PGP Universal Server - 3.2 Installation Manual
PGP™ Universal Server
Installation Guide
3.2
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Version 3.2.0. Last updated: July 2011.
Legal Notice
Copyright (c) 2011 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its
affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering.
No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if
any.
THE DOCUMENTATION IS PROVIDED"AS IS"AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING
ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT
TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR
INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION.
THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights
as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. “Commercial Computer
Software and Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction
release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with
the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
Symantec Home Page (
Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1
http://www.symantec.com)
Contents
About the PGP Universal Server Installation Guide 1
What is PGP Universal Server? 1
PGP Universal Server Product Family 2
Who Should Read This Guide 2
Common Criteria Environments 2
Using the PGP Universal Server with the Command Line 2
Symbols 3
Getting Assistance 3
Getting product information 3
Technical Support 4
Contacting Technical Support 4
Licensing and registration 5
Customer service 5
Support agreement resources 5
Add the PGP Universal Server to Your Network 7
Server Placement 7
Gateway Placement 7
Internal Placement 8
Mail Relay 9
Microsoft Exchange Server 9
Lotus Domino Server 9
Installation Overview 10
About Open Ports 15
TCP Ports 15
UDP Ports 16
About Naming your PGP Universal Server 17
How to Name Your PGP Universal Server 17
Naming Methods 18
About Installing PGP Universal Server
Installation Considerations 19
System Requirements 19
PGP Universal Server on a VMware ESX Virtual Machine 20
Installing VMware Tools for PGP Universal Server 20
Installation Materials 21
Installation Options 22
Set Up after "pgp" Install 25
Hardware 25
System Information 25
Connecting to the PGP Universal Server 26
19
ii Contents
About Setting Up PGP Universal Server 27
The Setup Assistant 27
Initial Configuration with Setup Assistant 28
Configuring a New Installation 29
Configuring a Cluster Member 31
Restore From a Server Backup 32
Migrate Keys from a PGP Keyserver 33
Configuration Examples 35
Internal Placement Configuration 35
Gateway Placement Configuration 36
Non-mailstream Placement Configuration 37
Cluster Configuration 38
Clustered Proxy and Keyserver Configuration 39
Gateway Cluster with Load Balancer 40
Gateway and Internal Placement Cluster 41
Encircled Configuration 43
Large Enterprise Configuration 44
Spam Filters and PGP Universal Server 45
Exchange with PGP Client Software 46
Lotus Domino Server with PGP Client Software 46
Unsupported Configurations 47
Multiple Gateway–Placed Servers 47
About the PGP Universal Server Installation Guide
1
The PGP Universal Server Installation Guide provides important PGP™ Universal Server
concepts and presents a high-level overview of the tasks required to install, set up, and
use PGP Universal Server. This guide provides information about how your PGP
Universal Server processes email, which helps you integrate your PGP Universal
Servers into your network. There is also information on using Microsoft
Server and Lotus® Domino® Server with PGP Universal Satellite.
What is PGP Universal Server?
PGP Universal Server is a console that manages the applications that provide email,
disk, and network file encryption. PGP Universal Server with PGP Universal Gateway
Email provides secure messaging by transparently protecting your enterprise messages
with little or no user interaction. The PGP Universal Server replaces PGP Keyserver
with a built-in keyserver, and PGP Admin with PGP Desktop configuration and
deployment capabilities.
PGP Universal Server also does the following:
Automatically creates and maintains a Self-Managing Security Architecture
(SMSA) by monitoring authenticated users and their email traffic.
Allows you to send protected messages to addresses that are not part of the SMSA.
Automatically encrypts, decrypts, signs, and verifies messages.
Provides strong security through policies you control.
PGP Universal Satellite, a client-side feature of PGP Universal Server, does the
following:
Extends security for email messages to the computer of the email user.
Allows external users to become part of the SMSA.
If allowed by an administrator, gives end users the option to create and manage
their keys on their computers.
PGP Desktop, a client product, is created and managed through PGP Universal Server
policy and does the following:
Creates PGP keypairs.
Manages user keypairs.
Stores the public keys of others.
Encrypts user email and instant messaging (IM).
Encrypts entire, or partial, hard drives.
Enables secure file sharing with others over a network.
®
Exchange
2 About the PGP Universal Server Installation Guide
PGP Universal Server Product Family
PGP Universal Server Product Family
PGP Universal Server functions as a management console for a variety of encryption
solutions. You can purchase any of the PGP Desktop applications or bundles and use
PGP Universal Server to create and manage client installations. You can also purchase a
license that enables PGP Universal Gateway Email to encrypt email in the mailstream.
The PGP Universal Server can manage any combination of the following PGP
encryption applications:
PGP Universal Gateway Email provides automatic email encryption in the
gateway, based on centralized mail policy.
This product requires administration by the PGP Universal Server.
PGP Desktop Email provides encryption at the desktop for mail, files, and AOL
Instant Messenger traffic.
This product can be managed by the PGP Universal Server.
PGP Whole Disk Encryption provides encryption at the desktop for an entire disk.
This product can be managed by the PGP Universal Server.
PGP NetShare provides transparent file encryption and sharing among desktops.
This product can be managed by the PGP Universal Server.
Who Should Read This Guide
This guide is for administrators who will install PGP Universal Server for your
organization’s PGP Universal Server environment.
Common Criteria Environments
To be Common Criteria compliant, see the best practices in PGP Universal Server 2.9
Common Criteria Supplemental. These best practices supersede recommendations made
elsewhere in this and other documentation.
Using the PGP Universal Server with the Command Line
You can use the PGP Universal Server command line for read-only access to, for
example, view settings, services, logs, processes, disk space, query the database, and so
on.
Note: If you modify your configuration using the command line, and you do not
follow these procedures, your Technical Support agreement is void.
Symbols
About the PGP Universal Server Installation Guide
Symbols 3
Changes to the PGP Universal Server using command line must be:
Authorized in writing by Technical Support.
Implemented by a partner, reseller, or employee who is certified in the PGP
Advanced Administration and Deployment Training.
Summarized and documented in a text file in /var/lib/ovid/customization
on the PGP Universal Server.
Changes made through the command line may not persist through reboots and may
become incompatible in a future release. When troubleshooting new issues, Technical
Support can require you to revert custom configurations on the PGP Universal Server
to a default state.
Notes, Cautions, and Warnings are used in the following ways.
Note: Notes are extra, but important, information. A Note calls your attention to
important aspects of the product. You can use the product better if you read the
Notes.
Caution: Cautions indicate the possibility of loss of data or a minor security breach. A
Caution tells you about a situation where problems can occur unless precautions are
taken. Pay attention to Cautions.
Warning: Warnings indicate the possibility of significant data loss or a major security
breach. A Warning means serious problems will occur unless you take the
appropriate action. Please take Warnings very seriously.
Getting Assistance
For additional resources, see these sections.
Getting product information
The following documents and online help are companions to the PGP Universal Server
Administrator’s Guide. This guide occasionally refers to information that can be found
in one or more of these sources:
Online help is installed and is available in the PGP Universal Server product.
PGP Universal Server Installation Guide—Describes how to install the PGP
Universal Server.
PGP Universal Server Upgrade Guide—Describes the process of upgrading your
PGP Universal Server.
PGP Universal Mail Policy Diagram—Provides a graphical representation of how
email is processed through mail policy. You can access this document via the PGP
Universal Server online help.
4 About the PGP Universal Server Installation Guide
Getting Assistance
Tutorials—Provides animated introductions on how to manage the mail policy
feature in PGP Universal Server 2.5 and later, and how upgraded PGP Universal
Server settings migrate into the new mail policy feature.
You can also access all the documentation and tutorials by clicking the online help
icon in the upper-right corner of the PGP Universal Server screen.
PGP Universal Satellite for Windows and Mac OS X includes online help.
PGP Universal Server and PGP Satellite release notes are also provided, which may
have last-minute information not found in the product documentation.
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support’s
primary role is to respond to specific queries about product features and functionality.
The Technical Support group also creates content for our online Knowledge Base. The
Technical Support group works collaboratively with the other functional areas within
Symantec to answer your questions in a timely fashion. For example, the Technical
Support group works with Product Engineering and Symantec Security Response to
provide alerting services and virus definition updates.
Symantec’s support offerings include the following:
A range of support options that give you the flexibility to select the right amount
of service for any size organization
Telephone and/or Web-based support that provides rapid response and up-to-the-
minute information
Upgrade assurance that delivers software upgrades
Global support purchased on a regional business hours or 24 hours a day, 7 days a
week basis
Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our Web site at the
following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement and
the then-current enterprise technical support policy.
Contacting Technical Support
Customers with a current support agreement may access Technical Support
information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system
requirements that are listed in your product documentation. Also, you should be at the
computer on which the problem occurred, in case it is necessary to replicate the
problem.
When you contact Technical Support, please have the following information available:
Product release level
Hardware information
Available memory, disk space, and NIC information
Operating system
Version and patch level
Network topology
Router, gateway, and IP address information
Problem description:
Error messages and log files
Troubleshooting that was performed before contacting Symantec
Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical
support Web page at the following URL:
www.symantec.com/business/support/
About the PGP Universal Server Installation Guide
Getting Assistance 5
Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the
following types of issues:
Questions regarding product licensing or serialization
Product registration updates, such as address or name changes
General product information (features, language availability, local dealers)
Latest information about product updates and upgrades
Information about upgrade assurance and support contracts
Information about the Symantec Buying Programs
Advice about Symantec's technical support options
Nontechnical presales questions
Issues that are related to CD-ROMs or manuals
Support agreement resources
If you want to contact Symantec regarding an existing support agreement, please
contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan customercare_apac@symantec.com
Europe, Middle-East, Africa
North America, Latin America
semea@symantec.com
supportsolutions@symantec.com
6 About the PGP Universal Server Installation Guide
Getting Assistance
Add the PGP Universal Server to Your Network
2
This chapter provides information about how your PGP Universal Server processes
email, which can help you decide how to integrate your PGP Universal Servers into your
network. It also includes information about using Microsoft Exchange Server and Lotus
Domino Server with PGP Universal Satellite.
Server Placement
In your network, a PGP Universal Server can be placed in one of the following locations:
Internal placement, where the PGP Universal Server is located between your
Gateway placement, where the PGP Universal Server is located between your
email users and their local mail server.
external facing mail server and the Internet.
Gateway Placement
Caution: Unless it is a transparent proxy, do not place the PGP Universal Server
behind a proxy server to automatically receive licensing and update information.
In a gateway placement, your PGP Universal Server sits between your mail server and
the Internet in the logical flow of data.
1
2
PGP Universal Server gateway placement
Example Corp. DMZ
3
4
5
6
External email user
Logical flow of data
Example Corp. internal network
Example Corp. email users
8 Add the PGP Universal Server to Your Network
Server Placement
7
Example Corp. email server
Note: The physical location of the PGP Universal Server and the mail server are not
important. From a mail relay perspective, it is more important that the PGP
Universal Server is between the mail server and the Internet. Both can be on the
internal network or in the DMZ.
In this placement, remember the following:
When you use SMTP, email messages are secured before they are sent to the
Internet and decrypted/verified when received from the Internet.
Email users on your internal network should not have direct access to a PGP
Universal Server in the gateway placement.
Based on your configuration, PGP Universal Server attempts to enforce this lack of
access automatically .
If you plan to use the signing features in PGP Universal Server, configure the mail
server to verify the From addresses.
Unless PGP Universal Satellite is used, messages are stored unsecured on the mail
server.
For PGP Universal Server to create the SMSA, you must configure your mail server
correctly.
Internal Placement
In this placement, your PGP Universal Server sits between your email users and their
email server.
1
2
3
4
5
6
PGP Universal Server internally placed
Example Corp. email server
Example Corp. DMZ
External email user
Logical flow of data
Example Corp. internal network
Add the PGP Universal Server to Your Network
Mail Relay 9
Mail Relay
7
Example Corp. email users
Note: The physical location of the PGP Universal Server and the mail server are not
important. From a mail relay perspective, it is more important that the PGP
Universal Server is between the email users and the mail server; both can be on the
internal network or in the DMZ. From a performance perspective, you should place
users and the mail server next to each other on the same network.
In this PGP Universal Server placement, when messages are sent to the mail server
using SMTP, they are secured based on the applicable policies. Using POP or IMAP,
messages are decrypted and verified when they are retrieved from the mail server. If
PGP Universal Satellite has not been deployed globally to your internal users, messages
are stored secured on the mail server and are only transmitted unencrypted between
the internal user and the PGP Universal Server. If your mail server is configured for
SSL/TLS communications with the email client, messages are sent through that
encrypted channel and remain encrypted through the entire path. For PGP Universal
Server to create the SMSA, email clients must have SMTP authentication switched on
when they communicate with a PGP Universal Server.
After processing outgoing email, PGP Universal Server can forward the email to a
central mail gateway, which acts as a mail relay. Sites that use explicit mail routing can
use mail relay to forward outgoing email to a mail relay that performs explicit routing.
You cannot configure the mail relay during the initial configuration in the Setup
Assistant. Instead, you have to configure the server for gateway placement and
configure the mail relay in the administrative interface. For more information on
configuring the relay on the Outbound or Unified SMTP proxy, see Creating New or
Editing Existing Proxies in the PGP Universal Server Administrator's Guide.
Microsoft Exchange Server
Messaging Application Programming Interface (MAPI) support is available for
Microsoft Exchange Server environments by using PGP Desktop or PGP Universal
Satellite for Windows. MAPI support is not available in PGP Universal Satellite for Mac
OS X because there are no MAPI email clients for Mac OS X.
For more information about using MAPI, see Exchange with PGP Client Software (on
46) and MAPI Support in the PGP Universal Server Administrator's Guide.
page
Lotus Domino Server
Lotus Domino Servers and the Lotus Notes email client (versions 7.0.3 and later) are
supported in PGP Desktop and PGP Universal Satellite for Windows
®
.
10 Add the PGP Universal Server to Your Network
Installation Overview
For more information about using the Lotus Notes email client, see Lotus Domino Server
with PGP Client Software (on page 46) and Lotus Notes Support in the PGP Universal
Server Administrator's Guide.
Installation Overview
This a broad overview of the process to plan, set up, and maintain your PGP Universal
Server environment.
Steps 1 and 4 are described in this guide, but the other steps are described in the PGP
Universal Server Administrator's Guide. This process applies a new, stand-alone
installation of PGP Universal Server. If you plan to install a cluster, you must install
and configure one PGP Universal Server following this process. Additional cluster
members receive most of their configuration settings from the initial PGP Universal
Server through data replication.
1 Plan where in your network you want to locate your PGP Universal Server(s).
Where you put PGP Universal Servers in your network, how many PGP Universal
Servers you have in your network, and other factors impact how you add the PGP
Universal Servers to your existing network. To help you plan, you should create a
diagram of your network that includes the network components and your email
flows. This diagram should also include details about the impact on your network
of adding a PGP Universal Server. For more information on how to add PGP
Universal Servers to your existing network, see Adding the PGP Universal Server to
Your Network (see "
2 Perform the necessary DNS changes.
This involves tasks such as the following:
Adding IP addresses for your PGP Universal Servers and an alias to your
keyserver.
Updating the MX record if necessary.
Adding keys.<domain>, hostnames of potential Secondary servers for a
cluster, and so on.
Properly configured DNS settings, such as root servers and appropriate reverse
lookup records, are required to support PGP Universal Server. You host and
pointer records must be correct. IP addresses must be resolvable to hostnames,
and hostnames must be resolvable to IP addresses.
3 Prepare a hardware token Ignition Key.
To add a hardware token Ignition Key during set up, you must install the drivers
and configure the token before you set up the PGP Universal Server. For
information on preparing a hardware token Ignition Key, see Protecting PGP
Universal Server with Ignition Keys in the PGP Universal Server Administrator's
Guide .
Add the PGP Universal Server to Your Network" on page 7).
Note: In a cluster, the Ignition Key that is configured on the first PGP Universal
Server in the cluster also applies to subsequent members of the cluster.
4 Install and configure PGP Universal Server.
Add the PGP Universal Server to Your Network
Installation Overview
11
The Setup Assistant runs automatically when you access the PGP Universal Server
administrative interface for the first time. You can set or confirm a number of
basic settings, such as your network settings, administrator password, server
placement option, mail server address, and so on. For more information on this
process, see Setting Up the PGP Universal Server (see "
Universal Server" on page
27).
About Setting Up PGP
Note:To configure multiple servers as a cluster, you must first configure one
server and add the additional servers as cluster members. You can do this
through the Setup Assistant when you install a server that will join an existing
cluster or through the PGP Universal Server administrative interface. For more
information, see Cluster Member Configuration (see "
Member" on page
31).
Configuring a Cluster
5 License your server.
You must license PGP Universal Server to take it out of Learn Mode or install
updates. After it is licensed, you should check for and install product updates. If
you want the PGP Universal Server to provide mail proxy services, you must have
a PGP Universal Server license with the mailstream feature enabled and select the
Enable Mail Proxies checkbox on the System Settings page. For more
information, see Licensing Your Software in the PGP Universal Server
Administrator's Guide.
6 Import the PGP key you want to use as your Organization Key with PGP
Universal Server and back it up.
Your Organization Key is used to sign all user keys the PGP Universal Server
creates and encrypt PGP Universal Server backups. This key represents the
identity of your organization and is the root of the Web-of-Trust for your users.
If your organization uses PGP Desktop and has an Corporate Key or Organization
Key that you want to use with PGP Universal Server, you should import it after
configuring your server. If your organization does not have a key to use as your
Organization Key, you can use the Organization Key that the Setup Assistant
automatically created with default values. For more information, see Managing
Organization Keys in the PGP Universal Server Administrator's Guide.
Note: Regardless of which key you use as your Organization Key, you must back
up the key.
Since PGP Universal Server’s built-in back-up feature always encrypts backups to
this key, you must provide a copy of your Organization Key to restore your data.
For more information, see Organization Certificate in the PGP Universal Server
Administrator's Guide.
7 Add the PGP Additional Decryption Key (ADK) that you want to use with PGP
Universal Server.
An Additional Decryption Key (ADK) allows you to recover an email message if the
recipient is unable or unwilling to do so; every message that is encrypted to the
ADK can be opened by the holder(s) of the ADK. You cannot create an ADK with
the PGP Universal Server, but if you have an existing PGP ADK generated by PGP
Desktop, you can add it to your PGP Universal Server and use it. For more
information, see the PGP Desktop User’s Guide and Additional Decryption Key
(ADK) in the PGP Universal Server Administrator's Guide.
8 Create a SSL/TLS certificate or obtain a valid SSL/TLS certificate.
Loading...