PGP Universal Server and offsite Drive Encryption clients

Created: 29 Jan 2013 | 5 comments

Currently, we have two clients using the latest release of Drive Encryption, controlled by our Universal Server which is also on the latest version.  These laptops are typically always in the office apart from going home at night or occasional travel.  This year we will be rolling out encryption to all of our laptops, around 30 total.  A handful of these are rarely, if ever, in the office, and very rarely connect via VPN.

What is the best approach for these laptops?  If at all possible, I'd like them to be in contact with a server instead of on their own.  My server is an ESXi VM, so I can create a DMZ-only Universal Server if needed.

Alex_CST's picture

The standard practice is to have the Universal Server inside the DMZ anyway, so it's reachable by an FQDN - keys.companyname.com, so just move your current Universal Server inside the DMZ and you're golden :)

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

dynamicci's picture

What about Active Directory?  I neglected to mention I have the server contacting LDAP, and it uses that for SSO on the workstations.

One other question - are there any implications if a client goes an extended period of time without server contact?

Alex_CST's picture

It can still sync with AD, you can even use LDAPS if you're concerned about privacy.

In terms of "extended period of time", not really, no; only policy updates you make it won't get, that's about it.  There's no automatic "cleanup" in the Universal Server.

dynamicci's picture

LDAPS is already enabled; however, what I'm really concerned with is contacting a DC.  I'm guessing either a read-only DC or some other form of domain services in the DMZ would be the recommended approach?

Alex_CST's picture

You can also have 2 Universal Servers, one in the DMZ, one in internal, and all inter-Universal Server traffic is encrypted, and cluster them.
