Transcription

1

2 Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes and the latest version of the Getting Started Guide, which are available from Trend Micro s Web site at: NOTE: A license to the Trend Micro Software usually includes the right to minor product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. Maintenance must be renewed on an annual basis at Trend Micro s then-current Maintenance fees. Trend Micro, the Trend Micro logo, InterScan, Spam Prevention Solution, Network Reputation Services, and Control Manager are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. Copyright 2007 Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated. Release Date: February 2007 Patents Pending

3 The Getting Started Guide for Trend Micro InterScan Messaging Security Suite 7.0 is intended to introduce the main features of the device and deployment instructions for your production environment. You should read through it prior to deploying or using the device. Trend Micro is always seeking to improve its documentation. Your feedback is always welcome. Please evaluate this documentation on the following site:

4

5 Contents Preface Chapter 1: InterScan Messaging Security Suite 7.0 Documentation... vi Audience... vi Document Conventions... vii Introducing InterScan Messaging Security Suite About IMSS What s New IMSS Main Features Antivirus Protection Content Management Spam Filtering with IP Profiler and Network Reputation Services IntelliTrap Protection Against Other Threats Denial of Service (DoS) Attacks Malicious Content Degradation of Services Legal Liability and Business Integrity Mass Mailing Virus Containment Clustered Architecture IMSS Main Benefits About Spyware and Other Types of Grayware About SPS SPS Technology Using SPS About IP Filtering About NRS NRS Services How IP Profiler Works How NRS Works About End-user Quarantine (EUQ) About Centralized Reporting i

6 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide About Control Manager Chapter 2: Chapter 3: System Requirements and Component Descriptions System Requirements Ports Used by IMSS Planning for Deployment About IMSS Components The IMSS Admin Database The EUQ Database Central Controller Policy Services Policy Synchronization Scanner Services End-User Quarantine (EUQ) Service Primary and Secondary EUQ Services Component and Sub-module Installation Understanding Installation Scenarios Single-server Installation Multiple Scanner Service Installation Multiple EUQ Service Installation Complex Distributed Installation WAN Installation About Failover Installing IMSS on a Single Server Performing a Single-server Installation Installing Multiple Scanner Services and Policy Services Performing a Multiple Scanner Service Installation Installing Multiple EUQ Services Performing a Multiple EUQ Service Installation Installing with a Complex Architecture Installing over a WAN Trend Micro Control Manager Fault Tolerance and Failover in a WAN Scenario Considering Network Topology Installing without a Firewall Installing in Front of a Firewall ii

7 Incoming traffic Outgoing traffic Installing Behind a Firewall Incoming Traffic Outgoing Traffic Installing on a former SMTP gateway Incoming traffic Outgoing traffic In the DMZ Incoming traffic Outgoing traffic About Operating Models The Standalone Model The Sandwich Model The Proxy Model IP Filtering and Web End-user Quarantine (EUQ) Deploying IMSS with IP Filtering (IP Profiler and NRS) Deploying IMSS with Web-based EUQ Communication Between Servers Chapter 4: Installing IMSS Installing InterScan Messaging Security Suite Preparing Postfix Installing IMSS Components and End-User Quarantine Uninstalling IMSS Components Verifying the Installation Installing IP Filtering Components Installing Network Reputation Services and IP Profiler Uninstalling Network Reputation Services and IP Profiler Upgrading from Previous Versions Activation of Supported Services Settings That Cannot be Migrated Using Migration Reports Backing Up Your Settings Backing up IMSS 5.7 Data for a Single-server Deployment Backing Up IMSS 5.7 Data for a Distributed Deployment Migrating from Version 5.7 to Version iii

8 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Rolling Back the Migration Rolling Back in a Single-Server Deployment Scenario Rolling Back in a Complex Distributed Deployment Scenario Using Sendmail Sendmail Daemons Configuring Sendmail # Configuring Sendmail # Restarting Sendmail services Chapter 5: Chapter 6: Getting Started Opening the IMSS Web Console Viewing the Web Console Using SSL Opening the EUQ Console Performing Basic Configuration with the Setup Wizard Using Network Reputation Services (NRS) Using the SPS Activation Code Configuring NRS Preparing Your MTA Using the NRS Administration Console Troubleshooting, FAQ, and Support Troubleshooting Frequently Asked Questions (FAQ) Postfix MTA Settings IMSS Components IP Profiler EUQ Others Using the Knowledge Base Contacting Support Appendix A: Additional Configuration Notes Performing Additional Tasks...A-2 Index iv

9 Preface Preface Welcome to the Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide. This manual contains information to get InterScan Messaging Security Suite (IMSS) up and running. For detailed information on configuring all features, see the online help, which is attached to the Web console. This preface discusses the following topics: InterScan Messaging Security Suite 7.0 Documentation on page vi Audience on page vi Document Conventions on page vii v

10 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide InterScan Messaging Security Suite 7.0 Documentation The InterScan Messaging Security Suite 7.0 (InterScan MSS) documentation consists of the following: Getting Started Guide Helps you get IMSS up and running. Online Help Helps you configure all features through the user interface. To access the online help, open the Web console and then click the help icon ( ). Readme Files Contain late-breaking product information that might not be found in the other documentation. Topics include a description of features, installation tips, known issues, and product release history. The Getting Started Guide and readme file are available at Audience The InterScan MSS documentation is written for IT managers and administrators in medium and large enterprises. The documentation assumes that the reader has in-depth knowledge of messaging networks, including details related to the following: SMTP and POP3 protocols Message transfer agents (MTAs), such as Postfix LDAP Database management The documentation does not assume the reader has any knowledge of antivirus or anti-spam technology. vi

11 Preface Document Conventions To help you locate and interpret information easily, the IMSS documentation uses the following conventions. CONVENTION ALL CAPITALS Bold Italics Monospace Note: DESCRIPTION Acronyms, abbreviations, and names of certain commands and keys on the keyboard Menus and menu commands, command buttons, tabs, options, and other user interface items References to other documentation Examples, sample command lines, program code, Web URL, file name, and program output Configuration notes Tip: Recommendations WARNING! Reminders on actions or configurations that must be avoided vii

12 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide viii

13 Chapter 1 Introducing InterScan Messaging Security Suite This chapter introduces InterScan Messaging Security Suite (IMSS) features, capabilities, and technology, and provides basic information on other Trend Micro products that will enhance your anti-spam capabilities. Topics include: About IMSS 7.0 on page 1-2 IMSS Main Features on page 1-3 IMSS Main Benefits on page 1-7 About Spyware and Other Types of Grayware on page 1-8 About SPS on page 1-9 About IP Filtering on page 1-9 About End-user Quarantine (EUQ) on page 1-12 About Control Manager on page

14 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide About IMSS 7.0 InterScan Messaging Security Suite (IMSS) 7.0 integrates antivirus, anti-spam, anti-phishing, and content filtering for complete protection. This flexible software solution features award-winning anti-virus and zero-day protection to block known and unknown viruses. Multi-layered anti-spam combines the first level of defense in Network Reputation Services with customizable traffic management through IP Profiler and the blended techniques of a powerful composite engine. Multi-lingual anti-spam provides additional support to global companies. Advanced content filtering helps to achieve regulatory compliance and corporate governance, and provides protection for confidential information. This protection is delivered on a single, highly scalable platform with centralized management for easy, comprehensive security at the gateway. What s New Table Table 1-1provides an overview of what s new in version 7.0. New Feature Centralized policy Centralized logging and reporting Description A single IMSS policy with LDAP support helps you configure filtering settings that apply to specific senders and receivers based on different criteria. A consolidated, detailed report provides top usage statistics and key mail usage data. Centralized logging allows administrators to quickly audit message-related activities. Centralized archive and quarantine management Scalable Web End User Quarantine (Web EUQ) An easy way to search multiple IMSS quarantine and archive areas for messages. Multiple Web EUQ services offer your users the ability to view quarantined messages that were detected as spam. Together with EUQ notification, IMSS will help lower the cost of helpdesk administrative tasks. 1-2

15 Introducing InterScan Messaging Security Suite New Feature Multiple spam prevention technologies Description Three layers of Spam protection: Network Reputation Services filters spam senders at the connection layer. IP Profiler helps protect the mail server from attacks with smart profiles (SMTP IDS). Trend Micro Anti-spam engine accurately detects and remove unwanted mail. Delegated administration Easy deployment with Configuration Wizard Advance MTA functions Migration LDAP-integrated account management, which allows users to assign administrative rights for different configuration tasks. An easy-to-use configuration wizard to get IMSS up and running right out of the box. Opportunistic TLS, domain based delivery, and other MTA functions help IMSS handle efficiently with security. Easy upgrade process ensures settings to be transferred with minimum effort during setup. Mail Auditing and tracking TABLE 1-1. New Features Detailed logging for all messages to track and identify message flow related issues. IMSS Main Features The following describes the main features of IMSS. Antivirus Protection IMSS performs virus detection using Trend Micro s scan engine and a technology called pattern matching. The scan engine compares code in files traveling through your gateway with binary patterns of known viruses that reside in the pattern file. If the scan engine detects a match, it attempts to clean the file by removing the virus code. 1-3

16 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Content Management is an indispensable business tool, which organizations must manage properly to ensure its productive use. IMSS analyzes messages and their attachments, traveling to and from your network, for appropriate content. Content that you deem inappropriate, such as personal communication, large attachments, and so on, can be blocked or deferred effectively using IMSS. Spam Filtering with IP Profiler and Network Reputation Services With the integration of IP Filtering, which includes IP Profiler and Network Reputation Services (NRS), IMSS can block spammers at the IP level. IP Profiler is a self-learning, fully configurable feature that proactively blocks IP addresses of computers that send spam and other types of potential threats. NRS blocks IP addresses of known spam senders that Trend Micro maintains in a central database. IntelliTrap Trend Micro IntelliTrap is a new antivirus feature included in the InterScan MSS antivirus filter. Virus writers often attempt to circumvent virus filtering by using different file compression schemes. IntelliTrap provides heuristic evaluation of compressed files that helps reduce the risk that a virus compressed using these methods will enter your network via . Because there is the possibility that IntelliTrap may incorrectly identify a non-threat file as dangerous, Trend Micro recommends quarantining message attachments that fall into this category when the IntelliTrap feature is enabled. In addition, if your users regularly exchange compressed files, you may want to disable this feature. This feature is turned on by default, and is configured to quarantine message attachments that fall into this category. Protection Against Other Threats IMSS also protects against the following threats to your company s messaging system: 1-4

17 Introducing InterScan Messaging Security Suite Denial of Service (DoS) Attacks By flooding a mail server with large attachments, or sending messages that contain multiple viruses or recursively compressed files, malicious individuals can disrupt mail processing. IMSS allows you to configure the characteristics of messages that you want to stop at the SMTP gateway, thus reducing the chances of a DoS attack. Malicious Content Many types of file attachments, such as executable programs and documents with embedded macros, can harbor viruses. Messages with HTML script files, HTML links, Java applets, or ActiveX controls can also perform harmful actions. IMSS allows you to configure the types of messages that are allowed to pass through the SMTP gateway. Degradation of Services Non-business-related traffic has become a problem in many organizations. Spam messages consume network bandwidth and affect employee productivity. Some employees use company messaging systems to send personal messages, transfer large multimedia files, or conduct personal business during working hours. Most companies have acceptable usage policies for their messaging system IMSS provides tools to enforce and ensure compliance with existing policies. Legal Liability and Business Integrity Improper use of can also put a company at risk of legal liability. Employees may engage in sexual or racial harassment, or other illegal activity. Dishonest employees can use a company messaging system to leak confidential information. Inappropriate messages that originate from a company s mail server damage the company s reputation, even if the opinions expressed in the message are not those of the company. IMSS provides tools for monitoring and blocking content to help reduce the risk that messages containing inappropriate or confidential material will be allowed through your gateway. 1-5

18 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Mass Mailing Virus Containment -borne viruses that may automatically spread bogus messages through a company s messaging system can be expensive to clean up and cause panic among users. For this reason, when IMSS detects a mass-mailing virus, the action taken against this virus can be different from the actions against other types of viruses. For example, if IMSS detects a macro virus in a Microsoft Office document with important information, you can configure the program to quarantine the message instead of deleting the entire message, to ensure that important information will not be lost. However, if IMSS detects a mass-mailing virus, the program can automatically delete the entire message to avoid using server resources to scan, quarantine, or otherwise process messages and files that have no redeeming value. The identities of known mass-mailing viruses are in the Mass Mailing Pattern that is updated using the Trend Labs ActiveUpdate Servers. You can save resources, avoid help desk calls from concerned employees and eliminate post-outbreak cleanup work by choosing to automatically delete these types of viruses and their containers. Clustered Architecture The current version of InterScan MSS has been designed with a distributed deployment. This means that the various components can be installed on different machines, and some components can exist in multiples. For example, if your messaging volume demands, additional IMSS scanner components can be installed on additional servers, all using the same policy services. 1-6

19 Introducing InterScan Messaging Security Suite IMSS Main Benefits InterScan Messaging Security Suite includes the following benefits: Advanced Performance IMSS s enhanced virus/content scanner keeps your messaging system working at top efficiency. LDAP and domain-based policies Using LDAP, you can define multiple rules to enforce your company s usage guidelines. You can define rules for individuals or groups, based on the sender and recipient addresses. Integration with Trend Micro Control Manager Outbreak Prevention Services delivered through Trend Micro Control Manager reduces your risk of outbreaks. When a new -borne virus is detected, Trend Labs issues a policy that uses the advanced content filters in IMSS to block messages by identifying suspicious characteristics in these messages. These rules help minimize the window of opportunity for an infection before the updated pattern file is available. POP3 Scanning In addition to SMTP traffic, IMSS can scan POP3 messages at the gateway as messaging clients in your network retrieve them. Secure Web-based management console Manage IMSS quickly and securely using an SSL-compatible, Web-based management console. Integrated Messaging Content Filtering A new and improved set of filters ensure message security by scanning message content and attachments. Integrated Spam Filtering The detection technology used by Spam Prevention Solution (SPS) is based on sophisticated content processing and statistical analysis. Unlike other approaches to identifying spam, content analysis provides high-performance, real time detection that is highly adaptable, even as spam originators change their techniques. IMSS also provides IP Profiler and Network Reputation Services, which can block spam and other threats at the gateway before they enter your network. Quarantine and Archive Management With the Web-based management console, you can manage messages that IMSS quarantines or archives. Enhanced Server Access Control Connection restrictions prevent unauthorized use of your IMSS servers. System Availability Monitor A built-in agent monitors the health of your IMSS server and delivers notifications through or SNMP trap when a fault condition threatens to disrupt the mail flow. 1-7

20 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Delegated Administration IMSS offers the ability to create different access rights to the Web console. You can choose which sections of the console are accessible for different administrator log in account. About Spyware and Other Types of Grayware Your clients are at risk from potential threats other than viruses. Grayware can negatively affect the performance of the computers on your network and introduce significant security, confidentiality, and legal risks to your organization (see Table 1-2). Types of Grayware Spyware Adware Dialers Joke Program Hacking Tools Remote Access Tools Password Cracking Applications Others Description Gathers data, such as account user names and passwords, and transmits them to third parties. Displays advertisements and gathers data, such as user Web surfing preferences, to target advertisements at the user through a Web browser. Changes computer Internet settings and can force a computer to dial pre-configured phone numbers through a modem. Causes abnormal computer behavior, such as closing and opening the CD-ROM tray and displaying numerous message boxes. Helps hackers enter computers. Helps hackers remotely access and control computers. Helps hackers decipher account user names and passwords. Other types not covered above. TABLE 1-2. Types of Grayware 1-8

21 Introducing InterScan Messaging Security Suite About SPS Spam Prevention Solution (SPS) is a licensed product from Trend Micro that provides spam-detection services to other Trend Micro products. To use SPS, you must pay for and obtain an SPS Activation Code. For more information, refer to your sales representative. SPS Technology SPS uses detection technology based on sophisticated content processing and statistical analysis. Unlike other approaches to identifying spam, content analysis provides high performance, real-time detection that is highly adaptable, even as spammers change their techniques. Using SPS SPS works through a built-in spam filter that automatically becomes active when you register and activate the SPS license. About IP Filtering IMSS includes optional IP Filtering, which consists of two parts: IP Profiler Allows you to configure threshold settings, which it uses to analyze traffic. When traffic from an IP address violates the settings, IP Profiler adds the IP address of the sender to its database and then blocks incoming connections from the IP address. IP profiler detects any of the four potential Internet threats: Spam with unwanted advertising content. Viruses Various virus threats, including Trojan programs. Directory Harvest Attack (DHA) Programs that could add your user s addresses to spam databases. Bounced Mail An attack that uses your mail server to generate messages that have the target s domain in the From field. The messages are sent to fictitious addresses and when they are returned, they flood the target mail server. 1-9

22 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Network Reputation Services (NRS) Blocks from known spam senders at the IP-level. About NRS Trend Micro Network Reputation Services are designed to be used to identify and block spam before it enters a computer network by routing Internet Protocol (IP) addresses of incoming mail connections to Trend Micro Threat Protection Network for verification against an extensive Reputation Database. NRS Services NRS provides two types of services: Real-time Blackhole List (RBL+) Service Blocks spam at its source by validating IP addresses against the industry s most comprehensive and reliable reputation database. Your designated mail server makes a DNS query to the RBL+ database server whenever an incoming mail message is received from an unknown host. If the host is listed in the RBL+ database, IMSS can reject the connection and block spam from the sender. Network Anti-Spam Service a dynamic real-time solution that identifies and stops sources of spam while they are in the process of sending millions of messages. Network Anti-Spam Service is a DNS query-based service like RBL+ Service. At the core of this service is the RBL+ database, along with the QIL database, a dynamic real-time database. These two databases have distinct entries and there is no overlap of the IP addresses, allowing us to maintain a highly efficient and effective database that can quickly respond to zombies, BGP attacks and other highly dynamic sources of spam. How IP Profiler Works IP Profiler proactively learns IP addresses of computers that send containing the potential threats mentioned above. You can customize several criteria that determine when IMSS will start taking a specified action on an IP address. The criteria differ depending on the potential threat, but commonly include a duration during which IMSS monitors the IP address and a threshold. 1-10

23 Introducing InterScan Messaging Security Suite To accomplish this, IP Profiler makes use of several components, the most important of which is Foxproxy a server that communicates relays information about traffic to IMSS. The following process takes place after IMSS receives a connection request from a sending mail server: 1. Foxproxy queries the IP Profiler s DNS server to see if the IP address is on the blocked list. 2. If the IP address is on the blocked list, it denies the connection request. If the IP address is not on the blocked list, IMSS analyzes the traffic according to the threshold criteria you specify for IP Profiler. 3. If the traffic violates the criteria, IMSS adds the sender IP address to the blocked list. How NRS Works Trend Micro Network Reputation Services are Domain Name Service (DNS) query-based services. The following process takes place after IMSS receives a connection request from a sending mail server: 1. IMSS records the IP address of the computer requesting the connection. 2. IMSS forwards the IP address to the Trend Micro NRS DNS servers and queries the Reputation Database. If the IP address had already been reported as a source of spam, a record of the address will already exist in the database at the time of the query. 3. If a record exists, NRS instructs IMSS to permanently or temporarily block the connection request. The decision to block the request depends on the type of spam source, its history, current activity level, and other observed parameters. Figure 1-1.illustrates how NRS works. 1-11

24 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide s NRS reputation database Trend Micro Network Clients Incoming Spammers blocked at the IP (layer 3) level IMSS Quarantined (depends on your settings) FIGURE 1-1. How NRS works For more information on the operation of Trend Micro Network Reputation Services, visit About End-user Quarantine (EUQ) IMSS provides Web-based EUQ to improve spam management. The Web-based EUQ service allows end users to manage their own spam quarantine. Messages that are determined to be spam by Spam Prevention Solution (SPS), licensed separately from IMSS, are placed into quarantine. These messages are indexed into a database by the EUQ agent and are then available for end users to review and delete or approve for delivery. 1-12

25 Introducing InterScan Messaging Security Suite About Centralized Reporting To help you analyze how IMSS is performing, use the centralized reporting feature. You can configure one time (on demand) reports, or automatically generate reports (daily, weekly, and monthly). About Control Manager Trend Micro Control Manager (TMCM) is a software management solution that gives you the ability to control antivirus and content security programs from a central location regardless of the program s physical location or platform. This application can simplify the administration of a corporate virus and content security policy. Control Manager consists of the following components: Control Manager server The Control Manager server is the machine upon which the Control Manager application is installed. The Web-based Control Manager management console is generated on this server. Agent The agent is an application installed on a product-server that allows Control Manager to manage the product. It receives commands from the Control Manager server, and then applies them to the managed product. It also collects logs from the product, and sends them to Control Manager. Note: You do not need to install the agent separately. It automatically installs when you install IMSS. 1-13

26 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Entity An entity is a representation of a managed product on the Product Directory link. You see these icons in the directory tree of the Entity section. The directory tree is a composition of all managed entities, residing on the Control Manager console. IMSS can be an entity on the TMCM management console. When you install a scanner, the Control Manager agent is also installed automatically. After the agent is enabled, each scanner will register to the TMCM server and appear as separate entities. Note: The latest version of Control Manager server version 3.5 is required for use with IMSS. For more information on the latest version and the most recent patches and updates, see the Trend Micro Update Center:

27 System Requirements and Component Descriptions Chapter 2 This chapter explains what requirements are necessary to manage IMSS and explains the various software components it needs to function. Topics include: System Requirements on page 2-2 Ports Used by IMSS on page

28 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide System Requirements The following table provides recommended and minimum system requirements for running IMSS. Operating System Red Hat Enterprise Linux AS 3 Update 6 Red Hat Enterprise Linux AS 4 Update 2 SUSE Linux Enterprise Server 8 SUSE Linux Enterprise Server 9 SP3 Recommended CPU Minimum CPU Recommended Memory Minimum Memory Recommended Disk Space Minimum Disk Space Recommended Swap Space Minimum Swap Space Browser PostgreSQL Intel Dual Pentium IV 3GHz or above Intel Pentium IV 2.4GHz 2GB RAM 1GB RAM 2GB disk space for mail storage 1GB disk space for mail storage 4GB swap space 2GB swap space Internet Explorer 6 SP1 Firefox 1.5 Version or above LDAP server Microsoft Active Directory 2000 or 2003 IBM Lotus Domino 6.0 or above Sun One LDAP MTA Linux Libraries (for all platforms) Postfix for IMSS only: 2.1 or above Sendmail: 8.2 or above Qmail: or above glibc libstdc++-libc6.2-2.so.3 Note: To correctly display error messages, you must install and enable Java for your Web browser. This requirement applies to both the Internet Explorer and Mozilla Firefox. 2-2

29 System Requirements and Component Descriptions Ports Used by IMSS See Table 2-1 for the ports the IMSS uses. Items with an asterisk (*) are configurable from the IMSS Web console. Port Number Component and Role Configuration Store 25 * Postfix SMTP Daemon accepting external connections 110 * Scanning Daemon POP3 endpoint master.cf imss.ini / [Socket_2]/ proxy_port 5060 * Policy Service 8005 Web Console Tomcat shutdown port 8009 EUQ Server Console Tomcat AJP (load balance) port 8015 EUQ Server Console Tomcat shutdown port 8445 Administration Console Tomcat listen port 8446 EUQ Server Console Tomcat listen port {IMSS}/UI/adminUI/conf/server.xml : Server / port {IMSS}/UI/euqUI/conf/server.xml: Server / Service / Connector (protocol=ajp/1.3) / port {IMSS}/UI/euqUI/conf/server.xml: Server/port Tomcat listen port: {IMSS}/UI/adminUI/conf/server.xml : Server / Service / Connector / port {IMSS}/UI/euqUI/conf/server.xml: Server / Service / Connector / port 8447 Primary EUQ Server Apache Web Server listen port Scanning Daemon SMTP reprocess endpoint Scanning Daemon SMTP endpoint Postfix SMTP Daemon accepting connections from the Scanning Daemon imss.ini / [Socket_3]/ proxy_port imss.ini / [Socket_1]/ proxy_port master.cf 2-3

30 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Port Number Component and Role Configuration Store * IMSS manager port IMSS uses following ports when you enable related service: 389 LDAP server listening port 5432 PostgreSQL server port 80 TMCM server HTTP port 443 TMCM server HTTP port 88 KDC port for Kerberos realm Not configurable on the IMSS server. You cannot change this port. Not configurable on the IMSS server. Not configurable on the IMSS server. Not configurable on the IMSS server. 53 Bind port Not configurable on the IMSS server. * Items with an asterisk are configurable from the IMSS Web console. TABLE 2-1. Ports used by IMSS 2-4

31 Planning for Deployment Chapter 3 This chapter explains how to plan for IMSS deployment. Topics include: About IMSS Components on page 3-2 About IMSS Components on page 3-2 Understanding Installation Scenarios on page 3-7 Failover on page 3-23 Considering Network Topology on page 3-24 About Operating Models on page 3-29 IP Filtering and Web End-user Quarantine (EUQ) on page

32 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide About IMSS Components The new architecture of IMSS separates the product into distinct components that each perform a particular task in message processing. The following section provides an overview of each component. Components can be installed on a single computer or over multiple computers. For graphical representations of how these components work together, see Understanding Installation Scenarios on page 3-7. The IMSS Admin Database All global configuration information is stored in the IMSS admin database. The database contains server settings, policy information, log information, and other data that is shared between components. When installing IMSS, you must install the database server and run the appropriate queries to create the database tables before you install any other component. You can install a new database or use existing Postgre databases. The EUQ Database Quarantined spam information, and the end-user approved sender list are stored in the EUQ database. If you install EUQ, you must also install the EUQ database (or multiple databases for scalability). You can also use an existing Postgre database as an EUQ database. Central Controller The central controller contains a working Web server component that serves Web console interface screens to browsers, allowing administrators to configure and control the IMSS through the IMSS console. The console provides an interface between the administrator and the IMSS database that the various components use to perform scanning, logging, and other message processing tasks. 3-2

33 Planning for Deployment Policy Services To enhance performance and ensure that rule look-ups are efficient, IMSS uses a policy service to store the messaging rules using an in-memory cache. The policy service acts as a remote store of rules for the scanner services, caching rules that would otherwise require a database look-up (with associated network and disk I/O overhead). This mechanism also increases scanner service efficiency, allowing most message scanning tasks to occur in scanner service memory without the need for disk activity. Policy Synchronization The IMSS admin database schema includes a versioning mechanism. The policy service checks the database version periodically. If the version number in the database is different from the version cached on the policy service, the policy service performs a database query and retrieves the latest version. This keeps the cached version of the database synchronized with the database, without the need to check the entire database for new or changed entries. When you make changes through the IMSS Web console, the changes are pushed to the policy service immediately. Scanner Services Servers configured as scanner services accept SMTP and POP3 messaging traffic, request policy from a policy service, evaluate the message based on the applicable policies, and take the appropriate action on the message based on the evaluation outcome. Scanner services store quarantined and archived messages locally. Each scanner service also logs policy and system activity locally, and automatically updates the log portion of the IMSS database at scheduled intervals, providing indexing to allow users to search through quarantined items and logs. Because scanner service settings are applied globally, to all scanner services in your IMSS installation, choose servers that have the same hardware configuration to serve as scanner services. If your environment does not have machines with identical hardware configurations, you will need to set the scanner service limits so that they provide protection to the scanner service with the lowest resources. For instance, if you have two scanner services, one with a 10GB hard drive and another with an 3-3

34 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide 80GB hard drive, you will need to set the maximum disk usage to 9GB to protect the machine with the least resources. Alternatively, you can edit the scanner service s local configuration file to set the limit locally, as limits set in the configuration file override the global settings. Once you configure a scanner service locally, you can no longer configure it through the IMSS console, and the interface may not reflect all the details of the local configuration. Note: Use care when modifying an.ini file for customization. Contact your support provider if necessary. End-User Quarantine (EUQ) Service The primary EUQ Service hosts a Web-based console similar to the IMSS Web console so your users can view, delete, or resend spam that was addressed to them. Primary and Secondary EUQ Services To assist with load balancing, you can install additional EUQ services, referred to as secondary services. The first EUQ service you install, referred to as the primary service, runs Apache to work with the secondary services. 3-4

35 Planning for Deployment Component and Sub-module Installation When you install an IMSS component, additional sub-modules are also installed automatically. Table 3-1 lists each component sub-module. Main Component IMSS Admin Database Central Controller Installed Sub-module Administrator Database Database Server* Apache Tomcat Named Server FoxDNS IMSSMGR Sub-module Description The main IMSS admin database where all global settings are saved. The server on which the IMSS admin database runs. The Web server for the IMSS Web console, through which you configure settings. The DNS server for IP Profiler. Contains the list of blocked IP addresses for IP Profiler and writes the list to the named server. A module to manage IMSS-related processes. Scanner Service Scanning Services Performs all -scanning actions. Policy Services TMCM Agent IMSSMGR A remote store of rules for the scanner services, caching rules that would otherwise require a database look-up The software component required for Control Manager to manage IMSS. A module to manage scanner processes. EUQ Service Apache Tomcat The Web server for the EUQ Web console, though which your users can access the messages that IMSS quarantined as spam. Apache Service IMSSMGR A module that is installed with the primary EUQ services for load balancing purposes when you choose to install multiple EUQ services. A module to manage EUQ processes. EUQ Database EUQ Database The database that contains all messages that IMSS quarantined as spam. Database Server* The server on which the EUQ database runs. 3-5

36 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Main Component Installed Sub-module Sub-module Description IP Profiler Fox Proxy An IP Filtering module that checks the blocked list on FoxDNS to see if an request should be rejected or approved. Foxlib An IP filtering module that retrieves the IP address of the computer making a connection request and passes the IP address to Postfix. NRS Maillog Parser A module to parse NRS-related mail logs. * Sub-components that you can choose to install when you install the main component TABLE 3-1. Component and sub-module installation 3-6

37 Planning for Deployment Understanding Installation Scenarios IMSS provides tools for installing either a single instance of each component on a single server (single-server installation) or installing the IMSS components on multiple servers (distributed deployment installation). Use the following information as a guide to choose a scenario. Single-server Installation For a single-server installation, you will need to have a server that meets the single-server installation requirements. For this scenario, you will be installing all of the IMSS components on a single server: the IMSS admin database, central controller, policy service, the scanner service component, EUQ service and EUQ database. The single-server installation of IMSS can handle average messaging traffic for approximately 1,000 users. If you install IMSS as a single-server installation and need to add capacity later, you can easily add additional scanner services, creating a multiple scanner service installation, as described below. For details, see Installing IMSS on a Single Server on page Multiple Scanner Service Installation For some larger organizations, a single server cannot provide sufficient message throughput. In these cases, you can install all the IMSS components on one server, and then install the scanner service component on additional servers. The scanner services share access to the database and Policy Service installed on the first server. This installation scenario provides a high level of message throughput. You can also choose to install the end-user console to enable end-user quarantine (EUQ) management of spam quarantined items. For details, see Installing Multiple Scanner Services and Policy Services on page Multiple EUQ Service Installation You can improve access to quarantined spam by installing several EUQ services. 3-7

38 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide For details, see Installing Multiple Scanner Services and Policy Services on page Complex Distributed Installation For very large organizations, a distributed deployment installation is the best solution. You will need to have servers that meet the component installation requirements. In this scenario, you will be installing IMSS and EUQ components on different servers. You can install the database on one server, the central controller on another, and then install both a policy service and scanner service on additional servers. You can also choose to install multiple instances of the end-user console to enable EUQ management of spam quarantined items. Likewise, you can install multiple EUQ databases to enhance EUQ performance. For details, see Installing with a Complex Architecture on page WAN Installation If you have multiple sites over a wide area network, you can install components in a distributed scenario, but with each site having at least one Central Controller component and one IMSS admin database component. For details, see Installing over a WAN on page About Failover Table 3-2 shows what happens when certain IMSS components fail, and how you can plan for failover to keep your IMSS protection up and running. For more information about failover in a WAN deployment scenario, see Fault Tolerance and Failover in a WAN Scenario on page

39 Planning for Deployment Failed Component Scanner service is not running or becomes disconnected Expected Result 1. IMSS tries to restart the scanner service 2. IMSS sends an event notification if the service cannot be started within the time you specify for notifications. 3. All traffic to that scanner is stopped. Policy service is not running or a communication problem occurs with the IMSS server Policy service rule set is corrupt IMSS admin database is not running IMSS admin database rule set is corrupt EUQ service database is not running LDAP server is not running 1. Scanner services using the stopped policy service switch to an active policy service (if available). 2. IMSS tries to restart the policy service. 3. IMSS sends an event notification if the service cannot be started or reconnected within the time you specify for notifications. An internal error has occurred. 1. The IMSS server will continue to operate. 2. IMSS sends an event notification if the service cannot be started within the time you specify for notifications. An internal error has occurred. 1. An error message appears on the EUQ Web console. 2. IMSS sends an event notification if the service cannot be started within the time you specify for notifications. 1. An error message appears on the EUQ Web console. 2. Foxhunter will not use the LDAP settings. 3. If LDAP is enabled, IMSS will continue to run normally. and send an event notification if the service cannot be started within the time you specify for notifications. LDAP query response to a policy service is corrupt An internal error has occurred. TABLE 3-2. Failover Scenarios 3-9

40 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Installing IMSS on a Single Server You can install all the IMSS components on a single server, including: Central Controller IMSS Admin Database Policy Service Scanner Service Primary EUQ Service and EUQ Database Figure 3-1 shows how a single-server installation of IMSS fits into a standard messaging network topology. 3-10

41 Planning for Deployment Internet IP Filtering Components Edge MTA Central Controller IMSS Admin DB Policy Service Scanner Service Primary EUQ Service EUQ Database Mail Server HTTP Access to EUQ Clients FIGURE 3-1 Single server deployment 3-11

42 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Performing a Single-server Installation To perform a single-server installation: 1. Install IMSS and End-user Quarantine (see Installing IMSS Components and End-User Quarantine on page 4-4). 2. On the edge MTA server, install all IP Filtering components (see Installing IP Filtering Components on page 4-7). 3-12

43 Planning for Deployment Installing Multiple Scanner Services and Policy Services To handle a large amount of messaging traffic, you can install multiple IMSS scanner services. You can install one scanner service on your first server and then choose to append the installation to install another scanner on a second server. To increase performance, add additional scanner services or policy service/scanner service pairs to your installation later. Figure 3-2 shows how a single-server installation of IMSS with three additional scanner services fits into standard messaging network topology. A layer 4 switch must be located between the MTA and the scanner services. Note: A single IMSS central controller and database can manage up to eight (8) EUQ services/databases. 3-13

44 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Internet IP Filtering Components Edge MTA Layer 4 Switch Policy Service Scanner Service Policy Service Scanner Service Primary EUQ Service EUQ Database Central Controller IMSS Admin DB Mail Server HTTP Access to EUQ Clients FIGURE 3-2 Multiple scanner service and policy service deployment Performing a Multiple Scanner Service Installation To perform a multiple scanner service installation: 1. On one computer, install IMSS and End-user Quarantine (see Installing IMSS Components and End-User Quarantine on page 4-4). 3-14

45 Planning for Deployment 2. On other computers, install the necessary scanner service and policy services. Note that the policy service should always be installed on the same machine with scanner service. You can choose to start-up any policy service as needed. 3. On the edge MTA server, install all IP Filtering components (see Installing IP Filtering Components on page 4-7). 4. After you open the IMSS Web console and perform initial configuration (see Getting Started on page 5-1), go to the System Summary screen. 5. For the scanner or policy services you want to enable, click Start. 3-15

46 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Installing Multiple EUQ Services If your organization is receiving large amounts of spam and you want to give your users access to the spam, install multiple secondary EUQ services. Figure 3-3 shows how a single-server installation of IMSS with a separate primary EUQ service and additional secondary EUQ services (with Apache services for load balancing) and distributed EUQ databases fit into a standard messaging network topology. Internet IP Filtering Components Secondary EUQ Service Apache Service Edge MTA EUQ Database Secondary EUQ Service Primary EUQ Service EUQ Database Central Controller IMSS Admin DB Policy Service Scanner Service Apache Service Mail Server Secondary EUQ Service HTTP Access to EUQ Clients FIGURE 3-3 Multiple EUQ service deployment 3-16

47 Planning for Deployment Performing a Multiple EUQ Service Installation To perform a multiple EUQ service installation: 1. On one computer, install IMSS (see Installing IMSS Components and End-User Quarantine on page 4-4). 2. On another computer, install a single instance of the EUQ service. This will be the primary EUQ service (see Installing IMSS Components and End-User Quarantine on page 4-4). 3. On other computers that can communicate with the primary EUQ service, install additional EUQ services. For load balancing, the apache service is installed with the primary EUQ service. You must install at least one EUQ database for EUQ services. You can also install additional EUQ databases for better performance and install the EUQ database on the same computer where EUQ services will run, or on different computers. 4. On the edge MTA server, install all IP Filtering components (see Installing IP Filtering Components on page 4-7). 5. After you open the IMSS Web console and perform initial configuration (see Getting Started on page 5-1), go to the System Summary screen. 6. For the EUQ services you want to enable, click Start. 3-17

48 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Installing with a Complex Architecture If your environment requires high-throughput, you can install each IMSS component on a separate computer and deploy multiple scanner services, EUQ services, and databases. Note: Do not confuse EUQ databases with the IMSS admin database. You can install multiple EUQ databases, but only one IMSS admin database for each IMSS central controller and database. Note: A centralized IMSS deployment can manage up to eight (8) EUQ services/databases. Figure 3-4 shows how a centralized installation of IMSS with multiple scanner services, policy services, and EUQ services (with apache services for load balancing) fits in a standard messaging network topology. Note that the policy service should always be installed on the same machine with scanner service. You can choose to start-up any policy service as needed. 3-18

49 Planning for Deployment Internet IP Filtering Components Edge MTA Layer 4 Switch Central Controller IMSS Admin DB Mail Server Scanner Services Policy Services Apache Service Primary EUQ Service & Database Clients Apache Service Secondary EUQ Services HTTP Access to EUQ FIGURE 3-4 Complex architecture deployment 3-19

50 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Installing over a WAN If you have multiple sites over a WAN, you can deploy the IMSS components in a wide variety of ways. However, to ensure proper communications between components, Trend Micro recommends that each site have at least one Central Controller component and one IMSS admin database component. Trend Micro Control Manager To more easily manage all IMSS servers (with a central controller and database installed), Trend Micro recommends installing a Trend Micro Control Manager (TMCM) server. This scenario includes two TMCM servers, which manage all sites and communicate with each other to replicate database information. Figure 3-5 shows a multi-site WAN deployment. 3-20

51 Planning for Deployment Site 1 Policy Service Site 3 Scanner Service Policy Service Scanner Service Policy Service Policy Service Database Central Controller TMCM Central Controller Scanner Policy Service Service Scanner Policy Service Service Database Scanner Service Policy Service Scanner Service Database Central Controller Site 2 Internet TMCM Central Controller Scanner Service Policy Service Database Site 4 Scanner Service Policy Service Policy Service FIGURE 3-5 WAN deployment The following describes how each site differs in this scenario: Site 1 A Central Controller, IMSS admin database, and policy service + two IMSS scanner services with policy services enabled. Note that the TMCM agent is installed on computer with the Central Controller and is managed by a TMCM server at site 3 (for fault tolerance). Site 2 A Central Controller, IMSS admin database, and policy service + two IMSS scanner services with policy services enabled (for fault tolerance). Note that the TMCM agent is installed on computer with the Central Controller and is managed by a TMCM server at site 4. This allows the TMCM server to replicate IMSS admin database settings between sites 2 and

52 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Site 3 A Central Controller + IMSS admin database + a single policy service only + two IMSS scanner services with policy services enabled (for fault tolerance). Note that the TMCM agent is installed on computer with the Central Controller and is managed by a TMCM server at the same site. Site 4 A Central Controller and IMSS admin database + one IMSS scanner services with policy services enabled. Note that the TMCM agent is installed on computer with the Central Controller and is managed by a TMCM server at the same site. Note: The TMCM servers at sites 3 and 4 cannot replicate IMSS admin database information between them. If you want to keep two or more IMSS admin databases synchronized, they must be linked to the same TMCM server. Fault Tolerance and Failover in a WAN Scenario Three out of the four sites in this scenario use multiple scanner services with policy services installed. Policy services can access cached IMSS settings from the IMSS admin database. Any scanner service that goes down can use another active policy service. Therefore, if one policy service is stopped or if communication between the central database is interrupted, both scanner services will remain operational and continue processing mail by using the active policy service that has a connection to the IMSS server. See Figure 3-6. Each site has its own Central Controller and database server, all of which are reporting back to two TMCM servers. A TMCM server can replicate IMSS admin databases that directly report to it. If one of the IMSS admin databases become corrupt or unoperational, you can use the replica for restoration. Note that TMCM servers cannot replicate IMSS admin database information between them. For more information on failover, see About Failover on page

53 Planning for Deployment Scanner Service Central Controller Policy Service Database Service down Broken Link Scanner Service Policy Service FIGURE 3-6 Failover 3-23

54 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Considering Network Topology This section illustrates different ways to deploy IMSS based on the location of firewalls on your network. Installing without a Firewall Figure 3-7 illustrates how to deploy IMSS and Postfix when your network does not have a firewall: Mail Servers Internet IMSS Server FIGURE 3-7 Installation topology: no firewall 3-24

55 Planning for Deployment Installing in Front of a Firewall Figure 3-8 illustrates the installation topology when you install IMSS in front of your firewall: Internet Mail Server IMSS Server Firewall FIGURE 3-8 Installation topology: in front of the firewall Incoming traffic Postfix should receive incoming messages first, then transfer them to IMSS. Configure IMSS to reference your SMTP server(s) or configure the firewall to permit incoming traffic from the IMSS server. Configure the Relay Control settings to only allow relay for local domains. Outgoing traffic If there is no firewall, configure SMTP servers to route all outgoing to Postfix and out to the Internet. If there is a firewall, configure the firewall (proxy-based) to route all outbound messages to IMSS, so that: Outgoing SMTP goes to Postfix first and then InterScan MSS. Incoming SMTP can only come from Postfix to InterScan MSS. Configure IMSS to allow internal SMTP gateways to relay, through Postfix, to any domain. 3-25

56 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Installing Behind a Firewall Figure 3-9 illustrates how to deploy IMSS and Postfix behind your firewall: Internet Mail Server IMSS Server Firewall FIGURE 3-9 Installation scenario: behind a firewall Incoming Traffic Configure your proxy-based firewall, so: Outgoing SMTP goes to Postfix first and then to IMSS. Incoming SMTP goes first to Postfix, then to IMSS, and then to the SMTP servers in the domain. Configure your packet-based firewall. Configure IMSS to route destined to your local domain(s) to the SMTP gateway or your internal mail server. Configure relay restriction to only allow relay for local domain(s). Outgoing Traffic Configure all internal SMTP gateways to send outgoing mail to Postfix and then to IMSS. If you are replacing your SMTP gateway with IMSS, configure your internal mail server to send outgoing through Postfix and then to IMSS. Configure Postfix and IMSS to route all outgoing (to domains other than local), to the firewall or deliver the messages. Configure IMSS to allow internal SMTP gateways to relay to any domain using IMSS. 3-26

57 Planning for Deployment Installing on a former SMTP gateway You can also install IMSS and Postfix on the same server that formerly hosted your SMTP gateway. On the SMTP gateway: Allocate a new TCP/IP port to route SMTP mail to IMSS. It must be a port not in use by any other service. Configure IMSS to bind to the newly allocated port, which frees port 25. Note that the existing SMTP gateway binds to port 25. Incoming traffic Configure IMSS to route incoming to the SMTP gateway and the newly allocated port. Outgoing traffic Configure the SMTP gateway to route outgoing to the IMSS server port 25. Configure Postfix and IMSS to route all outgoing (those messages destined to domains that are not local) to the firewall or deliver them. 3-27

58 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide In the DMZ You can also install IMSS and Postfix in the DMZ: Incoming traffic Configure your proxy-based firewall, so that incoming and outgoing SMTP can only go from the DMZ to the internal servers. Configure your packet-based firewall. Configure Postfix and IMSS to route destined to your local domain(s) to the SMTP gateway or your internal mail server. Outgoing traffic Configure Postfix to route all outgoing (destined to other than the local domains) to the firewall or deliver using IMSS. Configure all internal SMTP gateways to forward outgoing mail to Postfix and then to IMSS. Configure IMSS to allow internal SMTP gateways to relay, through Postfix and IMSS, to any domain. 3-28

59 Planning for Deployment About Operating Models You can deploy IMSS in different ways with relation to how the IMSS server interacts with your existing MTAs and mail servers. There are three operating models: Standalone model IMSS is deployed on the same computer as an MTA, such as Postfix. Sandwich model IMSS is deployed between an upstream MTA and a downstream MTA. Proxy model IMSS is deployed between an upstream mail server and a downstream mail server. Note that this model does not support the use of IP Filtering features (IP Profiler and NRS). The Standalone Model In the standalone model, a computer hosts one Postfix instance acting as the MTA and one IMSS daemon: Delivering Receiving on port 25 POSTFIX Content_filter Interface Port Port IMSS for Unix Daemon FIGURE 3-10 Standalone model This setup meets most of the needs of a small to medium-sized company and has low impact on the network since all the processes are running on the same server. Since they are sharing the same resources, however, this configuration requires a powerful server to host Postfix and the IMSS daemon. The default configuration parameters for both sides are: 3-29

60 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide In /etc/postfix/main.cf: #IMSS:increase process limit from 50 default_process_limit=200 #IMSS:timeout parameters imss_timeout=10m imss_connect_timeout=1s #IMSS:content filter interface thru transport imss content_filter=imss:localhost:10025 imss_destination_recipient_limit=200 imss_destination_concurrency_limit=20 In /etc/postfix/master.cf: #IMSS:content filter smtp transport imss for IMSS imss unix - - n - - smtp disable_dns_lookups=yes smtp_connect_timeout=$imss_connect_timeout smtp_data_done_timeout=$imss_timeout #IMSS:content filter loop back smtpd localhost:10026 inet n - n - 20 smtpd content_filter= smtpd_timeout=$imss_timeout local_recipient_maps= myhostname=localhost.$mydomain smtpd_client_restrictions= 3-30

61 Planning for Deployment The Sandwich Model In this configuration, one server hosts a Postfix instance as an upstream MTA for receiving and a second server hosts a Postfix instance as the downstream MTA for delivering. A third server hosts the IMSS daemon, which sits between the two Postfix servers as a scanning proxy. Receiving on Port 25 Upstream MTA (Postfix 1) Server #1 for receiving Port or any other port IMSS for Unix daemon Server #2 for content scanning Port or any other port Downstream MTA (Postfix 2) Delivering Server #3 for delivering FIGURE Sandwich model This configuration is suitable for large corporations with heavy SMTP traffic. Each server has its own specific purpose and task and will not affect other servers. But, by using this type of setup, your network load will increase. 3-31

62 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide This configuration is highly flexible; you can replace Postfix with any SMTP MTA. But you are responsible for setting up connection control and domain relaying. Here are the configuration settings if you use Postfix as the MTA: In /etc/postfix/main.cf on server#1, add the following to relay mail to server #2: relayhost=smtp:[ip_of_server2]:10025 default_destination_recipient_limit=100 default_destination_concurrency_limit=50 In /opt/trend/imss/config/imss.ini, open connection restrictions and point the downstream server IP to server#3: imss socket binding address [socket] proxy_smtp_server_ip=all [smtp] smtp_allow_client_ip= , ip_of_server1 downstream_smtp_server_addr=ip_of_server3 In /etc/postfix/master.cf on server #3, modify smtpd settings to receive mail on port 10026: inet n - n - - smtpd 3-32

63 Planning for Deployment The Proxy Model In this model, the IMSS is located between an upstream and downstream mail server, with MTAs located in other places on the network. Receiving Upstream mail server Port 25 IMSS for Unix daemon Port or any other port Downstream mail server FIGURE Proxy model Delivering The greatest advantage of this model is better performance and faster throughput. However, with this model, you cannot use IP Profiler or NRS, which require that incoming IP addresses are not modified before they reach IMSS. 3-33

64 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide IP Filtering and Web End-user Quarantine (EUQ) If you will be deploying the IP Filtering (IP Profiler or NRS) or Web End-user Quarantine, there are some additional network topology considerations you must address. Deploying IMSS with IP Filtering (IP Profiler and NRS) IP Filtering (IP Profiler and NRS) both block connections at the IP level. IP Profiler uses your customized settings for messages that signify a different types of attacks. NRS uses information from the Trend Micro Threat Reputation Network to determine if the computer initiating an SMTP connection is a known sender of spam. Note: No address modification can occur between the edge of your network and the connection to IMSS. This means that any firewall between IMSS and the edge of your network must be of a type that does not modify the connecting IP address, or must be configured not to do so. If IMSS always accepts SMTP connections from a router, for instance, the IP filter will not work, as this address would be the same for every received message and the IP filtering software would be unable to determine if the original initiator of the SMTP session was a known sender of spam. Deploying IMSS with Web-based EUQ The Trend Micro Web-based EUQ service allows users access to messages which IMSS quarantined as spam. It is possible to deploy Web-based EUQ on the same server as InterScan MSS, or on a separate server. For the end users in your organization to be able to access the Web-based quarantine, they must have HTTP access to the server. In addition, server hosting the EUQ components must be able to connect to the EUQ database that IMSS uses to store information about quarantined items. 3-34

65 Planning for Deployment This means that any firewall between EUQ and end-user computers on your network must be of a type that does not prevent HTTP connections from internal addresses, or must be configured to allow such traffic. You can also install Web-based quarantine and the database on a separate server from IMSS. In this case, you must configure any firewall between IMSS and the other server to allow database connections between them. Communication Between Servers If you have an internal firewall, it must be configured to allow communication between IMSS, the EUQ service, and the database. For instance, if you install the EUQ service on one system, and the database on another, you must configure any firewall between the two systems to allow communication on port 5432, which is the port that they use for database connectivity. 3-35

66 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide 3-36

67 Installing IMSS Chapter 4 This chapter explains how to configure basic IMSS settings. Topics include: Installing InterScan Messaging Security Suite on page 4-2 Installing IMSS Components and End-User Quarantine on page 4-4 Installing IP Filtering Components on page 4-7 Upgrading from Previous Versions on page

68 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Installing InterScan Messaging Security Suite This section explains how to install IMSS. Preparing Postfix If you will install IMSS on the same computer that has a Postfix installation, configure Postfix as listed in this section. WARNING! Trend Micro strongly recommends that you install and use the Postfix distributed with your distribution of Linux. See for details. Insert or modify the following settings to /ect/postfix/main.cf mydomain = your.domain.name myhostname = your.hostname.domainname mydestination = $myhostname, localhost.$mydomain, $mydomain default_process_limit=200 imss_timeout=10m imss_connect_timeout=1s content_filter = imss:localhost:10025 imss_destination_recipient_limit=200 imss_destination_concurrency_limit=20 Insert the following settings to /ect/postfix/master.cf #IMSS: content filter smtp transport imss for IMSS imss unix n smtp o disable_dns_lookups=yes o smtp_connect_timeout=$imss_connect_timeout -o smtp_data_done_timeout=$imss_timeout 4-2

69 Installing IMSS #IMSS: content filter loop back smtpd localhost:10026 inet n n 20 smtpd o content_filter= o smtpd_timeout=$imss_timeout o local_recipient_maps= o myhostname=postfix.imss70 o smtpd_client_restrictions= 4-3

70 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Installing IMSS Components and End-User Quarantine The following is a list of the key steps you need to perform to install IMSS and End-User Quarantine. Note: The installer does not install an MTA during IMSS server installation. You should already have your MTAs installed and operational. If Postfix is installed on the same computer on which you will install IMSS, verify that the Postfix settings are correct (see Preparing Postfix on page 4-2). 1. Log in as a superuser and go the installation package directory. 2. Type./isinst.sh. The Main Menu displays showing the status of each component. If you are installing IMSS for the first time, [Not Installed] appears. 3. Enter 1 to begin installation. 4. Read and accept the license agreement. 5. Decide whether to install a new database server or append the installation to an existing installation. To append a scanner service or EUQ installation to an existing IMSS server, you will need the database information for those components. 6. Do one of the following: If you chose to append the installation, enter the database information. If you selected to install a new IMSS server, decide whether to install a new database server or use an existing database server, and then enter that database server s information. The Install Components Menu screen appears showing the status of the InterScan components. [YES] appears next to the component that the installer will install. By default, the Central Controller and a Scanner Service will be installed. These two components are necessary to use IMSS. 7. To modify the selection of the components to install, enter the corresponding number for the component and enter yes (Y y) or no (N n) to the install question. You can also modify the install directory. The default is opt/trend. If you want to install the EUQ service, you must install a primary service. Secondary services provide load-balance assistance to the primary service. 4-4

71 Installing IMSS If you want to install the EUQ database, you can install a new database service or use an existing database service, and then enter that database service s information. 8. Enter 6 to continue. The installer checks the available free disk space, memory, and swap space on the computer and gives you an opportunity to cancel the installation if your computer does not meet the minimum requirements. If you continue the installation, required settings for your Postfix server appear. For a summary of these settings, see Preparing Postfix on page Press Enter to continue. The installer provides a note on whether the DNS server on your computer is active. To use IP Profiler, which you can install later, the DNS server must be active and running properly. For instructions on how to install IP Profiler, see Installing IP Filtering Components on page Press Enter to begin installing the components you selected. Uninstalling IMSS Components You can uninstall the Central Controller, Scanner services, and EUQ components separately or concurrently. 1. Log in as a superuser and go the installation package directory. 2. Type./isinst.sh. The Main Menu shows the status of the components. If you already installed these products, [Installed] appears. 3. Enter 2. The uninstallation menu appears showing which components will be removed. By default, the uninstallation status for each component is set to [NO], signifying that they will not be removed. If a component was not installed, [Not installed] appears. 4. To remove the components, enter the number that corresponds to the component, and then enter Y/y to change the uninstall status to [YES] on the uninstallation menu. 5. After you have changed the uninstallation status to [YES] for the components that you want to uninstall, enter The components uninstall. 4-5

72 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Verifying the Installation After the installation is complete, to see a list of the daemons, type the following at the command prompt: # ps -ef grep imss Telnet to port 25 to ensure that IMSS/Postfix answers. 4-6

73 Installing IMSS Installing IP Filtering Components Trend Micro IP Filtering consists of two components: IP Profiler Take action on messages when IMSS detects spam, virus threats, DHA, or bounced mail attacks. Network Reputation Services (NRS) Blocks known spammers at the network (IP) level. Installing Network Reputation Services and IP Profiler The Trend Micro Network Reputation Service runs on a modified Postfix installation. The NRS installation script modifies the Postfix configuration files and installs a log parser to allow IP filter reporting. During installation, you will also be asked for an NRS Activation Code and for information about your IMSS Admin Database. You should install the database before installing Network Reputation Services and IP Profiler. The server on which you install NRS must already have an instance of Postfix installed. It must also be able to connect to the IMSS Admin Database and the server that is processing your messaging (most likely the IMSS server). Trend Micro recommends running NRS and IP Profiler on a gateway/edge server. Note: You must activate NRS during installation, you cannot activate it later from the Web console. Note: If you are issued an activation code for Trend Micro Spam Prevention Solution (SPS), you can activate Network Reputation Service (RBL+) using the same SPS activation code. To install IP Profiler and NRS: 1. Log in as a superuser and go the installation package directory. 2. Type./ipfilterinst.sh. The Main Menu displays showing the status of IP Profiler and NRS. If you are installing these products for the first time, [Not Installed] appears. 3. Enter 1 to begin installation. 4-7

74 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide 4. Read and accept the license agreement. The Installation List screen appears showing the status of the two IMSS components. [YES] appears next to the component that the installer will install. By default, IP Profiler and NRS will not be installed. 5. Choose to install IP Profiler or NRS: To install NRS: a. Enter 1. The NRS Configuration screen appears. b. Decide whether to install NRS on the current computer. c. Enter the NRS Activation Code. The installer prompts you with a note about how it will change the Postfix server. d. Accept the change. e. Enter the path for the mail log. The install menu reappears showing [YES] next to Install NRS. To install IP Profiler: a. Enter 2. The IP Profiler Configuration screen appears. b. Decide whether to install IP Profiler on the current computer. c. Enter a port for the IP Profiler (default is 25). The installer prompts you with a note about ports if port 25 is already in use. Change the port number if necessary or change your Postfix listening port to 2500 after installation is complete. d. Press Enter to continue. e. Type the IP address where you installed the Central Controller, which contains the IMSS foxdns. IP Profiler requires communication with foxdns. f. Enter the domain name of your mail server. g. Press Enter. The install menu reappears showing [YES] next to Install IP Profiler. 6. To modify the install directory, enter 3, and then enter the new directory path. The default is opt/trend. 7. Enter 4 to being the installation. 8. Press Enter to begin the installing the components you selected. 4-8

75 Installing IMSS Uninstalling Network Reputation Services and IP Profiler To uninstall NRS and IP Profiler: 1. Log in as a superuser and go the installation package directory. 2. Type./ipfilterinst.sh. The Main Menu displays showing the status of IP Profiler and NRS. If you already installed these products, [Installed] appears. 3. Enter 2. The uninstallation menu appears showing which components will be removed. By default, the uninstallation status for each component is set to [NO], signifying that they will not be removed. If a component was not installed, [Not installed] appears. 4. To remove the components, enter the number that corresponds to the component, and then enter Y/y to change the uninstall status to [YES] on the uninstallation menu. 5. After you have changed the uninstallation status to [YES] for the components that you want to uninstall, enter 3. The components uninstall. 6. If you are uninstalling NRS, select whether to remove the mail log file. If you don t remove the file, the Postfix mail log will still be written to this file. The installer also unregisters IP Profiler from the IMSS admin database. 4-9

76 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Upgrading from Previous Versions The InterScan MSS installation program can automatically upgrade from version 5.7 of IMSS on the supported platforms. If the installation program detects this version, it can do the following: Uninstall the previous version of IMSS Install IMSS Migrate the existing settings Note: If you choose not to migrate your old IMSS settings, we recommend that you completely uninstall IMSS and then do a clean install, rather than installing IMSS 7.0 over an existing installation. Activation of Supported Services After upgrade, you will still need to enter Activation Codes to use the following: Antivirus and Content Filter SPS (includes IP Profiler) However, to use NRS you must enter the Activation Code during installation. Settings That Cannot be Migrated The following settings cannot be migrated: EUQ Settings EUQ approved senders EUQ spam mail Report Settings Pearl reports SPS reports Configuration Settings Quarantine area and archive folder paths 4-10

77 Installing IMSS messages in archive folders Log paths Limits on notifications for processes per hour Web console password Product Activation Codes Database settings in odbc.ini and database.ini Policy Settings Security settings: number of clean attempts, number of viruses reported, and message size criteria User-defined virus filters in sub-policies Customized actions for No virus in the virus filter Virus scanning settings for Extensions to Exclude for Specified File Types Global spam scanning mode Additional sensitivity for SPS filtering Action settings for graymail Advanced action settings for spam Expression list matching for attachments or file type in the advanced content filter Actions for Archive Original Notifications with original mail attachments Forwarding original message attachments Using Migration Reports You can view two types of migration reports under $IMSS_Home/installlog/MigrationReport: GeneralReport.txt View all items that were not migrated. DetailReport.txt View the relationship between IMSS 5.7 and IMSS 7.0 for both migrated and non-migrated settings. 4-11

78 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Backing Up Your Settings Before you perform the migration, back up your settings. See the following sections: Backing up IMSS 5.7 Data for a Single-server Deployment on page 4-12 Backing Up IMSS 5.7 Data for a Distributed Deployment on page 4-13 Backing up IMSS 5.7 Data for a Single-server Deployment First, back up your IMSS 5.7 data before migration. To back up IMSS 5.7 data: 1. Stop all IMSS 5.7 processes by typing the following commands: # $IMSS_HOME/imss/script/S99ISIMSS stop # $IMSS_HOME/imss/script/S99ADMIN stop # $IMSS_HOME/imss/script/S99EUQ stop # $IMSS_HOME/imss/script/dbctl.sh stop 2. Stop postfix by typing the following command: # postfix stop 3. Backup the home folder of IMSS 5.7 by typing the following command: # tar cvf imss57.tar /$IMSS_HOME/imss 4. Backup the database-related data by typing the following command: # tar cvf imss57_db_data.tar /var/imss 5. Backup the Postfix configuration files by typing the following command: # tar cvf postfix_config.tar /etc /postfix/main.cf /etc/postfix/master.cf 4-12

79 Installing IMSS Backing Up IMSS 5.7 Data for a Distributed Deployment First, back up your IMSS 5.7 data before migration. This scenario assumes four types of servers: Server 1 running scanners Server 2 running the database Server 3 running EUQ and central reporting Server 4 running NRS In the commands below, s1 refers to server 1, s2 refers to server 2, and so on. To back up your IMSS 5.7 data: 1. Do the following on the relevant server (depending on your IMSS deployment): On computers with scanner services: a. Stop all IMSS 5.7-related processes with scripts by typing the following: # /$IMSS_HOME/imss/script/S99ISIMSS stop b. Back up the IMSS 5.7 home folder by typing the following: # tar cvf imss57_s1_scanner.tar /$IMSS_HOME/imss On computers with only an IMSS 5.7 admin database: a. Back up the database by typing the following: # $IMSS_HOME/imss/PostgreSQL/bin//pg_dump d imss U sa > /home/sam/imss57_db b. Stop all database-related processes by typing the following: # /$IMSS_HOME/imss/script/dbctl.sh stop c. Back up the IMSS 5.7 home folder by typing the following: # tar cvf imss57_s2_db.tar /$IMSS_HOME/imss d. Back up the database-related data folder by typing the following: # tar cvf imss57_s2_db_data.tar /var/imss On computers with EUQ and central reporting: a. Stop all IMSS related processes with scripts by typing the following: # /$IMSS_HOME/imss/script/S99ADMIN stop 4-13

80 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide b. Back up the IMSS 5.7 home folder by typing the following: # tar cvf imss57_s3_euq.tar /$IMSS_HOME/imss On computers with NRS: a. Stop all IMSS related processes and stop the maillog parser process if it is still running. b. Back up the IMSS 5.7 home folder by typing the following: # tar cvf imss57_s4_nrs.tar /$IMSS_HOME/imss c. Stop Postfix by typing the following: # postfix stop d. Back up the Postfix configuration files by typing the following: # tar cvf s4_postfix_config.tar /etc/postfix/main.cf /etc/postfix/master.cf Migrating from Version 5.7 to Version 7.0 Note: Before performing the migration, back up your version 5.7 settings. If problems occur during migration, you can roll back to version 5.7 (see Rolling Back the Migration on page 4-16). To migrate to IMSS version 7.0: 1. Log in as a superuser on the computer where version 5.7 is installed and go the installation package directory. 2. Type./isinst.sh. The Main Menu provides a message that previously installed components have been detected. 3. Enter 1 to migrate your settings and upgrade to version 7.0. The Database Migration Config screen appears. 4. Select whether to install a new IMSS admin database server or use an existing server. 5. Enter the database server details. If you selected to use an existing server, the installer connects to the server. 4-14

81 Installing IMSS The Install Components Menu screen appears showing the status of the InterScan components. [YES] appears next to the component that the installer will install. By default, the Central Controller and a Scanner will be installed. These two components are necessary to use IMSS. 6. To modify the selection of the components to install, enter the corresponding number for the component and enter yes (Y y) or no (N n) to the install question. Note: You cannot modify the install path. If you want to install the EUQ service, the installer will verify whether an EUQ service already exists on the current computer and whether it is a primary or secondary service. The installer will install a primary service if no EUQ service exists or if the existing service is a secondary service. If you want to install the EUQ database, you can install a new database service or use an existing database service, and then enter that database service s information. 7. Enter 6 to continue. The installer checks the available free disk space, memory, and swap space on the computer and gives you an opportunity to cancel the installation if your computer does not meet the minimum requirements. Note: By default, the installer uses the install path of the old version. You cannot modify the install path. The installer backs up the old settings. The Policy Migration Menu appears. The installer will automatically detect and migrate your policies to rules. Filters under your version 5.7 policies and sub-policies will appear as rules in version 7.0. For more information on rules, see the Web console help. 8. The installer might not be able to migrate old IMSS 5.7 policies with special routes. For these cases, select one of the following: [1] incoming [2] outgoing 4-15

82 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide The installer uninstalls the previous version. If you want to install Trend Micro IP Profiler later, make sure that the DNS server is operational. The installer then installs the new version. Rolling Back the Migration If any problems occur with the migration to version 7.0, you can roll back to version 5.7. For more information about IMSS 5.7 installation-related questions, see your IMSS 5.7 documentation for more information. This section explains how to perform the rollback for the following deployment scenarios for version 5.7: Single-server deployment Install all components of IMSS 5.7 on a single server before migration (see Rolling Back in a Single-Server Deployment Scenario on page 4-16). Complex distributed deployment Install each component of IMSS 5.7 on different servers (see Rolling Back in a Complex Distributed Deployment Scenario on page 4-17). Rolling Back in a Single-Server Deployment Scenario If you deployed version 5.7 on a single IMSS computer, follow these instructions. To roll back to version 5.7 in a single-server deployment scenario: 1. Uninstall the 7.0 version that you just installed (see Uninstalling IMSS Components on page 4-5). 2. Reinstall IMSS Stop all running IMSS 5.7 process by typing the following: # $IMSS_HOME/imss/script/S99ISIMSS stop # $IMSS_HOME/imss/script/S99ADMIN stop # $IMSS_HOME/imss/script/S99EUQ stop # $IMSS_HOME/imss/script/dbctl.sh stop 4. Stop postfix by typing the following: # postfix stop 4-16

83 Installing IMSS 5. Restore the IMSS 5.7 home folder by unpacking the file imss57.tar under the root directory. To do this, type the following: # tar vxf imss57.tar 6. Restore IMSS 5.7 database data by unpacking the file imss57_db_data.tar under the root directory. This replaces the data folder of IMSS 5.7 database. To do this, type the following: # tar vxf imss57_db_data.tar 7. Restore Postfix configuration by unpacking the file postfix_config.tar under the root directory. This replaces the configuration files of postfix. To do this, type the following: # tar vxf postfix_config.tar 8. Start all IMSS 5.7 processes of by typing the following commands: # $IMSS_HOME/imss/script/dbctl.sh stop # $IMSS_HOME/imss/script/S99ISIMSS start # $IMSS_HOME/imss/script/S99ADMIN start # $IMSS_HOME/imss/script/S99EUQ start 9. Start postfix by typing the following command: # postfix start Rolling Back in a Complex Distributed Deployment Scenario If you deployed version 5.7 components on multiple computers, follow these instructions. This scenario assumes four types of servers: Server 1 running scanner services and central controllers Server 2 running the IMSS admin database Server 3 running the EUQ service and EUQ database Server 4 running IP Filtering (IP Profiler and NRS) 4-17

84 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide To roll back to version 5.7 in a complex distributed deployment scenario: 1. Uninstall the 7.0 version that you just installed (see Uninstalling IMSS Components on page 4-5). 2. Reinstall IMSS 5.7 (see your IMSS 5.7 documentation). 3. Stop all running IMSS 5.7 process and component processes by typing the following: On computers with scanner services: # $IMSS_HOME/imss/script/S99ISIMSS stop On computers with only an IMSS 5.7 admin database: # $IMSS_HOME/imss/script/dbctl.sh stop On computers with Central Controllers only: # $IMSS_HOME/imss/script/S99ADMINUI stop On computers with EUQ: # $IMSS_HOME/imss/script/S99EUQ stop 4. On computers running NRS, kill the maillogparser process. 5. Stop postfix by typing the following: # postfix stop 6. Restore the IMSS 5.7 home folder by unpacking the file imss57.tar under the root directory. To do this, type the following: On computers with scanner services: # tar vxf imss57_s1_scanner.tar On computers with only an IMSS 5.7 admin database: # tar vxf imss57_s2_db.tar # tar vxf imss57_s2_db_data.tar On computers with Central Controllers or EUQ: # tar vxf imss57_s3_euq.tar On computers with NRS: # tar vxf imss57_s4_nrs.tar # tar vxf imss57_s4_postfix_config.tar 7. Start all IMSS 5.7 processes by typing the following commands: 4-18

85 Installing IMSS On computers with scanner services: # $IMSS_HOME/imss/script/S99ISIMSS start On computers with only an IMSS 5.7 admin database: # $IMSS_HOME/imss/script/dbctl.sh stop On computers with Central Controllers only: # $IMSS_HOME/imss/script/S99ADMIN start On computers with EUQ: # $IMSS_HOME/imss/script/S99EUQ start 8. Start postfix by typing the following command: # postfix start 4-19

86 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Using Sendmail This section explains how to configure and use sendmail with IMSS. Sendmail Daemons The following illustration depicts running two Sendmail daemons and IMSS on the same server. FIGURE 4-1. Sendmail daemons on one server Port and are arbitrary port numbers, so replace and with free ports when completing the configuration below. (Port 25 is the standard SMTP port.) Configuring Sendmail #1 To configure Sendmail #1: 1. Copy the Sendmail.cf file called Sendmail.cf.delivery. 2. Change the A option in sendmail.cf for Msmtp, Mesmtp, Msmtp8, and Mrelay from IPC $h to IPC localhost 10025, where is an arbitrary free port on box_1. 3. Add the k flag to the F option for Msmtp, Mesmtp, Msmtp8, and Mrelay in sendmail.cf. 4-20

87 Installing IMSS The changes for Msmtp (as an example) should look as follows: Msmtp Before: P=[IPC], F=mDFMuX, S=11/31, R=21, E=\r\n, L=990, T=DNS/RFC822/SMTP, A=IPC $h Msmtp After: P=[IPC], F=kmDFMuX, S=11/31, R=21, E=\r\n, L=990, T=DNS/RFC822/SMTP, A=IPC localhost Replace the local mailer with [IPC] for Mlocal in sendmail.cf. 5. Change the A option to IPC localhost for Mlocal in sendmail.cf. 6. Add the k flag to the F option for Mlocal in sendmail.cf. The changes for Mlocal look as follows: Mlocal Before: P=/usr/lib/mail.local, S=10/30, R=20/40, T=DNS/RFC822/X-Unix, A=mail.local -d $u 4-21

88 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Mlocal After: P=[IPC], S=10/30, R=20/40, T=DNS/RFC822/X-Unix, A=IPC localhost Note: Make sure the F option of Mlocal does not include the f flag. Configuring Sendmail #2 To configure Sendmail #2: 1. Change the listening port to in sendmail.cf.delivery file. Before: #O DaemonPortOptions=Port=esmtp After: O DaemonPortOptions=Port= Change the mail queue to a different directory in sendmail.cf.delivery. Before: O QueueDirectory=/var/spool/mqueue After: O QueueDirectory=/var/spool/mqueue1 3. Create the directory var/spool/mqueue1 and make sure it has the same ownership and permissions as the original in var/spool/mqueue. 4. Add the k flag to the F option for Mlocal, Msmtp, Mesmtp, Msmtp8, and Mrelay in sendmail.cf.delivery. 4-22

89 Installing IMSS Restarting Sendmail services To finish sendmail setup, restart Sendmail services: 1. Restart the first Sendmail daemon to receive SMTP traffic on port 25 using the following command: /usr/lib/sendmail bd q1h 2. Restart the second Sendmail daemon to receive SMTP traffic from IMSS using the following command: /usr/lib/sendmail bd q1h C/etc/mail/sendmail.cf.delivery 4-23

90 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide 4-24

91 Getting Started Chapter 5 This chapter explains how to log onto the Web console and provides tips on what to do immediately after installation. Topics include: Opening the IMSS Web Console on page 5-2 Viewing the Web Console Using SSL on page 5-2 Opening the EUQ Console on page 5-3 Performing Basic Configuration with the Setup Wizard on page

92 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Opening the IMSS Web Console You can view the IMSS management console with a Web browser from the server where you installed the program, or remotely across the network. To view the console in a browser, go to one of the following URL: (or IP):8445 An alternative to using the IP address is to use the target server s fully qualified domain name (FQDN). To view the management console using SSL, type before the domain name and append the port number after it. The default login credentials are as follows: Administrator user name: admin Password: imss7.0 Type the login credentials the first time you open the console and click the Enter button. To prevent unauthorized changes to your policies, we recommend that you configure a password immediately following installation. Tip: To prevent unauthorized changes to your policies, Trend Micro recommends changing the password regularly. Viewing the Web Console Using SSL The IMSS Web console supports encrypted communication, using SSL. After installing the IMSS, SSL communication should work because the installation contains a default certificate. Trend Micro suggests creating your own certificate to increase security. If you want to use your own certificate, replace the following: $IMSS_HOME/UI/tomcat/sslkey/.keystore 5-2

93 Getting Started Opening the EUQ Console You can view the EUQ Web console from the machine where the program was installed or remotely across the network. To view the console from another computer on the network, go to: Primary EUQ service server IP address>:8447 Secondary EUQ service server IP address>:8446 WARNING! To successfully access all Web consoles on secondary EUQ services, you must synchronize the system time of all EUQ services on your network. An alternative to using the IP address is to use the target server s fully qualified domain name (FQDN). The default login credentials are as follows: Administrator user name: {admin@domain} Password: {administrator-defined} 5-3

94 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Performing Basic Configuration with the Setup Wizard IMSS provides a configuration wizard to help you configure all the settings you need to get IMSS up and running. To use the setup wizard: 1. Access the wizard through one of the following methods: Log on to the Web console and make sure the Open Configuration Wizard is selected on the login screen, and then log in. The wizard opens. If you are already logged on the Web console, choose Administration > IMSS Configuration > Configuration Wizard. The wizard opens in a new window. 2. After you read the welcome screen, click Next. The Notification Settings screen appears. 3. Configure the following notification settings, which IMSS will use for all default system and policy event notifications: Settings Type the sender and receiver addresses, the name of the server on which IMSS delivers mail to, the SMTP server port, the language character set, and any additional headers or footers to add to the message. SNMP Trap If you have an SNMP server on your network, type the server name and the community name. 4. Click Next. The Update Source screen appears. 5. Configure the following update settings, which will determine from where IMSS will receive it s component updates and through which proxy (if any) IMSS needs to connect to access the Internet: Source Click Trend Micro ActiveUpdate server to receive updates directly from Trend Micro, or click Other source and type the name of the update source, such as you Control Manager server. Proxy Settings Select the Use proxy server check box and configure the proxy type, server name, port, user name, and passwords. 6. Click Next. The LDAP Settings screen appears. 7. Do the following to enable LDAP settings: 5-4

95 Getting Started a. Next to LDAP server type, select one of the following: Microsoft Active Directory Domino Sun iplanet Directory b. To enable one or both LDAP server, select the check boxes next to Enable LDAP 1 or Enable LDAP 2. c. Type the names of the LDAP servers and the port numbers they listen on. d. Under LDAP Cache Expiration for Policy Services and EUQ services, type a number that represents the time to live next to TTL in minutes. e. Under LDAP Admin, type the administrator account, it s corresponding password, and the based-distinguished name. f. Next to Authentication method, click Simple or Advanced authentication, which uses Kerberos authentication for Active Directory. For advanced authentication, configure the Kerberos authentication default realm, Default domain, KDC and admin server, and KDC port number. Note: Enter LDAP settings only if you will use LDAP for user-group definition, administrator privileges, or web quarantine authentication. You must enable LDAP to use End User Quarantine. 8. Click Next. The Internal Addresses screen appears. 9. Define your internal domains (known users or domains) that IMSS uses to determine which policies and events are Inbound and Outbound for reporting and rule creation. You will be asked to specify allowed domains later. To define domains, do one of the following: Select Enter domain from the drop down box, type the domain in the text box, and then click >>. Select Search for LDAP groups from the drop down box. A screen for selecting the LDAP groups appear. Type an LDAP group name for which you want to search in the text box and click Search. The search result appears in the list box. To move it add it to the Selected list, click >>. 10. Click Next. The TMCM Settings screen appears. 11. If you will use Control Manager to manage IMSS, do the following: 5-5

96 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide a. Select Enable TMCM Agent (already installed with IMSS). b. Next to Server, type the TMCM IP address or FQDN. c. Next to Communication protocol, select HTTP or HTTPS and type the corresponding port number. The default port number for HTTP access is 80, and the default port number for HTTPS is 443. d. Under Web server authentication, type the user name and password for the Web server if it requires authentication. e. If a proxy server is between IMSS and TMCM, select Enable proxy. f. Type the proxy server port number, user name, and password. 12. Click Next. The Product Settings screen appears. You must activate the Antivirus and Content Filter to enable scanning and security updates. To obtain an Activation Code, register the product online using the supplied Registration Key. 13. Type the Activation Codes for the products you want to activate. If you don t have an Activation Code, click Register Online and follow the directions at the Trend Micro Registration Web site. 14. Click Next. A Summary screen appears. 15. If your settings are correct, click Finish. To modify any of your settings, click Back and keep moving through the screens until your settings are complete. 5-6

97 Getting Started Using Network Reputation Services (NRS) Trend Micro recommends that you deploy NRS as the first line of defense in your messaging infrastructure. Although most messaging systems have a multilayer structure that often includes some pre-existing DNS blocking, spam filtering, and virus filtering, Trend Micro recommends that other DNS blocking techniques be removed completely from the messaging environment. NRS should act as the precursor to any application filtering you might use. Using the SPS Activation Code If you purchase the full service of Spam Prevention Solution (SPS), you will receive a registration key that will allow you to create a customer account with Trend Micro and upon completion of the registration process you will receive your Activation Code. The Activation Code will only allow you access to the level of service to which you are registered. Configuring NRS You can activate NRS during installation (see Installing IP Filtering Components on page 4-7) or from the Web console by activating SPS. To use NRS: 1. Choose IP Filtering > NRS from the menu. 2. Select the Enable check box. 3. Click a radio button next to one of the following: Default intelligent action NRS permanently denies connection (550) for RBL+ matches and temporarily denies connection (450) for Zombie matches. Take customized action for all matches Connection rejected with Reject any connects with a certain SMTP code. Type an SMTP code. 4. Click Save. 5-7

98 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Preparing Your MTA To prepare your MTA to use with NRS: RBL+ Service Configure the MTA to reject connections with a 550 level error code (connection refused), which indicates that a positive response was received from the RBL+ database. Listings in the RBL+ database are known to be spammers or sources that should not be sending . Therefore, the standard method for handling them is to reject these connections outright. For more information, see the following URL: Network Anti-Spam Service Configure your MTA to make 2 potential DNS queries. If the QIL database does not receive a positive response, the MTA will need to make a second query to the RBL+ database. The MTA should temporarily deny connections with a 450 level error code (server temporarily unavailable, please retry), when a positive response is received from this database. Listings in this database are occasionally legitimate mail servers that may have compromised hosts behind them temporarily sending spam. If the connection request is from a legitimate mail server, it will re-queue and try sending the message at a later time. This will cause a short delay in mail delivery until the listing expires, but will not permanently block the mail. For more information, see the following URL: Using the NRS Administration Console To access global spam information, view reports, create or manage Approved Sender IP and Blocked Sender IP lists, and perform administrative tasks, log on to the Network Reputation Services administration console. This section includes basic instructions on the NRS console. For detailed instructions on configuring each screen, see the NRS console online help. Click the help icon in the upper right corner of any help screen to access the online help. To use the NRS Administration Console: 1. Open a browser and access the following address: 5-8

99 Getting Started 2. Select Global Spam Update from the menu. 3. Click any of the following tabs: Spam Alert Provides a brief overview and discussion of current spamming tactics and their implication for organizations. It also describes how new tactics are being deployed and how they have been designed to get through Trend Micro systems, as well as how Trend Micro is responding to these new threats. ISP Spam.x The total spam volume from the top 100 ISPs for a specific week. The networks that are producing the most spam are ranked at the top. The ranking of the ISP s will change on a daily basis. 4. To view reports that summarize the query activity between your MTA and the Network Reputation Services database servers, do the following: a. Select Report from the menu. b. Click Percentage queries, Queries per hour, or Queries per day. 5. To create or manage Approved Sender IP and Blocked Sender IP lists, choose Policy from the menu. You can define your Approved Senders by individual IP address and CIDR by Country, or by ISP. 6. To add an ISP to the list, choose New ISP from the menu. To change your password or Activation code, choose Administration from the menu. 5-9

100 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide 5-10

101 Chapter 6 Troubleshooting, FAQ, and Support This chapter explains how to troubleshoot common IMSS issues, search the Trend Micro Knowledge Base, and contact support. Topics include: Troubleshooting on page 6-2 Frequently Asked Questions (FAQ) on page 6-6 Using the Knowledge Base on page 6-9 Contacting Support on page

102 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Troubleshooting Table 6-1 shows common troubleshooting issues you might encounter with IMSS. Read through the solutions below. If you have additional problems, check the Trend Micro Knowledge Base. Issue The imssps daemon is running but refusing connections Unable to activate products (Antivirus/eManager, SPS, NRS, IP Filtering) or update components Suggested Resolution If the imssps daemon is running, the policy service is working. Check the connection between the policy service and scanner service and verify your LDAP settings. If a proxy server is on your network, verify your proxy settings. To activate NRS, IMSS needs to connect to Trend Micro. This process requires a DNS query. Therefore, if a DNS server is not available or has connection problems, activation will fail. Verify your DNS server settings. To verify your DNS settings from the Web console: 1. Choose Administration > Updates from the menu. The Schedule tab displays by default. 2. Click the Source tab. 3. Configure the proxy settings. 4. Click Save. notifications do not display properly If your computer is running an non-english operating system and the notification message was not written in English, it may appear distorted. Modify the character set through the Web console. To modify the character set: 1. On the Web console menu, choose Configuration > Event Monitoring > Notification Settings. 2. Next to Preferred Charset, select the language in which the messages will be written. End User Quarantine Issues 6-2

103 Troubleshooting, FAQ, and Support Issue Users are unable to log into EUQ Web console The EUQ Web digest does not display quarantined information correctly Unable to access the Web EUQ Web console Some quarantined messages are not appearing on the EUQ Web console Suggested Resolution Do the following: 1. On the LDAP server, verify that the user accounts are in the correct group. Only user accounts in the approved group can access EUQ. 2. Verify LDAP and End-user Access settings through the IMSS Web console: a. Choose Administration > IMSS Configuration > Connections > LDAP. b. Verify all settings, especially the LDAP type and server information. c. Choose Administration > End-user Access. d. Enable end-user access. e. Verify that the correct LDAP groups appear under Selected Groups. 3. Verify that your users are using the correct login name and password. Verify that the correct character set is correct: 1. Choose Administration > Notifications > Settings. 2. Next to Preferred charset, choose the character set that will properly display the digest information. Do the following: 1. Verify that you are using the correct URL and port number. To view the console from another computer on the network, go to: Primary EUQ service server IP address>:8447 Secondary EUQ service server IP address>: Verify that the system time of each EUQ service on your network is synchronized. The first instance of the EUQ service, the primary EUQ service, runs Apache Web Server (httpd) while listening on port 8447 (HTTPS). This Web Server serves as a connection point for the EUQ clients and for load balancing for all EUQ services. If the Apache server is down, users will not be able to access EUQ console from the normal IP address: EUQ Service IP address}:8447/. The EUQ Web console can only access that IMSS identifies as spam or phishing attempts. From the EUQ Web console, you cannot view quarantined that violated other rules, such as the antivirus rule. 6-3

104 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Issue Suggested Resolution IP Filtering Issues Foxproxy cannot start up There are several reasons why Foxproxy might not start. To find out the reason, view the IP Profiler logs. To view IP Profiler logs: 1. Go to the directory where IP Profiler is installed (by default: /opt/trend). 2. Open foxproxy.ini. 3. Change the value for log_level to Restart Foxproxy by typing the following: /opt/trend/ipprofiler/script/foxproxyd restart 5. Open the log file by typing the following: /opt/trend/ipprofiler/logs/foxproxy-general.**** Unable to connect to Foxproxy Foxproxy processes messages slowly Verify that Foxproxy is running and that it is binding on port 25. When Foxproxy receives , it performs a DNS query on FoxDNS. If Bind is not running, Foxproxy continues to wait until the DNS query times out. Verify that the bind service is running on the machine where FoxDNS is installed: 1. Type the following command: ps ef grep named 2. Start the service if it is not running. Unable to view connections that Foxproxy is blocking FoxDNS is not functioning Every five (5) minutes, Foxproxy sends information about blocked connections to the IMSS server. Wait for at least five minutes before viewing the connection information. To change this time value: 1. Open foxproxy.ini. 2. Modify the value for report_send_interval. Verify that BIND service is running: 1. Type the following command: ps ef grep named 2. Start the service if it is not running. 6-4

105 Troubleshooting, FAQ, and Support Issue No IP Profiler log information exists The NRS installation does not validate the NRS Activation Code When installing NRS, the following error message appears: "Applying change to Postfix failed" Suggested Resolution The following IP Profiler-related log files are in the IMSS admin database: foxmsg.**** foxnullmsg.**** foxreport.**** Verify that the log files exit: 1. Go to the log directory on the where IMSS is installed (by default: /opt/trend/imss/log/). 2. If the files are not present, use the following command to check if imssmgr is running: ps ef grep imssmgr 3. Check is foxproxy is running: ps ef grep foxproxy 4. Verify that IP Profiler is enabled. In table t_foxhuntersetting, the following should exist: record: Type = 1 and enable = TRUE To validate the Activation Code, the NRS installation script accesses Trend Micro through the Internet. Verify that your DNS server is operating correctly and that the computer on which you are installing NRS has access to the Internet. Postfix is not running. The NRS installation script writes configuration information into the Postfix configuration files. Verify that Postfix is running, and then run the NRS installer again. The MTA settings on the SMTP Routing Web console screen are not being written into the Postfix configuration files TABLE 6-1. Troubleshooting Issues By default, the settings on the SMTP routing screen cannot be written to Postfix. Enable this function using the following steps: Go to the IMSS configuration directory (by default: /opt/trend/imss/config). Open the IMSS configuration file imss.ini Change the value for enable_postset_thd to yes or leave the value empty. Restart IMSS manager using the following command: /opt/trend/imss/script/s99manager restart 6-5

106 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Frequently Asked Questions (FAQ) Postfix MTA Settings How can I change my MTA settings without using the Web console? You can modify the IMSS configuration file and add the following key. 1. Open imss.ini. 2. Make the following modification: detach_key_postfix=smtpd_use_tls:queue_directory:{parameter1:{p arameter2}: ::{Parameter n} The parameters above will not be overwritten by any settings that you configure through the Web console. You can modify main.cf manually. WARNING! Use extreme caution when modifying the configuration file. IMSS Components Can I move the Central Controller from one computer to another? Yes. First, run the IMSS installation script to uninstall the Central Controller from the computer. Next, run the IMSS installation script and install the Central Controller on the other computer. How can I set up and maintain the database? The following commands can help you maintain the database: pg_dump imss > YYMMDD.HHMMSS.backup Back up the database. psql imss < YYMMDD.HHMMSS.backup Retrieve the latest data if errors occur. vacuum Clean up the database on tables that are frequently accessed or on tables that have large amounts of data. Use when traffic is low or when the device is not connected to your network. vacuumfull Clean up the entire database when the database is not being heavily utilized or when the device is not connected to your network. 6-6

107 Troubleshooting, FAQ, and Support redirect_stderr= and log_rotate_***= Turn on these options in postgresql.conf to redirect old database log entries to the system log, which is rotatable. You can name the log-file to start with a dash -. You can also delete some IP-Filtering and log data using SQL and modify the logs settings on the Logs > Settings screen. IP Profiler EUQ How can I purge the Foxproxy log? A log purge program exists in the IP Profiler installation directory (by default: /opt/trend/ipprofiler/foxpurgelog). The settings about log purge function are in the configuration file foxproxy.ini. The keys are as follows: log_purge log_purge_unit log_purge_num Who will monitor foxproxy s status? Who will rescue it when it shutdown? Foxproxy is a multiple-process program. The main process only monitors child processes. If child processes are dead, the main process rescues them. But if the main process is dead, the child processes cannot be rescued. If you are experiencing any problems with Foxproxy, verify that the main process is running. How are DNS queries performed? The DNS queries are done directly from the scanner service. A DNS server is automatically installed on the Central Controller. When you install IP Profiler, the installation script lets IP Profiler know that the DNS server is on the Central Controller. If I m using Kerberos, why can t users log into the EUQ console with a short name: domain\user_name? Kerberos servers cannot accept user names in the format: Domain\user_name. Kerberos requires the format [email protected] 6-7

108 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Others What do I have to do to use Transport Layer Security (TLS)? Upload the certificate for TLS and enable it on the Administration > IMSS Configuration > SMTP Routing screen. IMSS 7.0 uses the Postfix TLS function. All settings are written to the configuration file main.cf. For more information, see: 6-8

109 Troubleshooting, FAQ, and Support Using the Knowledge Base The Trend Micro Knowledge Base, maintained at the Trend Micro Web site, has the most up-to-date answers to product questions. You can also use Knowledge Base to submit a question if you cannot find the answer in the product documentation. Access the Knowledge Base at: The contents of Knowledge Base are being continuously updated, and new solutions are added daily. If you are unable to find an answer, however, you can describe the problem in and send it directly to a Trend Micro support engineer who will investigate the issue and respond as soon as possible. Contacting Support Trend Micro provides technical support, virus pattern downloads, and program updates for one year to all registered users, after which you must purchase renewal maintenance. If you need help or just have a question, please feel free to contact us. We also welcome your comments. Trend Micro Incorporated provides worldwide support to all of our registered users. Get a list of the worldwide support offices: Get the latest Trend Micro product documentation: In the United States, you can reach the Trend Micro representatives via phone, fax, or Trend Micro, Inc North De Anza Blvd. Cupertino, CA Toll free: +1 (800) (sales) Voice: +1 (408) (main) Fax: +1 (408) Web address: address: [email protected] 6-9

110 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide 6-10

111 Additional Configuration Notes Appendix A This appendix provides information on configuring additional settings that might be required to get IMSS up and running on your network. The settings depend heavily on your current environment and how you have configured your MTAs and mail servers, etc. Topics include: Performing Additional Tasks on page A-2 A-1

112 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide Performing Additional Tasks Table A-1 provides a list of additional tasks you might need to perform and their corresponding Linux commands or the file modifications you need to make. Task Uninstalling existing sendmail installations Installing postfix Verifying Bind installation Verifying Bind server and autostart configuration Changing the SMTP port to 2500 Verifying if the transport_maps parameter is configured Reconfiguring transport_maps Renaming and viewing settings of the transport file Compiling transportlist.db rpm -qa grep sendmail /etc/rc.d/init.d/sendmail stop rpm -e --nodeps sendmail Commands rpm -Uvh postfix rhel4.i386.rpm bind el4 binutils bind-libs el4 ypbind bind-chroot el4 bind-utils el4 service named status service named start chkconfig --list named chkconfig named on Replace smtp by 2500 in this line of master.cf smtp inet n - n - - smtpd to 2500 inet n - n - - smtpd postconf transport_maps postconf e 'transport_maps=$default_database_type:$config_directory /transportlist' cat /etc/postfix/transport >> /etc/postfix/transportlist postmap -v hash:/etc/postfix/transportlist A-2

113 Task Modifying main.cf Modifying master.cf Commands mydomain = tests-mexico.trendmicro.com myhostname = correo.tests-mexico.trendmicro.com mydestination = $myhostname, localhost.$mydomain, $mydomain default_process_limit=200 imss_timeout=10m imss_connect_timeout=1s content_filter = imss:localhost:10025 imss_destination_recipient_limit=200 imss_destination_concurrency_limit=20 #InterScan MSS: content filter smtp transport imss for InterScan MSS imss unix - - n - - smtp -o disable_dns_lookups=yes -o smtp_connect_timeout=$imss_connect_timeout -o smtp_data_done_timeout=$imss_timeout Changing to main.cf local_recipient_maps = #InterScan MSS: content filter loop back smtpd localhost:10026 inet n - n - 20 smtpd -o content_filter= -o smtpd_timeout=$imss_timeout -o local_recipient_maps= -o myhostname=postfix.imss70 -o smtpd_client_restrictions= Changing to imss.ini Changing the device IP address smtp_allow_client_ip= or smtp_allow_client_ip=all If the IP address of the IMSS machine changes, restart IMSS to change the old IP address to the new one. TABLE A-1. Commands for additional tasks The SMTP IP address is written in Postfix's main.cf file, so look for: "inet_interfaces" For the IMSS POP3 IP address, look for "proxy_pop3_server_ip" in the imss.ini file. A-3

114 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide A-4

115 Index Index A about IMSS 1-2 admin database 3-5 advanced performance 1-7 Apache 3-5 Tomcat 3-5 archive 1-2 audience vi B backing up settings 4-12 basic setup 5-4 benefits of IMSS 1-7 browser requirements 2-2 C central controller 3-2 centralized archive and quarantine 1-2 centralized logging 1-2 centralized policy 1-2 commands A-2 component and sub-module installation 3-5 configuration wizard 1-3 contact support 6-9 Control Manager 1-7 CPU requirements 2-2 D database on central controller 3-2 database server 3-5 disk space requirements 2-2 Documentation vi E threats 1-4 DoS 1-5 legal liability 1-5 malicious content 1-5 spam 1-5 unproductive messages 1-5 EUQ 1-2 about 1-12 Web console 5-3 F failover 3-8 FAQ EUQ 6-7 IMSS components 6-6 IP Profiler 6-7 postfix 6-6 TLS 6-8 filtering, how it works 1-7 Firefox 2-2 I IMSS 1-2 IMSS IMSS components admin database 3-2 central controller 3-2 EUQ database 3-2 EUQ primary and secondary services 3-4 installation 3-5 policy services 3-3 policy services synchronization 3-3 scanner services 3-3 IMSSMGR 3-5 Install 2-1, 5-1 installation clustered 3-8 complex architecture 3-18 I 1

116 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide IP Filtering 4-7 IP Filtering, installation EUQ 3-34 multiple EUQ services 3-16 multiple scanner services 3-13 preparing Postfix 4-2 procedures 4-4 removing IMSS 4-5 scenarios 3-7 single server 3-10 using TMCM 3-20 verifying 4-6 WAN 3-20 installing before a firewall 3-25 behind a firewall 3-10, 3-26 in the DMZ 3-28 no firewall 3-24 on SMTP gateway 3-27 using SSL 5-2 Internet Explorer 2-2 IP Filtering about 1-9 installation 4-7 removing 4-9 IP Profiler 1-3 about 1-9 detects 1-9 how it works 1-10 J Java requirements 2-2 K Knowledge Base 6-9 L LDAP policies 1-7 LDAP server requirements 2-2 logs 1-2 M maillog parser 3-6 mass mailing viruses pattern 1-6 Memory requirements 2-2 migrating settings 4-10 migration from 5.7 to rollback 4-16 minimum requirements 2-2 MTA Postfix preparation 4-2 with NRS 5-8 MTA features, opportunistic TLS 1-3 MTA requirements 2-2 N named server 3-5 new features 1-2 NRS 1-3 about 1-10 Activation Code 5-7 Administration Console 5-8 configuring 5-7 how it works 1-11 MTA settings 5-8 services 1-10 using 5-7 O Online Help vi P password EUQ Web console default 5-3 IMSS Web console default 5-2 I 2

117 Index pattern matching 1-3 policy 1-2 policy service 3-3 POP3 1-7 Postfix preparation 4-2 Postgre requirements 2-2 Preface v Q quarantine 1-2 R Readme File vi reports 1-2 requirements 2-2 rolling back the migration 4-16 S scanners 3-3 settings backup 4-12 migration 4-10 setup wizard 5-4 spam filtering, SPS 1-7 spam prevention 1-3 Spam Prevention Solution (SPS) about 1-9 Activation Code 5-7 spyware and grayware 1-8 SSL certificate 5-2 support 6-9 swap space requirements 2-2 system requirements 2-2 T TMCM 1-7 about, Control Manager about 1-13 TMCM agent, agent TMCM 1-13 Tomcat 3-5 Trend Micro Knowledge Base 6-9 troubleshooting 6-2 activating products 6-2 notifications 6-2 EUQ quarantined messages 6-3 EUQ Web console access 6-3 EUQ Web digest 6-3 imssps daemon 6-2 IP Filtering 6-4 NRS 6-5 U uninstallation 4-5 IP Filtering components 4-9 upgrading 4-10 user name EUQ Web console default 5-3 IMSS Web console default 5-2 V verifying the installation 4-6 version W Web console 5-2 Web EUQ 1-2 what s new 1-2 wizard 5-4 I 3

118 Trend Micro InterScan Messaging Security Suite 7.0 Getting Started Guide I 4