This article will go over several of the known troubleshooting steps when working with Web Email Protection from PGP Encryption Server.
For more information on this, see article 208629.
For information you can send to your Web Email Protection end users (Quick Reference Guide) on how to use this functionality, see the following article:
153186 - How to use your Symantec Web Email Protection account for secure communications with your client
Web Email Protection allows you to send to multiple recipients, but they must be valid users in order to be included. For more information on this, see the following article:
246540 - Unable to send to additional recipients using PGP Web Email Protection Secure Inbox
"The following addresses were not on the original recipient list and are not managed by the Symantec Encryption Server"
For information on how to troubleshoot password reset links that use "click security" solutions, see the following article:
163934 - Encryption Management Server Web Email Protection and PDF Email Protection users cannot reset their passwords
When WEP users go to reset their link and fails, there is an obscure message to "Contact your administrator" leaving the end user wondering who the administrator is. You can customize this message to be more descriptive and if you wish to do this, see the following article:
SEMS 10.5 and previous would allow only one password lock reset per 24-hours. Starting with SEMS 10.5 MP1, SEMS can send multiple unlock emails in 1-hour intervals.
SEMS will also send an email to unlock the account if the account is locked, and a user has attempted to login. See the following article for more information:
230526 - New Web Email Protection or PDF Email Protection account is immediately locked out
Sometimes the Web Email Protection emails go into the spam folder for some vendors such as the address by default is "[email protected]". This can be changed to a different email address that does not have the appearance of spam, such as "[email protected]" to avoid this issue. For assistance with this, refer to the following KB:
154712 - Change the sending address used by Message Templates, Enrollment emails and Daily Status emails in Encryption Management Server
It is important to check the mail templates on the PGP Server to ensure items in the template itself do not appear as spam.
For example, if you have a custom URL that you include for your organization, make sure it is an "https" URL and is valid.
Some spam filters may see invalid URLs and mark the email as spam.
If you are seeing WEP Email notifications going into the spam folder, reaching out to the domain rejecting to find out more details will help prevent future issues.
In addition to using "[email protected]", it is advisable that this be an actual account that exists on the mailserver so if a reverse lookup is performed, it will be found to be a valid email account.
The PGP Encryption Server sends the Web Email Protection (WEP) email, but the recipient domain may rejects the message.
When an internal user sends a WEP email to an end user, the "New Message Notification" messages come from that sender. If you click the "forgot passphrase" link, those come from the PGP Encryption Server itself, so the address configured should also be setup as an actual email account on the server and appropriate records are set as per below:
There are several security checks that recipient mail servers will be doing:
*Ensure the PGP Server FQDN DNS resolves both forward and reverse.
*Ensure SPF records have been configured for PGP sending WEP messages.
*Ensure DMARC/DKIM records have been configured for your outbound mailservers--this DKIM header should help prevent spam detection.
Note: Many mail servers will check whether the email address it receives email from is a valid email address. Below is an example of what one mail server checks:
If these above are not added, some mail servers may reject the messages.
DKIM Signatures are typically added by the first sending mailserver, and this DKIM signature will follow the lifecycle of the email and will also be attached to the WEP Emails.
For further guidance, reach out to Symantec Encryption Support.
IMSFR-953
For useful information on the Web Email Protection account expiration behavior, see the following article:
202565 - What happens when Web Email Protection Accounts Expire on Symantec Encryption Management Server?
How come all users can't send to anyone from within their WEP account? For more information on this, see the following article:
246540 - Unable to send to additional recipients using PGP Web Email Protection Secure Inbox
For information on how to troubleshoot the templates, see the following details.
Note: Symantec does not offer customization services, and would rely on your expertise to customize the web portion. For basic assistance and additional help, please contact Symantec Support.
Template Validation Errors
Advanced and complete custom templates allow you to edit the images and/or HTML files used by PGP Universal Web Messenger. After you upload your files, there are two levels of validation: file validation and tag validation.
File Validation
During advanced customization file upload, the zipped image file is validated to make sure all required files are present. During complete customization, the zipped file is validated to make sure all required image, HTML, and other files are present and located in the correct directory. When you download the default file set, all necessary files are present. The same files must be present, although edited, during upload. You can add more files, but you cannot remove any.
File validation runs before tag validation. If the template fails file validation and you make corrections, the template may still fail validation at the tag validation stage.
To correct invalid files:
If validation of the uploaded files fail, the File Validation Error screen displays a list of missing or misplaced files.
Use the following steps to correct any error(s) and upload the new files.
Tag Validation
During complete customization file upload, the zipped file is validated to make sure all required files are present. A compiler converts the HTML pages to an internal format, and then the validation process makes sure that all required HTML tags and tag attributes are present in the HTML and are correctly positioned in relation to each other.
Validation checks that specific code necessary to PGP Universal Web Messenger functionality has not been modified, moved, or deleted. Tag attributes that mark specific locations on each page, such as ID attributes, are particularly important.
If your files failed the validation process, compare the default set of files with your edited versions to find the errors listed in the validation error log.
Make sure that you have not deleted any HTML tags, IDs, and other elements that use the "Required" attribute. HTML tags necessary to PGP Universal Web Messenger functionality are marked with the Required attribute, so if you delete a tag that was marked as Required, validation will fail and an error message appears. If the Required attribute is "true," the tag is required.
Example:
<h2 id="loginWelcome" required="true">
Look for incorrectly nested HTML tags, attributes, and other elements. Make sure you have not moved or deleted elements containing the "Within" attribute. The content of the attribute is the element in which it should be nested.
Example:
<tr id="trTemplateRow" required="true" within="taInbox">
<td class="first" width="20"><input id="deleteCheckbox" required="true" within="trTemplateRow" type="checkbox" name="deletedMessages" value="runtime_replace" onclick="highlightRow(this);"></td>
To correct invalid files
If validation fails, the Tag Validation Error page appears. The Tag Validation Error page shows a list of missing or misplaced files.
Note: You can download the default set of files and use them as a reference when replacing and re-organizing missing and incorrectly located customized files and repairing the HTML. |
Scenario 11: Web Email Protection Reminders and PDF Messenger Reminders
Web Email Protection reminders have a scheduled routine to send reminders to WEP users when their accounts are close to reaching the expiration date of their account. At this time, the WEP user must login to the account to validate the account is still active. In some environments, these reminders are not needed and can be disabled in the scheduled tasks of SEMS. For information on how to do this, please contact Symantec Encryption Support and we can help you do this (Refer to EPG-23265 and EPG-23744 when you log the new case).
PDF Messenger Reminders are not available in the current release, but will be available for a future release of SEMS. If you would like to have reminders available for PDF Messenger Emails, please contact Symantec Encryption Support and reference ISFR-1447 to be added to this request.
See the following articles for more information on Account Expiration for WEP:
If you are attempting to change templates, take special care because these can take a long time to upload, and then takes additional time to apply. In a clustered environment, it can then take time to replicate to the other nodes. For additional information on how to troubleshoot this scenario, see the following article:
Symantec Encryption Management Server also includes a feature for Certified Delivery. This is for use with the PDF Messenger feature and not Web Email Protection. For more information on this feature, see the following article:
153270 - Symantec Encryption Management Server - Secure PDF Messenger Functionality
After upgrading to 10.5.1, depending on how many accounts there are may not allow sufficient time to pass for the users to receive their notifications. As a result, some action may need to take place. See the following article for more information on this:
238734 - Insufficient time to warn all PDF Email Protection users of account deletion
EPG-27376
Answer: The PGP server can handle one domain
ISFR-2119
Answer: This is resolved in Symantec Encryption Management Server 10.5.1 and above and is available for download.
No handler for event: lnj.e
2021/10/22 04:40:05 +02:00 ERROR pgp/wm[2002]: Unhandled exception in Boomerang: java.lang.IllegalStateException
Answer: See the following article if you are running into this rare event:
246868 - Some PDF Messenger emails may fail to send some PDFs with exceptions on PGP Server
Answer: When a recipient receives a Web Email Protection email, it includes a URL on the bottom of the page. There are some times when clicking that URL may take you to the wrong PGP server.
If this happens, check to see if there is a cluster being used, and if there is, make sure the Web Email Protection service is enabled on all nodes, and that the replication of all messages is enabled for all servers. This will ensure that WEP will work on any of the servers.
Once this has been done, then check the URL associated to each of the servers. Whichever server is sending the email, that is the URL that should typically be used.
Using a Load Balancer can cause these URLs to potentially redirect to the wrong server. Symantec Encryption Support recommends when using Load Balancers to have only one active server and the rest be passive. For more information on Load Balancers and PGP server, see the following article:
Answer: If you have multiple PGP servers in the cluster and using Web Email Protection and you are wanting each of the servers to handle Web Email Protection, be sure to enable the service on each of the nodes.
In addition to this, make sure the "All" option is selected so that Web Email Protection Email so that all email is available on each of the nodes. This will prevent redirection to a different PGP server if the mail messages are not replicated.
For example, if you have securemail1.example.com and securemail2.example.com and the WEP service is enabled on both, but if you click on the WEP URL for "securemail2.example.com, and it takes you to securemail1, then the "All" option may not be selected. Make sure this is enabled and retry. The WEP service will be restarted when this is selected and saved.
You may get an error "Too many redirects" if this feature is not enabled and set to "All".
Answer: If you have received a Web Email Protection message and you wish to type in a language, such as Greek, but it is not working, this is likely caused by encoding.
For more information on this topic, see the following article:
259248 - Symantec Web Email Protection Replies will not allow proper language characters to be input
Answer: Yes, for more information on this topic, see the following article:
If you are still running into issues, please reach out to Symantec Encryption Support for further guidance.