PGP Universal Server
Administrator's Guide
Version Information
PGP Universal Server Administrator's Guide. PGP Universal Server Version 2.7.0. Released December 2007.
Copyright Information
Copyright © 1991–2007 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any
means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.
Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of
Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant
Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a
registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered
trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and
Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple
Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm,
implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a
license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block
Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP
Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would
like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support (
Corporation may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this
software or documentation does not give you any license to these patents.
http://www.pgp.com/support). PGP
Acknowledgments
This product includes or may include:
• The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation,
developed by zlib (
under the MIT License found at
freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005. • Application server (
http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse
server (
HTML, developed by the Apache Software Foundation. The license is at
binding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group
under an Apache 2.0-style license, available at
Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software
License, version 1.1, available at
(JMX), is released under an Apache-style license, available at
the work of the Independent JPEG Group. (
MIT License
University of Cambridge. ©1997-2006. The license agreement is at
Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (
daemon developed by The FreeBSD Project, © 1994-2006. • Simple Network Management Protocol Library developed and copyrighted by Carnegie
Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001- 2003, Cambridge Broadband Ltd. © 2001- 2003, Sun
Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and
Telecommunications, © 2004. The license agreement for these is at
by Network Time Protocol and copyrighted to various contributors. • Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP
Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The
OpenLDAP Foundation. The license agreement is at
developed by OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at
bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. • PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released
under the BSD license. • Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at
http://www.opensource.org/licenses/ibmpl.php. • PostgreSQL, a free software object-relational database management system, is released under a
BSD-style license, available at
PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a
BSD-style license, available at
specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission. • JacORB, a Java object used to facilitate
communication between processes written in Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL)
available at
CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and the data layer. Copyright (c) 1993-2006
by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and Vanderbilt University. The open source
software license is available at
services, is open source software provided under a MIT/X derivate license available at
2007, Daniel Stenberg. • libuuid, a library used to generate unique identifiers, is released under a BSD-style license, available at
http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright (C) 1996, 1997 Theodore Ts'o. • libpopt, a library that parses command
line options, is released under the terms of the GNU Free Documentation License available at
2000-2003 Free Software Foundation, Inc.
http://www.zlib.net). • Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted
http://www.opensource.org/licenses/mit-license.html. Copyright © 2007 by the Open Source Initiative. • bzip2 1.0, a
http://jakarta.apache.org/), web
www.apache.org/licenses/LICENSE-2.0.txt. • Castor, an open-source, data-
http://www.castor.org/license.html. • Xalan, an open-source software library from the Apache Software
http://xml.apache.org/xalan-j/#license1.1. • mx4j, an open-source implementation of the Java Management Extensions
http://mx4j.sourceforge.net/docs/ch01s06.html. • jpeglib version 6a is based in part on
http://www.ijg.org/) • libxslt the XSLT C library developed for the GNOME project and distributed under the
http://www.opensource.org/licenses/mit-license.html. • PCRE version 4.5 Perl regular expression compiler, copyrighted and distributed by
http://www.pcre.org/license.txt. • BIND Balanced Binary Tree Library and Domain
http://www.isc.org) • Free BSD implementation of
http://net-snmp.sourceforge.net/about/license.html. • NTP version 4.2 developed
http://www.openldap.org/software/release/license.html. • Secure shell OpenSSH version 4.2.1
http://www.openbsd.org/cgi-
http://www.postgresql.org/about/licence. • PostgreSQL JDBC driver, a free Java program used to connect to a
http://jdbc.postgresql.org/license.html. • 21.vixie-cron is the Vixie version of cron, a standard UNIX daemon that runs
http://www.jacorb.org/lgpl.html. Copyright © 2006 The JacORB Project. • TAO (The ACE ORB) is an open-source implementation of a
http://www.cs.wustl.edu/~schmidt/ACE-copying.html. • libcURL, a library for downloading files via common network
http://curl.haxx.se/docs/copyright.html. Copyright (c) 1996 -
http://directory.fsf.org/libs/COPYING.DOC. Copyright ©
PGP Universal Server Introduction
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau
of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided
with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets
your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be
made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.
4
Contents
Introduction 15
What is PGP Universal Server? 15
PGP Universal Server Product Family 16
Who Should Read This Guide 16
Improvements in This Version of PGP Universal Server 16
PGP Universal Server 17
PGP Messaging 17
PGP Keys 18
PGP Desktop 18
PGP Desktop Email 19
PGP NetShare 20
PGP Whole Disk Encryption 20
Using the PGP Universal Server with the Command Line 22
Symbols 22
Getting Assistance 23
Getting product information 23
Contact information 23
The Big Picture 25
Important Terms 25
PGP Products 25
PGP Universal Server Concepts 25
PGP Universal Server Features 26
PGP Universal Server User Types 28
Installation Overview 29
Adding the PGP Universal Server to Your Network
Server Placement 35
Gateway Placement 36
Internal Placement 37
Using a Mail Relay 38
Microsoft Exchange Server 38
Lotus Domino Server 39
Configuration Examples 39
Internal Placement Configuration 40
Gateway Placement Configuration 41
Non-mailstream Placement Configuration 42
Cluster Configuration 43
Clustered Proxy and Keyserver Configuration 44
Gateway Cluster with Load Balancer 46
Gateway and Internal Placement Cluster 47
35
i
PGP Universal Server Contents
Encircled Configuration 49
Large Enterprise Configuration 50
Spam Filters and PGP Universal Server 51
Exchange with PGP Client Software 52
Lotus Domino Server with PGP Client Software 53
Unsupported Configurations 53
Open Ports 55
TCP Ports 55
UDP Ports 57
Naming your PGP Universal Server
Considering a Name for Your PGP Universal Server 59
Methods for Naming a PGP Universal Server 60
59
Installing the PGP Universal Server 61
About the Installation Procedure 61
System Requirements 62
Installation Materials 62
Installation Options 62
Standard Installation Procedure 63
PGP Installation Procedure 64
Setting Up the PGP Universal Server 65
About the Setup Assistant 65
Preparing for Setup after pgp Install 66
Hardware 66
System Information 66
Connect to the PGP Universal Server 67
ii
PGP Universal Server Contents
Initial Configuration with Setup Assistant 67
Primary or Secondary Configuration 76
Restoring From a Server Backup 86
Migrating the Keys from a PGP Keyserver 87
Understanding the Administrative Interface 89
System Requirements 89
Logging In 89
Managing Alerts 92
Logging In For the First Time 93
Administrative Interface Map 94
Icons 95
Licensing Your Software 101
Overview 101
License Changes for PGP Universal Server 2.5 and Later 101
Manual and Automatic Licensing 102
Licensing a PGP Universal Server 103
Licensing the Mail Proxy Feature 103
Operating in Learn Mode 105
Purpose of Learn Mode 105
Checking the Logs 106
Managing Learn Mode 106
Managed Domains 109
About Managed Domains 109
Adding Managed Domains 110
Deleting Managed Domains 111
Managing Organization Keys
About Organization Keys 113
Organization Key 113
Inspecting the Organization Key 114
Regenerating the Organization Key 116
Importing an Organization Key 117
Organization Certificate 119
Inspecting the Organization Certificate 119
Exporting the Organization Certificate 120
Deleting the Organization Certificate 121
Generating the Organization Certificate 122
Importing the Organization Certificate 124
113
iii
PGP Universal Server Contents
Additional Decryption Key (ADK) 125
Importing the ADK 126
Inspecting the ADK 127
Deleting the ADK 128
Verified Directory Key 129
Importing the Verified Directory Key 129
Inspecting the Verified Directory Key 130
Deleting the Verified Directory Key 131
Managing Trusted Keys and Certificates 133
Overview 134
Trusted Keys 135
Trusted Certificates 135
Adding a Trusted Key or Certificate 135
Inspecting and Changing Trusted Key Properties 137
Deleting Trusted Keys and Certificates 138
Searching for Trusted Keys and Certificates 138
Recovering Encrypted Data in an Enterprise Environment 139
Using Key Reconstruction 139
Recovering Encryption Key Material without Key Reconstruction 140
Encryption Key Recovery of CKM Keys 140
Encryption Key Recovery of GKM Keys 141
Encryption Key Recovery of SCKM Keys 141
Encryption Key Recovery of SKM Keys 142
Using an Additional Decryption Key for Data Recovery 142
Setting Mail Policy 145
Overview 146
How Policy Chains Work 147
Mail Policy and Dictionaries 148
Mail Policy and Key Searches 149
Mail Policy and Cached Keys 149
Migrating Settings from Version 2.0.x 149
Understanding the Pre-Installed Policy Chains 150
Mail Policy Outside the Mailflow 151
Building Valid Chains and Rules 152
Using Valid Processing Order 152
Creating Valid Groups 153
Creating a Valid Rule 154
Using the Rule Interface 155
The Conditions Card 156
The Actions Card 158
Managing Policy Chains 158
Mail Policy Best Practices 159
iv
PGP Universal Server Contents
Restoring Mail Policy to Default Settings 159
Editing Policy Chain Settings 159
Adding Policy Chains 160
Deleting Policy Chains 162
Exporting Policy Chains 163
Printing Policy Chains 163
Managing Rules 163
Adding Rules to Policy Chains 163
Deleting Rules from Policy Chains 164
Enabling and Disabling Rules 164
Changing the Processing Order of the Rules 165
Adding Key Searches 165
Choosing Condition Statements, Conditions, and Actions 166
Condition Statements 166
Conditions 166
Actions 174
Working with Common Access Cards 181
Applying Key Not Found Settings to External Users 183
Overview 183
Bounce the Message 184
PDF Messenger 184
Certified Delivery with PDF Messenger 185
Send Unencrypted 186
Smart Trailer 186
PGP Universal Web Messenger 190
Changing Policy Settings 192
Changing User Delivery Method Preference 192
Using Dictionaries with Policy 195
Overview 195
Default Dictionaries 197
Editing Default Dictionaries 198
User-Defined Dictionaries 201
Adding a User-Defined Dictionary 201
Editing a User-Defined Dictionary 203
Deleting a Dictionary 204
Exporting a Dictionary 205
Searching the Dictionaries 205
Keyservers, SMTP Servers, and Mail Policy
207
Overview 207
Keyservers 208
Adding or Editing a Keyserver 209
Deleting a Keyserver 211
v
PGP Universal Server Contents
SMTP Servers 212
Adding or Editing an SMTP Server 212
Deleting an SMTP Server 214
Managing Keys in the Key Cache
Overview 215
Changing Cached Key Timeout 216
Purging Keys from the Cache 217
Trusting Cached Keys 217
Viewing Cached Keys 217
Searching the Key Cache 218
215
Configuring Mail Proxies 219
Overview 219
PGP Universal Server and Mail Proxies 220
Mail Proxies in an Internal Placement 220
Mail Proxies in a Gateway Placement 222
Changes in Proxy Settings from PGP Universal Server 2.0 to 2.5 and later 223
Mail Proxies Card 224
Creating New or Editing Existing Proxies 224
Creating or Editing a POP/IMAP Proxy 225
Creating or Editing an Outbound SMTP Proxy 227
Creating or Editing an Inbound SMTP Proxy 230
Creating or Editing a Unified SMTP Proxy 231
Email in the Mail Queue 235
Overview 235
Deleting Messages from the Mail Queue 236
Specifying Mail Routes
Overview 237
Managing Mail Routes 238
Adding a Mail Route 238
Editing a Mail Route 239
Deleting a Mail Route 239
237
Customizing System Message Templates 241
Overview 241
Templates and Message Size 242
PDF Messenger Templates 242
Templates for New PGP Universal Web Messenger Users 243
vi
PGP Universal Server Contents
Editing a Message Template 243
Setting Internal User Policy
Overview 246
Managing Internal User Policies 247
Adding a New Internal User Policy 247
Editing Internal User Policies 248
Editing the Excluded Users Policy 258
Deleting Internal User Policies 259
Downloading Client Software 259
Directory Synchronization 262
Choosing a Key Mode For Key Management 262
Disabling Key Generation 266
Adding PGP Desktop Solutions to Existing PGP Universal Gateway Email Environments266
Changing Key Modes 266
X.509 Certificate Management in Lotus Notes Environments 268
Trusting Certificates Created by PGP Universal Server 269
Setting the Lotus Notes Key Settings in PGP Universal Server 270
Technical Deployment Information 271
Customizing the Windows Preinstallation Environment for PGP Whole Disk Encryption 272
Introduction 272
Creating a Windows PE CD 274
Customizing the Vista Installation Package to Upgrade Encrypted Operating Systems to
Windows Vista
Using PGP Whole Disk Encryption with IBM Lenovo ThinkPad Systems 280
Using PGP Whole Disk Encryption with the Microsoft Windows XP Recovery Console 281
Pgppe Commands 281
245
277
Using Directory Synchronization to Manage Users 285
Overview 285
Enabling Directory Synchronization 287
Testing the LDAP Connection 290
Excluding Users 290
Including Only Some Users 292
Matching Attributes 292
Base DN and Bind DN 294
Understanding User Enrollment Methods 296
Before Creating a Client Installer 296
Email Enrollment 297
Directory Enrollment 299
vii
PGP Universal Server Contents
Serving PGP Admin 8 Preferences 301
Configuring PGP Desktop Installations
303
Establishing PGP Desktop Settings for Your PGP Desktop Clients 303
PGP Desktop Licensing 304
Configuring PGP Desktop Settings 305
General Tab 309
Licensing Tab 313
Messaging & Keys Tab 316
File & Disk Tab 318
WDE Tab 322
PGP Desktop Installer Policies 326
Creating PGP Desktop Installers 327
Creating an Installer with No Policy Settings 327
Creating an Installer with Auto-Detect Policy 328
Creating an Installer with Preset Policy 329
Controlling PGP Desktop Components 331
PGP Whole Disk Encryption Administration 332
How Does Single Sign-On Work? 332
Enabling Single Sign-On 333
Managing Clients Remotely Using a PGP WDE Administrator Active Directory Group 335
Managing Clients Locally Using the PGP WDE Administrator Key 337
Setting External User Policy 339
Overview 340
Managing External User Policies 341
Regrouping External Users 341
Adding a New External User Policy 341
Editing External User Policies 342
Deleting External User Policies 352
Configuring PGP Universal Web Messenger 353
Overview 353
High Availability Mode 354
Customizing PGP Universal Web Messenger 355
Adding a New Template 356
Troubleshooting Customization 361
Changing the Active Template 365
Deleting a Template 365
Editing a Template 365
Downloading Template Files 366
Restoring to Factory Defaults 366
viii
PGP Universal Server Contents
Configuring the PGP Universal Web Messenger Service 367
Configuring the PGP Verified Directory
373
Overview 373
Enabling the PGP Verified Directory 374
Configuring the PGP Verified Directory 375
Managing Internal User Accounts 379
Overview 379
Certificate Revocation Lists 380
Adding Internal Users Manually 381
Deleting Internal Users 383
Approving Pending Keys 383
Searching for Internal Users 384
Exporting PGP Whole Disk Login Failure Data 385
Internal User Settings 385
Changing Internal User Settings 386
Exporting an Internal User’s X.509 Certificate 387
Revoking the PGP Key of an Internal User 387
Exporting the PGP Key of an Internal User 388
Deleting the PGP Key of an Internal User 389
Deleting a PGP Desktop Key Reconstruction Block 389
Using Whole Disk Recovery Tokens 390
Deleting Whole Disk Recovery Tokens 391
Viewing PGP Whole Disk Encryption Status 391
Viewing Internal User Log Entries 392
Key Reconstruction Blocks 393
Managing External User Accounts 395
Overview 395
Importing External Users 396
Deleting External Users 397
Searching for External Users 397
Exporting Delivery Receipts 398
External User Settings 399
Changing External User Settings 400
Viewing External User Log Entries 401
Exporting an External User’s X.509 Certificate 401
Exporting the PGP Key of an External User 402
Deleting the PGP Key of an External User 402
Changing the Passphrase of an External User 403
ix
PGP Universal Server Contents
Managing PGP Verified Directory User Accounts 405
Overview 405
Importing Verified Directory Users 406
PGP Verified Directory User Settings 408
Changing PGP Verified Directory User Settings 409
Approving Pending Keys 409
Deleting the PGP Key of a PGP Verified Directory User 410
Viewing PGP Verified Directory User Log Entries 410
Deleting PGP Verified Directory Users 410
Exporting PGP Verified Directory Users 411
Searching for PGP Verified Directory Users 411
Managing Administrator Accounts 413
Overview 413
Creating a New Administrator 414
Importing SSH v2 Keys 416
Deleting Administrators 416
Inspecting and Changing the Settings of an Administrator 417
Daily Status Email 417
PGP Universal Satellite 419
Overview 419
Technical Information 420
Distributing the PGP Universal Satellite Software 421
Configuration 422
Deployment Mode 422
Key Mode 422
Satellite Configurations 423
Switching Key Modes 428
Binding 428
Pre-Binding 429
Manual Binding 430
Policy and Key or Certificate Retrieval 431
Retrieving Lost Policies 431
Retrieving Lost Keys or Certificates 433
x
PGP Universal Server Contents
PGP Universal Satellite for Mac OS X 435
Overview 435
System Requirements 436
Obtaining the Installer 436
Installation 436
Updates 437
Files 437
User Interface 438
About PGP Universal Server 439
Help 440
Show Log 440
Clear Log 441
Policies 441
Preferences 448
Purge Caches 449
Hide and Quit PGP Universal Satellite 449
PGP Universal Satellite for Windows 453
Overview 453
System Requirements 454
Obtaining the Installer 454
Installation 455
Updates 457
Files 458
MAPI Support 458
External MAPI Configuration 459
Internal MAPI Configuration 460
Using MAPI 461
Lotus Notes Support 461
External Lotus Notes Configuration 461
Internal Lotus Notes Configuration 463
Using Lotus Notes 464
Notes IDs 464
User Interface 464
The Policy Tab 465
The Log Tab 467
The Satellite Tray Icon 469
xi
PGP Universal Server Contents
Configuring the Integrated Keyserver 473
Overview 473
Configuring the Keyserver Service 473
Managing the Certificate Revocation List Service 479
Overview 479
Enabling and Disabling the CRL Service 480
Editing CRL Service Settings 480
System Graphs
Overview 483
CPU Usage 483
Message Activity 484
Whole Disk Encryption 485
Recipient Statistics 487
Recipient Domain Statistics 487
483
System Logs 489
Overview 489
Filtering the Log View 490
Searching the Log Files 491
Exporting a Log File 491
Enabling External Logging 492
Shutting Down and Restarting Services and Power 495
Overview 496
PGP Universal Server 498
Setting the Time 498
Updating Software 499
Licensing a PGP Universal Server 500
Downloading the Release Notes 500
xii
PGP Universal Server Contents
Shutting Down and Restarting the PGP Universal Server Software Services 501
Shutting Down and Restarting the PGP Universal Server Hardware 501
Configuring SNMP Monitoring 503
Overview 503
Downloading the Custom MIB File 504
Configuring the SNMP Service 505
Setting Network Interfaces 509
Overview 510
Connecting to a Proxy Server 511
Changing Interface Settings 512
Adding Interface Settings 512
Deleting Interface Settings 513
Editing Global Network Settings 513
Assigning a Certificate 513
Working with Certificates 514
Importing an Existing Certificate 515
Generating a Certificate Request 518
Adding a Pending Certificate 519
Inspecting a Certificate 520
Exporting a Certificate 521
Deleting a Certificate 522
Clustering your PGP Universal Servers 523
Overview 523
Clustering and PGP Universal Web Messenger 524
Cluster Status 525
Creating Clusters 527
Deleting Clusters 529
Changing Network Settings in Clusters 529
Managing Secondary Settings in Clusters 530
Protecting PGP Universal Server with Ignition Keys
Overview 531
Ignition Keys and Clustering 533
xiii
531
PGP Universal Server Contents
Preparing Hardware Tokens to be Ignition Keys 533
Configuring a Hardware Token Ignition Key 535
Configuring a Soft-Ignition Passphrase Ignition Key 535
Deleting Ignition Keys 536
Backing Up and Restoring System and User Data 537
Overview 537
Creating Backups 538
Scheduling Backups 538
Performing On-Demand Backups 539
Configuring the Backup Location 539
Restoring From a Backup 541
Restoring On-Demand 541
Restoring Configuration 542
Restoring from a Different Version 546
Updating PGP Universal Server Software 549
Overview 549
Inspecting Update Packages 550
Establishing Software Update Settings 550
Checking for New Updates 551
Uploading Update Packages 551
Manually Installing an Update 551
Index 553
xiv
1
Introduction
This Administrator’s Guide describes both the PGP Universal Server and PGP
Universal Satellite. It tells you how to get them up and running on your network,
how to configure them, and how to maintain them. This section provides a highlevel overview of PGP Universal Server.
In This Chapter
What is PGP Universal Server? ................................................................15
PGP Universal Server Product Family ......................................................16
Who Should Read This Guide ..................................................................16
Improvements in This Version of PGP Universal Server..........................16
Using the PGP Universal Server with the Command Line.......................22
Symbols....................................................................................................22
Getting Assistance ...................................................................................23
What is PGP Universal Server?
PGP Universal Server provides multiple encryption solutions managed from a
single console.
PGP Universal Server with PGP Universal Gateway Email gives you secure
messaging: it transparently protects your enterprise messages with little or no
user interaction.
The PGP Universal Server also replaces the PGP Keyserver product with a builtin keyserver, and the PGP Admin product with PGP Desktop configuration and
deployment capabilities.
It automatically creates and maintains a Self-Managing Security Architecture
(SMSA) by monitoring authenticated users and their email traffic. You can also
send protected messages to addresses that are not part of the SMSA. The PGP
Universal Server encrypts, decrypts, signs, and verifies messages automatically,
providing strong security through policies you control.
PGP Universal Satellite, a client-side feature of PGP Universal Server, extends
PGP security for email messages all the way to the computer of the email user,
it allows external users to become part of the SMSA, and it gives end users the
option to create and manage their keys on their own computer (if allowed by
the PGP administrator).
15
PGP Universal Server Introduction
PGP Universal Server Product Family
PGP Universal Server functions as a management console for a variety of
encryption solutions. You can purchase any of the PGP Desktop applications or
bundles and use PGP Universal Server to create and manage client installations.
You can also purchase a license that enables PGP Gateway Email to encrypt
email in the mailstream.
The PGP Universal Server can manage any combination of PGP encryption
applications. PGP encryption applications are:
PGP Universal Gateway Email provides automatic email encryption in the
gateway, based on centralized mail policy. This product requires
administration by the PGP Universal Server.
PGP Desktop Email provides encryption at the desktop level for mail, files,
and AOL Instant Messenger traffic. This product can be managed by the
PGP Universal Server.
PGP Whole Disk Encryption provides encryption at the desktop level for
an entire disk. This product can be managed by the PGP Universal Server.
PGP NetShare provides transparent file encryption and sharing among
desktops. This product can be managed by the PGP Universal Server.
Who Should Read This Guide
This Administrator’s Guide is for the person or persons who will be
implementing and maintaining your organization’s PGP Universal Server
environment. These are the PGP administrators.
This guide is also intended for anyone else who wants to learn about how PGP
Universal Server works.
Improvements in This Version of PGP Universal Server
This release of PGP Universal Server introduces the following new features:
PGP Universal Server (on page
PGP Messaging (on page
PGP Keys (on page
18)
17)
17)
PGP Desktop (on page
18)
PGP Desktop Email (on page
16
19)
PGP Universal Server Introduction
PGP NetShare (on page 20)
PGP Whole Disk Encryption (on page
PGP Universal Server
Changes in this release
Changes in this release
Where to find
For more information
Additional platform certification. PGP Universal Server is now
certified to operate with VMWare ESX Server Standard 3.0 including
VMWare Tools.
LDAP Ping testing. PGP Universal administrators can now test their
LDAP Directory Synchronization configuration. The configuration test
feature reports success or failure and, to the extent possible, the reason
for any failure.
Policy>Internal User Policy>Directory Synchronization
Testing the LDAP Connection (on page
PGP Messaging
Changes in this release
PDF Messenger and certified delivery. PGP Universal Gateway Email
enables users to send secure content to recipients who do not have PGP
software installed using Portable Document Format (PDF). PGP Universal
Gateway Email can encrypt existing PDFs sent by the user, or also create
secure PDFs out of normal email content. The design of this system
enables secure delivery certification, ensuring that successful delivery of
the message content to the recipient can be recorded at the PGP Universal
Server if selected by an Administrator.
20)
290)
Where to find
For more information
Changes in this release
Where to find
For more information
Changes in this release
Policy>Mail Policy, Policy>External User Policy
Editing External User Policies (on page
Settings to External Users (on page
342) , Applying Key Not Found
183)
Web Messenger customizable user interface. PGP Universal Gateway
Email now provides extensive options for customizing the Web Messenger
interface. Administrators are able to make customizations ranging from
simple color scheme changes to radical alterations of the Web Messenger
HTML itself.
Services>Web Messenger
Customizing PGP Universal Web Messenger (on page
355)
IMAP speed improvements. This release contains significant IMAP
performance improvements. Users will experience quicker responses and
shorter downloads, particularly when accessing large mailboxes, switching
between folders, and checking for new messages.
17
PGP Universal Server Introduction
Changes in this release
Where to find
For more information
Changes in this release
Where to find
For more information
PGP Keys
Changes in this release
Web Messenger connectivity over HTTP. The PGP Universal Gateway
Email administrator can configure Web Messenger to accept connections
over HTTP, enabling interoperability with HTTPS accelerator products.
Services>Web Messenger
Configuring the PGP Universal Web Messenger Service (on page
367)
Improved handling of malformed email messages. PGP Universal
administrators have greater control in specifying how to handle malformed
email messages not in compliance with Internet standards. When a mail
message cannot be parsed in the course of evaluating mail policy,
processing immediately jumps to a special chain, designated as the
“Exception Chain.” This chain has limited capabilities, but allows the
administrator to specify what to do with the malformed mail based on
information outside of the mail itself (what interface it came in on, what
port, and so on).
Policy>Mail Policy
Understanding the Pre-Installed Policy Chains (on page
150)
Certificate Revocation List (CRL) publishing. PGP Universal Server 2.7
now publishes Certificate Revocation Lists (CRLs) for X.509 certificates
that it issues. Administrators are able to revoke individual certificates by
adding them to the CRL. CRLs can be retrieved by via HTTP or LDAP.
Where to find
For more information
Changes in this release
Where to find
Benefits
PGP Desktop
Changes in this release
Services>Certificate Revocation
The Certificate Revocation List Service (see "
Revocation List Service" on page
Controlled
private key generation. PGP Universal administrators can now
479)
Managing the Certificate
disable key generation in the PGP Desktop user interface, making it
impossible for end users to generate their own key pairs.
Policy>Internal User Policy
Configuring PGP Desktop Installations (on page
303)
Additional platform support. PGP Desktop and PGP Universal Satellite
are now available for Microsoft Windows Vista 64-bit and Mac OS X
10.5 (Leopard).
18
PGP Universal Server Introduction
Changes in this release
Where to find
For more information
Changes in this release
Where to find
For more information
Changes in this release
Where to find
Feature deployment control. Administrators can now enforce policy by
providing end users only with authorized client features, enabling or
disabling client capabilities before distributing PGP client software to
end-users. Disabled features are then unavailable in the PGP Desktop
user interface.
Policy>Internal User Policy
Setting Internal User Policy (on page
Installations (on page
303)
245), Configuring PGP Desktop
Updated key reconstruction user interface. The PGP Desktop Key
Reconstruction user interface has been significantly improved in this
release. Primary new features include the ability to select and customize
a set of provided questions, a visually more appealing experience, and a
new Assistant to help guide the user through the process.
PGP Desktop
PGP Desktop User's Guide
Silent enrollment. Silent setup and enrollment enables pre-configured
enrollment settings in PGP Universal-managed environments. PGP Desktop
can now be deployed in most cases without installation or enrollment
prompts other than the creation of a passphrase.
Policy>Internal User Policy
For more information
PGP Desktop Email
Changes in this release
Changes in this release
Changes in this release
Where to find
Setting Internal User Policy (on page
Installations (on page
303)
245), Configuring PGP Desktop
MAPI support for PGP/MIME formatted messages. PGP Desktop and
PGP Universal Satellite now provide the ability to encrypt PGP/MIME
messages in Outlook clients using MAPI. PGP/MIME decryption has also
been significantly improved in this area.
Microsoft CAPI integration. PGP Desktop and PGP Universal Satellite
support the use of Microsoft Cryptographic Application Programming
Interface (CAPI) credentials, enabling the user to make use of existing
X.509 certificates directly from the Microsoft operating system certificate
store. PGP Universal administrators can specify automatic enrollment of
such certificates as well.
Out-of-the-mail-stream support. PGP Desktop and PGP Universal
Satellite will selectively send email messages directly to the PGP Universal
Server via a SOAP connection if required by policy, such that the server
does not need to be in the mail stream to support Web Messenger or
Smart Trailer functionality.
Policy>Internal User Policy>PGP Desktop
19
PGP Universal Server Introduction
For more information
Changes in this release
PGP NetShare
Changes in this release
Where to find
For more information
Changes in this release
Where to find
Configuring PGP Desktop Installations (on page
303)
Weak-cipher decryption. PGP products now decrypt S/MIME encoded
messages encrypted with weak 40-bit RC2 encryption for backwards
compatibility with older email clients. Additional warnings are added to
messages decrypted using that algorithm. Note that PGP Desktop and PGP
Universal Satellite will not encrypt using weak ciphers.
PGP NetShare per-folder administration. PGP NetShare administrative
granularity has been extended to restrict administrator control to a perfolder level, thus limiting administrative access to exactly where it is
needed.
Policy>Internal User Policy>PGP Desktop
Configuring PGP Desktop Installations (on page
303)
Whitelists and blacklists. Administrators can now centrally define PGP
NetShare policy to protect files stored in specific directory locations,
enforcing security policy without impacting user behavior. Conversely,
administrators can also force specific directories to prevent encryption.
Policy>Internal User Policy>PGP Desktop
For more information
Changes in this release
Configuring PGP Desktop Installations (on page
Centralized PGP NetShare logging. Centralized logging on PGP Universal
provides visibility into the activity of PGP NetShare deployments to satisfy
management and auditing requirements.
Where to find
Reporting>Logs
PGP Whole Disk Encryption
Changes in this release
Where to find
For more information
Advanced centralized event logging. PGP Universal now provides
significantly expanded reporting on PGP Whole Disk Encryption usage on
client systems. This logging feature itemizes events such as which
systems have been encrypted, the progress of encryption or decryption for
an individual system, errors encountered during encryption, the status of
recovery tokens, removable storage usage, and failed/successful login
attempts. Administrators can set thresholds that raise alerts in PGP
Universal on the PGP Daily Status Email or dashboard screen after a
configured number of failed logins has been exceeded.
Reporting>Graphs, Reporting>Logs
Managing Alerts (on page
PGP Whole Disk Login Failure Data (on page
303)
92), System Graphs (on page 483), Exporting
385)
20
PGP Universal Server Introduction
Changes in this release
Where to find
For more information
Changes in this release
Changes in this release
Changes in this release
Where to find
Group administration access tokens. PGP Whole Disk Encryption admin
accounts can be added, allowing an administrator with a smart card key to
override the BootGuard prompt. This key can be specified separately for
each Internal User Policy. Using a single keypair copied to multiple smart
cards (each with its own PIN), an organization can enable multiple
administrators for each Policy.
Policy>Internal User Policy>PGP Desktop
Configuring PGP Desktop Installations (on page
303)
Domain administrator restart bypass. Windows System and
Administrator account(s) may now engage a mode to bypass WDE
authentication on the next restart by utilizing the privileges of the
administration account to act as the authenticated user. This feature
enables administrators to perform remote software installations requiring a
restart of the target computer. Use of this feature is logged to the PGP
Universal server.
Extended pre-boot smart card support. PGP Whole Disk Encryption has
greatly expanded pre-boot authentication to a variety of smart cards.
Partition encryption deployment. Administrators in a PGP Universalmanaged environment may now configure encryption of only the boot
partition or only Windows partitions rather than always encrypting entire
disks.
Policy>Internal User Policy>PGP Desktop
For more information
Changes in this release
Where to find
For more information
Changes in this release
Changes in this release
Where to find
For more information
Configuring PGP Desktop Installations (on page
303)
Customizable WDE BootGuard screens. Administrators in a PGP
Universal-managed environment can configure the PGP Whole Disk
Encryption boot screen to display the text and graphics of their choice.
Policy>Internal User Policy>PGP Desktop
Configuring PGP Desktop Installations (on page
303)
Lenovo laptop Recovery button. PGP Whole Disk Encryption now
provides complete support for the Lenovo Rescue and Recovery software
(version 3.x and 4.x) including using the “Access IBM” blue button for
boot-level recovery of the OS even when the disk (or partition) is
encrypted.
User Interface modifications for ADA compliance. As part of our
expanding support for the Americans with Disabilities Act (ADA) standards
for accessible design, the PGP WDE BootGuard screen has been modified
to provide audible feedback when the screen is ready for user input, when
a user types in an incorrect password, and when a user types a correct
password. This audio feedback is optional, configurable using PGP
Universal for managed clients.
Policy>Internal User Policy>PGP Desktop
Configuring PGP Desktop Installations (on page
303)
21
PGP Universal Server Introduction
Changes in this release
Microsoft Windows PE support. PGP Desktop provides administrators
with the ability to create a Windows PE (Preinstallation Environment) boot
disk containing a subset of PGP Whole Disk Encryption. This bootable disc
can be used to perform a variety of management and recovery tasks.
Changes in this release
Trusted Platform Module (TPM) support for PGP WDE. PGP Desktop
supports using the Trusted Platform Module as an additional authentication
device for PGP Whole Disk Encryption if present on the motherboard and
enabled via proper driver installation for your hardware. When use of the
TPM is specified prior to encryption, the user can authenticate to the disk
only on that particular machine, locking the disk to the machine hardware
and thus deterring attacks such as hard disk theft. This feature works with
passphrase users only and is compatible with the PGP WDE Single Sign-On
feature.
Where to find
For more information
Policy>Internal User Policy>PGP Desktop
Configuring PGP Desktop Installations (on page
303)
Using the PGP Universal Server with the Command Line
Accessing the PGP Universal Server command line for read-only purposes (such
as to view settings, services, logs, processes, disk space, query the database,
etc) is supported. However, performing configuration modifications or
customizations via the command line may void your PGP Support agreement
unless the following procedures are followed. Any changes made to the PGP
Universal Server via the command line must be:
Symbols
Authorized in writing by PGP Support.
Implemented by a PGP Partner, reseller or internal employee who is
certified in the PGP Advanced Administration and Deployment Training.
Summarized and documented in a text file in /etc/pso on the PGP Universal
Server itself.
Changes made through the command line may not persist through reboots and
may be incompatible with future releases. PGP Support may also require
reverting any custom configurations on the PGP Universal Server back to a
default state when troubleshooting new issues.
Notes, Cautions, and Warnings are used in the following ways.
Note: Notes are extra, but important, information. A Note calls your attention
to important aspects of the product. You will be able to use the product
better if you read the Notes.
22
PGP Universal Server Introduction
Caution: Cautions indicate the possibility of loss of data or a minor security
breach. A Caution tells you about a situation where problems could occur
unless precautions are taken. Pay attention to Cautions.
Warning: Warnings indicate the possibility of significant data loss or a major
security breach. A Warning means serious problems will occur unless you
take the appropriate action. Please take Warnings very seriously.
Getting Assistance
Getting product information
The following documents and on-line help are companions to the PGP Universal
Administrator’s Guide. This guide occasionally refers to information that can be
found in one or more of the following sources:
PGP Universal Upgrade Guide—Describes the process of upgrading your
PGP Universal Server to version 2.6.
PGP Universal Mail Policy Diagram—Provides a graphical representation
of how email is processed through mail policy. You can access this
document via the PGP Universal Server online help.
Tutorials—Provides animated introductions on how to manage the mail
policy feature in PGP Universal Server 2.6, and how upgraded PGP
Universal Server settings migrate into the new mail policy feature.
You can also access all the documentation and tutorials by clicking the
online help icon in the upper-right corner of the PGP Universal Server
screen.
The administrative interface and PGP Universal Satellite for Windows and
Mac OS X include online help.
Refer to these sections for additional resources.
PGP Universal Server and PGP Satellite release notes are also provided,
Once PGP Universal Server is released, additional information regarding the
product is added to the online Knowledge Base available on PGP Corporation’s
Support Portal (
Contact information
All PGP customers have access to the comprehensive set of tools and
discussion forums available on the PGP Support Portal.
which may have last-minute information not found in the product
documentation.
https://support.pgp.com).
23
PGP Universal Server Introduction
The PGP Support Portal provides access to tutorials, recent support briefs, the
Knowledge Base, and other valuable technical information.
Contacting Technical Support
To learn about PGP support options and how to contact PGP Technical
Support, please visit the PGP Corporation Support Home Page
(
http://www.pgp.com/support).
To access the PGP Support Knowledge Base or request PGP Technical
Support, please visit PGP Support Portal Web Site
(
https://support.pgp.com). Note that you may access portions of the
PGP Support Knowledge Base without a support agreement;
however, you must have a valid support agreement to request
Technical Support.
For any other contacts at PGP, please visit the PGP Contacts Page
http://www.pgp.com/company/contact/index.html).
(
For general information about PGP Corporation, please visit the PGP Web
Site (
http://www.pgp.com).
To access the PGP Support forums, please visit PGP Support
(
http://forums.pgpsupport.com). These are user community support forums
hosted by PGP Corporation.
24
2
The Big Picture
This chapter describes some important terms and concepts and gives you a
high-level overview of the things you need to do to set up and maintain your
PGP Universal Server environment.
In This Chapter
Important Terms.......................................................................................25
Installation Overview................................................................................29
Important Terms
PGP Products
PGP Universal Server: A device you add to your network that provides
secure messaging with little or no user interaction. The PGP Universal
Server automatically creates and maintains a security architecture by
monitoring authenticated users and their email traffic. You can also send
protected messages to addresses that are not part of the security
architecture.
PGP Universal Satellite: The PGP Universal Satellite software resides on
the computer of the email user. It allows email to be encrypted end to end,
all the way to and from the desktop (for both internal and external users).
Using PGP Universal Satellite is one of the ways for external users to
participate in the SMSA. It also allows users the option of controlling their
PGP Universal Server Concepts
keys on their local machines (if allowed by the PGP administrator).
Security Architecture: Behind the scenes, the PGP Universal Server
creates and manages its own security architecture for the users whose
email domain it is securing. Because the security architecture is created
and managed automatically, we call this a self-managing security
architecture (SMSA).
25
PGP Universal Server The Big Picture
keys.<domain> convention: PGP Universal Server automatically looks for
valid public keys for email recipients at a special hostname, if no valid
public key is found locally to secure a message. This hostname is
keys.<domain> (where <domain> is the email domain of the recipient). For
example, Example Corporation’s externally visible PGP Universal Server is
named keys.example.com.
PGP Corporation strongly recommends you name your externally visible
PGP Universal Server according to this convention because it allows other
PGP Universal Servers to easily find valid public keys for email recipients in
your domain.
Refer to Naming your PGP Universal Server (on page
information about this convention.
PGP Universal Server Features
Server Placement: A PGP Universal Server can be placed in one of two
locations in your network to process email.
With an internal placement, the PGP Universal Server logically sits between
your email users and your mail server. It encrypts and signs outgoing SMTP
email and decrypts and verifies incoming mail being picked up by email
clients using POP or IMAP. Email stored on your mail server is stored
secured (encrypted).
With a gateway placement, the PGP Universal Server logically sits between
your mail server and the Internet. It encrypts and signs outgoing SMTP
email and decrypts and verifies incoming SMTP email. Email stored on your
mail server is stored unsecured.
Refer to Adding the PGP Universal Server to Your Network (on page
and Configuring Mail Proxies (on page
server placement.
Administrative Interface: Each PGP Universal Server is controlled via a
Web-based administrative interface. The administrative interface gives you
control over the PGP Universal Server’s operation. While many settings are
initially established using the web-based Setup Assistant, all settings of a
PGP Universal Server can be controlled via the administrative interface.
59) for more
35)
219) for more information about
Setup Assistant: When you attempt to log in for the first time to the
administrative interface of a PGP Universal Server, the Setup Assistant
takes you through the configuration of that PGP Universal Server.
Learn Mode: When you finish configuring a PGP Universal Server using
the Setup Assistant, it begins operation in Learn Mode, which is a special
mode where the PGP Universal Server proxies traffic normally but does not
encrypt or sign any messages.
26
PGP Universal Server The Big Picture
Learn Mode gives the PGP Universal Server a chance to build its SMSA
(creating keys for authenticated users, for example) so that when it goes
live — that is, when Learn Mode is turned off — the PGP Universal Server
knows the environment and can immediately begin securing messages.
It’s also an excellent way for PGP administrators to learn about the product.
You should check the logs of the PGP Universal Server while it is in Learn
Mode to see what it would be doing to email traffic if it were live on your
network. You can make changes to the PGP Universal Server’s policies
while it is in Learn Mode until things are working as expected.
Mail Policy: The PGP Universal Server processes email messages based
on the policies you establish. Mail policy applies to inbound and outbound
email for both PGP Universal Server traffic and email processed by PGP
client software. Mail policy consists of multiple policy chains, comprised of
sequential mail processing rules.
Dictionary: Dictionaries are lists of terms to be matched. The dictionaries
work with mail policy to allow you to define content lists that can trigger
rules.
Cluster: When you have two or more PGP Universal Servers in your
network, you configure them to synchronize with each other; this is called
a “cluster.”
In a cluster, one PGP Universal Server is designated Primary for the cluster;
all other PGP Universal Servers in the cluster are designated Secondary.
The Secondary servers synchronize their users, keys, managed domains,
and policies with the Primary.
Organization Key: The Setup Assistant automatically creates an
Organization Key (actually a keypair) when it configures a PGP Universal
Server. The Organization Key is used to sign all PGP user keys the PGP
Universal Server creates and to encrypt PGP Universal Server backups.
Caution: It is extremely important to back up your Organization Key: all of the
keys the PGP Universal Server creates are signed by the Organization Key,
and all backups are encrypted to the Organization Key. If you lose your
Organization Key and have not backed it up, the signatures on those keys will
be meaningless and you will not be able to restore from backups encrypted
to the Organization Key.
If your organization has one PGP Universal Server, back up the Organization Key
from that PGP Universal Server; if you have multiple PGP Universal Servers in a
cluster, back up the Organization Key from the Primary server in the cluster, as
this Organization Key will be synchronized with the Secondary servers in the
cluster.
Organization Certificate: You must create or obtain an Organization
Certificate to enable S/MIME support by PGP Universal Server. The
Organization Certificate signs all X.509 certificates the server creates.
27
PGP Universal Server The Big Picture
Directory Synchronization: If you have an LDAP directory in your
organization, your PGP Universal Server can be synchronized with this
directory. The PGP Universal Server will automatically import user
information from the directory when users send and receive email; it will
also create internal user accounts for them, including adding and using
X.509 certificates if they are contained in the LDAP directory.
Keyserver: Each PGP Universal Server includes an integrated keyserver
populated with the public keys of your internal users. When an external
user sends a message to an internal user, the external PGP Universal
Server will go to the keyserver to find the public key of the recipient to use
to secure the message. The PGP administrator can enable or disable the
service, and control access to it via the administrative interface.
PGP Verified Directory: The PGP Verified Directory supplements the
internal keyserver by letting internal and external users manage the
publishing of their own public keys. The PGP Verified Directory also serves
as a replacement for the PGP Keyserver product. The PGP Verified
Directory uses next-generation keyserver technology to ensure that the
keys in the directory can be trusted.
Backup and Restore: Because full backups of the data stored on your PGP
Universal Server are critical in the case of a natural disaster or other
unanticipated loss of data or hardware, you can schedule automatic
backups of your PGP Universal Server data or manually perform a backup.
Naturally, you can fully restore a PGP Universal Server from a backup. In
the event of a minor problem, you can restore the PGP Universal Server to
any saved backup. In the event that a PGP Universal Server is no longer
usable, you can restore its data from a backup onto a new PGP Universal
Server during initial setup of the new PGP Universal Server using the Setup
Assistant. All backups are encrypted to the Organization Key and may thus
be stored securely off the PGP Universal Server.
Ignition Keys: You can protect the contents of a PGP Universal Server,
even if the hardware is physically stolen, by requiring the use of a hardware
token or a software passphrase, or both, on start.
PGP Universal Server User Types
Internal and External Users: Internal users are email users from the
domains being managed by your PGP Universal Server; external users are
email users from other domains (domains not being managed by your PGP
Universal Server) who have been added to the SMSA.
Multiple Administrators: Only PGP administrators are allowed to access
the administrative interface that controls PGP Universal Server. A PGP
Universal Server supports multiple PGP administrators, each of which can
be assigned one of five levels of authority: from read-only access to full
control over every feature and function.
28
PGP Universal Server The Big Picture
Management of PGP Desktop Users: PGP Universal Servers allow you to
manage PGP Desktop deployments to your internal users. The PGP
administrator can control which PGP Desktop features are automatically
implemented at install, and establish and update mail security policy for
PGP Desktop users that those users cannot override (except on the side of
being more secure).
Other Email Users: Users within your organization can securely send
email to recipients outside the SMSA.
First, the PGP Universal Server will attempt to find a key for the recipient. If
that fails, there are four fallback options, all controlled by mail policy:
bounce the message back to the sender (so it’s not sent unencrypted),
send unencrypted, Smart Trailer, and PGP Universal Web Messenger mail.
Smart Trailer sends the message unencrypted and adds text giving the
recipient the option of joining the SMSA by installing PGP Universal
Satellite, using an existing key or certificate, or using PGP Universal Web
Messenger. PGP Universal Web Messenger lets the recipient securely
read the message on a secure website; it also gives the recipient options
for handling subsequent messages from the same domain: read the
messages on a secure website using a passphrase they establish, install
PGP Universal Satellite, or add an existing key or certificate to the SMSA.
Installation Overview
The following steps are a broad overview of what it takes to plan, set up, and
maintain your PGP Universal Server environment.
All of the steps described briefly here are described in detail in later chapters.
1 Plan where in your network you want to locate your PGP Universal
Server(s).
Where you put PGP Universal Servers in your network, how many PGP
Universal Servers you have in your network, and other factors all have a
major impact on how you add them to your existing network.
It’s a good idea to create a diagram of your network that includes all
network components and shows how email flows; having this diagram may
help you understand how adding a PGP Universal Server will impact your
network.
Refer to Adding the PGP Universal Server to Your Network (on page
information that will help you plan how to add PGP Universal Servers to
your existing network.
2 Perform necessary DNS changes.
Add IP addresses for your PGP Universal Servers, an alias to your
keyserver, update the MX record if necessary, add keys.<domain>,
hostnames of potential Secondary servers for a cluster, and so on.
35) for
29
PGP Universal Server The Big Picture
Properly configured DNS settings (including root servers and appropriate
reverse lookup records) are required in all cases to support PGP Universal
Server. Make sure both host and pointer records are correct. IP addresses
must be resolvable to hostnames, as well as hostnames resolvable to IP
addresses.
3 Prepare a hardware token Ignition Key.
If you want to add a hardware token Ignition Key during setup, install the
drivers and configure the token before you begin the PGP Universal Server
setup process. See Protecting PGP Universal Server with Ignition Keys (on
531) for information on how to prepare a hardware token Ignition Key.
page
4 If you are going to have more than one PGP Universal Server in your
network, install and configure the Primary server of the cluster first.
The Setup Assistant runs automatically when you first access the
administrative interface for the PGP Universal Server.
To configure the Secondary servers in the cluster, you must configure the
Primary server first and then add the Secondary servers on the Primary
server before you can actually configure the Secondary servers.
Refer to Setting Up the PGP Universal Server (on page
65) for more
information on the Setup Assistant.
5 License your Primary server.
You cannot take a PGP Universal Server out of Learn Mode or install
updates until the product is licensed. Once it is licensed, you should check
for product updates and install them if found. See Licensing Your Software
(on page
101) for more information.
If you want the PGP Universal Server to provide mail proxy services, you
must have a PGP Universal Server license with the mailstream feature
enabled. See Licensing Your Software (on page
101) for more information.
6 If you have a PGP key you want to use as your Organization Key with
PGP Universal Server, import it and then back it up on your Primary
server.
Your Organization Key does two important things: it is used to sign all user
keys the PGP Universal Server creates and it is used to encrypt PGP
Universal Server backups. This key represents the identity of your
organization, and is the root of the Web-of-Trust for your users.
If your organization uses PGP Desktop and already has an Corporate Key or
Organization Key, and you want to use that key with PGP Universal Server,
you should import it as soon as you have configured your Primary server
and then create a backup of the key.
If your organization does not have an existing key that you want to use as
your Organization Key, use the Organization Key the Setup Assistant
automatically creates with default values. See Managing Organization Keys
(on page
113) for more information.
30
PGP Universal Server The Big Picture
No matter which key you use as your Organization Key, it is very important
to make a backup of the key in case of a problem with your PGP Universal
Server. Since PGP Universal Server’s built-in back-up feature always
encrypts backups to this key, you will need to provide a copy of your
Organization Key to restore your data.
Refer to Organization Certificate (on page
119) for more information on
Organization Certificates.
7 If you have a PGP Additional Decryption Key (ADK) that you want to
use with PGP Universal Server, add it on your Primary server.
An ADK is a way to recover an email message if the recipient is unable or
unwilling to do so; every message that is also encrypted to the ADK can be
opened by the holder(s) of the ADK. You cannot create an ADK with the
PGP Universal Server, but if you have an existing PGP ADK (generated by
PGP Desktop, an ideal scenario for a split key; refer to the PGP Desktop
User’s Guide for more information), you can add it to your PGP Universal
Server and use it. You can only have one ADK. Refer to Additional
Decryption Key (ADK) (on page
125) for more information.
8 Create a SSL/TLS certificate or obtain a valid SSL/TLS certificate.
You can create a self-signed certificate for use with SSL/TLS traffic.
Because this certificate is self signed, however, it may not be trusted by
email or Web browser clients. PGP Corporation recommends that you
obtain a valid SSL/TLS certificate for each of your PGP Universal Servers
from a reputable Certificate Authority, such as GeoTrust, available at the
PGP Online Store (
www.pgpstore.com).
This is especially important for PGP Universal Servers that will be accessed
publicly. Older Web browsers may reject self-signed certificates or not
know how to handle them correctly when they encounter them via PGP
Universal Web Messenger or Smart Trailer.
Refer to Working with Certificates (on page
514) for more information.
9 Add trusted keys, configure internal and external user policy, and
establish mail policy.
All of these settings are important for secure operation of PGP Universal
Server. Refer to Managing Trusted Keys and Certificates (on page
133) for
information on adding trusted keys from outside the SMSA. Read Setting
Internal User Policy (on page
245) and Setting External User Policy (on page
339) for information about user policy settings. See Setting Mail Policy (on
page
145) to learn about setting up mail policy.
10 Configure the Directory Synchronization feature if you want to
synchronize an LDAP directory with your PGP Universal Server.
Using the Directory Synchronization feature gives you more control over
who is included in your SMSA, if you have an existing LDAP server.
31
PGP Universal Server The Big Picture
If you are going to use the Directory Synchronization feature, it’s best to
configure it before you install and configure your Secondary servers. Refer
to Using Directory Synchronization to Manage Users (on page
285) for
more information about the Directory Synchronization feature.
11 Install and configure the Secondary servers.
The Setup Assistant runs automatically when you first access a PGP
Universal Server. Remember that you must configure the Primary server in
the cluster first and tell it about the Secondary servers before you can
configure them. See Clustering your PGP Universal Servers (on page
523)
to learn more about Clustering.
12 Reconfigure the settings of your email clients and servers, if
necessary.
Depending on how you are adding the PGP Universal Server to your
network, some setting changes may be necessary. For example, if you are
using a PGP Universal Server placed internally, the email clients must have
SMTP authentication turned on. For PGP Universal Servers placed
externally, you must configure your mail server to relay SMTP traffic to the
PGP Universal Server.
13 Enable SNMP Polling and Traps.
You can configure PGP Universal Server to allow network management
applications to monitor system information for the device on which PGP
Universal Server is installed and to send system and application information
to an external destination. See Configuring SNMP Monitoring (on page
for more information.
14 Distribute PGP Universal Satellite and/or PGP Desktop to your
internal users, if appropriate.
If you want to provide seamless, end-to-end PGP message security without
the need for any user training, have them use PGP Universal Satellite.
Exchange/MAPI and Lotus Notes environments also require the use of PGP
Universal Satellite. PGP Desktop provides more features and user control
than PGP Universal Satellite. Refer to PGP Universal Satellite (on page
and Configuring PGP Desktop Installations (on page
303) for more
information.
15 Analyze the data from Learn Mode.
In Learn Mode, your PGP Universal Server monitors email traffic and
dynamically creates a SMSA; in fact, it does everything it would ordinarily
do except encrypt and sign. You can see what the PGP Universal Server
would have done without Learn Mode by monitoring the system logs.
Learn Mode lets you become familiar with how the PGP Universal Server
operates and it lets you see the effects of the policy settings you have
established before the PGP Universal Server actually goes live on your
network. Naturally, you can fine tune settings while in Learn Mode, so that
the PGP Universal Server is operating just how you want before you go
live.
503)
419)
32
PGP Universal Server The Big Picture
See Operating in Learn Mode (on page 105) for more information.
16 Adjust policies as necessary.
It may take a few tries to get everything working just the way you want.
For example, you may decide to revise your mail policy.
17 Perform backups of all PGP Universal Servers before you take them
out of Learn Mode.
This gives you a baseline backup in case you need to return to a clean
installation. To learn how to back up the PGP Universal Server, refer to
Backing Up and Restoring System and User Data (on page
537) for more
information.
18 Take your PGP Universal Servers out of Learn Mode.
Once this is done, email messages will be encrypted, signed, and
decrypted/verified, according to the relevant policy rules. Make sure you
have licensed each of your PGP Universal Servers; you cannot take a PGP
Universal Server out of Learn Mode until it has been licensed.
19 Monitor the system logs to make sure your PGP Universal Server
environment is operating as expected.
33
Adding the PGP Universal
3
Server to Your Network
This chapter provides information about how your PGP Universal Server
processes email, to help you decide how to integrate your PGP Universal
Servers into your existing network. It also includes information about using
Microsoft Exchange Server and Lotus Domino Server with PGP Universal
Satellite.
These topics are covered in the following sections:
In This Chapter
Server Placement .................................................................................... 35
Using a Mail Relay ................................................................................... 38
Microsoft Exchange Server ..................................................................... 38
Lotus Domino Server............................................................................... 39
Configuration Examples........................................................................... 39
Server Placement
A PGP Universal Server can be placed in your network in either of two locations
in the logical flow of data:
Internal placement. The PGP Universal Server is located between your
Gateway placement. The PGP Universal Server is located between your
Caution: The PGP Universal Server must not be behind a proxy server,
unless it is a transparent proxy, to receive licensing and update information
automatically. This is true for both gateway and internal placement.
email users and their local mail server in the logical flow of data.
external facing mail server and the Internet in the logical flow of data.
35
PGP Universal Server Adding the PGP Universal Server to Your Network
Gateway Placement
With a gateway placement, your PGP Universal Server sits between your mail
server and the Internet in the logical flow of data.
PGP Universal Server gateway placement
Example Corp. DMZ
External email user
Logical flow of data
Example Corp. internal network
Example Corp. email users
Example Corp. email server
Note: The physical location of the PGP Universal Server and the mail server
are not important. What is important is that, from a mail relay point of view,
the PGP Universal Server is between the mail server and the Internet. Both
could be on the internal network or in the DMZ.
With a gateway placement, email messages are secured before they are sent to
the Internet (on the way to their destination) and decrypted/verified when
received from the Internet, over SMTP in both cases.
Be sure to require authentication of incoming mail, or you risk creating an open
relay.
36
PGP Universal Server Adding the PGP Universal Server to Your Network
Note: Email users on your internal network should not be allowed direct
access to a PGP Universal Server in gateway placement. PGP Universal
Server will attempt to enforce this automatically based on your configuration.
The mail server should also be configured to verify From addresses if you
intend to use the signing features of PGP Universal Server.
With a gateway placement, messages are stored unsecured on the mail server
(unless PGP Universal Satellite is being used).
For PGP Universal Server to create the SMSA, you must make sure to correctly
configure your mail server when you are using PGP Universal Servers in
gateway placements.
Internal Placement
With an internal placement, your PGP Universal Server sits between your email
users and their email server in the logical flow of data.
1
2
3
4
5
6
7
PGP Universal Server internally placed
Example Corp. email server
Example Corp. DMZ
External email user
Logical flow of data
Example Corp. internal network
Example Corp. email users
37
PGP Universal Server Adding the PGP Universal Server to Your Network
Note: The physical location of the PGP Universal Server and the mail server
are not important. What is important is that, from a mail relay point of view,
the PGP Universal Server is between the email users and the mail server.
Both could be on the internal network or in the DMZ. From a performance
perspective, it is generally advisable to put them next to each other on the
same network.
With an internal placement of your PGP Universal Server, messages are
secured based on the applicable policies when they are sent to the mail server
using SMTP; they are decrypted and verified when they are retrieved from the
mail server using POP or IMAP.
With an internal placement, messages are stored secured on the mail server.
Messages are only transmitted unencrypted between the internal user and the
PGP Universal Server, and then only if PGP Universal Satellite has not been
deployed globally to your internal users. If your mail server is configured for
SSL/TLS communications with the email client, the messages can be passed
through that encrypted channel thus maintaining encryption along the entire
path.
For PGP Universal Server to create the SMSA, email clients must have SMTP
authentication turned on when they are communicating with a PGP Universal
Server in an internal placement.
Using a Mail Relay
PGP Universal Server can forward outgoing email, after processing, to a central
mail gateway acting as a mail relay. Sites that use explicit mail routing can use
the mail relay feature to forward outgoing email to a mail relay that performs
this explicit routing.
You cannot configure the mail relay when you initially configure the server using
the Setup Assistant. Instead, you have to configure the server for gateway
placement and then use the administrative interface to configure the mail relay.
Configure the relay on the Outbound or Unified SMTP proxy. Refer to Creating
New or Editing Existing Proxies (on page
Microsoft Exchange Server
Messaging Application Programming Interface (MAPI) support is available for
Microsoft Exchange Server environments by using PGP Desktop or PGP
Universal Satellite for Windows. MAPI support is not available in PGP Universal
Satellite for Mac OS X because there are no MAPI email clients for Mac OS X.
For more information about using MAPI, see Exchange with PGP Client
Software (on page
52) and MAPI Support (on page 458).
224) for more information.
38
PGP Universal Server Adding the PGP Universal Server to Your Network
Lotus Domino Server
Lotus Domino Servers and the Lotus Notes email client (versions 5.x and above)
are supported in PGP Desktop and PGP Universal Satellite for Windows.
For more information about using the Lotus Notes email client, see Lotus
Domino Server with PGP Client Software (on page
(on page
461).
53) and Lotus Notes Support
Configuration Examples
This section shows and describes potential configurations for PGP Universal
Server:
Internal Placement Configuration (on page
Gateway Placement Configuration (on page
Non-mailstream Placement Configuration (on page
Cluster Configuration (on page
43)
Clustered Proxy and Keyserver Configuration (on page
Gateway Cluster with Load Balancer (on page
Gateway and Internal Placement Cluster (on page
Encircled Configuration (on page
49)
Large Enterprise Configuration (on page
Spam Filters and PGP Universal Server (on page
Exchange with PGP Client Software (on page
Lotus Domino Server with PGP Client Software (on page
Unsupported Configurations (on page
40)
41)
42)
44)
46)
47)
50)
51)
52)
53)
53)
39
PGP Universal Server Adding the PGP Universal Server to Your Network
Internal Placement Configuration
In this example, Example Corporation has one main office but wants to support
external email users.
1
PGP Universal Server internally placed
2
Example Corp. email server
3
External email user
4
Logical flow of data
5
Example Corp. internal network
6
Example Corp. email users
Settings for 1: Notes
Server type: Primary
Mail processing: Internal placement
Hostname: mail.example.com
Mail server: mail-1.example.com
Change mail.example.com to mail-
1.example.com and the PGP Universal
Server becomes mail.example.com.
End users may require no changes to
their configuration; SMTP Authentication
may need to be enabled for end users.
IP Address, Subnet Mask, Gateway, and
DNS Servers: As appropriate
Create a DNS alias for
keys.example.com to also point to the
PGP Universal Server.
By placing the server in the DMZ, the company can use an internal placement
(which means its messages are encrypted even while on its mail server) and
still support external email users via Smart Trailers, PGP Universal Web
Messenger mail, or PGP Universal Satellite.
40
PGP Universal Server Adding the PGP Universal Server to Your Network
Gateway Placement Configuration
In this example, Example Corporation has its PGP Universal Server in a gateway
placement.
1
PGP Universal Server gateway placement
2
Example Corp. DMZ
3
External email user
4
Logical flow of data
5
Example Corp. internal network
6
Example Corp. email users
7
Example Corp. email server
Settings for 1: Notes:
Server type: Primary
Mail processing: Gateway placement
Hostname: mail-gw.example.com
Mail server: mail.example.com
Add or modify the MX record for
example.com to point to PGP
Universal Server’s IP address on
mail-gw.example.com.
Also in DNS, create an alias
keys.example.com that points to
IP Address, Subnet Mask, Gateway, and
DNS Servers: As appropriate
mail-gw.example.com.
Mail server must be configured to
relay through the PGP Universal
Server.
Gateway placement also supports external email users via Smart Trailers or
PGP Universal Web Messenger mail.
41
PGP Universal Server Adding the PGP Universal Server to Your Network
Non-mailstream Placement Configuration
In this example, Example Corporation has a PGP Universal Server placed
outside the mailstream. The PGP Universal Server integrates with PGP Desktop
to provide automated user enrollment and real-time end-user security policy
management. This is a common configuration for a PGP Universal Server
managing client installations without PGP Gateway Email.
1
PGP Universal Server policy/management
2
Example Corp. email server
3
Example Corp. DMZ
4
External email user
5
Logical flow of data
6
Example Corp. internal network
7
Example Corp. PGP Desktop & email users
Settings for 1: Notes:
Server type: Primary
Mail processing: None
PGP Universal Server is outside of
mailstream.
All encryption, decryption, signing, and
IP Address, Subnet Mask, Gateway, and
DNS Servers: As appropriate
verification is done through PGP
Desktop.
42
PGP Universal Server Adding the PGP Universal Server to Your Network
Cluster Configuration
In this example, Example Corporation has a cluster, with multiple PGP Universal
Servers proxying messages on its internal network, and another server in the
DMZ that performs keyserver and PGP Universal Web Messenger functions
only.
1
PGP Universal Server Keyserver/Web Messenger
2
Example Corp. email server
3
Logical flow of data
4
Example Corp. internal network
5
Manufacturing - PGP Universal Server internally
placed
6
Development - PGP Universal Server internally
placed
7
Administration - PGP Universal Server internally
8
Example Corp. DMZ
43
PGP Universal Server Adding the PGP Universal Server to Your Network
Notes:
One internally placed PGP Universal Server configured as
Primary in the Cluster; the other and the keyserver
configured as Secondary.
Mail server does not relay through the keyserver PGP
Universal Server.
Cluster port (444) on firewall between the internally placed
servers and the keyserver must be opened.
No mail proxies configured on the keyserver.
Clustered Proxy and Keyserver Configuration
In this example, Example Corporation has a cluster, with one PGP Universal
Server proxying messages on its internal network, and another server in the
DMZ that performs keyserver and PGP Universal Web Messenger functions
only.
1
PGP Universal Server internally placed
2
PGP Universal Server Keyserver/Web
Messenger
3
Example Corp. email server
4
Example Corp. DMZ
5
External email user
6
Logical flow of data
7
Example Corp. internal network
44
PGP Universal Server Adding the PGP Universal Server to Your Network
8
Example Corp. email users
Settings for 1: Settings for 2:
Server type: Primary
Server type: Secondary
Mail processing: Internal placement
Hostname: mail.example.com
Mail server: mail-1.example.com
IP Address, Subnet Mask, Gateway, and
Mail processing: Disabled
Hostname: keys.example.com
IP Address, Subnet Mask, Gateway, and
DNS Servers: As appropriate
DNS Servers: As appropriate
Notes:
mail.example.com becomes mail-1.example.com. PGP Universal Server becomes
mail.example.com.
Mail server does not relay through 2.
Cluster port (444) on firewall between the two servers must be opened.
To support external users via PGP Universal Web Messenger, Example Corp.
could also designate the keyserver as a PGP Universal Web Messenger server.
45
PGP Universal Server Adding the PGP Universal Server to Your Network
Gateway Cluster with Load Balancer
In this example, Example Corporation is using an F5 BIG-IP load balancer to
handle address rotation between the PGP Universal Servers in the cluster,
ensuring that traffic goes through all of them.
1
F5 BIG-IP Load Balancer
2
PGP Universal Server 1
3
PGP Universal Server 2
4
PGP Universal Server 3
5
Logical flow of data
6
Example Corp. internal network
7
Example Corp. email user
8
Example Corp. DMZ
9
Example Corp. email server
46
PGP Universal Server Adding the PGP Universal Server to Your Network
Settings for 1: Settings for 2:
Virtual server for trusted interface:
cluster-gw-internal.example.com
Virtual server addresses: Trusted
interfaces for hosts 2, 3, and 4, port
25
Virtual server for untrusted interface:
cluster-gw.example.com
Virtual server addresses: Untrusted
interfaces for hosts 2, 3, and 4, ports
Server type: Primary
Mail processing: Gateway
placement
Hostname: cluster1-
gw.example.com
Mail server: mail.example.com
IP Address, Subnet Mask, Gateway,
and DNS Servers: As appropriate
25 and 389
IP Address, Subnet Mask, Gateway,
and DNS Servers: As appropriate
Settings for 3:
Server type: Secondary
Hostname: cluster2-
gw.example.com
IP Address, Subnet Mask, Gateway,
and DNS Servers: As appropriate
Notes:
Add DNS MX record that points to cluster-gw.example.com.
Also in DNS, create an alias from cluster-gw.example.com to
keys.example.com.
The mail server must be reconfigured to relay through
cluster-gw-internal.example.com.
Gateway and Internal Placement Cluster
You can have a cluster that includes both a PGP Universal Server internally
placed and a PGP Universal Server in a gateway placement managing a single
mail server, but you should carefully consider why you need both at a single
location.
Settings for 4:
Server type: Secondary
Hostname: cluster3-
gw.example.com
IP Address, Subnet Mask, Gateway,
and DNS Servers: As appropriate
One good reason would be for the PGP Universal Server in gateway placement
to act exclusively as a keyserver or as a PGP Universal Web Messenger server,
while the PGP Universal Server(s) internally placed handles message
processing.
47
PGP Universal Server Adding the PGP Universal Server to Your Network
The most common usage for this configuration is when you have internal MAPI
clients running PGP Universal Satellite in addition to non-MAPI clients using
POP, IMAP, and SMTP. In such a scenario, those using standards-based
protocols connect to the internally placed PGP Universal Server while the PGP
Universal Server in gateway placement ensures proper handling of PGP
Universal Web Messenger and Smart Trailer messages for the MAPI clients.
1
PGP Universal Server gateway placed
2
Example Corp. DMZ
3
External email user
4
Example Corp. internal network
5
PGP Universal Server internally placed
6
Example Corp. email users
7
Example Corp. email server
Notes:
If the same user sends messages from different
locations (such as from the internal network using a
desktop computer and then from a remote location using
a laptop), they may create multiple user accounts and/or
keys.
The Primary server is internally placed, with PGP
Universal Web Messenger disabled. The Secondary
server is in the DMZ, in gateway placement, with PGP
Universal Web Messenger enabled.
48
PGP Universal Server Adding the PGP Universal Server to Your Network
Encircled Configuration
Using PGP Universal Server in an encircled configuration is an alternative to
placing two PGP Universal Servers in a clustered internal/gateway placement,
when you have internal MAPI clients running PGP Universal Satellite in addition
to non-MAPI clients using POP, IMAP, and SMTP.
1
PGP Universal Server internally
placed
2
Example Corp. email server
3
Example Corp. DMZ
4
External email user
5
Example Corp. internal network
6
Example Corp. email users
Settings for 1: Notes:
Server type: Primary
Mail processing: Internal placement
Add DNS MX record that points to
mail.example.com.
Optional: to hide internal PGP Universal
Hostname: mail.example.com
Mail server: mail-1.example.com
Server IP from outside, use 2nd IP in the
DMZ.
IP Address, Subnet Mask, Gateway, and DNS
Servers: As appropriate
PGP Universal Web Messenger and keyserver
functionality enabled
49
PGP Universal Server Adding the PGP Universal Server to Your Network
Large Enterprise Configuration
As a large enterprise, Example Corporation has a sophisticated network that
includes multiple PGP Universal Servers that are load balanced, PGP Universal
Satellite users, a separate PGP Universal Server for PGP Universal Web
Messenger and keyserver support, and a standalone Mail Transfer Agent (MTA).
1
2
3
4
5
6
7
8
9
10, 11
PGP Universal Server Keyserver/Web Messenger
Example Corp. DMZ
Example Corp. email server
F5 BIG-IP Load Balancer
PGP Universal Server 1
PGP Universal Server 2
PGP Universal Server 3
MTA
Example Corp. internal network
Example Corp. email user with PGP Universal
Satellite
50
PGP Universal Server Adding the PGP Universal Server to Your Network
The company uses its MTA to perform static email routing and to establish rules
that govern which email messages are processed by PGP Universal Server and
which are not. Naturally, the features of the MTA being used govern what it can
be used for.
Note: PGP Corporation does not recommend any specific MTA for use with
PGP Universal Server. Make sure the MTA you decide to use is correctly
configured for use with PGP Universal Server.
Spam Filters and PGP Universal Server
Example Corporation has both a content-based and a Realtime Blackhole List
(RBL) spam filter that it wants to use in conjunction with its PGP Universal
Server. (An RBL is a list of servers that are known to send out spam or to be
open relays.)
The company is careful to locate the respective spam filters in the appropriate
locations in the logical flow of data and to configure them correctly.
PGP Universal Server internally placed
1
Example Corp. email user
2
Content-based spam filter
3
PGP Universal Server internally placed
4
Example Corp. email server
5
RBL-based spam filter
PGP Universal Server in gateway placement
1
Example Corp. email user
2
Example Corp. email server
3
Content-based spam filter
4
PGP Universal Server externally placed
5
RBL-based spam filter
51
PGP Universal Server Adding the PGP Universal Server to Your Network
Notes:
The content-based spam filter sits between the internal email
users and the PGP Universal Server in the logical flow of data so
that messages are decrypted before they are checked for spam.
This allows even PGP Universal Server–encrypted messages to be
checked. Other SMTP filtering devices (such as a standalone
antivirus gateway, for example) would be placed in the same
location.
Both spam filters must be correctly configured. For example, the
content-based spam filter must not treat the PGP Universal Server
as a “trusted mail relay” to avoid creating an open relay; this
requirement could mean the spam filter must disable its reverse
MX lookups feature.
For the gateway placement scenario, the content-based spam filter
must be configured on the PGP Universal Server as a mail server.
This is done on the inbound or Unified SMTP proxy.
With an internal placement, the content-based spam filter is not
filtering SMTP, only POP/IMAP, so no special configuration on the
PGP Universal Server is required.
As an alternative configuration, Example Corporation could put both spam filters
between its PGP Universal Server and its firewall in the logical flow of data.
Although PGP Universal Server–encrypted messages would still be scanned for
spam, because they would not yet be decrypted, it is unlikely that any spam
would be found.
This alternative configuration would catch any spam that was not in a PGP
Universal Server–encrypted message, however. So it would be effective if
Example Corp. assumes that its PGP Universal Server–encrypted messages are
free of spam or if another factor requires the content-based spam filter to be in
this location; for example, if the content-based spam filter requires the use of
reverse MX lookups.
Caution: If Example Corporation began receiving encrypted spam, it could
relocate its content-based spam filter to sit between its internal email users
and its PGP Universal Server, or it could add another content-based spam
filter there. Because spam encryption is CPU-intensive and therefore
inefficient, it is unlikely that Example Corporation would receive any.
Exchange with PGP Client Software
Microsoft Exchange Server environments (MAPI) are supported in PGP Desktop
and PGP Universal Satellite for Windows for both internal and external PGP
Universal Server users.
For more information about Microsoft Exchange Server environments and MAPI
support, refer to MAPI Support (on page
458).
52
PGP Universal Server Adding the PGP Universal Server to Your Network
Lotus Domino Server with PGP Client Software
Lotus Domino Server environments, including the Lotus Notes email client, are
supported in PGP Desktop and PGP Universal Satellite for Windows for both
internal and external PGP Universal Server users.
For more information about Lotus Domino Server environments and Lotus
Notes email client support, refer to Lotus Notes Support (on page
461).
Unsupported Configurations
Not every PGP Universal Server deployment scenario is a supported
Multiple Gateway–Placed Servers
configuration.
You cannot have multiple PGP Universal Servers operating in gateway
placements in one DMZ.
1
PGP Universal Server 1
2
PGP Universal Server 2
3
PGP Universal Server 3
4
PGP Universal Server 4
53
PGP Universal Server Adding the PGP Universal Server to Your Network
5
Acmecorp email server
6
Example Corp. DMZ
7
Logical flow of data
8
Example Corp. email user
9
Example Corp. internal network
Notes:
This configuration will not work as expected because the mail
server will only route outbound email through one of the PGP
Universal Servers.
You can use load balancing to achieve a similar result; refer to Gateway Cluster
with Load Balancer (on page
46) for more information.
54
4
Open Ports
This chapter lists and describes the ports a PGP Universal Server has open and
on which it is listening.
All of the protocols listed are described in the Glossary.
In This Chapter
TCP Ports................................................................................................. 55
UDP Ports ................................................................................................ 57
TCP Ports
Port Protocol/Service Comment
21
22
25
80
110
FTP (File Transfer Protocol)
Open SSH (Secure Shell)
SMTP (Simple Mail Transfer
Protocol)
HTTP (HyperText Transfer
Protocol)
POP (Post Office Protocol)
Used for transmitting encrypted
backup archives to other servers.
Data is sent via passive FTP, so
port 20 (FTP Data) is not used.
Used for remote shell access to
the server for low-level system
administration.
Used for sending mail. With a
gateway placement, the PGP
Universal Server listens on port 25
for both incoming and outgoing
SMTP traffic
Used to allow user access to the
Verified Directory. If the Verified
Directory is not enabled, access on
this port will automatically be
redirected to port 443 over HTTPS.
Used for retrieving mail by users
with POP accounts with internal
placements only. Closed for
gateway placements.
55
PGP Universal Server Open Ports
Port Protocol/Service Comment
143
389
443
444
465
636
IMAP (Internet Message Access
Protocol)
LDAP (Lightweight Directory
Access Protocol)
HTTPS (HyperText Transfer
Protocol, Secure)
SOAPS (Simple Object Access
Protocol, Secure)
SMTPS (Simple Mail Transfer
Protocol, Secure)
LDAPS (Lightweight Directory
Access Protocol, Secure)
Used for retrieving mail by users
with IMAP accounts with internal
placements only. Closed for
gateway placements.
Used to allow remote hosts to look
up public keys of local users.
Used for PGP Universal Satellite
policy distribution and PGP
Universal Web Messenger access.
Used for clustering, and
communication with PGP Desktop
installations.
Used for sending mail securely
with internal placements only.
Closed for gateway placements.
This is a non-standard port used
only by legacy mail servers. We
recommend not using this port,
and instead always using
STARTTLS on port 25.
Used to securely allow remote
hosts to look up public keys of
local users.
993
995
9000
IMAPS (Internet Message Access
Protocol, Secure)
POPS (Post Office Protocol,
Secure)
HTTPS (HyperText Transfer
Protocol, Secure)
Used for retrieving mail securely
by users with IMAP accounts with
internal placements only. Closed
for gateway placements.
Used for retrieving mail securely
by users with POP accounts with
internal placements only. Closed
for gateway placements.
Used to allow access to the PGP
Universal Server administrative
interface.
56
PGP Universal Server Open Ports
UDP Ports
Port Protocol/Service Comment
123
161
NTP (Network Time
Protocol)
SNMP (Simple Network
Management Protocol)
Used to synchronize the system’s clock
with a reference time source on a different
server.
Used by network management
applications to query the health and
activities of PGP Universal Server software
and the computer on which it is installed.
57
Naming your PGP
5
Universal Server
This section describes how and why to name your PGP Universal Server using
the keys.<domain> convention.
In This Chapter
Considering a Name for Your PGP Universal Server ............................... 59
Methods for Naming a PGP Universal Server ......................................... 60
Considering a Name for Your PGP Universal Server
Unless a valid public key is found locally, PGP Universal Servers automatically
look for valid public keys for email recipients by attempting to contact a
keyserver at a a special hostname, keys.<domain>, where <domain> is the
email domain of the recipient.
For example, let’s assume an internal user at example.com is sending email to
susanjones@widgetcorp.com.” If no valid public key for Susan is found on the
“
Example Corp. PGP Universal Server (keys would be found locally if they are
cached, or if Susan was an external user who explicitly supplied her key via the
PGP Universal Web Messenger service), it will automatically look for a valid
public key for Susan at keys.widgetcorp.com, even if there is no domain policy
for widgetcorp.com on Example’s PGP Universal Server.
Naturally, the Example Corp. PGP Universal Server will only be able to find a
valid public key for “
Widgetcorp PGP Universal Server is named using the keys.<domain>
convention.
Caution: PGP Corporation strongly recommends you name your PGP
Universal Server according to this convention, because doing so allows other
PGP Universal Servers to easily find valid public keys for email recipients in
your domain. Make sure to name your externally visible PGP Universal Server
using this convention.
If your organization uses email addresses like “mingp@example.com” as well
mingp@corp.example.com,” then you need your PGP Universal Server to
as “
be reachable at both keys.example.com and keys.corp.example.com.
susan@widgetcorp.com” at keys.widgetcorp.com if the
59
PGP Universal Server Naming your PGP Universal Server
If you have multiple PGP Universal Servers in a cluster managing an email
domain, only one of those PGP Universal Servers needs to use the
keys.<domain> convention.
Note: Keys that are found using the keys.<domain> convention are treated
as valid and trusted by default.
Alternately, keys.<domain> should be the address of a load-balancing device
which then distributes connections to your PGP Universal Server’s keyserver
service. The ports that would need to be load-balanced are the ones on which
you’re running your keyserver service (typically port 389 for LDAP and 636 for
LDAPS).
Another acceptable naming convention would be to name your PGP Universal
Server according to the required naming convention your company uses, and
make sure the server has a DNS alias of keys.<domain>.com.
If you are administering multiple email domains, you should establish the
keys.<domain> convention for each email domain.
If your PGP Universal Server is behind your corporate firewall (as it should be),
you will need to make sure that ports 389 (LDAP) and 636 (LDAPS) are open to
support the keys.<domain> convention.
Methods for Naming a PGP Universal Server
There are three ways to name your PGP Universal Server to support the
keys.<domain> convention:
Name your PGP Universal Server “keys.<domain>” on the Host Name
field of the Network Setup screen in the Setup Assistant.
Change the Host Name of your PGP Universal Server to keys.<domain>
using the administrative interface on the Network Settings card of the
System>Network screen.
Create a DNS alias to your PGP Universal Server that uses the
keys.<domain> convention that is appropriate for your DNS server
configuration.
60
Installing the PGP
6
Universal Server
This section describes how to set up your PGP Universal Server; it lists the
system requirements, gives an overview of the installation procedure, and
provides step-by-step instructions on how to install the software.
Refer to Installation Overview (on page
procedure.
In This Chapter
About the Installation Procedure ............................................................. 61
System Requirements............................................................................. 62
Installation Materials................................................................................ 62
Installation Options.................................................................................. 62
Standard Installation Procedure............................................................... 63
PGP Installation Procedure ...................................................................... 64
29) to understand the entire installation
About the Installation Procedure
You should install and test the upgrade in a lab or staging environment before
integrating the upgrade into your network.
Every PGP Universal Server requires a dedicated computer that meets the
system requirements listed below. The installation process deletes all data on
the system and reconfigures it as a PGP Universal Server.
Warning: Make sure there is no data on the system that you need to save
before you begin the installation process.
The installation software is included on the Server Installation CD. PGP
Universal Server also includes a second CD with documentation, software
license, PGP Universal Satellite and PGP Desktop software installers, necessary
USB token drivers, and Release Notes.
Note: PGP Corporation strongly recommends locating your PGP Universal
Servers in secured areas with restricted access. Only authorized individuals
should be granted physical access to PGP Universal Servers.
61
PGP Universal Server Installing the PGP Universal Server
System Requirements
Refer to the Release Notes for the latest system requirement information.
You must install the PGP Universal Server software on PGP Universal Server
Certified Hardware. You can find the latest PGP Universal Server Certified
Hardware List available on PGP Corporation's website (
www.pgp.com).
Installation Materials
PGP Universal Server is distributed on two CDs. One CD contains the installer.
Use this CD to install the server on PGP Universal Server Certified Hardware.
The other CD contains documentation, PGP Universal Satellite and PGP
Desktop software installers, and the necessary USB token drivers to initialize
PGP Universal Server Ignition Keys.
Installation Options
When you insert the installation CD and reboot the server, you can choose a
standard or pgp installation.
If you choose to run a standard installation, during installation you will be asked
to provide the following information for the PGP Universal Server:
IP address
Subnet mask
Default gateway
DNS information
Hostname
Refer to Standard Installation Procedure (on page
If you provide the network information during installation, you will not have to
enter it into the Setup Assistant interface later in the configuration procedure.
The standard installation also simplifies the steps necessary to connect to the
PGP Universal Server during setup.
If you choose to run a pgp installation, you will enter network information after
the installation process, through the browser-based Setup Assistant. Refer to
PGP Installation Procedure (on page
initially, requires a more complicated procedure to connect and continue setting
up your PGP Universal Server.
63).
64). The pgp installation, while simpler
62
PGP Universal Server Installing the PGP Universal Server
Standard Installation Procedure
To install the PGP Universal Server software using the standard
installation
1 Set up the system that will be hosting the server in a secure location.
2 Attach a keyboard and monitor to the server on which you are installing
PGP Universal Server.
3 Insert the PGP Universal Server Installation CD into the drive.
4 Reboot the system.
When the system reboots, the install begins.
5 At the prompt, press Enter.
The pre-installation will run for approximately 2 minutes.
The Network Configuration screen will appear.
6 Type the IP address and Prefix (Netmask) for the PGP Universal Server, and
select OK.
The Miscellaneous Network Settings screen appears.
7 Type the Gateway, Primary DNS, and Secondary DNS, and select OK.
The Hostname Configuration screen appears.
8 Type the Hostname for the PGP Universal Server, and select OK.
PGP Corporation strongly recommends you name your externally visible
PGP Universal Server according to the keys.<domain> convention, which
allows other PGP Universal Servers to easily find valid public keys for email
recipients in your domain. Refer to Naming your PGP Universal Server (on
page
59) for more information.
Installation takes approximately 15 minutes.
When the software is installed, the system will automatically reboot. After
the system reboots, you will see a login prompt. Do not log in here. You
will not need to log in to complete the setup.
9 Connect to the server through the Setup Assistant browser interface at
https://<hostname>:9000 or https://<IP address>:9000. See Initial
Configuration with Setup Assistant (on page
67) to continue with the
installation and setup.
63
PGP Universal Server Installing the PGP Universal Server
PGP Installation Procedure
To install the PGP Universal Server software using the pgp option
1 Set up the system that will be hosting the server in a secure location.
2 Attach a keyboard and monitor to the server on which you are installing
PGP Universal Server.
3 Insert the PGP Universal Server Installation CD into the drive.
4 Reboot the system.
When the system reboots, the install begins.
5 Type pgp at the prompt and press Enter at the first installation screen to
choose the pgp installation.
The pre-installation will run for approximately 2 minutes.
Installation will take approximately 15 minutes.
When the software is installed, the system will automatically reboot. After
the system reboots, you will see the prompt “pgpuniversal login.” Do not
log in here. You will not need to log in to complete the setup.
6 Connect to the server through the Setup Assistant browser interface. See
Preparing for Setup after pgp Install (on page
66) to continue with the
installation and setup.
64
Setting Up the PGP
7
Universal Server
This section describes how to access and use the Setup Assistant, which is a
set of screens you use to configure your PGP Universal Server.
In This Chapter
About the Setup Assistant .......................................................................65
Preparing for Setup after pgp Install ........................................................66
Initial Configuration with Setup Assistant ................................................67
Primary or Secondary Configuration.........................................................76
Restoring From a Server Backup .............................................................86
Migrating the Keys from a PGP Keyserver ..............................................87
About the Setup Assistant
The Setup Assistant only appears the first time you access the PGP Universal
Server. The Setup Assistant displays a series of screens that ask you questions
about your network and about how you want your PGP Universal Server to
work; the Setup Assistant uses the answers to those questions to configure
your PGP Universal Server.
In many cases, the Setup Assistant will do the majority of the configuration for
your PGP Universal Server. You can change any settings you establish with the
Setup Assistant anytime after you run it using the administrative interface of the
PGP Universal Server; you can also use the administrative interface to configure
those features not covered in the Setup Assistant.
The Setup Assistant supports four types of setups:
Primary. You are configuring a PGP Universal Server that will be your only
PGP Universal Server or the Primary server in a cluster.
Secondary. You are configuring a PGP Universal Server that will be a
Secondary server in a cluster. You must have already set up the Primary
server in the cluster or this setup will not work.
Restore. You are restoring backed-up data from another PGP Universal
Server onto a new PGP Universal Server. You will need the backed-up data
file and the Organization Key used to encrypt the backup file.
65
PGP Universal Server Setting Up the PGP Universal Server
Refer to the PGP Universal Server Upgrade Guide for more information
about configuring a PGP Universal Server with data from a backup.
Keyserver. You are migrating the keys and data from a PGP Keyserver to a
PGP Universal Server.
Refer to the PGP Universal Server Upgrade Guide for more information
about configuring a PGP Universal Server with the keys from a
PGP Keyserver.
All four setup types have a common beginning: you read the End User License
Agreement, specify the type of setup, and configure the network settings for
your PGP Universal Server, then the PGP Universal Server is restarted. Once
the PGP Universal Server is restarted, you can connect to it via a Web browser
and continue with the rest of the Setup Assistant.
Preparing for Setup after pgp Install
If you chose the standard installation option, you can skip this procedure and
refer to Initial Configuration with Setup Assistant (on page
pgp installation, you must gather some necessary materials and information
before you can continue with the setup.
67). If you chose the
Hardware
To configure your PGP Universal Server using the Setup Assistant You must
have the following:
A Windows or Mac OS X computer from which you will connect to the
A crossover Ethernet cable to connect a Windows or Mac OS X computer
System Information
You will also need some information to configure your PGP Universal Server:
Connect through the temporary IP address and subnet of the newly
PGP Universal Server using a Web browser so that you can run the Setup
Assistant.
to the PGP Universal Server.
installed PGP Universal Server, which will be used for the initial
configuration portion of the Setup Assistant:
IP: 192.168.1.100:9000
Subnet: 255.255.255.0
66
PGP Universal Server Setting Up the PGP Universal Server
You will use this data to connect to the PGP Universal Server you are
configuring in the initial configuration portion of the Setup Assistant, before
the PGP Universal Server is available via a Web browser.
An IP address, name, gateway, and DNS server information for the PGP
Universal Server.
A license or license authorization from PGP Corporation. Which one you
need depends on your Internet connection:
If your PGP Universal Server can connect to the PGP Licensing Server
over the Internet, the license server will authorize your PGP Universal
Server license.
If your PGP Universal Server cannot connect to the PGP Licensing
Server over the Internet, you will need the License Authorization file
to correctly license your PGP Universal Server. The License
Authorization file is a text file you will need during the configuration
process.
Other data, such as your Organization Key or a saved backup, may also be
needed, depending on the type of setup you are performing.
Connect to the PGP Universal Server
Connect to the PGP Universal Server to continue the installation and setup.
Configure the client machine with a fixed IP address and access the PGP
Universal Server from this machine.
You will need a crossover Ethernet cable when connecting the PGP Universal
Server.
1 Configure the client machine:
IP: 192.168.1.99
Subnet: 255.255.255.0
If you are using a Mac OS X client machine, you can save this temporary
setup as a separate location in Network Preferences (such as “setup”) for
future use.
2 Continue setup as described in the section Initial Configuration with Setup
Assistant (on page
67).
Initial Configuration with Setup Assistant
The Setup Assistant guides you through establishing the PGP Universal Server’s
network configuration and setup type.
67
PGP Universal Server Setting Up the PGP Universal Server
After the software installs and the server restart, you can connect to the PGP
Universal Server via a Web browser at the configured IP address and finish
running the Setup Assistant.
1 Open a Web browser and connect to the PGP Universal Server:
If you chose the standard installation, connect to
https://<hostname>:9000, using the hostname or IP address you
assigned to the PGP Universal Server.
If you chose the pgp installation, and you are using a client machine
with a fixed IP address, connect to
https://192.168.1.100:9000, as
explained in the section Preparing for Setup after pgp Install (on page
66).
The Welcome screen of the Setup Assistant appears.
2 Read the text, then click the Forward arrow to continue.
68
PGP Universal Server Setting Up the PGP Universal Server
The End User License Agreement screen appears.
3 Read the text of the License Agreement, then click the I Agree button at
the end of the agreement.
69
PGP Universal Server Setting Up the PGP Universal Server
The Setup Type screen appears.
4 Make the appropriate selection:
Select Primary if you want this to be the Primary PGP Universal
Server in a cluster or if this is the only PGP Universal Server in your
network.
Select Secondary if this is a Secondary PGP Universal Server in a
cluster (secondary servers synchronize their settings with the
Primary).
If you are setting up a cluster of PGP Universal Servers, you must
configure the Primary first, then the Secondary servers. Refer to
Clustering your PGP Universal Servers (on page
523) for more
information.
If you are upgrading a Secondary cluster member, you will need to
recreate certain settings manually after installation and setup. Follow
the procedure in the PGP Universal Server Upgrade Guide for more
details.
70
PGP Universal Server Setting Up the PGP Universal Server
Select Restore if you want to restore the data from a server backup.
You will need your Organization Key and access to the backup file to
proceed with this installation. Refer to the PGP Universal Server
Upgrade Guide for more information.
Select Keyserver if you want to migrate the keys on an existing PGP
Keyserver to the PGP Universal Server you are configuring. See the
PGP Universal Server Upgrade Guide for more information.
5 Click the Forward arrow to continue.
The Date & Time screen appears.
Your server preforms many time-based operations, so it is important to set
up the correct time.
6 Pull down the Time Zone drop-down list and select your location.
7 Choose Time Format and Date Format settings.
8 Set the correct Time and Date.
9 Optionally, specify an NTP time server in the NTP Server field. The PGP
Universal Server will automatically synchronize the time when the Setup
Assistant is finished.
71
PGP Universal Server Setting Up the PGP Universal Server
10 Click the Forward arrow to continue.
The Network Setup screen appears.
11 If you chose the standard installation, this information is already present.
Otherwise, enter the appropriate information:
a In the Hostname field, enter a name for this PGP Universal
Server. This must be a fully-qualified domain name of the
external, untrusted interface.
PGP Corporation strongly recommends you name your externally visible
PGP Universal Server according to the keys.<domain> convention,
which allows other PGP Universal Servers to easily find valid public keys
for email recipients in your domain.
For example, Example Corporation names its externally visible PGP
Universal Server “keys.example.com.” Refer to Naming your PGP
Universal Server (on page
59) for more information.
b In the IP Address field, enter an IP address for this PGP
Universal Server.
c In the Subnet Mask field, enter a subnet mask for this PGP
Universal Server.
72
PGP Universal Server Setting Up the PGP Universal Server
d In the Gateway field, enter the IP address of the default
gateway for the network.
e In the DNS Servers field, enter the IP address(es) of the DNS
servers for your network.
12 Click the Forward arrow to continue.
The Proxy Configuration screen appears.
If your PGP universal Server has a direct Internet connection, or you want
to set up a proxy server configuration at a later time, click Skip and go on
to step 13.
If your PGP Universal Server does not have a direct Internet connection,
you can still receive licensing authorization and automatic system software
updates from PGP Corporation through an HTTP proxy server.
Configure the proxy server to authenticate and authorize the PGP Universal
Server, and to proxy HTTP traffic for updates and license authorization
requests. Make sure the proxy access list and authentication parameters
are correct. The proxy server must also be able to contact and relay HTTP
traffic to and from PGP Corporation.
Type in the following proxy server information:
73
PGP Universal Server Setting Up the PGP Universal Server
Hostname/IP
Port number
Username (optional)
Passphrase (optional)
13 Click the Forward arrow to continue.
The Confirmation screen appears.
14 Make sure the information is correct, then click Done.
Click the Back arrow if you need to go back and make any changes.
74
PGP Universal Server Setting Up the PGP Universal Server
The Network Configuration Changed dialog appears, while the server
restarts automatically.
If you chose the standard installation, skip step 14 and go on to the next
section.
If you chose the pgp installation, go on to the next step. At this point, your
PGP Universal Server has accepted the new network settings you entered,
so you can disconnect the temporary setup.
15 Disconnect the cable between the client machine and the PGP Universal
Server, return the settings of the client machine back to what they were,
connect the two machines back to the original network, and continue with
the Setup Assistant.
75
PGP Universal Server Setting Up the PGP Universal Server
Primary or Secondary Configuration
If you selected a Primary or Secondary configuration for the PGP Universal
Server you are configuring with the Setup Assistant, the Licensing screen
appears automatically.
1 Enter your PGP Universal Server license information, then click the
Forward arrow.
If your PGP Universal Server has an active connection to the Internet, the
PGP Universal Server license will be authorized.
2 If your PGP Universal Server does not have an active connection to the
Internet, and you did not previously provide proxy server configuration
during setup, your license authorization will be needed; click Manual.
The Manual Licensing screen appears.
76
PGP Universal Server Setting Up the PGP Universal Server
3 If you want to license your PGP Universal Server at a later time, click Skip,
and go on to step 9.
4 Enter the appropriate license information, paste your license authorization
information in the License Authorization box, then click the Forward arrow.
5 If you want to license your PGP Universal Server at a later time, click Skip.
77
PGP Universal Server Setting Up the PGP Universal Server
The Administrator Name & Passphrase screen appears.
6 In the Login Name field, enter the administrator’s login name.
7 In the Passphrase field, enter the administrator’s passphrase.
8 In the Confirm field, re-enter the same passphrase.
9 In the Email Address field, enter the administrator’s email address. This is
optional and enables the administrator to receive a daily status email.
10 Click the Forward arrow to continue.
78
PGP Universal Server Setting Up the PGP Universal Server
The Mail Processing screen appears.
11 Specify the placement of this PGP Universal Server in your network:
Select Gateway Placement if your PGP Universal Server is logically
located between your mail server and the Internet.
Select Internal Placement if your PGP Universal Server is logically
located between your email users and your mail server, or if your PGP
Universal Server is out of the mailstream.
12 Click the Forward arrow to continue.
79
PGP Universal Server Setting Up the PGP Universal Server
The Mail Server Selection screen appears.
13 In the Mail Server field, enter the hostname or IP address of the mail
server that this PGP Universal Server will be interacting with.
14 In the Proxy Server field, enter an optional additional mail server to which
all outbound mail will be sent. This only applies if you are installing your
PGP Universal server in gateway placement.
15 In the Primary Domain field, enter the email domain that the PGP
Universal Server is going to be managing.
16 Click the Forward arrow to continue.
80
PGP Universal Server Setting Up the PGP Universal Server
The Directory Server screen appears.
17 In the Directory Server field, enter the hostname or IP address of your
corporate LDAP directory so that PGP Universal Server can synchronize
user information with that LDAP directory.
18 Select your LDAP Directory Type. Choose Active Directory or
OpenLDAP (RFC 1274). Refer to Enabling Directory Synchronization (on
287) for more information.
page
Using a directory server is optional. If you do not have one on your network
or do not wish to use one, leave the Directory Server field empty and click
Skip to continue with the Setup Assistant.
19 Click the Forward arrow to continue.
81
PGP Universal Server Setting Up the PGP Universal Server
The Ignition Keys screen appears.
Ignition Keys protect the data on your PGP Universal Server if an
unauthorized person gets control of it. If you want to use a hardware
Ignition Key, you will need to prepare the token before you add it to the
system here. See Protecting PGP Universal Server with Ignition Keys (on
531) for information on how to prepare a hardware token Ignition Key.
page
20 Select the type of Ignition Key you would like to use, then click the
Forward arrow.
Click Skip to proceed with the Setup Assistant without configuring an
Ignition Key.
82
PGP Universal Server Setting Up the PGP Universal Server
The appropriate Ignition Key screen appears. The Passphrase Ignition Key
screen is shown here.
21 Enter a name for the Ignition Key, a passphrase, confirm the passphrase,
then click the Forward arrow.
83
PGP Universal Server Setting Up the PGP Universal Server
The Backup Organization Key screen appears.
The PGP Universal Server generates an Organization Key for you. If you
want to generate an S/MIME Organization Certificate, you should do so
immediately after finishing setup. Refer to Managing Organization Keys (on
113) for information about the Organization Key and Organization
page
Certificate.
22 If desired, enter and confirm the passphrase that will protect the
Organization Key (this is optional, but highly recommended), then click
Backup Key to back up the key. Be aware that without a backup of your
Organization Key, you will not be able to restore your PGP Universal Server
from backed-up data.
To skip backing up your Organization Key (not recommended), click
Forward without backing up the key.
23 Click the Forward arrow to continue.
84
PGP Universal Server Setting Up the PGP Universal Server
The Confirmation screen appears.
This screen summarizes the configuration of your PGP Universal Server.
24 Click Done to finish setup.
85
PGP Universal Server Setting Up the PGP Universal Server
The Configuration Changed screen appears, and the server restarts
automatically.
You will be redirected to the administrative interface of the PGP Universal
Server you just configured.
Your PGP Universal Server is initially configured in Learn Mode. Refer to
Operating in Learn Mode (on page
Restoring From a Server Backup
To configure a PGP Universal Server with the data from the backup, you need to
have both the appropriate backup file and the Organization Key on the setup
machine. Restoring from a backup restores everything configured, including
proxy and policy settings, as well as keys and user information.
Refer to the PGP Universal Server Upgrade Guide for complete information
about how to configure a PGP Universal Server with the data from a backup.
86
105) for more information about Learn Mode.
PGP Universal Server Setting Up the PGP Universal Server
Migrating the Keys from a PGP Keyserver
The process that allows you to migrate the keys on a PGP Keyserver to a PGP
Universal Server includes two steps: getting the keys out of the PGP Keyserver
into a format that can be imported into a PGP Universal Server and then using
the Setup Assistant to configure a PGP Universal Server and add the PGP keys
from the PGP Keyserver.
Refer to the PGP Universal Server Upgrade Guide for complete information
about migrating PGP keys from a PGP Keyserver to a PGP Universal Server.
Note: You can find more information online about moving to PGP Universal
Server at the PGP Corporation website.
87
Understanding the
8
Administrative Interface
This section describes the PGP Universal Server’s Web-based administrative
interface.
In This Chapter
System Requirements............................................................................. 89
Logging In ................................................................................................ 89
Managing Alerts....................................................................................... 92
Logging In For the First Time .................................................................. 93
Administrative Interface Map .................................................................. 94
Icons ........................................................................................................ 95
System Requirements
The PGP Universal Server administrative interface has been fully tested with the
following Web browsers:
Logging In
Windows: Internet Explorer 6, Mozilla Firefox 1.0 (or greater)
Mac OS X: Safari 1.0 (or greater), Mozilla Firefox 1.0 (or greater)
While you may find that the administrative interface works with other Web
browsers, we recommend these browsers for maximum compatibility.
The login name and password for the administrative interface were originally
established when you configured the server using the Setup Assistant.
To log in to your server’s administrative interface
1 In a Web browser, type https://<domain name of server>:9000/ and
press Enter.
89
PGP Universal Server Understanding the Administrative Interface
Note: If you see a Security Alert dialog relating to the security certificate,
it means you need to replace the self-signed certificate created
automatically with a certificate from a public Certificate Authority.
The Login screen appears.
2 Enter the current login name in the Username field.
3 Enter the current passphrase in the Passphrase field.
4 Click the Login button or press Enter.
90
PGP Universal Server Understanding the Administrative Interface
The System Overview screen is the first screen you see when you log on
to PGP Universal Server. You can also view it from Reporting>Overview.
The screen provides a general report of system information and statistics.
The information displayed includes:
System alerts, including licensing issues and PGP Whole Disk
Encryption login failures. System alerts appear at the top of the
screen.
System graphs for CPU usage, message activity, and Whole Disk
Encryption. Click the buttons to switch the graphs. See System
Graphs (on page
483) for more information about system graphs.
Services information, including which services are running or stopped.
91
PGP Universal Server Understanding the Administrative Interface
Statistics, including software version number, system uptime, and
total messages processed.
Number of users in each user policy group.
Number of email messages in the queue waiting to be processed, if
applicable.
Number of messages in the mail queue.
5 Click Refresh (at the top of the System Overview screen) to refresh the
information.
Managing Alerts
The PGP Universal Server groups failed login attempts into reported login
failures. This feature is intended to make reporting about failed login attempts
more useful, because one or several failed login attempts by a PGP Whole Disk
Encryption user does not necessarily mean an attempted break-in. Use the
Alerts dialog to choose how many failed login attempts constitutes a login
failure. For example, you can specify that an alert should be triggered after 3
failed login attempts. If 6 failed attempts occur, 2 login failure alerts appear.
Alerts about PGP Whole Disk Encryption login failures appear on the System
Overview screen and in the Daily Status Email. Alerts for devices belonging to
specific users appear on the user's Internal Users dialog.
To specify how you want to be notified of PGP Whole Disk Encryption
login failures
1 From the System Overview screen, click Manage Alerts.
92
PGP Universal Server Understanding the Administrative Interface
The Alerts dialog appears.
2 Specify how many consecutive failed login attempts a single device must
report before the administrator is notified.
3 Choose how long you want login failure alerts to be displayed on System
Overview screen, the Daily Status Email, and the Internal Users dialog, in
hours or days.
4 Specify how long you want to keep login failure records in the database, in
days.
Logging In For the First Time
The first time you log in to the PGP Universal Server, you will see a welcome
dialog. The welcome dialog provides access to tutorials and documentation. You
can choose to have the welcome dialog appear every time you log in.
What’s New—Lists the new features in PGP Universal Server 2.7.
Mail Policy Diagram—Provides a graphical representation of how email is
processed through mail policy.
PGP Universal Upgrade Guide—Provides instructions on how to migrate
PGP Keyserver data, how to upgrade your PGP Universal Server, and how
version 2.0.6 settings migrate into the mail policy environment.
93
PGP Universal Server Understanding the Administrative Interface
Tutorials—Provides animated introductions on how to manage the new
mail policy feature in PGP Universal Server, and how upgraded PGP
Universal Server settings migrate into the new mail policy feature.
You can also access all the documentation and tutorials by clicking the online
help icon in the upper right corner of the PGP Universal Server screen.
Administrative Interface Map
The administrative interface is organized as follows:
Sections
Reporting
Policy
Users
Mail
Screens
Overview
Graphs
Logs
Mail Policy
Internal User Policy
External User Policy
Dictionaries
Servers
Internal
External
Verified Directory (If enabled)
Administrators
Proxies
Mail Queue
Mail Routes
Organization
Services
Message Templates
Organization Keys
Trusted Keys
Managed Domains
Web Messenger
Keyserver
SNMP
Verified Directory
94
PGP Universal Server Understanding the Administrative Interface
Icons
System
Certificate Revocation
General Settings
Backups
Updates
Network
Clustering
Ignition Keys
Key Cache
The administrative interface uses the following icons.
Type
Actions
Icon Description
Add
Remove
Connect
Delete
Clear Search
Install/Export
Reinstall/Regenerate
Restore
Revoke
Forward
95
PGP Universal Server Understanding the Administrative Interface
Type Icon Description
Back
First
Last
Move priority up
Move priority down
Closed Action
Opened Action
Help
Update software
Print
Users
Internal user
Administrative user
Excluded user
Internal user, revoked
Expired internal user
External user, revoked
External user
External user, pending
96
Loading...