eprism Enterprise Tech Notes

Transcription

1 eprism Enterprise Tech Notes Utilizing Microsoft Active Directory for eprism s Directory Services Context eprism can integrate with an existing LDAP (Lightweight Directory Access Protocol) directory for user and group information. This tech note will explain how to utilize Active Directory (AD) for personal whitelists, user spam quarantine, policy management, directory authentication and to reject incoming s with non-existent recipients in AD. Requirements eprism model M1000 or higher eprism version 5.0 Microsoft Active Directory or ADAM (Active Directory Application Mode) Prerequisite Results Limit Active Directory has a default limit of 1000 entries that can be returned from a single LDAP query. With large queries, the results may be truncated. It is recommended that you modify the default maximum page size to ensure that LDAP group and user imports will work successfully. For more information, please read the LDAP Overview section on Chapter 4 of the eprism User Guide. Use the following procedures to modify the default maximum page size limit in Active Directory: 1. Log in to the Active Directory server as an administrator. 2. Open a command prompt window by going to Start -> Run, typing cmd and clicking OK. 3. Enter the following commands (in bold text): C:\>ntdsutil.exe ntdsutil: Ldap policies ldap policy: connections server connections: connect to server localhost Binding to localhost Connected to localhost using credentials of locally logged on user server connections: quit ldap policy: set MaxPageSize to ldap policy: commit changes ldap policy: quit ntdsutil: quit 4. Close the command prompt window by typing exit and pressing Enter. Configuration Directory Servers Any directory service feature on the eprism requires at least one directory server entry. Follow the instructions below for creating an entry under the directory server page. 1. Go to Basic Config -> Directory Services -> Directory Servers. 2. Click Add. 3. Enter the appropriate information for your Active Directory. For an example, see screenshot below.

2 4. Click Apply when finished. Your directory server entry should now be displayed on the page. 5. To test your settings, click the Edit button next to the entry. 6. Click Test to bring up the LDAP query test page. 7. Use the same Bind DN and Password as your directory server entry and click Submit LDAP Query. The results should look something like the example below. If not, please see the FAQ section at the end of this tech note. # extended LDIF # # LDAPv3 # base with scope sub # filter: (objectclass=*) # requesting: ALL # domain.com dn: DC=domain,DC=com objectclass: top objectclass: domain objectclass: domaindns distinguishedname: DC=domain,DC=com instancetype: 5 whencreated: Z whenchanged: Z subrefs: DC=ForestDnsZones,DC= domain,dc=com subrefs: DC=DomainDnsZones,DC= domain,dc=com subrefs: CN=Configuration,DC= domain,dc=com usncreated: 4098 usnchanged: name: domain objectguid:: McgtHFiZCEWw1+xucWw5nQ==

3 creationtime: forcelogoff: lockoutduration: lockoutobservationwindow: lockoutthreshold: 0 maxpwdage: minpwdage: minpwdlength: 7 modifiedcountatlastprom: 0 nextrid: 1003 pwdproperties: 1 pwdhistorylength: 24 objectsid:: AQQAAAAAAAUVAAAA/6vP6b2KZf1EEYC+ serverstate: 1 uascompat: 1 modifiedcount: Click Done and Cancel when finished testing. Directory Users Once you have the directory server configured, you can import the user and group information from Active Directory. For importing user information, you will need to create an entry under the directory user page using the instructions below. 1. Go to Basic Config -> Directory Services -> Directory Users. 2. Click Add. 3. Select the directory server entry that you have configured in the previous section. 4. The default values should work with most implementations of AD. When finished reviewing the values, click Apply.

4 5. Your directory user entry should now appear on the page along with some new buttons. These buttons will allow eprism to import the user information from AD. 6. Click the Import Settings button. 7. Enable the checkbox next to Import User Data to allow automatic scheduling of the import process. 8. Modify the frequency and start time to suit your needs. If you frequently make changes to the user information, select a quicker frequency setting such as hourly. 9. If you are going to utilize the user spam quarantine feature, enable the Mirror Accounts checkbox as well. 10. Click Apply to save the changes and get back to the previous page. 11. Then click Import Now to perform an initial import of the user data. Directory Groups Directory groups are used in conjunction with policy-based controls. It allows the importing of groups from an AD server to determine group memberships for the policies. If you are not using policy management, please skip this section. 1. Go to Basic Config -> Directory Services -> Directory Groups. 2. Click Add. 3. Select your directory server entry from the drop-down list. The default values will work in most Active Directory implementations.

5 4. Click Apply. 5. Just like with directory users, eprism will need to import the group information from your directory. Click the Import Settings button. 6. Enable the Import Group Data checkbox and specify a frequency and start time. 7. Click Apply when done. 8. Then click Import Now to perform an initial import of the group data. Reject on Unknown Recipient eprism has the ability to verify the existence of the intended recipients on inbound s prior to delivering the s to the mail server. Reject on Unknown Recipient utilizes the imported data from directory users to determine if the recipient addresses are valid. To utilize the Reject on Unknown Recipient feature, follow the instructions below: 1. Ensure that you have imported the user data from Active Directory either by manually clicking on the Import Now button under Basic Config -> Directory Services -> Directory Users or waiting until the automatic schedule had a chance to run the import process. 2. Then go to Mail Delivery -> Anti-Spam -> Anti-Spam. 3. Enable the checkbox next to Reject on unknown recipient and click Apply.

6 4. Go to the Activity page and stop then restart the mail process. Remote Authentication Remote authentication allows users to log in to the eprism without having a local account. eprism can utilize the existing account information on your Active Directory to allow authentication for the trusted sender feature, user spam quarantine and even for the Outlook Web Access proxy. 1. Go to User Accounts -> Remote Auth. 2. Under the LDAP Sources section, click New. 3. Select your directory server entry from the drop-down list and click Apply. 4. While still on the User Accounts -> Remote Auth page, scroll down to the Default LDAP/RADIUS User Profile section and make sure that the checkbox for This eprism Security Appliance is enabled. This will allow remote authentication to work properly with the trusted sender feature and spam quarantine.

7 5. Click Apply when finished. 6. Then go to Basic Config -> Network. 7. Scroll down to the network interface sections. 8. Enable the eprism mail client checkbox under the network interface that the users will be connecting to for their trusted sender list or spam quarantine. 9. Click Apply when completed. Any changes to this page will require a reboot. Trusted Senders The trusted sender feature allows users to create their own personal whitelists based on the sender s address. For more information, please read the Trusted Senders section on Chapter 6 of the eprism User Guide. To use directory services with trusted senders: 1. Configure directory users as specified in the previous sections. 2. Enable the remote authentication. 3. Go to Mail Delivery -> Anti-Spam -> Trusted Senders. 4. Click the Enable checkbox. 5. Type in the domain name and click Apply. The domain is the part after symbol (ex: domain.com for [email protected]).

8 6. Then go to User Accounts -> Secure WebMail. 7. Under the Access Types section, enable the checkbox next to Trusted Senders. 8. Click Apply. To add entries to the trusted sender list, users must log in to the eprism secure webmail using the instructions below: 1. Open a browser and bring up the eprism login page by entering (ex: 2. Enter the user s Windows account name and password and then click Login. 3. Use the navigation icons on the left and click Trusted Senders. 4. To whitelist an , enter an address in the textbox and click Add. 5. Click Logout when finished.

9 User Spam Quarantine The user spam quarantine is used to redirect spam mail into a local storage area for each individual user. Users will be able to log in to the eprism and manage their own quarantined spam. Those quarantined messages can then be released, deleted or even added to their trusted sender list. To configure user spam quarantine with Active Directory: 1. Ensure that the LDAP users are imported and mirrored properly by going to User Accounts -> Mirror Accounts. 2. Then go to Mail Delivery -> Anti-Spam -> Spam Quarantine. 3. Click the Enable Spam Quarantine checkbox. The default settings should suffice but you can modify them as necessary. 4. Click Apply when done. 5. Go to User Accounts -> Secure WebMail. 6. Under the Access Types section, enable the checkbox for Personal Quarantine Controls and click Apply.

10 Once the user spam quarantine has been set up, the anti-spam controls will have to be configured to utilize the spam quarantine. Use the following instructions to have each anti-spam control move the spam mail into the individual quarantine areas: 1. For Pattern Based Message Filtering, go to Mail Delivery -> Anti-Spam -> PBMF. 2. Click Preferences. 3. Change the action to Redirect to and type in the eprism s fully-qualified domain name (FQDN) in the action data textbox. If you do not know the FQDN, use the hostname and domain name under Basic Config -> Network (ex: myeprism.domain.com). 4. Click Apply on the PBMF preference page to save your changes. Any PBMF entry with an action of spam will now be moved to the user spam quarantine. 5. For the Real-Time Blackhole List, go to Mail Delivery -> Anti-Spam -> RBL. 6. Change the action to Redirect to 7. On the action data textbox, enter the same FQDN as before and click Apply. 8. For the Distributed Checksum Clearinghouse, go to Mail Delivery -> Anti-Spam -> DCC. 9. Use the Redirect to action along with eprism s FQDN and click Apply. 10. For the Statistical Token Analysis, go to Mail Delivery -> Anti-Spam -> STA 11. On the upper threshold, change the action to Redirect to and enter eprism s FQDN in the action data. The STA mode needs to be set to Scanning and Training for the upper threshold to quarantine spam properly. However, make sure that you have at least a week s worth of s before switching the STA mode from Training Only. 12. Click Apply when finished. Spam mail will now be redirected to the individual spam quarantine. To view the quarantined spam: 1. Open a browser and bring up the eprism login page by entering (ex: 2. Enter the user s Windows account name and password and then click Login. 3. Use the navigation icons on the left and click Spam Quarantine. You will be then be able to view, delete, release or whitelist any quarantined spam from this screen. 4. Click Logout when finished.

11 Policy Management eprism s policy controls allow different settings to be applied to users based on their group membership. Policy management can integrate with LDAP to use your existing AD security and distribution groups. The settings that can be customized include: Annotations Inbound Attachment Control Outbound Attachment Control Anti-Virus Distributed Checksum Clearinghouse (DCC) Statistical Token Analysis (STA) To integrate policy management with LDAP, follow the procedures below: 1. Ensure that you have imported the group information from Active Directory either by manually clicking on the Import Now button under Basic Config -> Directory Services -> Directory Groups or waiting until the automatic schedule had a chance to run the import process. 2. Go to Mail Delivery -> Policy. 3. Click the Default Policy entry from the list to configure the default settings first. 4. Click Apply when finished. 5. Click the Add Groups button. 6. Select the group(s) that you would like to have customized policy settings and click Add. Each group that you selected should now have an entry listed on the page. 7. Go through each entry and customize the settings for your group(s) as shown from the example below. 8. Click Apply when finished. 9. After each group has been customized, enable the policy management feature by clicking on the Enable Policy button from the Mail Delivery -> Policy page.

12 FAQs Question 1: What is ADAM? Answer 1: Microsoft ADAM or Active Directory Application Mode is a LDAP directory that runs as a user service rather than a system service. ADAM uses the same core Microsoft directory technologies as Active Directory but does not require domain controllers, forests, domains, etc. You can also run multiple instances of ADAM on the same system and even install it on non-server operating systems like Windows XP. For more information about ADAM, please see Question 2: When I run the LDAP query test, I get an error: Could not create LDAP session handle (5): Compare False Answer 2: Your URI entry is incorrectly formatted. It should look like ldap://ipaddressorhostname or ldaps://ipaddressorhostname for LDAP over SSL (LDAPS). Do not capitalize the ldap:// portion as it is casesensitive. Question 3: The URI is properly formatted but now I get the following error message when running the LDAP query test: ldap_bind: Can t contact LDAP server (81) Answer 3: Verify that eprism can query your AD server properly by checking the following items: Check if the IP address or hostname for the AD server is correct. You can test if the hostname is resolving to the proper IP address by going to Status/Reporting -> Status & Utility -> Hostname Lookup. Make sure that eprism can actually connect to your AD server. Try pinging the server from Status/Reporting -> Status & Utility -> Ping menu. If the pings are failing, check if ICMP echo requests and echo replies are allowed or if there are any network routing or connectivity issues. LDAP uses port 389/TCP for client-to-server communications. Check for any firewalls, filtering devices, or IPSEC policies preventing the eprism from connecting to port 389/TCP (or 636/TCP for LDAPS) on the AD server. If there is a NAT device between the eprism and the AD server, ensure that the source and destination addresses are getting translated correctly. Question 4: Importing the directory user or group information keeps failing. I tried using the LDAP query test to verify my configuration when I got this error message: ldap_bind: Invalid credentials (49) additional info: : LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece Answer 4: Invalid credential messages indicate that either the bind DN or the bind password is incorrect. Verify that both the password and the bind DN are correct. If you are unsure on what exactly the bind DN should be, use any LDAP utility like LDP from the Windows 2000 Support Tools to verify your entry. For more

13 information on using LDP, please see Microsoft KB article at Question 5: How do I use the new LDAP recipient feature with Reject on Unknown Recipient? Answer 5: The LDAP recipient feature currently requires Active Directory to allow anonymous binds and that all the user accounts be placed in one container. These limitations are removed in the next update so we recommend not using it until the update has been released. Reject on Unknown Recipient can still use the locally-cached data that was imported from directory users regardless of the LDAP recipient feature. Question 6: We have more than one domain for our organization. How do I enter additional internal domains for trusted senders? Answer 6: The trusted sender feature currently supports only one internal domain. Question 7: Is there a way to whitelist an entire domain under trusted senders? Answer 7: Only full addresses can be whitelisted under the trusted sender list. To whitelist an entire domain, use PBMF filters located under Mail Delivery -> Anti-Spam -> PBMF. Please refer to Chapter 6 of the eprism User Guide for more information on PBMF. Question 8: Can I use Outlook to retrieve my quarantined spam messages? Answer 8: Yes. eprism supports IMAP and IMAPS for accessing the user spam quarantine. To enable and configure IMAP/IMAPS access, please refer to Chapter 7 of the User Guide. Question 9: We have multiple domains in our Active Directory forest. How can I configure eprism to query the global catalog server? Answer 9: Global catalog servers contain the AD information for objects within its own domain plus a replica of the AD information for objects in other domains in the forest. In order to perform queries against the global catalog server, modify your directory server entry to point to the global catalog server and use TCP port 3268 instead (ex. ldap:// :3268). For secured LDAP queries over SSL, use ldaps:// in the URI and TCP port 3269 (ex. ldaps:// :3269). Contact Information Technical Support - USA, Canada, Pacific Rim and Latin America: Hours of Support - Pacific Time 7:00 am 4:00 pm, Excluding Holidays Tel: Fax: [email protected] Technical Support - Europe, Middle East, Africa: Hours of Support - UTC 08:30 17:30, Excluding Holidays Tel: Fax: [email protected]