Connection not available error when setting up Mobile Encryption for iOS with Encryption Management Server

Article ID: 172779

Products

Encryption Management Server, Mobile Encryption for iOS

Issue/Introduction

When trying to set up Mobile Encryption for iOS, you receive a "Connection not available" error after entering the Server name, User name and Password.

The error message is as follows, where keys.example.com is the Server name that you specify on the Setup page:

Symantec Mobile Encryption for iOS is unable to contact your organization's Symantec Encryption Management Server, keys.example.com
Connection not available

Cause

Just like the Symantec Encryption Desktop client, the Mobile Encryption for iOS client needs to connect to Encryption Management Server in order to: 

  1. Enroll the user.
  2. Download the user's policy.
  3. Download the user's private key.
  4. Look up public keys for other users.

Mobile Encryption for iOS must therefore be able to make an HTTPS connection to the server name that you specify on the Setup page. The setup process for iOS clients is equivalent to the enrollment process of Encryption Desktop clients. The difference is that the iOS clients enroll over the Internet.

Environment

  • Symantec Mobile Encryption for iOS 2.0 and above.
  • Symantec Encryption Management Server 3.3.2 MP13 and above.

Resolution

Please ensure that the following requirements are met:

  1. The Server name on the Setup page is a fully qualified domain name (FQDN). For example, keys.example.com.
  2. The FQDN resolves to a public IP address so that iOS users can connect from the Internet.
  3. The FQDN maps to the interface on Encryption Management Server that is associated with an SSL certificate that matches the FQDN.
  4. The iOS device trusts the certificates in the certificate chain of the Encryption Management Server certificate. This is particularly important if the Encryption Management Server certificate is issued by your internal certificate authority. Note that iOS clients will still be able to enroll with Encryption Management Server if they do not trust the server certificate chain, but they will receive a warning.
  5. For initial enrollment at least, the Encryption Management Server to which the iOS clients connect hosts the private keys of internal users. This is important if the FQDN points to a cluster member that is in DMZ mode because it is optional whether DMZ cluster members host private keys.
  6. The Encryption Management Server is configured to enroll clients using directory authentication. This is so that Encryption Management Server can validate the User name and Password of the iOS user at the time of enrollment.
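
A preflight check for requirements 1 to 4, as an added example that is not part of the original article or of any Symantec tooling. The function names are hypothetical, and the TLS check uses the trust store of the machine running it, which may differ from that of the iOS device.

```python
import ipaddress
import re
import socket
import ssl

LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_fqdn(name):
    """Requirement 1: a dotted DNS name, not a short host name or an IP literal."""
    name = name.rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or len(name) > 253 or labels[-1].isdigit():
        return False
    return all(LABEL.match(label) for label in labels)

def resolve(host):
    """Addresses the name resolves to from where this script runs."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def non_public(addresses):
    """Requirement 2: addresses an Internet-connected iOS device could not reach."""
    return [a for a in addresses if not ipaddress.ip_address(a).is_global]

def tls_check(host, port=443, timeout=5):
    """Requirements 3 and 4: certificate matches the FQDN and the chain is trusted.
    Assumption: this machine's trust store stands in for the iOS device's."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return f"certificate check failed: {exc.verify_message}"
    except OSError as exc:
        return f"HTTPS connection failed: {exc}"

def preflight(host, resolve=resolve, tls_check=tls_check):
    """Return a list of findings; an empty list means requirements 1-4 look met."""
    if not is_fqdn(host):
        return [f"{host!r} is not a fully qualified domain name"]
    try:
        addresses = resolve(host)
    except OSError as exc:
        return [f"DNS lookup failed: {exc}"]
    findings = [f"{a} is not a public address" for a in non_public(addresses)]
    problem = tls_check(host)
    return findings + ([problem] if problem else [])
```

Call `preflight("keys.example.com")` with your own server name from a network outside the organization, so that DNS returns the answer an Internet-connected iOS device would receive.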

Note that if you wish, you can host Web Email Protection and enroll iOS clients using the same interface of an Encryption Management Server.

If you wish to increase security, consider pointing the iOS clients to a firewall or proxy server that allows only connections containing the following connection string:

POST /pgpuniversaldesktop