Configuring Multiple Interfaces on the PGP Encryption Server (Symantec Encryption Management Server)

Article ID: 397932

Updated On: 07-07-2025

Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

The PGP Encryption Server can handle many different encryption scenarios, including serving keys, managing policies, sending encrypted emails and more.

To support these scenarios, multiple interfaces can be configured, but with PGP Encryption Server 11, special steps may need to be followed for this to work properly.

This article explains how to configure multiple interfaces on the PGP Encryption Server so that the configuration works reliably.

For more information about all of the Symantec Encryption products, see the following article:

151074 - Symantec Endpoint Encryption and PGP Encryption Solutions Comparison

Resolution

Before configuring multiple interfaces on the PGP Encryption Server, first make sure only one interface is added to the server.

This provides a baseline for confirming that everything else on the server is working well.

Test each of the options you are going to use so you know they work at this baseline.

When you are ready to add additional interfaces, we recommend you consider what each interface is going to do and whether it needs to have TLS configured.

For example, if you are going to be using the interface to perform email encryption or Web Email Protection, then a TLS certificate should be configured for each interface specified.

Before making any changes, take a snapshot and backup of the server, so it's easy to revert if you need to redo any steps.


Important Note: When you create a new interface for the PGP Encryption Server, it is recommended to assign a TLS certificate to that interface.
If you do not add a TLS certificate to the interface, the PGP Encryption Server configuration may not work properly.
Additionally, if you are using Azure, errors could occur. If you don't already have a TLS cert created, create one first; then, when you add the interface, make sure you also add the TLS cert for each interface to ensure the proper configuration is performed.
EPG-37689/IMSFR-1072

 

Step 1:
In this example, we have one physical NIC, and we are going to add two additional IP addresses. 
We are going to use the same physical NIC, so that means the additional IP addresses are going to be "Virtual NICs".

To do this, establish the IP addresses and the hostnames that will be associated with these Virtual NICs.

In this example, we'll have three Interfaces:

Interface 1: 192.168.1.240 - keysgw.example.com
Interface 2: 192.168.1.241 - keysgw1.example.com
Interface 3: 192.168.1.242 - keysgw2.example.com

Each of the above interfaces is going to be using TLS, so in this scenario, we recommend getting a TLS certificate created for each of them.

Note: In this example, we will be using a "self-signed" certificate for testing, but in production, this would never be done.
Always get a certificate from either your Internal Certificate Authority, or a Certificate Authority, such as DigiCert.

Step 2: 
To view the Network Interfaces, go to System, Network on the PGP Encryption Server:

Notice in the screenshot above, we have only one interface.

Step 3:
Before we add any other interfaces, we need to get certificates created for them.
Since this is for testing only, we will use the "self-signed" certificates by clicking on the Certificates button.

We enter the FQDN for each of the certificates, and click "Generate Self Signed".
For more information about certificates, see the following article:

180416 - Installing an SSL Certificate for PGP Encryption Server (Symantec Encryption Management Server)

For this example, we created a self-signed certificate for keysgw1.example.com and keysgw2.example.com.
We will now create each virtual NIC, or in this case, an "Interface".

Step 4: 
In the following screenshot, notice the IP Address (192.168.1.242) and Hostname (keysgw2.example.com), and especially the "Assigned Certificate":

Warning: It's very important to create the certificate before creating the interface.
You will want to assign the certificate at the time of adding the interface.  

In the above example, we are going to create "Interface 3", and notice the certificate is listed as "keysgw2.example.com".

Once you have all the fields entered, including the certificate, then click Save.  The network service will be restarted:

Notice in the message above, the network settings are saved, and will take some time to restart.
Also, instead of the Interface 3 hostname being listed, this screen will list the main interface for keysgw.example.com.

Once this has been done, the new interface will be listed and should now be available to assign to various tasks/services for the PGP Encryption Server.

The most important step in all of the above is to first make sure you create your TLS certificate before creating your interface.
If this is done after the fact, there could be errors.
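
A post-change check, added here as an example (not part of the original article or of Symantec tooling): it confirms that each interface IP from Step 1 presents a certificate naming its own hostname. Port 443 and the `cafile` trust bundle are assumptions; set them to match the service bound to each interface and the CA that issued its certificate.

```python
import socket
import ssl

# Interface plan from Step 1 of the article (IP -> expected FQDN).
INTERFACES = {
    "192.168.1.240": "keysgw.example.com",
    "192.168.1.241": "keysgw1.example.com",
    "192.168.1.242": "keysgw2.example.com",
}

def fetch_cert(ip, hostname, port=443, cafile=None, timeout=5):
    """Handshake with one interface IP and return the validated certificate as a dict.

    port=443 is an assumption. cafile is a PEM bundle that should validate the
    interface certificates (None uses the system trust store).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # names are compared in audit() so a mismatch is reported
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """DNS names a getpeercert() dict covers: SAN entries, else the subject CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def audit(interfaces, fetch=fetch_cert):
    """Return {ip: problem} for each interface not serving a cert for its own hostname."""
    problems = {}
    for ip, hostname in interfaces.items():
        try:
            names = cert_names(fetch(ip, hostname))
        except OSError as exc:  # covers refused connections, timeouts and ssl.SSLError
            problems[ip] = f"TLS handshake failed: {exc}"
            continue
        if hostname.lower() not in names:  # exact match only; wildcards are not expanded
            problems[ip] = f"certificate names {names}, expected {hostname}"
    return problems

if __name__ == "__main__":
    for ip, problem in audit(INTERFACES).items():
        print(f"{ip}: {problem}")
```

An empty result from `audit()` means every interface completed a validated handshake and served a certificate for its own FQDN.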

For additional guidance, reach out to Symantec Encryption Support.

 

 

Additional Information

EPG-38044/EPG-37689/EPG-35049