
When Encryption Management Server requires more than one network interface


Article ID: 214686


Products

Encryption Management Server
Encryption Management Server Powered by PGP Technology
Gateway Email Encryption
Gateway Email Encryption Powered by PGP Technology

Issue/Introduction

Determining how many network interfaces Encryption Management Server requires depends largely on how many TLS certificates it needs.

In a clustered environment, each cluster member requires a TLS certificate. Usually, each certificate has a CN (Common Name) that matches the hostname of the server.

If Encryption Desktop clients are connecting to the cluster then another certificate will be installed on each cluster member. This certificate will have a CN that matches the DNS name that the Encryption Desktop clients connect to.

Therefore, a clustered environment usually requires a minimum of two certificates.

If services such as Web Email Protection are enabled, a third certificate is usually required. The CN of this certificate will match the public DNS name that the external users connect to.

Likewise, if the Keyserver service is enabled and connections are accepted over LDAPS, a certificate will be required.

Environment

Symantec Encryption Management Server 3.4.2 and above.

Resolution

Few environments will be exactly the same, so there are no hard and fast rules.

Within Encryption Management Server network settings, a TLS certificate is associated with a Network Interface and each Network Interface has a different IP address.

Each Interface is associated with a Physical Adapter but more than one Interface can be associated with the same Physical Adapter.

For example, Interface 1 and Interface 2 can both be associated with eth0, and each can have its own certificate and IP address.

In addition, certificates support SAN (Subject Alternative Name) so one certificate can be used for multiple services.

Generally, two Interfaces are recommended for a clustered environment. Each Interface can be associated with a single Physical Adapter. Generally, Interface 1 will be used for replication and Interface 2 for client connections. The administration console will run on Interface 1. Internally issued certificates can be used for these purposes.

SMTP using TLS can run on any Interface and can co-exist with other services such as replication and client connections. To separate inbound from outbound SMTP traffic, two Interfaces will be needed, and each will need its own certificate.

If Web Email Protection or the LDAPS Keyserver service is enabled then a certificate issued by a public Certificate Authority will be required. This certificate will usually need to be associated with its own Interface.
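The rule running through this article, that the certificate bound to an Interface must carry a CN (or a SAN entry) matching the DNS name the relevant clients connect through, can be checked mechanically before and after a deployment. The following is an added example, not part of this article or of the product: it takes certificate details in the shape returned by Python's `ssl.SSLSocket.getpeercert()` and a constructed three-Interface plan (the Interface labels, hostnames and IP addresses are assumed, not taken from any real deployment) and reports every Interface whose certificate fails to cover a name it must serve. The `fetch_cert` helper is how the same check would be fed from a live Interface; it is not exercised here.

```python
import socket
import ssl


def cert_names(cert):
    """Return (commonName, [DNS SANs]) from a dict shaped like getpeercert()."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cn, sans


def name_matches(pattern, hostname):
    """RFC 6125 style comparison: exact match, or one wildcard as the leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard covers exactly one label, and never something as broad as "*.com".
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert, hostname):
    """True if the certificate is valid for hostname; DNS SANs take precedence over the CN."""
    cn, sans = cert_names(cert)
    candidates = sans if sans else ([cn] if cn else [])
    return any(name_matches(candidate, hostname) for candidate in candidates)


def audit(plan):
    """Map each Interface to the hostnames its bound certificate does not cover."""
    return {
        name: [host for host in spec["must_serve"] if not cert_covers(spec["cert"], host)]
        for name, spec in plan.items()
    }


def fetch_cert(ip, port, cafile):
    """Live variant (not exercised here): fetch what an Interface actually serves.

    The chain must validate against cafile (the internal or public CA), otherwise
    getpeercert() returns an empty dict; hostname checking is left to cert_covers().
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()


def subject(cn):
    """Build a getpeercert()-style subject containing only a commonName."""
    return ((("commonName", cn),),)


# Constructed plan following the article's layout; every name and address is assumed.
PLAN = {
    "Interface 1 (eth0, replication and admin console)": {
        "ip": "10.10.1.20",
        "cert": {"subject": subject("sem1.corp.example")},
        "must_serve": ["sem1.corp.example"],
    },
    "Interface 2 (eth0, Encryption Desktop clients)": {
        "ip": "10.10.1.21",
        # Mistake to catch: the CN is the server hostname, not the name clients use.
        "cert": {"subject": subject("sem1.corp.example")},
        "must_serve": ["desktop.corp.example"],
    },
    "Interface 3 (eth1, Web Email Protection and LDAPS Keyserver, public CA)": {
        "ip": "203.0.113.20",
        # One SAN certificate covering two services, as the article describes.
        "cert": {
            "subject": subject("securemail.example.com"),
            "subjectAltName": (("DNS", "securemail.example.com"), ("DNS", "keyserver.example.com")),
        },
        "must_serve": ["securemail.example.com", "keyserver.example.com"],
    },
}

if __name__ == "__main__":
    for name, missing in audit(PLAN).items():
        print(name, "OK" if not missing else f"certificate does not cover {missing}")
```

Running the script flags Interface 2 only: its certificate names the server rather than the DNS name Encryption Desktop clients use, which is exactly the second certificate the article says each cluster member needs. The SAN certificate on Interface 3 passes for both services, illustrating the point that one public certificate can serve Web Email Protection and the LDAPS Keyserver together.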

If more than one Physical Adapter is used, each adapter must be on a separate subnet to avoid routing issues. If more than one subnet is being used, manual routing files will need to be created because there can only ever be one default gateway. If possible, therefore, use only one Physical Adapter to avoid routing complexity. If manual routing is unavoidable, host Web Email Protection on the highest numbered Physical Adapter and route that adapter through the default gateway.
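The routing constraints in the preceding paragraph (separate subnets per Physical Adapter, a single default gateway, manual routes for everything else) are easy to get wrong by hand. The following is an added example, not part of this article or of the product, and the article does not describe the format of the server's manual routing files: it validates a constructed two-adapter layout (addresses and destination networks are assumed) with Python's `ipaddress` module, puts the default route on the highest numbered adapter as the article recommends, and emits the equivalent Linux `ip route` commands for the internal networks that must still go out through the lower numbered adapter.

```python
import ipaddress
import re

# Constructed layout (assumed addresses): two Physical Adapters on separate subnets.
# eth1 hosts Web Email Protection and therefore carries the default route.
ADAPTERS = [
    {"name": "eth0", "address": "10.10.1.20/24", "gateway": "10.10.1.1",
     "reaches": ["10.0.0.0/8"]},      # internal clients and cluster peers
    {"name": "eth1", "address": "203.0.113.20/24", "gateway": "203.0.113.1",
     "reaches": []},                  # external users via the default gateway
]


def adapter_index(adapter):
    """Numeric part of the adapter name, so eth1 sorts above eth0."""
    return int(re.sub(r"\D", "", adapter["name"]) or 0)


def validate(adapters):
    """Raise ValueError on overlapping subnets or a gateway outside its own subnet."""
    seen = []
    for adapter in adapters:
        net = ipaddress.ip_interface(adapter["address"]).network
        gateway = ipaddress.ip_address(adapter["gateway"])
        if gateway not in net:
            raise ValueError(f"{adapter['name']}: gateway {gateway} is not in {net}")
        for other_name, other_net in seen:
            if net.overlaps(other_net):
                raise ValueError(f"{adapter['name']} and {other_name} overlap: {net} / {other_net}")
        seen.append((adapter["name"], net))


def route_commands(adapters):
    """Return the ip route commands for the layout; exactly one default gateway."""
    validate(adapters)
    default = max(adapters, key=adapter_index)
    commands = [f"ip route replace default via {default['gateway']} dev {default['name']}"]
    for adapter in adapters:
        if adapter is default:
            continue
        # Networks behind the non-default adapter need explicit routes, otherwise
        # replies to them would leave through the default gateway on the other adapter.
        for dest in adapter["reaches"]:
            net = ipaddress.ip_network(dest)
            commands.append(f"ip route replace {net} via {adapter['gateway']} dev {adapter['name']}")
    return commands


if __name__ == "__main__":
    print("\n".join(route_commands(ADAPTERS)))
```

The overlap check is the part worth keeping even if the route syntax on the appliance differs: two adapters on the same subnet is the configuration the article warns about, and `validate` refuses it before any route is written.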