Section 1 of 6: Creating an Installer with Auto-Detect Policy (Recommended Method)

The Auto-Detect Policy option means that when the user enrolls with the server, the policy is automatically applied.  This is the best option to use if Directory Synchronization is being used to enroll clients. 

1. Login to the Encryption Management Server administrative interface.
   
   
2. Click Consumers, and then click Groups:
   
   
   
   
3. On this page above, click Download Client button at the bottom.
   
   The Download Symantec Encryption Clients screen will then be displayed:
   
   
   
   
   Important Note: For the PGP Desktop client to be able to enroll and communicate with the PGP Server, the "Customize" box must be checked.
   Starting with PGP Encryption Server version 11, this check box is activated by default.
   
   When you click the "Customize" box, this will create the client that will communicate directly with your own PGP server using a unique FQDN.
   If you do not click the Customize option, then it will download a standalone client, and you will not get the usual enrollment wizard to bind your PGP Client with the PGP server. 
   This is a critical step if you wish to have your PGP Client managed by the PGP Server.
   
   If you wand Standalone, leave the box unchecked, and you will be prompted for the usual standalone setup that requires a license number to be entered
   (EPG-27233)
   
   
4. In the Client field, select Symantec Encryption Desktop.
   
   
5. In the Platform field, select Mac OS X, Linux 32-Bit , Linux 64-Bit ,Windows 32-bit or Windows 64-bit as appropriate.
   
   
6. Reminder: As mentioned above, make sure the Customize check box is selected. 
   If this is not checked, it will create a "Standalone/Unmanaged" client that will not communicate with the PGP Server.
   If you choose this option, the user will be in charge of managing their own license number, PGP keys, etc. 
   This not typically desired, so checking the box will create the proper managed client.
   
   Select Auto-detect Policy.
   
   
7. In the Symantec Encryption Server field, type the Encryption Management Server you want the application to interact with.
   The Encryption Management Server you are using to create the installer is listed by default.

___________________________________________________________________________________________________

Section 2 of 6: Load Balancers - TLS Passthrough VS TLS Renegotiation, Wildcard Certificate VS Single FQDN Certificate:

If you are using a Load Balancer to route communications to the PGP server, enter the FQDN the Load Balancer will be using.
For example, if you have two PGP Servers, one called "pgp01.example.com" and the other "pgp02.example.com", you'll want to use a name that will resolve to the Load Balancer.
Then Load Balancer will redirect traffic to one of the two servers in question. 

In one example, the Load Balancer FQDN could be named "keys.example.com".  So when you build the PGP client, enter this hostname and this will assign "keys.example.com" for the installer package, this is called the "PGPSTAMP", which is the FQDN for the PGP Server.  Post install, when the PGP client attempts to check in, it will attempt to resolve the PGPSTAMP value, or "keys.example.com" FQDN, which will go to the Load Balancer.   

At this point, you will need to consider how the TLS communications should behave.

Because the PGPSTAMP is pointing to "keys.example.com", the TLS certificate being used for the interface should also match "keys.example.com", whether it is the PGP Server that presents the TLS certificate or the Load Balancer. 

TLS Passthrough

If you are using the "passthrough" method on the Load Balancer, meaning the Load Balancer will not be presenting any certificates for the TLS connection and is simply sending to one of the two PGP Servers, ensure the certificate that is being used matches the same FQDN used to create the client.  

If the TLS certificate is created for "keys.example.com", but the servers are called "pgp01" and "pgp02", then the PGP client is going to produce a certificate warning.  To avoid this scenario, you can use a wildcard certificate so that regardless of the hostname of the PGP server, as long as the domain is the same, the certificate warning will not show.  For example, the hostname "pgp01.example.com" and "pgp02.example.com" will not produce a certificate warning if a wildcard certificate for ":*.example.com" was created.

Optionally, if a wildcard certificate is not possible, you can try adding SANS Alternative values for each PGP servers assigned.

TLS Renegotiation

If a wildcard certificate is not being used and SANS Alternative values are not available, then Symantec recommends creating the certificate for "keys.example.com" and assign that certificate to the Load Balancer and have the Load Balancer renegotiate. All the PGP clients will be connecting with TLS via the Load Balancer, and the Load Balancer will renegotiate to the PGP servers. The PGP clients will not be aware of the TLS connection being made from the Load Balancer to the PGP servers if TLS renegotiation/TLS Termination is being done on the Load Balancer and should avoid any TLS pop ups.

Caution: If you are using an Internal CA, ensure the Root and Intermediate Certificates are uploaded and fully trusted into the Trusted Keys section on the PGP Encryption Server.  In some cases using an internal CA, you may need to specifically assign the server certificate to be trusted.  In other words, some environments will not accept any certificates unless they were specifically added, even if they are signed by a trusted Internal CA so it's a good idea to test this thoroughly before deploying to the entire organization. 

For more information on PGP and Load Balancers, see the following article: 
156803 - Using DNS Round Robin and Load Balancers with Encryption Management Server
___________________________________________________________________________________________________

1. In the Mail Server Binding field, the * wildcard character is the default setting. The client will bind automatically to any mail server. Mail policy will be enforced for any mail server to which the client connects. You can also use the wildcard as follows: *, *.example.com, and example.*.com. Customized client installations will not work without mail server binding.
   
   
2. Click Download.
   
   
3. When prompted, select a location and click Save.
   
   
4. Distribute the Encryption Desktop installer to your users and have them install it on their systems.Once installed, Encryption Desktop coordinates with the Encryption Management Server and associates the user to the correct user policy.
    

   Note: In the Mail Server Binding, you can type the name of a specific mail server you want bound to that PGP Encryption Server. You must have a mail server defined unless your users read mail directly from the PGP Encryption Server via POP or IMAP, which would be rare. Using the * will typically be sufficient for most environments. If you are unsure,  reach out to Symantec Encryption Support for further guidance.

Once the PGP client is installed on the machine, you can see which customized URL was used by going to the following location in the registry and make note of the "PGPSTAMP" value shows:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\PGP Corporation\PGP

PGPSTAMP: ovid=keys.example.com&mail=*&admin=1

In the above example, you can see which FQDN was used to create the client.

Section 3 of 6: Creating an Installer with Preset Policy

1. Login to the PGP Encryption Server administrative interface.
   
   
2. Click Consumers.
   
   
3. On the Groups card, click Download Client. The Download Encryption Clients screen is displayed.
   
   
4. In the Client field, select Symantec Encryption Desktop.
   
   
5. In the Platform field, select Mac OS X, Linux 32-Bit , Linux 64-Bit ,Windows 32-bit or Windows 64-bit as appropriate.
   
   
6. Make sure the Customize check box is selected.
   
   
7. Select Preset Policy, then select the policy you want your PGP Encryption Desktop users to be linked to from the drop-down menu.
   If you have not created any custom user policies, then the only entry in the drop-down menu is Default.
    

   Note: You can also select to Embed Policy into the installer. In this use case, there will never be a connection between the client and the server. The client never receives any updated policy information from PGP Encryption Server, even if the policy is updated on the server side. This is available in PGP Encryption Desktop for Windows only.  See the following article for more information on this feature: 153203 - What is the Embed Policy Option for Symantec Encryption Desktop Configured Installations? Tip: If you have clients that need to be encrypted with Drive Encryption and will never communicate with the PGP server, it is recommend to use "Symantec Endpoint Encryption" . Symantec Endpoint Encryption uses a beneficial feature, "Connectionless" recovery, so there is no connectivity needed for recovery keys to be possible.  If you own a license for PGP Drive Encryption, you are entitled to use the SEE Drive Encryption instead.  Reach out to Symantec Encryption Support for further assistance on this.  To download Symantec Endpoint Encryption, see the following article: 193931 - How to download Symantec Encryption products from the Broadcom download Portal (And where to find the license number for PGP)

    
8. In the Symantec Encryption Server field, type the PGP Encryption Server hostname you want the application to interact with.
   This is the PGP Encryption Server you are using to create the installer is listed by default.
   
   
9. In the Mail Server Binding field, the * wildcard character is the default setting. The client will bind automatically to any mail server.
   Mail policy will be enforced for any mail server to which the client connects.
   You can also use the wildcard as follows: *, *.example.com, and example.*.com. Customized client installations will not work without mail server binding.

1. Click Download.
2. When prompted, select a location and click Save.
3. Distribute the Encryption Desktop installer to your users and have them install it on their systems. Once installed, Encryption Desktop coordinates with the Encryption Management Server and associates the user to the correct user policy.