Downloading the PGP Encryption Desktop (Symantec Encryption Desktop) Client Installers from the PGP Encryption Server (Symantec Encryption Management Server)


Article ID: 180244


Updated On: 08-13-2024

Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP Command Line, PGP SDK

Issue/Introduction

The PGP Encryption Server (Symantec Encryption Management Server) has the capability to download the PGP Encryption Desktop client. A "Managed" (also called "Customized") client can be created that communicates with the PGP Encryption Server to receive its policies.

There is also the capability to download a "Standalone" (or "Unmanaged") client from the PGP Encryption Server that does not communicate with it.

This document goes over both scenarios.

For information on policies, see the following article:

153564 - Creating PGP Desktop Client Policies on Symantec Encryption Management Server (PGP Server) Consumer Policies

Resolution

The PGP Encryption Server (Symantec Encryption Management Server) manages all of the PGP Encryption Desktop (Symantec Encryption Desktop) clients that are deployed to the environment.  

You create the PGP Encryption Desktop client installers with the features and settings that support your organization's security requirements and then deploy those client installers to your end users. 

The PGP Server allows you to create two client installer types: Auto-Detect Policy and Preset Policy.

The former is the most widely used and recommended option.

Section 1 of 6: Creating an Installer with Auto-Detect Policy (Recommended Method)

The Auto-Detect Policy option means that when the user enrolls with the server, the policy is automatically applied.  This is the best option to use if Directory Synchronization is being used to enroll clients. 

    1. Login to the Encryption Management Server administrative interface.

    2. Click Consumers, and then click Groups.

    3. On the Groups page, click the Download Client button at the bottom.

      The Download Symantec Encryption Clients screen will then be displayed.




      Important Note: For the PGP Desktop client to be able to enroll and communicate with the PGP Server, the "Customize" box must be checked.
      Starting with PGP Encryption Server version 11, this check box is activated by default.

      When you check the "Customize" box, the server creates a client that will communicate directly with your own PGP server using a unique FQDN.
      If you do not check the Customize option, a standalone client is downloaded, and you will not get the usual enrollment wizard that binds your PGP Client to the PGP server.
      This is a critical step if you wish to have your PGP Client managed by the PGP Server.

      If you want Standalone, leave the box unchecked, and you will be prompted for the usual standalone setup, which requires a license number to be entered.
      (EPG-27233)

    4. In the Client field, select Symantec Encryption Desktop.

    5. In the Platform field, select Mac OS X, Linux 32-Bit, Linux 64-Bit, Windows 32-bit or Windows 64-bit as appropriate.

    6. Reminder: As mentioned above, make sure the Customize check box is selected.
      If it is not checked, a "Standalone/Unmanaged" client is created that will not communicate with the PGP Server.
      If you choose that option, the user is in charge of managing their own license number, PGP keys, etc.
      This is not typically desired, so checking the box creates the proper managed client.

      Select Auto-detect Policy.

    7. In the Symantec Encryption Server field, type the Encryption Management Server you want the application to interact with.
      The Encryption Management Server you are using to create the installer is listed by default.


___________________________________________________________________________________________________

 

 

Section 2 of 6: Load Balancers - TLS Passthrough VS TLS Renegotiation, Wildcard Certificate VS Single FQDN Certificate:

If you are using a Load Balancer to route communications to the PGP server, enter the FQDN the Load Balancer will be using.
For example, if you have two PGP Servers, one called "pgp01.example.com" and the other "pgp02.example.com", you will want to use a name that resolves to the Load Balancer.
The Load Balancer will then redirect traffic to one of the two servers in question.

In one example, the Load Balancer FQDN could be named "keys.example.com". When you build the PGP client, enter this hostname and it is assigned to the installer package as the "PGPSTAMP", which is the FQDN of the PGP Server. Post install, when the PGP client attempts to check in, it resolves the PGPSTAMP value ("keys.example.com"), which points to the Load Balancer.

At this point, you will need to consider how the TLS communications should behave.

Because the PGPSTAMP is pointing to "keys.example.com", the TLS certificate being used for the interface should also match "keys.example.com", whether it is the PGP Server that presents the TLS certificate or the Load Balancer. 


TLS Passthrough

If you are using the "passthrough" method on the Load Balancer, meaning the Load Balancer will not be presenting any certificates for the TLS connection and is simply sending to one of the two PGP Servers, ensure the certificate that is being used matches the same FQDN used to create the client.  

If the TLS certificate presented by the servers is created for their own names "pgp01" and "pgp02" rather than for "keys.example.com", then the PGP client is going to produce a certificate warning. To avoid this scenario, you can use a wildcard certificate so that regardless of the hostname of the PGP server, as long as the domain is the same, the certificate warning will not show. For example, the hostnames "pgp01.example.com" and "pgp02.example.com" will not produce a certificate warning if a wildcard certificate for "*.example.com" was created.

Optionally, if a wildcard certificate is not possible, you can add Subject Alternative Name (SAN) entries to the certificate for each PGP server and for the Load Balancer FQDN.


TLS Renegotiation

If a wildcard certificate is not being used and Subject Alternative Name (SAN) entries are not available, then Symantec recommends creating the certificate for "keys.example.com", assigning that certificate to the Load Balancer, and having the Load Balancer terminate TLS and open its own TLS connection to the PGP servers (referred to here as TLS renegotiation). All the PGP clients will connect with TLS via the Load Balancer, and the Load Balancer will renegotiate to the PGP servers. The PGP clients will not be aware of the TLS connection being made from the Load Balancer to the PGP servers if TLS renegotiation/TLS termination is being done on the Load Balancer, which should avoid any TLS pop-ups.

Caution: If you are using an Internal CA, ensure the Root and Intermediate certificates are uploaded to the Trusted Keys section on the PGP Encryption Server and are fully trusted. In some cases using an internal CA, you may need to specifically assign the server certificate to be trusted. In other words, some environments will not accept any certificate unless it was specifically added, even if it is signed by a trusted Internal CA, so it is a good idea to test this thoroughly before deploying to the entire organization.

For more information on PGP and Load Balancers, see the following article: 
156803 - Using DNS Round Robin and Load Balancers with Encryption Management Server
___________________________________________________________________________________________________

 

    8. In the Mail Server Binding field, the * wildcard character is the default setting. The client will bind automatically to any mail server. Mail policy will be enforced for any mail server to which the client connects. You can also use the wildcard as follows: *, *.example.com, and example.*.com. Customized client installations will not work without mail server binding.

    9. Click Download.

    10. When prompted, select a location and click Save.

    11. Distribute the Encryption Desktop installer to your users and have them install it on their systems. Once installed, Encryption Desktop coordinates with the Encryption Management Server and associates the user to the correct user policy.


      Note: In the Mail Server Binding, you can type the name of a specific mail server you want bound to that PGP Encryption Server.
      You must have a mail server defined unless your users read mail directly from the PGP Encryption Server via POP or IMAP, which would be rare.
      Using the * will typically be sufficient for most environments. If you are unsure,  reach out to Symantec Encryption Support for further guidance. 

 

Once the PGP client is installed on the machine, you can see which customized URL was used by going to the following location in the registry and making note of the "PGPSTAMP" value shown:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\PGP Corporation\PGP

PGPSTAMP: ovid=keys.example.com&mail=*&admin=1

In the above example, you can see which FQDN was used to create the client.
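The following is an added example (not part of this article or of the PGP product) that parses a PGPSTAMP value like the one above and checks, for the TLS passthrough scenario of Section 2, whether each backend server's certificate names would cover the FQDN the client connects to. The backend hostnames and certificate names are constructed sample data.

```python
from urllib.parse import parse_qs

# Constructed sample: the PGPSTAMP registry value shown in this article.
PGPSTAMP = "ovid=keys.example.com&mail=*&admin=1"


def parse_pgpstamp(stamp):
    """Split a PGPSTAMP string into its ovid / mail / admin fields."""
    fields = {k: v[0] for k, v in parse_qs(stamp, keep_blank_values=True).items()}
    missing = {"ovid", "mail", "admin"} - fields.keys()
    if missing:
        raise ValueError("PGPSTAMP is missing fields: %s" % sorted(missing))
    return fields


def name_matches(hostname, cert_name):
    """True if a certificate name (CN or SAN) covers hostname.
    A wildcard is honoured only as the entire leftmost label, so
    *.example.com covers pgp01.example.com but not example.com or
    a.b.example.com (the usual browser/RFC 6125 behaviour)."""
    hostname, cert_name = hostname.lower(), cert_name.lower()
    if cert_name.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == cert_name[2:]
    return hostname == cert_name


def certificate_covers(hostname, cert_names):
    return any(name_matches(hostname, n) for n in cert_names)


def check_passthrough(stamp, backend_certs):
    """With TLS passthrough the client sees the backend's own certificate
    while it connected to the ovid FQDN, so that FQDN must be covered by
    every backend's certificate names. backend_certs maps a backend
    hostname to the list of names in its certificate (constructed data)."""
    ovid = parse_pgpstamp(stamp)["ovid"]
    return {backend: certificate_covers(ovid, names)
            for backend, names in backend_certs.items()}


if __name__ == "__main__":
    # Assumed lab: two backends, one with a per-host cert, one with a wildcard.
    result = check_passthrough(PGPSTAMP, {
        "pgp01.example.com": ["pgp01.example.com"],          # warning expected
        "pgp02.example.com": ["*.example.com"],              # no warning
    })
    for backend, ok in result.items():
        print(backend, "OK" if ok else "certificate warning expected")
```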

 

 

Section 3 of 6: Creating an Installer with Preset Policy

 

Tip: Use Preset Policy *only if* Directory Synchronization is not being used. 
Auto-Detect Policy is the recommended method for all client downloads.

    1. Login to the PGP Encryption Server administrative interface.

    2. Click Consumers.

    3. On the Groups card, click Download Client. The Download Encryption Clients screen is displayed.

    4. In the Client field, select Symantec Encryption Desktop.

    5. In the Platform field, select Mac OS X, Linux 32-Bit, Linux 64-Bit, Windows 32-bit or Windows 64-bit as appropriate.

    6. Make sure the Customize check box is selected.

    7. Select Preset Policy, then select the policy you want your PGP Encryption Desktop users to be linked to from the drop-down menu.
      If you have not created any custom user policies, then the only entry in the drop-down menu is Default.
       

      Note: You can also select to Embed Policy into the installer. In this use case, there will never be a connection between the client and the server.

      The client never receives any updated policy information from PGP Encryption Server, even if the policy is updated on the server side.

      This is available in PGP Encryption Desktop for Windows only.  See the following article for more information on this feature:

      153203 - What is the Embed Policy Option for Symantec Encryption Desktop Configured Installations?

      Tip: If you have clients that need to be encrypted with Drive Encryption and will never communicate with the PGP server, it is recommended to use "Symantec Endpoint Encryption".
      Symantec Endpoint Encryption uses a beneficial feature, "Connectionless" recovery, so there is no connectivity needed for recovery keys to be possible. 
      If you own a license for PGP Drive Encryption, you are entitled to use the SEE Drive Encryption instead.  Reach out to Symantec Encryption Support for further assistance on this. 

      To download Symantec Endpoint Encryption, see the following article:

      193931 - How to download Symantec Encryption products from the Broadcom download Portal (And where to find the license number for PGP)

       
    8. In the Symantec Encryption Server field, type the PGP Encryption Server hostname you want the application to interact with.
      The PGP Encryption Server you are using to create the installer is listed by default.

    9. In the Mail Server Binding field, the * wildcard character is the default setting. The client will bind automatically to any mail server.
      Mail policy will be enforced for any mail server to which the client connects.
      You can also use the wildcard as follows: *, *.example.com, and example.*.com. Customized client installations will not work without mail server binding.

 

Note: In the Mail Server Binding, you can type the name of a specific mail server you want bound to that Encryption Management Server.
You must have a mail server defined unless your users read mail directly from the Encryption Management Server via POP or IMAP.

 

    10. Click Download.
    11. When prompted, select a location and click Save.
    12. Distribute the Encryption Desktop installer to your users and have them install it on their systems. Once installed, Encryption Desktop coordinates with the Encryption Management Server and associates the user to the correct user policy.

 

 

Section 4 of 6: Troubleshooting:

If you download the client and the operating system complains that the installation package is not valid, this is normal and expected behavior.

The errors may be similar to the following:

"The signature of PGPDesktop.msi is corrupt or invalid"

"PGPDesktop.msi isn't commonly downloaded.  Make sure you trust PGPDesktop.msi"

"Microsoft Defender SmartScreen couldn't verify if this file is safe because it isn't commonly downloaded"

"Microsoft Defender SmartScreen prevented an unrecognized app from starting"

When checking the Digital Certificate on the PGP installer to see if the certificate is valid, it may show as not valid.

The reason for all of the above messages is the file is being built from a "template" PGPDesktop.msi file.  The template file "PGPDesktop.msi" is digitally signed.

If you do not customize the PGPDesktop.msi, you can compare the certificates and they will all match.

When the template is customized by wrapping the custom PGP Server name into it, along with some other items such as Trusted Keys, the file is modified slightly, which invalidates the original signature.

These are the only modifications made to this installer, and it is completely safe to deploy to your environment.

For further guidance on this topic, reach out to Symantec Encryption Support.
EPG-30036

 

 

Section 5 of 6: Trusted Keys on the PGP Server Causing Download Challenges

We have seen some issues after migrations where the PGP Desktop client does not download after checking the "Customize" box.
If you do not check the Customize box, the download works fine. For more details on this, see the following KB article:

172547 - Missing PGPtrustedcerts.asc file in Encryption Desktop client installer (String too long) - Trusted Keys Duplicated

EPG-28298

 

 

Section 6 of 6: Downloading the "Standalone" or "Unmanaged" client from the PGP Encryption Server

If you have a requirement to create a PGP Encryption Desktop client that will never communicate with the PGP Encryption Server, you can download the client after unchecking the Customize box.


When you download this client from the PGP Encryption Server, the end user will need to enter their own license number, as well as control their own policy.
This gives the end user full control of the client, which is not typically recommended for larger organizations.

Starting with PGP Encryption Desktop version 11, it is no longer possible to download the client from the Broadcom Download Portal.

If you are unsure whether Standalone is the best option, reach out to Symantec Encryption Support for further guidance.

There is also the "Embed Policy" feature, but it has some limitations you will want to be aware of.

Additional Information