Symantec Encryption Management Server (SEMS) has cluster technology, which allows data replication to each node.  Part of this cluster functionality is DMZ mode when the cluster node is placed in the DMZ network.  Because servers in the DMZ are accessible to the public, DMZ mode has a feature to disable the management of Private keys.  Disabling Private Keys on DMZ cluster nodes changes the way enrollment and policy updates can happen.

Disabling the Host Private keys option from Symantec Encryption Management Server will prevent it from running certain services--one such service is enrollment. Because the enrollment process involves private keys, enrolling clients to DMZ nodes not hosting private keys must not be done (both Symantec Encryption Desktop, and Mobile Devices).  Enrolling to DMZ nodes not hosting private keys, can have negative consequences, including, but not limited to, keymodes changing w/out warning, which can cause the managed keys to become unusable.  Take special care to not enroll to these nodes and enroll only to nodes which host private keys.

The following should be considered when enrolling mobile devices to servers when DMZ nodes are part of the cluster and Private Keys are not being hosted:

1. Enrolling users with an internal node is required if these are the only nodes which host Private keys.  Enrolling to these nodes can be done when on the internal wireless network. If the user cannot be on the internal wireless network, use a VPN client on the device to virtually connect to the internal network.
2. Policy updates from the client devices should be considered carefully.  Symantec Encryption Desktop and mobile devices should not be allowed to update policy from a DMZ node as not hosting private keys can cause keymodes to change (such as SKM keys getting converted to GKM without notice).

Contact Support if further guidance is needed to enroll servers to DMZ nodes not hosting Private Keys.