Endpoint Encryption

  • 1.  New PGP installation for Gateway Email and file share Encryption

    Posted May 10, 2015 04:03 PM

    Hi All,

    I would appreciate a quick answer to the queries below to help me plan my PGP installation.

    1) The customer has the internal domain name "abcd.CA" and the external domain name "abcd.ORG.CA".

    Does it need a separate certificate? Or can I install an internal certificate for internal users and an external third-party certificate for external users?

    Are there any other special requirements for the certificate that should be considered?

    2) To proceed with the installation, what should the first Universal Server name be?

    For Internal:

    keys.abcd.ca or keysinternal.abcd.ca

    For External:

    keys.abcd.ORG.CA

     

    3) I'm planning to have replication between these two servers as a cluster.

    Is it advisable, or is there anything I need to consider?

    4) What happens if PGP is down? Will that affect the mail flow?

    Thanks



  • 2.  RE: New PGP installation for Gateway Email and file share Encryption

    Broadcom Employee
    Posted May 11, 2015 11:05 AM

    If you only have one network interface and there are two different domains, then you will need a wildcard certificate for the primary domain.

    You could use two different network interfaces and bind two different certificates, one for the internal domain and one for the external domain name. This is slightly more complex, but could be accomplished by binding them on the System>Network> page. You would import both certificates and then bind one to eth0 and the other to eth1.

    It is recommended to have the server name for external lookups as keys.domain.com. Internally it doesn't matter what name you use as long as it matches the installation package that is built on the server.

    If you are using a cluster of servers, then I would recommend using a load balancer for all the traffic and having that IP set up as keys.domain.com for the external traffic.

    You should also load balance internal traffic to make sure that the clients and mail flow are balanced and to help in case of problems on one server. This really depends on how many clients and how much mail you are attempting to send through the server.

    The only way traffic gets to both servers in a clustering configuration is if you have a load balancer. The Symantec Encryption Management Server does not do redundancy by default, so it's not true clustering as you would think of it. It just copies data between servers so that both of them have the same data. If you want redundancy, then you need to have a load balancer for this traffic.

     

     


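    The certificate question above (one wildcard on the primary domain versus separate certificates per domain) can be sanity-checked before anything is deployed: a wildcard name only matches one label at one level, so it is worth listing every hostname the server will answer on and confirming a candidate name set covers all of them. The following Python script is an added example, not part of this thread or of the Symantec Encryption Management Server; it implements the standard wildcard-matching rule used by browsers and mail clients and applies it to the hostnames named in the question (keys.abcd.ca, keysinternal.abcd.ca, keys.abcd.org.ca), which are taken from the question, not from any real deployment.

```python
"""Which of the thread's hostnames does a given set of certificate names cover?

Constructed example: implements the usual wildcard rule (a '*' may only be the
entire leftmost label and matches exactly one label) and applies it to the
server names discussed in the thread. Nothing here reads a real certificate;
the name lists are what you would paste in from a planned SAN list.
"""

# Hostnames from the question (assumed planning values, not live systems)
INTERNAL_HOSTS = ["keys.abcd.ca", "keysinternal.abcd.ca"]
EXTERNAL_HOSTS = ["keys.abcd.org.ca"]


def _name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (DNS SAN or CN) covers hostname.

    Rules applied (the conservative reading of RFC 6125 that clients use):
      - comparison is case-insensitive and ignores a trailing dot;
      - '*' is only honoured as the whole leftmost label ("*.abcd.ca"),
        never as "k*.abcd.ca" or "keys.*.ca";
      - the wildcard matches exactly one label, so "*.abcd.ca" does not
        cover "keys.abcd.org.ca" or "a.b.abcd.ca";
      - at least two labels must follow the wildcard ("*.ca" is refused).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire leftmost label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Same label count as the hostname, and enough labels after the '*'.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert_names, hostname):
    """True if any name in the certificate's SAN/CN list matches hostname."""
    return any(_name_matches(name, hostname) for name in cert_names)


def coverage_report(cert_names, hostnames):
    """Map each hostname to whether the certificate name set covers it."""
    return {host: cert_covers(cert_names, host) for host in hostnames}


def uncovered(cert_names, hostnames):
    """Hostnames that would produce a name-mismatch error with this cert."""
    return [h for h, ok in coverage_report(cert_names, hostnames).items() if not ok]


if __name__ == "__main__":
    all_hosts = INTERNAL_HOSTS + EXTERNAL_HOSTS
    candidates = {
        "wildcard on primary domain only": ["*.abcd.ca"],
        "wildcard on external domain only": ["*.abcd.org.ca"],
        "one SAN cert listing every name": all_hosts,
    }
    for label, names in candidates.items():
        missing = uncovered(names, all_hosts)
        verdict = "covers all" if not missing else "missing " + ", ".join(missing)
        print(f"{label:34s} -> {verdict}")
```

    Running it shows that a single wildcard certificate on either domain leaves the other domain's hostname uncovered, while one certificate whose SAN list names every hostname (or two certificates bound to separate interfaces, as the reply above describes) covers them all. Swap in your own planned hostnames and SAN entries to check a real plan.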

  • 3.  RE: New PGP installation for Gateway Email and file share Encryption

    Posted May 13, 2015 04:42 PM

    Hi Brian,

    Appreciate your help in this regard.

    I have a couple more questions in the context of the failover concept, as you said we need a load balancer.

    The outbound mail flow of DMZ will be something like this, considering I have clustered key1 and key2 in DMZ for external domain and key3 for internal domain.

    Outbound Mail flow of External domain (abcd.ORG.CA) in DMZ:

    From Exchange (4 servers) --> DLP EMC2 (2 servers) --> PGP (2 servers) --> F5 (1 server) --> IronPort (2 servers)

    In-bound mail flow of External domain (abcd.ORG.CA):

    From IronPort --> directly to Exchange

    Queries:

    1. Please let me know your suggestion on where to place PGP: after the F5 (load balancer) or before the F5, to achieve failover?
    2. What should my gateway unified settings be for outbound and for inbound mail flow?

    Thanks,

    -Syed Hussain