PGP Universal Server - 2.6 Administrator’s Guide
PGP® Universal Server
Administrator’s Guide
Version Information
PGP Universal Server Administrator’s Guide. PGP Universal Server
2007.
(TM)
and PGP Universal Satellite version 2.6.3. Released August
Copyright Information
Copyright © 1991– 2007 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted
in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP
Corporation.
Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks and Rest Secured is a trademark of PGP Corporation in
the US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of
Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red
Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus
Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark
of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company.
SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or
registered trademarks of Apple Computer, Inc. Symantec, the Symantec logo, and LiveUpdate are registered trademarks of
Symantec Corporation. All other registered and unregistered trademarks in this document are the sole property of their
respective owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST
encryption algorithm is licensed from Northern Telecom, Ltd. PGP Corporation has secured a license to the patent rights
contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block
Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party
software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a
whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP
Universal Server, contact PGP Support (http://www.pgp.com/support). PGP Corporation may have patents and/or pending
patent applications covering subject matter in this software or its documentation; the furnishing of this software or
documentation does not give you any license to these patents.
Acknowledgments
This product includes or may include:
• The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gaill, is used with permission from the free
Info-ZIP implementation, developed by zlib (http://www.zlib.net). • Libxml2, the XML C parser and toolkit developed for the
Gnome project and distributed and copyrighted under the MIT License found at
http://www.opensource.org/licenses/mit-license.html. Copyright © 2007 by the Open Source Initiative. • bzip2 1.0, a freely
available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005. • Application server
(http://www.jakarta.apache.org/), web server (http://www.apache.org/), Jakarta Commons
(http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML, developed by the Apache
Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt. • Castor, an open-source, data-binding
framework for moving data from XML to Java programming language objects and from Java to databases, is released by the
ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html. • Xalan, an open-source
software library from the Apache Software Foundation that implements the XSLT XML transformation language and the XPath
XML query language, is released under the Apache Software License, version 1.1, available at
http://xml.apache.org/xalan-j/#license1.1. • mx4j, an open-source implementation of the Java Management Extensions (JMX),
is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html. • jpeglib version 6a is
based in part on the work of the Independent JPEG Group. (http://www.ijg.org/) • libxslt the XSLT C library developed for the
GNOME project and distributed under the MIT License http://www.opensource.org/licenses/mit-license.html. • PCRE version
4.5 Perl regular expression compiler, copyrighted and distributed by University of Cambridge. ©1997-2006. The license
agreement is at http://www.pcre.org/license.txt. • BIND Balanced Binary Tree Library and Domain Name System (DNS)
protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org) • Free BSD implementation of
daemon developed by The FreeBSD Project, © 1994-2006. • Simple Network Management Protocol Library developed and
copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001- 2003,
Cambridge Broadband Ltd. © 2001- 2003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and
Information Network Center of Beijing University of Posts and Telecommunications, © 2004. The license agreement for these
is at http://net-snmp.sourceforge.net/about/license.html. • NTP version 4.2 developed by Network Time Protocol and
copyrighted to various contributors. • Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP
Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright ©
1999-2003, The OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html.
• Secure shell OpenSSH version 4.2.1 developed by OpenBSD project is released by the OpenBSD Project under a BSD-style
license, available at http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. • PC/SC Lite is a free
implementation of PC/SC, a specification for SmartCard integration is released under the BSD license. • Postfix, an open
source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at
http://www.opensource.org/licenses/ibmpl.php. • PostgreSQ, a free software object-relational database management system,
is released under a BSD-style license, available at http://www.postgresql.org/about/licence. • 21.vixie-cron is the Vixie version
of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used
by permission.
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from
time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and
re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User
License Agreement provided with the software. The information in this document is subject to change without notice. PGP
Corporation does not warrant that the information meets your requirements or that the information is free of errors. The
information may include technical inaccuracies or typographical errors. Changes may be made to the information and
incorporated in new editions of this document, if and when made available by PGP Corporation.
Contents
An Overview of the PGP Universal Server
1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
What is PGP Universal Server? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
PGP Universal Server Product Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Who Should Read This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Improvements in This Version of PGP Universal Server . . . . . . . . . . . . . . . . 2
Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Getting Assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2 The Big Picture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Important Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Deploying your Server
3 Adding the PGP Universal Server to Your Network . . . . . . . . . . . . . 16
Server Placement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Using a Mail Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Microsoft Exchange Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Lotus Domino Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
4 Open Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
TCP Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
UDP Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
5 Naming your PGP Universal Server . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Installing the PGP Universal Server Software
6 Installing the PGP Universal Server . . . . . . . . . . . . . . . . . . . . . . . . . . 39
About the Installation Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Installation Materials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
iv
PGP Universal Administrator’s Guide Contents
Installation Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Standard Installation Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
PGP Installation Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
7 Setting Up the PGP Universal Server . . . . . . . . . . . . . . . . . . . . . . . . . 43
About the Setup Assistant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Preparing for Setup after pgp Install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Initial Configuration with Setup Assistant . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Primary or Secondary Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Restoring From a Server Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Migrating the Keys from a PGP Keyserver. . . . . . . . . . . . . . . . . . . . . . . . . . 61
8 Understanding the Administrative Interface . . . . . . . . . . . . . . . . . . . 63
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Logging In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Logging In For the First Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Administrative Interface Map. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
9 Licensing Your Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
License Changes for PGP Universal Server 2.5 and Later . . . . . . . . . . . . . . 74
Manual and Automatic Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Licensing a PGP Universal Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Licensing the AntiVirus Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Licensing the File Blocking Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Licensing the Mail Proxy Feature. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
10 Operating in Learn Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Purpose of Learn Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Checking the Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Managing Learn Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Organization Information
11 Managed Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Working with Managed Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
12 Managing Organization Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
v
PGP Universal Administrator’s Guide Contents
Organization Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Organization Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Additional Decryption Key (ADK) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Verified Directory Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
13 Managing Trusted Keys and Certificates . . . . . . . . . . . . . . . . . . . . . . 98
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Adding a Trusted Key or Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Inspecting and Changing Trusted Key Properties . . . . . . . . . . . . . . . . . . . 101
Deleting Trusted Keys and Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Searching for Trusted Keys and Certificates . . . . . . . . . . . . . . . . . . . . . . . 102
14 Recovering Encrypted Data in an Enterprise Environment . . . . . . 104
Using Key Reconstruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Recovering Encryption Key Material without Key Reconstruction. . . . . . . 105
Using an Additional Decryption Key for Data Recovery . . . . . . . . . . . . . . . 107
Managing Mail Processing
15 Setting Mail Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Migrating Settings from Version 2.0.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Understanding the Pre-Installed Policy Chains. . . . . . . . . . . . . . . . . . . . . . 113
Mail Policy Outside the Mailflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Building Valid Chains and Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Using the Rule Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Managing Policy Chains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Managing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Adding Key Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Choosing Condition Statements, Conditions, and Actions. . . . . . . . . . . . . 127
Working with Common Access Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
16 Applying Key Not Found Settings to External Users . . . . . . . . . . . 139
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Changing Policy Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Changing User Delivery Method Preference . . . . . . . . . . . . . . . . . . . . . . . 144
17 Using Dictionaries with Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Default Dictionaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
User-Defined Dictionaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
vi
PGP Universal Administrator’s Guide Contents
Exporting a Dictionary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Searching the Dictionaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
18 Keyservers, SMTP Servers, and Mail Policy . . . . . . . . . . . . . . . . . . . 157
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Keyservers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
SMTP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
19 Managing Keys in the Key Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Changing Cached Key Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Searching the Key Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
20 Scanning Email for Viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
AntiVirus Scanning and Mail Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
The AntiVirus Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
AntiVirus Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Scanning Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
21 Blocking Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
File Blocking and Mail Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Adding a Filename to be Blocked . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
22 Configuring Mail Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
PGP Universal Server and Mail Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Changes in Proxy Settings from PGP Universal Server 2.0 to 2.5 and Later . .
183
Mail Proxies Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Creating New or Editing Existing Proxies. . . . . . . . . . . . . . . . . . . . . . . . . . 184
Mail Processing Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
23 Email in the Mail Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Deleting Messages from the Mail Queue . . . . . . . . . . . . . . . . . . . . . . . . . 195
24 Specifying Mail Routes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Managing Mail Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
25 Customizing System Message Templates . . . . . . . . . . . . . . . . . . . . 201
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Editing a Message Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
vii
PGP Universal Administrator’s Guide Contents
Managing Users
26 Setting Internal User Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Managing Internal User Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Downloading Client Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Directory Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Choosing a Key Mode For Key Management . . . . . . . . . . . . . . . . . . . . . . 217
X.509 Certificate Management in Lotus Notes Environments. . . . . . . . . . 221
27 Using Directory Synchronization to Manage Users . . . . . . . . . . . . 226
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Enabling Directory Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Excluding Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Including Only Some Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Matching Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Base DN and Bind DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Understanding User Enrollment Methods . . . . . . . . . . . . . . . . . . . . . . . . . 234
Serving PGP Admin 8 Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
28 Configuring PGP Desktop Installations . . . . . . . . . . . . . . . . . . . . . . 240
PGP Desktop Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
PGP Whole Disk Encryption Administration. . . . . . . . . . . . . . . . . . . . . . . . 241
PGP Desktop Installer Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Creating PGP Desktop Installers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Configuring PGP Desktop Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
29 Setting External User Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Managing External User Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
30 Configuring PGP Universal Web Messenger . . . . . . . . . . . . . . . . . . 266
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Configuring the PGP Universal Web Messenger Service . . . . . . . . . . . . . 267
31 Configuring the PGP Verified Directory . . . . . . . . . . . . . . . . . . . . . . 272
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Enabling the PGP Verified Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Configuring the PGP Verified Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
32 Managing Internal User Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
viii
PGP Universal Administrator’s Guide Contents
Certificate Revocation Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Adding Internal Users Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Deleting Internal Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Approving Pending Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Searching for Internal Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Internal User Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Key Reconstruction Blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
33 Managing External User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Importing External Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Deleting External Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Searching for External Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
External User Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
34 Managing PGP Verified Directory User Accounts . . . . . . . . . . . . . . 298
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Importing Verified Directory Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
PGP Verified Directory User Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Deleting PGP Verified Directory Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Exporting PGP Verified Directory Users. . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Searching for PGP Verified Directory Users. . . . . . . . . . . . . . . . . . . . . . . . 303
35 Managing Administrator Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . 304
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Creating a New Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Importing SSH v2 Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Deleting Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Inspecting and Changing the Settings of an Administrator . . . . . . . . . . . . 308
Daily Status Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
36 PGP Universal Satellite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Technical Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Distributing the PGP Universal Satellite Software . . . . . . . . . . . . . . . . . . . 312
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Policy and Key or Certificate Retrieval . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
37 PGP Universal Satellite for Mac OS X. . . . . . . . . . . . . . . . . . . . . . . . 324
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
ix
PGP Universal Administrator’s Guide Contents
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Obtaining the Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
38 PGP Universal Satellite for Windows . . . . . . . . . . . . . . . . . . . . . . . . 338
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Obtaining the Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
MAPI Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Lotus Notes Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
39 Configuring the Integrated Keyserver . . . . . . . . . . . . . . . . . . . . . . . 354
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Configuring the Keyserver Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Managing Your PGP Universal Server
40 System Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
CPU Usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Message Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Recipient Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Recipient Domain Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
41 System Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Filtering the Log View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Searching the Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Exporting a Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Enabling External Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
42 Shutting Down and Restarting Services and Power. . . . . . . . . . . . 367
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
PGP Universal Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
x
PGP Universal Administrator’s Guide Contents
Shutting Down and Restarting the PGP Universal Server Software Services .
369
Shutting Down and Restarting the PGP Universal Server Hardware. . . . . 370
43 Configuring SNMP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Downloading the Custom MIB File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Configuring the SNMP Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
44 Setting Network Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Changing Interface Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Adding Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Deleting Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Editing Global Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Assigning a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Working with Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
45 Clustering your PGP Universal Servers . . . . . . . . . . . . . . . . . . . . . . 385
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Clustering and PGP Universal Web Messenger. . . . . . . . . . . . . . . . . . . . . 386
Cluster Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Creating Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Deleting Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Changing Network Settings in Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Managing Secondary Settings in Clusters . . . . . . . . . . . . . . . . . . . . . . . . . 389
46 Protecting PGP Universal Server with Ignition Keys . . . . . . . . . . . 391
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Preparing Hardware Tokens to be Ignition Keys . . . . . . . . . . . . . . . . . . . . 392
Configuring a Hardware Token Ignition Key. . . . . . . . . . . . . . . . . . . . . . . . 394
Configuring a Soft-Ignition Passphrase Ignition Key . . . . . . . . . . . . . . . . . 395
Deleting Ignition Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
47 Backing Up and Restoring System and User Data . . . . . . . . . . . . . 397
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Creating Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Configuring the Backup Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Restoring From a Backup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
48 Updating PGP Universal Server Software . . . . . . . . . . . . . . . . . . . . 405
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
xi
PGP Universal Administrator’s Guide Contents
Inspecting Update Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Establishing Software Update Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Checking for New Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Uploading Update Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Manually Installing an Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
49 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
xii
PGP Universal Administrator’s Guide Contents
xiii
SECTION 1
An Overview of the PGP
Universal Server
This section provides a high-level overview of the components, concepts, and terminology of the PGP Universal
Server. It also provides a high-level overview of the entire installation and setup process.
Chapter 1, “Introduction”
Chapter 2, “The Big Picture”
1
Introduction
This Administrator’s Guide describes both the PGP Universal Server and PGP Universal
Satellite. It tells you how to get them up and running on your network, how to configure
them, and how to maintain them. This section provides a high-level overview of PGP
Universal Server. Topics include:
“What is PGP Universal Server?”
“PGP Universal Server Product Family” on page 2
“Who Should Read This Guide” on page 2
“Improvements in This Version of PGP Universal Server” on page 2
“Symbols” on page 3
“Getting Assistance” on page 4
What is PGP Universal Server?
PGP Universal Server provides multiple encryption solutions managed from a single
console.
PGP Universal Server with PGP Universal Gateway Email gives you secure messaging: it
transparently protects your enterprise messages with little or no user interaction.
The PGP Universal Server also replaces the PGP Keyserver product with a built-in
keyserver, and the PGP Admin product with PGP Desktop configuration and deployment
capabilities.
It automatically creates and maintains a Self-Managing Security Architecture (SMSA) by
monitoring authenticated users and their email traffic. You can also send protected
messages to addresses that are not part of the SMSA. The PGP Universal Server
encrypts, decrypts, signs, and verifies messages automatically, providing strong security
through policies you control.
PGP Universal Satellite, a client-side feature of PGP Universal Server, extends PGP
security for email messages all the way to the computer of the email user, it allows
external users to become part of the SMSA, and it gives end users the option to create
and manage their keys on their own computer (if allowed by the PGP administrator).
1
PGP Universal Server Administrator’s Guide 1: Introduction
PGP Universal Server Product Family
PGP Universal Server functions as a management console for a variety of encryption
solutions. You can purchase any of the PGP Desktop applications or bundles and use PGP
Universal Server to create and manage client installations. You can also purchase a
license that enables PGP Gateway Email to encrypt email in the mailstream.
The PGP Universal Server can manage any combination of PGP encryption applications.
PGP encryption applications are:
PGP Universal Gateway Email provides automatic email encryption in the gateway,
based on centralized mail policy. This product requires administration by the PGP
Universal Server.
PGP Desktop Email provides encryption at the desktop level for mail, files, and AOL
Instant Messenger traffic. This product can be managed by the PGP Universal
Server.
PGP Whole Disk Encryption provides encryption at the desktop level for an entire
disk. This product can be managed by the PGP Universal Server.
PGP NetShare provides transparent file encryption and sharing among desktops.
This product can be managed by the PGP Universal Server.
Who Should Read This Guide
This Administrator’s Guide is for the person or persons who will be implementing and
maintaining your organization’s PGP Universal Server environment. These are the PGP
administrators.
This guide is also intended for anyone else who wants to learn about how PGP Universal
Server works.
Improvements in This Version of PGP Universal Server
This release of PGP Universal introduces the following new features:
“General” on page 3
“PGP Messaging” on page 3
“PGP Whole Disk Encryption” on page 3
“PGP Keys” on page 3
2
PGP Universal Server Administrator’s Guide 1: Introduction
General
Changes in this
release
Microsoft Internet Explorer 7 support. The PGP Universal Server administrative
interface now runs in Internet Explorer 7.
PGP Messaging
Changes in this
release
Benefits
Where to find
For more
information
PGP Verified Directory enhancements. You can now specify a “From” address that
will display on all PGP Verified Directory-initiated email messages.
The customized sender address prevents your PGP Universal Server’s hostname from
appearing in the “From” email line.
Services>Verified Directory screen.
See Chapter 31, “Configuring the PGP Verified Directory” for more information.
PGP Whole Disk Encryption
Changes in this
release
Benefits
PGP Whole Disk Encryption (WDE) Recovery Token encryption. Whole Disk
Recovery Tokens are now encrypted to the PGP Universal Server Ignition Key.
Improves user data security.
PGP Keys
Changes in this
release
Where to find
For more
information
Symbols
Key Reconstruction for Mac OS X. Key reconstruction is now available in PGP
Desktop for Mac OS X.
Policy>Internal User Policy screen.
See Chapter 28, “Configuring PGP Desktop Installations” and Chapter 32, “Managing
Internal User Accounts” for more information on key reconstruction.
Notes, Cautions, and Warnings are used in the following ways.
Notes are extra, but important, information. A Note calls your attention to important aspects
Caution
of the product. You will be able to use the product better if you read the Notes.
3
PGP Universal Server Administrator’s Guide 1: Introduction
Cautions indicate the possibility of loss of data or a minor security breach. A Caution tells you
Caution
about a situation where problems could occur unless precautions are taken. Pay attention to
Cautions.
Warnings indicate the possibility of significant data loss or a major security breach. A
Caution
Warning means serious problems will occur unless you take the appropriate action. Please
take Warnings very seriously.
Getting Assistance
Refer to these sections for additional resources.
Getting product information
The following documents and on-line help are companions to the PGP Universal
Administrator’s Guide. This guide occasionally refers to information that can be found in
one or more of the following sources:
PGP Universal Upgrade Guide—Describes the process of upgrading your PGP
PGP Universal Mail Policy Diagram—Provides a graphical representation of how
Tu t o r i a l s —Provides animated introductions on how to manage the mail policy
The administrative interface and PGP Universal Satellite for Windows and Mac OS X
PGP Universal and PGP Satellite release notes are also provided, which may have
Once PGP Universal is released, additional information regarding the product is added to
the online Knowledge Base available on PGP Corporation’s Support Portal at
www.pgpsupport.com.
Contact information
All PGP customers have access to the comprehensive set of tools and discussion forums
available on the PGP Support Portal.
Universal Server to version 2.6
email is processed through mail policy. You can access this document via the PGP
Universal Server online help.
feature in PGP Universal Server, and how upgraded PGP Universal Server settings
migrate into the new mail policy feature.
You can also access all the documentation and tutorials by clicking the online help
icon in the upper-right corner of the PGP Universal Server screen.
include online help.
last-minute information not found in the product documentation.
The PGP Support Portal provides access to tutorials, recent support briefs, the
Knowledge Base, and other valuable technical information.
You must have a valid support agreement to request Technical Support.
4
PGP Universal Server Administrator’s Guide 1: Introduction
Contacting Technical Support
To access the PGP Support Knowledge Base or request PGP Technical Support:
https://support.pgp.com. Note that you must have a valid support agreement to
request Technical Support.
To learn about PGP support options and how to contact PGP Technical Support:
http://www.pgp.com/support/
To access the PGP Universal section of the PGP Support forums: http://
forums.pgpsupport.com
For any other contacts at PGP, please visit the PGP Contacts Page: http://
www.pgp.com/company/contact/index.html.
For general information about PGP Corporation, please visit the PGP Web Site: http:/
/www.pgp.com.
5
PGP Universal Server Administrator’s Guide 1: Introduction
6
The Big Picture
2
This chapter describes some important terms and concepts and gives you a high-level
overview of the things you need to do to set up and maintain your PGP Universal Server
environment.
Topics include:
“Important Terms”
“Installation Overview” on page 11
Important Terms
PGP Products
PGP Universal Server: A device you add to your network that provides secure
messaging with little or no user interaction. The PGP Universal Server automatically
creates and maintains a security architecture by monitoring authenticated users and
their email traffic. You can also send protected messages to addresses that are not
part of the security architecture.
PGP Universal Satellite: The PGP Universal Satellite software resides on the
computer of the email user. It allows email to be encrypted end to end, all the way to
and from the desktop (for both internal and external users). Using PGP Universal
Satellite is one of the ways for external users to participate in the SMSA. It also
allows users the option of controlling their keys on their local machines (if allowed by
the PGP administrator).
PGP Universal Server Concepts
Security Architecture: Behind the scenes, the PGP Universal Server creates and
manages its own security architecture for the users whose email domain it is
securing. Because the security architecture is created and managed automatically,
we call this a self-managing security architecture (SMSA).
keys.<domain> convention: PGP Universal Server automatically looks for valid
public keys for email recipients at a special hostname, if no valid public key is found
locally to secure a message. This hostname is keys.<domain> (where <domain> is
the email domain of the recipient). For example, Example Corporation’s externally
visible PGP Universal Server is named keys.example.com.
PGP Corporation strongly recommends you name your externally visible PGP
Universal Server according to this convention because it allows other PGP Universal
Servers to easily find valid public keys for email recipients in your domain.
Refer to Appendix 5, “Naming your PGP Universal Server” for more information
about this convention.
7
PGP Universal Administrator’s Guide 2: The Big Picture
PGP Universal Server Features
Server Placement: A PGP Universal Server can be placed in one of two locations in
your network to process email.
With an internal placement, the PGP Universal Server logically sits between your
email users and your mail server. It encrypts and signs outgoing SMTP email and
decrypts and verifies incoming mail being picked up by email clients using POP or
IMAP. Email stored on your mail server is stored secured (encrypted).
With a gateway placement, the PGP Universal Server logically sits between your
mail server and the Internet. It encrypts and signs outgoing SMTP email and
decrypts and verifies incoming SMTP email. Email stored on your mail server is
stored unsecured.
Refer to Chapter 3, “Adding the PGP Universal Server to Your Network” and Chapter
22, “Configuring Mail Proxies” for more information about server placement.
Administrative Interface: Each PGP Universal Server is controlled via a Web-based
administrative interface. The administrative interface gives you control over the PGP
Universal Server’s operation. While many settings are initially established using the
web-based Setup Assistant, all settings of a PGP Universal Server can be controlled
via the administrative interface.
Setup Assistant: When you attempt to log in for the first time to the administrative
interface of a PGP Universal Server, the Setup Assistant takes you through the
configuration of that PGP Universal Server.
Learn Mode: When you finish configuring a PGP Universal Server using the Setup
Assistant, it begins operation in Learn Mode, which is a special mode where the PGP
Universal Server proxies traffic normally but does not encrypt or sign any messages.
Learn Mode gives the PGP Universal Server a chance to build its SMSA (creating
keys for authenticated users, for example) so that when the it goes live — that is,
when Learn Mode is turned off — the PGP Universal Server knows the environment
and can immediately begin securing messages. It’s also an excellent way for PGP
administrators to learn about the product.
You should check the logs of the PGP Universal Server while it is in Learn Mode to
see what it would be doing to email traffic if it were live on your network. You can
make changes to the PGP Universal Server’s policies while it is in Learn Mode until
things are working as expected.
Mail Policy: The PGP Universal Server processes email messages based on the
policies you establish. Mail policy applies to inbound and outbound email for both
PGP Universal Server traffic and email processed by PGP client software. Mail policy
consists of multiple policy chains, comprised of sequential mail processing rules.
Dictionary: Dictionaries are lists of terms to be matched. The dictionaries work with
mail policy to allow you to define content lists that can trigger rules.
Cluster: When you have two or more PGP Universal Servers in your network, you
configure them to synchronize with each other; this is called a “cluster.”
8
PGP Universal Administrator’s Guide 2: The Big Picture
In a cluster, one PGP Universal Server is designated Primary for the cluster; all other
PGP Universal Servers in the cluster are designated Secondary. The Secondary
servers synchronize their users, keys, managed domains, and policies with the
Primary.
Organization Key: The Setup Assistant automatically creates an Organization Key
(actually a keypair) when it configures a PGP Universal Server. The Organization Key
is used to sign all PGP user keys the PGP Universal Server creates and to encrypt
PGP Universal Server backups.
It is extremely important to back up your Organization Key: all of the keys the PGP Universal
Caution
Server creates are signed by the Organization Key, and all backups are encrypted to the
Organization Key. If you lose your Organization Key and have not backed it up, the signatures
on those keys will be meaningless and you will not be able to restore from backups
encrypted to the Organization Key.
If your organization has one PGP Universal Server, back up the Organization Key
from that PGP Universal Server; if you have multiple PGP Universal Servers in a
cluster, back up the Organization Key from the Primary server in the cluster, as this
Organization Key will be synchronized with the Secondary servers in the cluster.
Organization Certificate: Create or obtain an Organization Certificate to enable S/
MIME support by PGP Universal Server. The Organization Certificate signs all X.509
certificates the server creates.
Directory Synchronization: If you have an LDAP directory in your organization, your
PGP Universal Server can be synchronized with this directory. The PGP Universal
Server will automatically import user information from the directory when users send
and receive email; it will also create internal user accounts for them, including adding
and using X.509 certificates if they are contained in the LDAP directory.
Integrated Virus Scanning and File Blocking: Each PGP Universal Server in your
organization can be configured with integrated virus scanning from Symantec such
that messages and attachments can be scanned for viruses. You can also block
attachments based on filenames you specify.
Keyserver: Each PGP Universal Server includes an integrated keyserver populated
with the public keys of your internal users. When an external user sends a message
to an internal user, the external PGP Universal Server will go to the keyserver to find
the public key of the recipient to use to secure the message. The PGP administrator
can enable or disable the service, and control access to it via the administrative
interface.
PGP Verified Directory: The PGP Verified Directory supplements the internal
keyserver by letting internal and external users manage the publishing of their own
public keys. The PGP Verified Directory also serves as a replacement for the PGP
Keyserver product. The PGP Verified Directory uses next-generation keyserver
technology to ensure that the keys in the directory can be trusted.
Backup and Restore: Because full backups of the data stored on your PGP Universal
Server are critical in the case of a natural disaster or other unanticipated loss of data
or hardware, you can schedule automatic backups of your PGP Universal Server data
or manually perform a backup.
9
PGP Universal Administrator’s Guide 2: The Big Picture
Naturally, you can fully restore a PGP Universal Server from a backup. In the event of
a minor problem, you can restore the PGP Universal Server to any saved backup. In
the event that a PGP Universal Server is no longer usable, you can restore its data
from a backup onto a new PGP Universal Server during initial setup of the new PGP
Universal Server using the Setup Assistant. All backups are encrypted to the
Organization Key and may thus be stored securely off the PGP Universal Server.
Ignition Keys: You can protect the contents of a PGP Universal Server, even if the
hardware is physically stolen, by requiring the use of a hardware token or a software
passphrase, or both, on start.
PGP Universal Server User Types
Internal and External Users: Internal users are email users from the domains being
managed by your PGP Universal Server; external users are email users from other
domains (domains not being managed by your PGP Universal Server) who have been
added to the SMSA.
Multiple Administrators: Only PGP administrators are allowed to access the
administrative interface that controls PGP Universal Server. A PGP Universal Server
supports multiple PGP administrators, each of which can be assigned one of five
levels of authority: from read-only access to full control over every feature and
function.
Management of PGP Desktop Users: PGP Universal Servers allow you to manage
PGP Desktop deployments to your internal users. The PGP administrator can control
which PGP Desktop features are automatically implemented at install, and establish
and update mail security policy for PGP Desktop users that those users cannot
override (except on the side of being more secure).
Other Email Users: Users within your organization can securely send email to
recipients outside the SMSA.
First, the PGP Universal Server will attempt to find a key for the recipient. If that fails,
there are four fallback options, all controlled by mail policy: bounce the message
back to the sender (so it’s not sent unencrypted), send unencrypted, Smart Trailer,
and PGP Universal Web Messenger mail.
Smart Trailer sends the message unencrypted and adds text giving the recipient the
option of joining the SMSA by installing PGP Universal Satellite, using an existing key
or certificate, or using PGP Universal Web Messenger. PGP Universal Web
Messenger lets the recipient securely read the message on a secure website; it also
gives the recipient options for handling subsequent messages from the same
domain: read the messages on a secure website using a passphrase they establish,
install PGP Universal Satellite, or add an existing key or certificate to the SMSA.
10
PGP Universal Administrator’s Guide 2: The Big Picture
Installation Overview
The following steps are a broad overview of what it takes to plan, set up, and maintain
your PGP Universal Server environment.
All of the steps described briefly here are described in detail in later chapters.
1. Plan where in your network you want to locate your PGP Universal Server(s).
Where you put PGP Universal Servers in your network, how many PGP Universal Servers
you have in your network, and other factors all have a major impact on how you add them
to your existing network.
It’s a good idea to create a diagram of your network that includes all network components
and shows how email flows; having this diagram may help you understand how adding a
PGP Universal Server will impact your network.
Refer to Chapter 3, “Adding the PGP Universal Server to Your Network” for information
that will help you plan how to add PGP Universal Servers to your existing network.
2. Perform necessary DNS changes.
Add IP addresses for your PGP Universal Servers, an alias to your keyserver, update the
MX record if necessary, add keys.<domain>, hostnames of potential Secondary servers
for a cluster, and so on.
Properly configured DNS settings (including root servers and appropriate reverse lookup
records) are required in all cases to support PGP Universal Server. Make sure both host
and pointer records are correct. IP addresses must be resolvable to hostnames, as well as
hostnames resolvable to IP addresses.
3. Prepare a hardware token Ignition Key.
If you want to add a hardware token Ignition Key during setup, install the drivers and
configure the token before you begin the PGP Universal Server setup process. See
Chapter 46, “Protecting PGP Universal Server with Ignition Keys” for information on how
to prepare a hardware token Ignition Key.
4. If you are going to have more than one PGP Universal Server in your network, install and
configure the Primary server of the cluster first.
The Setup Assistant runs automatically when you first access the administrative interface
for the PGP Universal Server.
To configure the Secondary servers in the cluster, you must configure the Primary server
first and then add the Secondary servers on the Primary server before you can actually
configure the Secondary servers.
Refer to Chapter 7, “Setting Up the PGP Universal Server” for more information on the
Setup Assistant.
11
PGP Universal Administrator’s Guide 2: The Big Picture
5. License your Primary server.
You cannot take a PGP Universal Server out of Learn Mode or install updates until the
product is licensed. Once it is licensed, you should check for product updates and install
them if found. See Chapter 9, “Licensing Your Software” for more information.
If you want the PGP Universal Server to provide mail proxy services, you must have a
PGP Universal Server license with the mailstream feature enabled. See Chapter 9,
“Licensing Your Software” for more information.
If you want to implement virus scanning and file blocking, make sure to use a PGP
Universal Server license with the Symantec AntiVirus feature enabled. You will also need
a license from Symantec; see Chapter 20, “Scanning Email for Viruses” for more
information.
6. If you have a PGP key you want to use as your Organization Key with PGP Universal
Server, import it and then back it up on your Primary server.
Your Organization Key does two important things: it is used to sign all user keys the PGP
Universal Server creates and it is used to encrypt PGP Universal Server backups. This key
represents the identity of your organization, and is the root of the Web-of-Trust for your
users.
If your organization uses PGP Desktop and already has an Corporate Key or Organization
Key, and you want to use that key with PGP Universal Server, you should import it as
soon as you have configured your Primary server and then create a backup of the key.
If your organization does not have an existing key that you want to use as your
Organization Key, use the Organization Key the Setup Assistant automatically creates
with default values. See Chapter 12, “Managing Organization Keys” for more information.
No matter which key you use as your Organization Key, it is very important to make a
backup of the key in case of a problem with your PGP Universal Server. Since PGP
Universal Server’s built-in back-up feature always encrypts backups to this key, you will
need to provide a copy of your Organization Key to restore your data.
Refer to “Organization Certificate” on page 88 for more information on Organization
Certificates.
7. If you have a PGP Additional Decryption Key (ADK) that you want to use with PGP
Universal Server, add it on your Primary server.
An ADK is a way to recover an email message if the recipient is unable or unwilling to do
so; every message that is also encrypted to the ADK can be opened by the holder(s) of
the ADK. You cannot create an ADK with the PGP Universal Server, but if you have an
existing PGP ADK (generated by PGP Desktop, an ideal scenario for a split key; refer to
the PGP Desktop User’s Guide for more information), you can add it to your PGP
Universal Server and use it. You can only have one ADK. Refer to “Additional Decryption
Key (ADK)” on page 93 for more information.
12
PGP Universal Administrator’s Guide 2: The Big Picture
8. Create a SSL/TLS certificate or obtain a valid SSL/TLS certificate.
You can create a self-signed certificate for use with SSL/TLS traffic. Because this
certificate is self signed, however, it may not be trusted by email or Web browser clients.
PGP Corporation recommends that you obtain a valid SSL/TLS certificate for each of your
PGP Universal Servers from a reputable Certificate Authority, such as GeoTrust, available
at the PGP Online Store (www.pgpstore.com).
This is especially important for PGP Universal Servers that will be accessed publicly. Older
Web browsers may reject self-signed certificates or not know how to handle them
correctly when they encounter them via PGP Universal Web Messenger or Smart Trailer.
Refer to “Working with Certificates” on page 377 for more information.
9. Add trusted keys, configure internal and external user policy, and establish mail policy.
All of these settings are important for secure operation of PGP Universal Server. Refer to
Chapter 13, “Managing Trusted Keys and Certificates” for information on adding trusted
keys from outside the SMSA. Read Chapter 26, “Setting Internal User Policy” and
Chapter 29, “Setting External User Policy” for information about user policy settings. See
Chapter 15, “Setting Mail Policy” to learn about setting up mail policy.
10. Configure the Directory Synchronization feature if you want to synchronize an LDAP
directory with your PGP Universal Server.
Using the Directory Synchronization feature gives you more control over who is included
in your SMSA, if you have an existing LDAP server.
If you are going to use the Directory Synchronization feature, it’s best to configure it
before you install and configure your Secondary servers. Refer to Chapter 27, “Using
Directory Synchronization to Manage Users” for more information about the Directory
Synchronization feature.
11. Install and configure the Secondary servers.
The Setup Assistant runs automatically when you first access a PGP Universal Server.
Remember that you must configure the Primary server in the cluster first and tell it about
the Secondary servers before you can configure them. See Chapter 45, “Clustering your
PGP Universal Servers” to learn more about Clustering.
12. License and configure virus scanning and file blocking on those PGP Universal Servers for
which you want them enabled.
You must be using a PGP Universal Server license that supports these features. Once
enabled (on a per-service basis), virus scanning and file blocking are active, even while the
PGP Universal Server is in Learn Mode. In a cluster, you only need to enter the virus
scanning license once for the Primary server in the cluster.
13. Reconfigure the settings of your email clients and servers, if necessary.
Depending on how you are adding the PGP Universal Server to your network, some
setting changes may be necessary. For example, if you are using a PGP Universal Server
placed internally, the email clients must have SMTP authentication turned on. For PGP
Universal Servers placed externally, you must configure your mail server to relay SMTP
traffic to the PGP Universal Server.
13
PGP Universal Administrator’s Guide 2: The Big Picture
14. Enable SNMP Polling and Traps.
You can configure PGP Universal Server to allow network management applications to
monitor system information for the device on which PGP Universal Server is installed and
to send system and application information to an external destination. See Chapter 43,
“Configuring SNMP Monitoring” for more information.
15. Distribute PGP Universal Satellite and/or PGP Desktop to your internal users, if
appropriate.
If you want to provide seamless, end-to-end PGP message security without the need for
any user training, have them use PGP Universal Satellite. Exchange/MAPI and Lotus
Notes environments also require the use of PGP Universal Satellite. PGP Desktop
provides more features and user control than PGP Universal Satellite. Refer to Chapter
36, “PGP Universal Satellite” and Chapter 28, “Configuring PGP Desktop Installations”
for more information.
16. Analyze the data from Learn Mode.
In Learn Mode, your PGP Universal Server monitors email traffic and dynamically creates
a SMSA; in fact, it does everything it would ordinarily do except encrypt and sign. You can
see what the PGP Universal Server would have done without Learn Mode by monitoring
the system logs.
Learn Mode lets you become familiar with how the PGP Universal Server operates and it
lets you see the effects of the policy settings you have established before the PGP
Universal Server actually goes live on your network. Naturally, you can fine tune settings
while in Learn Mode, so that the PGP Universal Server is operating just how you want
before you go live.
See Chapter 10, “Operating in Learn Mode” for more information.
17. Adjust policies as necessary.
It may take a few tries to get everything working just the way you want. For example, you
may decide to revise your mail policy.
18. Perform backups of all PGP Universal Servers before you take them out of Learn Mode.
This gives you a baseline backup in case you need to return to a clean installation. To learn
how to back up the PGP Universal Server, refer to Chapter 47, “Backing Up and Restoring
System and User Data” for more information.
19. Take your PGP Universal Servers out of Learn Mode.
Once this is done, email messages will be encrypted, signed, and decrypted/verified,
according to the relevant policy rules. Make sure you have licensed each of your PGP
Universal Servers; you cannot take a PGP Universal Server out of Learn Mode until it has
been licensed.
20. Monitor the system logs to make sure your PGP Universal Server environment is
operating as expected.
14
SECTION 2
Deploying your Server
This section describes what you need to know to plan how to incorporate your PGP Universal Server into your
network.
Chapter 3, “Adding the PGP Universal Server to Your Network”
Chapter 4, “Open Ports”
Chapter 5, “Naming your PGP Universal Server”
Adding the PGP Universal Server
3
to Your Network
This chapter provides information about how your PGP Universal Server processes email,
to help you decide how to integrate your PGP Universal Servers into your existing
network. It also includes information about using Microsoft Exchange Server and Lotus
Domino Server with PGP Universal Satellite.
These topics are covered in the following sections:
“Server Placement”
“Using a Mail Relay” on page 19
“Microsoft Exchange Server” on page 19
“Lotus Domino Server” on page 19
“Configuration Examples” on page 20
Server Placement
A PGP Universal Server can be placed in your network in either of two locations in the
logical flow of data:
Internal placement. The PGP Universal Server is located between your email users
and their local mail server in the logical flow of data.
Gateway placement. The PGP Universal Server is located between your external
facing mail server and the Internet in the logical flow of data.
The PGP Universal Server must not be behind a proxy server, unless it is a transparent proxy,
Caution
to receive licensing and update information automatically. This is true for both gateway and
internal placement.
16
Loading...