How it Works
PGP
Loading...
#
C
D
E
M
N
P
R
U
W
Loading...
Loading...
Universal Server - 3.2.1
Upgrade Manual
31 pgs237.32 Kb0
Installation Manual
54 pgs861.52 Kb0
Table of contents
Loading...

PGP Universal Server - 3.2.1 Administrator’s Guide

PGP™ Universal Server
Administrator's Guide
3.2
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Version 3.2.1. Last updated: April 2012.
Legal Notice
Copyright (c) 2012 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED"AS IS"AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. “Commercial Computer Software and Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation 350 Ellis Street Mountain View, CA 94043
Symantec Home Page (
Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1
http://www.symantec.com)
Contents
Introduction
What is PGP Universal Server? 1 PGP Universal Server Product Family 2 Who Should Read This Guide 2 Common Criteria Environments 2 Improvements in this Version of PGP Universal Server 2 Using the PGP Universal Server with the Command Line 4 Symbols 4 Getting Assistance 5
Getting product information 5 Technical Support 5 Contacting Technical Support 6 Licensing and registration 6 Customer service 6 Support agreement resources 7
1
The Big Picture 9
Important Terms 9
PGP Products 9 PGP Universal Server Concepts 10 PGP Universal Server Features 11
PGP Universal Server User Types 12 Installation Overview 13 About Integration with Symantec Protection Center 18
Before You Integrate with Protection Center 18
About Open Ports 21
TCP Ports 21 UDP Ports 22
About Naming your PGP Universal Server
How to Name Your PGP Universal Server 23 Naming Methods 24
23
Understanding the Administrative Interface 25
System Requirements 25 Logging In 25 The System Overview Page 26 Managing Alerts 27 Logging In For the First Time 28 Administrative Interface Map 28 Icons 29
ii Contents
Licensing Your Software 35
Overview 35 Licensing a PGP Universal Server 35 License Authorization 35 Licensing the Mail Proxy Feature 35 Licensing PGP Desktop 36
Operating in Learn Mode 37
Purpose of Learn Mode 37 Checking the Logs 38 Managing Learn Mode 38
Managed Domains 39
About Managed Domains 39 Adding Managed Domains 40 Deleting Managed Domains 40
Understanding Keys 41
Choosing a Key Mode For Key Management 41
Changing Key Modes 43 How PGP Universal Server Uses Certificate Revocation Lists 44 Key Reconstruction Blocks 44 Managed Key Permissions 45
Managing Organization Keys 47
About Organization Keys 47 Organization Key 47
Inspecting the Organization Key 48
Regenerating the Organization Key 48
Importing an Organization Key 49 Organization Certificate 50
Inspecting the Organization Certificate 50
Exporting the Organization Certificate 51
Deleting the Organization Certificate 51
Generating the Organization Certificate 51
Importing the Organization Certificate 52
Renewing the Organization Certificate 52 Additional Decryption Key (ADK) 53
Importing the ADK 54
Inspecting the ADK 54
Deleting the ADK 54 External User Root Key 55
Generating the External User Root Key 55
Importing the External User Root Key 55
Deleting the External User Root Key 56
External User Root Certificate 56
Generating the External User Root Certificate 56
Importing the External User Root Certificate 57
Deleting the External User Root Certificate 57 Verified Directory Key 58
Importing the Verified Directory Key 58
Inspecting the Verified Directory Key 58
Deleting the Verified Directory Key 59
iii Contents
Administering Managed Keys
Viewing Managed Keys 61 Managed Key Information 62
Email Addresses 64
Subkeys 64
Certificates 65
Permissions 65
Attributes 66 Symmetric Key Series 66 Symmetric Keys 68 Custom Data Objects 69 Exporting Consumer Keys 70
Exporting the Managed Key of an Internal User 70
Exporting the Managed Key of an External User 71
Exporting PGP Verified Directory User Keys 71
Exporting the Managed Key of a Managed Device 71 Deleting Consumer Keys 72
Deleting the Managed Key of an Internal User 72
Deleting the Managed Key of an External User 72
Deleting the Key of a PGP Verified Directory User 73
Deleting the Managed Key of a Managed Device 73 Approving Pending Keys 73 Revoking Managed Keys 74
Managing Trusted Keys and Certificates
61
77
Overview 77
Trusted Keys 77
Trusted Certificates 77 Adding a Trusted Key or Certificate 78 Inspecting and Changing Trusted Key Properties 78 Deleting Trusted Keys and Certificates 79 Searching for Trusted Keys and Certificates 79
Managing Group Keys 81
Overview 81 Establishing Default Group Key Settings 81 Adding a Group Key to an Existing Group 82 Creating a New Group with a Group Key 82 Removing a Group Key from a Group 83 Deleting a Group Key 83
iv Contents
Revoking a Group Key 84 Exporting a Group Key 84
Setting Mail Policy 85
Overview 85
How Policy Chains Work 85
Mail Policy and Dictionaries 86
Mail Policy and Key Searches 87
Mail Policy and Cached Keys 87 Understanding the Pre-Installed Policy Chains 88 How Upgrading and Updating Affect Mail Policy Settings 89 Mail Policy Outside the Mailflow 89 Using the Rule Interface 90
The Conditions Card 90
The Actions Card 92 Building Valid Chains and Rules 92
Using Valid Processing Order 93
Creating Valid Groups 94
Creating a Valid Rule 95 Managing Policy Chains 96
Mail Policy Best Practices 96
Restoring Mail Policy to Default Settings 96
Editing Policy Chain Settings 96
Adding Policy Chains 97
Deleting Policy Chains 98
Exporting Policy Chains 98
Printing Policy Chains 99 Managing Rules 99
Adding Rules to Policy Chains 99
Deleting Rules from Policy Chains 99
Enabling and Disabling Rules 100
Changing the Processing Order of the Rules 100 Adding Key Searches 100 Choosing Condition Statements, Conditions, and Actions 101
Condition Statements 101
Conditions 102
Actions 106 Working with Common Access Cards 119
Applying Key Not Found Settings to External Users 121
Overview 121
Bounce the Message 121
PDF Messenger 122
PDF Messenger Secure Reply 122 Working with Passphrases 123
Certified Delivery with PDF Messenger 123
Send Unencrypted 124
Smart Trailer 124
PGP Universal Web Messenger 126 Changing Policy Settings 127 Changing User Delivery Method Preference 127
Using Dictionaries with Policy 129
Overview 129 Default Dictionaries 130
Editing Default Dictionaries 131 User-Defined Dictionaries 132
Adding a User-Defined Dictionary 132
Editing a User-Defined Dictionary 133
Deleting a Dictionary 134 Exporting a Dictionary 134 Searching the Dictionaries 134
Keyservers, SMTP Archive Servers, and Mail Policy 137
Overview 137 Keyservers 137
Adding or Editing a Keyserver 138
Deleting a Keyserver 140 SMTP Servers 140
Adding or Editing an Archive Server 140
Deleting an Archive Server 141
v Contents
Managing Keys in the Key Cache 143
Overview 143 Changing Cached Key Timeout 143
Purging Keys from the Cache 143
Trusting Cached Keys 144
Viewing Cached Keys 144 Searching the Key Cache 145
Configuring Mail Proxies 147
Overview 147 PGP Universal Server and Mail Proxies 147
Mail Proxies in an Internal Placement 148
Mail Proxies in a Gateway Placement 149 Changes in Proxy Settings from PGP Universal Server 2.0 to 2.5 and later 150 Mail Proxies Page 151 Creating New or Editing Existing Proxies 151
Creating or Editing a POP/IMAP Proxy 151
Creating or Editing an Outbound SMTP Proxy 153
Creating or Editing an Inbound SMTP Proxy 155
Creating or Editing a Unified SMTP Proxy 156
Email in the Mail Queue
Overview 159 Deleting Messages from the Mail Queue 159
159
vi Contents
Specifying Mail Routes 161
Overview 161 Managing Mail Routes 162
Adding a Mail Route 162
Editing a Mail Route 162
Deleting a Mail Route 163
Customizing System Message Templates 165
Overview 165
Templates and Message Size 165
PDF Messenger Templates 166
PGP Universal Web Messenger Templates 166 Editing a Message Template 167
Managing Groups 169
Understanding Groups 169
Sorting Consumers into Groups 169
Everyone Group 170
Excluded Group 170 Policy Group Order 170
Migrate Groups from PGP Universal Server 2.12 SP4 171
Setting Policy Group Order 171 Creating a New Group 171 Deleting a Group 172 Viewing Group Members 172 Manually Adding Group Members 172 Manually Removing Members from a Group 173 Group Permissions 174
Adding Group Permissions 174
Deleting Group Permissions 174 Setting Group Membership 175 Searching Groups 176 Creating Group Client Installations 177
How Group Policy is Assigned to PGP Desktop Installers 177
When to Bind a Client Installation 178
Creating PGP Desktop Installers 179
Managing Devices 183
Managed Devices 183
Adding and Deleting Managed Devices 184
Adding Managed Devices to Groups 184
Managed Device Information 186 Deleting Devices from PGP Universal Server 189 Deleting Managed Devices from Groups 190 WDE Devices (Computers and Disks) 191
WDE Computers 191
WDE Disks 192
Contents vii
Searching for Devices 194
Administering Consumer Policy 197
Understanding Consumer Policy 197 Managing Consumer Policies 197
Adding a Consumer Policy 197
Editing a Consumer Policy 198
Deleting a Consumer Policy 199 Making Sure Users Create Strong Passphrases 199
Understanding Entropy 200 Enabling or Disabling Encrypted Email 200 Using the Windows Preinstallation Environment 201 X.509 Certificate Management in Lotus Notes Environments 201
Trusting Certificates Created by PGP Universal Server 202
Setting the Lotus Notes Key Settings in PGP Universal Server 203
Technical Deployment Information 204 Offline Policy 205 Using a Policy ADK 206 Out of Mail Stream Support 206 Enrolling Users through Silent Enrollment 208
Silent Enrollment with Windows 208
Silent Enrollment with Mac OS X 208 PGP Whole Disk Encryption Administration 209
PGP Whole Disk Encryption on Mac OS X with FileVault 209
How Does Single Sign-On Work? 209
Enabling Single Sign-On 210
Managing Clients Remotely Using a PGP WDE Administrator Active Directory Group 211
Managing Clients Locally Using the PGP WDE Administrator Key 212
Setting Policy for Clients 215
Client and PGP Universal Server Version Compatibility 215
Serving PGP Admin 8 Preferences 216 Establishing PGP Desktop Settings for Your PGP Desktop Clients 217
PGP Desktop Feature License Settings 218
Enabling PGP Desktop Client Features in Consumer Policies 218
Controlling PGP Desktop Components 219 PGP Portable 220 PGP Mobile 221 PGP NetShare 221
How the PGP NetShare Policy Settings Work Together 221
Multi-user environments and managing PGP NetShare 222
Backing Up PGP NetShare-Protected Files 222
Using Directory Synchronization to Manage Consumers
How PGP Universal Server Uses Directory Synchronization 225
Base DN and Bind DN 226
Consumer Matching Rules 227 Understanding User Enrollment Methods 227
Before Creating a Client Installer 228
225
viii Contents
Email Enrollment 229
Directory Enrollment 231
Certificate Enrollment 232 Enabling Directory Synchronization 234 Adding or Editing an LDAP Directory 234
The LDAP Servers Tab 235
The Base Distinguished Name Tab 236
The Consumer Matching Rules Tab 236
Testing the LDAP Connection 237
Using Sample Records to Configure LDAP Settings 237 Deleting an LDAP Directory 237 Setting LDAP Directory Order 238 Directory Synchronization Settings 238
Managing User Accounts
Understanding User Account Types 241 Viewing User Accounts 241 User Management Tasks 241
Setting User Authentication 241
Editing User Attributes 242
Adding Users to Groups 242
Editing User Permissions 242
Deleting Users 243
Searching for Users 243
Viewing User Log Entries 244
Changing Display Names and Usernames 244
Exporting a User’s X.509 Certificate 245
Revoking a User's X.509 Certificate 245
Managing User Keys 246 Managing Internal User Accounts 246
Importing Internal User Keys Manually 247
Creating New Internal User Accounts 247
Exporting PGP Whole Disk Encryption Login Failure Data 248
Internal User Settings 248 Managing External User Accounts 252
Importing External Users 252
Exporting Delivery Receipts 253
External User Settings 254 Offering X.509 Certificates to External Users 255 Managing Verified Directory User Accounts 256
Importing Verified Directory Users 257
PGP Verified Directory User Settings 257
241
Recovering Encrypted Data in an Enterprise Environment 259
Using Key Reconstruction 259 Recovering Encryption Key Material without Key Reconstruction 260
Encryption Key Recovery of CKM Keys 260
Encryption Key Recovery of GKM Keys 260
Encryption Key Recovery of SCKM Keys 260
Encryption Key Recovery of SKM Keys 261 Using an Additional Decryption Key for Data Recovery 262
PGP Universal Satellite 263
Overview 263 Technical Information 263 Distributing the PGP Universal Satellite Software 264 Configuration 264
Key Mode 264
PGP Universal Satellite Configurations 265
Switching Key Modes 268 Policy and Key or Certificate Retrieval 268
Retrieving Lost Policies 268
Retrieving Lost Keys or Certificates 269
PGP Universal Satellite for Mac OS X 271
Overview 271 System Requirements 271 Obtaining the Installer 271 Installation 272 Updates 272 Files 272
ix Contents
PGP Universal Satellite for Windows 275
Overview 275 System Requirements 275 Obtaining the Installer 275 Installation 276 Updates 276 Files 277 MAPI Support 277
External MAPI Configuration 277 Lotus Notes Support 278
External Lotus Notes Configuration 278
Configuring PGP Universal Web Messenger 281
Overview 281
PGP Universal Web Messenger and Clustering 282
External Authentication 282 Customizing PGP Universal Web Messenger 284
Adding a New Template 284
Troubleshooting Customization 289
Changing the Active Template 291
Deleting a Template 291
Editing a Template 292
Downloading Template Files 292
Restoring to Factory Defaults 292 Configuring the PGP Universal Web Messenger Service 292
Starting and Stopping PGP Universal Web Messenger 293
Selecting the PGP Universal Web Messenger Network Interface 293
x Contents
Setting Up External Authentication 295
Creating Settings for PGP Universal Web Messenger User Accounts 296
Setting Message Replication in a Cluster 297
Configuring the Integrated Keyserver 299
Overview 299 Starting and Stopping the Keyserver Service 299 Configuring the Keyserver Service 299
Configuring the PGP Verified Directory 301
Overview 301 Starting and Stopping the PGP Verified Directory 302 Configuring the PGP Verified Directory 302
Managing the Certificate Revocation List Service 305
Overview 305 Starting and Stopping the CRL Service 305 Editing CRL Service Settings 306
Configuring Universal Services Protocol 307
Starting and Stopping USP 307 Adding USP Interfaces 307
Introducing PGP Remote Disable and Destroy 1
About PGP Remote Disable and Destroy 1 Components of PGP RDD 1 How PGP RDD Works 1
System Graphs 3
Overview 3 CPU Usage 3 Message Activity 3 Whole Disk Encryption 4
System Logs 5
Overview 5 Filtering the Log View 6 Searching the Log Files 6 Exporting a Log File 7 Enabling External Logging 7
Configuring SNMP Monitoring 9
Overview 9 Starting and Stopping SNMP Monitoring 10 Configuring the SNMP Service 10 Downloading the Custom MIB File 11
xi Contents
Viewing Server and License Settings and Shutting Down Services
Overview 13 Server Information 13
Setting the Time 13
Licensing a PGP Universal Server 14
Downloading the Release Notes 14 Shutting Down and Restarting the PGP Universal Server Software Services 15 Shutting Down and Restarting the PGP Universal Server Hardware 15
13
Managing Administrator Accounts 17
Overview 17
Administrator Roles 17
Administrator Authentication 19 Creating a New Administrator 19 Importing SSH v2 Keys 20 Deleting Administrators 20 Inspecting and Changing the Settings of an Administrator 21 Configuring RSA SecurID Authentication 22 Resetting SecurID PINs 23 Daily Status Email 24
Protecting PGP Universal Server with Ignition Keys
Overview 25
Ignition Keys and Clustering 26 Preparing Hardware Tokens to be Ignition Keys 26 Configuring a Hardware Token Ignition Key 28 Configuring a Soft-Ignition Passphrase Ignition Key 28 Deleting Ignition Keys 29
25
Backing Up and Restoring System and User Data
Overview 31 Creating Backups 31
Scheduling Backups 32
Performing On-Demand Backups 32 Configuring the Backup Location 32 Restoring From a Backup 33
Restoring On-Demand 34
Restoring Configuration 34
Restoring from a Different Version 35
31
xii Contents
Updating PGP Universal Server Software 37
Overview 37 Inspecting Update Packages 38
Setting Network Interfaces 39
Understanding the Network Settings 39 Changing Interface Settings 40 Adding Interface Settings 40 Deleting Interface Settings 40 Editing Global Network Settings 41 Assigning a Certificate 41 Working with Certificates 41
Importing an Existing Certificate 42
Generating a Certificate Signing Request (CSR) 42
Adding a Pending Certificate 43
Inspecting a Certificate 44
Exporting a Certificate 44
Deleting a Certificate 44
Clustering your PGP Universal Servers 45
Overview 45 Cluster Status 46 Creating a Cluster 47 Deleting Cluster Members 49 Clustering and PGP Universal Web Messenger 50 Managing Settings for Cluster Members 50 Changing Network Settings in Clusters 51 About Clustering Diagnostics 51
Monitoring Data Replication in a Cluster 52
Index
55

Introduction

1
This Administrator’s Guide describes both the PGP™ Universal Server and Client software. It tells you how to get them up and running on your network, how to configure them, and how to maintain them. This section provides a high-level overview of PGP Universal Server.

What is PGP Universal Server?

PGP Universal Server is a console that manages the applications that provide email, disk, and network file encryption. PGP Universal Server with PGP Universal Gateway Email provides secure messaging by transparently protecting your enterprise messages with little or no user interaction. The PGP Universal Server replaces PGP Keyserver with a built-in keyserver, and PGP Admin with PGP Desktop configuration and deployment capabilities.
PGP Universal Server also does the following:
Automatically creates and maintains a Self-Managing Security Architecture
(SMSA) by monitoring authenticated users and their email traffic.
Allows you to send protected messages to addresses that are not part of the SMSA.
Automatically encrypts, decrypts, signs, and verifies messages.
Provides strong security through policies you control.
PGP Universal Satellite, a client-side feature of PGP Universal Server, does the following:
Extends security for email messages to the computer of the email user.
Allows external users to become part of the SMSA.
If allowed by an administrator, gives end users the option to create and manage
their keys on their computers.
PGP Desktop, a client product, is created and managed through PGP Universal Server policy and does the following:
Creates PGP keypairs.
Manages user keypairs.
Stores the public keys of others.
Encrypts user email and instant messaging (IM).
Encrypts entire, or partial, hard drives.
Enables secure file sharing with others over a network.
2 Introduction

PGP Universal Server Product Family

PGP Universal Server Product Family
PGP Universal Server functions as a management console for a variety of encryption solutions. You can purchase any of the PGP Desktop applications or bundles and use PGP Universal Server to create and manage client installations. You can also purchase a license that enables PGP Universal Gateway Email to encrypt email in the mailstream.
The PGP Universal Server can manage any combination of the following PGP encryption applications:
PGP Universal Gateway Email provides automatic email encryption in the
gateway, based on centralized mail policy.
This product requires administration by the PGP Universal Server.
PGP Desktop Email provides encryption at the desktop for mail, files, and AOL
Instant Messenger traffic.
This product can be managed by the PGP Universal Server.
PGP Whole Disk Encryption provides encryption at the desktop for an entire disk.
This product can be managed by the PGP Universal Server.
PGP NetShare provides transparent file encryption and sharing among desktops.
This product can be managed by the PGP Universal Server.

Who Should Read This Guide

This Administrator’s Guide is for the person or persons who implement and maintain your organization’s PGP Universal Server environment. These are the PGP Universal Server administrators.
This guide is also intended for anyone else who wants to learn about how PGP Universal Server works.

Common Criteria Environments

To be Common Criteria compliant, see the best practices in PGP Universal Server 2.9 Common Criteria Supplemental. These best practices supersede recommendations made
elsewhere in this and other documentation.

Improvements in this Version of PGP Universal Server

PGP Universal Server 3.2.1 introduces the following new and improved features:
Improvements in this Version of PGP Universal Server
This release provides support for VMware VMotion HA Configurations. PGP
Universal Server with VMware VMotion allows virtual machines on failed ESX server hosts to restart on surviving ESX hosts.
This release contains improvements in the backup process which provides a faster
way to take and restore backups. Users also now have the capability of specifying encryption and compression with each backup.
Improvements made to streamline the migration process.
PGP Universal Web Messenger users are now notified when their accounts are
about to expire.
PGP Universal Web Messenger has added functionality to prevent a Cross Sites
Request Forge attacks. PGP Universal Server already provides functionality to prevent CSRF attacks.
The default mail policy includes the following changes:
New default mail policy no longer uses opportunistic encryption. Email is
secured only if the sender specifies (such as by selecting the Encrypt button in the email client or by marking the email as "Sensitive").
New default mail policy attempts to encrypt the mail if the subject line
contains “PDF”, and should be delivered as a secure PDF message if the key is not found and PGP Universal Web Messenger/PDF options are enabled.
“Excluded Signed”, and “Excluded Unsigned” rules are removed as they are
now part of opportunistic encryption.
Secure Reply option for PDF Messenger is enabled by default.
PGP NetShare can be integrated with Symantec Data Loss Prevention to provide
automatic encryption of files without end-user intervention. A Data Loss Prevention administrator defines policies and rules that define the parameters for identifying sensitive files and provide credentials for the encryption. The integration is accomplished using an endpoint client-side plug-in. Files under consideration for sensitive content can be data in motion (DIM) or data at rest (DAR). For more information, see the PGP NetShare Flex Response Plug-In for Data Loss Prevention Implementation Guide.
PGP Universal Server 3.2.0 introduces the following new and improved features:
X.509 certificates are available to your external users through the PGP Universal
Web Messenger interface. External users download the certificates, add them to their mail clients, and use them to communicate securely with users in your managed domain.
The PGP Universal Server user interface and all end user documentation have
been rebranded to include the Symantec logo and colors. The product name remains the same.
We improved performance and page load times for many parts of the interface.
You can now allow your external users to securely reply to PDF Messenger
messages.
You can now monitor the how well data is being replicated throughout your
cluster members.
After you migrate to PGP Universal Server 3.2.1, you can verify whether your
backup/restore or PUP update was successful. `
You can now require users to authenticate at the PGP BootGuard screen with their
user name, domain, and passphrase.
3 Introduction
4 Introduction

Using the PGP Universal Server with the Command Line

Symantec Patch Distribution Center now provides all software updates, which
replaces PGP update servers. Automatic updates through the PGP update servers are no longer available.
PGP Universal Server is now integrated with Symantec Protection Center, which
offers a single point of administration and helps you manage PGP Universal Server and other security products.
PGP Universal Server now supports group keys, which allows you to protect
shared files and folders in PGP NetShare. Group keys allow you to easily add or remove group members without affecting the PGP NetShare metadata associated with the protected files and folders.
You can now allow users, who use certificates or smart cards to log in to Microsoft
Windows, to enroll in PGP Desktop using those certificates.
Using the PGP Universal Server with the Command Line
You can use the PGP Universal Server command line for read-only access to, for example, view settings, services, logs, processes, disk space, query the database, and so on.

Symbols

Note: If you modify your configuration using the command line, and you do not
follow these procedures, your PGP Support agreement is void.
Changes to the PGP Universal Server using command line must be:
Authorized in writing by PGP Support.
Implemented by PGP's partner, reseller, or internal employee who is certified in
the PGP Advanced Administration and Deployment Training.
Summarized and documented in a text file in /var/lib/ovid/customization
on the PGP Universal Server.
Changes made through the command line may not persist through reboots and may become incompatible in a future release. When troubleshooting new issues, PGP Support can require you to revert custom configurations on the PGP Universal Server to a default state.
Notes, Cautions, and Warnings are used in the following ways.
Note: Notes are extra, but important, information. A Note calls your attention to
important aspects of the product. You can use the product better if you read the Notes.
Caution: Cautions indicate the possibility of loss of data or a minor security breach. A
Caution tells you about a situation where problems can occur unless precautions are taken. Pay attention to Cautions.
Warning: Warnings indicate the possibility of significant data loss or a major security
breach. A Warning means serious problems will occur unless you take the appropriate action. Please take Warnings very seriously.

Getting Assistance

For additional resources, see these sections.

Getting product information

The following documents and online help are companions to the PGP Universal Server Administrator’s Guide. This guide occasionally refers to information that can be found
in one or more of these sources:
Online help is installed and is available in the PGP Universal Server product.
PGP Universal Server Installation Guide—Describes how to install the PGP
Universal Server.
PGP Universal Server Upgrade Guide—Describes the process of upgrading your
PGP Universal Server.
PGP Universal Mail Policy Diagram—Provides a graphical representation of how
email is processed through mail policy. You can access this document via the PGP Universal Server online help.
You can also access all the documentation by clicking the online help icon in the upper-right corner of the PGP Universal Server screen.
PGP Universal Satellite for Windows and Mac OS X includes online help.
PGP Universal Server and PGP Satellite release notes are also provided, which may have last-minute information not found in the product documentation.
Getting Assistance
5 Introduction

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s support offerings include the following:
A range of support options that give you the flexibility to select the right amount
of service for any size organization
Telephone and/or Web-based support that provides rapid response and
up-to-the-minute information
Upgrade assurance that delivers software upgrades
6 Introduction
Getting Assistance
Global support purchased on a regional business hours or 24 hours a day, 7 days a
week basis
Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our Web site at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
Product release level
Hardware information
Available memory, disk space, and NIC information
Operating system
Version and patch level
Network topology
Router, gateway, and IP address information
Problem description:
Error messages and log files
Troubleshooting that was performed before contacting Symantec
Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the following types of issues:
Questions regarding product licensing or serialization
Product registration updates, such as address or name changes
General product information (features, language availability, local dealers)
Latest information about product updates and upgrades
Information about upgrade assurance and support contracts
Information about the Symantec Buying Programs
Advice about Symantec's technical support options
Nontechnical presales questions
Issues that are related to CD-ROMs or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
Getting Assistance
7 Introduction
Asia-Pacific and Japan customercare_apac@symantec.com
Europe, Middle-East, Africa
North America, Latin America
semea@symantec.com
supportsolutions@symantec.com

The Big Picture

2
This chapter describes some important terms and concepts and gives you a high-level overview of the things you need to do to set up and maintain your PGP Universal Server environment.

Important Terms

The following sections define important terms you will encounter throughout the PGP Universal Server and this documentation.

PGP Products

PGP Universal Server: A device you add to your network that provides secure
messaging with little or no user interaction. The PGP Universal Server automatically creates and maintains a security architecture by monitoring authenticated users and their email traffic. You can also send protected messages to addresses that are not part of the security architecture.
PGP Global Directory: A free, public keyserver hosted by Symantec
Corporation. The PGP Global Directory provides quick and easy access to the universe of PGP keys. It uses next-generation keyserver technology that queries the email address on a key (to verify that the owner of the email address wants their key posted) and lets users manage their own keys. Using the PGP Global Directory significantly enhances your chances of finding a valid public key of someone to whom you want to send secured messages.
For external users without encryption keys, PGP Universal Server offers multiple secure delivery options, leveraging third-party software that is already installed on typical computer systems, such as a web browser or Adobe Acrobat Reader. For email recipients who do not have an encryption solution, you can use of of the following secure delivery options from PGP Universal Server:
PGP Universal Satellite: The PGP Universal Satellite software resides on the
computer of the email user. It allows email to be encrypted end to end, all the way to and from the desktop (for both internal and external users). Using PGP Universal Satellite is one of the ways for external users to participate in the SMSA. It also allows users the option of controlling their keys on their local computers (if allowed by the administrator).
PGP Universal Web Messenger: The PGP Universal Web Messenger service
allows an external user to securely read a message from an internal user before the external user has a relationship with the SMSA. If PGP Universal Web Messenger is available via mail policy for a user and the recipient’s key cannot be found, the message is stored on the PGP Universal Server and an unprotected message is sent to the recipient. The unprotected message includes a link to the original message, held on the PGP Universal Server. The recipient must create a passphrase, and then can access his encrypted messages stored on PGP Universal Server.
10 The Big Picture
Important Terms
PDF Messenger: PDF Messenger enables sending encrypted PDF messages to
external users who do not have a relationship with the SMSA. In the normal mode, as with PGP Universal Web Messenger, the user receives a message with a link to the encrypted message location and uses a PGP Universal Web Messenger passphrase to access the message. PDF Messenger also provides Certified Delivery, which encrypts the message to a one-time passphrase, and creates and logs a delivery receipt when the user retrieves the passphrase.
PGP Desktop: A client software tool that uses cryptography to protect your data
against unauthorized access. PGP Desktop is available for Mac OS X and Windows.
PGP Whole Disk Encryption: Whole Disk Encryption is a feature of PGP
Desktop that encrypts your entire hard drive or partition (on Windows systems), including your boot record, thus protecting all your files when you are not using them.
PGP NetShare: A feature of PGP Desktop for Windows with which you can
securely and transparently share files and folders among selected individuals. PGP NetShare users can protect their files and folders simply by placing them within a folder that is designated as protected.
PGP Virtual Disk: PGP Virtual Disk volumes are a feature of PGP Desktop
that let you use part of your hard drive space as an encrypted virtual disk. You can protect a PGP Virtual Disk volume with a key or a passphrase. You can also create additional users for a volume, so that people you authorize can also access the volume.
PGP Zip: A feature of PGP Desktop that lets you put any combination of files
and folders into a single encrypted, compressed package for convenient transport or backup. You can encrypt a PGP Zip archive to a PGP key or to a passphrase.
PGP Portable: A separately-licensed feature that enables you to send encrypted
files to users who do not have PGP Desktop software, and to transport files securely to systems that do not or cannot have PGP software installed.

PGP Universal Server Concepts

keys.<domain> convention: PGP Universal Server automatically looks for valid
public keys for email recipients at a special hostname, if no valid public key is found locally to secure a message. This hostname is keys.<domain> (where <domain> is the email domain of the recipient). For example, Example Corporation’s externally visible PGP Universal Server is named keys.example.com.
Symantec Corporation strongly recommends you name your externally visible PGP Universal Server according to this convention because it allows other PGP Universal Servers to easily find valid public keys for email recipients in your domain.
For more information, see Naming your PGP Universal Server (see " your PGP Universal Server" on page
Security Architecture: Behind the scenes, the PGP Universal Server creates and
manages its own security architecture for the users whose email domain it is securing. Because the security architecture is created and managed automatically, we call this a self-managing security architecture (SMSA).
About Naming
23).

PGP Universal Server Features

Administrative Interface: Each PGP Universal Server is controlled via a
Web-based administrative interface. The administrative interface gives you control over PGP Universal Server. While many settings are initially established using the web-based Setup Assistant, all settings of a PGP Universal Server can be controlled via the administrative interface.
Backup and Restore: Because full backups of the data stored on your PGP
Universal Server are critical in a natural disaster or other unanticipated loss of data or hardware, you can schedule automatic backups of your PGP Universal Server data or manually perform a backup.
You can fully restore a PGP Universal Server from a backup. In the event of a minor problem, you can restore the PGP Universal Server to any saved backup. In the event that a PGP Universal Server is no longer usable, you can restore its data from a backup onto a new PGP Universal Server during initial setup of the new PGP Universal Server using the Setup Assistant. All backups are encrypted to the Organization Key and can be stored securely off the PGP Universal Server.
Cluster: When you have two or more PGP Universal Servers in your network, you
configure them to synchronize with each other; this is called a “cluster.”
Dictionary: Dictionaries are lists of terms to be matched. The dictionaries work
with mail policy to allow you to define content lists that can trigger rules.
Directory Synchronization: If you have LDAP directories in your organization,
your PGP Universal Server can be synchronized with the directories. The PGP Universal Server automatically imports user information from the directories when users send and receive email; it also creates internal user accounts for them, including adding and using X.509 certificates if they are contained in the LDAP directories.
Ignition Keys: You can protect the contents of a PGP Universal Server, even if the
hardware is stolen, by requiring the use of a hardware token or a software passphrase, or both, on start.
Keyserver: Each PGP Universal Server includes an integrated keyserver populated
with the public keys of your internal users. When an external user sends a message to an internal user, the external PGP Universal Server goes to the keyserver to find the public key of the recipient to use to secure the message. The PGP Universal Server administrator can enable or disable the service, and control access to it via the administrative interface.
Learn Mode: When you finish configuring a PGP Universal Server using the Setup
Assistant, it begins in Learn Mode, where the PGP Universal Server sends messages through mail policy without taking any action on the messages, and does not encrypt or sign any messages.
Learn Mode gives the PGP Universal Server a chance to build its SMSA (creating keys for authenticated users, for example) so that when when Learn Mode is turned off, the PGP Universal Server can immediately begin securing messages. It is also an excellent way for administrators to learn about the product.
You should check the logs of the PGP Universal Server while it is in Learn Mode to see what it would be doing to email traffic if it were live on your network. You can make changes to the PGP Universal Server’s policies while it is in Learn Mode until things are working as expected.
Important Terms
11 The Big Picture
12 The Big Picture
Important Terms
Mail Policy: The PGP Universal Server processes email messages based on the
policies you establish. Mail policy applies to inbound and outbound email processed by both PGP Universal Server and client software. Mail policy consists of multiple policy chains, comprised of sequential mail processing rules.
Organization Certificate: You must create or obtain an Organization Certificate to
enable S/MIME support by PGP Universal Server. The Organization Certificate signs all X.509 certificates the server creates.
Organization Key: The Setup Assistant automatically creates an Organization Key
(actually a keypair) when it configures a PGP Universal Server. The Organization Key is used to sign all PGP keys the PGP Universal Server creates and to encrypt PGP Universal Server backups.
Caution: It is extremely important to back up your Organization Key: all keys the
PGP Universal Server creates are signed by the Organization Key, and all backups are encrypted to the Organization Key. If you lose your Organization Key and have not backed it up, the signatures on those keys are meaningless and you cannot restore from backups encrypted to the Organization Key.
PGP Verified Directory: The PGP Verified Directory supplements the internal
keyserver by letting internal and external users manage the publishing of their own public keys. The PGP Verified Directory also serves as a replacement for the PGP Keyserver product. The PGP Verified Directory uses next-generation keyserver technology to ensure that the keys in the directory can be trusted.
Server Placement: A PGP Universal Server can be placed in one of two locations in
your network to process email.
With an internal placement, the PGP Universal Server logically sits between your email users and your mail server. It encrypts and signs outgoing SMTP email and decrypts and verifies incoming mail being picked up by email clients using POP or IMAP. Email stored on your mail server is stored secured (encrypted).
With a gateway placement, the PGP Universal Server logically sits between your mail server and the Internet. It encrypts and signs outgoing SMTP email and decrypts and verifies incoming SMTP email. Email stored on your mail server is stored unsecured.
For more information, see Configuring Mail Proxies (on page Universal Server Installation Guide.
Setup Assistant: When you attempt to log in for the first time to the
administrative interface of a PGP Universal Server, the Setup Assistant takes you through the configuration of that PGP Universal Server.
Group Key: A server-managed keypair shared by a group of users. A Group Key is
assigned to a group based on membership in an Active Directory security group. This allows membership in the Active Directory security group to be modified without affecting the metadata associated with the protected data. To create a Group Key, the Directory Synchronization feature must be enabled and synchronized with an Active Directory database.
147) and the PGP

PGP Universal Server User Types

Administrators: Any user who manages the PGP Universal Server and its security
configuration from inside the internal network.

Installation Overview

Only administrators are allowed to access the administrative interface that controls PGP Universal Server. A PGP Universal Server supports multiple administrators, each of which can be assigned a different authority: from read-only access to full control over every feature and function.
Consumers: Internal, external, and Verified Directory users, and devices.
External Users: External users are email users from other domains (domains
not being managed by your PGP Universal Server) who have been added to the SMSA.
Internal Users: Internal users are email users from the domains being
managed by your PGP Universal Server.
PGP Universal Server allows you to manage PGP Desktop deployments to your internal users. The administrator can control which PGP Desktop features are automatically implemented at install, and establish and update security policy for PGP Desktop users that those users cannot override (except on the side of being more secure).
PGP Verified Directory Users: Internal and external users who have
submitted their public keys to the PGP Verified Directory, a Web-accessible keyserver.
Devices: Managed devices, WDE computers, and WDE disks. Managed
devices are arbitrary objects whose keys are managed by PGP Universal Server. WDE computers, and WDE disks are devices that are detected when users enroll.
Other Email Users: Users within your organization can securely send email to
recipients outside the SMSA.
First, the PGP Universal Server attempts to find a key for the recipient. If that fails, there are four fallback options, all controlled by mail policy: bounce the message back to the sender (so it is not sent unencrypted), send unencrypted, Smart Trailer, and PGP Universal Web Messenger mail.
Smart Trailer sends the message unencrypted and adds text giving the recipient the option of joining the SMSA by installing PGP Universal Satellite, using an existing key or certificate, or using PGP Universal Web Messenger. PGP Universal Web Messenger lets the recipient securely read the message on a secure website; it also gives the recipient options for handling subsequent messages from the same domain: read the messages on a secure website using a passphrase they establish, install PGP Universal Satellite, or add an existing key or certificate to the SMSA.
13 The Big Picture
Installation Overview
The following steps are a broad overview of what it takes to plan, set up, and maintain your PGP Universal Server environment.
Most of the steps described here are described in detail in later chapters. Steps 1 and 4 are described in the PGP Universal Server Installation Guide. Note that these steps apply to the installation of a new, stand-alone PGP Universal Server.
If you plan to install a cluster, you must install and configure one PGP Universal Server following the steps outlined here. Subsequent cluster members will get most of their configuration settings from the initial server by replication.
The steps to install and configure a PGP Universal Server are as follows:
14 The Big Picture
Installation Overview
1 Plan where in your network you want to locate your PGP Universal Server(s).
Where you put PGP Universal Servers in your network, how many PGP Universal Servers you have in your network, and other factors all have a major impact on how you add them to your existing network.
Create a diagram of your network that includes all network components and shows how email flows; this diagram details how adding a PGP Universal Server impacts your network.
For more information on planning how to add PGP Universal Servers to your existing network, see Adding the PGP Universal Server to Your Network in the PGP Universal Server Installation Guide.
2 Perform necessary DNS changes.
Add IP addresses for your PGP Universal Servers, an alias to your keyserver, update the MX record if necessary, add keys.<domain>, hostnames of potential Secondary servers for a cluster, and so on.
Properly configured DNS settings (including root servers and appropriate reverse lookup records) are required to support PGP Universal Server. Make sure both host and pointer records are correct. IP addresses must be resolvable to hostnames, as well as hostnames resolvable to IP addresses.
3 Prepare a hardware token Ignition Key.
If you want to add a hardware token Ignition Key during setup, install the drivers and configure the token before you begin the PGP Universal Server setup process. See Protecting PGP Universal Server with Ignition Keys (on page
25) for
information on how to prepare a hardware token Ignition Key.
Note: In a cluster, the Ignition Key configured on the first PGP Universal Server
in the cluster will also apply to the subsequent members of the cluster.
4 Install and configure this PGP Universal Server.
The Setup Assistant runs automatically when you first access the administrative interface for the PGP Universal Server. The Setup Assistant is where you can set or confirm a number of basic settings such as your network settings, administrator password, server placement option, mail server address and so on. The details of this process are described in Setting Up the PGP Universal Server in the PGP Universal Server Installation Guide.
Note: If you plan to configure multiple servers as a cluster, you must configure
one server first in the normal manner, then add the additional servers as cluster members. You can do this through the Setup Assistant when you install a server that will join an existing cluster, or you can do this through the PGP Universal Server administrative interface. For more information see Cluster Member Configuration in the PGP Universal Server Installation Guide.
5 License your server.
You cannot take a PGP Universal Server out of Learn Mode or install updates until the product is licensed. Once it is licensed, you should check for product updates and install them if found. For more information, see Licensing Your Software (on
35).
page
Loading...
+ 355 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use