PGP Universal Server

Installation Guide

Version Information
PGP Universal Server Installation Guide. PGP Universal Server Version 3.0.0. Released March 2010.

Copyright Information
Copyright © 1991-2010 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.

Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support (https://support.pgp.com). PGP Corporation may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents.

Acknowledgments
This product includes or may include:
-- The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation, developed by zlib (http://www.zlib.net).
-- Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright © 2007 by the Open Source Initiative.
-- bzip2 1.0, a freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005.
-- Application server (http://jakarta.apache.org/), web server (http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML, developed by the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt.
-- Castor, an open-source, data-binding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html.
-- Xalan, an open-source software library from the Apache Software Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1.
-- Apache Axis, an implementation of SOAP ("Simple Object Access Protocol") used for communications between various PGP products, is provided under the Apache license found at http://www.apache.org/licenses/LICENSE-2.0.txt.
-- mx4j, an open-source implementation of the Java Management Extensions (JMX), is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html.
-- jpeglib version 6a is based in part on the work of the Independent JPEG Group (http://www.ijg.org/).
-- libxslt, the XSLT C library developed for the GNOME project and used for XML transformations, is distributed under the MIT License http://www.opensource.org/licenses/mit-license.html.
-- PCRE Perl regular expression compiler, copyrighted and distributed by University of Cambridge. © 1997-2006. The license agreement is at http://www.pcre.org/license.txt.
-- BIND Balanced Binary Tree Library and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org).
-- Free BSD implementation of daemon developed by The FreeBSD Project, © 1994-2006.
-- Simple Network Management Protocol Library developed and copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001-2003, Cambridge Broadband Ltd. © 2001-2003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, © 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/license.html.
-- NTP version 4.2 developed by Network Time Protocol and copyrighted to various contributors.
-- Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html.
-- Secure shell OpenSSH developed by the OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD.
-- PC/SC Lite, a free implementation of PC/SC, a specification for SmartCard integration, is released under the BSD license.
-- Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at http://www.opensource.org/licenses/ibmpl.php.
-- PostgreSQL, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence.
-- PostgreSQL JDBC driver, a free Java program used to connect to a PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a BSD-style license, available at http://jdbc.postgresql.org/license.html.
-- PostgreSQL Regular Expression Library, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence.
-- vixie-cron is the Vixie version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission.
-- JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL) available at http://www.jacorb.org/lgpl.html. Copyright © 2006 The JacORB Project.
-- TAO (The ACE ORB) is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/~schmidt/ACE-copying.html.
-- libcURL, a library for downloading files via common network services, is open source software provided under a MIT/X derivate license available at http://curl.haxx.se/docs/copyright.html. Copyright (c) 1996 - 2007, Daniel Stenberg.
-- libuuid, a library used to generate unique identifiers, is released under a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright (C) 1996, 1997 Theodore Ts'o.
-- libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at http://directory.fsf.org/libs/COPYING.DOC. Copyright © 2000-2003 Free Software Foundation, Inc.
-- gSOAP, a development tool for Windows clients to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the gSOAP Public License version 1.3b, available at http://www.cs.fsu.edu/~engelen/license.html.
-- Windows Template Library (WTL) is used for developing user interface components and is distributed under the Common Public License v1.0 found at http://opensource.org/licenses/cpl1.0.php.
-- The Perl Kit provides several independent utilities used to automate a variety of maintenance functions and is provided under the Perl Artistic License, found at http://www.perl.com/pub/a/language/misc/Artistic.html.
-- rEFIt - libeg, provides a graphical interface library for EFI, including image rendering, text rendering, and alpha blending, and is distributed under the license found at http://refit.svn.sourceforge.net/viewvc/*checkout*/refit/trunk/refit/LICENSE.txt?revision=288. Copyright (c) 2006 Christoph Pfisterer. All rights reserved.
-- Java Radius Client, used to authenticate PGP Universal Web Messenger users via Radius, is distributed under the Lesser General Public License (LGPL) found at http://www.gnu.org/licenses/lgpl.html.
-- Yahoo! User Interface (YUI) library version 2.5.2, a Web UI interface library for AJAX. Copyright (c) 2009, Yahoo! Inc. All rights reserved. Released under a BSD-style license, available at http://developer.yahoo.com/yui/license.html.
-- JSON-lib version 2.2.1, a Java library used to convert Java objects to JSON (JavaScript Object Notation) objects for AJAX. Distributed under the Apache 2.0 license, available at http://json-lib.sourceforge.net/license.html.
-- EZMorph, used by JSON-lib, is distributed under the Apache 2.0 license, available at http://ezmorph.sourceforge.net/license.html.
-- Apache Commons Lang, used by JSON-lib, is distributed under the Apache 2.0 license, available at http://commons.apache.org/license.html.
-- Apache Commons BeanUtils, used by JSON-lib, is distributed under the Apache 2.0 license, available at http://commons.apache.org/license.html.
-- Protocol Buffers (protobuf), Google's data interchange format, are used to serialize structure data in the PGP SDK. Copyright 2008 Google Inc. All rights reserved. Distributed under the BSD license found at http://www.opensource.org/licenses/bsd-license.php.
-- uSTL provides a small fast implementation of common Standard Template Library functions and data structures and is distributed under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright (c) 2005-2009 by Mike Sharov <msharov@users.sourceforge.net>.
-- SimpleIni is an .ini format file parser and provides the ability to read and write .ini files, a common configuration file format used on Windows, on other platforms. Distributed under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright 2006-2008, Brodie Thiesfield.
Additional acknowledgements and legal notices are included as part of the PGP Universal Server.

Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.

Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.

Contents

Introduction  1
  What is PGP Universal Server?  1
  PGP Universal Server Product Family  2
  Who Should Read This Guide  2
  Common Criteria Environments  2
  Using the PGP Universal Server with the Command Line  3
  Symbols  3
  Getting Assistance  3
  Getting product information  4
  Contact Information  4

Adding the PGP Universal Server to Your Network  7
  Server Placement  7
  Gateway Placement  7
  Internal Placement  8
  Using a Mail Relay  9
  Microsoft Exchange Server  10
  Lotus Domino Server  10
  Installation Overview  10

Open Ports  17
  TCP Ports  17
  UDP Ports  19

Naming your PGP Universal Server  21
  Considering a Name for Your PGP Universal Server  21
  Methods for Naming a PGP Universal Server  22

Installing the PGP Universal Server  23
  About Installation  23
  System Requirements  23
  Installing on a VMWare ESX Virtual Machine  24
  VMWare Tools Installation for PGP Universal Server  24
  Installation Materials  25
  Installation Options  25
  Default Installation Procedure  26
  Performing a Media Verification on your DVD  28
  Alternate Installation Procedures  28
  Preparing for Setup after pgp Install  29
  Hardware  29
  System Information  29
  Connect to the PGP Universal Server  30

Setting Up the PGP Universal Server  31
  About the Setup Assistant  31
  Initial Configuration with Setup Assistant  32
  Configuring a New Installation  34
  Configuring a Cluster Member  37
  Restoring From a Server Backup  38
  Migrating the Keys from a PGP Keyserver  39

Configuration Examples  41
  Internal Placement Configuration  41
  Gateway Placement Configuration  42
  Non-mailstream Placement Configuration  43
  Cluster Configuration  44
  Clustered Proxy and Keyserver Configuration  45
  Gateway Cluster with Load Balancer  47
  Gateway and Internal Placement Cluster  48
  Encircled Configuration  50
  Large Enterprise Configuration  51
  Spam Filters and PGP Universal Server  52
  Exchange with PGP Client Software  53
  Lotus Domino Server with PGP Client Software  54
  Unsupported Configurations  54
  Multiple Gateway–Placed Servers  54

1 Introduction

This book describes some important PGP Universal Server concepts and gives you a high-level overview of the things you need to do to set up and use PGP Universal Server. This book provides information about how your PGP Universal Server processes email, to help you decide how to integrate your PGP Universal Servers into your existing network. It also includes information about using Microsoft Exchange Server and Lotus Domino Server with PGP Universal Satellite. It lists system requirements, provides an overview of the installation process, and provides step-by-step instructions on how to install the software.

What is PGP Universal Server?
PGP Universal Server is a single console for managing the applications that provide email, disk, and network file encryption. PGP Universal Server with PGP Universal Gateway Email gives you secure messaging: it transparently protects your enterprise messages with little or no user interaction. PGP Universal Server automatically creates and maintains a Self-Managing Security Architecture (SMSA) by monitoring authenticated users and their email traffic. You can also send protected messages to addresses that are not part of the SMSA. The PGP Universal Server encrypts, signs, decrypts, and verifies messages automatically, providing strong security through policies you control.

PGP Universal Satellite, a client-side feature of PGP Universal Server, extends PGP security for email messages all the way to the computer of the email user; it allows external users to become part of the SMSA, and it gives end users the option to create and manage their keys on their own computer (if allowed by the PGP administrator).

PGP Desktop, a client product, is created and managed through PGP Universal Server policy. It encrypts user email and instant messaging (IM). It can encrypt entire or partial hard drives. It also enables secure file sharing with others over a network.

The PGP Universal Server also replaces the PGP Keyserver product with a built-in keyserver, and the PGP Admin product with PGP Desktop configuration and deployment capabilities. It creates PGP keypairs and can manage user keypairs as well as store the public keys of others.

PGP Universal Server Product Family
PGP Universal Server functions as a management console for a variety of encryption solutions. You can purchase any of the PGP Desktop applications or bundles and use PGP Universal Server to create and manage client installations. You can also purchase a license that enables PGP Gateway Email to encrypt email in the mailstream. The PGP Universal Server can manage any combination of PGP encryption applications. PGP encryption applications are:
- PGP Universal Gateway Email provides automatic email encryption in the gateway, based on centralized mail policy. This product requires administration by the PGP Universal Server.
- PGP Desktop Email provides encryption at the desktop for mail, files, and AOL Instant Messenger traffic. This product can be managed by the PGP Universal Server.
- PGP Whole Disk Encryption provides encryption at the desktop for an entire disk. This product can be managed by the PGP Universal Server.
- PGP NetShare provides transparent file encryption and sharing among desktops. This product can be managed by the PGP Universal Server.

Who Should Read This Guide
This Installation Guide is for the person or persons who will be installing the software for your organization's PGP Universal Server environment. These are the PGP administrators.

Common Criteria Environments
To be Common Criteria compliant, please refer to the best practices shown in PGP Universal Server 2.9 Common Criteria Supplemental. Note that these best practices supersede recommendations made elsewhere in this and other documentation.

Using the PGP Universal Server with the Command Line
Using the PGP Universal Server command line for read-only access (such as to view settings, services, logs, processes, disk space, query the database, etc) is supported. However, performing configuration modifications via the command line voids your PGP Support agreement unless these procedures are followed. Any changes made to the PGP Universal Server via the command line must be:
- Authorized in writing by PGP Support.
- Implemented by a PGP Partner, reseller or internal employee who is certified in the PGP Advanced Administration and Deployment Training.
- Summarized and documented in a text file in /etc/pso on the PGP Universal Server itself.
Changes made through the command line might not persist through reboots and might be incompatible with future releases. PGP Support can require reverting any custom configurations on the PGP Universal Server back to a default state when troubleshooting new issues.

Symbols
Notes, Cautions, and Warnings are used in the following ways.

Note: Notes are extra, but important, information. A Note calls your attention to important aspects of the product. You can use the product better if you read the Notes.

Caution: Cautions indicate the possibility of loss of data or a minor security breach. A Caution tells you about a situation where problems can occur unless precautions are taken. Pay attention to Cautions.

Warning: Warnings indicate the possibility of significant data loss or a major security breach. A Warning means serious problems will occur unless you take the appropriate action. Please take Warnings very seriously.

Getting Assistance
For additional resources, see these sections.

Getting product information
Once PGP Universal Server is released, additional information regarding the product is added to the online Knowledge Base available on PGP Corporation's Support Portal (https://support.pgp.com).

The following documents and online help are companions to the PGP Universal Server Administrator's Guide. This guide occasionally refers to information that can be found in one or more of these sources:
- Online help is installed and is available within the PGP Universal Server product.
- PGP Universal Server Installation Guide—Describes how to install the PGP Universal Server software.
- PGP Universal Server Upgrade Guide—Describes the process of upgrading your PGP Universal Server.
- PGP Universal Mail Policy Diagram—Provides a graphical representation of how email is processed through mail policy. You can access this document via the PGP Universal Server online help.
- Tutorials—Provides animated introductions on how to manage the mail policy feature in PGP Universal Server 2.5 and later, and how upgraded PGP Universal Server settings migrate into the new mail policy feature.
- PGP Universal Satellite for Windows and Mac OS X include online help.
PGP Universal Server and PGP Satellite release notes are also provided, which may have last-minute information not found in the product documentation. You can also access all the documentation and tutorials by clicking the online help icon in the upper-right corner of the PGP Universal Server screen.

Contact Information

Contacting Technical Support
- To learn about PGP support options and how to contact PGP Technical Support, please visit the PGP Corporation Support Home Page (https://support.pgp.com).
- To access the PGP Support Knowledge Base or request PGP Technical Support, please visit PGP Support Portal Web Site (https://support.pgp.com). Note that you may access portions of the PGP Support Knowledge Base without a support agreement; however, you must have a valid support agreement to request Technical Support.

- To access the PGP Support forums, please visit PGP Support (http://forum.pgp.com). These are user community support forums hosted by PGP Corporation.

Contacting Customer Service
- For help with orders, downloads, and licensing, please visit PGP Corporation Customer Service (https://pgp.custhelp.com/app/cshome).

Contacting Other Departments
- For any other contacts at PGP Corporation, please visit the PGP Contacts Page (http://www.pgp.com/about_pgp_corporation/contact/index.html).
- For general information about PGP Corporation, please visit the PGP Web Site (http://www.pgp.com).


2 Adding the PGP Universal Server to Your Network

This chapter provides information about how your PGP Universal Server processes email, to help you decide how to integrate your PGP Universal Servers into your existing network. It also includes information about using Microsoft Exchange Server and Lotus Domino Server with PGP Universal Satellite. These topics are covered in the following sections.

Server Placement
A PGP Universal Server can be placed in your network in either of two locations in the logical flow of data:
- Internal placement. The PGP Universal Server is located between your email users and their local mail server in the logical flow of data.
- Gateway placement. The PGP Universal Server is located between your external facing mail server and the Internet in the logical flow of data.

Caution: The PGP Universal Server must not be behind a proxy server, unless it is a transparent proxy, to receive licensing and update information automatically. This is true for both gateway and internal placement.

Gateway Placement
With a gateway placement, your PGP Universal Server sits between your mail server and the Internet in the logical flow of data.

[Figure: PGP Universal Server gateway placement. Components shown: Example Corp. internal network, Example Corp. email users, Example Corp. email server, Example Corp. DMZ, PGP Universal Server, external email user; arrows show the logical flow of data.]

Note: The physical location of the PGP Universal Server and the mail server are not important. What is important is that, from a mail relay point of view, the PGP Universal Server is between the mail server and the Internet. Both can be on the internal network or in the DMZ.

With a gateway placement, email messages are secured before they are sent to the Internet (on the way to their destination) and decrypted/verified when received from the Internet. With a gateway placement, messages are stored unsecured on the mail server (unless PGP Universal Satellite is being used).

Note: Email users on your internal network should not be allowed direct access to a PGP Universal Server in gateway placement. PGP Universal Server attempts to enforce this automatically based on your configuration. Configure the mail server to verify From addresses if you intend to use the signing features of PGP Universal Server.

For PGP Universal Server to create the SMSA, you must make sure to correctly configure your mail server when you are using PGP Universal Servers in gateway placements.

Internal Placement
With an internal placement, your PGP Universal Server sits between your email users and their email server in the logical flow of data.

[Figure: PGP Universal Server internally placed. Components shown: Example Corp. internal network, Example Corp. email users, PGP Universal Server, Example Corp. email server, Example Corp. DMZ, external email user; arrows show the logical flow of data.]

Note: The physical location of the PGP Universal Server and the mail server are not important. What is important is that, from a mail relay point of view, the PGP Universal Server is between the email users and the mail server. Both can be on the internal network or in the DMZ. From a performance perspective, it is generally advisable to put them next to each other on the same network.

With an internal placement of your PGP Universal Server, messages are secured based on the applicable policies when they are sent to the mail server using SMTP; they are decrypted and verified when they are retrieved from the mail server using POP or IMAP. With an internal placement, messages are stored secured on the mail server. Messages are only transmitted unencrypted between the internal user and the PGP Universal Server, and then only if PGP Universal Satellite has not been deployed globally to your internal users. If your mail server is configured for SSL/TLS communications with the email client, the messages can be passed through that encrypted channel, thus maintaining encryption along the entire path.

For PGP Universal Server to create the SMSA, email clients must have SMTP authentication turned on when they are communicating with a PGP Universal Server in an internal placement.

Using a Mail Relay
PGP Universal Server can forward outgoing email, after processing, to a central mail gateway acting as a mail relay. Sites that use explicit mail routing can use the mail relay feature to forward outgoing email to a mail relay that performs this explicit routing. You cannot configure the mail relay when you initially configure the server using the Setup Assistant. Instead, you have to configure the server for gateway placement, then use the administrative interface to configure the mail relay.

Configure the relay on the Outbound or Unified SMTP proxy. For more information, see "Creating New or Editing Existing Proxies" in the PGP Universal Server Administrator's Guide.

Microsoft Exchange Server
Messaging Application Programming Interface (MAPI) support is available for Microsoft Exchange Server environments by using Protector for Mail Encryption Client or PGP Universal Satellite for Windows. MAPI support is not available in PGP Universal Satellite for Mac OS X because there are no MAPI email clients for Mac OS X. For more information about using MAPI, see Exchange with PGP Client Software (on page 53) and "MAPI Support" in the PGP Universal Server Administrator's Guide.

Lotus Domino Server
Lotus Domino Servers and the Lotus Notes email client (versions 7.0.3 and later) are supported in PGP Desktop and PGP Universal Satellite for Windows. For more information about using the Lotus Notes email client, see Lotus Domino Server with PGP Client Software (on page 54) and "Lotus Notes Support" in the PGP Universal Server Administrator's Guide.

Installation Overview
The following steps are a broad overview of what it takes to plan, set up, and maintain your PGP Universal Server environment. Steps 1 and 4 are described in detail in this book. The remaining tasks are described in the PGP Universal Server Administrator's Guide.

Note that these steps apply to the installation of a new, stand-alone PGP Universal Server. If you plan to install a cluster, you must install and configure one PGP Universal Server following the steps outlined here. Subsequent cluster members will receive most of their configuration settings from the initial PGP Universal Server through data replication.

The steps to install and configure a PGP Universal Server are as follows:

1 Plan where in your network you want to locate your PGP Universal Server(s). Where you put PGP Universal Servers in your network, how many PGP Universal Servers you have in your network, and other factors all have a major impact on how you add them to your existing network.

Create a diagram of your network that includes all network components and shows how email flows; this diagram details how adding a PGP Universal Server impacts your network. For more information on planning how to add PGP Universal Servers to your existing network, see Adding the PGP Universal Server to Your Network (on page 7).

2 Perform necessary DNS changes. Add IP addresses for your PGP Universal Servers, an alias to your keyserver, update the MX record if necessary, add keys.<domain>, hostnames of potential Secondary servers for a cluster, and so on. Make sure both host and pointer records are correct. IP addresses must be resolvable to hostnames, as well as hostnames resolvable to IP addresses. Properly configured DNS settings (including root servers and appropriate reverse lookup records) are required to support PGP Universal Server.

3 Prepare a hardware token Ignition Key. If you want to add a hardware token Ignition Key during setup, install the drivers and configure the token before you begin the PGP Universal Server setup process. See "Protecting PGP Universal Server with Ignition Keys" in the PGP Universal Server Administrator's Guide for information on how to prepare a hardware token Ignition Key.

Note: In a cluster, the Ignition Key configured on the first PGP Universal Server in the cluster will also apply to the subsequent members of the cluster.

4 Install and configure this PGP Universal Server. The Setup Assistant runs automatically when you first access the administrative interface for the PGP Universal Server. The Setup Assistant is where you can set or confirm a number of basic settings such as your network settings, administrator password, server placement option, mail server address and so on. The details of this process are described in Setting Up the PGP Universal Server (on page 31).

Note: If you plan to configure multiple servers as a cluster, you must configure one server first in the normal manner, then add the additional servers as cluster members. You can do this through the Setup Assistant when you install a server that will join an existing cluster, or you can do this through the PGP Universal Server administrative interface. For more information see Cluster Member Configuration (on page 37).

5 License your server. You cannot take a PGP Universal Server out of Learn Mode or install updates until the product is licensed. Once it is licensed, you should check for product updates and install them if found.

For more information, see “Licensing Your Software” in the PGP Universal Server Administrator's Guide. If you want the PGP Universal Server to provide mail proxy services, you must have a PGP Universal Server license with the mailstream feature enabled.

6 If you have a PGP key you want to use as your Organization Key with PGP Universal Server, add it, then back it up. Your Organization Key does two important things: it is used to sign all user keys the PGP Universal Server creates and it is used to encrypt PGP Universal Server backups. This key represents the identity of your organization, and is the root of the Web-of-Trust for your users. If your organization uses PGP Desktop and already has a Corporate Key or Organization Key, and you want to use that key with PGP Universal Server, you should import it as soon as you have configured your server, then create a backup of the key. If your organization does not have an existing key that you want to use as your Organization Key, use the Organization Key the Setup Assistant automatically creates with default values. No matter which key you use as your Organization Key, it is very important to make a backup of the key. Since PGP Universal Server’s built-in back-up feature always encrypts backups to this key, you need to provide a copy of your Organization Key to restore your data. For more information, see “Managing Organization Keys” in the PGP Universal Server Administrator's Guide.

7 If you have a PGP Additional Decryption Key (ADK) that you want to use with PGP Universal Server, import it, then create a backup of the key. An ADK is a way to recover an email message if the recipient is unable or unwilling to do so; every message that is also encrypted to the ADK can be opened by the holder(s) of the ADK, an ideal scenario for a split key. You cannot create an ADK with the PGP Universal Server, but if you have an existing PGP ADK (generated by PGP Desktop; refer to the PGP Desktop User’s Guide for more information), you can add it to your PGP Universal Server and use it. For more information, see “Additional Decryption Key (ADK)” in the PGP Universal Server Administrator's Guide.

8 Create an SSL/TLS certificate or obtain a valid SSL/TLS certificate. The Setup Assistant automatically creates a self-signed certificate for use with SSL/TLS traffic. Because this certificate is self-signed, however, it might not be trusted by email or Web browser clients. PGP Corporation recommends that you obtain a valid SSL/TLS certificate for each of your PGP Universal Servers from a reputable Certificate Authority. This is especially important for PGP Universal Servers that are accessed publicly. Older Web browsers might reject self-signed certificates or not know how to handle them correctly when they encounter them via PGP Universal Web Messenger or Smart Trailer. For more information, see “Organization Certificate” in the PGP Universal Server Administrator's Guide.

9 Configure the Directory Synchronization feature if you want to synchronize an LDAP directory with your PGP Universal Server. Using the Directory Synchronization feature gives you more control over who is included in your SMSA, if you have an existing LDAP server. By default, user enrollment is set to Email enrollment. If you elect to use LDAP directory enrollment, it assumes that you have an LDAP directory configured. You must have an LDAP directory configured and Directory Synchronization enabled for LDAP user enrollment to work. You can change the client enrollment setting for Directory Synchronization from the Directory Synchronization Settings page in the PGP Universal Server administrative interface. For more information, see “Using Directory Synchronization to Manage Users” in the PGP Universal Server Administrator's Guide.

10 Add trusted keys, configure consumer policy, and establish mail policy. All these settings are important for secure operation of PGP Universal Server. For more information on adding trusted keys from outside the SMSA, see “Managing Trusted Keys and Certificates” in the PGP Universal Server Administrator's Guide. For more information, see “Working with Certificates” in the PGP Universal Server Administrator's Guide. For more information about consumer policy settings, see “Administering Consumer Policy.” For information on setting up mail policy, see “Setting Mail Policy.”

Note: When setting policy for Consumers, PGP Universal Server provides an option called Out of Mail Stream (OOMS) support. OOMS specifies how the email gets transmitted from the client to the server when Protector for Mail Encryption Client cannot find a key for the recipient and therefore cannot encrypt the message. OOMS is disabled by default. With OOMS disabled, sensitive messages that can't be encrypted locally are sent to PGP Universal Server "in the mail stream" like normal email. Importantly, this email is sent in the clear (unencrypted). Mail or Network administrators could read these messages by accessing the mail server's storage or monitoring network traffic. However, outbound anti-virus filters, archiving solutions, or other systems which monitor or proxy mail traffic will process these messages normally. You can elect to enable OOMS, which means that sensitive messages that can't be encrypted locally are sent to PGP Universal Server "out of the mail stream." Protector for Mail Encryption Client creates a separate, encrypted network connection to the PGP Universal Server to transmit the message. However, outbound anti-virus filters, archiving solutions, or other systems which monitor or proxy mail traffic will not see these messages.

During your configuration of your PGP Universal Server you should determine the appropriate settings for your requirements. This option can be set separately for each policy group, and is set through the Consumer Policy settings. For more details on the effects of enabling or disabling OOMS, see “Out of Mail Stream Support” in the PGP Universal Server Administrator's Guide.

11 Install and configure additional cluster server members, if appropriate. You can do this through the Setup Assistant when you install a server that will join an existing cluster, or you can do this through the PGP Universal Server administrative interface. Remember that you must configure one server in the normal manner before you can add and configure additional servers as cluster members. For more information, see “Clustering your PGP Universal Servers” in the PGP Universal Server Administrator's Guide.

12 Reconfigure the settings of your email clients and servers, if necessary. Depending on how you are adding the PGP Universal Server to your network, some setting changes might be necessary. For example, if you are using a PGP Universal Server placed internally, the email clients must have SMTP authentication turned on. For PGP Universal Servers placed externally, you must configure your mail server to relay SMTP traffic to the PGP Universal Server.

13 Enable SNMP Polling and Traps. You can configure PGP Universal Server to allow network management applications to monitor system information for the device on which PGP Universal Server is installed and to send system and application information to an external destination. For more information see “Configuring SNMP Monitoring” in the PGP Universal Server Administrator's Guide.

14 Distribute PGP Universal Satellite and/or PGP Desktop to your internal users. If you want to provide seamless, end-to-end PGP message security without the need for any user training, have them use PGP Universal Satellite. Exchange/MAPI and Lotus Notes environments also require the use of PGP Universal Satellite. PGP Desktop provides more features and user control than PGP Universal Satellite. For more information, see “PGP Universal Satellite” and “Configuring PGP Desktop Installations” in the PGP Universal Server Administrator's Guide.

15 Analyze the data from Learn Mode. In Learn Mode, your PGP Universal Server sends messages through mail policy without actually taking action on the messages, decrypts and verifies incoming messages when possible, and dynamically creates a SMSA. You can see what the PGP Universal Server would have done without Learn Mode by monitoring the system logs.

Learn Mode lets you become familiar with how the PGP Universal Server operates and it lets you see the effects of the policy settings you have established before the PGP Universal Server actually goes live on your network. Naturally, you can fine-tune your settings while in Learn Mode, so that the PGP Universal Server is operating just how you want before you go live. For more information, see “Operating in Learn Mode” in the PGP Universal Server Administrator's Guide.

16 Adjust policies as necessary. For example, you might need to revise your mail policy. It might take a few tries to get everything working just the way you want.

17 Perform backups of all PGP Universal Servers before you take them out of Learn Mode. This gives you a baseline backup in case you need to return to a clean installation. For more information, see “Backing Up and Restoring System and User Data” in the PGP Universal Server Administrator's Guide.

18 Take your PGP Universal Servers out of Learn Mode. Make sure you have licensed each of your PGP Universal Servers; you cannot take a PGP Universal Server out of Learn Mode until it has been licensed. Once this is done, email messages are encrypted, signed, and decrypted/verified, according to the relevant policy rules.

19 Monitor the system logs to make sure your PGP Universal Server environment is operating as expected.


3 Open Ports

This chapter lists and describes the ports a PGP Universal Server has open and on which it is listening.

TCP Ports

Port  Protocol/Service
      Comment

21    FTP (File Transfer Protocol)
      Used for transmitting encrypted backup archives to other servers. Data is sent via passive FTP, so port 20 (FTP Data) is not used.

22    SSH (Secure Shell)
      Used for remote shell access to the server for low-level system administration.

25    SMTP (Simple Mail Transfer Protocol)
      Used for sending mail. With a gateway placement, the PGP Universal Server listens on port 25 for both incoming and outgoing SMTP traffic.

80    HTTP (HyperText Transfer Protocol)
      Used to allow user access to the PGP Verified Directory. If the Verified Directory is not enabled, access on this port is automatically redirected to port 443 over HTTPS.

110   POP (Post Office Protocol)
      Used for retrieving mail by users with POP accounts with internal placements only. Closed for gateway placements.

143   IMAP (Internet Message Access Protocol)
      Used for retrieving mail by users with IMAP accounts with internal placements only. Closed for gateway placements.

389   LDAP (Lightweight Directory Access Protocol)
      Used to allow remote hosts to look up public keys of local users.

443   HTTPS (HyperText Transfer Protocol, Secure)
      Used for PGP Desktop and PGP Universal Satellite policy distribution and PGP Universal Web Messenger access.

444   SOAPS (Simple Object Access Protocol, Secure)
      Used for clustering replication messages.

465   SMTPS (Simple Mail Transfer Protocol, Secure)
      Used for sending mail securely with internal placements only. This is a non-standard port used only by legacy mail servers. We recommend not using this port, and instead always using STARTTLS on port 25. Closed for gateway placements.

636   LDAPS (Lightweight Directory Access Protocol, Secure)
      Used to securely allow remote hosts to look up public keys of local users.

993   IMAPS (Internet Message Access Protocol, Secure)
      Used for retrieving mail securely by users with IMAP accounts with internal placements only. Closed for gateway placements.

995   POPS (Post Office Protocol, Secure)
      Used for retrieving mail securely by users with POP accounts with internal placements only. Closed for gateway placements.

9000  HTTPS (HyperText Transfer Protocol, Secure)
      Used to allow access to the PGP Universal Server administrative interface.

UDP Ports

Port  Protocol/Service
      Comment

123   NTP (Network Time Protocol)
      Used to synchronize the system’s clock with a reference time source on a different server.

161   SNMP (Simple Network Management Protocol)
      Used by network management applications to query the health and activities of PGP Universal Server software and the computer on which it is installed.
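The port table above doubles as a baseline for a listener audit: anything listening that the table does not document, or that the table says is closed for your placement, deserves a look. The following is an added example (not PGP Corporation's code) that encodes the table and checks constructed `ss -lntu` style output against it; the placement names and the sample listener lines are assumptions made for the example.

```python
"""Audit a PGP Universal Server's listening ports against the documented table.

Added example, not from the PGP Corporation guide. It encodes the TCP/UDP
port table above and flags listeners that should be closed for the chosen
placement, or that are not documented at all. The "observed" listener lines
are constructed sample output in the style of `ss -lntu`, not real captures.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PortSpec:
    port: int
    proto: str                    # "tcp" or "udp"
    service: str
    internal_only: bool = False   # "Closed for gateway placements" in the table
    legacy: bool = False          # documented, but the guide recommends against it


# TCP and UDP ports exactly as listed in the Open Ports chapter.
DOCUMENTED = (
    PortSpec(21, "tcp", "FTP (backup archives, passive mode)"),
    PortSpec(22, "tcp", "SSH"),
    PortSpec(25, "tcp", "SMTP"),
    PortSpec(80, "tcp", "HTTP (Verified Directory / redirect to 443)"),
    PortSpec(110, "tcp", "POP", internal_only=True),
    PortSpec(143, "tcp", "IMAP", internal_only=True),
    PortSpec(389, "tcp", "LDAP keyserver"),
    PortSpec(443, "tcp", "HTTPS (policy distribution, Web Messenger)"),
    PortSpec(444, "tcp", "SOAPS (cluster replication)"),
    PortSpec(465, "tcp", "SMTPS (legacy)", internal_only=True, legacy=True),
    PortSpec(636, "tcp", "LDAPS keyserver"),
    PortSpec(993, "tcp", "IMAPS", internal_only=True),
    PortSpec(995, "tcp", "POPS", internal_only=True),
    PortSpec(9000, "tcp", "HTTPS administrative interface"),
    PortSpec(123, "udp", "NTP"),
    PortSpec(161, "udp", "SNMP"),
)


def expected_ports(placement):
    """Return the set of (proto, port) that should listen for 'internal' or 'gateway'."""
    if placement not in ("internal", "gateway"):
        raise ValueError("placement must be 'internal' or 'gateway'")
    return {(s.proto, s.port) for s in DOCUMENTED
            if placement == "internal" or not s.internal_only}


# Matches lines such as "tcp   LISTEN 0 128 0.0.0.0:25 0.0.0.0:*";
# only the protocol and the local port are of interest here.
_LISTENER = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+\S+:(\d+)\s")


def parse_listeners(text):
    """Extract the set of (proto, port) from ss-style listener output."""
    found = set()
    for line in text.splitlines():
        m = _LISTENER.match(line.strip())
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found


def audit(observed, placement):
    """Classify observed listeners relative to the documented table."""
    expected = expected_ports(placement)
    by_key = {(s.proto, s.port): s for s in DOCUMENTED}
    report = {"unexpected": set(), "should_be_closed": set(),
              "legacy": set(), "missing": set()}
    for key in observed:
        spec = by_key.get(key)
        if spec is None:
            report["unexpected"].add(key)          # not in the guide's table at all
        elif key not in expected:
            report["should_be_closed"].add(key)    # closed for this placement
        elif spec.legacy:
            report["legacy"].add(key)              # guide prefers STARTTLS on port 25
    report["missing"] = expected - observed        # documented but not listening
    return report


# Constructed sample: a gateway-placed server that still has POP and legacy
# SMTPS listening, plus an undocumented listener on 8080.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:25         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:110        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:465        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:9000       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*
"""

if __name__ == "__main__":
    result = audit(parse_listeners(SAMPLE_SS_OUTPUT), "gateway")
    for kind, ports in result.items():
        print(kind, sorted(ports))
```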


4 Naming your PGP Universal Server

This section describes how and why to name your PGP Universal Server using the keys.<domain> convention.

Considering a Name for Your PGP Universal Server

Unless a valid public key is found locally, PGP Universal Servers automatically look for valid public keys for email recipients by attempting to contact a keyserver at a special hostname, keys.<domain>, where <domain> is the email domain of the recipient.

For example, an internal user at example.com is sending email to “susanjones@widgetcorp.com.” If no valid public key for Susan is found on the Example Corp. PGP Universal Server (keys would be found locally if they are cached, or if Susan was an external user who explicitly supplied her key via the PGP Universal Web Messenger service), it automatically looks for a valid public key for Susan at keys.widgetcorp.com. Naturally, Example’s PGP Universal Server can only find a valid public key for “susan@widgetcorp.com” at keys.widgetcorp.com if the Widgetcorp PGP Universal Server is named using the keys.<domain> convention.

Caution: PGP Corporation strongly recommends you name your PGP Universal Server according to this convention, because doing so allows other PGP Universal Servers to easily find valid public keys for email recipients in your domain. Make sure to name your externally visible PGP Universal Server using this convention. If your organization uses email addresses such as “mingp@example.com” as well as “mingp@corp.example.com,” then you need your PGP Universal Server to be reachable at both keys.example.com and keys.corp.example.com. If you have multiple PGP Universal Servers in a cluster managing an email domain, only one of those PGP Universal Servers needs to use the keys.<domain> convention.

Note: Keys that are found using the keys.<domain> convention are treated as valid and trusted by default.

Alternately, keys.<domain> should be the address of a load-balancing device which then distributes connections to your PGP Universal Server’s keyserver service. The ports that would need to be load-balanced are the ones on which you are running your keyserver service (typically port 389 for LDAP and 636 for LDAPS).

If your PGP Universal Server is behind your corporate firewall (as it should be), you need to make sure that ports 389 (LDAP) and 636 (LDAPS) are open to support the keys.<domain> convention.

If you are administering multiple email domains, you should establish the keys.<domain> convention for each email domain.

Methods for Naming a PGP Universal Server

There are three ways to name your PGP Universal Server to support the keys.<domain> convention:

- Name your PGP Universal Server “keys.<domain>” on the Host Name field of the Network Setup page in the Setup Assistant.
- Change the Host Name of your PGP Universal Server to keys.<domain> using the administrative interface on the Network Settings section of the System > Network page.
- Create a DNS alias to your PGP Universal Server that uses the keys.<domain> convention that is appropriate for your DNS server configuration.

Another acceptable naming convention would be to name your PGP Universal Server according to the required naming convention your company uses, and make sure the server has a DNS alias of keys.<domain>.
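The naming convention above and the DNS requirements from the installation overview (a keys.<domain> name for every email domain you handle, with host and pointer records that agree) can be checked before go-live. The following is an added example, not part of the PGP Corporation guide: it derives the lookup hostname a PGP Universal Server would contact for a recipient and validates a DNS plan against an in-memory zone; the zone records, hostnames and the 192.0.2.10 address are constructed sample data, not real lookups.

```python
"""Check a DNS plan for the keys.<domain> keyserver convention.

Added example, not part of the PGP Corporation guide. It models the two DNS
requirements the guide states: every email domain the server handles needs a
keys.<domain> name that reaches the keyserver (directly or via a DNS alias or
load balancer), and forward (A) and reverse (PTR) records must agree. The
zone data is constructed sample data that stands in for real DNS lookups.
"""


def keyserver_hostname(recipient):
    """Host a PGP Universal Server queries for a recipient with no local key."""
    local, sep, domain = recipient.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % recipient)
    return "keys." + domain.lower()


class Zone:
    """Minimal in-memory resolver holding A, CNAME and PTR records only."""

    def __init__(self, a=None, cname=None, ptr=None):
        self.a = dict(a or {})
        self.cname = dict(cname or {})
        self.ptr = dict(ptr or {})

    def resolve(self, name, depth=0):
        """Follow CNAME aliases (bounded) and return the IP, or None."""
        name = name.lower().rstrip(".")
        if depth > 8:
            return None  # CNAME loop or an unreasonably deep chain
        if name in self.a:
            return self.a[name]
        if name in self.cname:
            return self.resolve(self.cname[name], depth + 1)
        return None

    def reverse(self, ip):
        return self.ptr.get(ip)


def check_keyserver_dns(zone, email_domains, server_ips):
    """Return a list of problems; an empty list means the plan is consistent.

    server_ips: addresses of your PGP Universal Servers, or of the load balancer
    in front of their keyserver service, which the guide also allows.
    """
    problems = []
    for domain in email_domains:
        name = keyserver_hostname("user@" + domain)
        ip = zone.resolve(name)
        if ip is None:
            problems.append("%s does not resolve" % name)
        elif ip not in server_ips:
            problems.append("%s resolves to %s, not a PGP Universal Server" % (name, ip))
    # Host and pointer records must agree for every server address.
    for ip in server_ips:
        host = zone.reverse(ip)
        if host is None:
            problems.append("no PTR record for %s" % ip)
        elif zone.resolve(host) != ip:
            problems.append("PTR for %s names %s, which does not resolve back to it"
                            % (ip, host))
    return problems


# Constructed sample: Example Corp. handles example.com and corp.example.com,
# the server's real hostname is pgp-1.example.com, and the alias for the
# second email domain was forgotten.
SAMPLE_ZONE = Zone(
    a={"pgp-1.example.com": "192.0.2.10"},
    cname={"keys.example.com": "pgp-1.example.com"},
    ptr={"192.0.2.10": "pgp-1.example.com"},
)

if __name__ == "__main__":
    print(keyserver_hostname("susanjones@widgetcorp.com"))
    for p in check_keyserver_dns(SAMPLE_ZONE,
                                 ["example.com", "corp.example.com"],
                                 ["192.0.2.10"]):
        print("problem:", p)
```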

5 Installing the PGP Universal Server

This section describes how to set up your PGP Universal Server; it lists the system requirements and provides step-by-step instructions on how to install the software. For a higher-level view of this process, see Installation Overview (on page 10).

About Installation

Install and test the installation in a lab or staging environment before integrating the PGP Universal Server into your network. Every PGP Universal Server requires a dedicated computer that meets the system requirements below. Installation deletes all data on the system and reconfigures it as a PGP Universal Server. PGP Universal Server is a customized Linux installation; it cannot be installed on a Windows server.

Warning: Make sure all data on the system is backed up before you begin the installation.

Note: PGP Corporation strongly recommends locating your PGP Universal Servers in secured areas with restricted access. Only authorized individuals should be granted physical access to PGP Universal Servers.

The installation software is included on the Server Installation DVD, which also includes documentation, software license, Release Notes, and PGP Universal Satellite and PGP Desktop software installers.

System Requirements

For the latest system requirements, see the PGP Universal Server Release Notes. You must install the PGP Universal Server software on PGP Universal Server Certified Hardware. You can find the latest PGP Universal Server Certified Hardware List available on PGP Corporation's website (www.pgp.com, http://www.pgp.com/support/).

Installing on a VMWare ESX Virtual Machine

The PGP Universal Server version 3.0 can be installed on a virtual machine running under VMWare ESX 3.x or ESX 4.0 Server. PGP Universal Server requires a virtual machine to be created on the host VMWare ESX server. The following instructions assume that VMWare ESX is fully installed, and that you are an administrator with sufficient privileges to perform the required functions.

Note: Using PGP Universal Server with vMotion is not supported at this time.

PGP Corporation recommends configuring the VMWare hardware as if configuring a physical server.

- Use the New Virtual Machine Wizard to create the new virtual machine.
- Guest operating system: this must be set to Linux: Other Linux kernel 2.6 (32 bit). This is a required setting.
- Virtual CPUs: PGP Corporation recommends configuring at least two virtual CPUs for PGP Universal Server.
- Memory: PGP Corporation recommends the following minimums:
  - 2048MB (2GB) of memory on a Single Server instance
  - 4096MB (4GB) on a two Server Cluster configuration
  - For additional servers, even more memory is recommended.
  The minimum requirements may also increase depending upon the features in use upon the PGP Universal Servers, such as Gateway Email, PGP Whole Disk Encryption or PGP NetShare.
- I/O Adapter type: LSI Logic SCSI Adapter. This is a required setting. PGP Universal Server does not support the BusLogic SCSI Adapter, and configuring your virtual machine using it will cause a partitioning error during PGP Universal Server installation.

The remaining options can be configured as appropriate.

VMWare Tools Installation for PGP Universal Server

After PGP Universal Server installation, you must install the set of VMWare Tools. This is done by running a script via the console:

1 Log in to the server as root.

2 Run one of the following scripts, depending on whether you are running ESX 3.5 or ESX 4.0:
  - If you are running ESX 3.5:
    # /usr/bin/install-vmware-tools.sh --version 3.5
  - If you are running ESX 4.0:
    # /usr/bin/install-vmware-tools.sh --version 4.0

3 Reboot the server.

4 During the reboot, the console messages should indicate that the VMWare modules have been loaded correctly ("[OK]"). Confirm that the modules have been installed:
  # lsmod | grep vm
  This should list four vmware modules for ESX 3.5, and six for ESX 4.0.

5 Confirm that the appropriate processes are running:
  # chkconfig --list vmware-tools
  This will show if the VMWare modules are correctly set to load during system startup: they should be ON for runlevel 3.
  # ps aux | grep guestd
  This should show that /usr/sbin/vmware-guestd is running.

Installation Materials

PGP Universal Server is distributed on a single DVD. Use this DVD to install the server on PGP Universal Server Certified Hardware. The DVD also contains PGP Universal Server documentation and PGP Universal Satellite and PGP Desktop software installers.

Installation Options

Note: Your system must be set to boot from the DVD in order to perform this installation.

When you insert the installation DVD and reboot the server, you can choose among several installation boot options. The default option (customnet) installs the PGP Universal Server using a standard partitioning scheme and configures the network settings based on your inputs during the installation process. PGP Corporation recommends you perform the default installation to ensure that your PGP Universal Server will run properly when you have finished.

If you choose to run the default installation, during installation you are asked to provide the following information for the PGP Universal Server:

- IP address
- Subnet mask
- Default gateway
- DNS information
- Hostname

If you provide the network information during installation, it is pre-loaded into the Setup Assistant. The default installation also simplifies the steps necessary to connect to the PGP Universal Server to continue with the setup. For instructions, see Default Installation Procedure (on page 26).

Other installation boot options provide various combinations of installation and configuration steps, which are best suited for expert system administrators. These options may make it more complicated to connect to and continue setting up your PGP Universal Server. If you are considering one of these installation boot options, please consult with your PGP Technical Support representative. For more information about these options, see Alternate Installation Procedures (on page 28).

You can have the installation program verify the contents of the DVD prior to beginning the installation itself, if you suspect there may be problems with the DVD (this is not usual). The mediacheck boot option provides for this. For more information, see Performing a Media Verification on your DVD (on page 28).

Default Installation Procedure

To install the PGP Universal Server software using the default installation

1 Set up the system that will be hosting the server in a secure location.

2 Attach a keyboard and monitor to the server on which you are installing PGP Universal Server.

3 Make sure the system is set to boot from the DVD.

4 Insert the PGP Universal Server Installation DVD into the drive.

5 Reboot the system. When the system reboots, the install begins.

6 At the prompt, you can either:
  - Press Enter to run the default installation without verifying the DVD, or
  - Type customnet mediacheck and Enter to perform a DVD verification prior to the installation, if you suspect the media may not be valid (this is not usual).

For details of the mediacheck procedure see Performing a Media Verification on your DVD (on page 28).

The pre-installation runs for approximately 2 minutes. When the pre-installation is finished, the Network Configuration screen appears. A warning appears stating that the installation process will erase and repartition the system's disk. You can cancel the installation at this point.

7 Select Continue to acknowledge this warning and proceed with the installation, or Cancel to terminate the installation.

8 If your system contains multiple network interfaces, these are presented in a list. Notice that all the network interfaces are set to "Active on boot." If you plan to use multiple interfaces, you should configure them all with IP addresses during this installation step. If you have more than one network interface, highlight the network interface you want to configure and select Edit. The fields for entering the IP address and Netmask appear.

9 Type the IP address and Prefix/Netmask for the selected network interface, and select OK. You can enter the Netmask in either dotted quad notation (for example, 255.255.255.0) or in Classless Inter-Domain Routing (CIDR) notation (/24).

10 Select OK to return to the list of network interfaces. Note that as you configure each interface, its IP address appears in the list of interfaces.

11 When you have configured the IP address and Netmask for all the network interfaces, select OK to continue. The Miscellaneous Network Settings screen appears.

12 Type the IP addresses of the Gateway, Primary DNS, and Secondary DNS, if necessary, and select OK. The Hostname Configuration screen appears.

13 Type the Hostname for the PGP Universal Server. The hostname must be the name of the first network interface, as the PGP Universal Server listens on the first interface by default. PGP Corporation strongly recommends you name your externally visible PGP Universal Server according to the keys.<domain> convention, which allows other PGP Universal Servers to easily find valid public keys for email recipients in your domain. For more information, see Naming your PGP Universal Server (on page 21).

Installation takes approximately 15 minutes, depending on the speed of your disk and type of processor. When the software is installed, the system automatically ejects the DVD and reboots. After the system reboots, a login prompt appears. Do not log in here; you do not need to log in to complete the setup.

14 Connect to the server through the Setup Assistant browser interface at https://<hostname>:9000 or https://<IP address>:9000. To continue with the installation and setup, see Initial Configuration with Setup Assistant (on page 32).

Performing a Media Verification on your DVD

Before beginning the PGP Universal Server software installation, you can verify that the media from which you are installing is error-free. You do this by adding the mediacheck keyword to your installation command.

1 For the normal installation, select OK. For instructions about performing this installation, see Default Installation Procedure (on page 26).

2 To verify the DVD, type customnet mediacheck and Enter to perform a DVD verification prior to the installation.

3 If you elect to perform the media verification, a screen appears asking if you want to perform the check, or skip it. Select Test to test the current DVD. (Select Skip to continue on to the next PGP Universal Server software installation step.)

4 If the DVD passes the check, select OK to continue with the software installation. If the DVD does not pass, you can elect to eject the DVD and test another one.

Alternate Installation Procedures

The PGP Universal Server installation provides a variety of installation options, depending on the special needs of your installation. These enable different options for partitions, driver installation, and network configuration.

- Press F2 at the initial prompt after the installation process has begun to access the alternate installation options.

The following installation options are available:

- customnet. The default option: it clears the disk partitions and creates default partitions, then prompts for network configuration information.
- standard. Clears the disk partitions and makes default partitions. Prompts for network configuration information.
- ks. The same as standard, but does not make default partitions.
- pgp. Clears disk partitions, but does not make default partitions. Assigns IP address 192.168.1.100.

- expert. Clears disk partitions, but does not make default partitions, and prompts for a driver disk. Prompts for network configuration information.
- noautopart. Clears disk partitions, but does not make default partitions. Allows partitioning of removable media. Assigns IP address 192.168.1.100.
- memtest86. Does not perform the installation, but runs memtest86+ to test the RAM of the system. This test is recommended if you are installing on new hardware that has not been used previously.

All these installation options configure your network settings as part of the installation process. You can perform a media verification prior to running the installation by including the mediacheck keyword after any of these installation commands. For more information, see Performing a Media Verification on your DVD (on page 28).

Caution: Some of these options may make it more complicated to connect and continue the configuration using a web browser. PGP Corporation strongly recommends that you consult your PGP Technical Support representative before you attempt to use an alternate installation procedure.

Preparing for Setup after pgp Install

If you chose the default installation option (customnet) or the standard, ks, or expert options, go to Initial Configuration with Setup Assistant (on page 32). If you chose the pgp or noautopart installation, you must gather materials and information before you can continue with the setup.

Hardware

To configure your PGP Universal Server using the Setup Assistant you must have the following:

- A Windows or Mac OS X computer to connect to the PGP Universal Server using a Web browser so that you can run the Setup Assistant.
- A crossover Ethernet cable to connect a Windows or Mac OS X computer to the PGP Universal Server.

System Information

You also need some information to configure your PGP Universal Server:

- Connect through the temporary IP address and subnet of the newly installed PGP Universal Server, which will be used for the initial configuration portion of the Setup Assistant:

  IP: 192.168.1.100:9000
  Subnet: 255.255.255.0
  Use this data to connect to the PGP Universal Server you are configuring in the initial configuration portion of the Setup Assistant.
- An IP address, name, gateway, and DNS server information for the PGP Universal Server.
- A license or license authorization from PGP Corporation. Which one you need depends on your Internet connection:
  - If your PGP Universal Server can connect to the PGP Licensing Server over the Internet, the license server authorizes your PGP Universal Server license.
  - If your PGP Universal Server cannot connect to the PGP Licensing Server over the Internet, you need the License Authorization file to correctly license your PGP Universal Server. The License Authorization file is a text file you need during the configuration process.
- You may also need other data, such as your Organization Key or a saved backup, depending on the type of setup you are performing.

Connect to the PGP Universal Server

Connect to the PGP Universal Server to continue the installation and setup. You need a crossover Ethernet cable when connecting to the PGP Universal Server, before the PGP Universal Server is available via a Web browser. Configure the client computer with a fixed IP address and access the PGP Universal Server from this computer.

1 Configure the client computer:
  IP: 192.168.1.99
  Subnet: 255.255.255.0
  If you are using a Mac OS X client computer, you can save this temporary setup as a separate location in Network Preferences (such as “setup”) for future use.

2 Continue setup as described in the section Initial Configuration with Setup Assistant (on page 32).

6 Setting Up the PGP Universal Server

This section describes how to access and use the Setup Assistant, which is a set of screens you use to configure your PGP Universal Server.

About the Setup Assistant

The Setup Assistant only appears the first time you access the PGP Universal Server. The Setup Assistant displays a series of screens that ask you questions about your network and about how you want your PGP Universal Server to work; the Setup Assistant uses the answers to those questions to configure your PGP Universal Server. In many cases, the Setup Assistant performs the majority of the configuration for your PGP Universal Server. You can change any settings you establish with the Setup Assistant anytime after you run it using the administrative interface of the PGP Universal Server; you can also use the administrative interface to configure those features not covered in the Setup Assistant.

The Setup Assistant supports four types of setups:

- New Installation. You are configuring a PGP Universal Server to be your only PGP Universal Server or the first server in a cluster.
- Cluster Member. This PGP Universal Server will join an existing cluster.
- Restore. You are restoring backed-up data from another PGP Universal Server onto a new PGP Universal Server. You need the backed-up data file and the Organization Key used to encrypt the backup file. For more information about configuring a PGP Universal Server with data from a backup, see the PGP Universal Server Upgrade Guide.
- Keyserver. You are migrating the keys and data from a PGP Keyserver to a PGP Universal Server. For more information about configuring a PGP Universal Server with the keys from a PGP Keyserver, see the PGP Universal Server Upgrade Guide.

All four setup types have a common beginning: you read the End User License Agreement, specify the type of setup, and configure the network settings for your PGP Universal Server, then the PGP Universal Server is restarted. Once the PGP Universal Server is restarted, you can connect to it via a Web browser and continue with the rest of the Setup Assistant.

Initial Configuration with Setup Assistant
The Setup Assistant guides you through establishing the PGP Universal Server's network configuration and setup type. After the software installs and the server restarts, you can connect to the PGP Universal Server via a Web browser at the configured IP address and finish running the Setup Assistant.

1 Open a Web browser and connect to the PGP Universal Server:
  ƒ If you chose the default installation (customnet) or the standard, ks, or expert installation options, connect to https://<hostname>:9000, using the hostname or IP address you assigned to the PGP Universal Server.
  ƒ If you chose the pgp or noautopart installation, and you are using a client computer with a fixed IP address, as explained in the section Preparing for Setup after pgp Install (on page 29), connect to https://192.168.1.100:9000.
  The Welcome screen of the Setup Assistant appears.
2 Read the text, then click the Forward arrow to continue. The End User License Agreement screen appears.
3 Read the text of the License Agreement, then click the I Agree button at the end of the agreement. The Setup Type screen appears.
4 Make the appropriate selection:
  ƒ Select New Installation if this is a new PGP Universal Server installation, and this server will be the only PGP Universal Server in your network, or it will be the first server in a cluster.
  ƒ Select Cluster Member if this PGP Universal Server will join an existing PGP Universal Server cluster. You must have one PGP Universal Server already installed and configured before you can install a second PGP Universal Server as a cluster member. The initial PGP Universal Server acts as the sponsor for the second PGP Universal Server, and must initiate an Add Cluster Member request for the cluster member you plan to install. For more information, see "Clustering your PGP Universal Servers" in the PGP Universal Server Administrator's Guide.
  ƒ Select Restore if you want to restore the data from a server backup. You need your Organization Key and access to the backup file to proceed with this installation. For more information, see the PGP Universal Server Upgrade Guide.
  ƒ Select Keyserver if you want to migrate the keys on an existing PGP Keyserver to the PGP Universal Server you are configuring. For more information, see the PGP Universal Server Upgrade Guide.
5 Click the Forward arrow to continue. The Date & Time screen appears. Your server performs many time-based operations, so it is important to set up the correct time.

6 From the Time Zone menu, select your location.
7 Choose Time Format and Date Format settings.
8 Set the correct Time and Date.
9 Optionally, specify an NTP time server in the NTP Server field. The PGP Universal Server automatically synchronizes the time when the Setup Assistant is finished.
10 Click the Forward arrow to continue. The Network Setup screen appears.
11 If you chose the standard installation, this information is already present. Otherwise, type the appropriate information:
  a In the Hostname field, type a name for this PGP Universal Server. This must be a fully-qualified domain name of the external, untrusted interface. PGP Corporation strongly recommends you name your externally visible PGP Universal Server according to the keys.<domain> convention, which allows other PGP Universal Servers to easily find valid public keys for email recipients in your domain. For example, Example Corporation names its externally visible PGP Universal Server "keys.example.com." For more information, see Naming your PGP Universal Server (on page 21).
  b In the IP Address field, type an IP address for this PGP Universal Server.
  c In the Subnet Mask field, type a subnet mask for this PGP Universal Server.
  d In the Gateway field, type the IP address of the default gateway for the network.
  e In the DNS Servers field, type the IP address(es) of the DNS servers for your network.
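Before typing the Network Setup values, it is worth checking them for consistency: a hostname that is not fully qualified, a gateway outside the server's subnet, or a mistyped DNS address each surface only after the server has restarted with the new settings. The following Python pre-flight check is an added example and not PGP Corporation code; the 192.0.2.0/24 addresses and example.com names it uses are constructed, and the keys.<domain> convention is reported as a warning rather than an error because the guide only recommends it.

```python
"""Pre-flight check for the Setup Assistant's Network Setup values.

Added example, not PGP Corporation code. It validates the five fields the
Network Setup screen asks for (hostname, IP address, subnet mask, gateway,
DNS servers) before they are typed into the assistant: the hostname must be
a fully-qualified domain name, the keys.<domain> convention is reported as a
warning when not followed, and the gateway must lie in the server's subnet.
All sample values are constructed for illustration.
"""
import ipaddress
import re

# RFC 1123 host label: 1-63 alphanumerics or hyphens, not starting or ending with "-"
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(hostname: str) -> bool:
    """True for a fully-qualified name such as keys.example.com (at least two valid labels)."""
    name = hostname.rstrip(".")
    labels = name.split(".")
    return len(labels) >= 2 and len(name) <= 253 and all(_LABEL.match(lbl) for lbl in labels)


def follows_keys_convention(hostname: str, primary_domain: str) -> bool:
    """True when the externally visible hostname is keys.<primary_domain>."""
    return hostname.rstrip(".").lower() == f"keys.{primary_domain.strip('.').lower()}"


def check_network_setup(hostname, ip_address, subnet_mask, gateway, dns_servers, primary_domain):
    """Return (errors, warnings); an empty errors list means the form is internally consistent."""
    errors, warnings = [], []

    if not is_fqdn(hostname):
        errors.append(f"hostname {hostname!r} is not a fully-qualified domain name")
    elif not follows_keys_convention(hostname, primary_domain):
        warnings.append(f"hostname {hostname!r} does not follow the keys.{primary_domain} convention")

    try:
        iface = ipaddress.IPv4Interface(f"{ip_address}/{subnet_mask}")
    except ValueError as exc:
        errors.append(f"invalid IP address/subnet mask: {exc}")
        return errors, warnings  # nothing further can be checked without a valid subnet

    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        errors.append(f"{ip_address} is the network or broadcast address of {net}")

    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        errors.append(f"invalid gateway address {gateway!r}")
    else:
        if gw not in net:
            errors.append(f"gateway {gateway} is not inside subnet {net}")
        elif gw == iface.ip:
            errors.append("gateway must not be the server's own address")

    if not dns_servers:
        errors.append("at least one DNS server is required")
    for server in dns_servers:
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            errors.append(f"invalid DNS server address {server!r}")

    return errors, warnings


if __name__ == "__main__":
    # Constructed sample matching the guide's naming advice for Example Corporation.
    errs, warns = check_network_setup("keys.example.com", "192.0.2.10", "255.255.255.0",
                                      "192.0.2.1", ["192.0.2.53"], "example.com")
    print("errors:", errs, "warnings:", warns)
```

Run it with the values you intend to type; fix every error before proceeding, and treat the keys.<domain> warning as a prompt to reconsider the hostname unless you have a reason to deviate.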

12 Click the Forward arrow to continue. The Proxy Configuration page appears. If your PGP Universal Server has a direct Internet connection, or you want to set up a proxy server configuration at a later time, click Skip and go on to step 14.
  If your PGP Universal Server does not have a direct Internet connection, you can still receive licensing authorization and automatic system software updates from PGP Corporation through an HTTP proxy server. Configure the proxy server to authenticate and authorize the PGP Universal Server, and to proxy HTTP traffic for updates and license authorization requests. Make sure the proxy access list and authentication parameters are correct. The proxy server must also be able to contact and relay HTTP traffic to and from PGP Corporation.
13 Type in the following proxy server information:
  ƒ Hostname/IP
  ƒ Port number
  ƒ Username (optional)
  ƒ Passphrase (optional)
14 Click the Forward arrow to continue. The Confirmation screen appears.
15 Make sure the information is correct, then click Done. Click the Back arrow if you need to go back and make any changes. The Network Configuration Changed dialog box appears, while the server restarts automatically. If you chose the default installation (customnet) or the standard, ks, or expert installation options, skip step 15 and go on to the next section. If you chose the pgp or noautopart installation, go on to the next step. At this point, your PGP Universal Server has accepted the new network settings you typed, so you can disconnect the temporary setup.
16 Disconnect the cable between the client computer and the PGP Universal Server, return the settings of the client computer back to what they were, connect the two computers back to the original network, and continue with the Setup Assistant.

Configuring a New Installation
1 After the PGP Universal Server has rebooted, log in again to the administrative interface. If you selected New Installation as the configuration type for the PGP Universal Server, after reboot the Licensing page appears automatically.
2 If you want to license your PGP Universal Server at a later time, click Skip, and go on to step 6. You can add your license later through the PGP Universal Server's administrative interface.
3 To license your PGP Universal Server at this step, type your PGP Universal Server license information, then click the Forward arrow. If your PGP Universal Server has an active connection to the Internet, the PGP Universal Server license is authorized.
4 If your PGP Universal Server does not have an active connection to the Internet, and you did not previously provide proxy server configuration during setup, you need to enter your license authorization information; click Manual. The Manual Licensing page appears, where you can paste your license authorization block into the field provided. You can also click Skip from this page to skip the licensing step.
5 Type the appropriate license information, paste your license authorization information in the License Authorization box, then click the Forward arrow. The Administrator Name & Passphrase page appears.
6 On the Administrator Name & Passphrase page, type the administrator's login name in the Login Name field.
7 In the Passphrase field, type the administrator's passphrase.
8 In the Confirm field, type the same passphrase.
9 In the Email Address field, type the administrator's email address. This is optional and enables the administrator to receive a daily status email.
10 Click the Forward arrow to continue. The Mail Processing page appears.
11 Specify the placement of this PGP Universal Server in your network:
  ƒ Select Gateway Placement if your PGP Universal Server is logically located between your mail server and the Internet.
  ƒ Select Internal Placement if your PGP Universal Server is logically located between your email users and your mail server, or if your PGP Universal Server is out of the mailstream.
12 Click the Forward arrow to continue. The Mail Server Selection page appears.
13 In the Mail Server field, type the hostname or IP address of the mail server that this PGP Universal Server interacts with.
14 In the Proxy Server field, type an optional additional mail server to which all outbound mail is sent. This only applies if you are installing your PGP Universal Server in gateway placement.
15 In the Primary Domain field, type the email domain that the PGP Universal Server manages.
16 Click the Forward arrow to continue. The Ignition Keys page appears.
  Ignition Keys protect the data on your PGP Universal Server if an unauthorized person gets control of it. The Passphrase Ignition Key page is shown here. If you want to use a hardware Ignition Key, prepare the token before you add it to the system here. See "Protecting PGP Universal Server with Ignition Keys" in the PGP Universal Server Administrator's Guide for information on how to prepare a hardware token Ignition Key.
  Note: If this PGP Universal Server will be used as the initial member of a cluster, this Ignition Key will be replicated to all additional cluster members. New cluster members sponsored by this PGP Universal Server will be initially locked with this Ignition Key.
  Click Skip to proceed with the Setup Assistant without configuring an Ignition Key.
17 To configure an ignition key, select the type of Ignition Key you would like to use, then click the Forward arrow. The appropriate Ignition Key page appears.
18 Type a name for the Ignition Key, a passphrase, confirm the passphrase, then click the Forward arrow. The Backup Organization Key page appears. The PGP Universal Server generates an Organization Key for you. For information about the Organization Key and Organization Certificate, see "Managing Organization Keys" in the PGP Universal Server Administrator's Guide. If you want to generate an S/MIME Organization Certificate, do so immediately after finishing setup.
19 Type and confirm a passphrase to protect the Organization Key (optional, but strongly recommended), then click Backup Key to back up the key. To skip backing up your Organization Key (not recommended), click Forward without backing up the key. Be aware that without a backup of your Organization Key, you cannot restore your PGP Universal Server from backed-up data.
20 Click the Forward arrow to continue. The Confirmation page appears. This page summarizes the configuration of your PGP Universal Server.
21 Click Done to finish setup. The Configuration Changed page appears, and the server restarts automatically. You are redirected to the administrative interface of the PGP Universal Server you just configured. Your PGP Universal Server is initially configured in Learn Mode. For more information, see "Operating in Learn Mode" in the PGP Universal Server Administrator's Guide.

Configuring a Cluster Member
Note: In order to set up a PGP Universal Server as a cluster member, it must be sponsored by an existing PGP Universal Server. On the sponsoring server, the Administrator must perform an Add Cluster Member request, specifying the server that will be joining the cluster. The joining server is then added as a pending member of the cluster, with a Contact button available that allows the sponsor to initiate the join process. See "Clustering your PGP Universal Servers" in the PGP Universal Server Administrator's Guide for more detailed instructions on adding a cluster member.

1 After the PGP Universal Server has rebooted, log in again to the administrative interface. If you selected Cluster Member as the configuration type for the PGP Universal Server, the Licensing page appears automatically.
2 If you want to license your PGP Universal Server at a later time, click Skip, and go on to step 5. You can add your license later through the PGP Universal Server's Administrative interface.
3 To license your PGP Universal Server at this step, type your PGP Universal Server license information, then click the Forward arrow. If your PGP Universal Server has an active connection to the Internet, the PGP Universal Server license is authorized.
4 If your PGP Universal Server does not have an active connection to the Internet, and you did not previously provide proxy server configuration during setup, you need to enter your license authorization information; click Manual. The Manual Licensing page appears, where you can paste your license authorization block into the field provided.
5 Type the appropriate license information, paste your license authorization information in the License Authorization box, then click the Forward arrow. The Join Cluster page appears.
6 Type the Hostname or IP Address of the PGP Universal Server that is acting as the sponsor for this joining server, then click the Forward arrow. The sponsoring PGP Universal Server must initiate an Add Cluster Member request, specifying the PGP Universal Server you are installing as a cluster member (the joining server).

The PGP Universal Server again reboots, and then the Waiting for Cluster Host page appears. This message continues to be displayed until an administrator logs into the sponsoring server's administrative interface, and clicks the Contact button to initiate the join with this server you are installing. When contact is received from the sponsoring PGP Universal Server the Waiting message is replaced by the Replicating Cluster Data page. This displays a progress bar that indicates the progress of the data replication process. The configuration settings for the PGP Universal Server you are installing as a cluster member (administrator login and password, primary domain, ignition key (if any)) are replicated from the sponsoring server. When the replication process is complete, the PGP Universal Server administrative interface Login page is displayed.

Important: If the sponsoring server was configured to use an Ignition Key, that key is replicated to this PGP Universal Server and thus when the server restarts it is automatically locked, and must be unlocked using the ignition key or organization key (also a global key).

Note: The replication process has copied many of the configuration settings from the sponsor PGP Universal Server, including proxy and policy settings. However, Mail processing is not enabled on the cluster member after it is installed. To enable it you must configure one or more mail proxies on the cluster member. Mail domains and the mail placement setting are global; proxies are local to each PGP Universal Server that want to process email. In a New Installation configuration, your PGP Universal Server is initially configured in Learn Mode. Learn Mode is a global setting and therefore the Learn mode setting will be determined by the setting as replicated from the sponsoring server. For more information, see "Operating in Learn Mode" in the PGP Universal Server Administrator's Guide.

Restoring From a Server Backup
To configure a PGP Universal Server with the data from the backup, you need to have both the appropriate backup file and the Organization Key on the setup computer. Restoring from a backup restores everything configured, as well as keys and user information. This includes the administrator login name(s) and password(s), and a number of other settings. For information on configuring a PGP Universal Server with the data from a backup, see the PGP Universal Server Upgrade Guide.

Migrating the Keys from a PGP Keyserver
Migrating keys on an old PGP Keyserver to a PGP Universal Server includes two steps: getting the keys out of the PGP Keyserver into a format that can be imported into a PGP Universal Server, then using the Setup Assistant to configure a PGP Universal Server and add the PGP keys from the PGP Keyserver.

Note: You can find more information online about moving to PGP Universal Server at the PGP Corporation website.

7 Configuration Examples
This section shows and describes potential configurations for PGP Universal Server:
ƒ Internal Placement Configuration (on page 41)
ƒ Gateway Placement Configuration (on page 42)
ƒ Non-mailstream Placement Configuration (on page 43)
ƒ Cluster Configuration (on page 44)
ƒ Clustered Proxy and Keyserver Configuration (on page 45)
ƒ Gateway Cluster with Load Balancer (on page 47)
ƒ Gateway and Internal Placement Cluster (on page 48)
ƒ Encircled Configuration (on page 50)
ƒ Large Enterprise Configuration (on page 51)
ƒ Spam Filters and PGP Universal Server (on page 52)
ƒ Exchange with PGP Client Software (on page 53)
ƒ Lotus Domino Server with PGP Client Software (on page 54)
ƒ Unsupported Configurations (on page 54)

Internal Placement Configuration
In this example, Example Corporation has one main office but wants to support external email users.

By placing the server in the DMZ, the company can use an internal placement (which means its messages are encrypted even while on its mail server) and still support external email users via Smart Trailers, PGP Universal Web Messenger mail, or PGP Universal Satellite.

1 PGP Universal Server internally placed
2 Example Corp. email users
3 Example Corp. email server
4 External email user
5 Logical flow of data
6 Example Corp. internal network

Settings for 1:
Server type: New Installation
Mail processing: Internal placement
Hostname: mail.example.com
Mail server: mail-1.example.com
IP Address, Subnet Mask, Gateway, and DNS Servers: As appropriate

Notes: Change mail.example.com to mail-1.example.com and the PGP Universal Server becomes mail.example.com. Create a DNS alias for keys.example.com to also point to the PGP Universal Server. End users might require no changes to their configuration. SMTP Authentication might need to be enabled for end users.

Gateway Placement Configuration
In this example, Example Corporation has its PGP Universal Server in a gateway placement.

Gateway placement also supports external email users via Smart Trailers or PGP Universal Web Messenger mail.

1 PGP Universal Server gateway placement
2 Example Corp. email users
3 Example Corp. email server
4 Example Corp. DMZ
5 External email user
6 Logical flow of data
7 Example Corp. internal network

Settings for 1:
Server type: New Installation
Mail processing: Gateway placement
Hostname: mail-gw.example.com
Mail server: mail.example.com
IP Address, Subnet Mask, Gateway, and DNS Servers: As appropriate

Notes: Add or modify the MX record for example.com to point to PGP Universal Server's IP address on mail-gw.example.com. Also in DNS, create an alias keys.example.com that points to mail-gw.example.com. Mail server must be configured to relay through the PGP Universal Server.

Non-mailstream Placement Configuration
In this example, Example Corporation has a PGP Universal Server placed outside the mailstream. This is a common configuration for a PGP Universal Server managing client installations without PGP Gateway Email. The PGP Universal Server integrates with PGP Desktop to provide automated user enrollment and real-time end-user security policy management.

1 PGP Universal Server policy/management
2 Example Corp. PGP Desktop & email users
3 Example Corp. email server
4 Example Corp. DMZ
5 External email user
6 Logical flow of data
7 Example Corp. internal network

Settings for 1:
Server type: New Installation
Mail processing: None
IP Address, Subnet Mask, Gateway, and DNS Servers: As appropriate

Notes: PGP Universal Server is outside of mailstream. All encryption, decryption, signing, and verification is done through PGP Desktop.

Cluster Configuration
In this example, Example Corporation has a cluster, with multiple PGP Universal Servers proxying messages on its internal network, and another server in the DMZ that performs keyserver and PGP Universal Web Messenger functions only.

1 PGP Universal Server Keyserver/Web Messenger
2 Example Corp. email server
3 Logical flow of data

4 Example Corp. internal network
5 Manufacturing - PGP Universal Server internally placed
6 Development - PGP Universal Server internally placed
7 Administration - PGP Universal Server internally placed
8 Example Corp. DMZ

Notes: One internally placed PGP Universal Server configured as the first server in the cluster, the other and the keyserver configured as cluster members. No mail proxies configured on the keyserver. Mail server does not relay through the keyserver PGP Universal Server. Cluster port (444) on firewall between the internally placed servers and the keyserver must be opened.

Clustered Proxy and Keyserver Configuration
In this example, Example Corporation has a cluster, with one PGP Universal Server proxying messages on its internal network, and another server in the DMZ that performs keyserver and PGP Universal Web Messenger functions only.

1 PGP Universal Server internally placed
2 PGP Universal Server Keyserver/Web Messenger
3 Example Corp. email users
4 Example Corp. email server
5 Example Corp. DMZ
6 External email user
7 Logical flow of data
8 Example Corp. internal network

Settings for 1:
Server type: New Installation (first server in cluster)
Mail processing: Internal placement
Hostname: mail.example.com
Mail server: mail-1.example.com
IP Address, Subnet Mask, Gateway, and DNS Servers: As appropriate

Settings for 2:
Server type: Cluster Member
Mail processing: Disabled
Hostname: keys.example.com
IP Address, Subnet Mask, Gateway, and DNS Servers: As appropriate

Notes: mail.example.com becomes mail-1.example.com. PGP Universal Server becomes mail.example.com. Mail server does not relay through 2. Cluster port (444) on firewall between the two servers must be opened. To support external users via PGP Universal Web Messenger, designate the keyserver as a PGP Universal Web Messenger server.
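The DNS changes that the gateway placement and clustered keyserver examples above call for (an MX record for the domain pointing at the externally visible server, and a keys.<domain> name that reaches the same host) are easy to get subtly wrong: an MX whose target is a CNAME is not a valid MX target, and a keys alias left pointing at the old mail server sends other PGP Universal Servers to the wrong place when they look up your recipients' keys. The following Python check is an added example and not PGP Corporation code; the zone-as-dictionary shape, the 192.0.2.0/24 and 10.0.0.0/8 addresses and the record contents are all constructed to mirror the Gateway Placement Configuration (a real check would query your resolver for the same records).

```python
"""Check the DNS records the gateway placement examples call for.

Added example, not PGP Corporation code. A zone is modelled as a dict of
{name: {"A": [addresses], "CNAME": target, "MX": [(preference, host), ...]}}
(an assumption of this example). The check verifies that the domain's
lowest-preference MX points at the gateway server, that the MX target is a
host record rather than an alias (RFC 2181 section 10.3), and that
keys.<domain> resolves to the same address as the gateway server.
"""
from typing import Dict, List

Zone = Dict[str, dict]

# Constructed sample zone mirroring "Gateway Placement Configuration".
GATEWAY_ZONE: Zone = {
    "example.com": {"MX": [(10, "mail-gw.example.com")]},
    "mail-gw.example.com": {"A": ["192.0.2.25"]},        # PGP Universal Server, gateway placement
    "keys.example.com": {"CNAME": "mail-gw.example.com"},  # keys.<domain> alias
    "mail.example.com": {"A": ["10.0.0.25"]},             # internal mail server (relays via the gateway)
}


def resolve_a(zone: Zone, name: str, max_hops: int = 8) -> List[str]:
    """Follow CNAMEs (bounded, so an alias loop terminates) and return the A records found."""
    seen = set()
    while max_hops and name not in seen:
        seen.add(name)
        rr = zone.get(name, {})
        if "A" in rr:
            return list(rr["A"])
        if "CNAME" in rr:
            name = rr["CNAME"]
            max_hops -= 1
            continue
        return []
    return []


def check_gateway_dns(zone: Zone, domain: str, gateway_host: str) -> List[str]:
    """Return a list of findings; an empty list means the zone matches the gateway layout."""
    findings = []
    mx = zone.get(domain, {}).get("MX", [])
    if not mx:
        findings.append(f"no MX record for {domain}")
    else:
        best = min(mx)[1]  # lowest preference value is tried first by sending MTAs
        if best != gateway_host:
            findings.append(f"lowest-preference MX for {domain} is {best}, expected {gateway_host}")
        if "CNAME" in zone.get(best, {}):
            findings.append(f"MX target {best} is a CNAME; MX targets must be host (A) records")
        if not resolve_a(zone, best):
            findings.append(f"MX target {best} does not resolve to an address")

    keys_name = f"keys.{domain}"
    gw_addrs = set(resolve_a(zone, gateway_host))
    keys_addrs = set(resolve_a(zone, keys_name))
    if not keys_addrs:
        findings.append(f"{keys_name} does not resolve; other PGP Universal Servers look for keys there")
    elif keys_addrs != gw_addrs:
        findings.append(f"{keys_name} resolves to {sorted(keys_addrs)}, gateway to {sorted(gw_addrs)}")
    return findings


if __name__ == "__main__":
    for finding in check_gateway_dns(GATEWAY_ZONE, "example.com", "mail-gw.example.com") or ["ok"]:
        print(finding)
```

Call check_gateway_dns with your domain and the hostname you gave the gateway-placed server; an empty result means the MX and the keys alias agree with the layout, and each finding names the record to correct.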

Gateway Cluster with Load Balancer
In this example, Example Corporation is using an F5 BIG-IP load balancer to handle address rotation between the PGP Universal Servers in the cluster, ensuring that traffic goes through all of them.

1 F5 BIG-IP Load Balancer
2 PGP Universal Server 1
3 PGP Universal Server 2
4 PGP Universal Server 3
5 Logical flow of data
6 Example Corp. internal network
7 Example Corp. DMZ
8 Example Corp. email users
9 Example Corp. email server

Settings for 1:
Virtual server for trusted interface: cluster-gw-internal.example.com, port 25
Virtual server addresses: Trusted interfaces for hosts 2, 3, and 4
Virtual server for untrusted interface: cluster-gw.example.com, ports 25 and 389
Virtual server addresses: Untrusted interfaces for hosts 2, 3, and 4
IP Address, Subnet Mask, Gateway, and DNS Servers: As appropriate

Settings for 2:
Server type: New Installation
Mail processing: Gateway placement
Hostname: cluster1-gw.example.com
Mail server: mail.example.com
IP Address, Subnet Mask, Gateway, and DNS Servers: As appropriate

Settings for 3:
Server type: Cluster Member
Hostname: cluster2-gw.example.com
IP Address, Subnet Mask, Gateway, and DNS Servers: As appropriate

Settings for 4:
Server type: Cluster Member
Hostname: cluster3-gw.example.com
IP Address, Subnet Mask, Gateway, and DNS Servers: As appropriate

Notes: Add DNS MX record that points to cluster-gw.example.com. Also in DNS, create an alias from cluster-gw.example.com to keys.example.com. The mail server must be reconfigured to relay through cluster-gw-internal.example.com.

Gateway and Internal Placement Cluster
You can have a cluster that includes both a PGP Universal Server internally placed and a PGP Universal Server in a gateway placement managing a single mail server, but you should carefully consider why you need both at a single location. One good reason would be for the PGP Universal Server in gateway placement to act exclusively as a keyserver or as a PGP Universal Web Messenger server, while the PGP Universal Server(s) internally placed handles message processing.

The most common usage for this configuration is when you have internal MAPI clients running PGP Universal Satellite in addition to non-MAPI clients using POP, IMAP, and SMTP. In such a scenario, those using standards-based protocols connect to the internally placed PGP Universal Server while the PGP Universal Server in gateway placement ensures proper handling of PGP Universal Web Messenger and Smart Trailer messages for the MAPI clients.

1 PGP Universal Server gateway placed
2 Example Corp. email users
3 Example Corp. email server
4 Example Corp. DMZ
5 External email user
6 Example Corp. internal network
7 PGP Universal Server internally placed

Notes: The first server (cluster member) is internally placed, with PGP Universal Web Messenger disabled. The second server cluster member is in the DMZ, in gateway placement, with PGP Universal Web Messenger enabled. If the same user sends messages from different locations (such as from the internal network using a desktop computer, then from a remote location using a laptop), they can create multiple user accounts and/or keys.

Encircled Configuration
Using PGP Universal Server in an encircled configuration is an alternative to placing two PGP Universal Servers in a clustered internal/gateway placement, when you have internal MAPI clients running PGP Universal Satellite in addition to non-MAPI clients using POP, IMAP, and SMTP.

1 PGP Universal Server internally placed
2 Example Corp. email users
3 Example Corp. email server
4 Example Corp. DMZ
5 External email user
6 Example Corp. internal network

Settings for 1:
Server type: New Installation
Mail processing: Internal placement
Hostname: mail.example.com
Mail server: mail-1.example.com
IP Address, Subnet Mask, Gateway, and DNS Servers: As appropriate
PGP Universal Web Messenger and keyserver functionality enabled

Notes: Add DNS MX record that points to mail.example.com. Optional: to hide internal PGP Universal Server IP from outside, use 2nd IP in the DMZ.

Large Enterprise Configuration
As a large enterprise, Example Corporation has a sophisticated network that includes multiple PGP Universal Servers that are load balanced, a separate PGP Universal Server for PGP Universal Web Messenger and keyserver support, and a standalone Mail Transfer Agent (MTA). The company uses its MTA to perform static email routing and to establish rules that govern which email messages are processed by PGP Universal Server and which are not. Naturally, the features of the MTA being used govern what it can be used for.

1 PGP Universal Server Keyserver/Web Messenger
2 Example Corp. DMZ
3 Example Corp. email server
4 F5 BIG-IP Load Balancer
5 PGP Universal Server 1
6 PGP Universal Server 2
7 PGP Universal Server 3
8 MTA
9 Example Corp. internal network
10 Example Corp. PGP Universal Satellite users
11 Example Corp. email user with PGP Universal Satellite

Note: PGP Corporation does not recommend any specific MTA for use with PGP Universal Server. Make sure the MTA you decide to use is correctly configured for use with PGP Universal Server.

Spam Filters and PGP Universal Server
Example Corporation has both a content-based and a Realtime Blackhole List (RBL) spam filter that it wants to use in conjunction with its PGP Universal Server. (An RBL is a list of servers that are known to send out spam or to be open relays.) The company is careful to locate the respective spam filters in the appropriate locations in the logical flow of data and to configure them correctly.

PGP Universal Server internally placed
1 Example Corp. email user
2 Content-based spam filter
3 PGP Universal Server internally placed
4 Example Corp. email server
5 RBL-based spam filter

PGP Universal Server in gateway placement
1 Example Corp. email user
2 Example Corp. email server
3 Content-based spam filter
4 PGP Universal Server externally placed
5 RBL-based spam filter

Notes: The content-based spam filter sits between the internal email users and the PGP Universal Server in the logical flow of data so that messages are decrypted before they are checked for spam. With an internal placement, the content-based spam filter is not filtering SMTP, only POP/IMAP, so no special configuration on the PGP Universal Server is required. For the gateway placement scenario, the content-based spam filter must be configured on the PGP Universal Server as a mail server. This is done on the inbound or Unified SMTP proxy. However, the content-based spam filter must not treat the PGP Universal Server as a "trusted mail relay" to avoid creating an open relay. Both spam filters must be correctly configured. For example, this might require disabling the spam filter's reverse MX lookups feature.

Alternatively, put both spam filters between the PGP Universal Server and the firewall in the logical flow of data. This configuration assumes PGP Universal Server–encrypted messages do not contain spam because they are scanned while encrypted. Spam in unencrypted messages is still detected. Receiving unencrypted spam is unlikely because it is CPU-intensive and inefficient.

Note: You might require this alternative configuration if the content-based spam filter requires reverse MX lookups.

Caution: If you begin receiving encrypted spam, relocate or add another content-based spam filter to sit between the internal email users and the PGP Universal Server. This allows even PGP Universal Server–encrypted messages to be checked. Other SMTP filtering devices (such as a standalone antivirus gateway, for example) would be placed in the same location.

Exchange with PGP Client Software
Microsoft Exchange Server environments (MAPI) are supported in PGP Desktop and PGP Universal Satellite for Windows for both internal and external PGP Universal Server users. For more information about Microsoft Exchange Server environments and MAPI support, see MAPI Support.

Lotus Domino Server with PGP Client Software
Lotus Domino Server environments, including the Lotus Notes email client, are supported in PGP Desktop and PGP Universal Satellite for Windows for both internal and external PGP Universal Server users. For more information about Lotus Domino Server environments and Lotus Notes email client support, see "Lotus Notes Support" in the PGP Universal Server Administrator's Guide.

Unsupported Configurations
Not every PGP Universal Server deployment scenario is a supported configuration.

Multiple Gateway–Placed Servers
You cannot have multiple PGP Universal Servers operating in gateway placements in one DMZ.

1 PGP Universal Server 1
2 PGP Universal Server 2
3 PGP Universal Server 3
4 PGP Universal Server 4
5 Acmecorp email server
6 Example Corp. DMZ

7 Logical flow of data
8 Example Corp. email user
9 Example Corp. internal network

Notes: This configuration will not work as expected because the mail server will only route outbound email through one of the PGP Universal Servers. You can use load balancing to achieve a similar result. For more information, see Gateway Cluster with Load Balancer (on page 47).