The considerations for publishing Encryption Management Server on the Internet are as follows.

Cluster members that do not host private keys

In an Encryption Management Server cluster, some cluster members can be configured not to host the private keys of internal users and consumer groups. Do not allow Encryption Desktop users to connect to such cluster members if any of the following apply:

- You are using SKM (Server Key Mode) keys for any of your users. Such client keys will be permanently corrupted.
- You are using Encryption Desktop drive encryption. Whole Disk Recovery Tokens (WDRTs) are not stored on cluster members that do not host private keys.
- You are using File Share Encryption, especially with Group Keys. File Share Encryption relies on private keys.

If you do not use drive encryption or File Share Encryption and use only GKM (Guarded Key Mode) keys for clients, it may be possible to allow Encryption Desktop to connect to cluster members that do not host private keys, but this is not recommended.

Required port to publish

All communications between Encryption Desktop and Encryption Management Server occur over port 443 (HTTPS). Therefore this is the only port that needs to be open between Encryption Desktop and Encryption Management Server.

PGPSTAMP

When you install Encryption Desktop, the PGPSTAMP registry setting contains the FQDN (fully qualified domain name) of the Encryption Management Server. If the Encryption Desktop clients connect to Encryption Management Server over the Internet, they must be able to resolve this FQDN to a public IP address. If the FQDN within the PGPSTAMP value cannot be resolved from the Internet, the PGPSTAMP value needs to be changed. You can change PGPSTAMP by changing the Symantec Encryption Server setting, downloading the Encryption Desktop installer from Encryption Management Server, and then upgrading the clients. This will force the Encryption Desktop users to re-enroll. You can avoid forcing the clients to re-enroll by writing a script to quit PGP Tray and change the PGPSTAMP registry entry. Search for article 153660 for further details about PGPSTAMP.

Placement of Encryption Management Server

You could place Encryption Management Server in the internal network and configure your firewall or reverse proxy to allow clients to connect to it from the Internet over port 443. In this scenario, so long as the clients can resolve the FQDN of Encryption Management Server, there is nothing more to do. Generally, however, you would place Encryption Management Server in a DMZ. What you then need to consider is which ports to allow from the DMZ to the internal network. For maximum security, you would allow no traffic from the DMZ to the internal network, but this affects enrollment of users, regrouping of users, replication and server management. Each of these considerations is addressed below, together with other ports and services that may be needed.

Enrollment

Usually, Encryption Management Server is configured to use Directory Synchronization for enrollment. It connects to one or more Active Directory domain controllers in order to authenticate users at enrollment time. It also usually groups users according to their membership of Active Directory security groups. Therefore, if Encryption Management Server is in a DMZ, it will need to be able to connect to domain controllers in the internal network over LDAPS (or LDAP, but this is not recommended). If it is not possible to connect to domain controllers in the internal network over LDAPS, Encryption Management Server can be configured to allow clients to enroll using email.
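The PGPSTAMP section above says a script can quit PGP Tray and rewrite the registry entry so clients are not forced to re-enroll. The script below is an added example written for this page; it is not code from the Symantec article or product. It assumes the PGPSTAMP value lives under HKLM\SOFTWARE\Wow6432Node\PGP Corporation\PGP (HKLM\SOFTWARE\PGP Corporation\PGP on 32-bit Windows), that the value is a query-string style list of fields in which ovid= carries the server FQDN, that the tray process is PGPtray.exe, and that the client binaries are under Program Files (x86). The NewFqdn parameter is the example's own. Verify each assumption against article 153660 and a test client before deploying it.

```powershell
# Added example (not from the Symantec article): point Encryption Desktop at a new
# server FQDN by rewriting PGPSTAMP in place, so the user does not have to re-enroll.
# Assumptions, to be verified on a test client first:
#   - registry location of PGPSTAMP (64-bit Windows, 32-bit client key)
#   - PGPSTAMP is a "&"-separated field list whose ovid= field holds the server FQDN
#   - the tray process is PGPtray.exe and lives under Program Files (x86)
param(
    [Parameter(Mandatory)][string]$NewFqdn,
    [string]$RegPath = 'HKLM:\SOFTWARE\Wow6432Node\PGP Corporation\PGP'   # assumed
)

# HKLM is only writable from an elevated session; fail early rather than half-way.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

if (-not (Test-Path $RegPath)) {
    $RegPath = 'HKLM:\SOFTWARE\PGP Corporation\PGP'   # 32-bit Windows location (assumed)
}
$current = (Get-ItemProperty -Path $RegPath -Name PGPSTAMP -ErrorAction Stop).PGPSTAMP

# Change only the host in the ovid= field; every other field is left exactly as it was.
if (-not ($current -match '(^|&)ovid=([^&]+)')) {
    throw "PGPSTAMP has no ovid= field; refusing to edit an unexpected value: $current"
}
$oldFqdn = $Matches[2]
$new = $current -replace "ovid=$([regex]::Escape($oldFqdn))", "ovid=$NewFqdn"
if ($new -eq $current) {
    Write-Host "PGPSTAMP already points at $NewFqdn; nothing to do."
    return
}

# Keep a copy of the old value so the change can be reverted.
$backup = Join-Path $env:ProgramData 'PGPSTAMP-backup.txt'
"$(Get-Date -Format o) $current" | Add-Content -Path $backup

# Quit PGP Tray so it does not overwrite the value or keep using the old one,
# write the new value, then start the tray again.
Get-Process -Name PGPtray -ErrorAction SilentlyContinue | Stop-Process -Force
Set-ItemProperty -Path $RegPath -Name PGPSTAMP -Value $new
$tray = Join-Path ${env:ProgramFiles(x86)} 'PGP Corporation\PGP Desktop\PGPtray.exe'  # assumed path
if (Test-Path $tray) { Start-Process -FilePath $tray }

Write-Host "PGPSTAMP updated: $oldFqdn -> $NewFqdn (previous value saved to $backup)"
```

Save it as, for instance, Set-PgpStamp.ps1 and run it from an elevated prompt as .\Set-PgpStamp.ps1 -NewFqdn keys.example.com. The script refuses to touch a value without an ovid= field and keeps the old value in a backup file, because a mistyped PGPSTAMP would leave the client unable to find its server at all.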
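A pre-flight check for the three network paths discussed above (public DNS for the PGPSTAMP FQDN, TCP 443 from the Internet, and LDAPS from the DMZ to the domain controllers), as an added example that is not part of the original article. The hostnames and the public resolver are placeholders. TCP 636 (LDAPS) and TCP 389 (plain LDAP) are the standard Active Directory ports; the check treats a reachable 389 as a finding because the article advises against plain LDAP. Run the DNS and 443 checks from an Internet-connected machine and the domain controller checks from a host on the DMZ segment.

```powershell
# Added example (not from the Symantec article): verify the paths a published
# Encryption Management Server depends on. All hostnames below are placeholders.
param(
    [string]$ServerFqdn = 'keys.example.com',                     # placeholder
    [string[]]$DomainControllers = @('dc1.corp.example.com'),      # placeholder
    [string]$PublicResolver = '1.1.1.1'                            # any public resolver
)

$results = @()

# 1. Clients on the Internet must resolve the PGPSTAMP FQDN to a public address.
#    Ask a public resolver directly so an internal split-horizon answer cannot mask a gap.
$records = Resolve-DnsName -Name $ServerFqdn -Server $PublicResolver -Type A -ErrorAction SilentlyContinue
$publicIp = ($records | Where-Object QueryType -eq 'A' | Select-Object -First 1).IPAddress
$isRfc1918 = $publicIp -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
$results += [pscustomobject]@{
    Check  = "Public DNS for $ServerFqdn"
    Ok     = [bool]$publicIp -and -not $isRfc1918
    Detail = if ($publicIp) { $publicIp } else { 'no A record from public resolver' }
}

# 2. Port 443 is the only client port; confirm it answers and presents a certificate
#    whose chain and name validate for the FQDN the clients will use.
$tcp = Test-NetConnection -ComputerName $ServerFqdn -Port 443 -WarningAction SilentlyContinue
$tlsOk = $false
if ($tcp.TcpTestSucceeded) {
    try {
        $client = [System.Net.Sockets.TcpClient]::new($ServerFqdn, 443)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($ServerFqdn)   # throws on an untrusted chain or name mismatch
        $tlsOk = $true
        $ssl.Dispose(); $client.Dispose()
    } catch { $tlsOk = $false }
}
$results += [pscustomobject]@{
    Check  = "HTTPS 443 to $ServerFqdn"
    Ok     = $tcp.TcpTestSucceeded -and $tlsOk
    Detail = "tcp=$($tcp.TcpTestSucceeded) tls=$tlsOk"
}

# 3. From the DMZ the server needs LDAPS (636) to each DC for Directory Synchronization.
#    Plain LDAP (389) should not be reachable, so an open 389 is reported as not OK.
foreach ($dc in $DomainControllers) {
    $ldaps = Test-NetConnection -ComputerName $dc -Port 636 -WarningAction SilentlyContinue
    $results += [pscustomobject]@{ Check = "DMZ -> ${dc}:636 (LDAPS)"; Ok = $ldaps.TcpTestSucceeded; Detail = 'required' }

    $ldap = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
    $results += [pscustomobject]@{ Check = "DMZ -> ${dc}:389 (LDAP)"; Ok = -not $ldap.TcpTestSucceeded; Detail = 'should stay closed' }
}

$results | Format-Table -AutoSize
```

The TLS step matters more than the TCP step: a reverse proxy that forwards 443 but presents a certificate for a different name will pass a port test and still fail every client. The RFC 1918 check catches the common mistake of publishing an internal DNS record externally.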