SonicWALL Security Appliance Administrator Guide

Version 7.3
SonicWALL, Inc
Logic Drive
San Jose, CA
Phone: Fax:
Part Number: Rev B

CHAPTER 1 About this Guide

Preface

SonicWALL's threat protection solution is a dynamic, self-learning, and self-running system, providing IT departments with the protection they need for inbound and outbound email. SonicWALL Security offers redundancy, comprehensive reporting and central administration across multiple data centers. The solution scales for organizations with 10 employees to enterprises with 100,000 or more employees.

This guide describes how to configure SonicWALL Security and the SonicWALL Security appliances. Information that is specifically about SonicWALL Security appliances is indicated by a footnote at the bottom of the page.

Documentation Conventions

Font          Meaning
Bold          Terms you see in a SonicWALL Security window
Italic        Variable names
Courier       Text on a command line
Bold Courier  Text that you type in a command line

Documentation Overview

SonicWALL Security provides Administrator's Guides, Getting Started Guides, and User's Guides to help in the installation, administration, and use of its products to protect users from phishing, spam, viruses, and to manage the security policies you define for your organization.

Finding Online Help

Click the What is this? button for in-depth online help on a specific area of the SonicWALL Security interface. Click the Help button on any UI web page for information on how to use the UI features on that page.

CHAPTER 2 Planning SonicWALL Security Deployment

Determine the appropriate architecture for SonicWALL Security before you deploy it in your network. This section discusses the different modules available in SonicWALL Security and network topology planning.

Note: For installation and set up instructions for your SonicWALL Security appliance, refer to the SonicWALL Security Series Getting Started Guide document.

SonicWALL Security and Mail Threats

SonicWALL Security determines that an email fits only one of the following threats: Spam, Likely Spam, Phishing, Likely Phishing, Virus, Likely Virus, Policy Violation, or Directory Harvest Attack (DHA). It uses the following precedence order when evaluating threats in messages:

- Virus
- Likely Virus
- Policy Trigger
- Phishing
- Likely Phishing
- Spam
- Likely Spam

For example, if a message is both a virus and a spam, the message will be categorized as a virus since virus is higher in precedence than spam. If SonicWALL Security determines that the message is not any of the above threats, it is deemed to be good and is delivered to the destination server.

Licensing SonicWALL Security Modules

SonicWALL Security provides multiple modules to protect an organization's gateway. When you activate SonicWALL Security, the following modules are licensed:

- Security Base Key (Server Configuration, Policy & Compliance, User & Group Management, Junk Box, and Reports & Monitoring)
- Protection Subscription and Dynamic Support (Anti-Spam Anti-Phishing)

In addition, you can optionally license one or more of the following modules for an additional cost:

- Compliance Subscription (compliance functionality under Policy and Compliance)
- SonicWALL Anti-Virus (McAfee and SonicWALL Time Zero) Subscription
- SonicWALL Anti-Virus (Kaspersky and SonicWALL Time Zero) Subscription

SonicWALL recommends that you deploy SonicWALL Security with one or both of the antivirus modules to provide the best protection and management capabilities for your organization's inbound and outbound traffic.

Defining SonicWALL Security Deployment Architecture

SonicWALL Security can be configured in two ways:

All in One: In this configuration, all machines running SonicWALL Security analyze email, quarantine junk mail, and allow for management of administrator and user settings.

A typical All in One configuration:

In an All in One configuration, you can also deploy multiple SonicWALL Security servers in a cluster setup wherein all of the gateways share the same configuration and data files. To set up such a cluster, begin by creating a shared directory, on either one of the SonicWALL Security servers or on another dedicated server (preferred) running the same operating system. This shared directory will be used to store data including user settings, quarantine email, etc., from all the SonicWALL Security servers in the cluster.

Split: In a Split network configuration, there are two kinds of servers: Control Centers and Remote Analyzers. In this configuration there is typically one Control Center and multiple Remote Analyzers, but the Control Center can be set up in a cluster as well. The Split configuration is designed for organizations with remote physical data centers. The Split configuration allows you to manage SonicWALL Security so that messages are filtered in multiple remote locations through multiple Remote Analyzers. The entire setup is centrally managed from a single location through the Control Center.

Control Center clusters are not supported by the SonicWALL Security appliance.

The Control Center, in addition to managing all data files, controls, monitors and communicates with all Remote Analyzers. The data files consist of statistical data such as how much email has been received, network usage, remote hardware space used, and hourly spam statistics. The Control Center stores or quarantines junk email it receives from the Remote Analyzers. It also queries LDAP servers to ensure valid users are logging in to SonicWALL Security. End users can log in to a Control Center to manage their junk mail.

Remote Analyzers analyze incoming email to determine whether it is good or junk. They send junk email to the Control Center, where it is quarantined, and route good mail to its destination server. Only administrators can log in to a Remote Analyzer.

Note: The Replicator is the SonicWALL Security component that automatically sends data updates from the Control Center to the Remote Analyzer, ensuring that these components are always synchronized. Replicator logs are stored in the Control Center's logs directory. You can review replication activity from these logs for troubleshooting purposes.

Inbound and Outbound Flow

SonicWALL Security can process both inbound and outbound email on the same machine. In an All in One configuration, each SonicWALL Security instance can support both inbound and outbound email. In a Split configuration, each Remote Analyzer can support both inbound and outbound email.

For inbound flow, DNS configuration and firewall rules need to be set to direct traffic to SonicWALL Security. For outbound flow, the downstream server must be configured to send all email to SonicWALL Security (Smart Host Configuration).

Proxy versus MTA

SonicWALL Security can run either as an SMTP proxy or an MTA (Mail Transfer Agent).

The SMTP proxy operates by connecting to a destination SMTP server before accepting messages from a sending SMTP server. Note that SMTP proxies can only send email to one server. Some benefits of the SMTP proxy are:

- All processing occurs in memory, significantly reducing the latency and providing higher throughput.
- There is no queue and SonicWALL Security does not lose any messages. SonicWALL Security automatically respects your existing fail over strategies if your mail infrastructure experiences a failure.

The MTA service operates by writing messages to disk and allows for routing of a message. Some benefits of the MTA are:

- Can route messages to different domains based on MX records or LDAP mapping.
- Can queue messages by temporarily storing messages on disk and retrying delivery later in case the receiving server is not ready.
- Allows SonicWALL Security to be the last touch mail gateway for outbound traffic.

Should You Choose an All in One or a Split Architecture?

SonicWALL recommends the All in One configuration whenever possible because of its simplicity. Choose a Split configuration to support multiple physical data centers and if you want to centrally manage this deployment from a single location.

SonicWALL strongly recommends that after you deploy the chosen architecture, you do not change the setup from a Control Center to a Remote Analyzer or vice versa, as there are no obvious advantages, and some data might be lost. Thus, it is important to make the deployment architecture decision before installing SonicWALL Security.

Typical SonicWALL Security Deployments

SonicWALL Security as the First-Touch / Last-Touch Server

In a deployment with first-touch and last-touch in the DMZ, change your MX records to point to the SonicWALL Security setup. Also, all the inbound and outbound connections (typically port 25) for SonicWALL Security must be properly configured in your firewalls.

In this configuration, SonicWALL Security can be configured on the inbound path to be either an SMTP Proxy or an MTA. On the outbound path, it must be configured to be an MTA. This setup also can be extended to a cluster with multiple SonicWALL Security servers all using a shared drive for data location. For more information on routing using Smart Host, refer to Adding an Inbound Mail Server for All in One Architecture on page 19.

To configure SonicWALL Security in this configuration, you also need to:

1. Configure the SonicWALL Security server with a static IP address on your DMZ.
2. In your firewall, add an inbound NAT rule that maps the SonicWALL Security server's private IP address to an Internet addressable IP address for TCP port 25 (SMTP).
3. In the public DNS server on the Internet, create an A record, mapping a name such as smtp.my_domain.com, to the Internet addressable IP address you assigned in the previous step.
4. Update your domain's MX record to point to the new A record. You need to deploy SonicWALL Security for each MX record.

SonicWALL Security Not as a First-Touch / Last Touch Server

A network topology where SonicWALL Security is not the first-touch and last-touch SMTP server is not recommended, because security mechanisms such as SPF and Connection Management cannot be used. In this configuration SonicWALL Security can be configured to be either an MTA or a proxy.
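Why SPF cannot be used when the gateway is not first-touch, as an added example that is not part of the SonicWALL guide: SPF is evaluated against the IP address of the SMTP client that connects to the gateway, so behind another relay every message appears to come from that relay. The SPF record and all addresses are constructed, and the evaluator handles only the ip4, ip6 and all mechanisms.

```python
import ipaddress

# Constructed SPF policy of a hypothetical sending domain (documentation ranges).
SPF_RECORD = "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.25 -all"
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record against the
    address of the connecting SMTP client and return the SPF result."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return RESULTS[qualifier]
        # Mechanisms that need DNS (a, mx, include, ...) are not handled here.
    return "neutral"


def result_at_gateway(record, hops):
    """hops lists the SMTP clients a message passed through, in order.
    The gateway only sees the last one: the host that connects to it."""
    return evaluate_spf(record, hops[-1])


UPSTREAM_RELAY = "10.0.0.5"    # hypothetical server sitting in front of the gateway
LEGITIMATE = "198.51.100.7"    # inside the published ip4 range
FORGED = "192.0.2.66"          # not authorised by the record


def compare_topologies():
    """SPF results for the same two senders in both deployment topologies."""
    return {
        "first_touch": {
            "legitimate": result_at_gateway(SPF_RECORD, [LEGITIMATE]),
            "forged": result_at_gateway(SPF_RECORD, [FORGED]),
        },
        "behind_relay": {
            "legitimate": result_at_gateway(SPF_RECORD, [LEGITIMATE, UPSTREAM_RELAY]),
            "forged": result_at_gateway(SPF_RECORD, [FORGED, UPSTREAM_RELAY]),
        },
    }


if __name__ == "__main__":
    for topology, results in compare_topologies().items():
        print(topology, results)
```

Behind the relay the legitimate and the forged sender get the same result, so the check no longer separates them.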

CHAPTER 3 Getting Started

Introduction

This chapter describes configuring SonicWALL Security to match your environment and user needs.

Initial Configuration

Notes:

- Configure your web browser's pop-up blockers to allow pop-ups from your organization's SonicWALL Security server before using SonicWALL Security, because many of the windows are pop-up windows.
- For security purposes, SonicWALL Security terminates your session if there is no activity for 10 minutes. You must log in again if this occurs.

SonicWALL Security Master Account

Each SonicWALL Security setup has a Master Account, which is a master administrative account. You use this account to initially configure the server, configure for LDAP synchronization and assign administrative privileges to other accounts. The Master Account's user name is admin and the password is password.

Logging In

Log in to your SonicWALL Security as a user with administrator privileges.

Example: To log in with the Master Account, type

User Name: admin
Password: password

The first time you log in to the SonicWALL Security system, you go to the license settings screen where you can:

- Change Account password
- Confirm license keys in the License Management section
- Perform Quick Configuration of the system

Change Master Account Password

After you log in using the Master Account, you can change the password. SonicWALL strongly recommends that you change the Master Account password.

To change the password:

1. Type admin for the username.
2. Type a new password in the Password text box.
3. Type the same password in the Confirm password text box.
4. Click Apply Changes.

Quick Configuration

If you plan to install SonicWALL Security in an All in One Configuration for inbound and outbound message processing with only one downstream server, no SSL, and routine LDAP options, click the Quick Configuration link from the License Management window. Quick Configuration allows you to set up SonicWALL Security in a default configuration.

Quick Configuration also allows you to choose whether to quarantine junk messages in the Junk Box or to pass messages through to users. However, Quick Configuration requires that you configure all modules similarly; that is, if you store spam messages in the Junk Box, you must also store messages with viruses in the Junk Box.

Note: If you have previously configured your SonicWALL Security with more complex settings than are supported by Quick Configuration, an alert will appear. If this alert window or a similar alert window appears, you must configure all of the modules either to pass email through without filtering or to store it in the Junk Box.

To configure SonicWALL Security using the Quick Configuration window, select the radio buttons and enter values for the following configuration variables:

1. Network Architecture
   1. Enter the Inbound Destination server name or IP address and port number.
   2. Select the Inbound SMTP setup:
      - Allow SMTP recipient addresses to all domains
      - Only allow SMTP recipients addresses to these domains and enter the domains
   3. Click Test Mail Servers to determine that the downstream mail server is able to process the flow of email from the SonicWALL Security server.
   4. Select the Outbound Path setup checkbox if the specified Inbound Destination Server will be the only server passing outbound messages to SonicWALL Security.
2. LDAP Configuration
   1. Add your LDAP Server name or IP address. This is the hostname or IP address of the LDAP server. Frequently, this is the name of your Exchange server or your email server.
   2. Select the LDAP Server type from the drop-down list.
   3. Enter your Login name in the format indicated by the type of LDAP server.
      - Active Directory - The login name is commonly of the form domain\username; for example: sales\john
      - Exchange - The login name is commonly of the form CN=username, for example: CN=john

      Note: To use NTLM authentication, add the LDAP domains on the LDAP configuration page.
      - Lotus Notes/Domino - The login name is commonly of the form username, for example: john
      - SunOne/iPlanet - The login name can either be the exact string "CN=Directory Manager" or a user's X.400-style login. Consider both examples below:
        CN=Directory Manager
        UID=john,OU=people,O=xyz.com,O=internet
      - For Other LDAP Servers, see the documentation that shipped with that product.
   4. Enter your password.
   5. Click the Test LDAP Login button to ensure that you can log in to your LDAP server.
   6. Click the Test LDAP Query button to ensure that you can query your LDAP server.
   7. Enter the Windows NT/NetBIOS domain name if you have an Active Directory or an Exchange 5.5 server.
3. Message Management
   1. Select the action SonicWALL Security should take for messages identified as junk:
      - Click Quarantine junk to cause SonicWALL Security to store all messages in the Junk Box.
      - Click Deliver all messages to users to allow all messages to pass through to users without filtering for threats.
4. Junk Box Summary
   1. Check the Send summaries daily check box to send users daily summaries of their quarantined email, if you selected Quarantine junk under Message Management.
   2. Check the Users can preview their own quarantined junk mail check box to allow users to preview their junked messages.
   3. Enter the URL for the user view. This text box is filled in automatically based on your server configuration and is included in the Junk Box Summary email.
   4. Click Test this Link to ensure that you have configured a link for users to connect to SonicWALL Security.
5. Updates
   1. Click the Test Connectivity to SonicWALL button to ensure that you can connect to the SonicWALL Security data center.

Click Apply Changes to save your Quick Configuration settings. Your server is now ready to process messages and stop threats.

Understanding the SonicWALL Security User Interface

The upper right corner displays the role of the user logged in: Admin, Manager, Help Desk, Group Admin or User. See SonicWALL Security Roles on page 3 for more information about roles. The current login name is displayed next to the role.

Use the left navigation pane to select the different modules, such as spam management or server configuration. Each button brings up a unique menu on the left side.

Click the links on the lower margin of the window for the following information:

- Contact us: Click this link for a Contact Technical Support form and other support information.
- About: Click this link to display a window that contains information about SonicWALL Security.

- Sign in as any user: Click this link if you are signed in as the administrator and would like to log in as a user.
- System host name: SonicWALL Security can run on more than one server. The lower right corner of your window displays the host name for the server to which you are currently logged in.
- Language: Click this drop-down box to change SonicWALL Security's user interface to any of the languages shown in the Preferred Language section. By default, SonicWALL Security automatically senses the language that you have configured in your Web browser.

Automatically Download Updates for SonicWALL Security

To provide the best protection against the latest threats, SonicWALL periodically releases updates to its software. SonicWALL recommends that you keep your software version up-to-date to ensure that you get the best protection available.

Updates

Configuring Spam, Phishing, and Virus Updates

To configure automatic software downloads for SonicWALL Security servers that run All in One configuration on Windows:

1. Click System > Updates. SonicWALL Security displays the Updates window.
2. Select the time interval from the Check for Spam, Fraud, and Virus Blocking Updates drop-down list to configure how often to receive junk-blocking updates.
3. Check the Submit unjunk thumbprints check box to send unjunked thumbprints to SonicWALL Security's Research Laboratory.
   Note: When users unjunk a message, a thumbprint of that message can be sent to SonicWALL Security. These unjunked messages are used to improve the collaborative settings for all users, which tracks new trends in spam and other junk email, and helps prevent unwanted email. The thumbprints sent optionally from SonicWALL Security contain absolutely no readable information.
4. Check the Submit generic spam blocking data check box to send spam-blocking data to SonicWALL Security's Research Laboratory.
   Generic spam blocking data is sent to SonicWALL Security to assist in customer support and to help improve spam blocking. No messages, content, header information or any other uniquely identifiable information is ever sent. Sample information that is sent includes the following data:
   - Volume of messages processed and junked
   - Success of various junking methods
   - Number of users protected

When a new SonicWALL Security software update becomes available, the SonicWALL Security appliance automatically downloads the update and alerts the administrator via email that it is available. Upon logging in to the SonicWALL Security administrative interface, a pop-up screen displays, prompting the administrator to either click to update now or wait to update later.

Note: The administrator should choose the appropriate time to complete the update while considering the delay in traffic flow. The installation will take less than ten minutes.

Once the Update Now button is selected, the update file is extracted. When the process is complete, the SonicWALL Security appliance will automatically reboot.

Note: SonicWALL recommends that you download and install major updates as soon as possible.

Windows OS

For Windows based installations, when a minor software update is available, SonicWALL Security automatically downloads the newer version and alerts the administrator that a newer version is available and can be installed.

If you want to use the Update Now button to upgrade the software and you are administering the system from a remote machine, you must install Java Runtime Environment (JRE) 1.4.2_05 or later from on the remote machine first.

If you are running SonicWALL Security with a load balancer, you must log in directly to the server on which SonicWALL Security runs to update the software.

Using SafeMode

SafeMode is a fall back option when a normal upgrade fails to patch and the administrator wants to restore the appliance using a different image.

Warning: This is not a function that administrators should choose unless a patch installation from the UI has failed.

To restore the appliance using SafeMode, perform the following steps:

1. Reboot the appliance to view the GRUB loader options. Either connect a console and keyboard to the appliance or use the serial port and redirect the output to another system. The GRUB menu allows the administrator to choose which firmware image to boot. Available options are the following:
   - "Security SonicWALL MFL" - the default option, which boots into the current Security firmware
   - "SonicWALL MFL [Verbose Startup Mode]" - this option boots the same firmware as above, but outputs debugging information on startup
   - "SonicWALL Authentication Reset" - this option allows administrative credentials to be reset to default values
   - "SonicWALL Safe Mode" - boots into a special firmware image, which allows a firmware update to be performed in case the normal update procedure resulted in an unbootable firmware
2. Using the arrow keys on your keyboard, select the Safe Mode option to boot into SafeMode and display the command line option to set the IP, subnet mask, and gateway.
3. Access the SafeMode user interface by entering the URL in the browser as for example
4. Use the Browse button to point to the firmware to be imaged.
5. Click the Upload button to upload the file.
6. Click the Reboot button. The system reboots and the information posts back on the web browser.

CHAPTER 4 System

Introduction

In this chapter, you will learn how to configure the system more extensively and learn more about additional system administration capabilities. This chapter contains the following sections:

- Setting Your Network Architecture
- LDAP Configuration
- Default Message Management Settings
- Junk Box Summary
- User View Setup
- Updates
- Monitoring
- Connection Management
- Backup/Restore Settings
- Host Configuration
- Configuring Advanced Settings
- Branding

Setting Your Network Architecture

There are different ways to configure and deploy SonicWALL Security, and the first decision to make is the choice of network architecture. See Planning SonicWALL Security Deployment on page 8 for more information on what network architecture is appropriate for your need. You must decide whether you are setting up a Split or All in One architecture, as that choice impacts other configuration options. You can change the architecture later, but if you do so, you will need to add your mail servers and reset configuration options again.

To configure SonicWALL Security as your desired network architecture, click System > Network Architecture.

Adding an Inbound Mail Server for All in One Architecture

Set this server to All in One configuration by choosing the radio button next to All in One. Click the Add Path button in the Inbound Flow section. The Add Inbound Path window appears.

1. Source IP Contacting Path. In this section you can configure from where you accept email. You can choose to:
   - Accept connections for all senders. Use of this setting can make the product an open relay. SonicWALL Security strongly recommends against an open relay. Open relays can reduce the security of your network and allow malicious users to spoof your domain.
   - Accept connections for all senders sending to the specified domains.
   - Accept connections from the specified senders.
2. Path Listens On. In this section, you can specify which IP addresses and port number the service is listening on for incoming email.
   - Listen for all IP address on this port - This is the typical setting for most environments, as the service listens on the specified port using the machine's default IP address. The usual port number for incoming traffic is 25.
   - Listen only on this IP address and port - If you have multiple IP addresses configured in this machine, you can specify which IP address and port number to listen on.
3. Destination of Path. In this section, you can specify the destination server for incoming traffic in this path.
   - This is a proxy. Pass all email to destination server - This setting configures this path to act as a proxy and relay messages to a downstream server. If the downstream server is unavailable, incoming messages will not be accepted.
   - This is an MTA. Route using SmartHost to destination server - This setting is the same as the above Proxy option, except that incoming messages will be accepted and queued if the downstream server is unavailable. In this instance, this path acts as an SMTP smarthost. However, you can configure the following domain exceptions:
     - These domains should use MX record routing - Instead of being routed to the destination server specified above, messages sent to the domains listed in this box are routed using MX record routing.
       For example, the default downstream server is an Exchange server at IP address . All mail is routed directly to that Exchange server with two exceptions: email addressed to mailfrontier.com or mailfrontier.net is routed using MX records.
     - These domains should use the associated IP address or hostname - Instead of being routed to the destination server specified above, email sent to the domains listed in this box is routed to the associated IP address or hostname. For example, the default downstream server is an Exchange server at IP address . All mail is routed directly to that Exchange server with two exceptions: email addressed to engr.sonicwall.com is routed directly to IP address , and email addressed to sales.sonicwall.com is routed directly to IP address .
   - This is an MTA. Route using SmartHost with load balancing to the following multiple destination servers - When a path is configured with this choice, messages received will be routed to multiple downstream servers as follows. If Round robin is specified, email will be load-balanced by sending a portion of the flow through each of the servers specified in the text box in round-robin order. All of the servers will process email all the time. If Fail over is specified, the first server listed will handle all email processing under normal operation. If the first server cannot be reached, email will be routed through the second server. If the second server cannot be reached, email will be routed through the third server, and so on.
   - MTA with MX record routing - This setting configures this path to route messages by standard MX (Mail Exchange) records. To use this option, your DNS server must be configured to specify the MX records of your internal mail servers that need to receive the email.

   - MTA with MX record routing (with exceptions) - This setting configures this path to route messages by standard MX (Mail Exchange) records, except for the specified domains. For the specified domains, route messages directly to the listed IP address.
     Note: You can specify email addresses in addition to domains in this routing table. Also, hostnames can be specified instead of IP addresses. For example, if you want to route customer service emails to one downstream server and the rest of the traffic to a different downstream server, you can specify something like: [email protected] mycompany.com internal_mailserver.mycompany.com
4. Advanced Settings
5. Use this text instead of a host name in the SMTP banner - Use this text to customize the HELO banner. By default, the fully qualified domain name will be used.
6. Set the action you want to take for messages for recipients who are not listed in your LDAP server. Typically, it is a good practice to set this path to adhere to corporate settings.
7. Enable StartTLS on this path - Check this check box if you want a secure internet connection for email. If the check box is checked, SonicWALL Security uses Transport Layer Security (TLS) to provide the secure internet connection. When StartTLS is enabled, email can be sent and received over a secure socket. The source and destination addresses and the entire message contents are all encrypted during transfer.
8. Click Add to add an inbound path for this All in One server.

Adding an Outbound Mail Server for All in One Architecture

1. Click the Add Path button in the Outbound Flow section. The Add Outbound Path window appears.
2. Source IP Contacting Path. In this section, you can specify which servers within your organization can connect to this path to relay outgoing email.
   - Any source IP address is allowed to connect to this path - This setting configures this path to receive outgoing email from any server. Using this option could make your server an open relay.
   - Only these IP addresses can connect and relay - This setting configures this path to accept email only from the specified IP addresses.
   Note: You need to use this setting if you configure your SonicWALL Security installation to listen for both inbound and outbound traffic on the same IP address and port.
3. Path Listens On. In this section, you can specify the IP addresses and port number on which this path listens for connections.
   - Listen for all IP address on this port - This is the typical setting for most environments, as the service listens on the specified port using the machine's default IP address.
   - Listen only on this IP address and port - If you have multiple IP addresses configured in this machine, you can specify which IP address and port number to listen to.
4. Destination of Path. In this section, you can specify the destination server for outgoing traffic in this path.
   - This is a Proxy. Pass all email to destination server - Use this setting if you want this path to act as a proxy and relay messages to an upstream MTA. Enter the host name or IP address of the upstream MTA and the port on which it should be contacted. If the upstream MTA is unavailable, outgoing messages will not be accepted.
   - This is an MTA. Route using SmartHost to - This setting is the same as the Proxy option above, except that outgoing messages will be accepted and queued if the upstream MTA is unavailable.

   - This is an MTA. Route using SmartHost with load balancing to the following multiple destination servers - When a path is configured with this choice, outbound messages will be routed to multiple upstream MTAs as follows. If Round robin is specified, email will be load-balanced by sending a portion of the flow through each of the MTAs specified in the text box in round-robin order. All of the MTAs will process email all the time. If Fail over is specified, the first MTA listed will handle all email processing under normal operation. If the first MTA cannot be reached, email will be routed through the second MTA. If the second MTA cannot be reached, email will be routed through the third MTA, and so on.
   - This is an MTA. Route using MX record routing - Use this setting to configure this path to route outbound messages by standard MX (Mail Exchange) records.
   - This is an MTA. Route using MX record routing with these exceptions - Use this setting to configure this path to route outbound messages by standard MX (Mail Exchange) records except for the specified domains. For the specified domains, route messages directly to the listed IP address.
5. Advanced Settings
   Use this string instead of a host name in the SMTP banner - Use this string to customize the HELO banner. By default, the fully qualified domain name will be used.

Adding a Server for Split Architecture

If you chose Split Architecture, you must define whether the server is the Control Center or Remote Analyzer, and then let each know about the other.

1. Go to System > Network Architecture.
2. Choose Split.
3. Click Control Center to configure the server as a Control Center or click Remote Analyzer to configure the server as a Remote Analyzer.
4. Click Apply.

Adding a Control Center

To add a Control Center:

1. Click Add Server in the Control Center section of the Network Architecture window.
2. Enter the Control Center hostname.
3. If feasible, use the default port number. If not, enter a new Control Center Server Address Port Number.
4. Click Add.

Adding a Remote Analyzer

You must add one or more Remote Analyzers to a Split Configuration. Remote Analyzers can process inbound messages or outbound messages or both.

1. Click the Add Server button in the Inbound Remote Analyzer or Outbound Remote Analyzer section based on your need.
2. Enter the Remote Analyzer's hostname or IP address.
3. Enter the Remote Analyzer Server Address Port number.
4. If your network requires SSL, check the Requires SSL check box.
5. Click the Add button.

Note: If there is a high volume of network traffic, it might take some time before the new Remote Analyzer is displayed in the System > Network Architecture window.

Any changes you make at the Control Center are propagated to the Remote Analyzers you just added. You can monitor their status on the Reports page as well.

Configuring Inbound Flow for a Remote Analyzer

While logged into the Control Center, click the Add Path button next to the Inbound Remote Analyzer. An Add Inbound Path window appears. Follow the instructions in Adding an Inbound Mail Server for All in One Architecture on page 19.

Configuring Outbound Flow for a Remote Analyzer

While logged into the Control Center, click the Add Path button next to the Outbound Remote Analyzer. An Add Outbound Path window appears. Follow the instructions in Adding an Outbound Mail Server for All in One Architecture on page 21. Make sure that the Control Center can connect and relay messages through this path (Step 1 in the Add Outbound Path dialog).

Configuring Remote Analyzers to Communicate with Control Centers

After you have set up the Control Center, configure each Remote Analyzer so that it can communicate with its Control Center.
1. Log in to each server set up as a Remote Analyzer and go to Network Architecture.
2. Click the Add button to identify from which Control Center this Remote Analyzer will accept instructions.
3. An Add Control Center screen appears. Enter the hostname of your Control Center. If your Control Center is a cluster, you must add each individual hostname as a valid Control Center.

Note: If your Control Center is a cluster, add each individual hostname as a valid Control Center by repeating steps 2-3.

All other configuration options for the Remote Analyzer are managed by the Control Center.

Deleting a Remote Analyzer from a Split Configuration

Before deleting a Remote Analyzer, ensure there are no messages in the queue for quarantine.
1. Stop SMTP traffic to the Remote Analyzer by turning off the SonicWALL Security Service. Click Control Panel > Administrative Tools > Services > MlfASG Software > Stop.
2. After a few minutes, view the last entry in the mfe log on the Remote Analyzer log.
3. View the mfe log in the Control Center logs directory to ensure the last entry in the mfe log for the Remote Analyzer is there; this can take a few moments.

Turn off the ability of the associated server to send mail to this Remote Analyzer, and/or point the associated server to another installed and configured Remote Analyzer.

Testing the Mail Servers

Click the Test Mail Servers button. SonicWALL Security displays a window that indicates either a successful test or an unsuccessful test.

Note: It takes 15 seconds for SonicWALL Security to refresh its settings. If the first test fails, try the test again.

Changing from an All in One Configuration to a Split Configuration

There are only two situations that warrant changing your configuration:
   You are a current SonicWALL Security customer running All in One architecture and want to upgrade to a Split Network configuration.
   You are a new customer and have incorrectly configured for All in One architecture and you want to configure for Split Network, or vice versa.

Configure MTA

You can configure the Mail Transfer Agent (MTA) settings by navigating to the System > Network Architecture > MTA Configuration screen. You can specify how the MTA will handle a case in which Email Security is unable to deliver a message right away. Note that most installations will not require any change to the MTA settings.

Delivery

Messages are bounced if the recipient domain returns a permanent failure (5xx error code). In the case of transient failures (4xx error codes, indicating a delay), the MTA will retry delivery of the message periodically, based on the schedule specified in the Retry interval field. Delayed messages that cannot be delivered within the time period specified in the Bounce after field will be bounced; no further attempts will be made to deliver them.

Non-Delivery Reports (NDR)

When an email cannot be sent due to either a transient delay or a permanent failure, the sender may receive a notification email, or a Non-Delivery Report (NDR), describing the failure. Administrators can use this pane to customize the schedule and contents of those notification emails.

Transient Failure Settings

To enable Transient NDR, select the Send NDR for transient failures check box. Specify the interval (days, hours, minutes) at which notifications are sent, the sender name and address (for example, Colin Brown and [email protected] ), a customized subject line for the NDR (for example, Delay in sending your email), and a customized body for the NDR.

Permanent Failure Settings

Choose a name and address from which NDRs will be sent (for example, Colin Brown and [email protected] ), a customized subject line for the NDR (for example, Your email could not be sent), and a customized body for the NDR. Note that Permanent Failure Settings cannot be disabled.
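The retry and bounce rules above, as a small Python model (an added example, not SonicWALL code). The setting names mirror the Retry interval, Bounce after and Send NDR for transient failures fields; the evenly spaced retries, the first attempt at time zero and the sample reply codes are assumptions of the model.

```python
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class MtaSettings:
    retry_interval: timedelta       # "Retry interval" field
    bounce_after: timedelta         # "Bounce after" field
    send_transient_ndr: bool        # "Send NDR for transient failures" check box
    transient_ndr_every: timedelta  # interval between delay notifications


def classify(reply_code: int) -> str:
    """Map an SMTP reply code to the outcome the MTA acts on."""
    if 200 <= reply_code <= 299:
        return "delivered"
    if 400 <= reply_code <= 499:
        return "transient"
    if 500 <= reply_code <= 599:
        return "permanent"
    raise ValueError(f"unexpected SMTP reply code: {reply_code}")


def simulate(settings: MtaSettings, replies: list[int]) -> list[tuple[timedelta, str]]:
    """Replay one queued message against successive replies from the destination.

    Returns (time since queueing, event) pairs in chronological order.
    """
    if settings.retry_interval <= timedelta(0):
        raise ValueError("retry interval must be positive")
    if settings.send_transient_ndr and settings.transient_ndr_every <= timedelta(0):
        raise ValueError("transient NDR interval must be positive")

    events = []
    now = timedelta(0)
    next_notice = settings.transient_ndr_every
    for code in replies:
        outcome = classify(code)
        if outcome == "delivered":
            events.append((now, "delivered"))
            return events
        if outcome == "permanent":
            # Permanent failure: bounce at once, no retry.
            events.append((now, "bounced, permanent NDR sent"))
            return events
        events.append((now, f"deferred ({code})"))
        next_attempt = now + settings.retry_interval
        # Delay notifications that fall due while the message waits in the queue.
        while (settings.send_transient_ndr
               and next_notice <= next_attempt
               and next_notice < settings.bounce_after):
            events.append((next_notice, "transient NDR sent"))
            next_notice += settings.transient_ndr_every
        if next_attempt > settings.bounce_after:
            # The next retry would fall outside the Bounce after window.
            events.append((settings.bounce_after, "bounced, permanent NDR sent"))
            return events
        now = next_attempt
    events.append((now, "still queued"))
    return events


if __name__ == "__main__":
    # Constructed scenario: the destination keeps answering 451 (transient).
    demo = MtaSettings(timedelta(hours=1), timedelta(hours=4), True, timedelta(hours=2))
    for when, event in simulate(demo, [451] * 6):
        print(when, event)
```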

General Settings

All NDRs include a diagnostic report about the problem that prevented delivery, including the headers of the original message. Permanent NDRs may optionally have the contents of the original message attached.

Customized Fields

Certain fields in the subject line, body, and sender of the DSN can be specified by the administrator:
   $subject - the subject of the original email
   $hostname - the hostname from which the NDR is sent
   $originator - the sender of the original email
   $recipient - the intended recipient of the original email
   $timequeued - the time at which the original email was queued
   $date - the current date
   $retryafter - the interval at which delivery of delayed emails is retried
   $bounceafter - the time after which delivery attempts will cease for delayed emails

Example Sender - postmaster@$hostname
Example Subject - Delivery Status Notification (re: $subject)
Example Body - Your email from $originator regarding $subject has bounced. It was sent on $timequeued to $recipient. No further attempts at delivery will be made. Have a nice day!

Note: Some mail servers, such as Microsoft Exchange, may send their own NDRs or rewrite the contents of NDRs sent from other products. Please see the Administrator's Guide for information on integrating this product's NDR functionality with Microsoft Exchange.

Address Rewriting

Use this dialog to rewrite email addresses for inbound or outbound emails. These operations affect only the email envelope (the RFC 2821 fields): the email headers are not affected in any way. For inbound email, the To field (the RCPT TO field) is rewritten. For outbound email, the From field (the MAIL FROM field) is rewritten.

Trusted Networks

When SonicWALL Security receives messages from an upstream server that uses a non-reserved or public IP address, the GRID Network effectiveness may degrade. To avoid this degradation on the GRID Network, users can put public IP addresses on a privatized list.

To add IP addresses to a Trusted Network, click the Add Server button. In the box that displays, type in the IP addresses you want to add, then click Save. The IP addresses will now appear on the Server List.

LDAP Configuration

SonicWALL Security uses Lightweight Directory Access Protocol (LDAP) to integrate with your organization's email environment. LDAP is an Internet protocol that email programs use to look up users' contact information from a server. As users and email distribution lists are defined in your mail server, this information is automatically reflected in SonicWALL Security in real time.

Many enterprise networks use directory servers like Active Directory or Lotus Domino to manage user information. These directory servers support LDAP, and SonicWALL Security can automatically get user information from these directories using LDAP. You can run SonicWALL Security without access to an LDAP server as well. If your organization does not use a directory server, users cannot access their Junk Boxes, and all inbound email is managed by the message-management settings defined by the administrator.

SonicWALL Security uses the following data from your mail environment.

   Login Name and Password: When a user attempts to log into the SonicWALL Security server, their login name and password are verified against the mail server using LDAP authentication. Therefore, changes made to the user names and passwords are automatically uploaded to SonicWALL Security in real time.
   If your organization allows users to have multiple email aliases, SonicWALL Security ensures any individual settings defined for the user extend to all the user's email aliases. This means that junk sent to those aliases aggregates into the same folder.
   Email groups or distribution lists in your organization are imported into SonicWALL Security. You can manage the settings for the distribution list in the same way as a user's settings.

LDAP groups allow you to assign roles to user groups and set spam-blocking options for user groups.

Configuring LDAP

Use the LDAP Configuration screen to configure SonicWALL Security for username and password authentication for all employees in the enterprise.

Note: Complete the LDAP configuration screen to get the complete list of users who are allowed to log in to their Junk Box. If a user does not appear in the User list in the User & Group screen, their email will be filtered, but they cannot view their personal Junk Box or change default message management settings.

Enter the server information and login information to test the connection to the LDAP server.
1. Click the Add Server button to add a new LDAP Server. Configuring the LDAP server is essential to enabling per-user access and management. These settings are limited according to the preferences set in the User Management pane. See the User View Setup section on page 4 for details.
2. The following checkboxes appear under the Settings section:
   Show Enhanced LDAP Mappings fields: Select this option for Enhanced LDAP, or LDAP Redundancy. You will have to specify the Secondary Server IP address and Port number.
   Auto-fill LDAP Query fields when saving configurations: Select this option to automatically fill the LDAP Query fields upon saving.
3. Enter the following information about your LDAP server:
   Friendly Name: The friendly name for your LDAP server.
   Primary Server Name or IP address: The DNS name or IP address of your LDAP server. (Configuration checklist parameter M)
   Port number: The TCP port running the LDAP service. The default LDAP port is 389. (Configuration checklist parameter N)
   LDAP server type: Choose the appropriate type of LDAP server from the dropdown list.
   LDAP page size: Specify the maximum page size to be queried. The default size is 100.
   SSL Connection: Select this box if your server requires a secured connection.
   Type of LDAP Server: Choose the appropriate type of LDAP server from the list.
   Allow LDAP referrals: Leaving this option unchecked will disable LDAP referrals and speed up logins. You may select this option if your organization has multiple LDAP servers in which the LDAP server can delegate parts of a request for information to other LDAP servers that may have more information.
4. Specify if the LDAP login method for your server is by Anonymous Bind or Login. Specify the Login name and Password. This may be a regular user on the network, and typically does not have to be a network administrator.

   Note: Some LDAP servers allow any user to acquire a list of valid email addresses. This state of allowing full access to anybody who asks is called Anonymous Bind. In contrast to Anonymous Bind, most LDAP servers, such as Microsoft's Active Directory, require a valid username/password in order to get the list of valid email addresses. (Configuration checklist parameter O and P)
5. Click the Test LDAP Login button. A successful test indicates a simple connection was made to the LDAP server. If you are using anonymous bind access, be aware that even if the connection is successful, anonymous bind privileges might not be high enough to retrieve the data required by SonicWALL Security.
6. Click Save Changes.

LDAP Query Panel

To access the LDAP Query Panel settings window, click the Friendly Name link or the Edit button of the server you wish to configure.

Note: SonicWALL Security does not require you to configure LDAP query information settings for most installations.

To configure advanced LDAP settings for users
1. Enter values for the following fields:
   Directory node to begin search: The node of the LDAP directory to start a search for users. (Configuration checklist parameter Q)
   Filter: The LDAP filter used to retrieve users from the directory.
   User login name attribute: The LDAP attribute that corresponds to the user ID.
   Email alias attribute: The LDAP attribute that corresponds to email aliases.
2. Click the Test User Query button to verify that the configuration is correct.
3. Click Save Changes to save and apply all changes made.

Note: You may click the Auto-fill User Fields button to have SonicWALL Security automatically complete the remainder of this form.

To configure LDAP Settings for Groups:
1. Enter values for the following fields:
   Directory node to begin search: The node of the LDAP directory to start a search for users. (Configuration checklist parameter Q)
   Filter: The LDAP filter used to retrieve groups from the directory.
   Group name attribute: The LDAP attribute that corresponds to group names.
   Group members attribute: The LDAP attribute that corresponds to group members.
   User member attribute: The LDAP attribute inside each user's entry in LDAP that lists the groups or mailing lists that this user is a member of.
2. Click the Test User Query button to verify that the configuration is correct.
3. Click Save Changes to save and apply all changes made.

Note: Click the Auto-fill Group Fields button to have SonicWALL Security automatically complete the remainder of this form. If you have a large number of user mailboxes, applying these changes could take several minutes.

In a Microsoft Windows environment, you will need to specify the NetBIOS domain name, sometimes called the pre-Windows 2000 domain name.

To locate the pre-Windows 2000 domain name
1. Log in to your domain controller.
2. Navigate to Start > All Programs > Administrative Tools > Active Directory Domains and Trusts.
3. In the left pane of the Active Directory Domains and Trusts dialog box, highlight your domain and click Action.
4. Next, click Properties. The domain name or pre-Windows 2000 name will display in the General tab.

Advanced LDAP Settings

On some LDAP servers, such as Lotus Domino, some valid email addresses do not appear in LDAP. This panel provides two methods of managing such addresses.

This panel provides a way to add additional mappings from one domain to another. For example, a mapping could be added that would ensure emails addressed to [email protected] are sent to [email protected].

It also provides a way of substituting single characters in email addresses. For example, a substitution could be created that would replace all the spaces to the left of the "@" sign in an email address with a "-". In this example, email addressed to Casey [email protected] would be sent to [email protected].

Note: This feature does not make changes to your LDAP system or rewrite any email addresses; it makes changes to the way SonicWALL Security interprets certain email addresses.

To access the Advanced LDAP Settings, click the Friendly Name link or the Edit button of the server you wish to configure.

To configure the advanced LDAP settings panel
1. Click the Add LDAP Mappings button.
2. From the first drop-down list, choose one of the following:
   domain is - choose this to add additional mappings from one domain to another.
      If replace with is chosen from the second drop-down menu, then the domain is replaced.
      If also add is chosen from the second drop-down menu, then when the first domain is found, the second domain is added to the list of valid domains.
   left hand side character is - choose this to add character substitution mappings.
      If replace with is chosen from the second drop-down menu, then the character is replaced in all characters to the left of the "@" sign in the email address.
      If also add is chosen from the second drop-down menu, then a second email address is added to the list of valid email addresses.
3. Click the Add Mapping button.
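A way to preview what a set of mappings does to the list of valid addresses before saving it, written as a Python model (an added example, not SonicWALL code). It assumes the mappings are applied in order to the addresses read from LDAP, which is one reading of the behaviour described above; the addresses and mappings are constructed samples.

```python
from dataclasses import dataclass

# Choices in the first and second drop-down lists, as named in the guide.
DOMAIN = "domain is"
LHS_CHAR = "left hand side character is"
REPLACE = "replace with"
ALSO_ADD = "also add"


@dataclass(frozen=True)
class Mapping:
    kind: str    # DOMAIN or LHS_CHAR
    match: str   # domain, or single character, to look for
    action: str  # REPLACE or ALSO_ADD
    value: str   # replacement domain or character


def _split(address: str) -> tuple[str, str]:
    """Lower-case an address and split it at the last "@"."""
    local, at, domain = address.strip().lower().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return local, domain


def _rewrite(address: str, m: Mapping):
    """Return the address as rewritten by m, or None when m does not apply."""
    local, domain = _split(address)
    if m.kind == DOMAIN:
        return f"{local}@{m.value.lower()}" if domain == m.match.lower() else None
    if m.kind == LHS_CHAR:
        if len(m.match) != 1:
            raise ValueError("character mappings match exactly one character")
        if m.match.lower() not in local:
            return None
        # Only the part to the left of the "@" sign is touched.
        return f"{local.replace(m.match.lower(), m.value.lower())}@{domain}"
    raise ValueError(f"unknown mapping type: {m.kind!r}")


def apply_mappings(ldap_addresses, mappings) -> set[str]:
    """Return the set of addresses treated as valid after all mappings."""
    valid = {"@".join(_split(a)) for a in ldap_addresses}
    for m in mappings:
        if m.action not in (REPLACE, ALSO_ADD):
            raise ValueError(f"unknown action: {m.action!r}")
        updated = set()
        for address in valid:
            rewritten = _rewrite(address, m)
            if rewritten is None:
                updated.add(address)                  # mapping does not apply
            elif m.action == REPLACE:
                updated.add(rewritten)                # original form is dropped
            else:
                updated.update((address, rewritten))  # both forms stay valid
        valid = updated
    return valid


def audit(ldap_addresses, mappings):
    """Return (added, removed): how the mappings change the valid-address list."""
    before = {"@".join(_split(a)) for a in ldap_addresses}
    after = apply_mappings(ldap_addresses, mappings)
    return sorted(after - before), sorted(before - after)


# Constructed sample data, not taken from the guide.
LDAP_ADDRESSES = ["casey lee@corp.example", "pat@corp.example", "ops@legacy.example"]
MAPPINGS = [
    Mapping(LHS_CHAR, " ", REPLACE, "-"),
    Mapping(DOMAIN, "legacy.example", ALSO_ADD, "corp.example"),
]

if __name__ == "__main__":
    added, removed = audit(LDAP_ADDRESSES, MAPPINGS)
    print("newly valid:", added)
    print("no longer valid:", removed)
```

Every "also add" mapping widens the set of recipients the gateway accepts as valid, so the "newly valid" list is the part worth reviewing before applying a change.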

Multiple LDAP Server Support

SonicWALL Security allows administrators to set different filters and rules for each LDAP server. In very large organizations, multiple LDAP servers can feed one Email Security instance. The following table describes the actions that can be taken on a group, domain, or global level.

Function                               Domain   LDAP Group   Global
Directory Harvest Attack prevention    Y        -            Y
Policy                                 Y        Y            Y
Reporting                              Y        -            Y
Roles                                  -        Y            Y
Settings                               Y*       Y            Y

* Requires creating a master group on the LDAP server.

Configuring SonicWALL ES for Multiple LDAP Servers

The LDAP configuration page allows administrators to configure more than one LDAP server. All LDAP servers are listed. You can edit or delete each LDAP server without affecting the connection of the other LDAP servers.

To add an LDAP server:
1. Log in as the Email Security administrator.
2. Click System and then LDAP Configuration.
3. Click the Add Server button.
4. Fill in the connection information for the LDAP server you wish to add. Be sure to give it a unique friendly name so that you can easily identify it in the list of servers.
5. When you are finished, click Apply Changes and use the test button to confirm that the LDAP server is properly connected and configured.

Administering Multi-LDAP Environments

Administrators must log into a specific domain unless they are the SonicWALL Security administrator. Once a domain administrator is logged in, she can modify the Email Security settings for her domain, including the anti-spam settings.

The Email Security administrator can see all the LDAP servers attached to SonicWALL Security. The administrator logs in with no domain specified.

Editing LDAP Connection Information

The Email Security administrator configures the multiple domains.

To change the settings of an existing LDAP server
1. Log in as the Email Security administrator.
2. Click System and then LDAP Configuration.

3. Click the server name link or the Edit (pencil) button associated with the friendly name of the LDAP server you want to change.
4. Edit the details of the LDAP server using the information you have collected.
5. In the Global Configurations section, you can enter aliases for your pseudo-domains. In this example, the administrator can configure aliases (on the right side) to correspond with the pseudo-domain. Aliases must be unique and can consist of lowercase alpha-numeric characters and underscores. Aliases are separated by commas. If you set an alias to the domain name, users can log in using their email address.
6. In the Settings subsection, choose whether you want the domains to appear in the login dropdown box. If this box is checked, all users will be able to see all domains. If it remains unchecked, users must log in with their fully-qualified login, such as [email protected]. You can also choose how often SonicWALL ES refreshes the LDAP usermap.
7. When you are done, click Apply Changes and use the test button to confirm that the LDAP server is properly connected and configured.

Address Rewriting

In a multiple LDAP server environment, administrators can map incoming or outbound email addresses to new apparent domains. This feature also allows you to expand an email list into its constituent members.

To configure Address Rewriting on a per-LDAP basis:
1. Log in as the Email Security administrator.
2. Click System and then Network Architecture.
3. Scroll down and click the Address Rewriting button.
4. Click the Add New Rewrite Operation button.
5. In Type of Operation, choose LDAP Rewrite to Primary. If you are on the Inbound tab, you could also choose LDAP Email List Expansion.
6. Enter the information for the operation you have chosen.
7. Enter a name for the rewrite operation.
8. Click Save This Rewrite Operation.

Default Message Management Settings

The Default Message Settings window enables the administrator to set default settings for users' messages. It allows you to choose default settings for messages that contain spam, phishing, virus, and policy management issues.
1. Choose the Number of Junk Box days from the drop-down list. Set the enterprise-wide policy for the number of days email messages will remain in the Junk Box before being automatically deleted. The maximum number of days is 180. This can be adjusted for an individual user by an administrator or the user, if you allow it (see User View Setup on page 4).

2. Choose the number of items to display in the Message Center from the drop-down list.
3. Review the four check box options that allow the user to define conditions for tagging messages incoming to their inbox. Each of the tags below will be prefixed to the subject line of the message.
   To tag unjunked messages, check the Tag unjunked messages with this text added to the subject line checkbox, and input word(s) to be used for tagging.
   To tag messages which were considered as junk but will be delivered because the sender's domain is on the user's Allow list, check the Tag messages considered junk, but delivered because sender/domain/list is in Allowed list with the text added to the subject line checkbox, and input word(s) to be used for tagging.
   To tag messages which were considered as junk but will be delivered because of a Policy action in effect, check the Tag messages considered junk, but delivered because of a Policy action with the text added to the subject line checkbox, and input word(s) to be used for tagging.
   To tag all those messages that are processed by Email Security 7.0 Server for testing, check the Tag all messages processed by Email Security for initial deployment testing with this text added to the subject line checkbox, and input word(s) to be used for tagging.
4. Click the click here links to manage spam, virus, phishing, and policy.
5. Click the Apply Changes button.

Junk Box Summary

SonicWALL Security sends an email message to users listing all the messages that have been placed in their Junk Box. The Junk Box Summary includes:
   Good vs Junk count (organization)
   Number of blocked messages (per user)

Users can unjunk items listed in the Junk Box Summary email by clicking links in the email. When unjunking, there is an option not to add a sender to the Allowed list.

To manage the Junk Box summary
1. Choose Frequency of Summaries from the drop-down box.
2. Choose the dates and times to receive email notification. Individual users can override these settings.
3. Choose whether to include in message summary All Junk Messages or Likely Junk Only (hide definite junk).
4. Choose Language of summary emails from the drop-down list.
5. Choose a plain or graphics rich summary.
6. If a delegate has been assigned to manage a user's Junk Box, select the summary for that user to be sent to the assigned delegate.
7. Select to send summary only to users in LDAP.
   Sent From. The message summary can come from the individual user or another email address which you enter here. Be aware that if summaries are sent because the address doesn't exist, the message summary message will bounce as well.
8. Select the name to be displayed in end user's email client for the summary emails.
   Subject - Enter the subject line for the Junk Box Summary email.
   URL for User View - This text box is filled in automatically based on your server configuration and is included in the Junk Box Summary email. Clicking on the email link will allow users to unjunk messages. Test the link if you make any changes to ensure connectivity. If you have multiple SonicWALL Security deployments, enter the virtual hostname here.

   Test this Link - Users unjunk items in the Junk Box summary email by clicking links in the email. To test the URL, click Test this Link. If the test fails, check that the URL is correct. (Installation checklist parameters B, C, D)
9. Click the Apply Changes button.

User View Setup

Configure whether and how the end users of the SonicWALL Security server access the system and what capabilities of the system are exposed to the end users.

To set up the user view
1. Select one or more HTTP settings:
   To enable HTTP, select the Enable HTTP access on port checkbox and enter the port number in the field. The default port for HTTP is 80.
   To enable HTTPS (SSL) access, select the Enable HTTPS (SSL) access on port: checkbox and enter the port number in the field. The default port for HTTPS is 443.
   Click the Redirect access from HTTP to HTTPS checkbox if you always want the users to connect through HTTPS.
2. Select one or more items to appear in the user navigation toolbar:
   Select the Login enabled checkbox to allow users to access their junk boxes. This allows users to log into SonicWALL Security and have access to their per-user Junk Box. If you disable this, mail will still be analyzed and quarantined, but users will not have access to their Junk Box. It makes SonicWALL Security operate in a manner that is not visible to the user.
   Select the Anti-Spam Techniques checkbox to include the user-configurable options available for blocking spam emails. Users can customize the categories People, Companies, and Lists into their personal Allowed and Blocked lists. You can choose to grant users full control over these settings by selecting the Full user control over antispam aggressiveness settings checkbox, or force them to accept the corporate aggressiveness defaults by leaving the checkbox empty.
   Select the Reports checkbox to provide junk email blocking information about your organization as a whole. Even if this option is checked, users may view only a small subset of the reports available to administrators.
   Select the Settings checkbox to provide options for management of the user's Junk Box, including individual junk summary reports and specifying delegates.
3. Determine the user download settings:
   Check the Allow users to download SonicWALL Anti-Spam Desktop for Outlook and Outlook Express checkbox to allow users to download the Anti-Spam Desktop. Anti-Spam Desktop is a plugin for Microsoft Outlook and Outlook Express that filters spam and allows users to mark emails they receive as junk or good email. It is a complete anti-spam application.
   Check the Allow users to download SonicWALL Junk Button for Outlook check box to allow users to download SonicWALL Security Junk Button for Outlook. Junk Button is a lightweight plugin for Microsoft Outlook. It allows users to mark emails they receive as junk, but does not filter email.
4. Determine the settings for quarantined junk mail:
   Check the Users can preview their own quarantined junk mail checkbox to enable users to view their individual mail that is junked.
   Choose which other types of users can preview quarantined junk mail. These roles are configured within SonicWALL Security.
5. Users are not usually shown reports which include information about users, such as email addresses. Select the Reports view settings checkbox to give users access to those reports.

6. Enter an Optional login help URL. An administrator can specify a URL for any customized help web page for users to view on the Login screen. If no URL is entered, SonicWALL Security provides a default login help screen. If a URL is entered, that page is launched when the user clicks the Login Help link.
7. Click Apply Changes.

Updates

SonicWALL Security uses collaborative techniques as one of many tools in blocking junk messages. The collaborative database incorporates thumbprints of junked email from MailFrontier Desktop and SonicWALL Security users. Your SonicWALL Security communicates with a data center hosted by SonicWALL (using the HTTP protocol) to download data used to block spam, phishing, virus and other evolving threats.

SonicWALL Security recommends that you check for spam, phishing, and virus blocking updates at least every twenty minutes.

Check the Submit unjunk thumbprints check box to submit thumbprints to the SonicWALL Security data center when users unjunk a message. Thumbprints sent from SonicWALL Security contribute to the collaborative community by improving junk-blocking accuracy. They contain absolutely no readable information.

Check the Submit generic spam blocking data check box to send generic spam-blocking data to the SonicWALL Security data center to assist in customer support and to help improve spam blocking. No emails, email content, header information or any other uniquely identifiable information is ever sent.

Web Proxy Configuration

When your SonicWALL Security contacts the SonicWALL hosted data center to download data, it uses the HTTP protocol. If your organization routes HTTP traffic through a proxy, you can specify the proxy server here. You can also allow HTTP traffic from certain servers to bypass the proxy server. You may want to do this for data transferred between SonicWALL Security servers within your organization.

If your organization routes HTTP traffic through a proxy which requires basic authentication, you can enter the username and password to configure SonicWALL Security to authenticate with the HTTP proxy server.

Test Connectivity to SonicWALL Security

Test that communication through the web proxy is working. Click the Test Connectivity to SonicWALL button to ensure that SonicWALL Security has access to the SonicWALL hosted data center.

Monitoring

Use the Monitoring page to enter the email addresses of administrators who receive emergency alerts and outbound quarantine notifications. If this field is left blank, notifications will not be sent.

The Monitoring page is also used to set up the postmaster for the MTA. If SonicWALL Security has been configured to be an MTA, enter the email address to which postmaster notifications generated by the MTA should be sent. Notifications are not sent more than once every ten minutes.

You can also enter the names or IP addresses of backup SMTP servers. If you are running SonicWALL Security in split mode, and you route outbound email through SonicWALL Security, you must enter the IP addresses or fully-qualified domain names of any Remote Analyzers through which outbound email is routed in this text box on the Control Center.

Use the Monitoring page to configure the Syslog settings. Options include setting external servers for logging and alerts.

To create a customized signature, enter text in the text box. This text appears at the bottom of all alerts.

About Alerts

Alerts in SonicWALL Security provide the following details:
   A summary of the alert
   Details that include the following:
      Host Name
      Two to three lines of description of an alert or trigger
      A trigger message, if available
      A time stamp
         In local time
         In GMT

If available, the alert will also include the following:
   Recommended action with possible suggestions on a next step
   An alerts configuration page
   General alert settings

The following is an example of an alert:

Viewing Alert History

To view a history of alerts that have been sent, click the View Alert History button located in the top-right corner of the page.

Alert Suppression Schedule

If you want to turn off alerts during a product maintenance window, you can suppress them for a period of time by clicking the Schedule Alert Suppression button.

To turn off alerts
1. Click the Schedule Alert Suppression button. Select a host from the drop-down menu.
2. Select the severity of the alerts that you wish to suppress.

3. Choose the date and the time (24-hour clock) you would like to suppress the alerts.
4. Enter a reason for suppressing the alert.
5. Select the Submit button.

Using Syslog

The log files for SonicWALL Security are now configurable. Syslog supports ES Alerts and a subset of MFE lines. You can choose specific notifications and have them sent to external servers automatically. You can also use the syslog to report events directly to the Windows Event Viewer.

To change Syslog settings
1. Log in as the Security administrator.
2. Click System. Navigate to Monitoring > Set System Logging. The Set System Logging page appears.
3. Set your Log Level. Changing your log level will only affect the syslog.
4. If you are running SonicWALL Security as a software installation on a Windows system, you can check Local to send the log information to the Windows Event Viewer. This option is also available for Appliances. The log information will be sent to /opt/ security/logs/essyslog.log.
5. If you want to send your log information to a remote logging server, check the Remote box. If you choose this option, you must configure at least one remote server.
6. Click Send Message Details. This will enable or disable the subset of MFE lines on the syslog.
7. Enter the server and port which will receive logged events. The secondary server is not a failover. If two servers are configured, both will receive event notifications.
8. Click Save. In the save process, your external logging server, if any, is validated, and you are alerted if there is a problem.

To view log files
1. Log in as the Security administrator.
2. Click System and then Advanced. The Advanced page displays.
3. Scroll down to Download System/Log Files. The contents of the Choose Specific Files field change, depending on the type of file you have selected. For example, choosing the Data Directory regenerates the page and offers you several choices, including SW-ES-MIB.txt, a file that describes the MIB identifiers for Security-specific events.
4. Click Download or To to send the log file you have selected.

Connection Management

The Connection Management section uses technology to slow or drop unwanted traffic. As part of Connection Management, SonicWALL Security rejects messages with an invalid MAIL FROM setting. Connection Management includes the following subsections:
- Intrusion Prevention: Protection against Denial of Service (DoS) attacks, Directory Harvest Attacks (DHA), and invalid addresses.
- Quality of Service: Enables greater control over the server connection from suspicious clients.

Intrusion Prevention

To access the Intrusion Prevention portion of the Connection Management module, go to System > Connection Management.

Directory Harvest Attack (DHA) Protection

Spammers not only threaten your network with junk mail, they also stage Directory Harvest Attacks (DHA) to get a list of all users in an organization's directory. DHA makes unprotected organizations vulnerable to increased attacks on their email and other data systems. DHA can threaten your network in the following ways:
- Expose the users in your directory to spammers: The people at your organization need their privacy in order to be effective. To expose them to malicious hackers puts them and the organization at significant risk from a variety of sources.
- Users whose email addresses have been harvested are at risk: Once a malicious hacker knows their email address, users are at risk of being spoofed: someone can try to impersonate their identity. In addition, exposed users can be vulnerable to spoofing by others. IT departments routinely receive email from people pretending to be providing upstream services, such as DNS services.
- Expose users to phishing: Exposed users can be targeted to receive fraudulent email. Some receive legitimate-appearing email from banks or credit cards asking for personal or financial information. Some exposed users have been blackmailed; Reuters reported cases where users were told if they did not pay up, their computers would be infected with viruses or pornographic material.
- Expose your organization to Denial of Service attacks: DHA can lead to denial of service attacks because malicious hackers can send lots of information to valid email addresses in an effort to overwhelm the capacity of your mail server.
- Expose your organization to viruses: DHA provides a highly effective means of delivering virus-infected email to users.
- Expose users to fraudulent email masquerading as good email: Directory Harvest Attacks can perpetuate fraudulent email messages by giving malicious hackers the ability to target your users individually and by name.

The following table outlines the available options for messages that are sent to addresses that are not configured in your LDAP server.

Option: Directory Harvest Attack (DHA) protection off. Process all messages the same (whether or not email address is in LDAP). No action is taken on messages to invalid recipients.
Consequences: No directory protection.

Option: Permanently Delete. All email addressed to users not in the organization's directory is permanently deleted.
Consequences: The sender does not receive notification about the email they have sent. This option can lead to permanently deleting legitimate mail with a typographical error in the address.

Option: Reject invalid email addresses (Tarpitting). SMTP clients that specify invalid recipients will be tarpitted.
Consequences: Responses to those invalid recipient commands are delayed for some time period to slow down the rate that they can attack an organization's mail system. Warning: Enabling tarpitting protection uses your system resources (CPU, memory) that may slow down your server.

Option: Always store in Junk Box (regardless of spam rating). Email that is sent to an invalid address is stored in the Junk Box. SonicWALL Security does not process the email to determine if it is spam or another form of unwanted email.
Consequences: SonicWALL Security recommends this option to protect the confidentiality of your directory population.

Apply DHA protection to these recipient domains

Option: Apply to all recipient domains. SonicWALL recommends that most organizations choose Apply to all recipient domains.
Consequences: Applies DHA protection to all recipient domains.

Option: Apply only to the recipient domains listed below.
Consequences: Applies DHA protection to the recipient domain(s) listed.

Option: Apply to all recipient domains except those listed below.
Consequences: Applies DHA protection to all recipient domains except for those listed.

Denial of Service (DoS) Attack Protection

A Denial of Service attack aims to prevent authorized access to a system resource or to delay system operations and functions for legitimate users. Denial of Service attacks can threaten your network in the following ways:
- Bandwidth consumption: The available bandwidth of a network is flooded with junk mail addressed to invalid recipients.
- Resource starvation: The mail servers of an organization are overwhelmed trying to process the increased volume of messages coming from infected computers, which causes the mail servers to run out of resources (CPU, memory, storage space).

The Denial of Service Attack Protection adds an extra level of security to thwart an attack.

To set Denial of Service Attack Protection
1. Navigate to System > Connection Management.
2. Check the Enable DoS attack protection box. Read and acknowledge the warning. To use the Denial of Service Attack protection feature, your SonicWALL Security appliance must be the first destination for incoming messages. If you are routing mail to your Security appliance from an internal mail server or using a mail transfer agent, do not use Denial of Service Attack protection.
3. Specify the trigger: specify the number of connections to allow from a given IP address.
4. Specify an action to take:
   - deferral for a set period of time
   - completely block all further connections
5. Click the Apply Changes button.

Quality of Service

To access the Quality of Service portion of the Connection Management module, go to System > Connection Management and scroll down to the Quality of Service section. The following sections describe how to configure the Quality of Service components:
- BATV
- Sender IP Reputation
- Throttling (Flow control)
- Connections
- Messages

BATV

BATV adds a stamp to the envelope of all outbound mail. If the mail is bounced and does not reach a recipient, the stamp alerts the inbound mail processor that this email originated within your organization. False bounce messages, which will not have the stamp, will not be passed through the inbound mail processor.

To use BATV, SonicWALL Security must touch all outbound mail. For maximum efficiency of processing inbound bounces, SonicWALL Security should be your first-touch inbound mail processor. SonicWALL Security will read the bounce message envelope, determine whether or not it is legitimate, and only download and pass through legitimate messages. The added BATV tag is removed before the email is passed to the users.

BATV is not enabled by default. Although BATV is a powerful tool to eliminate false bounce messages, some configurations on other mail servers may cause the BATV system to reject legitimate bounce messages. The user who sent out the message would not know it did not reach the intended recipient. Reasons for "false positives" might include:
- LDAP upstream of SonicWALL Security
- Null reverse paths instead of "From" fields
- Divergent SonicWALL Security configuration
- Incorrect or altered reverse mail paths

Users might also receive "false negatives", which are false bounce messages even though they did not send the originals. False negatives might come from a spambot or zombie infection of the organization. In that case, the spam would be properly stamped as it left the organization.
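The stamping and bounce check described above can be shown in a few lines of Python. This is an added example, not SonicWALL code: it uses the prvs tag layout from the public BATV Internet-Draft (key digit, three-digit expiry day, six hex digits of an HMAC-SHA1), and the key, key number, lifetime and function names are constructed for the illustration.

```python
import hashlib
import hmac
import re

# Constructed values for this example. The outbound and inbound servers must
# share the same key, which is why BATV has to be enabled on both.
SECRET = b"constructed-demo-key"
KEY_ID = 0            # single-digit key number carried in the tag
LIFETIME_DAYS = 7     # days a stamp stays valid after the mail is sent

TAG_RE = re.compile(r"(\d)(\d{3})([0-9a-f]{6})", re.ASCII)


def _day(now):
    """Day number derived from a Unix timestamp."""
    return int(now // 86400)


def _mac(key_id, expiry_day, address):
    """First three bytes (hex) of HMAC-SHA1 over key digit, expiry and address."""
    msg = f"{key_id}{expiry_day:03d}{address}".encode()
    return hmac.new(SECRET, msg, hashlib.sha1).hexdigest()[:6]


def sign_return_path(address, now):
    """Outbound side: stamp the envelope sender of a message we are sending."""
    local, domain = address.rsplit("@", 1)
    expiry = (_day(now) + LIFETIME_DAYS) % 1000
    tag = f"{KEY_ID}{expiry:03d}{_mac(KEY_ID, expiry, address)}"
    return f"prvs={tag}={local}@{domain}"


def check_bounce(mail_from, rcpt_to, now):
    """Inbound side: return (verdict, address to deliver to or None)."""
    if mail_from:                       # bounces use the null reverse path <>
        return ("not-a-bounce", rcpt_to)
    local, _, domain = rcpt_to.rpartition("@")
    if not local.startswith("prvs="):   # bounce for mail we never stamped
        return ("reject-untagged", None)
    tag, sep, orig_local = local[5:].partition("=")
    match = TAG_RE.fullmatch(tag)
    if not sep or match is None:
        return ("reject-malformed", None)
    key_id, expiry = int(match.group(1)), int(match.group(2))
    address = f"{orig_local}@{domain}"
    expected = _mac(key_id, expiry, address)
    if not hmac.compare_digest(match.group(3).encode(), expected.encode()):
        return ("reject-forged", None)
    # Day numbers wrap at 1000, so compare the remaining lifetime modulo 1000.
    if (expiry - _day(now)) % 1000 > LIFETIME_DAYS:
        return ("reject-expired", None)
    return ("accept", address)          # tag stripped before delivery
```

The "reject-untagged" branch is the behaviour behind the note about the first days after enabling BATV: a bounce for mail that left before stamping was turned on carries no tag and is treated like a false bounce.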

To enable BATV, you must turn it on for both your outbound and inbound SonicWALL Security servers, if they are different. If you are running an all-in-one system, you only have to turn it on once. BATV will work best if your SonicWALL portal is the last-touch for outbound mail and the first-touch for inbound mail.

Note: For the first 4-5 days after you enable BATV, your users may not receive legitimate bounce messages. This is because there are messages which are still trying to reach an invalid destination, and when they come back, they will not have the appropriate stamp.

To enable BATV
1. Log into your Security as an administrator.
2. Choose System from the left navigation bar.
3. Choose Connection Management.
4. Scroll down to the Quality of Service section.
5. Click in the Bounced Address Tag Validation to enable BATV.
6. Click Apply Changes.

BATV is now enabled. If you have different servers for inbound and outbound mail, make sure that it is enabled on both servers.

BATV is a solution to backscatter caused by spoofed addresses. Only messages sent from within your organization will be returned as bounces. This drastically reduces the bounce traffic. BATV must be enabled on both inbound and outbound servers to work.

Sender IP Reputation

This section describes the SonicWALL GRID Connection Management with Sender IP Reputation feature. GRID Network Sender IP Reputation is the reputation a particular IP address has with members of the SonicWALL GRID Network. When this feature is enabled, email is not accepted from IP addresses with a bad reputation. When SonicWALL Security will not accept a connection from a known bad IP address, mail from that IP address never reaches the Security server.

This feature is useful only for Security servers that are running as the first touch server (receiving email directly from the internet). SonicWALL recommends disabling GRID Connection Management Network IP Reputation if Security is not first touch.

GRID Network Sender IP Reputation checks the IP address of incoming connection requests against a series of lists and statistics to ensure that the connection has a probability of delivering valuable email. The lists are compiled using the collaborative intelligence of the SonicWALL GRID Network. Known spammers are prevented from connecting to the SonicWALL Security server, and their junk payloads never consume system resources on the targeted systems.

Benefits:
- Because as much as 80 percent of junk email is blocked before it ever reaches your servers, you need fewer resources to maintain your level of spam protection.
- Your bandwidth is not wasted on receiving junk email on your servers, only to analyze and delete it.
- A global network watches for spammers and helps legitimate users restore their IP reputations if needed.

GRID Connection Management with Sender IP Reputation and Connection Management Precedence Order

When a request is sent to your first-touch SonicWALL Security server, the server evaluates the reputation of the requestor. The reputation is compiled from white lists of known-good senders, block lists of known spammers, and denial-of-service thresholds. If IP Reputation is enabled, the source IP address is checked in this order:

1. Allow-list: If an IP address is on this list, it is allowed to pass messages through Connection Management. The messages will be analyzed by your SonicWALL Security server as usual.
2. Block-list: This IP address is banned from connecting to the SonicWALL Security server.
3. Reputation-list: If the IP address is not in the previous lists, the SonicWALL Security server checks with the GRID Network to see if this IP address has a bad reputation.
4. Defer-list: Connections from this IP address are deferred. A set interval must pass before the connection is allowed.
5. DoS: If the IP address is not on the previous lists, the SonicWALL Security server checks to see if the IP address has crossed the Denial of Service threshold. If it has, the server uses the existing DoS settings to take action.
6. Throttling: If the IP address has crossed the throttling threshold, the server uses the existing throttling settings to take action.
7. Not-grey-list*: This IP address has already been through (and passed) the grey-list filter.
8. Grey-list*: If this is the first time this IP address has attempted to connect with the server, add it to the grey list.

* Only if this feature is enabled

Only if the IP address passes all of these tests does the SonicWALL Security server allow that server to make a connection and transfer mail. If the IP address does not pass the tests, there is a message from the SonicWALL server to the requesting server indicating that there is no SMTP server. The connection request is not accepted.

Using GRID IP Reputation

Most of the work of the IP Reputation feature happens before a connection is ever accepted. This means that you won't see reports on junk mail messages that are blocked before they ever appear on your servers. You may also see changes in the reporting statistics. Blocked connections are added to the Junk Breakdown report. Each connection might have delivered many junk messages, but we cannot tell how many emails were blocked by rejecting a connection from an IP address. Instead, we keep a tally of rejected IP connections and a log of why they were rejected.

To turn on GRID IP Reputation
1. Log in as the Security administrator.
2. Click System and then Connection Management.
3. Scroll down to the Quality of Service section and select the box for GRID Network IP Reputation.
4. Click the Apply Changes button.

All inbound connection requests will be evaluated for reputation. If the connection fails to meet the standards set by SonicWALL Security, the connection request is dropped. The error message sent back to the requesting server is 544 No SMTPd Here.

Greylisting

In this section you can enable or disable Greylisting. Greylisting is disabled by default in SonicWALL Security.

The Greylisting feature in SonicWALL Security discourages spam without permanently blocking a suspicious IP address. When Greylisting is enabled, Security assumes that all new IP addresses that contact it are suspicious, and requires those addresses to retry before it will accept the email. The assumption is that most spammers do not waste time retrying failed connections. Therefore, forcing enterprise-level Mail Transfer Agents (MTAs) to retry the connection a second time should reduce the amount of spam received by your organization.

The Greylist is the list of IP addresses which have contacted SonicWALL Security once, and have been sent a request to retry the connection. The Greylist is cleared and restarted every night. Thus, if the connection is not retried before the Greylist is restarted, that server will be asked to retry the connection again when it sends a retry of the initial connection request.

SonicWALL Security also keeps track of the MTAs that have successfully retried the connection and are now deemed to be responsible MTAs. These IP addresses are added to a separate list. Connections from MTAs on this Responsible MTA List are accepted without further retry requests, but the data from the connection is subjected to the rigorous checking performed by SonicWALL Security on all incoming email.

Notes:
- The Greylisting feature is useful only for Security servers that are running as the "first touch" server (receiving email directly from the Internet). SonicWALL recommends disabling Greylisting if Security is not first touch.
- Enabling Greylisting may cause good email to be delayed. The mail should be delivered within 15 minutes, depending on the configuration of the sending MTA.

Benefits of Greylisting

The benefits of enabling Greylisting are:
- Increased effectiveness: Less spam received into the gateway translates to less spam delivered to the Inbox.
- Better performance: Greylisting can reduce the volume of traffic at the gateway, as well as traffic downstream (e.g., to the Exchange server). As a result of the reduced volume, valuable system resources are freed up (e.g., sockets, memory, network utilization), allowing SonicWALL Security to process more good mail in the same amount of time.
- Storage requirements: With the increasing focus on archiving, Greylisting will reduce the amount of junk that gets stored in an archive, again saving valuable resources.

Greylisting and Connection Management Precedence Order

Greylisting functionality is intended for First Touch installations of SonicWALL Security on inbound paths only. If SonicWALL Security has not been contacted by a reasonable number of unique IP addresses in a certain amount of time, the SonicWALL gateway will detect this and automatically disable Greylisting. However, there would be no harm if this feature were inadvertently enabled even when not running on a First Touch server, as the first connection would be deferred, but subsequent connections would immediately be allowed.

If Greylisting is enabled, the Source IP address will be cross-checked against the SonicWALL Security Connection Management components, in the following order:
- Allow-list: If an IP address is on this list, it gets a free pass through Connection Management (the message is still subject to plug-in chain processing)
- Block-list: This IP address is already blocked from connecting to SonicWALL Security
- Defer-list: Connections from this IP address are already configured to be deferred

- DoS: Check to see if the IP address has crossed the DoS threshold, and if so, take the appropriate action
- Throttling: Check to see if the IP address has crossed the throttling threshold, and if so, take the appropriate action
- Responsible MTA List: This IP address has already been through and passed the Greylisting filter
- Greylist: If this is the first time this IP address has contacted us, add it to the Greylist

Enabling and Disabling Greylisting

Greylisting is disabled by default in SonicWALL Security. You can enable it or disable it on the System > Connection Management page.

Note: When the Greylisting feature is first enabled, it automatically runs in evaluation mode for the first 24 hours. During that time, IP addresses will be collected, but no connections will be deferred. After 24 hours the Greylisting feature will operate fully.

To enable or disable Greylisting
1. Navigate to System > Connection Management.
2. Scroll down to the Quality of Service section of the page.
3. To enable Greylisting, select the Enable greylisting check box.
4. To disable Greylisting if it is enabled, clear the Enable greylisting check box.
5. Click the Apply Changes button.

Throttling (Flow control)

In this section you can set specific thresholds to limit the sending ability of suspicious clients by limiting offensive IP addresses. Some example thresholds include:
- one connection per hour
- one message per minute for the next 24 hours
- ten recipients per message

To set the Throttling feature
1. Navigate to System > Connection Management.
2. Check the Enable throttling box.
3. Specify the trigger:
   - specify the number of connections, messages, or the number of recipients from a given IP address
   - specify the percentage of invalid emails to recipients. This setting only applies to recipient commands
4. Specify an action to take:
   - deferral for a set period of time
   - completely block all further connections
   - limit a number of connections, messages, or recipients, for a number of minutes over a range of time
5. Click the Apply Changes button.

Note: Some scenarios can be implemented with either Denial of Service Attack Protection or Throttling settings. You can choose to throttle mail from clients above one threshold and choose to block clients above a second threshold.
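The precedence orders given above for GRID IP Reputation and for Greylisting can be traced with the following Python model, added here as an example and not taken from SonicWALL code. The class and field names, the thresholds, the in-memory set standing in for the GRID Network lookup, and the per-IP counter without a time window are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

EVALUATION_SECONDS = 24 * 3600  # greylisting only collects addresses at first


@dataclass
class ConnectionManager:
    allow: set = field(default_factory=set)
    block: set = field(default_factory=set)
    defer: set = field(default_factory=set)
    bad_reputation: set = field(default_factory=set)  # stand-in for the GRID lookup
    reputation_enabled: bool = True
    greylisting_enabled: bool = True
    greylisting_enabled_at: float = 0.0   # when the feature was switched on
    dos_limit: int = 100                  # constructed threshold
    dos_action: str = "block"
    throttle_limit: int = 20              # constructed threshold
    throttle_action: str = "defer"
    counts: dict = field(default_factory=dict)
    greylist: set = field(default_factory=set)
    responsible_mtas: set = field(default_factory=set)

    def evaluate(self, ip, now):
        """Return (action, deciding check) for one inbound connection."""
        self.counts[ip] = self.counts.get(ip, 0) + 1
        # 1. Allow-list wins over every later check, including block-list.
        if ip in self.allow:
            return ("accept", "allow-list")
        # 2. Block-list.
        if ip in self.block:
            return ("reject", "block-list")
        # 3. Reputation-list, consulted only if not matched above.
        if self.reputation_enabled and ip in self.bad_reputation:
            return ("reject", "reputation-list")
        # 4. Defer-list.
        if ip in self.defer:
            return ("defer", "defer-list")
        # 5. DoS threshold, then 6. throttling threshold.
        if self.counts[ip] > self.dos_limit:
            return (self.dos_action, "dos")
        if self.counts[ip] > self.throttle_limit:
            return (self.throttle_action, "throttling")
        if not self.greylisting_enabled:
            return ("accept", "passed")
        # 7. Responsible MTA list (the "not-grey-list").
        if ip in self.responsible_mtas:
            return ("accept", "not-grey-list")
        # Evaluation mode: collect the address but never defer.
        if now - self.greylisting_enabled_at < EVALUATION_SECONDS:
            self.greylist.add(ip)
            return ("accept", "grey-list evaluation mode")
        # 8. Greylist: a retry promotes the sender, a first contact is deferred.
        if ip in self.greylist:
            self.greylist.discard(ip)
            self.responsible_mtas.add(ip)
            return ("accept", "not-grey-list")
        self.greylist.add(ip)
        return ("defer", "grey-list")

    def nightly_reset(self):
        """The Greylist is cleared every night; responsible MTAs are kept."""
        self.greylist.clear()
```

Because the allow-list is checked first, an address that appears on both the allow-list and the block-list is accepted, which matches the statement that allowed addresses are not blocked, deferred, or throttled.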

Connections

In this section you can impose a limit on the number of simultaneous inbound and outbound connections that your SonicWALL Security server can accept. On the inbound path, this value limits the number of simultaneous connections external hosts can make to SonicWALL Security. On the outbound path, this value limits the number of simultaneous connections internal hosts can make to SonicWALL Security to deliver messages. When the connections limit is exceeded, SonicWALL Security will send a transient failure (421 error code).

Messages

In this section, you can limit messages based on message characteristics such as message size and number of recipients. SonicWALL Security will return a transient failure (4xx error code) if too many recipients are specified in a message and a permanent failure (5xx error code) if the message size limit is exceeded.

Note: For limiting message size, SonicWALL Security depends on the SMTP client to specify the message size in the ESMTP transaction.

Manually Edit IP Address List

To access this portion of the Connection Management module, go to System > Connection Management. The Manually Edit IP Address Lists appears. Use this window to manage the list of IP addresses you want to allow, defer, block, and throttle.

When an IP address is added to the Allowed list, Security will continue to check for spam and phishing attacks in messages from that IP address. However, messages from IP addresses in the Allowed list will not be blocked, deferred, or throttled even when the IP address is affected by connection management rules that would do so. To stop checking for spam and phishing attacks in messages from a certain IP address, you can configure a policy. See Configuring a Policy Filter for Inbound on page 12.

When the SMTP server receives a connection from an IP address on a blocked list, it will respond with a "554 No SMTP service here" error and reject the TCP/IP connection. In the case of a connection from a deferred IP address, the transient message is "Service not available, connection deferred." For a connection from a list of throttled addresses, the message is "Service not available, too many connections due to throttling."

Backup/Restore Settings

On the System > Backup/Restore page, the administrator can decide what and how the SonicWALL Security will back up and restore collected data.

Note: It is not necessary to perform either of these functions. Executing these functions depends on the needs of your organization.

Manage Backup

In the Manage Backups section, the administrator can select from the following backup configurations:
- Settings: Select this setting to back up ALL your user settings, including network architecture, LDAP, per-user settings and policies. SonicWALL recommends that you back up your settings regularly since this data loss would require a complete re-configuration of your settings.
- Junk Box: Select this backup setting to enable a snapshot of your Junk box for future recovery. Enabling this backup setting requires sufficient disk space and requires 30 to 60 minutes to complete the backup snapshot.
- Archive: Select this backup setting to enable a backup of the archive. This setting backs up all messages that have been archived on this server's file system. Note that this setting does not back up messages that have been archived to an external SMTP server.
- Reports Data: Select this backup setting to enable a snapshot of your reports data. This backup setting is the least critical of the three backup settings. Reports data does not include critical information for system recovery.

Snapshots

Click the Take Snapshot Now button to combine the files selected for backup into a single zip file, or the snapshot. There is only one snapshot file on a system at any time. When a new snapshot is taken, the existing snapshot file (if any) is overwritten. Click the Download Snapshot button to download the last snapshot from the system running. The administrator can choose to save the downloaded snapshot file to a separate system.

Scheduled Backup

Scheduled Backups allow administrators to schedule daily, weekly, or monthly backups. By checking the Enable scheduled backup checkbox and specifying the backup frequency and schedule, you will be able to schedule when snapshots are taken periodically and copied onto the configured remote FTP server. Note that you will need to specify the FTP server, port number, username, password, and destination path to properly authenticate your FTP server.

Manage Restores

In the Manage Restores section, the administrator can restore data from a snapshot file, from the following restore configurations:
- The administrator can select either to restore the data from a snapshot file from the SonicWALL Security server or to upload a snapshot from the local hard drive. A snapshot is saved on the computer work station and not on the SonicWALL Security appliance.
- The administrator can select the snapshot files by checking the boxes of what is to be restored. From the three selections of Settings, Junk box, and Reports data, the administrator has the flexibility to choose options suitable for system recovery or system management.

Host Configuration

You can use this page to make changes to the server on which SonicWALL Security is installed. After applying these settings, you can use the Restart Services or Reboot this Server buttons at the top of the Host Configuration screen.

Changing the Hostname

If you want to change the hostname of this server, enter the new fully-qualified hostname in the Hostname field and click the Apply Changes button.

Note: The system will perform a reboot upon a host name change and clicking the Apply Change button.

Changing the hostname will cause a number of changes to be made to SonicWALL Security settings and configuration files, and will rename some of the directories in the SonicWALL Security installation and data directories. If you are running the SonicWALL Security appliance in split mode, you must also make changes to the hostname on the other servers. If you rename a Remote Analyzer, you must log in to the Control Center and click the System > Network Architecture page. Then remove the old Remote Analyzer hostname from any of the Control Centers with which it is associated, and add the new Remote Analyzer hostname. If you rename a Control Center, you must log in to the Remote Analyzers and click the System > Network Architecture page. Then remove the old Control Center hostname and add the new one.

Date & Time Settings

Use this section to set the time zone, date, and time of the host machine. To finish applying these settings, you must either restart all the services, or reboot the host machine.

Note: If your server is running Microsoft Windows, please use the Windows Control Panel to configure date and time settings, instead of on the SonicWALL Security appliance.

For NTP Settings, enable the Network Time Protocol option, then provide the list of NTP servers to use in synchronizing the time.

Network Settings

To configure network settings, such as the IP address, use the Networking panel. If Dynamic Host Configuration Protocol (DHCP) is chosen, all the necessary settings will be automatically found from the network DHCP server. If static IP settings are chosen, additional information must be entered in the remaining fields.

To view an assigned DHCP IP address, log in to the SonicWALL Security command line interface (CLI) and then type the command tsr at the CLI prompt. In the output, the assigned IP address is available in two places:
- As the value for ifconfig
- In the inet_addr field for eth0

To enable, disable, and configure a Secondary Network Interface Controller, or Dual NIC, select the Enable use of Ethernet1 port option, and specify the IP address and Subnet mask of the second NIC.

Note: By default, the primary NIC does not have the option to be disabled.

Click the Add Virtual IP button to bind multiple IP addresses to a single network interface. You will have to specify the IP address and Subnet mask, and then click Save. The new Virtual IP will display just below the interface you added it to.

41 SonicWALL Security Administrator s Guide 46 Note: CIFS Mount Settings Configuring Advanced Settings You are able to add or delete Virtual IPs to one or both NICs. However, updating an existing Virtual IP is not supported in this release. CIFS Mounting allows the mounting of an external drive to store the appliance s data. The available data on the current drive will be migrated to the external storage drive, which increases storage limit for the appliance. For Dual NIC, the same external drive can be mounted on both control centers to share the data. The two control centers can be configured to either share the load or as a failover. Provide the Hostname (FQDN), Shared Drive name, Remote Login User ID, and Remote Login Password. Then, click on one of the following: Mount This option will mount the external drive. If the external drive is empty, a warning message will display. Click Continue to migrate the local data to the external drive. If the external drive already contains Security-related data, the external drive will be directly mounted. Migrate This option will migrate local data to the external drive. Unmount This option will unmount the external drive, and revert back to the local drive. Note that the data stored on the external drive will not be migrated back to the local drive. Test Mount This option will test whether or not the external drive has successfully mounted. The Advanced Settings window enables you to configure logging levels, customize the SMTP banner, specify LDAP page size, and other advanced features including reinitialize to factory settings and download system/log files.! The Advanced page contains tested values that work well in most configurations. Changing these values can adversely affect performance. Configure the following settings: Customize the SMTP banner. Use this setting to customize the SMTP banner. 
When remote SMTP servers contact SonicWALL Security to send email through it, they see an SMTP header that identifies the server with whom they are communicating as a SonicWALL Security server. Some companies might want to hide this information and present their own custom SMTP banner header information. Be sure to use valid characters and syntax for an SMTP header.

Replace SonicWALL in Received: headers: Use this setting to replace the name in the Received: header. If you do not want to have the SonicWALL Security name in the Received headers when sending good email downstream to your servers, use this field to specify another value.

DNS timeout for Sender ID: Enter the number of seconds to search for the DNS record of the sender. If SonicWALL Security cannot find the DNS record in the number of seconds you specify, it times out and does not return the DNS record of the sender. The default value is two seconds. You can set this value from 1 to 30 seconds. For more information about SPF, see About Sender ID and SPF on page 54.

Reports data will be deleted when older than: Enter the number of days of data that you want to preserve for reporting information. Lowering this number means less disk space will be used, but you will not have report data older than the number of days specified. The default value is 366 days. If your organization's email volume is very high, you may want to consider reducing this number.

Permit users to add members of their own domain to their Allowed Lists: Use this check box to enable users to add people within your domain to their Allowed List. For example, if you work at example.com and check this check box, all users at example.com can be added to your Allowed list. As a result, their messages to internal users are not filtered by SonicWALL Security. You can either add people manually or SonicWALL Security automatically adds each person to whom users send email. The default setting is On.

Save a copy of every email that enters your organization: When archiving is enabled, folders containing the entire contents of every email are created in the logs directory of each SonicWALL Security server that analyzes email traffic.

Save a copy of every email that leaves your organization: When archiving is enabled, folders containing the entire contents of every email are created in the logs directory of each SonicWALL Security server that analyzes email traffic.

Log Level: Use this setting to change the log level for SonicWALL Security. By default, logging is enabled at level 3. You can set event logging from level 1, for maximum logging, to level 6, for minimum logging. Log files roll over at different sizes, or don't roll over at all.

Note: Do not adjust the log level unless you are troubleshooting a specific problem.

Click the Test Connectivity to reports database button to verify that you can access the Reports database. See the Reports and Monitoring chapter in this guide for more information on accessing and customizing reports.

Upload Patch

When a new SonicWALL Security firmware/software update becomes available, the SonicWALL Security appliance automatically downloads the update and alerts the administrator via email that it is available.
Upon logging in to the SonicWALL Security administrative interface, a popup screen displays, prompting the administrator to either click to update now or wait to update later.

In some instances an administrator may want or need to apply a patch manually. For example, if an administrator has multiple servers running in split configuration mode (Remote Analyzer/Control Center configuration), updates must be applied manually.

Note: Updating servers in split mode configuration requires that the Remote Analyzer be updated first and the Control Center updated last.

To apply a patch manually, perform the following steps:

1. Log into with your user name and password.
2. In the left-hand side navigation menu, click Download Center to access the list of available firmware/software.
3. Download the build onto your Security management machine (not to the Security appliance).
4. In SonicWALL Security, navigate to the System > Advanced page. In the Upload Patch section, click the Browse button to locate the executable file on your client machine.
5. Click the Apply Patch button to upload and install the signed installer executable.

As part of the upgrade process, the Security appliance/server will reboot. All the settings and data will be preserved.

Download System/Log Files

The administrator can download log files from SonicWALL Security to another computer.

Reinitialize to Factory Settings

An administrator may consider this advanced feature to set the server back to factory default values. Selecting Reinitialize to Factory Settings will wipe out all the user's configured data and reconfigure the SonicWALL Security server with another IP. On selecting the button, a warning dialogue box appears on the screen, prompting the user to confirm or cancel the reinitialize process.

Branding

Branding provides the ability to customize aspects of the user interface. Administrators can upload replacement assets for the key branding elements, including company name, logo, and other branding assets.

Quick Settings

The Quick Settings tab allows administrators to specify global settings for the most commonly modified asset files on the GUI. Note that any settings configured in this tab will override those specified by deployed packages.

Text Preferences

Contact Us URL: The Address or URL provided in this field appears as the Contact Us link that appears at the footer of each page. This field supports and mailto:.

Image Preferences

The image preference files can all be modified by clicking the Browse... button or clicking the Download icon to download the default SonicWALL image file. Note that an error message will display if you have uploaded an incorrect file type. The following are image preference files that can be modified:

Web Icon file: This field replaces the 4-bit SonicWALL S logo that appears in the address bar of every Webpage across all browser platforms.
Logon logotype file: This field replaces the logon, logout, and mini-logon generic bitmap that displays the SonicWALL challenge screen layout and design.
Logon backdrop art file: This field replaces the logotype bitmap that appears upon every challenge screen.
Page header art file: This field replaces the SonicWALL banner art bitmap at the top of each Webpage.
Page logotype file: This field replaces the short version of the SonicWALL logotype that appears at the top of each Webpage's banner art.
Pop-up Dialog art file: This field replaces the smaller version of the SonicWALL banner art that appears at the top of each pop-up dialog page.
Pop-up Dialog logotype file: This field replaces the smaller version of the SonicWALL logotype that appears at the top of each pop-up dialog's page banner art.

Junk Summary Preferences

The Junk Summary Preferences can all be modified by clicking the "Browse..." button or clicking the Download icon to download the default SonicWALL image file. Note that an error message will display if you have downloaded an incorrect file type. The following are Junk Summary preference files that can be modified:

Junkbox Summary logotype file: This field replaces the black-on-white logotype that always appears at the top of each Junkbox summary email.
Junkbox Summary header art file: This field replaces the Junkbox summary banner art bitmap at the top of each page.

Packages

The Packages tab allows administrators to manage, upload, and apply branding packages to their GUI. The Manage Packages table displays the available packages the administrator can apply to the GUI, including the SonicWALL brand package which may never be deleted. Administrators are able to edit or delete all other brand packages that have been uploaded.

CHAPTER 5
Anti-Spam Anti-Phishing Techniques

Managing Spam

SonicWALL Security uses multiple methods of detecting spam and other unwanted email. These include using specific Allowed and Blocked lists of people, domains, and mailing lists; patterns created by studying what other users mark as junk mail; and the ability to enable third-party blocked lists. You can define multiple methods of identifying spam for your organization; users can specify their individual preferences to a lesser extent. In addition, SonicWALL Security provides updated lists and collaborative thumbprints to aid in identifying spam and junk messages.

Spam Identification

SonicWALL Security uses a multi-prong approach to identifying spam and other unwanted email. It is useful to understand the general operation so you can build your lists appropriately.

When an email comes in, the sender of the email is checked against the various allowed and blocked lists first, starting with the corporate list, then the recipient's list, and finally the SonicWALL Security-provided lists. If a specific sender is on the corporate blocked list but that same sender is on a user's allowed list, the message is blocked, as the corporate settings are a higher priority than a user's.

More detailed lists take precedence over the more general lists. For example, if a message is received from [email protected] and your organization's Blocked list includes domain.com but a user's Allowed list contains the specific address [email protected], the message is not blocked because the sender's full address is in an Allowed list.

After all the lists are checked, if the message has not been identified as junk based on the Allowed and Blocked lists, SonicWALL Security analyzes message headers and contents, and uses collaborative thumbprinting to block email that contains junk.

Managing Spam through Default Settings

Use the Default Spam Management window to select options for dealing with spam and likely spam.
The default setting for spam and likely spam will quarantine the message in the user's junk box.

To manage messages marked as spam or likely spam:

1. Choose one of the following responses for messages marked as definite spam and likely spam:

Response: Effect
Definite Spam filtering off: SonicWALL Security does not filter messages for spam. All messages are passed through to the recipient.
Permanently Delete: The message is permanently deleted. CAUTION: If you select this option, your organization risks losing wanted email.
Bounce Back to Sender: The message is returned to sender with a message indicating that it was not deliverable.
Store in Junk Box (default setting): The message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions. This option is the recommended setting.
Send to: Enter the email address of the person to receive this email.
Tag With: The email is tagged with a term in the subject line, for example, [JUNK] or [Possible Junk?]. Selecting this option allows the user to have control of the email and can junk it if it is unwanted.

2. Check the Accept Automated Allowed List check box to accept automated lists that are created by User Profilers. User Profilers analyze your outbound traffic and automatically populate per-user white lists. This helps reduce false positives.
Note: If this check box is unchecked in the Corporate, Group, or User windows, User Profilers have no effect.
3. Check the Skip spam analysis for internal email check box to exclude internal emails from spam analysis.
4. Check the Allow users to delete junk check box to allow users to control the delete button on individual junk boxes.
Note: When you go on vacation, deselect this box so that your vacation-response reply does not automatically place all recipients on your Allowed list.
5. Click Apply Changes.

Adding People to Allowed and Blocked Lists for the Organization

You can add specific people's email addresses to organization-wide Allowed or Blocked lists. Use the People page. If the sender-id check fails, the Allowed list entry will be ignored. This page displays the email address of senders on the organization's Allowed or Blocked lists. The source of the address is shown in the right-hand column.

If you attempt to add your own email address or your organization's domain, SonicWALL Security will display a warning. A user's email address is not automatically added to the allowed list, because spammers sometimes use a recipient's own email address. Leaving the address off the allowed list does not prevent users from emailing themselves, but their emails are evaluated to determine if they are junk.

Note: These settings apply to the entire organization. Individual users can add or block people for their personal lists by clicking Anti-Spam Techniques > People in their SonicWALL Security user accounts. To see an individual user's lists, you must log in as that user. For more information, see Signing In as a User on page 1.

To search for an address, enter all or part of the email address. For example, entering sale displays [email protected] as well as [email protected].

To add people to the Allowed or Blocked lists:

1. Choose the Allowed or Blocked tab.
2. Click the Add button.
3. Enter one or more email addresses, separated by carriage returns, to add to the chosen list.

Notes:
You cannot put an address in both the Allowed and Blocked list simultaneously. If you add an address in one list that already exists on the other, it is removed from the first one.
SonicWALL Security will warn you if you attempt to add your own email address or your own organization.
Email addresses are case-insensitive; SonicWALL Security converts the address to lowercase.
SonicWALL Security will ignore any entries to the Allowed list if the sender-id (SPF) check fails. For more information on SPF, see Effects of SPF on Security Behavior on page 55.

Companies or Domains

You can allow and block messages from entire domains. If you do business with certain domains regularly, you can add the domain to the Allowed list; SonicWALL Security allows all users from that domain to send email. Similarly, if you have a domain you want to block, enter it here and all users from that domain are blocked.

Note: SonicWALL Security does not support adding top-level domain names such as .gov or .abc to the Allowed and Blocked lists.

To add domains to the Allowed or Blocked lists:

1. Choose the Allowed or Blocked tab.
2. Click the Add button.
3. Enter one or more domains, separated by carriage returns.

Notes:
A domain cannot be on both the Allowed and Blocked list at the same time. If you add a domain to one list and it already exists on the other, it is removed from the first list.
Domain names are case-insensitive and are converted to lowercase.
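The list rules from Spam Identification and the People and Domains notes above, modelled as an added Python example (not SonicWALL code and not part of the original guide). The addresses and domains are constructed sample values; reading the two precedence rules together as "most detailed entry first, then corporate before user before vendor-provided" and matching domains exactly are assumptions of this sketch.

```python
# Added illustration of the Allowed/Blocked list rules; names are hypothetical.
SCOPES = ("corporate", "user", "vendor")   # order in which lists are consulted


def normalise(entry):
    """Addresses and domains are case-insensitive and stored in lowercase."""
    entry = entry.strip().lower()
    domain = entry.rsplit("@", 1)[-1]
    if "." not in domain.strip("."):
        # bare top-level domains such as .gov are not accepted on the lists
        raise ValueError(f"top-level domain entries are not supported: {entry!r}")
    return entry


class ListPair:
    """One Allowed list and one Blocked list belonging to a single scope."""

    def __init__(self):
        self.allowed, self.blocked = set(), set()

    def add(self, entry, to):
        if to not in ("allowed", "blocked"):
            raise ValueError("to must be 'allowed' or 'blocked'")
        entry = normalise(entry)
        target, other = ((self.allowed, self.blocked) if to == "allowed"
                         else (self.blocked, self.allowed))
        other.discard(entry)   # an entry cannot sit on both lists at once
        target.add(entry)
        return entry


def check_sender(sender, lists, spf_failed=False):
    """Return (verdict, scope, matched_entry) for one sender address.

    lists maps a scope name from SCOPES to a ListPair. When the sender-id
    (SPF) check failed, Allowed entries are ignored; Blocked entries still apply.
    """
    sender = sender.strip().lower()
    domain = sender.rsplit("@", 1)[-1]
    # A full address is more detailed than its domain, so it is tried first.
    for key in (sender, domain):
        for scope in SCOPES:
            pair = lists.get(scope)
            if pair is None:
                continue
            if key in pair.blocked:
                return ("blocked", scope, key)
            if key in pair.allowed and not spf_failed:
                return ("allowed", scope, key)
    # No list decided: the message goes on to header and content analysis.
    return ("undecided", None, None)


def build_sample_lists():
    """Constructed sample data, not taken from the guide."""
    lists = {scope: ListPair() for scope in SCOPES}
    lists["corporate"].add("Domain.Example", "blocked")
    lists["corporate"].add("spammer@bulk.example", "blocked")
    lists["user"].add("alice@domain.example", "allowed")
    lists["user"].add("spammer@bulk.example", "allowed")
    lists["user"].add("partner.example", "allowed")
    return lists


if __name__ == "__main__":
    sample = build_sample_lists()
    for addr, failed in [("Alice@Domain.Example", False),
                         ("bob@domain.example", False),
                         ("spammer@bulk.example", False),
                         ("alice@domain.example", True),
                         ("carol@partner.example", True)]:
        print(addr, "spf_failed=%s" % failed, check_sender(addr, sample, failed))
```

With a failed sender-id check, the user's Allowed entry for alice@domain.example no longer applies, so the corporate block on the whole domain decides the message.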

Mailing Lists

SonicWALL Security enables you to add mailing lists, such as listserv lists, to your Allowed list. Mailing list email messages are handled differently than individuals and domains because SonicWALL Security looks at the recipient's address rather than the sender's. Because many mailing list messages appear spam-like, entering mailing list addresses prevents misclassified messages.

To add mailing lists:

1. Click Add.
2. Enter one or more email addresses, separated by carriage returns.

Email addresses are case-insensitive; the message is converted to lowercase.

Anti-Spam Aggressiveness

The Anti-Spam Aggressiveness window allows you to tailor SonicWALL Security to your organization's preferences. Configuring this window is optional. SonicWALL Security recommends using the default setting of Medium (or 3) unless you require different settings for specific types of spam blocking.

Configuring SMART Network Aggressiveness Settings

SMART Network refers to the SonicWALL Security user community. Every email that is junked by a user in SMART Network is summarized in the form of thumbprints. A thumbprint is an anonymous record of the junked email that contains no information about the user who received the mail or the contents of the mail. You can adjust SMART Network settings to customize the level of influence community input has on spam blocking for your organization. Updates are provided to your gateway server at defined intervals.

To adjust your settings, click one of the radio buttons from Mild (1) to Strong (5). A setting of 5 indicates that you are comfortable with the collective experience of the SonicWALL Security user community, and do not want to see more email. A setting of 1 or 2 indicates that you want to judge more email for yourself and rely less on the collective experience of SonicWALL Security's user community.
Configuring Adversarial Bayesian Aggressiveness Settings

The Adversarial Bayesian technique refers to SonicWALL Security's statistical engine that analyzes messages for many of the spam characteristics. This is the high-level setting for the Rules portion of spam blocking and lets you choose where you want to be in the continuum of choice and volume of email. This setting determines the threshold for how likely an email message is to be identified as junk email.

Use these settings to specify how stringently SonicWALL Security evaluates messages.

If you choose Mild (check box 1 or 2), you are likely to receive more questionable email in your mailbox and receive less email in the Junk Box. This can cause you to spend more time weeding unwanted email from your personal mailbox.
If you choose Medium (check box 3), you accept SonicWALL Security's spam-blocking evaluation.
If you choose Strong (check box 4 or 5), SonicWALL Security rules out greater amounts of spam for you. This can create a slightly higher probability of good email messages in your Junk Box.

Determining Amounts and Flavors of Spam

You can determine how aggressively to block particular types of spam, including sexual content, offensive language, get rich quick, gambling, and advertisements.

For each of the spam flavors:

Choose Mild (check box 1) to be able to view email that contains terms that relate to these topics.
Choose Medium (check box 2 through 4) to cause SonicWALL Security to tag this email as likely junk.
Choose Strong (check box 5) to make it more likely that email with this content is junked.

For example, the administrator has determined that they want to receive no email with sexual content by selecting Strong (5). They are less concerned about receiving advertisements, and selected Mild (1). You can also choose whether to allow users to unjunk specific flavors of spam.

Authenticating the Sender's Domain via Sender ID

Select the Consider Sender ID in statistical evaluation check box.

About Sender ID and SPF

Many senders of junk messages spoof email addresses to make their email appear more legitimate and compelling. When you send an email message, the email contains information about the domain from which the message was sent. Sender ID, sometimes called Sender Policy Framework (SPF), is a system that checks the sender's DNS records. SonicWALL Security determines whether the IP address from which the message was sent matches the purported domain. Many organizations publish their list of IP addresses that are authorized to send email so that recipients' MTAs can authenticate the domain of messages that claim to be from that address.

SonicWALL Security uses the following system to determine if the sender is authorized to send email from the purported address:

1. Stores the IP address of the SMTP client that delivered the message, which is the Source IP address.
2. Finds the sender of the message, and stores the domain that the message claims to be from.
3. Using the Domain Name System (DNS), queries the domain for its Sender ID record, if it is published. Those records are published by many domain owners, and create a list of IP addresses that are authorized to send mail for that domain.
4. Validates that the domain authorizes the Source IP address in its SPF record.

Below is a simple example:

SonicWALL Security receives a message from
In the message, SonicWALL Security finds From: [email protected] so it uses example.com as the domain.
SonicWALL Security queries example.com for its SPF record
The SPF record published at example.com lists as a system that is authorized to send mail for example.com, so SonicWALL Security gives this message an SPF = pass result.

This information is taken into account by SonicWALL Security in the determination of spam.

Sender ID or SPF Implementation Notes

To use Sender ID or SPF effectively, SonicWALL Security must be the first-touch server. SonicWALL Security factors each message's SPF score as a portion of information used by its spam-detection engine. SonicWALL Security needs the Source IP address of the SMTP client sending messages. Thus, if your SonicWALL Security is downstream from another MTA, for example, Postfix or SendMail, this check will not provide useful information, since all of the messages will come from the IP address of your Postfix or SendMail server.
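The four-step check described above, worked through as an added Python example (not SonicWALL code and not part of the original guide). The TXT records, domains and IP addresses are constructed documentation values, DNS is replaced by an in-memory dictionary so the code runs offline, and only the ip4, ip6, include and all terms of an SPF record are handled.

```python
import ipaddress

# Constructed TXT data standing in for DNS so the example runs offline.
# Domains and addresses are documentation values, not taken from the guide.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all",
    "newsletter.example": "v=spf1 ip4:203.0.113.7 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def sender_domain(sender):
    """Step 2: the domain the message claims to be from."""
    return sender.strip().strip("<>").rsplit("@", 1)[-1].lower()


def check_spf(source_ip, domain, zone=ZONE, depth=0):
    """Steps 3 and 4: fetch the domain's record and test the source IP."""
    if depth > 10:                       # guard against include loops
        return "permerror"
    terms = zone.get(domain.lower().rstrip("."), "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                    # the domain publishes no SPF record
    ip = ipaddress.ip_address(source_ip)
    for term in terms[1:]:               # terms are evaluated left to right
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            nested = check_spf(source_ip, arg, zone, depth + 1)
            if nested in ("none", "permerror"):
                return "permerror"
            matched = nested == "pass"   # include matches only on a nested pass
        else:
            raise ValueError(f"term not handled in this example: {term}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # no term matched and no "all" present


def evaluate(source_ip, sender, zone=ZONE):
    """Steps 1-4 for one SMTP connection; returns (domain, result)."""
    domain = sender_domain(sender)
    return domain, check_spf(source_ip, domain, zone)


if __name__ == "__main__":
    connections = [                      # (Source IP, claimed sender), constructed
        ("192.0.2.10", "user@example.com"),
        ("2001:db8::25", "user@example.com"),
        ("203.0.113.99", "user@example.com"),
        ("192.0.2.10", "news@newsletter.example"),
        ("192.0.2.10", "someone@nospf.example"),
        ("10.1.1.5", "user@example.com"),   # internal relay in front of the filter
    ]
    for ip, sender in connections:
        print(ip, sender, evaluate(ip, sender))
```

The last connection shows the first-touch requirement: when an upstream MTA relays the mail, the Source IP is the relay's own address, so a message legitimately sent from example.com evaluates as fail.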

Note: SonicWALL Security performance might vary if you enable Sender ID because each email is placed on hold while the DNS server is being queried.

Effects of SPF on Security Behavior

SonicWALL Security relies on SPF to help define a message as spam or likely spam. As implemented, SPF can return a soft failure or a hard failure when validating the sender's MAIL FROM field. A hard failure causes the message to be marked as likely spam even when no other test confirms it. With confirmation from another Security plug-in, the message can be marked as definite spam. A soft failure by SPF lends weight to the classification of a message as spam or likely spam, but is not enough to mark the message by itself.

If the sending domain does not publish SPF records, Security does not use SPF to take any action. In cases where a certain domain is on a user's Allowed list, an SPF soft or hard failure will still prevent spam based on spoofed use of the allowed domain. Once Security determines that a domain has been spoofed in an incoming message, it disables checking of the Allowed list.

Publishing Your SPF Record

SonicWALL strongly recommends that you publish your SPF records to prevent spammers from spoofing your domain. When spammers spoof your domain, your domain can receive a high volume of bounced messages due to fraudulent or junk email that appears to come from your domain. Implementing SPF prevents your company's branding from being diluted.

For assistance in setting up your SPF records, go to

To see an example of an SPF record, you can use a tool such as nslookup from your favorite shell. As an example, to query SPF records for AOL, type:

    nslookup -query=txt aol.com

Languages

You can allow, block, or enter no opinion on email in various languages. If you enter No opinion, SonicWALL Security judges the content of the email message based on the SonicWALL Security modules that are installed.

Note: Some spam email messages are seen in English with a background encoded in different character sets such as Cyrillic, Baltic, or Turkish. This is done by spammers to bypass the anti-spam mechanism that only scans for words in English. In general, unless used, it is recommended to exclude these character sets. Common languages such as Spanish and German are normally not blocked.

Black List Services (BLS)

Public and subscription-based black list services, such as the Mail Abuse Prevention System (MAPS), Real-time Blackhole List (RBL), Relay Spam Stopper (RSS), Open Relay Behavior-modification Systems (ORBS) and others, are regularly updated with domain names and IP addresses of known spammers. SonicWALL Security can be configured to query these lists and identify spam originating from any of their known spam addresses.

Note: SonicWALL Security performance may vary if you add Black List Services because each email is placed on hold while the BLS service is queried.

Add

Click Add and enter the server name of the black list service, for example list.dsbl.org. Each black list service is automatically enabled when you add it.

Email that Arrives from Sources on the Black Lists Services

Check the Treat all email that arrives from sources on Black List Services as Likely Spam check box to prevent users from receiving messages from known spammers. If you check this box, you will be warned that enabling this feature increases the risk of false positives, and you may not receive some legitimate email.

Managing Spam Submissions and Probe Accounts

Use the Spam Submissions page to manage email that is miscategorized and to create probe accounts to collect spam and catch malicious hackers. Managing miscategorized email and creating probe accounts increases the efficiency of SonicWALL Security's spam management. This page enables administrators and users to forward the following miscategorized email messages to their IT groups, create probe accounts, and accept automated allowed lists to prevent spam.

Managing Miscategorized Messages

The following diagrams illustrate the process of junk email submissions. They show how junk email that was missed by SonicWALL Security (also known as false negatives) is sent to SonicWALL Security's Research Laboratory for analysis. They also show how good email that was junked by SonicWALL Security (also known as false positives) is sent to SonicWALL Security's Collaborative laboratory for analysis.

[Figure: Submitting missed and miscategorized email messages]

What Happens to Miscategorized Messages

The following happens when an email message is miscategorized:

For false negatives, SonicWALL Security adds the sender address of the junked email to the user's Blocked List so that future email messages from this sender are blocked. (The original sender is blacklisted for the original recipient.)
For false positives, SonicWALL Security adds the addresses of good email senders that were unjunked to the user's Allowed List. (The original sender is whitelisted for the original recipient.)
If the sender is the user's own email address, the address is not added to the allowed list, because spammers send email pretending to be from the user. Email sent to and from the same address will always be evaluated to determine if it is junk.
These messages are sent to the global collaborative database. Good mail that was unjunked is analyzed to determine why it was categorized as junk.

Forwarding Miscategorized Email to SonicWALL Security

You must set up your system so that email sent to the [email protected]_domain.com and [email protected]_domain.com passes through SonicWALL Security.

Note: The email addressed to [email protected]_domain.com and [email protected]_domain.com must pass through SonicWALL Security so that it can be operated on. The same domain as the domain that is used to forward emails to. Using a domain that does not route, such as fixit.please.com, is recommended.

Configuring Submit-Junk and Submit-Good Accounts

Mail is considered miscategorized if SonicWALL Security puts wanted (good) email in the Junk Box or if SonicWALL Security delivers unwanted email in the user's inbox. If a user receives a miscategorized email, they can update their personal Allowed list and Blocked list to customize their filtering effectiveness. This system is similar to the benefits of running MailFrontier Desktop in conjunction with SonicWALL Security, and clicking Junk or Unjunk messages, but does not require SonicWALL Security Desktop to be installed.

The administrator can define two email addresses within the appropriate configuration page in SonicWALL Security, such as [email protected]_domain.com and [email protected]_domain.com. As SonicWALL Security receives email sent to these addresses, it finds the original email, and appropriately updates the user's personal Allowed and Blocked list.

Note: Users must forward their miscategorized email directly to these addresses after you define them so that SonicWALL Security can learn about miscategorized messages.

Problem with Forwarding Miscategorized Email

A problem can arise if the user sends an email to [email protected]_domain.com, and the local mail server (Exchange, Notes, or other mail server) is authoritative for this domain, and does not forward it to SonicWALL Security. There are a few ways around this problem; the most common solution is included below as an example.

To forward the missed email to SonicWALL Security for analysis:

1. Add the this_is_spam and not_spam email addresses as [email protected]_domain.com and [email protected]_domain.com into the SonicWALL Security Junk Submission text boxes.
Note: Create an A and an MX record in your internal DNS that resolves es.your_domain.com to your SonicWALL Security server's IP address.
2. Tell users to forward mail to [email protected]_domain.com or [email protected]_domain.com. The mail goes directly to the SonicWALL Security servers.

Probe Accounts

Probe accounts are accounts that are established on the Internet for the sole purpose of collecting spam and tracking hackers. SonicWALL Security suggests that you use the name of a past employee as the name in a probe account, for example, [email protected].

Configure the Probe Account fields to cause any email sent to your organization to create fictitious email accounts from which mail is sent directly to SonicWALL, Inc. for analysis. Adding this junk email to the set of junk email messages that SonicWALL Security blocks enhances spam protection for your organization and other users. If you configure probe accounts, the contents of the email will be sent to SonicWALL, Inc. for analysis.

Managing Spam Submissions

To manage spam submissions:

1. Click Anti-Spam Techniques > Spam Submissions. The Spam Submission window appears.
2. Enter an email address in Submitting Missed Spam. For example, you might address all missed spam to submitmissedspam@your_domain.com.
3. Enter an email address in Submitting Junked Good Mail. For example, you might address all misplaced good email to submitgood@your_domain.com.
4. Establish one or more Probe Accounts. Enter the email address of an account you want to use to collect junk email. The email address does not have to be in LDAP, but it does have to be an email address that is routed to your organization and passes through SonicWALL Security. For example, you might create a probe account with the address probeaccount1@your_domain.com.
A probe account should NOT contain an email address that is used for any purpose other than collecting junk email. If you enter an email address that is in use, the owner of that email address will never receive another email - good or junk - again, because all email sent to that address will be redirected to the SonicWALL corporation's data center.
5. Click the Apply Changes button.

Anti-Phishing

SonicWALL Security's Anti-Spam Anti-Phishing module protects organizations against email containing fraudulent content. There are two audiences for fraud: the consumer and enterprise users. SonicWALL Security focuses on preventing fraud that enters the enterprise via email. Email is an entry point for malicious hackers.

What is Enterprise Phishing?

There are numerous types of enterprise phishing.

Consumer phishers try to con users into revealing personal information such as social security numbers, bank account information, credit card numbers, and driver's license identification. This is known as identity theft. Recouping from having a phisher steal your identity can take many hours and can cost consumers many dollars. Being phished can bring your life to a virtual standstill as you contact credit card companies, banks, state agencies, and others to regain your identity.

Enterprise phishers attempt to trick users into revealing the organization's confidential information. This can cost thousands of executive and legal team hours and dollars. An organization's electronic-information life can stop abruptly if hackers deny services, disrupt email, or infiltrate sensitive databases.

Phishing aimed at the IT group in the organization can take the following forms:

Email that appears to be from an enterprise service provider, such as a DNS server, can cause your organization's network to virtually disappear from the Web.
Hacking into your web site can cause it to be shut down, altered, or defaced.
Email might request passwords to highly sensitive databases, such as Human Resources or strategic marketing information. The email might take the form of bogus preventive maintenance.
Other information inside the organization's firewall, such as Directory Harvest Attacks (DHA) to monitor your users.

Phishing can also take the form of malicious hackers spoofing your organization. Email sent that appears to come from your organization can damage your community image and hurt your customers in the following ways:

Spoofed email can ask customers to confirm their personal information.
Spoofed email can ask customers to download new software releases, which are bogus and infected with viruses.

Preventing Phishing

Phishing harms organizations and consumers by raising the price of doing business, which raises the cost of goods and services. SonicWALL Security prevents phishing through:

Adapting SonicWALL Security's spam-fighting heuristics to phishing.
Divergence Detection™, which ensures that all contact points are legitimate. Contact points include email addresses, URLs, phone numbers, and physical addresses.
Sender ID or Sender Policy Framework (SPF), a system that attempts to validate that a message is from the domain from which it purports to be. Sender ID authenticates that the domain from which the sender's message reports matches one of the IP addresses published by that domain. SonicWALL Security factors Sender ID pass or fail into its junk algorithm. For more information about Sender ID, see Authenticating the Sender's Domain via Sender ID on page 54.

Configuring Phishing Protection

To configure SonicWALL Security to screen for phishing:
1. Navigate to the Anti-Phishing page. Click the radio button to choose which action to take for messages that contain Phishing.
2. Click the radio button to choose which action to take for messages that contain Likely Phishing.
3. Check the Allow users to unjunk phishing messages checkbox if you want to allow users to unjunk fraudulent messages.
4. Enter one or more email addresses of people designated to receive proactive phishing alerts.
5. To send copies of fraudulent email messages to a person or people designated to deal with them, enter the recipients' email addresses in the Send copies of emails containing phishing attacks to the following email addresses text box.
6. Click Apply Changes.

Use SonicWALL Security's Community to Alert Others

Phishing is continuously evolving and adapting to weaknesses in the organization's network. Malicious hackers use any known weakness to infiltrate the corporate firewall. SonicWALL Security has tuned and enhanced their spam-management techniques to prevent phishing. SonicWALL Security also collects incidences of phishing and summarizes the email addresses, text, phone numbers, and domains of phishing perpetrators in a database, which stores the thumbprints of the phishing message.

Report Phishing and Other Enterprise Fraud to SonicWALL Security

SonicWALL Security alerts organizations to phishing attacks. SonicWALL Security needs you to report fraudulent email messages to mailto:[email protected]. Reporting phishing enables SonicWALL Security to alert other users to the phishing attacks you experienced.

CHAPTER 6
Anti-Virus Techniques

How Virus Checking Works

SonicWALL Security's Anti-Virus modules protect your organization from inbound email-borne viruses and prevent your employees from sending viruses with outbound email. Once SonicWALL Security has identified the email message or attachment that contains a virus or is likely to contain a virus, you choose how to manage the virus-infected email. Optional virus-protection modules for the entire organization are available.

The Anti-Virus modules use virus-detection engines to scan email messages and attachments for viruses, Trojan horses, worms, and other types of malicious content. The virus-detection engines receive periodic updates to keep them current with the latest definitions of viruses.

SonicWALL Security supports McAfee and Kaspersky virus-detection engines. You can choose to buy and deploy one or both virus-detection engines supported by SonicWALL Security. Messages determined to be dangerous by the McAfee or Kaspersky engine are categorized as Viruses. SonicWALL Security also supports the SonicWALL GRID antivirus automatically. GRID virus detection works with the McAfee and Kaspersky virus-detection engines to improve your protection from virus payloads.

When any one of the virus-detection engines is activated, you also get the benefit of SonicWALL Security's Time Zero Virus Technology. This technology uses heuristic statistical methodology and virus outbreak responsive techniques to determine the probability that a message contains a virus. If the probability meets certain levels, the message is categorized as Likely Virus. This technology complements virus-detection engines, and enabling it provides the greatest protection for time zero viruses, the first hours that a virus is released, when major anti-virus companies have not yet modified their virus definitions to catch it.

Preventing Viruses and Likely Viruses in Email

To configure anti-virus protection
1. Log in as the Security Administrator.
2. Navigate to the Anti-Virus Techniques page. The Anti-Virus window appears.

If you have licensed more than one virus-detection engine, they will all work in tandem. Licensed virus-detection engines can be used on both inbound and outbound paths.

3. Determine how to treat email messages that contain Viruses or Likely Viruses and select the action to take.
4. Click the Allow Unjunk checkbox to allow users to view messages with viruses from Junk Box. SonicWALL Security removes the virus from the email message before the user retrieves it.

Action: Virus Filtering Off
Consequence: SonicWALL Security passes this email through to users without stripping the viruses or likely viruses.
Additional Information: This choice provides no screening for viruses or likely viruses.

Action: Permanently Delete
Consequence: SonicWALL Security permanently deletes this message.
Additional Information: This is a secure option for the enterprise because the virus or likely virus is permanently deleted. However, neither the receiver nor the sender knows that the email message contained a virus or likely virus, and once the message is deleted, you cannot retrieve it.

Action: Bounce Back to Sender
Consequence: SonicWALL Security bounces the email back to the sender with the virus removed.
Additional Information: The sender is notified of the virus or likely virus in the email.

Action: Store in Junk Box (default setting)
Consequence: SonicWALL Security stores the email in the Junk Box. If you click the Allow Users to Unjunk button, users can unjunk the message.
Additional Information: Mail is stored in Junk Box. If you click the Allow Users To Unjunk button, users can receive the message, with the virus or likely virus removed. NOTE: SonicWALL Security recommends this option because you can retrieve the message after SonicWALL Security strips the virus.

Action: Send To
Consequence: SonicWALL Security sends the email to a specified email address.
Additional Information: Option allows messages to be copied to a specific email address.

Action: Tag with [VIRUS] or [LIKELY VIRUS]
Consequence: SonicWALL Security delivers the email to the addressee and strips the virus. The subject is tagged with [VIRUS], or [LIKELY VIRUS] or another administrator-specified term.
Additional Information: You can enter another tag in the text box or use the default [VIRUS] or [LIKELY VIRUS].

5. Click Apply Changes.

Checking for Updates

To determine how frequently you want to check for virus definition updates
1. Click System > Updates. The Updates window appears.
2. Choose a time interval from the dropdown list adjacent to Check for Spam, Phishing, and Virus Blocking Updates. You can choose every 5 minutes to every 2 hours.
3. Click the Apply Changes button.

Zombie and Spyware Protection

Unauthorized software may be running on a computer within your organization sending out junk email messages such as: spam, phishing, virus, or other unauthorized content. This scenario could happen if your organization was subjected to a virus attack called Trojans or a user downloaded something from the web and unauthorized software got installed without the user's knowledge. These unauthorized software programs that send out malicious content are called Zombies or Spyware.

SonicWALL Security's Zombie and Spyware Protection technology brings the same high standard of threat protection available on the inbound email path to email messages leaving your organization through the outbound email path.

To enable Zombie and Spyware Protection, navigate to the Anti-Virus Techniques page, click on the Outbound tab and check the box Enable Zombie and Spyware Protection.

Action: Action for messages identified as Definite Viruses leaving your organization:
Description: Select one of the following settings:
- Definite Virus filtering off (deliver message to users): Virus filtering is disabled and messages are delivered to users without stripping the viruses or likely viruses.
- Permanently delete: The message is permanently deleted.
- Bounce back to sender: The message is sent back to the sender with the virus removed.
- Store in Junk box (recommended for most configurations): Identified messages that contain viruses are stripped of the virus attachment and stored in the Junk Box. If you click the Allow Users to Unjunk button, users can receive the message with the virus or likely virus removed.
- Send to: Enter a designated email address.

Action: Action for messages identified by SonicWALL's Time Zero Virus Technology as Likely Viruses leaving your organization:
Description: SonicWALL's Time Zero Virus Technology uses a combination of Predictive and Responsive techniques to identify messages with a possible virus. This technology is most useful when a virus first appears and before a virus signature is available to identify, stop and clean the virus. Select one of the following settings:
- Likely Virus filtering off (deliver message to users): Virus filtering is disabled and messages are delivered to users without stripping the viruses or likely viruses.
- Permanently delete: The message is permanently deleted.
- Bounce back to sender: The message is sent back to the sender with the virus removed.
- Store in Junk box (recommended for most configurations): Identified messages that contain viruses are stored in the Junk Box. If you click the Allow Users to Unjunk button, users can receive the message with the virus or likely virus removed.
- Send to: Enter a designated email address.

Action: Enable Zombie and Spyware Protection to block spam, phishing attacks, and virus zombies and to alert administrators immediately when a zombie has infected your organization:
Description: This feature is not enabled by default. Select this checkbox to enable Zombie and Spyware Protection. Once the Zombie and Spyware Protection is selected, the fields in the three sections below become active.

Action: Monitoring for Zombie and Spyware Activity:
Description: These settings do not take any action other than alerting the administrator of a potential zombie infection. Select any of the check boxes to send an alert to the administrator if:
- Email is sent from an address not in the LDAP within the last hour.
- More than (select a number) messages are identified as possible threats within the last hour.
- More than (select a number) messages are sent by one user within an hour.

Action: Actions to take when emails are sent by Zombies:
Description: These settings can affect email flow leaving your organization. Choose actions for messages leaving your organization that are identified as a threat, and choose whether to activate or deactivate Outbound Safe Mode. Outbound Safe Mode, when enabled, blocks all emails with potentially dangerous attachments from leaving your organization. Outbound Safe Mode, when enabled, minimizes the possibility of new virus outbreaks spreading through your outbound email traffic. This setting is most useful when a virus first appears and before a virus signature is available to identify, stop and clean the virus.

Action: Specify senders that will not trigger alerts or actions:
Description: Enter the email addresses in this box that you want exempt from Zombie Protection. (This list might include any email addresses that are not in LDAP and addresses that are expected to send a lot of messages.)

CHAPTER 7
Auditing

SonicWALL Security's Auditing module enables the user to monitor all emails, both inbound and outbound, that pass through SonicWALL Security. This allows the user to monitor where emails have filtered into or locate the destination of a particular email.

Auditing

The Auditing window can track the path of any message that passes through SonicWALL Security. The Auditing window contains a search display that the administrator uses to search inbound or outbound emails. SonicWALL now uses a search engine to search on audit and junk messages. Refer to Supported Search in Audit and Junkbox on page 12 for more information about the search types.

Searching Inbound and Outbound Emails

Audit Simple View

Inbound emails processed by SonicWALL Security are those that originate from outside of your organization, including the total number of junk messages and good messages. Below the search section a list of emails is displayed with the following information:
- the recipient of the email
- where the email is located
- the subject heading of the email
- the sender of the email
- the date of the email from the header

Outbound emails processed by SonicWALL Security are those that come from the recipients of your organization. This includes both junk emails and good emails.

To use the Audit Simple View
1. Search for messages containing specific strings in the following fields: To, Subject, or From. Note that the search is not case-sensitive.
2. Select the specific date to search on any particular date.
3. Click Search.

Audit Advanced View

This view provides support to search on multiple fields to get the results in more granularity.

To use Advanced Search
1. On the Auditing page, click the Advanced View button.
2. To search for specific threat types, or in specific mail locations, select the desired checkboxes.
3. Click Search. Messages matching your search criteria are displayed.

To move quickly through results pages, click in the field that says Page 1 of 14 and type the result page you want to view. You can also change the number of messages displayed on each page.

As an example, suppose you wanted to see only messages that were Spam or Likely Spam. Clear all the checkboxes except the Show *Spam and Show Likely Spam check boxes. Leave all the locations selected and click Search.

Configure Auditing

The Configure Auditing window allows you to tailor SonicWALL Security to your organization's preferences for auditing emails. Configuration in this window is optional. SonicWALL Security sets the default in the on positions with a default of 30 days for keeping auditing files.

To turn on Configure Auditing
1. Navigate to the Auditing module.
2. Click the Configure Auditing button located in the upper-left corner of the Auditing page.
3. Select the radio button(s) in the On position for the following:
   - Auditing for inbound email
   - Auditing for outbound email
4. Select the length of time from the drop-down list to audit messages. Time ranges from one day to seven years.
5. Click the Apply button.

Message Audit

SonicWALL Security enables you to diagnose why an email failed through the Message Audit window. To activate the window, click on the desired email address which is displayed in the inbound or outbound tab. SonicWALL Security displays the message audit.

When the message audit window is open, data is displayed about the actions of the email, such as the IP address of the computer that sent the email, and also the details about the email itself, such as the subject heading and message size.

Table 1: Message actions and message details with their descriptions.

Message Action: Description
Arrived into gateway from: Shows the IP address from the computer that sent the email. The date and time are taken from the email header.
Direction: The email is either inbound or outbound.
Arrival notes: Additional information about the arrival of the email, e.g. if the email arrived encrypted.
Audit trails: Provides information on what happens to the email on a per recipient basis.

Message Field: Description
Subject: Subject title of the email
From: Sender's email address
To: Recipient's email address
Date Received: Date and time, taken from the email header
Message Size: Message size
Threat: Identifies the threat status of the email
Category: Identifies the subtype of spam the email is categorized with
Attachment: Attachment

Judgment Details

The SonicWALL Judgment Details feature allows administrators to view blocked email and determine why it was blocked. This additional information allows them to tune their filters better and reduce false positives.

Judgment Details are a description of why a particular message was flagged as junk or possible junk by SonicWALL Security. This might include keywords, suspicious headers, or other data that indicates a message is not legitimate. This information is only available to administrators.

SonicWALL Security has always collected data on why a particular email was rejected. A simplified version of the judgment details appears to users in their junk boxes, explaining that their messages were flagged as having attributes of a particular category of junk mail, including phishing or gambling. Judgment Details for administrators is a much more fine-grained tool that identifies exactly which words, phrases, headers, or contents caused SonicWALL Security to put the message in the Junk Box.

Using Judgment Details

Full judgment details are only available if judgment detail auditing has been configured on the auditing page. Auditing must also be turned on, or judgment detail auditing information is not stored. Only administrators can view judgment details.

Turn on auditing for judgment details
1. Log in as the Security administrator.
2. Click Auditing.
3. Click the Configure Auditing button at the top of the page.
4. Select the On button next to Auditing for inbound email.
5. Select the On button next to Auditing for outbound email (if relevant).
6. Select the On button next to Enable Effectiveness Details logging.

While this option is selected, each piece of email that is sent to the junk box has a record of the judgment details appended to it. Only emails that are sorted after the auditing for judgment details is turned on will have full details.

When judgment detail is being audited, an administrator can view a message. In addition to the existing message details, there will be a list of judgment details.

To view judgment details
1. Log in as the Security administrator.
2. Click Auditing.
3. Configure the search to find the message(s) you are interested in viewing and click Search.
4. Click on the link in the Subject column for the message you want details on.
5. You will see the Message Audit window. Your judgment details appear as a part of this window.

The specific fields recorded depend on whether the message was inbound or outbound. Not all fields will appear all the time: fewer judgment details are collected on outbound messages.

Effectiveness Field: Description
Anti-Virus: Which of your virus scanners was first to find a virus in the message.
Policy: The name of the policy that blocked emails with this characteristic.
People, Companies, Lists: If this message was blocked because of a list you configured, which list item occurred in the message.
Anti-Spam Aggressiveness: Depending on the aggressiveness settings you have configured, where this message falls on the sensitivity ratings.
Significant Keywords and Phrases Found: Which words in the email increased the email's score.
Spammer's Tricks: Known spammer tricks that have been coded against. Only the first-found spammer trick is reported in this window.
Language Detected: Which language the email is in. Some organizations block languages they do not expect.
GRID Network Reputation: Reports from other users about this Sender ID
Misc: The reason a message was allowed through without checking. This is usually because the message is from a sender in the same domain as the recipient.

CHAPTER 8
Policy & Compliance

SonicWALL Security's Policy Management module enables you to write policies to filter messages and their contents as they enter or exit your organization. Policies can be defined only by an administrator. Typical uses of policies include capturing messages that contain certain business terms, such as trademarked product names, company intellectual property and dangerous file attachments.

Note: Policy & Compliance has precedence over the Address Books. For example, if you add [email protected] to your Allowed List, but the administrator has a policy to quarantine all mails from [email protected], the message will be quarantined.

Standard Module vs. Compliance Module

The SonicWALL Security Policy & Compliance Module is divided into two subsections:

1. Standard Module
This module comes activated through the Security Base License Key that deploys with SonicWALL Security and includes access to the following features in the left-hand navigation menu:
- Filters on page 6
- Policy Groups on page

2. Compliance Module
This module is accessible through the optional purchase of a Compliance Subscription License Key. The module contains the following features in the left-hand navigation menu:
- Dictionaries on page 14
- Approval Boxes on page 15
- Encryption on page 16
- Record ID Definitions on page 16
- Archiving on page 17

Basic Concepts for Policy Management

Policy Management enables you to filter email based on message contents and attachments. You can filter for specific terms that you want, such as terms in your product, or terms you do not want in your organization's email. You manage policy by creating filters in which you specify the words to search for in content, senders, or other parts of the email. After filtering for specified characteristics, you can choose from a list of actions to apply to the message and its attachments.

Defining Word Usage

In the context of Policy Management, a word is a series of alphabetic characters and numbers with no spaces.

Punctuation: Slash
Character: /

Punctuation allowed as first or last character but not in the middle:
Dollar sign. Character: $. Example: $100
Percent sign. Character: %. Example: 100%

Punctuation allowed in the middle but not as first or last character:
Period. Character: . Example: is allowed. .mail or mail. are not allowed.
At sign. Character: @. Example: [email protected]
Ampersand. Character: &. Example: AT&T
Colon. Character: :
Hyphen. Character: -. Example: xxx-yyy

All other punctuation is used as word separators to split words. Punctuation in this category includes the following characters:

~ ! # ^ * + = { } [ ] ; " < > , ? \ ` ( )

For example, X~Y is treated as two words, X and Y.

Defining Email Address Matching

Policy Management can do intelligent matching for email addresses in the From and To/CC/BCC fields. The table compares each address field against three matching strings: jdoe, company.com, and [email protected].

Address field [email protected]: jdoe: Match. company.com: Match. [email protected]: Match.
Address field [email protected]: jdoe: No Match. company.com: Match. [email protected]: No Match.
Address field [email protected]: jdoe: Match. company.com: No Match. [email protected]: No Match.

Defining Intelligent Email Attachment Matching

When you create a policy to detect attachments based on file extension, by default, SonicWALL Security will do simple matching based on the specified file extension. If the attachment has been renamed to have a different file extension, this simple matching will not detect that. To accurately detect attachments without relying on the file extension, select the Intelligent Attachment Matching checkbox. For example, an executable attachment renamed to a .txt extension can be matched as an executable.

SonicWALL Security supports Intelligent Attachment Matching for the following file extensions.

File Format: Extension
Bitmap format: .bmp
FITS format: .fits
GIF format: .gif
Graphics Kernel System: .gks
IRIS rgb format: .rgb
ITC (CMU WM) format: .itc
JPEG File Interchange Format: .jpg
NIFF (Navy TIFF): .nif
PM format: .pm
PNG format: .png
Postscript format: .[e]ps
Sun Rasterfile: .ras
Targa format: .tga
TIFF format (Motorola - big endian): .tif
TIFF format (Intel - little endian): .tif
X11 Bitmap format: .xbm
XCF Gimp file structure: .xcf
Xfig format: .fig
XPM format: .xpm
Bzip: .bz
Compress: .Z
gzip format: .gz
pkzip format: .zip
TAR (pre-posix): .tar
TAR (POSIX): .tar
MS-DOS, OS/2 or MS Windows: .exe
Unix elf
pgp public ring
pgp security ring
pgp security ring
pgp encrypted data
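The difference between simple extension matching and content-based matching, as an added example that is not SonicWALL's implementation: it identifies a subset of the formats listed above by their leading magic bytes and reports attachments whose extension disagrees with their content. The function names, the choice of signatures (including the bzip2 magic under the "Bzip" row) and the sample attachments are assumptions constructed for this illustration.

```python
import os

# (offset, magic bytes, format name as in the table above, usual extensions).
# Longer signatures come first. Two-byte magics such as "MZ" and "BM" can also
# begin ordinary text, which is one source of false positives.
SIGNATURES = [
    (0, b"\x89PNG\r\n\x1a\n", "PNG format", {".png"}),
    (0, b"GIF87a", "GIF format", {".gif"}),
    (0, b"GIF89a", "GIF format", {".gif"}),
    (257, b"ustar", "TAR (POSIX)", {".tar"}),
    (0, b"PK\x03\x04", "pkzip format", {".zip"}),
    (0, b"\x7fELF", "Unix elf", {""}),
    (0, b"MM\x00*", "TIFF format (Motorola - big endian)", {".tif"}),
    (0, b"II*\x00", "TIFF format (Intel - little endian)", {".tif"}),
    (0, b"%!PS", "Postscript format", {".ps", ".eps"}),
    (0, b"\xff\xd8\xff", "JPEG File Interchange Format", {".jpg"}),
    (0, b"BZh", "Bzip", {".bz"}),          # bzip2 magic (assumption for this row)
    (0, b"\x1f\x8b", "gzip format", {".gz"}),
    (0, b"\x1f\x9d", "Compress", {".z"}),
    (0, b"MZ", "MS-DOS, OS/2 or MS Windows", {".exe"}),
    (0, b"BM", "Bitmap format", {".bmp"}),
]


def sniff(data):
    """Return (format name, usual extensions) from content, or (None, set())."""
    for offset, magic, name, extensions in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name, extensions
    return None, set()


def evaluate(filename, data, blocked_extensions, blocked_formats):
    """Compare the extension-only verdict with the content-based verdict."""
    extension = os.path.splitext(filename)[1].lower()
    detected, usual = sniff(data)
    return {
        "simple_match": extension in blocked_extensions,
        "intelligent_match": detected in blocked_formats,
        "detected": detected,
        # Content is a known format but the name claims something else.
        "renamed": detected is not None and extension not in usual,
    }


# Constructed sample attachments: only the leading bytes matter here.
MZ_STUB = b"MZ\x90\x00" + b"\x00" * 60
SAMPLES = {
    "setup.exe": MZ_STUB,
    "invoice.txt": MZ_STUB,                       # executable renamed to .txt
    "notes.txt": b"Meeting notes for Tuesday\n",
    "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "archive.dat": b"\x00" * 257 + b"ustar\x0000",
}


def scan(samples=SAMPLES):
    """Apply a 'block executables' policy to every sample attachment."""
    return {
        name: evaluate(name, data, {".exe"}, {"MS-DOS, OS/2 or MS Windows"})
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:12} {verdict}")
```

The renamed executable `invoice.txt` passes the extension check but is caught by content, while a text file that merely begins with the letters BM is misread as a bitmap, so short signatures need a second check before acting on them.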

Defining Disguised Text Identification

SonicWALL Security provides disguised text identification to prevent users in your organization from sending or receiving messages with unwanted words with substituted, inserted, constructed, or deleted characters. Using traditional word matching or spell checking finds exact matches or known frequent misspellings, such as hte for the. Disguised text identification is as simple and intuitive as traditional word matching, and is more powerful than using regular expressions to find specific words or terms. In addition, it is far easier to use and less potentially dangerous than regular expressions.

Disguised text identification provides the following types of matches:

Variations: Resulting Words or Phrases
Constructed characters: \/ for V, or \/\/ for W, for example, \/\/ork at home
Inserted characters: - or _, for example, c-o-m-m-e-n-t
Substituted characters: @ for a or 1 for i, for example, p@ntyhose or Sat1sfact10n
Deleted characters: wnderful opprtunty
Imaginative spelling: Purrfection or garunteeed suxess

Note: Disguised text identification might result in false positives due to unexpected conditions, and can be computationally intensive.

Disguised text identification is not meant to be a spam catcher. SonicWALL Security has developed extensive heuristic statistical techniques for catching spam. Instead, this feature allows you to detect terms that are important to your organization and build policies based on them. You can use this feature to capture specific terms, for example, to route incoming messages that contain your product's name with appropriate trademarks to your sales departments. It can also be used to filter outgoing mail. As an example, if your organization prohibits sending source code outside of the company, you could use various programming keywords as search terms and route messages with those terms to the appropriate manager.

Inbound vs. Outbound Policy Filters

Organizations can create policies to deal with both inbound and outbound messages. To create inbound policies, select the Inbound tab and click on Add New Filters. Policies created on the inbound path cannot be shared with the outbound path and vice versa. To create outbound policies, select the Outbound tab and click on Add New Filter. See the Managing Filters section on page 10 for examples of adding inbound and outbound policies.
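The constructed, inserted, substituted and deleted character variations from the Disguised Text Identification table above, worked through as an added example that is not SonicWALL's algorithm: text is normalized and then compared with the watched terms using an edit-distance tolerance. The function names, the tolerance thresholds and the treatment of 0 as o (taken from the Sat1sfact10n example) are assumptions, and imaginative spelling is not covered.

```python
import re

CONSTRUCTED = [("\\/\\/", "w"), ("\\/", "v")]          # \/\/ -> w, then \/ -> v
SUBSTITUTED = str.maketrans({"@": "a", "1": "i", "0": "o"})
SPELLED_OUT = re.compile(r"^[a-z0-9@](?:[-_][a-z0-9@])+$")   # c-o-m-m-e-n-t


def normalize(text):
    """Undo constructed, inserted and substituted characters; return words."""
    text = text.lower()
    for glyphs, letter in CONSTRUCTED:
        text = text.replace(glyphs, letter)
    words = []
    for token in text.split():
        token = token.strip(".,;:!?\"'()")
        if SPELLED_OUT.match(token):            # single characters joined by - or _
            token = token.replace("-", "").replace("_", "")
        if any(ch.isalpha() for ch in token):   # leave pure numbers such as "10"
            token = token.translate(SUBSTITUTED)
        if token:
            words.append(token)
    return words


def edit_distance(a, b):
    """Levenshtein distance, used here to absorb deleted characters."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,              # delete from a
                               current[j - 1] + 1,           # insert into a
                               previous[j - 1] + (ca != cb)))  # substitute
        previous = current
    return previous[-1]


def tolerance(word):
    """Edits allowed per word (assumed thresholds): short words must be exact."""
    return 0 if len(word) < 5 else 1 if len(word) < 8 else 2


def find_terms(text, terms):
    """Return the watched terms that appear in text in plain or disguised form."""
    words = normalize(text)
    found = []
    for term in terms:
        parts = term.lower().split()
        for start in range(len(words) - len(parts) + 1):
            window = words[start:start + len(parts)]
            if all(edit_distance(w, p) <= tolerance(p)
                   for w, p in zip(window, parts)):
                found.append(term)
                break
    return found


# Watched terms taken from the examples in the table above.
TERMS = ["work at home", "comment", "pantyhose", "satisfaction",
         "wonderful opportunity"]

if __name__ == "__main__":
    for line in [r"\/\/ork at home", "please c-o-m-m-e-n-t", "p@ntyhose",
                 "Sat1sfact10n", "a wnderful opprtunty", "I commend the team"]:
        print(f"{line!r:28} -> {find_terms(line, TERMS)}")
```

The last sample line, "I commend the team", matches the term comment at one edit, which is the kind of false positive the note above warns about; the pairwise distance computation over every word and term is also where the computational cost comes from.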

Preconfigured Inbound Filters

New installations of SonicWALL Security ship with preconfigured filters. These preconfigured filters are not enabled by default.

Strip Potentially Dangerous File Attachments
This filter, Strip Potentially Dangerous File Attachments, strips all attachments from the incoming email messages that triggered the filter conditions. Enable and edit this rule if you want to allow some of these attachments and not others.

Junk Emails with Attachments over 4MB
This filter, Junk Emails with Attachments Over 4MB, stores all incoming email messages over 4MB in size in the Junk Box.

Strip Picture and Movie Attachments
This filter, Strip Picture and Movie Attachments, strips all attachments from the incoming email messages that triggered the filter conditions. Enable and edit this rule if you want to allow some of these attachments and not others.

Detect Personal Financial Information (PFI) Records in Inbound Mails
This filter, Detect Personal Financial Information (PFI) Records in Inbound Mails, detects personal financial information by using the Record ID definitions feature as an identifying tool, looking for mails that match Social Security Number and Credit Card Number formats.

Detect Personal Health Information (PHI) Records in Inbound Mails
This filter, Detect Personal Health Information (PHI) Records in Inbound Mails, detects personal health information by utilizing the Medical Drug Names pre-defined dictionary as an identifying tool.

Detect Corporate Financial Information in Inbound Mails
This filter, Detect Corporate Financial Information in Inbound Mails, detects corporate financial information in the subject line or body of an email by utilizing the Financial Terms predefined dictionary as an identifying tool.

Preconfigured Outbound Filters

New installations of SonicWALL Security ship with preconfigured filters. These preconfigured filters are not enabled by default.

Detect Personal Financial Information (PFI) Records in Outbound Mails
This filter, Detect Personal Financial Information (PFI) Records in Outbound Mails, detects personal financial information by using the Record ID definitions feature as an identifying tool, looking for mails that match Social Security Number and Credit Card Number formats.

Detect Personal Health Information (PHI) Records in Outbound Mails
This filter, Detect Personal Health Information (PHI) Records in Outbound Mails, detects personal health information by utilizing the Medical Drug Names pre-defined dictionary as an identifying tool.

Detect Corporate Financial Information in Outbound Mails
This filter, Detect Corporate Financial Information in Outbound Mails, detects corporate financial information in the subject line or body of an email by utilizing the Financial Terms predefined dictionary as an identifying tool.

Filters

A Policy Filter is an action or actions you want SonicWALL Security to take on messages that meet the conditions you define. SonicWALL's Policy Management module enables you to filter email as it enters or exits your organization. Policy Management is a tool only for administrators: policies cannot be managed individually and are not user-configurable.

To create and manage policy filters
1. Select the Filters link under the Policy Management module.
2. Select the Inbound or Outbound tab to create filters for inbound or outbound email messages respectively.
3. Click the Add New Filter button. The Add Filter window appears. Note: The fields in the window will change based on the action you choose.
4. The Enable this Filter checkbox is checked by default. Uncheck the checkbox to create rules that do not go into effect immediately.
5. Choose whether the filter matches All of the conditions or Any of the conditions.
   All - Causes email to be filtered when all of the filter conditions apply (logical AND)
   Any - Causes email to be filtered when any of the conditions apply (logical OR)
6. Choose the part of the message to filter.

71 SonicWALL Security Administrator s Guide 7 Select Judgement From To/Cc/Bcc Subject Body Subject or Body Subject, Body, or Attachments Message header Attachment name Attachment contents Size of message Number of recipients RFC 822 Byte Scan Definition The server s assessment of a categorized message threat Filter by the sender s name Filter by the names in the To: cc: or bcc: fields Filter by words in the subject Filter based on information in the body of the Filter based on information in the subject and body of the Filter based on information in the subject, body, and attachments of the Filter by the RFC822 information in the message header fields, which includes information including the return path, date, message ID, received from, and other information Filter attachments by name Filter based on information in the attachments Filter messages based on the size of the message Filter messages based on the number of recipients Scan the entire message 7. Choose the matching operation. The choices for matching operation vary with the message part being matched against. The following table describe the matching operations available. Type Explanation Example With Specific Word Without Specific Word With Specific Phrase Without Specific Phrase Starts With Equivalent to Find the whole word only Not equivalent to Find the whole word only Equivalent to Find complete phrase Not equivalent to Find complete phrase The message part being searched for should start with the search value Search for the word Mail from the subject line This is Mail will match. Search for the word Mail from the subject line This is MailFrontier will not match. Search for the words is Mail from the subject line This is Mail will match. Search for the word is Mail from the subject line This is MailFrontier will not match. Search for This from the subject line This is Mail will match. 
Ends With The message part being searched for should end with the search value Search for is Mail from the subject line This is Mail will match.

SonicWALL Security Administrator's Guide 8

Is: Only the search criteria should exist (exact match). Search for the word "Mail" from the subject line "This is Mail" will not match. Search for "is Mail" from the subject line "is Mail" will match.
Is Not: Only the search criteria should not exist. Search for the phrase "is Mail" from the subject line "This is MailFrontier" will match.
Contains: Substring search. Search for "is Mail" from the subject line "This is Mail" will match.
Does not Contain: Substring search does not match.

8. Enter the words or phrase that you want to filter in the Search Value text box. Select the appropriate check boxes.
Match Case - Filters a word or words sensitive to upper and lower case.
Intelligent Attachment Matching - Filters attachment names, such as .exe or .zip.
Disguised Text Identification - Filters disguised words through the sequence of its letters, for example Vi@gr@.
Note: Disguised Text Identification cannot be used together with Match Case and can be selected only for Body and Subject message parts.

If the Compliance Module is active, the administrator can set additional filtering conditions. The Use Dictionary option, which uses terms from a dictionary, can be selected, as well as the Use Record Match option, which looks for numbers such as telephone numbers or social security numbers.

1. Click the plus sign (+) to add another layer of filtering. See Junk Emails with Attachments over 4MB on page 5. You can add up to 20 filters. Filters are similar to rock sifters. Each additional filter adds further screens that test for additional conditions.
2. Choose the response action from the Action drop-down list.

Action: Effect
Log as event: The message is logged. No further processing in Policy management occurs (default). This option stores a log of all messages so that the administrator has a record and can analyze traffic patterns. The log is in the mfe log. NOTE: Policy management logs all messages as events regardless of the action specified.
Permanently delete: The message is permanently deleted and no further processing occurs in any SonicWALL Security module. This option does not allow the user to review the email and can cause good email to be lost.
Store in Junk Box: The message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions. The user has the option of unjunking the email.
Store in Approval Box: The message is stored in the Approval Box. It will not be delivered until an administrator approves it for delivery.
Bounce back to sender: The message is returned to sender with an optional message indicating that it was not deliverable.

SonicWALL Security Administrator's Guide 9

Action: Effect
Deliver and bounce: The message is delivered to the recipient and is bounced back to the sender with an optional message.
Deliver and skip Spam and Phishing Analysis: The message is delivered without spam or phishing analysis.
Route to: The message is routed to the specified address. The message can be routed to only one address.
Deliver and route to: Deliver to the recipients and also route to the specified address. The message can be routed to only one address.
Tag subject with: The subject of the email is tagged with the specified term.
Strip all attachments: Remove all the attachments from the email.
Append text to message: The specified text is appended to the message body.
Issue notification: Sends an email notification to the recipients of the email that triggered the rule.
Add X-header to message: Adds an X-header to the email.
Remove X-header from message: Removes an X-header from an email.
Route to IP: The message is routed to the specified IP address. The message can be routed to only one IP address.
Deliver and Route to IP: Deliver to the recipients and also route to the specified IP address. The message can be routed to only one IP address.
Route Copy to Archive: A copy of the message is routed to the archive.
Encrypt: Message is sent to the encryption center for encryption. This action is used for outbound messages. The administrator must provide a name or IP address of SMTP server for encryption at the Policy & Compliance > Encryption page.
Decrypt: Message is sent to the decryption center for decryption. This action is used for inbound messages. The administrator must provide a name or IP address of SMTP server for encryption at the Policy & Compliance > Encryption page.

When no additional filtering is required on a message, select the "and stop processing policy filters" checkbox. This checkbox is automatically selected and grayed out when you have selected a terminal action. If additional actions need to be performed on the same message, select the plus sign (+) to the right. You cannot add the same action more than once to a specific filter rule. As a result, once an action has been selected, it will not be available in the drop-down list for further selection within the current filter rule.

3. Type a descriptive name in the Filter Name text box.
4. Select a policy group you want to apply this filter to. By default, All Groups will be selected and this filter will apply to all email messages.
5. Click Save This Filter.

SonicWALL Security Administrator's Guide 10

Language Support

Policy management supports filtering messages based on non-English terms in the Search Value. For example, you can search for a Japanese word or phrase in the body of a message. However, SonicWALL Security does not support adding text strings to messages in languages other than English and does not support foreign language filter names.

Note: To view messages in Asian languages, you might need to install East Asian Language Packs on the server where you run SonicWALL Security (for Windows only). This applies to deployments using the SonicWALL Security Software Edition.

Managing Filters

The main Policy Management page lists all the filters created in the system for the Inbound and Outbound path. From this view, you can Add New Filter, Change the order of filters, Edit or Delete filters. Filters that have been enabled are indicated with a green tick mark.

Editing a Filter

To change a filter that has been saved:
1. Click the Edit button adjacent to the filter to be changed.
2. Change any of the filter conditions.
3. Click Save This Filter.

Deleting a Filter

To delete a filter, click the Delete button adjacent to the filter.

Changing Filter Order

Filters are processed in the order they appear. To change the order of the filters, use the up and down arrow icons to the left of the filters.

Advanced Filtering

Creating a Multi-Layered Filter

You can create filters with multiple conditions chained together and multiple actions to be performed on the message, if the specified conditions are met. For example, if the message is sent from NASA and the body contains the word Mars, then take the following actions: Tag the subject with the term [Mars Update from NASA] and Route the message to engineering.

SonicWALL Security Administrator's Guide 11

To create a multi-layered filter:
1. Click the Add New Filter button from the Policy & Compliance > Filters > Inbound module.
2. Select All conditions to be met.
3. With Specific Words operation, search for nasa.org in the message part From.
4. Select the + button to the right to add another condition.
5. With Specific Words operation, search for Mars in the message part Body. Enable Match Case to get an exact case match.
6. Select the action Tag Subject With. Set the Tag field to [Mars Update from NASA]. Make sure the "and stop processing policy filters" checkbox is not enabled.
7. Select the + button to the right to add another action.
8. Select the action Route To and set the To field to [email protected]. Select the "and Stop Processing Policy Filters" checkbox to stop further policy filtering on this message.
9. Select the Save This Filter button.

Configuring a Policy Filter for Outbound Email to Include a Company Disclaimer Message

To add a company disclaimer to the end of each outgoing message from your organization, you would set the policy filter in this way. If an email is sent from anyone at sonicwall.com, then take the following action: append text to the end of the message, "This is my company disclaimer".

To create the outbound policy filter, perform the following steps:
1. In the Security management interface, browse to the Policy & Compliance > Filters screen and click the Outbound tab.
2. Click the Add New Filter button.
3. Select All conditions to be met.
4. Select From in the Select drop-down list, and select contains in the Matching drop-down list.
5. In the Search Value field, type sonicwall.com.
6. To protect against internal spammers or zombies, click the plus sign icon to add another condition.
7. Select Judgement in the Select drop-down list, and select is good in the Matching drop-down list.
8. Select the action Append text to message.
9. In the Message text write: This is my company disclaimer
10. Name the filter Outbound Disclaimer.
11. Select Apply to Everyone from the drop-down menu in the Apply this filter to: section.
12. Click the Save This Filter button.
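The following is an added example, not code from SonicWALL or from the original guide: a small Python model of how filter order, Match Case, multiple actions and the "and stop processing policy filters" checkbox interact, so a filter set can be reasoned about before it is built in the UI. Assumptions: matching is case-insensitive unless Match Case is set, Contains stands in for the With Specific Words operation, the stop checkbox is modelled per filter, and the message, the Drop .exe filter and the example.com addresses are constructed.

```python
from dataclasses import dataclass

# The guide names "Permanently delete" as an exclusive, terminal action.
TERMINAL_ACTIONS = {"Permanently delete"}


def match(op, text, value, match_case=False):
    """One matching operation from the guide's table, applied to one message part."""
    if not match_case:  # assumption: case-insensitive unless Match Case is selected
        text, value = text.lower(), value.lower()
    ops = {
        "Is": text == value,
        "Is Not": text != value,
        "Contains": value in text,
        "Does not Contain": value not in text,
        "Ends With": text.endswith(value),
    }
    if op not in ops:
        raise ValueError(f"unknown operation: {op}")
    return ops[op]


@dataclass
class Condition:
    parts: tuple              # message parts to search, e.g. ("Subject", "Body")
    op: str
    value: str
    match_case: bool = False

    def holds(self, message):
        # "Subject or Body": the condition holds if any listed part matches.
        return any(match(self.op, message.get(p, ""), self.value, self.match_case)
                   for p in self.parts)


@dataclass
class Filter:
    name: str
    conditions: list
    actions: list             # [(action name, argument or None), ...] in order
    match_all: bool = True    # "All conditions to be met"
    stop: bool = False        # the "and stop processing policy filters" checkbox

    def __post_init__(self):
        names = [action for action, _ in self.actions]
        if len(names) != len(set(names)):
            raise ValueError("an action can be used only once per filter")
        if TERMINAL_ACTIONS & set(names):
            self.stop = True  # a terminal action forces the checkbox on

    def matches(self, message):
        results = [c.holds(message) for c in self.conditions]
        return all(results) if self.match_all else any(results)


def evaluate(filters, message):
    """Run filters top to bottom; return the (filter, action, argument) trail."""
    trail = []
    for f in filters:
        if not f.matches(message):
            continue
        for action, arg in f.actions:
            trail.append((f.name, action, arg))
            if action in TERMINAL_ACTIONS:
                return trail
        if f.stop:
            break
    return trail


# Filters modelled on the guide's examples; addresses are constructed placeholders.
nasa = Filter("NASA Mars",
              [Condition(("From",), "Contains", "nasa.org"),
               Condition(("Body",), "Contains", "Mars", match_case=True)],
              [("Tag subject with", "[Mars Update from NASA]"),
               ("Route to", "engineering@example.com")],
              stop=True)
resume = Filter("Resume Routing",
                [Condition(("Judgement",), "Is Not", "spam"),
                 Condition(("Subject", "Body"), "Contains", "job application")],
                [("Route to", "hr@example.com")])
purge = Filter("Drop .exe",   # constructed filter, not from the guide
               [Condition(("Attachment",), "Ends With", ".exe")],
               [("Permanently delete", None)])

MESSAGE = {  # constructed sample message
    "From": "updates@nasa.org",
    "Subject": "Job application status",
    "Body": "Your job application for the Mars program was received.",
    "Judgement": "good",
    "Attachment": "form.exe",
}

if __name__ == "__main__":
    for order in ([nasa, resume], [resume, nasa], [purge, nasa, resume]):
        print([f.name for f in order], "->", evaluate(order, MESSAGE))
```

With the NASA filter first, its stop checkbox keeps Resume Routing from ever seeing the message; with the order reversed, both filters act on it.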

SonicWALL Security Administrator's Guide 12

Configuring a Policy Filter for Inbound Email

To filter email messages sent to your organization that are not judged as spam but contain the words "job application" in the subject or body of the message, you would set the policy filter this way: if an email is not judged as spam, and the subject or body of the email contains the words "job application", then take the following action: route the email to [email protected].

To create the inbound policy filter:
1. Select the Add New Inbound Filter button.
2. Select All conditions to be met.
3. Judgement operation, matching is not spam.
4. Select the + button to the right to add another condition.
5. With specific phrase operation, search for job application in the message part Subject or Body.
6. Select the action Route to and enter the address [email protected] in the To: field.
7. Name the filter Resume Routing.
8. Select Apply to Everyone from the drop-down menu in the Apply this filter to: section.
9. Select the Save This Filter button.

Exclusive Actions

The action named Permanently delete is an exclusive action. It is terminal in nature, and no further policy filtering is possible after this action has been performed. The Stop Processing Policy Filters checkbox will be automatically enabled and grayed out if an exclusive action is selected.

Parameterized Notifications

SonicWALL Security supports parameterized notifications, in which you can use pre-defined parameters in the text fields for the Issue Notification action. These parameters are substituted with the corresponding values when the message is processed. You can use these parameters in either the Subject or Message Text fields of the Issue Notification action. The parameters can be used multiple times and are substituted each time they are used. Each parameter entered should start and end with the % symbol.

Parameter: Value
%SUBJECT%: the Subject: content from the triggering email
%FROM%: the From: content from the triggering email
%ATTACHMENT_NAMES%: a comma-separated list of attachment names from the triggering email
%FILTER_NAME%: the name of the policy filter which took the action on the triggering email
%MATCHED_RECORDID%: the Record ID file name which has a matching pattern in the triggering email
%MATCHED_TERM%: the Dictionary term which matched in the triggering email
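The following is an added example, not SonicWALL's implementation: a Python helper for previewing a notification template offline and catching mistyped parameter names before the filter is saved. Because %SUBJECT% and %FROM% are taken from the triggering message, the model substitutes in a single pass (a value that itself contains a parameter name is not expanded again) and can flatten line breaks for the Subject field; both behaviours are choices of this example, and the sample values are constructed.

```python
import re

# The six parameters listed in the guide's table.
PARAMETERS = {
    "SUBJECT", "FROM", "ATTACHMENT_NAMES",
    "FILTER_NAME", "MATCHED_RECORDID", "MATCHED_TERM",
}
TOKEN = re.compile(r"%([A-Z_]+)%")


def unknown_parameters(template):
    """Return %NAME% tokens in the template that are not documented parameters."""
    return sorted({name for name in TOKEN.findall(template) if name not in PARAMETERS})


def render(template, values, single_line=False):
    """Substitute every occurrence of each documented parameter in one pass.

    single_line=True is meant for the Subject field: line breaks inside a
    substituted value are collapsed to a space (a choice of this example).
    """
    def substitute(found):
        name = found.group(1)
        if name not in PARAMETERS:
            return found.group(0)          # leave unknown tokens visible
        value = str(values.get(name, ""))
        if single_line:
            value = re.sub(r"[\r\n]+", " ", value).strip()
        return value

    # re.sub never rescans replacement text, so values are not re-expanded.
    return TOKEN.sub(substitute, template)


# Constructed values standing in for a triggering message.
VALUES = {
    "SUBJECT": "Re: %FROM% pricing\r\n(draft)",
    "FROM": "sender@example.com",
    "FILTER_NAME": "Resume Routing",
    "ATTACHMENT_NAMES": "cv.pdf, cover.doc",
}

if __name__ == "__main__":
    print(unknown_parameters("Filter %FILTER_NAME% hit %SUBJET% from %FROM%"))
    print(render("[%FILTER_NAME%] %SUBJECT%", VALUES, single_line=True))
    print(render("%FROM% sent %ATTACHMENT_NAMES%; again: %FROM%", VALUES))
```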

SonicWALL Security Administrator's Guide 13

Policy Groups

In some cases, it may be appropriate to associate a policy filter with a group of users rather than the entire organization. For example, you may want a policy filter to be applied to all incoming email messages sent to your sales team and no one else in your organization. If you want policy filters you create to be applied to a particular group of users, you first have to create policy groups from LDAP. Policy groups, once created, can be associated with either inbound or outbound policies.

To manage policy groups, select the Policy Groups link under the Policy & Compliance module. From this screen, you can manage all policy groups for your SonicWALL Security setup.

To add a new policy group, select the Add New Group button. From the pull-down menu, select one of three methods to locate a desired group:
equal to (fast): search using the actual name
starting with (medium): search using the first few characters
containing (slow): search using a substring of characters

Once the list of group names is displayed, select the checkbox of the group you wish to add. Click on the Add Group button.

To remove a group, check the group(s) to be removed and select the Remove Group button. You can view the members of a group by selecting that group and clicking on the List Group Members button.

If a user is present in more than one group, that user is treated as a member of the group that is listed highest in the list. You can change group ordering by clicking on the arrows to the left of listed groups. To change the order in which groups are listed, use the up and down arrow icons to the left of the groups. For example, in the above illustration, if [email protected] is listed under both SalesEngineering and Sales, the policy filter that is associated with SalesEngineering will be applied to email messages for [email protected].

Multiple LDAP Groups

To manage policy groups from multiple LDAP servers:
1. Log in as the Security administrator.
2. Click Policy and Compliance and then Policy Groups.
3. Select the LDAP source and click the Go button. You are connected to that LDAP server.
4. Click the Add Group button. The groups on that LDAP server are retrieved and presented.
5. Choose the groups you want to add policies to.
6. When you have selected the groups, click the Add Group button. Your groups are added.
7. You can now apply policies to these groups. If a user is a member of more than one group, actions will only be taken on the first group the system reads.

SonicWALL Security Administrator's Guide 14

Address Rewriting

In a multiple LDAP server environment, administrators can map incoming or outbound email addresses to new apparent domains. This feature also allows you to expand an email list into its constituent members.

To configure Address Rewriting on a per-LDAP basis:
1. Log in as the Security administrator.
2. Click System and then Network Architecture.
3. Scroll down and click the Address Rewriting button.
4. Click the Add New Rewrite Operation button.
5. In Type of Operation, choose LDAP Rewrite to Primary. If you are on the Inbound tab, you could also choose LDAP List Expansion.
6. Enter the information for the operation you have chosen.
7. Enter a name for the rewrite operation.
8. Click Save This Rewrite Operation.

Compliance Module

This module is accessible through the optional purchase of a Compliance Subscription License Key and enables organizations to make efforts in ensuring that email complies with relevant regulations and/or corporate policies. Once the Compliance Module is activated, the network administrator has access to the new Encryption and Archiving features in addition to features such as additional filtering tools that enhance the Standard Module.

Note: When the Compliance Module license expires, filters that were created during the valid license period will continue to work, taking advantage of the advanced features. However, the administrator will not be able to add any new filters to use licensed features until a license to the module is obtained.

Dictionaries

A dictionary is a convenient collection of words or phrases that you can group together for use in policy filters. A dictionary can be specified as a search value in a policy filter. Dictionaries can be created or modified either manually or by importing from a file in the file system.

A predefined dictionary is a group of words or phrases all belonging to a specific theme, such as medical or financial terms, which can be used as a database of words that filters can look for. By default, SonicWALL Security provides two pre-installed dictionaries:
Financial Terms
Medical Drug Names

These dictionaries may be modified by clicking the edit button.

To import a dictionary from a file on the file system:
1. Click on the Import Dictionary button.
2. Choose to name a new dictionary or to replace an existing dictionary by selecting the appropriate radio button next to your selection.
3. Find the import file by browsing to the correct location. The imported file should contain one word or phrase per line and each line should be separated by <CR>.
4. Click the Import button.

SonicWALL Security Administrator's Guide 15

To manually add a dictionary:
1. Click on the Add New Dictionary button.
2. Enter a word or phrase under Dictionary Terms and click Add Term. Repeat for all the terms you want to add to the dictionary.
3. Give your dictionary a name.
4. Click Save Dictionary. You will automatically be returned to the Policy & Compliance > Dictionaries module.

Approval Boxes

An Approval Box is a list of stored email messages that are waiting for an administrator to take action. They will not be delivered until an administrator approves them for delivery. The View Approval Box for drop-down list allows you to have two different views of Approval Boxes: the Manager view and the individual approval box view.

To see a list of the Approval Boxes that have been created, select Approval Box Manager from the pull-down menu in the View box from this list. The Approval Box Manager view allows you to edit or delete existing Approval Boxes, and to create new Approval Boxes.

To see the contents of a particular Approval Box, choose the desired Approval Box name from the View Approval Box for drop-down list. This page allows you to search the messages stored in that Approval Box and to take action on any of those messages.

Note: Only users who have administrative rights can see the contents of an approval box. See Chapter 9, User and Group Management, for managing user rights and privileges.

To store messages in an Approval Box:
1. Create the Approval Box by clicking the Add New Approval Box button in the Summary view page. Then, go to the Policy Management > Filters page and create a policy filter that has Store in Approval Box as its Action, and choose the desired Approval Box for messages caught by that filter.
2. Enter a name for this Approval Box. This name will appear in the page that shows the list of approval boxes and in the drop-down list that allows you to select the detailed view of individual approval boxes.
3. From the Default action pull-down menu, select an action to be taken. This action will automatically be taken on the email message waiting for approval if the administrator does not respond to the notification within the period of time specified.
None: No action is taken. The email remains in the Approval Box.
Approve & Deliver: The email is passed to the recipient.
Delete: The email is deleted.
Bounce Back to Sender: The email will automatically be bounced back to the sender and removed from the approval box after the specified length of time elapses. It will not be delivered to the intended recipients.
4. Enter a list of recipients in the text box. Separate multiple addresses with a carriage return.

Note: Make sure that the recipients you enter are users that have administrative rights to the SonicWALL Security appliance. If they do not have administrative access, they will not be able to view the approval boxes when they receive notification.

SonicWALL Security Administrator's Guide 16

5. Select a notification frequency for this approval box. Approval box notification emails for this approval box will be sent according to the schedule you choose here.
6. Write the subject line for this notification.
7. Click the Apply Changes button to save your changes to this approval box notification.

Encryption

This section is used to configure the servers used to encrypt and decrypt email messages. Once configured, you may create a policy filter for which the action is to encrypt or decrypt messages. A policy action of encrypt can be used to direct confidential outbound messages to the encryption server. A policy action of decrypt can be used to direct confidential inbound messages to the decryption server.

Record ID Definitions

A Record ID Definition can be used to detect specific IDs described by a series of generic patterns. This section allows the administrator to predefine a cluster or clusters of letters and numbers into logical sets of groups such as social security numbers, patient medical record numbers, or credit card numbers. When these patterns are discovered, compliance actions can be taken to ensure that the organization's privacy and security regulations are met. The filter will stop processing a message after it finds the first matching Record ID Definition.

By default, SonicWALL Security provides the following pre-installed Record ID Definitions:
ABA Bank Routing Number
Canadian Social Security Number
Credit Card Number
Date
Phone Number
Social Security Number
Zip Code

To add a new Record ID Definition:
1. Click the Add New Record ID Definition button. The Add Record ID Definition window displays.
2. Name the Record ID you are creating.
3. Enter a term including correct spacing, dashes or other symbols. Use the key to set values to the sets of characters.
4. Select Add Term to add the term to the Record ID.
5. Repeat adding terms for each Record ID as necessary.

SonicWALL Security Administrator's Guide 17

Archiving

This section is used to configure how messages are archived. Once configured, you may create a policy filter for which the action is Route copy to archive. Messages can be archived either to a remote archive server or to a file system.

To have messages archived to a remote server, click the External SMTP Server radio button, and enter the IP address of the server to which messages should be routed for archiving in the Route to Archive Address field.

To have messages archived to a file system:
1. Click the File System radio button.
2. Choose from the archive settings for both inbound and outbound emails.
3. Select a length of time for emails to be archived.
4. Click the Apply Changes button.

CHAPTER 9

User and Group Management

The User and Group Management function allows you to:
Manage the list of users who can log in to the SonicWALL Security
Assign roles to individual users or groups of users
Set spam blocking options for groups of users

This chapter also describes how to assign a delegate to manage your Junk Box. For more information, see Assigning Delegates on page 6.

Notes: To manage users and groups from within this module, you need to have configured your SonicWALL Security setup to synchronize with your organization's LDAP server. You can configure LDAP settings and queries on the System > LDAP Configuration page. SonicWALL Security queries your corporate LDAP server every hour to update users and groups. Changes made to some settings in this section may not be reflected immediately on SonicWALL Security, but are updated within an hour.

Working with Users

To manage users in SonicWALL Security:
1. Click the User & Group Management icon. SonicWALL Security displays the Users and Groups window.
2. Select the Users link. From this screen, you can sign in as a user, set their message management settings to corporate default, and edit their privileges in the system.

Searching for Users

If there are too many users to display in a window, select the search option from the drop-down menu (equal, starts with, or contains), enter the search parameter in the blank field, and click Go. The search speed varies according to the search parameter.

Sort

Click User Name or Primary to sort the list of users by that column.

Signing In as a User

Administrators can sign in as any user, see their Junk Box, and change the settings for that user. In addition, you can sign in as a particular user to manage their delegates for them.

SonicWALL Security Administrator's Guide 2

Resetting User Message Management Setting to Default

Select one or more users and click Set Message Management to Default to restore all settings to the defaults. Be aware that this overrides all individual user preferences the user might have set.

Edit User Rights

Administrators can assign different privileges to different users in the system by assigning them pre-defined roles. To assign a role to a user, select the user and click on the Edit User Rights button. See SonicWALL Security Roles on page 3 for more information.

Import

The administrator can add multiple non-LDAP users by importing a list of names. The list is made up of the primary addresses followed by the corresponding aliases of the users. The imported file can be appended to the existing names, or overwrite them. The format of the file is tab-delimited. One may use an Excel spreadsheet to generate a user list and save it as a tab-delimited file. To import the list, click the browse button to locate the file and click Import.

Export

The administrator can download a tab-delimited list by clicking this button. The file generated lists multiple non-LDAP users and can later be imported using the Import feature.

Add

The administrator can add individual non-LDAP users. Fill out the Primary Address and Alias fields and click Add. Add an existing user with an alias and the user will have that alias added to them. This is not dependent on LDAP status.

Note: Users added in this way remain non-LDAP users. Their User Rights cannot be changed. Their source will be listed as Admin. Users can edit their Junk Box setting only if the administrator sets the Junk Box setting, Enable "Single Click" viewing of messages, to "Full Access" in the System > Junk Box Summary page.

Remove

The administrator can remove individual non-LDAP users. First select a non-LDAP user by using the checkbox in front of the name, then click the Remove button to delete the name from the list.

Working with Groups

About LDAP Groups

This section describes how SonicWALL Security lets you query and configure groups of users managed by an LDAP server. Most organizations create LDAP groups on their Exchange server according to the group functions. For example, a group configured on their Exchange server called support represents the technical support groups in Exchange.

Configure LDAP groups on your corporate LDAP server before configuring the rights of users and groups on SonicWALL Security in the User and Group Management screen.

SonicWALL Security allows you to assign roles and set spam-blocking options for user groups. Though a user can be a member of multiple groups, SonicWALL Security assigns each user to the first group it finds when processing the groups. Each group can have unique settings for the aggressiveness for various spam prevention. You can configure each group to use the default settings or specify settings on a per-group basis.

SonicWALL Security Administrator's Guide 3

Updates to group settings in this section are not reflected immediately. The changes will be reflected the next time SonicWALL Security synchronizes itself with your corporate LDAP server. If you want to force an update, click on the Refresh From LDAP button.

Add a New Group

To add a new group, click the Add New Group button. The Add Group window appears with a list of all the groups to which you can assign roles. You can also add new groups in this window.

To find a group:
1. Search for the group you want by entering the name in the text box. Choose the search mechanism and search speed: equals (fast), starts with (medium), or contains (slow). Click Go to begin the search.
or
Scroll through the list of groups to locate the group you want to add.
2. Click the checkbox to include the group.
3. Click Add Group. A message appears stating that the group was added successfully.

Removing a Group

1. Click the checkbox adjacent to the group(s) to remove.
2. Click the Remove Group button. A success message appears.

Listing Group Members

1. Click the checkbox adjacent to the group to list.
2. Click the List Group Members button. Users belonging to that group will be listed in a pop-up window.

SonicWALL Security Roles

Roles are a set of privileges that you can grant any individual user or group of users in the SonicWALL Security. There are five defined roles that can be assigned to any user or group.

Admin: An administrator role has full rights over the system. Administrators are taken to the system status page after logging in. They can log in as any user to change individual settings and view Junk Boxes, manage the corporate Junk Box, and configure everything.
Help Desk: A Help Desk role can sign in as any user in the system, change their settings and address books, or operate on the Junk Box. This role is not allowed to change any corporate-wide settings and other server configurations.
Group Admin: A group administrator role is similar to the Help Desk role except that this role's privileges are limited to users for the group they are specified to administer. Group Admin role is always associated with one or more groups added to the Spam Blocking Options for Groups section.
Manager: A manager role has access to only system reports.
User: Using the user role, you can allow users in your organization to log in to SonicWALL Security. SonicWALL Security displays their Junk Box as the opening window. In addition, you can also allow them access to other areas such as reports, message management, and lists.

SonicWALL Security Administrator's Guide 4

Setting an LDAP Group's Role

All members of a group get the role assigned to the group.

To set the role of a group:
1. Click the checkbox adjacent to the group to edit.
2. Click Edit Role. A window appears with the group's name and current role.
3. Click the radio button for the appropriate role that you want to assign to the group.
4. Click Apply Changes. A message appears stating that the group was changed successfully.

Setting Spam Blocking Options for LDAP Groups

All members of a group get the spam blocking options assigned to the group.

To set spam blocking options for an LDAP group:
1. Click the checkbox adjacent to the group that you want to edit.
2. Click the Edit Junk Blocking Options button. The Edit Spam Blocking Options for Group window appears.

Note: The Adhere to Corporate/Group Defaults box is checked by default. By opening this screen, you are now editing the spam blocking options for this one group. There is an Adhere to Corporate Defaults check box at the very top of each sub-page in this dialog; this check box applies only to the values on one page and for the current group only. For example, you can adhere to the corporate defaults for the two pages User View Setup and Rules and Collaboration, uncheck the box and set custom settings for this one group for Foreign Language, and then uncheck the box and set custom settings for this group for Spam Management.

User View Setup

To enable the specified group to have special privileges, deselect the Adhere to Corporate/Group Defaults box. This controls what options are available to the users in this group when they log in to the server using their user name and password. You can change the settings on the following items:
Login Enabled - enables users in this group to log into their Junk Box
Allow/Block People, Companies, Lists, Foreign Languages, Rules - allows or blocks specified people, companies, foreign languages, and rules as these were configured in the user setup
Reports - lets users in this group look at their Spam reports
Settings - enables users in this group to view their settings

Click the Allow the following types of user downloads from the SonicWALL Security check box to enable users in this group to preview quarantined junk mail. Click Apply.

Rules and Collaborative Settings

You can configure rules and collaborative settings for groups. Choose the appropriate Collaborative level for this group. You can adjust collaborative settings to customize the level of influence community input has on enterprise spam blocking. Choose the appropriate Aggressiveness level for this group.

SonicWALL Security Administrator's Guide 5

For each category of spam, determine level and whether members of the group are allowed to unjunk their Junk Boxes. Click Apply Changes.

Configuring Foreign Language for Groups

You can determine the foreign language email that groups can receive.
Select Allow All to allow all users in a group to receive email in the specified language.
Select Block All to block all users in a group from receiving email in the specified language.
Click No opinion to permit email to be subject to the spam and content filtering of SonicWALL Security.
Click Apply Changes.

Managing the Junk Box Summary

You can manage the way in which you receive the Junk Box summary of emails.

To manage the Junk Box for groups:
1. Choose the default frequency for users to receive notification of junk email.
Choose the time of day to receive junk email.
Choose the day of the week to receive junk email.
Choose a plain or graphics rich summary.
Choose if sending the junk box summary to a delegate or delegates.
2. Click Apply Changes.

Spam Management

You can manage how groups deal with spam through the Spam Management window.

To manage messages marked as Spam or Likely Spam for this group, choose what you want done with messages:
Spam Filtering Off - passes all messages to users without filtering.
Permanently Delete
Bounce back to sender - sends the message back to the sender. Caution: in cases of self-replicating viruses that engage the sender's address book, this can inadvertently cause a denial of service to a non-malicious user.
Send to - you must specify an email address for the recipient.
Tag with - labels the email to warn the user. The default is [JUNK].
Click Apply Changes.

Phishing Management

The phishing management window gives you the option of managing phishing and likely phishing settings at a group level. Just like spam management options, it allows you to deal with phishing differently for different groups. However, unlike spam management options, these settings cannot be altered for individual users.

Virus Management

The virus management window gives you the option to manage virus and likely virus settings at a group level. Just like spam management options, it allows you to deal with viruses and likely viruses differently for different groups. However, unlike spam management options, these settings cannot be altered for individual users.

Assigning Delegates

Delegates are people who have full access to your individual Junk Box. This includes the ability to change your Junk Box settings and manage the messages in your Junk Box. The most common use of delegates is for an administrative assistant to act as a delegate of the CEO of a company. The assistant frequently has access to all of the CEO's email, so the assistant now would have access to the CEO's Junk Box and Junk Box settings as well.

To assign a delegate to manage your Junk Box
1. Sign in to your individual user account; click the Sign in as any user link at the bottom of most SonicWALL Security windows and sign in with your username and password.
2. Go to Settings > Delegate.
3. To add a delegate, click the Add button. The Add New Delegate screen appears.
4. Enter the email address of the delegate in the text box.
5. Click Go. A group of people who match the email address appear.
6. Click the checkbox adjacent to the preferred delegate.
7. Click Add Delegate.

To remove a delegate, click the Remove button on the Delegate window.

Users and Groups in Multiple LDAP

Users

The administrators of each organization can create a master LDAP group that encompasses all their users and groups. That master group can then be used to administer Security settings across the organization, even if there are multiple domains. With a group that contains all the members of the LDAP, the administrator effectively administers the LDAP. When an administrator logs in and views the Users page, she sees all the addresses that exist on that instance of SonicWALL Security. The administrator can then narrow the view to only the entries from that LDAP.

Note: The Using Source selection allows administrators to access users who were added directly to SonicWALL Security, and did not come in through an LDAP entry. These entries will not be deleted with an LDAP deletion.

To filter the user view setup by source
1. Log in as the Security administrator.
2. Click Users & Groups and then Users.
3. Scroll down to User View Setup.
4. From the Using Source drop-down menu, choose the LDAP source associated with the users you want to view. Click Go. You will see only the users associated with that LDAP source.

The list of users can be sorted by user name, primary address, user rights, or source. If you have already filtered by source, sorting by source will not retrieve anything outside the filter. To sort a list of users, click on the column heading that describes the sort type. Click again to sort in reverse order.

Each LDAP user record has a checkbox next to it. To edit a user or users, check the box. If you select one user, you can log in as that user or edit that user's rights, for example, to elevate them to group admin or help desk-level rights. If you select more than one user, you can only change their message management style to the default style.

Because there are usually many records in an LDAP source, SonicWALL Security has provided several ways of looking for a specific user.

To find a specific user
1. Log in as the Security administrator.
2. Click Users & Groups and then Users.
3. Scroll down to User View Setup.
4. From the Find all users in column drop-down menu, choose either the username or the primary address to search on.
5. Choose which type of search you want. Exact matches are the fastest, but matches that contain your search term may help you more if you cannot remember the exact username or address you are looking for.
6. Enter your search term.
7. Click Go. You will see the users who match your search criteria.

If you want to add a user who does not appear in the automatically-generated list from your LDAP, you can choose to manually add an account. If an LDAP is not provided, the user will be added to the default LDAP source. You cannot add users to your LDAP from the SonicWALL Security interface.

To add a user
1. Log in as the Security administrator.
2. Click Users & Groups and then Users.
3. Scroll down to User View Setup.
4. Click Add.
5. Enter the user's fully-qualified address, choose a source (if any), and any aliases you wish to associate with the user.

To delete a user
1. Log in as the Security administrator.
2. Click Users & Groups and then Users.
3. Scroll down to User View Setup.
4. Select the user you wish to delete. Deleting a user will not remove the user's LDAP entry, only the entry in the Security.
5. Click Add.
Groups

Administering groups

Use groups within SonicWALL Security to incorporate or extend existing LDAP groups. You can also change a group's security role in SonicWALL Security and view the membership of a group.

To filter the group view by source
1. Log in as the Security administrator.
2. Click Users & Groups and then Groups.
3. Scroll down to Assign Roles to Groups Found in LDAP.
4. From the Using Source drop-down menu, choose the LDAP source associated with the groups you want to view. Click Go.
5. If you do not see the group you want, click the Add Group button. You can choose an existing group from one of your sources. You cannot create a group that does not exist.

You can change each group's role in SonicWALL Security. Security roles determine a user's permissions to change Security settings, including user settings.

To change a group's role
1. Log in as the Security administrator.
2. Click Users & Groups and then Groups.
3. Scroll down to Assign Roles to Groups Found in LDAP.
4. Select the box next to the group you want to change.
5. Click Edit Role.
6. In the pop-up window, choose the role you want that group to have. You can choose only one role per group. If a user is in multiple groups, permissions are granted in the order in which the groups are listed in the user's profile.
7. Click Apply Changes. You will see a status update at the top of the page.

You can view the members of a group in SonicWALL Security.

To view the members of a particular group
1. Log in as the Security administrator.
2. Click Users & Groups and then Groups.
3. Scroll down to Assign Roles to Groups Found in LDAP.
4. Select the box next to the group you want to see the membership of.
5. Click List Members. You will see a pop-up window that lists the group's membership by primary address.

Setting Junk Blocking by Group

You can use the existing LDAP groups to configure the filtering sensitivity for different user groups. For example, your sales group might need to receive email written in foreign languages.

To set junk blocking by group
1. Log in as the Security administrator.
2. Click Users & Groups and then Groups.
3. Scroll down to Set Junk Blocking Options for Groups Found in LDAP.
4. Under Using LDAP, select your LDAP.
5. Select a group to edit.
6. Click Edit Junk Blocking Options. You will see the Group Junk Blocking Options window. Follow the recommendations described in Chapter 5, Anti-Spam Anti-Phishing Techniques.

CHAPTER 10 Junk Box

The Junk Box allows you to review and process messages that have been flagged as spam, virus-infected, organization policy violations, or phishing. You can unjunk or release a falsely identified message. When you or the recipient unjunks an incoming message, SonicWALL Security adds the sender of the message to the recipient's Allowed list and delivers the email to the recipient.

The size of the junk box can grow rapidly. By default, the messages are stored in junk box for 30 days and deleted after that. You may need to customize this setting depending on your organization's policies and storage capacity on the shared data directory where messages are stored. To change this setting, go to System > Default Message Management > Store in Junk Box and delete after and choose a value between 1 and 180 days.

Messages in junk box can be quickly sorted and viewed by threat types. Messages that contain definite spam, phishing, and viruses have red asterisks (*) adjacent to them. Messages that contain likely spam, phishing, and viruses do not have any marks.

Type of Message: Display
Spam (definite): *Spam
Likely Spam: Spam
Phishing (definite): *Phishing
Likely Phishing: Phishing
Virus (definite): *Virus
Likely Virus: Virus

Junk Box - Simple View

At the top of the junk box page, the number of days messages will be stored in junk box will be displayed. The window also displays all the messages that have been categorized as the selected threats. You can also:
Search for messages containing specific strings in the following fields: To, Subject, or From. Search is not case sensitive.
Select a specific date to search on any particular date.

Junk Box - Advanced View

Additional search capabilities give administrators the ability to support users more effectively, audit more selectively, and dispose of unwanted messages with more granularity.

To use Advanced Search
1. On the Junkbox page, click the Advanced View button.
2. To search for specific threat types, clear the check boxes under the Search text box to remove the information you want excluded.
3. Click Search.

Messages matching your search criteria are displayed. To move quickly through results pages, click in the field that says Page 1 of 14 and type the result page you want to view. You can also change the number of messages displayed on each page.

As an example, suppose you wanted to see only messages that were Spam or Likely Spam. Clear all the checkboxes except the Show *Spam and Show Likely Spam check boxes. Leave all the locations selected and click Search.

Outbound Messages Stored in Junk Box

To display the outbound messages in junk box, click on the Outbound tab. Outbound message management detects messages sent by users in your organization that contain viruses, likely viruses, and messages that trigger policy alerts. Outbound message management also quarantines outbound spam, phishing, and UAS.

Working with Junk Box Messages

Unjunk
This button is available only on the inbound junk box. Select Unjunk to forward the selected messages to the recipient and add the sender of each message to the recipient's Allowed list. Unjunking a message removes it from the Junk Box.

Send Copy To
Select Send Copy To to forward a copy of the messages (including attachments, if any) to the specified address. The message will still remain in the Junk Box. This button will only be available to members of administrative group and only if they are allowed to view the messages in the Junk Box.

Release
This button is available only on the outbound junk box. Select Release to release the selected messages from the queue and forward them to the recipients. The message will be removed from the Junk Box.

Delete
Deletes the selected messages. Messages are automatically deleted after a set number of days, so there is no need to do this on a regular basis. Set the number of days messages are kept in the junk box through the System > Default Message Management > Number of days to store messages in the Junk Box field.

Message Details
You can scroll through the messages and click the Subject field to view more information about the message in plain text. Depending on your user access set up, you might see the content of the messages. To control who is allowed to preview the content of messages, go to System > User View Setup.

Managing Junk Summaries

Both administrators and users receive Junk Box summaries listing the incoming email that SonicWALL Security has classified as junk. From these messages, users can choose to view or unjunk an email if the administrator has configured these permissions. From the Junk Box Summary window, users can determine the language, frequency, content, and format of Junk Box summaries.

To configure Junk Box Summaries:
1. Select the timing and frequency for summaries.
2. Select the language for Junk Box summaries from the Language of summary list.
3.

Supported Search in Audit and Junkbox

The following types of search can be performed in the To, From, or Subject field.

Boolean Search
OR Operator: This is the default search. Add OR in between search words. The results will contain any of these search words.

AND Operator: Add + before the search word (or) AND in between search words. Each result must contain these words.
NOT Operator: Add - before the search words (or) NOT in between search words. The results must not contain these search words.

Wildcard Search
* operator: Add * to the middle or end of the word. This substitutes more than one character to the search word, and attempts to perform a search on all possible words.
? operator: Add ? to the middle or end of the word. This substitutes one character and will find the match for the word.
Note: Wildcard operators should be added to the middle or end of the text, rather than at the beginning.

Phrase Search
A phrase is a group of words surrounded by quotes. The exact phrase will be searched.

Fuzzy Search
Add ~ to the end of the word to search for the closest possible match. This search is useful when search words have an error, or the exact spelling for the text is unknown.

Proximity Search
This searches for words closer to each other. The syntax is word1 word2 ~distance
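The Boolean, wildcard and phrase operators described above can be modelled in a short script to predict which Junk Box entries a query will return before it is used in an audit. This is an added example, not SonicWALL code: the function names, the constructed sample messages and the rule for combining required and optional words are assumptions, and fuzzy and proximity search are not modelled.

```python
import re

# Constructed sample Junk Box entries (not real data).
JUNK_BOX = [
    {"from": "billing@vendor.example", "subject": "Invoice 4471 overdue - wire transfer required"},
    {"from": "news@shop.example", "subject": "Weekly newsletter: invoice templates on sale"},
    {"from": "it-support@corp.example", "subject": "Password reset required today"},
    {"from": "hr@corp.example", "subject": "Updated payroll schedule"},
]

# A token is an optionally signed quoted phrase, or a run of non-space characters.
TOKEN = re.compile(r'([+-]?)"([^"]+)"|(\S+)')


def word_regex(word):
    """Compile one search word: * stands for a run of characters, ? for exactly one."""
    if word[0] in "*?":
        # The guide says wildcards go in the middle or at the end, never at the start.
        raise ValueError("wildcards belong in the middle or at the end of a word")
    body = "".join(r"\w*" if c == "*" else r"\w" if c == "?" else re.escape(c) for c in word)
    return re.compile(r"(?<!\w)" + body + r"(?!\w)", re.IGNORECASE)  # search is not case sensitive


def phrase_regex(phrase):
    """Compile a quoted phrase: the words must appear together, in order."""
    words = [re.escape(w) for w in phrase.split()]
    return re.compile(r"(?<!\w)" + r"\s+".join(words) + r"(?!\w)", re.IGNORECASE)


def parse_query(query):
    """Return [kind, regex] clauses, kind being 'must', 'must_not' or 'should'."""
    clauses, pending = [], None
    for m in TOKEN.finditer(query):
        sign, phrase, word = m.group(1) or "", m.group(2), m.group(3)
        if phrase is None:
            if word in ("AND", "OR", "NOT"):
                # "a AND b" makes the word before AND required as well.
                if word == "AND" and clauses and clauses[-1][0] == "should":
                    clauses[-1][0] = "must"
                pending = word
                continue
            if word[0] in "+-" and len(word) > 1:
                sign, word = word[0], word[1:]
            pattern = word_regex(word)
        else:
            pattern = phrase_regex(phrase)
        if sign == "+" or pending == "AND":
            kind = "must"
        elif sign == "-" or pending == "NOT":
            kind = "must_not"
        else:
            kind = "should"  # OR is the default operator
        clauses.append([kind, pattern])
        pending = None
    return clauses


def matches(query, text):
    """Assumed combination rule: NOT words veto, AND words are all required,
    and plain (OR) words decide the result only when no AND word is present."""
    hits = [(kind, bool(rx.search(text))) for kind, rx in parse_query(query)]
    if any(hit for kind, hit in hits if kind == "must_not"):
        return False
    musts = [hit for kind, hit in hits if kind == "must"]
    if musts:
        return all(musts)
    return any(hit for kind, hit in hits if kind == "should")


def search(field, query, messages=JUNK_BOX):
    """Return the indexes of the messages whose field matches the query."""
    return [i for i, msg in enumerate(messages) if matches(query, msg[field])]


if __name__ == "__main__":
    for q in ("invoice payroll", "+invoice -newsletter", "pa*", '"wire transfer"'):
        print(q, "->", [JUNK_BOX[i]["subject"] for i in search("subject", q)])
```
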

CHAPTER 11 Reports and Monitoring

SonicWALL Security allows you to view system status and data through the Reports and Monitoring module. View statistics for different time periods on the local system or the mail transfer agent (MTA). Monitor the flow of traffic passing through Security in real time. Use SNMP to send information to a monitoring agent.

This chapter contains the following sections:
Status Reports on page 1
Reporting in SonicWALL Security on page 5
Advanced on page 11
SNMP Monitoring on page 13

Status Reports

For a description of the different monitoring methods available in SonicWALL Security, see the following sections:
System Status on page 1
MTA Status on page 1
Real-Time System Monitor on page 2
Performance Monitoring on page 2

System Status

The System Status window shows the status of SonicWALL Security and the status of connections with other systems that it needs to communicate with. A green check indicates the system is functioning as expected and a red X indicates it is not. The lower half of the System Status window in the Control Center Status section shows system statistics, including the disk space used by the Junk Box, free disk space on the data drive, and free disk space on the install drive.

MTA Status

The MTA status page gives details on the status of the mail transfer agent (MTA) if one or more paths have been configured to act as MTAs. The following options are available on this screen:

MTA Status
One or more paths are configured to be MTAs - Will be set to Yes if one or more paths have been configured to act as MTAs; will be set to No otherwise.
MlfMTA service is running - If the MTA is running as expected, this field will show a checkmark in a green circle. If the MTA is not running as expected, the field will show an X in a red circle.

MTA Totals by Host
If one or more paths are configured to act as MTAs, this section will provide additional information about their host.
Host - This column shows the name of the host(s).
Number of messages delivered in last hour - This column shows the number of messages delivered by the MTA in the last hour.
Number of message recipients in all queues combined - This column shows the sum of the messages in the queues of all the MTAs.

MTA Status on Inbound/Outbound Paths
If one or more paths are configured to act as MTAs, these two sections will provide additional information about the paths. The columns and the values they represent are:
Host (src/listen/dest) - This column shows the various paths you configured in the Network Architecture section. src is the source IP contacting path: the IP address of a machine that is allowed to connect to and relay through this path. listen is the IP address and port on which this path listens for connections. dest is the destination to which this path routes email.
Path is configured to be an MTA - This column shows whether the listed path is configured to be a proxy or an MTA.
Number of message recipients in queue - This column lists the number of messages in the queue if the path is an MTA. If it is a proxy, messages are not queued and this column will indicate N/A. To see details about the messages in a queue, click the Show Details link for that queue. To see details for messages on a particular server, you must log in to SonicWALL Gateway on that server.

Real-Time System Monitor

The Real-Time System Monitor page provides real-time information on the flow of email passing through SonicWALL Security. The Message Throughput History graph shows the number of emails processed by this server per second. The Message Bandwidth History graph shows the total bandwidth used for email in bytes per second. The bandwidth is the sum of the sizes of all the messages passing through this SonicWALL Security server per second.

Performance Monitoring

This feature allows administrators to view and compare performance metrics with the Security interface without downloading and formatting CSV files. The performance monitoring section displays data that has always been collected by SonicWALL Security. Performance monitoring allows administrators to monitor a single metric over a period of time, or to compare two metrics. Once an administrator creates a graph, the graph can be saved or emailed to share with others who do not have administrator privileges.

Reading Performance Monitoring

There are two ways of viewing the data: by comparing data from the same day but different process metrics, or by comparing data of the same process metric across several days.

The "View Multiple metrics for a given date" option creates a graph which contains one or two process metrics for a given date. If there are two metrics, a second y-axis scale will appear at the right-hand side of the graph for the interpretation of the second metric.

The "Compare many data files for a single performance metric" option creates a graph for a single process metric across multiple days. Each day's worth of data is a line of a different color. Up to six data files can be displayed.

Graphs are shown for a 24-hour period starting and ending at midnight GMT+0. Once a graph is specified, it will not display or redraw until the "Refresh Reports" button is clicked. To view the raw data files used to build a particular graph, click either the "Email to" or the "Download" buttons and a ZIP file containing the data files and also the bitmap will be provided accordingly.

Creating a Performance Monitoring Graph

To create a performance monitoring graph
1. Log into your Security as an administrator.
2. Choose Reports & Monitoring from the left navigation bar.
3. Choose Monitoring.
4. Choose Performance Monitoring. You will see the empty performance monitoring graphs.
5. Choose the type of performance graph you want.
6. For the multiple metrics graph:
   Select the date you want information on from the select data file dropdown box.
   Click in the first select process box and choose a process.
   Click in the first select metric box and choose a metric of the selected process.
   If you want to compare a second metric, repeat the process with the second set of dropdown boxes.
7. Click the Refresh button. You will see the performance graph for those metrics on that day.
8. For the multiple days graph:
   Select the process and metric you want information on.
   Select your dates from the data file dropdown boxes.
9. Click the Refresh button. You will see the performance graph for that metric on those days.

Monitored Metrics

The following processes are currently monitored and available as data files. These data files have always existed, but the information is now more readily accessible.
Monitoring Service
Tomcat Service
Replicator Service
SMTP Server
Thumb Updater Service
Database Service
Operating System
MTA Service
Message Statistics

Metrics List

These are the process metrics that are being tracked and stored in the data files. Most of these metrics exist in each process. The most common metrics appear in the table below. Metrics not shown in the list are usually System process monitoring.

Process Metric: Description
DHA Msgs: Number of messages classified as directory harvest attacks. DHA messages are addressed to invalid users at your domain.
%Disk Time: The percentage of elapsed time that the selected disk drive was busy servicing read or write requests.
Fraud Msgs: Number of messages identified as fraudulent and delivered to the junk box.
Good Msgs: Number of messages which were delivered without any noted problems.
Likely Fraud: Number of messages which are delivered but marked as probable fraud.
Likely Spam: Number of messages which are delivered but marked as probable spam.
Likely Virus: Number of messages which are delivered but marked as probably virus-infected.
Policy Msgs: Number of messages which triggered a policy action.
Spam Msgs: Number of messages sent to the junk box as spam.
Total Msgs: Total number of messages processed by SonicWALL Security.
Virus Msgs: Number of messages with a virus attached.
%Processor Time: The percentage of elapsed time that all of process threads used to execute instructions. An instruction is the basic unit of execution in a computer, a thread is the object that executes instructions, and a process is the object created when a program is run. Code is executed to handle some hardware interrupts and trap conditions.
Available Bytes: The amount of physical memory, in bytes, available to processes running on the computer. This is calculated by adding the amount of space on the Zeroed, Free, and Standby memory lists. Free memory is ready for use; zeroed memory consists of pages of memory filled with zeros to prevent subsequent processes from seeing data used by a previous process; standby memory is memory that has been removed from a process' working set, but is still available to be recalled. This counter displays the last observed value only; it is not an average.
Avg. Disk Bytes/Transfer: The time, in seconds, of the average disk transfer.
Avg. Disk Queue Length: The average number of read and write requests queued for the selected disk during the sample interval.
Buffer Bytes: Used in Linux systems. Buffer Bytes is the number of bytes consumed by the kernel.
Cache Bytes: The sum of the Memory\System Cache Resident Bytes, Memory\System Driver Resident Bytes, Memory\System Code Resident Bytes, and Memory\Pool Paged Resident Bytes counters. This counter displays the last observed value only; it is not an average.

Process Metric: Description
Committed Bytes: The amount of committed virtual memory, in bytes. Committed memory is the physical memory which has space reserved on the disk paging file(s). There can be one or more paging files on each physical drive. This counter displays the last observed value only; it is not an average.
Connections Established: The number of TCP connections for which the current state is either ESTABLISHED or CLOSE-WAIT.
Connection Failures: The number of times TCP connections have made a direct transition to the CLOSED state from the SYN-SENT state or the SYN-RCVD state, plus the number of times TCP connections have made a direct transition to the LISTEN state from the SYN-RCVD state.
Connections Reset: The number of times TCP connections have made a direct transition to the CLOSED state from either the ESTABLISHED state or the CLOSE-WAIT state.
Handle Count: The total number of handles this process currently has open. This number is the sum of the handles currently open by each thread in this process.
Install Dir Free Space: For Windows, the number of bytes remaining free on the installation drive.
Private Bytes: Private Bytes is the current size, in kilobytes, of memory that this process has allocated which cannot be shared with other processes.
Segments Retransmitted/sec: The rate at which segments are retransmitted, that is, segments transmitted containing one or more previously transmitted bytes.
Segments/sec: The rate at which TCP segments are sent or received using the TCP protocol.
Swap Available Bytes: Used in Linux systems. Swap Available Bytes is "Swap space which is still free to use".
Thread Count: The number of threads currently active in this process. An instruction is the basic unit of execution in a processor, and a thread is the object that executes instructions. Every running process has at least one thread.
Virtual Bytes: The current size, in kilobytes, of the virtual address space the process is using. Use of virtual address space does not imply corresponding use of either disk or main memory pages. Virtual space is finite, and the process can limit its ability to load libraries.

Reporting in SonicWALL Security

SonicWALL Security provides many types of reports. All reports allow you to optionally download the data in CSV format. You can also create custom reports by specifying a time period for the data, and download the report for analysis or email the report. Per-domain reports are available for custom and scheduled reports. See Generating Per-Domain Reports on page 6.

SonicWALL Security also provides several reports for Managed Service Provider (MSP) related data, including the following:
breakdown (custom/scheduled report only)
Bandwidth (custom/scheduled report only)
Good v Junk per domain (custom/scheduled report only)

Note: SonicWALL Security uses the Firebird Database Engine to generate reports. Make sure that there is no other installation of the Firebird Database Engine on the same server as SonicWALL Security.

By default, SonicWALL Security retains 366 days of reporting information in the database. You can change this setting in System > Advanced > Data in reports database will be removed after field. Lowering this number means less disk space will be used, but you will not have report data older than the number of days specified. If your organization's email volume is very high, you may want to consider lowering this number.

For descriptions of the different report types, see the following sections:
Overview Reports on page 6
Anti-Spam Reports on page 9
This report displays the users in your organization who receive the most spam. on page 9
Anti-Virus Reports on page 9
Policy Management Reports on page 10
Compliance Reports on page 10
Directory Protection Reports on page 10
Advanced on page 11

Generating Per-Domain Reports

When SonicWALL Security is being used as an email server for several different organizations, you can generate reports that are specific to each domain. This is especially useful in a Managed Service Provider (MSP) environment. For example, you could generate reports that show data only for sonicwall.com or only for mailfrontier.net.

Security provides a way for administrators to specify the domain for which data should be displayed. Only administrators can configure the per-domain setting. It is disabled for managers or other roles.

Per-domain reporting is supported for the following seven report types:
Inbound Good versus Junk
Junk Breakdown
Spam Caught
Messages Identified as Phishing
Inbound Viruses Caught
Inbound Policy Messages Filtered
Number of Attacks

Per-domain reporting is not available for dashboard reports or static reports. In per-domain reporting, sub-domains are not considered to be separate domains. For example, email sent to [email protected], [email protected], and [email protected] will all be included in reports for sonicwall.com.

Overview Reports

The following report types are available in the Overview Reports section of the Security management interface. See the following sections:
Reports Dashboard on page 7
Return on Investment on page 8
Bandwidth Savings on page 8
Inbound Good vs Junk on page 8

Outbound Good vs Junk on page 8
Inbound vs Outbound on page 8
Top Outbound Senders on page 8
Junk Breakdown on page 8

Reports Dashboard

SonicWALL Security displays the Dashboard window on administrator login. The Dashboard provides a lot of information about SonicWALL Security at a glance. These charts are updated hourly and display the statistics for the last 24 hours.

Good vs Junk
Displays the number of good messages versus junk messages. Junk message count includes spam, likely spam, phishing, likely phishing, viruses, likely viruses, Directory Harvest Attacks (DHA), and messages that trigger policy events.

Spam Caught
Displays the number of messages that are definitely spam and the number of messages that are likely spam.

Junk Breakdown
Displays the number of junk messages broken down into the following categories:
Spam
Virus
Phishing
Policy
Directory Harvest Attack (DHA)
You can also find this information in Junk Breakdown on page 8.

System Load Average (15 min)
Displays the system load as sampled every fifteen minutes. This chart is incremented in thousands of messages. Use this chart to judge your peak system load, and your loads through the day. If you are viewing a Remote Analyzer, this is one of the available charts.

System % Processor Time (15 min)
Displays what percentage of the processor is used, as sampled every fifteen minutes. This chart is incremented in processor percentage. Use this chart to judge whether you have sufficient processor power for your needs. If you are viewing a Remote Analyzer, this is one of the available charts.

Top Spam Recipients
Displays the total number of spam received by the top 12 recipients in your organization in the last 24 hours.

Top Outbound Senders
Displays the number of outbound messages sent by the top 12 senders in your organization in the last 24 hours.

Return on Investment

SonicWALL Security provides a tool to help determine the Return on Investment (ROI) for your organization's investment in SonicWALL Security. You can customize this tool to reflect your organization's costs of doing business. You can determine your organization's return on investment on a daily, weekly, or monthly basis from using the SonicWALL Security product. ROI numbers are computed from a formula; data accumulated by SonicWALL Security's mlfupdater and the usermap.xml file is input into the formula.

Determining the ROI for Your Organization

To determine the savings from preventing unwanted email, click Change Assumptions to enter figures that reflect your organization. An input window appears with default values.

To change the values so that they match your organization's experience:
1. Enter the appropriate values for your organization for salary, number of users, and other factors that contribute to the cost of dealing with unwanted email.
2. Click the Recalculate Report button after you enter your values; a revised ROI report appears.

Bandwidth Savings

The Bandwidth Savings report displays the number of megabytes of bandwidth that SonicWALL Security saves your organization. SonicWALL Security lowers your organization's network costs through the following actions:
Removing the high volume of junk messages that go through your network.
Quarantining junk messages in the Junk Box.
Deleting junk messages before they enter your network.

Inbound Good vs Junk

This report displays the total number of inbound messages processed by SonicWALL Security along with the total number of junk messages and good messages.

Outbound Good vs Junk

This report displays the total number of outbound messages processed by SonicWALL Security along with the total number of junk messages and good messages.

Inbound vs Outbound

The number of inbound and outbound messages processed by SonicWALL Security. This report is available only if outbound module is licensed.

Top Outbound Senders

The number of outbound messages sent by the top 12 senders in your organization. This report is available only if outbound module is licensed.

Junk Breakdown

This report gives a percentage and numeric breakdown of the various categories of junk received, including Spam, Likely Spam, Viruses, Likely Viruses, Phishing, Likely Phishing, Policy events, and Directory Harvest Attacks (DHA).

Anti-Spam Reports

SonicWALL Security provides the following anti-spam reports.

Report Name | Description
Spam vs Likely Spam | This report displays the total number and percentage breakdown of spam and likely spam messages.
Top Spam Origination Domains | This report displays the alleged domains that sent your organization the most spam emails during the time period you select. Most spam messages use spoofed addresses, hence the domains listed in this report may not be the actual originators of the spam.
Top Spam Recipients | This report displays the users in your organization who receive the most spam.

Anti-Phishing Reports

SonicWALL Security provides the following Anti-Phishing report.

Report Name | Description
Phishing Messages | The total number of messages identified as phishing.

Anti-Virus Reports

If you have licensed the Anti-Virus module, you can view the number of viruses detected by SonicWALL Security and the names of the most prevalent viruses detected.

Report Name | Description
Inbound Viruses Caught | The number of viruses detected by SonicWALL Security in the inbound traffic.
Top Inbound Viruses | The names of viruses detected by SonicWALL Security in the inbound traffic.
Outbound Viruses Caught | The number of viruses detected by SonicWALL Security in the outbound traffic.
Top Outbound Viruses | The names of viruses detected by SonicWALL Security in the outbound traffic.

Policy Management Reports

If you have created policy filters in SonicWALL Security to manage traffic, the following policy reports provide statistics on messages that triggered the policy filters.

Report Name | Description
Inbound Policies Filtered | The total number of inbound messages that SonicWALL Security has filtered based on policies that you have configured.
Top Inbound Policies | The inbound policies by name that were triggered by inbound traffic.
Outbound Policies Filtered | The total number of outbound messages that SonicWALL Security has filtered based on policies that you have configured.
Top Outbound Policies | The outbound policies by name that were triggered by outbound traffic.

Compliance Reports

The Compliance Reports are accessible once the Compliance Module is licensed.

Report Name | Description
Inbound Messages Decrypted | The total number of inbound messages decrypted. The report can be viewed on a daily, weekly, or monthly basis.
Inbound Messages Archived | The total number of inbound messages archived. The report can be viewed on a daily, weekly, or monthly basis.
Top Inbound Approval Boxes | The top inbound approval boxes by name. The report lists the approval boxes with data viewed on a daily, monthly, or yearly basis.
Outbound Messages Encrypted | The total number of outbound messages encrypted. The report can be viewed on a daily, weekly, or monthly basis.
Outbound Messages Archived | The total number of outbound messages archived. The report can be viewed on a daily, weekly, or monthly basis.
Top Outbound Approval Boxes | The top outbound approval boxes by name. The report lists the approval boxes with data on a daily, weekly, or monthly basis.

Directory Protection Reports

SonicWALL Security provides protection against directory attacks. The following directory protection reports give more information on the directory attacks your organization is subjected to.

Report Name | Description
Number of DHA Attacks | The total number of incoming messages that had incorrect addresses.

Report Name | Description
Top DHA Domains | The alleged domains from which the most frequent Directory Harvest Attacks (DHA) originate. Most junk messages use spoofed addresses, therefore the domains listed in this report may not be the actual originators of the message.

Connection Management Reports

SonicWALL Security provides connection management to reduce the traffic your system must analyze and to automatically reject connections from bad IP addresses. You can configure which IP address to ignore and also use the GRID network to add bad IP addresses to the Blocked Connection list.

Report Name | Description
Blocked Connection Breakdown | The connections which have been rejected, including information on why the connections were rejected. The report can be viewed on an hourly, daily, or monthly basis.
Greylisted Connections | The connections which have been greylisted, and whether they were blocked or accepted. The report can be viewed on an hourly, daily, or monthly basis.

Advanced

Scheduled Reports

SonicWALL Security allows you to schedule delivery of reports. You can choose the type of report, a time span the data covers, the list of recipients, etc. Data in scheduled reports is displayed in the time zone of the server on which SonicWALL Security stores data (either an All in One or a Control Center), just like the reports in the Reports & Monitoring section of the UI. Scheduled report emails are sent according to the time zone on that computer as well.

To schedule delivery of a report
1. Select the type of report from the Which Report drop-down list.
2. Select the frequency of the report from the drop-down list.
3. Select the time of day at which you would like to receive the report email. This will be in the time zone of the server on which SonicWALL Security stores data (either an All in One or a Control Center), just like the reports in the Reports & Monitoring section of the user interface.
4. Select the day of the week on which you would like to receive the report email.
5. Select the language in which you would like to receive the report email.
6. Select the time span the report will cover. For example, suppose the report frequency is 3 Days, the time span selected is 7 Days, and the report is sent at 10 AM every day. A report sent on April 24th at 10 AM will cover roughly the time period starting April 21 at 10 AM and ending April 24 at 10 AM.
7. Select the time period by which you want to see results listed. This is the unit of time to use in the bar graph. For example, if Hour is chosen, a bar line will be shown for each hour in the specified timespan.

8. Specify the name of the sender of report emails. This is a human-readable name that will appear in your mail client as the sender of the report email. This does not need to be a real name. Examples: Charles Nelson Really, My Daily Scheduled Report, SonicWALL Security Administrator, Joe Bloggs. Please use only 7-bit ASCII text.
9. Specify the email address from which this report is sent.
10. Enter a list of recipients in the text box. Separate multiple email addresses with a comma.
11. Enter a name for this scheduled report. This name will appear in the page that shows the list of scheduled reports. It will also be the subject line for the message when the scheduled report is sent.

Custom Reports

SonicWALL Security allows you to customize reports. You can choose the type of report, a range of dates for the data, or a number of hours for the data. You can also email the reports to another user.

To customize reports
1. Select the type of report from the Report Name drop-down list.
2. Select the Start and End Dates from the Date Range.
3. Select Hourly, Daily, or Monthly from the Breakdown drop-down list. You can select a period of up to 48 hours for hourly reports.
4. Select either the Display or the Email to radio button.

Note: To run a report now, select Display and click the Generate This Report link. To email a report, select Email to and enter the recipients' email addresses in the text box. Separate each email address with a comma. You can optionally enter a subject in the subject text box.

The Custom Reports page displays the generated report in a new window. If you have configured a popup blocker for your web browser, it may interfere with displaying the window with the data. Configure your browser to allow popup windows from your organization's SonicWALL Security site.

Configuring a Custom Report for Inbound Good versus Junk

This section provides a configuration sample for Custom Reports. Here is an example of how you would create a specific report and have it delivered to an email address.

To create a Custom Report for Inbound Good vs Junk
1. Select the Inbound Good vs Junk report from the Report Name drop-down list.
2. Select the Start and End Dates from the Date Range.
3. Select Hourly, Daily, or Monthly from the Breakdown drop-down list. You can select a period of up to 48 hours for hourly reports.
4. Select the Email to radio button and enter a valid email address where the report will be delivered.
5. Enter the name and email address from which the reports are sent.
6. Enter text that will show in the subject heading of the email.
7. Click Generate This Report.

SNMP Monitoring

SNMP monitoring allows you to configure your own SNMP application to query statistics from your SonicWALL Security system. In split-mode environments, the statistics are gathered on the SonicWALL Security environment as a whole, not the individual remote analyzers. All statistics are recorded from the time the system was upgraded or restarted.

For appliances, the SNMP agent runs on UDP port 161 and is accessed by an external NMS. The SNMP module is a shared object named sonicwall sec.so. SonicWALL supports the Net-SNMP library. By default, SNMP is turned on in the command-line interface.

Before you can configure SNMP monitoring, you must have the Microsoft SNMP service configured and running. You must also have the community string for your network management station (NMS) configured to the correct string for SonicWALL Security.

For software-only installations, all requests for SonicWALL Security statistics are forwarded to the Security SNMP agent by the Microsoft SNMP agent. The Security installer creates the snmpagent.dll file in the installer directory.

The following table describes the monitorable application statistics and their addresses.

OID | Statistic Name | Security Application Statistic
 | totalmsg | Total messages received
 | goodmsg | Total good messages received
 | spammsg | Total spam messages received
 | likelyspam | Total likely spam messages received
 | virus | Total virus messages received
 | likelyvirus | Total likely virus messages received
 | fraud | Total fraud messages received
 | likelyfraud | Total likely spam messages received
 | policy | Total policy messages received
 | dha | Total dha messages received
 | pmtaquelen | MTA queue length at instant of time
 | likelyspam | Total likely spam messages.

Other statistics are stored in the log directory in the snmpstats.txt file.

APPENDIX A

Installing SonicWALL Security on Windows

This chapter describes installation of SonicWALL Security on Windows operating systems.

System Requirements

To install SonicWALL Security on Windows, SonicWALL recommends the following minimum software and hardware configurations.

Operating System
- Microsoft Windows Server 2000
- Microsoft Windows Server 2003 with Service Pack 1 or Service Pack 2

Note: SonicWALL periodically offers upgraded versions of SonicWALL Security software. To enable your server to upgrade to the latest downloaded SonicWALL Security, download and install Sun's Java Runtime Environment (JRE) 1.4.2_06 or later from on the computer where you administer SonicWALL Security using your browser.

Hardware

SonicWALL recommends the following hardware for SonicWALL Security:
- Processor: Pentium 4 or Xeon or equivalent
- Memory: 1 GB minimum, 2 GB recommended
- Hard Disk: 40GB minimum, with a caching RAID controller for the data directory, 80GB recommended

SonicWALL recommends installing SonicWALL Security on a dedicated server.

SonicWALL Security Software Installer

SonicWALL Security Software installer includes the following components:
- Sun Microsystems Java Runtime Environment
- Apache Tomcat
- Firebird Database Engine
- Jaybird JDBC driver
- SonicWALL Security
- SonicWALL Security User Profiler Installers
- Port25 PowerMTA

The installer installs all these components in the appropriate location.

Note: If the Firebird database engine is already running on the server on which you install SonicWALL Security, Firebird will not get installed. Ensure that you have write access to the data directory in which you want to install SonicWALL Security.

If you have anti-virus programs running on the machines where you install SonicWALL Security, please make sure that those programs do not scan SonicWALL Security installation or data directories. If virus scanning for these directories is not disabled, the SonicWALL Security data directory can get corrupted and quarantined messages may not be retrievable for all users.

SonicWALL Security Installation Checklist

ID | Parameter | Needed During | Value (write in your values)
A | The directory path where SonicWALL Security will install | Installation | Default path: C:\Program Files\SonicWallES
B | Administrative Web Server Port | Installation | Default web server port: 80
C | The server's trusted network IP address | Login Page | Example:
D | The server's trusted fully qualified DNS name | Login Page | Example: SonicWALL Software.mycorp.com
E | SonicWALL Security License | Licensing |
F | Admin Username | Setup Administration | Default: admin
G | Admin Password | Setup Administration | Default: password
H | Admin address | Setup Administration | Example: [email protected]
I | SonicWALL Security SMTP Listening Port | Add Mail Server | Default: 25
J | Destination SMTP server DNS name or IP address | Add Mail Server | Example: mail-relay.mycorp.com
K | Destination SMTP server's port number | Add Mail Server | Default: 25
L | Domain names your organization accepts mail for | Add Mail Server | Example: mycorp.com, mycorp.net, mydivision.com
M | LDAP Server Name | LDAP Configuration | Example: mail-relay.mycorp.com
N | LDAP Port Number | LDAP Configuration | Default: 389
O | LDAP Login Name | LDAP Configuration | Example: varies by mail server, check, LDAP.
P | LDAP Password | LDAP Configuration |
Q | LDAP Directory Tree Node to Search | LDAP Configuration | Example: varies by mail server, check, LDAP.
R | Microsoft NT NETBIOS Domain Name (only required if using Active Directory or Exchange 5.5) | LDAP Configuration | Example: MYCORP check, LDAP.

Installing SonicWALL Security

You must be logged in as administrator to install SonicWALL Security. SonicWALL Security's installer alerts you if your system does not have the required physical memory. SonicWALL strongly encourages you to upgrade the memory of your server to a minimum of 1 GB for optimal effectiveness and performance.

1. Run the installer. You get the welcome screen. Click Next.
2. Read the License Agreement and click Next to agree to the terms presented.
3. SonicWALL Security provides an alert if the server where you are installing does not have Asian language packs installed.

Note: Even though this step is optional, SonicWALL Security's spam prevention capabilities may be diminished if the East Asian language pack is not installed. Also, to view messages in Asian languages, you will need to install this language pack. This language pack can be installed separately after the SonicWALL Security installation is completed.

To install the East Asian Language Pack support on Windows 2003, go to the Regional and Language Options in the Control Panel and select the Languages tab. Select the Install files for East Asian Languages check box.

To install the East Asian Language Pack support on Windows 2000, go to the Regional and Language Options in the Control Panel and select the General tab. Select all Asian languages from the Languages settings for the system.

4. Click Next to accept the default location, or Browse to select an alternate location (install checklist parameter A), and click Next.

Caution: It is important that this folder is not scanned by an anti-virus engine.

5. Choose the directory to install your data. The default destination location for SonicWALL Security files is suitable for most servers.

Note: If you are deploying multiple SonicWALL Security servers that share a folder, specify that shared folder for your data.

Note: For performance reasons, read/write access to the data directory must be fast. If the data directory is on the same disk drive as the install directory, it is almost certainly fast enough. If the data directory is shared between two or more computers, or is on a different device than the install directory, administrators need to make sure that performance requirements are met. As a general rule, there should be at least a 100 Megabit connection to the data drive and less than 10 millisecond latency to the data drive. Latency can be tested with the ping command.

Caution: It is important that this folder is not scanned by an anti-virus engine.

6. Click Next to accept the default data destination folder or click Browse to specify another folder.

7. Click Install to install these third-party products. If the required versions of Tomcat, Firebird, and the Java Runtime Environment (JRE) are not installed, they will be installed now.
8. If you are already running a Web server on port 80, you can change the port setting (install checklist parameter B). SonicWALL recommends port 8080 for Apache Tomcat if port 80 is already used. Click Next to continue.

Note: You can change the port number and also configure HTTPS access through the UI on the System > User View Setup page.

9. A window appears to say that installation is complete. Click the Finish button. SonicWALL Security displays a browser window in which you can click links to view the documentation.

Confirm Windows Services Are Running

1. Test your SonicWALL Security Software installation to confirm that SonicWALL Security services are running and you can navigate to the Login page.
2. Select Start > Programs > Administrative Tools > Services and confirm that the following services have started:
- Apache Tomcat
- MlfAsg Software
- MlfAsg Monitor
- MlfAsg Replicator
- MlfAsg Updater
- Firebird Guardian
- Firebird Server
- MlfMTA

Configuring Proxy Services for SonicWALL Security for Windows

SonicWALL Security communicates regularly with the SonicWALL Security data center to obtain updates of collaborative spam thumbprints, spam-blocking rules, Blocked Lists, and other information to help keep its spam-blocking capabilities up to date. This communication takes place via HTTP. If your organization restricts HTTP access via a proxy server, SonicWALL Security can use this proxy to communicate with the SonicWALL Security data center. To do this, you must configure SonicWALL Security to use the proxy. If SonicWALL Security does not have access to the SonicWALL Security data center, collaborative rules and allowed and blocked lists are not updated.

Configure the Proxy Server settings within Internet Explorer. By default, those settings are not visible to Windows Services, including SonicWALL Security. To make the settings visible, edit the Windows Registry with regedit, and add the following Windows Registry entry with a DWORD value of 0:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser

Then, reconfigure the proxy server settings in Internet Explorer.
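A post-install check that covers both the service list and the ProxySettingsPerUser registry entry described above, written in PowerShell as an added example (it is not SonicWALL tooling). It assumes the names in the guide are service display names; the function names and the -FixProxyPolicy switch are hypothetical, and the script only reads state unless that switch is given.

```powershell
# Added example, not part of the SonicWALL guide.
# Usage: .\Check-EsInstall.ps1            (report only)
#        .\Check-EsInstall.ps1 -FixProxyPolicy   (also writes the registry value; needs admin rights)
param([switch]$FixProxyPolicy)

# Assumption: these are the display names shown in the Services console, as listed in the guide.
$EsServiceNames = @(
    'Apache Tomcat', 'MlfAsg Software', 'MlfAsg Monitor', 'MlfAsg Replicator',
    'MlfAsg Updater', 'Firebird Guardian', 'Firebird Server', 'MlfMTA'
)
$ProxyPolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ProxyPolicyName = 'ProxySettingsPerUser'

function Get-EsServiceState {
    param([string[]]$DisplayName = $EsServiceNames)
    foreach ($name in $DisplayName) {
        # Wildcard match, because installed display names may carry a version suffix.
        $found = @(Get-Service -DisplayName "*$name*" -ErrorAction SilentlyContinue)
        if ($found.Count -eq 0) {
            New-Object PSObject -Property @{
                Expected = $name; Service = $null; Status = 'NotInstalled'; Ok = $false
            }
            continue
        }
        foreach ($svc in $found) {
            New-Object PSObject -Property @{
                Expected = $name
                Service  = $svc.DisplayName
                Status   = $svc.Status.ToString()
                Ok       = ($svc.Status -eq 'Running')
            }
        }
    }
}

function Get-EsProxyPolicy {
    # Returns the DWORD value, or 'NotSet' when the key or the value is missing.
    $item = Get-ItemProperty -Path $ProxyPolicyKey -Name $ProxyPolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    return $item.$ProxyPolicyName
}

function Set-EsProxyPolicy {
    # Create the key only when it is missing, so other policy values under it are left alone.
    if (-not (Test-Path $ProxyPolicyKey)) {
        New-Item -Path $ProxyPolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $ProxyPolicyKey -Name $ProxyPolicyName `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

$services = @(Get-EsServiceState)
$services | Sort-Object Expected | Format-Table Expected, Service, Status, Ok -AutoSize

$value = Get-EsProxyPolicy
if ($value -ne 0 -and $FixProxyPolicy) {
    Set-EsProxyPolicy
    $value = Get-EsProxyPolicy
}
'{0} = {1} (the guide requires a DWORD value of 0)' -f $ProxyPolicyName, $value

# A non-zero exit code lets a scheduled task or monitoring job flag the host.
$notOk = @($services | Where-Object { -not $_.Ok })
if ($notOk.Count -gt 0 -or $value -ne 0) { exit 1 }
```

With ProxySettingsPerUser set to 0, the Internet Explorer proxy settings apply to the whole machine rather than to each user, which is why the guide has you reconfigure them after adding the entry.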

Note: If your HTTP proxy server requires basic username and password authentication, you can set these parameters in the System > Updates page of the administration UI after you finish installation.

Uninstalling SonicWALL Security

Except in very rare cases, new versions of SonicWALL Security can be installed without uninstalling the older version. If you are required to uninstall, SonicWALL recommends that you use the Control Panel to uninstall SonicWALL Security and its components.

To remove SonicWALL Security for Windows and other installed components:
1. Select Start > Settings > Control Panel > Add/Remove Programs.
2. Click SonicWALL Security and select Change/Remove.
3. Click Apache Tomcat version number and select Change/Remove.
4. Click Java 2 Runtime Environment SE and select Change/Remove.
5. Click Java Web Start and select Change/Remove.
6. Click Firebird version number and select Change/Remove.

If you uninstall SonicWALL Security and its components, do not delete SonicWALL Security data from the SonicWALL Security installation or data directories unless directed to by SonicWALL Security Technical Support. This information will be needed when you reinstall the product.

Upgrading to SonicWALL Security 6.2

Upgrading SonicWALL does not require uninstalling previous versions. However, you should capture your settings in case you need to roll back. Your backup should include the setting files, including the per-user settings.

To back up your existing environment:
1. On your Security management system, log into your mysonicwall.com account at
2. The management system can be any computer on which you are using a Web browser to access Security.
3. In the left navigation pane under System, choose Backup/Restore. You will see the Backup/Restore page.
4. In the Manage Backups section, select Settings.
5. Click Take Snapshot Now to save the settings.
6. Click Download Snapshot to store the settings.

If, after upgrading to 6.2, you need to roll back to a previous version, go back to the Backup/Restore page and use the Manage Restores section to upload the snapshot you have stored.


APPENDIX B

Managed Service Providers

This appendix collects information useful to service providers who serve several customers. These customers may have individual domains and LDAP servers, and may have administrators who log into the Security management tools. The following components are described:
- Multiple LDAP Server Support
- Per-domain Reports and Statistics
- Per-domain DHA Settings

Overview

This appendix provides managed service providers with a suite of tools that will allow them to administer SonicWALL Security for multiple clients. The core administration of SonicWALL Security remains the same, but adding support for multiple LDAP servers expands the ease-of-use for providers. Providers can offer their clients customized reports that show only the statistics for that client's domain. Clients can configure DHA and other SonicWALL Security features on a per-domain basis, instead of applying a one-size-fits-all solution. This appendix is intended as a supplement to the information in the Administrator Guide, not as a replacement.

Multiple LDAP Server Support

SonicWALL Security allows administrators to set different filters and rules for each LDAP server. In very large organizations, multiple LDAP servers can feed one Security instance. The following table describes the actions that can be taken on a group, domain, or global level.

Function | Domain | LDAP Group | Global
Directory Harvest Attack prevention | Y | - | Y
Policy | Y | Y | Y
Reporting | Y | - | Y
Roles | - | Y | Y
Settings | Y* | Y | Y

* Requires creating a master group on the LDAP server.

Feature Overview
Using Multiple LDAP Servers

Feature Overview

The core administration of SonicWALL Security remains the same, but adding support for multiple LDAP servers expands the services providers can offer. Providers can also offer their clients customized reports that show only the statistics for that client's domain. Clients can configure DHA and other SonicWALL Security features on a per-domain basis, instead of applying a one-size-fits-all solution.

Using Multiple LDAP Servers

To connect an LDAP server to SonicWALL Security, you will need the following information:
- Server name or IP address
- Port number
- LDAP server type (Active Directory, Lotus Domino, Exchange 5.5, Sun ONE iPlanet, other)
- LDAP page size (the maximum page size which can be queried)
- Usermap frequency (how often the user information is updated from the LDAP server)
- LDAP requires SSL?
- Allow LDAP referrals?
- Authenticate using anonymous bind or login?
- Login name and password for the LDAP server administrator
- The NetBIOS domain name of your server, if relevant

Configuring SonicWALL ES for Multiple LDAP Servers

The LDAP configuration page allows administrators to configure more than one LDAP server. All LDAP servers are listed. You can edit or delete each LDAP server without affecting the connection of other LDAP servers.

To add an LDAP server:
1. Log in as the Security administrator.
2. Click System and then LDAP Configuration.
3. Click the Add Server button.
4. Fill in the connection information for the LDAP server you wish to add. Be sure to give it a unique friendly name so that you can easily identify it in the list of servers.
5. When you are done, click Apply Changes and use the test button to confirm that the LDAP server is properly connected and configured.

Administering Multi-LDAP Environments

Administrators must log into a specific domain unless they are the SonicWALL Security administrator. Once a domain administrator is logged in, she can modify the Security settings for her domain, including the anti-spam settings. The Security administrator can see all the LDAP servers attached to SonicWALL Security. The ES administrator logs in with no domain specified.

Editing LDAP Connection Information

The Security administrator configures the multiple domains.

To change the settings of an existing LDAP server
1. Log in as the Security administrator.
2. Click System and then LDAP Configuration.
3. Click the server name link or the Edit (pencil) button associated with the friendly name of the LDAP server you want to change.
4. Edit the details of the LDAP server using the information you have collected.
5. In the Global Server Mapping section, you can enter aliases for your pseudo-domains. In this example, the administrator can configure aliases (on the right side) to correspond with the pseudo-domain. Aliases must be unique and can consist of lowercase alpha-numeric characters and underscores. Aliases are separated by commas.
Note: Do not change the NetBIOS domain mappings. Doing so will break the links to the pseudo-domain.
Choose whether to show drop-down aliases. If so, administrators must use username@alias to log in.
6. When you are done, click Apply Changes and use the test button to confirm that the LDAP server is properly connected and configured.

Users and Groups

The administrators of each organization can create a master LDAP group that encompasses all their users and groups. That master group can then be used to administer Security settings across the organization, even if there are multiple domains. With a group that contains all the members of the LDAP, the administrator effectively administers the LDAP.

Users

When an administrator logs in and views the Users page, she sees all the addresses that exist on that instance of SonicWALL Security. The administrator can then narrow the view to only the entries from that LDAP.

Note: The Using Source selection allows administrators to access users who were added directly to SonicWALL Security, and did not come in through an LDAP entry. These entries will not be deleted with an LDAP deletion.

To filter the user view setup by source
1. Log in as the Security administrator.
2. Click Users & Groups and then Users.
3. Scroll down to User View Setup.

4. From the Using Source drop-down menu, choose the LDAP source associated with the users you want to view. Click Go. You will see only the users associated with that LDAP source.

The list of users can be sorted by user name, primary address, user rights, or source. If you have already filtered by source, sorting by source will not retrieve anything outside the filter. To sort a list of users, click on the column heading that describes the sort type. Click again to sort in reverse order.

Each LDAP user record has a checkbox next to it. To edit a user or users, check the box. If you select one user, you can log in as that user or edit that user's rights, for example, to elevate them to group admin or help desk-level rights. If you select more than one user, you can only change their message management style to the default style.

Because there are usually many records in an LDAP source, SonicWALL Security has provided several ways of looking for a specific user.

To find a specific user
1. Log in as the Security administrator.
2. Click Users & Groups and then Users.
3. Scroll down to User View Setup.
4. From the Find all users in column drop-down menu, choose either the username or the primary address to search on.
5. Choose which type of search you want. Exact matches are the fastest, but matches that contain your search term may help you more if you cannot remember the exact username or address you are looking for.
6. Enter your search term.
7. Click Go. You will see the users who match your search criteria.

If you want to add a user who does not appear in the automatically generated list from your LDAP, you can choose to manually add an account. If an LDAP is not provided, the user will be added to the default LDAP source. You cannot add users to your LDAP from the SonicWALL Security interface.

To add a user
1. Log in as the Security administrator.
2. Click Users & Groups and then Users.
3. Scroll down to User View Setup.
4. Click Add.
5. Enter the user's fully-qualified address, choose a source (if any), and any aliases you wish to associate with the user.

To delete a user
1. Log in as the Security administrator.
2. Click Users & Groups and then Users.
3. Scroll down to User View Setup.
4. Select the user you wish to delete. Deleting a user will not remove the user's LDAP entry, only the entry in the Security.
5. Click Add.

Groups

Administering groups

Use groups within SonicWALL Security to incorporate or extend existing LDAP groups. You can also change a group's security role in SonicWALL Security and view the membership of a group.

To filter the group view by source
1. Log in as the Security administrator.
2. Click Users & Groups and then Groups.
3. Scroll down to Assign Roles to Groups Found in LDAP.
4. From the Using Source drop-down menu, choose the LDAP source associated with the groups you want to view. Click Go.
5. If you do not see the group you want, click the Add Group button. You can choose an existing group from one of your sources. You cannot create a group that does not exist.

You can change each group's role in SonicWALL Security. Security roles determine a user's permissions to change Security settings, including user settings.

To change a group's role
1. Log in as the Security administrator.
2. Click Users & Groups and then Groups.
3. Scroll down to Assign Roles to Groups Found in LDAP.
4. Select the box next to the group you want to change.
5. Click Edit Role.
6. In the pop-up window, choose the role you want that group to have. You can choose only one role per group. If a user is in multiple groups, permissions are granted in the order in which the groups are listed in the user's profile.
7. Click Apply Changes. You will see a status update at the top of the page.

You can view the members of a group in SonicWALL Security.

To view the members of a particular group
1. Log in as the Security administrator.
2. Click Users & Groups and then Groups.
3. Scroll down to Assign Roles to Groups Found in LDAP.
4. Select the box next to the group whose membership you want to see.
5. Click List Members. You will see a pop-up window that lists the group's membership by primary address.

Setting Junk Blocking by Group
You can use the existing LDAP groups to configure the filtering sensitivity for different user groups. For example, your sales group might need to receive email written in foreign languages.

To set junk blocking by group
1. Log in as the Security administrator.
2. Click Users & Groups and then Groups.
3. Scroll down to Set Junk Blocking Options for Groups Found in LDAP.
4. Under Using LDAP, select your LDAP.
5. Select a group to edit.
6. Click Edit Junk Blocking Options. You will see the Group Junk Blocking Options window. Follow the recommendations described in Chapter 5, Anti-Spam Anti-Phishing Techniques.

Policy Groups
To manage policy groups from multiple LDAP servers
1. Log in as the Security administrator.
2. Click Policy and Compliance and then Policy Groups.
3. Select the LDAP source and click the Go button. You are connected to that LDAP server.
4. Click the Add Group button. The groups on that LDAP server are retrieved and presented to you.
5. Choose the groups you want to add policies to.
6. When you have selected the groups, click the Add Group button. Your groups are added.
7. You can now apply policies to these groups. If a user is a member of more than one group, actions will only be taken on the first group the system reads.

Address Rewriting
In a multiple LDAP server environment, administrators can map incoming or outbound addresses to new apparent domains. This feature also allows you to expand an email list into its constituent members.

To configure Address Rewriting on a per-LDAP basis:
1. Log in as the Security administrator.
2. Click System and then Network Architecture.
3. Scroll down and click the Address Rewriting button.
4. Click the Add New Rewrite Operation button.
5. In Type of Operation, choose LDAP Rewrite to Primary. If you are on the Inbound tab, you could also choose LDAP List Expansion.
6. Enter the information for the operation you have chosen.
7. Enter a name for the rewrite operation.
8. Click Save This Rewrite Operation.

Per-domain Reports and Statistics
Reporting is a powerful tool for any administrator. SonicWALL Security offers providers a way to give clients reports specifically tailored for their domain or domains. Clients can then see the data most relevant to them. Reports are fully described in Chapter 11, Reports and Monitoring. Security provides a way for administrators to specify the domain for which data should be displayed.

Per-domain reporting is supported for the following seven report types:
- Inbound Good versus Junk
- Junk Breakdown
- Spam Caught
- Messages Identified as Phishing
- Inbound Viruses Caught
- Inbound Policy Messages Filtered
- Number of Attacks

Per-domain reporting is not available for dashboard reports or static reports. The following procedure describes how to generate a single-domain report for the Inbound Good versus Junk statistic. The steps for selecting a single domain are the same for each of the reports.

To generate a per-domain report on Inbound Good versus Junk
1. Log in as the Security administrator.
2. Choose Reports & Monitoring and then Inbound Good vs Junk.
3. Choose the Customize button in the upper-right.
4. In the Custom Reports window, enter the domain you want a report on in the Report shows sent to these domains field. The format for a domain is sonicwall.com. You do not need to add the @ sign. If you want a report on more than one domain, separate each domain with a comma.
5. Choose whether you want the report to display or be sent to a designated address or addresses. If you want it mailed, provide the recipient addresses and sender information.
6. Click Generate This Report.

Per-domain DHA Settings
Directory Harvest Attacks can be globally blocked by SonicWALL Security. Administrators can also choose to turn DHA protection on or off for specific domains.

To manage DHA protection for specific domains
1. Log in as the Security administrator.
2. Choose System and then Connection Management.
3. In the Intrusion Protection section, you can choose to use the same blocking method for all domains, or specify some domains to treat differently.
4. Choose an option that determines how the domains you name will be handled.
5. Type the first domain. After each domain, press enter and type the next domain.
6. When you have added all the domains, click Apply Changes.

APPENDIX C
LDAP

This Appendix details specific LDAP configuration settings for popular mail server environments, such as Microsoft Exchange and Lotus Domino.

Configuring Microsoft Active Directory

LDAP Server
Microsoft Exchange 2000, 2003, and 2007 use Microsoft Active Directory (AD) for user login, address and aliases.

Server Name (configuration parameter M): In this field, enter the IP address or DNS name of one of your Active Directory servers. Different Active Directory servers in the same domain tree replicate their information amongst each other. Any AD server should have all the data required by SonicWALL Security. If you have more than one tree, specify the Global Catalog.

Port (configuration parameter N): The default LDAP port is 389. Unless your Active Directory server has been configured for another port (highly unlikely), use the default port number. If you are specifying a Global Catalog, use port

Login Information
Anonymous Bind: Do not use this setting with Active Directory. Active Directory servers can be configured to allow for anonymous access. However, by default, the Active Directory anonymous access setting does not provide enough directory information for SonicWALL Security.

Login (configuration parameter O): Specify a user login that has access to browse the Active Directory and has site-level permissions to add and delete people in the directory. By default, Active Directory allows all users to browse the directory. However, if your Active Directory does not allow this, use a login name with administrative privileges.

Note: This user must have site-level permissions; otherwise, mail will be halted.

The proper format for the login name is:
    NT-DOMAIN\USERNAME
For example, if your NT Domain is MYCORP, the syntax for the login name is: MYCORP\Administrator. If you do not know your DOMAIN name, see Windows Domains on page 30.

LDAP Query
Directory Node to Search (configuration parameter Q): Specify your top level Active Directory domain using LDAP syntax. For example, if your top level Active Directory domain name is mycorp.com, the LDAP syntax is:
    dc=mycorp,dc=com

Note: If you have more than one Directory Node that you intend to use, separate the nodes with an ampersand (&). For example:
    DC=sales,DC=xyz,DC=com&DC=engr,DC=xyz,DC=com

To discover your Active Directory domain(s), from an Active Directory server go to Start->Programs->Administrative Tools->Active Directory Domains and Trusts. All your Active Directory domains are listed in this window. In the example, spamurus.com is the Active Directory Domain name. The LDAP syntax is:
    dc=spamurus,dc=mailfrontier,dc=com

Filter: The Active Directory default filter for getting the users is the following:
    (&(|(objectclass=group)(objectclass=person))(mail=*)(samaccountname=*))
This filter provides SonicWALL Security with all the necessary information for users and distribution lists. The default filter for getting groups is:
    (objectclass=group)

User Login Name Attribute: The Active Directory default user login attribute is the following:
    samaccountname

Alias Attribute: The Active Directory default alias attributes are:
    proxyaddresses, legacyexchangedn

Group Name Attribute: The Active Directory default group name attribute is:
    cn

Group Member Attribute: The Active Directory default attribute that contains the members of a group is:
    member

Attribute to indicate groups that users belong to: The Active Directory default attribute that contains the groups a user belongs to is:
    memberof

Windows Domains
User authentication requires the use of Windows NT/NetBIOS Domain Names. Just like the Windows login screen, the SonicWALL Security login screen has three elements: the User name, Password and Domain. Enter each of your Windows Domains into the Domain List (configuration parameter R).

To discover your Windows Domain Name, enter these commands from an Active Directory server
1. Go to Start > Programs > Administrative Tools > Active Directory Domains and Trusts.
2. Select one of the Active Directory domains listed on the left side of the screen.
3. Click Action > Properties from the menu. The value in the Domain name (pre-windows 2000) is your Windows Domain Name.

Login to SonicWALL Security
To log in to SonicWALL Security, users enter their Active Directory username and their password and select the Windows Domain to which they belong. This list of domains is populated by the entries you made in System > LDAP Configuration. If the password matches the Active Directory password, the user is logged in.

Multiple Domain Trees in One Forest
If you have more than one domain tree in one Active Directory forest, for example, mycorp.com and mycorp.org, you must make some minor changes to include users from all the domain trees:
1. Under LDAP Server, choose a Global Catalog server instead of a regular Active Directory Domain Controller.
2. Under Port, specify the Global Catalog port:
3. Under Directory Node, specify all the domain trees, separated by an ampersand (&). For example:
    DC=mycorp,DC=com&DC=mycorp,DC=org

Configuring Microsoft Exchange 5.5 LDAP

LDAP Server
The Microsoft Exchange 5.5 LDAP service allows SonicWALL Security access to user login, address and aliases.

Server Name (configuration parameter M): In this field, enter the IP address or DNS name of one of your Exchange 5.5 servers. Different Exchange servers replicate their information amongst each other. Any Exchange server should have all the data required by SonicWALL Security, provided they are all within the same Exchange Organization.

Port (configuration parameter N): The default LDAP port is 389. Unless your Exchange server has been configured for another port (highly unlikely), use the default port number.

Note: By default, the LDAP service for Microsoft Exchange 5.5 is turned on. If your LDAP service is not enabled, launch Exchange Administrator, go to Configuration > Protocols > LDAP, and click the Enable check box.

Login Information
Anonymous Bind: Do not use this setting with Microsoft Exchange 5.5. Exchange 5.5 servers can be configured to allow for anonymous access. However, by default, the anonymous access setting does not provide enough directory information for SonicWALL Security.

Login (configuration parameter O): Specify a user login that has access to browse the Exchange 5.5 Directory. By default, Exchange 5.5 allows all users to browse the directory. However, if your Exchange server does not allow this, use a login name with administrative privileges. The proper format for the login name is:
    cn=exchange username
For example, if your Exchange 5.5 user name is bsmith, the exact syntax would be: cn=bsmith.

LDAP Query
Directory Node To Search (configuration parameter Q): Specify your Exchange Organization name using LDAP syntax. For example, if your Exchange Organization name is MyCorp, the LDAP syntax is o=mycorp.

Note: If you have more than one Directory Node that you intend to use, separate the nodes with an ampersand (&). For example:
    DC=sales,DC=xyz,DC=com&DC=engr,DC=xyz,DC=com

To discover your Exchange Organization Name, from an Exchange Server, go to Start->Programs->Microsoft Exchange->Microsoft Exchange Administrator. Your Microsoft Exchange Organization name is listed as the top element of the tree visible on the left-hand side of the Administrator tool. In the example, the Exchange Organization name is SonicWALL Security, Inc. The LDAP syntax is:
    o="MailFrontier, Inc."

Note: Quotation marks (" ") are required if your Exchange Organization name has spaces, like the example shown.

Filter: The Exchange 5.5 default filter is the following:
    (&(|(objectclass=groupofnames)(objectclass=person))(mail=*)(uid=*))
This filter will provide SonicWALL Security with all the necessary information for users and distribution lists. The default filter for getting groups is:
    (objectclass=groupofnames)

User Login Name Attribute: The Exchange 5.5 default user login attribute is the following:
    uid

Alias Attributes: The Exchange 5.5 default alias attributes are:
    distinguishedname, othermailbox, rfc822mailbox

Group Name Attribute: The Exchange 5.5 default group name attribute is:
    cn

Group Member Attribute: The Exchange 5.5 default attribute that contains the members of a group is:
    member

Attribute to indicate groups that users belong to: The Exchange 5.5 default attribute that contains the groups a user belongs to is:
    memberof

Windows Domains (configuration parameter R)
User authentication requires the use of Windows NT/NetBIOS Domain Names. Just like the Windows 2000 login screen, the SonicWALL Security login screen has three elements: the User name, Password and Domain. SonicWALL Security uses a convention that should be familiar to users. Enter each of your Windows Domains into the Domain List.

Login to SonicWALL Security
To log in to SonicWALL Security, a user enters their Exchange 5.5 username and their password and then selects the Windows Domain to which they belong. This list of domains is populated by the entries you made in System > LDAP Configuration. If the password matches the Exchange 5.5 password, the user is logged in.

Configuring Lotus Domino R5 LDAP

LDAP Server
The Lotus Domino R5 LDAP service allows SonicWALL Security access to user login, address and aliases. SonicWALL Security queries your LDAP server for all the addresses under the directory node you specified. By default, your Lotus server is configured to return all the entries requested; however, you may have changed the configuration to limit the number of entries returned per query. If the LDAP Configuration page warns you that it was not able to get the complete list of users, or if you notice users missing from the User Management page, change your Domino Server LDAP Configuration to increase the maximum limit.

Server Name (configuration parameter M): In this field, enter the IP address or DNS name of one of your Lotus Domino servers. Different Domino servers replicate their information amongst each other. Any Domino server should have all the data required by SonicWALL Security.

Port (configuration parameter N): The default LDAP port is 389. Unless your Domino server has been configured for another port (highly unlikely), use the default port number.

Note: By default, the LDAP service for Lotus Domino R5 is turned off. If your LDAP service is not enabled, run the LDAP Server task from the Domino Administrator->Server console. For more information about the LDAP Server, please refer to the Lotus Domino R5 documentation.

Login Information
Anonymous Bind: Do not use this setting with Lotus Domino R5. Domino R5 servers can be configured to allow for anonymous access. However, by default, the anonymous access setting does not provide enough directory information for SonicWALL Security.

Login (configuration parameter O): Specify a user login that has access to browse the Domino Directory. By default, Domino allows all users to browse the directory. However, if your Domino server does not allow this, use a login name with administrative privileges.
    shortname
For example, if your Domino short name is bsmith, the exact syntax would be bsmith.

Note: To successfully connect to the Domino Server, your Domino ID must have an Internet Password.

LDAP Query
Directory Node to Search (configuration parameter Q): Specify your Lotus Domino Domain name using LDAP syntax. For example, if your Lotus Domino Domain name is MyCorp, the LDAP syntax is o=mycorp.

Note: If you intend to use more than one Directory Node, separate the nodes with an ampersand (&), for example:
    DC=sales,DC=xyz,DC=com&DC=engr,DC=xyz,DC=com

Filter: The Lotus Domino R5 default filter can be configured in two ways, depending on whether your users will want to connect via their short name (that is, bsmith) or common name (that is, Bob Smith). If you would like to use the short name, use the following filter:
    (&(objectclass=person)(mail=*)(shortname=*))
If you would like to use the common name, use this filter:
    (&(objectclass=person)(mail=*)(cn=*))
Either of these filters will provide SonicWALL Security with all the necessary information for users. The default filter for getting groups is:
    (objectclass=dominogroup)

User Login Name Attribute: If you would like the users to connect via their short name, use the following:
    shortname
If you would like the users to connect via their common name, use the following:
    cn

Alias Attributes: The Lotus Domino default alias attribute is:
    shortname

Note: Lotus Domino R5 allows SMTP aliases to be defined in the short name or user name fields. However, SonicWALL Security only supports SMTP aliases defined in the short name field. The user name is not exposed via LDAP.

Group Name Attribute: The Lotus Domino default group name attribute is:
    cn

Group Member Attribute: The Lotus Domino default attribute that contains the members of a group is:
    member

Attribute to indicate groups that users belong to: There is no Lotus Domino default for this attribute.

Windows Domains (configuration parameter R)
Windows Domains are not needed for Lotus Domino R5.

Login to SonicWALL Security
To log in to SonicWALL Security, a user enters either their Lotus Domino short name or common name, depending on how you configured LDAP, and their password. If the password matches the Lotus Domino internet password, they are allowed to log in.

Note: SonicWALL Security depends on a person document having an internet password defined. If an Internet password is not defined, SonicWALL Security will not be able to authenticate the password provided by the user.

Configuring SunOne/iPlanet Messaging Server

LDAP Server
SunOne/iPlanet Messaging Server uses SunOne/iPlanet Directory for user login, address and aliases.

Server Name (configuration parameter M): In this field, enter the IP address or DNS name of your SunOne/iPlanet Directory server.

Port (configuration parameter N): The default LDAP port is 389. Unless your Domino server has been configured for another port (highly unlikely), use the default port number.

Login Information
Anonymous Bind: Do not use this setting with SunOne/iPlanet Directory Server. SunOne/iPlanet Directory servers can be configured to allow for anonymous access. However, by default, the anonymous access setting does not provide enough directory information for SonicWALL Security.

Login (configuration parameter O): Specify a user login that has access to browse the SunOne/iPlanet Directory. By default, SunOne/iPlanet allows all users to browse the directory. However, if your SunOne/iPlanet server does not allow this, use a login name with administrative privileges. The easiest ID to use is the Directory Manager. If you choose to use Directory Manager, use the following syntax:
    cn=directory Manager

Note: You can use a specific user for binding purposes. However, you must know the full distinguished name for this user. For example:
    uid=joe,ou=people,o=mycorp.com,o=internet

LDAP Query
Directory Node to Search (configuration parameter Q): Specify your SunOne/iPlanet Messaging server User Directory Subtree using LDAP syntax. An example of a root level node is:
    o=mycorp, o=internet

Note: If you have more than one Directory Node that you intend to use, separate the nodes with an ampersand (&); for example:
    DC=sales,DC=xyz,DC=com&DC=engr,DC=xyz,DC=com

To discover your SunOne/iPlanet root node, start the SunOne/iPlanet Console.

Note: This is sometimes called the Netscape Console.

Your User Directory Subtree is listed on the main properties screen of the Console.

Filter: The SunOne/iPlanet default filter is as follows:
    (&(|(objectclass=inetmailgroup)(objectclass=person))(mail=*)(cn=*))
This default filter will provide SonicWALL Security with all the necessary information for users and distribution lists. The default filter for getting groups is:
    (|(objectclass=inetmailgroup)(objectclass=groupofuniquenames))

User Login Name Attribute: The SunOne/iPlanet default user login attribute is the following:
    cn

Alias Attributes: The SunOne/iPlanet default alias attribute is:
    mailalternateaddress

Group Name Attribute: The SunOne/iPlanet default group name attribute is:
    cn

Group Member Attribute: The SunOne/iPlanet default attribute that contains the members of a group is:
    uniquemember

Attribute to indicate groups that users belong to: The SunOne/iPlanet default attribute that contains the groups a user belongs to is:
    memberof

Note: For large organizations, the default LDAP query window might be too small to retrieve all the users. If all the users in your organization do not appear in SonicWALL Security, you must increase the limit.
1. Open the SunOne/iPlanet console.
2. Double-click the Directory Server icon and select Configuration->Database.
3. Under the Performance tab, increase the Look through limit to a large enough number. For example, if you have 50,000 users and distribution lists in your organization, make this number 50,000.

Windows Domains (configuration parameter R): Windows Domains are not needed for SunOne/iPlanet Directory.

Login to SonicWALL Security
To log in to SonicWALL Security, users enter their SunOne/iPlanet common name (that is, Colin Brown) and their password. If the password matches the SunOne/iPlanet Directory password, they are allowed to log in.
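An added example, not part of the SonicWALL guide: a small Python evaluator for the default filters and the ampersand-separated Directory Node field described in this appendix, run against constructed directory entries to show which accounts a filter selects before you point the appliance at a directory. The filters are written with the standard RFC 4515 `|` (OR) operator; the entries, the `example.test` addresses and all function names are assumptions.

```python
import re

# Attribute names as used in this appendix (letters, digits, hyphen).
ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*\Z")

def split_nodes(directory_node):
    """Split the '&'-separated Directory Node field into individual base DNs."""
    return [part.strip() for part in directory_node.split("&") if part.strip()]

def parse_filter(text):
    """Parse the RFC 4515 subset used here: &, |, !, attr=value and attr=* (presence)."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected text at offset {pos}: {text[pos:]!r}")
    return node

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"operator {op!r} has the wrong number of operands")
        node = (op, children)
    else:
        end = s.find(")", i)
        if end == -1:
            raise ValueError("unterminated filter item")
        attr, sep, value = s[i:end].partition("=")
        if not sep or not ATTR_RE.match(attr):
            raise ValueError(f"malformed item {s[i:end]!r}")
        node = ("=", attr.lower(), value)
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict: lowercase attr -> list of values)."""
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    if node[0] == "|":
        return any(matches(child, entry) for child in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                      # presence test: attribute must exist
        return bool(values)
    return any(v.lower() == value.lower() for v in values)

def select(filter_text, entries):
    """Return the cn of every entry the filter selects."""
    tree = parse_filter(filter_text)
    return [e["cn"][0] for e in entries if matches(tree, e)]

AD_USER_FILTER = "(&(|(objectclass=group)(objectclass=person))(mail=*)(samaccountname=*))"
AD_GROUP_FILTER = "(objectclass=group)"

# Constructed sample entries (not taken from any real directory).
ENTRIES = [
    {"cn": ["alice"], "objectclass": ["top", "person", "user"],
     "mail": ["alice@example.test"], "samaccountname": ["alice"]},
    {"cn": ["svc-backup"], "objectclass": ["top", "person", "user"],
     "samaccountname": ["svc-backup"]},                      # no mailbox
    {"cn": ["sales-dl"], "objectclass": ["top", "group"],
     "mail": ["sales@example.test"], "samaccountname": ["sales-dl"]},
    {"cn": ["vpn-users"], "objectclass": ["top", "group"],
     "samaccountname": ["vpn-users"]},                       # security group, no mail
    {"cn": ["partner-contact"], "objectclass": ["top", "person", "contact"],
     "mail": ["p@partner.test"]},                            # no login name
]

if __name__ == "__main__":
    print("base DNs:", split_nodes("DC=sales,DC=xyz,DC=com&DC=engr,DC=xyz,DC=com"))
    print("users and lists:", select(AD_USER_FILTER, ENTRIES))
    print("groups:", select(AD_GROUP_FILTER, ENTRIES))
```

The mailbox-less service account and the contact without a login name fall outside the user filter, while the group filter also returns security groups that have no mail attribute.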

APPENDIX D
SonicWALL Security TCP Port Utilization

SonicWALL Security uses a variety of TCP ports to communicate with other network services. Each of these ports needs special attention if your organization filters TCP traffic.

Note: DMZ traffic is usually heavily filtered by multiple firewalls. Ensure that all the inbound and outbound ports SonicWALL Security requires are open.

Inbound TCP Traffic
The following inbound ports are used by SonicWALL Security:

SMTP (configurable port, usually 25)
SonicWALL Security is an SMTP proxy server. It receives email to be analyzed for characteristics of spam on SMTP port 25.

HTTP (configurable port, usually 80) or HTTPS, port 443
SonicWALL Security hosts a Web server, HTTP port 80, which is used to administer SonicWALL Security's Web interface. In addition, users log in to this Web server to view their personal Junk Box and configure their anti-junk settings.

Outbound TCP Traffic
The following outbound ports are used by SonicWALL Security:

HTTP (port 80)
The SonicWALL Security server installed in your organization communicates with SonicWALL Security Anti-Spam Lab's data center via HTTP port 80. SonicWALL Security Anti-Spam Data Center is available on the Internet. HTTP requests are made via port 80 to the data center requesting anti-spam updates. If an update is available, the HTTP response returns it.

LDAP (configurable port, usually port 389) or LDAPS (configurable port 636)
The SonicWALL Security server installed in your datacenter communicates with an LDAP server inside your organization on TCP port 389 or 636.

DNS, port 53
SonicWALL Security needs to communicate with a DNS server to look up information if it is configured to check for senders' SPF records. Port 53 is the default port used for DNS queries.

SMTP (configurable port, usually 25)
If SonicWALL Security determines an email message is not spam, it needs to be delivered to the next mail server in your SMTP mail flow. SonicWALL Security sends these messages via SMTP port 25.

Split Configuration TCP Port Utilization
If your organization is configured for Split Architecture, you must also configure these settings:

Port 2599 SMTP configurable (Remote Analyzer to Control Center, bad mail routing)
SonicWALL Security Remote Analyzer communicates with Control Center for routing quarantine through port

Port 80 HTTP or port 443 HTTPS configurable (Control Center to Remote Analyzer communication)
Control center keeps all Remote Analyzers up to date with latest configuration information by communicating via port 80 or 443.

Ports and protocols used between components of SonicWALL Security and other parts of the network:

APPENDIX E
Secure Socket Layer

This Appendix explains how to configure a secure environment using Secure Socket Layer (SSL) between the following components:
- An LDAP server and SonicWALL Security Software Edition Tomcat Web server
- The Control Center and the Remote Analyzer

Note: This section refers to the SonicWALL Security Software Edition.

Overview
When a user logs into SonicWALL Security, either as a System Administrator who wants to configure the system or as a user who wants to manage their Junk Box, SonicWALL Security verifies via the LDAP protocol that the login (user ID and password) is valid. This communication between the SonicWALL Security server and the LDAP server can be encrypted using the SSL protocol. Also, if you configured the Split Network Architecture, you can use SSL between a Control Center and a Remote Analyzer to encrypt data between the two servers. For general information about SSL, see the following Web sites:

Required Components
This appendix assumes that your SonicWALL Security system includes the following components:
- SonicWALL Security Software Edition
- LDAP server
- SonicWALL Control Center
- SonicWALL Remote Analyzer

SSL Signed Certificates and Certificate Authorities
An SSL trusted certificate is a digitally signed document authenticating the server. If the client accepts the certificate as valid, it proceeds with encrypted communication with the server. It is analogous to when you present your driver's license to an airline representative to collect your boarding pass for a flight. The license provides assurance that you are who you say you are, and the airline representative accepts that and gives you your boarding pass. SSL certificates are signed by Certificate Authorities. Similar to the DMV issuing driver licenses, a Certificate Authority is an organization that provides the assurance of identity. All SSL clients have a list of trusted Certificate Authorities. SonicWALL Security recommends Verisign and Thawte as Certificate Authorities.

Use of Third-Party Vendors for Certificates
SonicWALL Security recommends you use third-party vendors Verisign and Thawte to provide you with your certificates. If you use other third-party vendors, additional procedures might be required for the certificates to be accepted, which are not documented in this guide. See the documentation that shipped with the access to the Certificate Authority.

Setting Up LDAP over SSL (LDAPS)
LDAPS between SonicWALL Security and the LDAP server involves three parts:
- Obtaining and importing a certificate from a certificate authority
- Configuring the LDAP server to use the certificate and accept an LDAPS connection
- Configuring SonicWALL Security to use an LDAPS connection

We recommend you obtain and import your certificates from the third-party vendors Verisign or Thawte. It is easier to acquire and use third-party certificates from the system when they are from the same vendor. If you use an internal certificate server, see the section, Generating a Self-Signed Certificate for LDAP over SSL on page 45.

Environment Assumptions
The following instructions use Exchange 2000/Windows 2000 Server and Exchange 5.5/Windows NT 4.0 Server as examples.

Environment Assumptions for Exchange 2000 on Windows 2000 Server
Server #1:
- Windows 2000 Active Directory Domain Controller
- Service Pack 4 (previous versions of Service Pack also work)
- Internet Information Server (IIS) 5.0
Server #2:
- Exchange 2000 running on a Windows 2000 member server in the same Active Directory domain as Server #1.

Environment Assumptions for Exchange 5.5 on Windows NT 4.0 Server
Server:
- NT4, Primary or Backup Domain Controller (PDC or BDC)
- Internet Information Server (IIS) 4.0
- Microsoft DNS server
- Option Pack 4
- Service Pack 6a
- Exchange 5.5

Obtaining and Importing A Certificate From A Certificate Authority (Exchange 2000/Windows 2000)
1. Create a certificate request on the Active Directory Domain Controller. If you do not have IIS already installed on your Active Directory Domain Controller, first create the certificate request on any IIS 5.0 server and then proceed with the steps below.
2. Go to Verisign or Thawte's Web site and follow their instructions on requesting and installing an SSL certificate.

Verisign
- To acquire the certificate
- To generate the Customer Service Request and install the certificate
- IIS 5.0-specific:

Thawte
- Main page at
- Thawte Support for various Web Servers
- Microsoft Internet Information Server 5 Key and CSR Generation Instructions
- Microsoft Internet Information Server 5 Certificate Installation

Note: Follow these guidelines for the SSL certificate name:
The Common Name in the Certificate request must match the Active Directory fully qualified domain name. Example: SSLTEST.DOMAIN.COM
The internal DNS name must match the domain name of the Active Directory Domain.
Example:
    URL: ssltest.company.com
    Active Directory Domain Controller computer name = ssltest
    Active Directory Domain name = domain.com
    TCP/IP configuration: Host = ssltest, Domain = domain.com
    Internal DNS server domain = domain.com

After you receive the certificate from the Certificate Authority, export the SSL certificate and its private key. Import the Certificate into the Certificate store on the Active Directory controller.

Obtaining and Importing a Certificate From a Certificate Authority (Exchange 5.5 / Windows NT 4.0 Server)
Access the following Web sites for general instructions:
Verisign: To generate the Customer Service Request and install the certificate:
Thawte: and select IIS4.

Note: Follow these guidelines for the SSL certificate name:
The Common Name in the Certificate request must match the Computer name and NT Domain name of the server where it will be installed.
The internal DNS name must match the domain name of the NT Domain.
Example:
    URL: ssltest.domain.com

    Exchange/NT4 computer name = ssltest
    NT4 Domain name = domain
    TCP/IP configuration: Host = ssltest, Domain = domain.com
    Internal DNS server domain = domain.com

Configure the LDAP Server to Use the Certificate and Accept an LDAPS Connection (Exchange 2000)
Configuring the LDAP server to use the certificate and accept an LDAP Over SSL (LDAPS) connection involves creating a Certificate Console. The Certificate Console allows you to manage your SSL Certificates and verify they are configured correctly. It is a Microsoft Management Console (MMC) Plug-in, and not available by default.

Configure the Certificate Console
1. Click Start > Run > MMC. The Console1 screen appears.
2. Click Console.
3. Select Add/Remove Snap-In.
4. Click Add, and select certificates from the list of Snap-in modules on the Add Standalone Snap-in screen that appears.
5. Click Add.
6. Select Computer Account on the next screen and click Next.
7. Leave the default of Local Computer on the next screen and click Finish.
8. Click Close and click OK to return to the Certificate Console.
9. Click Console > Save As, and enter Certificate Console, then click Save. This adds the Console to Administrative Tools for future use.
10. Verify the SSL certificate is in the Local Computer's Personal certificate store. Click Start > Program Files > Administrative Tools > Certificate Console.

LDAP communication to the Active Directory controller is now enabled over SSL.

Configure the LDAP Server to Use the Certificate and Accept an LDAPS Connection (Exchange 5.5)

1. Click Start > Run.
2. Enter the keyring. The Key Manager screen appears.
3. Highlight the installed SSL certificate under WWW.
4. Click Key > Export Key > Backup File, and enter a name, for example: Sslkey.
5. Enter a password to protect the SSL key, for example: my*password.
6. Highlight LDAP.
7. Click Key > Import Key > Backup File.
8. Select the SSL certificate you exported in step 3 (for example, SSLkey.key. The system automatically appends the second key).
9. Enter the password, for example: my*password.
10. When prompted for Server Connection information, click IP Address, and enter the IP address of your Exchange server.
11. Click OK.

The SSL certificate is now usable for secure LDAP communication.

Configuring SonicWALL Security to Use an LDAPS Connection

1. In SonicWALL Security, go to the System > LDAP Configuration screen.
2. Check the This server requires a secured connection (SSL) check box.
3. Change the port number to
4. Click on Apply Changes.

Note: If Exchange 5.5 resides on a Windows 200x domain controller, the default port for LDAPS, 636, is already reserved by a Directory service on the Windows 200x domain controller. According to Microsoft, you must reconfigure the Exchange Server to use another port. See Microsoft Knowledge Base Article

Generating a Self-Signed Certificate for LDAP over SSL

Prerequisites

You must have a copy of OpenSSL to generate a CA certificate. Sun's KEYTOOL program does not support Certificate Authority-issuing functionality. OpenSSL can perform this task. A Win32 binary version can be downloaded at
OpenSSL is also a part of the Cygwin utilities distribution, but it is not part of the default installation. You must manually select OpenSSL during the installation of Cygwin.

These instructions are based on the following environment:
Exchange 5.5 and IIS 4.0 on Windows NT 4.0 SP6.
SonicWALL Security Version 3 on Windows 2003 Server, originally configured to use LDAP/389
Using Sun's Java Runtime Environment on Windows (installed as part of the Windows version of SonicWALL Security)

Note: If Exchange 5.5 resides on a Windows 200x domain controller, the default port for LDAPS, 636, is already reserved by a Directory service on the Windows 200x domain controller. According to Microsoft Knowledge Base Article, you must reconfigure the Exchange Server to use another port.

Setting up SSL between SonicWALL Security and the LDAP Server

Setting up SSL between SonicWALL Security's Tomcat Web Server and the LDAP Server consists of five parts:
1. Creating a private key and Certificate Authority (CA) certificate
2. Creating an Exchange Certificate Server Request (CSR)
3. Creating a Server Certificate with the private key and CA certificate
4. Installing a Server Certificate in Exchange
5. Installing a CA certificate in Tomcat

1. Creating a Private Key and a CA Certificate

1. Install OpenSSL on any workstation.
2. Create a private key with OpenSSL. Type:
    openssl genrsa -des3 -out privatekeyfilename
When prompted, enter a password or pass phrase you can remember for this key.
Note: The command line syntax is case-sensitive.
4. Create a Certificate Authority certificate using the private key created above. Type:
    openssl req -new -key privatekeyfilename -x509 -days n -out <CACertFileName>
The -days n parameter sets the number of days, counted from today, for which the CA certificate is valid.
Example:
    openssl req -new -key PrivateKey.key -x509 -days out CACert.crt
5. When prompted for the pass phrase, enter the password you used in step 2 above and press Enter.
Note: Ensure the Common Name is the fully qualified domain name (FQDN) or the server name of the Exchange server.

2. Creating an Exchange Certificate Server Request (CSR)

1. On the server where Exchange and IIS are installed, log in as the administrator and run keyring from the command line.
2. In keyring, highlight the LDAP node and click Key > Create New Key to create a Certificate Server Request. On the dialog box where you are asked for the Common Name (CN), you must enter the fully qualified domain name (FQDN) of the Exchange server. If you do not enter a valid FQDN here, the authentication between Tomcat and Exchange will fail with the message: trusted Certificate cannot be found
3. When you type in the password for the CSR, it does not have to be the same as the one used in 1. Creating a Private Key and a CA Certificate on page 45, but for consistency, use the password you created in 1. Creating a Private Key and a CA Certificate on page 45. Otherwise, you must remember the password for this step when you install the signed key certificate later.
4. Save the CSR to a file and copy it to the workstation where you are running OpenSSL.

3. Creating a Server Certificate with the Private Key and a CA Certificate

Type:
    openssl x509 -req -days n -in <CSR from Exchange> -CA <CACertFileName> -CAkey <privatekeyfilename> -CAcreateserial -out <ServerCertFileName>
Example:
    openssl x509 -req -days in NewKeyRq.txt -CA CACert.crt -CAkey PrivateKey.key -CAcreateserial -out ServerCert.crt

4. Install the Server Certificate in Exchange

1. Take the ServerCertFileName created in 3. Creating a Server Certificate with the Private Key and a CA Certificate on page 46 and copy it to the Exchange server.
2. On the Exchange server, run keyring, locate the LDAP node and the key you created in 2. Creating an Exchange Certificate Server Request (CSR) on page 46, right-click on the key and select Install Key Certificate.
3. When the Open dialog box appears, select the ServerCertFileName and click Open.
4. When prompted for a password, type in the password used in 2. Creating an Exchange Certificate Server Request (CSR).
5. When prompted for Server Connection, select Default.

5. Install the CA certificate in Tomcat

1. Take the CACertFileName created in 1. Creating a Private Key and a CA Certificate on page 45, step 3, and install it in Tomcat on SonicWALL Security using Sun's KEYTOOL program located in C:\Program Files\Java\j2re1.4.2_06\bin. The keystore path contains a space, so enclose it in quotation marks. Type:
    keytool -import -keystore "C:\Program Files\Java\j2re1.4.2_06\lib\security\cacerts" -file CACertFileName -alias CACertName
Example:
    keytool -import -keystore "C:\Program Files\Java\j2re1.4.2_06\lib\security\cacerts" -file CACert.crt -alias CACert
2. Restart both the Exchange server and Tomcat. When the Exchange Server is restarted, look in the Event Viewer on the Exchange Box to verify that the MSExchangeDS LDAP Interface is started on both port 389 and
3. Log in to SonicWALL Security as the administrator and change the LDAP Configuration to use port 636.

4. Check the This server requires a secure connection (SSL) check box.
5. Click Apply Changes.
6. Test the LDAP Login and the LDAP Query to verify LDAPS connectivity.

Setting Up SSL Between Control Center and a Remote Analyzer

Setting up SSL between the Control Center and a Remote Analyzer includes three steps:
Generating a self-signed certificate
Setting up Tomcat to accept an HTTPS connection
Configuring a Remote Analyzer as a secure server

Generating a Self-Signed Certificate Keystore

The keystore file contains your public and private keys. Each keytool command has a -keystore option for specifying the name and location of the persistent keystore file for the keystore managed by keytool. By default, the keystore is stored in a file named .keystore in the user's home directory, as determined by the user.home system property. On Solaris systems, user.home defaults to the user's home directory.

To generate and store keys in a keystore:

NOTE: <JAVA_HOME> is a variable that represents where the Java directory is installed.

1. On Windows 2000 and Windows 2003 Server, enter the following:
    <JAVA_HOME>\bin\keytool -genkey -keyalg RSA -alias tomcat
On Unix, enter the following:
    <JAVA_HOME>/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore ~root/.keystore
Example:
    <SonicWallES>/java/bin/keytool -genkey -alias tomcat -keyalg RSA
2. Respond to system prompts regarding general system information:
Password. The default Tomcat password is changeit (all lower case).
First and last name. Enter the name of the server you are using, for example, machine1234.xyzcorp.com.
Name of your organizational unit. Example: Engineering.
Name of your organization. Example: example_company
Name of your city or locality. Example: San Francisco.
Name of your State or Province. Example: California.
2-letter country code. Example: US
The system displays the information entered for review.
3. Enter Yes to approve the entries, or edit them as necessary. The system prompts you for the same password you entered earlier. The system displays Return if it uses the same password as the .keystore password, but you must type the password again.

The .keystore file is now created.

Setting Up Tomcat to Accept an HTTPS Connection

To modify Tomcat to use your certificate store, open Tomcat's server.xml file in a text editor. This file is located in YOUR_TOMCAT_INSTALL_DIR/conf.

1. Scroll down to find the following text:

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <!--
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true" acceptCount="100" debug="0"
               scheme="https" secure="true"
               useURIValidationHack="false" disableUploadTimeout="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="false" protocol="TLS" />
    </Connector>
    -->

2. Remove the comment notation from this connector; remove the <!-- and --> around the connector tag. After you remove the comments, the text should look as follows:

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true" acceptCount="100" debug="0"
               scheme="https" secure="true"
               useURIValidationHack="false" disableUploadTimeout="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="false" protocol="TLS" />
    </Connector>

3. In Tomcat's server.xml file, replace all references to port 8443 with 443.
4. Restart the Tomcat service or reboot the server. After the server has rebooted, you can navigate to or

Configuring a Remote Analyzer as a Secure Server

To configure a Remote Analyzer as a secure server:
1. Access System on SonicWALL Security.
2. Check the Remote Analyzer check box that you want to make a secure server.
3. Click Edit. An Edit screen appears.
4. Change the port number for the secure connection to
5. Check the box that enables a Secure SSL connection for this Remote Analyzer.
6. Use the Test buttons to verify that SSL connectivity is working.

Importing New Verisign Certificates into the Keystore

To import a new Verisign certificate:

1. Type:
    $ ./keytool -certreq -alias tomcat -keyalg RSA -file /export/spare/kris/cr.txt
2. Enter the .keystore password: changeit
    $
Verisign creates a certificate that is automatically downloaded.

Note: If you purchase a Global Secure Site Pro Certificate (128 bit), there are additional steps involved in the installation. The Global Secure Site Pro Certificate requires an intermediate certificate to complete the authentication chain of trust. The existing Intermediate Certificate expired on 1/7/2004. Therefore, you must include the new Intermediate Certificate when doing the import into Tomcat.

3. Download the certificate that was purchased from Verisign, and save it as a text file.
4. Download the Intermediate certificate from this location and save it as a text file.
5. Import the Intermediate Certificate into the Internet Explorer browser.
6. In your browser, go to Tools > Internet Options > Content Tab.
7. Click the Certificates button.

8. Select the Intermediate Certification Authorities Tab.
9. Click the Import button and follow the steps in the Certificate Import wizard to import your certificate. This imports the Intermediate Certificate into the Internet Explorer keystore.
10. Import the certificate that was received from Verisign using the same procedure.
11. Highlight the Other People Tab.
12. Press the Import button.
13. Follow the steps in the Certificate Import wizard to import your certificate. The certificate is displayed in the list of Other People Certificates.
14. Highlight the certificate and press the Export button.
15. Follow the steps in the Certificate Export Wizard.

16. For the export File Format, select Cryptographic Message Syntax Standard PKCS #7 Certificates (.P7B)
17. Check the Include All Certificates In The Certification Path if possible.
18. Save this file with a .p7b extension. This creates a file with the complete certification chain of your certificate and includes the new Verisign Intermediate certificate plus the Verisign Root certificate.
19. Import this into your keystore file. Type:
    $ ./keytool -import -keyalg RSA -trustcacerts -alias tomcat -file /yourfile.p7b
20. Enter keystore password: changeit

The top-level certificate appears:

    Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Serial number: 70bae41d10d92934b638ca7b03ccbabf
    Valid from: Sun Jan 28 16:00:00 PST 1996 until: Tue Aug 01 16:59:59 PDT 2028
    Certificate fingerprints:
    MD5: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
    SHA1: 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
    ... is not trusted. Install reply anyway? [no]: yes
    Certificate reply was installed in keystore

Importing the LDAP Server's SSL Root Certificate to the SonicWALL Security Server

If the SSL certificate's root is not trusted by the LDAP client (SonicWALL Security server), attempts to establish an SSL connection fail. The only certificates that are trusted are those whose root certificates are present in the local Java Runtime Environment keystore. If the certificate used by the LDAP server was self-generated or generated by a Microsoft Certificate Server, then the root certificate is unknown to the SonicWALL Security Tomcat server. You must import the root certificate into the Java Root Certificate Keystore.

To import a root Certificate Authority certificate, either self-signed or third-party signed, you must import it into the cacerts keystore.

1. Extract the root key from the Certificate Authority that created your SSL certificate for LDAP. Refer to the documentation that comes from the Certificate Authority on how to extract a root key. You receive a text root certificate file that looks similar to this:

    -----BEGIN CERTIFICATE-----
    [base64-encoded certificate data]
    -----END CERTIFICATE-----

2. Locate the cacerts file for the Java installation used by SonicWALL Security's Tomcat. It is located at C:\Program Files\Java\j2re1.4.1_01\lib\security\cacerts
3. Import the root key certificate from the root_certificate_file:
4. Navigate to <%JAVAhome>.
5. Type:
    \bin\keytool -import -keyalg RSA -alias tomcat -keystore ..\jre\lib\security\cacerts -file root_certificate_file
The keytool prompts:
6. Enter keystore password: Type the default password for the java cacerts key store: changeit.
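The self-signed CA procedure (parts 1 to 3 of "Setting up SSL between SonicWALL Security and the LDAP Server") and the trusted-root requirement described in this section can be rehearsed on a workstation before anything is installed in Exchange or cacerts. The script below is an added example, not part of the guide: openssl req stands in for the keyring CSR step, -aes256 replaces the guide's -des3, and the pass phrase, subject names, 30-day validity and function names are constructed.

```shell
#!/bin/sh
# Added example (not from the guide). File names follow the guide's examples;
# the pass phrase, subjects and validity period are constructed sample values.
# A pass phrase on the command line is visible to other local users; on a real
# system omit -passout/-passin and let openssl prompt for it.
WORK=$(mktemp -d)
PASS='constructed-pass-phrase'
DAYS=30

# Part 1: private key and CA certificate, written to directory $1.
# $2 only makes the CA subject name unique. -aes256 is used in place of -des3.
make_ca() {
    mkdir -p "$1" &&
    openssl genrsa -aes256 -passout "pass:$PASS" \
        -out "$1/PrivateKey.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days "$DAYS" -key "$1/PrivateKey.key" \
        -passin "pass:$PASS" -subj "/O=Example Lab/CN=Example Lab Root $2" \
        -out "$1/CACert.crt" 2>/dev/null
}

# Part 2 stand-in: the guide creates the CSR with Exchange's keyring tool;
# openssl req is used here only so the example runs anywhere. $1 = Common Name.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
        -subj "/O=Example Lab/CN=$1" -out "$WORK/NewKeyRq.txt" 2>/dev/null
}

# Part 3: sign the CSR with the CA held in directory $1.
sign_csr() {
    openssl x509 -req -days "$DAYS" -in "$WORK/NewKeyRq.txt" \
        -CA "$1/CACert.crt" -CAkey "$1/PrivateKey.key" -passin "pass:$PASS" \
        -CAcreateserial -out "$WORK/ServerCert.crt" 2>/dev/null
}

# Succeeds only if ServerCert.crt chains to the root certificate file $1.
# This is the condition the LDAP client's trust store (cacerts) must satisfy.
chain_ok() {
    openssl verify -CAfile "$1" "$WORK/ServerCert.crt" 2>/dev/null |
        grep -q ': OK$'
}

# Succeeds only if the certificate's Common Name equals $1, the FQDN the
# LDAP client connects to (host names compare case-insensitively).
cn_matches() {
    cn=$(openssl x509 -in "$WORK/ServerCert.crt" -noout -subject \
             -nameopt multiline | sed -n 's/^ *commonName *= *//p')
    [ "$(printf '%s' "$cn" | tr 'A-Z' 'a-z')" = \
      "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" ]
}

# Rehearsal: one issuing CA, one unrelated CA, one server certificate.
make_ca "$WORK/ca" A && make_ca "$WORK/other" B &&
    make_csr ssltest.domain.com && sign_csr "$WORK/ca" || exit 1

chain_ok "$WORK/ca/CACert.crt"    && echo "issuing root: chain verifies"
chain_ok "$WORK/other/CACert.crt" || echo "unrelated root: chain rejected"
cn_matches ssltest.domain.com     && echo "CN matches the FQDN"
cn_matches ssltest                || echo "short host name does not match the CN"
```

The two rejected cases correspond to the failures the guide describes: a root that is absent from the client's keystore, and a Common Name that is not the server's FQDN.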

APPENDIX F Deployment Considerations

SonicWALL Security on a Mail Server

If your organization has fewer than 500 users, consider installing SonicWALL Security on your SMTP server. For medium to large-sized organizations, SonicWALL recommends that you install SonicWALL Security on a separate server.

If you are running Microsoft IIS on the SMTP server, be aware that SonicWALL Security runs as an SMTP service on port 25 and an HTTP service on port 80. Typically, Microsoft IIS also runs on these ports and interferes with the operation of SonicWALL Security. If you require IIS on this server, configure the ports differently for either IIS or SonicWALL Security. If you are not using IIS, disable both the World Wide Web Publishing Service and Simple Mail Transport Protocol (SMTP), or completely uninstall IIS.

Server Preconfiguration Requirements

Before you begin the SonicWALL Security software installation, the server on which you install SonicWALL Security must meet the following requirements:
The server on which SonicWALL Security is installed must have a static IP address.
The server should be listed in DNS.

Supported Mail Servers

SonicWALL Security supports Exchange, SendMail, and Lotus Domino and other mail programs that support SMTP.

SSL (Secure Socket Layer) Connection to Administrative Interface

When users and administrators log into SonicWALL Security, SonicWALL Security exchanges user login and application information with the user's client browser. Using SSL, you can protect login and application data by encrypting communication between the user's browser and SonicWALL Security.

SSL (Secure Socket Layer) Connection to LDAP

When users and administrators log into SonicWALL Security, SonicWALL Security verifies via the LDAP protocol that the login information (user ID and password) is valid. Using SSL, you can protect login information by encrypting information sent to the LDAP server. You can also install SSL between a Control Center and a Remote Analyzer to encrypt configuration data transferred between the two servers. For detailed explanation of SSL and related instructions, see Secure Socket Layer on page 39.

Domains and Workgroups

You must configure all servers that deploy SonicWALL Security such that they are in the same Windows domain or workgroup. If your data directory is shared and is on a dedicated server, it must be in the same domain or workgroup as well. If the servers are in a workgroup, you must share the directory so that everyone has access to it.

Note: Remote Analyzers do not need to be in the same Windows domain or workgroup. The above applies to All in One configuration and Control Centers in Split Configuration.

Configuring Security on an Exchange Server

APPENDIX F Installing SonicWALL Security on an Server

If your organization has fewer than 500 users, you can install Security directly on your SMTP server. For medium to large-sized organizations, SonicWALL recommends that you install Security on a separate server.

Exchange 2003

To set the IP address of Security in your server

To change the SMTP port on Microsoft Exchange 2003, go to the Exchange System Manager
1. Select Servers > Your Server > Protocols.
1. Select Default SMTP Virtual Server and choose Properties > Delivery > Advanced.
2. Enter the IP of the Security inside the brackets [].
3. Click OK.
4. Restart the SMTP service on the mail server.

Virtual Connector

If you have a virtual connector, that connector will override the smart host setting in the SMTP protocol. You will need to change the smart host on the connector in order for the outbound emails to pass through.

To configure the virtual connector
1. Open up Exchange System Manager
2. Click on Administrative Group
3. Navigate to First Administrative Group > Routing Group > Connector.
4. Look for the connector with the * in the address space. This is the Default SMTP Connector

5. Right-click on the connector's name
6. Select Forward all mail through this connector to the following smart host.
7. Enter the IP of the Security inside the brackets []
8. Click Apply
9. Restart the SMTP service on the mail server.

To change the SMTP port on Microsoft Exchange 5.5, you can follow the instructions in Microsoft Support Q173903:

Edit the Services file, innt\system32\drivers\etc\services, to specify the port used for SMTP. The following example, an excerpt from the Services file, shows removing SMTP from port 25 and enabling SMTP on port 17. Port 17 is normally used for qotd (quote of the day) service.

    smtp 17/tcp mail
    #qotd 17/tcp quote
    #qotd 17/udp quote
    chargen 19/tcp ttytst source
    chargen 19/udp ttytst source
    ftp-data 20/tcp
    ftp 21/tcp
    telnet 23/tcp
    #smtp 25/tcp mail
    time 37/tcp timeserver

Use telnet ip_address or server_name 17 to verify that the Internet Mail Service is indeed listening on tcp port 17.

For information on how to configure other types of mail servers to listen on another port, refer to your mail server documentation.

APPENDIX G Installing SonicWALL Security on Windows

This appendix describes installation of SonicWALL Security on Windows operating systems.

System Requirements

To install SonicWALL Security on Windows, SonicWALL recommends the following minimum software and hardware configurations.

Operating System

Microsoft Windows Server 2000
Microsoft Windows Server 2003 with Service Pack 1 or Service Pack 2

Note: SonicWALL periodically offers upgraded versions of SonicWALL Security software. To enable your server to upgrade to the latest downloaded SonicWALL Security, download and install Sun's Java Runtime Environment (JRE) 1.4.2_06 or later from on the computer where you administer SonicWALL Security using your browser.

Hardware

SonicWALL recommends the following hardware for SonicWALL Security:
Processor: Pentium 4 or Xeon or equivalent
Memory: 1 GB minimum, 2 GB recommended
Hard Disk: 40GB minimum, with a caching RAID controller for the data directory, 80GB recommended

SonicWALL recommends installing SonicWALL Security on a dedicated server.

SonicWALL Security Software Installer

SonicWALL Security Software installer includes the following components:
Sun Microsystems Java Runtime Environment
Apache Tomcat
Firebird Database Engine
Jaybird JDBC driver
SonicWALL Security
SonicWALL Security User Profiler Installers
Port25 PowerMTA

The installer installs all these components in the appropriate location.

Note: If the Firebird database engine is already running on the server on which you install SonicWALL Security, Firebird will not get installed. Ensure that you have write access to the data directory in which you want to install SonicWALL Security.

If you have anti-virus programs running on the machines where you install SonicWALL Security, please make sure that those programs do not scan SonicWALL Security installation or data directories. If virus scanning for these directories is not disabled, the SonicWALL Security data directory can get corrupted and quarantined messages may not be retrievable for all users.

SonicWALL Security Installation Checklist

IDs Parameters Needed During Value (write in your values) A The directory path where SonicWALL Security will install Installation Default path: C:\Program Files\SonicWallES B Administrative Web Server Port Installation Default web server port: 80 C The server's trusted network IP address D The server's trusted fully qualified Login Page DNS name E SonicWALL Security License Licensing Login Page Example: Example: SonicWALL Software.mycorp.com F Admin Username Setup Administration G Admin Password Setup Administration H Admin address Setup Administration I J K L SonicWALL Security SMTP Listening Port Destination SMTP server DNS name or IP address Destination SMTP server's port number domain names your organization accepts mail for Add Mail Server Add Mail Server Add Mail Server Add Mail Server M LDAP Server Name LDAP Configuration N LDAP Port Number LDAP Configuration O LDAP Login Name LDAP Configuration P LDAP Password LDAP Configuration Q LDAP Directory Tree Node to Search LDAP Configuration R Microsoft NT NETBIOS Domain Name (only required if using Active Directory or Exchange 5.5) LDAP Configuration Default: admin Default: password Example: [email protected] Default: 25 Example: 
mailrelay.mycorp.com Default: 25 Example: mycorp.com, mycorp.net, mydivision.com Example: mailrelay.mycorp.com Default: 389 Example: varies by mail server, see LDAP on page 28. Example: varies by mail server, see LDAP on page 28. Example: MYCORP, see LDAP on page 28.

Installing SonicWALL Security

You must be logged in as administrator to install SonicWALL Security.

SonicWALL Security's installer alerts you if your system does not have the required physical memory. SonicWALL strongly encourages you to upgrade the memory of your server to a minimum of 1 GB for optimal effectiveness and performance.

1. Run the installer. The welcome screen appears. Click Next.
2. Read the License Agreement and click Next to agree to the terms presented.
3. SonicWALL Security provides an alert if the server where you are installing SonicWALL Security does not have Asian language packs installed.
Note: Even though the next step is optional, SonicWALL Security's spam prevention capabilities may be diminished if the East Asian language pack is not installed. Also, to view messages in Asian languages, you will need to install this language pack. This language pack can be installed separately after the SonicWALL Security installation is completed.
To install the East Asian Language Pack support on Windows 2003, go to the Regional and Language Options in the Control Panel and select the Languages tab. Select the Install files for East Asian Languages check box.
To install the East Asian Language Pack support on Windows 2000, go to the Regional and Language Options in the Control Panel and select the General tab. Select all Asian languages from the Languages settings for the system.
4. Click Next to accept the default location, or Browse to select an alternate location (install checklist parameter A), and click Next. It is important that this folder is not scanned by an anti-virus engine.
5. Choose the directory to install your data.
Notes: The default destination location for SonicWALL Security files is suitable for most servers. If you are deploying multiple SonicWALL Security servers that share a folder, specify that shared folder for your data.
For performance reasons, read/write access to the data directory must be fast. If the data directory is on the same disk drive as the install directory, it is almost certainly fast enough. If the data directory is shared between two or more computers, or is on a different device than the install directory, administrators need to make sure that performance requirements are met. As a general rule, there should be at least a 100 Megabit connection to the data drive and less than 10 millisecond latency to the data drive. Latency can be tested with the ping command.
6. Click Next to accept the default data destination folder or click Browse to specify another folder.
7. Click Install to install these third-party products. If the required versions of Tomcat, Firebird, and the Java Runtime Environment (JRE) are not installed, they will be installed now.
8. If you are already running a Web server on port 80, you can change the port setting (install checklist parameter B). SonicWALL recommends port 8080 for Apache Tomcat if port 80 is already used. Click Next to continue. You can change the port number and also configure HTTPS access through the UI on the System > User View Setup page.
9. A window appears to say that installation is complete. Click the Finish button. SonicWALL Security displays a browser window in which you can click links to view the documentation.

Confirm Windows Services Are Running

1. Test your SonicWALL Security Software installation to confirm that SonicWALL Security services are running and you can navigate to the Login page.
2. Select Start > Programs > Administrative Tools > Services and confirm that the following services have started:
Apache Tomcat
MlfAsg Software
MlfAsg Monitor
MlfAsg Replicator
MlfAsg Updater
Firebird Guardian
Firebird Server
MlfMTA

Configuring Proxy Services for SonicWALL Security for Windows

SonicWALL Security communicates regularly with the SonicWALL Security data center to obtain updates of collaborative spam thumbprints, spam-blocking rules, Blocked Lists, and other information to help keep its spam-blocking capabilities up to date. This communication takes place via HTTP. If your organization restricts HTTP access via a proxy server, SonicWALL Security can use this proxy to communicate with the SonicWALL Security Data Center. To do this, you must configure SonicWALL Security to use the proxy. If SonicWALL Security does not have access to the SonicWALL Security data center, collaborative rules and allowed and blocked lists are not updated.

Configure the Proxy Server settings within Internet Explorer. By default, those settings are not visible to Windows Services, including SonicWALL Security. To make the settings visible, edit the Windows Registry with regedit, and add the following Windows Registry entry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser

with a DWORD value of 0. Then, reconfigure the proxy server settings in Internet Explorer.

Note: If your HTTP proxy server requires basic username and password authentication, you can set these parameters in the System > Updates page of the administration UI after you finish installation.

Uninstalling SonicWALL Security

If you are required to uninstall a previous version of SonicWALL Security, SonicWALL recommends that you use the Control Panel to uninstall SonicWALL Security and its components.

To remove SonicWALL Security for Windows and other installed components:
1. Select Start > Settings > Control Panel > Add/Remove Programs.
2. Click SonicWALL Security and select Change/Remove.
3. Click Apache Tomcat version number and select Change/Remove.
4. Click Java 2 Runtime Environment SE and select Change/Remove.
5. Click Java Web Start and select Change/Remove.
6. Click Firebird version number and select Change/Remove.

If you uninstall SonicWALL Security and its components, do not delete SonicWALL Security data from the SonicWALL Security installation or data directories unless directed to by SonicWALL Security Technical Support. This information will be needed when you reinstall the product.

Upgrading to SonicWALL Security

Capture your settings in case you need to revert. Your backup should include the settings files, including the per-user settings. You can only revert to version 6.2x.

To back up your existing environment
1. On your Security management system, log into your mysonicwall.com account at
The management system can be any computer on which you are using a Web browser to access Security.
2. In the left navigation pane under System, choose Backup/Restore. You will see the Backup/Restore page.
3. In the Manage Backups section, select Settings.
4. Click Take Snapshot Now to save the settings.
5. Click Download Snapshot to store the settings.

If, after upgrading to 7.0, you need to revert to a previous version, go back to the Backup/Restore page and use the Manage Restores section to upload the snapshot you have stored.

Glossary

All-in-One Architecture: An architecture for the SonicWALL Security where one server manages all protection that receives all enterprise email. See also Split Architecture on page 64.

Allowed List (Whitelist): Lists of users, domains, and mailing lists that are allowed to send email to users in your organization.

Anti-Virus: Software that detects viruses in message bodies and attachments.

Blocked List (also known as Black Lists): Lists of users, domains, or mailing lists from whom you or your users do not want to receive email.

Collaborative Settings: SonicWALL Security administers its own content-based signature network with a collaborative community of users and junk mailboxes worldwide. You can select collaborative settings to customize the level of influence community input has on enterprise spam blocking.

Control Center: Manages all data files; it controls and communicates with one or more of the remote analyzers. It stores or quarantines mail it receives from the remote analyzer, and queries LDAP servers to ensure valid users can log in to SonicWALL Security.

Dashboard: A high-level overview of the system statistics.

Cluster: A group of SonicWALL Security servers that act like a single system and enable high availability and, in some cases, load balancing and parallel processing.

Directory Harvest Attack (DHA): Spammers stage Directory Harvest Attacks (DHA) to get lists of all users in an organization's directory. DHA makes organizations vulnerable to increased attacks, spam, and fraudulent messages.

DMZ: The logical space between two firewalls where an email gateway typically resides. This term was derived from De-Militarized Zone, an area between two warring countries where tanks were not permitted.

Envelope: Information in RFC-821 format, which includes the address from which the mail came and the receipt-to address.

First-touch server: A configuration where emails arriving into your organization are delivered to the Security server first, as opposed to going through another MTA. The purpose of configuring Security as your first-touch server is to capture the sender's IP address.

Honeypot: A specially equipped system deployed by security professionals to lure hackers and track their every move.

Internet Message Access Protocol (IMAP): A method of accessing electronic mail messages that are kept on a mail server. IMAP permits a client program to access remote message stores as if they were local.

Keystore: The keystore file contains your public and private keys.

Junk Box: A Web page interface that displays all quarantined email.

Junk Box Summary: A daily email sent to users summarizing messages that have been quarantined because they contained spam, viruses, or other undesired mail content.

Lightweight Directory Access Protocol (LDAP): An Internet protocol that programs use to look up contact information from a server.

LDAP Groups: Allow you to assign roles to user groups and set spam-blocking options for user groups. This is an optional configuration that enables you to fine-tune user access by group.

LDAPS: LDAP run over SSL provides a secure LDAP connection.

Master Account: The initial account you log in to when configuring SonicWALL Security. This is also the master administrative account.

Mail Transfer Agent (MTA): Software that runs on an outward-facing server that delivers mail to an organization.

Phishing: Sending or creating a replica of an existing Web page to fool a user into submitting personal, financial, or password data. In the enterprise, phishers seek enterprise passwords and sensitive information. Phishers might use enterprise email to send fraudulent information to customers and business partners.

Post Office Protocol Version 3 (POP3): A protocol used to retrieve email from a server.

Policy Management: A customizable module that enables the administrator to filter the content of messages and attachments that enter SonicWALL Security.

Profiler: A software component that collects users' outgoing addresses, which can optionally be stored as known good addresses. The Profiler can be configured to work with each supported client.

Probe Account: Similar to a Honeypot, an account that is established on the Internet for the sole purpose of collecting spam and tracking hackers.

Quarantine: A means of containing suspect messages in a Junk Box.

Realtime Blackhole List (RBL): A list of Internet TCP/IP addresses known to send spam, or by hosts considered friendly to spam.

Remote Analyzer: An SMTP proxy placed in the email flow that performs a spam analysis to determine whether email is good or junk. It sends junk mail to the control center where it is quarantined, and routes good mail to its destination server.

Privilege Roles: Users can be assigned privileges so that they can administer all email, log in as another person or for a helpdesk role, view SonicWALL Security reports, or view their own Junk Box.

Sender ID: A mechanism that determines whether the alleged domain address of each email is authentic, which is one factor SonicWALL Security uses to determine whether the message is junk.

Simple Mail Transfer Protocol (SMTP): A protocol designed to transfer mail reliably and efficiently.

Secure Socket Layer (SSL): A protocol for transmitting private documents via the Internet. SSL uses a private key to encrypt data that is transferred over the SSL connection.

Spam: Any unsolicited commercial email that a user does not want. Spam frequently contains false advertising, get-rich-quick schemes, and other offensive material.

SPF: Sender Policy Framework (SPF) is an extension to the Simple Mail Transfer Protocol (SMTP). SPF allows software to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in spam.

Split Architecture: Architecture for networks with multiple physical data centers, where the functions of SonicWALL Security can be split across different servers in different locations.

STARTTLS: The keyword used to initiate a secure SMTP connection between two servers using Transport Layer Security (TLS).

Tarpitting: Protects your enterprise from spammers trying to spam your mail server accounts through Directory Harvest Attacks (DHA).

Time Zero Virus: A term for the first hours that a virus is released, when major anti-virus companies have not yet modified their virus definitions to catch it.

Thumbprint: Checksums that uniquely identify from junk messages. The thumbprint contains absolutely no readable information. Thumbprints are sent to the collaborative community to block new types of junk.

Transport Layer Security (TLS): TLS is the successor to the Secure Sockets Layer (SSL) protocol. The terms SSL and TLS are often used interchangeably since they are very similar protocols.

Usermap: A local cache of the LDAP Server containing the list of aliases per user.

User Profile: An optional program that creates per-user allowed lists based on the information in address books and sent items, and then uses the HTTP protocol to post these allowed lists in an XML format to the SonicWALL Security.

Unjunk: Removing messages from the Junk Box as enabled by the administrator.

Virus: Message content that contains malicious and self-replicating code. A virus in email can infect the user's computer and then use email to propagate itself to other computers.

SonicWALL, Inc Logic Drive T San Jose, CA F PN: Rev B

2012 SonicWALL, Inc. is a registered trademark of SonicWALL, Inc. Other product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.


More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Plesk 11 Manual. Fasthosts Customer Support

Plesk 11 Manual. Fasthosts Customer Support Fasthosts Customer Support Plesk 11 Manual This guide covers everything you need to know in order to get started with the Parallels Plesk 11 control panel. Contents Introduction... 3 Before you begin...

More information

WhatsUp Gold v16.3 Installation and Configuration Guide

WhatsUp Gold v16.3 Installation and Configuration Guide WhatsUp Gold v16.3 Installation and Configuration Guide Contents Installing and Configuring WhatsUp Gold using WhatsUp Setup Installation Overview... 1 Overview... 1 Security considerations... 2 Standard

More information

Chapter 10 Encryption Service

Chapter 10 Encryption Service Chapter 10 Encryption Service The Encryption Service feature works in tandem with Dell SonicWALL Email Security as a Software-as-a-Service (SaaS), which provides secure data mail delivery solutions. The

More information

Email Encryption. Administrator Guide

Email Encryption. Administrator Guide Email Encryption Administrator Guide Email Encryption Administrator Guide Documentation version: 1.0 Legal Notice Copyright 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo,

More information

Feature Comparison Guide

Feature Comparison Guide Feature Comparison Guide Stay Secure Portal Autumn 2015 Contents Introduction... 3 Description on some of the new features... 5 Customer overview from partner portal... 5 Partner & customer portal linkage...

More information

eprism Email Security Appliance 6.0 Release Notes What's New in 6.0

eprism Email Security Appliance 6.0 Release Notes What's New in 6.0 eprism Email Security Appliance 6.0 Release Notes St. Bernard is pleased to announce the release of version 6.0 of the eprism Email Security Appliance. This release adds several new features while considerably

More information

Microsoft Exchange 2003

Microsoft Exchange 2003 Microsoft Exchange 2003 Configuration Guide Microsoft Exchange 2003 Configuration Guide Page 1 Table of Contents Introduction... 2 Document and naming conventions... 2 Outbound email protection... 3 SMTP

More information

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide This document is intended to help you get started using WebSpy Vantage Ultimate and the Web Module. For more detailed information, please see

More information

WatchGuard XCSv Setup Guide

WatchGuard XCSv Setup Guide WatchGuard XCSv Setup Guide All XCSv Editions Copyright and Patent Information Copyright 2010 2013 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, LiveSecurity, and

More information

Setting up Microsoft Office 365

Setting up Microsoft Office 365 Integration Guide Revision G McAfee SaaS Email Protection Securing Exchange Online in Microsoft Office 365 Setting up Microsoft Office 365 Use this guide to configure Microsoft Office 365 and Microsoft

More information

Installing GFI MailEssentials

Installing GFI MailEssentials Installing GFI MailEssentials Introduction to installing GFI MailEssentials This chapter shows you how to install and configure GFI MailEssentials. GFI MailEssentials can be installed in two ways: Installation

More information

Setting Up Scan to SMB on TaskALFA series MFP s.

Setting Up Scan to SMB on TaskALFA series MFP s. Setting Up Scan to SMB on TaskALFA series MFP s. There are three steps necessary to set up a new Scan to SMB function button on the TaskALFA series color MFP. 1. A folder must be created on the PC and

More information

HP A-IMC Firewall Manager

HP A-IMC Firewall Manager HP A-IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW101-20110805 Legal and notice information Copyright 2011 Hewlett-Packard Development Company, L.P. No part of this

More information

Installation Guide for Pulse on Windows Server 2008R2

Installation Guide for Pulse on Windows Server 2008R2 MadCap Software Installation Guide for Pulse on Windows Server 2008R2 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software

More information

Chapter 9 Monitoring System Performance

Chapter 9 Monitoring System Performance Chapter 9 Monitoring System Performance This chapter describes the full set of system monitoring features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. You can be alerted to important

More information

NETWRIX EVENT LOG MANAGER

NETWRIX EVENT LOG MANAGER NETWRIX EVENT LOG MANAGER ADMINISTRATOR S GUIDE Product Version: 4.0 July/2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment

More information