Video Screencast Help

PGP universal server internal

Created: 10 Jul 2012 | 6 comments
bec3's picture

what is the advantage of setting up pgp universal server internally, and can we publish it to the internet if we want to use webmessensger ?

Comments 6 CommentsJump to latest comment

Alex_CST's picture

You mean internal placement instead of gateway placement?  It's really quite unusual to have an internal placement, there are no real advantages for doing it, the only reason I can see for doing it is if you use hosted exchange or have offsite mail servers, otherwise always use gateway placement.

Here's an article on internal placement

It also cant proxy MAPI in internal placement

Please mark posts as solutions if they solve your problem!

bec3's picture

I was thinking of a design that can store the email encrypted on the mail server without using PGP desktop

Alex_CST's picture

That will not be possible.  There will still be flow somewhere where the mail is unencrypted.  The only way to have true end-to-end encryption is to use PGP Desktop.

Please mark posts as solutions if they solve your problem!

NextChris's picture

I don´t see any advantages concerning security of the proposed design (Assuming your Mailserver is inside your network and controlled by your staff).

The mailflow between the client and the Universal Server remains unencrypted. Instead of the mailserver admin the Universal Server Admin will have the option to read all your mail in cleartext if he wants to.

In my opinion encrypting mail on the client-side is the only way to get a higher level of security in that szenario.

Besides publishing an internally placed WebMessenger Server is a no-go. The WebMessenger Server should always be placed outside your corporates border (In the DMZ for example).

So if you use internal placement I´d always recommend to create a cluster-node in the DMZ which offers the WebMessenger service.

bec3's picture

Can I create a cluster of webmessneger, and store the emails inside the network ?

in other word, Have 2 webmessenger, 1 which play the rule of webmessenger(on DMZ) and second to store the emails(internally)?

NextChris's picture

I am not sure if I got this right, but !yes you can! create a cluster and have the webmessenger role separated from the other part. You have the option to not store any private keys on the webmessenger -

but NO you can´t have 2 webmessenger servers, one storing mail inboxes of the webmessenger users and the other just providing the web access. (so this is as far as I know)

I am not sure if this would actually make a big difference (of course it would be better, but not much) - if you have full control of the web-access providing server then you can of course grab the inboxes from another "save" server, because you would be the one that is decrypting the https/ssl-connection and the one who is authenticating webmessenger users. - But still I also think it is a good practice to have as less as possible information on a internet-facing web- and application-server and development could have a guess about it.