PGP Endpoint - 4.4 SR5 Setup Guide

Setup Guide

PGP Endpoint 4.4 SR5

PGP Endpoint

- 2 -

Notices

Version Information

PGP Endpoint Setup Guide - PGP Endpoint Version 4.4SR5 - Released: September 2010

Document Number: 02_102P_4.4SR5_102711504

Copyright Information

Copyright© 1991-2010 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written
permission of PGP Corporation.

Trademark Information

PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other
countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft
Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc.
Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark
of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or
registered trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark
of Hewlett-Packard Company. SSH and Secure Shell are trademarks of SSH Communications Security, Inc.
Rendezvous and Mac OS X are trademarks or registered trademarks of Apple Computer, Inc. All other registered
and unregistered trademarks in this document are the sole property of their respective owners.

Licensing and Patent Information

The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The
CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for
commercial and non-commercial uses. PGP Corporation has secured a license to the patent rights contained in the
patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block Cipher
Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third­party software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP
Universal Server as a whole is not licensed under the GPL. If you would like a copy of the source code for the GPL
software included in PGP Universal Server, contact PGP Support (http://www.pgp.com/support). PGP Corporation
may have patents and/or pending patent applications covering subject matter in this software or its documentation;
the furnishing of this software or documentation does not give you any license to these patents.

Acknowledgements

This product includes or may include:

• The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from
the free Info-ZIP implementation, developed by zlib (http://www.zlib.net). • Libxml2, the XML C parser and
toolkit developed for the Gnome project and distributed and copyrighted under the MIT License found at http://
www.opensource.org/licenses/mit-license.html. Copyright © 2007 by the Open Source Initiative. • bzip2 1.0, a freely
available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005. • Application server (http://
jakarta.apache.org/), web server (http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/
license.html) and log4j, a Java-based library used to parse HTML, developed by the Apache Software Foundation.
The license is at www.apache.org/licenses/LICENSE-2.0.txt. • Castor, an open-source, databinding framework
for moving data from XML to Java programming language objects and from Java to databases, is released by the
ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html. • Xalan, an open­source software library from the Apache Software Foundation that implements the XSLT XML transformation
language and the XPath XML query language, is released under the Apache Software License, version 1.1, available

- 3 -

PGP Endpoint

at http://xml.apache.org/xalan-j/#license1.1. • Apache Axis is an implementation of the SOAP (“Simple Object
Access Protocol”) used for communications between various PGP products is provided under the Apache license
found at http://www.apache.org/licenses/LICENSE-2.0.txt. • mx4j, an open-source implementation of the Java
Management Extensions (JMX), is released under an Apache-style license, available at http://mx4j.sourceforge.net/
docs/ch01s06.html. • jpeglib version 6a is based in part on the work of the Independent JPEG Group. (http://
www.ijg.org/) • libxslt the XSLT C library developed for the GNOME project and used for XML transformations
is distributed under the MIT License http://www.opensource.org/licenses/mit-license.html. • PCRE version 4.5
Perl regular expression compiler, copyrighted and distributed by University of Cambridge. ©1997-2006. The
license agreement is at http://www.pcre.org/license.txt. • BIND Balanced Binary Tree Library and Domain Name
System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org)

• Free BSD implementation of daemon developed by The FreeBSD Project, © 1994-2006. • Simple Network
Management Protocol Library developed and copyrighted by Carnegie Mellon University © 1989, 1991, 1992,
Networks Associates Technology, Inc, © 2001- 2003, Cambridge Broadband Ltd.© 2001- 2003, Sun Microsystems,
Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts
and Telecommunications, © 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/
license.html. • NTP version 4.2 developed by Network Time Protocol and copyrighted to various contributors.

• Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is
an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003,
The OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html.

• Secure shell OpenSSH version 4.2.1 developed by OpenBSD project is released by the OpenBSD Project under
a BSD-style license, available at http://www.openbsd.org/cgibin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD.

• PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released under the
BSD license. • Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0,
available at http://www.opensource.org/licenses/ibmpl.php. • PostgreSQL, a free software object-relational database
management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence. •
PostgreSQL JDBC driver, a free Java program used to connect to a PostgreSQL database using standard, database
independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a BSD-style
license, available at http://jdbc.postgresql.org/license.html. • PostgreSQL Regular Expression Library, a free
software object-relational database management system, is released under a BSD-style license, available at http://
www.postgresql.org/about/licence. • 21.vixie-cron is the Vixie version of cron, a standard UNIX daemon that runs
specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission. • JacORB, a Java
object used to facilitate communication between processes written in Java and the data layer, is open source licensed
under the GNU Library General Public License (LGPL) available at http://www.jacorb.org/lgpl.html. Copyright
2006 The JacORB Project. • TAO (The ACE ORB) is an open-source implementation of a CORBA Object Request
Broker (ORB), and is used for communication between processes written in C/C++ and the data layer. Copyright
(c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California,
Irvine, and Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/
~schmidt/ACEcopying. html. • libcURL, a library for downloading files via common network services, is open
source software provided under a MIT/X derivate license available at http://curl.haxx.se/docs/copyright.html.
Copyright (c) 1996 - 2007, Daniel Stenberg. • libuuid, a library used to generate unique identifiers, is released under
a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright
(C) 1996, 1997 Theodore Ts’o. • libpopt, a library that parses command line options, is released under the terms
of the GNU Free Documentation License available at http://directory.fsf.org/libs/COPYING.DOC. Copyright

©

2000-2003 Free Software Foundation, Inc. • gSOAP, a development tool for Windows clients to communicate with
the Intel Corporation AMT chipset on a motherboard, is distributed under the GNU Public License, available at
http://www.cs.fsu.edu/~engelen/soaplicense.html. • Windows Template Library (WRT) is used for developing user

©

- 4 -

interface components and is distributed under the Common Public License v1.0 found at http://opensource.org/
licenses/cpl1.0.php. • The Perl Kit provides several independent utilities used to automate a variety of maintenance
functions and is provided under the Perl Artistic License, found at http://www.perl.com/pub/a/language/misc/
Artistic.html.

Export Information

Export of this software and documentation may be subject to compliance with the rules and regulations promulgated
from time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts
the export and re-export of certain products and technical data.

Limitations

The software provided with this documentation is licensed to you for your individual use under the terms of the End
User License Agreement provided with the software. The information in this document is subject to change without
notice. PGP Corporation does not warrant that the information meets your requirements or that the information is
free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to
the information and incorporated in new editions of this document, if and when made available by PGP Corporation.

Notices

- 5 -

PGP Endpoint

- 6 -

Table of Contents

Table of Contents

Preface: About This Document..................................................................................................................................9

Typographical Conventions..........................................................................................................................................................9

Getting Assistance........................................................................................................................................................................9

Chapter 1: Planning Your Installation................................................................................................................... 11

Recommended Security Rules................................................................................................................................................... 11

System Requirements.................................................................................................................................................................12

Minimum Hardware Requirements......................................................................................................................................13

Supported Operating Systems..............................................................................................................................................14

Supported Databases............................................................................................................................................................17

Other Software Requirements..............................................................................................................................................17

Recommended Configuration.............................................................................................................................................. 18

Client Supported Languages................................................................................................................................................18

Licensing PGP Endpoint Products.............................................................................................................................................19

Chapter 2: Installing PGP Endpoint Components................................................................................................ 21

Installation Overview................................................................................................................................................................. 22

Installation Checklist..................................................................................................................................................................22

Installing the Database...............................................................................................................................................................24

Generating a Key Pair................................................................................................................................................................26

Installing the Administration Server..........................................................................................................................................28

Installing the Management Server Console...............................................................................................................................37

Installing the Client....................................................................................................................................................................41

Chapter 3: Upgrading PGP Endpoint Components.............................................................................................. 49

Upgrade Overview......................................................................................................................................................................50

Upgrading the Database.............................................................................................................................................................51

Upgrading the Administration Server........................................................................................................................................54

Upgrading the Management Server Console.............................................................................................................................57

Upgrading the Client..................................................................................................................................................................58

Chapter 4: Installation Checklist.............................................................................................................................65

Installation Checklist..................................................................................................................................................................65

Chapter 5: Using PGP Endpoint Client Deployment............................................................................................67

- 7 -

PGP Endpoint

PGP Endpoint Client Deployment Window..............................................................................................................................68

Packages Panel.....................................................................................................................................................................68

Packages Menu.....................................................................................................................................................................69

Computers Panel.................................................................................................................................................................. 69

Computers Menu..................................................................................................................................................................70

Creating Deployment Packages................................................................................................................................................. 71

Adding Computers......................................................................................................................................................................74

Deploying Packages................................................................................................................................................................... 76

Querying Client Status...............................................................................................................................................................80

Appendix A: Configuring DCOM Settings for the Administration Server.........................................................83

Setting Up Distributed Component Object Model (DCOM)....................................................................................................83

Set Access Control List Security Permissions.......................................................................................................................... 86

Appendix B: Installing the Client for Windows XP Embedded...........................................................................89

Windows XPe Client Limitations..............................................................................................................................................89

Supported Devices......................................................................................................................................................................90

Installing the Client for Windows XPe.....................................................................................................................................91

- 8 -

Preface

About This Document

This Setup Guide is a resource written for all users of PGP Endpoint 4.4 SR5. This document defines the
concepts and procedures for installing, configuring, implementing, and using PGP Endpoint 4.4 SR5.

Tip:

PGP documentation is updated on a regular basis. To acquire the latest version of this or any other published
document, please refer to the PGP Support Portal Web Site (https://support.pgp.com).

Typographical Conventions

The following conventions are used throughout this documentation to help you identify various information
types.

Table 1: Typographical Conventions

Convention Usage
bold Buttons, menu items, window and screen objects.

bold italics

italics New terms, options, and variables.

MONOSPACE UPPERCASE Keyboard keys.

BOLD UPPERCASE SQL Commands.

monospace File names, path names, programs, executables, command syntax, and

Wizard names, window names, and page names.

property names.

Getting Assistance

Getting Product Information

Unless otherwise noted, the product documentation is provided as Adobe Acrobat PDF files that are installed
with PGP Endpoint. Online help is available within the PGP Endpoint product. Release notes are also available,
which may have last-minute information not found in the product documentation.

- 9 -

PGP Endpoint

Contacting Technical Support

• To learn about PGP support options and how to contact PGP Technical Support, please visit the PGP
Corporation Support Home Page (http://www.pgp.com/support).

• To access the PGP Support Knowledge Base or request PGP Technical Support, please visit PGP Support
Portal Web Site (https://support.pgp.com).

Note:

You may access portions of the PGP Support Knowledge Base without a support agreement; however, you
must have a valid support agreement to request Technical Support.

• For any other contacts at PGP Corporation, please visit the PGP Contacts Page (http://www.pgp.com/

company/contact/index.html).

• For general information about PGP Corporation, please visit the PGP Web Site (http://www.pgp.com).

• To access the PGP Support forums, please visit PGP Support (http://forums.pgpsupport.com). These are user
community support forums hosted by PGP Corporation.

- 10 -

Chapter

1

Planning Your Installation

In this chapter:

• Recommended Security Rules

• System Requirements

• Licensing PGP Endpoint Products

Planning for your software installation requires knowledge of the
minimum system requirements necessary to support Application
Control and Device Control coupled with recommendations for
network security rules that can enhance the security state of your
environment.

To assist in gathering the information required for a smooth
installation, PGP recommends that you use the Installation Checklist
on page 22.

Recommended Security Rules

PGP recommends that you define certain administrative security rules before installing PGP Endpoint.
The recommended security settings are specific to Microsoft® Windows® and complement operation of PGP

Endpoint.

Table 2: Recommended Security Rules

Security Rule Description

Hard Disk Encryption Encrypts computer disk drives to prevent unauthorized user

access to the computer hard disk drive.

Password Protect the BIOS Prevents administrative user access when using a CMOS

reset jumper, in combination with password protection for
the BIOS and seal/chassis intrusion protection.

Seal/Chassis Intrusion Protector Uses seal and/or chassis intrusion protection hardware to

prevent administrative user access using an external boot
device to bypass workstation security software.

Administrative Rights Remove local users from the local Administrators group to

prevent unrestricted local user computer access.

Power Users Remove local users from the Power Users group to prevent

users from tampering or bypassing standard Windows
security policies.

- 11 -

PGP Endpoint

Security Rule Description

Access Policy Restrict network and file access as much as possible,

including use restriction only to NTFS partitions.

NTFS Partition Use of NTFS partitioning is required for installation of PGP

Endpoint product solutions.

Recovery Console

Service Pack and Hot Fixes Always install the latest service packs and hot fixes for

Firewalls Use traditional perimeter-based security systems, like

Password Policies Maintain strong password security policies.
Private and Public Key Generation Deploy PGP Endpoint product solutions using secure public

Password protect user access to the Recovery Console,
which is available for the Windows DVD/CD-ROM or
MSDN subscription.

the operating system supported by PGP Endpoint product
solutions.

firewalls, to complement PGP Endpoint product solutions.

and private key pairs.

System Requirements

The following sections describe the minimum system requirements necessary for successful installation of PGP
Endpoint and the languages supported by the client.

The listed specifications are a minimum; larger network environments, may require additional hardware and
software resources. The system requirements for PGP Endpoint are listed in the following topics.

- 12 -

Planning Your Installation

Minimum Hardware Requirements

The minimum PGP Endpoint hardware requirements depend upon your service network environment, including
the type of database supported, the number of Administration Servers you need to support a distributed network,
and the number of subscribed clients.

The hardware requirements for PGP Endpoint vary depending upon the number of servers and clients you
manage. The following minimum hardware requirements will support up to:

• 200 connected PGP Endpoint clients for PGP Endpoint Device Control

• 50 connected PGP Endpoint clients for PGP Endpoint Application Control

Table 3: Minimum Hardware Requirements

PGP Endpoint Component Requirement

Database

Administration Server

Management Server Console

Client

• 1 GB (4 GB recommended) memory

• Pentium® Dual-Core CPU processor or AMD equivalent

• 3 GB minimum hard disk drive

• 100 MBits/s NIC

• 512 MB (1 GB recommended) memory

• Pentium® Dual-Core CPU or AMD equivalent

• 3 GB minimum hard disk drive

• 100 MBits/s NIC

• 512 MB (1 GB recommended) memory

• 15 MB hard disk drive for installation, and 150 MB additional for
application files

• 1024 by 768 pixels for display

• 256 MB (1 GB recommended) memory

• 10 MB hard disk drive for installation, and several additional GB for
full shadowing feature of PGP Endpoint Device Control

• 100 MBits/s NIC

- 13 -

PGP Endpoint

Supported Operating Systems

PGP Endpoint supports multiple Microsoft Windows operations systems for the Administration Server,
Management Server Console, database, and client.

The operating system requirements for PGP Endpoint components are outlined as follows.

Table 4: Operating System Requirements

PGP Endpoint Component Requirement

Database One of the following:

• Microsoft Windows ® XP Professional Service Pack 2 or higher
(SP2+) (32-bit)

• Windows XP Service Pack 2 (SP2) (64-bit)

• Microsoft Windows Server 2003, Standard Edition with Service
Pack 2 (SP2) or later (32-bit)

• Microsoft Windows Server 2003, Enterprise Edition with SP2
or later (32-bit)

• Microsoft Windows Server 2008, Standard Edition with SP2 or
later (32-bit and 64-bit)

• Microsoft Windows Server 2008, Enterprise Edition with SP2
or later (32-bit and 64-bit)

• Microsoft Windows Server 2008 R2 (64 bit only)

Administration Server One of the following:

• Windows Server 2003, Standard Edition with SP2 or later (32­bit)

• Windows Server 2003, Enterprise Edition with SP2 or later (32­bit)

• Windows Server 2008, Standard Edition with SP2 or later (32­bit and 64-bit)

• Windows Server 2008, Enterprise Edition with SP2 or later (32­bit and 64-bit)

• Windows Server 2008 R2 (64 bit only)

- 14 -

PGP Endpoint Component Requirement

Management Server Console One of the following:

• Windows XP Professional SP2+ (32-bit)

• Windows Server 2003, Standard Edition with SP2 or later (32­bit)

• Windows Server 2003, Enterprise Edition with SP2 or later (32­bit)

• Windows Server 2008, Standard Edition with SP2 or later (32­bit and 64-bit)

• Windows Server 2008, Enterprise Edition with SP2 or later (32­bit and 64-bit)

• Windows Server 2008 R2 (64 bit only)

• Microsoft Windows Vista™ SP1+ (32- and 64-bit)

• Microsoft Windows 7 (32- and 64-bit)

Planning Your Installation

- 15 -

PGP Endpoint

PGP Endpoint Component Requirement

Client One of the following:

• Microsoft Windows® Server 2000 Service Pack 4 or higher
(SP4+) (32-bit)

• Microsoft Windows 2000 Professional SP4+ (32-bit)

• Microsoft Windows XP Professional Service Pack 2 or higher
(SP2+) (32- and 64-bit)

• Windows Server 2003, Standard Edition with SP2 or later (32­bit)

• Windows Server 2003, Enterprise Edition with SP2 or later (32­bit)

• Windows Server 2008, Standard Edition with SP2 or later (32­bit and 64-bit)

• Windows Server 2008, Enterprise Edition with SP2 or later (32­bit and 64-bit)

• Windows Server 2008 R2 (64 bit only)

• Windows Vista SP1+ (32- and 64-bit)

• Windows 7 (32- and 64-bit)

• Microsoft Windows XP Embedded (XPe) Service Pack 2 (SP2)
(32-bit)

• Microsoft Windows Embedded Point of Service (WEPOS) (32­bit)

• Microsoft Windows XP Tablet PC Edition (32-bit)

• Citrix Access Gateway™ 4.5

• Citrix Presentation Server™ 4.0 for Windows Server 2003 SP1/
SR2+ (32-bit)

• Citrix Presentation Server 4.5 for Windows Server 2003 SP1/
SR2+ (32- and 64-bit)

- 16 -

Planning Your Installation

Supported Databases

PGP Endpoint supports multiple releases of Microsoft® SQL Server®. You should choose the database instance
required by your network operating environment and the number of Administration Servers and subscribed
clients the application must support.

The database requirements for PGP Endpoint components are outlined as follows.

Table 5: Database Requirements

PGP Endpoint Component Requirement

Database One of the following:

• Microsoft SQL Server® 2005 Service Pack 2 or higher (SP2+) (32-bit and
64-bit)

• Microsoft SQL Server 2005 Express Edition SP2+ (32-bit and 64-bit)

• Microsoft SQL Server 2008

• Microsoft SQL Server 2008 Express Edition

Other Software Requirements

PGP Endpoint requires the following additional software.
Additional software requirements for PGP Endpoint components are outlined as follows.

Table 6: Other Software Requirements

PGP Endpoint Component Requirement

Database No additional software requirements.
Administration Server If you will be encrypting Windows user accounts for centralized

Device Control encryption, you will need to install an enterprise level
Certificate Authority. See Microsoft Certificate Authority (http://

technet.microsoft.com/en-us/library/cc756120.aspx) for additional

information about certificates.

Attention: Certificate authority installation applies to Device Control

only for centralized encryption capability.
A Certificate Authority is required to use secure communications

between clients and servers, and intra-server communications.

Attention: Certificate authority installation applies to both Device

Control and Application Control for secure server communications.

Management Server Console Microsoft Visual C++ 2008 Redistributable Package.
Client No additional software requirements.

- 17 -

PGP Endpoint

Recommended Configuration

To maximize PGP Endpoint for operation in a Microsoft Windows environment, you should configure your
network environment database and client components using the following suggested configurations.

The recommended configurations for PGP Endpoint components are outlined as follows. These settings represent
the usual default settings, but should be confirmed before beginning PGP Endpoint installation.

Table 7: Recommended Configuration

PGP Endpoint Component Requirement

Database

Administration Server None recommended.
Management Server Console None recommended.
Client

• Change the Windows Event Viewer settings to 1024 KB and

choose to overwrite events as necessary.

• Change Windows Performance settings to prioritize for background

applications.

• If you are using Active Directory, configure a corresponding
Domain Name System (DNS) server as Active Directory (AD)
integrated and create a reverse lookup zone, to provide for name
resolution within the Management Server Console.

• Configure NIC to receive IP from DHCP service.

• Change the Windows Event Viewer settings to 1024 KB and
choose to overwrite events as necessary.

Client Supported Languages

The PGP Endpoint client supports multiple languages in text format.
The PGP Endpoint client is supported in the following languages:

• English

• French

• Italian

• German

• Spanish

• Japanese

• Simplified Chinese

• Traditional Chinese

• Russian

• Dutch

• Portuguese

• Swedish

- 18 -

Planning Your Installation

Licensing PGP Endpoint Products

The following types of licenses are available for PGP Endpoint product solutions:

• An Evaluation License provides you with a fully functioning PGP Endpoint product solution for a limited
time.

• A Perpetual License provides full capacity for an unlimited period.

• A Subscription License provides full capacity for the time period specified by the terms of your license.

- 19 -

PGP Endpoint

- 20 -

Chapter

2

Installing PGP Endpoint Components

In this chapter:

• Installation Overview

• Installation Checklist

• Installing the Database

• Generating a Key Pair

• Installing the Administration Server

• Installing the Management Server

Console

• Installing the Client

PGP Endpoint component installation requires that you follow a series
of interdependent tasks in a prescribed order. Before you begin, you
must have a valid license key for each software application(s) that your
are installing.

Successful installation of PGP Endpoint requires you to install
components in the following order:

Install the database.

1.

Generate and save a public and private key pair. This action is not

2.

required, however, PGP strongly recommends the use of a public­private key pair to provide the highest level of security.

Install the Administration Server(s).

3.

Install the Management Server Console.

4.

Install and deploy the client.

5.

- 21 -

PGP Endpoint

Installation Overview

PGP Endpoint component installation requires that you follow a series of interdependent tasks in a prescribed
order. Before you begin, you must have a valid license key for each software application(s) that your are
installing.

Use the following process to identify tasks for installing components installing PGP Endpoint, for your
convenience this process refers to the Installation Checklist on page 22.

Figure 1: PGP Endpoint Product Solution Installation Process Flow

Installation Checklist

The installation checklist outlines the detailed tasks that you must perform when installing the PGP Endpoint
solutions.

This checklist guides you through the installation process.
To begin your installation:

- 22 -

Installing PGP Endpoint Components

Copy the PGP Endpoint license file to the \\Windows\System32 or \\Windows\SysWOW64 folder, and

1.

rename the file to Endpoint.lic. The license file may be installed after installing the database, however,
the license file must installed before installing the Administration Server.

Download the PGP Endpoint application software from the https://lems.pgp.com/account/login

2.

Create a device, media, or software application inventory which lists the items that you want PGP Endpoint

3.

to control.
Document company policy that defines:

4.

• Device permissions.

• Shadowing requirements.

• Device encryption requirements.

• PGP Endpoint administrators and their roles.

• Global domain groups for PGP Endpoint administrators.
Plan your PGP Endpoint network architecture, based on capacity requirements, that list the Administration

5.

Server host names and IP addresses.
Create a dedicated Administration Server domain user rights service account and set the following:

6.

• User cannot change password.

• Password never expires.
The domain account must have local administration rights when you plan to use the TLS communication

protocol for client- Administration Server and inter- Administration Server data transfers.
Create Impersonate a client after authentication user rights for the Administration Server. See Impersonate

7.

a Client After Authentication ( http://support.microsoft.com/kb/821546 ) for additional information about

impersonating a client after authentication user rights.
Verify that the Administration Server domain account has Log on as a service user rights. See Add the Log

8.

on as a service right to an account ( http://technet.microsoft.com/en-us/library/cc739424(WS.10).aspx ) for

additional information about logging on as a service user rights.
Install Microsoft® Internet Information Services on the same computer as the certification authority,

9.

otherwise the enterprise root certificate cannot be generated. See Internet Information Services (IIS) ( http://

www.iis.net ) for additional information about installing Internet Information Services.

Install a Microsoft enterprise root certification authority to enable removable device encryption for

10.

PGP Endpoint Device Control. See Install a Microsoft enterprise root certification authority ( http://

technet.microsoft.com/en-us/library/cc776709.aspx ) for additional information about installing an enterprise

root certificate.
Install a Microsoft SQL Server® . See Getting Started with SQL Server ( http://msdn.microsoft.com/en-us/

11.

sqlserver/default.aspx ) for additional information about installing a SQL server.

Complete Installing the Database on page 24.

12.

To install multiple Administration Server s, create a shared file directory on a file server to share the Datafile

13.

directory component. This action is only required if you will be using more than one Administration Server.
Complete Generating a Key Pair on page 26. This action is recommended, but not required.

14.

Complete Installing the Administration Server on page 28.

15.

Important: The Administration Server service account must have database owner (DBO) rights to the PGP

Endpoint database.

- 23 -

PGP Endpoint

Complete Installing the Management Server Console on page 37.

16.

Complete Installing the Client on page 41.

17.

Test your PGP Endpoint product solution installation for functionality.

18.

Installing the Database

The PGP Endpoint database is the first component that you install. The database serves as the central repository
for device permissions rules and executable file authorizations.

Prerequisites:

Before you can successfully install the PGP Endpoint database, you must:

• Verify that you satisfy the minimum hardware and software system requirements.

• If you will be using a database cluster, you must specify an alternate TDS port during SQL server
setup. See Creating a Server Alias for Use by a Client (SQL Server Configuration Manager) (http://

msdn.microsoft.com/en-us/library/ms190445.aspx) for additional information about creating a server alias.

You can install the PGP Endpoint database on a server cluster, where there are at least two servers in the
cluster running SQL Server. For additional information regarding database clustering, see Microsoft Cluster

Service (MSCS) Installation Resources (http://support.microsoft.com/kb/259267).

Log in to a computer as an administrative user with access to a Microsoft® SQL Server®.

1.

Close all programs running on the computer.

2.

From the location where you saved the PGP Endpoint application software, run the \server\db

3.

\setup.exe file.

Step Result:

Click Next.

4.

Step Result:

Figure 2: License Agreement Page

Review the license agreement and, if you agree, select I accept the terms in the license agreement.

5.

The Installation Wizard Welcome page opens.

The License Agreement page opens.

- 24 -

Installing PGP Endpoint Components

Click Next.

6.

Step Result:

Figure 3: Destination Folder Page

You may choose an installation destination folder other than the default folder C:\Program Files\PGP

7.

Corporation\PGP Endpoint.

The Destination Folder page opens.

a) Click Change

Step Result:

Figure 4: Change Current Destination Folder Page

The Change Current Destination Folder page opens.

b) Select a folder from the Look in: field.
c) Click OK.

Step Result:

The Change Current Destination Folder closes, and the Destination Folder page changes
to reflect the new location.

- 25 -

PGP Endpoint

Click Next.

8.

Step Result:

Figure 5: Ready to Install the Program Dialog

Click Install.

9.

A progress bar runs on the page, showing installation progress.

The Ready to Install the Program page opens.

Step Result:

Click Finish.

10.

Result:

PGP Endpoint setup runs the SQL installation scripts and creates the PGP Endpoint database for the
SQL Server database instance that you specified.

The Completed page opens.

Generating a Key Pair

The Administration Server uses a symmetric encryption system to communicate with a client, using a public­private key pair that you generate during installation.

The Administration Server and PGP Endpoint clients contain a embedded default public and private key pair that
should only be used with an evaluation license. PGP provides a Key Pair Generator utility, which generates a
key pair for fully licensed application installations. The key pair ensures the integrity for communication between
the Administration Server and clients.

- 26 -

Installing PGP Endpoint Components

When an Administration Server cannot find a valid key pair at startup, the event is logged and PGP Endpoint
uses the default key pair.

Caution: When you are using Device Control, do not change the key pair:

• For media encrypted before exchanging a key pair, which will result in disabling password recovery for the
previously encrypted media.

• During a PGP Endpoint upgrade installation which will result in the loss of access to media previously
encrypted centrally and subsequent loss of data.

• During a PGP Endpoint upgrade installation when client hardening is enabled, which will cause PGP
Endpoint Application Control and PGP Endpoint Device Control installations to fail.

From the location where you saved the PGP Endpoint application software, run the server\keygen

1.

\keygen.exe file.

Step Result:

Figure 6: Key Pair Generator Dialog

In the Directory field, enter the name of the temporary directory where you will save the key pair.

2.
In the Seed field, type a random alphanumeric text string.

3.

The Key Pair Generator dialog opens.

This text is used to initiate the random number generator; the longer the text string the more secure the key
pair.

Click Create keys.

4.

Step Result:

The Key Pair Generator confirmation dialog opens.

Figure 7: Key Pair Generator Dialog

- 27 -

PGP Endpoint

Click OK.

5.

Step Result:

Click Exit.

6.

Result:
After Completing This Task:

Distribute the key pair by copying sx-private.key and sx-public.key files to the \\%windir%

\system 32 directory on the computer(s) where you are installing the Administration Server. At startup, the

Administration Server searches all drive locations for a valid key pair, stopping at the first valid key pair.

The keys are saved as sx-private.key and sx-public.key files in the directory you specified.

You return to the Key Pair Generator dialog.

Installing the Administration Server

The Administration Server processes PGP Endpoint client activities and is the only application component that
connects to the database. One or more Administration Servers communicate device and application control
information between the PGP Endpoint database and PGP Endpoint client(s).

Prerequisites:

Before you can successfully install the Administration Server, you must:

• Verify that a valid PGP Endpoint license file is listed in the \Windows\System32 or \\Windows

\SysWOW64 folder, and is name file to Endpoint.lic.

• Verify that you satisfy the minimum hardware and software system requirements.

Restriction: If you are installing the PGP Endpoint Application Control Terminal Services Edition, you

must install the Administration Server on a computer separate from the Citrix® Metaframe® Presentation
Server.

• When using TLS protocol confirm TCP ports 33115 and 65229 are open. When not using TLS protocol open
TCP port 65129. Depending upon how firewalls are setup in your environment, these ports may be closed.

• Configure the TCP/IP protocol to use a fixed IP address for the computer that runs the Administration Server.

• Configure the Administration Server host computer to perform fully qualified domain name (FQDN)
resolution for the PGP Endpoint clients that the server manages.

• Ensure that the Administration Server host computer account is configured to read domain information
using the Microsoft® Windows® Security Account Manager. See Security Account Manager (SAM) ( http://

technet.microsoft.com/en-us/library/cc756748.aspx ) for additional information about the Microsoft Windows

Security Account Manager.

• Synchronize the Administration Server's system clock with the PGP Endpoint database server's system clock
using the Microsoft Windows time service. See Time Service ( http://support.microsoft.com/kb/816042 ) for
details about using the Microsoft Windows time service.

Log in with administrative user access to the computer where you are installing the Administration Server.

1.

Important: For Active Directory environments, log in using the dedicated Administration Server domain

user rights service account. The Administration Server installation process configures the Administration
Server service account for access to the database.

- 28 -

Installing PGP Endpoint Components

Close all programs running on the computer.

2.

From the location where you saved the PGP Endpoint application software, run \server\sxs\setup.exe.

3.
Click OK.

4.

Step Result:

Click Next.

5.

The Installation Wizard Welcome page opens.

Step Result:

Figure 8: License Agreement Page

Review the license agreement and, if you agree, select I accept the terms in the license agreement.

6.
Click Next.

7.

Step Result:

The License Agreement page opens.

The Setup dialog opens when the setup process detects an operating system that is subject to
security changes concerning Remote Procedure Calls (RPC).

Figure 9: Setup Dialog

- 29 -

PGP Endpoint

Click Yes.

8.

Step Result:

Figure 10: The Setup Dialog

Click OK.

9.

Step Result:

A confirmation dialog opens after the registry value is reset.

The Destination Folder page opens.

Figure 11: Destination Folder Page

- 30 -