McAfee(R) Email and Web Security Virtual Appliance 5.6 Installation Guide




COPYRIGHT

Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

License Attributions

Refer to the product Release Notes.

Contents

Introducing McAfee Email and Web Security Virtual Appliance
- Introduction to the virtual appliance features
- How to use this guide
- Who should read this guide
- What you get in the virtual appliance download package
- Graphical conventions
- Documentation
- Available resources

Preparing to Install the Virtual Appliance
- Considerations before installing the virtual appliance
- Network information you need to collect
- Operating modes and how they affect network connections
- Explicit proxy mode
- Network and device configuration
- Protocols
- Firewall rules
- Where to place the device
- Deployment strategies for using the device in a DMZ
- SMTP configuration in a DMZ
- Mail relay
- Mail gateway
- Workload management
- System requirements
- Sample installation scenarios
- Running the virtual appliance as the only virtual machine on the host
- Running the virtual appliance with other virtual machines

Installing the Virtual Environment
- Overview of the virtual appliance installation process
- Installation best practices
- Downloading the virtual appliance software
- Installing the virtual appliance on VMware vSphere and VMware vSphere Hypervisor (ESXi)
- Improving performance on VMware vSphere
- Installing the virtual appliance on VMware ESX or VMware ESXi

A Tour of the Interface
- The user interface
- Dashboard status information and configuration options

Testing the Virtual Appliance Configuration
- Testing connectivity
- Updating the DAT files
- Testing mail traffic and virus detection
- Testing spam detection
- Testing web traffic and virus detection

Exploring the Virtual Appliance Features
- Scanning policies and how they affect your network
- Scanning for content using email compliance rules
- Preventing loss of sensitive data
- Dealing with quarantined messages
- Monitoring spam detection
- Monitoring web-based activity using the default URL filtering settings and SiteAdvisor
- Controlling user access by role

Additional Configuration Options
- Upgrading to Email and Web Security Virtual Appliance 5.6
- Installing the virtual appliance on VMware Server 2.0 running on Microsoft Windows
- Installing the virtual appliance on VMware Server 1.0 running on Microsoft Windows
- Running a virtual appliance on VMware Server in a transparent operating mode
- Running a virtual appliance on VMware ESX, VMware vSphere, or VMware ESXi in a transparent operating mode
- Changing the default Power Off and Reset actions
- Configuring the shutdown and restart option
- Converting from a VMtrial installation

Troubleshooting the Virtual Appliance
- The appliance is not receiving traffic from the network
- Interface problems
- Mail issues
- POP3
- Physical configuration issues
- Anti-virus automatic updating issues
- Anti-spam issues

Introducing McAfee Email and Web Security Virtual Appliance

McAfee Email and Web Security Virtual Appliance delivers comprehensive, enterprise-class protection against web and email threats in an integrated and simple-to-manage virtual machine.

The Email and Web Security Virtual Appliance runs on the following VMware virtual platforms:
- VMware vSphere 4.x and VMware vSphere Hypervisor (ESXi) 4.x
- VMware ESX 3.5 and VMware ESXi 3.5
- VMware Server 2.0 and VMware Server 1.0

Contents
- Introduction to the virtual appliance features
- How to use this guide
- Who should read this guide
- What you get in the virtual appliance download package
- Graphical conventions
- Documentation
- Available resources

Introduction to the virtual appliance features

This information describes the features of the McAfee Email and Web Security Virtual Appliance and where to locate them in the product interface:
- Table 1: Email and Web scanning features
- Table 2: Reporting and System features

NOTE: Instructions on how to use some of these features can be found later in this document.

Table 1: Email and Web scanning features

Feature: Comprehensive scanning protection
Description:
Email and Web Security Virtual Appliance offers anti-virus and anti-spam protection for the following network protocols:
- SMTP
- POP3
- HTTP
- FTP
- ICAP

Feature: Anti-virus protection
Description:
Email | Email Policies | Scanning Policies [Anti-Virus]
Web | Web Policies | Scanning Policies [Anti-Virus]
Reduce threats to all protocol traffic using:
- Anti-virus settings to identify known and unknown threats in viruses in archive files, and other file types.
- Other threat detection settings to detect viruses, potentially unwanted programs, packers, and other malware.
- McAfee Global Threat Intelligence file reputation to complement the DAT-based signatures by providing the appliances access to millions of cloud-based signatures. This reduces the delay between McAfee detecting a new malware threat and its inclusion in DAT files, providing broader coverage.

Feature: Anti-spam protection
Description:
Email | Email Policies | Scanning Policies [Spam]
Reduce spam in SMTP and POP3 email traffic using:
- Anti-spam engine, and the anti-spam and anti-phishing rule sets.
- Lists of permitted and denied senders.
- McAfee Global Threat Intelligence message reputation to identify senders of spam email messages.
- Permit and deny lists that administrators and users can create using a Microsoft Outlook plug-in (user-level only).
Detect phishing attacks and take the appropriate action.

Feature: McAfee Global Threat Intelligence feedback
Description:
Email | Email Policies | Scanning Policies | McAfee GTI feedback
System | Setup Wizard | Traffic
McAfee analyzes data about detections and alerts, threat details, and usage statistics from a broad set of customers to combat electronic attacks, protect vulnerable systems from exploit, and thwart cyber crime. By enabling this feedback service in your product, you will help us improve McAfee Global Threat Intelligence, thereby making your McAfee products more effective, as well as help us work with law enforcement to address electronic threats.

Feature: Compliance Settings
Description:
Email | Email Policies | Scanning Policies [Compliance]
Web | Web Policies | Scanning Policies [Compliance]
This release of the McAfee Email and Web Security Appliance software includes enhancements to the way the appliance uses compliance rules:
- In the Compliance policy, use the Rule Creation wizard to specify the inbuilt dictionaries that you want to comply with, or create a new rule using an existing rule as a template.
- Use the Mail size filtering and File filtering policies to check SMTP email messages for true file types and take action on email based on size and number of attachments.

Feature: Data Loss Prevention
Description:
Email | Email Policies | Scanning Policies [Data Loss Prevention]
Use the Data Loss Prevention policy to upload and analyze your sensitive documents (known as training) and to create a fingerprint of each document.

Feature: Message Search
Description:
Email | Message Search
From a single location within the user interface, Message Search allows you to confirm the status of email messages that have passed through the appliance. It provides you with information about the email, including whether it was delivered or blocked, if the message bounced, if it was quarantined, or held in a queue pending further action.

Feature: Quarantine features
Description:
Email | Quarantine Configuration | Quarantine Options
- Quarantine digests: Allow users to handle quarantined items without involving the email administrator.
- McAfee Quarantine Manager: Consolidate quarantine management for McAfee products.

Feature: Message Transfer Agent
Description:
- Reroute traffic on-the-fly based on criteria set by the administrator. For example, encrypted mail can be rerouted for decryption.
- Allow the administrator to determine the final status of each message.
- See a quick view summary of inbound email messages by domain with drill-down facilities per domain and undeliverable email by domain.
- Prioritize the redelivery of undeliverable email based on domain.
- Pipeline multiple email deliveries to each domain.
- Rewrite an email address on inbound and outbound email based on regular expressions defined by the administrator.
- Strip email headers on outbound messages to hide internal network infrastructure.
- Deliver messages using TLS.
- Manage certificates.

Feature: Web reputation and categorization
Description:
Web | Web Policies | Scanning Policies [Web reputation and Categorization]
McAfee SiteAdvisor Web Reputation
Create lists of permitted and denied websites, permit access according to their category using McAfee SiteAdvisor Web Reputation, and carry out remote URL category lookups. You can also specify periods when the access to websites can vary. For example, allow access to sites classified as Monitor Access during the daytime.
SiteAdvisor classifies sites according to their behavior or reputation, enabling policies on the appliance to block access or issue warnings about unsuitable websites. It reduces nuisances such as spam and adware that users might receive from some websites.
McAfee Global Threat Intelligence Web Categorization
Global Threat Intelligence Web Categorization provides a simple-to-configure feature that enables your organization to understand, filter, control, and monitor Internet usage. With group-based policies and more than 90 web categories, the filtering capabilities can apply policies to users and groups based on their specific requirements. This provides you with the flexibility and controls you need to keep users safe and productive while on the web.

Feature: ICAP support
Description:
Web | Web Configuration | ICAP
Pass HTTP messages from ICAP clients to ICAP servers for processing or transformation (adaptation). Email and Web Security Virtual Appliance supports the ICAP 1.0 protocol and acts as an ICAP server.

Table 2: Reporting and System features

Feature: Scheduled Reports
Description:
Reports | Scheduled Reports
Schedule reports to run on a regular basis and send them to one or more email recipients.

Feature: Logging options
Description:
System | Logging, Alerting and SNMP
You can configure the appliance to send emails containing information about viruses and other detected threats, and to use SNMP to transfer information from your appliance. You can also configure the appliance to use WebReporter to provide detailed reports about your users' web browsing and use 3rd party integration for system logging (syslog) reporting using ArcSight and Splunk monitoring systems.

Feature: Dashboard statistics
Description:
Dashboard
The Dashboard provides a single location for you to view summaries of the activities of the appliance, such as the email flowing through the appliance, the web traffic being scanned, and the overall system health of the appliance. You can also configure a list of links to tasks that you often use.

Feature: ePolicy Orchestrator management of appliances
Description:
System | Setup Wizard | ePO Managed Setup
You can monitor the status of your appliances and also manage your appliance from ePolicy Orchestrator. You can directly manage your appliances from ePolicy Orchestrator, without needing to launch the interface for each appliance. In ePolicy Orchestrator, the user interface pages that you use to configure and manage your Email and Web Security Appliances have a familiar look-and-feel to the pages that you find within the appliances.

Feature: Cluster Management
Description:
System | Cluster Management
Cluster management enables you to set up groups of appliances that work together to share your scanning workloads, and to provide redundancy in the event of hardware failure. From these pages you can back up and restore your configurations, push configurations from one appliance to others, and set up load balancing between your appliances.

Feature: Virtual Hosts
Description:
System | Virtual Hosting | Virtual Hosts
For the SMTP protocol, you can specify the addresses where the appliance receives or intercepts traffic on the Inbound Address Pool. Using virtual hosts, a single appliance can appear to behave like several appliances. Each virtual appliance can manage traffic within specified pools of IP addresses, enabling the appliance to provide scanning services to traffic from many customers.

Feature: Role-based Access Control
Description:
System | Users, Groups and Services | Role-Based User Accounts
In addition to the Kerberos authentication method, RADIUS authentication is also available.

Feature: Internal Rescue Image
Description:
System | Appliance Management | System Administration | Manage Internal Rescue Image
When managing your Email and Web Security appliances, having the image for each appliance stored on a protected partition on the hard disk of each appliance enables you to remotely reimage your appliances. The rescue image negates the requirement for remote access cards to be fitted to your appliance (if you have suitable appliance models) for the appliances to be reimaged from a remote location. In addition to installing the software image on the protected partition, you can also create a bootable image on a USB drive for your appliances.

How to use this guide

This guide helps you to:
- Plan and perform your installation.
- Become familiar with the interface.
- Test that the product functions correctly.
- Apply the latest detection definition files.
- Explore some scanning policies, create reports, and get status information.
- Troubleshoot basic issues.

You can find additional information about the product's scanning features in the online Help.

Who should read this guide

The information in this guide is intended primarily for network administrators who are responsible for their company's anti-virus and security program.

What you get in the virtual appliance download package

The Email and Web Security Virtual Appliance package is a .zip file that contains the software installation files. There are two package types available on the McAfee download site for you to choose from depending on your virtual environment:
- vSphere 4.x users
- All other VMware supported products

NOTE: The download package does not contain the VMware product installation files. If you do not already have your virtual software set up, go to the VMware website (http://www.vmware.com) to purchase VMware vSphere, or download VMware Server or VMware vSphere Hypervisor (ESXi).

Graphical conventions

Figures in this guide use the following symbols.
- Internet
- Mail server
- Other server (such as DNS server)
- User or client computer
- Router
- Switch
- Firewall
- Network zone (DMZ or VLAN)
- Network
- Actual data path
- Perceived data path

Documentation

This guide is included with your product. Additional information is available in the online Help included with the product, and other documentation available from the http://mysupport.mcafee.com website.

Available resources

This information describes where to get more information and assistance.

McAfee products: McAfee KnowledgeBase. Go to https://mysupport.mcafee.com/eservice/default.aspx and click Search the KnowledgeBase.

VMware operating environment: VMware website. Go to http://www.vmware.com/, and click Support & Downloads on the Links bar. Under Support Resources, select Knowledge Base.

Product Guide: McAfee download site. Includes information about basic concepts, policies, protocols (SMTP, POP3, FTP, HTTP, and ICAP), maintenance, and monitoring. You will need your grant ID number.

Online Help: Product interface. Includes information about basic concepts, policies, protocols (SMTP, POP3, FTP, HTTP, and ICAP), maintenance, and monitoring.

Preparing to Install the Virtual Appliance This information helps you prepare your environment and presents topics to consider before you install the McAfee Email and Web Security Virtual Appliance. Contents Considerations before installing the virtual appliance Network information you need to collect Operating modes and how they affect network connections Explicit proxy mode Deployment strategies for using the device in a DMZ System requirements Considerations before installing the virtual appliance Consider the following before you start the installation process: Choose your virtual environment: VMware vsphere, VMware vsphere Hypervisor (ESXi), or VMware Server. To achieve optimum performance and throughput in a virtual environment, McAfee recommends that you run the virtual appliance on VMware vsphere. VMware Server is suited to smaller deployments. Use the virtual appliance within your organization behind a correctly configured firewall. The virtual appliance is not a mail server. You must configure your firewall, mail server, and other equipment to route email traffic to the virtual appliance. The virtual appliance is not a web server or a caching web proxy server. Do not store or install extra software and files on the virtual appliance unless instructed by the documentation or your support representative. The virtual appliance cannot handle all types of traffic. Explicit proxy mode can route only supported protocols through the virtual appliance. Decide whether you want to use the out of band management interface. Network information you need to collect Gather the following information to complete the configuration: Protocols to scan (HTTP, SMTP, FTP, POP3, ICAP) Host name 13

Preparing to Install the Virtual Appliance Operating modes and how they affect network connections Domain name Default gateway LAN1 port IP address and subnet mask LAN2 port IP address and subnet mask Out of band management interface IP address and subnet mask DNS server IP address Operating modes and how they affect network connections The McAfee Email and Web Security Virtual Appliance can run in three operating modes. Before you install and configure your appliance, you must decide which mode to use. The following operating modes are available: Explicit proxy mode The virtual appliance acts as a proxy server and a mail relay. Transparent router mode The virtual appliance acts as a router. Transparent bridge mode The virtual appliance acts as an Ethernet bridge. The mode you choose determines how you physically connect your virtual appliance to your network. McAfee recommends that you run your virtual appliance in explicit proxy mode. Virtual appliances that run in either of the transparent modes are more difficult to set up and maintain in a virtual environment. Explicit proxy mode In explicit proxy mode, some network devices must be set up explicitly to send traffic to the device. The device then works as a proxy or relay, processing traffic on behalf of the devices. Explicit proxy mode is best suited to networks where client devices connect to the device through a single upstream and downstream device. TIP: This might not be the best option if several network devices must be reconfigured to send traffic to the device. Network and device configuration If the device is set to explicit proxy mode, you must explicitly configure your internal mail server to relay email traffic to the device. The device scans the email traffic before forwarding it, on behalf of the sender, to the external mail server. The external mail server then forwards the email message to the recipient. 14

Preparing to Install the Virtual Appliance Explicit proxy mode In a similar way, the network must be configured so that incoming email messages from the Internet are delivered to the device, not the internal mail server. Figure 1: Relaying email traffic The device scans the traffic before forwarding it, on behalf of the sender, to the internal mail server for delivery, as shown in Figure 1: Relaying email traffic. For example, an external mail server can communicate directly with the device, although traffic might pass through several network servers before reaching the device. The perceived path is from the external mail server to the device. Protocols To scan a supported protocol, you must configure your other network servers or client computers to route that protocol through the device, so that no traffic bypasses the device. Firewall rules Explicit proxy mode invalidates any firewall rules set up for client access to the Internet. The firewall sees only the IP address information for the device, not the IP addresses of the clients, so the firewall cannot apply its Internet access rules to the clients. Where to place the device Configure the network devices so that traffic needing to be scanned is sent to the device. This is more important than the location of the device. The router must allow all users to connect to the device. Figure 2: Explicit proxy configuration 15

The device must be positioned inside your organization, behind a firewall, as shown in Figure 2: Explicit proxy configuration.

Typically, the firewall is configured to block traffic that does not come directly from the device. If you are unsure about your network's topology and how to integrate the device, consult your network expert.

Use this configuration if:
- The device is operating in explicit proxy mode.
- You are using email (SMTP).

For this configuration, you must:
- Configure the external Domain Name System (DNS) servers or Network Address Translation (NAT) on the firewall so that the external mail server delivers mail to the device, not to the internal mail server.
- Configure the internal mail servers to send email messages to the device. That is, the internal mail servers must use the device as a smart host.
- Ensure that your client devices can deliver email messages to the mail servers within your organization.
- Ensure that your firewall rules are updated. The firewall must accept traffic from the device, but must not accept traffic that comes directly from the client devices. Set up rules to prevent unwanted traffic entering your organization.

Deployment strategies for using the device in a DMZ
A demilitarized zone (DMZ) is a network separated by a firewall from all other networks, including the Internet and other internal networks. The typical goal behind the implementation of a DMZ is to lock down access to servers that provide services to the Internet, such as email.

Hackers often gain access to networks by identifying the TCP/UDP ports on which applications are listening for requests, then exploiting known vulnerabilities in applications. Firewalls dramatically reduce the risk of such exploits by controlling access to specific ports on specific servers.

The device can be added easily to a DMZ configuration. The way you use the device in a DMZ depends on the protocols you intend to scan.

SMTP configuration in a DMZ
The DMZ is a good location for encrypting mail. By the time the mail traffic reaches the firewall for the second time (on its way from the DMZ to the internal network), it has been encrypted.

Devices which scan SMTP traffic in a DMZ are usually configured in explicit proxy mode. Configuration changes need only be made to the MX records for the mail servers.

NOTE: You can use transparent bridge mode when scanning SMTP within a DMZ. However, if you do not control the flow of traffic correctly, the device scans every message twice, once in each direction. For this reason, explicit proxy mode is usually used for SMTP scanning.

Mail relay

Figure 3: Device in explicit proxy configuration in a DMZ

If you have a mail relay already set up in your DMZ, you can replace the relay with the device. To use your existing firewall policies, give the device the same IP address as the mail relay.

Mail gateway
SMTP does not provide methods to encrypt mail messages; you can use Transport Layer Security (TLS) to encrypt the link, but not the mail messages. As a result, some companies do not allow such traffic on their internal network. To overcome this, they often use a proprietary mail gateway, such as Lotus Notes or Microsoft Exchange, to encrypt the mail traffic before it reaches the internal network.

To implement a DMZ configuration using a proprietary mail gateway, add the scanning device to the DMZ on the SMTP side of the gateway.

Figure 4: Protecting a mail gateway in DMZ

In this situation, configure:

- The public MX records to instruct external mail servers to send all inbound mail to the device (instead of the gateway).
- The device to forward all inbound mail to the mail gateway, and deliver all outbound mail using DNS or an external relay.
- The mail gateway to forward all inbound mail to the internal mail servers and all other (outbound) mail to the device.
- The firewall to allow inbound mail that is destined for the device only.

NOTE: Firewalls configured to use Network Address Translation (NAT), and that redirect inbound mail to internal mail servers, do not need their public MX records reconfigured. This is because they are directing traffic to the firewall rather than the mail gateway itself. In this case, the firewall must instead be reconfigured to direct inbound mail requests to the device.

Workload management
The virtual appliance includes its own internal workload management, distributing the scanning load evenly between all appliances configured to work together. You do not need to deploy an external load balancer.

System requirements
Make sure that your host computer adheres to the system requirements for whichever VMware virtual environment you choose.

NOTE: Go to the VMware website http://www.vmware.com to get the system requirements for your VMware product.

Additionally, ensure that the virtual machine where you will run McAfee Email and Web Security Virtual Appliance meets the following minimum system requirements:

Option                      Definition
Processor                   Two virtual processors
Available virtual memory    2 GB
Free hard disk space        80 GB

NOTE: The appliance's interface is optimized for Microsoft Internet Explorer 7.0 or later, and Mozilla Firefox 3.5 or later.

Sample installation scenarios

This section contains information about installing the virtual appliance in different server configurations.

Running the virtual appliance as the only virtual machine on the host
This information illustrates a possible single server deployment of the virtual appliance on your chosen VMware virtual environment.

In this deployment, the VMware ESX, VMware vSphere, or VMware ESXi server is dedicated to the virtual appliance. Its hardware specification must exceed the minimum hardware requirements outlined in the Email and Web Security Performance Data guidelines.

To manage multiple virtual machines running on one VMware host, read the information in Running the virtual appliance with other virtual machines.

NOTE: This example assumes you are installing the virtual appliance in the recommended explicit proxy mode.

Figure 5: A sample single server installation

Running the virtual appliance with other virtual machines
This information illustrates a deployment of the McAfee Email and Web Security Virtual Appliance on VMware ESX, VMware vSphere, or VMware ESXi alongside other virtual machines.

In this example, one VMware host is responsible for the virtual appliance as well as other virtual machines, all of which run on the same hardware. Refer to the VMware website http://www.vmware.com for information on building a resource pool dedicated to the virtual appliance. The resource pool must also have the minimum levels of CPU and memory allocated to it as stated in the Email and Web Security Performance Data guidelines.

NOTE: This example assumes you are installing the virtual appliance in the recommended explicit proxy mode.

Figure 6: A sample multiple server installation

Installing the Virtual Environment

This information helps you to set up the virtual environment and install the McAfee Email and Web Security Virtual Appliance on it.

Contents
- Overview of the virtual appliance installation process
- Installation best practices
- Downloading the virtual appliance software
- Installing the virtual appliance on VMware vSphere and VMware vSphere Hypervisor (ESXi)
- Installing the virtual appliance on VMware ESX or VMware ESXi

Overview of the virtual appliance installation process
McAfee recommends that you install the Email and Web Security Virtual Appliance in the following order:
1 Install your chosen VMware product.
2 Download the Email and Web Security Virtual Appliance installation files.
3 Install the virtual appliance on the virtual environment.
4 Complete the graphical configuration wizard.
5 Log on to the virtual appliance.
6 Test the configuration.
7 Enable protocols.

Installation best practices
This information gives some important considerations for your installation on VMware ESX Server, VMware vSphere, and VMware ESXi.

NOTE: McAfee recommends that you read and act upon this information before you start the installation process.

- The McAfee Email and Web Security Virtual Appliance is easiest to set up and maintain when it runs in the default explicit proxy operating mode.
- Familiarize yourself with the information about creating clusters and resource pools. See the VMware website http://www.vmware.com.

- Use a Storage Area Network (SAN) rather than a Network File System (NFS) share to achieve optimal performance.
- If you run Email and Web Security Virtual Appliance in either of the transparent modes:
  - The VMware Distributed Resource Scheduler (DRS) and High Availability (HA) features may cause network interruptions if a failover takes place.
  - Ensure that the virtual appliance NICs do not link to the same broadcast domain and that their IP addresses are not in the same subnet to avoid network loops.
  - Ensure that each network adapter on the virtual appliance is connected to a different physical network on the host computer.
- You will need at least three NICs in your VMware host. The virtual appliance needs two NICs and VMware recommends a dedicated NIC for the Service Console.

Downloading the virtual appliance software
Use this task to download the McAfee Email and Web Security Virtual Appliance software. We provide the software as a .zip file available from the McAfee download website.

Before you begin
- Read your VMware product installation guide.
- Get the McAfee grant ID number that you received when you purchased the virtual appliance.

Task
1 Go to the McAfee website http://www.mcafee.com. Hover your cursor over your business type and click Downloads.
2 From My Products - Downloads, click Login.
3 Type the McAfee grant ID number that you received when you purchased the virtual appliance, and click Submit.
4 From the list of products, select Email and Web Security.
5 Agree to the license terms, select the latest .zip file and download it.

NOTE: McAfee recommends that you read the Release Notes that accompany the virtual appliance before you continue with the installation.

Installing the virtual appliance on VMware vSphere and VMware vSphere Hypervisor (ESXi)
Use this task to install McAfee Email and Web Security Virtual Appliance onto a host computer running VMware vSphere 4 or VMware vSphere Hypervisor (ESXi) 4.0.

If you used the Email and Web Security Appliance (VMtrial) product to test the software, you can save your VMtrial configuration and restore it onto the virtual appliance when the installation is complete.

Before you begin
- Download the VMware vSphere version of the package .zip file from the McAfee download site and extract it to a location where the VMware vSphere Client can see it.
- Install a fully licensed copy of VMware vSphere 4 or VMware vSphere Hypervisor (ESXi) 4.0.

Task
1 Start the VMware vSphere Client application.
2 Log on to the VMware vSphere server, or the vCenter Server.
3 From the Inventory list, select the host or cluster onto which you want to import the Email and Web Security Virtual Appliance software.
4 Click File | Deploy OVF Template | Deploy From File, and click Browse to go to where you extracted the .zip file you downloaded from the McAfee download site.
5 Select the EWS-SIG-<build_number>.VMbuy.ova file, and click Open.
6 Click Next twice, and optionally type a new name.
7 Select the resource pool that you want to use if you have any configured.
8 Select the datastore that you want to use, and click Next.
9 Select the virtual networks to which the virtual appliance NICs will be connected.
10 Click Next, read the summary, then click Finish and wait for the import process to finish.
11 Start the virtual appliance. The installation starts automatically.
12 Read the End-User License Agreement to continue with the installation, then click y to accept it and start the installation.
13 At the installation menu, select 1 to perform a full installation and y to continue.
14 When the installation is complete, the virtual appliance restarts.
15 On the Email and Web Security Virtual Appliance Welcome screen, choose the language that you want to use.
16 Accept the terms of the license agreement.
17 Configure the Email and Web Security Virtual Appliance from the graphical configuration wizard.
   NOTE: McAfee recommends that you run the virtual appliance in the default, explicit proxy mode.
18 Apply the configuration to the virtual appliance. Depending on the settings you entered, it might restart.

You can install the virtual appliance on more than one VMware ESX Server or VMware ESXi server. To do so:
a Follow the steps in this task on another VMware ESX Server or VMware ESXi server.
b Return to the previously installed virtual appliance user interface.
c Go to System | Cluster Management | Configuration Push to send the configuration details to the second virtual appliance.

Improving performance on VMware vSphere
Use this task to potentially improve system performance in VMware vSphere environments by changing the default hard disk, network adapter, memory, and CPU settings.

Task
1 To edit the hard disk settings:
  a Check that the virtual machine is shut down.
  b Right-click the virtual appliance in the Inventory list, and click Edit Settings.
  In the Virtual Machine Properties dialog box, there are three hard disks available to the virtual appliance:
  - Hard disk 1 holds the virtual appliance installation files, and must not be removed or changed.
  - Hard disk 2 is the main hard disk used by the virtual appliance. You can increase its size but McAfee recommends that you do not reduce it.
  - Hard disk 3 will hold the temporary swap space of the virtual appliance.
  NOTE: Putting the second and third hard disks on two separate datastores can potentially improve performance.
2 To change the network adapter settings:
  a Check that the virtual machine is shut down.
  b Right-click the virtual appliance in the Inventory list, and click Edit Settings.
  c In the Virtual Machine Properties dialog box, select Network adapter 1 and click Remove.
  d Repeat for adapters 2 and 3.
  e Click Add.
  f Select Ethernet Adapter, and click Next.
  g Under Adapter Type, select VMXNET 3.
  h Ensure that you select the named network to which you want to connect LAN1 of the virtual appliance, and ensure that the Connect at power on option is selected.
  i Click Next, then click Finish.
  j Repeat steps e through i for network adapters 2 and 3.
  NOTE: Network adapter 2 is connected to the virtual appliance LAN2 connection and the third adapter is used for the out of band configuration.
3 To edit the memory and virtual CPU settings:
  a Check that the virtual machine is shut down.
  b Right-click the virtual appliance in the Inventory list, and click Edit Settings.
  c In the Virtual Machine Properties dialog box, change the settings as necessary.
  NOTE: McAfee recommends that you do not reduce the settings to less than the default settings or the recommended virtual appliance system requirements.

Installing the virtual appliance on VMware ESX or VMware ESXi
Use this task to install McAfee Email and Web Security Virtual Appliance onto a host computer running VMware ESX 3.5 or VMware ESXi.

If you used the Email and Web Security Appliance (VMtrial) product to test the software, you can save your VMtrial configuration and restore it onto the virtual appliance when the installation is complete.

Before you begin
- Download the package .zip file that contains the installation files for VMware ESX and VMware Server from the McAfee download site and extract it to a location where the VMware Virtual Infrastructure Client can see it.
- Install a fully licensed copy of VMware ESX Server 3.5 or VMware ESXi.

Task
1 Start the VMware Virtual Infrastructure Client application.
2 Log on to the VMware ESX Server, VMware ESXi, or the Virtual Center Server.
3 From the Inventory list, select the VMware ESX Server or VMware ESXi server onto which you want to import the Email and Web Security Virtual Appliance software.
4 On the Getting Started tab, click Import Virtual Appliance, and select Import from file.
5 Click Browse to go to where you extracted the .zip file you downloaded from the McAfee download site.
6 Open the McAfee-EWS-SIG-<build_number>.VMbuy-OVF subfolder, select McAfee-EWS-SIG-<build_number>.VMbuy.OVF, and click Open.
7 Click Next twice and optionally type a new name.
8 Click Next.
9 If you are using the Virtual Center Server, select the datastore that you want to use and click Next. If you are using the Virtual Infrastructure Client, simply continue with the next step.
10 Select the virtual networks to which either of the virtual appliance NICs will be connected:
   - Network 1: LAN 1
   - Network 2: LAN 2
   - Network 3: Out of band management interface
   NOTE: After installation, go to System | Appliance Management | Remote Access in the product interface for the out of band management settings.
11 Click Next, read the summary, then click Finish and wait for the import process to finish.
   NOTE: You can change the default Memory, Hard Disk, and Virtual CPU settings for the virtual appliance. Check that the virtual machine is shut down. Then, select the virtual appliance from the Inventory list and click Edit Settings. McAfee recommends that you do not reduce the settings to less than the default settings or the recommended virtual appliance system requirements.
12 Start the virtual appliance and select Connect CD/DVD1, then connect to the ISO image.
13 Browse to where you extracted the Email and Web Security Virtual Appliance .zip file, select the ISO file and click Open to connect the CD-ROM drive to the ISO file.
14 Click within the console window to reactivate the mouse pointer.
15 Wait for the "Operating System not found" message, then press ESC to start the CD-ROM ISO image.
16 Read the End-User License Agreement to continue with the installation, then type y to accept it and start the installation.
17 At the installation menu, select 1 to perform a full installation and y to continue.
18 When the installation is complete, the virtual appliance restarts. McAfee recommends that you disconnect the ISO image from the CD-ROM after the installation is complete. To do so, select Disconnect CD/DVD1.
19 On the Email and Web Security Virtual Appliance Welcome screen, choose the language that you want to use.
20 Accept the terms of the license agreement.
21 Configure the Email and Web Security Virtual Appliance from the graphical configuration wizard.
   NOTE: McAfee recommends that you run the virtual appliance in the default, explicit proxy mode.
22 Apply the configuration to the virtual appliance. Depending on the settings you entered, it might restart.

You can install the virtual appliance on more than one VMware ESX Server or VMware ESXi server. To do so:
a Follow the steps in this task on another VMware ESX Server or VMware ESXi server.
b Return to the previously installed virtual appliance user interface.
c Go to System | Cluster Management | Configuration Push to send the configuration details to the second virtual appliance.

A Tour of the Interface

This information tells you about the McAfee Email and Web Security Virtual Appliance interface and Dashboard page.

Contents
- The user interface
- Dashboard status information and configuration options

The user interface
Use this information to get to know your way around the user interface.

NOTE: The interface you see might look slightly different from that shown in Figure 7: The Dashboard, because it can vary depending on the appliance's hardware platform, software version, and language.

The interface contains the following elements:

Navigation bar
The navigation bar contains four areas: user information, section icons, tab bar, and support controls.

User information bar

Section icons
The number of section icons depends on the software version that you are using. Click an icon to change the information in the content area and the tab bar. The icons include the following:

Table 3: Section items (Menu: Features)

Dashboard: Use this page to see a summary of the appliance. From this page you can access most of the pages that control the appliance.

Reports: Use the Reports pages to view events recorded on the appliance, such as viruses detected in email messages or during web access, and system activities such as details of recent updates and logins.

Email: Use the Email pages to manage threats to email messages, quarantine of infected email, and other aspects of email configuration.

Web: Use the Web pages to manage threats to web downloads, and to manage other aspects of web configuration.

System: Use the System pages to configure various features on the appliance.

Troubleshoot: Use the Troubleshoot pages to diagnose any problems with the appliance.

Tab bar
The contents of the tab bar are controlled by the selected section icon. The selected tab dictates what is displayed in the content area.

Support control buttons
The support control buttons are actions that apply to the content area.

Table 4: Support control buttons (Description)
- Refreshes or updates the content.
- Returns you to the previously viewed page. We recommend that you click this button, rather than your browser's Back button.
- Appears when you configure something to allow you to apply your changes.
- Appears when you configure something to allow you to cancel your changes.
- Opens a window of Help information. Much of the information in this window also appears in the Product Guide.

View control
The view control button shows or hides a status window. The status window, which appears in the bottom right of the interface, shows recent activity. New messages are added at the top of the window. If a message is blue and underlined, you can click the link to visit another page. You can also manage the window with its own Clear and Close links.

Content area
The content area contains the currently active content and is where most of your interaction will be.

NOTE: The changes that you make take effect after you click the green checkmark.

Dashboard status information and configuration options
The Dashboard provides a summary of the activity of the appliance. Use this page to access most of the pages that control the appliance. On a cluster master appliance, use this page also to see a summary of activity on the cluster of appliances.

NOTE: To change the view in any section, click Edit, which opens another window.

The Dashboard provides a single location for you to view summaries of the activities of the appliance. Depending on how you have your appliance configured, you can view information about:
- The email flowing through the appliance.
- The web traffic being scanned.
- The overall system health of the appliance.
- Current detection rates.
- The performance of your network.
- Email messages being queued by the appliance.
- The number of scanning policies that you have in place, separated by protocol.

You can also configure a list of links to tasks that you often use, providing you with a quick and easy method of moving to the correct area of the user interface.

The lower pane of this page displays key graphic information about performance of the appliance. Each of these Dashboard panes can be customized to show the information that you need most often.

When you log on to the appliance, and as you work within its configuration pages, a dialog box appears in the bottom right-hand corner of the screen to inform you of any recommended configuration changes, or give warning messages concerning the appliance operation or settings.

For example, it warns you when Global Threat Intelligence feedback is not enabled for all policies.

Figure 7: The Dashboard

Dashboard panes

Table 5: Dashboard Option Definitions (Option: Definition)

Email Detections and Web Detections: Displays the number of detections under each protocol. Click Edit to change the view in this window. Although you can choose not to display information about a protocol, the appliance continues to scan that traffic.

System Health: Displays the status of important components and lets you change the settings of recommended system configuration changes:
- For Updates, a green checkmark indicates that the component will update itself automatically. To make a manual update, click the blue link.
- For other components, a green checkmark indicates that the component is operating within acceptable limits. For more information, click the blue links.
- To adjust the levels at which the warning and alert icons appear, and to change what the recommended configuration changes dialog box displays, click Edit.

Current detection rates: Displays the status of important detections by the appliance, using icons.

Network: Displays the number of connections under each protocol. Although you can deselect a protocol after clicking Edit, the appliance continues to handle that traffic.

Email Queues: Displays the number of items, and the number of recipients for each queued item in the Queued, Quarantined, and Release requests queues maintained by the appliance, using icons. To visit the pages that manage the queues, click the blue links. To quickly search through email in the queues, click Quick search.

Scanning Policies: Displays a list of the policies that the appliance is applying. Although you can deselect a protocol after clicking Edit, the appliance continues to apply policies to that traffic. To view the scanning policies or add more policies, click the blue links.

Tasks: Displays a list of common tasks. To remove or reorganize the tasks, click Edit.

Load balancing: On a master cluster appliance, displays the state of the cluster of appliances. To change the settings of the meter, click Edit.

Graphs...: Displays graphs that show appliance activity over time. Although you can deselect a protocol after clicking Edit, the appliance continues to monitor that traffic.

Load balancing

NOTE: This section is available only on a cluster master appliance or management blade (on a Content Security Blade Server).

Table 6: Load Balancing Option definitions (Option: Definition)

Email | Web: When clicked, the meter displays Message per hour (Email) or Conversations per hour (Web).

Message per hour (Email) / Conversations per hour (Web): Displays the average throughput of the cluster, based on measurements taken every few minutes. If the cluster has twice as many scanning appliances, its throughput almost doubles too. Extra management activity consumes some of the processing power.

Status: Displays the status of the device:
- Operating normally
- Needs attention
- Needs immediate attention

Scanning Device Type: Displays the type of scanning device:
- Cluster Master
- Cluster Failover
- Email and Web Security Appliance
- Email Security Appliance
- Web Security Appliance
- Web Gateway Appliance

Name: Displays the name of the appliance as configured.

State: Displays the current state of each appliance:
- Network: Connected to the network
- Redundant: The Cluster Failover device is not currently running but will take over if the master cluster appliance fails
- Install: Installing software
- Synchronizing: Synchronizing with the cluster master
- Boot: Booting
- Shutdown: Shutting down
- Malconfigured: Configuration file is faulty
- Unconfigured: Not configured for load balancing
- Disabled: Disabled by the user
- Failed: No longer on the network. No heartbeat was detected
- Fault: A fault has been detected on this appliance
- Legacy: Not compatible for load balancing

Load: Displays the average system load over a period of five minutes.

Active: Displays the number of active connections for each appliance. The row for the cluster master shows the total for all appliances.

Connections: Displays the number of connections handled by each appliance since the counters were last reset.

Component version information: Displays the versions of anti-spam and anti-virus DAT files. The version numbers are the same if the appliances are up-to-date. During updating, the values might be different. To see more information, move the cursor over the text and wait for a yellow box to appear.

Counter behavior
All counters trigger once for every detection. For example, if a message contains two attachments that both contain viral content, the Viruses counter increments by two. The information in the following table applies to SMTP and POP3 statistics unless otherwise specified.
Table 7: Counter behavior (Counter: Behavior)

Messages: The SMTP counter increments once:
- When a TCP connection is made to the SMTP port on the appliance
- From the second <MAIL FROM> command if more than one email is received in the same SMTP conversation
The POP3 counter increments once for every message that the appliance downloads.

Secure Messages: Increments once:
- When a STARTTLS command is issued over the standard SMTP port
- When the appliance intercepts the TLS conversation, from the second <MAIL FROM> command if more than one email is received in the same SMTP conversation
- When messages are sent over SMTPS

Blocked connections: Increments once for every SYN packet coming from an IP address that has triggered a Reject, close and deny (Block) action. The Real-time blackhole list (RBL) lookup feature is configured to perform this action by default for the next ten minutes.

Viruses, PUPs, Compliance, and Data Loss Prevention: Increment once for every detection, for example, if a message contains two attachments that both contain viral content, the Viruses counter increments by two.

Spam and phish and Sender authentication: Increment once for every message that triggers the scanner.

Other: Increment once for every detection. Applies to messages filtered because of their size, those that fail anti-relay and directory harvest checks, and those that contain corrupt content, protected content, encrypted content, or signed content.

NOTE: Due to the way that Dashboard counters are aggregated, there is a slight difference between the information displayed in the Dashboard and that returned in a scheduled report.

Information about statistics shown in the Email Queues list
This information applies to the Queued, Quarantined, and Release requests queues:

- If one message is sent to two recipients and is queued for delivery (for example, because the onward MTA is down):
  - The number of items in the queue will be 1 because the appliance received one message.
  - The number of recipients will be 2 because the message has two recipients.
  NOTE: If you click on the Queued hyperlink, you see two items because there is one message for each recipient.
- If two messages are sent to one recipient and are queued for delivery (for example, because the onward MTA is down):
  - The number of items in the queue will be 2 because the appliance received two messages.
  - The number of recipients will be 2 because each message has one recipient.
  NOTE: If you click on the Queued hyperlink, you see two items.

Task: Turn off the McAfee Global Threat Intelligence feedback disabled warning
By default, the appliance displays a warning message if you have not enabled McAfee Global Threat Intelligence (GTI) feedback because McAfee considers it best practice to enable this form of communication.
1 On the appliance Dashboard, select Edit from the System Health area.
2 Deselect Show a warning if McAfee GTI feedback is not enabled.
3 Click OK.

Testing the Virtual Appliance Configuration

This information describes how to test that the McAfee Email and Web Security Virtual Appliance is functioning correctly after installation.

Contents
- Testing connectivity
- Updating the DAT files
- Testing mail traffic and virus detection
- Testing spam detection
- Testing web traffic and virus detection

Testing connectivity
Use this task to confirm basic connectivity. The McAfee Email and Web Security Virtual Appliance checks that it can communicate with the gateway, update servers and DNS servers. It also confirms that the virtual appliance name and domain name are valid.

Task
1 Open the System Tests page using one of these methods:
  - From the Tasks section of the Dashboard, select Run system tests.
  - From the navigation bar, select Troubleshoot.
2 Select the Tests tab.
3 Click Start Tests. Each test should return positively.

Updating the DAT files
To ensure that the McAfee Email and Web Security Virtual Appliance has the most up-to-date detection definition (DAT) files, we recommend updating them before you configure the scanning options.

As you progress using the virtual appliance, you can choose to update individual types of definition file and change the default scheduled updates to suit your requirements.

Task
1 Open the Updates page using one of these methods:
  - From the System Health area of the Dashboard, select Updates.
  - Select System | Component Management | Update Status.

Testing the Virtual Appliance Configuration Testing mail traffic and virus detection 2 To update all DAT files, click Update Now. 3 To ensure the virtual appliance has the most up-to-date software patch installed, go to the product Dashboard, select Updates, and click Update Now. Testing mail traffic and virus detection Use this task to test that mail traffic is passing successfully through the McAfee Email and Web Security Virtual Appliance and that threats are correctly identified. We use the EICAR test file, a harmless file that triggers a virus detection. Task 1 Send an email message from an outside email account (such as Hotmail) to an internal mailbox and confirm that it arrived. 2 On the Dashboard, look at the Email Detections area. The listing for the protocol you used to send the message should show that a message was received. 3 Copy the following line into a file, making sure you do not include any spaces or line breaks: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* 4 Save the file with the name EICAR.COM. 5 From an external email account (SMTP client), create a message that contains the EICAR.COM file as an attachment and send the message to an internal mailbox. 6 Return to the Dashboard and look at the Email Detections area. You should see that a virus was detected. 7 Delete the message when you finish testing your installation, to avoid alarming unsuspecting users. Testing spam detection Use this task to run a General Test mail for Unsolicited Bulk Email (GTUBE) to verify that incoming spam is detected. Task 1 From an external email account (SMTP client), create a new email message. 2 In the body of the message, copy the following text: XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X Make sure that you type this line with no line breaks. 3 Send the new email message to an internal mailbox address. The software scans the message, recognizes it as a junk email message, and deals with it accordingly. 
The GTUBE overrides blacklists and whitelists. Testing web traffic and virus detection Use this task to test that web traffic is passing successfully through the McAfee Email and Web Security Virtual Appliance. For the purpose of this example, scanning is enabled for the HTTP protocol. 35

Testing the Virtual Appliance Configuration Testing web traffic and virus detection Task 1 Go to an external website to confirm a public connection. 2 Go to the Dashboard. The HTTP list shows that you accessed a website. 3 Go to the EICAR website (www.eicar.org) and open the EICAR test file. Your browser receives a blocked message. 4 Return to the Dashboard and look at the Web Detections area. The HTTP list shows that a virus was detected. 36
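The mail and spam tests above both depend on a 68-character test string reaching the scanner with no added spaces or line breaks. The following Python is an added example, not part of the McAfee guide: it builds the EICAR attachment message and the GTUBE message, then re-parses each one to confirm the string survives MIME encoding. The mailbox addresses and the relay host passed to send() are placeholders you supply.

```python
"""Build and self-check the EICAR and GTUBE test messages (added example)."""
import smtplib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Test strings exactly as printed in the guide; each is 68 characters long.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"


def validate_test_string(value: str) -> bytes:
    """Reject copies that picked up whitespace, line breaks or non-ASCII characters."""
    data = value.encode("ascii")  # raises UnicodeEncodeError on non-ASCII input
    if len(data) != 68 or any(ch in b" \t\r\n" for ch in data):
        raise ValueError("test string must be 68 bytes with no spaces or line breaks")
    return data


def build_eicar_message(sender: str, recipient: str) -> EmailMessage:
    """Message carrying EICAR.COM as an attachment (mail test, steps 3 to 5)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "Gateway test: EICAR attachment"
    msg.set_content("Anti-virus detection test. The attachment is the EICAR test file.\n")
    msg.add_attachment(validate_test_string(EICAR), maintype="application",
                       subtype="octet-stream", filename="EICAR.COM")
    return msg


def build_gtube_message(sender: str, recipient: str) -> EmailMessage:
    """Message whose body is the GTUBE line on a single line (spam test, step 2)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "Gateway test: GTUBE"
    msg.set_content(validate_test_string(GTUBE).decode("ascii") + "\n")
    return msg


def survives_transport(msg: EmailMessage) -> bool:
    """Serialize, re-parse, and confirm the test string is byte-for-byte intact."""
    parsed = BytesParser(policy=policy.default).parsebytes(msg.as_bytes())
    attachments = list(parsed.iter_attachments())
    if attachments:
        part = attachments[0]
        return (part.get_filename() == "EICAR.COM"
                and part.get_content() == EICAR.encode("ascii"))
    body = parsed.get_body(preferencelist=("plain",)).get_content()
    return GTUBE in body.splitlines()


def send(msg: EmailMessage, relay_host: str, port: int = 25) -> None:
    """Submit through an external SMTP relay so the message enters via the appliance."""
    with smtplib.SMTP(relay_host, port, timeout=30) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    # Placeholder addresses; replace with an external sender and an internal mailbox.
    for build in (build_eicar_message, build_gtube_message):
        message = build("tester@external.example", "user@internal.example")
        print(message["Subject"], "intact after encoding:", survives_transport(message))
```

After sending, the Email Detections area of the Dashboard is where each message should register, as described in the tasks above.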

Exploring the Virtual Appliance Features

This section contains tasks to demonstrate the McAfee Email and Web Security Virtual Appliance scanning features in action. It provides step-by-step instructions to create and test some sample policies and tells you how to generate applicable reports.

Contents
- Scanning policies and how they affect your network
- Scanning for content using email compliance rules
- Preventing loss of sensitive data
- Dealing with quarantined messages
- Monitoring spam detection
- Monitoring web-based activity using the default URL filtering settings and SiteAdvisor
- Controlling user access by role

Scanning policies and how they affect your network

A policy is a collection of settings and rules that tells the McAfee Email and Web Security Virtual Appliance how to combat specific threats to your network. When you create real scanning policies for your organization, it is important that you spend time researching and planning your requirements. You can find guidelines to help you in your policy planning in the online Help available from the product interface.

Scanning for content using email compliance rules

Use compliance scanning to assist with conformance to regulatory compliance and corporate operating compliance. You can choose from a library of predefined compliance rules, or create your own rules and dictionaries specific to your organization.

Compliance rules can vary in complexity from a straightforward trigger when an individual term within a dictionary is detected, to building on and combining score-based dictionaries which will only trigger when a certain threshold is reached. Using the advanced features of compliance rules, dictionaries can be combined using logical operations of any of, all of, or except.

1. Follow these steps to block email messages that violate the "threatening language" policy:
   a. Go to Email | Email Policies | Scanning Policies and select Compliance.
   b. On the Default Compliance Settings dialog box, click Yes to enable the policy.
   c. Click Create new rule from template to open the Rule Creation Wizard.
   d. Select the Acceptable Use - Threatening Language policy, and click Next.
   e. Optionally change the name of the rule, and click Next.
   f. Change the primary action to Accept and then drop the data (Block), and click Finish.
   g. Click OK and apply the changes.
2. Follow these steps to create a simple custom rule to block email messages that contain social security numbers:
   a. Go to Email | Email Policies | Scanning Policies and select Compliance.
   b. On the Default Compliance Settings dialog box, click Yes to enable the policy.
   c. Click Create new rule to open the Rule Creation Wizard.
   d. Type a name for the rule, and click Next.
   e. In the Search field, type social.
   f. Select the Social Security Number dictionary, and click Next twice.
   g. Select the Accept and then drop the data (Block) action, and click Finish.
3. Follow these steps to create a complex rule that triggers when both Dictionary A and Dictionary B are detected, except when Dictionary C is also detected:
   a. Go to Email | Email Policies | Scanning Policies and select Compliance.
   b. On the Default Compliance Settings dialog box, click Yes to enable the policy.
   c. Click Create new rule to open the Rule Creation Wizard.
   d. Type a name for the rule, and click Next.
   e. Select two dictionaries to include in the rule, and click Next.
   f. Select a dictionary that you want to exclude from the rule in the exclusion list.
   g. Select the action that you want to take place if the rule triggers.
   h. From the And conditionally drop down box, select All, and click Finish.
4. Follow these steps to add a new dictionary to an existing rule:
   a. Go to Email | Email Policies | Scanning Policies and select Compliance.
   b. Expand the rule that you want to edit.
   c. Select Add dictionaries.
   d. Select the new dictionary that you want to include, and click OK.
5. Follow these steps to configure a Discontent rule to monitor at a low threshold and block at a high threshold:
   a. Go to Email | Email Policies | Scanning Policies and select Compliance.
   b. Click Create new rule, type a name for it such as Discontent - Low, and click Next.
   c. Select the Discontent dictionary, and in Threshold, type 20.
   d. Click Next, and Next again.
   e. In If the compliance rule is triggered, accept the default action.
   f. Click Finish.
   g. Repeat steps 2 through 4 to create another new rule but name it Discontent - High and assign it a threshold of 40.
   h. In If the compliance rule is triggered, select Accept and then drop the data (Block).
   i. Click Finish.
   j. Click OK and apply the changes.

6. Follow these steps to edit the threshold associated with an existing rule. This task assumes that your rule includes a dictionary which triggers the action based on a threshold, such as the Compensation and Benefits dictionary:
   a. Go to Email | Email Policies | Scanning Policies and select Compliance.
   b. Expand the rule that you want to edit, then select the Edit icon next to the dictionary whose score you want to change.
   c. In dictionary threshold, type the score on which you want the rule to trigger, and click OK.
7. Follow these steps to restrict the score contribution of a dictionary term. This task assumes that your rule includes a dictionary which triggers the action based on a threshold score, such as the Compensation and Benefits dictionary. For such dictionaries, you can restrict how many times a term can contribute to the overall score:
   a. Go to Email | Email Policies | Scanning Policies and select Compliance.
   b. Expand the rule that you want to edit, then click the Edit icon next to the dictionary whose score you want to change.
   c. In Maximum term count, type the maximum number of times that you want a term to contribute to the score.

NOTE: You can apply the same policy to webmail by editing the HTTP policy.

Preventing loss of sensitive data

Use this task to block a sensitive financial document from being sent out of your organization.

Task
1. Go to Email | Email Policies | Registered Documents, and create a category named Finance and upload documents to it.
2. Go to Email | Email Policies | Scanning Policy, and select the Data Loss Prevention policy.
3. On the Default Data Loss Prevention Settings dialog box, click Yes to enable the policy.
4. Click Create new rule, select the Finance category, and click OK to have the category appear in the Rules list.
5. Select the action associated with the category, change the primary action to Accept and then drop the data (Block), and click OK.
6. Click OK again, and apply the changes.

Dealing with quarantined messages

Use this task to search for email messages that have been quarantined due to compliancy issues, and release the message to the intended recipient.

Task
1. Click Email | Message Search.

2. Select Quarantined from the Message status drop-down list.
3. Click Search/Refresh. All messages that have been quarantined are displayed in the lower part of the page.
4. To find those email messages quarantined due to compliancy issues, select Compliancy from the Category drop-down list.
5. Click Search/Refresh. The lower part of the screen is refreshed to show only the messages that have been quarantined due to compliancy issues.
6. To view the email message quarantined due to compliancy issues, select the relevant quarantined message using the check-box to the left of the page.
7. Click View Message. The selected message is displayed in a new window. From this window, you can view the content of the email message. You can also choose to view the detailed email header information.
8. To release the quarantined email message, click Release Selected. The selected email message is released from quarantine.

NOTE: Email messages that contain viral content cannot be released from quarantine, as to do so would risk causing damage to your systems.

Monitoring spam detection

Use this task to monitor the spam detection rate using the out-of-the-box SMTP spam detection policy. As soon as you complete the configuration console, these settings are working to protect your network and your users from unwanted spam messages. The settings are described in greater detail in the online Help available from the user interface.

By default, Email and Web Security Virtual Appliance:
- Blocks phish messages.
- Marks messages that have a score greater than or equal to five as spam.
- Drops spam messages that have a score greater than or equal to ten.
- Has sender authentication enabled.

Using these default settings, your virtual appliance detects more than 98 percent of all spam messages.

NOTE: Sender authentication incorporates McAfee Global Threat Intelligence message reputation. If a sender fails the McAfee Global Threat Intelligence message reputation check, the virtual appliance rejects the email, closes the connection and denies the sending IP address. The sender's IP address is added to a list of blocked connections and is automatically blocked for ten minutes at the kernel level (you can alter the default blocking duration). The Email Detections area of the Dashboard displays the number of blocked connections.

Task
1. From the Scanning Policies area of the Dashboard, select SMTP | Default policy to view the standard anti-spam detection settings.

2. Check that spam messages are identified correctly by sending a message through the virtual appliance that triggers the spam detection settings.
3. To monitor the detection rate, return to the Dashboard and look at the Email Detections area. The Spam and phish figure and the Sender authentication figure increment. The sender authentication detections figure includes the number of senders who fail the McAfee Global Threat Intelligence message reputation check. Email graphs give a graphical representation of the data.
4. To get a report on email activity, go to Tasks and select View favorite email reports.
5. Look at the Blocked (Today) report and the Top Spam Senders (Today) report.

Monitoring web-based activity using the default URL filtering settings and SiteAdvisor

Use this task to see McAfee SiteAdvisor and the default URL filtering settings in action with HTTP. As soon as you complete the Setup Wizard, these settings are working to protect your network and users from inappropriate or malicious websites.

Task
1. From the Scanning Policies area of the Dashboard, select HTTP and click Default policy.
2. Select Enhanced URL filtering : Enabled : SiteAdvisor to view the default settings. SiteAdvisor denies access to a URL if it rates the site with a Warning classification.
3. To test that SiteAdvisor is scanning HTTP traffic correctly, go to http://warn.siteadvisor.
4. Return to the Dashboard and look at the Web Detections area. In the HTTP column, the SiteAdvisor entry will increment.
5. To get a visual representation of the web reputation activity from the Dashboard, look at the SiteAdvisor bar in the Web Graphs.
6. In the Tasks area, click View favorite web reports and select Web Reports. Look at the Blocked (SiteAdvisor, Today) report to find out how many web queries have been blocked, modified, or monitored that day. Look at the Top URL List report to see the most frequently opened URLs for that day.

Controlling user access by role

Use this task to create a user who can only create and view reports on McAfee Email and Web Security Virtual Appliance activity.

Task
1. From the Tasks area of the Dashboard, select Manage Users.
2. In User Accounts And Roles, select Add User.
3. Type a user name, such as exampleuser. From Role, select Reports Administrator.
4. Type a password, type it again to confirm it, click OK, and apply your changes. Your new user appears in the Accounts list with the role Reports Administrator.
5. Log off and log on again using the credentials for the user you just created.
6. On the interface, note the following:
   - The navigation bar contains only the Dashboard and Reporting icons.
   - All status information is visible but cannot be edited.
   - The Tasks list contains only reporting-related options such as Manage scheduled reports.
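The compliance tasks earlier in this chapter configure score-based dictionaries (Discontent monitored at a threshold of 20 and blocked at 40), a Maximum term count, and dictionaries combined with all of, any of, or except. The following Python is an added example that models that logic so you can plan thresholds before creating rules; it is not the appliance's scanning engine. The term scores, the sample text, the dictionary contents, and the assumption that a rule triggers when the score is greater than or equal to the threshold are all constructed for illustration.

```python
"""Simplified model of score-based compliance rules (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Dictionary:
    name: str
    terms: dict                           # term -> score added per occurrence (constructed)
    threshold: int = 1                    # a plain dictionary triggers on the first hit
    max_term_count: Optional[int] = None  # cap on how often one term may contribute

    def score(self, text: str) -> int:
        total = 0
        for term, value in self.terms.items():
            hits = len(re.findall(rf"\b{re.escape(term)}\b", text, re.IGNORECASE))
            if self.max_term_count is not None:
                hits = min(hits, self.max_term_count)
            total += hits * value
        return total

    def detected(self, text: str) -> bool:
        # Assumption: "threshold is reached" means score >= threshold.
        return self.score(text) >= self.threshold


@dataclass
class Rule:
    name: str
    action: str                                  # "Monitor" or "Block"
    all_of: list = field(default_factory=list)
    any_of: list = field(default_factory=list)
    except_: list = field(default_factory=list)

    def triggers(self, text: str) -> bool:
        if any(d.detected(text) for d in self.except_):
            return False                         # an excluded dictionary vetoes the rule
        if self.all_of and not all(d.detected(text) for d in self.all_of):
            return False
        if self.any_of and not any(d.detected(text) for d in self.any_of):
            return False
        return bool(self.all_of or self.any_of)


def evaluate(rules, text):
    """Return the strictest action among triggered rules, plus their names."""
    fired = [r for r in rules if r.triggers(text)]
    if any(r.action == "Block" for r in fired):
        action = "Block"
    else:
        action = "Monitor" if fired else "Allow"
    return action, [r.name for r in fired]


# Constructed term scores; a real Discontent dictionary has its own terms and weights.
DISCONTENT_TERMS = {"unfair": 5, "resign": 10, "lawsuit": 15}


def discontent_rules(max_term_count=None):
    """The Discontent - Low (20, monitor) and Discontent - High (40, block) pair."""
    low = Dictionary("Discontent", DISCONTENT_TERMS, 20, max_term_count)
    high = Dictionary("Discontent", DISCONTENT_TERMS, 40, max_term_count)
    return [Rule("Discontent - Low", "Monitor", all_of=[low]),
            Rule("Discontent - High", "Block", all_of=[high])]


MILD = "This is unfair and I may resign. Truly unfair."   # constructed, scores 20
REPEATED = "unfair " * 10                                  # constructed, scores 50 uncapped

if __name__ == "__main__":
    print(evaluate(discontent_rules(), MILD))
    print(evaluate(discontent_rules(), REPEATED))
    print(evaluate(discontent_rules(max_term_count=2), REPEATED))
```

The last call shows why Maximum term count matters: without the cap, one word repeated ten times reaches the blocking threshold on its own.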

Additional Configuration Options

This information gives some best practice tips and some advanced configuration options.

Contents
- Upgrading to Email and Web Security Virtual Appliance 5.6
- Installing the virtual appliance on VMware Server 2.0 running on Microsoft Windows
- Installing the virtual appliance on VMware Server 1.0 running on Microsoft Windows
- Running a virtual appliance on VMware Server in a transparent operating mode
- Running a virtual appliance on VMware ESX, VMware vSphere, or VMware ESXi in a transparent operating mode
- Changing the default Power Off and Reset actions
- Configuring the shutdown and restart option
- Converting from a VMtrial installation

Upgrading to Email and Web Security Virtual Appliance 5.6

Use this task to upgrade to McAfee Email and Web Security Virtual Appliance 5.6 using the software ISO image.

NOTE: You must have Email and Web Security Virtual Appliance 5.5 installed already. For more information, see the Email and Web Security Appliance 5.6 Release Notes, available from the McAfee download site.

Task

NOTE: After an operating system is installed on a virtual appliance, the virtual machine always starts from the hard disk first. To work around this feature, you have to shut down the virtual machine and configure a power-on-boot delay so that you have enough time to access the Boot menu and tell it to start from the installation CD instead.

1. Download the Email and Web Security Virtual Appliance 5.6.zip file from the McAfee download site and extract it.
2. Shut down the virtual appliance:
   a. Log on to the virtual appliance user interface and go to System | System Administration | System Commands.
   b. Enter the password.
   c. Select Shutdown Appliance.
3. Log on to VMware ESX Server or use the VMware Infrastructure Client, or the VMware vSphere Client to log on to VMware Virtual Center Server.
4. Enable a Power-on-Boot delay to get enough time to force the virtual machine to boot from CD:
   a. Select the Email and Web Security Virtual Appliance virtual machine in the Inventory list and click Summary.
   b. Select Edit Settings | Options | Boot Options.
   c. In Power-on-Boot Delay, type 10,000 in the text box and click OK.
5. Turn on the virtual appliance.
6. Make sure the cursor focus is on the Virtual Appliance console. Then press the ESC key to open the Boot Menu.
   CAUTION: Do not select any options yet.
7. Release the cursor from the console and select Connect CD/DVD 1.
8. Browse to the folder where you extracted the Email and Web Security Virtual Appliance 5.6.zip file and double-click <McAfee-EWS-SIG-5.6-<build number>.vmbuy.iso>.
9. When the ISO file is connected, click back on to the console screen. Select CD-ROM Drive and press the ENTER key.
10. The virtual appliance starts from the ISO file.
11. Press y to agree to the terms of the license agreement.
12. Select the upgrade option that you want, and press the ENTER key to perform the upgrade.
13. Type y to confirm that you want to continue.

Installing the virtual appliance on VMware Server 2.0 running on Microsoft Windows

Use this task to install McAfee Email and Web Security Virtual Appliance onto a host computer running VMware Server 2.0.

NOTE: To achieve optimum performance and throughput in a virtual environment, McAfee recommends that you run the virtual appliance on VMware vSphere. See Installing the virtual appliance on VMware ESX or VMware ESXi, or Installing the virtual appliance on VMware vSphere and VMware vSphere Hypervisor (ESXi).

VMware Server 2.0 needs the Java Runtime Environment (JRE) installed on the host computer. If the JRE is not already installed, VMware Server 2.0 installs it for you.

NOTE: VMware Server 2.0 is suitable to run the Virtual Appliance in a test environment or smaller deployments.

After you install VMware Server 2.0, McAfee recommends that you disable DHCP on VMnet0 virtual network to avoid a conflict with any DHCP services that are running on your physical network.

If you used Email and Web Security Appliance (VMtrial) to test the software, you can save your VMtrial configuration and restore it onto the virtual appliance when the installation is complete.

Before you begin
- Download the package.zip file from the McAfee download site that contains the installation files for VMware ESX and VMware Server and extract it onto the host computer.

- Download VMware Server 2.0 and make a note of your registration ID.
- If you have VMware Server 2.0 running on the Microsoft Windows operating system, McAfee recommends that you set the Windows Update feature to Download updates for me but let me choose when to install them, to avoid the operating system restarting after the updates install and consequently damaging the virtual disks.

Task
1. Open the VMware Server Infrastructure Web Access console (Start | VMware | VMware Server Home Page).
2. Log on using your Microsoft Windows login and password.
3. In Commands, click Add Datastore and type a name for it. Type the full directory path to where you extracted the VMX file earlier and click OK.
4. Stop the VMware Server DHCP server to prevent it from interfering with DHCP servers on your network.
   a. Open the Virtual Network Editor (Start | VMware | VMware Server | Manage Virtual Networks). If you are using the Microsoft Windows Vista operating system, right-click Manage Virtual Networks and select Run as administrator.
   b. Click the DHCP tab.
   c. Click Stop and click OK.
5. Add the Email and Web Security Virtual Appliance as a virtual machine:
   a. In VMware Infrastructure Web Access, go to the Commands area, select Add Virtual Machine to Inventory, and select the datastore that you created earlier.
   b. Select the McAfee.vmx file in the Contents list, and click OK to have it appear in the Inventory list.
6. Set up the hardware options to run the virtual appliance either on your network to scan traffic, or on the host computer.
   NOTE: To avoid network loops, McAfee recommends that if you run your VMware Server in Host-only mode, you do not run the virtual appliance in transparent bridge mode.
   a. In the VMware Infrastructure Web Access console, select the virtual machine.
   b. From the Hardware list, select Network Adapter 1 and click Edit.
   c. Change the hardware options as necessary. Repeat for Network Adapter 2. Click OK.
7. In VMware Infrastructure Web Access, select the Email and Web Security Virtual Appliance virtual machine and click the green button to start it.
8. View the virtual machine console:
   a. In VMware Infrastructure Web Access, select Console and click anywhere in the black window. You may be asked to install the VMware Remote Access console plug-in on first installation.
   b. Accept the license agreement.
   c. Choose 1.
   d. Type y to confirm that you want to continue and wait for the virtual appliance to install. The Email and Web Security Virtual Appliance Welcome screen appears.
9. On the Welcome screen, choose the language that you want to use.
10. Accept the terms of the license agreement.
11. Complete the graphical configuration wizard.
    NOTE: If you are unfamiliar with any settings in the graphical configuration wizard, use the Quick Help panel on the left of the content area. To display the Quick Help in a new window, click the help icon in the navigation bar.
12. When complete, click Finish and wait for the settings to be applied.
13. To log on:
    a. From a browser on the same network as the appliance, type https://<ip address>.
    b. Accept the security certificates.
    c. At the logon window, type the user name scmadmin and password.

Installing the virtual appliance on VMware Server 1.0 running on Microsoft Windows

Use this task to install McAfee Email and Web Security Virtual Appliance onto a host computer running VMware Server 1.0.

NOTE: To achieve optimum performance and throughput in a virtual environment, McAfee recommends that you run the virtual appliance on VMware ESX Server 3.5 or VMware ESXi. See Installing the virtual appliance on VMware ESX or VMware ESXi, or Installing the virtual appliance on VMware vSphere and VMware vSphere Hypervisor (ESXi).

NOTE: VMware Server is suitable to run the virtual appliance in a test environment or smaller deployments.

After you install VMware Server, McAfee recommends that you disable DHCP on the VMnet0 virtual network to avoid a conflict with any DHCP services that are running on your physical network.

If you used the Email and Web Security Appliance (VMtrial) product to test the software, you can save your VMtrial configuration and restore it onto the virtual appliance when the installation is complete.

Before you begin
- Download the package.zip file from the McAfee download site that contains the installation files for VMware ESX and VMware Server and extract it onto the host computer.
- Download VMware Server and make a note of your registration ID.
- If you have VMware Server running on the Microsoft Windows operating system, McAfee recommends that you set the Windows Update feature to Download updates for me but let me choose when to install them, to avoid the operating system restarting after the updates install and consequently damaging the virtual disks.

Task
1. On the host computer, go to the location where you extracted the contents of the virtual appliance.zip file.
   NOTE: Ensure that this is the location where you want to run the virtual appliance. Otherwise, move it before you continue with the installation.
2. Open the McAfee-EWS-SIG-5.x... folder that contains the Email and Web Security Virtual Appliance installation files.

3. Double-click the EWS-SIG-5.x<package number>.vmx configuration file. The VMware Server console starts up, listing the new virtual machine in its inventory list.
4. From the Inventory list, right-click the MWS... item and select Settings.
5. Check that Ethernet is set to Bridged mode and that Ethernet2 is set to Host-only mode.
6. On the VMware Server console Summary view, select Start this virtual machine. The panel on the right shows the virtual appliance startup sequence.
7. Read and accept the license agreement.
8. Select 1 to perform a complete installation, then y to confirm your choice. Wait while Email and Web Security Virtual Appliance is installed. The graphical configuration wizard appears.
9. Configure the settings in the Email and Web Security Virtual Appliance graphical configuration wizard.
   NOTE: McAfee recommends that you run the virtual appliance in the default, explicit proxy mode. On a default VMware Server, there are three virtual networks available for the virtual appliance that can remain unchanged if you run the virtual appliance in explicit proxy mode:
   - VMnet0 (Bridged): The network is automatically bridged to one of your host's physical network adapters.
   - VMnet1 (Host-only): A private network shared with the host. There is no bridge between this network and the host's physical network adapters.
   - VMnet8 (NAT): Another private network shared with the host. It uses Network Address Translation to share the host's IP address.
   NOTE: If you are unfamiliar with any settings in the graphical configuration wizard, use the Quick Help panel on the left of the content area. To display the Quick Help in a new window, click the help icon in the navigation bar.
10. When complete, click Finish and wait for the settings to be applied.
11. To log on:
    a. From a browser on the same network as the appliance, type https://<ip address>.
    b. Accept the security certificates.
    c. At the logon window, type the user name scmadmin and password.

Running a virtual appliance on VMware Server in a transparent operating mode

Use this task to set up a virtual appliance to run in either of the transparent operating modes. By default, VMware Server creates only one bridged interface. To run in either of the transparent modes on VMware Server, you need two bridged interfaces.

NOTE: McAfee recommends that you run the McAfee Email and Web Security Virtual Appliance in the default explicit proxy mode and do not configure it to run in either of the transparent modes.

Before you start

To install the virtual appliance in either transparent router or transparent bridge mode, ensure that your host computer has two NICs.

Task
1. Bridge the virtual appliance Network Interface Cards (NICs) to the host computer's physical network interface through a virtual network to create the second bridged interface:
   - On VMware Server 1.0 running on the Microsoft Windows operating system, open the VMware Server Console and select Host | Virtual Network Settings.
   - On VMware Server 2.0, open the Virtual Network Editor (Start | VMware | VMware Server | Manage Virtual Networks). If you are using the Microsoft Windows Vista operating system, right-click Manage Virtual Networks and select Run as administrator.
   - On Linux, open a shell and run the vmware-config.pl script. Then, follow the Networking Setup instructions. Confirm that you want to create a second bridged interface.
2. Select VM | Settings to connect the virtual appliance interfaces to the two bridged interfaces.
3. Start the Email and Web Security Virtual Appliance and run the graphical configuration wizard.
4. Configure the appliance as a transparent bridge or transparent router as applicable.

Running a virtual appliance on VMware ESX, VMware vSphere, or VMware ESXi in a transparent operating mode

Use this task to set up a virtual appliance running on VMware ESX Server, VMware vSphere, or VMware ESXi installations to run in either of the transparent operating modes.

NOTE: McAfee recommends that you run the McAfee Email and Web Security Virtual Appliance in the default explicit proxy mode and do not configure it to run in either of the transparent modes.

Task
1. Create two virtual switches for the two network interfaces on the physical network.
   NOTE: Ensure each virtual switch is connected to a different physical network interface on the VMware host.
2. Follow the instructions earlier in this guide to install the virtual appliance on the virtual host until you have to import the virtual appliance using OVF.
3. To connect the virtual appliance to the virtual network, choose the two virtual switches that you created in step 1.

Changing the default Power Off and Reset actions

Use this task to change the Power Off and Reset actions in VMware ESX Server, VMware vSphere, or VMware ESXi, so the McAfee Email and Web Security Virtual Appliance can shut down without corrupting the virtual machine file system.

Task
1. Within VMware Infrastructure Client, right-click the Email and Web Security Virtual Appliance and select Edit Settings.
2. Go to the Options tab and select VMware Tools.
3. Set the option next to the red square to Shut Down Guest.
4. Next to the Reset icon (red and green arrow), set the option to Restart Guest.

Configuring the shutdown and restart option

Use this task to configure the McAfee Email and Web Security Virtual Appliance to shut down automatically and restart if you restart VMware ESX Server, VMware vSphere, or VMware ESXi.

Task
1. Select the ESX Host and click the Configuration tab.
2. Select Virtual Machine Startup/Shutdown in the Software box, click Properties, and do the following:
   - Enable the Allow virtual machines to start and stop automatically with the system option.
   - Change the Shutdown Action to Guest Shutdown.
3. Select the Email and Web Security Virtual Appliance in the list and click Move Up until it appears as the first item in the list.
4. Click Edit.
5. In Virtual Machine Autostart Settings, within the Shutdown Settings box, select the Use specified settings option and choose Guest Shutdown next to Perform shutdown action.
6. Click OK twice to shut down the configuration screen.

The virtual appliance should now appear in the list underneath the Automatic Startup heading and the value in the Shutdown column should be Shut down guest.

Converting from a VMtrial installation

Use this task to migrate any configuration settings from a McAfee Email and Web Security Appliance (VMtrial) installation to the McAfee Email and Web Security Virtual Appliance.

Task
1. From your VMtrial installation, go to System | Cluster Management | Backup and Restore Configuration.
2. Click Backup Configuration to save the configuration details.
3. Install the Email and Web Security Virtual Appliance software onto your chosen virtual environment.
4. Log on, and open the Email and Web Security Virtual Appliance software.
5. Go to System | Cluster Management | Backup and Restore Configuration, and click Restore From File.
6. Browse to the VMtrial configuration file you want to restore and click Open.
7. Select the parts of the file that you want to restore and click OK.
8. Check that the settings were imported successfully and apply the changes.

NOTE: For more information about backing up and restoring configurations, see the Email and Web Security Appliance Migration Guide.

Troubleshooting the Virtual Appliance This information includes solutions to problems that you might encounter when installing and running McAfee Email and Web Security Virtual Appliance. NOTE: Contact VMware for advice about your VMware product or go to the VMware website, http://www.vmware.com. Contents The appliance is not receiving traffic from the network Interface problems Mail issues POP3 Physical configuration issues Anti-virus automatic updating issues Anti-spam issues The appliance is not receiving traffic from the network Check the following: The appliance is switched on and its software is running. If the power button LED is orange, the appliance is connected but is not turned on. If the power LED is green, the appliance is connected and turned on. The network cables are undamaged and connected properly to the appliance s ports and your network equipment. If you have not used the cables supplied with the appliance, ensure that your cables meet the correct specification. Your network equipment is connected to the correct LAN ports on the appliance. The NIC speeds and full or half duplex settings at both ends of the connections are compatible and have auto-negotiated their settings correctly. The LAN LEDs are on. If the appliance is still not receiving network traffic, check the network cables and the network ports on your network equipment. If the cables and ports are working, there is a problem with the appliance. Contact your supplier. 51

Interface problems

This section contains solutions to problems you might encounter when trying to configure the appliance through its interface.

Why does using the Back button on my browser take me to the Logon screen?
This is a known issue with the web browser version of the appliance software. Use the appliance application instead.

I cannot access the Logon screen.
Check the following:
- The appliance is turned on and its software is running (the power LED is lit and the hard disk drive LEDs are off).
- You used https (not http) in the address field of your web browser. Ensure that your browser supports Secure Sockets Layer (SSL) encryption and that it is enabled.
- The computer you are using to manage the appliance does not have the appliance configured as its proxy.
- If you have a proxy between the management computer and the appliance, the proxy must be configured with the appliance as its handoff host.
- If you are remotely connected to the appliance (across the network) through the LAN1 port, ensure that:
  - The computer you are using has a working connection to your network, and that it can reach the same subnet to which the appliance is connected.
  - You have used the new IP address that you configured for the LAN1 port, in the URL field of your web browser. If you have not disabled or deleted the default IP address 10.1.1.108, try using that IP address (https://10.1.1.108).
  - The appliance's IP address must be suitable for the subnet to which the appliance is connected. If it is not, use the default IP address and, if that fails, try a direct management connection.
    NOTE: You can obtain a direct management connection through the LAN2 port only if you are using the appliance in explicit proxy mode and you have not disabled the LAN2 port.
  - The appliance has a working connection to your existing network, indicated by the NIC 1 network activity LED flashing on the control panel. If the LEDs are not flashing, ensure that the cable you are using is undamaged and connected properly to the appliance's LAN1 port and your existing network equipment. If you have not used the blue cable supplied with the appliance, ensure that the cable is a UTP straight-through (uncrossed) network cable.
- If the appliance is operating in explicit proxy mode and you have a direct local management connection through its LAN2 port, ensure that:
  - You have not disabled the LAN2 port. Connect remotely to check this.
  - You used the new IP address that you configured for the LAN2 port (the default is 10.1.2.108), in the URL field of your web browser.
  - The appliance has a working connection to your computer, indicated by the NIC 2 network activity LED flashing on the control panel. If the LED is not flashing, ensure that the cable you are using is undamaged and connected properly to the appliance's LAN2 port and your computer's network port. If you have not used the orange cable supplied with the appliance, ensure that the cable is a UTP crossed network cable.

My password does not work.
If you recently restored the appliance's software without maintaining the previous settings, the management password reverts to the default password, scmchangeme.

I forgot my password.
Using the appliance's recovery CD, return the appliance's password to the default passwords, which are scmchangeme and dlpchangeme.

Some of the interface does not display properly.
The appliance's interface is intended for Internet Explorer 6.0 or later on Windows, and Mozilla Firefox 2.0 on Linux. Check the accompanying release notes for known issues when using some web browsers on particular operating systems.

Client (software) cannot communicate through the appliance.
Check the following:
- The correct protocols are enabled for the appliance (all protocols are enabled by default).
- The clients and other devices are configured to route traffic to and from the appliance.
- The network has no problems, and your device is connected correctly.

Web browsing does not work or URL blocking is not enforced.
The appliance must have access to a DNS server to verify web browsing (HTTP) requests and determine which URLs to block, if URL blocking is configured.

Mail issues

This section discusses mail issues.

Anti-relay is not working.
To enable the anti-relay feature:
1 Go to Email | Email Configuration | Receiving Email | Anti-Relay Settings.
2 Add at least one local domain. Otherwise, the appliance is open to relaying and abuse by spammers from outside your network.

Why can't I just give the name of the sender that I want to block from relaying?
Think of anti-relay as system-to-system blocking, while anti-spam is sender-based blocking. Anti-relay is configured using the domains and networks that the appliance delivers mail for, while the anti-spam configuration blocks a message based on who sent it.
Directory Harvest Prevention does not work.
For Directory Harvest Prevention to work correctly, your email server must check for valid recipients during the SMTP conversation, and then send a non-delivery report.
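As an added example (not part of the McAfee guide or the product), this Python sketch reads a captured SMTP transcript from your own email server and reports whether an address known not to exist was rejected with a 5xx reply during the SMTP conversation, which is the behavior Directory Harvest Prevention depends on. The "C:"/"S:" transcript format, the sample session, and all function names are constructed for illustration.

```python
import re

# Constructed sample session (not from a real server): "C:" client, "S:" server.
SAMPLE = """\
S: 220 mail.example.test ESMTP
C: EHLO probe.example.test
S: 250-mail.example.test
S: 250 PIPELINING
C: MAIL FROM:<postmaster@example.test>
S: 250 2.1.0 Ok
C: RCPT TO:<alice@example.test>
S: 250 2.1.5 Ok
C: RCPT TO:<no-such-user-7f3a@example.test>
S: 550 5.1.1 Recipient address rejected: User unknown
C: QUIT
S: 221 2.0.0 Bye
"""

RCPT_RE = re.compile(r"^RCPT TO:\s*<([^>]*)>", re.IGNORECASE)
REPLY_RE = re.compile(r"^(\d{3})([ -]|$)")

def rcpt_replies(transcript):
    """Map each RCPT TO address to the final reply code the server gave it."""
    replies, pending = {}, None
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            m = RCPT_RE.match(text.strip())
            pending = m.group(1).lower() if m else None
        elif side == "S" and pending is not None:
            m = REPLY_RE.match(text)
            # "550-" marks a continuation line; only "550 " (or bare) ends the reply.
            if m and m.group(2) != "-":
                replies[pending] = int(m.group(1))
                pending = None
    return replies

def recipient_check_verdict(transcript, unknown_rcpt):
    """Classify how the server treated an address known not to exist."""
    code = rcpt_replies(transcript).get(unknown_rcpt.lower())
    if code is None:
        return "not-tested"
    if 500 <= code <= 599:
        return "rejected-in-session"   # failures are visible in the conversation
    if 200 <= code <= 299:
        return "accepted"              # any bounce happens later, outside the session
    return "inconclusive"              # 4xx: temporary failure, repeat the check
```

A verdict of "accepted" for a nonexistent address means the server is not validating recipients at RCPT time, so the appliance has no in-session failures to count.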

Several email servers do not send User unknown errors as part of the SMTP configuration. These include (but might not be limited to):
- Microsoft Exchange 2000 and 2003 (when using their default configuration).
- qmail.
- Lotus Domino.

Check the user documentation for your email server to see if your email server can be configured to send 550 Recipient address rejected: User unknown reports as part of the SMTP conversation when a message to an unknown recipient is encountered.

LDAP integration can provide a workaround for this. See the Product Guide for your version of Email and Web Security Appliances.

POP3

This section discusses POP3 issues.

I set up a dedicated POP3 connection, and POP3 no longer works.
Check that the generic and dedicated servers do not share the same port. The default port number for POP3 is 110. The dedicated server will override the generic server.

When fetching mail with Outlook Express over POP3, I sometimes get a time-out message, giving me the option to Cancel or Wait.
The appliance needs to download and scan the entire mail message before it can start passing it to Outlook Express. For a large message or a slow mail server, this can take some time. Click Wait to force Outlook Express to wait for the appliance to finish processing the message.

I sometimes get two copies of POP3 mail messages.
Some mail clients do not handle timeouts correctly. If the appliance is downloading and scanning a very large message, the client might time out while waiting for a response. A popup window prompts you to wait for or cancel the download. If you select Cancel and try to download again, two copies of the message might appear in your mailbox.

Physical configuration issues

This section discusses physical configuration issues.
My network has two appliances but I can log on to only one.
If you have installed an appliance, or recently used the Restore Configuration option, two or more appliances on your network might have the same default IP addresses. To make sure all appliances have unique IP addresses, you can use:
- The Setup Wizard.
- The network settings.
- The Configuration Console.

Anti-virus automatic updating issues

This section discusses issues with anti-virus automatic updating.

When I request an immediate update, nothing happens. How do I know when the DAT is updated?
To see the installed DAT version number:
- On the Dashboard, select Updates from the System Health area.
- Alternatively, select System | Component Management | Update Status.

The DAT files are downloaded, checked and applied. The appliance does not wait for the update to complete (which can take a few minutes even with a fast Internet connection) but starts it in the background. Select System | Component Management | Update Status to show the new DAT version number when you next view the page after the new DAT files have been successfully installed.

Anti-spam issues

This section discusses anti-spam issues.

I cannot find the anti-spam features described in this guide.
Some anti-spam features need the Anti-Spam Module to be enabled.

I have configured the appliance to reject spam with an RBL Servers check but some spam mail is still getting through.
No anti-spam software is fully effective, and cannot guarantee to block all spam email messages. The appliance uses a list of the names of known email abusers and the networks they use. These lists are effective in reducing unwanted email messages but are not complete.

To block a specific sender of spam:
1 In the navigation pane, select Configure | SMTP.
2 Select Protocol Settings | Permit and Deny Settings.
3 At Deny Sender, type the sender's email address.

Users are not getting normal email messages.
Users might not receive normal email messages for several reasons:
- The email messages might be coming from someone listed in the Deny Sender list. You might need to:
  - Refine the Deny Sender list to ensure that wanted email messages are not blocked. For example, you might need to type specific email addresses rather than ban a whole domain or network.
  - Add the sender, domain, or network to the Permit Sender list. The appliance does not scan email from senders, domains and networks in this list for spam. The Permit Senders list overrides entries in the Deny Sender lists.

- The email message might have been blocked because it comes from a sender or organization that has been recognized by one of your real time anti-spam lists as a potential source of spam.
- The balance between blocking spam and normal email messages might need changing. For example, if the appliance is blocking email messages when there is only a small chance that they contain spam, you risk unintentionally blocking normal email messages. It is better to risk letting some spam through.
- The email message might contain a virus or potentially unwanted program, and has been blocked by anti-virus scanning.

Users are still receiving spam.
Users might still receive spam for several reasons:
- No anti-spam software can block all email messages that might contain spam. For the best chance of detecting and preventing spam, ensure that the appliance is using the latest versions of the anti-spam engine, anti-spam rules, and extra rules files, as well as using all the features that can block unwanted email.
- The appliance is allowing streaming media to pass through.
  NOTE: Allowing streaming media to pass through the appliance is a security risk, because streaming media is not scanned by the appliance. McAfee recommends that you do not allow streaming media of type application/octet-stream or application/* to pass through the appliance because these MIME types are executable and are a security risk.
- Scanning for spam is not enabled on the appliance. Scanning must be enabled in the right direction for spam detection. To detect spam from an external source, enable inbound scanning. To detect spam from an internal source, enable outbound scanning.
- You might need a more stringent anti-spam policy. For example, you might want to ensure that more email messages are marked as spam before they are received by users, or to simply block the spam at the appliance.
- The email messages might be coming from senders, domains, or networks that are in the Permit Sender list. Review the list to make sure that you really want email messages from these senders to bypass anti-spam scanning. You might need to refine the entry in the list. For example, rather than permitting whole domains or networks, specify individual email addresses instead.
- The mail client software does not automatically move unwanted messages into a spam folder, so users still see spam in their inboxes.
- The email message might be larger than is permitted, so it is not scanned for spam. See your advanced settings for spam to change the size.
- Email messages are not being routed through an appliance with the Anti-Spam Module enabled.

How can I stop a particular type of spam?
To ensure that you have the best chance of detecting and preventing spam, check that:
- The appliance is using the latest versions of the anti-spam engine and anti-spam rules.
- The appliance has not been configured to allow streaming media to pass through.

Why has the performance changed?
Scanning email messages for spam requires appliance resources and affects SMTP performance.

Users are complaining that their mailboxes are full.
If users automatically divert spam to a spam folder in the mailbox, their mailboxes can quickly exceed their size limit. Remind users to regularly check their spam folder and delete spam.

For support information, visit mysupport.mcafee.com. Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. 700-2807A00