McAfee(R) Email and Web Security Virtual Appliance 5.6 Installation Guide




COPYRIGHT

Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

License Attributions

Refer to the product Release Notes.

Contents

Introducing McAfee Email and Web Security Virtual Appliance
    Introduction to the virtual appliance features
    How to use this guide
    Who should read this guide
    What you get in the virtual appliance download package
    Graphical conventions
    Documentation
    Available resources

Preparing to Install the Virtual Appliance
    Considerations before installing the virtual appliance
    Network information you need to collect
    Operating modes and how they affect network connections
    Explicit proxy mode
    Network and device configuration
    Protocols
    Firewall rules
    Where to place the device
    Deployment strategies for using the device in a DMZ
    SMTP configuration in a DMZ
    Mail relay
    Mail gateway
    Workload management
    System requirements
    Sample installation scenarios
    Running the virtual appliance as the only virtual machine on the host
    Running the virtual appliance with other virtual machines

Installing the Virtual Environment
    Overview of the virtual appliance installation process
    Installation best practices
    Downloading the virtual appliance software
    Installing the virtual appliance on VMware vSphere and VMware vSphere Hypervisor (ESXi)
    Improving performance on VMware vSphere
    Installing the virtual appliance on VMware ESX or VMware ESXi

A Tour of the Interface
    The user interface
    Dashboard status information and configuration options

Testing the Virtual Appliance Configuration
    Testing connectivity
    Updating the DAT files
    Testing mail traffic and virus detection
    Testing spam detection
    Testing web traffic and virus detection

Exploring the Virtual Appliance Features
    Scanning policies and how they affect your network
    Scanning for content using email compliance rules
    Preventing loss of sensitive data
    Dealing with quarantined messages
    Monitoring spam detection
    Monitoring web-based activity using the default URL filtering settings and SiteAdvisor
    Controlling user access by role

Additional Configuration Options
    Upgrading to Email and Web Security Virtual Appliance 5.6
    Installing the virtual appliance on VMware Server 2.0 running on Microsoft Windows
    Installing the virtual appliance on VMware Server 1.0 running on Microsoft Windows
    Running a virtual appliance on VMware Server in a transparent operating mode
    Running a virtual appliance on VMware ESX, VMware vSphere, or VMware ESXi in a transparent operating mode
    Changing the default Power Off and Reset actions
    Configuring the shutdown and restart option
    Converting from a VMtrial installation

Troubleshooting the Virtual Appliance
    The appliance is not receiving traffic from the network
    Interface problems
    Mail issues
    POP3
    Physical configuration issues
    Anti-virus automatic updating issues
    Anti-spam issues

Introducing McAfee Email and Web Security Virtual Appliance

McAfee Email and Web Security Virtual Appliance delivers comprehensive, enterprise-class protection against web and email threats in an integrated and simple-to-manage virtual machine.

The Email and Web Security Virtual Appliance runs on the following VMware virtual platforms:
- VMware vSphere 4.x and VMware vSphere Hypervisor (ESXi) 4.x
- VMware ESX 3.5 and VMware ESXi 3.5
- VMware Server 2.0 and VMware Server 1.0

Contents
- Introduction to the virtual appliance features
- How to use this guide
- Who should read this guide
- What you get in the virtual appliance download package
- Graphical conventions
- Documentation
- Available resources

Introduction to the virtual appliance features

This information describes the features of the McAfee Email and Web Security Virtual Appliance and where to locate them in the product interface:
- Table 1: Email and Web scanning features
- Table 2: Reporting and System features

NOTE: Instructions on how to use some of these features can be found later in this document.

Table 1: Email and Web scanning features

Comprehensive scanning protection
    Email and Web Security Virtual Appliance offers anti-virus and anti-spam protection for the following network protocols:
    - SMTP
    - POP3
    - HTTP
    - FTP
    - ICAP

Anti-virus protection
    Location: Email | Email Policies | Scanning Policies [Anti-Virus]
    Location: Web | Web Policies | Scanning Policies [Anti-Virus]
    Reduce threats to all protocol traffic using:
    - Anti-virus settings to identify known and unknown virus threats in archive files and other file types.
    - Other threat detection settings to detect viruses, potentially unwanted programs, packers, and other malware.
    - McAfee Global Threat Intelligence file reputation to complement the DAT-based signatures by providing the appliances access to millions of cloud-based signatures. This reduces the delay between McAfee detecting a new malware threat and its inclusion in DAT files, providing broader coverage.

Anti-spam protection
    Location: Email | Email Policies | Scanning Policies [Spam]
    Reduce spam in SMTP and POP3 email traffic using:
    - The anti-spam engine, and the anti-spam and anti-phishing rule sets.
    - Lists of permitted and denied senders.
    - McAfee Global Threat Intelligence message reputation to identify senders of spam email messages.
    - Permit and deny lists that administrators and users can create using a Microsoft Outlook plug-in (user-level only).
    Detect phishing attacks and take the appropriate action.

McAfee Global Threat Intelligence feedback
    Location: Email | Email Policies | Scanning Policies | McAfee GTI feedback
    Location: System | Setup Wizard | Traffic
    McAfee analyzes data about detections and alerts, threat details, and usage statistics from a broad set of customers to combat electronic attacks, protect vulnerable systems from exploit, and thwart cyber crime. By enabling this feedback service in your product, you will help us improve McAfee Global Threat Intelligence, thereby making your McAfee products more effective, as well as help us work with law enforcement to address electronic threats.

Compliance Settings
    Location: Email | Email Policies | Scanning Policies [Compliance]
    Location: Web | Web Policies | Scanning Policies [Compliance]
    This release of the McAfee Email and Web Security Appliance software includes enhancements to the way the appliance uses compliance rules:
    - In the Compliance policy, use the Rule Creation wizard to specify the inbuilt dictionaries that you want to comply with, or create a new rule using an existing rule as a template.
    - Use the Mail size filtering and File filtering policies to check SMTP email messages for true file types and take action on email based on size and number of attachments.

Data Loss Prevention
    Location: Email | Email Policies | Scanning Policies [Data Loss Prevention]
    Use the Data Loss Prevention policy to upload and analyze your sensitive documents (known as training) and to create a fingerprint of each document.

Message Search
    Location: Email | Message Search
    From a single location within the user interface, Message Search allows you to confirm the status of email messages that have passed through the appliance. It provides you with information about the email, including whether it was delivered or blocked, if the message bounced, if it was quarantined, or held in a queue pending further action.

Quarantine features
    Location: Email | Quarantine Configuration | Quarantine Options
    - Quarantine digests: Allow users to handle quarantined items without involving the email administrator.
    - McAfee Quarantine Manager: Consolidate quarantine management for McAfee products.

Message Transfer Agent
    - Reroute traffic on-the-fly based on criteria set by the administrator. For example, encrypted mail can be rerouted for decryption.
    - Allow the administrator to determine the final status of each message.
    - See a quick view summary of inbound email messages by domain with drill-down facilities per domain and undeliverable email by domain.
    - Prioritize the redelivery of undeliverable email based on domain.
    - Pipeline multiple email deliveries to each domain.
    - Rewrite an email address on inbound and outbound email based on regular expressions defined by the administrator.
    - Strip email headers on outbound messages to hide internal network infrastructure.
    - Deliver messages using TLS.
    - Manage certificates.

Web reputation and categorization
    Location: Web | Web Policies | Scanning Policies [Web reputation and Categorization]
    McAfee SiteAdvisor Web Reputation
    Create lists of permitted and denied websites, permit access according to their category using McAfee SiteAdvisor Web Reputation, and carry out remote URL category lookups. You can also specify periods when the access to websites can vary. For example, allow access to sites classified as Monitor Access during the daytime.
    SiteAdvisor classifies sites according to their behavior or reputation, enabling policies on the appliance to block access or issue warnings about unsuitable websites. It reduces nuisances such as spam and adware that users might receive from some websites.
    McAfee Global Threat Intelligence Web Categorization
    Global Threat Intelligence Web Categorization provides a simple-to-configure feature that enables your organization to understand, filter, control, and monitor Internet usage. With group-based policies and more than 90 web categories, the filtering capabilities can apply policies to users and groups based on their specific requirements. This provides you with the flexibility and controls you need to keep users safe and productive while on the web.

ICAP support
    Location: Web | Web Configuration | ICAP
    Pass HTTP messages from ICAP clients to ICAP servers for processing or transformation (adaptation). Email and Web Security Virtual Appliance supports the ICAP 1.0 protocol and acts as an ICAP server.

Table 2: Reporting and System features

Scheduled Reports
    Location: Reports | Scheduled Reports
    Schedule reports to run on a regular basis and send them to one or more email recipients.

Logging options
    Location: System | Logging, Alerting and SNMP
    You can configure the appliance to send emails containing information about viruses and other detected threats, and to use SNMP to transfer information from your appliance. You can also configure the appliance to use WebReporter to provide detailed reports about your users' web browsing and use 3rd party integration for system logging (syslog) reporting using ArcSight and Splunk monitoring systems.

Dashboard statistics
    Location: Dashboard
    The Dashboard provides a single location for you to view summaries of the activities of the appliance, such as the email flowing through the appliance, the web traffic being scanned, and the overall system health of the appliance. You can also configure a list of links to tasks that you often use.

ePolicy Orchestrator management of appliances
    Location: System | Setup Wizard | ePO Managed Setup
    You can monitor the status of your appliances and also manage your appliance from ePolicy Orchestrator. You can directly manage your appliances from ePolicy Orchestrator, without needing to launch the interface for each appliance. In ePolicy Orchestrator, the user interface pages that you use to configure and manage your Email and Web Security Appliances have a familiar look-and-feel to the pages that you find within the appliances.

Cluster Management
    Location: System | Cluster Management
    Cluster management enables you to set up groups of appliances that work together to share your scanning workloads, and to provide redundancy in the event of hardware failure. From these pages you can back up and restore your configurations, push configurations from one appliance to others, and set up load balancing between your appliances.

Virtual Hosts
    Location: System | Virtual Hosting | Virtual Hosts
    For the SMTP protocol, you can specify the addresses where the appliance receives or intercepts traffic on the Inbound Address Pool. Using virtual hosts, a single appliance can appear to behave like several appliances. Each virtual appliance can manage traffic within specified pools of IP addresses, enabling the appliance to provide scanning services to traffic from many customers.

Role-based Access Control
    Location: System | Users, Groups and Services | Role-Based User Accounts
    In addition to the Kerberos authentication method, RADIUS authentication is also available.

Internal Rescue Image
    Location: System | Appliance Management | System Administration | Manage Internal Rescue Image
    When managing your Email and Web Security appliances, having the image for each appliance stored on a protected partition on the hard disk of each appliance enables you to remotely reimage your appliances. The rescue image negates the requirement for remote access cards to be fitted to your appliance (if you have suitable appliance models) for the appliances to be reimaged from a remote location. In addition to installing the software image on the protected partition, you can also create a bootable image on a USB drive for your appliances.

How to use this guide

This guide helps you to:
- Plan and perform your installation.
- Become familiar with the interface.
- Test that the product functions correctly.
- Apply the latest detection definition files.
- Explore some scanning policies, create reports, and get status information.
- Troubleshoot basic issues.

You can find additional information about the product's scanning features in the online Help.

Who should read this guide

The information in this guide is intended primarily for network administrators who are responsible for their company's anti-virus and security program.

What you get in the virtual appliance download package

The Email and Web Security Virtual Appliance package is a .zip file that contains the software installation files. There are two package types available on the McAfee download site for you to choose from depending on your virtual environment:
- vSphere 4.x users
- All other VMware supported products

NOTE: The download package does not contain the VMware product installation files. If you do not already have your virtual software set up, go to the VMware website (http://www.vmware.com) to purchase VMware vSphere, or download VMware Server or VMware vSphere Hypervisor (ESXi).

Graphical conventions

Figures in this guide use the following symbols:
- Internet
- Mail server
- Other server (such as DNS server)
- User or client computer
- Router
- Switch
- Firewall
- Network zone (DMZ or VLAN)
- Network
- Actual data path
- Perceived data path

Documentation

This guide is included with your product. Additional information is available in the online Help included with the product, and other documentation available from the http://mysupport.mcafee.com website.

Available resources

This information describes where to get more information and assistance.

McAfee products
    McAfee KnowledgeBase. Go to https://mysupport.mcafee.com/eservice/default.aspx and click Search the KnowledgeBase.

VMware operating environment
    VMware website. Go to http://www.vmware.com/, and click Support & Downloads on the Links bar. Under Support Resources, select Knowledge Base.

Product Guide
    McAfee download site. Includes information about basic concepts, policies, protocols (SMTP, POP3, FTP, HTTP, and ICAP), maintenance, and monitoring. You will need your grant ID number.

Online Help
    Product interface. Includes information about basic concepts, policies, protocols (SMTP, POP3, FTP, HTTP, and ICAP), maintenance, and monitoring.

Preparing to Install the Virtual Appliance This information helps you prepare your environment and presents topics to consider before you install the McAfee Email and Web Security Virtual Appliance. Contents Considerations before installing the virtual appliance Network information you need to collect Operating modes and how they affect network connections Explicit proxy mode Deployment strategies for using the device in a DMZ System requirements Considerations before installing the virtual appliance Consider the following before you start the installation process: Choose your virtual environment: VMware vsphere, VMware vsphere Hypervisor (ESXi), or VMware Server. To achieve optimum performance and throughput in a virtual environment, McAfee recommends that you run the virtual appliance on VMware vsphere. VMware Server is suited to smaller deployments. Use the virtual appliance within your organization behind a correctly configured firewall. The virtual appliance is not a mail server. You must configure your firewall, mail server, and other equipment to route email traffic to the virtual appliance. The virtual appliance is not a web server or a caching web proxy server. Do not store or install extra software and files on the virtual appliance unless instructed by the documentation or your support representative. The virtual appliance cannot handle all types of traffic. Explicit proxy mode can route only supported protocols through the virtual appliance. Decide whether you want to use the out of band management interface. Network information you need to collect Gather the following information to complete the configuration: Protocols to scan (HTTP, SMTP, FTP, POP3, ICAP) Host name 13

Preparing to Install the Virtual Appliance Operating modes and how they affect network connections Domain name Default gateway LAN1 port IP address and subnet mask LAN2 port IP address and subnet mask Out of band management interface IP address and subnet mask DNS server IP address Operating modes and how they affect network connections The McAfee Email and Web Security Virtual Appliance can run in three operating modes. Before you install and configure your appliance, you must decide which mode to use. The following operating modes are available: Explicit proxy mode The virtual appliance acts as a proxy server and a mail relay. Transparent router mode The virtual appliance acts as a router. Transparent bridge mode The virtual appliance acts as an Ethernet bridge. The mode you choose determines how you physically connect your virtual appliance to your network. McAfee recommends that you run your virtual appliance in explicit proxy mode. Virtual appliances that run in either of the transparent modes are more difficult to set up and maintain in a virtual environment. Explicit proxy mode In explicit proxy mode, some network devices must be set up explicitly to send traffic to the device. The device then works as a proxy or relay, processing traffic on behalf of the devices. Explicit proxy mode is best suited to networks where client devices connect to the device through a single upstream and downstream device. TIP: This might not be the best option if several network devices must be reconfigured to send traffic to the device. Network and device configuration If the device is set to explicit proxy mode, you must explicitly configure your internal mail server to relay email traffic to the device. The device scans the email traffic before forwarding it, on behalf of the sender, to the external mail server. The external mail server then forwards the email message to the recipient. 14

Preparing to Install the Virtual Appliance Explicit proxy mode In a similar way, the network must be configured so that incoming email messages from the Internet are delivered to the device, not the internal mail server. Figure 1: Relaying email traffic The device scans the traffic before forwarding it, on behalf of the sender, to the internal mail server for delivery, as shown in Figure 1: Relaying email traffic. For example, an external mail server can communicate directly with the device, although traffic might pass through several network servers before reaching the device. The perceived path is from the external mail server to the device. Protocols To scan a supported protocol, you must configure your other network servers or client computers to route that protocol through the device, so that no traffic bypasses the device. Firewall rules Explicit proxy mode invalidates any firewall rules set up for client access to the Internet. The firewall sees only the IP address information for the device, not the IP addresses of the clients, so the firewall cannot apply its Internet access rules to the clients. Where to place the device Configure the network devices so that traffic needing to be scanned is sent to the device. This is more important than the location of the device. The router must allow all users to connect to the device. Figure 2: Explicit proxy configuration 15

The device must be positioned inside your organization, behind a firewall, as shown in Figure 2: Explicit proxy configuration. Typically, the firewall is configured to block traffic that does not come directly from the device. If you are unsure about your network's topology and how to integrate the device, consult your network expert.

Use this configuration if:
- The device is operating in explicit proxy mode.
- You are using email (SMTP).

For this configuration, you must:
- Configure the external Domain Name System (DNS) servers or Network Address Translation (NAT) on the firewall so that the external mail server delivers mail to the device, not to the internal mail server.
- Configure the internal mail servers to send email messages to the device. That is, the internal mail servers must use the device as a smart host.
- Ensure that your client devices can deliver email messages to the mail servers within your organization.
- Ensure that your firewall rules are updated. The firewall must accept traffic from the device, but must not accept traffic that comes directly from the client devices.
- Set up rules to prevent unwanted traffic entering your organization.

Deployment strategies for using the device in a DMZ

A demilitarized zone (DMZ) is a network separated by a firewall from all other networks, including the Internet and other internal networks. The typical goal behind the implementation of a DMZ is to lock down access to servers that provide services to the Internet, such as email. Hackers often gain access to networks by identifying the TCP/UDP ports on which applications are listening for requests, then exploiting known vulnerabilities in applications. Firewalls dramatically reduce the risk of such exploits by controlling access to specific ports on specific servers.

The device can be added easily to a DMZ configuration. The way you use the device in a DMZ depends on the protocols you intend to scan.

Contents
SMTP configuration in a DMZ

The DMZ is a good location for encrypting mail. By the time the mail traffic reaches the firewall for the second time (on its way from the DMZ to the internal network), it has been encrypted.

Devices which scan SMTP traffic in a DMZ are usually configured in explicit proxy mode. Configuration changes need only be made to the MX records for the mail servers.

NOTE: You can use transparent bridge mode when scanning SMTP within a DMZ. However, if you do not control the flow of traffic correctly, the device scans every message twice, once in each direction. For this reason, explicit proxy mode is usually used for SMTP scanning.
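The firewall requirements stated for explicit proxy mode (inbound mail is delivered to the device rather than the internal mail server, and outbound traffic is accepted only from the device) can be checked against a rule set before mail flow is switched over. The following is an added example, not part of the McAfee guide: the addresses, the rule format, and the first-match, default-deny evaluation are assumptions chosen for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str          # "allow" or "deny"
    src: str             # source network, CIDR
    dst: str             # destination network, CIDR
    port: Optional[int]  # TCP destination port; None matches any port


# Constructed sample addresses, not values from the guide.
DEVICE = "10.0.0.10"           # scanning device (explicit proxy / smart host)
MAIL_SERVER = "10.0.0.25"      # internal mail server
CLIENT = "10.0.1.50"           # client workstation
EXTERNAL_MTA = "198.51.100.7"  # mail server on the Internet
SMTP = 25

# Flows that cross the firewall and the decision the guide's text requires.
REQUIRED = [
    ("inbound mail reaches the device", EXTERNAL_MTA, DEVICE, "allow"),
    ("inbound mail cannot reach the mail server directly", EXTERNAL_MTA, MAIL_SERVER, "deny"),
    ("device may send mail out", DEVICE, EXTERNAL_MTA, "allow"),
    ("clients cannot send mail out directly", CLIENT, EXTERNAL_MTA, "deny"),
    ("mail server must relay through the device", MAIL_SERVER, EXTERNAL_MTA, "deny"),
]


def decide(rules, src, dst, port):
    """Return the action of the first matching rule; no match means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (s in ipaddress.ip_network(rule.src)
                and d in ipaddress.ip_network(rule.dst)
                and rule.port in (None, port)):
            return rule.action
    return "deny"


def audit(rules):
    """List every required SMTP flow whose actual decision differs."""
    findings = []
    for label, src, dst, expected in REQUIRED:
        actual = decide(rules, src, dst, SMTP)
        if actual != expected:
            findings.append(f"{label}: {src} -> {dst}:{SMTP} is {actual}, expected {expected}")
    return findings


# Weak: SMTP open to the whole server subnet, any internal host may go out,
# and a late deny that first-match evaluation never reaches.
WEAK = [
    Rule("allow", "0.0.0.0/0", "10.0.0.0/24", SMTP),
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", None),
    Rule("deny", "10.0.1.0/24", "0.0.0.0/0", SMTP),
]

# Corrected: only the device is reachable on, or may originate, SMTP.
HARDENED = [
    Rule("allow", "0.0.0.0/0", f"{DEVICE}/32", SMTP),
    Rule("allow", f"{DEVICE}/32", "0.0.0.0/0", SMTP),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        findings = audit(rules)
        print(f"{name}: {len(findings)} finding(s)")
        for line in findings:
            print("  " + line)
```

The weak rule set shows why rule order matters: its explicit deny for the client subnet never takes effect because a broader allow precedes it.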

Mail relay

Figure 3: Device in explicit proxy configuration in a DMZ

If you have a mail relay already set up in your DMZ, you can replace the relay with the device. To use your existing firewall policies, give the device the same IP address as the mail relay.

Mail gateway

SMTP does not provide methods to encrypt mail messages; you can use Transport Layer Security (TLS) to encrypt the link, but not the mail messages. As a result, some companies do not allow such traffic on their internal network. To overcome this, they often use a proprietary mail gateway, such as Lotus Notes or Microsoft Exchange, to encrypt the mail traffic before it reaches the internal network.

To implement a DMZ configuration using a proprietary mail gateway, add the scanning device to the DMZ on the SMTP side of the gateway.

Figure 4: Protecting a mail gateway in DMZ

In this situation, configure:
- The public MX records to instruct external mail servers to send all inbound mail to the device (instead of the gateway).
- The device to forward all inbound mail to the mail gateway, and deliver all outbound mail using DNS or an external relay.
- The mail gateway to forward all inbound mail to the internal mail servers and all other (outbound) mail to the device.
- The firewall to allow inbound mail that is destined for the device only.

NOTE: Firewalls configured to use Network Address Translation (NAT), and that redirect inbound mail to internal mail servers, do not need their public MX records reconfigured. This is because they are directing traffic to the firewall rather than the mail gateway itself. In this case, the firewall must instead be reconfigured to direct inbound mail requests to the device.

Workload management

The virtual appliance includes its own internal workload management, distributing the scanning load evenly between all appliances configured to work together. You do not need to deploy an external load balancer.

System requirements

Make sure that your host computer adheres to the system requirements for whichever VMware virtual environment you choose.

NOTE: Go to the VMware website http://www.vmware.com to get the system requirements for your VMware product.

Additionally, ensure that the virtual machine where you will run McAfee Email and Web Security Virtual Appliance meets the following minimum system requirements:

Option                      Definition
Processor                   Two virtual processors
Available virtual memory    2 GB
Free hard disk space        80 GB

NOTE: The appliance's interface is optimized for Microsoft Internet Explorer 7.0 or later, and Mozilla Firefox 3.5 or later.

Sample installation scenarios

This section contains information about installing the virtual appliance in different server configurations.

Running the virtual appliance as the only virtual machine on the host

This information illustrates a possible single server deployment of the virtual appliance on your chosen VMware virtual environment.

In this deployment, the VMware ESX, VMware vSphere, or VMware ESXi server is dedicated to the virtual appliance. Its hardware specification must exceed the minimum hardware requirements outlined in the Email and Web Security Performance Data guidelines. To manage multiple virtual machines running on one VMware host, read the information in Running the virtual appliance with other virtual machines.

NOTE: This example assumes you are installing the virtual appliance in the recommended explicit proxy mode.

Figure 5: A sample single server installation

Running the virtual appliance with other virtual machines

This information illustrates a deployment of the McAfee Email and Web Security Virtual Appliance on VMware ESX, VMware vSphere, or VMware ESXi alongside other virtual machines.

In this example, one VMware host is responsible for the virtual appliance as well as other virtual machines, all of which run on the same hardware. Refer to the VMware website http://www.vmware.com for information on building a resource pool dedicated to the virtual appliance. The resource pool must also have the minimum levels of CPU and memory allocated to it as stated in the Email and Web Security Performance Data guidelines.

NOTE: This example assumes you are installing the virtual appliance in the recommended explicit proxy mode.

Figure 6: A sample multiple server installation

Installing the Virtual Environment

This information helps you to set up the virtual environment and install the McAfee Email and Web Security Virtual Appliance on it.

Contents
- Overview of the virtual appliance installation process
- Installation best practices
- Downloading the virtual appliance software
- Installing the virtual appliance on VMware vSphere and VMware vSphere Hypervisor (ESXi)
- Installing the virtual appliance on VMware ESX or VMware ESXi

Overview of the virtual appliance installation process

McAfee recommends that you install the Email and Web Security Virtual Appliance in the following order:
1 Install your chosen VMware product.
2 Download the Email and Web Security Virtual Appliance installation files.
3 Install the virtual appliance on the virtual environment.
4 Complete the graphical configuration wizard.
5 Log on to the virtual appliance.
6 Test the configuration.
7 Enable protocols.

Installation best practices

This information gives some important considerations for your installation on VMware ESX Server, VMware vSphere, and VMware ESXi.

NOTE: McAfee recommends that you read and act upon this information before you start the installation process.

- The McAfee Email and Web Security Virtual Appliance is easiest to set up and maintain when it runs in the default explicit proxy operating mode.
- Familiarize yourself with the information about creating clusters and resource pools. See the VMware website http://www.vmware.com.

- Use a Storage Area Network (SAN) rather than a Network File System (NFS) share to achieve optimal performance.
- If you run Email and Web Security Virtual Appliance in either of the transparent modes:
  - The VMware Distributed Resource Scheduler (DRS) and High Availability (HA) features may cause network interruptions if a failover takes place.
  - Ensure that the virtual appliance NICs do not link to the same broadcast domain and that their IP addresses are not in the same subnet to avoid network loops.
  - Ensure that each network adapter on the virtual appliance is connected to a different physical network on the host computer.
- You will need at least three NICs in your VMware host. The virtual appliance needs two NICs and VMware recommends a dedicated NIC for the Service Console.

Downloading the virtual appliance software

Use this task to download the McAfee Email and Web Security Virtual Appliance software. We provide the software as a .zip file available from the McAfee download website.

Before you begin
- Read your VMware product installation guide.
- Get the McAfee grant ID number that you received when you purchased the virtual appliance.

Task
1 Go to the McAfee website http://www.mcafee.com. Hover your cursor over your business type and click Downloads.
2 From My Products - Downloads, click Login.
3 Type the McAfee grant ID number that you received when you purchased the virtual appliance, and click Submit.
4 From the list of products, select Email and Web Security.
5 Agree to the license terms, select the latest .zip file and download it.

NOTE: McAfee recommends that you read the Release Notes that accompany the virtual appliance before you continue with the installation.

Installing the virtual appliance on VMware vSphere and VMware vSphere Hypervisor (ESXi)

Use this task to install McAfee Email and Web Security Virtual Appliance onto a host computer running VMware vSphere 4 or VMware vSphere Hypervisor (ESXi) 4.0.

If you used the Email and Web Security Appliance (VMtrial) product to test the software, you can save your VMtrial configuration and restore it onto the virtual appliance when the installation is complete.

Before you begin
- Download the VMware vSphere version of the package .zip file from the McAfee download site and extract it to a location where the VMware vSphere Client can see it.
- Install a fully licensed copy of VMware vSphere 4 or VMware vSphere Hypervisor (ESXi) 4.0.

Task
1 Start the VMware vSphere Client application.
2 Log on to the VMware vSphere server, or the vCenter Server.
3 From the Inventory list, select the host or cluster onto which you want to import the Email and Web Security Virtual Appliance software.
4 Click File | Deploy OVF Template | Deploy From File, and click Browse to go to where you extracted the .zip file you downloaded from the McAfee download site.
5 Select the EWS-SIG-<build_number>.VMbuy.ova file, and click Open.
6 Click Next twice, and optionally type a new name.
7 Select the resource pool that you want to use if you have any configured.
8 Select the datastore that you want to use, and click Next.
9 Select the virtual networks to which the virtual appliance NICs will be connected.
10 Click Next, read the summary, then click Finish and wait for the import process to finish.
11 Start the virtual appliance. The installation starts automatically.
12 Read the End-User License Agreement to continue with the installation, then click y to accept it and start the installation.
13 At the installation menu, select 1 to perform a full installation and y to continue.
14 When the installation is complete, the virtual appliance restarts.
15 On the Email and Web Security Virtual Appliance Welcome screen, choose the language that you want to use.
16 Accept the terms of the license agreement.
17 Configure the Email and Web Security Virtual Appliance from the graphical configuration wizard.
   NOTE: McAfee recommends that you run the virtual appliance in the default, explicit proxy mode.
18 Apply the configuration to the virtual appliance. Depending on the settings you entered, it might restart.

You can install the virtual appliance on more than one VMware ESX Server or VMware ESXi server. To do so:
a Follow the steps in this task on another VMware ESX Server or VMware ESXi server.
b Return to the previously installed virtual appliance user interface.
c Go to System | Cluster Management | Configuration Push to send the configuration details to the second virtual appliance.

Improving performance on VMware vSphere

Use this task to potentially improve system performance in VMware vSphere environments by changing the default hard disk, network adapter, memory, and CPU settings.

Task
1 To edit the hard disk settings:
  a Check that the virtual machine is shut down.
  b Right-click the virtual appliance in the Inventory list, and click Edit Settings.
  In the Virtual Machine Properties dialog box, there are three hard disks available to the virtual appliance:
  - Hard disk 1 holds the virtual appliance installation files, and must not be removed or changed.
  - Hard disk 2 is the main hard disk used by the virtual appliance. You can increase its size but McAfee recommends that you do not reduce it.
  - Hard disk 3 will hold the temporary swap space of the virtual appliance.
  NOTE: Putting the second and third hard disks on two separate datastores can potentially improve performance.
2 To change the network adapter settings:
  a Check that the virtual machine is shut down.
  b Right-click the virtual appliance in the Inventory list, and click Edit Settings.
  c In the Virtual Machine Properties dialog box, select Network adapter 1 and click Remove.
  d Repeat for adapters 2 and 3.
  e Click Add.
  f Select Ethernet Adapter, and click Next.
  g Under Adapter Type, select VMXNET 3.
  h Ensure that you select the named network to which you want to connect LAN1 of the virtual appliance, and ensure that the Connect at power on option is selected.
  i Click Next, then click Finish.
  j Repeat steps e through i for network adapters 2 and 3.
  NOTE: Network adapter 2 is connected to the virtual appliance LAN2 connection and the third adapter is used for the out of band configuration.
3 To edit the memory and virtual CPU settings:
  a Check that the virtual machine is shut down.
  b Right-click the virtual appliance in the Inventory list, and click Edit Settings.
  c In the Virtual Machine Properties dialog box, change the settings as necessary.
  NOTE: McAfee recommends that you do not reduce the settings to less than the default settings or the recommended virtual appliance system requirements.

Installing the virtual appliance on VMware ESX or VMware ESXi

Use this task to install McAfee Email and Web Security Virtual Appliance onto a host computer running VMware ESX 3.5 or VMware ESXi.

If you used the Email and Web Security Appliance (VMtrial) product to test the software, you can save your VMtrial configuration and restore it onto the virtual appliance when the installation is complete.

Before you begin
- Download the package .zip file that contains the installation files for VMware ESX and VMware Server from the McAfee download site and extract it to a location where the VMware Virtual Infrastructure Client can see it.
- Install a fully licensed copy of VMware ESX Server 3.5 or VMware ESXi.

Task
1 Start the VMware Virtual Infrastructure Client application.
2 Log on to the VMware ESX Server, VMware ESXi, or the Virtual Center Server.
3 From the Inventory list, select the VMware ESX Server or VMware ESXi server onto which you want to import the Email and Web Security Virtual Appliance software.
4 On the Getting Started tab, click Import Virtual Appliance, and select Import from file.
5 Click Browse to go to where you extracted the .zip file you downloaded from the McAfee download site.
6 Open the McAfee-EWS-SIG-<build_number>.VMbuy-OVF subfolder, select McAfee-EWS-SIG-<build_number>.VMbuy.OVF, and click Open.
7 Click Next twice and optionally type a new name.
8 Click Next.
9 If you are using the Virtual Center Server, select the datastore that you want to use and click Next. If you are using the Virtual Infrastructure Client, simply continue with the next step.
10 Select the virtual networks to which either of the virtual appliance NICs will be connected:
   Network 1: LAN 1
   Network 2: LAN 2
   Network 3: Out of band management interface
   NOTE: After installation, go to System | Appliance Management | Remote Access in the product interface for the out of band management settings.
11 Click Next, read the summary, then click Finish and wait for the import process to finish.
   NOTE: You can change the default Memory, Hard Disk, and Virtual CPU settings for the virtual appliance. Check that the virtual machine is shut down. Then, select the virtual appliance from the Inventory list and click Edit Settings. McAfee recommends that you do not reduce the settings to less than the default settings or the recommended virtual appliance system requirements.
12 Start the virtual appliance and select Connect CD/DVD1, then connect to the ISO image.
13 Browse to where you extracted the Email and Web Security Virtual Appliance .zip file, select the ISO file and click Open to connect the CD-ROM drive to the ISO file.
14 Click within the console window to reactivate the mouse pointer.
15 Wait for the "Operating System not found" message, then press ESC to start the CD-ROM ISO image.

16 Read the End-User License Agreement to continue with the installation, then type y to accept it and start the installation.
17 At the installation menu, select 1 to perform a full installation and y to continue.
18 When the installation is complete, the virtual appliance restarts. McAfee recommends that you disconnect the ISO image from the CD-ROM after the installation is complete. To do so, select Disconnect CD/DVD1.
19 On the Email and Web Security Virtual Appliance Welcome screen, choose the language that you want to use.
20 Accept the terms of the license agreement.
21 Configure the Email and Web Security Virtual Appliance from the graphical configuration wizard.
   NOTE: McAfee recommends that you run the virtual appliance in the default, explicit proxy mode.
22 Apply the configuration to the virtual appliance. Depending on the settings you entered, it might restart.

You can install the virtual appliance on more than one VMware ESX Server or VMware ESXi server. To do so:
a Follow the steps in this task on another VMware ESX Server or VMware ESXi server.
b Return to the previously installed virtual appliance user interface.
c Go to System | Cluster Management | Configuration Push to send the configuration details to the second virtual appliance.

A Tour of the Interface

This information tells you about the McAfee Email and Web Security Virtual Appliance interface and Dashboard page.

Contents
- The user interface
- Dashboard status information and configuration options

The user interface

Use this information to get to know your way around the user interface.

NOTE: The interface you see might look slightly different from that shown in Figure 7: The Dashboard, because it can vary depending on the appliance's hardware platform, software version, and language.

The interface contains the following elements:

Navigation bar

The navigation bar contains four areas: user information, section icons, tab bar, and support controls.

User information bar

Section icons

The number of section icons depends on the software version that you are using. Click an icon to change the information in the content area and the tab bar. The icons include the following:

Table 3: Section items

Menu: Features
Dashboard: Use this page to see a summary of the appliance. From this page you can access most of the pages that control the appliance.
Reports: Use the Reports pages to view events recorded on the appliance, such as viruses detected in email messages or during web access, and system activities such as details of recent updates and logins.
Email: Use the Email pages to manage threats to email messages, quarantine of infected email, and other aspects of email configuration.
Web: Use the Web pages to manage threats to web downloads, and to manage other aspects of web configuration.
System: Use the System pages to configure various features on the appliance.
Troubleshoot: Use the Troubleshoot pages to diagnose any problems with the appliance.

Tab bar

The contents of the tab bar are controlled by the selected section icon. The selected tab dictates what is displayed in the content area.

Support control buttons

The support control buttons are actions that apply to the content area.

Table 4: Support control buttons

Description (one row per button icon):
- Refreshes or updates the content.
- Returns you to the previously viewed page. We recommend that you click this button, rather than your browser's Back button.
- Appears when you configure something to allow you to apply your changes.
- Appears when you configure something to allow you to cancel your changes.
- Opens a window of Help information. Much of the information in this window also appears in the Product Guide.

View control

The view control button shows or hides a status window. The status window, which appears in the bottom right of the interface, shows recent activity. New messages are added at the top of the window. If a message is blue and underlined, you can click the link to visit another page. You can also manage the window with its own Clear and Close links.

Content area

The content area contains the currently active content and is where most of your interaction will be.

NOTE: The changes that you make take effect after you click the green checkmark.

Dashboard status information and configuration options

The Dashboard provides a summary of the activity of the appliance. Use this page to access most of the pages that control the appliance. On a cluster master appliance, use this page also to see a summary of activity on the cluster of appliances.

NOTE: To change the view in any section, click Edit, which opens another window.

The Dashboard provides a single location for you to view summaries of the activities of the appliance. Depending on how you have your appliance configured, you can view information about:
- The email flowing through the appliance.
- The web traffic being scanned.
- The overall system health of the appliance.
- Current detection rates.
- The performance of your network.
- Email messages being queued by the appliance.
- The number of scanning policies that you have in place, separated by protocol.

You can also configure a list of links to tasks that you often use, providing you with a quick and easy method of moving to the correct area of the user interface.

The lower pane of this page displays key graphic information about performance of the appliance. Each of these Dashboard panes can be customized to show the information that you need most often.

When you log on to the appliance, and as you work within its configuration pages, a dialog box appears in the bottom right-hand corner of the screen to inform you of any recommended configuration changes, or give warning messages concerning the appliance operation or settings.

For example, it warns you when Global Threat Intelligence feedback is not enabled for all policies.

Figure 7: The Dashboard

Dashboard panes

Table 5: Dashboard Option Definitions

Option: Definition

Email Detections and Web Detections: Displays the number of detections under each protocol. Click Edit to change the view in this window. Although you can choose not to display information about a protocol, the appliance continues to scan that traffic.

System Health: Displays the status of important components and lets you change the settings of recommended system configuration changes:
- For Updates, a green checkmark indicates that the component will update itself automatically. To make a manual update, click the blue link.
- For other components, a green checkmark indicates that the component is operating within acceptable limits. For more information, click the blue links.
- To adjust the levels at which the warning and alert icons appear, and to change what the recommended configuration changes dialog box displays, click Edit.

Current detection rates: Displays the status of important detections by the appliance, using icons.

Network: Displays the number of connections under each protocol. Although you can deselect a protocol after clicking Edit, the appliance continues to handle that traffic.

Email Queues: Displays the number of items, and the number of recipients for each queued item in the Queued, Quarantined, and Release requests queues maintained by the appliance, using icons. To visit the pages that manage the queues,