PGP Universal Server 3.0.1 Installation guide

Type
Installation guide
PGP Universalâ„¢ Server
Installation Guide
Version Information
PGP Universal Server Installation Guide. PGP Universal Server Version 3.0.1. Released June 2010.
Copyright Information
Copyright © 1991-2010 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any
means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.
Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of
Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant
Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a
registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered
trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and
Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple
Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm,
implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a
license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block
Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP
Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would
like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support (
https://support.pgp.com). PGP Corporation
may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or
documentation does not give you any license to these patents.
Acknowledgments
This product includes or may include:
-- The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation,
developed by zlib (
http://www.zlib.net). -- Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted
under the MIT License found at
http://www.opensource.org/licenses/mit-license.html. Copyright © 2007 by the Open Source Initiative. -- bzip2 1.0, a
freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005. -- Application server (
http://jakarta.apache.org/), web
server (
http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse
HTML, developed by the Apache Software Foundation. The license is at
www.apache.org/licenses/LICENSE-2.0.txt. -- Castor, an open-source, data-
binding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group
under an Apache 2.0-style license, available at
http://www.castor.org/license.html. -- Xalan, an open-source software library from the Apache Software
Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software
License, version 1.1, available at
http://xml.apache.org/xalan-j/#license1.1. -- Apache Axis is an implementation of the SOAP ("Simple Object Access
Protocol") used for communications between various PGP products is provided under the Apache license found at
http://www.apache.org/licenses/LICENSE-2.0.txt. -- mx4j, an open-source implementation of the Java Management Extensions (JMX), is released
under an Apache-style license, available at
http://mx4j.sourceforge.net/docs/ch01s06.html. -- jpeglib version 6a is based in part on the work of the
Independent JPEG Group. (
http://www.ijg.org/) -- libxslt the XSLT C library developed for the GNOME project and used for XML transformations is
distributed under the MIT License
http://www.opensource.org/licenses/mit-license.html. -- PCRE Perl regular expression compiler, copyrighted and
distributed by University of Cambridge. ©1997-2006. The license agreement is at
http://www.pcre.org/license.txt. -- BIND Balanced Binary Tree Library
and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (
http://www.isc.org) -- Free BSD
implementation of daemon developed by The FreeBSD Project, © 1994-2006. -- Simple Network Management Protocol Library developed and
copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001- 2003, Cambridge Broadband Ltd. ©
2001- 2003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and
Telecommunications, © 2004. The license agreement for these is at
http://net-snmp.sourceforge.net/about/license.html. -- NTP version 4.2 developed
by Network Time Protocol and copyrighted to various contributors. -- Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP
Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The
OpenLDAP Foundation. The license agreement is at
http://www.openldap.org/software/release/license.html. Secure shell OpenSSH developed by
OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at
http://www.openbsd.org/cgi-
bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. -- PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released
under the BSD license. -- Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at
http://www.opensource.org/licenses/ibmpl.php. -- PostgreSQL, a free software object-relational database management system, is released under a
BSD-style license, available at
http://www.postgresql.org/about/licence. -- PostgreSQL JDBC driver, a free Java program used to connect to a
PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a
BSD-style license, available at
http://jdbc.postgresql.org/license.html. -- PostgreSQL Regular Expression Library, a free software object-relational
database management system, is released under a BSD-style license, available at
http://www.postgresql.org/about/licence. -- 21.vixie-cron is the Vixie
version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission. -
- JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the
GNU Library General Public License (LGPL) available at
http://www.jacorb.org/lgpl.html. Copyright © 2006 The JacORB Project. -- TAO (The ACE ORB)
is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and
the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and
Vanderbilt University. The open source software license is available at
http://www.cs.wustl.edu/~schmidt/ACE-copying.html. -- libcURL, a library for
downloading files via common network services, is open source software provided under a MIT/X derivate license available at
http://curl.haxx.se/docs/copyright.html. Copyright (c) 1996 - 2007, Daniel Stenberg. -- libuuid, a library used to generate unique identifiers, is released
under a BSD-style license, available at
http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright (C) 1996, 1997 Theodore Ts'o. --
libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at
http://directory.fsf.org/libs/COPYING.DOC. Copyright © 2000-2003 Free Software Foundation, Inc. -- gSOAP, a development tool for Windows clients
to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the gSOAP Public License version 1.3b, available at
http://www.cs.fsu.edu/~engelen/license.html. -- Windows Template Library (WTL) is used for developing user interface components and is distributed
under the Common Public License v1.0 found at
http://opensource.org/licenses/cpl1.0.php. -- The Perl Kit provides several independent utilities used to
automate a variety of maintenance functions and is provided under the Perl Artistic License, found at
http://www.perl.com/pub/a/language/misc/Artistic.html. -- rEFIt - libeg, provides a graphical interface library for EFI, including image rendering, text
rendering, and alpha blending, and is distributed under the license found at
http://refit.svn.sourceforge.net/viewvc/*checkout*/refit/trunk/refit/LICENSE.txt?revision=288. Copyright (c) 2006 Christoph Pfisterer. All rights
reserved. -- Java Radius Client, used to authenticate PGP Universal Web Messenger users via Radius, is distributed under the Lesser General Public
License (LGPL) found at
http://www.gnu.org/licenses/lgpl.html. -- Yahoo! User Interface (YUI) library version 2.5.2, a Web UI interface library for AJAX.
Copyright (c) 2009, Yahoo! Inc. All rights reserved. Released under a BSD-style license, available at
http://developer.yahoo.com/yui/license.html. --
JSON-lib version 2.2.1, a Java library used to convert Java objects to JSON (JavaScript Object Notation) objects for AJAX. Distributed under the
Apache 2.0 license, available at
http://json-lib.sourceforge.net/license.html. -- EZMorph, used by JSON-lib, is distributed under the Apache 2.0 license,
available at
http://ezmorph.sourceforge.net/license.html. -- Apache Commons Lang, used by JSON-lib, is distributed under the Apache 2.0 license,
available at
http://commons.apache.org/license.html. -- Apache Commons BeanUtils, used by JSON-lib, is distributed under the Apache 2.0 license,
available at
http://commons.apache.org/license.html. -- SimpleIni is an .ini format file parser and provides the ability to read and write .ini files, a
common configuration file format used on Windows, on other platforms. Distributed under the MIT License found at
http://www.opensource.org/licenses/mit-license.html. Copyright 2006-2008, Brodie Thiesfield. -- uSTL provides a small fast implementation of common
Standard Template Library functions and data structures and is distributed under the MIT License found at
http://www.opensource.org/licenses/mit-
license.html. Copyright (c) 2005-2009 by Mike Sharov <[email protected]ceforge.net>. -- Protocol Buffers (protobuf), Google's data interchange
format, are used to serialize structure data in the PGP SDK. Distributed under the BSD license found at
http://www.opensource.org/licenses/bsd-
license.php. Copyright 2008 Google Inc. All rights reserved.
Additional acknowledgements and legal notices are included as part of the PGP Universal Server.
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau
of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided
with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets
your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be
made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.
Unsupported Third Party Products
By utilizing third party products, software, drivers, or other components ("Unsupported Third Party Product") to interact with the PGP software and/or by
utilizing any associated PGP command or code provided by to you by PGP at its sole discretion to interact with the Unsupported Third Party Product
("PGP Third Party Commands"), you acknowledge that the PGP software has not been designed for or formally tested with the Unsupported Third Party
Product, and therefore PGP provides no support or warranties with respect to the PGP Third Party Commands or the PGP software's compatibility with
Unsupported Third Party Products. THE PGP THIRD PARTY COMMANDS ARE PROVIDED "AS IS," WITH ALL FAULTS, AND THE ENTIRE RISK AS TO
SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE
LAW, PGP DISCLAIMS ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS, WHETHER EXPRESS OR IMPLIED, INCLUDING ANY
WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NONINFRINGEMENT, QUIET
ENJOYMENT, AND ACCURACY WITH RESPECT TO THE PGP THIRD PARTY COMMANDS OR THE PGP SOFTWARE'S COMPATIBILITY WITH THE
UNSUPPORTED THIRD PARTY PRODUCT.
4
1
Contents
Introduction
What is PGP Universal Server? 1
PGP Universal Server Product Family 2
Who Should Read This Guide 2
Common Criteria Environments 2
Using the PGP Universal Server with the Command Line 3
Symbols 3
Getting Assistance 3
Getting product information 4
Contact Information 4
Adding the PGP Universal Server to Your Network 7
Server Placement 7
Gateway Placement 7
Internal Placement 8
Using a Mail Relay 9
Microsoft Exchange Server 10
Lotus Domino Server 10
Installation Overview 10
Open Ports 17
TCP Ports 17
UDP Ports 19
Naming your PGP Universal Server
21
Considering a Name for Your PGP Universal Server 21
Methods for Naming a PGP Universal Server 22
Installing the PGP Universal Server
23
About Installation 23
System Requirements 24
Installing on a VMWare ESX Virtual Machine 24
VMWare Tools Installation for PGP Universal Server 25
Installation Materials 26
Installation Options 26
Default Installation Procedure 27
Performing a Media Verification on your DVD 29
Alternate Installation Procedures 29
i
PGP Universalâ„¢ Server Contents
Preparing for Setup after pgp Install 30
Hardware 31
System Information 31
Connect to the PGP Universal Server 31
Setting Up the PGP Universal Server 33
About the Setup Assistant 33
Initial Configuration with Setup Assistant 34
Configuring a New Installation 36
Configuring a Cluster Member 39
Restoring From a Server Backup 41
Migrating the Keys from a PGP Keyserver 41
Configuration Examples 43
Internal Placement Configuration 43
Gateway Placement Configuration 44
Non-mailstream Placement Configuration 45
Cluster Configuration 46
Clustered Proxy and Keyserver Configuration 47
Gateway Cluster with Load Balancer 49
Gateway and Internal Placement Cluster 50
Encircled Configuration 52
Large Enterprise Configuration 53
Spam Filters and PGP Universal Server 54
Exchange with PGP Client Software 55
Lotus Domino Server with PGP Client Software 56
Unsupported Configurations 56
Multiple Gateway–Placed Servers 56
ii
1
Introduction
This book describes some important PGP Universal
â„¢
Server concepts and gives
you a high-level overview of the things you need to do to set up and use PGP
Universal Server.
This book provides information about how your PGP Universal Server processes
email, to help you decide how to integrate your PGP Universal Servers into your
existing network.
It lists system requirements, provides an overview of the installation process,
and provides step-by-step instructions on how to install the software. It also
includes information about using Microsoft
®
Exchange Server and Lotus
®
Domino
®
Server with PGP Universal Satellite.
What is PGP Universal Server?
PGP Universal Server is a single console for managing the applications that
provide email, disk, and network file encryption.
PGP Universal Server with PGP Universal Gateway Email gives you secure
messaging: it transparently protects your enterprise messages with little or no
user interaction.
The PGP Universal Server also replaces the PGP Keyserver product with a built-
in keyserver, and the PGP Admin product with PGP Desktop configuration and
deployment capabilities.
PGP Universal Server automatically creates and maintains a Self-Managing
Security Architecture (SMSA) by monitoring authenticated users and their email
traffic. You can also send protected messages to addresses that are not part of
the SMSA. The PGP Universal Server encrypts, decrypts, signs, and verifies
messages automatically, providing strong security through policies you control.
PGP Universal Satellite, a client-side feature of PGP Universal Server, extends
PGP security for email messages all the way to the computer of the email user,
it allows external users to become part of the SMSA, and it gives end users the
option to create and manage their keys on their own computer (if allowed by
the PGP administrator).
PGP Desktop, a client product, is created and managed through PGP Universal
Server policy. It creates PGP keypairs and can manage user keypairs as well as
store the public keys of others. It encrypts user email and instant messaging
(IM). It can encrypt entire or partial hard drives. It also enables secure file
sharing with others over a network.
1
PGP Universalâ„¢ Server Introduction
PGP Universal Server Product Family
PGP Universal Server functions as a management console for a variety of
encryption solutions. You can purchase any of the PGP Desktop applications or
bundles and use PGP Universal Server to create and manage client installations.
You can also purchase a license that enables PGP Gateway Email to encrypt
email in the mailstream.
The PGP Universal Server can manage any combination of PGP encryption
applications. PGP encryption applications are:
 PGP Universal Gateway Email provides automatic email encryption in the
gateway, based on centralized mail policy. This product requires
administration by the PGP Universal Server.
 PGP Desktop Email provides encryption at the desktop for mail, files, and
AOL Instant Messenger traffic. This product can be managed by the PGP
Universal Server.
 PGP Whole Disk Encryption provides encryption at the desktop for an
entire disk. This product can be managed by the PGP Universal Server.
 PGP NetShare provides transparent file encryption and sharing among
desktops. This product can be managed by the PGP Universal Server.
Who Should Read This Guide
This Installation Guide is for the person or persons who will be installing the
software for your organization’s PGP Universal Server environment. These are
the PGP administrators.
Common Criteria Environments
To be Common Criteria compliant, please refer to the best practices shown in
PGP Universal Server 2.9 Common Criteria Supplemental. Note that these best
practices supersede recommendations made elsewhere in this and other
documentation.
2
PGP Universalâ„¢ Server Introduction
Using the PGP Universal Server with the Command Line
Using the PGP Universal Server command line for read-only access (such as to
view settings, services, logs, processes, disk space, query the database, etc) is
supported. However, performing configuration modifications via the command
line voids your PGP Support agreement unless these procedures are followed.
Any changes made to the PGP Universal Server via the command line must be:
 Authorized in writing by PGP Support.
 Implemented by a PGP Partner, reseller or internal employee who is
certified in the PGP Advanced Administration and Deployment Training.
 Summarized and documented in a text file in
/var/lib/ovid/customization on the PGP Universal Server itself.
Changes made through the command line might not persist through reboots
and might be incompatible with future releases. PGP Support can require
reverting any custom configurations on the PGP Universal Server back to a
default state when troubleshooting new issues.
Symbols
Notes, Cautions, and Warnings are used in the following ways.
Note: Notes are extra, but important, information. A Note calls your attention
to important aspects of the product. You can use the product better if you
read the Notes.
Caution: Cautions indicate the possibility of loss of data or a minor security
breach. A Caution tells you about a situation where problems can occur
unless precautions are taken. Pay attention to Cautions.
Warning: Warnings indicate the possibility of significant data loss or a major
security breach. A Warning means serious problems will occur unless you
take the appropriate action. Please take Warnings very seriously.
Getting Assistance
For additional resources, see these sections.
3
PGP Universalâ„¢ Server Introduction
Getting product information
The following documents and online help are companions to the PGP Universal
Server Administrator’s Guide. This guide occasionally refers to information that
can be found in one or more of these sources:
 Online help is installed and is available within the PGP Universal Server
product.
 PGP Universal Server Installation Guide—Describes how to install the
PGP Universal Server software.
 PGP Universal Server Upgrade Guide—Describes the process of
upgrading your PGP Universal Server.
 PGP Universal Mail Policy Diagram—Provides a graphical representation
of how email is processed through mail policy. You can access this
document via the PGP Universal Server online help.
 Tutorials—Provides animated introductions on how to manage the mail
policy feature in PGP Universal Server 2.5 and later, and how upgraded
PGP Universal Server settings migrate into the new mail policy feature.
You can also access all the documentation and tutorials by clicking the
online help icon in the upper-right corner of the PGP Universal Server
screen.
 PGP Universal Satellite for Windows and Mac OS X include online help.
 PGP Universal Server and PGP Satellite release notes are also provided,
which may have last-minute information not found in the product
documentation.
The documentation, provided as Adobe Acrobat PDF files, are available on the
Documentation (
https://pgp.custhelp.com/app/docs) section on the PGP Support
Portal.
Once PGP Universal Server is released, additional information regarding the
product is added to the online Knowledge Base available on PGP Corporation’s
Support Portal (
https://support.pgp.com).
Contact Information
Contacting Technical Support
 To learn about PGP support options and how to contact PGP Technical
Support, please visit the PGP Corporation Support Home Page
(
https://support.pgp.com).
4
PGP Universalâ„¢ Server Introduction
 To access the PGP Support Knowledge Base or request PGP Technical
Support, please visit PGP Support Portal Web Site
(
https://support.pgp.com). Note that you may access portions of the
PGP Support Knowledge Base without a support agreement;
however, you must have a valid support agreement to request
Technical Support.
 To access the PGP Support forums, please visit PGP Support
(
http://forum.pgp.com). These are user community support forums hosted
by PGP Corporation.
Contacting Customer Service
 For help with orders, downloads, and licensing, please visit PGP
Corporation Customer Service (
https://pgp.custhelp.com/app/cshome).
Contacting Other Departments
 For any other contacts at PGP Corporation, please visit the PGP Contacts
Page (
http://www.pgp.com/about_pgp_corporation/contact/index.html).
 For general information about PGP Corporation, please visit the PGP Web
Site (
http://www.pgp.com).
5
2
Adding the PGP Universal
Server to Your Network
This chapter provides information about how your PGP Universal Server
processes email, to help you decide how to integrate your PGP Universal
Servers into your existing network. It also includes information about using
Microsoft Exchange Server and Lotus Domino Server with PGP Universal
Satellite.
These topics are covered in the following sections.
Server Placement
A PGP Universal Server can be placed in your network in either of two locations
in the logical flow of data:
 Internal placement. The PGP Universal Server is located between your
email users and their local mail server in the logical flow of data.
 Gateway placement. The PGP Universal Server is located between your
external facing mail server and the Internet in the logical flow of data.
Caution: The PGP Universal Server must not be behind a proxy server,
unless it is a transparent proxy, to receive licensing and update information
automatically. This is true for both gateway and internal placement.
Gateway Placement
With a gateway placement, your PGP Universal Server sits between your mail
server and the Internet in the logical flow of data.
7
PGP Universalâ„¢ Server Adding the PGP Universal Server to Your Network
1
PGP Universal Server gateway placement
2
Example Corp. DMZ
3
External email user
4
Logical flow of data
5
Example Corp. internal network
6
Example Corp. email users
7
Example Corp. email server
Note: The physical location of the PGP Universal Server and the mail server
are not important. What is important is that, from a mail relay point of view,
the PGP Universal Server is between the mail server and the Internet. Both
can be on the internal network or in the DMZ.
With a gateway placement, email messages are secured before they are sent to
the Internet (on the way to their destination) and decrypted/verified when
received from the Internet, over SMTP in both cases.
Note: Email users on your internal network should not be allowed direct
access to a PGP Universal Server in gateway placement. PGP Universal
Server attempts to enforce this automatically based on your configuration.
Configure the mail server to verify From addresses if you intend to use the
signing features of PGP Universal Server.
With a gateway placement, messages are stored unsecured on the mail server
(unless PGP Universal Satellite is being used).
For PGP Universal Server to create the SMSA, you must make sure to correctly
configure your mail server when you are using PGP Universal Servers in
gateway placements.
Internal Placement
With an internal placement, your PGP Universal Server sits between your email
users and their email server in the logical flow of data.
8
PGP Universalâ„¢ Server Adding the PGP Universal Server to Your Network
1
PGP Universal Server internally placed
2
Example Corp. email server
3
Example Corp. DMZ
4
External email user
5
Logical flow of data
6
Example Corp. internal network
7
Example Corp. email users
Note: The physical location of the PGP Universal Server and the mail server
are not important. What is important is that, from a mail relay point of view,
the PGP Universal Server is between the email users and the mail server.
Both can be on the internal network or in the DMZ. From a performance
perspective, it is generally advisable to put them next to each other on the
same network.
With an internal placement of your PGP Universal Server, messages are
secured based on the applicable policies when they are sent to the mail server
using SMTP; they are decrypted and verified when they are retrieved from the
mail server using POP or IMAP.
With an internal placement, messages are stored secured on the mail server.
Messages are only transmitted unencrypted between the internal user and the
PGP Universal Server, then only if PGP Universal Satellite has not been
deployed globally to your internal users. If your mail server is configured for
SSL/TLS communications with the email client, the messages can be passed
through that encrypted channel thus maintaining encryption along the entire
path.
For PGP Universal Server to create the SMSA, email clients must have SMTP
authentication turned on when they are communicating with a PGP Universal
Server in an internal placement.
Using a Mail Relay
PGP Universal Server can forward outgoing email, after processing, to a central
mail gateway acting as a mail relay. Sites that use explicit mail routing can use
the mail relay feature to forward outgoing email to a mail relay that performs
this explicit routing.
You cannot configure the mail relay when you initially configure the server using
the Setup Assistant. Instead, you have to configure the server for gateway
placement, then use the administrative interface to configure the mail relay.
9
PGP Universalâ„¢ Server Adding the PGP Universal Server to Your Network
Configure the relay on the Outbound or Unified SMTP proxy. For more
information, see "Creating New or Editing Existing Proxies" in the PGP Universal
Server Administrator's Guide.
Microsoft Exchange Server
Messaging Application Programming Interface (MAPI) support is available for
Microsoft Exchange Server environments by using PGP Desktop or PGP
Universal Satellite for Windows. MAPI support is not available in PGP Universal
Satellite for Mac OS X because there are no MAPI email clients for Mac OS X.
For more information about using MAPI, see Exchange with PGP Client
Software (on page
55) and "MAPI Support" in the PGP Universal Server
Administrator's Guide.
Lotus Domino Server
Lotus Domino Servers and the Lotus Notes email client (versions 7.0.3 and
later) are supported in PGP Desktop and PGP Universal Satellite for Windows
®
.
For more information about using the Lotus Notes email client, see Lotus
Domino Server with PGP Client Software (on page
56) and "Lotus Notes
Support" in the PGP Universal Server Administrator's Guide.
Installation Overview
The following steps are a broad overview of what it takes to plan, set up, and
maintain your PGP Universal Server environment.
Steps 1 and 4 are described in detail in this book. The remaining tasks are
described in the PGP Universal Server Administrator's Guide.
Note that these steps apply to the installation of a new, stand-alone PGP
Universal Server. If you plan to install a cluster, you must install and configure
one PGP Universal Server following the steps outlined here. Subsequent cluster
members will receive most of their configuration settings from the initial PGP
Universal Server through data replication.
The steps to install and configure a PGP Universal Server are as follows:
1 Plan where in your network you want to locate your PGP Universal
Server(s).
Where you put PGP Universal Servers in your network, how many PGP
Universal Servers you have in your network, and other factors all have a
major impact on how you add them to your existing network.
10
PGP Universalâ„¢ Server Adding the PGP Universal Server to Your Network
Create a diagram of your network that includes all network components
and shows how email flows; this diagram details how adding a PGP
Universal Server impacts your network.
For more information on planning how to add PGP Universal Servers to
your existing network, see Adding the PGP Universal Server to Your
Network (on page
7).
2 Perform necessary DNS changes.
Add IP addresses for your PGP Universal Servers, an alias to your
keyserver, update the MX record if necessary, add keys.<domain>,
hostnames of potential Secondary servers for a cluster, and so on.
Properly configured DNS settings (including root servers and appropriate
reverse lookup records) are required to support PGP Universal Server.
Make sure both host and pointer records are correct. IP addresses must be
resolvable to hostnames, as well as hostnames resolvable to IP addresses.
3 Prepare a hardware token Ignition Key.
If you want to add a hardware token Ignition Key during setup, install the
drivers and configure the token before you begin the PGP Universal Server
setup process. See "Protecting PGP Universal Server with Ignition Keys" in
the PGP Universal Server Administrator's Guide for information on how to
prepare a hardware token Ignition Key.
Note: In a cluster, the Ignition Key configured on the first PGP Universal
Server in the cluster will also apply to the subsequent members of the
cluster.
4 Install and configure this PGP Universal Server.
The Setup Assistant runs automatically when you first access the
administrative interface for the PGP Universal Server. The Setup Assistant
is where you can set or confirm a number of basic settings such as your
network settings, administrator password, server placement option, mail
server address and so on. The details of this process are described in
Setting Up the PGP Universal Server (on page
33).
Note: If you plan to configure multiple servers as a cluster, you must
configure one server first in the normal manner, then add the additional
servers as cluster members. You can do this through the Setup Assistant
when you install a server that will join an existing cluster, or you can do
this through the PGP Universal Server administrative interface. For more
information see Cluster Member Configuration (UN Only) (see
"Configuring a Cluster Member" on page 39).
5 License your server.
You cannot take a PGP Universal Server out of Learn Mode or install
updates until the product is licensed. Once it is licensed, you should check
for product updates and install them if found.
11
PGP Universalâ„¢ Server Adding the PGP Universal Server to Your Network
If you want the PGP Universal Server to provide mail proxy services, you
must have a PGP Universal Server license with the mailstream feature
enabled. For more information, see "Licensing Your Software" in the PGP
Universal Server Administrator's Guide.
6 If you have a PGP key you want to use as your Organization Key with
PGP Universal Server, import it, then back it up.
Your Organization Key does two important things: it is used to sign all user
keys the PGP Universal Server creates and it is used to encrypt PGP
Universal Server backups. This key represents the identity of your
organization, and is the root of the Web-of-Trust for your users.
If your organization uses PGP Desktop and already has an Corporate Key or
Organization Key, and you want to use that key with PGP Universal Server,
you should import it as soon as you have configured your server, then
create a backup of the key.
If your organization does not have an existing key that you want to use as
your Organization Key, use the Organization Key the Setup Assistant
automatically creates with default values. For more information, see
"Managing Organization Keys" in the PGP Universal Server Administrator's
Guide.
No matter which key you use as your Organization Key, it is very important
to make a backup of the key. Since PGP Universal Server’s built-in back-up
feature always encrypts backups to this key, you need to provide a copy of
your Organization Key to restore your data.
For more information, see "Organization Certificate" in the PGP Universal
Server Administrator's Guide.
7 If you have a PGP Additional Decryption Key (ADK) that you want to
use with PGP Universal Server, add it.
An ADK is a way to recover an email message if the recipient is unable or
unwilling to do so; every message that is also encrypted to the ADK can be
opened by the holder(s) of the ADK. You cannot create an ADK with the
PGP Universal Server, but if you have an existing PGP ADK (generated by
PGP Desktop, an ideal scenario for a split key; refer to the PGP Desktop
User’s Guide for more information), you can add it to your PGP Universal
Server and use it. For more information, see "Additional Decryption Key
(ADK)" in the PGP Universal Server Administrator's Guide.
8 Create a SSL/TLS certificate or obtain a valid SSL/TLS certificate.
The Setup Assistant automatically creates a self-signed certificate for use
with SSL/TLS traffic. Because this certificate is self-signed, however, it
might not be trusted by email or Web browser clients. PGP Corporation
recommends that you obtain a valid SSL/TLS certificate for each of your
PGP Universal Servers from a reputable Certificate Authority.
This is especially important for PGP Universal Servers that are accessed
publicly. Older Web browsers might reject self-signed certificates or not
know how to handle them correctly when they encounter them via PGP
Universal Web Messenger or Smart Trailer.
12
PGP Universalâ„¢ Server Adding the PGP Universal Server to Your Network
For more information, see "Working with Certificates" in the PGP Universal
Server Administrator's Guide.
9 Configure the Directory Synchronization feature if you want to
synchronize an LDAP directory with your PGP Universal Server.
Using the Directory Synchronization feature gives you more control over
who is included in your SMSA, if you have an existing LDAP server.
By default, user enrollment is set to Email enrollment. If you elect to use
LDAP directory enrollment, it assumes that you have an LDAP directory
configured. You can change the client enrollment setting for Directory
Synchronization from the Directory Synchronization Settings page in the
PGP Universal Server administrative interface. You must have an LDAP
directory configured and Directory Synchronization enabled for LDAP user
enrollment to work.
For more information, see "Using Directory Synchronization to Manage
Users" in the PGP Universal Server Administrator's Guide.
10 Add trusted keys, configure consumer policy, and establish mail
policy.
All these settings are important for secure operation of PGP Universal
Server. For more information on adding trusted keys from outside the
SMSA, see "Managing Trusted Keys and Certificates" in the PGP Universal
Server Administrator's Guide. For more information about consumer policy
settings, see "Administering Consumer Policy." For information on setting
up mail policy, see "Setting Mail Policy."
Note: When setting policy for Consumers, PGP Universal Server provides
an option called Out of Mail Stream (OOMS) support. OOMS specifies
how the email gets transmitted from the client to the server when PGP
Desktop cannot find a key for the recipient and therefore cannot encrypt
the message.
OOMS is disabled by default. With OOMS disabled, sensitive messages
that can't be encrypted locally are sent to PGP Universal Server "in the
mail stream" like normal email. Importantly, this email is sent in the clear
(unencrypted). Mail or Network administrators could read these messages
by accessing the mail server's storage or monitoring network traffic.
However, archiving solutions, outbound anti-virus filters, or other systems
which monitor or proxy mail traffic will process these messages normally.
You can elect to enable OOMS, which means that sensitive messages
that can't be encrypted locally are sent to PGP Universal Server "out of
the mail stream." PGP Desktop creates a separate, encrypted network
connection to the PGP Universal Server to transmit the message.
However, archiving solutions, outbound anti-virus filters, or other systems
which monitor or proxy mail traffic will not see these messages.
13
PGP Universalâ„¢ Server Adding the PGP Universal Server to Your Network
During your configuration of your PGP Universal Server you should
determine the appropriate settings for your requirements. This option can
be set separately for each policy group, and is set through the Consumer
Policy settings. For more details on the effects of enabling or disabling
OOMS, see Out of Mail Stream Support in the PGP Universal Server
Administrator's Guide.
11 Install and configure additional cluster server members.
You can do this through the Setup Assistant when you install a server that
will join an existing cluster, or you can do this through the PGP Universal
Server administrative interface. Remember that you must configure one
server in the normal manner before you can add and configure additional
servers as cluster members. For more information, see "Clustering your
PGP Universal Servers" in the PGP Universal Server Administrator's Guide..
12 Reconfigure the settings of your email clients and servers, if
necessary.
Depending on how you are adding the PGP Universal Server to your
network, some setting changes might be necessary. For example, if you
are using a PGP Universal Server placed internally, the email clients must
have SMTP authentication turned on. For PGP Universal Servers placed
externally, you must configure your mail server to relay SMTP traffic to the
PGP Universal Server.
13 Enable SNMP Polling and Traps.
You can configure PGP Universal Server to allow network management
applications to monitor system information for the device on which PGP
Universal Server is installed and to send system and application information
to an external destination. For more information see "Configuring SNMP
Monitoring" in the PGP Universal Server Administrator's Guide.
14 Distribute PGP Universal Satellite and/or PGP Desktop to your
internal users, if appropriate.
If you want to provide seamless, end-to-end PGP message security without
the need for any user training, have them use PGP Universal Satellite.
Exchange/MAPI and Lotus Notes environments also require the use of PGP
Universal Satellite. PGP Desktop provides more features and user control
than PGP Universal Satellite. For more information, see "PGP Universal
Satellite" and "Configuring PGP Desktop Installations" in the PGP Universal
Server Administrator's Guide.
15 Analyze the data from Learn Mode.
In Learn Mode, your PGP Universal Server sends messages through mail
policy without actually taking action on the messages, decrypts and verifies
incoming messages when possible, and dynamically creates a SMSA. You
can see what the PGP Universal Server would have done without Learn
Mode by monitoring the system logs.
14
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63

PGP Universal Server 3.0.1 Installation guide

Type
Installation guide

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI