technet.microsoft.com/en-us/library/cc739424(WS.10).aspx) for additional information
about logging on as a service user rights.
9. Install Microsoft® Internet Information Services on the same computer as the certification
authority, otherwise the enterprise root certificate cannot be generated. See Internet
Information Services (IIS) (http://www.iis.net) for additional information about installing
Internet Information Services.
10. Install a Microsoft enterprise root certification authority to enable removable device
encryption for PGP Endpoint Device Control. See Install a Microsoft enterprise root
certification authority (http://technet.microsoft.com/en-us/library/cc776709.aspx) for
additional information about installing an enterprise root certificate.
11. Install a Microsoft SQL Server®. See Getting Started with SQL Server
(http://msdn.microsoft.com/en-us/sqlserver/default.aspx) for additional information about
installing a SQL server.
12. Complete Installing the PGP Endpoint Database on page 23.
13. To install multiple Administration Servers, create a shared file directory on a file server to
share the Datafile directory component. This action is only required if you will be using more
than one Administration Server.
14. Complete Generating a Key Pair on page 26. This action is recommended, but not
required.
15. Complete Installing the Administration Server on page 28.
Important: The Administration Server service account must have database owner (DBO)
rights to the PGP Endpoint database.
16. Complete Installing the PGP Endpoint Management Server Console on page 39.
17. Complete Installing the PGP Endpoint Client on page 43.
18. Test your PGP Endpoint product solution installation for functionality.
Installing the PGP Endpoint Database
The PGP Endpoint database is the first component that you install. The database serves as the
central repository for device permissions rules and executable file authorizations.
Prerequisites:
Important: For installation or upgrade to PGP Endpoint version 4.4 SR1:
• You must have a new license file that is valid specifically for version 4.4.
• Existing license files issued before PGP Endpoint version 4.4 will not work with the PGP
Endpoint Administration Server and may cause your Administration Servers to stop working.
The PGP Endpoint 4.4 license must be installed before you install or upgrade the PGP
Endpoint database, and then the Administration Server.
• Request a new license file using the Downloads tab on the PGP Licensing and Entitlement
Management System (LEMS) (https://lems.pgp.com/account/login).
Before you can successfully install the PGP Endpoint database, you must:
• Verify that you satisfy the minimum hardware and software system requirements.
• If you will be using a database cluster, you must specify an alternate TDS port during SQL
server setup. See Creating a Server Alias for Use by a Client (SQL Server Configuration
Manager) (http://msdn.microsoft.com/en-us/library/ms190445.aspx) for additional information
about creating a server alias. You can install the PGP Endpoint database on a server
cluster, where there are at least two servers in the cluster running SQL Server. For additional
information regarding database clustering, see Microsoft Cluster Service (MSCS) Installation
1. Log in to a computer as an administrative user with access to a Microsoft® SQL Server®.
2. Close all programs running on the computer.
3. From the location where you saved the PGP Endpoint application software, run the
\server\db\setup.exe file.
Step Result: The Installation Wizard Welcome page opens.
4. Click Next.
Step Result: The License Agreement page opens.
Figure 2: License Agreement Page
5. Review the license agreement and, if you agree, select I accept the terms in the license
agreement.
6. Click Next.
Step Result: The Destination Folder page opens.
Figure 3: Destination Folder Page
7. You may choose an installation destination folder other than the default folder C:\Program
Files\PGP Corporation\PGP Endpoint.
a) Click Change.
Step Result: The Change Current Destination Folder page opens.
Figure 4: Change Current Destination Folder Page
b) Select a folder from the Look in: field.
c) Click OK.
Step Result: The Change Current Destination Folder closes, and the Destination
Folder page changes to reflect the new location.
8. Click Next.
Step Result: The Ready to Install the Program page opens.
Figure 5: Ready to Install the Program Dialog
9. Click Install.
A progress bar runs on the page, showing installation progress.
Step Result: The Completed page opens.
10. Click Finish.
Result: PGP Endpoint setup runs the SQL installation scripts and creates the PGP
Endpoint database for the SQL Server database instance that you specified.
Generating a Key Pair
The Administration Server uses a symmetric encryption system to communicate with a client,
using a public-private key pair that you generate during installation.
The Administration Server and PGP Endpoint clients contain an embedded default public and
private key pair that should only be used with an evaluation license. PGP provides a Key Pair
Generator utility, which generates a key pair for fully licensed application installations. The key
pair ensures the integrity of communication between the Administration Server and clients.
When an Administration Server cannot find a valid key pair at startup, the event is logged and
PGP Endpoint uses the default key pair.
Caution: When you are using Device Control, do not change the key pair:
• For media encrypted before exchanging a key pair, which will result in disabling password
recovery for the previously encrypted media.
• During a PGP Endpoint upgrade installation, which will result in the loss of access to media
previously encrypted centrally and subsequent loss of data.
• During a PGP Endpoint upgrade installation when client hardening is enabled, which will
cause PGP Endpoint Application Control and PGP Endpoint Device Control installations to
fail.
1. From the location where you saved the PGP Endpoint application software, run the
server\keygen\keygen.exe file.
Step Result: The Key Pair Generator dialog opens.
Figure 6: Key Pair Generator Dialog
2. In the Directory field, enter the name of the temporary directory where you will save the key
pair.
3. In the Seed field, type a random alphanumeric text string.
This text is used to initiate the random number generator; the longer the text string the more
secure the key pair.
4. Click Create keys.
Step Result: The Key Pair Generator confirmation dialog opens.
Figure 7: Key Pair Generator Dialog
5. Click OK.
Step Result: You return to the Key Pair Generator dialog.
6. Click Exit.
Result: The keys are saved as sx-private.key and sx-public.key files in the directory you
specified.
After Completing This Task:
Distribute the key pair by copying sx-private.key and sx-public.key files to the
\\%windir%\system32 directory on the computer(s) where you are installing the Administration
Server. At startup, the Administration Server searches all drive locations for a valid key pair,
stopping at the first valid key pair.
Installing the Administration Server
The Administration Server processes PGP Endpoint client actions and is the only application
component that connects to the database. One or more Administration Servers communicate
device and application control information between the PGP Endpoint database and PGP
Endpoint client(s).
Prerequisites:
Before you can successfully install the Administration Server, you must:
• Verify that a valid PGP Endpoint license file is listed in the \\Windows\System32 or \\Windows\SysWOW64 folder, and is named Endpoint.lic.
Important: For installation or upgrade to PGP Endpoint version 4.4 SR1:
  • You must have a new license file that is valid specifically for version 4.4.
  • Existing license files issued before PGP Endpoint version 4.4 will not work with the PGP
  Endpoint Administration Server and may cause your Administration Servers to stop
  working. The PGP Endpoint 4.4 license must be installed before you install or upgrade the
  PGP Endpoint database, and then the Administration Server.
  • Request a new license file using the Downloads tab on the PGP Licensing and
  Entitlement Management System (LEMS) (https://lems.pgp.com/account/login).
• Verify that you satisfy the minimum hardware and software system requirements.
Restriction: If you are installing the PGP Endpoint Application Control Terminal Services
Edition, you must install the Administration Server on a computer separate from the Citrix®
Metaframe® Presentation Server.
• Confirm that TCP port 33115 and UDP port 65229 (when using TLS protocol), or TCP port
65129 (when not using TLS protocol), are open. Depending upon how firewalls are set up in
your environment, these ports may be closed.
• Configure the TCP/IP protocol to use a fixed IP address for the computer that runs the
Administration Server.
• Configure the Administration Server host computer to perform fully qualified domain
name (FQDN) resolution for the PGP Endpoint clients that the server manages. See How
to Configure the Intranet FQDN of Site Systems
(technet.microsoft.com/en-us/library/bb694183.aspx) for additional information about
configuring to use DNS name resolution for computers using FQDNs.
• Configure the Administration Server host computer account to read domain information using
the Microsoft® Windows® Security Account Manager. See Security Account Manager (SAM)
(http://technet.microsoft.com/en-us/library/cc756748.aspx) for additional information about
the Microsoft Windows Security Account Manager.
• Synchronize the Administration Server system clock with the PGP Endpoint database
using the Microsoft Windows time service. See Time Service
(http://support.microsoft.com/kb/816042) for details about using the Microsoft Windows time
service.
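A read-only pre-flight check for the license-file prerequisite above and the key pair distribution step in Generating a Key Pair, added here as an example and not part of the PGP guide or product. It assumes an elevated 64-bit PowerShell session on the Administration Server host; all function and variable names are hypothetical.

```powershell
# Added example: read-only pre-flight check for an Administration Server host.
# Endpoint.lic, sx-private.key, sx-public.key and the System32/SysWOW64 folders
# come from this guide; all function and variable names are hypothetical.

$sys32    = Join-Path $env:windir 'System32'
$wow64    = Join-Path $env:windir 'SysWOW64'
$keyNames = @('sx-private.key', 'sx-public.key')
$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Level, [string]$Message) {
    $row = New-Object PSObject -Property @{ Level = $Level; Message = $Message }
    [void]$findings.Add($row)
}

function Get-Sha256Hex([string]$Path) {
    # The hash is used only to tell copies apart; it is never printed.
    $stream = $null
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        $bytes  = [System.Security.Cryptography.SHA256]::Create().ComputeHash($stream)
        return [System.BitConverter]::ToString($bytes).Replace('-', '')
    } catch {
        Add-Finding 'WARN' "Cannot read $Path"
        return $null
    } finally {
        if ($stream) { $stream.Close() }
    }
}

# 1. License file: must be in System32 or SysWOW64 before the server is installed.
$licPaths = @($sys32, $wow64) | ForEach-Object { Join-Path $_ 'Endpoint.lic' } |
            Where-Object { Test-Path -Path $_ -PathType Leaf }
if (-not $licPaths) { Add-Finding 'FAIL' "Endpoint.lic not found in $sys32 or $wow64" }
else { $licPaths | ForEach-Object { Add-Finding 'OK' "License file present: $_" } }

# 2. Key pair: the server stops at the first valid pair it finds on any drive,
#    so inventory every copy on the fixed drives, not only the one in System32.
$copies = @([System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady } |
    ForEach-Object { Get-ChildItem -Path $_.RootDirectory.FullName -Include $keyNames `
                         -Recurse -Force -ErrorAction SilentlyContinue } |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { New-Object PSObject -Property @{
        Name = $_.Name; Path = $_.FullName; Folder = $_.DirectoryName
        Hash = (Get-Sha256Hex $_.FullName) } })

foreach ($name in $keyNames) {
    $mine     = @($copies | Where-Object { $_.Name -ieq $name })
    $versions = @($mine | Where-Object { $_.Hash } | Group-Object Hash)
    if (-not ($mine | Where-Object { $_.Folder -ieq $sys32 })) {
        Add-Finding 'WARN' "$name is not in $sys32; without a valid pair the embedded default pair is used"
    }
    if ($versions.Count -gt 1) {
        Add-Finding 'FAIL' "$($versions.Count) different $name files found; the first valid pair found wins"
    }
}
# Copies of the private key left elsewhere (for example the temporary directory
# given to the Key Pair Generator) are worth reviewing.
$copies | Where-Object { $_.Name -ieq 'sx-private.key' -and $_.Folder -ine $sys32 } |
    ForEach-Object { Add-Finding 'WARN' "Private key copy outside System32: $($_.Path)" }

# 3. Private key ACL: report identities other than LocalSystem and
#    BUILTIN\Administrators that are allowed to read the file.
$trusted = @('S-1-5-18', 'S-1-5-32-544')
$read    = [System.Security.AccessControl.FileSystemRights]::ReadData
$privKey = Join-Path $sys32 'sx-private.key'
if (Test-Path -Path $privKey -PathType Leaf) {
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -Path $privKey).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band $read) -and
                       ($trusted -notcontains $_.IdentityReference.Value) } |
        ForEach-Object {
            Add-Finding 'WARN' "sx-private.key is readable by SID $($_.IdentityReference.Value)"
        }
}

$findings | Select-Object Level, Message | Format-Table -AutoSize -Wrap
```

The recursive search covers every fixed drive and can take several minutes on large volumes; the script changes nothing on disk.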
1. Log in with administrative user access to the computer where you are installing the
Administration Server.
Important: For Active Directory environments, log in using the dedicated Administration
Server domain user rights service account. The Administration Server installation process
configures the Administration Server service account for access to the database.
2. Close all programs running on the computer.
3. From the location where you saved the PGP Endpoint application software, run
\server\sxs\setup.exe.
4. Click OK.
Step Result: The Installation Wizard Welcome page opens.
5. Click Next.
Step Result: The License Agreement page opens.
Figure 8: License Agreement Page
6. Review the license agreement and, if you agree, select I accept the terms in the license
agreement.