Symantec Encryption Management Server

Transcription

1 Symantec Encryption Management Server Administrator's Guide 3.3

2

3 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Version Last updated: January Legal Notice Copyright (c) 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Java is a registered trademark of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED"AS IS"AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section "Commercial Computer Software - Restricted Rights" and DFARS , et seq. Commercial Computer Software and Commercial Computer Software Documentation, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement. Symantec Corporation 350 Ellis Street Mountain View, CA Symantec Home Page ( Printed in the United States of America

4

5 Contents Introduction What is Symantec Encryption Management Server? Symantec Encryption Management Server Product Family Who Should Read This Guide Common Criteria Environments Improvements in this Version of Symantec Encryption Management Server Using the Symantec Encryption Management Server with the Command Line Symbols Getting Assistance Getting product information Technical Support Contacting Technical Support Licensing and registration Customer service Support agreement resources The Big Picture Important Terms Related Products Symantec Encryption Management Server Concepts Symantec Encryption Management Server Features Symantec Encryption Management Server User Types Installation Overview About Integration with Symantec Protection Center Before You Integrate with Protection Center About Open Ports TCP Ports UDP Ports About Naming your Symantec Encryption Management Server How to Name Your Symantec Encryption Management Server Naming Methods Understanding the Administrative Interface System Requirements Logging In The System Overview Page Managing Alerts Logging In For the First Time

6 ii Contents Licensing Your Software Overview Licensing a Symantec Encryption Management Server License Authorization Licensing the Mail Proxy Feature Licensing Symantec Encryption Desktop Operating in Learn Mode Purpose of Learn Mode Checking the Logs Managing Learn Mode Managed Domains About Managed Domains Adding Managed Domains Deleting Managed Domains Understanding Keys Choosing a Key Mode For Key Management Changing Key Modes How Symantec Encryption Management Server Uses Certificate Revocation Lists Key Reconstruction Blocks Managed Key Permissions Managing Organization Keys About Organization Keys Organization Key Inspecting the Organization Key Regenerating the Organization Key Importing an Organization Key Organization Certificate Inspecting the Organization Certificate Exporting the Organization Certificate Deleting the Organization Certificate Generating the Organization Certificate Importing the Organization Certificate Renewing the Organization Certificate Additional Decryption Key (ADK) Importing the ADK Inspecting the ADK Deleting the ADK External User Root Key Generating the External User Root Key Importing the External User Root Key Deleting the External User Root Key

7 Contents iii External User Root Certificate Generating the External User Root Certificate Importing the External User Root Certificate Deleting the External User Root Certificate Verified Directory Key Importing the Verified Directory Key Inspecting the Verified Directory Key Deleting the Verified Directory Key Administering Managed Keys Viewing Managed Keys Managed Key Information Addresses Subkeys Certificates Permissions Attributes Symmetric Key Series Symmetric Keys Custom Data Objects Exporting Consumer Keys Exporting the Managed Key of an Internal User Exporting the Managed Key of an External User Exporting Symantec Encryption Verified Directory User Keys Exporting the Managed Key of a Managed Device Deleting Consumer Keys Deleting the Managed Key of an Internal User Deleting the Managed Key of an External User Deleting the Key of a Symantec Encryption Verified Directory User Deleting the Managed Key of a Managed Device Approving Pending Keys Revoking Managed Keys Managing Trusted Keys and Certificates Overview Trusted Keys Trusted Certificates Adding a Trusted Key or Certificate Inspecting and Changing Trusted Key Properties Deleting Trusted Keys and Certificates Searching for Trusted Keys and Certificates Managing Group Keys 77 Overview Establishing Default Group Key Settings Adding a Group Key to an Existing Group Creating a New Group with a Group Key Removing a Group Key from a Group Deleting a Group Key

8 iv Contents Revoking a Group Key Exporting a Group Key Setting Mail Policy Overview How Policy Chains Work Mail Policy and Dictionaries Mail Policy and Key Searches Mail Policy and Cached Keys Understanding the Pre-Installed Policy Chains How Upgrading and Updating Affect Mail Policy Settings Mail Policy Outside the Mailflow Using the Rule Interface The Conditions Card The Actions Card Building Valid Chains and Rules Using Valid Processing Order Creating Valid Groups Creating a Valid Rule Managing Policy Chains Mail Policy Best Practices Restoring Mail Policy to Default Settings Adding Policy Chains Deleting Policy Chains Exporting Policy Chains Printing Policy Chains Managing Rules Adding Rules to Policy Chains Deleting Rules from Policy Chains Enabling and Disabling Rules Changing the Processing Order of the Rules Adding Key Searches Choosing Condition Statements, Conditions, and Actions Condition Statements Conditions Actions Working with Common Access Cards Applying Key Not Found Settings to External Users Overview Bounce the Message Symantec PDF Protection Symantec PDF Protection Secure Reply Working with Passphrases Certified Delivery with Symantec PDF Protection Send Unencrypted Smart Trailer Symantec Encryption Web Protection Changing Policy Settings Changing User Delivery Method Preference

9 Contents v Using Dictionaries with Policy 125 Overview Default Dictionaries Editing Default Dictionaries User-Defined Dictionaries Adding a User-Defined Dictionary Editing a User-Defined Dictionary Deleting a Dictionary Exporting a Dictionary Searching the Dictionaries Keyservers, SMTP Archive Servers, and Mail Policy Overview Keyservers Adding or Editing a Keyserver Deleting a Keyserver SMTP Servers Adding or Editing an Archive Server Deleting an Archive Server Managing Keys in the Key Cache Overview Changing Cached Key Timeout Purging Keys from the Cache Trusting Cached Keys Viewing Cached Keys Searching the Key Cache Configuring Mail Proxies Overview Symantec Encryption Management Server and Mail Proxies Mail Proxies in an Internal Placement Mail Proxies in a Gateway Placement Changes in Proxy Settings from version 2.0 to 2.5 and later Mail Proxies Page Creating New or Editing Existing Proxies Creating or Editing a POP/IMAP Proxy Creating or Editing an Outbound SMTP Proxy Creating or Editing an Inbound SMTP Proxy Creating or Editing a Unified SMTP Proxy in the Mail Queue 157 Overview Deleting Messages from the Mail Queue

10 vi Contents Specifying Mail Routes Overview Managing Mail Routes Adding a Mail Route Editing a Mail Route Deleting a Mail Route Customizing System Message Templates Overview Templates and Message Size Symantec PDF Protection Templates Symantec Encryption Web Protection Templates Editing a Message Template Integrating with Symantec Data Loss Prevention Enabling Integration with DLP Disabling Integration with DLP Changing the DLP Integration Authentication Information Managing Groups Understanding Groups Sorting Consumers into Groups Everyone Group Excluded Group Policy Group Order Migrate Groups from Version 2.12 SP4 Setting Policy Group Order Creating a New Group Deleting a Group Viewing Group Members Manually Adding Group Members Manually Removing Members from a Group Group Permissions Adding Group Permissions Deleting Group Permissions Setting Group Membership Searching Groups Creating Group Client Installations How Group Policy is Assigned to Symantec Encryption Desktop Installers When to Bind a Client Installation Creating Symantec Encryption Desktop Installers Managing Devices Managed Devices Adding and Deleting Managed Devices

11 Contents vii Adding Managed Devices to Groups Managed Device Information Deleting Devices from Symantec Encryption Management Server Deleting Managed Devices from Groups Drive Encryption Devices (Computers and Disks) Drive Encryption Computers Drive Encryption Disks Searching for Devices Administering Consumer Policy 197 Understanding Consumer Policy 197 Managing Consumer Policies 197 Adding a Consumer Policy 197 Editing a Consumer Policy 198 Deleting a Consumer Policy 199 Making Sure Users Create Strong Passphrases 199 Understanding Entropy 200 Enabling or Disabling Encrypted 200 Using the Windows Preinstallation Environment 201 X.509 Certificate Management in Lotus Notes Environments 201 Trusting Certificates Created by Symantec Encryption Management Server 202 Setting the Lotus Notes Key Settings in Symantec Encryption Management Server 204 Technical Deployment Information 204 Offline Policy 205 Using a Policy ADK 206 Out of Mail Stream Support 207 Enrolling Users through Silent Enrollment 208 Silent Enrollment with Windows 209 Silent Enrollment with Mac OS X 209 Symantec Drive Encryption Administration 209 Symantec Drive Encryption on Mac OS X with FileVault 209 How Does Single Sign-On Work? 210 Enabling Single Sign-On 210 Managing Clients Remotely Using a Symantec Drive Encryption Administrator Active Directory Group 212 Managing Clients Locally Using the Symantec Drive Encryption Administrator Key 213 Setting Policy for Clients 215 Client and Symantec Encryption Management Server Version Compatibility 215 Serving PGP Admin 8 Preferences 216 Establishing Symantec Encryption Desktop Settings for Your Symantec Encryption Desktop Clients217 Symantec Encryption Desktop Feature License Settings 218 Enabling Symantec Encryption Desktop Client Features in Consumer Policies 219 Controlling Symantec Encryption Desktop Components 220 PGP Portable 221 Symantec File Share Encryption 221 How the Symantec File Share Encryption Policy Settings Work Together 221 Multi-user environments and managing Symantec File Share Encryption 222 Backing Up Symantec File Share Encryption-Protected Files 223 About Mobile Encryption 223 About Administration of the Symantec Mobile Encryption for ios App 224

12 viii Contents About Symantec Mobile Encryption for ios Configuration Files Setting Policy for Symantec Mobile Encryption About Dropbox File Protection About Administration of the Symantec File Share Encryption for ios App Using Directory Synchronization to Manage Consumers How Symantec Encryption Management Server Uses Directory Synchronization Base DN and Bind DN Consumer Matching Rules Understanding User Enrollment Methods Before Creating a Client Installer Enrollment Directory Enrollment Certificate Enrollment Enabling Directory Synchronization Adding or Editing an LDAP Directory The LDAP Servers Tab The Base Distinguished Name Tab The Consumer Matching Rules Tab Testing the LDAP Connection Using Sample Records to Configure LDAP Settings Deleting an LDAP Directory Setting LDAP Directory Order Directory Synchronization Settings Managing User Accounts Understanding User Account Types Viewing User Accounts User Management Tasks Setting User Authentication Editing User Attributes Adding Users to Groups Editing User Permissions Deleting Users Searching for Users Viewing User Log Entries Changing Display Names and Usernames Exporting a User s X.509 Certificate Revoking a User's X.509 Certificate Managing User Keys Managing Internal User Accounts Importing Internal User Keys Manually Creating New Internal User Accounts Exporting Symantec Drive Encryption Login Failure Data Internal User Settings Managing External User Accounts Importing External Users Exporting Delivery Receipts External User Settings Offering X.509 Certificates to External Users Managing Verified Directory User Accounts

13 Contents ix Importing Verified Directory Users Symantec Encryption Verified Directory User Settings Recovering Encrypted Data in an Enterprise Environment Using Key Reconstruction Recovering Encryption Key Material without Key Reconstruction Encryption Key Recovery of CKM Keys Encryption Key Recovery of GKM Keys Encryption Key Recovery of SCKM Keys Encryption Key Recovery of SKM Keys Using an Additional Decryption Key for Data Recovery Symantec Encryption Satellite Overview Technical Information Distributing the Symantec Encryption Satellite Software Configuration Key Mode Symantec Encryption Satellite Configurations Switching Key Modes Policy and Key or Certificate Retrieval Retrieving Lost Policies Retrieving Lost Keys or Certificates Symantec Encryption Satellite for Mac OS X Overview System Requirements Obtaining the Installer Installation Updates Files Symantec Encryption Satellite for Windows Overview System Requirements Obtaining the Installer Installation Updates Files MAPI Support External MAPI Configuration Lotus Notes Support External Lotus Notes Configuration Configuring Symantec Encryption Web Protection 287 Overview 287

14 x Contents Symantec Encryption Web Protection and Clustering External Authentication Customizing Symantec Encryption Web Protection Adding a New Template Troubleshooting Customization Changing the Active Template Deleting a Template Editing a Template Downloading Template Files Restoring to Factory Defaults Configuring the Symantec Encryption Web Protection Service Starting and Stopping Symantec Encryption Web Protection Selecting the Symantec Encryption Web Protection Network Interface Setting Up External Authentication Creating Settings for Symantec Encryption Web Protection User Accounts Setting Message Replication in a Cluster Configuring the Integrated Keyserver Overview Starting and Stopping the Keyserver Service Configuring the Keyserver Service Configuring the Symantec Encryption Verified Directory Overview Starting and Stopping the Symantec Encryption Verified Directory Configuring the Symantec Encryption Verified Directory Managing the Certificate Revocation List Service Overview Starting and Stopping the CRL Service Editing CRL Service Settings Configuring Universal Services Protocol Starting and Stopping USP Adding USP Interfaces System Graphs Overview CPU Usage Message Activity Whole Disk Encryption System Logs Overview Filtering the Log View

15 Contents xi Searching the Log Files Exporting a Log File Enabling External Logging Configuring SNMP Monitoring Overview Starting and Stopping SNMP Monitoring Configuring the SNMP Service Downloading the Custom MIB File Viewing Server and License Settings and Shutting Down Services 325 Overview 325 Server Information 325 Setting the Time 326 Licensing a Symantec Encryption Management Server 326 Downloading the Release Notes 327 Shutting Down and Restarting the Symantec Encryption Management Server Software Services327 Shutting Down and Restarting the Symantec Encryption Management Server Hardware 328 Managing Administrator Accounts Overview Administrator Roles Administrator Authentication Creating a New Administrator Importing SSH v2 Keys Deleting Administrators Inspecting and Changing the Settings of an Administrator Configuring RSA SecurID Authentication Resetting SecurID PINs Daily Status Protecting Symantec Encryption Management Server with Ignition Keys Overview Ignition Keys and Clustering Preparing Hardware Tokens to be Ignition Keys Configuring a Hardware Token Ignition Key Configuring a Soft-Ignition Passphrase Ignition Key Deleting Ignition Keys Backing Up and Restoring System and User Data 345 Overview Creating Backups Scheduling Backups Performing On-Demand Backups Configuring the Backup Location Restoring From a Backup

16 xii Contents Restoring On-Demand Restoring Configuration Restoring from a Different Version Updating Symantec Encryption Management Server Software Overview Inspecting Update Packages Setting Network Interfaces Understanding the Network Settings Changing Interface Settings Adding Interface Settings Deleting Interface Settings Editing Global Network Settings Assigning a Certificate Working with Certificates Importing an Existing Certificate Generating a Certificate Signing Request (CSR) Adding a Pending Certificate Inspecting a Certificate Exporting a Certificate Deleting a Certificate Clustering your Symantec Encryption Management Servers Overview Cluster Status Creating a Cluster Deleting Cluster Members Clustering and Symantec Encryption Web Protection Managing Settings for Cluster Members Changing Network Settings in Clusters About Clustering Diagnostics Monitoring Data Replication in a Cluster Index

17 1 Introduction This Administrator s Guide describes both the Symantec Encryption Management Server and Client software. It tells you how to get them up and running on your network, how to configure them, and how to maintain them. This section provides a high-level overview of Symantec Encryption Management Server. What is Symantec Encryption Management Server? Symantec Encryption Management Server is a console that manages the applications that provide , disk, and network file encryption. Symantec Encryption Management Server with Symantec Gateway Encryption provides secure messaging by transparently protecting your enterprise messages with little or no user interaction. The Symantec Encryption Management Server replaces PGP Keyserver with a built-in keyserver, and PGP Admin with Symantec Encryption Desktop configuration and deployment capabilities. Symantec Encryption Management Server also does the following: Automatically creates and maintains a Self-Managing Security Architecture (SMSA) by monitoring authenticated users and their traffic. Allows you to send protected messages to addresses that are not part of the SMSA. Automatically encrypts, decrypts, signs, and verifies messages. Provides strong security through policies you control. Symantec Encryption Satellite, a client-side feature of Symantec Encryption Management Server, does the following: Extends security for messages to the computer of the user. Allows external users to become part of the SMSA. If allowed by an administrator, gives end users the option to create and manage their keys on their computers. Symantec Encryption Desktop, a client product, is created and managed through Symantec Encryption Management Server policy and does the following: Creates PGP keypairs. Manages user keypairs. Stores the public keys of others. Encrypts user and instant messaging (IM). Encrypts entire, or partial, hard drives. Enables secure file sharing with others over a network.

18 2 Introduction Symantec Encryption Management Server Product Family Symantec Encryption Management Server Product Family Symantec Encryption Management Server functions as a management console for a variety of encryption solutions. You can purchase any of the Symantec Encryption Desktop applications or bundles and use Symantec Encryption Management Server to create and manage client installations. You can also purchase a license that enables Symantec Gateway Encryption to encrypt in the mailstream. The Symantec Encryption Management Server can manage any combination of the following Symantec encryption applications: Symantec Gateway Encryption provides automatic encryption in the gateway, based on centralized mail policy. This product requires administration by the Symantec Encryption Management Server. Symantec Desktop provides encryption at the desktop for mail, files, and AOL Instant Messenger traffic. This product can be managed by the Symantec Encryption Management Server. Symantec Drive Encryption provides encryption at the desktop for an entire disk. This product can be managed by the Symantec Encryption Management Server. Symantec File Share Encryption provides transparent file encryption and sharing among desktops. This product can be managed by the Symantec Encryption Management Server. Who Should Read This Guide This Administrator s Guide is for the person or persons who implement and maintain your organization s Symantec Encryption Management Server environment. These are the Symantec Encryption Management Server administrators. This guide is also intended for anyone else who wants to learn about how Symantec Encryption Management Server works. Common Criteria Environments To be Common Criteria compliant, see the best practices in PGP Universal Server 2.9 Common Criteria Supplemental. These best practices supersede recommendations made elsewhere in this and other documentation.

19 Introduction Improvements in this Version of Symantec Encryption Management Server 3 Improvements in this Version of Symantec Encryption Management Server Symantec Encryption Management Server introduces the following new and improved features: Symantec identity branding The PGP product line has been renamed. For a detailed map of old product names to new ones, refer to the Symantec Knowledgebase article TECH ( Integration with Symantec File Share Encryption and Dropbox on Apple ios devices The integration of Symantec File Share Encryption, formerly known as PGP NetShare, with Dropbox brings protection to files copied from a Dropbox Windows client to cloud-based storage. You can then view these encrypted Dropbox files on your ios device. This integration allows protected files to move among Dropbox locations, to be read, edited, and saved by you or a collaborative group. Files and folders are encrypted or decrypted transparently, as needed. Gateway Integration with Symantec Data Loss Prevention Symantec Gateway , previously known as PGP Universal Gateway , has deepened its integration with Symantec Data Loss Prevention and Symantec Messaging Gateway powered by Brightmail. Symantec Messaging Gateway sends outbound to Data Loss Prevention, which scans the , flags the message for security violations or sensitivity. The flagged gets routed to GWE to process corresponding security remediation through mail policy. Symantec Gateway then sends encryption remediation status confirmation back to Data Loss Prevention. Audit information is centrally located in Data Loss Prevention Enforce. This status synchronization leverages Data Loss Prevention s new Incident Remediation API (IRA). This new feature is called Encryption Connect in DLP Enforce. Next generation of mobile management PGP Viewer, which has been renamed to Symantec Mobile Encryption for ios, now expands the ability beyond viewing to securely reply to encrypted messages or initiate new secure messages, with or without attachments. Mobile Encryption for ios integrates with Microsoft Exchange Mobile Address List for access to your contacts. PGP Viewer 1.0 users can automatically update to Mobile Encryption for ios version 2.0. This product requires the mobile management policy provided in Symantec Encryption Management Server 3.3. Expanded Platform Compatibility for Symantec Web Protection sent using the Symantec Web Protection feature, formerly known as PGP Web Messenger, can now be viewed using a browser on most ios and Android mobile devices Expanded Platform Compatibility for Symantec PDF Protection sent using the Symantec PDF Protection feature, formerly PGP PDF Messenger, can now be viewed using a browser on most ios and Android mobile devices. Compatibility with VMware ESXi 5

20 4 Introduction Using the Symantec Encryption Management Server with the Command Line This release provides installation of Symantec Encryption Management Server, formerly known as PGP Universal Server, on VMware ESX virtual machines running ESXi 5. Compatibility with New Linux Packages This release supports installation of Symantec Drive Encryption for Linux, formerly known as PGP Whole Disk Encryption for Linux, on Red Hat Enterprise Linux/CentOS 6.1 and 6.2 (32-bit and 64-bit versions). Compatibility with Apple Mac OS X 10.8 This release supports installation of Symantec Desktop Encryption, formerly known as PGP Desktop, on systems running Mac OS X 10.8 (Mountain Lion). Win PE 64-bit Support Symantec Drive Encryption, formerly known as PGP Whole Disk Encryption, now provides WinPE recovery for both 32-bit and 64-bit Windows 7 environments. Removal of the PGP Remote Disable and Destroy Feature Symantec Corporation has discontinued the PGP Remote Disable and Destroy (RDD) feature, including its policy management and reporting functionalities. However, the feature is retained for customers who have an existing subscription entitlement until their current subscription period expires. For information on how to disable PGP RDD, go to the Symantec Knowledgebase ( and search for article ID HOWTO79556, "HOW TO: Remove PGP Remote Disable and Destroy (PGP RDD)". Using the Symantec Encryption Management Server with the Command Line You can use the Symantec Encryption Management Server command line for read-only access to, for example, view settings, services, logs, processes, disk space, query the database, and so on. Note: If you modify your configuration using the command line, and you do not follow these procedures, your Symantec Support agreement is void. Changes to the Symantec Encryption Management Server using command line must be: Authorized in writing by Symantec Support. Implemented by Symantec's partner, reseller, or internal employee who is certified in Symantec Encryption Management Server Advanced Administration and Deployment Training. Summarized and documented in a text file in /var/lib/ovid/customization on the Symantec Encryption Management Server. Changes made through the command line may not persist through reboots and may become incompatible in a future release. When troubleshooting new issues, Symantec Support can require you to revert custom configurations on the Symantec Encryption Management Server to a default state.

21 Introduction Symbols 5 Symbols Notes, Cautions, and Warnings are used in the following ways. Note: Notes are extra, but important, information. A Note calls your attention to important aspects of the product. You can use the product better if you read the Notes. Caution: Cautions indicate the possibility of loss of data or a minor security breach. A Caution tells you about a situation where problems can occur unless precautions are taken. Pay attention to Cautions. Warning: Warnings indicate the possibility of significant data loss or a major security breach. A Warning means serious problems will occur unless you take the appropriate action. Please take Warnings very seriously. Getting Assistance For additional resources, see these sections. Getting product information The following documents and online help are companions to the Symantec Encryption Management Server Administrator s Guide. This guide occasionally refers to information that can be found in one or more of these sources: Online help is installed and is available in the Symantec Encryption Management Server product. Symantec Encryption Management Server Installation Guide Describes how to install the Symantec Encryption Management Server. Symantec Encryption Management Server Upgrade Guide Describes the process of upgrading your Symantec Encryption Management Server. Symantec Encryption Management Server Mail Policy Diagram Provides a graphical representation of how is processed through mail policy. You can access this document via the Symantec Encryption Management Server online help. You can also access all the documentation by clicking the online help icon in the upper-right corner of the Symantec Encryption Management Server screen. Symantec Encryption Satellite for Windows and Mac OS X includes online help. Symantec Encryption Management Server and Symantec Encryption Satellite release notes are also provided, which may have last-minute information not found in the product documentation.