Symantec Encryption Desktop (formerly PGP Desktop) is unable to enroll, connect to Symantec Encryption Management Server or synchronize policy

Article:TECH155959  |  Created: 2011-03-18  |  Updated: 2014-03-27  |  Article URL http://www.symantec.com/docs/TECH155959
Article Type
Technical Solution


Issue



SED (Symantec Encryption Desktop) is unable to enroll, is unable to connect to the SEMS (Symantec Encryption Management Server) or is unable to synchronize policy with the SEMS.


Error



The following symptoms may be observed:

  • The PGP Tray fails to display in the taskbar although pgptray.exe does display in Task Manager.
  • Opening SED displays an error message: "Encryption Desktop is unable to contact your organization's Symantec Encryption Server".
  • Errors may be shown in the log concerning problems connecting to the SEMS.



Cause



PGPSTAMP may not be pointing to the SEMS.

To check this, go to Start > Run > Regedit. PGPSTAMP can be found in the following container:

32 bit machines: HKEY_LOCAL_MACHINE\Software\PGP Corporation\PGP
64 bit machines: HKEY_LOCAL_MACHINE\Software\Wow6432Node\PGP

PGPSTAMP should look similar to this with ovid= pointing to your SEMS:

ovid=keys.symantec.com&mail=*&admin=1

A second issue is that SED automatically uses the Internet Explorer (IE) proxy settings. However, some proxy servers do not pass SOAP/S traffic through to the SEMS completely. A connection to the SEMS is possible, but not all information is received by the SEMS or SED.

Third, check that port 443 is open on the client machine and that you can telnet to port 443 on the SEMS from the client machine. If port 443 is closed or blocked, enrollment will fail. Note that being able to telnet to port 443 of the SEMS does not rule out a problem caused by proxy settings. One way of testing this is to try to connect to https://SEMS:9000 from the client, where SEMS is the FQDN of the SEMS. If you cannot connect to the admin interface, check your proxy settings.


Solution



Remove the proxy server from the IE settings completely or add an exception to the Advanced settings:

  • Open IE > Tools > Internet Options > Connections > LAN Settings > Advanced
  • Enter the SEMS FQDN into the exceptions list (separated by semicolon if needed). Use the same name as in the PGPSTAMP registry entry.
  • Note: The option "Bypass Proxy Server for local addresses" is not used in SED, so adding an exception is the only way to set this.

In the case of proxy settings enforced by group policy, the group policy will need to be changed to add the SEMS FQDN and port 443 to the group policy proxy exceptions list.
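
The three checks described under Cause can be run together on a client. The script below is an added example, not Symantec code. It assumes PGPSTAMP is a string value inside the keys listed above and that the IE proxy settings are the current user's; the function names Get-OvidHost and Test-ProxyException are hypothetical helpers.

```powershell
# Added example: checks PGPSTAMP, the IE proxy exceptions and port 443 on one client.
# Assumption: PGPSTAMP is a string value inside the keys the article lists.
$stampKeys = @(
    'HKLM:\Software\PGP Corporation\PGP',   # 32-bit path from the article
    'HKLM:\Software\Wow6432Node\PGP'        # 64-bit path as given in the article
)

function Get-OvidHost([string]$Stamp) {
    # PGPSTAMP is a set of name=value pairs joined by '&', e.g. ovid=host&mail=*&admin=1
    foreach ($pair in $Stamp -split '&') {
        $name, $value = $pair -split '=', 2
        if ($name -eq 'ovid') { return $value }
    }
}

function Test-ProxyException([string]$HostName, [string]$Override) {
    # ProxyOverride holds the IE exceptions list: ';'-separated, '*' wildcards allowed.
    # The '<local>' entry never matches an FQDN, which fits the note that SED ignores it.
    foreach ($entry in ($Override -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        if ($HostName -like $entry) { return $true }
    }
    return $false
}

# 1. Where does PGPSTAMP point?
$stamp = $null
foreach ($key in $stampKeys) {
    $item = Get-ItemProperty -Path $key -Name PGPSTAMP -ErrorAction SilentlyContinue
    if ($item) { $stamp = $item.PGPSTAMP; break }
}
if (-not $stamp) { Write-Warning 'PGPSTAMP not found in either key'; return }
$sems = Get-OvidHost $stamp
if (-not $sems) { Write-Warning "No ovid= entry in PGPSTAMP: $stamp"; return }
"PGPSTAMP ovid host : $sems"

# 2. Is an IE proxy set, and is the SEMS name in the exceptions list?
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($ie.ProxyEnable -eq 1) {
    "IE proxy           : $($ie.ProxyServer)"
    "SEMS in exceptions : $(Test-ProxyException $sems $ie.ProxyOverride)"
} else { 'IE proxy           : not enabled' }

# 3. Direct TCP check of port 443 (success here does not rule out a proxy problem).
$tcp = New-Object System.Net.Sockets.TcpClient
try { $tcp.Connect($sems, 443); $open = $true } catch { $open = $false } finally { $tcp.Close() }
"TCP 443 reachable  : $open"
```

Run it as the affected user, since the proxy settings are read from that user's registry hive. A proxy that is enabled with the SEMS name missing from the exceptions list matches the second cause above.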



