Symantec Encryption Management Server Benefits and Considerations for upgrading to version 10.5

Article ID: 150915
Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

This article covers the benefits and considerations to review before upgrading from previous versions of Symantec Encryption Management Server (SEMS). Broadcom recommends upgrading to the latest version of SEMS for best security.

One critical reason to upgrade to SEMS 10.5 is that all previous versions (3.4.2 and older) have entered the EOS/EOL phase. Broadcom will support only version 10.5 going forward, and that is the branch in which all improvements will be included.

TIP: For information on how to carry out upgrades and other technical considerations see article 211876.

Resolution

The following is a historical reference to versions of SEMS highlighting some of the improvements available for each version:

  • Symantec Encryption Management Server version 3.3.2 used TLS 1.0 for its communications. When SEMS 3.4.0 was released, TLS 1.2 became available for improved security; however, TLS 1.0/1.1 remained enabled by default for backward compatibility.
    Important Note: The TLS 1.0/1.1 protocols included many weak ciphers such as RC4/ARC4/arcfour/arcfour128/arcfour256, so customers are recommended to upgrade to the latest branch to ensure weak ciphers are neither included nor used. See the note below for the current release of SEMS.
    In addition to weak ciphers, SEMS 3.4.x runs on CentOS 6, which the CentOS Project has now designated as EOL, so no further Linux security updates will be included. SEMS 10.5 runs on CentOS 7, which is fully supported by the CentOS Project.
  • When SEMS 3.4.2 MP2 was released, TLS 1.2 was enabled and TLS 1.0/1.1 were disabled by default for increased security (see below for information on TLS).
  • The last version of the SEMS 3.4.2 branch was MP5, which had a corresponding Symantec Encryption Desktop (SED) client version of 10.4.2 MP5. The next version after 3.4.2 MP5 was SEMS 10.5 GA.
    Note: For a list of current versions of Symantec Encryption Products, see article 156303.

 

Improvements made in Symantec Encryption Management Server 10.5:

  • Symantec Encryption Management Server 10.5 now runs on CentOS 7, which is a 64-bit platform with many improvements.
  • SEMS can now be assigned more than 16 GB of memory/RAM (3.4.2 was restricted to a 16 GB maximum; SEMS 10.5 has no such limit). Database resources are allocated dynamically for best performance.
    This is a big improvement for busier/larger deployments of SEMS.
  • All SEMS binaries have been recompiled for 64-bit, with faster performance overall.
  • Backup speeds are improved significantly.
  • UEFI architecture is now supported.
  • VMware Tools are now installed natively and automatically.

Note on versioning: To improve clarity between server and client versioning, SEMS now shares the same version number as the SED client (version 10.5), so both SED and SEMS can be referred to as the same version. Previously SEMS used a 3.x naming convention and SED used a 10.x naming convention. Now both server and client are referred to as SEMS/SED 10.5.

As mentioned above, Symantec Encryption Management Server has used TLS 1.0/1.1 for some features and for backward compatibility with Symantec Encryption Desktop client versions 10.3.x and older and with the Symantec PGP Viewer application for Android devices.

Symantec Encryption Management Server 3.4 and Symantec Encryption Desktop 10.4 and above use TLS 1.2 as the default communications protocol. TLS 1.0 is still enabled on these newer versions of the software in order to support older client communications. Symantec Encryption Management Server 3.4.2 MP1 is the last version to have TLS 1.0 enabled by default.

Starting with Symantec Encryption Management Server 3.4.2 MP2 and continuing with SEMS 10.5, TLS 1.0 is disabled by default, and TLS 1.2 is the only protocol available for secure communications.

It is still possible to configure Symantec Encryption Management Server to use TLS 1.0/1.1 for backward compatibility with Symantec Encryption Desktop 10.3.x or Android devices, and for some other features. See below for the considerations that apply to SEMS 3.4.2 MP2 and newer during upgrades.

SEMS 10.5 still supports SED 10.3.2 clients; however, Symantec Enterprise Division strongly recommends upgrading these clients as soon as possible, as 10.3.2 reached EOL on July 31st, 2020.

Considerations before upgrading to Symantec Encryption Management Server 3.4.2 MP2 and newer:

Tip: For the current version of SEMS, see article 156303.

  • Legacy TLS 1.0/1.1 for communications, such as LDAPS for enrollment or TLS email encryption
    If legacy systems require TLS 1.0/1.1 for communications with SEMS, these protocols will need to be re-enabled once the upgrade has completed.
  • Web Email Protection Complete Customization templates
    If Complete Customization is being used for WEP, then before migrating to 3.4.2 MP2 first save the customization template, then remove the existing customization, upgrade the server, and rebuild the complete customization once the upgrade has completed. This is required because of a newly included CAPTCHA feature.
  • SEMS proxy configuration adjustments may be needed
    SEMS 3.4.2 MP2 sets the mail proxy configuration to "STARTTLS attempt" by default. Make note of the settings your environment requires before upgrading to SEMS 3.4.2 MP2 so that the proper adjustments can be made after the upgrade.
  • Symantec Encryption Desktop 10.3.x and older
    These older versions used TLS 1.0 for communication with SEMS and must be updated to 10.4 before they will communicate over TLS 1.2. If the older versions are still needed, contact support to re-enable TLS 1.0/1.1 manually.
  • Certificate enrollment with TLS 1.2
    If certificate enrollment is being used, TLS 1.0/1.1 is still required. If this is still needed, contact support to re-enable TLS 1.0/1.1 manually.
  • SEE Management Server and Whole Disk Recovery Token retrieval
    If a SEE Management Server is being used to retrieve Whole Disk Recovery tokens from SEMS 3.4.2 MP2, TLS 1.0/1.1 must still be enabled. If this is still needed, contact support to re-enable TLS 1.0/1.1 manually.
  • Symantec PGP Viewer for Android uses TLS 1.0 for communications. If this is still needed, contact support to re-enable TLS 1.0/1.1 manually.
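After the upgrade, the points above (TLS 1.0/1.1 disabled by default, the mail proxy defaulting to "STARTTLS attempt", and the RC4-family ciphers called out earlier) can be verified from the outside with a small protocol probe. The following script is an added example written for this article, not Symantec or Broadcom code; the host name `sems.example.com`, the ports, and the cipher names in the comments are assumptions to replace with your own. It pins a client context to one TLS version at a time, tries a plain TLS handshake or an SMTP STARTTLS upgrade, and reports any legacy version the server still accepts or any RC4 cipher it negotiates. Only the Python standard library is used.

```python
"""Verify which TLS versions a server accepts after an upgrade.

Added example, not Symantec/Broadcom code. Host names and ports below are
constructed assumptions; adjust them to your environment.
"""
import smtplib
import socket
import ssl

# Protocol versions discussed in the article. TLS 1.0/1.1 are the legacy
# protocols SEMS 3.4.2 MP2 and 10.5 disable by default; TLS 1.2 should remain.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

# Cipher families the article names as weak (RC4 and its aliases).
WEAK_CIPHER_MARKERS = ("RC4", "ARC4", "ARCFOUR")


def is_weak_cipher(name):
    """True if an OpenSSL cipher-suite name belongs to the RC4 family."""
    upper = name.upper()
    return any(marker in upper for marker in WEAK_CIPHER_MARKERS)


def _context_for(version):
    """Build a client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We test protocol acceptance, not certificate trust, so verification is
    # off here; never reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level; lower
    # it so a refusal comes from the server, not from our own library.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # builds without security levels keep their defaults
    return ctx


def probe_version(host, port, version, starttls=False, timeout=5.0):
    """Return (accepted, cipher_name) for one host/port/version combination.

    starttls=True speaks SMTP first and upgrades with STARTTLS, which is how
    a mail proxy set to "STARTTLS attempt" would be exercised.
    """
    ctx = _context_for(version)
    try:
        if starttls:
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.starttls(context=ctx)
                return True, smtp.sock.cipher()[0]
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.cipher()[0]
    except (ssl.SSLError, smtplib.SMTPException, OSError):
        return False, None


def assess(results):
    """Turn {version: (accepted, cipher)} into a list of findings.

    A hardened server accepts TLS 1.2 only and never negotiates RC4.
    """
    findings = []
    for version, (accepted, cipher) in results.items():
        if version in ("TLSv1.0", "TLSv1.1") and accepted:
            findings.append(f"{version} still accepted; legacy protocol should be disabled")
        if version == "TLSv1.2" and not accepted:
            findings.append("TLSv1.2 refused; clients 10.4 and newer cannot connect")
        if cipher and is_weak_cipher(cipher):
            findings.append(f"{version} negotiated weak cipher {cipher}")
    return findings


def scan(host, port, starttls=False):
    """Probe every version in VERSIONS and return the raw results."""
    return {name: probe_version(host, port, ver, starttls) for name, ver in VERSIONS.items()}


if __name__ == "__main__":
    # Hypothetical targets (assumptions): the SEMS HTTPS port and the SMTP
    # proxy port. Replace with your own host and the ports you actually use.
    for host, port, use_starttls in (("sems.example.com", 443, False),
                                     ("sems.example.com", 25, True)):
        results = scan(host, port, starttls=use_starttls)
        for version, (accepted, cipher) in results.items():
            state = "accepted" if accepted else "refused"
            print(f"{host}:{port} {version}: {state} {cipher or ''}")
        for finding in assess(results):
            print("  finding:", finding)
```

A server that has been upgraded and left at its defaults should report TLS 1.0 and 1.1 as refused and TLS 1.2 as accepted with a non-RC4 cipher; if TLS 1.0/1.1 were deliberately re-enabled for one of the legacy cases listed above, the probe documents that exception so it can be tracked and removed once the dependent system is retired.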

 

With new versions of Symantec Encryption Management Server, older versions reach the End of Life phase.  For a listing of all Encryption products and their EOL dates, see article 152880.