This article will provide information on Server Roles and how to support multiple domains with SEE Management Server.
For more information on Server Roles, see the following article:
214027 - Symantec Endpoint Encryption Admin Server Roles and Server Roles Report
SEEMS Configuration Manager - Server Roles:
The following are items that you should ensure are configured to support multiple domains within the SEE Management Server:
Section 1 of 5: Prerequisites:
*The domains are assumed to have FULL TRUST between each other.
*There needs to be a read-only account configured that will have read access to the Active Directory for all domains.
*Two SEE Management Servers must be installed, one for each domain.
Section 2 of 5: TLS Certificate Details:
*TLS Certificates should be fully configured and used for both SEE Client communications as well as the web console.
For information on configuring TLS for SEE Management Server client communications as well as web console access, see the following article:
178609 - Creating an SSL certificate to secure SEE Client Communication with the Symantec Endpoint Encryption Management Server (SEE)
*TLS Certificates should be fully configured and used for the connection from the SEE Management Server to the database it connects to.
For information on configuring TLS for the database connection from the SEE Management Server, see the following article:
214267 - Enable TLS/SSL for the Database on Symantec Endpoint Encryption Configuration Manager (SEE)
Important Note: Certificates should be supported by both domains (Root should be established and trusted for both).
Self-Signed Certificates must not be used and are not supported.
Section 3 of 5: Database Configuration:
When configuring the database, one of two authentication modes must be selected. The account chosen not only authenticates the SEE Management Server to the database, but is also used to read Active Directory objects, which Server Roles requires.
At the bottom of the Database tab you will find "Authentication mode". The account selected here is the one used when searching Active Directory for users to add to Server Roles.
If you are using Windows Authentication, that user account performs all of these queries.
If you are using SQL Authentication, the default account used is "Network Service".
The NETWORK SERVICE account is a generic Windows account and does not usually have enough access to read all objects in the domains.
You will usually need to select a different account so that the SEE Management Server can read all objects; read-only access is all that is required.
In multiple-domain environments especially, be sure to choose a user that has full read access to all applicable domains.
If not, some users may not be found when you search for them to add to Server Roles.
Section 4 of 5: Domain Information:
*The server must be joined to one of the domains; which one should not matter, as long as the server also has access to all other domains.
If there is full trust between all domains, then by virtue of the Windows Server being joined to one of them, the Active Directory objects of the other domains should be available.
*Because multiple domains exist, DNS should be configured to support all applicable domains.
Section 5 of 5: SEE Management Server Configuration:
Using Server Roles across two domains is possible, but only by installing an additional SEE Management Server for the additional domain.
For example, if you have two domains, one called "example.com" and the other "example.net", you will need two Windows Servers.
For example.com, you will install SEE Management Server on the Windows server joined to that domain.
For example.net, you will install another SEE Management Server, but you will use the same SEE Database for both domains.
In other words, before starting the second install of SEE Management Server, make sure the first install is complete and example.com is fully configured.
Then, after example.com is fully configured and fully functional, move on to example.net and do a new install, but reference the same database.
Warning: Do not attempt to have two different SEE Management Servers using different databases, as this will cause some issues with the user synchronizations.
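A PowerShell pre-check for the prerequisites in Sections 1 through 4 (DNS, trust, read access for the Database tab account, and the TLS certificate chain), added here as an example and not part of this article or Symantec's product. It assumes the ActiveDirectory RSAT module is installed on the SEE server; the domain names, account name and certificate thumbprint are placeholders to replace with your own.

```powershell
# Pre-check for SEE Management Server multi-domain prerequisites (added example, not Symantec code).
# Assumes the ActiveDirectory (RSAT) and DnsClient modules are present on the SEE server.
param(
    [string[]] $Domains = @('example.com', 'example.net'),   # constructed sample domains
    [string]   $ReadOnlyAccount = 'EXAMPLE\see-ad-reader',    # placeholder read-only AD account
    [string]   $CertThumbprint  = 'REPLACE_WITH_THUMBPRINT'   # placeholder: thumbprint of the bound TLS cert
)
Import-Module ActiveDirectory -ErrorAction Stop
$cred  = Get-Credential -UserName $ReadOnlyAccount -Message 'Account used on the SEE Database tab'
$local = (Get-ADDomain).DNSRoot   # the domain this Windows Server is joined to

foreach ($d in $Domains) {
    # Section 4: DNS must resolve every applicable domain, not only the joined one.
    $dns = Resolve-DnsName -Name $d -Type A -ErrorAction SilentlyContinue
    Write-Host ("[{0}] DNS A record: {1}" -f $d, $(if ($dns) { 'OK' } else { 'MISSING' }))

    # Section 1: full trust is assumed; anything other than a bidirectional trust is flagged.
    if ($d -ne $local) {
        $trust = Get-ADTrust -Filter "Name -eq '$d'" -ErrorAction SilentlyContinue
        $dir   = if ($trust) { $trust.Direction } else { 'NONE' }
        Write-Host ("[{0}] Trust from {1}: {2}" -f $d, $local, $dir)
        if ($dir -ne 'BiDirectional') { Write-Warning "$d is not fully trusted; Server Roles lookups may fail" }
    }

    # Section 3: the Database tab account must be able to read objects in every domain.
    try {
        $null = Get-ADUser -Filter * -Server $d -Credential $cred -ResultSetSize 1 -ErrorAction Stop
        Write-Host ("[{0}] Read access as {1}: OK" -f $d, $ReadOnlyAccount)
    } catch {
        Write-Warning ("[{0}] Read access as {1} FAILED: {2}" -f $d, $ReadOnlyAccount, $_.Exception.Message)
    }
}

# Section 2: the TLS certificate must chain to a root trusted on this server and must not be self-signed.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $CertThumbprint
if (-not $cert) {
    Write-Warning "No certificate with thumbprint $CertThumbprint in LocalMachine\My"
} else {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $ok    = $chain.Build($cert)
    Write-Host ("TLS cert {0}: chain {1}" -f $cert.Subject, $(if ($ok) { 'TRUSTED' } else { 'NOT TRUSTED' }))
    if ($cert.Subject -eq $cert.Issuer) { Write-Warning 'Certificate is self-signed; not supported for SEE' }
}
```

Run it once on each Windows Server before installing SEE Management Server there; the chain check only proves trust on the local machine, so repeat it on the server in the other domain as well.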
For more information, reach out to Symantec Encryption Support.