search cancel

Symantec Encryption Management Server Web Email Protection Troubleshooting

book

Article ID: 153269

calendar_today

Updated On:

Products

Desktop Email Encryption Drive Encryption Encryption Management Server Endpoint Encryption File Share Encryption Gateway Email Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK

Issue/Introduction

This article will go over several of the known troubleshooting steps when working with Web Email Protection from Symantec Encryption Management Server.

 

 



 

Resolution



Scenario 0: Web Email Protection Customized templates are not applying properly. 

For more information on this, see article 208629.



Scenario 1: Web Email Protection Quick Start Guide

For information you can send to your Web Email Protection end users (Quick Reference Guide) on how to use this functionality, see the following article:
153186 - How to use your Symantec Web Email Protection account for secure communications with your client


Scenario 2: Unable to send to additional recipients using PGP Web Email Protection Secure Inbox

Web Email Protection allows you to send to multiple recipients, but they must be valid users in order to be included.  For more information on this, see the following article:

246540 - Unable to send to additional recipients using PGP Web Email Protection Secure Inbox

"The following addresses were not on the original recipient list and are not managed by the Symantec Encryption Server"

Scenario 3: Password Reset Help

For information on how to troubleshoot password reset links that use "click security" solutions, see the following article:
163934 - Encryption Management Server Web Email Protection and PDF Email Protection users cannot reset their passwords



Scenario 4: Vague Contact Your Administrator Message Displayed

When WEP users go to reset their link and fails, there is an obscure message to "Contact your administrator" leaving the end user wondering who the administrator is.  You can customize this message to be more descriptive and if you wish to do this, see the following article:

175114 - Encryption Management Server Web Email Protection password reset message has incorrect Subject



Scenario 5: Password Reset Links

SEMS 10.5 and previous would allow only one password lock reset per 24-hours.  Starting with SEMS 10.5 MP1, SEMS can send multiple unlock emails in 1-hour intervals.
SEMS will also send an email to unlock the account if the account is locked, and a user has attempted to login. See the following article for more information:

165174 - PDF Messenger and Web Email Protection users cannot reset their passphrase if their account is locked

230526 - New Web Email Protection or PDF Email Protection account is immediately locked out



Scenario 6: WEP Emails going into Spam Folder

Sometimes the Web Email Protection emails go into the spam folder for some vendors such as the address by default is "[email protected]".  This can be changed to a different email address that does not have the appearance of spam, such as "[email protected]" to avoid this issue.  For assistance with this, refer to the following KB:

154712 - Change the sending address used by Message Templates, Enrollment emails and Daily Status emails in Encryption Management Server

It is important to check the mail templates on the PGP Server to ensure items in the template itself do not appear as spam.

For example, if you have a custom URL that you include for your organization, make sure it is an "https" URL and is valid.  

Some spam filters may see invalid URLs and mark the email as spam.

If you are seeing WEP Email notifications going into the spam folder, reaching out to the domain rejecting to find out more details will help prevent future issues.

In addition to using "[email protected]", it is advisable that this be an actual account that exists on the mailserver so if a reverse lookup is performed, it will be found to be a valid email account.

 

Scenario 7: Email Security Headers to avoid Rejection

Symantec Encryption Management Server sends the Web Email Protection (WEP) email, but the recipient domain rejects the message and does not arrive.
When an internal user sends a WEP email to an end user, the "New Message Notification" messages come from that sender.  If you click the "forgot passphrase" link, those come from the server itself, so the address configured should also be setup as an actual email account on the server and appropriate records are set as per below:

There are several security checks that recipient mail servers will be doing:
*Ensure the SEMS FQDN DNS resolves both forward and reverse.
*Ensure SPF records have been configured for SEMS sending WEP messages.
*Ensure  DMARC/DKIM records have been configured
Note: Many mail servers will check whether the email address it receives email from is a valid email address.  Below is an example of what one mail server checks:


If these above are not added, some mail servers may reject the messages.



Scenario 8: WEP Account Expiration Details

For useful information on the Web Email Protection account expiration behavior, see the following article:
202565 - What happens when Web Email Protection Accounts Expire on Symantec Encryption Management Server?

163953 - Configure Web Email Protection account expiration reminders in Symantec Encryption Management Server



Scenario 9: WEP Users Can't Send to Anyone via Secure Inbox

How come all users can't send to anyone from within their WEP account? For more information on this, see the following article:

246540 - Unable to send to additional recipients using PGP Web Email Protection Secure Inbox



Scenario 10: WEP Customization Template Help

For information on how to troubleshoot the templates, see the following details.

Note: Symantec does not offer customization services, and would rely on your expertise to customize the web portion.  For basic assistance and additional help, please contact Symantec Support.

Template Validation Errors

Advanced and complete custom templates allow you to edit the images and/or HTML files used by PGP Universal Web Messenger. After you upload your files, there are two levels of validation: file validation and tag validation.

File Validation

During advanced customization file upload, the zipped image file is validated to make sure all required files are present. During complete customization, the zipped file is validated to make sure all required image, HTML, and other files are present and located in the correct directory. When you download the default file set, all necessary files are present. The same files must be present, although edited, during upload. You can add more files, but you cannot remove any.

File validation runs before tag validation. If the template fails file validation and you make corrections, the template may still fail validation at the tag validation stage.

To correct invalid files:

If validation of the uploaded files fail, the File Validation Error screen displays a list of missing or misplaced files.

Use the following steps to correct any error(s) and upload the new files.

 

  1. Click Export Validation Error Log to export and view the error log offline. The error log is exported as a text file.
  2. Click Cancel to save the template in the error state.
  3. Repair the invalid files on your own computer desktop, using the exported error log as a reference. You can download the default set of files and use them as a reference when replacing and re-organizing missing and incorrectly located customized files.
  4. When you are ready to upload the corrected files, click the template. The template opens to the validation page.
  5. Click Upload New File to upload the .zip files.

Tag Validation

During complete customization file upload, the zipped file is validated to make sure all required files are present. A compiler converts the HTML pages to an internal format, and then the validation process makes sure that all required HTML tags and tag attributes are present in the HTML and are correctly positioned in relation to each other.

Validation checks that specific code necessary to PGP Universal Web Messenger functionality has not been modified, moved, or deleted. Tag attributes that mark specific locations on each page, such as ID attributes, are particularly important.

If your files failed the validation process, compare the default set of files with your edited versions to find the errors listed in the validation error log.

Make sure that you have not deleted any HTML tags, IDs, and other elements that use the "Required" attribute. HTML tags necessary to PGP Universal Web Messenger functionality are marked with the Required attribute, so if you delete a tag that was marked as Required, validation will fail and an error message appears. If the Required attribute is "true," the tag is required.

Example:

<h2 id="loginWelcome" required="true">

Look for incorrectly nested HTML tags, attributes, and other elements. Make sure you have not moved or deleted elements containing the "Within" attribute. The content of the attribute is the element in which it should be nested.

Example:

<tr id="trTemplateRow" required="true" within="taInbox">

<td class="first" width="20"><input id="deleteCheckbox" required="true" within="trTemplateRow" type="checkbox" name="deletedMessages" value="runtime_replace" onclick="highlightRow(this);"></td>


To correct invalid files

If validation fails, the Tag Validation Error page appears. The Tag Validation Error page shows a list of missing or misplaced files.

 

  1. Click Export Validation Error Log to export and view the error log offline. The error log is exported as a text file.
  2. Click Cancel to save the template in the error state.
  3. Repair the invalid files on your own computer desktop, use the exported error log as a reference.

    Note: You can download the default set of files and use them as a reference when replacing and re-organizing missing and incorrectly located customized files and repairing the HTML.


     
  4. When you are ready to upload the corrected files, click the template. The template opens to the validation page.
  5. Click Upload New File to upload the .zip files. The files are validated.



Scenario 11: Web Email Protection Reminders and PDF Messenger Reminders

Web Email Protection reminders have a scheduled routine to send reminders to WEP users when their accounts are close to reaching the expiration date of their account. At this time, the WEP user must login to the account to validate the account is still active. In some environments, these reminders are not needed and can be disabled in the scheduled tasks of SEMS. For information on how to do this, please contact Symantec Encryption Support and we can help you do this (Refer to  EPG-23265 and EPG-23744 when you log the new case). 

PDF Messenger Reminders are not available in the current release, but will be available for a future release of SEMS.  If you would like to have reminders available for PDF Messenger Emails, please contact Symantec Encryption Support and reference ISFR-1447 to be added to this request. 

See the following articles for more information on Account Expiration for WEP:

202565 - What happens when Web Email Protection Accounts Expire on Symantec Encryption Management Server?

163953 - Configure Web Email Protection account expiration reminders in Symantec Encryption Management Server



Scenario 12: Switching Complete Customized Web Email Protection Templates

If you are attempting to change templates, take special care because these can take a long time to upload, and then takes additional time to apply.  In a clustered environment, it can then take time to replicate to the other nodes.  For additional information on how to troubleshoot this scenario, see the following article:

157023 - Troubleshooting: Uploading and Switching Customized Web Email Protection Templates (formerly known as Web Messenger Templates) can take several minutes to complete


 

Scenario 13: PDF Messenger and Certified Delivery

Symantec Encryption Management Server also includes a feature for Certified Delivery.  This is for use with the PDF Messenger feature and not Web Email Protection.   For more information on this feature, see the following article:

153270 - Symantec Encryption Management Server - Secure PDF Messenger Functionality

 

Scenario 14: PDF Messenger Expiration Notifications starting in PGP Server 10.5.1

After upgrading to 10.5.1, depending on how many accounts there are may not allow sufficient time to pass for the users to receive their notifications.  As a result, some action may need to take place. See the following article for more information on this:

238734 - Insufficient time to warn all PDF Email Protection users of account deletion


EPG-27376


Scenario 15: Can the PGP server handle more than one branding experience for the managed domain?

Answer: The PGP server can handle one domain
ISFR-2119 

 

Scenario 16: Not able to set proper language for Web Email Protection and gets an unhandled exception

Answer: This is resolved in Symantec Encryption Management Server 10.5.1 and above and is available for download.

No handler for event: lnj.e
2021/10/22 04:40:05 +02:00  ERROR  pgp/wm[2002]: Unhandled exception in Boomerang: java.lang.IllegalStateException: Cannot create a session after the response has been committed EXCEPTION STACK TRACE: java.lang.IllegalStateException: Cannot create a session after the response has been committed  at org.apache.catalina.connector.Request.doGetSession(Request.java:2997)  at org.apache.catalina.connector.Request.getSession(Request.java:2439)  at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:908)  at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:920)  at com.pgp.boom.BoomServlet.dispatchEvent(BoomServlet.java:326)  at com.pgp.boom.BoomServlet.doGet(BoomServlet.java:153)  at javax.servlet.http.HttpServlet.service(HttpServlet.java:626)  at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)  at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)  at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:63)  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)  at com.pgp.web.ResponseHeaderFilter.doFilter(ResponseHeaderFilter.java:47)  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)  at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)  at 


Scenario 17: Not able to send certain PDFs with the PGP Server: Messages fail to send with exception 

Answer: See the following article if you are running into this rare event:

246868 - Some PDF Messenger emails may fail to send some PDFs with exceptions on PGP Server

Scenario 18: Web Email Protection URLs not what they should be

Answer: When a recipient receives a Web Email Protection email, it includes a URL on the bottom of the page.  There are some times when clicking that URL may take you to the wrong PGP server.
If this happens, check to see if there is a cluster being used, and if there is, make sure the Web Email Protection service is enabled on all nodes, and that the replication of all messages is enabled for all servers.  This will ensure that WEP will work on any of the servers.  

Once this has been done, then check the URL associated to each of the servers.  Whichever server is sending the email, that is the URL that should typically be used.

Using a Load Balancer can cause these URLs to potentially redirect to the wrong server.  Symantec Encryption Support recommends when using Load Balancers to have only one active server and the rest be passive.  For more information on Load Balancers and PGP server, see the following article:

156803 - Using DNS Round Robin and Load Balancers and Reverse Proxies with Encryption Management Server



Scenario
19: Clicking the Web Email Protection URL Redirects to the Wrong PGP Server

Answer: If you have multiple PGP servers in the cluster and using Web Email Protection and you are wanting each of the servers to handle Web Email Protection, be sure to enable the service on each of the nodes.

In addition to this, make sure the "All" option is selected so that Web Email Protection Email so that all email is available on each of the nodes. This will prevent redirection to a different PGP server if the mail messages are not replicated.

For example, if you have securemail1.domain.dom and securemail2.domain.dom and the WEP service is enabled on both, but if you click on the WEP URL for "securemail2.domain.dom, and it takes you to securemail1, then the "All" option may not be selected. Make sure this is enabled and retry.  The WEP service will be restarted when this is selected and saved.

You may get an error "Too many redirects" if this feature is not enabled and set to "All".

Scenario 20: Unable to reply in proper language, such as Greek

Answer: If you have received a Web Email Protection message and you wish to type in a language, such as Greek, but it is not working, this is likely caused by encoding.
For more information on this topic, see the following article:

259248 - Symantec Web Email Protection Replies will not allow proper language characters to be input

 

If you are still running into issues, please reach out to Symantec Encryption Support for further guidance. 

 

Attachments