PGP Universal Server - 3.2 Installation Manual

PGP™ Universal Server
Installation Guide
3.2
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Version 3.2.0. Last updated: July 2011.
Legal Notice
Symantec, the Symantec Logo, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED"AS IS"AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. “Commercial Computer Software and Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation, 350 Ellis Street, Mountain View, CA 94043
Symantec Home Page (http://www.symantec.com)
Printed in the United States of America.
Contents
About the PGP Universal Server Installation Guide 1
What is PGP Universal Server? 1
PGP Universal Server Product Family 2
Who Should Read This Guide 2
Common Criteria Environments 2
Using the PGP Universal Server with the Command Line 2
Symbols 3
Getting Assistance 3
Getting product information 3
Technical Support 4
Contacting Technical Support 4
Licensing and registration 5
Customer service 5
Support agreement resources 5
Add the PGP Universal Server to Your Network 7
Server Placement 7
Gateway Placement 7
Internal Placement 8
Mail Relay 9
Microsoft Exchange Server 9
Lotus Domino Server 9
Installation Overview 10
About Open Ports 15
TCP Ports 15
UDP Ports 16
About Naming your PGP Universal Server 17
How to Name Your PGP Universal Server 17
Naming Methods 18
About Installing PGP Universal Server 19
Installation Considerations 19
System Requirements 19
PGP Universal Server on a VMware ESX Virtual Machine 20
Installing VMware Tools for PGP Universal Server 20
Installation Materials 21
Installation Options 22
Set Up after "pgp" Install 25
Hardware 25
System Information 25
Connecting to the PGP Universal Server 26
About Setting Up PGP Universal Server 27
The Setup Assistant 27
Initial Configuration with Setup Assistant 28
Configuring a New Installation 29
Configuring a Cluster Member 31
Restore From a Server Backup 32
Migrate Keys from a PGP Keyserver 33
Configuration Examples 35
Internal Placement Configuration 35
Gateway Placement Configuration 36
Non-mailstream Placement Configuration 37
Cluster Configuration 38
Clustered Proxy and Keyserver Configuration 39
Gateway Cluster with Load Balancer 40
Gateway and Internal Placement Cluster 41
Encircled Configuration 43
Large Enterprise Configuration 44
Spam Filters and PGP Universal Server 45
Exchange with PGP Client Software 46
Lotus Domino Server with PGP Client Software 46
Unsupported Configurations 47
Multiple Gateway-Placed Servers 47

1 About the PGP Universal Server Installation Guide

The PGP Universal Server Installation Guide provides important PGP™ Universal Server concepts and presents a high-level overview of the tasks required to install, set up, and use PGP Universal Server. This guide provides information about how your PGP Universal Server processes email, which helps you integrate your PGP Universal Servers into your network. There is also information on using Microsoft® Exchange Server and Lotus® Domino® Server with PGP Universal Satellite.

What is PGP Universal Server?

PGP Universal Server is a console that manages the applications that provide email, disk, and network file encryption. PGP Universal Server with PGP Universal Gateway Email provides secure messaging by transparently protecting your enterprise messages with little or no user interaction. The PGP Universal Server replaces PGP Keyserver with a built-in keyserver, and PGP Admin with PGP Desktop configuration and deployment capabilities.
PGP Universal Server also does the following:
- Automatically creates and maintains a Self-Managing Security Architecture (SMSA) by monitoring authenticated users and their email traffic.
- Allows you to send protected messages to addresses that are not part of the SMSA.
- Automatically encrypts, decrypts, signs, and verifies messages.
- Provides strong security through policies you control.
PGP Universal Satellite, a client-side feature of PGP Universal Server, does the following:
- Extends security for email messages to the computer of the email user.
- Allows external users to become part of the SMSA.
- If allowed by an administrator, gives end users the option to create and manage their keys on their computers.
PGP Desktop, a client product, is created and managed through PGP Universal Server policy and does the following:
- Creates PGP keypairs.
- Manages user keypairs.
- Stores the public keys of others.
- Encrypts user email and instant messaging (IM).
- Encrypts entire, or partial, hard drives.
- Enables secure file sharing with others over a network.

PGP Universal Server Product Family

PGP Universal Server functions as a management console for a variety of encryption solutions. You can purchase any of the PGP Desktop applications or bundles and use PGP Universal Server to create and manage client installations. You can also purchase a license that enables PGP Universal Gateway Email to encrypt email in the mailstream.
The PGP Universal Server can manage any combination of the following PGP encryption applications:
- PGP Universal Gateway Email provides automatic email encryption in the gateway, based on centralized mail policy. This product requires administration by the PGP Universal Server.
- PGP Desktop Email provides encryption at the desktop for mail, files, and AOL Instant Messenger traffic. This product can be managed by the PGP Universal Server.
- PGP Whole Disk Encryption provides encryption at the desktop for an entire disk. This product can be managed by the PGP Universal Server.
- PGP NetShare provides transparent file encryption and sharing among desktops. This product can be managed by the PGP Universal Server.

Who Should Read This Guide

This guide is for administrators who will install PGP Universal Server for your organization’s PGP Universal Server environment.

Common Criteria Environments

To be Common Criteria compliant, see the best practices in PGP Universal Server 2.9 Common Criteria Supplemental. These best practices supersede recommendations made elsewhere in this and other documentation.

Using the PGP Universal Server with the Command Line

You can use the PGP Universal Server command line for read-only access: for example, to view settings, services, logs, processes, and disk space, or to query the database.
Note: If you modify your configuration using the command line, and you do not follow these procedures, your Technical Support agreement is void.

Changes to the PGP Universal Server using the command line must be:
- Authorized in writing by Technical Support.
- Implemented by a partner, reseller, or employee who is certified in the PGP Advanced Administration and Deployment Training.
- Summarized and documented in a text file in /var/lib/ovid/customization on the PGP Universal Server.
Changes made through the command line may not persist through reboots and may become incompatible in a future release. When troubleshooting new issues, Technical Support can require you to revert custom configurations on the PGP Universal Server to a default state.

Symbols

Notes, Cautions, and Warnings are used in the following ways.
Note: Notes are extra, but important, information. A Note calls your attention to important aspects of the product. You can use the product better if you read the Notes.
Caution: Cautions indicate the possibility of loss of data or a minor security breach. A Caution tells you about a situation where problems can occur unless precautions are taken. Pay attention to Cautions.
Warning: Warnings indicate the possibility of significant data loss or a major security breach. A Warning means serious problems will occur unless you take the appropriate action. Please take Warnings very seriously.

Getting Assistance

For additional resources, see these sections.

Getting product information

The following documents and online help are companions to the PGP Universal Server Administrator's Guide. This guide occasionally refers to information that can be found in one or more of these sources:
- Online help is installed and is available in the PGP Universal Server product.
- PGP Universal Server Installation Guide: Describes how to install the PGP Universal Server.
- PGP Universal Server Upgrade Guide: Describes the process of upgrading your PGP Universal Server.
- PGP Universal Mail Policy Diagram: Provides a graphical representation of how email is processed through mail policy. You can access this document via the PGP Universal Server online help.
- Tutorials: Provides animated introductions on how to manage the mail policy feature in PGP Universal Server 2.5 and later, and how upgraded PGP Universal Server settings migrate into the new mail policy feature.
You can also access all the documentation and tutorials by clicking the online help icon in the upper-right corner of the PGP Universal Server screen. PGP Universal Satellite for Windows and Mac OS X includes online help. PGP Universal Server and PGP Satellite release notes are also provided, which may have last-minute information not found in the product documentation.

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec's support offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers software upgrades
- Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
- Premium service offerings that include Account Management Services
For information about Symantec's support offerings, you can visit our Web site at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and support contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan: customercare_apac@symantec.com
Europe, Middle-East, Africa: semea@symantec.com
North America, Latin America: supportsolutions@symantec.com
6 About the PGP Universal Server Installation Guide
Getting Assistance

2 Add the PGP Universal Server to Your Network

This chapter provides information about how your PGP Universal Server processes email, which can help you decide how to integrate your PGP Universal Servers into your network. It also includes information about using Microsoft Exchange Server and Lotus Domino Server with PGP Universal Satellite.

Server Placement

In your network, a PGP Universal Server can be placed in one of the following locations:
- Internal placement, where the PGP Universal Server is located between your email users and their local mail server.
- Gateway placement, where the PGP Universal Server is located between your external-facing mail server and the Internet.

Gateway Placement

Caution: Unless it is a transparent proxy, do not place the PGP Universal Server behind a proxy server to automatically receive licensing and update information.
In a gateway placement, your PGP Universal Server sits between your mail server and the Internet in the logical flow of data.
[Figure: PGP Universal Server gateway placement. Legend: 1 PGP Universal Server gateway placement; 2 Example Corp. DMZ; 3 External email user; 4 Logical flow of data; 5 Example Corp. internal network; 6 Example Corp. email users; 7 Example Corp. email server]
Note: The physical location of the PGP Universal Server and the mail server are not important. From a mail relay perspective, it is more important that the PGP Universal Server is between the mail server and the Internet. Both can be on the internal network or in the DMZ.
In this placement, remember the following:
- When you use SMTP, email messages are secured before they are sent to the Internet and decrypted/verified when received from the Internet.
- Email users on your internal network should not have direct access to a PGP Universal Server in the gateway placement. Based on your configuration, PGP Universal Server attempts to enforce this lack of access automatically.
- If you plan to use the signing features in PGP Universal Server, configure the mail server to verify the From addresses.
- Unless PGP Universal Satellite is used, messages are stored unsecured on the mail server.
- For PGP Universal Server to create the SMSA, you must configure your mail server correctly.

Internal Placement

In this placement, your PGP Universal Server sits between your email users and their email server.
[Figure: PGP Universal Server internal placement. Legend: 1 PGP Universal Server internally placed; 2 Example Corp. email server; 3 Example Corp. DMZ; 4 External email user; 5 Logical flow of data; 6 Example Corp. internal network; 7 Example Corp. email users]
Note: The physical location of the PGP Universal Server and the mail server are not important. From a mail relay perspective, it is more important that the PGP Universal Server is between the email users and the mail server; both can be on the internal network or in the DMZ. From a performance perspective, you should place users and the mail server next to each other on the same network.
In this PGP Universal Server placement, when messages are sent to the mail server using SMTP, they are secured based on the applicable policies. Using POP or IMAP, messages are decrypted and verified when they are retrieved from the mail server. If PGP Universal Satellite has not been deployed globally to your internal users, messages are stored secured on the mail server and are only transmitted unencrypted between the internal user and the PGP Universal Server. If your mail server is configured for SSL/TLS communications with the email client, messages are sent through that encrypted channel and remain encrypted through the entire path. For PGP Universal Server to create the SMSA, email clients must have SMTP authentication switched on when they communicate with a PGP Universal Server.

Mail Relay

After processing outgoing email, PGP Universal Server can forward the email to a central mail gateway, which acts as a mail relay. Sites that use explicit mail routing can use mail relay to forward outgoing email to a mail relay that performs explicit routing.
You cannot configure the mail relay during the initial configuration in the Setup Assistant. Instead, you have to configure the server for gateway placement and configure the mail relay in the administrative interface. For more information on configuring the relay on the Outbound or Unified SMTP proxy, see Creating New or Editing Existing Proxies in the PGP Universal Server Administrator's Guide.

Microsoft Exchange Server

Messaging Application Programming Interface (MAPI) support is available for Microsoft Exchange Server environments by using PGP Desktop or PGP Universal Satellite for Windows. MAPI support is not available in PGP Universal Satellite for Mac OS X because there are no MAPI email clients for Mac OS X.
For more information about using MAPI, see Exchange with PGP Client Software (on page 46) and MAPI Support in the PGP Universal Server Administrator's Guide.

Lotus Domino Server

Lotus Domino Servers and the Lotus Notes email client (versions 7.0.3 and later) are supported in PGP Desktop and PGP Universal Satellite for Windows®.
For more information about using the Lotus Notes email client, see Lotus Domino Server with PGP Client Software (on page 46) and Lotus Notes Support in the PGP Universal Server Administrator's Guide.

Installation Overview

This is a broad overview of the process to plan, set up, and maintain your PGP Universal Server environment.
Steps 1 and 4 are described in this guide, but the other steps are described in the PGP Universal Server Administrator's Guide. This process applies to a new, stand-alone installation of PGP Universal Server. If you plan to install a cluster, you must install and configure one PGP Universal Server following this process. Additional cluster members receive most of their configuration settings from the initial PGP Universal Server through data replication.
1 Plan where in your network you want to locate your PGP Universal Server(s).
Where you put PGP Universal Servers in your network, how many PGP Universal Servers you have in your network, and other factors impact how you add the PGP Universal Servers to your existing network. To help you plan, you should create a diagram of your network that includes the network components and your email flows. This diagram should also include details about the impact on your network of adding a PGP Universal Server. For more information on how to add PGP Universal Servers to your existing network, see Adding the PGP Universal Server to Your Network (see "Add the PGP Universal Server to Your Network" on page 7).
2 Perform the necessary DNS changes.
This involves tasks such as the following:
- Adding IP addresses for your PGP Universal Servers and an alias to your keyserver.
- Updating the MX record if necessary.
- Adding keys.<domain>, hostnames of potential Secondary servers for a cluster, and so on.
Properly configured DNS settings, such as root servers and appropriate reverse lookup records, are required to support PGP Universal Server. Your host and pointer records must be correct. IP addresses must be resolvable to hostnames, and hostnames must be resolvable to IP addresses.
3 Prepare a hardware token Ignition Key.
To add a hardware token Ignition Key during set up, you must install the drivers and configure the token before you set up the PGP Universal Server. For information on preparing a hardware token Ignition Key, see Protecting PGP Universal Server with Ignition Keys in the PGP Universal Server Administrator's Guide.
Note: In a cluster, the Ignition Key that is configured on the first PGP Universal Server in the cluster also applies to subsequent members of the cluster.
4 Install and configure PGP Universal Server.
The Setup Assistant runs automatically when you access the PGP Universal Server administrative interface for the first time. You can set or confirm a number of basic settings, such as your network settings, administrator password, server placement option, mail server address, and so on. For more information on this process, see Setting Up the PGP Universal Server (see "About Setting Up PGP Universal Server" on page 27).
Note: To configure multiple servers as a cluster, you must first configure one server and add the additional servers as cluster members. You can do this through the Setup Assistant when you install a server that will join an existing cluster or through the PGP Universal Server administrative interface. For more information, see Cluster Member Configuration (see "Configuring a Cluster Member" on page 31).
5 License your server.
You must license PGP Universal Server to take it out of Learn Mode or install updates. After it is licensed, you should check for and install product updates. If you want the PGP Universal Server to provide mail proxy services, you must have a PGP Universal Server license with the mailstream feature enabled and select the Enable Mail Proxies checkbox on the System Settings page. For more information, see Licensing Your Software in the PGP Universal Server Administrator's Guide.
6 Import the PGP key you want to use as your Organization Key with PGP Universal Server and back it up.
Your Organization Key is used to sign all user keys the PGP Universal Server creates and to encrypt PGP Universal Server backups. This key represents the identity of your organization and is the root of the Web-of-Trust for your users. If your organization uses PGP Desktop and has a Corporate Key or Organization Key that you want to use with PGP Universal Server, you should import it after configuring your server. If your organization does not have a key to use as your Organization Key, you can use the Organization Key that the Setup Assistant automatically created with default values. For more information, see Managing Organization Keys in the PGP Universal Server Administrator's Guide.
Note: Regardless of which key you use as your Organization Key, you must back up the key. Since PGP Universal Server's built-in back-up feature always encrypts backups to this key, you must provide a copy of your Organization Key to restore your data. For more information, see Organization Certificate in the PGP Universal Server Administrator's Guide.
7 Add the PGP Additional Decryption Key (ADK) that you want to use with PGP Universal Server.
An Additional Decryption Key (ADK) allows you to recover an email message if the recipient is unable or unwilling to do so; every message that is encrypted to the ADK can be opened by the holder(s) of the ADK. You cannot create an ADK with the PGP Universal Server, but if you have an existing PGP ADK generated by PGP Desktop, you can add it to your PGP Universal Server and use it. For more information, see the PGP Desktop User's Guide and Additional Decryption Key (ADK) in the PGP Universal Server Administrator's Guide.
8 Create an SSL/TLS certificate or obtain a valid SSL/TLS certificate.
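The forward/reverse DNS requirement in step 2 (every server hostname resolves to an address whose pointer record resolves back to that hostname) can be checked before you run the Setup Assistant. The following is an added example, not code from the installation guide or from the PGP Universal Server product; the hostnames and addresses are constructed, and the keys.<domain> alias is assumed to be a CNAME whose PTR record names the canonical server.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Added example for the DNS step: each PGP Universal Server hostname must resolve
# to an address whose PTR record resolves back to that name. All hostnames and
# addresses below are constructed (RFC 5737 range), not values from the guide.

ForwardResolver = Callable[[str], List[str]]
ReverseResolver = Callable[[str], str]


def forward_lookup(hostname: str) -> List[str]:
    """Resolve a hostname to its IPv4 addresses via the system resolver."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def reverse_lookup(ip: str) -> str:
    """Resolve an address to its PTR name via the system resolver ('' if none)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return ""


def check_dns_consistency(
    hostnames: List[str],
    forward: ForwardResolver = forward_lookup,
    reverse: ReverseResolver = reverse_lookup,
    aliases: Optional[Dict[str, str]] = None,
) -> Dict[str, List[str]]:
    """Return {hostname: [problems]}; an empty list means the name is consistent.

    A name passes when it resolves to at least one address and every address has
    a PTR record naming the host itself, or, for an alias such as keys.<domain>,
    the canonical host given in `aliases` (assumed here to be a CNAME target).
    """
    aliases = aliases or {}
    report: Dict[str, List[str]] = {}
    for name in hostnames:
        expected = aliases.get(name, name).rstrip(".").lower()
        problems: List[str] = []
        addrs = forward(name)
        if not addrs:
            problems.append("no A record")
        for addr in addrs:
            ptr = reverse(addr)
            if not ptr:
                problems.append(f"{addr}: no PTR record")
            elif ptr.rstrip(".").lower() != expected:
                problems.append(f"{addr}: PTR points to {ptr}, not {expected}")
        report[name] = problems
    return report


def build_fake_resolvers(
    a_records: Dict[str, List[str]], ptr_records: Dict[str, str]
) -> Tuple[ForwardResolver, ReverseResolver]:
    """Build resolvers from constructed record tables so the check runs offline."""
    return (lambda h: list(a_records.get(h, [])), lambda ip: ptr_records.get(ip, ""))


if __name__ == "__main__":
    # Constructed zone: a correct server, its keys alias, a PTR mismatch, a missing A.
    a = {"pgp1.example.com": ["192.0.2.10"], "keys.example.com": ["192.0.2.10"],
         "pgp2.example.com": ["192.0.2.11"]}
    ptr = {"192.0.2.10": "pgp1.example.com", "192.0.2.11": "mail.example.com"}
    fwd, rev = build_fake_resolvers(a, ptr)
    names = ["pgp1.example.com", "keys.example.com", "pgp2.example.com", "pgp3.example.com"]
    for host, issues in check_dns_consistency(names, fwd, rev, {"keys.example.com": "pgp1.example.com"}).items():
        print(f"{host}: {'OK' if not issues else '; '.join(issues)}")
```

Run it with the default resolvers (omit the fake ones) against your real server names and the keys alias before installation; any non-empty problem list is a record to fix first.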