Secure Network Gateway / Secure E-Mail Gateway (SEG) Service Service Launch Guide Service Launch Guide (US Customer) SEG Filtering Overview The following information will guide you through the steps required to begin using the SEG Service. Section One: Section Two: Section Three: 6 steps to Start Filtering Optional Configurations Resources SECTION ONE: 6 steps to Start Filtering STEP 1: Verify initial configuration settings in SEG Control Console 1. Access the SEG Control Console at https://access.seg.att.com. 2. Click on the Forgot your password or need to create a password? 3. Enter you Email Address and click next to have password information sent to your primary email address. 4. You will see a confirmation page that confirms an email was sent to the desired address. 5. Once you have received the email, click on the URL included in the body copy, which will direct you to the Change Password page. 6. Create your password. All passwords must be a minimum of eight characters and include at least two characters that are a combination of at least two of the following three groups: letters, numbers, and symbols such as p%1as*+d5. Please note that passwords are case sensitive. 7. You will be prompted to supply the answer to a security question, such as Mother s birthplace or Name of first pet. Please note that answers to the security questions, unlike passwords, are not case sensitive. 8. Verify Domains/Verify Domain Spelling Go to Account Management > Domains to verify that your domains are present and that they are spelled correctly.
9. Verify Inbound Server host addresses Go to Email Protection Setup > Inbound Servers, and verify that the Inbound Server host addresses are accurate. 10. Verify Outbound Server IP addresses Go to Email Protection Setup > Outbound Servers and verify the Outbound Server public IP host addresses are accurate. The 10 procedures above must be completed prior to further configuration of your service. Do not move on to step 2 unless you have completed. STEP 2: Inbound Filtering Setup To being filtering inbound email it is necessary for you to change the MX record for your domain(s) to the following: YourDomain.com MX preference = 10, mail exchanger = grid1i.seg.att.com YourDomain.com MX preference = 20, mail exchanger = grid2i.seg.att.com DO NOT resolve grid1i.seg.att.com or grid2i.seg.att.com to an IP address. For optimal performance, this should be your ONLY MX record. STEP 3: Outbound Filtering Setup To begin filtering outbound email you must designate for each of your outbound mail servers the SEG server as your Smart Host. Your outbound email is then relayed through SEG before continuing to its final destinations. Configure your e-mail server to direct all outbound e-mail to outbound.seg.att.com Ensure that your outbound mail relay in not acting as an open relay: We recommend that you test for and disable any open relays on your mail server or network. Open relays are a major security concern, which if not corrected, can result in the immediate shutdown of Outbound Filtering by AT&T. STEP 4: Firewall Port Restrictions Follow the procedures below to properly lock-down your mail server. Wait 72 hours after changing your MX record to allow full propagation across the Internet. Next, restrict inbound port-25 SMTP traffic on your firewall or mail server(s) to only accept mail from the AT&T SEG IP Address Ranges listed below: 209.65.160.64/27 2
209.65.176.64/27 209.65.152.64/27 Customers using Cisco PIX or ASA firewalls: We suggest the SMTP Fix Up or Inspect ESMTP settings be disabled on your firewall prior to setting up your AT&T SEG service. Customers using firewalls with built-in spam filtering (i.e., Barracuda): Some firewalls using built- in spam filtering may block some AT&T IP addresses. If you use such an appliance and it is behind another firewall, it is recommended to also add the AT&T IP ranges to the appliance so that traffic from AT&T SEG is accepted. Not doing so can cause intermittent interruptions to email delivery. Note that some older versions of these appliances do not allow input of IP addresses/ranges. In this case, it is recommended that the appliance be disabled/removed from service as AT&T will provide the same type of spam filtering with a more user-friendly configuration. Customers using Sender Policy Framework (SPF): AT&T recommends that customers using the SEG Service disable any SPF checks and/or rejection, based on SPF failures. This will prevent delivery difficulties when the message is seen by a recipient as being sent by AT&T, as opposed to the actual sender. For outbound filtering should include the following segment in their SFP record to ensure that recipients understand that mail is being sent by AT&T on behalf of your organization: include:seg.att.com For more information on Sender Policy Framework, see: http://openspf.org http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard STEP 5: Deactivation of any prior email filtering services If you were a customer of any other email SaaS filtering service you must ensure that all settings and configurations are removed from that service. This will ensure that any e-mail received by that service will be properly routed to the new service and not utilize your legacy configuration settings. STEP 6: Message Filters There is no additional customer setup needed to utilize the SEG default message filtering policies. All inbound messages will be filtered for spam and viruses. Messages that have a high likelihood of being spam will be dropped. Messages that have a medium likelihood of being spam will be quarantined. Messages that contain viruses will be cleaned and forwarded to recipient. If cleaning is not possible then the message is quarantined. 3
All outbound messages will be filtered for viruses. Messages that contain viruses will be cleaned and forwarded to recipient. If cleaning is not possible then message is dropped. The messaging filters above are default settings and can be customized by the customer as needed. Spam is easy to define unsolicited email that a recipient does not want nor has asked to receive unlike graymail, which is usually legitimate bulk mail that was requested by the user in the past, but is no longer wanted by the user. Graymail is not automatically blocked by the AT&T Secure E-Mail Gateway service spam filters. You have the option of enabling the pre-defined graymail filter that you can configure within your inbound policy spam settings. WARNING! Do not set the graymail filter to the Allow action; this will enable messages that meet the graymail filtering criteria that are also scored as spam to be delivered to your user inboxes. SECTION TWO: Optional Configurations Some additional optional recommended configuration steps are listed below. ALL SEG customers Limit size of attachments for both incoming and outgoing email This setting will prohibit users from sending large attachments that may slow down your email platform. The recommended setting for this is 10 MB. Go to Policies > Attachments, and set the MB size limits for all file types. Note: The default settings disallow executable and script attachments. It is recommended that the customer retain these settings. User account creation with SMTP discovery If you are using SMTP discovery for user creation, your end users must create an account password within 30 days of initial user creation. If a user does not create a password and also does not meet minimum user activity levels within the SEG service their account could be deleted as part of the automatic removal performed by the service on inactive user accounts. This process is necessary to prevent the buildup of invalid user accounts that are created by the SMTP discovery user account creation process. SEG Premium customers only Encrypting Messages 4
Customers that have contracted for the SEG Premium service have the ability to encrypt outbound messages based on policy or end user action using the Send Encrypted Outlook Add-in. The SEG service contains a default policy that will encrypt messages with encrypt in the subject line. The send encrypted add-in can be downloaded from the SEG Support Site in the Setup & Support section. To create/modify policies to encrypt messages: Go to: Email Protection Policies Outbound Policies Branding Customers that have contracted for the SEG Premium service have the ability to upload one company logo to be used in branding of the encrypted message sender/recipient notification messages and the Encrypted Message Console. The logo image must be a GIF image that is no larger than 190 pixels wide by 63 pixels high. Go to: Account Management Customers Branding 1. Upload your logo 2. Add your custom host name: yourdomain.access.seg.att.com 3. Add sender email address: noreply@seg.att-mail.com Mixed seat-count customers only If you contracted for a mix of advanced and premium seats Customers with a mix of SEG Advanced and SEG Premium seats will need to create a separate group of SEG Premium email users with total count of users not to exceed SEG Premium licenses purchased and Customer will only create and apply outbound email filtering policies that use the encrypt action to the SEG Premium email user group. If you contracted for a mix of advanced / premium and archiving seats Customers with a mix of SEG Advanced or SEG Premium and SEG Archiving seats will need to create a separate journalized mail store within Microsoft Exchange for the SEG Archiving users with total count of users not to exceed SEG Archiving licenses purchased and Customer will only enable SEG Archiving for the SEG Archiving user mail store. SECTION THREE: Resources SEG Support Site 5
All information about the SEG service can be found on the SEG Support Site: http://support.seg.att.com Setup and Support We recommend that you download the Technical Support Overview and familiarize yourself with how to obtain support for the SEG service. Reference Materials & Training Center We recommend that the Customer Administrator thoroughly review the Administrator Guides and Online Training Modules available through the support site. End User materials are also available on the site to assist your end users. 6