HOW TO: Configure 2.0.6 Proxy Settings after PGP Universal 2.5.x upgrade


Article ID: 180153

Products

Symantec Products


Resolution


This article discusses how to configure 2.0.6 proxy settings in PGP Universal 2.5.x if needed.



Reproducing 2.0.6 Proxy Settings

Some of the settings that in previous versions of PGP Universal Server were controlled through the Mail Proxies card are now managed on the Mail Policy card. 

While your current settings will be automatically reproduced during upgrade, you may need to change those settings. The following section explains how the old proxy settings appear in the new mail policy rules.


Setting: Always Encrypt Internal Mail

PGP Universal Server 2.0.6 provided a setting to always encrypt internal mail. This setting is now replicated through the No Encryption for Regular Internal Users rule on the Outbound chain. When you migrate from PGP Universal Server 2.0.6, if you previously enabled the Always Encrypt Internal Mail setting, the No Encryption for Regular Internal Users rule will automatically be disabled. 

When a PGP Universal Server in a Gateway placement is a member of a cluster or is the only PGP Universal Server in your environment, messages between internal users whose keys are managed by the PGP Universal Server are not encrypted. Enabling the No Encryption for Regular Internal Users rule allows this. This setup ensures everyone is able to read mail sent to them, because in an environment where a PGP Universal Server manages all keys, not every internal user will have PGP Universal Satellite or PGP Desktop installed. Thus, it is sometimes necessary to set the security boundary at the gateway while allowing client-managed keys for selective internal security. 

However, if you intend to apply policies via Directory Synchronization and/or deploy PGP Universal Satellite internally to all server-managed key users, you should disable the No Encryption for Regular Internal Users rule to encrypt all internal mail between your users. If you do disable this rule, you must make sure that all of your internal users not disabled via Directory Synchronization are either running PGP Universal Satellite or receiving mail through PGP Universal Server directly over POP/IMAP. Disabling this rule allows you to enforce encryption of all internal mail without having to create a policy for each managed domain.



Setting: Applying Mail Policy for Authenticated Connections Only

The PGP Universal Server 2.0.6 Mail/Proxies SMTP Inbound or Unified proxy card had a setting called Apply mail policy for authenticated connections only. This setting is now controlled by mail policy through a rule that requires authentication, based on the IP information for internal or external proxy connectors. The appropriate rules replicating your proxy settings are created during migration.

The 2.0.6 setting allows only mail sent from an authenticated client connection to have mail policy applied to it. Disabling the setting allows policy to be applied to all received mail. 

The Apply Outbound policy for authenticated SMTP connections rule replicates the setting for inbound email and allows outbound mail policies to be applied to traffic coming in from the Internet if the user can authenticate to the mail server. Without this rule, all connections to an inbound proxy are considered inbound, and policy is not applied. With this rule, if your users authenticate, PGP Universal Server applies policy to any authenticated connection just as if the user were connecting to an Outbound SMTP proxy.

This rule is useful if you have users on the local mail server who want to access it from a remote location: a salesperson on a sales call or an engineer at a conference, for example.

The Passthrough If User Did Not Authenticate rule replicates the setting for outbound mail. Only mail sent from an authenticated client connection will have policies applied to it. If this rule is disabled, policy will be applied to all received mail. For an internal placement, where mail is coming to the PGP Universal Server directly from your internal email users, this rule should be enabled.

For a gateway placement, where mail is coming to the PGP Universal Server from the mail server, disabling this rule allows the mail server to pass the mail along to the PGP Universal Server where the applicable policies will be applied. In this case, make sure that access to this proxy is restricted to trusted mail servers. 

PGP Universal Server preserves your setting choices during migration as the Passthrough If User Did Not Authenticate rule on the Outbound chain and the Apply Outbound policy for authenticated SMTP connections rule on the Inbound chain. The Outbound rule matches the Outbound and Unified SMTP proxy setting, and the Inbound rule matches the Inbound and Unified SMTP proxy setting. If you did not have Apply mail policy for authenticated connections only enforced, the rule will be installed disabled. 

The upgrade process automatically migrates your proxy settings and creates these new rules for you, so you do not need to create them. However, you may at some point want to edit the rules, or add cluster members and create new rules specific to them. The following procedure explains how to create the rules, if necessary.

For outbound mail:

1) To replicate the Apply mail policy for authenticated connections only setting as a rule applied to outbound mail, create a new rule on the Outbound chain, and name it Passthrough If User Did Not Authenticate.

2) Create the following condition in the new rule: 

Create as many IP address and port conditions as necessary to replicate the proxy local connectors. In the above example, the IP address and port information match the proxy connector interfaces for a Unified SMTP proxy. If you want the rule to apply to all outbound messages, do not specify IP addresses or ports. If you want the rule to apply only to outbound messages from specific local connectors, make sure to add the IP address and port for each local connector you want the rule to apply to.

3) Create the following action on the rule: 

4) Place the rule at the top of the Outbound chain.

For inbound mail:

1) To replicate the Apply mail policy for authenticated connections only setting as a rule applied to inbound mail, create a new rule on the Inbound chain, and call it Apply Outbound policy for authenticated SMTP connections.

2) Add the following condition to the new rule: 

Create as many IP address and port conditions as necessary to replicate the proxy local connectors. If you want the rule to apply to all inbound messages, do not specify IP addresses or ports. If you want the rule to apply only to inbound messages from specific local connectors, make sure to add the IP address and port for each local connector you want the rule to apply to.

3) Create the following action on the rule:

4) Renumber the rule to move it to the top of the Inbound chain.

Refer to the PGP Universal Server Administrator's Guide for more information about mail proxies.



Setting: Decrypting Email upon Receipt

The PGP Universal Server 2.0.6 Mail/Proxies SMTP proxy card had a setting called Decrypt upon receipt. This setting is now controlled through the mail policy. 

PGP Universal Server preserves your setting choices during migration through the Decrypt Message (SMTP) and Decrypt Message (non-SMTP) rules on the Inbound chain. If you previously chose not to have email decrypted on receipt, the Decrypt Message (SMTP) rule will be installed disabled.

Decrypting email upon receipt means that mail will be decrypted prior to being sent to the internal mail server. If the rule is disabled, mail passes through without being decrypted. 


Note: If the recipient is a PGP Desktop CKM, GKM, or SCKM user, email will not be decrypted before delivery because the PGP Universal Server does not have access to a decryption key.


This is useful if you have PGP Universal Servers in both internal and gateway placements, where the server in the internal placement processes mail and the server in the gateway placement provides other services, such as PGP Universal Web Messenger. In that scenario, disable the Decrypt Messages rule for the local connectors on the server in the gateway placement; mail then passes through unprocessed to the server in the internal placement, where it is processed.

If you want the rule to apply to email from all local connector proxies, the rule should not specify the IP address and port number for any specific proxy. If you want to decrypt or not decrypt inbound email from only certain connectors, you can add those local connectors to the rule.

The upgrade process automatically migrates your proxy settings and creates these new rules for you, so you do not need to create them. However, you may at some point want to edit the rules, or add cluster members and create new rules specific to them. The following example demonstrates how the rules should appear. In the example, all inbound messages except ones from the specified SMTP local connector will be decrypted upon receipt. 


Setting: Enable AntiVirus Checking

If you had multiple proxies and only had AntiVirus scanning enabled on some of them, you will need to edit the Scan for Viruses rule after migration. The mail policy Scan for Viruses rule enables virus scanning on all outbound email. If you do not want certain outbound email scanned for viruses, you will need to edit the rule to exclude those local connectors.

In the following example, each IP address/port pair is bound into a local connector by the condition modifier If all of the following are true. The local connectors are then grouped by the condition modifier If any of the following are true, which tells PGP Universal Server that a match on any one of the local connectors is a condition match. Finally, the entire group is wrapped in If none of the following are true, so mail from any local connector that is not on the list is scanned for viruses, and mail from any local connector on the list is not scanned.
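As an added illustration (not part of this article and not Symantec's product code), the following Python models how the three condition modifiers nest for the Scan for Viruses exclusion above, and how the Passthrough If User Did Not Authenticate rule from the earlier outbound procedure sits above it on the Outbound chain. The connector IP addresses and ports are constructed sample values, and treating a Passthrough action as ending policy processing for that message is a modelling assumption.

```python
# Added model (not Symantec's code) of how PGP Universal mail policy condition
# modifiers and rule order combine. Connector IPs/ports are constructed sample
# values; the rule names are the ones the article uses.
from dataclasses import dataclass

@dataclass
class Message:
    connector_ip: str    # local connector the message arrived on
    connector_port: int
    authenticated: bool  # did the client authenticate to the proxy?

# The three condition modifiers offered on the Mail Policy card.
def all_of(*conds):
    return lambda m: all(c(m) for c in conds)

def any_of(*conds):
    return lambda m: any(c(m) for c in conds)

def none_of(*conds):
    return lambda m: not any(c(m) for c in conds)

def local_connector(ip, port):
    # One local connector: its IP and port bound by "If all of the following are true".
    return all_of(lambda m: m.connector_ip == ip, lambda m: m.connector_port == port)

def not_authenticated(m):
    return not m.authenticated

def run_chain(chain, msg):
    # Rules are (name, condition, action) and are walked top to bottom.
    # Assumption: a Passthrough action ends policy processing for that message.
    fired = []
    for _name, cond, action in chain:
        if cond(msg):
            fired.append(action)
            if action == "Passthrough":
                break
    return fired

EXCLUDED = [("192.0.2.10", 25), ("192.0.2.11", 587)]  # constructed connector list
OUTBOUND_CHAIN = [
    # Top of the Outbound chain; no IP/port given, so it covers all outbound mail.
    ("Passthrough If User Did Not Authenticate", not_authenticated, "Passthrough"),
    # Scan for Viruses with the exclusion list: none_of(any_of(all_of(ip, port), ...)).
    ("Scan for Viruses",
     none_of(any_of(*(local_connector(ip, p) for ip, p in EXCLUDED))),
     "Scan for viruses"),
]

def actions_for(ip, port, authenticated):
    # Actions the chain applies to a message from the given connector.
    return run_chain(OUTBOUND_CHAIN, Message(ip, port, authenticated))
```

Mail arriving on a listed connector (matching both IP and port) is left unscanned, mail matching only one of the two is still scanned, and unauthenticated connections are passed through before the scan rule is reached.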