PGP Universal Server - 3.2 Administrator’s Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Version 3.2.0. Last updated: July 2011.
Legal Notice
Copyright (c) 2011 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. “Commercial Computer Software and Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation, 350 Ellis Street, Mountain View, CA 94043
Symantec Home Page (http://www.symantec.com)
Printed in the United States of America.
Contents

Introduction 13
What is PGP Universal Server? 13
PGP Universal Server Product Family 14
Who Should Read This Guide 14
Common Criteria Environments 14
Improvements in this Version of PGP Universal Server 14
Using the PGP Universal Server with the Command Line 15
Symbols 16
Getting Assistance 16
Getting product information 16
Technical Support 17
Contacting Technical Support 17
Licensing and registration 18
Customer service 18
Support agreement resources 18

The Big Picture 19
Important Terms 19
PGP Products 19
PGP Universal Server Concepts 20
PGP Universal Server Features 21
PGP Universal Server User Types 22
Installation Overview 23
About Integration with Symantec Protection Center 28
Before You Integrate with Protection Center 28
About Open Ports 31
TCP Ports 31
UDP Ports 32
About Naming your PGP Universal Server 33
How to Name Your PGP Universal Server 33
Naming Methods 34

Understanding the Administrative Interface 35
System Requirements 35
Logging In 35
The System Overview Page 36
Managing Alerts 37
Logging In For the First Time 38
Administrative Interface Map 38
Icons 39

Licensing Your Software 45
Overview 45
Licensing a PGP Universal Server 45
License Authorization 45
Licensing the Mail Proxy Feature 45
Licensing PGP Desktop 46

Operating in Learn Mode 47
Purpose of Learn Mode 47
Checking the Logs 48
Managing Learn Mode 48

Managed Domains 49
About Managed Domains 49
Adding Managed Domains 50
Deleting Managed Domains 50

Understanding Keys 51
Choosing a Key Mode For Key Management 51
Changing Key Modes 53
How PGP Universal Server Uses Certificate Revocation Lists 54
Key Reconstruction Blocks 54
Managed Key Permissions 55

Managing Organization Keys 57
About Organization Keys 57
Organization Key 57
Inspecting the Organization Key 58
Regenerating the Organization Key 58
Importing an Organization Key 59
Organization Certificate 60
Inspecting the Organization Certificate 60
Exporting the Organization Certificate 61
Deleting the Organization Certificate 61
Generating the Organization Certificate 61
Importing the Organization Certificate 62
Renewing the Organization Certificate 62
Additional Decryption Key (ADK) 63
Importing the ADK 64
Inspecting the ADK 64
Deleting the ADK 64
External User Root Key 65
Generating the External User Root Key 65
Importing the External User Root Key 65
Deleting the External User Root Key 66
External User Root Certificate 66
Generating the External User Root Certificate 66
Importing the External User Root Certificate 67
Deleting the External User Root Certificate 67
Verified Directory Key 68
Importing the Verified Directory Key 68
Inspecting the Verified Directory Key 68
Deleting the Verified Directory Key 69

Administering Managed Keys 71
Viewing Managed Keys 71
Managed Key Information 72
Email Addresses 74
Subkeys 74
Certificates 75
Permissions 75
Attributes 76
Symmetric Key Series 76
Symmetric Keys 78
Custom Data Objects 79
Exporting Consumer Keys 80
Exporting the Managed Key of an Internal User 80
Exporting the Managed Key of an External User 81
Exporting PGP Verified Directory User Keys 81
Exporting the Managed Key of a Managed Device 81
Deleting Consumer Keys 82
Deleting the Managed Key of an Internal User 82
Deleting the Managed Key of an External User 82
Deleting the Key of a PGP Verified Directory User 83
Deleting the Managed Key of a Managed Device 83
Approving Pending Keys 83
Revoking Managed Keys 84

Managing Trusted Keys and Certificates 87
Overview 87
Trusted Keys 87
Trusted Certificates 87
Adding a Trusted Key or Certificate 88
Inspecting and Changing Trusted Key Properties 88
Deleting Trusted Keys and Certificates 89
Searching for Trusted Keys and Certificates 89

Managing Group Keys 91
Overview 91
Establishing Default Group Key Settings 91
Adding a Group Key to an Existing Group 92
Creating a New Group with a Group Key 92
Removing a Group Key from a Group 93
Deleting a Group Key 93
Revoking a Group Key 94
Exporting a Group Key 94

Setting Mail Policy 95
Overview 95
How Policy Chains Work 95
Mail Policy and Dictionaries 96
Mail Policy and Key Searches 97
Mail Policy and Cached Keys 97
Migrating Settings from Version 2.0.x 97
About Restoring Mail Policy Rules 98
Understanding the Pre-Installed Policy Chains 104
Mail Policy Outside the Mailflow 105
Using the Rule Interface 105
The Conditions Card 106
The Actions Card 108
Building Valid Chains and Rules 108
Using Valid Processing Order 109
Creating Valid Groups 110
Creating a Valid Rule 111
Managing Policy Chains 112
Mail Policy Best Practices 112
Restoring Mail Policy to Default Settings 112
Editing Policy Chain Settings 112
Adding Policy Chains 113
Deleting Policy Chains 114
Exporting Policy Chains 114
Printing Policy Chains 115
Managing Rules 115
Adding Rules to Policy Chains 115
Deleting Rules from Policy Chains 115
Enabling and Disabling Rules 116
Changing the Processing Order of the Rules 116
Adding Key Searches 116
Choosing Condition Statements, Conditions, and Actions 117
Condition Statements 117
Conditions 118
Actions 122
Working with Common Access Cards 134

Applying Key Not Found Settings to External Users 135
Overview 135
Bounce the Message 135
PDF Messenger 136
PDF Messenger Secure Reply 136
Working with Passphrases 137
Certified Delivery with PDF Messenger 137
Send Unencrypted 138
Smart Trailer 138
PGP Universal Web Messenger 140
Changing Policy Settings 141
Changing User Delivery Method Preference 141

Using Dictionaries with Policy 143
Overview 143
Default Dictionaries 144
Editing Default Dictionaries 145
User-Defined Dictionaries 146
Adding a User-Defined Dictionary 146
Editing a User-Defined Dictionary 147
Deleting a Dictionary 147
Exporting a Dictionary 148
Searching the Dictionaries 148

Keyservers, SMTP Archive Servers, and Mail Policy 151
Overview 151
Keyservers 151
Adding or Editing a Keyserver 152
Deleting a Keyserver 154
SMTP Servers 154
Adding or Editing an Archive Server 154
Deleting an Archive Server 155

Managing Keys in the Key Cache 157
Overview 157
Changing Cached Key Timeout 157
Purging Keys from the Cache 157
Trusting Cached Keys 158
Viewing Cached Keys 158
Searching the Key Cache 159

Configuring Mail Proxies 161
Overview 161
PGP Universal Server and Mail Proxies 161
Mail Proxies in an Internal Placement 162
Mail Proxies in a Gateway Placement 163
Changes in Proxy Settings from PGP Universal Server 2.0 to 2.5 and later 164
Mail Proxies Page 165
Creating New or Editing Existing Proxies 165
Creating or Editing a POP/IMAP Proxy 165
Creating or Editing an Outbound SMTP Proxy 167
Creating or Editing an Inbound SMTP Proxy 169
Creating or Editing a Unified SMTP Proxy 170

Email in the Mail Queue 175
Overview 175
Deleting Messages from the Mail Queue 175

Specifying Mail Routes 177
Overview 177
Managing Mail Routes 178
Adding a Mail Route 178
Editing a Mail Route 178
Deleting a Mail Route 179

Customizing System Message Templates 181
Overview 181
Templates and Message Size 181
PDF Messenger Templates 182
Templates for New PGP Universal Web Messenger Users 183
Editing a Message Template 183

Managing Groups 185
Understanding Groups 185
Sorting Consumers into Groups 185
Everyone Group 186
Excluded Group 186
Policy Group Order 186
Migrate Groups from PGP Universal Server 2.12 SP4 187
Setting Policy Group Order 187
Creating a New Group 187
Deleting a Group 188
Viewing Group Members 188
Manually Adding Group Members 188
Manually Removing Members from a Group 189
Group Permissions 190
Adding Group Permissions 190
Deleting Group Permissions 190
Setting Group Membership 191
Searching Groups 192
Creating Group Client Installations 193
How Group Policy is Assigned to PGP Desktop Installers 193
When to Bind a Client Installation 194
Creating PGP Desktop Installers 195

Managing Devices 199
Managed Devices 199
Adding and Deleting Managed Devices 200
Adding Managed Devices to Groups 200
Managed Device Information 202
Deleting Devices from PGP Universal Server 205
Deleting Managed Devices from Groups 206
WDE Devices (Computers and Disks) 207
WDE Computers 207
WDE Disks 208
Searching for Devices 210

Administering Consumer Policy 213
Understanding Consumer Policy 213
Managing Consumer Policies 213
Adding a Consumer Policy 213
Editing a Consumer Policy 214
Deleting a Consumer Policy 215
Making Sure Users Create Strong Passphrases 215
Understanding Entropy 216
Using the Windows Preinstallation Environment 216
X.509 Certificate Management in Lotus Notes Environments 216
Trusting Certificates Created by PGP Universal Server 217
Setting the Lotus Notes Key Settings in PGP Universal Server 219
Technical Deployment Information 219
Offline Policy 220
Using a Policy ADK 221
Out of Mail Stream Support 221
Enrolling Users through Silent Enrollment 223
Silent Enrollment with Windows 223
Silent Enrollment with Mac OS X 223
PGP Whole Disk Encryption Administration 224
PGP Whole Disk Encryption on Mac OS X with FileVault 224
How Does Single Sign-On Work? 224
Enabling Single Sign-On 225
Managing Clients Remotely Using a PGP WDE Administrator Active Directory Group 226
Managing Clients Locally Using the PGP WDE Administrator Key 227
Setting Policy for Clients 229
Client and PGP Universal Server Version Compatibility 229
Serving PGP Admin 8 Preferences 230
Establishing PGP Desktop Settings for Your PGP Desktop Clients 231
PGP Desktop Feature License Settings 231
Enabling PGP Desktop Client Features in Consumer Policies 232
Controlling PGP Desktop Components 233
PGP Portable 234
PGP Mobile 234
PGP NetShare 235
How the PGP NetShare Policy Settings Work Together 235
Multi-user environments and managing PGP NetShare 235
Backing Up PGP NetShare-Protected Files 236

Using Directory Synchronization to Manage Consumers 237
How PGP Universal Server Uses Directory Synchronization 237
Base DN and Bind DN 238
Consumer Matching Rules 239
Understanding User Enrollment Methods 239
Before Creating a Client Installer 240
Email Enrollment 241
Directory Enrollment 243
Certificate Enrollment 244
Enabling Directory Synchronization 246
Adding or Editing an LDAP Directory 246
The LDAP Servers Tab 247
The Base Distinguished Name Tab 248
The Consumer Matching Rules Tab 248
Testing the LDAP Connection 249
Using Sample Records to Configure LDAP Settings 249
Deleting an LDAP Directory 249
Setting LDAP Directory Order 250
Directory Synchronization Settings 250

Managing User Accounts 253
Understanding User Account Types 253
Viewing User Accounts 253
User Management Tasks 253
Setting User Authentication 253
Editing User Attributes 254
Adding Users to Groups 254
Editing User Permissions 254
Deleting Users 255
Searching for Users 255
Viewing User Log Entries 256
Changing Display Names and Usernames 256
Exporting a User's X.509 Certificate 257
Revoking a User's X.509 Certificate 257
Managing User Keys 258
Managing Internal User Accounts 258
Importing Internal User Keys Manually 259
Creating New Internal User Accounts 259
Exporting PGP Whole Disk Encryption Login Failure Data 260
Internal User Settings 260
Managing External User Accounts 264
Importing External Users 264
Exporting Delivery Receipts 265
External User Settings 266
Offering X.509 Certificates to External Users 267
Managing Verified Directory User Accounts 268
Importing Verified Directory Users 269
PGP Verified Directory User Settings 269

Recovering Encrypted Data in an Enterprise Environment 271
Using Key Reconstruction 271
Recovering Encryption Key Material without Key Reconstruction 272
Encryption Key Recovery of CKM Keys 272
Encryption Key Recovery of GKM Keys 272
Encryption Key Recovery of SCKM Keys 272
Encryption Key Recovery of SKM Keys 273
Using an Additional Decryption Key for Data Recovery 274

PGP Universal Satellite 275
Overview 275
Technical Information 275
Distributing the PGP Universal Satellite Software 276
Configuration 276
Key Mode 276
PGP Universal Satellite Configurations 277
Switching Key Modes 280
Policy and Key or Certificate Retrieval 280
Retrieving Lost Policies 280
Retrieving Lost Keys or Certificates 281

PGP Universal Satellite for Mac OS X 283
Overview 283
System Requirements 283
Obtaining the Installer 283
Installation 284
Updates 284
Files 284

PGP Universal Satellite for Windows 287
Overview 287
System Requirements 287
Obtaining the Installer 287
Installation 288
Updates 288
Files 289
MAPI Support 289
External MAPI Configuration 289
Lotus Notes Support 290
External Lotus Notes Configuration 291

Configuring PGP Universal Web Messenger 293
Overview 293
PGP Universal Web Messenger and Clustering 294
External Authentication 294
Customizing PGP Universal Web Messenger 296
Adding a New Template 296
Troubleshooting Customization 300
Changing the Active Template 302
Deleting a Template 302
Editing a Template 302
Downloading Template Files 303
Restoring to Factory Defaults 303
Configuring the PGP Universal Web Messenger Service 303
Starting and Stopping PGP Universal Web Messenger 304
Selecting the PGP Universal Web Messenger Network Interface 304
Setting Up External Authentication 305
Creating Settings for PGP Universal Web Messenger User Accounts 306
Setting Message Replication in a Cluster 307

Configuring the Integrated Keyserver 309
Overview 309
Starting and Stopping the Keyserver Service 309
Configuring the Keyserver Service 309

Configuring the PGP Verified Directory 311
Overview 311
Starting and Stopping the PGP Verified Directory 312
Configuring the PGP Verified Directory 312

Managing the Certificate Revocation List Service 315
Overview 315
Starting and Stopping the CRL Service 315
Editing CRL Service Settings 316

Configuring Universal Services Protocol 317
Starting and Stopping USP 317
Adding USP Interfaces 317

Managing PGP Remote Disable & Destroy for Encrypted Disks 319
Deploying PGP RDD 319
Network and Clustering Considerations 320
Hardware and System Requirements 320
Licensing PGP Remote Disable & Destroy with Intel Anti-Theft Technology 321
Setting PGP RDD in Consumer Policies 322
Setting Up the PGP RDD Service 323
Managing PGP RDD Policy 323
Starting and Stopping the PGP RDD Service 325
PGP RDD Administrator Tasks 325
Viewing Anti-Theft Information 326
Managing Intel Anti-Theft Status 327
AT Activated 327
Decommissioned 328
AT Deactivated 328
Stolen 329
Changing a Computer's Status 329
Recovering Locked Systems 329
Reporting and Logging 331

System Graphs 333
Overview 333
CPU Usage 333
Message Activity 333
Whole Disk Encryption 334

System Logs 337
Overview 337
Filtering the Log View 338
Searching the Log Files 338
Exporting a Log File 339
Enabling External Logging 339

Configuring SNMP Monitoring 341
Overview 341
Starting and Stopping SNMP Monitoring 342
Configuring the SNMP Service 342
Downloading the Custom MIB File 343

Viewing Server and License Settings and Shutting Down Services 345
Overview 345
Server Information 345
Setting the Time 345
Licensing a PGP Universal Server 346
Downloading the Release Notes 346
Shutting Down and Restarting the PGP Universal Server Software Services 347
Shutting Down and Restarting the PGP Universal Server Hardware 347

Managing Administrator Accounts 349
Overview 349
Administrator Roles 349
Administrator Authentication 351
Creating a New Administrator 351
Importing SSH v2 Keys 352
Deleting Administrators 352
Inspecting and Changing the Settings of an Administrator 353
Configuring RSA SecurID Authentication 354
Resetting SecurID PINs 355
Daily Status Email 356

Protecting PGP Universal Server with Ignition Keys 357
Overview 357
Ignition Keys and Clustering 358
Preparing Hardware Tokens to be Ignition Keys 358
Configuring a Hardware Token Ignition Key 360
Configuring a Soft-Ignition Passphrase Ignition Key 360
Deleting Ignition Keys 361

Backing Up and Restoring System and User Data 363
Overview 363
Creating Backups 363
Scheduling Backups 364
Performing On-Demand Backups 364
Configuring the Backup Location 364
Restoring From a Backup 365
Restoring On-Demand 366
Restoring Configuration 366
Restoring from a Different Version 367

Updating PGP Universal Server Software 369
Overview 369
Inspecting Update Packages 370

Setting Network Interfaces 371
Understanding the Network Settings 371
Changing Interface Settings 372
Adding Interface Settings 372
Deleting Interface Settings 372
Editing Global Network Settings 373
Assigning a Certificate 373
Working with Certificates 373
Importing an Existing Certificate 374
Generating a Certificate Signing Request (CSR) 374
Adding a Pending Certificate 375
Inspecting a Certificate 376
Exporting a Certificate 376
Deleting a Certificate 376

Clustering your PGP Universal Servers 377
Overview 377
Cluster Status 378
Creating a Cluster 379
Deleting Cluster Members 381
Clustering and PGP Universal Web Messenger 382
Managing Settings for Cluster Members 382
Changing Network Settings in Clusters 383
About Clustering Diagnostics 383
Monitoring Data Replication in a Cluster 384

Index 387

1 Introduction
This Administrator’s Guide describes both the PGP™ Universal Server and Client software. It tells you how to get them up and running on your network, how to configure them, and how to maintain them. This section provides a high-level overview of PGP Universal Server.

What is PGP Universal Server?

PGP Universal Server is a console that manages the applications that provide email, disk, and network file encryption. PGP Universal Server with PGP Universal Gateway Email provides secure messaging by transparently protecting your enterprise messages with little or no user interaction. The PGP Universal Server replaces PGP Keyserver with a built-in keyserver, and PGP Admin with PGP Desktop configuration and deployment capabilities.
PGP Universal Server also does the following:
Automatically creates and maintains a Self-Managing Security Architecture (SMSA) by monitoring authenticated users and their email traffic.
Allows you to send protected messages to addresses that are not part of the SMSA.
Automatically encrypts, decrypts, signs, and verifies messages.
Provides strong security through policies you control.
PGP Universal Satellite, a client-side feature of PGP Universal Server, does the following:
Extends security for email messages to the computer of the email user.
Allows external users to become part of the SMSA.
If allowed by an administrator, gives end users the option to create and manage their keys on their computers.
PGP Desktop, a client product, is created and managed through PGP Universal Server policy and does the following:
Creates PGP keypairs.
Manages user keypairs.
Stores the public keys of others.
Encrypts user email and instant messaging (IM).
Encrypts entire, or partial, hard drives.
Enables secure file sharing with others over a network.
PGP Universal Server Product Family
PGP Universal Server functions as a management console for a variety of encryption solutions. You can purchase any of the PGP Desktop applications or bundles and use PGP Universal Server to create and manage client installations. You can also purchase a license that enables PGP Universal Gateway Email to encrypt email in the mailstream.
The PGP Universal Server can manage any combination of the following PGP encryption applications:
PGP Universal Gateway Email provides automatic email encryption in the gateway, based on centralized mail policy. This product requires administration by the PGP Universal Server.
PGP Desktop Email provides encryption at the desktop for mail, files, and AOL Instant Messenger traffic. This product can be managed by the PGP Universal Server.
PGP Whole Disk Encryption provides encryption at the desktop for an entire disk. This product can be managed by the PGP Universal Server.
PGP NetShare provides transparent file encryption and sharing among desktops. This product can be managed by the PGP Universal Server.

Who Should Read This Guide

This Administrator’s Guide is for the person or persons who implement and maintain your organization’s PGP Universal Server environment. These are the PGP Universal Server administrators.
This guide is also intended for anyone else who wants to learn about how PGP Universal Server works.

Common Criteria Environments

To be Common Criteria compliant, see the best practices in PGP Universal Server 2.9 Common Criteria Supplemental. These best practices supersede recommendations made elsewhere in this and other documentation.

Improvements in this Version of PGP Universal Server

PGP Universal Server 3.2 introduces the following new and improved features:
X.509 certificates are available to your external users through the PGP Universal Web Messenger interface. External users download the certificates, add them to their mail clients, and use them to communicate securely with users in your managed domain.
The PGP Universal Server user interface and all end user documentation have been rebranded to include the Symantec logo and colors. The product name remains the same.
We improved performance and page load times for many parts of the interface.
You can now allow your external users to securely reply to PDF Messenger messages.
You can now monitor how well data is being replicated throughout your cluster members.
After you migrate to PGP Universal Server 3.2.0, you can verify whether your backup/restore or PUP update was successful.
You can now require users to authenticate at the PGP BootGuard screen with their user name, domain, and passphrase.
Symantec Patch Distribution Center now provides all software updates, which replaces the PGP update servers. Automatic updates through the PGP update servers are no longer available.
PGP Universal Server is now integrated with Symantec Protection Center, which offers a single point of administration and helps you manage PGP Universal Server and other security products.
PGP Universal Server now supports group keys, which allow you to protect shared files and folders in PGP NetShare. Group keys allow you to easily add or remove group members without affecting the PGP NetShare metadata associated with the protected files and folders.
You can now allow users who use certificates or smart cards to log in to Microsoft Windows to enroll in PGP Desktop using those certificates.

Using the PGP Universal Server with the Command Line

You can use the PGP Universal Server command line for read-only access: for example, to view settings, services, logs, processes, and disk space, or to query the database.
Note: If you modify your configuration using the command line, and you do not follow these procedures, your Technical Support agreement is void.
Changes to the PGP Universal Server using the command line must be:
Authorized in writing by Technical Support.
Implemented by a partner, reseller, or employee who is certified in the PGP Advanced Administration and Deployment Training.
Summarized and documented in a text file in /var/lib/ovid/customization on the PGP Universal Server.
Changes made through the command line may not persist through reboots and may become incompatible in a future release. When troubleshooting new issues, Technical Support can require you to revert custom configurations on the PGP Universal Server to a default state.

Symbols

Notes, Cautions, and Warnings are used in the following ways.
Note: Notes are extra, but important, information. A Note calls your attention to important aspects of the product. You can use the product better if you read the Notes.
Caution: Cautions indicate the possibility of loss of data or a minor security breach. A Caution tells you about a situation where problems can occur unless precautions are taken. Pay attention to Cautions.
Warning: Warnings indicate the possibility of significant data loss or a major security breach. A Warning means serious problems will occur unless you take the appropriate action. Please take Warnings very seriously.

Getting Assistance

For additional resources, see these sections.

Getting product information

The following documents and online help are companions to the PGP Universal Server Administrator’s Guide. This guide occasionally refers to information that can be found in one or more of these sources:
Online help is installed and is available in the PGP Universal Server product.
PGP Universal Server Installation Guide—Describes how to install the PGP Universal Server.
PGP Universal Server Upgrade Guide—Describes the process of upgrading your PGP Universal Server.
PGP Universal Mail Policy Diagram—Provides a graphical representation of how email is processed through mail policy. You can access this document via the PGP Universal Server online help.
Tutorials—Provide animated introductions on how to manage the mail policy feature in PGP Universal Server 2.5 and later, and how upgraded PGP Universal Server settings migrate into the new mail policy feature.
You can also access all the documentation and tutorials by clicking the online help icon in the upper-right corner of the PGP Universal Server screen.
PGP Universal Satellite for Windows and Mac OS X includes online help.
PGP Universal Server and PGP Satellite release notes are also provided, which may have last-minute information not found in the product documentation.

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s support offerings include the following:
A range of support options that give you the flexibility to select the right amount of service for any size organization
Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
Upgrade assurance that delivers software upgrades
Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our Web site at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
Product release level
Hardware information
Available memory, disk space, and NIC information
Operating system
Version and patch level
Network topology
Router, gateway, and IP address information
Problem description:
Error messages and log files
Troubleshooting that was performed before contacting Symantec
Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the following types of issues:
Questions regarding product licensing or serialization
Product registration updates, such as address or name changes
General product information (features, language availability, local dealers)
Latest information about product updates and upgrades
Information about upgrade assurance and support contracts
Information about the Symantec Buying Programs
Advice about Symantec's technical support options
Nontechnical presales questions
Issues that are related to CD-ROMs or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan: customercare_apac@symantec.com
Europe, Middle-East, Africa: semea@symantec.com
North America, Latin America: supportsolutions@symantec.com

2 The Big Picture
This chapter describes some important terms and concepts and gives you a high-level overview of the things you need to do to set up and maintain your PGP Universal Server environment.

Important Terms

The following sections define important terms you will encounter throughout the PGP Universal Server and this documentation.

PGP Products

PGP Universal Server: A device you add to your network that provides secure messaging with little or no user interaction. The PGP Universal Server automatically creates and maintains a security architecture by monitoring authenticated users and their email traffic. You can also send protected messages to addresses that are not part of the security architecture.
PGP Global Directory: A free, public keyserver hosted by Symantec Corporation. The PGP Global Directory provides quick and easy access to the universe of PGP keys. It uses next-generation keyserver technology that queries the email address on a key (to verify that the owner of the email address wants their key posted) and lets users manage their own keys. Using the PGP Global Directory significantly enhances your chances of finding a valid public key of someone to whom you want to send secured messages.
For external users without encryption keys, PGP Universal Server offers multiple secure delivery options, leveraging third-party software that is already installed on typical computer systems, such as a web browser or Adobe Acrobat Reader. For email recipients who do not have an encryption solution, you can use one of the following secure delivery options from PGP Universal Server:
PGP Universal Satellite: The PGP Universal Satellite software resides on the computer of the email user. It allows email to be encrypted end to end, all the way to and from the desktop (for both internal and external users). Using PGP Universal Satellite is one of the ways for external users to participate in the SMSA. It also allows users the option of controlling their keys on their local computers (if allowed by the administrator).
PGP Universal Web Messenger: The PGP Universal Web Messenger service allows an external user to securely read a message from an internal user before the external user has a relationship with the SMSA. If PGP Universal Web Messenger is available via mail policy for a user and the recipient’s key cannot be found, the message is stored on the PGP Universal Server and an unprotected message is sent to the recipient. The unprotected message includes a link to the original message, held on the PGP Universal Server. The recipient must create a passphrase, and then can access his encrypted messages stored on PGP Universal Server.
20 The Big Picture
Important Terms
PDF Messenger: PDF Messenger enables sending encrypted PDF messages to
external users who do not have a relationship with the SMSA. In the normal mode, as with PGP Universal Web Messenger, the user receives a message with a link to the encrypted message location and uses a PGP Universal Web Messenger passphrase to access the message. PDF Messenger also provides Certified Delivery, which encrypts the message to a one-time passphrase, and creates and logs a delivery receipt when the user retrieves the passphrase.
PGP Desktop: A client software tool that uses cryptography to protect your data
against unauthorized access. PGP Desktop is available for Mac OS X and Windows.
PGP Whole Disk Encryption: Whole Disk Encryption is a feature of PGP
Desktop that encrypts your entire hard drive or partition (on Windows systems), including your boot record, thus protecting all your files when you are not using them.
PGP NetShare: A feature of PGP Desktop for Windows with which you can
securely and transparently share files and folders among selected individuals. PGP NetShare users can protect their files and folders simply by placing them within a folder that is designated as protected.
PGP Virtual Disk: PGP Virtual Disk volumes are a feature of PGP Desktop
that let you use part of your hard drive space as an encrypted virtual disk. You can protect a PGP Virtual Disk volume with a key or a passphrase. You can also create additional users for a volume, so that people you authorize can also access the volume.
PGP Zip: A feature of PGP Desktop that lets you put any combination of files
and folders into a single encrypted, compressed package for convenient transport or backup. You can encrypt a PGP Zip archive to a PGP key or to a passphrase.
PGP Portable: A separately-licensed feature that enables you to send encrypted
files to users who do not have PGP Desktop software, and to transport files securely to systems that do not or cannot have PGP software installed.

PGP Universal Server Concepts

keys.<domain> convention: PGP Universal Server automatically looks for valid public keys for email recipients at a special hostname, if no valid public key is found locally to secure a message. This hostname is keys.<domain> (where <domain> is the email domain of the recipient). For example, Example Corporation’s externally visible PGP Universal Server is named keys.example.com.
Symantec Corporation strongly recommends you name your externally visible PGP Universal Server according to this convention because it allows other PGP Universal Servers to easily find valid public keys for email recipients in your domain.
For more information, see About Naming your PGP Universal Server (on page 33).
Security Architecture: Behind the scenes, the PGP Universal Server creates and manages its own security architecture for the users whose email domain it is securing. Because the security architecture is created and managed automatically, we call this a self-managing security architecture (SMSA).

PGP Universal Server Features

Administrative Interface: Each PGP Universal Server is controlled via a Web-based administrative interface. The administrative interface gives you control over PGP Universal Server. While many settings are initially established using the web-based Setup Assistant, all settings of a PGP Universal Server can be controlled via the administrative interface.
Backup and Restore: Because full backups of the data stored on your PGP Universal Server are critical in a natural disaster or other unanticipated loss of data or hardware, you can schedule automatic backups of your PGP Universal Server data or manually perform a backup.
You can fully restore a PGP Universal Server from a backup. In the event of a minor problem, you can restore the PGP Universal Server to any saved backup. In the event that a PGP Universal Server is no longer usable, you can restore its data from a backup onto a new PGP Universal Server during initial setup of the new PGP Universal Server using the Setup Assistant. All backups are encrypted to the Organization Key and can be stored securely off the PGP Universal Server.
Cluster: When you have two or more PGP Universal Servers in your network, you configure them to synchronize with each other; this is called a “cluster.”
Dictionary: Dictionaries are lists of terms to be matched. The dictionaries work with mail policy to allow you to define content lists that can trigger rules.
Directory Synchronization: If you have LDAP directories in your organization, your PGP Universal Server can be synchronized with the directories. The PGP Universal Server automatically imports user information from the directories when users send and receive email; it also creates internal user accounts for them, including adding and using X.509 certificates if they are contained in the LDAP directories.
Ignition Keys: You can protect the contents of a PGP Universal Server, even if the hardware is stolen, by requiring the use of a hardware token or a software passphrase, or both, on start.
Keyserver: Each PGP Universal Server includes an integrated keyserver populated with the public keys of your internal users. When an external user sends a message to an internal user, the external PGP Universal Server goes to the keyserver to find the public key of the recipient to use to secure the message. The PGP Universal Server administrator can enable or disable the service, and control access to it via the administrative interface.
Learn Mode: When you finish configuring a PGP Universal Server using the Setup Assistant, it begins in Learn Mode, where the PGP Universal Server sends messages through mail policy without taking any action on the messages, and does not encrypt or sign any messages.
Learn Mode gives the PGP Universal Server a chance to build its SMSA (creating keys for authenticated users, for example) so that when Learn Mode is turned off, the PGP Universal Server can immediately begin securing messages. It is also an excellent way for administrators to learn about the product.
You should check the logs of the PGP Universal Server while it is in Learn Mode to see what it would be doing to email traffic if it were live on your network. You can make changes to the PGP Universal Server’s policies while it is in Learn Mode until things are working as expected.
Mail Policy: The PGP Universal Server processes email messages based on the policies you establish. Mail policy applies to inbound and outbound email processed by both PGP Universal Server and client software. Mail policy consists of multiple policy chains, comprised of sequential mail processing rules.
Organization Certificate: You must create or obtain an Organization Certificate to enable S/MIME support by PGP Universal Server. The Organization Certificate signs all X.509 certificates the server creates.
Organization Key: The Setup Assistant automatically creates an Organization Key (actually a keypair) when it configures a PGP Universal Server. The Organization Key is used to sign all PGP keys the PGP Universal Server creates and to encrypt PGP Universal Server backups.
Caution: It is extremely important to back up your Organization Key: all keys the PGP Universal Server creates are signed by the Organization Key, and all backups are encrypted to the Organization Key. If you lose your Organization Key and have not backed it up, the signatures on those keys are meaningless and you cannot restore from backups encrypted to the Organization Key.
PGP Verified Directory: The PGP Verified Directory supplements the internal keyserver by letting internal and external users manage the publishing of their own public keys. The PGP Verified Directory also serves as a replacement for the PGP Keyserver product. The PGP Verified Directory uses next-generation keyserver technology to ensure that the keys in the directory can be trusted.
Server Placement: A PGP Universal Server can be placed in one of two locations in your network to process email.
With an internal placement, the PGP Universal Server logically sits between your email users and your mail server. It encrypts and signs outgoing SMTP email and decrypts and verifies incoming mail being picked up by email clients using POP or IMAP. Email stored on your mail server is stored secured (encrypted).
With a gateway placement, the PGP Universal Server logically sits between your mail server and the Internet. It encrypts and signs outgoing SMTP email and decrypts and verifies incoming SMTP email. Email stored on your mail server is stored unsecured.
For more information, see Configuring Mail Proxies (on page 161) and the PGP Universal Server Installation Guide.
Setup Assistant: When you attempt to log in for the first time to the administrative interface of a PGP Universal Server, the Setup Assistant takes you through the configuration of that PGP Universal Server.
Group Key: A server-managed keypair shared by a group of users. A Group Key is assigned to a group based on membership in an Active Directory security group. This allows membership in the Active Directory security group to be modified without affecting the metadata associated with the protected data. To create a Group Key, the Directory Synchronization feature must be enabled and synchronized with an Active Directory database.

PGP Universal Server User Types

Administrators: Any user who manages the PGP Universal Server and its security configuration from inside the internal network.
Only administrators are allowed to access the administrative interface that controls PGP Universal Server. A PGP Universal Server supports multiple administrators, each of whom can be assigned a different authority: from read-only access to full control over every feature and function.
Consumers: Internal, external, and Verified Directory users, and devices.
External Users: External users are email users from other domains (domains not being managed by your PGP Universal Server) who have been added to the SMSA.
Internal Users: Internal users are email users from the domains being managed by your PGP Universal Server.
PGP Universal Server allows you to manage PGP Desktop deployments to your internal users. The administrator can control which PGP Desktop features are automatically implemented at install, and establish and update security policy for PGP Desktop users that those users cannot override (except on the side of being more secure).
PGP Verified Directory Users: Internal and external users who have submitted their public keys to the PGP Verified Directory, a Web-accessible keyserver.
Devices: Managed devices, WDE computers, and WDE disks. Managed devices are arbitrary objects whose keys are managed by PGP Universal Server. WDE computers and WDE disks are devices that are detected when users enroll.
Other Email Users: Users within your organization can securely send email to recipients outside the SMSA.
First, the PGP Universal Server attempts to find a key for the recipient. If that fails, there are four fallback options, all controlled by mail policy: bounce the message back to the sender (so it is not sent unencrypted), send unencrypted, Smart Trailer, and PGP Universal Web Messenger mail.
Smart Trailer sends the message unencrypted and adds text giving the recipient the option of joining the SMSA by installing PGP Universal Satellite, using an existing key or certificate, or using PGP Universal Web Messenger. PGP Universal Web Messenger lets the recipient securely read the message on a secure website; it also gives the recipient options for handling subsequent messages from the same domain: read the messages on a secure website using a passphrase they establish, install PGP Universal Satellite, or add an existing key or certificate to the SMSA.

Installation Overview

The following steps are a broad overview of what it takes to plan, set up, and maintain your PGP Universal Server environment.
Most of the steps described here are described in detail in later chapters. Steps 1 and 4 are described in the PGP Universal Server Installation Guide. Note that these steps apply to the installation of a new, stand-alone PGP Universal Server.
If you plan to install a cluster, you must install and configure one PGP Universal Server following the steps outlined here. Subsequent cluster members will get most of their configuration settings from the initial server by replication.
The steps to install and configure a PGP Universal Server are as follows:
1 Plan where in your network you want to locate your PGP Universal Server(s).
Where you put PGP Universal Servers in your network, how many PGP Universal Servers you have in your network, and other factors all have a major impact on how you add them to your existing network.
Create a diagram of your network that includes all network components and shows how email flows; this diagram details how adding a PGP Universal Server impacts your network.
For more information on planning how to add PGP Universal Servers to your existing network, see Adding the PGP Universal Server to Your Network in the PGP Universal Server Installation Guide.
2 Perform necessary DNS changes.
Add IP addresses for your PGP Universal Servers, an alias to your keyserver, update the MX record if necessary, add keys.<domain>, hostnames of potential Secondary servers for a cluster, and so on.
Properly configured DNS settings (including root servers and appropriate reverse lookup records) are required to support PGP Universal Server. Make sure both host and pointer records are correct. IP addresses must be resolvable to hostnames, as well as hostnames resolvable to IP addresses.
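The keys.<domain> convention from Important Terms and the forward/reverse DNS requirement in step 2 can both be checked before setup. The following is an added example, not code from the PGP Universal Server product or this guide: it derives the keys.<domain> hostname for a recipient address and verifies that every address a hostname resolves to has a PTR record pointing back to that hostname. The resolver functions are injected so the check runs offline against constructed sample zone data (the example.com names and 192.0.2.x addresses are constructed, not real hosts); live_forward and live_reverse, which use the system resolver, are an assumption about how you would run it for real.

```python
"""Added example (not part of the PGP Universal Server documentation):
derive the keys.<domain> lookup hostname for a recipient address and check
that a hostname's forward (A) and reverse (PTR) DNS records agree, as the
setup steps require. Resolver functions are injected so the check runs
offline against constructed data; socket-based resolvers are provided for
live use."""
import socket


def keyserver_hostname(recipient):
    """Return the keys.<domain> hostname a PGP Universal Server queries for
    a recipient's public key (e.g. user@example.com -> keys.example.com)."""
    local, sep, domain = recipient.rpartition("@")
    if not sep or not local or not domain or "." not in domain:
        raise ValueError("not a usable email address: %r" % recipient)
    return "keys." + domain.lower().rstrip(".")


def live_forward(hostname):
    """Forward lookup via the system resolver: hostname -> sorted IPv4 list.
    (Assumed usage; not exercised offline.)"""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)})


def live_reverse(ip):
    """Reverse lookup via the system resolver: IP -> canonical hostname."""
    return socket.gethostbyaddr(ip)[0]


def check_dns_consistency(hostname, forward, reverse):
    """Verify that every address `hostname` resolves to has a PTR record that
    points back to `hostname`. Returns a list of problem strings; an empty
    list means host and pointer records agree."""
    problems = []
    try:
        addresses = forward(hostname)
    except OSError as e:
        return ["forward lookup of %s failed: %s" % (hostname, e)]
    if not addresses:
        return ["%s has no address records" % hostname]
    for ip in addresses:
        try:
            ptr = reverse(ip)
        except OSError as e:
            problems.append("no PTR record for %s: %s" % (ip, e))
            continue
        if ptr.lower().rstrip(".") != hostname.lower().rstrip("."):
            problems.append("PTR for %s is %s, expected %s" % (ip, ptr, hostname))
    return problems


# Constructed sample zone data for an offline demonstration (not real hosts).
SAMPLE_FORWARD = {
    "keys.example.com": ["192.0.2.10"],
    "pgp2.example.com": ["192.0.2.11", "192.0.2.12"],
}
SAMPLE_REVERSE = {
    "192.0.2.10": "keys.example.com",
    "192.0.2.11": "pgp2.example.com",
    "192.0.2.12": "mail-old.example.com",  # stale PTR the check should catch
}


def sample_forward(hostname):
    """Offline stand-in for live_forward over the constructed zone data."""
    if hostname not in SAMPLE_FORWARD:
        raise OSError("NXDOMAIN " + hostname)
    return SAMPLE_FORWARD[hostname]


def sample_reverse(ip):
    """Offline stand-in for live_reverse over the constructed zone data."""
    if ip not in SAMPLE_REVERSE:
        raise OSError("no PTR " + ip)
    return SAMPLE_REVERSE[ip]


def check_sample():
    """Run the consistency check over every constructed host."""
    return {h: check_dns_consistency(h, sample_forward, sample_reverse)
            for h in ("keys.example.com", "pgp2.example.com", "missing.example.com")}


if __name__ == "__main__":
    print(keyserver_hostname("alice@Example.com"))
    for host, problems in check_sample().items():
        print(host, "OK" if not problems else problems)
```

Run it against your own names by calling check_dns_consistency with live_forward and live_reverse; a stale PTR or a missing reverse zone shows up as a problem string, which is exactly the condition step 2 says must be corrected before the server goes live.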
3 Prepare a hardware token Ignition Key.
If you want to add a hardware token Ignition Key during setup, install the drivers and configure the token before you begin the PGP Universal Server setup process. See Protecting PGP Universal Server with Ignition Keys (on page 357) for information on how to prepare a hardware token Ignition Key.
Note: In a cluster, the Ignition Key configured on the first PGP Universal Server in the cluster will also apply to the subsequent members of the cluster.
4 Install and configure this PGP Universal Server.
The Setup Assistant runs automatically when you first access the administrative interface for the PGP Universal Server. The Setup Assistant is where you can set or confirm a number of basic settings such as your network settings, administrator password, server placement option, mail server address and so on. The details of this process are described in Setting Up the PGP Universal Server in the PGP Universal Server Installation Guide.
Note: If you plan to configure multiple servers as a cluster, you must configure one server first in the normal manner, then add the additional servers as cluster members. You can do this through the Setup Assistant when you install a server that will join an existing cluster, or you can do this through the PGP Universal Server administrative interface. For more information see Cluster Member Configuration in the PGP Universal Server Installation Guide.
5 License your server.
You cannot take a PGP Universal Server out of Learn Mode or install updates until the product is licensed. Once it is licensed, you should check for product updates and install them if found. For more information, see Licensing Your Software (on page 45).
If you want the PGP Universal Server to provide mail proxy services, you must have a PGP Universal Server license with the mailstream feature enabled, and you must check the Enable Mail Proxies check box on the System Settings page in the PGP Universal Server administrative interface. For more information, see Licensing Your Software (on page 45).
6 If you have a PGP key you want to use as your Organization Key with PGP Universal Server, import it, then back it up.
Your Organization Key does two important things: it is used to sign all user keys the PGP Universal Server creates and it is used to encrypt PGP Universal Server backups. This key represents the identity of your organization, and is the root of the Web-of-Trust for your users.
If your organization uses PGP Desktop and already has a Corporate Key or Organization Key, and you want to use that key with PGP Universal Server, you should import it as soon as you have configured your server, then create a backup of the key.
If your organization does not have an existing key that you want to use as your Organization Key, use the Organization Key the Setup Assistant automatically creates with default values. For more information, see Managing Organization Keys (on page 57).
No matter which key you use as your Organization Key, it is very important to make a backup of the key. Since PGP Universal Server’s built-in backup feature always encrypts backups to this key, you need to provide a copy of your Organization Key to restore your data.
For more information, see Organization Certificate (on page 60).
7 If you have a PGP Additional Decryption Key (ADK) that you want to use with PGP Universal Server, add it.
An ADK is a way to recover an email message if the recipient is unable or unwilling to do so; every message that is also encrypted to the ADK can be opened by the holder(s) of the ADK. You cannot create an ADK with the PGP Universal Server, but if you have an existing PGP ADK (generated by PGP Desktop, an ideal scenario for a split key; refer to the PGP Desktop User’s Guide for more information), you can add it to your PGP Universal Server and use it. For more information, see Additional Decryption Key (ADK) (on page 63).
8 Create an SSL/TLS certificate or obtain a valid SSL/TLS certificate.
You can create a self-signed certificate for use with SSL/TLS traffic. Because this certificate is self-signed, however, it might not be trusted by email or Web browser clients. Symantec Corporation recommends that you obtain a valid SSL/TLS certificate for each of your PGP Universal Servers from a reputable Certificate Authority.
This is especially important for PGP Universal Servers that are accessed publicly. Older Web browsers might reject self-signed certificates or not know how to handle them correctly when they encounter them via PGP Universal Web Messenger or Smart Trailer.
For more information, see Working with Certificates (on page 373).
9 Configure the Directory Synchronization feature if you want to synchronize an LDAP directory with your PGP Universal Server.
If you have an existing LDAP server, using the Directory Synchronization feature gives you more control over which users, keys, and certificates are added to the PGP Universal Server.
By default, user enrollment is set to Email enrollment. If you elect to use certificate enrollment or LDAP directory enrollment, you must have an LDAP directory configured and Directory Synchronization enabled. You can change the client enrollment setting from the Directory Synchronization Settings page in the PGP Universal Server administrative interface.
For more information, see Using Directory Synchronization to Manage Consumers (on page 237).
10 Configure PGP Desktop client features.
The PGP Desktop client basic (default) license is installed along with the PGP Universal Server, so adding the client license as a separate step is not necessary. However, the optional features (messaging, PGP Whole Disk Encryption, and PGP NetShare) are disabled by default. If you have purchased a license for those features, you must edit your client policy settings to enable them. For more information about consumer policy settings, see "Establishing PGP Desktop Settings for Your PGP Desktop Clients (on page 231)".
11 Add trusted keys, configure consumer policy, and establish mail policy.
All these settings are important for secure operation of PGP Universal Server. For more information on adding trusted keys from outside the SMSA, see Managing Trusted Keys and Certificates (on page 87). For more information about consumer policy settings, see Administering Consumer Policy (on page 213). For information on setting up mail policy, see Setting Mail Policy (on page 95).
Note: When setting policy for Consumers, PGP Universal Server provides an option called Out of Mail Stream (OOMS) support. OOMS specifies how the email gets transmitted from the client to the server when PGP Desktop cannot find a key for the recipient and therefore cannot encrypt the message.
OOMS is disabled by default. With OOMS disabled, sensitive messages that can't be encrypted locally are sent to PGP Universal Server "in the mail stream" like normal email. Importantly, this email is sent in the clear (unencrypted). Mail or Network administrators could read these messages by accessing the mail server's storage or monitoring network traffic. However, archiving solutions, outbound anti-virus filters, or other systems which monitor or proxy mail traffic will process these messages normally.
You can elect to enable OOMS, which means that sensitive messages that can't be encrypted locally are sent to PGP Universal Server "out of the mail stream." PGP Desktop creates a separate, encrypted network connection to the PGP Universal Server to transmit the message. However, archiving solutions, outbound anti-virus filters, or other systems which monitor or proxy mail traffic will not see these messages.
When configuring your PGP Universal Server, determine the appropriate setting for your requirements. This option can be set separately for each policy group, and is set through the Consumer Policy settings. For more details on the effects of enabling or disabling OOMS, see Out of Mail Stream Support.
12 Install and configure additional cluster server members.