PGP Endpoint Operating instructions

PGP Endpoint Setup Guide
Version 4.3.0
User’s Guide
Version Information
PGP Endpoint Setup Guide. PGP Endpoint Version 4.3.0. Released: June 2008.
02_102_4.3.0.40
Copyright Information
Copyright © 1991–2008 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in
any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP
Corporation.
Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries.
IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a
registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are
trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or
registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business Machines
Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are
trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of
Apple Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective
owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128
encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-
commercial uses. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number
10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-
blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP Universal Server is
licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you
would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support
(http://www.pgp.com/support). PGP Corporation may have patents and/or pending patent applications covering subject matter in
this software or its documentation; the furnishing of this software or documentation does not give you any license to these
patents.
Acknowledgments
This product includes or may include:
• The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation, developed by zlib (http://www.zlib.net).
• Libxml2, the XML C parser and toolkit developed for the Gnome project, distributed and copyrighted under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright © 2007 by the Open Source Initiative.
• bzip2 1.0, a freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005.
• Application server (http://jakarta.apache.org/), web server (http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML, developed by the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt.
• Castor, an open-source databinding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html.
• Xalan, an open-source software library from the Apache Software Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1.
• Apache Axis, an implementation of SOAP ("Simple Object Access Protocol") used for communications between various PGP products, is provided under the Apache license found at http://www.apache.org/licenses/LICENSE-2.0.txt.
• mx4j, an open-source implementation of the Java Management Extensions (JMX), is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html.
• jpeglib version 6a is based in part on the work of the Independent JPEG Group (http://www.ijg.org/).
• libxslt, the XSLT C library developed for the GNOME project and used for XML transformations, is distributed under the MIT License, http://www.opensource.org/licenses/mit-license.html.
• PCRE version 4.5 Perl regular expression compiler, copyrighted and distributed by University of Cambridge, © 1997-2006. The license agreement is at http://www.pcre.org/license.txt.
• BIND Balanced Binary Tree Library and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org).
• Free BSD implementation of daemon developed by The FreeBSD Project, © 1994-2006.
• Simple Network Management Protocol Library developed and copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001-2003, Cambridge Broadband Ltd. © 2001-2003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, © 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/license.html.
• NTP version 4.2 developed by Network Time Protocol and copyrighted to various contributors.
• Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html.
• Secure shell OpenSSH version 4.2.1, developed by the OpenBSD project, is released by the OpenBSD Project under a BSD-style license, available at http://www.openbsd.org/cgibin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD.
• PC/SC Lite, a free implementation of PC/SC, a specification for SmartCard integration, is released under the BSD license.
• Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at http://www.opensource.org/licenses/ibmpl.php.
• PostgreSQL, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence.
• PostgreSQL JDBC driver, a free Java program used to connect to a PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a BSD-style license, available at http://jdbc.postgresql.org/license.html.
• PostgreSQL Regular Expression Library, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence.
• 21.vixie-cron is the Vixie version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission.
• JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL) available at http://www.jacorb.org/lgpl.html. Copyright © 2006 The JacORB Project.
• TAO (The ACE ORB) is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/~schmidt/ACE-copying.html.
• libcURL, a library for downloading files via common network services, is open source software provided under a MIT/X derivate license available at http://curl.haxx.se/docs/copyright.html. Copyright (c) 1996 - 2007, Daniel Stenberg.
• libuuid, a library used to generate unique identifiers, is released under a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright (C) 1996, 1997 Theodore Ts'o.
• libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at http://directory.fsf.org/libs/COPYING.DOC. Copyright © 2000-2003 Free Software Foundation, Inc.
• gSOAP, a development tool for Windows clients to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the GNU Public License, available at http://www.cs.fsu.edu/~engelen/soaplicense.html.
• Windows Template Library (WTL) is used for developing user interface components and is distributed under the Common Public License v1.0 found at http://opensource.org/licenses/cpl1.0.php.
• The Perl Kit provides several independent utilities used to automate a variety of maintenance functions and is provided under the Perl Artistic License, found at http://www.perl.com/pub/a/language/misc/Artistic.html.
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time
to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and re-export
of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User
License Agreement provided with the software. The information in this document is subject to change without notice. PGP
Corporation does not warrant that the information meets your requirements or that the information is free of errors. The
information may include technical inaccuracies or typographical errors. Changes may be made to the information and
incorporated in new editions of this document, if and when made available by PGP Corporation.
PGP Endpoint Setup Guide 4.3.0 1
Contents
About this guide ...................................................................................................... 5
Product relevance of each chapter ........................................................................................................... 6
Conventions ........................................................................................................................................ 6
Notational conventions .................................................................................................................... 6
Typographic conventions ................................................................................................................... 7
Getting Assistance ................................................................................................................................. 7
Getting product information .............................................................................................................. 7
Contacting Technical Support ............................................................................................................. 7
Chapter 1: Installing PGP Endpoint’s Components ............................................................ 9
PGP Endpoint architecture ..................................................................................................................... 9
To install PGP Endpoint products ............................................................................................................ 10
Ghost image deployment....................................................................................................................... 12
Transport Layer Security......................................................................................................................... 13
Using TLS for client-PGP Endpoint Application Server communication ........................................................ 13
Using TLS for the inter-PGP Endpoint Application Server communication ....................................................15
What is a digital certificate? ............................................................................................................. 16
What is a Certificate Authority? ......................................................................................................... 16
Chapter 2: Installing the PGP Endpoint Database .............................................................17
Choosing a SQL engine .......................................................................................................................... 17
Before you install ................................................................................................................................ 18
Stage 1: To install the SQL database engine ............................................................................................... 18
Stage 2: To install the PGP Endpoint Database ........................................................................................... 19
Database clustering .............................................................................................................................. 21
What is database clustering? ............................................................................................................. 21
Terminology .................................................................................................................................. 21
Requirements ............................................................................................................................... 22
To implement a database cluster ...................................................................................................... 22
Items created during the PGP Endpoint Database setup .............................................................................. 23
Chapter 3: Using the Key Pair Generator ....................................................................... 25
Introduction ...................................................................................................................................... 25
Starting the Key Pair Generator .............................................................................................................. 25
Generating a key pair .......................................................................................................................... 26
Deploying the key pair ......................................................................................................................... 26
Chapter 4: Installing the PGP Endpoint Application Server ................................................ 29
Before you install ................................................................................................................................ 29
To install the PGP Endpoint Application Server ........................................................................................... 31
Items created during the PGP Endpoint Application Server setup .................................................................. 38
Chapter 5: Installing the PGP Endpoint Management Console ............................................ 41
Before you install ................................................................................................................................ 41
To install the PGP Endpoint Management Console ...................................................................................... 41
Items created during PGP Endpoint Management Console setup ................................................................... 44
Chapter 6: Installing the PGP Endpoint Client on your endpoint computers .......................... 45
System requirements ........................................................................................................................... 45
Overall system requirements ............................................................................................................ 45
Client computer requirements .......................................................................................................... 46
To install PGP Endpoint Clients ............................................................................................................... 46
Unattended installation of the PGP Endpoint Client ................................................................................... 53
Uninstalling the PGP Endpoint Client ....................................................................................................... 53
Load balancing methods ...................................................................................................................... 54
What is load balancing ................................................................................................................... 54
How does round robin DNS work? .................................................................................................... 54
Advantages of DNS Round Robin ....................................................................................................... 55
Items created during the PGP Endpoint Client setup .................................................................................. 56
Chapter 7: The PGP Endpoint Authorization Service Tool .................................................... 57
What is the PGP Endpoint Authorization Service Tool? ................................................................................. 57
To install the PGP Endpoint Authorization Service Tool ................................................................................ 57
Configuring WSUS ............................................................................................................................... 60
Chapter 8: Unattended Client installation .................................................................... 63
What is an MSI file?............................................................................................................................. 64
Creating a Transform file (MST) for an existing MSI file ................................................................................ 64
Prerequisites for creating a PGP Endpoint Client Deployment Tool package ..................................................... 65
To install the PGP Endpoint Client Deployment Tool ................................................................................... 65
To install packages ............................................................................................................................. 66
To install the PGP Endpoint Client: MST file generation ............................................................................... 66
Using the PGP Endpoint Client Deployment Tool to install the PGP Endpoint Client ............................................ 72
Using the command line to install clients ................................................................................................. 78
Using Windows Group Policy to install clients ............................................................................................ 78
Querying the client status ..................................................................................................................... 81
PGP Endpoint Client Deployment Tool menus ............................................................................................82
Packages Menu ..............................................................................................................................82
Computers menu ........................................................................................................................... 83
Help menu .................................................................................................................................. 85
Context menus ............................................................................................................................. 85
The Options Screen ............................................................................................................................. 85
Chapter 9: Using the SXDomain Command line tool ......................................................... 87
Introduction ....................................................................................................................................... 87
The SXDomain parameters ..................................................................................................................... 87
Examples ..................................................................................................................................... 88
Scheduling domain synchronizations ..................................................................................................... 89
Chapter 10: Registering your PGP Endpoint product ......................................................... 91
Licensing ........................................................................................................................................... 91
Obtaining a license ......................................................................................................................... 91
License file location ........................................................................................................................ 92
License file format .......................................................................................................................... 92
License-related PGP Endpoint Application Server actions at start-up ............................................................. 93
License-related PGP Endpoint Application Server actions while running ........................................................ 93
License-related Client actions ............................................................................................................... 93
Appendix A: Detailed system requirements and limitations.............................................. 95
System requirements .......................................................................................................................... 95
PGP Endpoint Device Control ................................................................................................................. 96
Terminal services limitations ........................................................................................................... 96
The RunAs command limitations ....................................................................................................... 97
Appendix B: Registry keys ........................................................................................ 99
PGP Endpoint Application Server registry keys........................................................................................... 99
Database connection loss registry keys .............................................................................................. 99
Log insertion process registry keys .................................................................................................... 99
Debugging registry keys ................................................................................................................. 100
General registry keys ...................................................................................................................... 101
Security registry keys ..................................................................................................................... 101
PGP Endpoint Client registry keys .......................................................................................................... 104
Appendix C: Installing PGP Endpoint components on Windows XP SP2/2003 (SP1 or later) ........ 107
Connection between PGP Endpoint Application Server and the PGP Endpoint Database ..................................... 107
Connection between the PGP Endpoint Management Console and the PGP Endpoint Application Server .............. 108
Stage 1: Configuring a fixed port on the server ................................................................................... 108
Stage 2: Opening the port on the server firewall ................................................................................. 108
Connecting to the Server using the fixed port .................................................................................. 108
Connecting using the Endpoint Mapper ............................................................................................ 108
Summary .................................................................................................................................... 109
Connection between the PGP Endpoint Client Driver and the PGP Endpoint Application Server ............................ 110
Configuring the firewall ....................................................................................................................... 110
Appendix D: Opening firewall ports for client deployment ............................................... 113
To manually open the ports on a computer-by-computer basis ................................................................... 113
To open the ports on a computer-by-computer basis with a .bat file ............................................................ 114
To open the firewall ports via an Active Directory Group policy..................................................................... 114
To create the Group Policy (GPO): ...................................................................................................... 115
To improve security ....................................................................................................................... 116
Appendix E: Using the synchronization script for Novell ................................................... 117
Introduction ...................................................................................................................................... 117
What components are required? ............................................................................................................ 117
How does the Novell interface work? ..................................................................................................... 117
Synchronization script parameters ................................................................................................... 118
How to use Novell’s synchronization script .............................................................................................. 118
Script examples ................................................................................................................................. 119
What can go wrong and how do I fix it? ................................................................................................. 119
Installing your synchronization script ..................................................................................................... 120
Appendix F: Using Novell shares for your DataFileDirectory .............................................. 123
DataFileDirectory access to a Novell share ............................................................................................... 123
Transparent PGP Endpoint Application Server authentication for Novell eDirectory ........................................... 123
Appendix G: Installing a Certificate Authority for encryption and TLS Communication ............ 127
Requirements ....................................................................................................................................127
Integrating DNS with Active Directory .................................................................................................127
Installing the Certificate Services ........................................................................................................... 128
Checking certificates are correctly issued to the users ................................................................................ 130
Checking certificates are correctly issued to endpoint machines................................................................... 132
Appendix H: Importing file definitions during setup ...................................................... 133
Appendix I: Controlling administrative rights for PGP Endpoint’s administrators ................... 135
Ctrlacx.vbs ........................................................................................................................................ 135
Requirements .............................................................................................................................. 135
Usage ......................................................................................................................................... 135
Examples ................................................................................................................................. 136
What to do after running the script .................................................................................................. 136
Appendix J: Installation checklist ............................................................................... 139
Requirements ................................................................................................................................... 139
The PGP Endpoint Database ............................................................................................................ 139
The PGP Endpoint Application Server ................................................................................................. 140
The PGP Endpoint Management Console ............................................................................................ 140
PGP Endpoint Client ...................................................................................................................... 140
License ........................................................................................................................................141
Private and public keys ...................................................................................................................141
Data file directory ..........................................................................................................................141
SXS account ..................................................................................................................................141
Certificate Authority ...................................................................................................................... 142
Implementation actions ...................................................................................................................... 142
Installation checklist .......................................................................................................................... 143
Defining permissions in PGP Endpoint Device Control ................................................................................ 145
Appendix K: Installing PGP Endpoint Administration Server Terminal Services Edition ............ 147
Introducing PGP Endpoint Administration Server Terminal Services Edition ..................................................... 147
Installing the Server side components .................................................................................................... 147
Installing the PGP Endpoint Client Driver ................................................................................................. 148
The Installation Procedure ................................................................................................................... 148
Uninstalling the PGP Endpoint Client Driver ............................................................................................. 150
Appendix L: Installing PGP Endpoint in Windows XP embedded ........................................ 151
What is Windows XP embedded ............................................................................................................. 151
Thin Clients ........................................................................................................................................ 151
Available shells ............................................................................................................................ 152
What Windows XP Embedded does not include ........................................................................... 152
Installing PGP Endpoint in Windows XP embedded ................................................................................... 152
What server side components you need .......................................................................................... 152
What client components you need ................................................................................................ 152
Componentized the PGP Endpoint Client Driver ................................................................................... 154
Functionalities and devices supported by PGP Endpoint in Windows XP Embedded .......................................... 155
How to configure the client .................................................................................................................. 156
PGP Endpoint Application Server (SXS) ............................................................................................... 157
Encrypted Communications ............................................................................................................. 157
How to update policies .................................................................................................................. 157
Enhance Write Filter (EWF) ................................................................................................................... 159
PGP Endpoint Client Driver & EWF ..................................................................................................... 159
About this guide
4 PGP Endpoint Setup Guide 4.3.0
Minimum Requirements ..................................................................................................................... 160
Known Issues ................................................................................................................................... 160
Glossary ............................................................................................................... 161
Index of figures ..................................................................................................... 167
Index of tables ...................................................................................................... 171
Index ................................................................................................................... 173
About this guide
This guide explains in detail how to install all components of your PGP Endpoint solution. For a quick
introduction on how to test and understand the way PGP Endpoint works and protects your organization,
consult the PGP Endpoint Quick Setup Guide.
This guide contains the following chapters and appendices:
> Chapter 1: Installing PGP Endpoint’s Components shows you the basic PGP Endpoint architecture,
security tips, and guides you through the process of installing the PGP Endpoint components.
> Chapter 2: Installing the PGP Endpoint Database explains how to set up the database needed by PGP
Endpoint.
> Chapter 3: Using the Key Pair Generator explains how to generate public and private keys before you
deploy the PGP Endpoint Client to the machines you want to protect.
> Chapter 4: Installing the PGP Endpoint Administration Server explains how to set up the component that
serves as a link between the client driver and the database and/or the management console and the
database.
> Chapter 5: Installing the PGP Endpoint Management Console explains how to set up the console used to
administer PGP Endpoint.
> Chapter 6: Installing the PGP Endpoint Client on your endpoint computers guides you on how to set up
the PGP Endpoint Client on the computers that will be protected by PGP Endpoint.
> Chapter 7: The PGP Endpoint Authorization Service Tool explains the setup procedures for the
SUS/WSUS (Software Update Services & Windows Server Update Services) update partner tool used for
our PGP Endpoint Application Control Suite programs (PGP Endpoint Application Control Server Edition,
PGP Endpoint Application Control Custom Edition, and PGP Endpoint Application Control Terminal
Services Edition).
> Chapter 8: Unattended Client installation shows you how to deploy clients silently.
> Chapter 9: Using the SXDomain Command line tool explains how to synchronize information between
the PGP Endpoint Database and the domain controller.
> Chapter 10: Registering your PGP Endpoint product explains the PGP Endpoint licensing model.
> Appendix A: Detailed system requirements and limitations details the hardware and software you need
for optimum operation of the software.
> Appendix B: Registry keys provides detailed information about registry key settings for servers and
clients.
> Appendix C: Installing PGP Endpoint components on Windows XP SP2/2003 (SP1 or later) explains how
to configure this system to work with PGP Endpoint programs.
> Appendix D: Opening firewall ports for client deployment covers how to open the ports required for
the client deployment technique described in Chapter 8: Unattended Client installation.
> Appendix E: Using the synchronization script for Novell provides a quick setup guide for synchronizing
Novell eDirectory objects to define device/application permissions.
> Appendix F: Using Novell shares for your DataFileDirectory explains how to set the data file directory
(DataFileDirectory or DFD) on your Novell server.
> Appendix G: Installing a Certificate Authority for encryption and TLS Communication describes how to
install a Microsoft Certificate Authority needed for client driver-PGP Endpoint Administration Server and
intra-PGP Endpoint Administration Server TLS communication. This authority is also needed if you plan to
centrally encrypt removable devices (if using PGP Endpoint Device Control).
> Appendix H: Importing file definitions during setup includes necessary information to use the Standard
File Definitions (SFD) for PGP Endpoint Application Control Suite programs during the setup phase.
> Appendix I: Controlling administrative rights for PGP Endpoint’s administrators describes a file script
used to set and control the rights to administer Organizational Units/Users/Computers/Groups in Active
Directory.
> Appendix J: Installation checklist contains several tables to guide you through the initial setup process.
> Appendix K: Installing PGP Endpoint Application Control Terminal Services Edition introduces PGP
Endpoint for Terminal Services.
> Appendix L: Installing PGP Endpoint in Windows XP embedded discusses how to configure and install
PGP Endpoint on Windows Embedded systems.
> The Glossary provides definitions of standard terms used throughout the guide.
> The Index of figures, Index of tables, and Index provide quick access to specific figures, tables,
information, items, or topics.
Some of these chapters are only relevant for some programs of our product suite. For example, Appendix H:
Importing file definitions during setup is only applicable if you installed PGP Endpoint Application Control
Suite.
 Each chapter has an introductory paragraph explaining to which part of our suite it
corresponds.
Product relevance of each chapter
All chapters contain information that is relevant to users of all PGP Endpoint products, apart from:
> Chapter 7: The PGP Endpoint Authorization Service Tool, which only contains information relevant to
PGP Endpoint Application Control Suite programs (PGP Endpoint Application Control Server Edition,
PGP Endpoint Application Control Terminal Services Edition, and PGP Endpoint Application Control
Custom Edition).
> Appendix H: Importing file definitions during setup, which only contains information relevant to PGP
Endpoint Application Control Suite programs (PGP Endpoint Application Control Server Edition, PGP
Endpoint Application Control Terminal Services Edition, and PGP Endpoint Application Control Custom
Edition).
Conventions
Notational conventions
We use the following symbols to emphasize important points about the information you are reading throughout
this guide:
 Special note. This symbol indicates further information about the topic you are working on.
These may relate to other parts of the system or be points that need particular attention.
 Time. This symbol indicates a short-cut or tip that may save you time.
 Caution. This symbol means that proceeding with a course of action may result in a risk, e.g.
loss of data or potential problems with the operation of your system.
Typographic conventions
The following typefaces are used throughout this guide:
> Italic Represents fields, menu options, and cross-references.
> Fixed width Shows messages or commands typed at the command prompt.
> SMALL CAPS Represents buttons you select.
Getting Assistance
For additional resources, see these sections.
Getting product information
Unless otherwise noted, the product documentation is provided as Adobe Acrobat PDF files that are installed
with PGP Endpoint. Online help is available within the PGP Endpoint product. Release notes are also
available, which may have last-minute information not found in the product documentation.
Once PGP Endpoint is released, additional information regarding the product is entered into the online
Knowledge Base available on the PGP Corporation Support Portal (https://support.pgp.com).
Contacting Technical Support
> To learn about PGP support options and how to contact PGP Technical Support, please visit the PGP
Corporation Support Home Page (http://www.pgp.com/support).
> To access the PGP Support Knowledge Base or request PGP Technical Support, please visit the PGP
Support Portal Web Site (https://support.pgp.com). Note that you may access portions of the PGP
Support Knowledge Base without a support agreement; however, you must have a valid support
agreement to request Technical Support.
> For any other contacts at PGP Corporation, please visit the PGP Contacts Page
(http://www.pgp.com/company/contact/index.html).
> For general information about PGP Corporation, please visit the PGP Web Site (http://www.pgp.com).
> To access the PGP Support forums, please visit PGP Support (http://forums.pgpsupport.com). These
are user community support forums hosted by PGP Corporation.
Chapter 1: Installing PGP Endpoint’s Components
The information in this chapter is relevant to all PGP Endpoint products.
This chapter guides you through the procedure for installing the various PGP Endpoint components. You can
find a complete description of the PGP Endpoint products in the corresponding User Guide.
PGP Endpoint architecture
A PGP Endpoint solution includes the following four main components (for a full description see your User
Guide):
> One PGP Endpoint Database — This serves as the central repository of authorization information
(devices/applications).
> One or more PGP Endpoint Administration Servers, each with one or (optionally) more Data File
Directories (DFD) — These relay communication between the PGP Endpoint Database and the protected clients.
> The PGP Endpoint Client — installed on each computer you want to protect.
> Administrative tools — including the PGP Endpoint Management Console. This provides the
administrative interface to the PGP Endpoint Administration Server. This interface, which can be installed
on as many computers as you like, is used to configure the solution and perform a range of day-to-day
administrative tasks. You can install the console on one of the servers you are using for the PGP
Endpoint Database or the PGP Endpoint Administration Server or any other computer that has access to
the PGP Endpoint Administration Server. You will also need to install the PGP Endpoint Client Driver on
the same computer if you are using PGP Endpoint Device Control and you want to encrypt removable
devices or authorize DVDs/CDs.
An implementation can have more than one PGP Endpoint Administration Server and one PGP Endpoint
Database connected over a wide area. This means that PGP Endpoint can provide a resilient and scalable
solution to your security issues.
The relationship between the PGP Endpoint components is represented in the following figure:
Figure 1: PGP Endpoint’s architecture
 We do not describe the installation of Microsoft SQL Server in replication mode in this guide.
We assume that the TCP/IP protocol is properly configured during the installation process described in this
guide:
Figure 2: PGP Endpoint's setup
To install PGP Endpoint products
Although PGP Endpoint Software is an extremely powerful security solution, its setup is straightforward. The
installation routine can be broken down into the following stages:
1. Decide whether you are going to use an extra encryption layer for PGP Endpoint Client Driver -
PGP Endpoint Administration Server and intra-PGP Endpoint Administration Server
communications or not. If you decide to use it, you need to install a Certificate Authority. This is also
needed if you want to centrally encrypt removable media using PGP Endpoint Device Control. See
Transport Layer Security on page 13, Appendix G: Installing a Certificate Authority for encryption
and TLS Communication on page 127, and the PGP Endpoint Device Control User Guide.
2. Install the PGP Endpoint Database on the computer that is to hold authorization information for
devices and/or executables, scripts and macros. You can find a detailed installation procedure
explanation in Chapter 2: Installing the PGP Endpoint Database on page 17.
3. Generate the key pair that is used to sign/encrypt messages/media. See Chapter 3: Using the Key
Pair Generator on page 25.
4. Install the PGP Endpoint Administration Server on the computer or computers that serve as
intermediaries between the PGP Endpoint Client and the PGP Endpoint Database, distributing the
list of device/software permissions for each client computer and/or user/group. See Chapter 4:
Installing the PGP Endpoint Administration Server on page 19.
5. Install the PGP Endpoint Management Console on the computer(s) you are going to use to
configure PGP Endpoint, and subsequently carry out your day-to-day administrative tasks and
procedures. See Chapter 5: Installing the PGP Endpoint Management Console on page 38.
6. Install a PGP Endpoint Client and test the predefined permissions for devices and/or
executables, scripts or macros. You can install the client on the same machine that you are using
for the PGP Endpoint Database, PGP Endpoint Administration Server, and PGP Endpoint
Management Console (some limitations apply). See Chapter 6: Installing the PGP Endpoint Client
on your endpoint computers on page 45.
7. Define some test permissions for devices and/or executable files using the console installed in
step 3 and test these on the client machine. See the PGP Endpoint Quick Setup Guide.
8. Define your company’s policies (permissions, rules, and settings), determining which users get
access to which devices and/or executables, scripts and macros. This step is done before
installing or rolling out any clients. Installing PGP Endpoint Clients without a good policy definition
would result in a loss of productivity. Consult the PGP Endpoint Application Control User Guide
and/or PGP Endpoint Device Control User Guide for more information.
9. Plan the client installation strategy and deploy your clients on production machines to begin
enjoying the benefits of being protected by PGP Endpoint immediately. See Chapter 8: Unattended
Client installation on page 63.
10. Define a synchronization schema to be used for your Microsoft Domains or Novell eDirectory
structure. See Chapter 9: Using the SXDomain Command line tool on page 87.
You can find a detailed explanation of the functions carried out by the various PGP Endpoint administration
components in the PGP Endpoint Application Control User Guide and/or PGP Endpoint Device Control User
Guide. We recommend that you read these through thoroughly before starting to implement PGP Endpoint
products.
At any time after installing the PGP Endpoint Database, PGP Endpoint Administration Server, PGP Endpoint
Management Console, or the PGP Endpoint Client you can modify or uninstall the components by running their
respective setup.exe files.
If any setup routine stops (e.g. because a severe error is encountered or because the user cancels it), the routine
attempts to clean up and roll back any modifications it made to your computer. It also produces log files
containing the reason why the setup failed. These are placed in the %TMP% directory (of the user account doing
the installation) and are named sxdbi.log, setupcltsu.log, setupsmc.log, setupdb.log, and setupsxs.log. If
your setup fails and you make a support call to PGP, you will be asked to send these files to help us diagnose
the problem.
 You should resolve all hardware conflicts before installing PGP Endpoint solutions. You can
use Windows’ Device Manager to troubleshoot and fix software-configurable devices. All
hardware devices that use jumper pins or dip switches must be configured manually.
 It is critical to determine the Policy Definition that is best for your organization. This is where
you define which users get access to which devices and/or executables. This step must be
done before any clients are installed or rolled out. If you install clients without a good policy
definition, this will result in a loss of efficiency or it could prevent users from accessing their
devices. Define policies BEFORE installing any clients!
Ghost image deployment
A common problem that administrators face is how to deploy a ‘standard’ computer to a new user or when
upgrading to new hardware. They normally do this by installing all necessary software on a ‘fresh’ computer
and then use ‘Ghost’ software to create an image of it. The administrator then imprints this image on all new
computers.
The PGP Endpoint Client can be included in the ‘ghost’ image. To do this, use the following steps:
1. Install the PGP Endpoint Client on the machine to be 'ghosted', as you would do on any other client
computer.
2. Change all drivers to start on demand mode. To do this, use Regedit to modify the following values
found in HKLM\System\CurrentControlSet\Services\.
scomc: Start, REG_DWORD = 4
sk: Start, REG_DWORD = 4
3. Delete the value 'sk' in the registry key HKLM\System\CurrentControlSet\Control\Class\
{71A27CDD-812A-11D0-BEC7-08002BE2092F}\Upperfilters.
If this is not done, the client will not boot up.
4. Reboot the computer. The driver is installed but does not run.
5. In HKLM\System\CurrentControlSet\Services\sk\Parameters delete ALL entries that
start with '\SystemRoot\SxData\...'.
6. In HKLM\System\CurrentControlSet\Services\sk\Parameters delete the 'DeviceIndex' key.
7. In HKLM\System\CurrentControlSet\Services\scomc\Parameters delete the
'LastSeenComputerName' key.
8. Delete any keys (apart from default) that do not have a value set.
9. Delete all files in the %SystemRoot%\sxdata directory, apart from the public key file, sx-public.key.
10. Proceed to create the Ghost image from this 'standard' computer.
When deploying the Ghost image:
1. Change the SID (which uniquely identifies the computer) and the name of the computer. This can
be done using Ghostwalker or the freeware SIDchanger tool available from the SYSinternals
website (www.sysinternals.com).
2. Change the starting mode of each driver back to its original state. To do this, use Regedit to modify
the following values found in HKLM\System\CurrentControlSet\Services\.
scomc: Start, REG_DWORD = 2
sk: Start, REG_DWORD = 0
3. Restore the registry key value 'sk' in HKLM\System\CurrentControlSet\Control\Class\
{71A27CDD-812A-11D0-BEC7-08002BE2092F}\Upperfilters.
4. Reboot the ‘new’ computer.
Transport Layer Security
The Transport Layer Security (TLS) protocol (based on SSL — Secure Sockets Layer) addresses security
issues related to message interception during communication between hosts. Deploying TLS on both the client
and the server side is the primary defense against compromised clients or mixed networks where it is possible to
intercept transmitted messages.
TLS has specific advantages when addressing message security issues:
> The identities of peers can be authenticated using asymmetric (public key) cryptography, coupled with a
Certificate Authority (see Appendix G: Installing a Certificate Authority for encryption and TLS
Communication), allowing the safe exchange of encrypted information. Clients can verify that the IP address
and name are consistent with the DNS records, inhibiting ‘man in the middle’ and DNS ‘spoofing’ exploits.
> Message contents cannot be modified while en route between two TLS-negotiated hosts. Either party
can detect TLS protocol violations.
However, there are also some disadvantages to using the TLS protocol:
> Cryptography, specifically when it involves public key operations, is CPU-intensive and using TLS may
result in a performance loss. The level of performance loss depends on factors such as your environment,
the total number of permissions required, whether you use shadowing, and so on. Unfortunately, it
is impossible to know beforehand how large the performance loss will be for your particular organization.
> A TLS environment requires maintenance — the system administrator must configure the system and
manage certificates.
You should consider carefully whether your organization needs this extra security, i.e. whether your company
handles sensitive data or has to meet certain security regulations.
Using TLS for client-PGP Endpoint Administration Server communication
There are two ways in which a PGP Endpoint Client can communicate with a PGP Endpoint Administration
Server. It can use:
> A Pull operation in which the client driver establishes a connection with the server to:
• Obtain the most recent permission updates.
• Upload its log files.
• Upload its shadow files.
If the TLS protocol is used, the authentication and confidentiality of the data exchanged are guaranteed.
> A Push operation in which a PGP Endpoint Administration Server establishes a connection with the
client to:
• Request a client driver to perform a scan.
• Request a client driver to upload its log file.
• Request the client driver to upload its shadow files.
• Request a client driver to contact the server to receive the latest permission updates.
• ‘Ping’ a client to update its client list or begin another communication or process.
Push messages are very limited and basic and therefore do not use TLS. The PGP Endpoint Administration
Server sends a short message informing the client to call back with an ID number, nothing else. This message,
although not encrypted, is signed. The PGP Endpoint Client Driver then opens a connection channel with the
PGP Endpoint Administration Server — either using TLS or not, as defined when installed — and sends back
the ID number. The PGP Endpoint Administration Server(s) verify that there is a pending request for this
communication and instruct the client driver what to do next.
The callback message (see also Using TLS for the inter-PGP Endpoint Administration Server communication
on page 15) is authenticated using the private/public key pair, which must be generated before installing the
PGP Endpoint Application Server. Messages are signed with the server private key and clients use the
corresponding public key to guarantee that the messages come from genuine servers.
Since the messages exchanged with the server do not contain confidential data, there is no need to encrypt
them, i.e. using TLS for push messages would not provide any significant benefits.
When the communication mode used is TLS, PGP Endpoint Client:
> Checks that the size of the package received is at least big enough to hold the server signature, rejecting
any packages smaller than this minimum size.
> Rejects packages that are bigger than the maximum allowed size.
> Verifies the signature and integrity of the message, for the packages that have been accepted.
When a client driver receives a valid PGP Endpoint Administration Server command, it begins sending back
the requested data through a TLS connection (if configured). This data can comprise:
> Scan results.
> Log files.
> Shadow files.
> Permission updates.
> ‘Ping’ information.
Figure 3: PGP Endpoint Client: Using the TLS protocol for client-PGP Endpoint Administration Server communication
If the program does not auto-generate the required certificate (by attempting to obtain it from the Certificate
Authority) you can either try to import it or generate it with the Wizard. You must ensure that it is signed by a
private key as shown in the following image:
Figure 4: Signed certificate
Using TLS for the inter-PGP Endpoint Administration Server communication
If your PGP Endpoint implementation contains several PGP Endpoint Administration Servers and uses
distributed Data File Directories (DFD), then since confidential information is exchanged between these, it is a
good idea to choose to use the TLS protocol when installing them. For example, if you plan to define
read/write shadow rules (see the PGP Endpoint Device Control User Guide for a complete explanation), there
could be a constant flow of shadowed files circulating between them. Using the TLS protocol option assures
that data is encrypted.
Figure 5: PGP Endpoint Administration Server: Using the TLS protocol for intra-PGP Endpoint Administration Server
communication
PGP Endpoint Administration Server machines may have multiple DNS names and multiple certificates. The
certificate selected by PGP Endpoint Administration Server must match the DNS name used by the PGP
Endpoint Client and other PGP Endpoint Administration Servers when they communicate over secure TLS
ports. These values can be manually overridden by modifying a registry key (see Table 19 on page 102 for
more information).
The value in 'ServerName' can be used to specify a fully qualified DNS name that PGP Endpoint
Administration Servers register in the servers table and communicate to client drivers in callbacks. The value
'ServerCertSerial' is used to specify the serial number of the certificate that PGP Endpoint Administration
Server should use for TLS communication. The format of this value is exactly the same as the one that PGP
Endpoint Administration Server displays when a certificate is loaded, for example, 3738DCAE0003000001C0.
(The MMC Certificates snap-in uses almost the same format, except it has blanks after every two digits. These
blanks must NOT be specified for the PGP Endpoint Administration Server value.)
Server callback messages (see also Using TLS for client-PGP Endpoint Administration Server communication
on page 13) include the server’s DNS name and port number(s). This ensures that the client only answers the
particular contacting PGP Endpoint Administration Server even if the client has no prior information about it.
The message also includes a timestamp, which prevents the client driver from replying to old requests.
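The signed callback exchange described in Using TLS for client-PGP Endpoint Administration Server communication, together with the client-side size, signature and timestamp checks and the server name and port fields described just above, as an added Go example. This is not PGP Endpoint code: the message layout, the Ed25519 key pair standing in for the product's server key pair, the 512-byte maximum, the five-minute freshness window and the host name and port are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Message layout assumed for this example (not the product's wire format):
//   uint32 request id | int64 unix timestamp | uint16 port |
//   uint16 name length | server DNS name | 64-byte Ed25519 signature
// The server signs everything that precedes the signature.
const (
	sigSize    = ed25519.SignatureSize
	headerSize = 4 + 8 + 2 + 2
	minMsgSize = headerSize + sigSize // smallest packet that can hold a signature at all
	maxMsgSize = 512                  // hard cap, enforced before any parsing (assumed value)
	maxAge     = 5 * time.Minute      // freshness window for the timestamp (assumed value)
)

// Callback is the plaintext content of a server callback: "call me back about request N".
type Callback struct {
	RequestID  uint32
	Timestamp  time.Time
	ServerName string
	Port       uint16
}

var (
	ErrTooSmall  = errors.New("callback rejected: below minimum size")
	ErrTooLarge  = errors.New("callback rejected: above maximum size")
	ErrBadSig    = errors.New("callback rejected: signature does not verify")
	ErrMalformed = errors.New("callback rejected: malformed body")
	ErrStale     = errors.New("callback rejected: timestamp outside freshness window")
)

// SignCallback serialises cb and appends a signature made with the server's private key.
func SignCallback(priv ed25519.PrivateKey, cb Callback) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, cb.RequestID)
	binary.Write(&buf, binary.BigEndian, cb.Timestamp.Unix())
	binary.Write(&buf, binary.BigEndian, cb.Port)
	binary.Write(&buf, binary.BigEndian, uint16(len(cb.ServerName)))
	buf.WriteString(cb.ServerName)
	return append(buf.Bytes(), ed25519.Sign(priv, buf.Bytes())...)
}

// VerifyCallback applies the client-side checks in the order the guide lists them:
// size bounds first (before touching any content), then signature and integrity,
// then the timestamp, so that a replayed old request is ignored.
func VerifyCallback(pub ed25519.PublicKey, msg []byte, now time.Time) (Callback, error) {
	if len(msg) < minMsgSize {
		return Callback{}, ErrTooSmall
	}
	if len(msg) > maxMsgSize {
		return Callback{}, ErrTooLarge
	}
	body, sig := msg[:len(msg)-sigSize], msg[len(msg)-sigSize:]
	if !ed25519.Verify(pub, body, sig) {
		return Callback{}, ErrBadSig
	}
	var cb Callback
	var ts int64
	var nameLen uint16
	r := bytes.NewReader(body)
	binary.Read(r, binary.BigEndian, &cb.RequestID)
	binary.Read(r, binary.BigEndian, &ts)
	binary.Read(r, binary.BigEndian, &cb.Port)
	binary.Read(r, binary.BigEndian, &nameLen)
	name := make([]byte, nameLen)
	if n, _ := r.Read(name); n != int(nameLen) || r.Len() != 0 {
		return Callback{}, ErrMalformed
	}
	cb.ServerName = string(name)
	cb.Timestamp = time.Unix(ts, 0)
	if d := now.Sub(cb.Timestamp); d > maxAge || d < -maxAge {
		return Callback{}, ErrStale
	}
	return cb, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	// Constructed sample values; the real host name and port come from your deployment.
	msg := SignCallback(priv, Callback{RequestID: 7, Timestamp: now, ServerName: "sxs01.example.com", Port: 4433})
	cb, err := VerifyCallback(pub, msg, now)
	fmt.Println(cb.ServerName, cb.Port, cb.RequestID, err)
	msg[0] ^= 0x01 // flip one bit of the request id: the signature no longer verifies
	_, err = VerifyCallback(pub, msg, now)
	fmt.Println(err)
}
```

The ordering mirrors the guide: the two length checks cost nothing and run before any content is examined, the signature check then guarantees integrity and origin, and only a message that passed both is parsed and tested for freshness. Because the DNS name and port are inside the signed body, a client that has never heard of the server can still only call back the server that actually signed the request.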
What is a digital certificate?
A digital certificate is an electronic identity card that establishes your identity and credentials when doing
transactions over a channel. Certificates are issued by a Certification Authority. They contain, among other
things:
> A digital signature, indicating which certificate-issuing authority generated them. This lets a recipient
verify that the certificate is genuine.
> A public key, to be used for encrypting messages and verifying digital signatures. All messages encrypted
using the public key can be decrypted using the corresponding private key (see a complete description in
the User Guide).
Most certificates used today are based on the X.509 v3 certificate standard.
Typically, certificates also contain the following information:
> Certificate’s version and serial number.
> Signature algorithm.
> Validity (not before, not after).
> Authority and subject’s ID.
> Digital signature of the issuer, attesting to the validity of the binding between the subject’s public key and
the subject’s identifying information.
What is a Certificate Authority?
A Certificate Authority (CA) is an entity that issues and manages certificates in a network. As part of a public
key infrastructure, a CA checks with a registration authority (RA) to verify the information provided by the
requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue a
certificate stating that the public key contained in it belongs to the person, computer, or entity noted in the
same certificate. The idea behind this security process is that the user trusts the CA and can verify its
signature and can also corroborate that a certain public key belongs to whoever is identified in the certificate.
You either trust a CA or not. If you trust a CA, this means that you have confidence that it has proper policies
in place when evaluating certificate requests. In addition to this, you also trust that the CA will revoke
certificates that should no longer be considered valid, publishing an up-to-date CRL (Certificate
Revocation List).
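The certificate fields listed under What is a digital certificate?, the CA issuance and trust check described under What is a Certificate Authority?, and the unspaced ServerCertSerial format from page 16, as an added Go example built on the standard library. This is neither PGP Endpoint nor Microsoft CA code: the self-signed CA stands in for the Microsoft Certificate Authority of Appendix G, and the CA name, host name and ECDSA keys are assumptions; the serial number is the one the guide quotes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertSummary holds the fields the guide lists as the typical content of a certificate.
type CertSummary struct {
	Version             int
	Serial              string // upper-case hex without blanks: the form ServerCertSerial expects
	SignatureAlgorithm  string
	NotBefore, NotAfter time.Time
	Issuer, Subject     string
	DNSNames            []string
}

// Summarize extracts those fields from a parsed X.509 certificate.
func Summarize(c *x509.Certificate) CertSummary {
	return CertSummary{Version: c.Version, Serial: fmt.Sprintf("%X", c.SerialNumber),
		SignatureAlgorithm: c.SignatureAlgorithm.String(), NotBefore: c.NotBefore, NotAfter: c.NotAfter,
		Issuer: c.Issuer.CommonName, Subject: c.Subject.CommonName, DNSNames: c.DNSNames}
}

// NormalizeSerial turns the blank-separated serial shown by the MMC Certificates
// snap-in into the unspaced form the ServerCertSerial registry value expects.
func NormalizeSerial(s string) string {
	return strings.ToUpper(strings.ReplaceAll(strings.TrimSpace(s), " ", ""))
}

func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// NewCA creates a self-signed CA certificate, a stand-in for the Microsoft CA of Appendix G.
func NewCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueServerCert has the CA sign a certificate that binds a fresh key to the server's
// DNS name. The CA's signature over it is what lets a client check that it is genuine.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string,
	serial *big.Int, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyServerCert is the client-side check: the chain must end at a CA the client trusts,
// the certificate must be inside its validity period, and the DNS name the client
// connected to must match the certificate. Any failure comes back as an error.
func VerifyServerCert(trustedCA, cert *x509.Certificate, dnsName string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName, CurrentTime: at})
	return err
}

func main() {
	now := time.Now()
	ca, caKey, _ := NewCA("Example Enterprise CA", now)                        // constructed name
	serial, _ := new(big.Int).SetString("3738DCAE0003000001C0", 16)           // serial quoted in the guide
	cert, _, _ := IssueServerCert(ca, caKey, "sxs01.example.com", serial, now) // constructed host name
	fmt.Printf("%+v\n", Summarize(cert))
	fmt.Println("matching name:", VerifyServerCert(ca, cert, "sxs01.example.com", now))
	fmt.Println("other name:   ", VerifyServerCert(ca, cert, "other.example.com", now))
}
```

VerifyServerCert fails for a name that is not in the certificate, for a certificate outside its validity period, and for a certificate issued by a CA the client does not trust; these are exactly the three properties the guide asks the client to rely on when a server's certificate must match the DNS name the client used to reach it. Revocation (the CRL the guide mentions) is a separate check on top of this chain validation and is not shown here.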