PGP, Pretty Good Privacy, and the PGP logo are registered trademarks and Rest Secured is a trademark of PGP Corporation in
the US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of
Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red
Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus
Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark
of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company.
SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or
registered trademarks of Apple Computer, Inc. Symantec, the Symantec logo, and LiveUpdate are registered trademarks of
Symantec Corporation. All other registered and unregistered trademarks in this document are the sole property of their
respective owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST
encryption algorithm is licensed from Northern Telecom, Ltd. PGP Corporation has secured a license to the patent rights
contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block
Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party
software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a
whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP
Universal Server, contact PGP Support (http://www.pgp.com/support). PGP Corporation may have patents and/or pending
patent applications covering subject matter in this software or its documentation; the furnishing of this software or
documentation does not give you any license to these patents.
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from
time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and
re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User
License Agreement provided with the software. The information in this document is subject to change without notice. PGP
Corporation does not warrant that the information meets your requirements or that the information is free of errors. The
information may include technical inaccuracies or typographical errors. Changes may be made to the information and
incorporated in new editions of this document, if and when made available by PGP Corporation.
This section provides a high-level overview of the components, concepts, and terminology of the PGP Universal
Server. It also provides a high-level overview of the entire installation and setup process.
Chapter 1, “Introduction”
Chapter 2, “The Big Picture”
1
Introduction
This Administrator’s Guide describes both the PGP Universal Server and PGP Universal
Satellite. It tells you how to get them up and running on your network, how to configure
them, and how to maintain them. This section provides a high-level overview of PGP
Universal Server. Topics include:
“What is PGP Universal Server?”
“PGP Universal Server Product Family” on page 2
“Who Should Read This Guide” on page 2
“Improvements in This Version of PGP Universal Server” on page 2
“Symbols” on page 3
“Getting Assistance” on page 4
What is PGP Universal Server?
PGP Universal Server provides multiple encryption solutions managed from a single
console.
PGP Universal Server with PGP Universal Gateway Email gives you secure messaging: it
transparently protects your enterprise messages with little or no user interaction.
The PGP Universal Server also replaces the PGP Keyserver product with a built-in
keyserver, and the PGP Admin product with PGP Desktop configuration and deployment
capabilities.
It automatically creates and maintains a Self-Managing Security Architecture (SMSA) by
monitoring authenticated users and their email traffic. You can also send protected
messages to addresses that are not part of the SMSA. The PGP Universal Server
encrypts, decrypts, signs, and verifies messages automatically, providing strong security
through policies you control.
PGP Universal Satellite, a client-side feature of PGP Universal Server, extends PGP
security for email messages all the way to the computer of the email user, it allows
external users to become part of the SMSA, and it gives end users the option to create
and manage their keys on their own computer (if allowed by the PGP administrator).
1
PGP Universal Server Administrator’s Guide1: Introduction
PGP Universal Server Product Family
PGP Universal Server functions as a management console for a variety of encryption
solutions. You can purchase any of the PGP Desktop applications or bundles and use PGP
Universal Server to create and manage client installations. You can also purchase a
license that enables PGP Gateway Email to encrypt email in the mailstream.
The PGP Universal Server can manage any combination of PGP encryption applications.
PGP encryption applications are:
PGP Universal Gateway Email provides automatic email encryption in the gateway,
based on centralized mail policy. This product requires administration by the PGP
Universal Server.
PGP Desktop Email provides encryption at the desktop level for mail, files, and AOL
Instant Messenger traffic. This product can be managed by the PGP Universal
Server.
PGP Whole Disk Encryption provides encryption at the desktop level for an entire
disk. This product can be managed by the PGP Universal Server.
PGP NetShare provides transparent file encryption and sharing among desktops.
This product can be managed by the PGP Universal Server.
Who Should Read This Guide
This Administrator’s Guide is for the person or persons who will be implementing and
maintaining your organization’s PGP Universal Server environment. These are the PGP
administrators.
This guide is also intended for anyone else who wants to learn about how PGP Universal
Server works.
Improvements in This Version of PGP Universal Server
This release of PGP Universal introduces the following new features:
“General” on page 3
“PGP Messaging” on page 3
“PGP Whole Disk Encryption” on page 3
“PGP Keys” on page 3
2
PGP Universal Server Administrator’s Guide1: Introduction
General
Changes in this
release
Microsoft Internet Explorer 7 support. The PGP Universal Server administrative
interface now runs in Internet Explorer 7.
PGP Messaging
Changes in this
release
Benefits
Where to find
For more
information
PGP Verified Directory enhancements. You can now specify a “From” address that
will display on all PGP Verified Directory-initiated email messages.
The customized sender address prevents your PGP Universal Server’s hostname from
appearing in the “From” email line.
Services>Verified Directory screen.
See Chapter 31, “Configuring the PGP Verified Directory” for more information.
PGP Whole Disk Encryption
Changes in this
release
Benefits
PGP Whole Disk Encryption (WDE) Recovery Token encryption. Whole Disk
Recovery Tokens are now encrypted to the PGP Universal Server Ignition Key.
Improves user data security.
PGP Keys
Changes in this
release
Where to find
For more
information
Symbols
Key Reconstruction for Mac OS X. Key reconstruction is now available in PGP
Desktop for Mac OS X.
Policy>Internal User Policy screen.
See Chapter 28, “Configuring PGP Desktop Installations” and Chapter 32, “Managing
Internal User Accounts” for more information on key reconstruction.
Notes, Cautions, and Warnings are used in the following ways.
Notes are extra, but important, information. A Note calls your attention to important aspects
Caution
of the product. You will be able to use the product better if you read the Notes.
3
PGP Universal Server Administrator’s Guide1: Introduction
Cautions indicate the possibility of loss of data or a minor security breach. A Caution tells you
Caution
about a situation where problems could occur unless precautions are taken. Pay attention to
Cautions.
Warnings indicate the possibility of significant data loss or a major security breach. A
Caution
Warning means serious problems will occur unless you take the appropriate action. Please
take Warnings very seriously.
Getting Assistance
Refer to these sections for additional resources.
Getting product information
The following documents and on-line help are companions to the PGP Universal
Administrator’s Guide. This guide occasionally refers to information that can be found in
one or more of the following sources:
PGP Universal Upgrade Guide—Describes the process of upgrading your PGP
PGP Universal Mail Policy Diagram—Provides a graphical representation of how
Tu t o r i a l s —Provides animated introductions on how to manage the mail policy
The administrative interface and PGP Universal Satellite for Windows and Mac OS X
PGP Universal and PGP Satellite release notes are also provided, which may have
Once PGP Universal is released, additional information regarding the product is added to
the online Knowledge Base available on PGP Corporation’s Support Portal at
www.pgpsupport.com.
Contact information
All PGP customers have access to the comprehensive set of tools and discussion forums
available on the PGP Support Portal.
Universal Server to version 2.6
email is processed through mail policy. You can access this document via the PGP
Universal Server online help.
feature in PGP Universal Server, and how upgraded PGP Universal Server settings
migrate into the new mail policy feature.
You can also access all the documentation and tutorials by clicking the online help
icon in the upper-right corner of the PGP Universal Server screen.
include online help.
last-minute information not found in the product documentation.
The PGP Support Portal provides access to tutorials, recent support briefs, the
Knowledge Base, and other valuable technical information.
You must have a valid support agreement to request Technical Support.
4
PGP Universal Server Administrator’s Guide1: Introduction
Contacting Technical Support
To access the PGP Support Knowledge Base or request PGP Technical Support:
https://support.pgp.com. Note that you must have a valid support agreement to
request Technical Support.
To learn about PGP support options and how to contact PGP Technical Support:
http://www.pgp.com/support/
To access the PGP Universal section of the PGP Support forums: http://
forums.pgpsupport.com
For any other contacts at PGP, please visit the PGP Contacts Page: http://
www.pgp.com/company/contact/index.html.
For general information about PGP Corporation, please visit the PGP Web Site: http:/
/www.pgp.com.
5
PGP Universal Server Administrator’s Guide1: Introduction
6
The Big Picture
2
This chapter describes some important terms and concepts and gives you a high-level
overview of the things you need to do to set up and maintain your PGP Universal Server
environment.
Topics include:
“Important Terms”
“Installation Overview” on page 11
Important Terms
PGP Products
PGP Universal Server: A device you add to your network that provides secure
messaging with little or no user interaction. The PGP Universal Server automatically
creates and maintains a security architecture by monitoring authenticated users and
their email traffic. You can also send protected messages to addresses that are not
part of the security architecture.
PGP Universal Satellite: The PGP Universal Satellite software resides on the
computer of the email user. It allows email to be encrypted end to end, all the way to
and from the desktop (for both internal and external users). Using PGP Universal
Satellite is one of the ways for external users to participate in the SMSA. It also
allows users the option of controlling their keys on their local machines (if allowed by
the PGP administrator).
PGP Universal Server Concepts
Security Architecture: Behind the scenes, the PGP Universal Server creates and
manages its own security architecture for the users whose email domain it is
securing. Because the security architecture is created and managed automatically,
we call this a self-managing security architecture (SMSA).
keys.<domain> convention: PGP Universal Server automatically looks for valid
public keys for email recipients at a special hostname, if no valid public key is found
locally to secure a message. This hostname is keys.<domain> (where <domain> is
the email domain of the recipient). For example, Example Corporation’s externally
visible PGP Universal Server is named keys.example.com.
PGP Corporation strongly recommends you name your externally visible PGP
Universal Server according to this convention because it allows other PGP Universal
Servers to easily find valid public keys for email recipients in your domain.
Refer to Appendix 5, “Naming your PGP Universal Server” for more information
about this convention.
7
PGP Universal Administrator’s Guide2: The Big Picture
PGP Universal Server Features
Server Placement: A PGP Universal Server can be placed in one of two locations in
your network to process email.
With an internal placement, the PGP Universal Server logically sits between your
email users and your mail server. It encrypts and signs outgoing SMTP email and
decrypts and verifies incoming mail being picked up by email clients using POP or
IMAP. Email stored on your mail server is stored secured (encrypted).
With a gateway placement, the PGP Universal Server logically sits between your
mail server and the Internet. It encrypts and signs outgoing SMTP email and
decrypts and verifies incoming SMTP email. Email stored on your mail server is
stored unsecured.
Refer to Chapter 3, “Adding the PGP Universal Server to Your Network” and Chapter
22, “Configuring Mail Proxies” for more information about server placement.
Administrative Interface: Each PGP Universal Server is controlled via a Web-based
administrative interface. The administrative interface gives you control over the PGP
Universal Server’s operation. While many settings are initially established using the
web-based Setup Assistant, all settings of a PGP Universal Server can be controlled
via the administrative interface.
Setup Assistant: When you attempt to log in for the first time to the administrative
interface of a PGP Universal Server, the Setup Assistant takes you through the
configuration of that PGP Universal Server.
Learn Mode: When you finish configuring a PGP Universal Server using the Setup
Assistant, it begins operation in Learn Mode, which is a special mode where the PGP
Universal Server proxies traffic normally but does not encrypt or sign any messages.
Learn Mode gives the PGP Universal Server a chance to build its SMSA (creating
keys for authenticated users, for example) so that when the it goes live — that is,
when Learn Mode is turned off — the PGP Universal Server knows the environment
and can immediately begin securing messages. It’s also an excellent way for PGP
administrators to learn about the product.
You should check the logs of the PGP Universal Server while it is in Learn Mode to
see what it would be doing to email traffic if it were live on your network. You can
make changes to the PGP Universal Server’s policies while it is in Learn Mode until
things are working as expected.
Mail Policy: The PGP Universal Server processes email messages based on the
policies you establish. Mail policy applies to inbound and outbound email for both
PGP Universal Server traffic and email processed by PGP client software. Mail policy
consists of multiple policy chains, comprised of sequential mail processing rules.
Dictionary: Dictionaries are lists of terms to be matched. The dictionaries work with
mail policy to allow you to define content lists that can trigger rules.
Cluster: When you have two or more PGP Universal Servers in your network, you
configure them to synchronize with each other; this is called a “cluster.”
8
PGP Universal Administrator’s Guide2: The Big Picture
In a cluster, one PGP Universal Server is designated Primary for the cluster; all other
PGP Universal Servers in the cluster are designated Secondary. The Secondary
servers synchronize their users, keys, managed domains, and policies with the
Primary.
Organization Key: The Setup Assistant automatically creates an Organization Key
(actually a keypair) when it configures a PGP Universal Server. The Organization Key
is used to sign all PGP user keys the PGP Universal Server creates and to encrypt
PGP Universal Server backups.
It is extremely important to back up your Organization Key: all of the keys the PGP Universal
Caution
Server creates are signed by the Organization Key, and all backups are encrypted to the
Organization Key. If you lose your Organization Key and have not backed it up, the signatures
on those keys will be meaningless and you will not be able to restore from backups
encrypted to the Organization Key.
If your organization has one PGP Universal Server, back up the Organization Key
from that PGP Universal Server; if you have multiple PGP Universal Servers in a
cluster, back up the Organization Key from the Primary server in the cluster, as this
Organization Key will be synchronized with the Secondary servers in the cluster.
Organization Certificate: Create or obtain an Organization Certificate to enable S/
MIME support by PGP Universal Server. The Organization Certificate signs all X.509
certificates the server creates.
Directory Synchronization: If you have an LDAP directory in your organization, your
PGP Universal Server can be synchronized with this directory. The PGP Universal
Server will automatically import user information from the directory when users send
and receive email; it will also create internal user accounts for them, including adding
and using X.509 certificates if they are contained in the LDAP directory.
Integrated Virus Scanning and File Blocking: Each PGP Universal Server in your
organization can be configured with integrated virus scanning from Symantec such
that messages and attachments can be scanned for viruses. You can also block
attachments based on filenames you specify.
Keyserver: Each PGP Universal Server includes an integrated keyserver populated
with the public keys of your internal users. When an external user sends a message
to an internal user, the external PGP Universal Server will go to the keyserver to find
the public key of the recipient to use to secure the message. The PGP administrator
can enable or disable the service, and control access to it via the administrative
interface.
PGP Verified Directory: The PGP Verified Directory supplements the internal
keyserver by letting internal and external users manage the publishing of their own
public keys. The PGP Verified Directory also serves as a replacement for the PGP
Keyserver product. The PGP Verified Directory uses next-generation keyserver
technology to ensure that the keys in the directory can be trusted.
Backup and Restore: Because full backups of the data stored on your PGP Universal
Server are critical in the case of a natural disaster or other unanticipated loss of data
or hardware, you can schedule automatic backups of your PGP Universal Server data
or manually perform a backup.
9
PGP Universal Administrator’s Guide2: The Big Picture
Naturally, you can fully restore a PGP Universal Server from a backup. In the event of
a minor problem, you can restore the PGP Universal Server to any saved backup. In
the event that a PGP Universal Server is no longer usable, you can restore its data
from a backup onto a new PGP Universal Server during initial setup of the new PGP
Universal Server using the Setup Assistant. All backups are encrypted to the
Organization Key and may thus be stored securely off the PGP Universal Server.
Ignition Keys: You can protect the contents of a PGP Universal Server, even if the
hardware is physically stolen, by requiring the use of a hardware token or a software
passphrase, or both, on start.
PGP Universal Server User Types
Internal and External Users: Internal users are email users from the domains being
managed by your PGP Universal Server; external users are email users from other
domains (domains not being managed by your PGP Universal Server) who have been
added to the SMSA.
Multiple Administrators: Only PGP administrators are allowed to access the
administrative interface that controls PGP Universal Server. A PGP Universal Server
supports multiple PGP administrators, each of which can be assigned one of five
levels of authority: from read-only access to full control over every feature and
function.
Management of PGP Desktop Users: PGP Universal Servers allow you to manage
PGP Desktop deployments to your internal users. The PGP administrator can control
which PGP Desktop features are automatically implemented at install, and establish
and update mail security policy for PGP Desktop users that those users cannot
override (except on the side of being more secure).
Other Email Users: Users within your organization can securely send email to
recipients outside the SMSA.
First, the PGP Universal Server will attempt to find a key for the recipient. If that fails,
there are four fallback options, all controlled by mail policy: bounce the message
back to the sender (so it’s not sent unencrypted), send unencrypted, Smart Trailer,
and PGP Universal Web Messenger mail.
Smart Trailer sends the message unencrypted and adds text giving the recipient the
option of joining the SMSA by installing PGP Universal Satellite, using an existing key
or certificate, or using PGP Universal Web Messenger. PGP Universal Web
Messenger lets the recipient securely read the message on a secure website; it also
gives the recipient options for handling subsequent messages from the same
domain: read the messages on a secure website using a passphrase they establish,
install PGP Universal Satellite, or add an existing key or certificate to the SMSA.
10
PGP Universal Administrator’s Guide2: The Big Picture
Installation Overview
The following steps are a broad overview of what it takes to plan, set up, and maintain
your PGP Universal Server environment.
All of the steps described briefly here are described in detail in later chapters.
1. Plan where in your network you want to locate your PGP Universal Server(s).
Where you put PGP Universal Servers in your network, how many PGP Universal Servers
you have in your network, and other factors all have a major impact on how you add them
to your existing network.
It’s a good idea to create a diagram of your network that includes all network components
and shows how email flows; having this diagram may help you understand how adding a
PGP Universal Server will impact your network.
Refer to Chapter 3, “Adding the PGP Universal Server to Your Network” for information
that will help you plan how to add PGP Universal Servers to your existing network.
2. Perform necessary DNS changes.
Add IP addresses for your PGP Universal Servers, an alias to your keyserver, update the
MX record if necessary, add keys.<domain>, hostnames of potential Secondary servers
for a cluster, and so on.
Properly configured DNS settings (including root servers and appropriate reverse lookup
records) are required in all cases to support PGP Universal Server. Make sure both host
and pointer records are correct. IP addresses must be resolvable to hostnames, as well as
hostnames resolvable to IP addresses.
3. Prepare a hardware token Ignition Key.
If you want to add a hardware token Ignition Key during setup, install the drivers and
configure the token before you begin the PGP Universal Server setup process. See
Chapter 46, “Protecting PGP Universal Server with Ignition Keys” for information on how
to prepare a hardware token Ignition Key.
4. If you are going to have more than one PGP Universal Server in your network, install and
configure the Primary server of the cluster first.
The Setup Assistant runs automatically when you first access the administrative interface
for the PGP Universal Server.
To configure the Secondary servers in the cluster, you must configure the Primary server
first and then add the Secondary servers on the Primary server before you can actually
configure the Secondary servers.
Refer to Chapter 7, “Setting Up the PGP Universal Server” for more information on the
Setup Assistant.
11
PGP Universal Administrator’s Guide2: The Big Picture
5. License your Primary server.
You cannot take a PGP Universal Server out of Learn Mode or install updates until the
product is licensed. Once it is licensed, you should check for product updates and install
them if found. See Chapter 9, “Licensing Your Software” for more information.
If you want the PGP Universal Server to provide mail proxy services, you must have a
PGP Universal Server license with the mailstream feature enabled. See Chapter 9,
“Licensing Your Software” for more information.
If you want to implement virus scanning and file blocking, make sure to use a PGP
Universal Server license with the Symantec AntiVirus feature enabled. You will also need
a license from Symantec; see Chapter 20, “Scanning Email for Viruses” for more
information.
6. If you have a PGP key you want to use as your Organization Key with PGP Universal
Server, import it and then back it up on your Primary server.
Your Organization Key does two important things: it is used to sign all user keys the PGP
Universal Server creates and it is used to encrypt PGP Universal Server backups. This key
represents the identity of your organization, and is the root of the Web-of-Trust for your
users.
If your organization uses PGP Desktop and already has an Corporate Key or Organization
Key, and you want to use that key with PGP Universal Server, you should import it as
soon as you have configured your Primary server and then create a backup of the key.
If your organization does not have an existing key that you want to use as your
Organization Key, use the Organization Key the Setup Assistant automatically creates
with default values. See Chapter 12, “Managing Organization Keys” for more information.
No matter which key you use as your Organization Key, it is very important to make a
backup of the key in case of a problem with your PGP Universal Server. Since PGP
Universal Server’s built-in back-up feature always encrypts backups to this key, you will
need to provide a copy of your Organization Key to restore your data.
Refer to “Organization Certificate” on page 88 for more information on Organization
Certificates.
7. If you have a PGP Additional Decryption Key (ADK) that you want to use with PGP
Universal Server, add it on your Primary server.
An ADK is a way to recover an email message if the recipient is unable or unwilling to do
so; every message that is also encrypted to the ADK can be opened by the holder(s) of
the ADK. You cannot create an ADK with the PGP Universal Server, but if you have an
existing PGP ADK (generated by PGP Desktop, an ideal scenario for a split key; refer to
the PGP Desktop User’s Guide for more information), you can add it to your PGP
Universal Server and use it. You can only have one ADK. Refer to “Additional Decryption
Key (ADK)” on page 93 for more information.
12
PGP Universal Administrator’s Guide2: The Big Picture
8. Create a SSL/TLS certificate or obtain a valid SSL/TLS certificate.
You can create a self-signed certificate for use with SSL/TLS traffic. Because this
certificate is self signed, however, it may not be trusted by email or Web browser clients.
PGP Corporation recommends that you obtain a valid SSL/TLS certificate for each of your
PGP Universal Servers from a reputable Certificate Authority, such as GeoTrust, available
at the PGP Online Store (www.pgpstore.com).
This is especially important for PGP Universal Servers that will be accessed publicly. Older
Web browsers may reject self-signed certificates or not know how to handle them
correctly when they encounter them via PGP Universal Web Messenger or Smart Trailer.
Refer to “Working with Certificates” on page 377 for more information.
9. Add trusted keys, configure internal and external user policy, and establish mail policy.
All of these settings are important for secure operation of PGP Universal Server. Refer to
Chapter 13, “Managing Trusted Keys and Certificates” for information on adding trusted
keys from outside the SMSA. Read Chapter 26, “Setting Internal User Policy” and
Chapter 29, “Setting External User Policy” for information about user policy settings. See
Chapter 15, “Setting Mail Policy” to learn about setting up mail policy.
10. Configure the Directory Synchronization feature if you want to synchronize an LDAP
directory with your PGP Universal Server.
Using the Directory Synchronization feature gives you more control over who is included
in your SMSA, if you have an existing LDAP server.
If you are going to use the Directory Synchronization feature, it’s best to configure it
before you install and configure your Secondary servers. Refer to Chapter 27, “Using
Directory Synchronization to Manage Users” for more information about the Directory
Synchronization feature.
11. Install and configure the Secondary servers.
The Setup Assistant runs automatically when you first access a PGP Universal Server.
Remember that you must configure the Primary server in the cluster first and tell it about
the Secondary servers before you can configure them. See Chapter 45, “Clustering your
PGP Universal Servers” to learn more about Clustering.
12. License and configure virus scanning and file blocking on those PGP Universal Servers for
which you want them enabled.
You must be using a PGP Universal Server license that supports these features. Once
enabled (on a per-service basis), virus scanning and file blocking are active, even while the
PGP Universal Server is in Learn Mode. In a cluster, you only need to enter the virus
scanning license once for the Primary server in the cluster.
13. Reconfigure the settings of your email clients and servers, if necessary.
Depending on how you are adding the PGP Universal Server to your network, some
setting changes may be necessary. For example, if you are using a PGP Universal Server
placed internally, the email clients must have SMTP authentication turned on. For PGP
Universal Servers placed externally, you must configure your mail server to relay SMTP
traffic to the PGP Universal Server.
13
PGP Universal Administrator’s Guide2: The Big Picture
14. Enable SNMP Polling and Traps.
You can configure PGP Universal Server to allow network management applications to
monitor system information for the device on which PGP Universal Server is installed and
to send system and application information to an external destination. See Chapter 43,
“Configuring SNMP Monitoring” for more information.
15. Distribute PGP Universal Satellite and/or PGP Desktop to your internal users, if
appropriate.
If you want to provide seamless, end-to-end PGP message security without the need for
any user training, have them use PGP Universal Satellite. Exchange/MAPI and Lotus
Notes environments also require the use of PGP Universal Satellite. PGP Desktop
provides more features and user control than PGP Universal Satellite. Refer to Chapter
In Learn Mode, your PGP Universal Server monitors email traffic and dynamically creates
a SMSA; in fact, it does everything it would ordinarily do except encrypt and sign. You can
see what the PGP Universal Server would have done without Learn Mode by monitoring
the system logs.
Learn Mode lets you become familiar with how the PGP Universal Server operates and it
lets you see the effects of the policy settings you have established before the PGP
Universal Server actually goes live on your network. Naturally, you can fine tune settings
while in Learn Mode, so that the PGP Universal Server is operating just how you want
before you go live.
See Chapter 10, “Operating in Learn Mode” for more information.
17. Adjust policies as necessary.
It may take a few tries to get everything working just the way you want. For example, you
may decide to revise your mail policy.
18. Perform backups of all PGP Universal Servers before you take them out of Learn Mode.
This gives you a baseline backup in case you need to return to a clean installation. To learn
how to back up the PGP Universal Server, refer to Chapter 47, “Backing Up and Restoring
System and User Data” for more information.
19. Take your PGP Universal Servers out of Learn Mode.
Once this is done, email messages will be encrypted, signed, and decrypted/verified,
according to the relevant policy rules. Make sure you have licensed each of your PGP
Universal Servers; you cannot take a PGP Universal Server out of Learn Mode until it has
been licensed.
20. Monitor the system logs to make sure your PGP Universal Server environment is
operating as expected.
14
SECTION 2
Deploying your Server
This section describes what you need to know to plan how to incorporate your PGP Universal Server into your
network.
Chapter 3, “Adding the PGP Universal Server to Your Network”
Chapter 4, “Open Ports”
Chapter 5, “Naming your PGP Universal Server”
Adding the PGP Universal Server
3
to Your Network
This chapter provides information about how your PGP Universal Server processes email,
to help you decide how to integrate your PGP Universal Servers into your existing
network. It also includes information about using Microsoft Exchange Server and Lotus
Domino Server with PGP Universal Satellite.
These topics are covered in the following sections:
“Server Placement”
“Using a Mail Relay” on page 19
“Microsoft Exchange Server” on page 19
“Lotus Domino Server” on page 19
“Configuration Examples” on page 20
Server Placement
A PGP Universal Server can be placed in your network in either of two locations in the
logical flow of data:
Internal placement. The PGP Universal Server is located between your email users
and their local mail server in the logical flow of data.
Gateway placement. The PGP Universal Server is located between your external
facing mail server and the Internet in the logical flow of data.
The PGP Universal Server must not be behind a proxy server, unless it is a transparent proxy,
Caution
to receive licensing and update information automatically. This is true for both gateway and
internal placement.
16
PGP Universal Administrator’s Guide3: Adding the PGP Universal Server to Your Network
Gateway Placement
With a gateway placement, your PGP Universal Server sits between your mail server and
the Internet in the logical flow of data.
Firewall
Internet
Logical flow
of da ta
External
Email User
PGP Universal
Example Corp.
Email Users
Example Corp.
Email Server
gateway
placement
Example Corp.
Internal network
The physical location of the PGP Universal Server and the mail server are not important.
Caution
What is important is that, from a mail relay point of view, the PGP Universal Server is
between the mail server and the Internet. Both could be on the internal network or in the
DMZ.
Example Corp. DMZ
With a gateway placement, email messages are secured before they are sent to the
Internet (on the way to their destination) and decrypted/verified when received from the
Internet, over SMTP in both cases.
Be sure to require authentication of incoming mail, or you risk creating an open relay.
Email users on your internal network should not be allowed direct access to a PGP Universal
Caution
Server in gateway placement. PGP Universal Server will attempt to enforce this
automatically based on your configuration. The mail server should also be configured to verify
From addresses if you intend to use the signing features of PGP Universal Server.
With a gateway placement, messages are stored unsecured on the mail server (unless
PGP Universal Satellite is being used).
For PGP Universal Server to create the SMSA, you must make sure to correctly configure
your mail server when you are using PGP Universal Servers in gateway placements.
17
PGP Universal Administrator’s Guide3: Adding the PGP Universal Server to Your Network
Internal Placement
With an internal placement, your PGP Universal Server sits between your email users and
their email server in the logical flow of data.
Firewall
Internet
Logical flow
of data
External
Email User
Example Corp.
Example Corp.
Email Users
PGP Universal
internally placed
Email Server
Example Corp.
Internal network
The physical location of the PGP Universal Server and the mail server are not important.
Caution
What is important is that, from a mail relay point of view, the PGP Universal Server is
between the email users and the mail server. Both could be on the internal network or in the
DMZ. From a performance perspective, it is generally advisable to put them next to each
other on the same network.
Example Corp. DMZ
With an internal placement of your PGP Universal Server, messages are secured based
on the applicable policies when they are sent to the mail server using SMTP; they are
decrypted and verified when they are retrieved from the mail server using POP or IMAP.
With an internal placement, messages are stored secured on the mail server. Messages
are only transmitted unencrypted between the internal user and the PGP Universal
Server, and then only if PGP Universal Satellite has not been deployed globally to your
internal users. If your mail server is configured for SSL/TLS communications with the
email client, the messages can be passed through that encrypted channel thus
maintaining encryption along the entire path.
For PGP Universal Server to create the SMSA, email clients must have SMTP
authentication turned on when they are communicating with a PGP Universal Server in an
internal placement.
18
PGP Universal Administrator’s Guide3: Adding the PGP Universal Server to Your Network
Using a Mail Relay
PGP Universal Server can forward outgoing email, after processing, to a central mail
gateway acting as a mail relay. Sites that use explicit mail routing can use the mail relay
feature to forward outgoing email to a mail relay that performs this explicit routing.
You cannot configure the mail relay when you initially configure the server using the
Setup Assistant. Instead, you have to configure the server for gateway placement and
then use the administrative interface to configure the mail relay.
Configure the relay on the Outbound or Unified SMTP proxy. Refer to “Creating New or
Editing Existing Proxies” on page 184 for more information.
Microsoft Exchange Server
Messaging Application Programming Interface (MAPI) support is available for Microsoft
Exchange Server environments by using PGP Desktop or PGP Universal Satellite for
Windows. MAPI support is not available in PGP Universal Satellite for Mac OS X because
there are no MAPI email clients for Mac OS X.
For more information about using MAPI, see “Exchange with PGP Client Software” on
page 31 and “MAPI Support” on page 342.
Lotus Domino Server
Lotus Domino Servers and the Lotus Notes email client (versions 5.x and above) are
supported in PGP Desktop and PGP Universal Satellite for Windows.
For more information about using the Lotus Notes email client, see “Lotus Domino
Server with PGP Client Software” on page 31 and “Lotus Notes Support” on page 344.
19
PGP Universal Administrator’s Guide3: Adding the PGP Universal Server to Your Network
Configuration Examples
This section shows and describes potential configurations for PGP Universal Server:
“Internal Placement Configuration”
“Gateway Placement Configuration”
“Non-mailstream Placement Configuration”
“Cluster Configuration”
“Clustered Proxy and Keyserver Configuration”
“Gateway Cluster with Load Balancer”
“Gateway and Internal Placement Cluster”
“Encircled Configuration”
“Large Enterprise Configuration”
“Spam Filters and PGP Universal Server”
“Exchange with PGP Client Software”
“Lotus Domino Server with PGP Client Software”
“Unsupported Configurations”
20
PGP Universal Administrator’s Guide3: Adding the PGP Universal Server to Your Network
Internal Placement Configuration
In this example, Example Corporation has one main office but wants to support external
email users.
Firewall
Internet
Logical flow
of data
External
Email User
1
Example Corp.
Email Users
Example Corp.
Internal network
Settings for 1:
Server type: Primary
Mail processing: Internal placement
Hostname: mail.example.com
Mail server: mail-1.example.com
IP Address, Subnet Mask, Gateway, and
DNS Servers: As appropriate
PGP Universal
internally placed
Example Corp. DMZ
Example Corp.
Email Server
Notes:
• Change mail.example.com to
mail-1.example.com and the PGP
Universal Server becomes
mail.example.com.
• End users may require no changes to
their configuration; SMTP Authentication
may need to be enabled for end users.
• Create a DNS alias for
keys.example.com to also point to the
PGP Universal Server.
By placing the server in the DMZ, the company can use an internal placement (which
means its messages are encrypted even while on its mail server) and still support external
email users via Smart Trailers, PGP Universal Web Messenger mail, or PGP Universal
Satellite.
21
PGP Universal Administrator’s Guide3: Adding the PGP Universal Server to Your Network
Gateway Placement Configuration
In this example, Example Corporation has its PGP Universal Server in a gateway
placement.
Firewall
Internet
Logical flow
of data
External
Ema il User
PGP Universal
1
Server
Example Corp.
Example Corp.
Email User
Example Corp.
Interna l ne twork
Settings for 1:
Server type: Primary
Mail processing: Gateway placement
Hostname: mail-gw.example.com
Mail server: mail.example.com
IP Address, Subnet Mask, Gateway, and
DNS Servers: As appropriate
Email Server
Example Corp. DMZ
Notes:
• Add or modify the MX record for
example.com to point to PGP Universal
Server’s IP address on
mail-gw.example.com.
• Also in DNS, create an alias
keys.example.com that points to
mail-gw.example.com.
• Mail server must be configured to relay
through the PGP Universal Server.
gateway
placement
Gateway placement also supports external email users via Smart Trailers or PGP
Universal Web Messenger mail.
22
PGP Universal Administrator’s Guide3: Adding the PGP Universal Server to Your Network
Non-mailstream Placement Configuration
In this example, Example Corporation has a PGP Universal Server placed outside the
mailstream. The PGP Universal Server integrates with PGP Desktop to provide automated
user enrollment and real-time end-user security policy management. This is a common
configuration for a PGP Universal Server managing client installations without PGP
Gateway Email.
Firewall
Internet
Logical flow
of data
Example Corp .
PGP Desktop &
Email Users
1
PGP Universal
Server
Policy /
Management
Example Corp .
Internal network
Settings for 1:
Server type: Primary
Mail processing: None
IP Address, Subnet Mask, Gateway, and
DNS Servers: As appropriate
External
Email User
Example Corp .
Email Server
Example Corp . DMZ
Notes:
• PGP Universal Server is outside of
mailstream.
• All encryption, decryption, signing, and
verification is done through PGP Desktop.
23
PGP Universal Administrator’s Guide3: Adding the PGP Universal Server to Your Network
Cluster Configuration
In this example, Example Corporation has a cluster, with multiple PGP Universal Servers
proxying messages on its internal network, and another server in the DMZ that performs
keyserver and PGP Universal Web Messenger functions only.
Manufacturing
Firewall
Logical flow
PGP Universal
Serve r
internally p la ced
Development
PGP Universal
Server
internally place d
of data
Internet
Example Corp.
Administration
PGP Universal
Serve r
internally p la ced
Example Corp.
Internal network
Notes:
• One internally placed PGP Universal Server configured as Primary in the
Cluster; the other and the keyserver configured as Secondary.
• Mail server does
• Cluster port (444) on firewall between the internally placed servers and the
keyserver
• No mail proxies configured on the keyserver.
must be opened.
not relay through the keyserver PGP Universal Server.
PGP Universal
Serve r
Keyserver/Web
Messenger
Example Corp. DMZ
Email Server
24
PGP Universal Administrator’s Guide3: Adding the PGP Universal Server to Your Network
Clustered Proxy and Keyserver Configuration
In this example, Example Corporation has a cluster, with one PGP Universal Server
proxying messages on its internal network, and another server in the DMZ that performs
keyserver and PGP Universal Web Messenger functions only.
Firewall
Internet
Logical flow
of data
Example Corp.
Ema il Use rs
2
Example Corp.
1
PGP Universal
Server
internally place d
Example Corp.
Internal network
Settings for 1:
Server type: Primary
Mail processing: Internal placement
Hostname: mail.example.com
Mail server: mail-1.example.com
IP Address, Subnet Mask, Gateway, and
DNS Servers: As appropriate
Notes:
• mail.example.com becomes mail-1.example.com. PGP Universal Server becomes
mail.example.com.
• Mail server does
not relay through 2.
PGP Universal
Server
Keyserver/Web
Messenger
Example Corp. DMZ
Ema il Serve r
Settings for 2:
Server type: Secondary
Mail processing: Disabled
Hostname: keys.example.com
IP Address, Subnet Mask, Gateway, and
DNS Servers: As appropriate
External
Ema il Use r
• Cluster port (444) on firewall between the two servers
must be opened.
To support external users via PGP Universal Web Messenger, Example Corp. could also
designate the keyserver as a PGP Universal Web Messenger server.
25
PGP Universal Administrator’s Guide3: Adding the PGP Universal Server to Your Network
Gateway Cluster with Load Balancer
In this example, Example Corporation is using an F5 BIG-IP load balancer to handle
address rotation between the PGP Universal Servers in the cluster, ensuring that traffic
goes through all of them.
Firewall
Example Corp.
Email User
Example Corp.
Internal network
Logical
flow
of data
Internet
PGP Universal
4
Server 3
Example
Corp.
Email Server
Example Corp. DMZ
Settings for 1:
Virtual server for trusted interface:
cluster-gw-internal.example.com
Virtual server addresses: Trusted interfaces
for hosts 2, 3, and 4, port 25
Virtual server for untrusted interface:
cluster-gw.example.com
Virtual server addresses: Untrusted
interfaces for hosts 2, 3, and 4, ports 25
and 389
IP Address, Subnet Mask, Gateway, and DNS
Servers: As appropriate
Notes:
• Add DNS MX record that points to
cluster-gw.example.com.
• Also in DNS, create an alias from
cluster-gw.example.com to
keys.example.com.
• The mail server must be reconfigured to
relay through
cluster-gw-internal.example.com.
1
F5 BIG-IP
Load Balancer
Settings for 2:
Server type: Primary
Mail processing: Gateway placement
Hostname: cluster1-gw.example.com
Mail server: mail.example.com
IP Address, Subnet Mask, Gateway, and DNS
Servers: As appropriate
Settings for 3:
Server type: Secondary
Hostname: cluster2-gw.example.com
IP Address, Subnet Mask, Gateway, and DNS
Servers: As appropriate
Settings for 4:
Server type: Secondary
Hostname: cluster3-gw.example.com
IP Address, Subnet Mask, Gateway, and DNS
Servers: As appropriate
PGP Universal
3
Server 2
PGP Universal
2
Server 1
26
PGP Universal Administrator’s Guide3: Adding the PGP Universal Server to Your Network
Gateway and Internal Placement Cluster
You can have a cluster that includes both a PGP Universal Server internally placed and a
PGP Universal Server in a gateway placement managing a single mail server, but you
should carefully consider why you need both at a single location.
One good reason would be for the PGP Universal Server in gateway placement to act
exclusively as a keyserver or as a PGP Universal Web Messenger server, while the PGP
Universal Server(s) internally placed handles message processing.
The most common usage for this configuration is when you have internal MAPI clients
running PGP Universal Satellite in addition to non-MAPI clients using POP, IMAP, and
SMTP. In such a scenario, those using standards-based protocols connect to the internally
placed PGP Universal Server while the PGP Universal Server in gateway placement
ensures proper handling of PGP Universal Web Messenger and Smart Trailer messages
for the MAPI clients.
Firewall
Internet
PGP Universal
Server
Example Corp.
Email Users
Example Corp.
Internal network
Notes:
• If the same user sends messages from different locations (such as from the internal
network using a desktop computer and then from a remote location using a laptop), they
may create multiple user accounts and/or keys.
• The Primary server is internally placed, with PGP Universal Web Messenger disabled.
The Secondary server is in the DMZ, in gateway placement, with PGP Universal Web
Messenger enabled.
internally placed
Example Corp.
Email Server
Example Corp. DMZ
PGP Universal
Server
gateway pla ce d
External
Ema il Use r
27
PGP Universal Administrator’s Guide3: Adding the PGP Universal Server to Your Network
Encircled Configuration
Using PGP Universal Server in an encircled configuration is an alternative to placing two
PGP Universal Servers in a clustered internal/gateway placement, when you have internal
MAPI clients running PGP Universal Satellite in addition to non-MAPI clients using POP,
IMAP, and SMTP.
Firewall
1
Internet
PGP Universal
Server
Example Corp.
Email Use rs
Example Corp.
Internal network
internally p la ced
External
Ema il User
Example Corp.
Email Server
Example Corp. DMZ
Settings for 1:
Server type: Primary
Mail processing: Internal placement
Hostname: mail.example.com
Mail server: mail-1.example.com
IP Address, Subnet Mask, Gateway, and DNS
Servers: As appropriate
PGP Universal Web Messenger and
keyserver functionality enabled
Notes:
• Add DNS MX record that points to
mail.example.com.
•Optional: to hide internal PGP Universal
Server IP from outside, use 2nd IP in the
DMZ.
28
PGP Universal Administrator’s Guide3: Adding the PGP Universal Server to Your Network
Large Enterprise Configuration
As a large enterprise, Example Corporation has a sophisticated network that includes
multiple PGP Universal Servers that are load balanced, PGP Universal Satellite users, a
separate PGP Universal Server for PGP Universal Web Messenger and keyserver support,
and a standalone Mail Transfer Agent (MTA).
Firewall
Internet
MTA
Example Corp.
Email User
with PGP
Universal
Satellite
PGP Universal Server:
Web Messenger,
Keyserver
PGP Universal
Server 3
Example Corp.
Email User
with PGP
Universal
Satellite
Example Corp.
Internal network
Example Corp.
Email Server
Example Corp.
DMZ
F5 BIG-IP
Load Balancer
PGP Universal
Server 2
PGP Universal
Server 1
The company uses its MTA to perform static email routing and to establish rules that
govern which email messages are processed by PGP Universal Server and which are not.
Naturally, the features of the MTA being used govern what it can be used for.
PGP Corporation does not recommend any specific MTA for use with PGP Universal Server.
Caution
Make sure the MTA you decide to use is correctly configured for use with PGP Universal
Server.
29
PGP Universal Administrator’s Guide3: Adding the PGP Universal Server to Your Network
Spam Filters and PGP Universal Server
Example Corporation has both a content-based and a Realtime Blackhole List (RBL) spam
filter that it wants to use in conjunction with its PGP Universal Server. (An RBL is a list of
servers that are known to send out spam or to be open relays.)
The company is careful to locate the respective spam filters in the appropriate locations in
the logical flow of data and to configure them correctly.
PGP Universal Server internally placed
Firewall
Internet
Example
Corp.
Internal
Email User
PGP Universal Server in gateway placement
Content-
Based
Spam
Filter
PGP Universal
Server
internally placed
Mail Server
RBL-
Based
Spam
Filter
Example
Corp.
Internal
Email User
Firewall
Internet
Mail Server
Notes:
• The content-based spam filter sits between the internal email users and the PGP Universal
Server in the logical flow of data so that messages are decrypted before they are checked for
spam. This allows even PGP Universal Server–encrypted messages to be checked. Other SMTP
filtering devices (such as a standalone antivirus gateway, for example) would be placed in the
same location.
• Both spam filters must be correctly configured. For example, the content-based spam filter must
not treat the PGP Universal Server as a “trusted mail relay” to avoid creating an open relay; this
requirement could mean the spam filter must disable its reverse MX lookups feature.
• For the gateway placement scenario, the content-based spam filter must be configured on the
PGP Universal Server as a mail server. This is done on the inbound or Unified SMTP proxy.
• With an internal placement, the content-based spam filter is not filtering SMTP, only POP/IMAP,
so no special configuration on the PGP Universal Server is required.
Content-
Based
Spam
Filter
PGP Universal
Server
(externally
placed)
RBL-
Based
Spam
Filter
As an alternative configuration, Example Corporation could put both spam filters between
its PGP Universal Server and its firewall in the logical flow of data. Although PGP
Universal Server–encrypted messages would still be scanned for spam, because they
would not yet be decrypted, it is unlikely that any spam would be found.
30
PGP Universal Administrator’s Guide3: Adding the PGP Universal Server to Your Network
This alternative configuration would catch any spam that was not in a PGP Universal
Server–encrypted message, however. So it would be effective if Example Corp. assumes
that its PGP Universal Server–encrypted messages are free of spam or if another factor
requires the content-based spam filter to be in this location; for example, if the
content-based spam filter requires the use of reverse MX lookups.
If Example Corporation began receiving encrypted spam, it could relocate its content-based
Caution
spam filter to sit between its internal email users and its PGP Universal Server, or it could
add another content-based spam filter there. Because spam encryption is CPU-intensive and
therefore inefficient, it is unlikely that Example Corporation would receive any.
Exchange with PGP Client Software
Microsoft Exchange Server environments (MAPI) are supported in PGP Desktop and PGP
Universal Satellite for Windows for both internal and external PGP Universal Server users.
For more information about Microsoft Exchange Server environments and MAPI support,
refer to “MAPI Support” on page 342.
Lotus Domino Server with PGP Client Software
Lotus Domino Server environments, including the Lotus Notes email client, are supported
in PGP Desktop and PGP Universal Satellite for Windows for both internal and external
PGP Universal Server users.
For more information about Lotus Domino Server environments and Lotus Notes email
client support, refer to “Lotus Notes Support” on page 344.
31
PGP Universal Administrator’s Guide3: Adding the PGP Universal Server to Your Network
Unsupported Configurations
Not every PGP Universal Server deployment scenario is a supported configuration.
Multiple Gateway–Placed Servers
You cannot have multiple PGP Universal Servers operating in gateway placements in one
DMZ.
Firewall
Example Corp.
Email User
Example Corp.
Internal network
Logical flow
of data
Internet
Acmecorp
Email Server
PGP Universal
Server 1
Notes:
• This configuration will not work as expected because the mail server will only
route outbound email through one of the PGP Universal Servers.
PGP Universal
Server 2
Example Corp. DMZ
PGP Universal
Server 4
PGP Universal
Server 3
You can use load balancing to achieve a similar result; refer to “Gateway Cluster with
Load Balancer” on page 26 for more information.
32
PGP Universal Administrator’s Guide3: Adding the PGP Universal Server to Your Network
33
4
TCP Ports
Open Ports
This chapter lists and describes the ports a PGP Universal Server has open and on which
it is listening.
All of the protocols listed are described in the Glossary.
PortProtocol/ServiceComment
21FTP (File Transfer Protocol)Used for transmitting encrypted
backup archives to other servers. Data
is sent via passive FTP, so port 20
(FTP Data) is not used.
22Open SSH (Secure Shell)Used for remote shell access to the
server for low-level system
administration.
25SMTP (Simple Mail Transfer Protocol)Used for sending mail. With a gateway
placement, the PGP Universal Server
listens on port 25 for both incoming
and outgoing SMTP traffic
80HTTP (HyperText Transfer
Protocol)
110POP (Post Office Protocol)Used for retrieving mail by users with
143IMAP (Internet Message Access
Protocol)
389LDAP (Lightweight Directory Access
Protocol)
443HTTPS (HyperText Transfer Protocol,
Secure)
444SOAPS (Simple Object Access Protocol,
Secure)
Used to allow user access to the
Verified Directory. If the Verified
Directory is not enabled, access on
this port will automatically be
redirected to port 443 over HTTPS.
POP accounts with internal
placements only. Closed for gateway
placements.
Used for retrieving mail by users with
IMAP accounts with internal
placements only. Closed for gateway
placements.
Used to allow remote hosts to look up
public keys of local users.
Used for PGP Universal Satellite policy
distribution and PGP Universal Web
Messenger access.
Used for clustering, and
communication with PGP Desktop
installations.
34
PGP Universal Administrator’s Guide4: Open Ports
PortProtocol/ServiceComment
465SMTPS (Simple Mail Transfer Protocol,
Secure)
636LDAPS (Lightweight Directory Access
Protocol, Secure)
993IMAPS (Internet Message Access
Protocol, Secure)
995POPS (Post Office Protocol, Secure)Used for retrieving mail securely by
9000HTTPS (HyperText Transfer Protocol,
Secure)
Used for sending mail securely with
internal placements only. Closed for
gateway placements. This is a
non-standard port used only by legacy
mail servers. We recommend not
using this port, and instead always
using STARTTLS on port 25.
Used to securely allow remote hosts
to look up public keys of local users.
Used for retrieving mail securely by
users with IMAP accounts with
internal placements only. Closed for
gateway placements.
users with POP accounts with internal
placements only. Closed for gateway
placements.
Used to allow access to the PGP
Universal Server administrative
interface.
UDP Ports
PortProtocol/ServiceComment
123NTP (Network Time Protocol)Used to synchronize the system’s clock with a
reference time source on a different server.
161SNMP (Simple Network
Management Protocol)
Used by network management applications to
query the health and activities of PGP
Universal Server software and the computer
on which it is installed.
35
Naming your PGP Universal
5
Overview
Server
This appendix describes how and why to name your PGP Universal Server using the
keys.<domain> convention.
Unless a valid public key is found locally, PGP Universal Servers automatically look for
valid public keys for email recipients by attempting to contact a keyserver at a a special
hostname, keys.<domain>, where <domain> is the email domain of the recipient.
For example, let’s assume an internal user at example.com is sending email to
“susanjones@widgetcorp.com.” If no valid public key for Susan is found on the Example
Corp. PGP Universal Server (keys would be found locally if they are cached, or if Susan
was an external user who explicitly supplied her key via the PGP Universal Web
Messenger service), it will automatically look for a valid public key for Susan at
keys.widgetcorp.com, even if there is no domain policy for widgetcorp.com on Example’s
PGP Universal Server.
Naturally, the Example Corp. PGP Universal Server will only be able to find a valid public
key for “susan@widgetcorp.com” at keys.widgetcorp.com if the Widgetcorp PGP
Universal Server is named using the keys.<domain> convention.
PGP Corporation strongly recommends you name your PGP Universal Server according to
Caution
this convention, because doing so allows other PGP Universal Servers to easily find valid
public keys for email recipients in your domain. Make sure to name your externally visible
PGP Universal Server using this convention.
If your organization uses email addresses like “mingp@example.com” as well as
“mingp@corp.example.com,” then you need your PGP Universal Server to be reachable
at both keys.example.com and keys.corp.example.com.
If you have multiple PGP Universal Servers in a cluster managing an email domain, only
one of those PGP Universal Servers needs to use the keys.<domain> convention.
Keys that are found using the keys.<domain> convention are treated as valid and trusted by
Caution
default.
Alternately, keys.<domain> should be the address of a load-balancing device which then
distributes connections to your PGP Universal Server’s keyserver service. The ports that
would need to be load-balanced are the ones on which you’re running your keyserver
service (typically port 389 for LDAP and 636 for LDAPS).
Another acceptable naming convention would be to name your PGP Universal Server
according to the required naming convention your company uses, and make sure the
server has a DNS alias of keys.<domain>.com.
36
PGP Universal Administrator’s Guide5: Naming your PGP Universal Server
If you are administering multiple email domains, you should establish the keys.<domain>
convention for each email domain.
If your PGP Universal Server is behind your corporate firewall (as it should be), you will
need to make sure that ports 389 (LDAP) and 636 (LDAPS) are open to support the
keys.<domain> convention.
Configuration
There are three ways to name your PGP Universal Server to support the keys.<domain>
convention:
Name your PGP Universal Server “keys.<domain>” on the Host Name field of the
Network Setup screen in the Setup Assistant
Change the Host Name of your PGP Universal Server to keys.<domain> using the
administrative interface on the Network Settings card of the System>Network
screen
Create a DNS alias to your PGP Universal Server that uses the keys.<domain>
convention that is appropriate for your DNS server configuration
37
SECTION 3
Installing the PGP Universal
Server Software
This section describes how to install the software on your server hardware, how to set up PGP Universal Server, and
provides a description of the user interface.
Chapter 6, “Installing the PGP Universal Server”
Chapter 7, “Setting Up the PGP Universal Server”
Chapter 8, “Understanding the Administrative Interface”
Chapter 9, “Licensing Your Software”
Chapter 10, “Operating in Learn Mode”
Chapter 11, “The System Overview Screen”
Installing the PGP Universal
6
Server
This chapter tells you how to set up your PGP Universal Server; it lists the system
requirements and tells you how to install the software. Topics include:
“About the Installation Procedure”
“System Requirements” on page 39
“Installation Materials” on page 40
“Installation Options” on page 40
“Standard Installation Procedure” on page 40
“PGP Installation Procedure” on page 41
Refer to “Installation Overview” on page 11 for an overview of the entire installation
procedure.
About the Installation Procedure
You should install and test the upgrade in a lab or staging environment before integrating
the upgrade into your network.
Every PGP Universal Server requires a dedicated computer that meets the system
requirements listed below. The installation process deletes all data on the system and
reconfigures it as a PGP Universal Server.
Make sure there is no data on the system that you need to save before you begin the
Caution
installation process.
The installation software is included on the Server Installation CD. PGP Universal Server
also includes a second CD with documentation, software license, PGP Universal Satellite
and PGP Desktop software installers, necessary USB token drivers, and Release Notes.
PGP Corporation strongly recommends locating your PGP Universal Servers in secured areas
Caution
with restricted access. Only authorized individuals should be granted physical access to PGP
Universal Servers.
System Requirements
Refer to the Release Notes for the latest system requirement information.
39
PGP Universal Administrator’s Guide6: Installing the PGP Universal Server
You must install the PGP Universal Server software on PGP Universal Server Certified
Hardware. You can find the latest PGP Universal Server Certified Hardware List available
on PGP Corporation's website (www.pgp.com).
Installation Materials
PGP Universal Server is distributed on two CDs. One CD contains the installer. Use this
CD to install the server on PGP Universal Server Certified Hardware. The other CD
contains documentation, PGP Universal Satellite and PGP Desktop software installers,
and the necessary USB token drivers to initialize PGP Universal Server Ignition Keys.
Installation Options
When you insert the installation CD and reboot the server, you can choose a standard or
pgp installation.
If you choose to run a standard installation, during installation you will be asked to provide
the following information for the PGP Universal Server:
IP address
Subnet mask
Default gateway
DNS information
Hostname
Refer to “Standard Installation Procedure” on page 40.
If you provide the network information during installation, you will not have to enter it into
the Setup Assistant interface later in the configuration procedure. The standard
installation also simplifies the steps necessary to connect to the PGP Universal Server
during setup.
If you choose to run a pgp installation, you will enter network information after the
installation process, through the browser-based Setup Assistant. Refer to “PGP
Installation Procedure” on page 41. The pgp installation, while simpler initially, requires a
more complicated procedure to connect and continue setting up your PGP Universal
Server.
Standard Installation Procedure
To install the PGP Universal Server software using the standard installation:
1Set up the system that will be hosting the server in a secure location.
40
PGP Universal Administrator’s Guide6: Installing the PGP Universal Server
2Attach a keyboard and monitor to the server on which you are installing PGP
Universal Server.
3Insert the PGP Universal Server Installation CD into the drive.
4Reboot the system.
When the system reboots, the install begins.
5At the prompt, press Enter.
The pre-installation will run for approximately 2 minutes.
The Network Configurations screen will appear.
6Enter the IP address and Netmask for the PGP Universal Server, and select OK.
The Miscellaneous Network Settings screen appears.
7Enter the Gateway, Primary DNS, Secondary DNS, and an optional Tertiary DNS, and
select OK.
The Hostname Configuration screen appears.
8Enter the Hostname for the PGP Universal Server, and select OK.
PGP Corporation strongly recommends you name your externally visible PGP
Universal Server according to the keys.<domain> convention, which allows other
PGP Universal Servers to easily find valid public keys for email recipients in your
domain. Refer to Chapter 5, “Naming your PGP Universal Server” for more
information.
Installation will take approximately 15 minutes.
When the software is installed, the system will automatically reboot. After the
system reboots, you will see a login prompt. Do not log in here. You will not need to
log in to complete the setup.
9Connect to the server through the Setup Assistant browser interface at https://
<hostname>:9000 or https://<IP address>:9000. See Chapter 7, “Initial
Configuration with Setup Assistant” to continue with the installation and setup.
PGP Installation Procedure
To install the PGP Universal Server software using the pgp option:
1Set up the system that will be hosting the server in a secure location.
2Attach a keyboard and monitor to the server on which you are installing PGP
Universal Server.
3Insert the PGP Universal Server Installation CD into the drive.
4Reboot the system.
41
PGP Universal Administrator’s Guide6: Installing the PGP Universal Server
When the system reboots, the install begins.
5Ty p e pgp at the prompt and press Enter at the first installation screen to choose the
pgp installation.
The pre-installation will run for approximately 2 minutes.
Installation will take approximately 15 minutes.
When the software is installed, the system will automatically reboot. After the
system reboots, you will see the prompt “pgpuniversal login.” Do not log in here.
You will not need to log in to complete the setup.
6Connect to the server through the Setup Assistant browser interface. See
“Preparing for Setup after pgp Install” on page 44 to continue with the installation
and setup.
42
Setting Up the PGP Universal
7
Server
This chapter describes how to access and use the Setup Assistant, which is a set of
screens you use to configure your PGP Universal Server. Topics include:
“About the Setup Assistant”
“Preparing for Setup after pgp Install” on page 44
“Initial Configuration with Setup Assistant” on page 45
“Primary or Secondary Configuration” on page 51
“Restoring From a Server Backup” on page 61
“Migrating the Keys from a PGP Keyserver” on page 61
Refer to “Installation Overview” on page 11 for an overview of the entire installation
procedure.
About the Setup Assistant
The Setup Assistant only appears the first time you access the PGP Universal Server. The
Setup Assistant displays a series of screens that ask you questions about your network
and about how you want your PGP Universal Server to work; the Setup Assistant uses the
answers to those questions to configure your PGP Universal Server.
In many cases, the Setup Assistant will do the majority of the configuration for your PGP
Universal Server. You can change any settings you establish with the Setup Assistant
anytime after you run it using the administrative interface of the PGP Universal Server;
you can also use the administrative interface to configure those features not covered in
the Setup Assistant.
The Setup Assistant supports four types of setups:
Primary. You are configuring a PGP Universal Server that will be your only PGP
Universal Server or the Primary server in a cluster.
Secondary. You are configuring a PGP Universal Server that will be a Secondary
server in a cluster. You must have already set up the Primary server in the cluster or
this setup will not work.
Restore. You are restoring backed-up data from another PGP Universal Server onto a
new PGP Universal Server. You will need the backed-up data file and the
Organization Key used to encrypt the backup file.
Refer to the PGP Universal Server Upgrade Guide for more information about
configuring a PGP Universal Server with data from a backup.
Keyserver. You are migrating the keys and data from a PGP Keyserver to a PGP
Universal Server.
43
PGP Universal Administrator’s Guide7: Setting Up the PGP Universal Server
Refer to the PGP Universal Server Upgrade Guide for more information about
configuring a PGP Universal Server with the keys from a PGP Keyserver.
All four setup types have a common beginning: you read the End User License
Agreement, specify the type of setup, and configure the network settings for your PGP
Universal Server, then the PGP Universal Server is restarted. Once the PGP Universal
Server is restarted, you can connect to it via a Web browser and continue with the rest of
the Setup Assistant.
Preparing for Setup after pgp Install
If you chose the standard installation option, you can skip this procedure and refer to
“Initial Configuration with Setup Assistant” on page 45. If you chose the pgp installation,
you must gather some necessary materials and information before you can continue with
the setup.
Hardware
To configure your PGP Universal Server using the Setup Assistant, you need to have the
following:
A Windows or Mac OS X computer from which you will connect to the PGP
A crossover Ethernet cable to connect a Windows or Mac OS X computer to the PGP
System Information
You will also need some information to configure your PGP Universal Server:
Connect through the temporary IP address and subnet of the newly installed PGP
An IP address, name, gateway, and DNS server information for the PGP Universal
A license or license authorization from PGP Corporation. Which one you need
Universal Server using a Web browser so that you can run the Setup Assistant.
Universal Server.
Universal Server, which will be used for the initial configuration portion of the Setup
Assistant:
IP: 192.168.1.100:9000
Subnet: 255.255.255.0
You will use this data to connect to the PGP Universal Server you are configuring in
the initial configuration portion of the Setup Assistant, before the PGP Universal
Server is available via a Web browser.
Server.
depends on your Internet connection:
– If your PGP Universal Server can connect to the PGP Licensing Server over the
Internet, the license server will authorize your PGP Universal Server license.
44
PGP Universal Administrator’s Guide7: Setting Up the PGP Universal Server
– If your PGP Universal Server cannot connect to the PGP Licensing Server over
the Internet, you will need the License Authorization file to correctly license your
PGP Universal Server. The License Authorization file is a text file you will need
during the configuration process.
Other data, such as your Organization Key or a saved backup, may also be needed,
depending on the type of setup you are performing.
Connect to the PGP Universal Server
Connect to the PGP Universal Server to continue the installation and setup. Configure the
client machine with a fixed IP address and access the PGP Universal Server from this
machine.
You will need a crossover Ethernet cable when connecting the PGP Universal Server.
1Configure the client machine:
IP: 192.168.1.99
Subnet: 255.255.255.0
If you are using a Mac OS X client machine, you can save this temporary setup as a
separate location in Network Preferences (such as “setup”) for future use.
2Continue setup as described in the section “Initial Configuration with Setup
Assistant” on page 45.
Initial Configuration with Setup Assistant
The Setup Assistant guides you through establishing the PGP Universal Server’s network
configuration and setup type.
After the software installs and the server restart, you can connect to the PGP Universal
Server via a Web browser at the configured IP address and finish running the Setup
Assistant.
1Open a Web browser and connect to the PGP Universal Server:
– If you chose the standard installation, connect to https://<hostname>:9000,
using the hostname or IP address you assigned to the PGP Universal Server.
– If you chose the pgp installation, and you are using a client machine with a fixed
IP address, connect to https://192.168.1.100:9000, as explained in the section
“Preparing for Setup after pgp Install” on page 44.
The Welcome screen of the Setup Assistant appears.
45
PGP Universal Administrator’s Guide7: Setting Up the PGP Universal Server
2Read the text, then click the Forward arrow to continue.
The End User License Agreement screen appears.
3Read the text of the License Agreement, then click the I Agree button at the end of
the agreement.
The Setup Type screen appears.
46
PGP Universal Administrator’s Guide7: Setting Up the PGP Universal Server
4Make the appropriate selection:
– Select Primary if you want this to be the Primary PGP Universal Server in a
cluster or if this is the only PGP Universal Server in your network.
– Select Secondary if this is a Secondary PGP Universal Server in a cluster
(secondary servers synchronize their settings with the Primary).
If you are setting up a cluster of PGP Universal Servers, you must configure the
Primary first, then the Secondary servers. Refer to Chapter 45, “Clustering your
PGP Universal Servers” for more information.
If you are upgrading a Secondary cluster member, you will need to recreate
certain settings manually after installation and setup. Follow the procedure in the
PGP Universal Server Upgrade Guide for more details.
– Select Restore if you want to restore the data from a server backup. You will
need your Organization Key and access to the backup file to proceed with this
installation. Refer to the PGP Universal Server Upgrade Guide for more
information.
– Select Keyserver if you want to migrate the keys on an existing PGP Keyserver
to the PGP Universal Server you are configuring. See the PGP Universal Server Upgrade Guide for more information.
5Click the Forward arrow to continue.
The Date & Time screen appears.
47
PGP Universal Administrator’s Guide7: Setting Up the PGP Universal Server
Your server preforms many time-based operations, so it is important to set up the
correct time.
6Pull down the Time Zone drop-down list and select your location.
7Choose Time Format and Date Format settings.
8Set the correct Time and Date.
9Optionally, specify an NTP time server in the NTP Server field. The PGP Universal
Server will automatically synchronize the time when the Setup Assistant is finished.
10Click the Forward arrow to continue.
The Network Setup screen appears.
48
PGP Universal Administrator’s Guide7: Setting Up the PGP Universal Server
11If you chose the standard installation, this information is already present. Otherwise,
enter the appropriate information:
– In the Hostname field, enter a name for this PGP Universal Server. This must be
a fully-qualified domain name of the external, untrusted interface.
PGP Corporation strongly recommends you name your externally visible PGP
Universal Server according to the keys.<domain> convention, which allows
other PGP Universal Servers to easily find valid public keys for email recipients in
your domain.
For example, Example Corporation names its externally visible PGP Universal
Server “keys.example.com.” Refer to Chapter 5, “Naming your PGP Universal
Server” for more information.
aIn the IP Address field, enter an IP address for this PGP Universal Server.
bIn the Subnet Mask field, enter a subnet mask for this PGP Universal Server.
cIn the Gateway field, enter the IP address of the default gateway for the
network.
dIn the DNS Servers field, enter the IP address(es) of the DNS servers for your
network.
12Click the Forward arrow to continue.
The Confirmation screen appears.
49
PGP Universal Administrator’s Guide7: Setting Up the PGP Universal Server
13Make sure the information is correct, then click Done.
Click the Back arrow if you need to go back and make any changes.
The Network Configuration Changed dialog appears, while the server restarts
automatically.
If you chose the standard installation, skip step 14 and go on to the next section.
If you chose the pgp installation, go on to the next step. At this point, your PGP
Universal Server has accepted the new network settings you entered, so you can
disconnect the temporary setup.
14Disconnect the cable between the client machine and the PGP Universal Server,
return the settings of the client machine back to what they were, connect the two
machines back to the original network, and continue with the Setup Assistant.
50
PGP Universal Administrator’s Guide7: Setting Up the PGP Universal Server
Primary or Secondary Configuration
If you selected a Primary or Secondary configuration for the PGP Universal Server you are
configuring with the Setup Assistant, the Licensing screen appears automatically.
1Enter your PGP Universal Server license information, then click the Forward arrow.
If your PGP Universal Server has an active connection to the Internet, the PGP
Universal Server license will be authorized.
2If your PGP Universal Server does not have an active connection to the Internet, for
example because it is behind a proxy server, your license authorization will be
needed; click Manual.
The Manual Licensing screen appears.
3If you want to license your PGP Universal Server at a later time, click Skip, and go on
to step 9.
51
PGP Universal Administrator’s Guide7: Setting Up the PGP Universal Server
4Enter the appropriate license information, paste your license authorization
information in the License Authorization box, then click the Forward arrow.
5If you want to license your PGP Universal Server at a later time, click Skip.
If your PGP Universal Server license supports the Symantec AntiVirus option, the
AntiVirus screen appears. See Chapter 9, “Licensing Your Software” for more
information on AntiVirus licensing.
52
PGP Universal Administrator’s Guide7: Setting Up the PGP Universal Server
6Enter your Symantec AntiVirus serial number in the Serial Number field.
Click Skip to continue with the Setup Assistant without licensing the AntiVirus
feature.
7In the License File field, locate your Symantec license file using the Choose File
button or paste the contents of your Symantec license file into the License
Contents box.
8Click the Forward arrow to continue.
The Administrator Name & Passphrase screen appears.
53
PGP Universal Administrator’s Guide7: Setting Up the PGP Universal Server
9In the Login Name field, enter the administrator’s login name.
10In the Passphrase field, enter the administrator’s passphrase.
11In the Confirm field, re-enter the same passphrase.
12In the Email Address field, enter the administrator’s email address. This is optional
and enables the administrator to receive a daily status email.
13Click the Forward arrow to continue.
The Mail Processing screen appears.
54
PGP Universal Administrator’s Guide7: Setting Up the PGP Universal Server
14Specify the placement of this PGP Universal Server in your network:
– Select Gateway Placement if your PGP Universal Server is logically located
between your mail server and the Internet.
– Select Internal Placement if your PGP Universal Server is logically located
between your email users and your mail server, or if your PGP Universal Server
is out of the mailstream.
15Click the Forward arrow to continue.
The Mail Server Selection screen appears.
55
PGP Universal Administrator’s Guide7: Setting Up the PGP Universal Server
16In the Mail Server field, enter the hostname or IP address of the mail server that this
PGP Universal Server will be interacting with.
17In the Proxy Server field, enter an optional additional mail server to which all
outbound mail will be sent. This only applies if you are installing your PGP Universal
server in gateway placement.
18In the Primary Domain field, enter the email domain that the PGP Universal Server
is going to be managing.
19Click the Forward arrow to continue.
The Directory Server screen appears.
56
PGP Universal Administrator’s Guide7: Setting Up the PGP Universal Server
.
20In the Directory Server field, enter the hostname or IP address of your corporate
LDAP directory so that PGP Universal Server can synchronize user information with
that LDAP directory.
By default, PGP Universal Server adds your LDAP directory as an Active Directory. If
your directory is OpenLDAP-based, when you log in for the first time after setup, go
to Policy>Internal User Policy, click Directory Synchronization, and select the correct
LDAP directory type from the drop-down menu. Refer to “Enabling Directory
Synchronization” on page 228 for more information.
Using a directory server is optional. If you do not have one on your network or do not
wish to use one, leave the Directory Server field empty and click Skip to continue
with the Setup Assistant.
21Click the Forward arrow to continue.
The Ignition Keys screen appears.
57
PGP Universal Administrator’s Guide7: Setting Up the PGP Universal Server
Ignition Keys protect the data on your PGP Universal Server if an unauthorized
person gets control of it. If you want to use a hardware Ignition Key, you will need to
prepare the token before you add it to the system here. See Chapter 46, “Protecting
PGP Universal Server with Ignition Keys” for information on how to prepare a
hardware token Ignition Key.
22Select the type of Ignition Key you would like to use, then click the Forward arrow.
Click Skip to proceed with the Setup Assistant without configuring an Ignition Key.
The appropriate Ignition Key screen appears. The Passphrase Ignition Key screen is
shown here.
58
PGP Universal Administrator’s Guide7: Setting Up the PGP Universal Server
23Enter a name for the Ignition Key, a passphrase, confirm the passphrase, then click
the Forward arrow.
The Backup Organization Key screen appears.
59
PGP Universal Administrator’s Guide7: Setting Up the PGP Universal Server
The PGP Universal Server generates an Organization Key for you. If you want to
generate an S/MIME Organization Certificate, you should do so immediately after
finishing setup. Refer to Chapter 12, “Managing Organization Keys” for information
about the Organization Key and Organization Certificate.
24If desired, enter the passphrase that will protect the Organization Key (this is
optional, but highly recommended), then click Backup Key to back up the key. Be
aware that without a backup of your Organization Key, you will not be able to restore
your PGP Universal Server from backed-up data.
To skip backing up your Organization Key (not recommended), click Forward without
backing up the key.
25Click the Forward arrow to continue.
The Confirmation screen appears.
This screen summarizes the configuration of your PGP Universal Server.
26Click Done to finish setup.
The Configuration Changed screen appears, and the server restarts automatically.
60
PGP Universal Administrator’s Guide7: Setting Up the PGP Universal Server
You will be redirected to the administrative interface of the PGP Universal Server you
just configured.
Your PGP Universal Server is initially configured in Learn Mode. Refer to Chapter 10,
“Operating in Learn Mode” for more information about Learn Mode.
Restoring From a Server Backup
To configure a PGP Universal Server with the data from the backup, you need to have
both the appropriate backup file and the Organization Key on the setup machine.
Restoring from a backup restores everything configured, including proxy and policy
settings, as well as keys and user information.
Refer to the PGP Universal Server Upgrade Guide for complete information about how to
configure a PGP Universal Server with the data from a backup.
Migrating the Keys from a PGP Keyserver
The process that allows you to migrate the keys on a PGP Keyserver to a PGP Universal
Server includes two steps: getting the keys out of the PGP Keyserver into a format that
can be imported into a PGP Universal Server and then using the Setup Assistant to
configure a PGP Universal Server and add the PGP keys from the PGP Keyserver.
Refer to the PGP Universal Server Upgrade Guide for complete information about
migrating PGP keys from a PGP Keyserver to a PGP Universal Server.
You can find more information online about moving to PGP Universal Server at the
Caution
PGP Corporation website. The latest version of that document is always available at
www.pgp.com/products/upgrade/index.html.
61
PGP Universal Administrator’s Guide7: Setting Up the PGP Universal Server
62
Understanding the Administrative
8
Interface
This chapter tells you about the PGP Universal Server’s Web-based administrative
interface: it lists the following:
“System Requirements”
“Logging In”
“Administrative Interface Map” on page 66
“Icons” on page 67
System Requirements
The PGP Universal Server administrative interface has been fully tested with the following
Web browsers:
Windows: Internet Explorer 6, Mozilla Firefox 1.0 (or greater)
Mac OS X: Safari 1.0 (or greater), Mozilla Firefox 1.0 (or greater)
Logging In
While you may find that the administrative interface works with other Web browsers, we
recommend these browsers for maximum compatibility.
The login name and password for the administrative interface were originally established
when you configured the server using the Setup Assistant.
To log in to your server’s administrative interface:
1In a Web browser, enter https://<domain name of server>:9000/ and press Enter.
If you see a Security Alert dialog relating to the security certificate, it means you need to
Caution
replace the self-signed certificate created automatically with a certificate from a public
Certificate Authority.
The Login screen appears.
63
PGP Universal Administrator’s Guide8: Understanding the Administrative Interface
2Enter the current login name in the Username field.
3Enter the current passphrase in the Passphrase field.
4Click the Login button or press Enter.
The System Overview screen is the first screen you see when you log on to PGP
Universal Server. You can also view it from Reporting>Overview.
64
PGP Universal Administrator’s Guide8: Understanding the Administrative Interface
The screen provides a general report of system information and statistics. The
information displayed includes:
System graphs for CPU usage and message activity. Click the buttons to switch the
graphs. See Chapter 40, “System Graphs” for more information about system
graphs.
Services information, including which services are running or stopped.
Statistics, including software version number, system uptime, and total messages
processed.
Number of users in each user policy group.
Number of email messages in the queue waiting to be processed, if applicable.
AntiVirus information, if licensed, including Symantec AntiVirus version, date of
latest virus definitions, number of viruses found and repaired, and number of scan
requests.
Number of messages in the mail queue.
Click Refresh (at the top of the System Overview screen) to refresh the information.
Logging In For the First Time
The first time you log in to the PGP Universal Server, you will see a welcome dialog. The
welcome dialog provides access to tutorials and documentation. You can choose to have
the welcome dialog appear every time you log in.
What’s New—Lists the new features in PGP Universal Server 2.6.
Mail Policy Diagram—Provides a graphical representation of how email is
processed through mail policy.
PGP Universal Upgrade Guide—Provides instructions on how to migrate PGP
Keyserver data, how to upgrade your PGP Universal Server, and how version 2.0.6
settings migrate into the 2.6 environment.
Tu t o r i a l s —Provides animated introductions on how to manage the mail policy
feature in PGP Universal Server, and how upgraded PGP Universal Server settings
migrate into the new mail policy feature.
You can also access all the documentation and tutorials by clicking the online help icon in
the upper right corner of the PGP Universal Server screen.
65
PGP Universal Administrator’s Guide8: Understanding the Administrative Interface
Administrative Interface Map
The administrative interface is organized as follows:
SectionsScreens
ReportingOverview
Graphs
Logs
PolicyMail Policy
Internal User Policy
External User Policy
Dictionaries
Servers
UsersInternal
External
Verified Directory (If enabled)
Administrators
MailProxies
AntiVirus*
File Blocking*
Mail Queue
Mail Routes
Message Templates
OrganizationOrganization Keys
Trusted Keys
Managed Domains
ServicesWeb Messenger
Keyserver
SNMP
Verified Directory
SystemGeneral Settings
Backups
Updates
Network
Clustering
Ignition Keys
Key Cache
* Requires a PGP Universal Server license that supports these features.
66
PGP Universal Administrator’s Guide8: Understanding the Administrative Interface
Icons
The administrative interface uses the following icons.
TypeIconDescription
Actions
Add
Remove
Connect
Delete
Clear Search
Install/Export
Reinstall/Regenerate
Restore
Revoke
Forward
67
Back
First
Last
Move priority up
Move priority down
Closed Action
Opened Action
PGP Universal Administrator’s Guide8: Understanding the Administrative Interface
TypeIconDescription
Help
Update software
Print
Users
Internal user
Administrative user
Disabled user
Internal user, revoked
Expired internal user
External user, revoked
External user
External user, pending
Expired external user
Directory user
Expired directory user
Directory user, pending
Keys and
Certificates
Key
Key, expired
Key, revoked
Key reconstruction
68
PGP Universal Administrator’s Guide8: Understanding the Administrative Interface
TypeIconDescription
Whole Disk Recovery Token
Keypair
Keypair, expired
Keypair, revoked
Certificate
Expired certificate
Revoked certificate
Expired certificate pair
Certificate pair
Revoked certificate pair
ADK (Additional Decryption Key)
Organization Key
Verified Directory Key
Mail Policy
Default policy chain
Policy chain
Policy rul e
Dictionary term
Excluded address
Pending excluded address
69
PGP Universal Administrator’s Guide8: Understanding the Administrative Interface
TypeIconDescription
Keyserver
Default keyserver
User Policy
Default internal user policy
Excluded internal user policy
External user policy
Internal user policy
Backup
Backup successful
Backup pending
Backup failed
Update
Successful install
Update ready to be installed
Failed install
Clustering
Cluster
Active cluster
Inactive cluster
Logs
Info
Notice
Warning
Error
70
PGP Universal Administrator’s Guide8: Understanding the Administrative Interface
TypeIconDescription
Miscellaneous
Domain
Mail proxy (SMTP, POP, IMAP)
Inbound mailserver
Outbound mailserver
SMTP server
Mail route
Network interface
Learn mode
Access control enabled
71
PGP Universal Administrator’s Guide8: Understanding the Administrative Interface
72
9
Licensing Your Software
This chapter tells you about how to license your PGP Universal Server.
Topics include:
“Over view”
“License Changes for PGP Universal Server 2.5 and Later” on page 74
“Manual and Automatic Licensing” on page 75
“Licensing a PGP Universal Server” on page 75
“Licensing the AntiVirus Feature” on page 75
“Licensing the File Blocking Feature” on page 75
“Licensing the Mail Proxy Feature” on page 75
Overview
Your PGP Universal Server must have a valid license to be taken out of Learn Mode. In
other words, without a valid license, your PGP Universal Server will never encrypt or sign
any email messages.
If you licensed your PGP Universal Server using the Setup Assistant, you do not have to
license it again. If you did not, then you can license it at any time afterwards using the
administrative interface.
Some of the features available on the PGP Universal Server can only be used if you have
the appropriate license. These features include:
Email proxying
Virus scanning
File blocking
To enable mail proxying, you must have a Gateway Email license. The PGP Universal
Server can provide security for email messaging by inserting itself into the flow of email
traffic in your network, intercepting, or proxying, that traffic, and processing it (encrypt,
sign, decrypt, verify) based on the applicable policies.
You also have the option of licensing the Symantec AntiVirus™
either while using the Setup Assistant or later using the administrative interface.
Scan Engine feature,
73
PGP Universal Administrator’s Guide9: Licensing Your Software
To license the Symantec AntiVirus feature, you will need both a license from PGP
Corporation that includes support for the Symantec AntiVirus feature (this license is
different from the standard PGP Universal Server license, which does not activate the
Symantec AntiVirus feature) and a license from Symantec to enable virus scanning and
LiveUpdate.
You should have received a Symantec AntiVirus serial number when you purchased your
PGP Universal Server. Register that serial number with Symantec at http://
licensing.symantec.com, and Symantec will email you a license file to enter through the
Setup Assistant, or later through the AntiVirus interface.
If you have a license for the Symantec AntiVirus feature, you can also enable the File
Blocking feature. File Blocking lets you block attachments that match any of the
filenames you specify. For example, if a new virus application appears, you can quickly
prevent it from entering your network using File Blocking.
License Changes for PGP Universal Server 2.5 and Later
The PGP Universal Server product line has been updated. The PGP Universal Server 100/
200/500 family has been replaced with more flexible options. When you upgrade to PGP
Universal Server 2.5 and later, your options are preserved but your license has been
renamed. The following table explains how your previous PGP Universal Server license
has changed:
2.0/9.0 License2.6/9.6 License
PGP Whole Disk Encryption for Enterprises 9.0PGP Universal Server 2.6 and PGP Whole Disk Encryption
9.6
PGP Universal Server 100 Gateway Email PGP Universal Server 2.6 with PGP Gateway Email 2.6
PGP Universal Server 200 with PGP Desktop 9.0 PGP Universal Server 2.6 and PGP Desktop Email 9.6
PGP Universal Server 200 with PGP Desktop 9.0
and PGP Whole Disk Encryption
PGP Universal Server 500 Gateway Mail with
PGP Desktop 9.0
PGP Universal Server 500 with PGP Desktop 9.0
and PGP Whole Disk Encryption
PGP Universal Server 500 with PGP Whole Disk
Encryption
PGP Universal Server is no longer being bundled with PGP Desktop. PGP Universal Server
functions as a management console for a variety of encryption solutions. You can
purchase any of the PGP Desktop applications or bundles and use PGP Universal Server
to create and manage client installations. You can also purchase a license that enables
PGP Gateway Email to encrypt email in the mailstream.
PGP Universal Server 2.6 and PGP Desktop Professional 9.6
PGP Universal Server 2.6 with PGP Gateway Email 2.6, and
PGP Gateway Email 2.6, and PGP Desktop Mail 9.6
PGP Universal Server 2.6 with PGP Gateway Email 2.6 and
PGP Whole Disk Encryption 9.6
PGP Universal Server 2.6 with PGP Gateway Email 2.6 and
PGP Desktop Professional 9.6
74
PGP Universal Administrator’s Guide9: Licensing Your Software
Manual and Automatic Licensing
When you enter your license number, the PGP Universal Server will contact PGP
Corporation’s authorization servers to automatically authorize the license number. If your
PGP Universal Server does not have an active connection to the Internet, you must
contact PGP Support to acquire a manual authorization block.
The PGP Universal Server must not be behind a proxy server, unless it is a transparent proxy,
Caution
to receive licensing information automatically. If the PGP Universal Server is behind a proxy
server, you will need to use manual license authorization.
Licensing a PGP Universal Server
Refer to “Licensing a PGP Universal Server” on page 368 for information about how to
license a PGP Universal Server using the administrative interface.
Licensing the AntiVirus Feature
Refer to “AntiVirus Licensing” on page 170 for information about how to license the
AntiVirus feature.
Licensing the File Blocking Feature
Refer to Chapter 21, “Blocking Files” for information about how to license the File
Blocking feature.
Licensing the Mail Proxy Feature
You must have a PGP Universal Gateway Email license or you will not be able to use the
Mail Proxies feature on the administrative interface. Refer to Chapter 22, “Configuring
Mail Proxies” for information about the Mail Proxies feature.
75
PGP Universal Administrator’s Guide9: Licensing Your Software
76
10
Operating in Learn Mode
This chapter describes Learn Mode. When you finish configuring a PGP Universal Server
using the Setup Assistant, it begins operation in Learn Mode.
In this mode, PGP Universal Servers with PGP Gateway Email proxy traffic normally but
do not encrypt or sign any messages. PGP Universal Satellite also will not encrypt and
sign mail when the PGP Universal Server is in Learn Mode.
You must license a PGP Universal Server before you can take it out of Learn Mode.
Caution
Topics include:
“Purpose of Learn Mode”
“Checking the Logs” on page 78
“Managing Learn Mode” on page 78
Purpose of Learn Mode
Learn Mode has three purposes:
It gives you a chance to see (by examining the logs) how the policies you established
would affect email traffic if they were implemented.
It allows the PGP Universal Server a chance to build its SMSA (creating keys for
authenticated users, for example) so that when the server goes live—when Learn
Mode is turned off—the server can immediately begin securing messages.
It provides the PGP Universal Server a chance to identify mailing lists your users
send messages to and add those mailing list addresses to the dictionaries of
Excluded Email Addresses. It does this because you normally do not want to send
encrypted messages to a mailing list.
PGP Universal Server decrypts and verifies incoming email while operating in Learn
Mode.
PGP Universal Server still automatically detects mailing lists when Learn Mode is off,
but unless the addresses were retrieved via the Directory Synchronization feature,
they will require approval from the PGP Universal Server administrator to be added to
the list of excluded email addresses. Refer to Chapter 17, “Using Dictionaries with
Policy” for more information.
Mailing lists are identified per RFC 2919, List-Id: A Structured Field and Namespace
for the Identification of Mailing Lists, as well as by using default exclusion rules.
77
PGP Universal Administrator’s Guide10: Operating in Learn Mode
Checking the Logs
The effects of your policies can be checked while Learn Mode is on, even though the
server isn’t actually encrypting or signing messages.
To check the server’s logs:
1Access the administrative interface for the server.
The administrative interface appears.
2Click Reporting, then Logs.
The System Logs card appears.
3Check the logs to see what effect your policies are having on email traffic.
Managing Learn Mode
A PGP Universal Server is put into Learn Mode by the Setup Assistant. If your server is in
learn mode, you will see a yellow icon, the Change Mode button, in the upper right
corner of your browser screen.
To turn Learn Mode off:
1Access the administrative interface for the server.
The administrative interface appears.
2Click the Change Mode button in the upper right corner of the screen.
The Mail Processing Settings dialog appears.
78
PGP Universal Administrator’s Guide10: Operating in Learn Mode
3Clear the checkbox next to Operate in Learn Mode.
4Click the Save button.
Learn Mode is turned off.
To turn Learn Mode on:
1Access the administrative interface for the server.
The administrative interface appears.
2Click the Change Mode button in the upper right corner of the screen.
The Mail Processing Settings dialog appears.
3Put a check in the checkbox next to Operate in Learn Mode.
4Click the Save button.
Learn Mode is turned on.
79
PGP Universal Administrator’s Guide10: Operating in Learn Mode
80
SECTION 4
Organization Information
This section describes how to manage the information that forms the basis of your Self-Managing Security
Architecture, including your managed domains and your Organization Key. The section also describes options for
recovering encrypted data.
Chapter 11, “Managed Domains”
Chapter 12, “Managing Organization Keys”
Chapter 13, “Managing Trusted Keys and Certificates”
Chapter 14, “Recovering Encrypted Data in an Enterprise Environment”
11
Overview
Managed Domains
This chapter describes how to create and manage the internal domains for which your
PGP Universal Server will protect email messages.
Topics in this chapter include:
“Over view”
“Working with Managed Domains” on page 83
The Managed Domains card gives you control over the domains for which the PGP
Universal Server is handling email.
The Managed Domains card only appears on the administrative interface for Primary server
Caution
in a cluster; it is not shown on Secondary servers.
Email users from domains being managed by your server are called “internal users.”
Conversely, email users from domains not being managed by your server but who are
part of the SMSA are called “external users.”
For example, if your company is “Example Corporation,” you could have the domain
“example.com” and your employees would have email addresses something like
“jsmith@example.com.”
If this were the case, you would want to establish “example.com” as a domain to be
managed by your server. You use the Managed Domains card to do that.
Managed domains automatically include sub-domains, so in the example above, users
such as “mingp@corp.example.com” would also be considered internal users. Multi-level
domain structures as used by some countries are also acceptable: for example, the
domain “example.co.uk.”
The Managed Domains card accepts only Internet DNS domain names. WINS names (for
example, \\EXAMPLE) and Notes domains (O=notes6@notes6) do not belong here.
Mail to and from your managed domains is processed according to your mail policy. You
can also create mail policy rules specifically for your managed domains. See Chapter 15,
“Setting Mail Policy” for more information on creating mail policies.
Managed domains entered on the Managed Domains card populate the Managed
Domains dictionary. The dynamic Managed Domains dictionary automatically includes
subdomains. See Chapter 17, “Using Dictionaries with Policy” for more information on
dictionaries.
Working with Managed Domains
Adding Managed Domains
To add a domain to the list of managed domains:
1Click Add Managed Domain.
The Add Managed Domain dialog appears.
2Enter a domain name in the Domain field.
Do not enter WINS names (for example, \\EXAMPLE) and Notes domains
(O=notes6@notes6) here. Enter only Internet DNS domain names.
3Click Save.
Deleting Managed Domains
If you delete a managed domain, all the user IDs within that domain will remain in the
system. Users will still be able to encrypt and sign messages with their keys.
To remove a domain name already on the list of managed domains:
1Click the icon in the Delete column of the domain you want to remove from the list.
A confirmation dialog appears.
2Click OK.
The confirmation dialog disappears and the selected domain name is removed from
the list of managed domains.
83
12
Overview
Managing Organization Keys
This chapter describes the various keys and certificates you can configure and use with
your PGP Universal Server.
Topics in this chapter include:
“Over view”
“Organization Key” on page 84
“Organization Certificate” on page 88
“Additional Decryption Key (ADK)” on page 93
“Verified Directory Key” on page 95
There are multiple keys and certificates you can use with your PGP Universal Server:
Organization Key. Used to sign all user keys the PGP Universal Server creates and
Organization Certificate. Required to support S/MIME environments.
Additional Decryption Key (ADK). Used to reconstruct messages if the recipient is
Verified Directory Key. Used to sign keys submitted to the PGP Verified Directory
The Organization Keys card gives you access to all of these.
Organization Key
Your Organization Key is used to sign all user keys the PGP Universal Server creates and
to encrypt server backups. The Organization Key is what was referred to as the Corporate
Key in the old PGP Keyserver environment.
to encrypt server backups.
unable or unwilling to do so. Every message encrypted to an external recipient by an
internal user is also encrypted to the ADK, allowing the PGP administrator to decrypt
any message sent by internal users, if required to do so by regulations or security
policy.
by external users.
Yo u must make a backup of your Organization Key, in case of a problem with the server.
Caution
That way, you can restore your server from a backup using the backup Organization Key.
Each PGP Universal Server is pre-configured with a unique Organization Key generated by
the Setup Assistant. If you would like to use different settings for this key, you may
regenerate the key with the settings you prefer. This should only be done prior to live
deployment of the server or creation of user keys by the server.
The Organization Key will automatically renew itself one day before its expiration date. It
will renew with all the same settings.
If you have multiple PGP Universal Servers in a cluster, the Organization Keys on the
Secondary servers in the cluster will be synchronized with the Primary server in the
cluster.
An Organization Key’s identification is based on the name of the managed domain for
which the key was created. Organization Keys by convention have one ID per managed
domain so that they can be easily found via a directory lookup.
The Organization Key information includes the Public Keyserver URL, as specified on the
Services>Keyserver page. Anytime the Public Keyserver URL changes, that information
on the Organization Key will immediately change.
Inspecting the Organization Key
To inspect the properties of an Organization Key:
1Click the name of the Organization Key.
The Organization Key Info dialog appears.
2Inspect the properties of the Organization Key.
3To export either just the public key portion of the Organization Key or the entire
keypair, click the Export button and save the file to the desired location.
When you export the Organization Key you also get the Organization Certificate. You
can use PGP Desktop to extract the Organization Certificate from the Organization
Key.
If you are going to regenerate your Organization Key, you should use a fairly high bit size,
such as 2048. However, if you are going to be using X.509 certificates and S/MIME, be
aware that many clients only support up to 1024 bits; thus you may want to use 1024 bits
for maximum compatibility with S/MIME. All PGP clients can be expected to support at
least 4096 bits.
Regenerating the Organization Key
Changing the Organization Key makes all previous backups undecryptable and all of the
Caution
validity signatures on the keys of internal users will be unverifiable until they are
automatically renewed.
consequences of this action.
Changing the Organization Key deletes Ignition Keys. If you have hard or soft token Ignition
Caution
Keys configured, regenerating the Organization Key will delete them. Deleting the Ignition
Key stops PGP Universal Web Messenger from being stored encrypted.
Only change the Organization Key if you fully understand the
The Organization Key signs all Trusted Keys and Certificates. If you regenerate the
Caution
Organization Key, the signature on the Trusted Keys and Certificates becomes invalid. You
must re-import all Trusted Keys and Certificates to have them signed by the new
Organization Certificate. Refer to Chapter 13, “Managing Trusted Keys and Certificates” for
more information on Trusted Keys.
To regenerate an Organization Key:
1Click the Regenerate icon in the Action column of the Organization Key whose
properties you want to change.
2The following warning dialog appears:
Regenerating the Organization Key will cause problems with existing key signatures
and backups. Any existing Ignition Keys and Organization Certificate will also be
removed. Are you sure you want to proceed?
3Click OK.
The Organization Key Generation dialog appears.
86
Loading...
+ hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.