Getting Started Guide for Symantec On-Demand Protection for Outlook Web Access 3.0 PN: 12199694
Getting Started Guide for Symantec On-Demand Protection for Outlook Web Access 3.0 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version PN: 12199694 Legal Notice Copyright 2007 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 http://www.symantec.com
Contents Chapter 1 Chapter 2 Chapter 3 Chapter 4 Chapter 5 About Symantec On-Demand Protection for Outlook Web Access Version 3.0 Endpoint security... 7 Using Symantec On-Demand Protection with Microsoft Outlook Web Access... 9 Evaluation key... 10 Planning On-Demand Protection policies... 10 Symantec On-Demand workflows... 11 Installing Symantec On-Demand Protection On-Demand Manager generates On-Demand Agents... 13 Minimum installation requirements... 13 On-Demand Agent downloaded to endpoint computers... 14 Installing Symantec On-Demand Protection... 15 Running Symantec On-Demand Protection Launching the On-Demand Manager... 17 Configuring the On-Demand Agent to implement protection policies... 17 Running the Virtual Desktop on client computers... 19 Running Host Integrity on client computers... 20 Previewing On-Demand Agents Previewing On-Demand Agent files... 21 Previewing Host Integrity... 22 Previewing Virtual Desktop... 23 Generating and Uploading On-Demand Agent files Generating On-Demand Agent files... 25 Uploading On-Demand Agent files to your web server... 26
6 Contents Chapter 6 Enforcement for Symantec On-Demand for Outlook Web Access Types of Enforcement... 27
Chapter 1 About Symantec On-Demand Protection for Outlook Web Access Version 3.0 This chapter includes the following topics: Endpoint security Using Symantec On-Demand Protection with Microsoft Outlook Web Access Evaluation key Planning On-Demand Protection policies Symantec On-Demand workflows Endpoint security Symantec On-Demand Protection provides a secure environment for Outlook Web Access (OWA). This secure environment allows organizations to enforce corporate security policies without preinstalling software or making permanent changes to remote endpoints web mail access. The implementation of Symantec On-Demand Protection to protect Outlook Web Access requires no additional hardware or software deployment. The Symantec On-Demand Agent package can simply be installed on the Outlook Web Server and integrated within the Outlook Web Access authentication process.
8 About Symantec On-Demand Protection for Outlook Web Access Version 3.0 Endpoint security Symantec On-Demand Protection safeguards information downloaded during and after an email Web session using state-of-the-art security technologies. With this protection tool, corporations can be confident that the unmanaged endpoints using Outlook Web Access for email will be in compliance with corporate and regulatory standards. To integrate On-Demand with OWA, you need to configure Symantec On-Demand Protection and the Microsoft Internet Information Services (IIS) server for which OWA Cookie enforcement is to be used. When On-Demand Cookie enforcement is configured, the Microsoft IIS server will force any user to download the On-Demand Agent before accessing their emails using OWA. Cookie enforcement for an IIS server prevents bypass of on-demand security for OWA. Cookies are used to control access when the On-Demand module is running. A specified cookie is configured for each browser session, and a server-side Agent verifies the cookie and then allows or blocks the request based on the results. Symantec On-Demand also provides an HTTP packet filter to improve cookie checking for applications such as OWA hosted on an IIS web server. The ISAPI verification filter allows administrators to control access to specific IIS directories. Symantec On-Demand Protection for Outlook Web Access offers the following protection technologies: Adaptive Policies Location switching based on endpoint parameters such as IP range, registry key, DNS, and others. Symantec On-Demand Agent has the ability to adapt security policies based on identification of specific network locations and the type of network device used (corporate-owned vs. non-corporate-owned) to ensure that confidential email data is protected without impacting the productivity of a user. Host Integrity Predefined checks for antiviruses, personal firewalls and service packs; custom checks for process, registry key, file, and operating system. The Symantec On-Demand Host Integrity module provides the ability to define, enforce, and restore the security of clients in order to secure enterprise networks and data. Host Integrity rules can be set up to verify that clients attempting network access are running antivirus software, personal firewall software, service packs, and patches. Virtual Desktop Email Data protection via virtualization and encryption of the file system combined with restricted system access. The Symantec On-Demand Virtual Desktop is an encrypted space in which a user has an online session using a browser. It is transparent and fully secure, requiring only a browser for access. Malicious Code Prevention/Application Control/Authorized Modules/Authorized Drivers Detect and prevent keyloggers, screen scrapers and account creation via behavioral and signature-based engines. Permit or
About Symantec On-Demand Protection for Outlook Web Access Version 3.0 Using Symantec On-Demand Protection with Microsoft Outlook Web Access 9 deny the execution of specific applications, modules or drivers within the Virtual Desktop. Connection Control Outbound connection blocking from endpoint based on domain/url, IP, or port. Cache Cleaner Data sanitization via deletion of browser history, downloaded data, temporary files, and cookies. An On-Demand location is the type of site from which a user connects to the corporate network to check email. Settings and options for the Symantec On-Demand Agent can be different based on the location from which the user is trying to connect. Typical locations include Work, Home, Remote, and Unknown. Symantec On-Demand Agent can be used to define as many locations as needed and each location can be configured with different settings and options. The On-Demand Agent settings and options are set and modified with the On-Demand Manager. Once you have selected the options and settings you want per location, the On-Demand Manager generates all of the required Agent files for you to upload to your Outlook Web Access server. You can then start providing protection with the On-Demand Agent to your users while they access their emails. Using Symantec On-Demand Protection with Microsoft Outlook Web Access On-Demand Protection and OWA integration require Cookie enforcement. Cookie enforcement is performed in eight steps. To configure Cookie enforcement 1 Install Symantec On-Demand Manager on a separate desktop. 2 Configure the Symantec On-Demand agent policies. 3 Move the Symantec On-Demand Agent directory to the IIS/Exchange Outlook Web Access Server. 4 Configure the Virtual Desktop Success URL and cookies. 5 Create a New Virtual Directory Named SecureMail to point to the On-DemandAgent Folder. 6 Edit SodaURLCookie.txt to point to the Exchange Server Directory. 7 Configure the ISAPI filter. 8 Restart the IIS/Exchange Outlook Web Access server Symantec On-Demand Protection provides a secure virtual workspace where the desktop of the endpoint is actually cloned and separated from the original desktop.
10 About Symantec On-Demand Protection for Outlook Web Access Version 3.0 Evaluation key The security policy aims to protect the information by encrypting and securing any data written to the hard drive. Additionally, it can enable the enforcement of policies that prevent the user from copying and pasting information, creating screen captures, and printing. Additionally, its outbound firewall disrupts Malware and Spyware communication. Note: For more information about the 8 steps required to integrate On-Demand Protection with OWA, and for detailed On-Demand/OWA deployment strategies for Small-Medium Business networks, High Availability networks, Enterprise-level networks, and ISA Firewall network installations, refer to the Symantec On-Demand Protection for Outlook Web Access Implementation Guide. Evaluation key If you have been given an Evaluation key, it has certain capabilities and a time period during which it is valid. If you have a full registration key, there is no time limit. Click License from the Options menu to review your licensed capabilities in the License Information dialog box. Planning On-Demand Protection policies Before you begin configuring your security policies using On-Demand Protection, you may want to plan protection strategies. Start with the following considerations: What kinds of endpoint machines will your users use: corporate-owned assets used offsite, home computers, public kiosks? What kind of On-Demand protection strategies do you want to enforce for users using corporate owned assets (versus unknown computers) when accessing Outlook Web Access? Symantec On-Demand can be used with Microsoft Outlook Web Access (OWA) deployment to secure endpoints that access your network. The following table shows a sample configuration of On-Demand modules based on the type of device and/or its location so as to determine the policies that need to be enforced on the endpoint. Table 1-1 shows a sample configuration of On-Demand modules based on the type of device and its location as a means for determining the policies that need to be enforced on the endpoint.
About Symantec On-Demand Protection for Outlook Web Access Version 3.0 Symantec On-Demand workflows 11 Table 1-1 Planning protection strategies Location Location Criteria Symantec On-Demand Modules Host Integrity Checks Virtual Desktop Settings Cache Cleaner Settings Office IP Range Host Integrity Antivirus None None Firewall OS patches Remote (using corporatecontrolled computer) Registry check for HKEY_LOCAL_ MACHINE = company_name Host Integrity Virtual Desktop Personal Firewall Antivirus Enable printing Allow writing to removable USB storage devices None Other (using non-controlled computer) All users who do not meet the criteria for Office or Remote Host Integrity Virtual Desktop Personal Firewall Antivirus Service Packs Enable automatic switch Enable file separation None Terminate Virtual Desktop on browser termination Symantec On-Demand workflows A series of generalized workflow steps for usage of Symantec On-Demand Protection for Outlook Web Access are provided as follows. To use Symantec On-Demand Protection for Outlook Web Access in general 1 Launch Symantec On-Demand Manager. 2 Define locations to be protected. 3 Configure the protection options for each location. 4 Deploy the On-Demand Agent files to the appropriate Outlook Web Access server(s). 5 Verify the On-Demand Agent execution on client machines. For example, a browser search on the client machine will pop-up the On-Demand Virtual Desktop. 6 Test the running of Symantec On-Demand Protection at client endpoints.
12 About Symantec On-Demand Protection for Outlook Web Access Version 3.0 Symantec On-Demand workflows
Chapter 2 Installing Symantec On-Demand Protection This chapter includes the following topics: On-Demand Manager generates On-Demand Agents Minimum installation requirements Installing Symantec On-Demand Protection On-Demand Manager generates On-Demand Agents This section describes how to install Symantec On-Demand Manager which is used to configure and generate the On-Demand Agents that are in turn configured to protect specified locations or endpoints. When you have configured the options and selected the desired location settings or adaptive policies, the On-Demand Manager generates all of the required files for you to put on your Outlook Web Access server. After the On-Demand Agent files are generated per your defined policies and configuration settings, you will move them to your Outlook Web Access server, after which you can start providing the On-Demand Agent directly to your users. See Generating On-Demand Agent files on page 25. Minimum installation requirements To install Symantec On-Demand Protection Manager, be sure your environment includes the following minimum requirements:
14 Installing Symantec On-Demand Protection Minimum installation requirements Windows 2000 Server, Windows Server 2003 32-bit editions, Windows 2000 Pro, Windows XP 32-bit editions, and all 32-bit editions of Windows Vista Pentium 633MHz or faster 128 MB RAM 20 MB available hard disk space Administrator privileges Java Runtime Environment (JRE) version 1.5.0 or 1.6.0. On-Demand Agent downloaded to endpoint computers The downloaded On-Demand Agent requires less than 1 MB of hard disk space. After the agent is downloaded to a client computer, it uncompresses and installs on that network endpoint. The agent requires a total of 5 MB of hard disk space. The size of the On-Demand Agent files depends on which modules are downloaded and implemented. Table 2-1 lists the size of each individual module during the download to the client. These numbers represent compressed file sizes on the server; the files are then expanded and deployed on the client. Table 2-1 Module Sizes on download to client machine Module Virtual Desktop Host Integrity Cache Cleaner Module Size for Windows XP/ 2003/2000 591 KB 490 KB 421 KB Module Size for Windows Vista 565 KB 490 KB 421 KB Note: On-Demand Agent modules share common files. Therefore, when On-Demand modules are downloaded individually to the client endpoint, their file sizes are larger than when downloaded in combination. For example, if you download both the Virtual Desktop and Host Integrity modules at the same time, the combined file size is only 701KB, whereas the Virtual Desktop alone is 591 KB. In the case of Virtual Desktop, because the underlying file system and registry are virtualized and encrypted, more space is required after the agent is downloaded. If the user runs an application that accesses user data from the regular desktop, more space may be required, because the data files themselves are virtualized and encrypted.
Installing Symantec On-Demand Protection Installing Symantec On-Demand Protection 15 Installing Symantec On-Demand Protection Use the following instructions to install Symantec On-Demand Protection for Outlook Web Access Note: Symantec On-Demand is officially supported only on English-language operating systems at this time, but the English versions of On-Demand Manager and Agent may work on non-english operating systems as well. To install Symantec On-Demand Protection 1 Download the Symantec On-Demand Protection software from the Symantec server or copy from the product CD. 2 Locate and double-click the downloaded SymantecOn-Demand.exe file. The installer runs and installs the application on your computer. 3 When you are prompted, enter your name, company name, and serial number. The serial number determines the options that are active in your version of On-Demand Protection. Be certain to enter the company name and license number carefully; they must match your registration confirmation exactly.
16 Installing Symantec On-Demand Protection Installing Symantec On-Demand Protection
Chapter 3 Running Symantec On-Demand Protection This chapter includes the following topics: Launching the On-Demand Manager Configuring the On-Demand Agent to implement protection policies Running the Virtual Desktop on client computers Running Host Integrity on client computers Launching the On-Demand Manager When the installation is complete, launch the On-Demand application from the Windows Start menu. The On-Demand Manager application loads and the main screen displays. To begin running Symantec On-Demand Protection for Outlook Web Access, first define the locations to be secured, then select the modules to be enabled per location. Lastly, configure the settings to be applied to your locations. Configuring the On-Demand Agent to implement protection policies To set up On-Demand Protection to implement your security policies at specified locations, use On-Demand Manager to perform three categories of configuration: Create your locations. Define the modules to load in each location.
18 Running Symantec On-Demand Protection Configuring the On-Demand Agent to implement protection policies Define the actions to be taken in those locations. For example, to create locations for Office, Remote, ot Other, use an IP address range to identify the endpoints that access your server from the Office location, and a registry check to identify endpoints using a company-owned computer from another location (Remote). All endpoints tha do not match any checking criteria are routed to Other. After your locations are created, you can define the protection modules to load in each location. For example, in the Remote location, you may want to implement the Host Integrity and Virtual Desktop modules. After you define the modules, define specific actions for these modules in each location. For example, in the Virtual Desktop module for Remote endpoints, you may want to allow users to print and copy information to removable USB media, while in the Other location you might want to force users to work only within the Virtual Desktop (Enable Automatic Switch) and to work with copies of files rather than the real versions (Enable File Separation). You may also want to terminate the Virtual Desktop when the browser session is terminated to ensure that the Virtual Desktop session does not remain active indefinitely on kiosks or shared computers. Note: For information about configuring locations, refer to the Implementation Guide for Symantec On-Demand Protection. Table 3-1 shows how to implement your security policies per location. Table 3-1 Protection policies per location Location Module Policy Success Action Failure Action Office (IP Range) Host Integrity Antivirus1, Antivirus 2, etc. www.yoursite.com/ hisuccess.htm Popup dialog displays; www.yoursite.com/ hifail.htm Remote (Registry Key) Host Integrity Personal Firewall1, Antivirus1, etc. Load the next module; www.yoursite.com/ hisuccess.htm Next module does not load; popup dialog displays; www.yoursite.com/ hifail.htm Virtual Desktop Enable printing, Allow writing to removable USB Virtual Desktop loads; www.yoursite.com/ vdsuccess.htm
Running Symantec On-Demand Protection Running the Virtual Desktop on client computers 19 Table 3-1 Protection policies per location (continued) Location Module Policy Success Action Failure Action Other Host Integrity Personal Firewall, Antivirus Load the next module; www.yoursite.com/ hisuccess.htm Next module does not load; popup dialog displays; www.yoursite.com/ hifail.htm Virtual Desktop Enable automatic switch, Enable file separation, Virtual Desktop loads; www.yoursite.com/ vdsuccess.htm Terminate Virtual Desktop on browser close Running the Virtual Desktop on client computers The On-Demand Virtual Desktop runs on computers meeting the following specifications: Pentium 633MHz or faster; For Vista: 1 GHz 256 MB RAM; For Vista: I GB RAM 25 MB MINIMUM available hard disk space is required for Agent to download and launch VD; For Vista: 100 MB MINIMUM available hard disk space required for Agent to download and launch the Virtual Desktop. Note: If the Virtual Desktop is not selected for use, then the system does not require 25 or 100 MB hard disk space. If you are selecting Host Integrity or Cache Cleaner instead, 5MB of free hard disk space is required. Be mindful that more space may be required for your computer to run smoothly after the Agent is downloaded because user data files must be virtualized for successful launch of certain applications. Windows Server 2003 32-bit editions, Windows 2000 Pro, Windows 2000 Server, Windows XP 32-bit editions, and all 32-bit editions of Windows Vista Browser: Internet Explorer 6.0 or 7.0, Netscape 8.1, Firefox 1.5 or 2.0 Java Runtime Environment (JRE) version 1.4.2, 1.5, or 1.6
20 Running Symantec On-Demand Protection Running Host Integrity on client computers Running Host Integrity on client computers Symantec On-Demand Host Integrity runs on computers meeting the following specifications: Pentium 633MHz or faster 128 MB RAM 5 MB available hard disk space required for Agent to download Windows Server 2003 32-bit editions, Windows 2000 Pro, Windows 2000 Server, Windows XP 32-bit editions, and all 32-bit editions of Windows Vista Browser: Internet Explorer 6.0 or 7.0, Netscape 8.1, Firefox 1.5 or 2.0 Java Runtime Environment (JRE) version 1.4.2, 1.5, or 1.6
Chapter 4 Previewing On-Demand Agents This chapter includes the following topics: Previewing On-Demand Agent files Previewing Host Integrity Previewing Virtual Desktop Previewing On-Demand Agent files Preview On-Demand Agents to view the results of your location configuration and module settings in the user environments you created. Preview the modules your user will see before you upload the On-Demand Agent files to your Web server.
22 Previewing On-Demand Agents Previewing Host Integrity To preview On-Demand Agent files 1 Click Preview (next to the Apply button). The On-Demand Manager launches the program that your users see, so that you can verify that the configured protection modules works as you designed them. When you are satisfied with the results of your testing, you can then deploy Agent files to your server. 2 As you preview modules with the On-Demand Manager, be sure to click Apply, at the top right corner of the primary dialog box, to confirm your changes and to save your work. You can also click File > Save. Previewing Host Integrity Either action Apply or File > Save generates the On-Demand Agent files that you will deploy to your server for use at specified locations and endpoints. If you opted to implement the Host Integrity module, endpoint users connecting to your network will download an Agent that performs host integrity checking. If any of the On-Demand Protection checks fail, users will see a preview message that explains the reason for the failure. Figure 4-1 shows the reason for the failure. Figure 4-1 Host Integrity preview message If you chose to provide a failure URL during configuration of this module, users will be taken to that URL. If you choose to remediate, users will be taken to the configured remediation page when they click Remediate at which point they are
Previewing On-Demand Agents Previewing Virtual Desktop 23 given the opportunity to remediate by downloading the appropriate or required software (antivirus, personal firewall, patch, etc.) Previewing Virtual Desktop If you implement the Virtual Desktop module, endpoint users connecting to your network will download an Agent that installs and launches the Virtual Desktop. Figure 4-2 shows the Virtual Desktop. Figure 4-2 Virtual Desktop preview To display Virtual Desktop options (About, Help, Run Web Browser, Switch Desktop, Exit), right-click the Taskbar lock icon. When the browser session is terminated or the inactivity time-out period has elapsed, the On-Demand Agent sanitizes the system, disabling or erasing all data from the session. Note: Data is not protected or sanitized after closing if it is created on the regular desktop. Only the On-Demand Virtual Desktop offers security and data protection.
24 Previewing On-Demand Agents Previewing Virtual Desktop
Chapter 5 Generating and Uploading On-Demand Agent files This chapter includes the following topics: Generating On-Demand Agent files Uploading On-Demand Agent files to your web server Generating On-Demand Agent files To generate files for the On-Demand Agent 1 Save any recent configuration or settings changes by clicking Apply at the top right corner of the On-Demand Manager screen or, alternatively, by clicking File > Save. 2 Review your configurations and selections by previewing them: Click the Preview button located next to the Apply button. Previewing saves all of your location and module configurations as Agent files and places them in the On-DemandAgent folder at: C:\Program Files\Symantec\Symantec On-Demand Next, you will copy the entire contents of the On-DemandAgent folder and upload it to your web server.
26 Generating and Uploading On-Demand Agent files Uploading On-Demand Agent files to your web server Uploading On-Demand Agent files to your web server To upload the generated On-DemandAgent folder s files 1 Navigate to the folder in which the On-Demand Manager has placed the Agent files (C:\Program Files\Symantec\Symantec On-Demand) and copy the entire OnDemandAgentfolder to your IIS/Exchange server for OWA integration. Note: Be sure you have configured locations and settings with the On-Demand Manager, including setting up your endpoint modules such as Host Integrity and Virtual Desktop. 2 Be sure you have saved your settings by clicking File Save in the On-Demand Manager screen, or by clicking Apply. This action generates all of the required On-Demand Agent files. They are stored in your On-DemandAgent folder by default inc:\program Files\Symantec\Symantec On-Demand\On-DemandAgent. 3 Transfer the contents of this folder to your IIS/Exchange - Outlook Web Access server. 4 Use the On-Demand Agent home page (index.htm), generated by the On-Demand Manager, as your Web server home page; it initiates the On-Demand agent download. This is the page that your users are directed in order to trigger the On-Demand agent download. 5 The On-Demand Agent creates a secure environment on the user s computer and then opens the protected web page (or any other page that you have set as a Success URL page). For more information about success or failure URLs, refer to the Implementation Guide for Symantec On-Demand Protection for Outlook Web Access. 6 After the Virtual Desktop, Host Integrity and other modules are installed, the Virtual Desktop opens and the page configured at step one loads automatically and takes users to their Outlook Webmail authentication page, which is now formally protected.
Chapter 6 Enforcement for Symantec On-Demand for Outlook Web Access This chapter includes the following topics: Types of Enforcement Types of Enforcement Enforcer integration is available in Symantec On-Demand for Outlook Web Access as Enforcement for Internet Information Services (IIS) Web Server and as Microsoft ISA Firewall Web Filter. Enforcement for Internet Information Services (IIS) Web Server Enforcement for Internet Information Services (IIS) Web Server prevents bypass of On-Demand security for Outlook Web Access. Symantec On-Demand uses cookies to control network access. When a Symantec On-Demand module is running, the specified cookie is available to the current browser session, and a server-side ISAPI filter can be configured to check if the required cookie is included and allowed; if not allowed, it might block the request based on the results. This HTTP packet filter also allows administrators to control access to specific IIS directories. Microsoft ISA Firewall Web Filter Microsoft ISA Firewall is used to protect the IIS/Exchange - Outlook Web Access server. When ISA Firewall Web Filter is configured, a Web Filter can be installed on the Firewall to enforce On-Demand Agent loading on the endpoint before the user can access webmail. The Web filter works similar to
28 Enforcement for Symantec On-Demand for Outlook Web Access Types of Enforcement the ISAPI filter in that it verifies the specified cookie and controls access to specific directories/urls on the Outlook Web Access server. Note: For more information about On-Demand IIS-ISAPI and ISA Web Filter enforcement configuration, refer to the Implementation Guide for Symantec On-Demand Protection for Outlook Web Access.