There are three types of PGP Encryption Server cluster members (Symantec Encryption Management Server):
Encryption Desktop clients should only ever connect to Internal cluster members.
Symantec Encryption Management Server and Encryption Desktop release 10.5 and above.
If your organization uses a DNS name such as keys.example.com for its Internal cluster members and Encryption Desktop clients enroll to that name, please ensure that this DNS name does not resolve to the IP address of a DMZ cluster member without private keys.
This is because if Encryption Desktop uploads its key to a DMZ cluster member without private keys, the user's key on the server will become corrupted. This will be apparent if SKM mode keys on Encryption Management Server change to what appear to be GKM mode keys.