PGP Endpoint - 4.4 SR5 Setup Guide

Setup Guide
PGP Endpoint 4.4 SR5
PGP Endpoint
- 2 -
Notices
Version Information
PGP Endpoint Setup Guide - PGP Endpoint Version 4.4SR5 - Released: September 2010
Document Number: 02_102P_4.4SR5_102711504
Copyright© 1991-2010 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.
Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third­party software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support (http://www.pgp.com/support). PGP Corporation may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents.
Acknowledgements
This product includes or may include:
• The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation, developed by zlib (http://www.zlib.net). • Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted under the MIT License found at http:// www.opensource.org/licenses/mit-license.html. Copyright © 2007 by the Open Source Initiative. • bzip2 1.0, a freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005. • Application server (http:// jakarta.apache.org/), web server (http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/ license.html) and log4j, a Java-based library used to parse HTML, developed by the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt. • Castor, an open-source, databinding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html. • Xalan, an open­source software library from the Apache Software Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software License, version 1.1, available
- 3 -
PGP Endpoint
at http://xml.apache.org/xalan-j/#license1.1. • Apache Axis is an implementation of the SOAP (“Simple Object Access Protocol”) used for communications between various PGP products is provided under the Apache license found at http://www.apache.org/licenses/LICENSE-2.0.txt. • mx4j, an open-source implementation of the Java Management Extensions (JMX), is released under an Apache-style license, available at http://mx4j.sourceforge.net/ docs/ch01s06.html. • jpeglib version 6a is based in part on the work of the Independent JPEG Group. (http:// www.ijg.org/) • libxslt the XSLT C library developed for the GNOME project and used for XML transformations is distributed under the MIT License http://www.opensource.org/licenses/mit-license.html. • PCRE version 4.5 Perl regular expression compiler, copyrighted and distributed by University of Cambridge. ©1997-2006. The license agreement is at http://www.pcre.org/license.txt. • BIND Balanced Binary Tree Library and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org)
• Free BSD implementation of daemon developed by The FreeBSD Project, © 1994-2006. • Simple Network Management Protocol Library developed and copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001- 2003, Cambridge Broadband Ltd.© 2001- 2003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, © 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/ license.html. • NTP version 4.2 developed by Network Time Protocol and copyrighted to various contributors.
• Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html.
• Secure shell OpenSSH version 4.2.1 developed by OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at http://www.openbsd.org/cgibin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD.
• PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released under the BSD license. • Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at http://www.opensource.org/licenses/ibmpl.php. • PostgreSQL, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence. • PostgreSQL JDBC driver, a free Java program used to connect to a PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a BSD-style license, available at http://jdbc.postgresql.org/license.html. • PostgreSQL Regular Expression Library, a free software object-relational database management system, is released under a BSD-style license, available at http:// www.postgresql.org/about/licence. • 21.vixie-cron is the Vixie version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission. • JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL) available at http://www.jacorb.org/lgpl.html. Copyright 2006 The JacORB Project. • TAO (The ACE ORB) is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/ ~schmidt/ACEcopying. html. • libcURL, a library for downloading files via common network services, is open source software provided under a MIT/X derivate license available at http://curl.haxx.se/docs/copyright.html. Copyright (c) 1996 - 2007, Daniel Stenberg. • libuuid, a library used to generate unique identifiers, is released under a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright (C) 1996, 1997 Theodore Ts’o. • libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at http://directory.fsf.org/libs/COPYING.DOC. Copyright
©
2000-2003 Free Software Foundation, Inc. • gSOAP, a development tool for Windows clients to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the GNU Public License, available at http://www.cs.fsu.edu/~engelen/soaplicense.html. • Windows Template Library (WRT) is used for developing user
©
- 4 -
interface components and is distributed under the Common Public License v1.0 found at http://opensource.org/ licenses/cpl1.0.php. • The Perl Kit provides several independent utilities used to automate a variety of maintenance functions and is provided under the Perl Artistic License, found at http://www.perl.com/pub/a/language/misc/ Artistic.html.
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.
Notices
- 5 -
PGP Endpoint
- 6 -

Table of Contents

Table of Contents
Preface: About This Document..................................................................................................................................9
Typographical Conventions..........................................................................................................................................................9
Getting Assistance........................................................................................................................................................................9
Chapter 1: Planning Your Installation................................................................................................................... 11
Recommended Security Rules................................................................................................................................................... 11
System Requirements.................................................................................................................................................................12
Minimum Hardware Requirements......................................................................................................................................13
Supported Operating Systems..............................................................................................................................................14
Supported Databases............................................................................................................................................................17
Other Software Requirements..............................................................................................................................................17
Recommended Configuration.............................................................................................................................................. 18
Client Supported Languages................................................................................................................................................18
Licensing PGP Endpoint Products.............................................................................................................................................19
Chapter 2: Installing PGP Endpoint Components................................................................................................ 21
Installation Overview................................................................................................................................................................. 22
Installation Checklist..................................................................................................................................................................22
Installing the Database...............................................................................................................................................................24
Generating a Key Pair................................................................................................................................................................26
Installing the Administration Server..........................................................................................................................................28
Installing the Management Server Console...............................................................................................................................37
Installing the Client....................................................................................................................................................................41
Chapter 3: Upgrading PGP Endpoint Components.............................................................................................. 49
Upgrade Overview......................................................................................................................................................................50
Upgrading the Database.............................................................................................................................................................51
Upgrading the Administration Server........................................................................................................................................54
Upgrading the Management Server Console.............................................................................................................................57
Upgrading the Client..................................................................................................................................................................58
Chapter 4: Installation Checklist.............................................................................................................................65
Installation Checklist..................................................................................................................................................................65
Chapter 5: Using PGP Endpoint Client Deployment............................................................................................67
- 7 -
PGP Endpoint
PGP Endpoint Client Deployment Window..............................................................................................................................68
Packages Panel.....................................................................................................................................................................68
Packages Menu.....................................................................................................................................................................69
Computers Panel.................................................................................................................................................................. 69
Computers Menu..................................................................................................................................................................70
Creating Deployment Packages................................................................................................................................................. 71
Adding Computers......................................................................................................................................................................74
Deploying Packages................................................................................................................................................................... 76
Querying Client Status...............................................................................................................................................................80
Appendix A: Configuring DCOM Settings for the Administration Server.........................................................83
Setting Up Distributed Component Object Model (DCOM)....................................................................................................83
Set Access Control List Security Permissions.......................................................................................................................... 86
Appendix B: Installing the Client for Windows XP Embedded...........................................................................89
Windows XPe Client Limitations..............................................................................................................................................89
Supported Devices......................................................................................................................................................................90
Installing the Client for Windows XPe.....................................................................................................................................91
- 8 -
Preface

About This Document

This Setup Guide is a resource written for all users of PGP Endpoint 4.4 SR5. This document defines the concepts and procedures for installing, configuring, implementing, and using PGP Endpoint 4.4 SR5.
Tip:
PGP documentation is updated on a regular basis. To acquire the latest version of this or any other published document, please refer to the PGP Support Portal Web Site (https://support.pgp.com).

Typographical Conventions

The following conventions are used throughout this documentation to help you identify various information types.
Table 1: Typographical Conventions
Convention Usage bold Buttons, menu items, window and screen objects.
bold italics
italics New terms, options, and variables.
MONOSPACE UPPERCASE Keyboard keys.
BOLD UPPERCASE SQL Commands.
monospace File names, path names, programs, executables, command syntax, and
Wizard names, window names, and page names.
property names.

Getting Assistance

Getting Product Information
Unless otherwise noted, the product documentation is provided as Adobe Acrobat PDF files that are installed with PGP Endpoint. Online help is available within the PGP Endpoint product. Release notes are also available, which may have last-minute information not found in the product documentation.
- 9 -
PGP Endpoint
Contacting Technical Support
To learn about PGP support options and how to contact PGP Technical Support, please visit the PGP Corporation Support Home Page (http://www.pgp.com/support).
To access the PGP Support Knowledge Base or request PGP Technical Support, please visit PGP Support Portal Web Site (https://support.pgp.com).
Note:
You may access portions of the PGP Support Knowledge Base without a support agreement; however, you must have a valid support agreement to request Technical Support.
For any other contacts at PGP Corporation, please visit the PGP Contacts Page (http://www.pgp.com/
company/contact/index.html).
For general information about PGP Corporation, please visit the PGP Web Site (http://www.pgp.com).
To access the PGP Support forums, please visit PGP Support (http://forums.pgpsupport.com). These are user community support forums hosted by PGP Corporation.
- 10 -
Chapter
1

Planning Your Installation

In this chapter:
Recommended Security Rules
System Requirements
Licensing PGP Endpoint Products
Planning for your software installation requires knowledge of the minimum system requirements necessary to support Application Control and Device Control coupled with recommendations for network security rules that can enhance the security state of your environment.
To assist in gathering the information required for a smooth installation, PGP recommends that you use the Installation Checklist on page 22.

Recommended Security Rules

PGP recommends that you define certain administrative security rules before installing PGP Endpoint. The recommended security settings are specific to Microsoft® Windows® and complement operation of PGP
Endpoint.
Table 2: Recommended Security Rules
Security Rule Description
Hard Disk Encryption Encrypts computer disk drives to prevent unauthorized user
access to the computer hard disk drive.
Password Protect the BIOS Prevents administrative user access when using a CMOS
reset jumper, in combination with password protection for the BIOS and seal/chassis intrusion protection.
Seal/Chassis Intrusion Protector Uses seal and/or chassis intrusion protection hardware to
prevent administrative user access using an external boot device to bypass workstation security software.
Administrative Rights Remove local users from the local Administrators group to
prevent unrestricted local user computer access.
Power Users Remove local users from the Power Users group to prevent
users from tampering or bypassing standard Windows security policies.
- 11 -
PGP Endpoint
Security Rule Description
Access Policy Restrict network and file access as much as possible,
including use restriction only to NTFS partitions.
NTFS Partition Use of NTFS partitioning is required for installation of PGP
Endpoint product solutions.
Recovery Console
Service Pack and Hot Fixes Always install the latest service packs and hot fixes for
Firewalls Use traditional perimeter-based security systems, like
Password Policies Maintain strong password security policies. Private and Public Key Generation Deploy PGP Endpoint product solutions using secure public
Password protect user access to the Recovery Console, which is available for the Windows DVD/CD-ROM or MSDN subscription.
the operating system supported by PGP Endpoint product solutions.
firewalls, to complement PGP Endpoint product solutions.
and private key pairs.

System Requirements

The following sections describe the minimum system requirements necessary for successful installation of PGP Endpoint and the languages supported by the client.
The listed specifications are a minimum; larger network environments, may require additional hardware and software resources. The system requirements for PGP Endpoint are listed in the following topics.
- 12 -
Planning Your Installation

Minimum Hardware Requirements

The minimum PGP Endpoint hardware requirements depend upon your service network environment, including the type of database supported, the number of Administration Servers you need to support a distributed network, and the number of subscribed clients.
The hardware requirements for PGP Endpoint vary depending upon the number of servers and clients you manage. The following minimum hardware requirements will support up to:
200 connected PGP Endpoint clients for PGP Endpoint Device Control
50 connected PGP Endpoint clients for PGP Endpoint Application Control
Table 3: Minimum Hardware Requirements
PGP Endpoint Component Requirement
Database
Administration Server
Management Server Console
Client
1 GB (4 GB recommended) memory
Pentium® Dual-Core CPU processor or AMD equivalent
3 GB minimum hard disk drive
100 MBits/s NIC
512 MB (1 GB recommended) memory
Pentium® Dual-Core CPU or AMD equivalent
3 GB minimum hard disk drive
100 MBits/s NIC
512 MB (1 GB recommended) memory
15 MB hard disk drive for installation, and 150 MB additional for application files
1024 by 768 pixels for display
256 MB (1 GB recommended) memory
10 MB hard disk drive for installation, and several additional GB for full shadowing feature of PGP Endpoint Device Control
100 MBits/s NIC
- 13 -
PGP Endpoint

Supported Operating Systems

PGP Endpoint supports multiple Microsoft Windows operations systems for the Administration Server, Management Server Console, database, and client.
The operating system requirements for PGP Endpoint components are outlined as follows.
Table 4: Operating System Requirements
PGP Endpoint Component Requirement
Database One of the following:
Microsoft Windows ® XP Professional Service Pack 2 or higher (SP2+) (32-bit)
Windows XP Service Pack 2 (SP2) (64-bit)
Microsoft Windows Server 2003, Standard Edition with Service Pack 2 (SP2) or later (32-bit)
Microsoft Windows Server 2003, Enterprise Edition with SP2 or later (32-bit)
Microsoft Windows Server 2008, Standard Edition with SP2 or later (32-bit and 64-bit)
Microsoft Windows Server 2008, Enterprise Edition with SP2 or later (32-bit and 64-bit)
Microsoft Windows Server 2008 R2 (64 bit only)
Administration Server One of the following:
Windows Server 2003, Standard Edition with SP2 or later (32­bit)
Windows Server 2003, Enterprise Edition with SP2 or later (32­bit)
Windows Server 2008, Standard Edition with SP2 or later (32­bit and 64-bit)
Windows Server 2008, Enterprise Edition with SP2 or later (32­bit and 64-bit)
Windows Server 2008 R2 (64 bit only)
- 14 -
PGP Endpoint Component Requirement
Management Server Console One of the following:
Windows XP Professional SP2+ (32-bit)
Windows Server 2003, Standard Edition with SP2 or later (32­bit)
Windows Server 2003, Enterprise Edition with SP2 or later (32­bit)
Windows Server 2008, Standard Edition with SP2 or later (32­bit and 64-bit)
Windows Server 2008, Enterprise Edition with SP2 or later (32­bit and 64-bit)
Windows Server 2008 R2 (64 bit only)
Microsoft Windows Vista™ SP1+ (32- and 64-bit)
Microsoft Windows 7 (32- and 64-bit)
Planning Your Installation
- 15 -
PGP Endpoint
PGP Endpoint Component Requirement
Client One of the following:
Microsoft Windows® Server 2000 Service Pack 4 or higher (SP4+) (32-bit)
Microsoft Windows 2000 Professional SP4+ (32-bit)
Microsoft Windows XP Professional Service Pack 2 or higher (SP2+) (32- and 64-bit)
Windows Server 2003, Standard Edition with SP2 or later (32­bit)
Windows Server 2003, Enterprise Edition with SP2 or later (32­bit)
Windows Server 2008, Standard Edition with SP2 or later (32­bit and 64-bit)
Windows Server 2008, Enterprise Edition with SP2 or later (32­bit and 64-bit)
Windows Server 2008 R2 (64 bit only)
Windows Vista SP1+ (32- and 64-bit)
Windows 7 (32- and 64-bit)
Microsoft Windows XP Embedded (XPe) Service Pack 2 (SP2) (32-bit)
Microsoft Windows Embedded Point of Service (WEPOS) (32­bit)
Microsoft Windows XP Tablet PC Edition (32-bit)
Citrix Access Gateway™ 4.5
Citrix Presentation Server™ 4.0 for Windows Server 2003 SP1/ SR2+ (32-bit)
Citrix Presentation Server 4.5 for Windows Server 2003 SP1/ SR2+ (32- and 64-bit)
- 16 -
Planning Your Installation

Supported Databases

PGP Endpoint supports multiple releases of Microsoft® SQL Server®. You should choose the database instance required by your network operating environment and the number of Administration Servers and subscribed clients the application must support.
The database requirements for PGP Endpoint components are outlined as follows.
Table 5: Database Requirements
PGP Endpoint Component Requirement
Database One of the following:
Microsoft SQL Server® 2005 Service Pack 2 or higher (SP2+) (32-bit and 64-bit)
Microsoft SQL Server 2005 Express Edition SP2+ (32-bit and 64-bit)
Microsoft SQL Server 2008
Microsoft SQL Server 2008 Express Edition

Other Software Requirements

PGP Endpoint requires the following additional software. Additional software requirements for PGP Endpoint components are outlined as follows.
Table 6: Other Software Requirements
PGP Endpoint Component Requirement
Database No additional software requirements. Administration Server If you will be encrypting Windows user accounts for centralized
Device Control encryption, you will need to install an enterprise level Certificate Authority. See Microsoft Certificate Authority (http://
technet.microsoft.com/en-us/library/cc756120.aspx) for additional
information about certificates.
Attention: Certificate authority installation applies to Device Control
only for centralized encryption capability. A Certificate Authority is required to use secure communications
between clients and servers, and intra-server communications.
Attention: Certificate authority installation applies to both Device
Control and Application Control for secure server communications.
Management Server Console Microsoft Visual C++ 2008 Redistributable Package. Client No additional software requirements.
- 17 -
PGP Endpoint

Recommended Configuration

To maximize PGP Endpoint for operation in a Microsoft Windows environment, you should configure your network environment database and client components using the following suggested configurations.
The recommended configurations for PGP Endpoint components are outlined as follows. These settings represent the usual default settings, but should be confirmed before beginning PGP Endpoint installation.
Table 7: Recommended Configuration
PGP Endpoint Component Requirement
Database
Administration Server None recommended. Management Server Console None recommended. Client
Change the Windows Event Viewer settings to 1024 KB and
choose to overwrite events as necessary.
Change Windows Performance settings to prioritize for background
applications.
If you are using Active Directory, configure a corresponding Domain Name System (DNS) server as Active Directory (AD) integrated and create a reverse lookup zone, to provide for name resolution within the Management Server Console.
Configure NIC to receive IP from DHCP service.
Change the Windows Event Viewer settings to 1024 KB and choose to overwrite events as necessary.

Client Supported Languages

The PGP Endpoint client supports multiple languages in text format. The PGP Endpoint client is supported in the following languages:
English
French
Italian
German
Spanish
Japanese
Simplified Chinese
Traditional Chinese
Russian
Dutch
Portuguese
Swedish
- 18 -
Planning Your Installation

Licensing PGP Endpoint Products

The following types of licenses are available for PGP Endpoint product solutions:
An Evaluation License provides you with a fully functioning PGP Endpoint product solution for a limited time.
A Perpetual License provides full capacity for an unlimited period.
A Subscription License provides full capacity for the time period specified by the terms of your license.
- 19 -
PGP Endpoint
- 20 -
Chapter
2

Installing PGP Endpoint Components

In this chapter:
Installation Overview
Installation Checklist
Installing the Database
Generating a Key Pair
Installing the Administration Server
Installing the Management Server
Console
Installing the Client
PGP Endpoint component installation requires that you follow a series of interdependent tasks in a prescribed order. Before you begin, you must have a valid license key for each software application(s) that your are installing.
Successful installation of PGP Endpoint requires you to install components in the following order:
Install the database.
1.
Generate and save a public and private key pair. This action is not
2.
required, however, PGP strongly recommends the use of a public­private key pair to provide the highest level of security.
Install the Administration Server(s).
3.
Install the Management Server Console.
4.
Install and deploy the client.
5.
- 21 -
PGP Endpoint

Installation Overview

PGP Endpoint component installation requires that you follow a series of interdependent tasks in a prescribed order. Before you begin, you must have a valid license key for each software application(s) that your are installing.
Use the following process to identify tasks for installing components installing PGP Endpoint, for your convenience this process refers to the Installation Checklist on page 22.
Figure 1: PGP Endpoint Product Solution Installation Process Flow

Installation Checklist

The installation checklist outlines the detailed tasks that you must perform when installing the PGP Endpoint solutions.
This checklist guides you through the installation process. To begin your installation:
- 22 -
Installing PGP Endpoint Components
Copy the PGP Endpoint license file to the \\Windows\System32 or \\Windows\SysWOW64 folder, and
1.
rename the file to Endpoint.lic. The license file may be installed after installing the database, however, the license file must installed before installing the Administration Server.
Download the PGP Endpoint application software from the https://lems.pgp.com/account/login
2.
Create a device, media, or software application inventory which lists the items that you want PGP Endpoint
3.
to control. Document company policy that defines:
4.
Device permissions.
Shadowing requirements.
Device encryption requirements.
PGP Endpoint administrators and their roles.
Global domain groups for PGP Endpoint administrators. Plan your PGP Endpoint network architecture, based on capacity requirements, that list the Administration
5.
Server host names and IP addresses. Create a dedicated Administration Server domain user rights service account and set the following:
6.
User cannot change password.
Password never expires. The domain account must have local administration rights when you plan to use the TLS communication
protocol for client- Administration Server and inter- Administration Server data transfers. Create Impersonate a client after authentication user rights for the Administration Server. See Impersonate
7.
a Client After Authentication ( http://support.microsoft.com/kb/821546 ) for additional information about
impersonating a client after authentication user rights. Verify that the Administration Server domain account has Log on as a service user rights. See Add the Log
8.
on as a service right to an account ( http://technet.microsoft.com/en-us/library/cc739424(WS.10).aspx ) for
additional information about logging on as a service user rights. Install Microsoft® Internet Information Services on the same computer as the certification authority,
9.
otherwise the enterprise root certificate cannot be generated. See Internet Information Services (IIS) ( http://
www.iis.net ) for additional information about installing Internet Information Services.
Install a Microsoft enterprise root certification authority to enable removable device encryption for
10.
PGP Endpoint Device Control. See Install a Microsoft enterprise root certification authority ( http://
technet.microsoft.com/en-us/library/cc776709.aspx ) for additional information about installing an enterprise
root certificate. Install a Microsoft SQL Server® . See Getting Started with SQL Server ( http://msdn.microsoft.com/en-us/
11.
sqlserver/default.aspx ) for additional information about installing a SQL server.
Complete Installing the Database on page 24.
12.
To install multiple Administration Server s, create a shared file directory on a file server to share the Datafile
13.
directory component. This action is only required if you will be using more than one Administration Server. Complete Generating a Key Pair on page 26. This action is recommended, but not required.
14.
Complete Installing the Administration Server on page 28.
15.
Important: The Administration Server service account must have database owner (DBO) rights to the PGP
Endpoint database.
- 23 -
PGP Endpoint
Complete Installing the Management Server Console on page 37.
16.
Complete Installing the Client on page 41.
17.
Test your PGP Endpoint product solution installation for functionality.
18.

Installing the Database

The PGP Endpoint database is the first component that you install. The database serves as the central repository for device permissions rules and executable file authorizations.
Prerequisites:
Before you can successfully install the PGP Endpoint database, you must:
Verify that you satisfy the minimum hardware and software system requirements.
If you will be using a database cluster, you must specify an alternate TDS port during SQL server setup. See Creating a Server Alias for Use by a Client (SQL Server Configuration Manager) (http://
msdn.microsoft.com/en-us/library/ms190445.aspx) for additional information about creating a server alias.
You can install the PGP Endpoint database on a server cluster, where there are at least two servers in the cluster running SQL Server. For additional information regarding database clustering, see Microsoft Cluster
Service (MSCS) Installation Resources (http://support.microsoft.com/kb/259267).
Log in to a computer as an administrative user with access to a Microsoft® SQL Server®.
1.
Close all programs running on the computer.
2.
From the location where you saved the PGP Endpoint application software, run the \server\db
3.
\setup.exe file.
Step Result:
Click Next.
4.
Step Result:
Figure 2: License Agreement Page
Review the license agreement and, if you agree, select I accept the terms in the license agreement.
5.
The Installation Wizard Welcome page opens.
The License Agreement page opens.
- 24 -
Installing PGP Endpoint Components
Click Next.
6.
Step Result:
Figure 3: Destination Folder Page
You may choose an installation destination folder other than the default folder C:\Program Files\PGP
7.
Corporation\PGP Endpoint.
The Destination Folder page opens.
a) Click Change
Step Result:
Figure 4: Change Current Destination Folder Page
The Change Current Destination Folder page opens.
b) Select a folder from the Look in: field. c) Click OK.
Step Result:
The Change Current Destination Folder closes, and the Destination Folder page changes to reflect the new location.
- 25 -
PGP Endpoint
Click Next.
8.
Step Result:
Figure 5: Ready to Install the Program Dialog
Click Install.
9.
A progress bar runs on the page, showing installation progress.
The Ready to Install the Program page opens.
Step Result:
Click Finish.
10.
Result:
PGP Endpoint setup runs the SQL installation scripts and creates the PGP Endpoint database for the SQL Server database instance that you specified.
The Completed page opens.

Generating a Key Pair

The Administration Server uses a symmetric encryption system to communicate with a client, using a public­private key pair that you generate during installation.
The Administration Server and PGP Endpoint clients contain a embedded default public and private key pair that should only be used with an evaluation license. PGP provides a Key Pair Generator utility, which generates a key pair for fully licensed application installations. The key pair ensures the integrity for communication between the Administration Server and clients.
- 26 -
Installing PGP Endpoint Components
When an Administration Server cannot find a valid key pair at startup, the event is logged and PGP Endpoint uses the default key pair.
Caution: When you are using Device Control, do not change the key pair:
For media encrypted before exchanging a key pair, which will result in disabling password recovery for the previously encrypted media.
During a PGP Endpoint upgrade installation which will result in the loss of access to media previously encrypted centrally and subsequent loss of data.
During a PGP Endpoint upgrade installation when client hardening is enabled, which will cause PGP Endpoint Application Control and PGP Endpoint Device Control installations to fail.
From the location where you saved the PGP Endpoint application software, run the server\keygen
1.
\keygen.exe file.
Step Result:
Figure 6: Key Pair Generator Dialog
In the Directory field, enter the name of the temporary directory where you will save the key pair.
2. In the Seed field, type a random alphanumeric text string.
3.
The Key Pair Generator dialog opens.
This text is used to initiate the random number generator; the longer the text string the more secure the key pair.
Click Create keys.
4.
Step Result:
The Key Pair Generator confirmation dialog opens.
Figure 7: Key Pair Generator Dialog
- 27 -
PGP Endpoint
Click OK.
5.
Step Result:
Click Exit.
6.
Result: After Completing This Task:
Distribute the key pair by copying sx-private.key and sx-public.key files to the \\%windir%
\system 32 directory on the computer(s) where you are installing the Administration Server. At startup, the
Administration Server searches all drive locations for a valid key pair, stopping at the first valid key pair.
The keys are saved as sx-private.key and sx-public.key files in the directory you specified.
You return to the Key Pair Generator dialog.

Installing the Administration Server

The Administration Server processes PGP Endpoint client activities and is the only application component that connects to the database. One or more Administration Servers communicate device and application control information between the PGP Endpoint database and PGP Endpoint client(s).
Prerequisites:
Before you can successfully install the Administration Server, you must:
Verify that a valid PGP Endpoint license file is listed in the \Windows\System32 or \\Windows
\SysWOW64 folder, and is name file to Endpoint.lic.
Verify that you satisfy the minimum hardware and software system requirements.
Restriction: If you are installing the PGP Endpoint Application Control Terminal Services Edition, you
must install the Administration Server on a computer separate from the Citrix® Metaframe® Presentation Server.
When using TLS protocol confirm TCP ports 33115 and 65229 are open. When not using TLS protocol open TCP port 65129. Depending upon how firewalls are setup in your environment, these ports may be closed.
Configure the TCP/IP protocol to use a fixed IP address for the computer that runs the Administration Server.
Configure the Administration Server host computer to perform fully qualified domain name (FQDN) resolution for the PGP Endpoint clients that the server manages.
Ensure that the Administration Server host computer account is configured to read domain information using the Microsoft® Windows® Security Account Manager. See Security Account Manager (SAM) ( http://
technet.microsoft.com/en-us/library/cc756748.aspx ) for additional information about the Microsoft Windows
Security Account Manager.
Synchronize the Administration Server's system clock with the PGP Endpoint database server's system clock using the Microsoft Windows time service. See Time Service ( http://support.microsoft.com/kb/816042 ) for details about using the Microsoft Windows time service.
Log in with administrative user access to the computer where you are installing the Administration Server.
1.
Important: For Active Directory environments, log in using the dedicated Administration Server domain
user rights service account. The Administration Server installation process configures the Administration Server service account for access to the database.
- 28 -
Installing PGP Endpoint Components
Close all programs running on the computer.
2.
From the location where you saved the PGP Endpoint application software, run \server\sxs\setup.exe.
3. Click OK.
4.
Step Result:
Click Next.
5.
The Installation Wizard Welcome page opens.
Step Result:
Figure 8: License Agreement Page
Review the license agreement and, if you agree, select I accept the terms in the license agreement.
6. Click Next.
7.
Step Result:
The License Agreement page opens.
The Setup dialog opens when the setup process detects an operating system that is subject to security changes concerning Remote Procedure Calls (RPC).
Figure 9: Setup Dialog
- 29 -
PGP Endpoint
Click Yes.
8.
Step Result:
Figure 10: The Setup Dialog
Click OK.
9.
Step Result:
A confirmation dialog opens after the registry value is reset.
The Destination Folder page opens.
Figure 11: Destination Folder Page
- 30 -
Loading...
+ 70 hidden pages