Symantec Encryption Desktop/PGP Desktop is unable to enroll, connect, or synchronize policy with Symantec Encryption Management Server.
The following symptoms may be observed:
PGPSTAMP may not be pointing to the Symantec Encryption Management Server (PGP Server).
A second issue is that Encryption Desktop automatically uses the Internet Explorer (IE) Proxy settings. However, some proxy servers do not allow SOAP/S traffic to go through completely to Symantec Encryption Management Server. A connection to the server is possible, but not all information is received by Symantec Encryption Management Server or Encryption Desktop.
Use the following to troubleshoot the issue:
PGPSTAMP
To check the value of the PGPSTAMP, click Start > Run > Regedit. PGPSTAMP can be found in the following container:
32-bit machines: HKEY_LOCAL_MACHINE\Software\PGP Corporation\PGP
64-bit machines: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\PGP Corporation\PGP
Here is an example of the value for PGPSTAMP directing the client to an example hostname of the Symantec Encryption Management Server:
ovid=keys.example.com&mail=*&admin=1
Check proxy and port connectivity
Remove the proxy server from the Internet Explorer settings completely or add an exception to the Advanced settings.
Note: The option "Bypass Proxy Server for local addresses" is not used in Encryption Desktop, so adding an exception is the only way to set this.
When proxy settings are enforced by a group policy, the group policy will need to be changed to add the Symantec Encryption Management Server FQDN and port 443 to the group policy proxy exceptions list.
Check port connectivity
Check to make sure that port 443 is open on the client machine and that you can telnet to port 443 on the Symantec Encryption Management Server from the client machine. If port 443 is closed or blocked, enrollment will fail. Note that being able to telnet to port 443 of the server does not mean that proxy settings are not causing a problem. One way of testing this is to try to connect to https://keys.<yourservername>.com:9000 from the client, where keys.<yourservername>.com is the FQDN of Symantec Encryption Management Server. If you cannot connect to the admin interface, then check your proxy settings.
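The checks above can be run together from the client. The following PowerShell is an added example, not Symantec's own tooling: it reads PGPSTAMP from the registry keys listed in this article, extracts the ovid host, reports whether the system (Internet Explorer) proxy would be used for that host, and tests TCP port 443. The function names are hypothetical, and it assumes the registry value is named PGPSTAMP and that the proxy Encryption Desktop uses matches what .NET reports as the system proxy for the logged-on user.

```powershell
# Added example (not vendor code). Function names are hypothetical.
function ConvertFrom-PgpStamp {
    param([Parameter(Mandatory)][string]$Stamp)
    # PGPSTAMP is a list of key=value pairs separated by '&',
    # e.g. ovid=keys.example.com&mail=*&admin=1
    $fields = @{}
    foreach ($pair in ($Stamp -split '&')) {
        $name, $value = $pair -split '=', 2
        if ($name) { $fields[$name.Trim()] = "$value".Trim() }
    }
    $fields
}

function Test-PgpServerPath {
    param([string]$Stamp)   # optional: pass a stamp instead of reading the registry
    $paths = 'HKLM:\SOFTWARE\PGP Corporation\PGP',             # 32-bit machines
             'HKLM:\SOFTWARE\WOW6432Node\PGP Corporation\PGP'  # 64-bit machines
    foreach ($path in $paths) {
        if ($Stamp) { break }
        # Assumption: the registry value itself is named PGPSTAMP.
        $item = Get-ItemProperty -Path $path -Name 'PGPSTAMP' -ErrorAction SilentlyContinue
        if ($item) { $Stamp = $item.PGPSTAMP }
    }
    if (-not $Stamp) { Write-Warning 'PGPSTAMP not found under either key.'; return }

    $server = (ConvertFrom-PgpStamp -Stamp $Stamp)['ovid']
    if (-not $server) { Write-Warning "No ovid field in PGPSTAMP: $Stamp"; return }

    $uri   = [Uri]"https://${server}:443/"
    # GetSystemWebProxy reflects the Internet Explorer proxy settings of the current user.
    $proxy = [System.Net.WebRequest]::GetSystemWebProxy()
    # Direct TCP test: like telnet, it does not pass through the proxy.
    $tcp   = Test-NetConnection -ComputerName $server -Port 443 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Stamp         = $Stamp
        Server        = $server
        ProxyBypassed = $proxy.IsBypassed($uri)   # False: traffic to the server goes via the proxy
        ProxyForUri   = $proxy.GetProxy($uri)     # equals the target URI when no proxy applies
        Tcp443Open    = $tcp.TcpTestSucceeded
    }
}

# Reads the registry on this client. To test the parser with the article's sample value:
# Test-PgpServerPath -Stamp 'ovid=keys.example.com&mail=*&admin=1'
Test-PgpServerPath
```

A result with Tcp443Open True and ProxyBypassed False matches the case described above, where the port is reachable but traffic is still routed through the proxy, so the proxy exception list is the next thing to check.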