Symantec Encryption Management Server Administrator's


Symantec Encryption Management Server Administrator Guide
10.5
Last updated: July 2020

Contents

Introduction
What is Symantec Encryption Management Server?
Symantec Encryption Management Server Product Family
Who Should Read This Guide
Common Criteria Environments
Symbols
Getting Assistance
Getting product information
Technical Support
The Big Picture
Important Terms
Related Products
Symantec Encryption Management Server Concepts
Symantec Encryption Management Server Features
Symantec Encryption Management Server User Types
Installation Overview
About Open Ports
TCP Ports
UDP Ports
About Naming your Symantec Encryption Management Server
How to Name Your Symantec Encryption Management Server
Naming Methods
Understanding the Administrative Interface
System Requirements
Logging In
The System Overview Page
Managing Alerts
Logging In For the First Time
Licensing Your Software
Overview
Licensing a Symantec Encryption Management Server
License Authorization
Licensing the Mail Proxy

Introduction

This Administrator’s Guide describes both the Symantec Encryption Management Server and Client software. It tells you how to get them up and running on your network, how to configure them, and how to maintain them. This section provides a high-level overview of Symantec Encryption Management Server.

What is Symantec Encryption Management Server?

Symantec Encryption Management Server is a console that manages the applications that provide email, disk, and network file encryption. Symantec Encryption Management Server with Symantec Gateway Email Encryption provides secure messaging by transparently protecting your enterprise messages with little or no user interaction.

Symantec Encryption Management Server also does the following:
- Automatically creates and maintains a Self-Managing Security Architecture (SMSA) by monitoring authenticated users and their email traffic.
- Allows you to send protected messages to addresses that are not part of the SMSA.
- Automatically encrypts, decrypts, signs, and verifies messages.
- Provides strong security through policies you control.

Symantec Encryption Desktop, a client product, is created and managed through Symantec Encryption Management Server policy and does the following:
- Creates PGP keypairs.
- Manages user keypairs.
- Stores the public keys of others.
- Encrypts user email.
- Encrypts entire, or partial, hard drives.
- Enables secure file sharing with others over a network.

Symantec Encryption Management Server Product Family

Symantec Encryption Management Server functions as a management console for a variety of encryption solutions. You can purchase any of the Symantec Encryption Desktop applications or bundles and use Symantec Encryption Management Server to create and manage client installations. You can also purchase a license that enables Symantec Gateway Email Encryption to encrypt email in the mailstream.

The Symantec Encryption Management Server can manage any combination of the following Symantec encryption applications:
- Symantec Gateway Email Encryption provides automatic email encryption in the gateway, based on centralized mail policy. This product requires administration by the Symantec Encryption Management Server.
- Symantec Desktop Email provides encryption at the desktop for mail and files. This product can be managed by the Symantec Encryption Management Server.
- Symantec Drive Encryption provides encryption at the desktop for an entire disk. This product can be managed by the Symantec Encryption Management Server.
- Symantec File Share Encryption provides transparent file encryption and sharing among desktops. This product can be managed by the Symantec Encryption Management Server.

Who Should Read This Guide

This Administrator’s Guide is for the person or persons who implement and maintain your organization’s Symantec Encryption Management Server environment. These are the Symantec Encryption Management Server administrators.

This guide is also intended for anyone else who wants to learn about how Symantec Encryption Management Server works.

Common Criteria Environments

To be Common Criteria compliant, see the best practices in PGP Universal Server 2.9 Common Criteria Supplemental. These best practices supersede recommendations made elsewhere in this and other documentation.

Symbols

Notes, Cautions, and Warnings are used in the following ways.

Note: Notes are extra, but important, information. A Note calls your attention to important aspects of the product. You can use the product better if you read the Notes.

Caution: Cautions indicate the possibility of loss of data or a minor security breach. A Caution tells you about a situation where problems can occur unless precautions are taken. Pay attention to Cautions.

Warning: Warnings indicate the possibility of significant data loss or a major security breach. A Warning means serious problems will occur unless you take the appropriate action. Please take Warnings very seriously.

Getting Assistance

For additional resources, see these sections.

The following documents and online help are companions to the Symantec Encryption Management Server Administrator’s Guide. This guide occasionally refers to information that can be found in one or more of these sources:
- Online help is installed and is available in the Symantec Encryption Management Server product.
- Symantec Encryption Management Server Installation Guide—Describes how to install the Symantec Encryption Management Server.
- Symantec Encryption Management Server Upgrade Guide—Describes the process of upgrading your Symantec Encryption Management Server.
- Symantec Encryption Management Server Mail Policy Diagram—Provides a graphical representation of how email is processed through mail policy. You can access this document via the Symantec Encryption Management Server online help.

You can also access the Symantec Encryption Management Server online help by clicking the online help icon in the upper-right corner of the Symantec Encryption Management Server screen.

Symantec Encryption Management Server release notes are also provided, which may have last-minute information not found in the product documentation.

For information about Symantec Enterprise Security support offerings, you can visit our website at the following URL:
https://support.broadcom.com/security

The Big Picture

This chapter describes some important terms and concepts and gives you a high-level overview of the things you need to do to set up and maintain your Symantec Encryption Management Server environment.

Important Terms

The following sections define important terms you will encounter throughout the Symantec Encryption Management Server and this documentation.

Symantec Encryption Management Server: A device you add to your network that provides secure messaging with little or no user interaction. The Symantec Encryption Management Server automatically creates and maintains a security architecture by monitoring authenticated users and their email traffic. You can also send protected messages to addresses that are not part of the security architecture.

PGP Global Directory: A free, public keyserver hosted by Symantec. The PGP Global Directory provides quick and easy access to the universe of PGP keys. It uses next-generation keyserver technology that queries the email address on a key (to verify that the owner of the email address wants their key posted) and lets users manage their own keys. Using the PGP Global Directory significantly enhances your chances of finding a valid public key of someone to whom you want to send secured messages.

For external users without encryption keys, Symantec Encryption Management Server offers multiple secure delivery options, leveraging third-party software that is already installed on typical computer systems, such as a web browser or Adobe Acrobat Reader. For email recipients who do not have an encryption solution, you can use one of the following secure delivery options from Symantec Encryption Management Server:

Symantec Encryption Web Email Protection: The Symantec Encryption Web Email Protection service allows an external user to securely read a message from an internal user before the external user has a relationship with the SMSA. If Symantec Encryption Web Email Protection is available via mail policy for a user and the recipient’s key cannot be found, the message is stored on the Symantec Encryption Management Server and an unprotected message is sent to the recipient. The unprotected message includes a link to the original message, held on the Symantec Encryption Management Server. The recipient must create a passphrase, and then can access his encrypted messages stored on Symantec Encryption Management Server.

Symantec PDF Email Protection: Symantec PDF Email Protection enables sending encrypted PDF messages to external users who do not have a relationship with the SMSA. In the normal mode, as with Symantec Encryption Web Email Protection, the user receives a message with a link to the encrypted message location and uses a Symantec Encryption Web Email Protection passphrase to access the message. Symantec PDF Email Protection also provides Certified Delivery, which encrypts the message to a one-time passphrase, and creates and logs a delivery receipt when the user retrieves the passphrase.

Symantec Encryption Desktop: A client software tool that uses cryptography to protect your data against unauthorized access. Symantec Encryption Desktop is available for Mac OS and Windows.

Symantec Drive Encryption: Drive Encryption is a feature of Symantec Encryption Desktop that encrypts your entire hard drive or partition (on Windows systems), including your boot record, thus protecting all your files when you are not using them.

Symantec File Share Encryption: A feature of Symantec Encryption Desktop for Windows with which you can securely and transparently share files and folders among selected individuals. Symantec File Share Encryption users can protect their files and folders simply by placing them within a folder that is designated as protected.

PGP Virtual Disk: PGP Virtual Disk volumes are a feature of Symantec Encryption Desktop that let you use part of your hard drive space as an encrypted virtual disk. You can protect a PGP Virtual Disk volume with a key or a passphrase. You can also create additional users for a volume, so that people you authorize can also access the volume.

PGP Zip: A feature of Symantec Encryption Desktop that lets you put any combination of files and folders into a single encrypted, compressed package for convenient transport or backup. You can encrypt a PGP Zip archive to a PGP key or to a passphrase.

keys.domain convention: Symantec Encryption Management Server automatically looks for valid public keys for email recipients at a special hostname, if no valid public key is found locally to secure a message. This hostname is keys.domain (where domain is the email domain of the recipient). For example, Example Corporation’s externally visible Symantec Encryption Management Server is named keys.example.com. Symantec strongly recommends you name your externally visible Symantec Encryption Management Server according to this convention because it allows other Symantec Encryption Management Servers to easily find valid public keys for email recipients in your domain. For more information, see Naming your Symantec Encryption Management Server (see "About Naming your Symantec Encryption Management Server" on page 21).
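The keys.domain lookup order described above, as an added example that is not part of the Symantec guide or product code: the recipient's domain is turned into the keys.&lt;domain&gt; hostname only after validating it as a DNS name, and the local key store is consulted before any remote lookup. The key store, the keyserver contents and the key IDs are constructed stand-ins.

```python
"""Added example (not from the Symantec guide): derive the keys.domain
lookup hostname for a recipient and apply the "local keys first, then
keys.<domain>" order described above. All data here is constructed."""
import re
from typing import Optional, Tuple

# Constructed stand-in for the server's local key store: address -> key ID.
LOCAL_KEYS = {"alice@example.com": "0xA1B2C3D4"}

# Constructed stand-in for remote keyservers: hostname -> {address: key ID}.
REMOTE_KEYSERVERS = {"keys.example.org": {"bob@example.org": "0xE5F60718"}}

# One DNS label: letters/digits, optional inner hyphens, at most 63 chars.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def keys_hostname(address: str) -> Optional[str]:
    """Return keys.<domain> for an email address, or None if unusable.

    The domain is lower-cased (DNS is case-insensitive) and every label must
    be a valid hostname label, so a malformed address never becomes a lookup.
    """
    if address.count("@") != 1:
        return None
    local_part, domain = address.rsplit("@", 1)
    if not local_part or not domain:
        return None
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.match(lab) for lab in labels):
        return None
    return "keys." + ".".join(labels)


def find_recipient_key(address: str) -> Optional[Tuple[str, str]]:
    """Resolve a recipient's key: local key store first, then keys.<domain>.

    Returns (source, key_id), or None when no key is available; that is the
    case in which the secure delivery options described above would apply.
    """
    normalized = address.strip().lower()
    key_id = LOCAL_KEYS.get(normalized)
    if key_id:
        return ("local", key_id)
    host = keys_hostname(normalized)
    if host is None:
        return None
    key_id = REMOTE_KEYSERVERS.get(host, {}).get(normalized)
    if key_id:
        return (host, key_id)
    return None
```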

Security Architecture: Behind the scenes, the Symantec Encryption Management Server creates and manages its own security architecture for the users whose email domain it is securing. Because the security architecture is created and managed automatically, we call this a self-managing security architecture (SMSA).

Administrative Interface: Each Symantec Encryption Management Server is controlled via a Web-based administrative interface. The administrative interface gives you control over Symantec Encryption Management Server. While many settings are initially established using the web-based Setup Assistant, all settings of a Symantec Encryption Management Server can be controlled via the administrative interface.

Backup and Restore: Because full backups of the data stored on your Symantec Encryption Management Server are critical in a natural disaster or other unanticipated loss of data or hardware, you can schedule automatic backups of your Symantec Encryption Management Server data or manually perform a backup. You can fully restore a Symantec Encryption Management Server from a backup. In the event of a minor problem, you can restore the Symantec Encryption Management Server to any saved backup. In the event that a Symantec Encryption Management Server is no longer usable, you can restore its data from a backup onto a new Symantec Encryption Management Server during initial setup of the new Symantec Encryption Management Server using the Setup Assistant. All backups are encrypted to the Organization Key and can be stored securely off the Symantec Encryption Management Server.

Cluster: When you have two or more Symantec Encryption Management Servers in your network, you configure them to synchronize with each other; this is called a “cluster.”

Dictionary: Dictionaries are lists of terms to be matched. The dictionaries work with mail policy to allow you to define content lists that can trigger rules.
Directory Synchronization: If you have LDAP directories in your organization, your Symantec Encryption Management Server can be synchronized with the directories. The Symantec Encryption Management Server automatically imports user information from the directories when users send and receive email; it also creates internal user accounts for them, including adding and using X.509 certificates if they are contained in the LDAP directories.

Ignition Keys: You can protect the contents of a Symantec Encryption Management Server, even if the hardware is stolen, by requiring the use of a Soft-Ignition Passphrase Ignition Key.

Important: Support for Hardware Token Ignition Key is removed in Symantec Encryption Management Server 10.5. Use a Soft-Ignition Passphrase Ignition Key to protect the Symantec Encryption Management Server. Before you migrate to Symantec Encryption Management Server 10.5, make sure to add a Soft-Ignition Passphrase Ignition Key, and then delete the Hardware Token Ignition Key.

Keyserver: Each Symantec Encryption Management Server includes an integrated keyserver populated with the public keys of your internal users. When an external user sends a message to an internal user, the external Symantec Encryption Management Server goes to the keyserver to find the public key of the recipient to use to secure the message. The Symantec Encryption Management Server administrator can enable or disable the service, and control access to it via the administrative interface.

Learn Mode: When you finish configuring a Symantec Encryption Management Server using the Setup Assistant, it begins in Learn Mode, where the Symantec Encryption Management Server sends messages through mail policy without taking any action on the messages, and does not encrypt or sign any messages. Learn Mode gives the Symantec Encryption Management Server a chance to build its SMSA (creating keys for authenticated users, for example) so that when Learn Mode is turned off, the Symantec Encryption Management Server can immediately begin securing messages. It is also an excellent way for administrators to learn about the product.

You should check the logs of the Symantec Encryption Management Server while it is in Learn Mode to see what it would be doing to email traffic if it were live on your network. You can make changes to the Symantec Encryption Management Server’s policies while it is in Learn Mode until things are working as expected.

Mail Policy: The Symantec Encryption Management Server processes email messages based on the policies you establish. Mail policy applies to inbound and outbound email processed by both Symantec Encryption Management Server and client software. Mail policy consists of multiple policy chains, comprised of sequential mail processing rules.

Organization Certificate: You must create or obtain an Organization Certificate to enable S/MIME support by Symantec Encryption Management Server. The Organization Certificate signs all X.509 certificates the server creates.

Organization Key: The Setup Assistant automatically creates an Organization Key (actually a keypair) when it configures a Symantec Encryption Management Server. The Organization Key is used to sign all PGP keys the Symantec Encryption Management Server creates and to encrypt Symantec Encryption Management Server backups.

Caution: It is extremely important to back up your Organization Key: all keys the Symantec Encryption Management Server creates are signed by the Organization Key, and all backups are encrypted to the Organization Key. If you lose your Organization Key and have not backed it up, the signatures on those keys are meaningless and you cannot restore from backups encrypted to the Organization Key.
Symantec Encryption Verified Directory: The Symantec Encryption Verified Directory supplements the internal keyserver by letting internal and external users manage the publishing of their own public keys. The Symantec Encryption Verified Directory also serves as a replacement for the PGP Keyserver product. The Symantec Encryption Verified Directory uses next-generation keyserver technology to ensure that the keys in the directory can be trusted.

Server Placement: A Symantec Encryption Management Server can be placed in one of two locations in your network to process email.

With an internal placement, the Symantec Encryption Management Server logically sits between your email users and your mail server. It encrypts and signs outgoing SMTP email and decrypts and verifies incoming mail being picked up by email clients using POP or IMAP. Email stored on your mail server is stored secured (encrypted).

With a gateway placement, the Symantec Encryption Management Server logically sits between your mail server and the Internet. It encrypts and signs outgoing SMTP email and decrypts and verifies incoming SMTP email. Email stored on your mail server is stored unsecured.

For more information, see Configuring Mail Proxies (on page 141) and the Symantec Encryption Management Server Installation Guide.

Setup Assistant: When you attempt to log in for the first time to the administrative interface of a Symantec Encryption Management Server, the Setup Assistant takes you through the configuration of that Symantec Encryption Management Server.

Group Key: A server-managed keypair shared by a group of users. A Group Key is assigned to a group based on membership in an Active Directory security group. This allows membership in the Active Directory security group to be modified without affecting the metadata associated with the protected data. To create a Group Key, the Directory Synchronization feature must be enabled and synchronized with an Active Directory database.

Administrators: Any user who manages the Symantec Encryption Management Server and its security configuration from inside the internal network. Only administrators are allowed to access the administrative interface that controls Symantec Encryption Management Server. A Symantec Encryption Management Server supports multiple administrators, each of which can be assigned a different authority: from read-only access to full control over every feature and function.

Consumers: Internal, external, and Verified Directory users, and devices.

External Users: External users are email users from other domains (domains not being managed by your Symantec Encryption Management Server) who have been added to the SMSA.

Internal Users: Internal users are email users from the domains being managed by your Symantec Encryption Management Server. Symantec Encryption Management Server allows you to manage Symantec Encryption Desktop deployments to your internal users. The administrator can control which Symantec Encr
