McAfee Gateway 7.0 Appliances

Transcription

1 Installation Guide McAfee Gateway 7.0 Appliances

2 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. TRADEMARK ATTRIBUTIONS AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee Gateway 7.0 Appliances Installation Guide

3 Contents 1 Preface 5 About this guide Audience Conventions How to use this guide Finding product documentation Preparing to install 9 What's in the box Plan the installation Inappropriate use Operating conditions Positioning the appliance Considerations about network modes Transparent bridge mode Transparent router mode Explicit proxy mode Deployment strategies for using the device in a DMZ SMTP configuration in a DMZ Workload management Installation quick reference table Ports and connections Physically installing the appliance Mounting the appliance in a rack Connect to the network Port numbers Using Copper LAN connections Using Fiber LAN connections Monitor, mouse and keyboard Supplying power to the appliance Overview task Installing the software Task Downloading the installation software Task Creating a CD from the installation software image Using the Configuration Console Welcome Performing a Standard Setup Performing a Custom Setup Restoring from a file epo Managed Setup Encryption Only Setup A tour of the Dashboard 53 Dashboard McAfee Gateway 7.0 Appliances Installation Guide 3

4 Contents Draft only Benefits of using the Dashboard Dashboard portlets Testing the configuration 57 Task Test connectivity Task Update the DAT files Task Test mail traffic and virus detection Task Testing spam detection Exploring the appliance features 59 Introduction to policies Encryption Task Identify quarantined messages Compliance Settings Data Loss Prevention settings Index 67 4 McAfee Gateway 7.0 Appliances Installation Guide

5 Preface Contents About this guide Finding product documentation About this guide This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized. Audience McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for: Administrators People who implement and enforce the company's security program. Conventions This guide uses the following typographical conventions and icons. Book title or Emphasis Title of a book, chapter, or topic; introduction of a new term; emphasis. Bold User input or Path Code Text that is strongly emphasized. Commands and other text that the user types; the path of a folder or program. A code sample. User interface Hypertext blue Words in the user interface including options, menus, buttons, and dialog boxes. A live link to a topic or to a website. Note: Additional information, like an alternate method of accessing an option. Tip: Suggestions and recommendations. Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data. Warning: Critical advice to prevent bodily harm when using a hardware product. McAfee Gateway 7.0 Appliances Installation Guide 5

6 Preface About this guide Draft only Graphical conventions Use this information to understand the graphical symbols used within this document. Appliance Internet or external networks Mail Server Other servers (such as DNS servers) User or client computer Router Switch Firewall Network zone (DMZ or VLAN) Network Actual data path Perceived data path of terms used in this guide Use this information to understand some of the key terms used in this document. Term demilitarized zone (DMZ) DAT files operational mode policy Reputation Service check A computer host or small network inserted as a buffer between a private network and the outside public network to prevent direct access from outside users to resources on the private network. Detection definition (DAT) files, also called signature files, containing the definitions that identify, detect, and repair viruses, Trojan horses, spyware, adware, and other potentially unwanted programs (PUPs). Three operating modes for the product: explicit proxy mode, transparent bridge mode, and transparent router mode. A collection of security criteria, such as configuration settings, benchmarks, and network access specifications, that defines the level of compliance required for users, devices, and systems that can be assessed or enforced by a McAfee security application. Part of sender authentication. If a sender fails the Reputation Service check, the appliance is set to close the connection and deny the message. The sender's IP address is added to a list of blocked connections and is automatically blocked in future at the kernel level. How to use this guide This topic gives a brief summary of the information contained within this document. This guide helps you to: Plan and perform your installation. Become familiar with the interface. 6 McAfee Gateway 7.0 Appliances Installation Guide

7 Preface Finding product documentation Test that the product functions correctly. Apply the latest detection definition files. Explore some scanning policies, create reports, and get status information. Troubleshoot basic issues. You can find additional information about the product's scanning features in the online help within the product and the McAfee Gateway 7.0 Administrators Guide. Finding product documentation McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase. Task 1 Go to the McAfee Technical Support ServicePortal at 2 Under Self Service, access the type of information you need: To access... User documentation Do this... 1 Click Product Documentation. 2 Select a product, then select a version. 3 Select a product document. KnowledgeBase Click Search the KnowledgeBase for answers to your product questions. Click Browse the KnowledgeBase for articles listed by product and version. McAfee Gateway 7.0 Appliances Installation Guide 7

8 Preface Finding product documentation Draft only McAfee Gateway 7.0 Appliances Installation Guide

9 1 Preparing 1 to install To ensure the safe operation of McAfee Gateway 7.0, consider the following before you begin the installation. Familiarize yourself with its operational modes and capabilities. It is important that you choose a valid configuration. Decide how to integrate the appliance into your network and determine what information you need before you start. For example, the name and IP address for the device. Unpack the product as close to its intended location as possible. Remove the product from any protective packaging and place it on a flat surface. Observe all provided safety warnings. Review and be familiar with all provided safety information. Contents What's in the box Plan the installation Inappropriate use Operating conditions Positioning the appliance Considerations about network modes Deployment strategies for using the device in a DMZ What's in the box Use this information to ensure that you have a complete shipment for your product. To check that all components are present, refer to the packing list supplied with your product. Generally, you should have: An appliance McAfee Gateway installation and recovery CD Power cords Linux source code CD Network cables Documentaiton CD If an item is missing or damaged, contact your supplier. McAfee Gateway 7.0 Appliances Installation Guide 9

10 1 Preparing to install Plan the installation Draft only Plan the installation Use this information when planning the installation of your device. Before unpacking your McAfee Gateway, it is important to plan the installation and deployment. Consider the following: Environmental requirements. Information on environmental site requirements, including temperature, airflow, and space requirements. Power requirements and considerations. Power requirements and electrical factors that must be considered before installation. Hardware specifications and requirements. Configuration scenarios. Preparing for installation. Inappropriate use Use this information to avoid using this product inappropriately. McAfee Gateway is: Not a firewall. You must use it within your organization behind a correctly configured firewall. Not a server for storing extra software and files. Do not install any software on the device or add any extra files to it unless instructed by the product documentation or your support representative. The device cannot handle all types of traffic. If you use explicit proxy mode, only protocols that are to be scanned should be sent to the device. Operating conditions Use this information to understand the environmental conditions needed for your McAfee Gateway. Temperature Relative humidity 10 to 35 C (50 to 95 F). 20% to 80% (non-condensing) with a maximum humidity gradient of 10% per hour. Maximum vibration 0.25 G at Hz for 15 minutes. Maximum shock One shock pulse in the positive z axis (one pulse on each side of the unit) of 31 G for up to 2.6 ms. Altitude -16 to 3,048 m (-50 to 10,000 ft.). 10 McAfee Gateway 7.0 Appliances Installation Guide

11 Preparing to install Positioning the appliance 1 Positioning the appliance Use this information to understand where the McAfee Gateway should be placed before setting up and using it. Select the final position for the appliance and install it so that it meets the operating conditions, so that you can control physical access to the appliance, and so that you can access all ports and connections on both the front and the rear panels.. A rack-mounting kit is supplied with the appliance, allowing you to install the appliance in a 19-inch rack. Considerations about network modes Use this information to gain an understanding of the operational (or network) modes in which the device can operate. Before you install and configure your McAfee Gateway, you must decide which network mode to use. The mode you choose determines how you physically connect your appliance to your network. You can choose from the following network modes: Transparent bridge mode The device acts as an Ethernet bridge. Transparent router mode The device acts as a router. Explicit proxy mode The device acts as a proxy server and a mail relay. If you are still unsure about the mode to use after reading this and the following sections, consult your network expert. Architectural considerations about network modes The main considerations regarding the network modes are: Whether communicating devices are aware of the existence of the device. That is, if the device is operating in one of the transparent modes. How the device physically connects to your network. The configuration needed to incorporate the device into your network. Where the configuration takes place in the network. Considerations before changing network modes In explicit proxy and transparent router modes, you can set up the device to sit on more than one network by setting up multiple IP addresses for the LAN1 and LAN2 ports. If you change to transparent bridge mode from explicit proxy or transparent router mode, only the enabled IP addresses for each port are carried over. After you select a network mode, McAfee recommends not changing it unless you move the device or restructure your network. Transparent bridge mode Use this information to better understand Transparent bridge mode on your McAfee Gateway. In transparent bridge mode, the communicating servers are unaware of the device the device s operation is transparent to the servers. McAfee Gateway 7.0 Appliances Installation Guide 11

12 1 Preparing to install Considerations about network modes Draft only In the figure, the external mail server (A) sends messages to the internal mail server (C). The external mail server is unaware that the message is intercepted and scanned by the device (B). The external mail server seems to communicate directly with the internal mail server the path is shown as a dotted line. In reality, traffic might pass through several network devices and be intercepted and scanned by the device before reaching the internal mail server. What the device does in transparent bridge mode In transparent bridge mode, the device connects to your network using the LAN1 and LAN2 ports. The device scans the traffic it receives, and acts as a bridge connecting two network segments, but treats them as a single logical network. Configuration in transparent bridge mode Transparent bridge mode requires less configuration than transparent router and explicit proxy modes. You do not need to reconfigure all your clients, default gateway, MX records, Firewall NAT or mail servers to send traffic to the device. Because the device is not a router in this mode, you do not need to update a routing table. Where to place the device when using transparent bridge mode For security reasons, you must use the device inside your organization, behind a firewall. In transparent bridge mode, position the device between the firewall and your router, as shown. In this mode, you physically connect two network segments to the device, and the device treats them as one logical network. Because the devices firewall, device, and router are on the same logical network, they must all have compatible IP addresses on the same subnet. Devices on one side of the bridge (such as a router) that communicate with devices on the other side of the bridge (such as a firewall) are unaware of the bridge. They are unaware that traffic is intercepted and scanned, therefore the device is said to operate as a transparent bridge. Transparent router mode Use this information to better understand Transparent router mode on your McAfee Gateway. In transparent router mode, the device scans traffic between two networks. The device has one IP address for outgoing scanned traffic, and must have one IP address for incoming traffic. The communicating network servers are unaware of the intervention of the device the device s operation is transparent to the devices. What the device does in transparent router mode In transparent router mode, the device connects to your networks using the LAN1 and LAN2 ports. The device scans the traffic it receives on one network, and forwards it to the next network device on a different network. The device acts as a router, routing the traffic between networks, based on the information held in its routing tables. 12 McAfee Gateway 7.0 Appliances Installation Guide

13 Preparing to install Considerations about network modes 1 Configuration in transparent router mode Using transparent router mode, you do not need to explicitly reconfigure your network devices to send traffic to the device. You need only configure the routing table for the device, and modify some routing information for the network devices on either side of it (the devices connected to its LAN1 and LAN2 ports). For example, you might need to make the device your default gateway. In transparent router mode, the device must join two networks. The device must be positioned inside your organization, behind a firewall. Transparent router mode does not support Multicast IP traffic or non-ip protocols, such as NETBEUI and IPX. Firewall rules In transparent router mode, the firewall connects to the physical IP address for the LAN1/LAN2 connection to the management blade. Where to place the device Use the device in transparent router mode to replace an existing router on your network. You need to: If you use transparent router mode and you do not replace an existing router, you must reconfigure part of your network to route traffic correctly through the device. Configure your client devices to point to the default gateway. Configure the device to use the Internet gateway as its default gateway. Ensure your client devices can deliver messages to the mail servers within your organization. Explicit proxy mode Use this information to better understand explicit proxy mode on your McAfee Gateway. In explicit proxy mode, some network devices must be set up explicitly to send traffic to the device. The device then works as a proxy or relay, processing traffic on behalf of the devices. Explicit proxy mode is best suited to networks where client devices connect to the device through a single upstream and downstream device. This might not be the best option if several network devices must be reconfigured to send traffic to the device. Network and device configuration If the device is set to explicit proxy mode, you must explicitly configure your internal mail server to relay traffic to the device. The device scans the traffic before forwarding it, on behalf of the sender, to the external mail server. The external mail server then forwards the message to the recipient. In a similar way, the network must be configured so that incoming messages from the Internet are delivered to the device, not the internal mail server. The device scans the traffic before forwarding it, on behalf of the sender, to the internal mail server for delivery, as shown. McAfee Gateway 7.0 Appliances Installation Guide 13

14 1 Preparing to install Deployment strategies for using the device in a DMZ Draft only For example, an external mail server can communicate directly with the device, although traffic might pass through several network servers before reaching the device. The perceived path is from the external mail server to the device. Protocols To scan a supported protocol, you must configure your other network servers or client computers to route that protocol through the device, so that no traffic bypasses the device. Firewall rules Explicit proxy mode invalidates any firewall rules set up for client access to the Internet. The firewall sees only the IP address information for the device, not the IP addresses of the clients, so the firewall cannot apply its Internet access rules to the clients. Where to place the device Configure the network devices so that traffic needing to be scanned is sent to the device. This is more important than the location of the device. The router must allow all users to connect to the device. The device must be positioned inside your organization, behind a firewall, as shown in Figure 6: Explicit proxy configuration. Typically, the firewall is configured to block traffic that does not come directly from the device. If you are unsure about your network s topology and how to integrate the device, consult your network expert. Use this configuration if: The device is operating in explicit proxy mode. You are using (SMTP). For this configuration, you must: Configure the external Domain Name System (DNS) servers or Network Address Translation (NAT) on the firewall so that the external mail server delivers mail to the device, not to the internal mail server. Configure the internal mail servers to send messages to the device. That is, the internal mail servers must use the device as a smart host. Ensure that your client devices can deliver messages to the mail servers within your organization. Ensure that your firewall rules are updated. The firewall must accept traffic from the device, but must not accept traffic that comes directly from the client devices. Set up rules to prevent unwanted traffic entering your organization. Deployment strategies for using the device in a DMZ Use this information to understand about demilitarized zones within your network, and how to use them to protect your servers. A demilitarized zone (DMZ) is a network separated by a firewall from all other networks, including the Internet and other internal networks. The typical goal behind the implementation of a DMZ is to lock down access to servers that provide services to the Internet, such as . Hackers often gain access to networks by identifying the TCP/UDP ports on which applications are listening for requests, then exploiting known vulnerabilities in applications. Firewalls dramatically reduce the risk of such exploits by controlling access to specific ports on specific servers. 14 McAfee Gateway 7.0 Appliances Installation Guide

15 Preparing to install Deployment strategies for using the device in a DMZ 1 The device can be added easily to a DMZ configuration. The way you use the device in a DMZ depends on the protocols you intend to scan. SMTP configuration in a DMZ Use this information to understand how to configure SMTP devices within a demilitarized zone on your network. The DMZ is a good location for encrypting mail. By the time the mail traffic reaches the firewall for the second time (on its way from the DMZ to the Internet), it has been encrypted. Devices which scan SMTP traffic in a DMZ are usually configured in explicit proxy mode. Configuration changes need only be made to the MX records for the mail servers. NOTE: You can use transparent bridge mode when scanning SMTP within a DMZ. However, if you do not control the flow of traffic correctly, the device scans every message twice, once in each direction. For this reason, explicit proxy mode is usually used for SMTP scanning. Mail relay If you have a mail relay already set up in your DMZ, you can replace the relay with the device. To use your existing firewall policies, give the device the same IP address as the mail relay. Mail gateway SMTP does not provide methods to encrypt mail messages you can use Transport Layer Security (TLS) to encrypt the link, but not the mail messages. As a result, some companies do not allow such traffic on their internal network. To overcome this, they often use a proprietary mail gateway, such as Lotus Notes or Microsoft Exchange, to encrypt the mail traffic before it reaches the Internet. To implement a DMZ configuration using a proprietary mail gateway, add the scanning device to the DMZ on the SMTP side of the gateway. In this situation, configure: The public MX records to instruct external mail servers to send all inbound mail to the device (instead of the gateway). The device to forward all inbound mail to the mail gateway, and deliver all outbound mail using DNS or an external relay. The mail gateway to forward all inbound mail to the internal mail servers and all other (outbound) mail to the device. The firewall to allow inbound mail that is destined for the device only. Firewalls configured to use Network Address Translation (NAT), and that redirect inbound mail to internal mail servers, do not need their public MX records reconfigured. This is because they are directing traffic to the firewall rather than the mail gateway itself. In this case, the firewall must instead be reconfigured to direct inbound mail requests to the device. McAfee Gateway 7.0 Appliances Installation Guide 15

16 1 Preparing to install Deployment strategies for using the device in a DMZ Draft only Firewall rules specific to Lotus Notes Use this information to identify specific considerations when protecting Lotus Notes systems. By default, Lotus Notes servers communicate over TCP port The firewall rules typically used to secure Notes servers in a DMZ allow the following through the firewall: Inbound SMTP requests (TCP port 25) originating from the Internet and destined for the device TCP port 1352 requests originating from the Notes gateway and destined for an internal Notes server TCP port 1352 requests originating from an internal Notes server and destined for the Notes gateway SMTP requests originating from the device and destined for the Internet All other SMTP and TCP port 1352 requests are denied. Firewall rules specific to Microsoft Exchange Use this information to identify specific considerations when protecting Microsoft Exchange systems. A Microsoft Exchange-based mail system requires a significant workaround. When Exchange servers communicate with each other, they send their initial packets using the RPC protocol (TCP port 135). However, once the initial communication is established, two ports are chosen dynamically and used to send all subsequent packets for the remainder of the communication. You cannot configure a firewall to recognize these dynamically-chosen ports. Therefore, the firewall does not pass the packets. The workaround is to modify the registry on each of the Exchange servers communicating across the firewall to always use the same two dynamic ports, then open TCP 135 and these two ports on the firewall. We mention this workaround to provide a comprehensive explanation, but we do not recommend it. The RPC protocol is widespread on Microsoft networks opening TCP 135 inbound is a red flag to most security professionals. If you intend to use this workaround, details can be found in the following Knowledge Base article on the Microsoft website: Workload management Use this information to learn about the workload management features of McAfee Gateway. The appliances includes its own internal workload management, distributing the scanning load evenly between all appliances configured to work together. You do not need to deploy an external load balancer. 16 McAfee Gateway 7.0 Appliances Installation Guide

17 2 Installing the McAfee Gateway appliance Use this information to understand the recommended process to install, connect and configure your McAfee Gateway. McAfee recommends that you consider installing the McAfee Gateway in the following order: 1 Unpack the McAfee Gateway and confirm no parts are missing (check against parts lists in the box) 2 Rack-mount the McAfee Gateway 3 Connect the peripherals and power (monitor, keyboard). 4 Connect the McAfee Gateway to the network, noting deployment scenarios and intended network mode. 5 Install the software onto the McAfee Gateway 6 Use the Configuration Console to carry out the basic configuration (server name, IP addresses, gateway, and so on). 7 Connect to the administration interface. 8 Run the Setup Wizard. 9 Route test network traffic through the McAfee Gateway 10 Test that the network traffic is being scanned. 11 Configure policies and reporting. 12 Route production traffic through the McAfee Gateway. Connecting the McAfee Gateway to your network can disrupt Internet access or other network services. Ensure that you have arranged network down-time for this, and that you schedule this during periods of low network usage. Contents Installation quick reference table Ports and connections Physically installing the appliance Connect to the network Supplying power to the appliance Overview task Installing the software Using the Configuration Console McAfee Gateway 7.0 Appliances Installation Guide 17

18 2 Installation quick reference table Draft only Installation quick reference table Use this information as a quick reference when installing the McAfee Gateway. This step is described here. 1. Unpack the pallet and check the contents against the parts lists in the box. Part List 2. Connect the peripherals and power. 3. Connect the appliance to the network. 4. Install the software. 5. Perform basic configuration. 6. Connect to the administration interface. 7. Route the test network traffic through the appliance. 8. Test that the network traffic is being scanned. 9. Configure policies and reporting. 10. Configure production traffic through the system. Ports and connections Information regarding the ports and connections are no longer held within this guide. For information about the ports and connections on your appliance, please refer to the McAfee Gateway Port Identification Guide. Physically installing the appliance Use this task to physically connect your appliance to your network. Task 1 Remove the appliance from the protective packaging and place it on a flat surface. 2 If you are going to install the appliance in a 19-inch rack, perform the steps in Mounting the appliance in a rack. 3 Connect a monitor, keyboard and mouse to the appliance. 4 Connect power leads to the monitor and the appliance, but do not connect to the power supplies yet. 5 Connect the appliance to the network, taking into consideration your chosen operating mode. Mounting the appliance in a rack Use this information to mount your appliance into a rack. The rack kit enables you to install the appliance into a four-post rack. The kit can be used with most industry-standard 19-inch rack cabinets. 18 McAfee Gateway 7.0 Appliances Installation Guide

19 Connect to the network 2 The rack kit contains: 2 mounting rails 8 screws 2 releasable tie wraps You will need a screwdriver that is suitable for use with the supplied screws. Make sure you follow the supplied safety warnings. Always load the rack from the bottom up. If you are installing multiple appliances, start with the lowest available position first. Connect to the network Learn how to connect your Gateway to your network. This section describes how to connect the appliance to your network. The ports and cables that you use to connect the appliance to your network depend on how you are going to use the appliance. For information about network modes, see Considerations about network modes. Port numbers Use this information to understand some of the important ports used by your appliance. When you connect the appliance to your network, use the following port numbers: For HTTPS, use Port 443. For POP3, use port 110. For HTTP, use Port 80. For FTP, use Port 21. For SMTP, use Port 25. Using Copper LAN connections Understand how to connect your Gateway to your network using copper connections. Using the LAN1 and LAN2 switch connections and the supplied network cables (or equivalent Cat 5e or Cat 6 Ethernet cables), connect the appliance to your network according to the network mode you have chosen. If you have DHCP configured on your network, the IP addresses for these ports are now automatically allocated. Transparent bridge mode Use the copper LAN cables (supplied) to connect the Gateway LAN1 and LAN2 switches to your network so that the appliance is inserted into the data stream. Transparent router mode The Gateway functions as a router. The LAN segments connected to its two network interfaces must therefore be on different IP subnets. It must replace an existing router, or a new subnet must be created on one side of the appliance. Do this by changing the IP address or the netmask used by the computers on that side. McAfee Gateway 7.0 Appliances Installation Guide 19

20 2 Supplying power to the appliance Draft only Explicit proxy mode Use a copper LAN cable (supplied) to connect the LAN1 or LAN2 switch to your network. The cable is a straight-through (uncrossed) cable, and connects the appliance to a normal uncrossed RJ-45 network switch. In explicit proxy mode, the unused switch connection can be used as a dedicated management port. To manage the appliance locally, use a crossover Cat 5e Ethernet cable to connect the appliance to your local computer s network card. Using Fiber LAN connections Understand how to connect your Gateway to your network using fiber-optic connections. Using the LAN1 and LAN2 switch connections and the fiber cables, connect the appliance to your network according to the network mode you have chosen. Transparent bridge mode Use the fiber cables to connect the LAN1 and LAN2 switches to your network. Transparent router mode Use the fiber cables to connect the LAN1 and LAN2 switches to different IP subnets. Explicit proxy mode Use a fiber cable to connect the appliance s LAN1 switches to your network. In explicit proxy mode, the unused connector can be used as a dedicated management port. If your management computer has a compatible Network Interface Card (NIC), connect it to the remaining connector for local management. Monitor, mouse and keyboard Use this information to connect a computer monitor, the mouse and the keyboard to your McAfee Gateway. Connect a computer monitor to the VGA connector on your McAfee Gateway. Connect the keyboard and mouse to USB connectors on the McAfee Gateway Supplying power to the appliance Use this task to supply power to the appliance and to switch it on. Task 1 Connect the monitor and appliance power cables to power outlets. If the power cord is not suitable for the country of use, contact your supplier. 2 Switch on the appliance by pushing the power button. After booting up, the Configuration Console appears on the monitor. 20 McAfee Gateway 7.0 Appliances Installation Guide

21 Overview task Installing the software 2 Overview task Installing the software Use this task as an overview of the software installation process for McAfee Gateway. Task 1 From a computer with internet access, download the latest version of the and Web Security software from the McAfee download site. (You will need your Grant Number to do this.) 2 Create a CD from this image. 3 With the device switched on, insert the CD into the CD-ROM drive. 4 Re-boot the device. As the McAfee Gateway reboots, the software is installed on the device. Tasks Task Downloading the installation software on page 21 Use this task to download the most up-to-date version of the McAfee Gateway software. Task Creating a CD from the installation software image on page 22 Use this task to create an installation CD from the downloaded software image. Task Downloading the installation software Use this task to download the most up-to-date version of the McAfee Gateway software. Before you begin Read your product installation guide. Get the McAfee grant ID number that you received when you purchased McAfee Gateway. McAfee provides the software as an.iso file (for creating CDs for installation on physical appliances), available from the McAfee download website. Task 1 Go to the McAfee website Hover your cursor over your business type and click Downloads. 2 From My Products - Downloads, click Login. 3 Type the McAfee grant ID number that you received when you purchased McAfee Gateway, and click Submit. 4 From the list of products, select Gateway. 5 Agree to the license terms, select the latest version and download it. McAfee recommends that you read the Release Notes that accompany the software image before you continue with the installation. McAfee Gateway 7.0 Appliances Installation Guide 21

22 2 Using the Configuration Console Draft only Task Creating a CD from the installation software image Use this task to create an installation CD from the downloaded software image. Before you begin Download the software image in.iso file format. Ensure that you have a method to validate the downloaded.iso file, by comparing the MD5 checksums. Ensure that you have a suitable writable CD-ROM drive connected to your computer system and suitable writeable CDs. Ensure that you have suitable CD creation software able to create a CD image from an.iso file installed on your computer system, From a computer that can access the downloaded.iso image, carry out the following steps. Task 1 Validate the downloaded.iso file, by generating an MD5 checksum, and comparing it with the information given on the download site. 2 Following the instructions supplied with your CD Creation software, open the software. 3 Following the workflow for your CD Creation software, select your writable CD-ROM drive, and the McAfee Gateway.iso file and insert a blank writable CD into the CD-ROM drive.. 4 Create the installation CD. Using the Configuration Console Understand how to use the configuration console to set up your McAfee Gateway. You can now configure your Gateway either from the Configuration Console, or from the Setup Wizard within the user interface. The Configuration Console launches automatically at the end of the startup sequence after either: an unconfigured Gateway starts, or after a Gateway is reset to its factory defaults. When launched, the Configuration Console provides you with options to either configure your device in your preferred language from the Gateway console, or provides instructions for you to connect to the Setup Wizard within the user interface from another computer on the same class C subnet. Both methods provide you with the same options to configure your Gateway. From the Configuration Console, you can configure a new installation of the appliance software. However, to configure your appliance using a previously saved configuration file, you need to log onto the appliance user interface, and run the setup Wizard (System Setup Wizard). This version of the software also introduces automatic configuration using DHCP for the following parameters: Host name DNS server Domain name Leased IP address Default gateway NTP server 22 McAfee Gateway 7.0 Appliances Installation Guide

23 Using the Configuration Console 2 Welcome Use this page to select the type of installation that you want to follow. This is the first page of the Setup Wizard. Use this page to select the type of installation you want to perform. Standard Setup (default) use this option to set up your device in transparent bridge mode, and configure it to protect your network. The SMTP protocol is enabled by default. You can choose to enable scanning of POP3 traffic. Choosing Standard Setup forces the device to run in transparent bridge mode. Custom Setup use this option to select the operating mode for your device. You can choose to protect mail traffic using SMTP and POP3 protocols. You should use this if you need to configure IPv6 and to make other changes to the default configuration. Restore from a file (not available from the Configuration Console) use this to set up your device based on a previously saved configuration. Following the import of the file you will be able to check the imported settings before finishing the wizard. If the file came from an earlier McAfee and Web Security Appliance, some details are not available. epo Managed Setup use this to set up your device so that it can be managed by your epolicy Orchestrator server. Only minimal information is needed, as the device will get most of its configuration information from your epolicy Orchestrator server. Encryption Only Setup use this option to set up your appliance as a standalone encryption server. The appliance operates in one of the following modes transparent bridge, transparent router, or explicit proxy. The mode affects how you integrate the appliance into your network and how the appliance handles traffic. You will need to change the mode only if you restructure your network. Performing a Standard Setup Use this information to understand the purpose of the Standard Setup. Standard Setup enables you to quickly set up your McAfee Gateway using the most common options. Use this option to set up your device in transparent bridge mode, and configure it to protect your network. The SMTP protocol is enabled by default. You can choose to enable scanning of POP3 traffic. Choosing Standard Setup forces the device to run in transparent bridge mode. For the Standard Setup, the wizard includes these pages: Configuration Basic Settings Summary McAfee Gateway 7.0 Appliances Installation Guide 23

24 2 Using the Configuration Console Draft only Configuration page (Standard Setup) This information describes the options available on this page. Enable protection against Potentially Unwanted Programs Enable McAfee Global Threat Intelligence feedback Local relay domain Click to activate protection against Potentially Unwanted Programs. Read the advice from McAfee about the effects that activating this protection can have. Select this option to enable McAfee Global Threat feedback. Click What is this? to read about how the feedback is used, and view the McAfee Privacy Policy. Enter both the IP address and netmask for your local relay domain. Basic Settings page (Standard Setup) Use this page in the Standard Setup wizard, to specify basic settings for the appliance in transparent bridge mode. Device name Domain name Specifies a name, such as appliance1. Specifies a name, such as domain1.com. IP address Specifies an address, such as The fully qualified domain name (Device name.domain name) must resolve to this IP address when the DNS server (specified here) is called. We recommend that this IP address resolves to the FQDN in a reverse lookup. Subnet Specifies a subnet address, such as Gateway Address DNS Server IP Mode User ID Current Password/ New Password Specifies an address, such as This is likely to be a router or a firewall. You can test later that the appliance can communicate with this device. Specifies the address of a Domain Name Server that the appliance uses to convert website addresses to IP addresses. This can be an Active Directory or a Domain Name Service server. You can test later that the appliance can communicate with this server. Specifies the mode Transparent Bridge, Transparent Router or Explicit Proxy. The scmadmin user is the super administrator. You cannot change or disable this account and the account cannot be deleted. However, you can add more login accounts after installation. The original default password is password. Specify the new password. Change the password as soon as possible to keep your appliance secure. You must type the new password twice to confirm it. Appliance Time zone Appliance Time (UTC) Set Now Client Time Specifies the time zone of the appliance. You might need to set this twice each year if your region observes daylight saving time. The zones are organized from west to east to cover mid-pacific, America, Europe, Asia, Africa, India, Japan, and Australia. Specifies the date and UTC time for the appliance. To select the date, click the calendar icon. You can determine the UTC time from websites such as When clicked, applies the date and UTC time that you specified in this row. Displays the time according to the client computer from which your browser is currently connected to the appliance. 24 McAfee Gateway 7.0 Appliances Installation Guide

25 Using the Configuration Console 2 Synchronize appliance with client When selected, the time in the Appliance Time (UTC) immediately takes its value from Client Time. You can use this checkbox as an alternative to manual setting of Appliance Time (UTC). The appliance calculates the UTC time based on the time zone that it finds on the client's browser. Ensure that the client computer is aware of any daylight savings adjustments. To find the setting on Microsoft Windows, right-click the time display in the bottom right corner of the screen. NTP server address To use Network Time Protocol (NTP), specify the server address. Alternatively, you can configure NTP later. Summary page (Standard Setup) Use this page in the Standard Setup wizard, to review a summary of the settings that you have made for the network connections and scanning of the network traffic. To change any value, click its blue link to display the page where you originally typed the value. After you click Finish, the setup wizard has completed, and the appliance is configured as a transparent bridge. Use the IP address shown here to access the interface. For example The address begins with https, not http. When you first log on to the interface, type the user name, admin and the password that you gave on the Basic Settings page. Table 2-1 The value is set according to best practice. The value is probably not correct. Although the value is valid, it is not set according to best practice. Check the value before continuing. No value has been set. The value has not been changed from the default. Check the value before continuing. Performing a Custom Setup Use this information to understand the purpose of the custom setup. Use the Custom Setup to give you greater control in the options that you can select, including the operating mode for your device. You can choose to protect mail traffic using SMTP and POP3 protocols. You should use this configuration option if you need to configure IPv6 and to make other changes to the default configuration. For the Custom Setup, the wizard includes these pages: Configuration DNS and Routing Basic Settings Time Settings Network Settings Password Cluster Management Summary McAfee Gateway 7.0 Appliances Installation Guide 25

26 2 Using the Configuration Console Draft only Basic Settings page (Custom Setup) Use this page when selecting the Custom Setup wizard, to specify basic settings for the appliance. The appliance tries to provide some information for you, and shows the information highlighted in amber. To change the information, click and retype. Cluster mode Defines the options that appear on the Cluster Management page of the Setup Wizard. Off This is a standard appliance. Cluster Scanner The appliance receives its scanning workload from a master appliance. Cluster Master The appliance controls the scanning workload for several other appliances. Cluster Failover If the master fails, this appliance controls the scanning workload instead. Device name Domain name Default Gateway Next Hop Router Network Interface Specifies a name, such as appliance1. Specifies a name, such as domain1.com. Specifies an IPv4 address, such as You can test later that the appliance can communicate with this server. Specifies an IPv6 address, such as FD4A:A1B2:C3D4::1. Becomes available when you set the Next Hop Router for IPv6. Network Settings page Use these options to view and configure the IP address and network speeds for the appliance. You can use IPv4 and IPv6 addresses, separately or in combination. To prevent duplication of IP addresses on your network and to deter hackers, give the appliance new IP addresses, and disable the default IP addresses. The IP addresses must be unique and suitable for your network. Specify as many IP addresses as you need. <mode> Network Interface 1 Network Interface 2 Change Network Settings View Network Interface Layout The operating mode that you set during installation or in the Setup Wizard Expands to show the IP address and netmask associated with Network Interface 1, the auto-negotiation state, and the size of the MTU. Expands to show the IP address and netmask associated with Network Interface 2, the auto-negotiation state, and the size of the MTU Click to open the Network Interface Wizard to specify the IP address and adapter settings for NIC 1 and NIC 2, and change the chosen operating mode. Click to see the <?> associated with LAN1, LAN2, and the out of band interface Network Interfaces Wizard Use the Network Interfaces Wizard to change the chosen operating mode, and specify the IP address and adapter settings for NIC 1 and NIC 2. The options you see in the Network Interfaces Wizard depend on the operating mode. On the first page of the wizard, you can choose to change the operating mode for the appliance. You can change the settings by clicking Change Network Settings to start a wizard. Click Next to progress through the wizard. In Explicit Proxy mode, some network devices send traffic to the appliances. The appliance then works as a proxy, processing traffic on behalf of the devices. 26 McAfee Gateway 7.0 Appliances Installation Guide

27 Using the Configuration Console 2 In Transparent Router or Transparent Bridge mode, other network devices, such as mail servers, are unaware that the appliance has intercepted and scanned the before forwarding it. The appliance's operation is transparent to the devices. If you have a standalone appliance running in transparent bridge mode, you will have the option to add a bypass device in case the appliance fails. If the appliance is operating in Transparent Bridge mode, and the Spanning Tree Protocol (STP) is running on your network, make sure that the appliance is configured according to STP rules. Additionally, you can set up a bypass device in transparent bridge mode. Network Interfaces Wizard Explicit Proxy mode Use the Network Interfaces Wizard to change the chosen operating mode, and specify the IP address and adapter settings for NIC 1 and NIC 2. This version of the Network Interfaces Wizard becomes available when you select the Explicit Proxy mode. Specify the details for Network Interface 1, then use the Next button to set details for Network Interface 2 as necessary. Network Interface 1 or Network Interface 2 page IP Address Specifies network addresses to enable the appliance to communicate with your network. You can specify multiple IP addresses for the appliance s network ports. The IP address at the top of a list is the primary address. Any IP addresses below it are aliases. You must have at least one IP address in both Network Interface 1 and Network Interface 2. However, you can deselect the Enabled option next to any IP addresses that you do not wish to listen on. Network Mask Enabled Virtual Specifies the network mask. In IPv4, you can use a format such as , or CIDR notation, such as 24. In IPv6, you must use the prefix length, for example, 64. When selected, the appliance accepts connections on the IP address. When selected, the appliance treats this IP address as a virtual address. This option only appears in cluster configurations, or on a McAfee Content Security Blade Server. McAfee Gateway 7.0 Appliances Installation Guide 27

28 2 Using the Configuration Console Draft only New Address/ Delete Selected Addresses NIC 1 Adapter s or NIC 2 Adapter s Add a new address, or remove a selected IP address. Expand to set the following options: MTU size specifies the Maximum Transmission Unit (MTU) size. The MTU is the maximum size (expressed in bytes) of a single unit of data (for example, an Ethernet Frame) that can be sent over the connection. The default value is 1500 bytes. Autonegotiation state either: On allows the appliance to negotiate the speed and duplex state for communicating with other network devices. Off allows you to select the speed and duplex state. Connection speed provides a range of speeds. Default value is 100MB. Duplex state provides duplex states. Default value is Full duplex. Enable IPv6 auto-configuration Select this option to allow the appliance to automatically configure its IPv6 addresses and IPv6 default next-hop router, by receiving Router Advertisement messages sent from your IPv6 router. This option is unavailable by default if your appliance is running in transparent router mode, or is part of a cluster configuration, or running as part of a Blade Server installation. Network Interfaces Wizard Transparent Router mode Use the Network Interfaces Wizard to change the chosen operating mode, then specify the IP address and adapter settings for NIC 1 and NIC 2. Network Interface 1 or Network Interface 2 pages IP Address Network Mask Enabled Virtual Specifies network addresses to enable the appliance to communicate with your network. You can specify multiple IP addresses for the appliance s ports. The IP address at the top of a list is the primary address. Any IP addresses below it are aliases. Specifies the network mask, for example: In IPv4, you can use a format such as , or CIDR notation, such as 24. In IPv6, you must use the prefix length, for example, 64. When selected, the appliance accepts connections on that IP address. When selected, the appliance treats this IP address as a virtual address. This option only appears in cluster configurations, or on a McAfee Content Security Blade Server. 28 McAfee Gateway 7.0 Appliances Installation Guide

29 Using the Configuration Console 2 New Address/ Delete Selected Addresses NIC 1 Adapter s or NIC 2 Adapter s Add a new address, or remove a selected IP address. Expand to set the following options: MTU size specifies the Maximum Transmission Unit (MTU) size. The MTU is the maximum size (expressed in bytes) of a single unit of data (for example, an Ethernet Frame) that can be sent over the connection. The default value is 1500 bytes. Autonegotiation state either: On allows the appliance to negotiate the speed and duplex state for communicating with other network devices. Off allows you to select the speed and duplex state. Connection speed provides a range of speeds. Default value is 100MB. Duplex state provides duplex states. Default value is Full duplex. Enable IPv6 auto-configuration select this option to allow the appliance automatically configure its IPv6 addresses and IPv6 default next-hop router, by receiving Router Advertisement messages sent from your IPv6 router. This option is unavailable by default if your appliance is running in transparent router mode, or is part of a cluster configuration, or running as part of a Blade Server installation. Enable sending IPv6 router advertisements on this interface Network Interfaces Wizard Transparent Bridge mode Use the Network Interfaces Wizard to change the chosen operating mode, and specify the IP address and adapter settings for NIC 1 and NIC 2. Specify the details for the Ethernet Bridge, then use the Next button to set details for the Spanning Tree Protocol and Bypass Device as necessary. definitions Ethernet Bridge page Select all IP Address Network Mask Enabled New Address/ Delete Selected Addresses Click to select all the IP addresses. Specifies network addresses to enable the appliance to communicate with your network. You can specify multiple IP addresses for the appliance s ports. The IP addresses are combined into one list for both ports. The IP address at the top of a list is the primary address. Any IP addresses below it are aliases. Use the Move links to reposition the addresses as necessary. Specifies the network mask, for example: In IPv4, you can use a format such as , or CIDR notation, such as 24. In IPv6, you must use the prefix length, for example, 64. When selected, the appliance accepts connections on that IP address. Add a new address, or remove a selected IP address. McAfee Gateway 7.0 Appliances Installation Guide 29

30 2 Using the Configuration Console Draft only NIC Adapter s Expand to set the following options: MTU size specifies the Maximum Transmission Unit (MTU) size. The MTU is the maximum size (expressed in bytes) of a single unit of data (for example, an Ethernet Frame) that can be sent over the connection. The default value is 1500 bytes. Autonegotiation state either: On allows the appliance to negotiate the speed and duplex state for communicating with other network devices. Off allows you to select the speed and duplex state. Connection speed provides a range of speeds. Default value is 100MB. Duplex state provides duplex states. Default value is Full duplex. Enable IPv6 auto-configuration select this option to allow the appliance to automatically configure its IPv6 addresses and IPv6 default next-hop router, by receiving Router Advertisement messages sent from your IPv6 router. This option is unavailable by default if your appliance is running in transparent router mode, or is part of a cluster configuration, or running as part of a Blade Server installation. definitions Spanning Tree Protocol Settings page Enable STP Bridge priority Advanced parameters STP is enabled by default. Sets the priority for the STP bridge. Lower numbers have a higher priority. The maximum number that you can set is Expand to set the following options. Change the settings only if you understand the possible effects, or you have consulted an expert: Forwarding delay Hello interval (seconds) Maximum age (seconds) Garbage collection interval (seconds) Ageing time (seconds) definitions Bypass Device Settings page The bypass device inherits settings from those you entered in NIC Adapter s Select bypass device Watchdog timeout (seconds). Choose from two supported devices. 30 McAfee Gateway 7.0 Appliances Installation Guide

31 Using the Configuration Console 2 Heartbeat interval (seconds) Advanced parameters Set to monitor heartbeat by default. This option becomes active when you select a bypass device. Mode choose to monitor the heartbeat or the heartbeat and the link activity. Link activity timeout (seconds) becomes active when you select Monitor heartbeat and link activity in Mode Enable buzzer enabled by default. Cluster Management page Use this page to specify cluster management balancing requirements. Depending on the cluster mode you selected on the Basic Settings page, the options that appear on the Cluster Management page change. Cluster Management Configuration (Standard appliance) Do not use. Cluster management is disabled. Cluster Management (Cluster Scanner) Cluster identifier If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is Cluster Management (Cluster Master) In explicit proxy mode or transparent router mode, you can enable failover between two appliances in a cluster by assigning a virtual IP address to this appliance and configuring another appliance as a Cluster Failover appliance using the same virtual address. In transparent bridge mode, this is achieved by setting a high STP priority for this appliance and configuring another appliance as a Cluster Failover appliance with a lower STP priority. Address to use for load balancing Cluster identifier Specifies the appliance address. If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is Enable scanning on this appliance (Not applicable on Content Security Blade Servers) If not selected, this appliance distributes all scanning workload to the scanning appliances. For a cluster of appliances, if you have only a master and a failover appliance, with both configured to scan traffic, the master will send most connections to the failover appliance for scanning. McAfee Gateway 7.0 Appliances Installation Guide 31

32 2 Using the Configuration Console Draft only Cluster Management (Cluster Failover) Address to use for load balancing Cluster identifier Enable scanning on this appliance (Not applicable on Content Security Blade Servers) Specifies the appliance address. Provides a list of all subnets assigned to the appliance. If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is If not selected, this appliance distributes all scanning workload to the scanning appliances. For a cluster of appliances, if you have only a master and a failover appliance, with both configured to scan traffic, the master will send most connections to the failover appliance for scanning. DNS and Routing page Use this page to configure the appliance's use of DNS and routes. Domain Name System (DNS) servers translate or "map" the names of network devices into IP addresses (and the reverse operation). The appliance sends requests to DNS servers in the order that they are listed here. DNS server addresses Table 2-2 definitions DNS Servers Server Address New Server/ Delete Selected Servers Only send queries to these servers Displays the IP addresses of the DNS servers. The first server in the list must be your fastest or most reliable server. If the first server cannot resolve the request, the appliance contacts the second server. If no servers in the list can resolve the request, the appliance forwards the request to the DNS root name servers on the Internet. If your firewall prevents DNS lookup (typically on port 53), specify the IP address of a local device that provides name resolution Adds a new server to the list, or removes one when, for example, when you need to decommission a server due to network changes. Selected by default. McAfee recommends that you leave this option selected because it might speed up DNS queries as the appliance sends the queries to the specified DNS servers only. If they don't know the address, they go to the root DNS servers on the Internet. When they get a reply, the appliance receives it and caches the response so that other servers that query that DNS server can get an answer more quickly. If you deselect this option, the appliance first tries to resolve the requests, or might query DNS servers outside your network. Routing settings Table 2-3 definitions Routing Network Address Type the network address of the route. Mask Specifies how many hosts are on your network, for example, Gateway Specifies the IP address of the router used as the next hop out of the network. The address (IPv4), or :: (IPv6) means that the router has no default gateway. 32 McAfee Gateway 7.0 Appliances Installation Guide

33 Using the Configuration Console 2 Table 2-3 definitions Routing (continued) Metric New Route / Delete Selected Routes Enable dynamic routing Specifies the preference given to the route. A low number indicates a high preference for that route. Add a new route to the table, ore remove routes. Use the arrows to move routes up and down the list. The routes are chosen based on their metric value. Use this option in transparent router mode only. When enabled, the appliance can: receive broadcast routing information received over RIP (default) that it applies its routing table so you don't have to duplicate routing information on the appliance that is already present in the network. broadcast routing information if static routes have been configured through the user interface over RIP. Configuration page (Custom Setup) This information describes the options available on this page. Initial configuration Enable protection against Potentially Unwanted Programs... Enable McAfee Global Threat Intelligence feedback Scan SMTP traffic / Scan POP3 traffic Click to activate protection against Potentially Unwanted Programs. Read the advice from McAfee about the effects that activating this protection can have. Click What is this? to read about how the feedback is used, and view the McAfee Privacy Policy. Both protocols are selected by default. Deselect a protocol to prevent scanning occurring. definitions Domains for which the appliance will accept or refuse Use these options to define how the appliance will relay . After you complete the Setup Wizard, you can manage the domains from Configuration Receiving Domain Name/ Network Address/MX Record Type Displays the domain names, wildcard domain names, network addresses, and MX lookups from which the appliance will accept or refuse . Domain name for example, example.dom. The appliance uses this to compare the recipient's address and compare the connection against an A record lookup. Network Address for example, /32 or /24. The appliance uses this to compare the recipient's IP literal address such as user@[ ], or the connection. MX Record Lookup for example, example.dom. The appliance uses this to compare the connection against an MX record lookup. Wildcard domain name for example, *.example.dom. The appliance only uses this information to compare the recipients address. McAfee Gateway 7.0 Appliances Installation Guide 33

34 2 Using the Configuration Console Draft only Category Add Domain Local domain Permitted domain Denied domain Click to specify the domains that can relay messages through the appliance to the recipient. Choose from: Local domain These are the domains or networks for which is accepted for delivery. For convenience, you can import a list of your local domain names using the Import Lists and Export Lists options. McAfee recommends that you add all domains or networks that are allowed to relay messages as local domains. Permitted domain is accepted. Use permitted domains to manage exceptions. Denied domain is refused. Use denied domains to manage exceptions. Hold your mouse cursor over the field to see the recommended format. You must set up at least one local domain. Add MX Lookup Delete Selected Items Click to specify a domain that the appliance will use to identify all mail server IP addresses from which it will deliver messages. Remove the selected item from the table. You must apply the changes before the item is completely removed from the appliance configuration. definitions Domain Routing Configure hosts that the appliance will use to route . After you complete the Setup Wizard, you can manage the domains from Configuration Sending . Domain name / Network Address / MX Record Type Displays a list of domains. This list allows you to specify specific relays/sets of relays to be used to deliver messages destined for specific domains. Domains can be identified using exact matches, or using pattern matches such as *.example.com. To specify multiple relays for a single domain, separate each with a space. If the first mail relay is accepting , all is delivered to the first relay. If that relay stops accepting , subsequent is delivered to the next relay in the list. Domain name for example, example.dom. The appliance uses this to compare the recipient's address and compare the connection against an A record lookup. Network Address for example, /32 or /24. The appliance uses this to compare the recipient's IP literal address such as user@[ ], or the connection. MX Record Lookup for example, example.dom. The appliance uses this to compare the connection against an MX record lookup. Wildcard domain name for example, *.example.dom. The appliance only uses this information to compare the recipients address. Category Local domain Permitted domain Denied domain 34 McAfee Gateway 7.0 Appliances Installation Guide

35 Using the Configuration Console 2 Add Relay List Click to populate the Known domains and relay hosts table with a list of host names, or IP addresses for delivery. Delivery will be attempted in the order specified unless you select the Round-robin the above hosts option which will distribute the load between the specified hosts. Host names/ip addresses may include a port number. Add MX Lookup Click to populate the Known domains and relay hosts table with an MX record lookup to determine the IP addresses for delivery. Delivery will be attempted to host names returned by the MX lookup in the order of priority given by the DNS server. Delete Selected Items Enable DNS lookup for domains not listed above Remove the selected item from the table. You must apply the changes before the item is completely removed from the appliance configuration. If selected, the appliance uses DNS to route for other, unspecified domains. DNS delivery attempts an MX-record lookup. If there are no MX records, it does an A-record lookup. If you deselect this checkbox, the appliance delivers only to the domains that are specified under Known domains and relay hosts. Time Settings page Use this page to set the time and date, and any details for the use of the Network Time Protocol (NTP). Appliance Time Zone Appliance Time (UTC) Set Now Client Time Synchronize appliance with client Specifies the time zone of the appliance. You might need to set this twice each year if your region observes daylight saving time. Specifies the date and UTC time for the appliance. To select the date, click the calendar icon. You can determine the UTC time from websites such as When clicked, applies the date and UTC time that you specified in this row. Displays the time according to the client computer from which your browser is currently connected to the appliance. When selected, the time in the Appliance Time (UTC) immediately takes its value from Client Time. You can use this checkbox as an alternative to manual setting of Appliance Time (UTC). The appliance calculates the UTC time based on the time zone that it finds on the client's browser. Ensure that the client computer is aware of any daylight savings adjustments. To find the setting on Microsoft Windows, right-click the time display in the bottom right corner of the screen. Enable NTP Enable NTP client broadcasts When selected, accepts NTP messages from a specified server or a network broadcast. NTP synchronizes timekeeping among devices in a network. Some Internet Service Providers (ISPs) provide a timekeeping service. Because NTP messages are not sent often, they do not noticeably affect the appliance's performance. When selected, accepts NTP messages from network broadcasts only. This method is useful on a busy network but must trust other devices in the network. When deselected, accepts NTP messages only from servers specified in the list. McAfee Gateway 7.0 Appliances Installation Guide 35

36 2 Using the Configuration Console Draft only NTP Server New Server Displays the network address or a domain name of one or more NTP servers that the appliance uses. For example, time.nist.gov. If you specify several servers, the appliance examines each NTP message in turn to determine the correct time. Type the IP address of a new NTP Server. Password page Use this page to specify a password for the appliance. For a strong password, include letters and numbers. You can type up to 15 characters. User ID Password This is admin. You can add more users later. Specifies the new password. Change the password as soon as possible to keep your appliance secure. You must enter the new password twice to confirm it. The original default password is password. Summary page Use this page to review a summary of the settings that you have made for the network connections and scanning of the traffic. To change any value, click its blue link to display the page where you originally typed the value. After you click Finish, the Setup Wizard has completed. Use the IP address shown here to access the interface. For example The address begins with https, not http. When you first log on to the interface, type the user name, admin and the password that you gave on the Password page. The value is set according to best practice. The value is probably not correct. Although the value is valid, it is not set according to best practice. Check the value before continuing. No value has been set. The value has not been changed from the default. Check the value before continuing. Restoring from a file Use this information to understand the purpose of restoring from a file When configuring your device from the Setup Wizard within the user interface, using the Restore from a file option enables you to import previously saved configuration information and apply it to your device. After this information has been imported you can make changes before applying the configuration. The Restore from a file option is not available from within the Configuration Console. To make use of this option, you must log into the McAfee Gateway and select Restore from a file from the System Setup Wizard menu. 36 McAfee Gateway 7.0 Appliances Installation Guide

37 Using the Configuration Console 2 Once the configuration information has been imported, you are taken to the Custom Setup options within the Setup Wizard (see Performing a custom setup.) All imported options are shown on the wizard pages, giving you the opportunity to make any amendments before applying the configuration. When using the Restore from a file option, the wizard includes these pages: Import Config Values to Restore Once this information has been loaded, you are then taken to the Custom Setup pages, so that you can make further changes before applying the new configuration: Configuration DNS and Routing Basic Settings Time Settings Network Settings Password Cluster Management Summary Basic Settings page (Custom Setup) Use this page when selecting the Custom Setup wizard, to specify basic settings for the appliance. The appliance tries to provide some information for you, and shows the information highlighted in amber. To change the information, click and retype. Cluster mode Defines the options that appear on the Cluster Management page of the Setup Wizard. Off This is a standard appliance. Device name Domain name Default Gateway Next Hop Router Network Interface Cluster Scanner The appliance receives its scanning workload from a master appliance. Cluster Master The appliance controls the scanning workload for several other appliances. Cluster Failover If the master fails, this appliance controls the scanning workload instead. Specifies a name, such as appliance1. Specifies a name, such as domain1.com. Specifies an IPv4 address, such as You can test later that the appliance can communicate with this server. Specifies an IPv6 address, such as FD4A:A1B2:C3D4::1. Becomes available when you set the Next Hop Router for IPv6. Cluster Management page Use this page to specify cluster management balancing requirements. Depending on the cluster mode you selected on the Basic Settings page, the options that appear on the Cluster Management page change. Cluster Management Configuration (Standard appliance) Do not use. Cluster management is disabled. McAfee Gateway 7.0 Appliances Installation Guide 37

38 2 Using the Configuration Console Draft only Cluster Management (Cluster Scanner) Cluster identifier If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is Cluster Management (Cluster Master) In explicit proxy mode or transparent router mode, you can enable failover between two appliances in a cluster by assigning a virtual IP address to this appliance and configuring another appliance as a Cluster Failover appliance using the same virtual address. In transparent bridge mode, this is achieved by setting a high STP priority for this appliance and configuring another appliance as a Cluster Failover appliance with a lower STP priority. Address to use for load balancing Cluster identifier Specifies the appliance address. If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is Enable scanning on this appliance (Not applicable on Content Security Blade Servers) If not selected, this appliance distributes all scanning workload to the scanning appliances. For a cluster of appliances, if you have only a master and a failover appliance, with both configured to scan traffic, the master will send most connections to the failover appliance for scanning. Cluster Management (Cluster Failover) Address to use for load balancing Cluster identifier Enable scanning on this appliance (Not applicable on Content Security Blade Servers) Specifies the appliance address. Provides a list of all subnets assigned to the appliance. If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is If not selected, this appliance distributes all scanning workload to the scanning appliances. For a cluster of appliances, if you have only a master and a failover appliance, with both configured to scan traffic, the master will send most connections to the failover appliance for scanning. DNS and Routing page Use this page to configure the appliance's use of DNS and routes. Domain Name System (DNS) servers translate or "map" the names of network devices into IP addresses (and the reverse operation). The appliance sends requests to DNS servers in the order that they are listed here. 38 McAfee Gateway 7.0 Appliances Installation Guide

39 Using the Configuration Console 2 DNS server addresses Table 2-4 definitions DNS Servers Server Address New Server/ Delete Selected Servers Only send queries to these servers Displays the IP addresses of the DNS servers. The first server in the list must be your fastest or most reliable server. If the first server cannot resolve the request, the appliance contacts the second server. If no servers in the list can resolve the request, the appliance forwards the request to the DNS root name servers on the Internet. If your firewall prevents DNS lookup (typically on port 53), specify the IP address of a local device that provides name resolution Adds a new server to the list, or removes one when, for example, when you need to decommission a server due to network changes. Selected by default. McAfee recommends that you leave this option selected because it might speed up DNS queries as the appliance sends the queries to the specified DNS servers only. If they don't know the address, they go to the root DNS servers on the Internet. When they get a reply, the appliance receives it and caches the response so that other servers that query that DNS server can get an answer more quickly. If you deselect this option, the appliance first tries to resolve the requests, or might query DNS servers outside your network. Routing settings Table 2-5 definitions Routing Network Address Type the network address of the route. Mask Specifies how many hosts are on your network, for example, Gateway Metric New Route / Delete Selected Routes Enable dynamic routing Specifies the IP address of the router used as the next hop out of the network. The address (IPv4), or :: (IPv6) means that the router has no default gateway. Specifies the preference given to the route. A low number indicates a high preference for that route. Add a new route to the table, ore remove routes. Use the arrows to move routes up and down the list. The routes are chosen based on their metric value. Use this option in transparent router mode only. When enabled, the appliance can: receive broadcast routing information received over RIP (default) that it applies its routing table so you don't have to duplicate routing information on the appliance that is already present in the network. broadcast routing information if static routes have been configured through the user interface over RIP. Time Settings page Use this page to set the time and date, and any details for the use of the Network Time Protocol (NTP). Appliance Time Zone Appliance Time (UTC) Set Now Specifies the time zone of the appliance. You might need to set this twice each year if your region observes daylight saving time. Specifies the date and UTC time for the appliance. To select the date, click the calendar icon. You can determine the UTC time from websites such as When clicked, applies the date and UTC time that you specified in this row. McAfee Gateway 7.0 Appliances Installation Guide 39

40 2 Using the Configuration Console Draft only Client Time Synchronize appliance with client Displays the time according to the client computer from which your browser is currently connected to the appliance. When selected, the time in the Appliance Time (UTC) immediately takes its value from Client Time. You can use this checkbox as an alternative to manual setting of Appliance Time (UTC). The appliance calculates the UTC time based on the time zone that it finds on the client's browser. Ensure that the client computer is aware of any daylight savings adjustments. To find the setting on Microsoft Windows, right-click the time display in the bottom right corner of the screen. Enable NTP Enable NTP client broadcasts NTP Server New Server When selected, accepts NTP messages from a specified server or a network broadcast. NTP synchronizes timekeeping among devices in a network. Some Internet Service Providers (ISPs) provide a timekeeping service. Because NTP messages are not sent often, they do not noticeably affect the appliance's performance. When selected, accepts NTP messages from network broadcasts only. This method is useful on a busy network but must trust other devices in the network. When deselected, accepts NTP messages only from servers specified in the list. Displays the network address or a domain name of one or more NTP servers that the appliance uses. For example, time.nist.gov. If you specify several servers, the appliance examines each NTP message in turn to determine the correct time. Type the IP address of a new NTP Server. Password page Use this page to specify a password for the appliance. For a strong password, include letters and numbers. You can type up to 15 characters. User ID Password This is admin. You can add more users later. Specifies the new password. Change the password as soon as possible to keep your appliance secure. You must enter the new password twice to confirm it. The original default password is password. Summary page Use this page to review a summary of the settings that you have made for the network connections and scanning of the traffic. To change any value, click its blue link to display the page where you originally typed the value. After you click Finish, the Setup Wizard has completed. Use the IP address shown here to access the interface. For example The address begins with https, not http. When you first log on to the interface, type the user name, admin and the password that you gave on the Password page. 40 McAfee Gateway 7.0 Appliances Installation Guide

41 Using the Configuration Console 2 The value is set according to best practice. The value is probably not correct. Although the value is valid, it is not set according to best practice. Check the value before continuing. No value has been set. The value has not been changed from the default. Check the value before continuing. epo Managed Setup Use this information to understand the purpose of the Standard Setup. McAfee epolicy Orchestrator enables you to manage all your McAfee software and hardware appliances from a single management console. Use the epo Managed Setup to set up your device so that it can be managed by your epolicy Orchestrator server. Only minimal information is needed, as the device will get most of its configuration information from your epolicy Orchestrator server. Settings for epo Management Select epo Managed Setup within the Setup Wizard to configure your appliance for management by McAfee epolicy Orchestrator. Table 2-6 definitions epo Extensions Download the epolicy Orchestrator extensions for McAfee Gateway products, including McAfee Gateway 7.0. The file MEGv7.0_ePOextensions.zip contains both the EWG and the MEG epo extensions. The EWG extension allows reporting from within epolicy Orchestrator for the following products: McAfee and Web Security appliances McAfee Web Gateway appliances McAfee Gateway appliances The MEG Extension provides full epolicy Orchestrator management for McAfee Gateway 7.0. For you to use epolicy Orchestrator for either reporting or management, the epo Extensions need to be installed on your epolicy Orchestrator server. epo Help Extensions Import epo connection settings Download the epolicy Orchestrator help extensions. The file MEGv7.0_ePOhelpextensions.zip contains the online help information for the above epo Extensions. This file installs the help extensions relating to the epolicy Orchestrator extensions for McAfee and Web Gateway and McAfee Gateway 7.0 appliances onto your epolicy Orchestrator server. Click to browse to the epolicy Orchestrator connection settings file, to import the epolicy Orchestrator connection information into the appliance. McAfee Gateway 7.0 Appliances Installation Guide 41

42 2 Using the Configuration Console Draft only Task Configuring the appliance to work with epolicy Orchestrator Use this task to set up the appliance to be managed by epolicy Orchestrator: 1 From your McAfee Gateway, on Settings for epo Management, select epo Extensions and click Save to download the extension file. 2 From your McAfee Gateway, on Settings for epo Management, select epo Help Extensions and click Save to download the help extension file. 3 On your epo server, install these extensions using Menu Software Extensions Install Extensions. 4 On the epo server, save the connections settings from Menu Gateway Protection and Web Gateway Actions Export Connection Settings. 5 On the McAfee Gateway, return to the Settings for epo Management page in the Setup Wizard, and click Import epo connection settings. Browse to the epo connections settings file. 6 Click Next to continue to the Basic Settings page in the Setup Wizard. Basic Settings page (epo Managed Setup) Use this page to configure the basic settings for the appliance that will be managed by epolicy Orchestrator. Table 2-7 definitions Cluster mode The options are: Off (Standard appliance) Cluster scanner Cluster Master Cluster failover Device Name Domain Name Default Gateway (IPv4) Next Hop Router (IPv6) Network Interface Specifies a name, such as appliance1. Specifies a name, such as domain1.com. Specifies an IPv4 address, such as You can test later that the appliance can communicate with this server. Specifies an IPv6 address, such as FD4A:A1B2:C3D4::1. Becomes available when you set the Next Hop Router for IPv6. Cluster Management page (epo Managed Setup) Use this page to specify load-balancing requirements that apply to epo Managed appliances. Cluster Management Configuration (Standard appliance) Do not use this page. Cluster management is disabled. Cluster Management (Cluster Scanner) Use this page to specify information for a scanning appliance. Cluster identifier Specifies an identifier. Range is McAfee Gateway 7.0 Appliances Installation Guide

43 Using the Configuration Console 2 Cluster Management (Cluster Master) Use this page to specify information for a master appliance. Address to use for load balancing Specifies the appliance address. Cluster identifier Specifies an identifier. Range is Enable scanning on this appliance If not selected, this appliance distributes all scanning workload to the scanning appliances. Cluster Management (Cluster Failover) Use this page to specify information for a failover appliance. Address to use for load balancing Specifies the appliance address. Provides a list of all subnets assigned to the appliance. Cluster identifier Specifies an identifier. Range is Enable scanning on this appliance If not selected, this appliance distributes all scanning workload to the scanning appliances. DNS and Routing page Use this page to configure the appliance's use of DNS and routes. Domain Name System (DNS) servers translate or "map" the names of network devices into IP addresses (and the reverse operation). The appliance sends requests to DNS servers in the order that they are listed here. DNS server addresses Table 2-8 definitions DNS Servers Server Address New Server/ Delete Selected Servers Only send queries to these servers Displays the IP addresses of the DNS servers. The first server in the list must be your fastest or most reliable server. If the first server cannot resolve the request, the appliance contacts the second server. If no servers in the list can resolve the request, the appliance forwards the request to the DNS root name servers on the Internet. If your firewall prevents DNS lookup (typically on port 53), specify the IP address of a local device that provides name resolution Adds a new server to the list, or removes one when, for example, when you need to decommission a server due to network changes. Selected by default. McAfee recommends that you leave this option selected because it might speed up DNS queries as the appliance sends the queries to the specified DNS servers only. If they don't know the address, they go to the root DNS servers on the Internet. When they get a reply, the appliance receives it and caches the response so that other servers that query that DNS server can get an answer more quickly. If you deselect this option, the appliance first tries to resolve the requests, or might query DNS servers outside your network. McAfee Gateway 7.0 Appliances Installation Guide 43

44 2 Using the Configuration Console Draft only Routing settings Table 2-9 definitions Routing Network Address Type the network address of the route. Mask Specifies how many hosts are on your network, for example, Gateway Metric New Route / Delete Selected Routes Enable dynamic routing Specifies the IP address of the router used as the next hop out of the network. The address (IPv4), or :: (IPv6) means that the router has no default gateway. Specifies the preference given to the route. A low number indicates a high preference for that route. Add a new route to the table, ore remove routes. Use the arrows to move routes up and down the list. The routes are chosen based on their metric value. Use this option in transparent router mode only. When enabled, the appliance can: receive broadcast routing information received over RIP (default) that it applies its routing table so you don't have to duplicate routing information on the appliance that is already present in the network. broadcast routing information if static routes have been configured through the user interface over RIP. Time Settings page Use this page to set the time and date, and any details for the use of the Network Time Protocol (NTP). Appliance Time Zone Appliance Time (UTC) Set Now Client Time Synchronize appliance with client Specifies the time zone of the appliance. You might need to set this twice each year if your region observes daylight saving time. Specifies the date and UTC time for the appliance. To select the date, click the calendar icon. You can determine the UTC time from websites such as When clicked, applies the date and UTC time that you specified in this row. Displays the time according to the client computer from which your browser is currently connected to the appliance. When selected, the time in the Appliance Time (UTC) immediately takes its value from Client Time. You can use this checkbox as an alternative to manual setting of Appliance Time (UTC). The appliance calculates the UTC time based on the time zone that it finds on the client's browser. Ensure that the client computer is aware of any daylight savings adjustments. To find the setting on Microsoft Windows, right-click the time display in the bottom right corner of the screen. Enable NTP Enable NTP client broadcasts When selected, accepts NTP messages from a specified server or a network broadcast. NTP synchronizes timekeeping among devices in a network. Some Internet Service Providers (ISPs) provide a timekeeping service. Because NTP messages are not sent often, they do not noticeably affect the appliance's performance. When selected, accepts NTP messages from network broadcasts only. This method is useful on a busy network but must trust other devices in the network. When deselected, accepts NTP messages only from servers specified in the list. 44 McAfee Gateway 7.0 Appliances Installation Guide

45 Using the Configuration Console 2 NTP Server New Server Displays the network address or a domain name of one or more NTP servers that the appliance uses. For example, time.nist.gov. If you specify several servers, the appliance examines each NTP message in turn to determine the correct time. Type the IP address of a new NTP Server. Password page Use this page to specify a password for the appliance. For a strong password, include letters and numbers. You can type up to 15 characters. User ID Password This is admin. You can add more users later. Specifies the new password. Change the password as soon as possible to keep your appliance secure. You must enter the new password twice to confirm it. The original default password is password. Summary epo Managed Setup Use this page when using the epo Managed Setup Wizard, to review a summary of the settings that you have made for the network connections and scanning of the network traffic, clustering status, and the scanning settings that epolicy Orchestrator will manage for the appliance. To change any value, click its blue link to display the page where you originally typed the value. After you click Finish, the setup wizard has completed. Use the IP address shown here to access the interface. For example Note that the address begins with https, not http. When you first log onto the interface, type the user name, admin and the password that you gave to this setup wizard. The appliance is now managed by epolicy Orchestrator. Log onto the epo server to manage your appliance. Table 2-10 definitions The value is set according to best practice. The value is probably not correct. Although the value is valid, it is not set according to best practice. Check the value before continuing. No value has been set. The value has not been changed from the default. Check the value before continuing. Encryption Only Setup Use this information to understand the purpose of the Encryption Only setup options. For small-to-medium sized organizations, it is often sufficient to use the same McAfee Gateway to carry out your scanning tasks and also your encryption tasks. McAfee Gateway 7.0 Appliances Installation Guide 45

46 2 Using the Configuration Console Draft only However, if you are part of a larger organization, or you work in an industry that requires that all, or a high percentage, of your messages must be delivered in a secure way, then you may want to configure one or more of your McAfee Gateway appliances as stand-alone Encryption-only servers. In this situation, the Encryption Only Setup options within the Setup Wizard provide you with the relevant settings needed for Encryption only use. For the Encryption Only Setup, the wizard includes these pages: Configuration page (Encryption Only Setup) Define how the appliance will relay and configure the hosts that the appliance will use to route . Domains for which the appliance will accept or refuse After you complete the Setup Wizard, you can manage the domains from Configuration Receiving . Table 2-11 definitions Domain Name / Network Address / MX Record Type Category Add Domain Displays the domain names, wildcard domain names, network addresses, and MX lookups from which the appliance will accept or refuse . Domain name for example, example.dom. The appliance uses this to compare the recipient's address and compare the connection against an A record lookup. Network Address for example, /32 or /24. The appliance uses this to compare the recipient's IP literal address such as user@[ ], or the connection. MX Record Lookup for example, example.dom. The appliance uses this to compare the connection against an MX record lookup. Wildcard domain name for example, *.example.dom. The appliance only uses this information to compare the recipients address. Local domain Permitted domain Denied domain Click to specify the domains that can relay messages through the appliance to the recipient. Choose from: Local domain These are the domains or networks for which is accepted for delivery. For convenience, you can import a list of your local domain names using the Import Lists and Export Lists options. McAfee recommends that you add all domains or networks that are allowed to relay messages as local domains. Permitted domain is accepted. Use permitted domains to manage exceptions. Denied domain is refused. Use denied domains to manage exceptions. Hold your mouse cursor over the field to see the recommended format. You must set up at least one local domain. 46 McAfee Gateway 7.0 Appliances Installation Guide

47 Using the Configuration Console 2 Table 2-11 definitions (continued) Add MX Lookup Delete Selected Items Click to specify a domain that the appliance will use to identify all mail server IP addresses from which it will deliver messages. Remove the selected item from the table. You must apply the changes before the item is completely removed from the appliance configuration. Domain Routing After you complete the Setup Wizard, you can manage the domains from Configuration Sending . Table 2-12 definitions Domain Type Relay List/MX Record Add Relay List Displays a list of domains. Domain name for example, example.dom. The appliance uses this to compare the recipient's address and compare the connection against an A record lookup. Network Address for example, /32 or /24. The appliance uses this to compare the recipient's IP literal address such as user@[ ], or the connection. MX Record Lookup for example, example.dom. The appliance uses this to compare the connection against an MX record lookup. Wildcard domain name for example, *.example.dom. The appliance only uses this information to compare the recipients address. Click to populate the Known domains and relay hosts table with a list of host names, or IP addresses for delivery. Delivery will be attempted in the order specified unless you select the Round-robin the above hosts option which will distribute the load between the specified hosts. Host names/ip addresses may include a port number. Add MX Lookup Click to populate the Known domains and relay hosts table with an MX record lookup to determine the IP addresses for delivery. Delivery will be attempted to host names returned by the MX lookup in the order of priority given by the DNS server. Delete Selected Items Enable DNS lookup for domains not listed above. Remove the selected item from the table. You must apply the changes before the item is completely removed from the appliance configuration. If selected, the appliance uses DNS to route for other, unspecified domains. DNS delivery attempts an MX-record lookup. If there are no MX records, it does an A-record lookup. If you deselect this checkbox, the appliance delivers only to the domains that are specified under Known domains and relay hosts. McAfee Gateway 7.0 Appliances Installation Guide 47

48 2 Using the Configuration Console Draft only Basic Settings page (Encryption Only Setup) Use this page when selecting the Encryption Only Setup Wizard, to specify basic settings for the appliance. The appliance tries to provide some information for you, and shows the information highlighted in amber. To change the information, click and retype. Cluster mode Device name Domain name Default Gateway Next Hop Router Network Interface Select management port Defines the options that appear on the Cluster Management page of the Setup Wizard. Off This is a standard appliance. Cluster Scanner The appliance receives its scanning workload from a master appliance. Cluster Master The appliance controls the scanning workload for several other appliances. Cluster Failover If the master fails, this appliance controls the scanning workload instead. Specifies a name, such as appliance1. Specifies a name, such as domain1.com. Specifies an IPv4 address, such as You can test later that the appliance can communicate with this server. Specifies an IPv6 address, such as FD4A:A1B2:C3D4::1. Becomes available when you set the Next Hop Router for IPv6. Specifies the port that manages the gateway. By default, McAfee Gateway uses port Network Settings page (Encryption Only Setup) Use these options to view and configure the IP address and network speeds for McAfee Gateway as an encryption only appliance. You can use IPv4 and IPv6 addresses, separately or in combination. To prevent duplication of IP addresses on your network and to deter hackers, give the appliance new IP addresses, and disable the default IP addresses. The IP addresses must be unique and suitable for your network. Specify as many IP addresses as you need. Table 2-13 definitions <mode> Network Interface 1 Network Interface 2 Change Network Settings View Network Interface Layout The operating mode that you set during installation or in the Setup Wizard. Expands to show the IP address and netmask associated with Network Interface 1, the auto-negotiation state, and the size of the MTU. Expands to show the IP address and netmask associated with Network Interface 2, the auto-negotiation state, and the size of the MTU. Click to open the Network Interface Wizard to specify the IP address and adapter settings for NIC 1 and NIC 2, and change the chosen operating mode. Click to see the <?> associated with LAN1, LAN2, and the out of band interface. Cluster Management page (Encryption Only Setup) Use cluster management to specify load balancing requirements. Depending on the cluster mode you selected on the Basic Settings page, the options that appear on the Cluster Management page change. 48 McAfee Gateway 7.0 Appliances Installation Guide

49 Using the Configuration Console 2 Cluster Management Configuration (Standard appliance) Do not use. Cluster management is disabled. Cluster Management (Cluster Scanner) Table 2-14 definitions Cluster identifier If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is Cluster Management (Cluster Master) In explicit proxy mode or transparent router mode, you can enable failover between two appliances in a cluster by assigning a virtual IP address to this appliance and configuring another appliance as a Cluster Failover appliance using the same virtual address. In transparent bridge mode, this is achieved by setting a high STP priority for this appliance and configuring another appliance as a Cluster Failover appliance with a lower STP priority. Table 2-15 definitions Address to use for load balancing Cluster identifier Enable scanning on this appliance (Not applicable on Content Security Blade Servers) Specifies the appliance address If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is If not selected, this appliance distributes all scanning workload to the scanning appliances. For a cluster of appliances, if you have only a master and a failover appliance, with both configured to scan traffic, the master will send most connections to the failover appliance for scanning. Cluster Management (Cluster Failover) Table 2-16 definitions Address to use for load balancing Cluster identifier Enable scanning on this appliance (Not applicable on Content Security Blade Servers) Specifies the appliance address. Provides a list of all subnets assigned to the appliance. Provides a list of all subnets assigned to the appliance. If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is If not selected, this appliance distributes all scanning workload to the scanning appliances. For a cluster of appliances, if you have only a master and a failover appliance, with both configured to scan traffic, the master will send most connections to the failover appliance for scanning. McAfee Gateway 7.0 Appliances Installation Guide 49

50 2 Using the Configuration Console Draft only DNS and Routing page (Encryption Only Setup) Use this page to configure the appliance's use of DNS and routes. Domain Name System (DNS) servers translate or "map" the names of network devices into IP addresses (and the reverse operation). The appliance sends requests to DNS servers in the order that they are listed here. DNS server addresses Table 2-17 definitions Server Address New Server / Delete Selected Servers Only send queries to these servers Displays the IP addresses of the DNS servers. The first server in the list must be your fastest or most reliable server. If the first server cannot resolve the request, the appliance contacts the second server. If no servers in the list can resolve the request, the appliance forwards the request to the DNS root name servers on the Internet. If your firewall prevents DNS lookup (typically on port 53), specify the IP address of a local device that provides name resolution Adds a new server to the list, or removes one when, for example, when you need to decommission a server due to network changes. Selected by default. McAfee recommends that you leave this option selected because it might speed up DNS queries as the appliance sends the queries to the specified DNS servers only. If they don't know the address, they go to the root DNS servers on the Internet. When they get a reply, the appliance receives it and caches the response so that other servers that query that DNS server can get an answer more quickly. If you deselect this option, the appliance first tries to resolve the requests, or might query DNS servers outside your network. Routing settings Table 2-18 definitions Network Address Type the network address of the route. Mask Specifies how many hosts are on your network, for example, Gateway Metric New Route / Delete Selected Routes Enable dynamic routing Specifies the IP address of the router used as the next hop out of the network. The address (IPv4), or :: (IPv6) means that the router has no default gateway. Specifies the preference given to the route. A low number indicates a high preference for that route. Add a new route to the table, or remove routes. Use the arrows to move routes up and down the list. The routes are chosen based on their metric value. Use this option in transparent router mode only. When enabled, the appliance can: receive broadcast routing information received over RIP (default) that it applies its routing table so you don't have to duplicate routing information on the appliance that is already present in the network. broadcast routing information if static routes have been configured through the user interface over RIP. 50 McAfee Gateway 7.0 Appliances Installation Guide

51 Using the Configuration Console 2 Time Settings page Use this page to set the time and date, and any details for the use of the Network Time Protocol (NTP). Appliance Time Zone Appliance Time (UTC) Set Now Client Time Synchronize appliance with client Specifies the time zone of the appliance. You might need to set this twice each year if your region observes daylight saving time. Specifies the date and UTC time for the appliance. To select the date, click the calendar icon. You can determine the UTC time from websites such as When clicked, applies the date and UTC time that you specified in this row. Displays the time according to the client computer from which your browser is currently connected to the appliance. When selected, the time in the Appliance Time (UTC) immediately takes its value from Client Time. You can use this checkbox as an alternative to manual setting of Appliance Time (UTC). The appliance calculates the UTC time based on the time zone that it finds on the client's browser. Ensure that the client computer is aware of any daylight savings adjustments. To find the setting on Microsoft Windows, right-click the time display in the bottom right corner of the screen. Enable NTP Enable NTP client broadcasts NTP Server New Server When selected, accepts NTP messages from a specified server or a network broadcast. NTP synchronizes timekeeping among devices in a network. Some Internet Service Providers (ISPs) provide a timekeeping service. Because NTP messages are not sent often, they do not noticeably affect the appliance's performance. When selected, accepts NTP messages from network broadcasts only. This method is useful on a busy network but must trust other devices in the network. When deselected, accepts NTP messages only from servers specified in the list. Displays the network address or a domain name of one or more NTP servers that the appliance uses. For example, time.nist.gov. If you specify several servers, the appliance examines each NTP message in turn to determine the correct time. Type the IP address of a new NTP Server. Password page (Encryption Only Setup) Specify a password for the appliance. For a strong password, include letters and numbers. You can type up to 15 characters. Table 2-19 definitions User ID Current Password New Password / Confirm New Password This is admin. You can add more users later. The existing password. The original default password is password. Change the password as soon as possible to keep your appliance secure. Specifies the new password. You must enter the new password twice to confirm it. McAfee Gateway 7.0 Appliances Installation Guide 51

52 2 Using the Configuration Console Draft only Summary page (Encryption Only Setup) Review a summary of the settings that you have made for the network connections and scanning of the traffic. To change any value, click its blue link to display the page where you originally typed the value. After you click Finish, the Setup Wizard has completed. Use the IP address shown on this page to access the interface. For example : The address begins with https, not http. When you first log on to the interface, type the user name, admin and the password that you gave on the Password page. Table 2-20 definitions The value is set according to best practice. The value is probably not correct. Although the value is valid, it is not set according to best practice. Check the value before continuing. No value has been set. The value has not been changed from the default. Check the value before continuing. 52 McAfee Gateway 7.0 Appliances Installation Guide

53 3 A tour of the Dashboard This section describes the Dashboard page, and how to edit its preferences. Dashboard The Dashboard provides a summary of the activity of the appliance. Dashboard Use this page to access most of the pages that control the appliance. On a cluster master appliance, use this page also to see a summary of activity on the cluster of appliances. Benefits of using the Dashboard This topic discusses the benefits of using the Dashboard within the user interface of your Gateway. The Dashboard provides a single location for you to view summaries of the activities of the appliance through a series of portlets. Some portlets display graphs that show appliance activity over the following periods of time: McAfee Gateway 7.0 Appliances Installation Guide 53