Best Practices Guide. McAfee Security for Microsoft Exchange Software

Transcription

1 Best Practices Guide McAfee Security for Microsoft Exchange Software

2 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. TRADEMARK ATTRIBUTIONS AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee Security for Microsoft Exchange Software Best Practices Guide

3 Contents 1 Preface 5 About this guide Audience Conventions Finding product documentation Introduction 7 Features What's new in McAfee Security for Microsoft Exchange Global Threat Intelligence Installing McAfee Security for Microsoft Exchange 11 Minimum privileges for a fresh installation Supported Exchange Server versions and roles Installation and options Configuration Upgrading the software Microsoft Exchange Server roles 17 Microsoft Exchange Server Microsoft Exchange Server Microsoft Exchange Server Edge Server role Microsoft Exchange Server 2010 with Hub Transport role Microsoft Exchange Server 2010 with Mailbox + Hub role (Typical setup) Microsoft Exchange Server 2010 with Mailbox role Cluster support 23 Types of cluster installation Scheduling tasks 27 6 Policy Manager 29 On-Access policy Content scanning File filter Gateway policy Anti-phish scanner Mail size filter Disclaimers Common settings applicable to all roles 33 Notifications Anti-Spam Detected items User interface preferences McAfee Security for Microsoft Exchange Software Best Practices Guide 3

4 Contents Diagnostics DAT settings Import and Export configuration Whitelists and Blacklists 37 How to add an address to a whitelist or blacklist Error messages Frequently asked questions 43 Technical support Index 47 4 McAfee Security for Microsoft Exchange Software Best Practices Guide

5 Preface Contents About this guide Finding product documentation About this guide This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized. Audience McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for: Users People who use the computer where the software is running and can access some or all of its features. Conventions This guide uses the following typographical conventions and icons. Book title or Emphasis Title of a book, chapter, or topic; introduction of a new term; emphasis. Bold User input or Path Code Text that is strongly emphasized. Commands and other text that the user types; the path of a folder or program. A code sample. User interface Hypertext blue Words in the user interface including options, menus, buttons, and dialog boxes. A live link to a topic or to a website. Note: Additional information, like an alternate method of accessing an option. Tip: Suggestions and recommendations. Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data. Warning: Critical advice to prevent bodily harm when using a hardware product. McAfee Security for Microsoft Exchange Software Best Practices Guide 5

6 Preface Finding product documentation Finding product documentation McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase. Task 1 Go to the McAfee Technical Support ServicePortal at 2 Under Self Service, access the type of information you need: To access... User documentation Do this... 1 Click Product Documentation. 2 Select a product, then select a version. 3 Select a product document. KnowledgeBase Click Search the KnowledgeBase for answers to your product questions. Click Browse the KnowledgeBase for articles listed by product and version. 6 McAfee Security for Microsoft Exchange Software Best Practices Guide

7 1 Introduction 1 McAfee Security for Microsoft Exchange version 7.6 provides protection against Viruses, Trojans, Malware, Spyware, Mass Mailers, Packers, and potentially unwanted programs (PUP). It also contains filters for non-virus contents like Spam, Phish, Banned Content, Banned File Types, Signed Content, and invalid MIME types. McAfee Security for Microsoft Exchange protects Microsoft Exchange Server 2010 with the following roles: Mailbox Hub transport Mailbox + Hub transport Edge transport Contents Features What's new in McAfee Security for Microsoft Exchange 7.6 Global Threat Intelligence Features McAfee Security for Microsoft Exchange protects your Microsoft Exchange server from various threats that could adversely affect the computers, network, or employees. Some important features of McAfee Security for Microsoft Exchange are mentioned in this section. Integration with Anti-virus Engine version Integration with McAfee Agent (MA) version 4.5 Patch3 or Version 4.6. Centralized quarantine management using McAfee Quarantine Manager 7.0. All new Anti-Spam Engine version /7 Rules update for Anti-spam. Enhanced Reporting - Status reports, Configuration reports, Detection reports. Integration with McAfee epolicy Orchestrator 4.5 or 4.6. Protection from viruses, spam and phishing. Capability to detect packers and potentially unwanted programs. Content filtering. McAfee Security for Microsoft Exchange Software Best Practices Guide 7

8 1 Introduction What's new in McAfee Security for Microsoft Exchange 7.6 File filtering. Background scanning. Centralized scanner, filter rules, and enhanced alert settings. On-demand or time-based scanning and actions. Multipurpose Internet Mail Extensions (MIME) scanning. Quarantine management. Auto-update of virus definitions, extra DATs, anti-virus and anti-spam engine. Retention and purging of old DATs. Support for Site List editor. Support for Small Business Server. Denial-of-service attacks detection. Product health alerts. What's new in McAfee Security for Microsoft Exchange 7.6 The following table is a list of new features and their brief description. Feature Description Benefit Support for epolicy Orchestrator 4.6. Integrates with epolicy Orchestrator 4.5 or 4.6 to provide a centralized method for administering and updating McAfee Security for Microsoft Exchange across your Exchange servers. This reduces the complexity of, and the time required to, administer and update various systems. Support for Silent Installation. Installation and configuration have been simplified and includes customized silent installs. Installs only the components needed on the particular server role, and two built-in configuration profiles. Exchange Server Role based Installation and Modification. The modify installation feature allows you to add or remove new features to an existing McAfee Security for Microsoft Exchange installation without reinstalling the application. You can also modify the role of an existing McAfee Security for Microsoft Exchange installation depending on the requirement. You can modify the existing McAfee Security for Microsoft Exchange installation and include new capabilities of the application. You can modify the installation on the server with one role to additionally execute an additional role or remove a role, without uninstalling and reinstalling the application. Global Threat Intelligence for file and mail reputation. Content filtering based on regular expressions (Regex). A global threat correlation engine and intelligence base of global messaging and communication behavior, that significantly increases spam detection. It is an Always-on real-time protection that safeguards and secures you from emerging threats. Scans content and text in the subject line or body of an message and an attachment. If enabled, the rule is triggered for specified text that is a regular expression. Global Threat Intelligence prevents damage and data theft even before a signature update is available. It provides the most up-to-date malware detection for a number of Windows-based McAfee anti-virus products. This is a precise and concise method for matching strings of text, such as words, characters or patterns of characters. 8 McAfee Security for Microsoft Exchange Software Best Practices Guide

9 Introduction Global Threat Intelligence 1 Feature Description Benefit Automated Product Health Alert notifications using epolicy Orchestrator Support for Volume Mount Point. Improved notifications with enhanced templates. Product Health Alerts send notifications on the product's status. You can configure these alerts as required. You can add volumes to systems without adding separate drive letters for each new volume. You can configure the content and SMTP address for the administrator to send notifications. If your McAfee Security for Microsoft Exchange is managed by epolicy Orchestrator then you can send a notification to epolicy Orchestrator, or you can send a notification to the administrator. The local administrator can easily extend the storage capacity of any particular volume on a Windows system. Users on the local system or connecting to it over a network can continue to use the same drive letter to access the volume, but multiple volumes can be in use simultaneously from that drive letter. Configure and send separate notifications for individual types of events. UI support for importing black and whitelists from a file (.csv or.txt). Import a blacklist or a whitelist from another McAfee Security for Microsoft Exchange server or export blacklists and whitelists to another McAfee Security for Microsoft Exchange server. Reduces time and effort in configuring the McAfee Security for Microsoft Exchange servers. Enhanced reporting Reports display content phrase which triggered the content scanning rule. You can also view and forward quarantined items. You can exactly know which content or phrase triggered a particular content scanning rule. Improved handling of signed mails. Support for HTML disclaimer. Mailbox scanning exclusion. Capability to remove malicious content from within a signed mail. A disclaimer is a piece of text, typically a legal statement that is added to an message and are applicable only to outbound messages. You can configure mailboxes to be excluded from a VSAPI scan. You can stop malicious content from reaching the user's mailbox. The disclaimer can be entered in plain text and displayed as a HTML file according to the configuration. This gives you the option to exclude selected mailboxes from a VSAPI scan according to your requirements Global Threat Intelligence Global Threat Intelligence is a global threat correlation engine and intelligence base of global messaging and communication behavior, that significantly increases spam detection. It is an Always-on real-time protection that safeguards and secures you from emerging threats. Global Threat Intelligence prevents damage and data theft even before a signature update is available. It provides the most up-to-date malware detection for a number of Windows-based McAfee anti-virus products. We recommend that you enable this feature only on the Edge transport server. If the Edge transport server is absent, then enable it on the hub server. McAfee Security for Microsoft Exchange Software Best Practices Guide 9

10

11 2 2 Installing McAfee Security for Microsoft Exchange This section gives an overview of the various versions of Microsoft Exchange that are supported, what's included in the package, components installed by the application and various roles of Microsoft Exchange that can be installed with McAfee Security for Microsoft Exchange. Contents Minimum privileges for a fresh installation Supported Exchange Server versions and roles Installation and options Configuration Upgrading the software Minimum privileges for a fresh installation For a smooth installation, review the information which highlights the minimum requirements. Table 2-1 Minimum privileges required for a fresh installation Microsoft Exchange version Microsoft Exchange Server 2003 with Service Pack 2 Microsoft Exchange Server 2007 SP2 Microsoft Exchange Server 2007 SP3 Microsoft Exchange Server 2010 SP1 Minimum privileges Domain admin Domain admin Domain admin Domain admin Supported Exchange Server versions and roles McAfee Security for Microsoft Exchange 7.6 is compatible with different supported versions of Microsoft Exchange. Based on the Exchange version and role, the behavior, features, recommended settings, and configuration of McAfee Security for Microsoft Exchange varies accordingly. McAfee Security for Microsoft Exchange 7.6 supports the following versions of Microsoft Exchange server: McAfee Security for Microsoft Exchange Software Best Practices Guide 11

12 2 Installing McAfee Security for Microsoft Exchange Installation and options Microsoft Exchange Server 2003 with SP2 Microsoft Exchange Server 2007 SP2 and SP3 Microsoft Exchange Server 2010 SP1 Microsoft Exchange Server 2007 and 2010 can be installed in the following roles: Mailbox Server Mailbox + HUB server Hub Server Edge Transport Server Microsoft Exchange Server 2003 can be installed in the following roles: Front-end server Back-end server Both Installation and options McAfee Security for Microsoft Exchange can be installed with different versions of Microsoft Exchange Server. Components and services available with McAfee Security for Microsoft Exchange are installed according to the roles selected. This section briefly describes the installation process and the options available with the package. McAfee Security for Microsoft Exchange safeguards the following Microsoft Exchange products. They are: Microsoft Exchange Server 2003 SP2 Microsoft Exchange Server 2007 SP2, SP3 Microsoft Exchange Server 2010 SP1 McAfee Security for Microsoft Exchange 7.6 includes the following components. McAfee Anti-Spam for McAfee Security for Microsoft Exchange 7.6 McAfee Agent 4.6 What's included in the package The McAfee Security for Microsoft Exchange package contains the following folders: Setup Contains the setup.exe file, which is required for the standard installation, and the respective config.xml files for all the languages. setup_x86.exe Installs McAfee Security for Microsoft Exchange on a 32-bit system. setup_x64.exe Installs McAfee Security for Microsoft Exchange on a 64-bit system. ASAddon_x86.exe Installs the Anti-Spam component on a 32-bit system. ASAddon_x64.exe Installs the Anti-Spam component on a 64-bit system. MSMEePOUpgrade.exe Migrates policies from GroupShield for Exchange 7.0.X to McAfee Security for Microsoft Exchange 7.6. in an upgrade using epolicy Orchestrator. Readme Contains the release notes for the product. 12 McAfee Security for Microsoft Exchange Software Best Practices Guide

13 Installing McAfee Security for Microsoft Exchange Installation and options 2 Manuals Contains the installation guide, configuration guide and product guide in PDF format. epoextension Contains the extension that needs to be checked in to the epolicy Orchestrator server for managing the product using epolicy Orchestrator. Components installed by the software McAfee Security for Microsoft Exchange installs several components on your Exchange server. McAfee Anti-Spam for McAfee Security for Microsoft Exchange Detects spam and phishing content. Access Control Allows or denies access to the McAfee Security for Microsoft Exchange user interface for specific users or groups. Product Configuration Launches McAfee Security for Microsoft Exchange standalone version or through a web interface. Sitelist Editor Specifies the location from where automatic updates (including DATs and scanning engines) are downloaded. Cluster Replication Setup Replicates the quarantine database, policy configurations and product updates (Microsoft Exchange Server 2010 only). This is dependent upon the replication setting across a Data Availability Group (DAG), recognized by a McAfee Security for Microsoft Exchange installation. Depending on the type of installation you select, the features installed are: Typical Commonly used features are installed. Buffer Overflow Protection and Anti-Spam Add-On components are not installed. You will not be protected against spam and phish s. Buffer Overflow Protection is applicable for a 32-bit operating system and only if VirusScan Enterprise is installed. Web based Product Configuration (Web user interface) is installed in all three types of installation. Complete (Recommended) Web based Product Configuration, Buffer Overflow Protection and Anti-Spam Add-On are installed. The product is configured for maximum performance with protection against spam and phishing attacks. Custom Select the application features you want to install and where to install them. This is recommended for advanced users. If you select Custom, a dialog box displays the features you can install with an option to change the installation folder. If the Mailbox role has been installed in Microsoft Exchange Server 2007 or 2010, the service Cluster Replication Setup is installed (only for Microsoft Exchange Server 2010). Services available McAfee Framework Service Prerequisite for installing and using epolicy Orchestrator. For more details on this service, refer the epolicy Orchestrator product documentation. McAfee Security for Microsoft Exchange Protects your Microsoft Exchange Server (versions 2003, 2007, 2010) from viruses, unwanted content, potentially unwanted programs, and banned file types/ messages. McAfee Anti-Spam rules updater Required to update the anti-spam rules. McAfee Security for Microsoft Exchange Replication service This service is applicable for Microsoft Exchange Server 2010 only. McAfee Security for Microsoft Exchange Software Best Practices Guide 13

14 2 Installing McAfee Security for Microsoft Exchange Configuration Installing McAfee Security for Microsoft Exchange McAfee Security for Microsoft Exchange can be installed on a standalone server as well as be deployed using epolicy Orchestrator. See Managing using epolicy Orchestrator 4.5. and 4.6 for deployment using epolicy Orchestrator. Going forward with the installation, you can select the type of installation (typical or complete or custom). When the installation is complete, the installation wizard Completed screen appears. Select the options as required. Launch product User Interface To launch the McAfee Security for Microsoft Exchange user interface after you exit the installation wizard. Show the readme file To view the Release Notes of the product (Readme.txt) for information on any last minute additions or changes to the product, known issues or resolved issues. Update DAT and Engines To update McAfee Security for Microsoft Exchange with the latest DAT files, engine, and anti-spam updates. It is a best practice to update the DATs immediately. Register at McAfee Business Community to stay up to date To receive information regarding the product, new releases, updates and other relevant information. Configuration Important components like VSAPI scan, proactive scanning, and background scanning have to be configured correctly during installation to get the best performance of McAfee Security for Microsoft Exchange. VSAPI scan settings Microsoft Exchange Server 2010 uses VSAPI (Virus Scanning API) version 2.6. It is a virus scanning API provided by Microsoft to enable third-party Anti-Virus vendors to write virus scanning applications for Microsoft Exchange. When a new message reaches the Information Store, VSAPI will notify McAfee Security for Microsoft Exchange to scan this message. The message (MIME) will be split into different MIME parts (Header, Subject, Mail body and Attachment) and handed over to McAfee Security for Microsoft Exchange for scanning. Unlike McAfee Transport where McAfee Security for Microsoft Exchange acts on the entire MIME message, VSAPI scanning is done on each MIME parts or item. VSAPI gives more useful scanning options like proactive scanning and background scanning. It can also scan the outbound messages in Outbox and Sent Items folders. Proactive Scanning It is a VSAPI feature that places the unscanned and modified messages in the scanning queues based on a priority. Message attachment is put in the priority 1 queue and message body in the priority 2 queue. Background Scanning It is a VSAPI feature that scans the messages in the user Mailbox and public folders whenever there is a new version of DATs (virus definitions) updated on McAfee Security for Microsoft Exchange and whenever exchange information store is dismounted and mounted. For McAfee Security for Microsoft Exchange, there is an additional option given in the user interface to start and stop the background scanning at a scheduled time and date using the option Enable At and Disable At. Background Scan should be scheduled during the non-peak hours of the day or during weekends. Do not run the background scan unless it is absolutely necessary since it uses large amounts of system resources. 14 McAfee Security for Microsoft Exchange Software Best Practices Guide

15 Installing McAfee Security for Microsoft Exchange Upgrading the software 2 Upgrading the software You can upgrade a standalone product to McAfee Security for Microsoft Exchange 7.6 or you can also upgrade your product using epolicy Orchestrator. Earlier versions of GroupShield for Exchange can be upgraded to McAfee Security for Microsoft Exchange version 7.6. The product upgrades supported are: GroupShield for Exchange version Patch 1 and later GroupShield for Exchange version Rollup 2 and later Upgrading a standalone product McAfee Security for Microsoft Exchange version 7.6 supports upgrading your configuration settings from the previous version of the product. When upgrading to a new version of McAfee Security for Microsoft Exchange, you do not need to uninstall the existing version. The installation program updates your installation to the new version. Note the following: When upgrading, the dialog box for language options is not displayed. In the case of Exchange Server 2007 and 2010, the Exchange Server Role Detection screen appears. If you are upgrading, don't choose to import an existing configuration. Instead, select Next and make sure that the option Import existing configuration is selected. We recommend that you restart your computer after the installation process is complete. The option Import existing configuration is useful if you are installing McAfee Security for Microsoft Exchange on a new system and would like to retain the configuration from an existing installation on another system. You can also import existing configurations from versions of GroupShield for Exchange 7.0.x that are supported by McAfee Security for Microsoft Exchange. During the installation process, Exchange services could stop or restart. This includes all services related to Exchange Database and Exchange Transport. epolicy Orchestrator upgrade If your existing product is managed by epolicy Orchestrator and you upgrade it to McAfee Security for Microsoft Exchange version 7.6, then the policies present in epolicy Orchestrator also need to be upgraded to McAfee Security for Microsoft Exchange version 7.6. Existing GroupShield for Exchange 7.0.x policies are not be upgraded if you use epolicy Orchestrator to upgrade McAfee Security for Microsoft Exchange. To migrate policies from GroupShield for Exchange 7.0.x to McAfee Security for Microsoft Exchange 7.6. in an upgrade using epolicy Orchestrator, run the tool MSMEePOUpgrade.exe. See Upgrading the software for supported versions. Make sure you have epolicy Orchestrator version 4.5 or 4.6, which are the versions supported by McAfee Security for Microsoft Exchange version 7.6. After the policies are upgraded, you can continue to manage earlier versions of GroupShield for Exchange and McAfee Security for Microsoft Exchange from the same epolicy Orchestrator server with their existing policies. These older policies are not overwritten during the upgrade. In the case of epolicy Orchestrator 4.6, you will be prompted for the epolicy Orchestrator user password and the SQL user password. If the epolicy Orchestrator database is installed with a SQL Named Instance, you will be prompted for the name of the Named instance. McAfee Security for Microsoft Exchange Software Best Practices Guide 15

16 2 Installing McAfee Security for Microsoft Exchange Upgrading the software Make sure that all instances of GroupShield for Exchange and McAfee Security for Microsoft Exchange are closed before starting the upgrade. 16 McAfee Security for Microsoft Exchange Software Best Practices Guide

17 3 Microsoft Exchange Server roles Microsoft Exchange can be installed in various roles along with McAfee Security for Microsoft Exchange. Each role or combination of roles have corresponding components and services that are installed by McAfee Security for Microsoft Exchange. Contents Microsoft Exchange Server 2003 Microsoft Exchange Server 2007 Microsoft Exchange Server Edge Server role Microsoft Exchange Server 2010 with Hub Transport role Microsoft Exchange Server 2010 with Mailbox + Hub role (Typical setup) Microsoft Exchange Server 2010 with Mailbox role Microsoft Exchange Server 2003 Microsoft Exchange Server is the messaging platform that provides and scheduling functions and can be installed to execute various roles. Microsoft Exchange Server 2003 can be installed with the following roles: Mailbox Setup configures McAfee Security for Microsoft Exchange for the Mailbox role and installs the relevant component - VirusScan API. Gateway Setup configures McAfee Security for Microsoft Exchange for the Gateway role and installs the relevant components Transport Scan ( Anti-Spam and Anti-VirusScan API). Both Setup configures McAfee Security for Microsoft Exchange for both Mailbox and Gateway roles and install the relevant components: On-Demand Scan and Transport Scan ( Anti-Spam and Anti-VirusScan API). The option Enable User Junk folder Routing allows the scanner to route your spam s to the client's junk folder. This option is not available with Microsoft Exchange Server 2007 and See Chapter 7 - Common Settings applicable to all roles. This is applicable only for the Mailbox role, and if you have installed the McAfee Anti-Spam Add-on on your server. McAfee Security for Microsoft Exchange Software Best Practices Guide 17

18 3 Microsoft Exchange Server roles Microsoft Exchange Server 2007 Microsoft Exchange Server 2007 McAfee Security for Microsoft Exchange can be installed with Microsoft Exchange Server 2007 that has been configured with the Edge transport role, or Hub transport role, or Mailbox role. Depending on the role with which Microsoft Exchange Server has been installed, the corresponding components and services are installed. McAfee Security for Microsoft Exchange will execute Transport Scanning for the Edge transport and Hub transport roles, and VirusScan API for the Mailbox role. McAfee Security for Microsoft Exchange automatically detects the roles selected during the installation of Microsoft Exchange Server 2007 or If the Mailbox role has been installed in Microsoft Exchange Server 2007 or 2010, the service Cluster Replication Setup is installed (only for Microsoft Exchange Server 2010). Cluster Replication Setup is applicable only for a Microsoft Exchange Server 2010 installation. Microsoft Exchange Server Edge Server role The Edge server runs in the perimeter and provides message hygiene and security over the network. It is installed on a standalone server that is not a member of the Active Directory domain. The edge server is a standalone server in a workgroup with a dummy DNS suffix name (Domain Name.Com). Since this resides outside the Active Directory domain, it does not contain any AD user information of the domain, to which this server is going to route (send) and receive the messages. To enable Edge server to perform required mail transferring, you have to configure a Send connector to the Hub Transport server and a Receive connector from the same Hub Transport server. If there is an Edge Subscription between Edge and Hub servers, then you need not configure a separate send/receive connector. Microsoft Exchange Server 2010 installed with the Edge role contains only SMTP Transport agents and hence McAfee Security for Microsoft Exchange installed with this role performs only Transport Scanning using the McAfee Transport Scanner. We recommend that you enable the Transport scanning option. We recommend that you have the Anti-Spam add-on installed only on Edge transport servers, also on the Hub server if an Edge transport server is absent. Deselect this option if you already have any vendor's appliance running anti-spam. Microsoft Exchange Server 2010 with Hub Transport role The Hub transport role is responsible for all internal mail flow and is installed on a member server(s) in an Active Directory domain. In the Hub Transport role, Microsoft Exchange will have only the SMTP Transport agents registered due to which the Information Store service will not function. You can use only the McAfee Transport scanner to scan messages at the Hub Transport level. None of the VSAPI scanner settings are used in this role. You should make sure that McAfee Transport Scanner and its sub-options to scan Inbound, Outbound and Internal Messages are Enabled and Anti-virus scanning is Disabled. 18 McAfee Security for Microsoft Exchange Software Best Practices Guide

19 Microsoft Exchange Server roles Microsoft Exchange Server 2010 with Mailbox + Hub role (Typical setup) 3 We recommend that you disable the Anti-Spam policy, if you have a McAfee Appliance installed on the Edge server. Microsoft Exchange Server 2010 with Mailbox + Hub role (Typical setup) The Hub transport role is responsible for all internal mail flow and is installed on a member server(s) in an Active Directory domain. Microsoft Exchange 2010 has been developed stressing security and performance of the Exchange server. It can be installed with six different roles. McAfee Security for Microsoft Exchange supports the following roles: Mailbox role HUB role Mailbox + HUB role Edge role The Client Access Server (CAS) can be combined with the Mailbox role, HUB role or the Mailbox + HUB role. McAfee Security for Microsoft Exchange is supported on all these combinations. In Microsoft Exchange Server 2010, SMTP protocol comes along with Exchange server installation and does not use the SMTP protocol from IIS server. Therefore, when McAfee Security for Microsoft Exchange is installed on Microsoft Exchange Server 2010, Mailbox+Hub role registers McAfee Transport agents with Microsoft Exchange Server 2010 SMTP transport events. In Exchange 2010 Mailbox + Hub role, both VSAPI and McAfee Transport scanner are available for scanning. You can disable McAfee Transport scanning, if your organization has more than one Hub server and/or an Edge server with McAfee Security for Microsoft Exchange installed. In Exchange 2010, any mail (inbound, outbound and internal) has to pass through a Hub Transport server. An organization should have at least one Hub Transport server and can have multiple Hub Transport servers based on the number of Mailbox servers. Select the Anti-Spam add-on, so that McAfee Security for Microsoft Exchange blocks unsolicited mails and phish attacks at the Gateway to avoid unwanted messages reaching the user s Mailbox. Select this option if you do not have another Hub server or Edge server configured and there is no McAfee Security for Microsoft Exchange installed on it. Select the installation type Complete for this role. This will install all the features of McAfee Security for Microsoft Exchange along with two user interfaces, the Standalone UI and Web UI. Transport Scan settings You can enable or disable the whole Transport Scanning feature by deselecting the checkbox under the Settings and Diagnostics page. Transport Scan should be turned off on McAfee Security for Microsoft Exchange if it is already running on any McAfee Gateway appliance. Direction Based Scanning This is a McAfee Transport scanning feature. Administrator can choose to scan Inbound and/or Outbound and/or Internal messages. McAfee Security for Microsoft Exchange Software Best Practices Guide 19

20 3 Microsoft Exchange Server roles Microsoft Exchange Server 2010 with Mailbox role VSAPI Scanner settings Microsoft Exchange 2010 comes with VSAPI 2.6 to scan messages at the Information Store level. This has more granular control and options for the background scanning feature. It also includes an option to scan the Outbox. Proactive Scanning It is used to scan the unread and modified messages in the user inbox with its own priority queue. By default, this option is Disabled. Outbox Scanning This option enables McAfee Security for Microsoft Exchange to scan in the outbox folder. By default this option is enabled for both enhanced and default configurations. To use this feature, you need to enable Proactive Scanning along with Outbox scanning option. We recommend that you have this option enabled if you don't have McAfee Security for Microsoft Exchange installed on Hub or Edge servers. This feature is not present in Microsoft Exchange Server Background Scanning By default, Background Scanning is disabled in Exchange You need to enable this option or enable Background Scanning On/Off Tasks, and schedule it to start and stop at a specified time using Enable At and Disable At options. We recommend that you schedule Background Scan to run during non-peak hours, so that the performance of the Mailbox Server does not degrade. VSAPI 2.6 gives the following options for Background Scanning: To scan only unscanned messages To scan messages only with attachments To scan all messages You can also specify upper and lower age limits for background scanning to scan messages based on the time stamp of the message. We recommend that you do not select the option To scan all messages, because this will use more memory. Microsoft Exchange Server 2010 with Mailbox role The Mailbox server role hosts mailbox and public folder databases and provides scheduling services for Microsoft Office Outlook users. This section describes the best practices to be implemented while installing McAfee Security for Microsoft Exchange in a Microsoft Exchange Server 2010 environment with only the Mailbox role. Microsoft Exchange Server 2010 with only the Mailbox role contains only VSAPI scanning abilities. So, any scanning done on this server role will be at the Exchange Information Store level. While installing McAfee Security for Microsoft Exchange with this role, there is no need to select the Anti-Spam component. The Administrator can use the Typical or the Complete type of installation. The Administrator should make sure that VSAPI scanning is always Enabled under the Settings & Diagnostics page of McAfee Security for Microsoft Exchange. Other VSAPI version 2.6 features (like Proactive Scanning and Background Scanning) and its recommended settings will remain same as given in the Mailbox + Hub server role. 20 McAfee Security for Microsoft Exchange Software Best Practices Guide

21 Microsoft Exchange Server roles Microsoft Exchange Server 2010 with Mailbox role 3 None of the VSAPI scanner settings are used in this role. Make sure that McAfee Transport Scanner and its sub-options to scan Inbound, Outbound, and Internal Messages are Disabled and Anti-virus scanning is Enabled. For better performance, disable Proactive Scanning on the Mailbox role and make sure that McAfee Security for Microsoft Exchange is installed and configured with the HubTransport role. McAfee Security for Microsoft Exchange Software Best Practices Guide 21

22

23 4 Cluster 4 support Depending on the configuration settings, this utility replicates quarantined items from one server to the other, and makes them highly accessible. This utility is available only for a McAfee Security for Microsoft Exchange installation that is recognized by a Data Availability Group (DAG), in which case the McAfee Security for Microsoft Exchange Replication Service is also available. Database Availability Group (DAG) on Microsoft Exchange Server 2010 Cluster Replication Setup utility replicates the quarantine database, policy configurations and product updates, depending upon the replication settings across Data Availability Group (DAG) aware McAfee Security for Microsoft Exchange installation. This utility will make sure that quarantined items are readily available, by replicating the quarantined items from one server to another server depending up on the configuration. This utility is required only in a DAG-aware McAfee Security for Microsoft Exchange installation. We recommend that you disable the Anti-spam add-on in a cluster setup having a Mailbox role. This utility is available only if McAfee Security for Microsoft Exchange 7.6 is installed on a 64-bit system with Microsoft Exchange Server 2010 in the Mailbox role. If the Mailbox role is installed in Microsoft Exchange Server 2010, the service Cluster Replication Setup is automatically installed in all three types of setup (Typical, Complete and Custom). Types of cluster installation McAfee Security for Microsoft Exchange 7.6 can be installed as a cluster aware application in different configurations depending on the Microsoft Exchange Server version. Cluster Continuous Replication (CCR) on Microsoft Exchange Server 2007 McAfee Security for Microsoft Exchange 7.6 will not be a cluster aware application on Microsoft Exchange Server 2007 CCR cluster. Both the nodes have to be managed independently and will work as standalone instances. Single Copy Cluster (SCC) on Microsoft Exchange Server 2007 For clean installations, we recommend that you install McAfee Security for Microsoft Exchange on the Active node first, then on the Passive node. McAfee Security for Microsoft Exchange 7.6 should be added to the cluster groups where the Exchange virtual server is present after the installation on the nodes of the cluster. In case of an upgrade, make sure that the Active node is upgraded first. McAfee Security for Microsoft Exchange Software Best Practices Guide 23

24 4 Cluster support Types of cluster installation Cluster installation on Microsoft Exchange Server 2003 In Microsoft Exchange Server 2003, there are two types of nodes: Active node The cluster server that currently owns cluster group resources and responds to network requests made to those services. Passive node The cluster server that does not currently own cluster group resources, but is available if the active node fails. These nodes form two types of server clusters: Active/Passive cluster The cluster includes active and passive nodes. The passive nodes are used only if an active node fails. Active/Active cluster All nodes are active. In the event of a failover of an active node, the remaining active nodes take on the additional processing operations. We recommend that you install McAfee Security for Microsoft Exchange as a standalone node on an Active/ Active cluster. Adding McAfee Security for Microsoft Exchange as a resource to the cluster group on Windows 2003 (32-bit or 64-bit) You can add McAfee Security for Microsoft Exchange as a resource to a cluster group, so that McAfee Security for Microsoft Exchange can behave as a cluster application. Make sure that the McAfee Security for Microsoft Exchange cluster resource is created in the same cluster group where you have Microsoft Exchange resources configured. After the cluster resource is successfully created, in Cluster administrator, right-click the newly created resource and from the context menu, select Bring Online. This starts the McAfee Security for Microsoft Exchange service on the active node and the quarantine database is created in the designated drive. Multiple instances of the Postgress.exe*32 process appear under the Processes tab of the Task Manager along with RPCServ.exe*32, and SAFeService.exe*32. In a Windows 2003 (32-bit) environment, you will have Postgress.exe, RPCServ.exe, and SAFeService.exe running, because these are native 32-bit processes. See Cluster Replication in the Installation Guide for steps on how to create a cluster resource. Adding McAfee Security for Microsoft Exchange as a resource to the cluster group on Windows 2008 (64-bit) You can add McAfee Security for Microsoft Exchange as a resource to a cluster group in a Windows 2008 (64-bit) environment. To do so, make sure that you have logged in as the administrator. Make sure that the McAfee Security for Microsoft Exchange cluster resource is created in the same cluster group where you have Microsoft Exchange resources configured. Refer McAfee KB on steps to follow before you create a cluster resource. Perform the following steps to create and configure a GroupShield cluster resource. Make sure that the McAfee Security for Microsoft Exchange cluster resource is created in the same cluster group where you have Microsoft Exchange resources configured. 24 McAfee Security for Microsoft Exchange Software Best Practices Guide

25 Cluster support Types of cluster installation 4 After the cluster resource is successfully created, in Cluster administrator, right-click the newly created resource and select Bring Online. This starts the McAfee Security for Microsoft Exchange service on the active node and the quarantine database is created in the designated drive. Multiple instances of the Postgress.exe*32 process appears under the Processes tab of the Task Manager along with RPCServ.exe*32, and SAFeService.exe*32. McAfee Security for Microsoft Exchange Software Best Practices Guide 25

26

27 5 Scheduling 5 tasks In McAfee Security for Microsoft Exchange, you can schedule important tasks like On-demand scanning, Auto-update, and optimization frequency according to your requirement. You can schedule the following tasks: On-demand scanning Configuration Reporting Auto-update Purge of old items frequency Status Reporting Optimization frequency On-demand scanning is a feature, that you can use to schedule a scan on the users' mailboxes. This scan ensures that old and existing messages in the public folders and user mailboxes are not scanned by McAfee Security for Microsoft Exchange. By default McAfee Security for Microsoft Exchange has one On-demand scan in the Not Scheduled status. This is configured to scan all mailboxes and public folders of the server and uses On-demand default policy settings given under Policy Manager. You can schedule any number of on-demand scans and schedule multiple scans to run at the same time. However, it is recommended to run only one On-demand scan at the given time per user Mailbox. Running an on-demand scan will execute RunScheduled.exe process in the Task Manager. This process will get terminated once the on-demand scan is completed. It is designed to utilize the maximum available resources on the server and complete the task as quick as it can. So, on-demand scan using 60 to 80% of CPU is considered as normal behavior while running on huge mailboxes. We recommend that you run the on-demand scan during non-peak hours of the day or during the weekends. If the server is managed through epolicy Orchestrator, then we recommend that you do not to have any local update task running. McAfee Security for Microsoft Exchange has six on-demand scan policies having pre-configured settings and are used for different purposes as stated in the policy name. On-demand Default On-demand Remove Banned Content On-demand Full Scan On-demand Find Viruses On-demand Find Banned Content On-demand Remove Viruses Auto-update task is used to get the latest DATs, AV Engine, Spam Rules, and Spam Engine updates from the master repository. If McAfee Security for Microsoft Exchange is not managed by epolicy Orchestrator, by default McAfee Security for Microsoft Exchange will get product updates from the NAIHttp website. There is a Fallback NAIFTP repository as well which the user can utilize if required. This repository information will be present in SITELIST.XML under the \doc settings\all users\app data \McAfee\Common Framework folder. By default, the auto-update task is scheduled at 12:00 AM every night. You can change the update frequency through the Edit Schedule option given in the Dashboard. We recommend that you configure the auto-update task to run every 8 Hours. McAfee Security for Microsoft Exchange Software Best Practices Guide 27

28 5 Scheduling tasks A status report is a scheduled report sent to an administrator at a specific time. The report contains detection statistics within that specified time frame. You can choose a time, recipient address/ distribution list to send the report to, and a subject for the . Reports are sent in HTML or CSV format. A configuration report is a scheduled report sent to an administrator at a specific time. The configuration report will have a summary of product configurations such as: server information, version information, license status and type, product information, debug logging information, on-access settings, on-access policies, and gateway policies. The Purging of Old Items Frequency task is scheduled by default. You can edit the schedule of this task and configure it to delete old records from the detected items database, leaving only the recent detections. The Optimization frequency task is scheduled by default. This task can be scheduled and configured to improve the database performance by recovering the empty spaces created due to deletion of records. 28 McAfee Security for Microsoft Exchange Software Best Practices Guide

29 6 Policy 6 Manager Policy Manager is a product feature that allows you to configure or manage different policies and actions in the product. It determines how different types of threats are treated when detected. Each policy specifies the settings and actions that are used by the policy and the actions taken when a detection is triggered for the data in the Exchange environment. The settings are given names ad can be used by many policies at the same time. However, the actions are specific to a particular policy. For example, you can create anti-virus policies and create multiple child policies from it. However, you can have a different action for each policy. Contents On-Access policy Content scanning File filter Gateway policy Anti-phish scanner Mail size filter Disclaimers On-Access policy Create policies for messages every time they are opened, copied or saved to determine if they contain a virus or other potentially unwanted code. On-access scanning is also called real-time scanning. Anti-Virus scanner Anti-Virus scanner settings are used by both VSAPI (at store level) and McAfee Transport scanner (at postcat level). McAfee Security for Microsoft Exchange 7.6 uses the new virus scanning Engine, version 5400 and hence has the capability to detect Viruses, Trojans, Malwares, PUPs, and Packers and take different actions. By default, McAfee Security for Microsoft Exchange is configured to clean every infected message. If cleaning fails, then the infected item will be replaced with an alert Warning.txt and the original infected item is quarantined in the Postgres database. We recommend that you use the default settings in McAfee Security for Microsoft Exchange 7.6 for the Anti-Virus scanner. If needed, the administrator can select the secondary action Notify Administrator to get an notification about the infected detection. McAfee Security for Microsoft Exchange Software Best Practices Guide 29

30 6 Policy Manager Content scanning Content scanning The content scanning filter blocks unwanted bad content from reaching the user s mailbox. By default Content scanning is disabled. We recommend that you enable content scanning by assigning default or custom (newly created) content rules, assigned to the content scanner. Under Content Scanning page, you can select Include documents and database formats and Extend scan to all attachments to make McAfee Security for Microsoft Exchange scan for banned content in all types of attachments including documents, PDF files, databases and excel files. While assigning a content rule to the scanner, you have the option to apply the content rule to Everything or to selected file formats. It is recommended to assign the content rule to scan only Documents, Messages and HTML Files. File filter The file filter detects a harmful file within an and blocks the unwanted files from entering the users Mailboxes. This filter is disabled by default. You need to create new file filter rules and apply the rule to the filter. File Filter rules can be created based on Filename or Extensions, True File Type detection, and File Size. There are no recommended settings for this filter. However it is used mostly to block executables; packed files and archives based on extensions; and true type file filtering. For other filters (Corrupted Content, Encrypted Content, Password Protected Files, Protected Content, Signed Content, HTML Files, MIME Settings and Scanner Control) under On-Access settings, the administrator can configure specific actions based on the company s requirements or can use the default settings. Gateway policy Gateway policies are applied to messages every time they are opened, copied or saved to determine if it is a spam, phish, MIME files or HTML files. All scanners and filters under Gateway Policy are applied at the initial Transport level (at SMTP submit level). Anti-Spam Settings We recommend that you block unwanted bulk messages, phish messages at the Gateway level. This scanner blocks unsolicited from entering the organization. McAfee Security for Microsoft Exchange with Anti-Spam add-on applies rules and respective scores to each MIME component of the message and takes action, based on the total Spam score. By default, McAfee Security for Microsoft Exchange has three levels of Spam scores. The messages having scores between 5 and 10 are called Low, messages with scores between 10 and 15 are called Medium and messages with score 16 and above are called High. McAfee Security for Microsoft Exchange blocks (delete message) the High and Medium level Spam messages by default and allows the message with ****SPAM**** as the prefix in the subject line for messages with a lower spam score. It is recommended to have the default settings for Spam messages. This scanner is only applicable to Inbound messages. 30 McAfee Security for Microsoft Exchange Software Best Practices Guide

31 Policy Manager Anti-phish scanner 6 Anti-phish scanner The Anti-Phish scanner is used to block the phish messages at the Gateway. Using the spam rules and Engine, McAfee Security for Microsoft Exchange detects and takes action on phish messages. By default, phish messages are deleted and quarantined and this is the recommended configuration. This is applicable only to Inbound messages. Mail size filter This is a very useful filter, using which you can block the entire message based on the message size, attachment size and number of attachments. Blocking the message at the gateway level is recommended and preferred by many organizations. Based on the organization policy, you can filter the unwanted messages using this filter. This filter is applicable to both Inbound and Outbound messages. Disclaimers Using this feature you can attach the company s disclaimer text to all outbound messages. This is not enabled by default. You have to configure this with the legal content text that needs to be attached to all the messages with the following three options; attach disclaimer Before the Message, After the message or As an attachment. McAfee Security for Microsoft Exchange Software Best Practices Guide 31

32

33 7 Common settings applicable to all roles Common settings are settings that are applicable to any role in which the Microsoft Exchange server is installed. Contents Notifications Anti-Spam Detected items User interface preferences Diagnostics DAT settings Import and Export configuration Notifications Under Notifications, enter the correct SMTP address of the administrator. Select Enable Task Results Notifications. This allows the administrator to get notification about the Scheduled Tasks status (for example, on-demand scan). Anti-Spam This is an add-on component to McAfee Security for Microsoft Exchange that protects you from spam and phishing . The Anti-Spam component scans the messages and provides the result to McAfee Security for Microsoft Exchange before the content is written to the file system or read by Microsoft Exchange users. Type the SMTP address of the Mailbox that is by default identified as the System Junk Folder. To move the bulk and spam s to a different Mailbox, use Route to System Junk Folder primary action for Anti-Spam scanner. User Junk Folder Routing the Enable routing to the user junk folders on this server option, which was available in McAfee Security for Microsoft Exchange with Microsoft Exchange Server 2003 and in earlier versions of GroupShield for Exchange, is no longer available in McAfee Security for Microsoft Exchange. This is because, routing to user's Junk folder now occurs on a Hub server role. If the SCL Junk threshold value of the Exchange server is changed, the Junk Routing feature works only after 8 hours or after restarting McAfee Security for Microsoft Exchange services. These settings are only required on a McAfee Security for Microsoft Exchange server containing the Anti-Spam feature. These settings can be ignored on servers where there is no Anti-Spam add-on installed. McAfee Security for Microsoft Exchange Software Best Practices Guide 33

34 7 Common settings applicable to all roles Detected items Detected items On the detected Items page you can configure various settings or rules that would trigger a corresponding policy and take remedial action. If you are using McAfee Quarantine Manager (McAfee Quarantine Manager) for quarantining detected items, then you need to select Enabled under the McAfee Quarantine Manager heading and enter the correct IP Address of the McAfee Quarantine Manager server. After these settings, when McAfee Security for Microsoft Exchange detects and quarantines the first message item, the quarantined item will be stored in the McAfee Quarantine Manager server. If you intend to store the quarantined message locally, then do not select any option under the McAfee Quarantine Manager heading. Under Local Databases, select the path and folder name for the database, if you intend to change the DB location. If not, it is good to have the database at the default location. Maximum item size (MB) is the maximum size of the quarantine item that is allowed to get quarantined and logged into the database by GroupShield. The default value is 100MB and this can be changed as per the requirement/policy of an organization. Maximum query size (records) This is the number of records (view) that is displayed in the Detected Items page. By default it is set to 1000 and can be increased up to 20,000 records. That means, whatever the total detections in your database, McAfee Security for Microsoft Exchange can display only 20,000 records in one view. Maximum Item Age (days) This is the number of days McAfee Security for Microsoft Exchange retains the detected items in the database. The default value is 14, and the detected items older than 14 days will be deleted from the database. Maximum value allowed is 365. Purge of old items frequency This task can be scheduled to setup the purge task that removes items marked for deletion from the database. On the specified time and date, McAfee Security for Microsoft Exchange purges the old detected items older than the number of days mentioned in Maximum Item Age (days). By default this schedule is set to Monthly. Optimization Frequency This task can be scheduled to optimize the database at a specified date and time. This task recovers disk space taken up by the deleted records in the database. By default this schedule is set to "Monthly". User interface preferences Options on this page apply only to Dashboard and Graph settings and these can be changed according to your choice. Diagnostics This page helps you to enable the required diagnostics option when there is any issue found in the scanning behavior of McAfee Security for Microsoft Exchange. We recommend that you change these settings only if you need any diagnostics information for your analysis or if asked by the technical support representative for troubleshooting. Debug Logging This can be enabled and set to High, Medium or Low, based on the requirement. By default, the value is None where Debug Logging option is disabled. 34 McAfee Security for Microsoft Exchange Software Best Practices Guide

35 Common settings applicable to all roles DAT settings 7 Error Reporting service This is a built-in functionality by the McAfee supportability tool. This enables a Talkback process to keeps monitoring McAfee Security for Microsoft Exchange specific services. By default this tool is available with McAfee Security for Microsoft Exchange and it catches the exceptions and crashes found in McAfee Security for Microsoft Exchange services, and reports them with a dump file to McAfee website for further troubleshooting. We recommend that you do not change any settings under this. Event Logging Option for the administrator to log information, warnings, and error events to Event Log and Product Log. By default, all options are selected, and we recommend that you do not change these settings. Product Log On this page you can change the Location, Filename, Size Limits, and Time-out values for McAfee Security for Microsoft Exchange to log events to the product log. These settings can be changed according to your requirements and available disk space. DAT settings The DAT Settings page specifies the number of DAT folders that needs to be retained by the administrator. The maximum value is 10 and the minimum value is 3. This can be changed according to your requirements. Import and Export configuration Under the Configuration tab, you can import the Config.XML file (McAfeeConfig.xml) from a different McAfee Security for Microsoft Exchange server to retain the same settings on the newly installed McAfee Security for Microsoft Exchange server. You can also export the current settings and keep it as a backup or use the exported XML on the other McAfee Security for Microsoft Exchange server. Use the Restore Default option to go back to the default settings of McAfee Security for Microsoft Exchange. In the SiteList tab, you can import or export the Sitelist.xml file from Common Framework folder and use the same update repository settings on another McAfee Security for Microsoft Exchange server. The SiteList.xml file has information about the product update repositories that McAfee Security for Microsoft Exchange can contact during product updates. McAfee Security for Microsoft Exchange Software Best Practices Guide 35