Video Screencast Help
Symantec Appoints Michael A. Brown CEO. Learn more.

PGP Universal Server- internal AND external placement (not OR)

Created: 13 Feb 2013 | 2 comments

Hello

We are looking to understand our options in regards to placement of our PGP Universal Server. This need is specifically for outbound email flow, and web messenger functionality.

We are looking to achieve the following:

1. Placement internal - the PGP server would be between our internal mail server & our DLP system.

2. Placement external - we need the web messenger and storage of Public Keys to sit outside (in our DMZ)  - Major reason being, we do not want external customers who need to log into our Web Messenger portal to retrieve messages, or Public Key communication going 'inside'- we want that communication to remain outside in the DMZ.  

I have to imagine it is possible but after having read through the installation guide, the 2 senaiors are internal OR external; not a hybrid.

Has anyone done this?

Does anyone know of documenation that goes through this?

Assuming it is possible, my next question is to what capacity can the two PGP servers talk to eachother so we can split the workload?

 

Comments 2 CommentsJump to latest comment

Alex_CST's picture

May I ask, why do you want the UN before your DLP system?  The DLP won't be able to interrogate any encrypted emails for DLP purposes.

You can have both, in a clustered configuration so they share data, but for external customers they would be able to resolve keys.servername.com to your external UN, and internal users would resolve keys.servername.com to your internal UN.

They wouldnt be able to split the workload as they do not have load balancing capabilities, you would need a 3rd party hardware load balancer to do that.  The alternative to a load balancer is round robin DNS, but that again wouldnt be suitable as both your UNs perform different tasks.

So clustering in this scenario would be used to share key information and configuration information, and nothing else.

 

 

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

lagoldfinger's picture

Hi Alex

Thank you for the follow up- very awesome!!

So not really the reason why but our justification for what you mention is that if the email is encrypted, we aren't concerned about data leak (b/c it is encrypted).

As for what you said, if you dont' mind can you just confirm i understand you right...

We can cluster our PGP servers, one inside the firewall, one outside the firewall. Our internal users would resolve to the inside box and external customers would resolve to the box in the DMZ.

They would share info (public and private keys, web messenger data, PGP configuration) but the clustering would provide no redundancy.

Do you know of any documenation on the senario you painted?

Cheers and thanks again!

lg~