Account and User Management Training Guide

Transcription

1 Account and User Management Training Guide

2 Table of Contents 1 Account Management Overview Accessing the Control Console Module Objectives Obtain Control Console Login Credentials Create or Change a Password Sign into the Control Console with a Password Getting Locked out of the Control Console Unlocking a user Navigating the Control Console Global Search Tool Customer and Domain Selectors Customer Selector Customer Selector Display Performance Reports Customer Display Domain Selector Customer Details & Time Zone selection Distribution Lists Distribution Lists with Protection (Correo Limpio) Policies Distribution Lists with Directory Integration Distribution Lists with Performance Reports Distribution Groups Performance Reports Activate a Performance Report Manage Domains View Domains Primary Domains Primary Domain Details Domain Aliases Restricted Domains Manage Groups Proprietary and Confidential

3 7.1 Groups with Protection (Correo Limpio) Users in Multiple Groups with Protection (Correo Limpio) Groups with Web Protection (Navegación Segura) Users in Multiple Groups with Web Protection (Navegación Segura) Groups with Archiving Create Groups Add Members to a Group Assign a Group Administrator View Protection (Correo Limpio) Policies View user Group Assignment Delete a Group Manage Users User Management Overview User Creation Methods Users with Protection (Correo Limpio) Users with Archiving Users with Web Protection (Navegación Segura) User Roles & Permissions Roles & Permissions Permissions of My Account Tab Accessing Users Filter Users Search for Users Create Users Manually Create Users via Batch upload Edit Users Edit Individual User Details Aliases Protection (Correo Limpio) Web Protection Group Membership Group Administration Batch Edit Users Batch Edit Upload Merge Users Delete Users Selecting users for deletion Batch Delete Upload Download Users Downloading Unfiltered Users Downloading Filtered Users Proprietary and Confidential

4 8.24 Sync Users Help Non-Local Accounts Configure User Details Directory Integration User Agent User Aliases User Authentication (passwords) Assign/update individual passwords Assign/update batch passwords Directory Integration Overview Determine Sync Type Domain AD Domain Directory Integration High Level Steps Domain Directory Type Data Collection Server Hostname Enable SSL Server Port Search Bind DN Search Bind Password Advanced Settings Test Settings Automatic Synchronization & Approval Test Settings Save Cancel Help Synchronize Users Synchronize users in Archiving User Legal hold The Synchronization Process Users Created by Directory Integration Inactive Records AD Domain and Directory Services Connector Obtain Directory Services Connector My Account User role permissions with Protection (Correo Limpio) Proprietary and Confidential

5 11.2 User role permissions with Web Protection (Navegación Segura) User role permissions with Archiving Support Resources Module Objectives Axtel Customer Support Preferences eservice Requests Creating a Password Changing a Password Creating a Service Request (SR) Reviewing or Updating a Service Request Supporting Documentation Training Schedule and Materials Reporting False Negatives Education Services Contact Proprietary and Confidential

6 1 Account Management Overview This guide discusses all areas of the Control Console within the Account Management tab, which focuses on setting up common information that applies to all of the services to which you subscribe. For example, once users are created, they are applicable for the Protection (Correo Limpio), Web Protection (Navegación Segura)and Archiving services, if you subscribe to all three services. The account management information covered in this guide is not duplicated in those additional guides. The functional areas within Account Management are: Customers Time Zone setting, Distribution List setup & Performance Report settings Groups Creating Groups and managing Group members Domains Managing Primary and Domain Aliases Users User creation and individual user management Configuration settings that apply to all users within the selected primary domain Users created within Account Management: Are only created one time and are used for all services to which the customer subscribes: Protection (Correo Limpio), Web Protection (Navegación Segura)and Archiving Every user created must be unique Users deleted within Account Management: Are deleted from all services to which the customer subscribes; Protection (Correo Limpio), Web Protection and Archiving Are removed from all groups they were assigned; both for Protection (Correo Limpio) and Web Protection All Protection (Correo Limpio) quarantined messages are deleted Groups deleted in Account Management: Are removed from association for both the and Web Protection (Navegación Segura)policy sets The users are implicitly associated with Default policy sets

7 2 Accessing the Control Console 2.1 Module Objectives Upon completion of this module, you will be able to: Understand how to obtain your Sign In information Understand how to create or change your Control Console Password Understand how to Unlock a user who has been locked out of the Control Console Locate the navigation methods used within the Control Console 2.2 Obtain Control Console Login Credentials Once your account is provisioned with our service, a welcome is sent to the Technical contact on the account; the is only sent to one contact. The itself does not contain the login credentials to your account in the control console; however, it does provide instructions in obtaining those credentials. Refer to the Getting Started section in the Welcome . This provides instructions on logging onto our eservice Portal and accessing your specific Service Activation Guide. The Service Activation Guide is the document that provides the Control Console URL and Login ID. If you ordered services from one of our Axtel Partners, and that partner provides your support, please contact that partner directly for your login information. Note: your password is not created for you; you must create your own password on the Control Console once your login ID is obtained. To Sign into the Control Console, you need the: Control Console URL Sign in ID Password Note: this is the URLs to access the control console sign in page: Create or Change a Password Password Assignment Recommendations User accounts are not required to have a password. Passwords are needed when signing into the control console from the sign-in page. Passwords are not required if a user is accessing their individual user from an active Spam Quarantine Report (SQR). The SQR gives the user direct access to their account without entering a user or password. It is helpful for administrative level roles to have passwords assigned so they can access the control console when needed. It can also be helpful for individual users to have a password assigned if the customer subscribes to the Continuity Disaster Recovery Service. This allows the user to sign into their account and access their Continuity inbox if they do not have an active SQR. and W eb Protection Education Services Segura)Education Services Page 2-2

8 Creating your initial password When signing into the control console from the Sign in page for the first time, you must create your own password. The following steps are the same when you are creating your initial password, or if you have forgotten your existing password and need to change it. To do this: 1. Navigate to the Control Console sign in page; either: console.axtelesaas.com or portal.axtelsaas.com. 2. Click the Forgot your password or need to create a password link. 3. On the Change Password page in the Address field, enter your Control Console address (fully qualified address). 4. Choose whether you prefer to have the password information sent to the address you entered or to your Domain Contact address. Function: This sends a conformation with a link to create a user password. Radio button option: Determines which address receives the conformation with the password. 1. Sends the confirmation to the address that is the same as the Control Console user 2. Sends the confirmation to the address listed as the Contact within the Primary Domain. This option is beneficial when the customer s mail server is unavailable and a user cannot receive the confirmation on their mail server. It is beneficial to view the address listed as the Domain Contact and verify that it is outside of the customer s mail server. You will see a confirmation page that confirms an was sent to the desired address. and W eb Protection Education Services Segura)Education Services Page 2-3

9 Once you have received the , click on the URL included in the body, which will direct you to the Change Password page. Note: The link is active for one hour after the is generated and delivered. Create your password All passwords must: Be a minimum of eight characters, maximum of 20 and contain at least two of the following character types: Letters (upper / lower) Numbers Special Characters o ( ) ` # $ % ^ & * - + = \ { } [ ] : ; " ' < >,.? / o Passwords are case sensitive The first time a user signs in with a password, but no security question, you must select a security question and enter a security answer. The Security Question answer is used when a user forgets their password and walks through the above steps to change their existing password. Please note that answers to the security questions, unlike passwords, are not case sensitive. and W eb Protection Education Services Segura)Education Services Page 2-4

10 2.4 Sign into the Control Console with a Password Access the Control Console sign in page: Note: If a user has an active Spam Quarantine Report, they can use that to access their account without entering a user name or password. The Language drop down menu lists all available languages; the default language is English. Brazilian Portuguese Finnish Portuguese Chinese, Simplified French (universal) Russian Chinese, Traditional German Italian Spanish (universal) Danish Japanese Swedish Dutch Korean Turkish English Norwegian, Bokmal Users may also select their language preference once they access their account. Note: The only pages changed to the selected language are user-level pages; all administrative pages display in English. 2.5 Getting Locked out of the Control Console A user is locked out of the Control Console after five consecutive unsuccessful login attempts within 30 minutes. A user is notified their account has been locked out on the Control Console Sign in Page. and W eb Protection Education Services Segura)Education Services Page 2-5

11 2.5.1 Unlocking a user There are four ways for a user to be unlocked: 1. The user can wait 30 minutes until the lock out automatically expires and attempt to sign into the Control Console with the correct password. 2. The user can change their own password by clicking on the Forgot password link on the Control Console Sign in page and walking through remaining steps. 3. The user can ask their Customer Administrator to change their password and then attempt to log in with the newly assigned password. 4. The user can ask their Customer Administrator to unlock their account so they can attempt to sign in again with their correct password. Note: users with the role of Customer Administrators can assign and change other user s passwords. Users logged in with the Role of Partner Administrator or higher cannot assign passwords for any user other than their own. All administrative roles that have access to manage users can unlock a user. There is a Locked column on the Accounts page within User Management. View this column to identify if any users have been locked out. To Unlock a user, access the user by double clicking on the address or selecting the user and clicking the Edit button. Click the Unlock button inside the user Details. and W eb Protection Education Services Segura)Education Services Page 2-6

12 2.6 Navigating the Control Console There are four primary navigation options, which organize the functions within the Control Console: Account Management Protection (Correo Limpio) Archiving Web Protection My Account Note: The Account Management and My Account Product Selectors will be viewable by all customers. Only those customers who subscribe to the Protection (Correo Limpio), Archiving Service or the Web Protection (Navegación Segura)services will see the additional Primary Selectors. Main Menu Options Once the primary navigation option is selected, the associated main menu options are displayed. Account Management Customers Customer management Groups Group configuration Domains Domain configuration Users User management Configuration global user settings Protection (Correo Limpio) Overview 24 hour snap shot of activities Quarantine Message Quarantine for the entire Domain Continuity The Continuity Inbox of the user signed in Policies Policy configuration Setup Configuration of Protection (Correo Limpio) mail servers and additional options Message Audit searching for and interpreting the disposition of messages Reports Reporting and Statistics Archiving Overview Current snap shot of the overall status of Archiving Archived Messages Searching and Exporting of archived messages Reports Archiving report generation history Setup Mail source configuration and Alert activation and W eb Protection Education Services Segura)Education Services Page 2-7

13 Web Protection Policies Policy configuration Setup - Configuration Reports Canned Reporting and Statistics Forensics ad hoc report generation My Account Individual user settings with user level permissions 2.7 Global Search Tool The Global Search tool reduces the number of clicks needed to access Domains and Users. The Global Search tool is located at the top right corner of each window. The available options from the Search drop-down list will change depending on the user role. Options include users, domains, and customers. To uses global search: Enter information in the available field The system will validate the entry When entering a partial value, the database will return all matches in the dropdown menu Locate match, select and click Go If no matches are found, your search criteria displays in red and W eb Protection Education Services Segura)Education Services Page 2-8

14 2.9 Customer and Domain Selectors The Customer and Domain selectors are clickable links and display on the right side of the page. Using these selectors is a quick way to locate and switch to the desired Customer or Primary Domain. Based on the role in which you are logged in, you have access to the Customer and/or Domain selectors. The following examples show different roles and their associated access to each selector Customer Selector User accounts with permissions to create and edit Customer Accounts have access to the Customer Selector. When the Customer Selector link is clicked, a search customers input field appears. A minimum of 3 characters must be entered prior to the system automatically searching. The search is a begins with and will locate all matching Customer accounts that begin with the search input entered. and W eb Protection Education Services Segura)Education Services Page 2-9

15 2.9.2 Customer Selector Display There will be times when a Global, Support or Partner administrator is on the MSP Connector or Performance Reports pages; pages that are not enabled for all customers. Listed below are the scenarios when on a either the Performance Report or MSP Connector pages for a customer that does have the service enabled, and then through the Customer Selector choose a customer that isn t enabled for the service MSP Connector Customer Display If you are on the MSP Connector page and change the Customer selector to a customer that does not have MSP Connector enabled, the following occurs: The administrator says on the MSP Connector Page The MSP Connector tabs are disabled and grey out A message appears notifying the administrator that the selected customer does not have MSP Connector enabled. The customer selection will not be changed while you remain on the MSP Connector Page. To access the desired customer, navigate off of the MSP Connector page and re-select the desired Customer Performance Reports Customer Display 1 and W eb Protection Education Services Segura)Education Services Page 2-10

16 If you are on the Performance Reports page and change the Customer selector to a Web Protection (Navegación Segura)or Protection (Correo Limpio) customer that does not have Performance Reports enabled, the following occurs: The administrator is routed to the selected customers Customer Details page Performance Reports Customer Display 2 If you are on the Performance Reports page and change the Customer selector to an Archiving customer that does have Performance Reports enabled, the following occurs: The administrator says on the Performance Reports Page The Performance Reports page is disabled and grey out A message appears notifying the administrator that the selected customer does not subscribe to a service that includes Performance Reports Note: the Performance Reports contain data only for and Web Protection Domain Selector Once the Domain Selector link is clicked, a drop list of all available Primary domains in the selected customer appears. The Domains display in a drop list because the number of and W eb Protection Education Services Segura)Education Services Page 2-11

17 domains within a customer account is manageable. There is no minimum number of characters to enter to display or select a domain. The Domain selector displays on the appropriate domain level Protection (Correo Limpio) and Account Management pages and does not display on the Web Protection (Navegación Segura)or Archiving pages. Domains display in ASCII display order: Special Characters followed by Numbers and then Letters Similar to the Customer Selector, there is no all domains option; must select one specific domain. Only primary domains display for selection; no domain alias or public domains display. and W eb Protection Education Services Segura)Education Services Page 2-12

18 3 Customer Details & Time Zone selection When signed in as a role of Customer or Partner Administrator or Var Administrator, you can view the customer account details and select a customer level Time Zone. Note: users signed in with a Partner Administrator or higher role will not see the Details menu link. To change the customer level time zone setting, locate the customer account from the customer list and edit the customer account. When the update link is selected, the Details page grays out and a Time Zone selection appears atop the details page. Select the time zone with which all users will be created. Once a time zone is selected, all NEW users created will inherit the selected time zone. Once a time zone is selected, all EXISTING users created will inherit the selected time zone, if the individual user time zone has not previously been changed. This includes changes made to the user by any administrative role or the end user. SaaS and W eb Protection (Navegación Segura)Education Services Page 3-1

19 4 Distribution Lists Distribution lists allow for the creation of lists to be activated in different areas of the Control Console. When activated, distribution lists send a notification-type to the addresses in the distribution list. Distribution Lists members can be any valid, fully qualified address. The members added to a Distribution list do not have to reside as Users in the Control Console, and do not need to be associated to the customer s domain. Navigate to Account Management Customers Distribution List 5. Note: Distribution Lists are not the same thing, nor are they a replacement of Distribution Groups for delivery, which are maintained on the Customer Mail Server. Creating and implementing a distribution list is a two-step process: 1. Create a New Distribution List and add addresses into the list 1. Distribution Lists can contain any valid recipient address, including: addresses for a user with an account in the Control Console e.g. me@mycomanydomain.com Addresses for a user outside of the Control Console e.g. me@gmail.com or partner@partnerdomain.com Distribution Group addresses e.g. marketing@mydomain.com 2. Activate the Distribution List in one or more of the following places: Protection (Correo Limpio) Policies Attachment Filename Silent Copy Protection (Correo Limpio) Policies Content Groups Silent Copy Account Management Configuration Directory Integration Exception Notification Account Management Customers Performance Reports s

20 4.1 Distribution Lists with Protection (Correo Limpio) Policies When you select a Distribution List in the Silent Copy drop list of an Protection (Correo Limpio) policy, and the policy (rule) is violated, a blind carbon copy (silent copy) of an is sent to all members in the selected Distribution List. They are being notified with a copy of the that caused the policy violation. Example: Your policy states to Quarantine a message if a message contains a.php attachment and a distribution list is selected in the Silent Copy drop list. When a message is received with a.php file attached, the message is placed into Quarantine and a blind carbon copy of the message that invoked the violation will be sent to all addresses in the Distribution List. 4.2 Distribution Lists with Directory Integration Distribution Lists work when Directory Integration is set up, the Exception Notification is activated, a Distribution List is selected, and one or more Exception notification content checkboxes are checked on the Directory Integration page. When a Sync is requested, and if any users that meet the selected content checkboxes are found, an is sent to the addresses in the selected Distribution List, notifying them of the exceptions during the automatic synchronization. SaaS and W eb Protection (Navegación Segura)Education Services Page 4-2

21 4.3 Distribution Lists with Performance Reports When you select a Distribution List in the Deliver To drop list when activating Performance Reports, you are identifying to which addresses a PDF version of the Performance Report should be sent Distribution Groups Axtel distribution lists are not the same thing, nor are they a replacement of the customer s distribution groups. A primary user must reside in the Control Console for the address of the Distribution Group; however Distribution group members are created and maintained on the customer s server. E.g. a primary user for marketing@yourdomain.com must reside in the control console, we the service knows that this is a valid address for your organization. We will filter that message and if it passes the policy, one instance of the message is delivered to the mail server. The mail server is responsible for routing that message to every member of the Marketing distribution group Distribution lists are created and assigned using the Axtel Control Console Note: Any distribution group maintained on the customer s server must have an associated primary user in the Control Console. When an is sent to a primary user, if it passé the Protection (Correo Limpio) policy, the service delivers once instance of the message to the customer s server; only to the primary user. The customer s mail server distributes that message to all members of the customer s distribution group. SaaS and W eb Protection (Navegación Segura)Education Services Page 4-3

22 5 Performance Reports Performance reports contain statistical information on the performance of Protection (Correo Limpio) and Web Protection (Navegación Segura)Services. Once activated, Performance Reports are automatically generated and are sent via as a PDF attachment. To receive Performance Reports, you must opt into performance reports. Opting into Performance Reports is a two-step process: 1. Create a Distribution List and enter the addresses of the people you would like to receive the performance report. Refer to the Distribution List section of this document for steps on creating a Distribution Lists. 2. Access the Performance Reports link and select the desired Distribution List in the Deliver to drop list. 5.1 Activate a Performance Report Navigate to Account Management Customers Performance Reports Deliver To - Select the distribution list to which the Performance Report is sent Time Zone The time zone used to create the report. Frequency - Check the box to specify the frequency of the Performance Reports. o Weekly includes data for the previous full week. o Monthly - includes data for the previous full month. The Send Now button initiates an on-demand Performance Report be sent. This includes data from the last full reporting period. SaaS and W eb Protection (Navegación Segura)Education Services Page 5-1

23 Performance reports contain: Statistical information on the performance of Protection (Correo Limpio) Service and Web Protection Service If you subscribe to Outbound filtering, the Performance Report includes information relating to total number of outbound messages sent, threats and action taken. Graphical traffic and threat data Is formatted in grid, pie chart and line graph formats and represents a wide variety of traffic and threat categories Give insight into the on-going performance of the and Web security services Definitions for each report field and can be configured for weekly or monthly delivery Reports are ed to the distribution lists recipients as a.pdf attachment. Modifying the Time Zone field under Performance Reports only apply to the Performance Reports and not to individual users. Sample Performance Report SaaS and W eb Protection (Navegación Segura)Education Services Page 5-2

24 6 Manage Domains All primary domains are listed by default when you access the Account Management Domain area. You can select the Show Domain Aliases checkbox to view the domain aliases associated to your primary domains. As the Customer Administrator, you are able to: View your Domain Details Add Domain Aliases Note: Customer Administrators do not have the ability to add new Primary Domains, edit the Primary Domain details, or delete the Primary Domain. 6.1 View Domains The ability to view Public Domains and identify to which Primary Domains they are associated is available within the Domains page. When signed into the Control Console as a Global Administrator, Support Administrator or Partner Administrator, the following new checkbox always displays on the Domains index page: Show All Domains When signed into the Control Console and the Customer account to which you are signed in has a Public Domain associated, the roles of Domain Administrator, Customer Administrator, Partner Administrator, Support Administrator and Global Administrator will see the Show Public Domains checkbox. SaaS and W eb Protection (Navegación Segura)Education Services Page 6-1

25 If multiple types of domains display, a Type column appears and designates the type of domain for each one listed. Primary Domains have a type of Domain. If any Alias or Public domains display, the Primary domain to which they are associated displays in brackets. 6.2 Primary Domains Each Primary Domain has its own characteristics (mail servers, policies, users, IP address), and is configured separately. Primary Domains should be created when any of the following are true: Inbound messages for each domain must route to unique inbound server(s) Outbound messages for each domain route from unique outbound server(s) User accounts are unique each primary domain: o mary.smith@primarydomain1.com located in Seattle, WA o mary.smith@primarydomain2.com located in Chicago, IL Note: Customer Administrators do not have the ability to add new Primary Domains, edit the Primary Domain details, or delete the Primary Domain Primary Domain Details To open the Domain Details screen, click the Primary domain name. Review the Domain information and call your Support contact if any changes are needed to your primary domain(s). The options available on the Domain Details window will vary depending on which user role has logged in. As the Customer Administrator, some of the items you are able to do are: View your Domain Details Add and delete Domain Aliases SaaS and W eb Protection (Navegación Segura)Education Services Page 6-2

26 Select this option to the password verification to the user. The Contact listed inside the Primary domain is used when a user is creating or changing their password. When creating or changing a password, the user has the ability to determine where the confirmation is sent, allowing the user to change/ create their password. When the second radio button is selected, password information to my Domain Contact, the is sent to the address listed in the Contact field within the primary domain. Note: it is beneficial for the Contact address to be an address outside of the customer s primary domain. If the domain mail server is down, the password change confirmation can still be received by an address outside of the customer s mail server. SaaS and W eb Protection (Navegación Segura)Education Services Page 6-3

27 6.3 Domain Aliases Domain Aliases are virtual domains that inherit all of the same characteristics as the primary domain to which the domain alias is associated. Customers must own the rights to the domain alias name in the same way they own the rights to the primary domain name. Domain Alias Key Points: When a user is created in a primary domain, user alias accounts are automatically created in each domain alias: Primary domain policies and configurations apply to all associated domain aliases All messages addressed to domain aliases are routed to the users account on the primary domain server first then delivered to the alias accounts All quarantined messages for the domain alias are stored in the primary domain s quarantine area Domain aliases can be created by the Administrator when all of the following are true: Inbound messages for each domain route to the same inbound server(s) as the primary domain Outbound messages for each domain route from the same outbound server(s) as the primary domain User accounts belong to the same person such as mary@primarydomain1.com is the same person as mary@domainalias1.com and mary@domainalias2.com SaaS and W eb Protection (Navegación Segura)Education Services Page 6-4

28 6.4 Restricted Domains To prevent customers from creating a non-authorized domain, the following list of domains cannot be created as a primary, alias or sub domain in the control console. This prohibits people from entering domains not owned into the control console for testing purposes. These domains are not currently Axtel Customers; the list will be updated if any of the following are added as Customers. The list of prohibited domains includes: comcast.net gmail.com msn.com qwest.com yandex.ru cox.net hotmail.com rogers.blackberry.net yahoo.co.jp dell.com hotmail.fr sprint.blackberry.net yahoo.com earthlink.net live.de verizon.net yahoo.com.cn google.com mail.ru yahoo.de googl .com mindspring.com SaaS and W eb Protection (Navegación Segura)Education Services Page 6-5

29 7 Manage Groups Groups are used when a subset or group of users need to have their or web activity filtered differently by placing their account into a group and adding that group to a policy using a unique set of rules other than the default policy. 7.1 Groups with Protection (Correo Limpio) Use Groups when there are users in the organization whose you want filtered according to a policy other than the default policy. E.g., The Default policy denies any s that include.exe (Executable) attachments, however, a group of users on the Development team works with an outside vendor. That vendor needs to send s with Executable attachments to the developers. By grouping the developer users, and subscribing the Group to a new policy, only the developer users are allowed to receive s with Executable attachments. Navigate to groups by accessing Account Management Groups. By default, every person getting their filtered by our service will have their filtered against the Default Protection (Correo Limpio) Policy settings. There is a default Inbound Policy and default Outbound Policy. Each policy has pre-defined, best practice rules selected. All default policies are changeable. SaaS and W eb Protection (Navegación Segura)Education Services Page 7-1

30 Creating and applying groups for Protection (Correo Limpio) is a three-step process: 1. Create a new Protection (Correo Limpio) policy with unique filtering rules. 2. Create a new group and associate members to the group. 3. Subscribe the group to the policy. (activate the policy to apply for the Group) Once completed, the members of the group will have their filtered according to the newly created policy and not the filtering rules in the Default Policy Users in Multiple Groups with Protection (Correo Limpio) One user can be a member of one or more groups. In the scenario below, the user is in multiple groups, and each group is subscribed to a different Protection (Correo Limpio) Inbound Policy SaaS and W eb Protection (Navegación Segura)Education Services Page 7-2

31 With Protection, you will assign a priority to each policy, so even if a user is in more than one group, and technically associated to more than one policy, only one Inbound and only one Outbound policy is utilized when we filter that users . In the scenario below, the user will have their filtered only against the Management Policy, as that policy has a higher priority than the other policy to which the users group is subscribed. Proprietary and Confidential Page 7-3

32 7.2 Groups with Web Protection By default, every person getting their web filtered by our service will have their web filtered against the Default Web Protection (Navegación Segura)Policy settings. There is a default Web Protection (Navegación Segura)that has pre-defined, best practice rules selected. All default policies are changeable. Use Groups when there are users in the organization whose web activity needs to be filtered according to a policy other than the default policy. Groups apply only when Explicit User Authentication or WDS Connector Access Control Types will authenticate users. All Users authenticated via IP Address Range Authentication will utilize the Default Web Protection (Navegación Segura)Policy for every day of the week, all times of the day. Creating and applying Groups for Web Protection (Navegación Segura)is a three-step process: 1. Create a new Group and associate individual users to the group. 2. Create a new Policy with special web filtering rules and associate the Group to the Policy. 3. Schedule the Policy by selecting the time of day and days of the week the policy will apply. Once the three steps are completed, the users in the Group will have their web activity filtered according to the newly created policy, instead of the web filtering rules in the Default Policy. Navigate to groups by accessing Account Management Groups SaaS and W eb Protection (Navegación Segura)Education Services Page 7-4

33 7.2.1 Users in Multiple Groups with Web Protection One user can be a member of one or more groups. In the scenario below, one user is a member of two groups. Each of those groups is associated to a Web Protection (Navegación Segura)Schedule. Each Web Protection (Navegación Segura)Schedule has multiple policies enforced; each policy only applying for a given time of the day. Proprietary and Confidential Page 7-5

34 When the user is a member of multiple groups, and each group has a Web Protection (Navegación Segura)schedule with one or more policies, all policies are merged and applied in a specific filter order. There is no visual identifier denoting that the user is associated to multiple Web Protection (Navegación Segura)Schedules and that several policies were merged. See the Web Protection (Navegación Segura)Training Guide for the filter order. 7.3 Groups with Archiving The Groups functionality is not applicable with the Archiving Service 7.4 Create Groups Customer Administrators, Partner Administrator, VAR Administrators and Global Administrators have access to create Groups. One group can include users from one, more or all of the primary domains. User accounts not associated to a Group are considered an ungrouped user. All Ungrouped users are automatically associated to the Default Policy. Note: There is no limit to the number of users that can be associated to a group, nor is there a limit to the number of Groups to which a user can be a member. Once a Group is created, it can be associated to up to three different services, depending on the services to which the customer subscribes. One Group can be associated to: One Inbound Protection (Correo Limpio) Policy One Protection (Correo Limpio) Outbound Policy One Web Protection (Navegación Segura)SCHEDULE, which is comprised of one or more Web Protection Policies. A user can be associated with a group at the time of user creation or at any time after the account is created. SaaS and W eb Protection (Navegación Segura)Education Services Page 7-6

35 If the user is not associated with a Group, the account is considered an ungrouped user. All ungrouped users are automatically associated to the Default Policies. Access groups in Account Management Groups Perform two main steps to create a group: 1. Create the Group 2. Add Members into the Group To create a group: 1. Click New 2. Enter the name and description of the group While the description field is not required, other administrators could find it helpful in understanding the purpose of the group 3. Click Save Add Members to a Group Access the group by double clicking the group name or selecting it and clicking Edit Click Members Locate one, more or all users and click Add>> Click Apply to save changes All users within all primary domains in the organization display in alphabetical order. Select the checkbox for each user to add to the Group. To locate a specific User account, utilize the Filter option. Enter all or part of the user name, and identify if you want your filter to search within All Users, users not in a Group or users not in this Group. Click Filter to initiate your search. Perform the following actions to manage the group members: Click Add>> to add the selected users to this group Click Add All>> to add all users (selected or not) across all pages to this group Click <<Remove to remove the Selected Users from this group Click << Remove All to remove all Group members (selected or not) from this group Click Apply to save changes Proprietary and Confidential Page 7-7

36 Note: Be sure to subscribe this group to a policy to have the users in this group get their filtered against the new policy, instead of the Default policy Assign a Group Administrator You can assign any user with the role of Group Administrator to be the administrator of a Group. The Group Administrator can manage the members of their group, create and manage group level policies, and subscribe a group they administer to a policy. Note: There is a separate training guide and elearning recorded training course for Group Administrators View Protection (Correo Limpio) Policies The Protection (Correo Limpio) policies tab is a read only page and it displays the Protection (Correo Limpio) Inbound and the Protection (Correo Limpio) Outbound Policy to which this group is subscribed. If the group is not yet subscribed to a custom policy, it is still associated to the Default policy, which will not be explicitly listed. SaaS and W eb Protection (Navegación Segura)Education Services Page 7-8

37 Because there is not a one to one relationship between a Group and one Web Protection (Navegación Segura)Policy, only Protection (Correo Limpio) policies display, even if the customer also subscribes to Web Protection View user Group Assignment Once a user becomes a member of a group, you can view the user s group assignment. Access the individual user and click the Group Membership tab. 7.5 Delete a Group When deleting a group, it is important to understand that users are not deleted from the Control Console; however, some policies might be deleted. If you delete a group that is SUBSCRIBED to a customer or group level policy (but is not the owner of the policy), the policy is not deleted. The group is deleted and the association to the policy is removed. The policy itself remains, however is inactive if it no longer has a group subscribed. If the user is a member of another group, that or Web Protection (Navegación Segura)policy applies. If the user is not a member of another group, the Default or Web Protection (Navegación Segura)policy applies. Proprietary and Confidential Page 7-9

38 If you delete a group that is the OWNER of a policy (regardless of its group subscription), the policies to which this Group is the OWNER are deleted. A message displays identifying that policies are deleted. Groups deleted in Account Management: Will be removed from subscription for both the Protection (Correo Limpio) and Web Protection (Navegación Segura)policy sets All policies to which the group was an Owner are deleted The users will be implicitly associated with Default policy sets SaaS and W eb Protection (Navegación Segura)Education Services Page 7-10

39 8 Manage Users 8.1 User Management Overview User Management is comprised of two tabs: Users and Configuration. The Users tab is where you can manage specific user details, such as creating new users manually and edit user details, such as a user s individual Protection (Correo Limpio) allow list. Note: When creating an individual user, the only required information is user name. The Configuration tab is where you setup global user settings that affect all users for each primary domain. This includes setting up the Active Directory Integration information, and the means by which all users passwords are authenticated. Users created within Account Management: Are only ever created one time and are used for all services to which the customer subscribes: Protection (Correo Limpio), Web Protection (Navegación Segura)and Archiving Every user created must be unique Users deleted within Account Management: Are deleted from all services; Protection (Correo Limpio), Web Protection (Navegación Segura)and Archiving Are removed from all groups they were assigned; both for Protection (Correo Limpio) and Web Protection Have all of their Protection (Correo Limpio) Quarantined messages are deleted Note: Continuity messages are not deleted; they are moved to the non-local accounts continuity inbox. 8.2 User Creation Methods Explicit Users can be created: Individually Batch file upload Directory Integration mode* A fourth, non-explicit user creation mode is available, SMTP Discovery, which only applies with the Protection (Correo Limpio) Service. SMTP discovery automatically created users in the Control Console after 8 messages are received in a 24-hour period and is automated * Refer to the Directory Integration section of this document for details on setting up Active Directory Synchronization. And refer to the Protection (Correo Limpio) Administrator guide for details about the SMTP Discovery User Creation Mode. 8.3 Users with Protection (Correo Limpio) SaaS Eventually, and every W eb person Protection in your (Navegación organization should have an account in Page the 8-1 Control Console. If you Segura)Education Services

40 are using the SMTP Discovery User Creation mode, users are not required to start the SaaS and W eb Protection (Navegación Segura)Education Services Page 9-1

41 Protection Service. If you are using an Explicit User Creation Mode, Axtel delivers for only the users in the control console. See the Protection (Correo Limpio) Administrator Training Guide for details on the User Creation Modes. The benefits of having a User Account for Protection (Correo Limpio) are that it allows the user to: Receive a Spam Quarantine Report Manage their spam quarantine mail Manage their Spam Quarantine Report delivery options Set their password & security question and answer Set their time zone Manage their Allowed Senders list Manage their Blocked Senders list Manage their user aliases 8.4 Users with Archiving When Axtel retrieves and archives your mail, each message is associated to its owner (the message sender or recipient), if the owner has an account in the control console. If the user does not exist, the message is still archived; however it is not tied to an owner and is considered unassociated. If there are unassociated messages and the user is created at a later date, the unassociated messages will be moved and be associated to the user, typically within 24 hours. If the number of unassociated messages is high, it might take longer to associate all messages. 8.5 Users with Web Protection When you subscribe to the Web Protection (Navegación Segura)Service, you will not always need to create individual users. If you subscribe only to the Web Protection (Navegación Segura)Service, and you choose IP Address Range Authentication as your Access Control Type, you do not have to create users. If you subscribe to the Web Protection (Navegación Segura)Service and choose Explicit User Authentication, the WDS Connector, or MCP Connector as your Access Control Type(s), users are REQUIRED prior to activating service. If the user does not exist prior to redirecting your web activity to our service, the user will not be able to authenticate and will be denied web access. 8.6 User Roles & Permissions Every user is assigned a role, which determines what permissions this user will have when they sign into the Control Console. There is no limit to the number of users assigned each role. i.e. multiple users can be assigned the role of Customer Administrator. Customer level roles The following roles have access to the control console for all Primary Domains listed within the customer account. Partner Administrator Role VAR Admin SaaS and W eb Protection (Navegación Segura)Education Services Page 8-2

42 Customer Administrator Role Group Administrator Archive Compliance Officer Domain Level Roles The following roles are domain specific in that they can only view and manage the information they are allowed access, for the primary domain in which their user was created. If you need one of the following riles to have access to information in multiple primary domains, you must create a user with this role in each primary domain. Domain Administrator Role Quarantine Manager Role Reports Manager Role User Proprietary and Confidential Page 8-3

43 8.7 Roles & Permissions Partner VAR Customer Group Domain Quarantine Reports Admin Admin Admin Admin Admin Manager Manager Customer, Domain & Groups tab permissions Archive Compliance Officer User Create / edit Customer Account X N/A N/A N/A N/A N/A N/A N/A N/A Customer Details link N/A X X N/A N/A N/A N/A N/A N/A Create/ edit Distribution Lists Manage Performance Reports X X X N/A N/A N/A N/A N/A N/A X X X N/A N/A N/A N/A N/A N/A Configure MSP Connector X X X N/A N/A N/A N/A N/A N/A Manage Domain Language preference X X X N/A X N/A N/A N/A N/A Create / edit Groups X X X N/A N/A N/A N/A N/A N/A Manage Group Members X X X X N/A N/A N/A N/A N/A Create / edit Primary Domain X X N/A N/A N/A N/A N/A N/A N/A SaaS and W eb Protection (Navegación Segura)Education Services Page 8-1

44 Partn er Admin VAR Admin Custo me r Admin Group Admin Domain Admin Quarantin e Mana g er Reports Manager Archive Comp lian c e Office r User Create / edit Domain Alias X X X N/A N/A N/A N/A N/A N/A User Management Permissions View Users X X X X X X N/A N/A N/A Create Users X X X N/A N/A N/A N/A N/A N/A View Users Details X X X X X X N/A N/A N/A Edit User details X X X N/A N/A N/A N/A N/A N/A Batch Edit Users X X X N/A N/A N/A N/A N/A N/A Manage User Passwords N/A N/A X N/A N/A N/A N/A N/A N/A View Protection (Correo Limpio) Details X X X X X X N/A N/A N/A Edit Protection (Correo Limpio) Details X X X N/A N/A N/A N/A N/A N/A Send On-Demand Spam Quarantine Report X X X N/A X X N/A N/A N/A SaaS and W eb Protection (Navegación Segura)Education Services Page 8-2

45 Partner VAR Customer Group Domain Quarantine Reports Admin Admin Admin Admin Admin Manager Manager Archive Comp lian c e Office r User Manage Users Protection Quarantine X X X N/A X X N/A N/A N/A View Users Activity X X X N/A X X N/A N/A N/A Manage Users Allowed Senders List Manage Users Blocked Senders List X X X X X X N/A X X N/A N/A N/A N/A X X N/A N/A N/A Manage Users Continuity Inbox X X X N/A N/A N/A N/A N/A N/A View User Aliases X X X X N/A N/A N/A N/A N/A Manage Users Aliases X X X N/A N/A N/A N/A N/A N/A Manage Users Group Membership X X X X N/A N/A N/A N/A N/A Manage Users Continuity Inbox N/A N/A X N/A N/A N/A N/A N/A N/A Configure Directory Integration X X X N/A N/A N/A N/A N/A N/A Manage User Agent (web protection only ) X X X N/A N/A N/A N/A N/A N/A Proprietary and Confidential Page 8-3

46 Partner VAR Customer Group Domain Quarantine Reports Admin Admin Admin Admin Admin Manager Manager Archive Comp lian c e Office r User Manage User Aliases page X X X N/A N/A N/A N/A N/A N/A User Authentication - select authentication type X X X N/A X N/A N/A N/A N/A User Authentication upload batch passwords N/A X X N/A N/A N/A N/A N/A N/A Protection (Correo Limpio) tab permissions View Overview Page X X X N/A X N/A N/A N/A N/A Manage Quarantine Mail X X X N/A X X N/A N/A N/A Create / edit Customer level policy X X X N/A N/A N/A N/A N/A N/A View Customer level policy X X X X N/A N/A N/A N/A N/A Create / edit Group level policy X X X X N/A N/A N/A N/A N/A Manage Inbound Servers X X X N/A X N/A N/A N/A N/A SaaS and W eb Protection (Navegación Segura)Education Services Page 8-4

47 Partner VAR Customer Group Domain Quarantine Reports Admin Admin Admin Admin Admin Manager Manager Archive Comp lian c e Office r User Manage Outbound Servers X X X N/A X N/A N/A N/A N/A Manage Outbound Disclaimer X X X N/A X N/A N/A N/A N/A Configure Disaster Recovery X X X N/A X N/A N/A N/A N/A View MX Records X X X N/A X N/A N/A N/A N/A Manage Registered Documents X X X N/A X N/A N/A N/A N/A Manage User Creation Mode X X X N/A N/A N/A N/A N/A N/A Generate Message Audit logs X X X N/A N/A N/A N/A N/A N/A Generate Protection (Correo Limpio) Reports X X X N/A X X X N/A N/A Archiving tab permissions View Overview Page X X X N/A N/A N/A N/A X N/A Search for customer level archived messages X X X N/A N/A N/A N/A X N/A Proprietary and Confidential Page 8-5

48 Partner VAR Customer Group Domain Quarantine Reports Admin Admin Admin Admin Admin Manager Manager Archive Comp lian c e Office r User Purge messages N/A N/A N/A N/A N/A N/A N/A X N/A Generate Reports X X X N/A N/A N/A N/A X N/A Add Mail sources X X X N/A N/A N/A N/A N/A N/A Manage Legal Hold N/A N/A N/A N/A X X X X N/A Web Protection (Navegación Segura)tab permissions Create / edit new Policies X X X X N/A N/A N/A N/A N/A Schedule Policies X X X X N/A N/A N/A N/A N/A Select / download Access Control Type Generate Web Protection Reports X X X N/A N/A N/A N/A N/A N/A X X X N/A N/A N/A N/A N/A N/A Generate Forensics reporting X X X N/A N/A N/A N/A N/A N/A SaaS and W eb Protection (Navegación Segura)Education Services Page 8-6

49 8.9 Permissions of My Account Tab The following permissions apply if you access your account by clicking the My Account tab, or if you sign into the control console from the sign in page and your user role = User. Notes: The My Account primary selector gives the user access to their individual account with user level permissions. Even if the user has signed into the control console as an administrator, when the My Account tab is clicked, they have user level permissions into their own account. If you are signed into the control console as an Administrative level role, and you need to edit your account with administrative level permissions, navigate to the Account Management User area of the Console, locate your account and choose the Edit option. Users with the role of User will not see a tab called My Account, but they will have the following permissions when they access their user. Partner Var Customer Group Domain Quarantine Reports Archive User Admin Admin Admin Admin Admin Manager Manager Compliance Officer Preferences Page General settings X X X X X X X X X Preferences page Protection (Correo Limpio) settings X X X X X X X X X Aliases X X X X X X X X X Quarantined Messages X X X X X X X X X Continuity X X X X X X X X X Allowed Senders X X X X X X X X X Blocked Senders X X X X X X X X X Proprietary and Confidential Page 8-7

50 Partner Var Customer Group Domain Quarantine Reports Archive User Admin Admin Admin Admin Admin Manager Manager Compliance Officer Archived X X X X X X X X X Messages SaaS and W eb Protection (Navegación Segura)Education Services Page 8-8

51 8.10 Accessing Users Once the Users tab is accessed, all users within all primary domains display. User accounts display in Alphabetical order by default. Each Column: Can be resized by dragging and dropping the column width bar Can be removed from the current view by choosing the down arrow that appears when you hover over a column, selecting the Columns option, and deselecting the column name you no longer want displayed Can be sorted by choosing the down arrow that appears when you hover over a column and choosing either Sort Ascending or Sort Descending Can be moved to another location by selecting and holding the column name and dragging it to the desired location. Once the desired location is found, release the column SaaS and W eb Protection (Navegación Segura)Education Services Page 8-1

52 8.11 Filter Users Some columns have the ability to apply a filter to customize the user list. If a filter is available for the column, a filters option is available when choosing the down arrow that appears when you hover over a column; the options on which to filter display. Select one or more checkboxes of the criteria on which to filter. If a column has a filter applied, a filter icon displays on the column toolbar. The filters are column specific Once a filter is applied, and an action is performed on the results (delete user, create new user), the entire user list displays; your filter is removed. Once a filter is applied, no action is taken, but you navigate away from the page and return, the filtered user list persists. Select a user by clicking the checkbox listed before the user name. Once selected, the user specific action buttons (edit and delete) on the toolbar activate. SaaS and W eb Protection (Navegación Segura)Education Services Page 8-2

53 To view all users and remove the filter, deselect the Filters checkbox on all columns that have an active filter. New create new users individually or via batch upload file. See the Create Users section of this guide for details. Edit edit a selected user or choose multiple users and batch edit. See the Edit Users section of this guide for details Search for Users To search for a specific user or specific grouping of users, utilize the Filter option on the User Name column. Click the down arrow on the User Name column Access the Filters option Select the criteria to filter Note: all parts of the user are searched (user name and domain name) when displaying users that match your filter criteria. Starts with enter one or more characters that the user name(s) you desire begin with. Once at least one character is entered, the user list updates. You can continue to enter additional characters to further define your search Contains enter one or more characters that exist in any part of the user name. Equals enter a fully qualified address (user name and domain name) to receive a match Proprietary and Confidential Page 8-3

54 The user name list updates as soon as you enter at least one character in either the Starts with or Contains option. The filter remains displayed so you can continue to enter additional characters or change your criteria. To view all users and remove the filter, deselect the Filters checkbox on all columns that have an active filter. SaaS and W eb Protection (Navegación Segura)Education Services Page 8-4

55 8.13 Create Users Manually There are two ways to manually create users; individually and via batch upload. To create users: Click the New button on the users toolbar Identify the Creation Mode: Individual (one user) or Batch (multiple user) Individual is the default mode. If you select Batch mode, the input fields change to allow you to browse for and upload a batch file. Proprietary and Confidential Page 8-5

56 Create Individual User When you create a user via the Individual Creation Mode, the only required field is the Address Once you input the Address, select the primary domain in which this User will reside. The domains display in a drop list only if the customer has more than one Primary Domain. The domains display in alphabetical order. Populate or select any optional fields Click Save The User account is saved and you return to the User List The optional fields you can select are: Username Role Type Password Confirm Password Group Membership Time zone Note: Users with the role of Customer Administrators can assign individual user passwords. Users logged in with the Role of Partner Administrator or Var Administrator cannot assign passwords for any user other than their own Create Users via Batch upload The batch creation mode allows you to create multiple users, their username and user alias accounts by uploading one batch file. The batch file format: Can contain users from multiple primary domains Is a.txt file or.csv file SaaS and W eb Protection (Navegación Segura)Education Services Page 8-6

57 100Kb max file size The Batch file must be in the following format if populating all three pieces of information: Fully qualified address, followed by a comma, username, followed by a comma, fully qualified user alias By default, Users are created using the role of user To create users via a Batch File: Click the Batch Creation mode Click Browse, and locate the.txt file containing users Click Upload Click Save User accounts are created and you return to the User list The first fully qualified addresses in the batch file display in the Primary column, designating the addresses will create Primary Users. The Username is entered in the next column, which is not a fully qualified address, but can contain a domain designator. E.g. mxl\jsmith. All additional fully qualified addresses on a line item display in the Aliases column, designating the names will create User Alias accounts. If any line items appear in red, the service will not create those users. A More Details designator displays; click More Details to understand why the user was not created. Proprietary and Confidential Page 8-7

58 The optional fields you can select are: Type Group Membership Time zone The Roles and Password fields do not display as they did with the Individual mode. All users created via batch file are created with a user role of user and will not have passwords assigned 8.14 Edit Users You have the ability to select an individual user and edit their user details, and other characterizes specific to the services to which you subscribe, or you can select multiple users and batch edit select user details Edit Individual User Details Select the checkbox next to the user and click the Edit button. The user displays in a pop-up. The details page allows you to change general settings for the user, and view the time stamp of several control console details. The Details settings are not specific to a service (e.g. Protection (Correo Limpio)); they apply regardless of the service(s) to which you subscribe. SaaS and W eb Protection (Navegación Segura)Education Services Page 8-8

59 Username The username identifies the user s network id if it is different than the fully qualified address listed in the Address field. The username is used for Web Protection (Navegación Segura)if the user is utilizing the Axtel Client Proxy (MCP) access control type. When being authenticated via the MCP the users network/login ID (usually a username) is passed to us. We then locate a match between the username and the users address so we know what Web Protection (Navegación Segura)policy to use to enforce the users Web access. Usernames can be entered in two formats; with or without the domain designator. Edu\laaron - or- laaron If a customer is using the MCP to authenticate their users, the full username including the domain designator must be included in the username. Usernames entered without a domain designator are not used for authenticating users, rather are used as a cross reference for the administrator if the user has a non-domain username. The usernames within a given domain must be unique. i.e. In the table below, one username must be changed; usernames cannot be the same within the same primary domain. Address Larry_smith@abc.com Linda_smith@abc.com Username Abc\lsmith Abc\lsmith Note: if the customer previously entered the username on the Axtel client Proxy Aliases page, those MCP Aliases are moved to the Username field Address This read only field displays the users Primary User account. All changes made to this primary account apply to all user alias and domain alias addresses. i.e. you cannot select different preferences for user alias addresses. Proprietary and Confidential Page 8-9

60 Role The role assigned determines what permissions this user will have when they log into the control console. The role of User is the role with no administrative access; the User role can only access and manage their individual user. See the Roles & Permissions module in this guide for the permissions assigned each role Status Each primary user is assigned one of three Status : Active, Inactive, or Protected. Active Status The Active Status allows the user to log into the control console and utilize the permissions as assigned based on the user role. All users have the Active status assigned by default. Note: All new users added to the console, using SMTP Discovery or Active Directory Integration are added with an Active status, the role of user, are ungrouped, and do not have a password assigned. Inactive Status The Inactive status does not allow the user to log into the control console. This status is assigned by an administrator when the user no longer works at the company, or is assigned automatically if the Active Directory Integration does not recognize the user when a sync is performed. Behaviors of the Inactive status: If the user creation mode for a domain is currently set for Explicit user creation, will not be delivered to users set to Inactive The user is denied access to the Control Console through direct login or via links within the Spam Quarantine Report (SQR) All existing SQR links are disabled The user will be denied access to functionality associated with user authentication for web protection The Inactive users allow and deny lists will not be used when filtering mail for this user Protected Status The Protected status allows the user to log into the control console and utilize the permissions as assigned base on the user role. This status is manually assigned by an administrator to protect this user from being automatically modified. Normally the protected status is assigned to Customer Administrative type accounts and ensures that accidental deletion does not occur, as users with the status of protected cannot be deleted. You cannot delete a user with a Protected Status. If you need to delete a user with a protected status, change their status to either Active or Inactive and then delete the user. If the Active Directory Integration does not recognize the user when a sync is performed, the protected status prohibits the sync to change the user status to Inactive. (see below) SaaS and W eb Protection (Navegación Segura)Education Services Page 8-10

61 Protected Status with Directory Integration There are times with a user resides in the Control Console, however the associated address does not reside on the customers active directory. For example, if the user name is customer_admin@customerdomain.com, it is unlikely that is an address on the customer s mail server. In these cases, it is recommended that the user status be changed to Protected. The protected status will protect this user from being inactivated when Directory Integration is run. If the user status is not protected and Directory Integration is run, the synchronization process will inactivate the user in the Control Console because it did not reside on the customer s mail server. Inactive users are not able to sign into the Control Console. Status Behaviors Active Inactive Protected SMTP Discovery User Creation Mode; mail flows normally X X X SMTP Discovery User Creation Mode; mail follows policy to which user is associated X X X Explicit User Creation Mode; mail flows normally X No X Explicit User Creation Mode; mail follows policy to which user is associated Explicit User Creation Mode; mail gets denied; no delivery to server, no policy enforcement (recipient is considered invalid) X No X No X No User account can be edited by an Administrator X X X User account can be edited by User X No X Spam Quarantine Links remain active X No X All previous Spam Quarantine Links become disabled No X No Spam Quarantine Report delivered according to policy X No X Quarantined Mail is managed at Domain Quarantine Area X X X User account can be deleted by an Administrator X X No User can sign into the Control Console from the blue login screen X No X User account counts in Active User Count X No X Web Protection (Navegación Segura)(Navegación Segura) User Authentication; user still gets authenticated X No X Proprietary and Confidential Page 8-11

62 Type There are two Types available: User and Distribution List User: Most users are assigned the Type of User. The User type is assigned to newly created users by default. This identifies this user as a unique person in the customer organization. Distribution List: This type is used when the user is not a unique live person, rather the address of the grouping of users. I.e. marketing@mydomain.com. Note: the members of the distribution list are managed on the customer s mail server, not inside the control console. When a message is sent to a distribution list type address, assuming the message passes all policies, one instance of that message is delivered to the customer mail server. The mail server is then responsible for routing that message to ever member within the distribution list. Users with the Type = to Distribution List: Are not counted as a user in the customer s Existing user count Note: Users assigned the Type = Distribution List does not affect customer user seat count billing Password Users are not required to have a password. Passwords are needed only when signing into the control console from the sign-in page. Passwords are not required if a user is accessing their individual user from an active Spam Quarantine Report. It is helpful for administrative level roles to have passwords assigned so they can access the control console when needed. It can also be helpful for individual users to have a password assigned if the customer subscribes to the Continuity Disaster Recovery Service. This allows the user to sign into their account and access their Continuity inbox if they do not have an active SQR. Note: Users with the role of Customer Administrator are the only role that can assign individual user passwords. Users logged in with the Role of Partner Administrator or Var Administrator cannot assign passwords for any user other than their own. Password rules All newly created or changed passwords must adhere to the following: Minimum of 8 characters Alpha, numeric, and special character types are allowed There must be at least one character that differs in character type (alpha, numeric, or special) from the majority of characters At least 2 of the following character types: o Letters (upper / lower) o Numbers o Special Characters ( ) ` # $ % ^ & * - + = \ { } [ ] : ; " ' < >,.? / o Passwords are case sensitive Cannot be the user's address or the user name, or local, portion of the user s address. SaaS and W eb Protection (Navegación Segura)Education Services Page 8-12

63 Time Zone The Time Zone allows the selection of the user s local time zone. This is helpful: When generating reports ( and web protection), the time stamp on the report reflects the time zone selected in the users account. This is helpful for Protection (Correo Limpio) Reports: To identify when a user performed an action in the control console. E.g. if you generate the quarantine release report and show that a user released a message from quarantine, the time stamp on the report reflects when the user released the message based on their time zone selection. This is helpful for Web Protection (Navegación Segura)for two reasons: To ensure you are interpreting the user s web activity appropriately. E.g. if accessing the Allowed Content report, and see that one user accessed a specific Web category (like gaming) a specific time of the day, having the users local time zone selected ensures you will see what time of the day, in the users local time, the user accessed the web category. This eliminates interpreting web activity in correctly. E.g. You notice a user accessed a Game site yesterday with a time stamp of 12pm Eastern Time. Assuming the user s time zone was set to their local time, you would interpret that the user was accessing the Game site during their lunch hour. However, if the user time zone were not set to their local time, it would look like the user was accessing the Game site during work hours. For Web Protection (Navegación Segura)the Time Zone is also used to enforce schedule based policies. E.g. if a policy is scheduled to apply only from 12p-1p Monday- Friday, having the users local time zone selected ensures their policy is applied when it is 12p the users local time, regardless of where the user is located Language Selecting the language option determines in which language the user-level screens display. Note: changing the language does not change the language on any administrative level pages. The default Language is English Entries per Page The Entries per page drop list identifies up to how many entries display when the user accesses an index page. The default selection is 25 entries. Once 25 entries display, the service will automatically set a next page. Changing the Entries per page increases the number of items displayed before the service automatically sets page breaks. The Entries per page applies to all index pages listed below to which the user has access. Index Page User Batch Groups Domains Customers Partners Quarantine Audit Event Click Log Quarantine Disaster Edit Trail Log Report Report Recovery User Report Report Log User Group Admin X X Reports Mgr. X X X X X Proprietary and Confidential Page 8-13

64 Quarantine Mgr. X X X X X Domain Admin. Customer Admin X X X X X X X X X X X X X X X VAR Admin X X X X X X X X X Partner Admin Global Admin. Support Admin. X X X X X X X X X X X X X X X X X X X X X X X X X X X X X Customer Name The Customer name designator is read only and displays the name of the customer account to which this user is associated Domain Contact The Domain Contact is read only and displays the address listed as the contact with the customer s primary domain. The domain contact is used when a user is creating or changing their password. When creating or changing a password, the user has the ability to determine where the confirmation is sent, allowing the user to change/ create their password. When the 2 nd radio button is selected, password information to my domain contact, the is sent to the address listed in the Contact field within the primary domain First sign in SaaS and W eb Protection (Navegación Segura)Education Services Page 8-14

65 The first sign in displays the first time this user signed into the control console. The time stamp displays reflects the time stamp of the administrator viewing the user. The first sign in time stamp is not based on the user s individual time zone selection Last sign in The Last sign in displays the last time this user signed into the control console. The time stamp displays reflects the time stamp of the administrator viewing the user. The Last Sign in time stamp is not based on the user s individual time zone selection Date created The Date created displays the time stamp of when the user was created. The Date Created displays regardless of how the user was created (manually, via SMTP Discovery or Directory Integration Sync) The time stamp displays reflects the time stamp of the administrator viewing the user. The Date Created time stamp is not based on the user s individual time zone selection Aliases The Aliases tab displays all addresses associated to this user s primary account. This includes User Alias and Domain Alias addresses. By default, each primary user can have up to five user alias accounts. User Aliases are only those addresses that reside on the customers Primary Domain. These are listed under the User Alias Addresses section. As soon as a User Alias address is added, a corresponding Domain Alias Address is added. To add a User Alias: Enter the new user alias in the address field o Notice that the primary domain is listed and cannot be changed to another domain Click Add o The new address appears under the User Alias addresses area with a Pending status Click Apply to save changes Click the Delete checkbox to delete the address Click the Change to Primary radio button to change the newly added alias address to be the users Primary User Account Proprietary and Confidential Page 8-15

66 Domain Alias Addresses If there are Domain Aliases listed within the Customers Primary Domain, an address that matches the Primary or User Alias is created for each Domain Alias. The Domain Alias addresses are not editable, and cannot be deleted, as all Aliases inherit all information from their Primary user Protection (Correo Limpio) The Protection (Correo Limpio) tab allows the administrator to manage and view the Users Protection (Correo Limpio) specific areas, such as the users Protection (Correo Limpio) quarantine messages and user level Allow and Deny lists. The toolbar actions that can be performed on the Protection (Correo Limpio) tab are to Apply changes made, reset the fields to revert to the settings prior to Apply being clicked, and you can generate an on- demand Spam Quarantine Report (SQR). SaaS and W eb Protection (Navegación Segura)Education Services Page 8-16

67 Send Spam Quarantine Report Click the Send Spam Quarantine Report to request an on-demand generation of the users Spam Quarantine Report (SQR). This will generate an instant SQR to the user, assuming the user has messages quarantined due to Spam. The service will never send an empty SQR. The Send Spam Quarantine action bypasses the user level SQR delivery frequency; this does not interfere with the users regularly scheduled SQR. Sending an on-demand SQR will not utilize all of the users SQR settings If the users SQR is set to HTML, it always follows the All Quarantine Messages rule If a user s SQR is set to Text Only Summary, it sends a text only summary report Proprietary and Confidential Page 8-17

68 Administrative only function; users with the role of User do not have access to this function The SQR delivered contains quarantine mail for the past seven days, even if the customer is set up for a 14 day quarantine period If the user is in a group policy where SQR is Disabled, this overrides that policy and sends the SQR to the user(s) If the SQR Delivery Successful: SQR is delivered to the user Deliver Spam Report button becomes disabled Spam report delivered message is displayed Notification message appears at the bottom of the page To prevent sending multiple SQR s, the Deliver Spam Report option is disabled once clicked and successful. Note: If the Administrator navigates away from the user Details page and re-accesses, the Deliver Spam Report button is re-enabled. If SQR delivery unsuccessful: There are two reasons why the SQR will not be sent: If the user does not have any messages in their Spam Quarantine Area If the customer subscribes to Disaster Recovery and is in a Disaster Recovery state A Notification message appears at the bottom of the page identifying why the SQR was not sent The following shows which roles have access to the Send Spam Quarantine Report Button Role User Customer Admin Group Administrator Domain Admin Quarantine Manager Reports Manager Partner Admin Support Admin Global Admin Send Spam Quarantine Report Button No X No X X No X X X SaaS and W eb Protection (Navegación Segura)Education Services Page 8-18

69 Protection (Correo Limpio) General Settings Inbound SMTP Policy Subscription: This read only field displays the Protection (Correo Limpio) Inbound policy to which this user is associated, has the highest priority of all policy groups this user associated, and designates which policy the user will have their inbound filtered. Outbound SMTP Policy Subscription This read only field displays the Protection (Correo Limpio) Outbound policy to which this user is associated, has the highest priority of all policy groups this user associated and will have their outbound filtered. Displays only if the account subscribes to Protection (Correo Limpio) Outbound service. Spam Actions The Spam Actions checkbox, checked by default, identifies whether the user should utilize the actions set for the Medium Likelihood Spam and High Likelihood Spam identified in the Protection (Correo Limpio) Inbound policy to which this use is associated. When unchecked, the Medium Spam Actions and High Spam Actions fields become active. The ability to select what action to take for each Spam Action is available. This setting overrides the users Protection (Correo Limpio) inbound policy when filtering their inbound mail for spam. Spam quarantine report: This checkbox, enabled by default, determines whether you would like the user to be sent a SQR when all criteria are met. When unchecked, the user s mail will continue to be filtered for spam, and messages will be quarantined due to Spam, as applicable, however no SQR is sent. This setting overrides the settings in the users Protection (Correo Limpio) Inbound policy. Spam Quarantine Report Frequency: The frequency identifies how frequently the users SQR is sent, assuming all criteria are met. The Default frequency is every day. Note: the SQR will not be sent if the user does not have any messages quarantined due to spam, or the customer is in a Disaster Recovery state. Spam Quarantine Report Content: The report content determines if the SQR is sent in HTML or Text based format. All SQR s have at least one clickable link, giving give the user access to their account. Proprietary and Confidential Page 8-19

70 Spam Quarantine Report Alternate Delivery Address: This field only appears when the Allow users to configure alternate address for spam report delivery checkbox is checked within this users Protection (Correo Limpio) Inbound policy. ( Protection (Correo Limpio) Policy < Inbound policy> Spam Reporting) When an Alternate Delivery Address is entered, this Users Spam Quarantine Reports (SQR) will be sent to the Alternate delivery address Instead Of the Primary Users Account. This function is beneficial for users that are Distribution Groups. e.g. if one SQR is sent to the address and 15 people are in that Distribution Group on the mail server, all 15 people receive the SQR, which often causes confusion or duplicate efforts. The alternate delivery address allows one person to receive and be responsible for managing that users spam quarantine mail. Note: The address entered as the Alternate Delivery Address must reside as a User Account within this customer s account. The Alternate Delivery Address must be one of the following: Primary User Account within the Users primary domain User Alias within the Users primary domain Primary User Account from a different primary domain within this customer User Alias from a different primary domain within this customer Primary user from a domain alias within this customer User Alias from a domain alias within this customer Be the user type of: User or Distribution List If this is been enabled, and alternate delivery addresses have been entered, and then the Administrator Disables the policy checkbox, the Alternate address is retained, however the SQR is delivered to the Primary User Account. Spam Quarantine Report Last Delivery Date: Displays the date / time stamp of the last SQR sent to the user Exempt checkboxes The checkboxes at the bottom of the general settings area override the users Protection (Correo Limpio) policy settings. Note: we recommend that you utilize the Group functionality to change or turn on/off policy settings. The reason is that the settings below turn on/off the entire threat area. Alternately, when you apply groups and a custom policy, you can identify policy actions for each option. i.e. if the attachment checkbox is de-selected, the users will not get filtered for any attachments. Also, there is no report available identifying which individual users you have Exempted from filtering. This makes knowing which users to access in the future difficult. Exempt user Uncheck this checkbox if you do not want the user's inbound to be filtered for spam, attachments, content keywords, or HTML. Exempt user will still be filtered for viruses and worms unless the virus filtering is specifically disabled. SaaS and W eb Protection (Navegación Segura)Education Services Page 8-20

71 Outbound Exempt User: Uncheck this checkbox if you do not want the user's outbound to be filtered for attachments, content keywords, or HTML. Exempt user will still be filtered for viruses and worms unless the virus filtering is specifically disabled. Enabled Filter Policies: These checkboxes apply only to filtering user s Inbound . The higher-level exempt user option above overrides these individual threat areas. All options are checked by default. Spam - Uncheck if the s sent to the user should not be filtered for spam. Keyword - Uncheck if the s sent to the user should not be filtered for content keywords. Virus - Uncheck if the s sent to the user should not be filtered for viruses and worms. Caution: Disabling virus filtering is potentially hazardous because the s will still contain the viruses and worms. Attachment - Uncheck if the s sent to the user should not be filtered for attachments. HTML - Uncheck if the s sent to the user should not be filtered for HTML. Proprietary and Confidential Page 8-21

72 Quarantined Messages Each user has one quarantine area that displays quarantine messages for all of their addresses; primary address, user alias and domain alias addresses. The Administrator can view all of the selected user s quarantined mail, while the users can only see their Spam Quarantined messages. Select Quarantine search criteria by selecting options in the Threat drop list, Day and Direction. The Administrator can view each user s quarantined mail: Spam, Virus, Attachment, and Content Keyword. The Administrator can take action on any of these quarantined messages; Release, Delete or Release the message and place the sender on the user s allow list by clicking Always Allow for User. Note: When a user logs into their own account, the only quarantine messages they can view are Spam quarantine messages. The end user is never allowed to view messages quarantined due to a Virus, Attachment, or Content Keyword violation. To return to the User account, click the User Details link on the right side of the page Continuity The Continuity link is displayed if you subscribe to the Disaster Recovery Continuity service. Clicking the Continuity link within a user will open the users Inbox. Messages will only be displayed in the Continuity Inbox if the domain to which the user is associated is in Disaster Recovery mode and Axtel is spooling the domain mail. See the Disaster Recovery SaaS and W eb Protection (Navegación Segura)Education Services Page 8-22

73 Topic within this guide for additional details Activity The Activity page indicates the number of messages inbound and outbound (if the account subscribes to Outbound protection) that have been filtered for this user in the last seven days. You can also view the average size of this user s messages. A graphical view will be available to indicate the inbound / outbound message details Allowed Senders Tab This allows the User or the Administrators to place entries on the user level allow list. If the USER is adding entries to their allow list, there is a limit of 300 entries. The administrator, however, can add additional entries to the User Level Allow list, totaling 1,000. Entries on the User Allowed Senders list bypass only the policy SPAM Filter; all other policy filers apply. If there is an entry on the user level Allowed Senders list and the same entry is made on the Policy Level Deny list, the message is denied; the policy level list takes precedence Entries on the Allow and Deny list can be a fully qualified address or a wildcard character (*) can be used in the address. E.g. john@domain123.com or *@Axtel.com Entries can be made manually, or by uploading a batch file in a.txt format The batch file has a 100Kb file size limit Proprietary and Confidential Page 8-23

74 One entry per line You can also download the Allowed Senders list to a.csv spreadsheet file Blocked Senders Tab If the USER is adding to their Blocked Senders list, there is a limit of 300 entries. The administrator, however, can add additional entries to the User Level Blocked Senders list, totaling 1,000. If an entry is made on the user level Blocked Senders list, any message from the entered sender is denied delivery. The users blocked senders list is used when senders are known to the user, but the user wishes not to receive inbound messages from this sender. If an entry is made on the user blocked senders list, and the same entry is made on the Policy Allow, the message is denied when sent to the user; the users blocked senders list takes precedence. Entries can be made manually, or by uploading a batch file in a.txt format The batch file has a 100Kb file size limit One entry per line You can also download the Blocked Senders list to a.csv spreadsheet file SaaS and W eb Protection (Navegación Segura)Education Services Page 8-24

75 User Level Allow/ Deny Scenarios Scenario 1: Note: I placed my entry on the Allow list first User Allow: lisa@hotmail.com User Deny: lisa@hotmail.com Results: User Allow: Saved User Deny: Not saved to Deny list; received following message Sender lmottis@hotmail.com already exists on either the Allow List or the Deny List Scenario 2: Note: I placed my entry on the Deny list first User Allow: lisa@hotmail.com User Deny: lisa@hotmail.com Results: User Allow: Not saved to Allow list; received following message Sender lmottis@hotmail.com already exists on either the Allow List or the Deny List User Deny: Saved Scenario 3: User Allow: *@hotmail.com User Deny: lisa@hotmail.com Results: User Allow: Enforced: Messages from Hotmail.com received, except User Deny: Enforced: messages from lisa@hotmail.com denied Scenario 4: User Allow: lisa@hotmail.com User Deny: *@hotmail.com Results: User Allow: Overridden by User Deny list; messages from this sender denied User Deny: Enforced: all hotmail.com messages denied Proprietary and Confidential Page 8-25

76 Web Protection The Web Protection (Navegación Segura)tab allows for the generation of user level web activity reporting. This tab displays only if you subscribe to the Web Protection (Navegación Segura)service. Refer to the Web Protection Guide for additional details There are two functions available: Web Activity: (Navegación Segura)Administration Training Within Web activity, you can generate the following canned user level reports: Threat Filtering Allowed Content Blocked Content Download Web Activity Details: When Download Web Activity details is clicked, this will open MS Excel and display all web activity for this user for the past 7 days. This includes all of the data from the three reports above: Threat Filtering, Allowed Content and Blocked Content. The reporting information goes back 7 days from the time the Download Web Activity Details link is clicked. The Web Activity page allows user-level Web Activity reports to be generated. SaaS and W eb Protection (Navegación Segura)Education Services Page 8-26

77 Group Membership The Group Membership tab allows the user to be added as a member of a previously created group. Each group can be assigned to one policy for each service the customer subscribes. See the Group section of this document for information on creating groups Group Administration The Group Administration tab displays only if the user has the role of Group Administrator. Group Administration allows you to assign the Group(s) this user will administer. All customer groups display in the Available Groups area. Select one, more or all groups to which you want this user to administer, and click the Add>> button. This moves the groups to the Selected Groups area. This user can now manage the members of the groups they administrator. Note: assigning Group Administration does not make this user a Member of a Group. Proprietary and Confidential Page 8-27

78 8.16 Batch Edit Users The ability to select and edit criteria on multiple users at once is now available. On the Users page, select one or more users and click Edit Batch Edit You can select users across pages. There is a limit of 10,000 users to select for Batch Edit. A Batch Edit Users pop-up page appears and displays the following information for each user: Target User Username Language Time Zone If you selected a lot of users, the Batch Edit page will paginate based on the users Entries per Page. SaaS and W eb Protection (Navegación Segura)Education Services Page 8-28

79 If the username field was blank upon clicking Batch Edit, the words no change display. To edit the users Username, click in the user name field and type the user name To edit the Language, select the language field; a drop list appears with all selectable languages To edit the users Time Zone, click in the Time Zone field; a drop list of all available Time Zones display Once changes are made, but not yet saved, a red arrow appears on the field changed. Once save is clicked, all changes are saved; the users that have changed are removed from the batch edit page. Any unchanged users remain on the Batch Edit page. Proprietary and Confidential Page 8-29

80 If you do not have permissions to edit the selected user, the user name is highlighted in Red. You are able to enter a Username and select a new Language and Time Zone, however, upon clicking Save; you will be notified that you do not have permissions to change this user 8.17 Batch Edit Upload The ability to upload a batch file of changes is also available. While there are no user accounts selected, choose the Batch Edit option. SaaS and W eb Protection (Navegación Segura)Education Services Page 8-30