Product Guide
McAfee Messaging and Web Security appliances, version 4.5
McAfee Network Protection: Industry-leading intrusion prevention solutions
COPYRIGHT
Copyright 2007 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, MCAFEE, MCAFEE (AND IN KATAKANA), MCAFEE AND DESIGN, MCAFEE.COM, MCAFEE VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Attributions
This product includes or may include:
Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
Cryptographic software written by Eric A. Young and software written by Tim J. Hudson.
Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
Software originally written by Robert Nordier, Copyright 1996-7 Robert Nordier.
Software written by Douglas W. Sauder.
Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/license-2.0.txt.
International Components for Unicode ("ICU") Copyright 1995-2002 International Business Machines Corporation and others.
Software developed by CrystalClear Software, Inc., Copyright 2000 CrystalClear Software, Inc.
FEAD Optimizer technology, Copyright Netopsystems AG, Berlin, Germany.
Outside In Viewer Technology 1992-2001 Stellent Chicago, Inc. and/or Outside In HTML Export, 2001 Stellent Chicago, Inc.
Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, 1998, 1999, 2000. Software copyrighted by Expat maintainers. Software copyrighted by The Regents of the University of California, 1996, 1989, 1998-2000. Software copyrighted by Gunnar Ritter. Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., 2003. Software copyrighted by Gisle Aas. 1995-2003. Software copyrighted by Michael A. Chase, 1999-2000. Software copyrighted by Neil Winton, 1995-1996. Software copyrighted by RSA Data Security, Inc., 1990-1992. Software copyrighted by Sean M. Burke, 1999, 2000. Software copyrighted by Martijn Koster, 1995. Software copyrighted by Brad Appleton, 1996-1999. Software copyrighted by Michael G. Schwern, 2001. Software copyrighted by Graham Barr, 1998. Software copyrighted by Larry Wall and Clark Cooper, 1998-2000. Software copyrighted by Frodo Looijaard, 1997. Software copyrighted by the Python Software Foundation, Copyright 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. Software copyrighted by Beman Dawes, 1994-1999, 2002. Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek 1997-2000 University of Notre Dame. Software copyrighted by Simone Bordet & Marco Cravero, 2002. Software copyrighted by Stephen Purcell, 2001. Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/). Software copyrighted by International Business Machines Corporation and others, 1995-2003. Software developed by the University of California, Berkeley and its contributors. Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http:// www.modssl.org/). Software copyrighted by Kevlin Henney, 2000-2002. Software copyrighted by Peter Dimov and Multi Media Ltd. 2001, 2002. Software copyrighted by David Abrahams, 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation. 
Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, 2000. Software copyrighted by Boost.org, 1999-2002. Software copyrighted by Nicolai M. Josuttis, 1999. Software copyrighted by Jeremy Siek, 1999-2001. Software copyrighted by Daryle Walker, 2001. Software copyrighted by Chuck Allison and Jeremy Siek, 2001, 2002. Software copyrighted by Samuel Krempp, 2001. See http://www.boost.org for updates, documentation, and revision history. Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), 2001, 2002. Software copyrighted by Cadenza New Zealand Ltd., 2000. Software copyrighted by Jens Maurer, 2000, 2001. Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), 1999, 2000. Software copyrighted by Ronald Garcia, 2002. Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, 1999-2001. Software copyrighted by Stephen Cleary (shammah@voyager.net), 2000. Software copyrighted by Housemarque Oy <http://www.housemarque.com>, 2001. Software copyrighted by Paul Moore, 1999. Software copyrighted by Dr. John Maddock, 1998-2002. Software copyrighted by Greg Colvin and Beman Dawes, 1998, 1999. Software copyrighted by Peter Dimov, 2001, 2002. Software copyrighted by Jeremy Siek and John R. Bandela, 2001. Software copyrighted by Joerg Walter and Mathias Koch, 2000-2002. Software copyrighted by Carnegie Mellon University 1989, 1991, 1992. Software copyrighted by Cambridge Broadband Ltd., 2001-2003. Software copyrighted by Sparta, Inc., 2003-2004. Software copyrighted by Cisco, Inc. and Information Network Center of Beijing University of Posts and Telecommunications, 2004. Software copyrighted by Simon Josefsson, 2003. Software copyrighted by Thomas Jacob, 2003-2004. Software copyrighted by Advanced Software Engineering Limited, 2004. Software copyrighted by Todd C. Miller, 1998. Software copyrighted by The Regents of the University of California, 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek. 
Issued March 2007 / Messaging and Web Security software version 4.5 DBN-005-EN
Contents

1 Introducing Appliance Security  8
  Introducing the appliances  8
  Optional components and related products  9
  Product features  10
  What's new in this release  11
    Greylisting service  11
    SiteAdvisor  11
    Tagged VLAN support  12
    Extended SNMP MIB Support  12
    Sender authentication  12
    Anti-spam is no longer a separate feature  12
    Anti-spam and anti-phish for POP3  12
    Editable compliancy lexicons  13
    Data loss prevention  13
    Policy-based Reputation Service and Real Time Blocklists  13
    Checking of IP addresses behind Mail Transfer Agents  13
  Using this guide  14
    Audience  14
    Conventions  14
  Getting product information  15
    Standard documentation  15
  Contact information  16

2 Getting Started  17
  Basic concepts  17
    Appliance features  17
    How secure is the appliance?  17
    Important considerations  18
    Monitoring the appliance  23
    Maintaining the appliance  24
    Troubleshooting the appliance  24
  Getting started with the Setup Wizard  24
    Before you start  25
    Before you log on to the appliance  25
    Logging on to the appliance  26
    Out-of-band management  29
    Configuring using the console  31
    Using the Setup Wizard  32
  Changing network settings  42
  The interface  43
    Common tasks within the interface  45
  Configuring the protocols  48
    Advanced configuration (all protocols)  48
    Basic configuration (all protocols)  52
  Activating optional components  53
  Using SSH to access your appliance  53
    Enabling SSH access  53
    Monitoring SSH events  54

3 Policies Overview  55
  Policies overview  55
    What is a policy?  55
    Global policies  56
    Non-global policies  57
    Policy groups  62
    Content rules  66
    Compliancy and lexicons  66
    Data loss prevention  66
  Policy planning  67
    Spend time planning  67
    Considering the legal implications  67
    Understanding policy pages and settings  67
    General guidelines  72
    Actions  73
    Levels of anti-virus protection  78
    Configuring anti-virus settings  78
    Applying time restrictions to rules and settings  79
  Understanding priorities in policies  80
    Connection policies  80
    Content policies  80
    Protocol policies  82

4 SMTP  83
  How email messages are processed  84
    Multiple policies for email messages  85
  Configuration for SMTP  86
    Protocol settings  87
    McAfee Quarantine Management  91
    Quarantine Digest  91
    Spam learning  94
    User black and white lists  95
    Denied Connections  96
    Certificate management  97
    Transport Layer Security  101
    Greylisting service  101
    DKIM key management  102
  Policies for SMTP  103
    SMTP content policies  103
    SMTP protocol policies  127
    SMTP connection policies  143
  Content rules and rule groups  146
  SMTP email messages  153
    Message queues  153
    Deferred email messages  156
    Integration with third-party email encryption gateway  157

5 POP3  160
  Configuration for POP3  160
  Policies for POP3  161
    POP3 content policies  161
    POP3 protocol policies  166
    POP3 connection policies  167

6 HTTP  168
  Understanding traffic flow  168
  Configuration for HTTP  169
    User Authentication Settings  169
    User Authentication Settings [Advanced]  177
    Connection Settings [Advanced]  181
  Policies for HTTP  182
    HTTP Content Policies  182
    HTTP protocol policies  190
    HTTP connection policies  201
    Logging and reporting  202
    Installing and configuring SmartReporter  205
    Client  207
    Time-outs  207

7 ICAP  209
  ICAP overview  209
    What is ICAP?  209
    How is an ICAP message structured?  210
    How does ICAP work?  213
  Configuring ICAP  216
    User authentication settings  216
    User authentication settings [advanced]  216
    General Settings  217
    Request Modification Service Settings  217
    Response Modification Service Settings  217
    Connection settings  217
  Content policies  218
    Alert Settings  218
    Anti-Virus  218
    HTML Settings  218
    Scanner Control  219
    URL Filtering  219
  Advanced connection policies  220
    Client  220
    Time-outs  220
  Protocol policies  221
    Basic URL Blocking  221
    Client Alert Messages  221
    Data Trickling  222
    Header Blocking and Modifications  222
    Instant Messaging  222
    Request permissions  223
    Scanning  223
    Service settings  224
    Streaming media  225
  Troubleshooting ICAP issues  226
    ICAP support  227
  Glossary of ICAP terms  228

8 FTP  230
  Understanding traffic flow  230
  Configuring FTP  231
  Policies for FTP  232
    FTP content policies  232
    FTP protocol policies  233
    FTP connection policies  235

9 Scanning  236
  Anti-virus scanning  236
    Main features  236
    What is heuristic analysis?  237
    Scanning settings  238
    Updating your anti-virus software  240
  Load sharing  242
    Basic concepts  242
    Configuring load sharing  242
    Load-sharing examples  245
    Viewing the load-sharing status  246

10 Maintaining the appliance  247
  Managing this appliance  247
    Changing the management password  247
    Changing the DLP database password  248
    Turning off the appliance  248
    Restarting the appliance  248
    Setting the system date and time  248
    Setting the NTP server settings  249
    Setting the operational language  249
    Viewing the configuration changes  249
  Managing a group of appliances  250
  Backing up and restoring settings  251
    Backing up system logs  251
    Using Syslog for off-box logging  251
    Backing up system configuration files  252
    Restoring the system settings  252
    Restoring default settings  253
  Using ePolicy Orchestrator with the appliance  254
  Automatic updates  255
    What are automatic updates?  255
    Before configuring automatic updates  256
    Configuring automatic updates  256
    Monitoring automatic updates  260
  Viewing the MIB definition file  261
  Removing old files  261
  Restricting the log size  261

11 Monitoring the appliance  262
  Overview  262
  Monitoring options  263
    Status  263
    Performance  266
    Logs  268
    Charts  269
    Updates  271
    Resources  271
  Types of reports  272
    Getting reports from your appliance  273
  Getting reports from ePolicy Orchestrator  276
    Installing the most recent appliance reports  276
    Reports available from ePolicy Orchestrator  276
  Getting reports from SmartReporter  279
    URL Filtering  282
  Monitoring Internet access  283
  Configuring logging and alerting  284
    Selecting events of interest  284
    Selecting the distribution method  285
    Changing distribution settings  285
  Configuring the appliance's SNMP agent  286
  Reporting on loss of confidential data  287

12 Updating the appliance  288

A Troubleshooting  290
  Using the diagnostic tools  290
    Ping test  291
    Display routing information  291
    Display system load  293
    System configuration tests  293
    Minimum escalation report  294
    Capture network traffic  295
    Save quarantine  295
    Error Reporting Tool  295
    Remote access card  296
  Frequently asked questions and problems  297
    General issues  297
    Interface problems  297
    Mail issues  299
    Delivery  300
    Email attachments  300
    POP3  302
    Physical configuration  302
    System configuration  303
    System maintenance  303
    Anti-virus automatic updating  304
    Anti-spam  304
  Getting more help: the Links bar  306

B Configuring Mail Clients  307
  Microsoft Outlook  308
    On the appliance  308
    On each Microsoft Outlook mail client  308
  Lotus Domino Administration  309
    On the appliance  309
    In Lotus Domino Administration  309

C Substitution Variables  310
  Using substitution variables  310
  List of substitution variables  311

D Word Separators  314

E Additional License Terms for ePolicy Orchestrator Software  323

Menu Index  324

Index  331
1 Introducing Appliance Security

The appliances protect your network from viruses, undesirable content, spam, and other threats. They can be installed at key points in your network, typically at the Internet gateway.

This section describes:
  Product features.
  What's new in this release.
  Using this guide.
  Getting product information.
  Contact information.

Introducing the appliances

The appliances tailor protocol scanning to closely reflect typical network environments, with separate high-performance scanning for messaging and web access. The types of appliance software are:
  SIG  Secure Internet Gateway
  SMG  Secure Messaging Gateway
  SWG  Secure Web Gateway

You can use appliances of the same type together to increase scanning throughput and provide fault tolerance. For more information, see the Deployment Guide.
Optional components and related products

The appliances have several components and related products. Some components can be fully integrated into the appliances. Other products provide a central point for monitoring and managing several McAfee products, including the appliances. The next table describes the optional components and related products. For more information, see the McAfee website.

Table 1-1 Products
  McAfee ePolicy Orchestrator
    Description: Provides a central control point for many McAfee products. Includes graphical reporting and product deployment.
    Compatible with: SWG, SMG, SIG
  McAfee Quarantine Manager
    Description: Consolidates quarantine management for many McAfee products, including the appliances.
    Compatible with: SMG, SIG
  Enhanced URL-filtering
    Description: Uses a Uniform Resource Locator (URL) filtering database and filtering policies to prevent inappropriate Internet use by your employees. The enhanced URL-filtering database categorizes websites according to their content, and filters access accordingly.
    Compatible with: SWG, SIG
  Data Loss Prevention
    Description: Prevents loss of confidential data via the network.
    Compatible with: SIG

Some appliances support auxiliary hardware:

Table 1-2 Auxiliary hardware
  Accelerator card
    Features: Higher throughput for the HTTP protocol.
    Appliance: 3400 SWG
  Fiber card
    Features: Connection via optical fiber instead of copper wire.
    Appliance: 3300, 3400
  Remote Access card
    Features: Remote access and some management of the appliance. For example, the card can re-image the appliance remotely using a CD in another computer.
    Appliance: 3300, 3400

The following combinations of software and hardware are possible:

Table 1-3 Combinations of software and hardware
  Appliance   SIG (combined)   SMG (messaging)   SWG (web)
  3000        Yes              No                No
  3100        Yes              No                No
  3200        Yes              No                No
  3300        Yes              No                No
  3400        Yes              Yes               Yes
Product features

The appliances have the following main features. Availability is shown per appliance type as SMG / SWG / SIG.

  Anti-virus scanning (Yes / Yes / Yes)
    Scans all protocols.
  Anti-spyware scanning (Yes / Yes / Yes)
    Scans for Potentially Unwanted Programs (PUPs) such as Spyware, Adware, and Cookies.
  Anti-spam scanning (Yes / No / Yes)
    Uses several techniques to reduce spam:
      Anti-spam engine, with the anti-spam and anti-phishing rule sets. The spam-learning feature helps improve spam detection.
      Lists of permitted and denied senders.
      Real-time blackhole lists (RBLs).
      Blacklists and whitelists, defined by users and administrators.
  Anti-phishing (Yes / No / Yes)
    Detects phishing attacks and takes the appropriate action (if the Anti-Spam Module is enabled).
  Compliance (No / No / Yes)
    Ensures outgoing information complies with requirements for privacy.
  Content scanning (Yes / No / Yes)
    Scans SMTP email messages for potentially unwanted content, and takes the appropriate action.
  Data Loss Prevention (No / No / Yes)
    Ensures outgoing information complies with requirements for privacy.
  Quarantine management (Yes / No / Yes)
    Allows users to handle quarantined items without involving the email administrator. For example, using the information in the Quarantine Digests, users can:
      Automatically release email messages that have been mistakenly identified as spam.
      Configure their own blacklists and whitelists.
      Submit spam and non-spam email samples for spam learning.
    Users can also request that their administrator releases email messages that were quarantined because of their content.
  McAfee Quarantine Manager (Yes / No / Yes)
    Consolidates quarantine management for a range of McAfee products.
  Remote access (Yes / Yes / Yes)
    If the optional card is installed, remotely accesses the appliance and does limited management.
  Enhanced HTTP scanning (No / Yes / Yes)
    HTTP scanning has been enhanced, and can be further enhanced with the optional Accelerator card.
  Enhanced URL-filtering (No / Yes / Yes)
    Uses a URL-filtering database and URL-filtering policies to protect your organization from inappropriate use of the Internet by your employees. Websites are categorized and access is filtered according to their content.
  ICAP support (No / Yes / Yes)
    The ICAP protocol allows ICAP clients to pass HTTP messages to ICAP servers for processing or transformation (adaptation). The SWG and SIG appliances support the ICAP 1.0 protocol and act as an ICAP server. ICAP traffic can be scanned and the appropriate action taken.
  SiteAdvisor (No / Yes / Yes)
    Blocks or warns users about the reputation of requested websites.
What's new in this release

This release of the McAfee Messaging and Web Security appliances includes the following new features or enhancements:
  Greylisting service
  SiteAdvisor on page 11
  Tagged VLAN support on page 12
  Extended SNMP MIB Support on page 12
  Sender authentication on page 12
  Anti-spam is no longer a separate feature on page 12
  Anti-spam and anti-phish for POP3 on page 12
  Editable compliancy lexicons on page 13
  Data loss prevention on page 13
  Policy-based Reputation Service and Real Time Blocklists on page 13
  Checking of IP addresses behind Mail Transfer Agents on page 13

Greylisting service
  Previous release: The appliance was vulnerable to spam attacks from zombie computers.
  Current release: The greylisting service deliberately forces each new sender to retry. Genuine senders will send their messages again, but zombies typically do not retry.
  Benefits: Spam attacks from zombie networks are deterred. The appliance does not spend time scanning this email.
  For more information: See Greylisting service on page 101.

SiteAdvisor
  Previous release: Users can access websites that use their email addresses to send spam, or that include advertising software (adware) with downloads.
  Current release: SiteAdvisor classifies sites according to their behavior or reputation, enabling policies on the appliance to block access or issue warnings about unsuitable websites.
  Benefits: Reduces the spam, adware, and other nuisances that users receive.
  For more information: See SiteAdvisor on page 184.
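The greylisting mechanism described above (defer the first delivery attempt from an unknown sender, accept the retry) in working form. This is an added example, not the appliance's own implementation; the (client IP, sender, recipient) key, the 5-minute minimum retry delay and the 4-hour expiry of entries that never retry are assumed values chosen for the illustration.

```python
"""Greylisting decision logic: defer a new sender once, accept on a later retry.
Added example code; the triplet key, min_delay and expire_after are assumptions."""
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEFER = "451 4.7.1 Greylisted, please try again later"   # temporary failure: a real MTA will retry
ACCEPT = "250 OK"


@dataclass
class GreyEntry:
    first_seen: float        # when this triplet first attempted delivery
    passed: bool = False     # True once a valid retry has been accepted


class Greylister:
    def __init__(self, min_delay: float = 300.0, expire_after: float = 14400.0):
        self.min_delay = min_delay          # retries earlier than this are still deferred
        self.expire_after = expire_after    # unretried entries are forgotten after this
        self.table: Dict[Tuple[str, str, str], GreyEntry] = {}

    def decide(self, client_ip: str, sender: str, recipient: str,
               now: Optional[float] = None) -> str:
        """Return the SMTP reply for this delivery attempt (evaluated at RCPT TO time)."""
        now = time.time() if now is None else now
        self.expire(now)
        key = (client_ip, sender.lower(), recipient.lower())
        entry = self.table.get(key)
        if entry is None:
            # First contact from this triplet: record it and ask the sender to come back.
            self.table[key] = GreyEntry(first_seen=now)
            return DEFER
        if entry.passed or now - entry.first_seen >= self.min_delay:
            # A retry after the minimum delay: the sender behaved like a real MTA.
            entry.passed = True
            return ACCEPT
        # Retrying too quickly is treated like the first attempt.
        return DEFER

    def expire(self, now: float) -> int:
        """Drop triplets that never retried; returns how many were removed."""
        stale = [k for k, e in self.table.items()
                 if not e.passed and now - e.first_seen > self.expire_after]
        for k in stale:
            del self.table[k]
        return len(stale)

    def pending(self) -> int:
        """Number of triplets still waiting for their retry."""
        return sum(1 for e in self.table.values() if not e.passed)


if __name__ == "__main__":
    g = Greylister()
    t0 = time.time()
    print(g.decide("203.0.113.5", "alice@example.net", "bob@example.com", now=t0))        # deferred
    print(g.decide("203.0.113.5", "alice@example.net", "bob@example.com", now=t0 + 400))  # accepted
```

The scan-time saving the table above mentions follows from the order of operations: the decision is made on the envelope before any message body is received, so a zombie that never retries costs the appliance no content scanning at all. Accepted triplets are kept so a known sender is not deferred again; a production implementation would also age those out eventually.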
Tagged VLAN support
  Previous release: No Virtual LAN support was available.
  Current release: Policies can be applied to virtual LANs in transparent bridge mode and transparent router mode.
  Benefits: Policies can be set as easily for a VLAN as for a subnet.
  For more information: See Creating a non-global policy on page 57.

Extended SNMP MIB Support
  Current release: The appliance issues Simple Network Management Protocol (SNMP) messages (known as traps) to other computers, and allows authorized computers access to its performance data and statistics.
  Benefits: Appliance events can be viewed by SNMP trap managers.
  For more information: See Configuring the appliance's SNMP agent on page 286.

Sender authentication
  Current release: The addresses of email senders can be verified by these sender authentication methods: Sender Policy Framework (SPF), Sender ID, and DomainKeys Identified Mail (DKIM).
  Benefits: Email with spoofed addresses can be rejected without the need for scanning.
  For more information: See Sender authentication and reputation on page 127.

Anti-spam is no longer a separate feature
  Previous release: Anti-spam software had to be purchased separately.
  Current release: Anti-spam is included with the SIG and SMG appliances.
  Benefits: No evaluation or purchase is necessary.

Anti-spam and anti-phish for POP3
  Previous release: Spam and phish were scanned in the SMTP protocol only.
  Current release: Spam and phish are scanned in the POP3 protocol too.
  Benefits: Email downloaded from POP3 servers can be scanned.
  For more information: See POP3 content policies on page 161.
Editable compliancy lexicons

Current release: Compliancy lexicons can be viewed and edited.
Benefits: Users can modify the score thresholds and add words, phrases and regular expressions to make the lexicons better suit their needs.
For more information: See Editing the content libraries on page 118.

Data loss prevention

Current release: The appliance scans for information within files that have been tagged as confidential.
Benefits: Records and prevents loss of confidential data.
For more information: See Data loss prevention on page 113.

Policy-based Reputation Service and Real Time Blocklists

Previous release: The service applied to all email.
Current release: The service can now be applied per policy.
Benefits: Allows the service to be targeted more precisely.
For more information: See Sender authentication and reputation on page 127.

Checking of IP addresses behind Mail Transfer Agents

Previous release: To prevent spam from known IP addresses, the appliance checked the IP address of the device that forwarded the email.
Current release: The appliance checks the IP addresses of all devices that relayed the email, not only the nearest MTA (Mail Transfer Agent).
Benefits: Prevents the appliance from scanning spam email messages that can be identified from the IP addresses in the email headers.
For more information: See Sender authentication and reputation on page 127.
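To show the difference between checking only the nearest MTA and walking the whole relay chain, here is an added example (not the appliance's code) that reads every Received: header of a constructed message and tests each recorded relay address against a constructed placeholder blocklist.

```python
"""Check every relay hop recorded in a message's Received: headers, not only the nearest MTA.

Added example, not the appliance's own code. The blocklist below is a constructed
placeholder, not a real reputation feed.
"""
import ipaddress
import re
from email import message_from_string
from typing import List, Optional

# Constructed blocklist (placeholder documentation range).
BLOCKLIST = [ipaddress.ip_network("198.51.100.0/24")]

# A Received: header names the connecting host as "from name (name [ip]) by ...".
_BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# Constructed message: the hop nearest to the appliance is the top Received: header,
# the originating host is the bottom (oldest) one.
SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by appliance.example.com with ESMTP; Mon, 1 Jan 2007 10:00:00 +0000
Received: from relay.partner.example (relay.partner.example [203.0.113.7])
    by mx1.example.net with ESMTP; Mon, 1 Jan 2007 09:59:00 +0000
Received: from zombie-pc (unknown [198.51.100.23])
    by relay.partner.example with SMTP; Mon, 1 Jan 2007 09:58:00 +0000
From: someone@forged.example
To: user@example.com
Subject: constructed sample

(body)
"""


def relay_ips(raw_message: str) -> List[str]:
    """Return the IP of every relay, nearest hop first, oldest hop last."""
    msg = message_from_string(raw_message)
    ips: List[str] = []
    for header in msg.get_all("Received", []):
        match = _BRACKETED_IP.search(header)
        if not match:
            continue   # no literal address recorded for this hop
        try:
            ips.append(str(ipaddress.ip_address(match.group(1))))
        except ValueError:
            continue   # malformed literal; skip it rather than abort the check
    return ips


def is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)


def nearest_hop_blocked(raw_message: str) -> bool:
    """Previous-release behaviour: only the device that forwarded the mail is checked."""
    hops = relay_ips(raw_message)
    return bool(hops) and is_blocked(hops[0])


def first_blocked_relay(raw_message: str) -> Optional[str]:
    """Current-release behaviour: every relay in the chain is checked; returns the first hit.

    Received: headers below those written by your own trusted MTAs can be forged by the
    sender, so a hit further down the chain is best treated as evidence for a spam score
    rather than as the sole reason to reject a message."""
    for ip in relay_ips(raw_message):
        if is_blocked(ip):
            return ip
    return None


if __name__ == "__main__":
    print(relay_ips(SAMPLE_MESSAGE))
    print("nearest hop blocked:", nearest_hop_blocked(SAMPLE_MESSAGE))
    print("first blocked relay:", first_blocked_relay(SAMPLE_MESSAGE))
```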
Using this guide

This guide provides information to help you use the appliance in your network.

Audience

This information is intended for network administrators who are responsible for their company's anti-virus and security program.

Conventions

This guide uses the following conventions:

Bold Condensed: All words from the interface, including options, pages, buttons, and dialog box names. Example: Type the User name and Password of the appropriate account.

Courier: The path of a folder or program; text that represents something the user types exactly (for example, a command at the system prompt). Examples: The default location for the program is: C:\Program Files\McAfee\EPO\3.5.0. Run this command on the client computer: scan --help

Italic: For emphasis or when introducing a new term; for names of product documentation and topics (headings) within the material. Example: See the VirusScan Enterprise Product Guide for more information.

Blue: A web address (URL) and/or a live link. Example: Visit the McAfee web site at: http://www.mcafee.com

<TERM>: Angle brackets enclose a generic term. Example: In the console tree, right-click <SERVER>.

Note: Supplemental information; for example, another method of executing the same command.

Tip: Suggestions for best practices and recommendations from McAfee for threat prevention, performance and efficiency.

Caution: Important advice to protect your computer system, enterprise, software installation, or data.

Warning: Important advice to protect a user from bodily harm when using a hardware product.
Getting product information

Unless otherwise noted, product documentation comes as Adobe Acrobat .PDF files, available on the product CD or from the McAfee download site.

Standard documentation

Installation Guide: System requirements and instructions for installing and starting the appliance.
Deployment Guide: Information to help you deploy appliances within your network.
Quick Help: Information within the interface about each interface area.
Configuration Guide: For use with ePolicy Orchestrator. Procedures for managing the appliance through the ePolicy Orchestrator management software.
Release Notes (ReadMe): Product information, resolved issues, any known issues, and last-minute additions or changes to the product or its documentation. A text file is included with the software application and on the product CD.
License Agreement: The McAfee License Agreement booklet that includes all of the license types you can purchase for your product. The License Agreement presents general terms and conditions for use of the licensed product.
Contacts: Contact information for McAfee services and resources: technical support, customer service, Security Headquarters (Avert), beta program, and training. A text file is included with the software application and on the product CD.
Contact information

Threat Center: McAfee Avert Labs
  http://www.mcafee.com/us/threat_center/default.asp
Avert Labs Threat Library
  http://vil.nai.com
Avert Labs WebImmune & Submit a Sample (Logon credentials required)
  https://www.webimmune.net/default.asp
Avert Labs DAT Notification Service
  http://vil.nai.com/vil/signup_dat_notification.aspx

Download Site
  http://www.mcafee.com/us/downloads/
  Product Upgrades (Valid grant number required)
  Security Updates (DATs, engine)
  HotFix and Patch Releases: For Security Vulnerabilities (Available to the public); For Products (ServicePortal account and valid grant number required)
  Product Evaluation
  McAfee Beta Program

Technical Support
  http://www.mcafee.com/us/support/
  KnowledgeBase Search: http://knowledge.mcafee.com/
  McAfee Technical Support ServicePortal (Logon credentials required): https://mysupport.mcafee.com/eservice_enu/start.swe

Customer Service
  Web: http://www.mcafee.com/us/support/index.html and http://www.mcafee.com/us/about/contact/index.html
  Phone: US, Canada, and Latin America toll-free: +1-888-VIRUS NO or +1-888-847-8766, Monday to Friday, 8 a.m. to 8 p.m., Central Time

Professional Services
  Enterprise: http://www.mcafee.com/us/enterprise/services/index.html
  Small and Medium Business: http://www.mcafee.com/us/smb/services/index.html
2 Getting Started

This section provides information to help you configure the appliance for the first time. It includes:

Basic concepts
Getting started with the Setup Wizard on page 24
Changing network settings on page 42
The interface on page 43
Configuring the protocols on page 48
Activating optional components on page 53
Using SSH to access your appliance on page 53

Basic concepts

This section includes information to help you integrate an appliance into your network. It briefly describes each concept and refers you to other parts of the guide for more information.

Appliance features

The appliance has many features to help you combat electronic threats to your organization. See Product features on page 10.

How secure is the appliance?

The appliance can be accessed only through a secure HTTPS link. If you use a web browser, when you type the URL for the appliance, use https and not http. For security, connections use Secure Sockets Layer (SSL) encryption. The SSL connection closes when you log off the session. To maintain security during long sessions, the SSL connection closes automatically after 15 minutes of inactivity.

The appliance's operating system prevents unauthorized access to its internal file system.

The appliance is protected by a password.
Important considerations

When you set up the appliance for the first time, consider:

Any patches that need to be installed first. See HotFixes and patch releases.
The operational mode for the appliance. See Choosing the operational mode.
The protocols that the appliance will scan. See Protocol support on page 19.
How to integrate the appliance within your existing network. See Recommended network topologies on page 19.
The access method. See Accessing the appliance on page 20.
How to make the appliance more secure. See Improving the appliance's security on page 20.
The networks and domains to include in the appliance's lists of inside and outside networks. See Specifying your inside and outside networks on page 21.
How to make your network more secure. See Using anti-virus scanning on page 21.
How to control SMTP email access and content. See SMTP considerations on page 22.
The policies. See Using policies on page 23.
Whether to use load sharing to share the scanning workload. See Sharing scanning resources on page 23.
How to monitor the appliance. See Monitoring the appliance on page 23.
The maintenance procedures. See Maintaining the appliance on page 24.
What to do if you have a problem with the appliance, or want to submit a sample for analysis. See Troubleshooting the appliance on page 24.

HotFixes and patch releases

McAfee occasionally releases software HotFixes and patches for the appliance. You might need to install some of these before using the appliance. For the latest information, check the website as listed on page 16. Subsequent updating can be automated.

Choosing the operational mode

The appliance operates in one of the following modes:

Transparent Bridge
Transparent Router
Explicit Proxy

Carefully select the operational mode for the appliance, because it affects how you integrate your appliance into your network and how the appliance handles traffic. After you select the mode, you do not need to change it unless you restructure your network. For details on operational modes, see the Deployment Guide.
Protocol support

The protocols supported by each type of appliance are:

Table 2-1 Types of appliance

Secure Internet Gateway (SIG): SMTP for email messages; POP3 for email messages; HTTP for web browsing; ICAP for use with ICAP clients; FTP for file transfer.
Secure Messaging Gateway (SMG): SMTP for email messages; POP3 for email messages.
Secure Web Gateway (SWG): HTTP for web browsing; ICAP used with ICAP servers and clients; FTP for file transfer.

FTP over HTTP (download only) is also handled as part of HTTP support. All other protocols are refused or not scanned, depending on the appliance's operational mode.

Handling protocol traffic

You can enable or disable each protocol (SMTP, POP3, HTTP, ICAP and FTP).

If the appliance is in Transparent Router or Transparent Bridge mode, and the protocol is disabled, traffic for the protocol passes through the appliance, but is not scanned.

If the appliance is in Explicit Proxy mode, and a protocol is disabled, traffic directed to the appliance for that protocol is refused. The protocol is blocked at the appliance. In Explicit Proxy mode, only SMTP, POP3, HTTP, ICAP and FTP traffic is handled by the appliance. All other traffic is refused.

Recommended network topologies

The appliance can be used in almost any network topology. See Restrictions on page 19. Typical topologies for each operational mode are described in the Deployment Guide.

To scan a supported protocol, ensure that traffic for that protocol passes through the appliance. Any traffic that bypasses the appliance is not scanned, leaving your network vulnerable to attack.

For security reasons, use the appliance inside your organization, behind an outer firewall. If you are in any doubt about your network's topology and how to integrate the appliance, consult your network expert.

Restrictions

The appliance is not a firewall. Place the appliance within your organization, behind your existing firewall.
The appliance is not a replacement for a mail server. You might need to configure your firewall, mail server, and other devices to pass protocol traffic to the appliance or through the appliance.
The appliance is not a general-purpose web server for storing webpages.
The appliance is not a general-purpose server for storing extra software and files. Do not install any software on the appliance or add extra files to it, unless instructed by the appliance's documentation or a McAfee support representative.

Accessing the appliance

When you have installed or upgraded the appliance, you can access it using:

A web browser. When you type the URL for the appliance, use https, not http.
The appliance client application. You can point a web browser at the appliance you want to manage and, from the logon page, click the link to install the client application. After you have installed the application, you can close the web browser and launch the application from the desktop icon.

We recommend that you use the appliance's client application. If you use a web browser, the web browser's Back button takes you to the appliance's logon screen, losing any unsaved changes.

Improving the appliance's security

To improve security and deter hackers, change the default settings:

Administrator user name
Password
Appliance name
IP addresses

See Getting started with the Setup Wizard on page 24 for more information.
Specifying your inside and outside networks

The appliance uses two lists, its inside and outside networks, to identify whether traffic passing through it has come from an internal or external network source. Traffic is scanned according to direction. Direction is determined by the origin of the connection.

If specifying a domain name, give the fully qualified domain name. If a connection originates from inside your network, include its IP address in the list of inside networks. Mail domains inside the organization must also be entered in inside networks. These are used to configure an initial anti-relay policy, so enter the information carefully in the lists of inside and outside networks.

Decide which networks and domains will be treated as internal networks and which as external. Internal networks are typically trusted networks. By default, all domains and networks are treated as external networks, unless they are specified as internal networks.

Typically your firewall belongs in the list of outside networks, because traffic originating from the firewall comes from outside. To scan traffic passing between the outside world and your network, add the networks and domains that are within your organization and protected by your firewall to the list of inside networks.

For more information about setting up internal and external networks, see the Deployment Guide.

Using anti-virus scanning

The appliance uses the McAfee anti-virus scanning engine and anti-virus definition (DAT) files to scan and clean network traffic. The scanners detect known viruses, new viruses and variants. The scanners can also detect potentially unwanted programs (PUPs) such as spyware, adware, and cookies.

Traffic for a specific protocol is only scanned if that protocol is enabled and scanning is enabled in at least one direction. By default, all protocols are enabled, and traffic is scanned in both directions. The appliance shares its resources between the protocols. It scans each protocol's inbound and outbound traffic. If you disable scanning for either direction, traffic passes through the appliance unscanned in that direction.

Caution: Do not disable anti-virus scanning for any enabled protocol unless you are scanning its traffic elsewhere in your network. Allowing unscanned traffic to enter your organization leaves it vulnerable to infection.

Configure your other network devices to route the protocols through the appliance, so nothing can bypass the appliance. Only traffic that passes through the appliance, or that is routed to the appliance in the case of Explicit Proxy mode, is scanned.

For more information, see Scanning on page 236.
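The way the inside and outside network lists fix a connection's direction, and how the inside mail domains feed an initial anti-relay rule (see Specifying your inside and outside networks above), can be illustrated with this added example; it is not the appliance's code, the network range and domain are constructed, and the exact-match rule for domains is an assumption drawn from the instruction to enter fully qualified names.

```python
"""Direction and initial anti-relay decisions from inside/outside network lists.

Added example, not the appliance's own code. The network range and mail domain
are constructed; the appliance's exact matching rules may differ.
"""
import ipaddress
from typing import Iterable, List, Set


class NetworkLists:
    """Inside networks and inside mail domains; everything not listed is treated as outside."""

    def __init__(self, inside_networks: Iterable[str], inside_domains: Iterable[str]):
        self.inside_networks: List = [
            ipaddress.ip_network(n, strict=False) for n in inside_networks
        ]
        # Fully qualified domain names, compared case-insensitively, exact match only (assumption).
        self.inside_domains: Set[str] = {d.lower().rstrip(".") for d in inside_domains}

    def is_inside(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.inside_networks)

    def direction(self, source_ip: str) -> str:
        """Direction is fixed by where the connection originates, not by the recipient."""
        return "outbound" if self.is_inside(source_ip) else "inbound"

    def is_inside_domain(self, domain: str) -> bool:
        return domain.lower().rstrip(".") in self.inside_domains

    def relay_allowed(self, source_ip: str, rcpt_to: str) -> bool:
        """Initial anti-relay rule derived from the lists: inside hosts may send anywhere;
        outside hosts may only deliver to the organization's own mail domains."""
        if self.is_inside(source_ip):
            return True
        _, _, domain = rcpt_to.rpartition("@")
        return self.is_inside_domain(domain)


def example_lists() -> NetworkLists:
    # Constructed configuration: the LAN behind the firewall and the company's mail domain.
    # The firewall itself (say 192.0.2.1) is deliberately not listed, so it counts as outside.
    return NetworkLists(inside_networks=["10.1.0.0/16"], inside_domains=["example.com"])


if __name__ == "__main__":
    lists = example_lists()
    for src, rcpt in [("10.1.5.20", "friend@other.example"),
                      ("203.0.113.9", "bob@example.com"),
                      ("203.0.113.9", "victim@other.example")]:
        verdict = "relay allowed" if lists.relay_allowed(src, rcpt) else "relay refused"
        print(src, lists.direction(src), rcpt, verdict)
```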
SMTP considerations

For appliances that scan email, take the following steps to protect your organization and employees:

Control SMTP email access. Use the appliance's anti-relay features to prevent third parties from using the appliance, or the mail servers that it protects, to deliver their mail. See Anti-relay settings on page 88. Specify who is allowed or denied email access to your organization. See Permit and Deny settings on page 90. For more information about how the appliance attempts to deliver email messages, see Delivery settings on page 87. Sender authentication reduces the incidence of spam. See Sender authentication and reputation on page 127.

Control the content of email messages that enter or leave your organization. To protect your organization from legal issues and loss of confidentiality, you can control the content of email messages. See Compliancy on page 117 and Data loss prevention on page 113. The appliance can use content rules to scan SMTP email messages for undesirable content. You create content rules, stating what is not permitted in email messages, and the appliance uses the rules to prevent such messages reaching their intended recipients. See Scanning for content on page 146.

Redirect encrypted email to other mail servers. See Integration with third-party email encryption gateway on page 157.

Control spam and phishing attacks. Unwanted email messages such as spam reduce productivity by distracting employees and reduce the bandwidth and storage capacity available for genuine business use. The appliance can use DNS block lists to block unwanted email messages from particular sources. The McAfee Anti-Spam Module provides extra protection from spam and phishing attacks. For more information, see The McAfee Anti-Spam Module on page 105. Phishing messages try to steal the identity of unsuspecting users. The stolen identity is used to fraudulently obtain goods and services. For more information, see What is spam? on page 104 and Anti-phishing on page 112.
Using policies

A policy is a collection of settings and content rules that allow you to combat a specific threat to your network. You can tell the appliance how to handle each type of threat. See Policies Overview on page 55.

Sharing scanning resources

Load sharing enables you to share the anti-virus, anti-spam and other scanning workload between appliances. Appliances can only load share with other appliances that support the same protocols for scanning.

An appliance can be set up so that when it receives traffic from supported protocols, it off-loads some or all of its scanning workload to other appliances.

A controlling appliance off-loads some or all of its scanning workload.
A load-sharing appliance receives scanning work from a controlling appliance.

Settings on the controlling appliance control scanning on the load-sharing appliances. The anti-virus settings on the controlling appliance override any anti-virus settings on a load-sharing appliance whenever it receives traffic to scan from the controlling appliance.

If the controlling appliance is load-sharing with five or more appliances, we recommend that it off-loads all of its scanning workload, so that more of its own resources can be dedicated to managing incoming traffic.

For information about installing load-sharing appliances in your network, see the Deployment Guide and the Installation Guide. For information on configuring load sharing, see Load sharing on page 242.

Monitoring the appliance

To monitor the appliance, you can use:

Status page: summarizes the health of the appliance and the status of several parameters.
Logs: record information that can be presented as charts and reports.
Alerts: the appliance can generate alerts, enabling other devices to monitor the appliance. For example, the appliance can be remotely monitored by your SNMP manager, and by McAfee ePolicy Orchestrator.
Notifications: the appliance can send email messages and other alert messages to users and network administrators to tell them about events.

For more information, see Monitoring the appliance on page 262, and the protocol-specific sections in this guide.
Maintaining the appliance

You can save the appliance's configuration, so that it can be restored later. Regular maintenance of the appliance is important to ensure good performance. You can automate many of the maintenance tasks. See Maintaining the appliance on page 247.

Troubleshooting the appliance

If you are experiencing problems, see Troubleshooting on page 290. This section describes the diagnostic tools for identifying problems, and answers some frequently asked questions. Our contact information is on page 16.

The Links Bar at the top of the appliance client application and webpage provides links to the following information:

Contacting support.
Submitting a sample.
The McAfee Virus Information Library.
Additional resources (including links to a list of McAfee addresses and to the SNMP MIB definitions).

Getting started with the Setup Wizard

This section describes how to log on to the appliance and use the Setup Wizard to perform the initial configuration. It includes:

Before you start
Before you log on to the appliance on page 25
Logging on to the appliance on page 26
Configuring using the console on page 31
Using the Setup Wizard on page 32
The interface on page 43
Common tasks within the interface on page 45
Before you start

Before you start, decide which operational mode the appliance will use. Depending on the mode, if you intend to use load sharing, you may need to configure other devices to route traffic to the appliance.

Ensure that you have a suitable computer from which to configure and manage the appliance. Check the configuration requirements. See Requirements for the management computer, next.

To integrate the appliance with your current network:

1 Gather the configuration information. See the Deployment Guide.
2 Prepare your network for the appliance. See Before you log on to the appliance on page 25.
3 Log on to the appliance. See Logging on to the appliance on page 26.
4 Use the Setup Wizard to continue with any initial configuration. You have already configured some information at the console. See Using the Setup Wizard on page 32.
5 Familiarize yourself with the interface and management options. See The interface on page 43.
6 Use this guide and the QuickHelp to find out how to further configure the appliance to meet your network and security requirements.
7 Back up your settings, so that you can reconfigure the appliance quickly to restore its settings.

Who must configure the appliance?

We strongly recommend that the appliance is configured by the administrator responsible for the area of your network that it will protect. Configuration requires information about the protocols that are to be scanned, and it must be done carefully. Details are in the following sections.

Before you log on to the appliance

Before you log on to the appliance for the first time, ensure that:

You have installed the appliance into your network. See the Installation Guide.
You have collected all the information you need.
A computer is connected to the same network as the appliance, or directly to the appliance. This is known as the management computer.
The computer has a compatible browser. The appliance's interface is optimized for Internet Explorer 6.0 or later or Mozilla Firefox 2.0. If you use a different web browser, you might be unable to access the interface and configure the appliance.
Requirements for the management computer

Before logging on to the appliance, check that the computer that you will use to set up and manage the appliance is correctly configured. Otherwise, the computer cannot access the appliance.

The computer requires:

16-bit color (65,536 colors) or higher.
1024x768 resolution or higher.
The Java 2 Standard Edition Runtime Environment. The appliance's browser interface uses the Java Runtime Environment (JRE) 1.4.2 or a later version to display the appliance's interface. If you do not have this version installed on this computer, you are prompted to install it when you first view the interface. The appliance software has not been tested with Java SE 6.
An IP address that allows the computer to communicate with the appliance using HTTPS.

We recommend that:

While configuring the appliance, your browser is set so that it does not use a proxy server unless it is essential.
The web browser on the management computer is not set up to use the appliance as a proxy server.
You do not try to connect to the appliance using the web browser until the appliance has completed its startup sequence. If you try to connect too early, the browser will not find the appliance on the first attempt.

When you access the appliance, it checks that your web browser contains the correct components, and prompts you to install any missing components.

Your web browser must have the following features enabled:

Secure Sockets Layer (SSL) version 3.0 encryption.
JavaScript.
ActiveX (for Microsoft Internet Explorer).

Ensure that Cookie Sessions are enabled. Set this up from your browser's Internet options.

Logging on to the appliance

When you have completed the tasks in Before you log on to the appliance on page 25, you are ready to log on to the appliance.

Default settings

The default system name is scmgateway. For all other defaults, click Resources in the links bar at the top of the appliance and select the relevant link.
Initial configuration

You can configure the appliance for the first time using the Setup Wizard. Network settings can be reconfigured using Network Settings on the navigation pane, or by relaunching the Setup Wizard using Network Setup Wizard.

Logging on to the appliance

1 Turn on the appliance.
2 Wait approximately two minutes for the startup sequence to complete. If you try to connect to the appliance before the startup sequence is complete, your web browser might not find the appliance.
3 Log on to the computer that will manage the appliance. If you are a Linux user using the standalone application, and want the configuration application to be available to other users of the computer, log on as root.
4 To access the appliance's interface, open the web browser on the management computer and type the address of the appliance. Type https, not http. If you cannot access the logon page, retry the URL. If that fails, see Interface problems on page 297. The IP address that you use depends on how you connect to the appliance:

Table 2-2 Connection methods and IP addresses

Connection: Remotely (across the network). Port: LAN1. IP address: Configured LAN1 port IP address. Default is 10.1.1.108.
Connection: Remotely (across the network) (Transparent modes only). Port: LAN2. IP address: Configured LAN2 port IP address. Default is 10.1.2.108.
Connection: Locally (directly connected) (Explicit Proxy modes only). Port: LAN2. IP address: Configured LAN2 port IP address. Default is 10.1.2.108.

5 When the web browser finds the appliance, a security alert message might appear, asking you to accept the appliance's security certificate. Click Yes to accept the certificate. In Microsoft Internet Explorer, the security alert message can appear at the start of each browser session. To stop this, you can view and install the certificate so that it is accepted automatically. To do this, click View Certificate in the security alert message, then click Install Certificate. When using Mozilla Firefox, we recommend that you select Accept this certificate temporarily for this session whenever you view the interface. The appliance checks the web browser to ensure that it is supported and contains the code to run the appliance's interface. For this reason, some security alerts and download dialog boxes might appear. Follow the instructions in the dialog boxes.
6 The Welcome to the Messaging and Web Security appliance window appears, with two options:
  Install the standalone client application. Go to Step 7 if you are a Windows user, or Step 8 if you are a Linux user.
  Use the web browser client. The Logon page appears. Continue with Step 9 of this procedure.

Tip: For better speed and usability, we recommend that you use the standalone client application.

7 For Windows users:
  a When prompted, download the file SCMClientWin32.exe and save it to a suitable location.
  b Click Messaging and Web Security appliances version 4.5 Client to start the Installation Wizard, then follow the instructions on screen.
  c To run the client, click the icon on your desktop, or select Start > Programs > Messaging and Web Security appliances version 4.5 Client to display the appliance's logon page. Continue with Step 9 of this procedure.
8 For Linux users:
  a In a shell window, download the file SCMClientUnix.sh and save it to a suitable location.
  b Type sh ./SCMClientUnix.sh to run the installation. During installation, press Enter to accept the value at the prompt, as shown enclosed in brackets [ ]. To interrupt the installation, type Ctrl-C. If an error message appears, the prompt becomes available for new or additional input.
  c The client prompts you for an installation directory. If it cannot use the default directory or you want to install it elsewhere, follow the on-screen text to locate or create a suitable location.
  d Follow any further instructions to complete the installation.
  e Type <path>/ws_ui_client to run the application and display the Logon screen.
9 Select the language for the appliance's interface. This does not affect the language in which the appliance operates.
10 If you are using the standalone client, type the IP address or name of the appliance to be configured. If you are using the browser client, the IP address or host name of the appliance appears in the Appliance field, and cannot be changed.
11 Type the logon user name. This user will control access to functions within the interface. The default user name is scmadmin.
12 Type the logon password. The default password is scmchangeme. If you recently restored the appliance's software, the administrator name and password revert to the default.
13 If needed, click Proxy Settings to enable client connections via a proxy server.
  a Select Enable client connections via a proxy server.
  b Type the IP address of the proxy server.
  c Type the port number for the server.
14 Click Logon. If this is the first time you have logged on, the Setup Wizard appears. Complete the Setup Wizard. See Using the Setup Wizard on page 32. If the interface has been accessed before, the System Status page appears. See The interface on page 43 for an introduction to the interface. More detailed information on using the interface is in later sections of this guide.

Out-of-band management

Using out-of-band management separates the network traffic that manages your appliance from the network traffic scanned by your appliance. This slightly reduces the scanned traffic passing through the appliance. Also, if the management traffic is removed from the scanned part of the network, management access to the appliance is maintained when network issues prevent in-band management. In the event of a network issue (for example, after making a configuration change to the appliance that causes it to block all network traffic), the appliance can still be managed using the out-of-band connection, enabling the appliance's configuration to be corrected.

Scanning is not permitted for any protocol on the out-of-band connection. Also, the out-of-band computer cannot access the Internet or other networks or subnets protected by the appliance.

Out-of-band management can be configured when first setting up a new appliance, or it can be added to an existing appliance. To set up out-of-band management, see:

New appliance: setting up out-of-band management.
Existing appliance: adding out-of-band management on page 30.

New appliance: setting up out-of-band management

When you first install and set up a new appliance, you can configure out-of-band management from the console displayed on a monitor connected to the appliance.

1 Connect your appliance to your network. See the Installation Guide for your appliance.
2 Connect the USB 10/100 Ethernet Adapter to a USB socket on your appliance.
3 Connect the Ethernet cable from the computer you will use for out-of-band management to the USB 10/100 Ethernet Adapter.
4 Switch on your appliance.
5 From the monitor and keyboard connected to your appliance, use the console to set the basic configuration information, such as the appliance name, the operational mode, and the IP and subnet mask addresses for your appliance.
6 Select the Network option.
7 Select the OOB option.
8 Select Yes in the Out of band management enabled screen.
9 Select the driver for your USB Ethernet adapter.
10 Type the IP address for the out-of-band management interface.
11 Type the Subnet mask address for the out-of-band management interface.
12 Select Autonegotiate.
13 Complete the configuration process from within the console.
14 After the appliance has restarted services using the new configuration, log on to the appliance from the out-of-band management computer by browsing to the IP address that you assigned in Step 10.

Tip: Use https:// when browsing to the appliance.

Existing appliance: adding out-of-band management

You can add out-of-band management to an appliance that is already set up and running. You do not need to turn off the appliance to add this feature.

1 Connect the USB 10/100 Ethernet Adapter to a USB socket on your appliance.
2 Connect the Ethernet cable from the computer you will use for out-of-band management to the USB 10/100 Ethernet Adapter.
3 From a computer on the scanned network, log on to the appliance. This is the same process that you previously used to manage your appliance.
4 In the navigation pane, select System > Manage Appliances.
5 Under Out of Band Management:
  a Enable out-of-band management.
  b Select the driver for your Ethernet adapter. When using the supplied Ethernet adapter, select Belkin F5D5050 USB 10/100 Ethernet Adapter.
  c Edit the IP address and subnet mask.
6 Make a list of blocked ports, using Add, Modify or Delete.
7 Click Apply All Changes.
Getting Started Getting started with the Setup Wizard 2 8 After the appliance has restarted services using the new configuration, log on to the appliance from the out-of-band management computer by browsing to the IP address assigned in Step 4. Tip Use https:// when browsing to the appliance. Configuring using the console To use the console, have a monitor and keyboard connected to your appliance. The console enables you to configure the basic network settings for your appliance, without having to configure an additional computer to match the default IP and other network settings of your appliance. The console automatically launches after an unconfigured appliance is started, or after an appliance is reset to its factory defaults. When launched, the console prompts you to enter information for each configurable setting. After you have specified all settings, you are prompted to apply the configuration to your appliance. Using the console, you can configure the: Host name and domain that the appliance is to use. Operational mode for the appliance. LAN1 settings. LAN2 Settings. NIC settings (when run on 3300 and 3400 appliances). Gateway information. DNS server settings. Out-of-band management. Using the console When the appliance is in its factory default state when first shipped or when you restore factory defaults the console is displayed at the end of the startup sequence. The console prompts you to type the basic configuration details, including the host name, the domain name, the IP addresses for each local area network used by the appliance, and other details that enable communication between the appliance and the other devices on your network. When you have typed all the information, you are prompted to apply the configuration to the appliance. Depending on the settings, the appliance might reboot. After this configuration information has been applied, the console is no longer displayed on further reboots, unless you restore the factory defaults. 
When you have completed the basic network configuration from the console, you can connect to the appliance from a computer on the same network. Select Network Settings from the navigation pane within the interface to complete the detailed network configuration options for your appliance, such as defining the computers on the inside and outside networks and other advanced options.

Accessing the system console logon prompt
To access the logon prompt for the system console while the console is being displayed, press CTRL+ALT+F2 to start another session on the appliance.

Using the Setup Wizard
This section describes how to use the Setup Wizard. The wizard is displayed automatically when you first log on to the appliance, and provides a quick and easy way to configure the basic network and appliance settings. You can also access the Setup Wizard from the navigation pane: select Network > Setup Wizard.
Figure 2-1 Setup Wizard
The wizard has several pages. The page numbers are displayed, and the number of the current page is highlighted. If displayed, Quick Help appears on the right of the screen.
It is important to select the correct settings for your network. If you are unfamiliar with the purpose of any setting in the Setup Wizard, use the Quick Help panel. If the Quick Help panels are not displayed, select Show Quick Help in the navigation bar.
Work through each page of the Setup Wizard. When you have completed each page, click Next. The steps are:
Page 1 Initial network settings
Page 2 Operational mode of the appliance
Page 3 Protocols to process
Page 4 Network interface settings
Page 5 Inside and outside networks
Page 6 DNS servers and routing information
Page 7 Load-sharing servers
Page 8 Date, time, password and language settings
Page 1 Initial network settings
1 Type the name by which the appliance is known to other devices in the network. If you are using McAfee ePolicy Orchestrator, this is also the name that ePolicy Orchestrator uses to identify the appliance. Change the default name: a well-known factory name makes the appliance easy for an attacker to identify on the network. The name must be unique, no more than 15 characters long, and must not contain spaces. Make sure that the appliance name is registered in the appropriate DNS servers.
2 Type the name of the domain or sub-domain in which the appliance resides, for example example.com. On the Internet, computers and networks are generally grouped in domains according to their organization type or location.
3 Type the IP address of the default gateway. The default gateway is the next hop out of your network or subnet. If there are other gateways or routers on your network that the appliance needs to use, specify them on Page 6 DNS servers and routing information, where you configure routing information.
4 Click Next.

Page 2 Operational mode of the appliance
1 Select the mode in which the appliance will operate. The choices are:
Transparent Bridge
Transparent Router
Explicit Proxy
Carefully select the operational mode for the appliance, because it affects how you integrate the appliance into your network and how the appliance handles traffic. For more information, see the Deployment Guide.
If you select Transparent Router or Explicit Proxy mode, go to Page 3 Protocols to process. Otherwise, continue with the next step.
2 If the operational mode is Transparent Bridge and the feature is required, enable Spanning Tree Protocol. See the Deployment Guide for more information.
If the appliance is operating in Transparent Bridge mode and you are running the Spanning Tree Protocol (STP) on your network, make sure that the appliance is configured according to STP rules. STP prevents physical loops in networks that have two or more bridges. STP elects a Root Bridge that calculates all the redundant paths from other bridges back to itself. Bridge Protocol Data Units (BPDUs) exchange status information between bridges. Each bridge port is assigned a path cost weighting, and this path cost determines which ports STP disables to remove any physical loops in the network. To create the best path through the network, some bridge ports are in forwarding mode while others are blocking.
Type the bridge priority for this appliance. Bridge priority determines whether a bridge is the preferred choice for forwarding data traffic. Assign a unique number, in the range 0 through 65535, to each Transparent Bridge appliance. A low number indicates a high bridge priority.
Type appropriate time values for:
Forwarding Delay: bridges are not allowed to forward data traffic while the Root Bridge is calculating redundant paths. This forward delay is set by the Root Bridge. If the appliance has been chosen as the Root Bridge by STP, the Forwarding Delay is set here. The default value is 4 seconds.
Hello Time: the time that the appliance waits before sending messages about its configuration. The configuration BPDUs are known as Hello packets, and the Hello Time is the time between Hello packets. The default value is 1 second.
Maximum Age: if the appliance has been chosen as the Root Bridge, this is the longest time the appliance will store information it has received and used to create the current BPDU. The default value is 6 seconds.
Garbage Collect: periodically the appliance checks its bridge-forwarding database and removes timed-out entries. You can specify how long the appliance waits between checks. The default value is 0 seconds.
Ageing Time: how long dynamically learnt entries remain in the appliance's bridge-forwarding database before they time out. The default value is 120 seconds.
Click Next.
3 If the operational mode is Transparent Bridge and the feature is required, enable the Fail-Open Unit. See the Deployment Guide for more information. When the appliance is working normally, the Fail-Open Unit directs traffic through the appliance. If the appliance fails, the Fail-Open Unit detects the failure and bypasses the appliance. Traffic continues to flow but is no longer scanned, so monitor for fail-open events rather than relying on the absence of detections.

Page 3 Protocols to process
You can enable or disable each of the supported protocols.
By default, all the protocols are enabled, and traffic is scanned in both directions.
1 Select the protocols that the appliance will handle. Selecting a protocol means that the appliance handles (intercepts) that protocol, but it does not automatically enable scanning for it. Enabling scanning is not part of the initial configuration. For each of the protocols to be scanned, individually enable each type of scan (anti-virus, anti-spam, and content scanning) from the main configuration pages. See:
SMTP on page 83
POP3 on page 160
HTTP on page 168
ICAP on page 209
FTP on page 230
2 Click Next.

Page 4 Network interface settings
Use this page to set up the TCP/IP network address information for the appliance so that it can communicate with your network.
This page and those that follow have additional buttons displayed down the right-hand side. Use these buttons to change settings as necessary. This page also has an Advanced button on the LAN 1 and LAN 2 tabs, but not on the Bridge tab. You can use the Advanced button to configure the network adapter settings.

Specify multiple IP addresses for each port
1 Select the LAN1 tab. The default IP addresses and mask for LAN1 are shown.
2 Use Add, Modify or Delete to make a list of IP addresses. Use Move Up and Move Down to reorder the list. The first IP address in the list is the primary IP address, and any IP addresses below it are known as aliases. The appliance adds the new IP addresses to the ports when you click Apply All Changes.
To prevent duplication of IP addresses on your network, and so that the appliance is not reachable at a published factory-default address, give the appliance new IP addresses and disable or remove the default IP addresses. The IP addresses must be unique and suitable for your network. You can specify as many IP addresses as you need.
3 Repeat Steps 1 and 2 using the LAN2 and Bridge tabs, noting the following:
If you are using the appliance in Transparent Bridge mode, the IP addresses are combined into one list of bridge addresses for both ports.
If you are using the appliance in Explicit Proxy mode, the LAN2 port is a dedicated management port. You can disable the LAN2 port to prevent any direct management connections to the appliance.

Adding a new IP address
1 Select Add.
2 In Interface Address, type the appliance's IP address, for example 192.168.254.200.
3 In Network Mask, type the subnet mask, for example 255.255.255.0.
4 If necessary, use Move Up and Move Down to reposition an IP address within the list.
An IP address at the top of a list is known as a primary IP address, and any IP addresses below it are known as aliases. You cannot delete or disable a primary IP address unless your appliance is running in Explicit Proxy mode, where the primary IP address on the LAN2 interface can be disabled as part of the whole LAN2 interface.

Enabling/disabling the LAN2 IP address
The status of the IP address appears in the State column. A check indicates that the address is enabled; a cross indicates that it is disabled.
1 Select the IP address.
2 Click Modify and respond to the dialog box.
The actions of the buttons such as Modify and Delete vary according to the position of the entry that you select in the table. You cannot use Delete on the primary IP address, and you cannot use Modify to disable the primary IP address. However, you can use Move Up to change the position of any entry. To disable LAN2, click Disable LAN.

Changing the NIC settings
If necessary, you can use this page to change the appliance's Network Interface Card (NIC) settings.
1 Click Advanced. This is not available on the Bridge tab.
2 Type the Maximum Transmission Unit (MTU) size. The MTU size is the largest size, in bytes, of a single unit of data (for example, an Ethernet frame) that can be sent over the connection.
3 In Autonegotiation state, select On or Off:
On: the NIC automatically negotiates the speed and type of connection.
Off: allows you to type the speed of the connection in Connection speed, and to specify whether the connection is full duplex or half duplex in Duplex state.
4 Click Next.
Page 5 Inside and outside networks
The appliance uses two lists, a list of inside networks and a list of outside networks, to identify whether its traffic comes from an internal or an external network source. Because traffic can be scanned according to direction, enter the information carefully in your lists of inside and outside networks. The appliance refuses access to network devices that are in neither list.

What must be in the list of inside networks?
The list of inside networks must include:
The IP addresses or fully qualified domain names of the internal networks (those inside your organization and behind a firewall) with which the appliance communicates.
Controlling appliances, for load-sharing appliances.

What must be in the list of outside networks?
The appliance uses a * domain entry to identify everything not specified as an internal network as an external network. You can accept this default or list individual networks and domains. To list individual networks and domains, include:
The firewall.
Any internal test domains that are to be treated as external networks.
The list of outside networks must have at least one entry, namely your firewall. To allow incoming connections from the Internet, we strongly recommend that you keep the * domain entry in your list of outside networks. This is important for inbound mail. Hosts not listed as internal or external are blocked from using the appliance. All other entries must be added above the * domain entry.

Resolving conflicts
If a network device is listed in both the inside networks and the outside networks, the appliance needs to know whether to treat the device as part of the internal or the external network. The appliance compares the entries for the device and applies the following rules, in order, to determine how to treat the device:
1 A more precise domain name takes precedence over a less well defined one. For example:
host.sales.example.com takes precedence over *.sales.example.com
sales.example.com takes precedence over *.example.com
2 A more restrictive subnet mask takes precedence. For example:
255.255.255.0 takes precedence over 255.255.0.0
255.255.0.0 takes precedence over 255.0.0.0
3 If the entries are identical in both lists, the network device is treated as part of the internal network.
Although you can type a mixture of domain names and IP addresses in the lists of inside and outside networks, we recommend that you type IP addresses to avoid confusion. Domain-name entries also depend on the result of a reverse DNS lookup, so a device's classification changes if that lookup changes.

Configuring the lists of inside and outside networks
1 Select the Inside Networks and Outside Networks tabs in turn, and configure each as required.
To import lists of supported domains or addresses that you have previously saved as .csv files, use Import. If you import a .csv file, each entry in the file must be on a separate line:
Table 2-3 CSV entry formats
Type              Format                               Example
Network Address   N, <IP address>, <IP subnet mask>    N, 192.168.254.200, 255.255.255.0
Domain            D, <domain>                          D, www.nai.com
Alternatively, you can manually specify the domain and network information by entering the domain name or the IP address. See Step 2. If you use domain names, the appliance does reverse DNS lookups to check the hosts. You can identify as many domains and networks as you want.
When you configure the list of inside networks in the Setup Wizard, the information is used as the local domains. The appliance uses this information to prevent email messages being relayed through your organization. See Anti-relay settings on page 88.
By default, the appliance uses the * wildcard symbol in its list of outside networks. This identifies as external all networks other than those specified in the list of inside networks. We recommend that you keep the * domain entry in your external networks, because it ensures that the appliance can process traffic for the Internet. Ensure that you include the IP address of your firewall or the next device.
In the list of outside networks, specify the IP subnets or domains for the external networks (those outside your organization's firewall). Specify as many networks as you need.
2 To add a network, click Add, then specify its IP address and subnet mask, or its domain.
3 Click OK to add the network to the list.
4 Click Next.
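The following Python is an added example, not the appliance's own code, that ties the two pieces of this page together: it parses the Table 2-3 .csv import format (N, <IP address>, <IP subnet mask> and D, <domain>) into inside and outside lists, then applies the three Resolving conflicts rules to decide whether a given host is inside, outside, or blocked because it appears in neither list. The list contents and the hosts being classified are constructed sample data. The way "more precise" is scored for domain patterns (number of literal labels) is an assumption chosen to reproduce the guide's two examples, not documented appliance behaviour.

```python
"""Inside/outside classification with the Table 2-3 CSV format (added example)."""
import ipaddress

# Constructed sample .csv contents, one entry per line, as Import expects.
INSIDE_CSV = """
N, 192.168.254.0, 255.255.255.0
N, 172.16.5.0, 255.255.255.0
D, *.sales.example.com
D, *.example.com
"""
OUTSIDE_CSV = """
N, 192.168.0.0, 255.255.0.0
N, 172.16.5.0, 255.255.255.0
D, host.sales.example.com
D, test.example.com
D, *
"""


def parse_list(csv_text):
    """Parse the Table 2-3 format into (networks, domain patterns)."""
    networks, domains = [], []
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0].upper() == "N" and len(fields) == 3:
            # ipaddress accepts a dotted netmask after the slash
            networks.append(ipaddress.ip_network(f"{fields[1]}/{fields[2]}", strict=False))
        elif fields[0].upper() == "D" and len(fields) == 2:
            domains.append(fields[1].lower())
        else:
            raise ValueError(f"malformed entry: {raw!r}")
    return networks, domains


def domain_score(pattern, name):
    """Precision of a matching domain entry, or None if it does not match.
    Assumption: precision = number of literal labels, so host.sales.example.com (4)
    beats *.sales.example.com (3), which beats *.example.com (2); * scores 0."""
    if pattern == "*":
        return 0
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".sales.example.com"
        if name.endswith(suffix) and len(name) > len(suffix):
            return pattern.count(".")
        return None
    return name.count(".") + 1 if name == pattern else None


def best_score(entries, host):
    """Highest-precision entry in one list that matches host, or None.
    IP hosts match networks (score = prefix length, so 255.255.255.0 beats
    255.255.0.0); names match domain patterns; * matches either kind."""
    networks, domains = entries
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        scores = [n.prefixlen for n in networks if ip in n]
        if "*" in domains:
            scores.append(0)
    else:
        scores = [s for s in (domain_score(d, host.lower()) for d in domains) if s is not None]
    return max(scores) if scores else None


def classify(host, inside, outside):
    """Return 'inside', 'outside', or 'blocked' (host is in neither list)."""
    i, o = best_score(inside, host), best_score(outside, host)
    if i is None and o is None:
        return "blocked"
    if o is None or (i is not None and i >= o):   # rule 3: identical -> internal
        return "inside"
    return "outside"


INSIDE = parse_list(INSIDE_CSV)
OUTSIDE = parse_list(OUTSIDE_CSV)

if __name__ == "__main__":
    for h in ("192.168.254.10", "192.168.1.10", "host.sales.example.com",
              "other.sales.example.com", "172.16.5.9", "10.0.0.5"):
        print(f"{h:26} -> {classify(h, INSIDE, OUTSIDE)}")
```

Removing the D, * line from OUTSIDE_CSV makes classify return "blocked" for any address outside the listed subnets, which is the behaviour the guide warns about when the * entry is dropped from the outside list.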
Page 6 DNS servers and routing information
This page displays three tabs: DNS Servers, Static Routes and Dynamic Routes.
From here, you can specify the IP address of one or more DNS servers. DNS servers translate or map the names of network devices into IP addresses (and the reverse operation). The appliance sends requests to DNS servers in the order that they are listed here. The appliance uses the local DNS server to:
Attempt to deliver scanned SMTP email messages, if the DNS delivery method is selected.
Verify web browsing (HTTP) requests and determine which URLs to block, if URL blocking is configured.
To specify the DNS servers:
1 Under the DNS Servers tab, place your fastest, or most reliable, server at the top of the list. If the first server in the list cannot resolve the request, the appliance contacts the second server in the list. If no servers in the list can resolve the request, the appliance forwards the request to the DNS root name servers on the Internet.
2 If your firewall prevents DNS lookup (typically on port 53), specify the IP address of a local server that can resolve domain names.
3 To prevent requests going to the root DNS servers, select Use forward only mode. Requests are then sent only to the listed forwarding servers, and the appliance caches the name-resolution information locally. By default, Use forward only mode is deselected; this means that if none of the forwarding servers respond, the requests go to the root servers for the requested domains.
4 Configure static or dynamic routing. If the appliance will use more than one gateway or router to communicate with the entire network, specify the default gateway or router on the Initial network settings page of the wizard (in Default gateway) and specify the other gateways or routers here.
Select the Static Routes tab to configure static routing for the appliance. Type the routing information that is stored in the appliance's routing table. Every network is different. If you do not know the routing information for your network, ask your network expert.
Select the Dynamic Routes tab to set dynamic routing for the appliance. Select Enable dynamic routing to switch dynamic routing on. If you are using the appliance in a transparent mode, enable dynamic routing. Dynamic routing allows your network devices, including the appliance, to listen for the routing information that routers broadcast on your network. The devices can use that information to configure their own routing information. The appliance supports only the Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) routing protocols. Because the appliance acts on the routing advertisements it receives, enable dynamic routing only on segments where you control which devices can send them.
Routing information is in the Dynamic Routing table. In the navigation pane, select Network Settings or Troubleshoot > Diagnostics > Display Routing Information to view the appliance's routing table, and ensure that it is receiving routing information. If you disable dynamic routing, reboot the appliance to remove any dynamic routing information that it already has. Every network is different. If you do not know the routing information, ask your network expert.
5 Click Next.

Page 7 Load-sharing servers
Several appliances can share traffic scanning on the same network. Appliances can give some of their scanning workload to other appliances. They can also accept or refuse requests to scan traffic on behalf of other appliances. For more information, see Load sharing on page 242.
Use this page to specify settings for servers to which the appliance can make requests for load sharing.
1 In Requests, select:
Accept to allow the appliance to accept requests for load sharing.
Make to allow the appliance to make requests for load sharing.
2 If you selected Make, specify the list of servers to which the appliance can make requests for load sharing.
3 Click Next.

Page 8 Date, time, password and language settings
Use this page to set the date and time, passwords, the operational language, and NTP server information. NTP synchronizes timekeeping among devices in a network. Some Internet Service Providers (ISPs) provide a timekeeping service. For more information about NTP, see RFC 1305 at www.apps.ietf.org/rfc/rfc1305.html, www.ntp.org or www.ntp.isc.org.
1 To set or change the passwords, type each new password and click Set the password in the Set ... password sections. For security reasons, we strongly recommend that you change the default passwords when configuring the appliance for the first time.
2 Under Set the date and time, select the time zone.
By default, the appliance uses Coordinated Universal Time (UTC), or temps universel coordonné. You can select a time zone from the list of time zones. Set the date and time to reflect the current date and time, then click Set Now. The appliance updates its date and time. The time appears in 24-hour format. These values are used when time-stamping the traffic that passes through the appliance, and when logging and alerting.
3 The appliance can synchronize its time settings to other devices, keeping the appliance's logs and schedules accurate. The appliance can accept Network Time Protocol (NTP) messages from a broadcast or from specified servers. Under Set the NTP server settings, enable the use of the NTP server list. Add the servers by adding a network address or a domain name. See Making lists on page 45.
4 If required, enable NTP client broadcasts. Note that in broadcast mode any host on the segment can influence the appliance's clock, and with it the timestamps in its logs; where you can, use the server list instead. If you specify several servers, the appliance examines each NTP message in turn to determine the correct time. Because NTP messages are not sent as often as other messages, they do not noticeably affect the appliance's performance.
5 Under Set the operational language, select the operational language from the menu. This is the language in which the appliance's operating system will work. It is not necessarily the same as the language displayed by the interface that you selected at the Logon screen.
6 Under Out of Band Management, select the driver, IP address and port numbers. For more information, see Out-of-band management on page 29.
7 Under Set the SSH Configuration, specify the names or addresses of other computers that are allowed to access the appliance by SSH. See Using SSH to access your appliance on page 53.
8 Select Finish.
9 Select Apply All Changes.
10 The appliance prompts you to confirm the changes and to log off. The Logon screen appears.
11 Log on to the appliance again. Note that the IP address might now be different. The System Status page appears. This is the home page of your appliance. See The interface on page 43.
Tip We recommend that you run the diagnostic system test now to confirm that your initial configuration is functional. In the navigation pane, select Troubleshoot > Diagnostics > System Configuration Tests.
Changing network settings
To change the network settings:
Use the Setup Wizard. See Using the Setup Wizard on page 32.
Follow the instructions in:
Configuring the initial settings.
Selecting the protocols.
Changing all other settings.

Configuring the initial settings
1 In the navigation pane, select Network Settings.
2 Type the unique name by which the appliance is known to other devices in the network.
3 Type the name of the domain in which the appliance resides, for example example.com.
4 Type the IP address of the default gateway. The default gateway is the next hop out of your network or subnet. If there are other gateways or routers on your network that the appliance needs to use, you can specify them as described on Page 6 DNS servers and routing information on page 39.

Selecting the protocols
In the navigation pane, select Network Settings > Protocol, then select the supported protocols that you want the appliance to handle. When you select a protocol, the appliance can handle that protocol (in other words, it can intercept traffic in that protocol), but it does not automatically scan that traffic. Most scanning is not enabled as part of the initial configuration. For each protocol, individually enable each type of scan (anti-spam, content scanning and so on) from the main configuration pages.

Changing all other settings
For all other changes, select Network Settings in the navigation pane, then follow the instructions in Using the Setup Wizard on page 32.
The interface
The interface you see might look different from that shown here, because it can vary depending on the appliance's hardware platform, software version and language.
Figure 2-2 Areas of the interface
Table 2-4 Key
A Navigation pane
B Quick Help
C Main pane
D Control buttons
E Links bar
The appliance's interface has the following sections:
A Navigation pane
The navigation pane contains menu options that provide links to the status and configuration pages. It also displays a Home link and a Quick Help link. Click the + sign next to a menu to expand that menu and see the menu options. To close a menu, click the - sign. If any of these options are unavailable (dimmed), complete the current task, then click Close or Finish. The other menu options will be re-activated.
B Quick Help
This pane provides extra information to help you complete a task. To display the Quick Help pane, select Show Quick Help in the navigation pane. To hide the pane, select Hide Quick Help.
C Main pane
The main pane displays status pages, configuration pages and more menus. The changes that you make take effect after you click Apply all changes.
D Control buttons
The interface has the following control buttons:
Apply all changes: applies the changes that you made to the appliance. When you click this button, the appliance automatically restarts, and your changes are applied.
Cancel all changes: cancels all the changes that you made to all pages during this session (or since you last applied all changes to the appliance). If you made changes to multiple pages, all the changes are canceled.
Print: prints the main pane.
Logoff: terminates the current management session. You return to the Logon page, and must log on again with your password to continue managing the appliance.
E Links bar
The Links bar at the top of the screen provides links to more resources and sources of support. This black bar has the following links:
Table 2-5 Links from the Links bar
Link                       Description
Technical Support          Frequently asked questions on our Technical Support website.
Submit a Sample            Instructions for submitting a virus sample to us.
Virus Information Library  Links to the Virus Information Library, which describes every virus and other potentially unwanted program that we detect and clean.
About                      Product and licensing information.
Resources                  Contact information and other information.
Help Topics                Help information. Similar to clicking Show Quick Help in the navigation pane.
Depending on your configuration, some links might not be available, or they might redirect to other locations.

Changing the size of a pane
To change the size of any pane, click on the border between the panes and drag it to its new position. This is useful when viewing information in the Quick Help pane.
Common tasks within the interface
This section describes some common procedures for setting up, configuring and managing your appliance.

Enabling each feature
To ensure good detection and best performance, some features on the appliance are on (enabled) by default, while others are off (disabled). Many dialog boxes and windows have an Enabled checkbox. To use any feature, make sure you have selected this checkbox.

Making lists
You will use lists to specify information such as domains, addresses or port numbers.
Figure 2-3 Example of a list (Permit Sender)
Type     Address
Email    user1@example.com
Email    user2@example.com
Email    user3@example.com
Domain   example.net
Buttons: Add, Modify, Delete, Move Up, Move Down, Import
You can add new information to a list, or modify or delete existing information. In some lists, you can import information from other sources, or change the order of the items within the list by moving each item up and down the list.

Building a list of information
To build a list:
1 Use Add, Modify or Delete to change the information in a list.
2 Type or change the information within the dialog box. Some dialog boxes have multiple fields. Type suitable information for each field.
3 Click OK.

Ordering information in a list
Some lists display information in priority order. The first item in the list is the highest priority, and the last entry is the lowest priority. To change the priority of any item:
1 Select the item.
2 Click Move Up or Move Down to change the order.

Importing prepared information
Where possible, the appliance allows you to import previously prepared information from an external file, such as a .csv file.
Caution Newly imported information normally overwrites the original contents of the list.
To import information:
1 Click Import.
2 Browse to the file.
3 Click Open.
The information in the imported file is displayed in the list.

Editing alert messages
Your appliance uses alert messages to notify your users and administrators when an event, such as a virus detection, takes place. The appliance includes several default alert messages. For example:
Appliance is downloading %COMFORT_PERCENTCOMPLETE% % complete McAfee 2007
You can customize these alert messages.
1 From the dialog box, click the blue underlined link next to Alert to open the Alert Editor dialog box. The underlined text is Default, unless the alert message has previously been modified.
2 Deselect Use default alert.
You can use the Alert Editor dialog box in two modes: viewed as HTML or as plain text. If you view the alert as HTML, you see the alert message as it appears to your users. You have the following options when you view the alert messages as HTML:
Table 2-6 Alert Editor HTML options
Option   Description
Edit     Cut, copy, and paste selected text. You can also click the first three icons on the icon bar.
View     View the alert as HTML or as plain text.
Style    Change the style of the selected text: bold, italic and underline. You can also click the formatting buttons on the icon bar.
Size     Change the size of the selected text.
Color    Change the color of the selected text.
Insert   Show a list of tokens to insert into your alert message. For example, insert %DETECTIONS% in the alert message to show the number of detections.
If you view the alert as plain text, you see the alert message with all the HTML code revealed, enabling you to edit the HTML code directly. You have the following options when you view the alert messages as plain text:
Table 2-7 Alert Editor plain-text options
Option   Description
Edit     Cut, copy, and paste selected text. You can also click the first three icons on the icon bar.
View     View the alert as HTML or as plain text.
3 Type or edit the alert message using your chosen method.
Tip After editing the alert message as plain text, switch to viewing as HTML to preview your changes. See Substitution Variables on page 310 for information about the tokens in your alert messages.
4 Click OK.
Configuring the protocols

The appliance protects your network traffic by protocol. This section describes the settings that apply to all protocols scanned by the appliance. The protocols available depend on the version of the appliance. It includes the following topics:
Advanced configuration (all protocols).
Basic configuration (all protocols).

Advanced configuration (all protocols)

For TCP and UDP protocols, port numbers identify the ends of logical connections that carry specific services. Each service has an associated port number. The default port numbers are:
SMTP 25
POP3 110
HTTP 80
FTP 21

We recommend that you change intercept port numbers only if you understand port assignments and the implications of changing the numbers.

You can configure the following connection settings:
Intercept ports.
Listening ports on page 50.
Allocating scanning resources on page 51.
Reverse lookup on page 51.
Transparent exceptions on page 49.

Intercept ports

Intercept ports apply only to appliances operating in Transparent Bridge or Transparent Router mode. For TCP and UDP protocols, port numbers identify the ends of logical connections that carry specific long-term services. You can specify the ports that the appliance uses to intercept email traffic.
Each service has an associated port number. For example:

Table 2-8 Typical intercept ports used by each protocol
Protocol   Typical port
SMTP       25
POP3       110
HTTP       80 or 8080
ICAP       1344
FTP        21

You can set up one or more intercept ports for your traffic. The appliance intercepts the traffic on those designated port numbers. When you have configured these areas, click Apply all Changes. See Making lists on page 45 for details about entering and modifying the information for the intercept ports.

Transparent exceptions

If an appliance is operating in Transparent Router or Transparent Bridge mode, you can exclude individual hosts, domains or entire subnets from scanning at set times. These exclusions are known as exceptions.

Caution: The most secure option is to scan all traffic. Exceptions prevent scanning of some traffic and might introduce a security risk.

Each exception contains:
The port number associated with the exception.
Any sources that are exempt from scanning.
Any destinations that are exempt from scanning.
The start time associated with the exception.

Only one exception can be in effect at any given time. For example, if one exception starts at 05:00am and another starts at 08:00am, the 05:00am exception applies only until the 08:00am exception starts. Exceptions might fail if there are any changes to the IP addresses to which the domain names or host names resolve.
Table 2-9 Information to configure a Transparent Exception
Information             Example
Exception Port          POP3 = 110, HTTP = 80, FTP = 21
Rule Start Time         00:00
Source List Type        Network Address 192.168.254.200, 255.255.255.0
Destination List Type   Domain Address www.example.com

See Making lists on page 45 for details about entering and modifying information.

Managing intercept port numbers
1 In the navigation pane, select Configure, then select a protocol.
2 Select Protocol Settings, then select Connection Settings [Advanced].
3 At Intercept Ports, use Add, Modify or Delete to make a list of the port numbers.
4 Click Apply all Changes.

Listening ports

In Listen on ports, you can specify the ports the appliance uses to listen for traffic. At least one port must be set up for listening. Table 2-10 shows typical port numbers.

Table 2-10 Typical listening ports used by each protocol
Protocol   Typical port
POP3       110
HTTP       80
ICAP       1344
FTP        21

The appliance listens for traffic arriving on the designated port numbers. You can set up one or more listening ports for POP3, HTTP, ICAP or FTP traffic on your appliance.

Managing listening port numbers
1 In the navigation pane, select Configure, then select a protocol.
2 Select Protocol Settings, then select Connection Settings [Advanced].
3 At Listen on ports, use Add, Modify or Delete to make a list of the port numbers.
4 Click Apply all Changes.
Allocating scanning resources

You can set up scanning resources on a protocol-by-protocol basis, and can change the resources available for scanning each protocol. For each protocol, you can set up the number of processes listening for the protocol-specific traffic. These listeners can handle a number of connections. The available resources determine the number of scans that can be done simultaneously for each of the protocols and are equal to the number of listeners multiplied by the number of connections.

Caution: Changing these settings might seriously affect scanning performance. Consult your network expert before making the changes.

Because resources are limited, there is always a trade-off between the:
Number of listeners for a protocol.
Number of connections handled by the listeners for the protocol.
Memory needed to scan the protocol.
Scanning resources assigned to other protocols.

When you first use the appliance, some default values are in place. You can restore these settings at any time if the modified values are unsuitable. You can specify:
The number of listeners for each listen port on the appliance. Do this when the appliance first starts.
The number of connections that the appliance assigns to each listener.
The memory reserved for each connection to scan traffic.

To change these settings:
1 In the navigation pane, select Configure, then select a protocol, such as SMTP or HTTP.
2 Expand the Connection Settings [Advanced] section. To restore the settings to their default values, click Restore (near Listeners).

Reverse lookup

To find the host name associated with an IP address, the appliance can use DNS servers on the Internet. This action is called a reverse DNS lookup. For example, the appliance can use a reverse DNS lookup to determine that the IP address 192.168.254.200 refers to a host, host.example.com. However, a reverse DNS lookup can take some time and affects your appliance's performance.

You can prevent the appliance from making reverse DNS lookups when email messages or POP3 or HTTP requests are intercepted by the appliance.

Caution: Change reverse lookup settings only if you fully understand the consequences. If you deny reverse DNS look-ups, some functions might fail.
Basic configuration (all protocols)

Before the appliance can scan the traffic for a specific protocol:
Enable the protocol itself. See Enabling and disabling protocols on page 52.
Enable the type of scanning. Most scanning is not enabled by default.

The following topics apply to all settings:
Actions.
Applying time restrictions to rules and settings on page 79.

Enabling and disabling protocols

You can enable and disable each of the protocols that the appliance supports. Enabling a protocol effectively turns on that protocol, so that all the settings for that protocol can be applied by the appliance. Enabling a protocol does not automatically enable all the different scan options. These must be enabled separately. For example, if anti-virus scanning is enabled, but anti-spam scanning is disabled, enabling the SMTP protocol causes email messages to be scanned for viruses but not for spam.

If you disable a protocol, the appliance will not apply the settings for that protocol. If a protocol is disabled, the appliance will not scan any traffic for that protocol, even if the specific scan options are enabled.

You can enable or disable a protocol using the Setup Wizard or the Network Settings page.

Using the Setup Wizard
1 In the navigation pane, select Network Setup Wizard.
2 Use Next to locate the Protocol to process page.
3 Select the protocols to activate.
4 Click Next until you reach the end of the Setup Wizard.
5 Click Finish.

Using the Network Settings option
1 In the navigation pane, select Network Settings.
2 Under Protocols, select the protocols to activate.
Activating optional components

Some components of the appliance are available separately for purchase, or can be evaluated. To activate:
1 In the navigation pane, select System Manage Components.
2 Locate the section and click the buttons.

Optional components include:
Enhanced URL filtering.
Data Loss Prevention. Only available on Secure Internet Gateway (SIG) appliances.

Using SSH to access your appliance

You can use Secure Shell (SSH) to remotely gain access to the appliance. This section describes:
Enabling SSH access
Monitoring SSH events

Enabling SSH access

SSH must be enabled before you can use an SSH client to gain access to the appliance. To enable access:
1 In the navigation pane, select System Manage Appliances.
2 Select Enable SSH Access.
3 Select the devices that will be allowed access. The appliance is initially set to allow SNMP query from all devices. We recommend that you change this setting and allow access from known hosts only. Specify the IP addresses of the devices that are permitted to read the appliance's MIB parameters.
4 Click Apply All Changes.

You can also configure SSH access from Network Setup Wizard.

Caution: If you are using out-of-band management and have blocked port 22, change the SSH configuration to allow Secure Shell access.

After you have enabled Secure Shell access on your appliance, you can use your SSH client to access the support account on the appliance. Use the same password that you use to access the interface from a remote computer.
Monitoring SSH events

To monitor SSH events:
1 In the navigation pane, select Monitor Logs Resource and System, then select User and User Interface.
2 To limit the display to show only a few of the events, select a range of dates, at the bottom of the window.
3 Click Next. The appliance lists all the user and user interface events that occurred within your selected range.
3 Policies Overview

This section describes policies and what you can do with them. It contains the following sections:
Policies overview on page 55.
Policy planning on page 67.
Actions on page 73.
Understanding priorities in policies on page 80.

Policies overview

This section briefly describes policies and how to use the policy pages. It includes the following topics:
What is a policy?
Global policies on page 56.
Non-global policies on page 57.
Policy groups on page 62.
Content rules on page 66.

What is a policy?

A policy is a collection of settings and rules that tells the appliance how to combat specific threats to your network. See Policy actions on page 56 for more information about what the appliance must do. For example, you can set up a policy to determine how viruses are handled. You can:
Apply ready-made global policies to your entire organization. See Global policies on page 56.
Create new policies that can be tailored to the needs of any part of your organization. These non-global policies are based on the global policies. See Inheriting global settings on page 59.
Set up groups to which you can assign policies. These Policy Groups can represent the departments or functions within your organization. See Policy groups on page 62.
Create rules, which define what content triggers a response from the appliance. You can create content rules independently of a policy and apply them to policies later. See Content rules on page 66.

Policy actions

A policy specifies how the appliance acts against a threat. For example, you can specify the action the appliance must take if:
Any part of the policy triggers. For example, if a virus is detected, you can choose to clean, quarantine, or delete the detected item.
It detects a phrase specified in a content rule. You can choose to block the item or allow it through.
It detects a large file. The appliance can block it, or allow it through and issue an alert.

Issuing alerts and notifications

Each item in the policy has an action associated with it. When a rule or setting is triggered, the appliance can inform the sender, the recipient, and an administrator. The appliance replaces the offending message or attachment with text that you prepare. Any users who later read the message see the replacement text only. You can also configure the appliance to send a message to an administrator and record the event in a log.

The appliance uses substitution variables (tokens) to customize alert messages. For example, a message of the form:
Bad content detected at %LOCALTIME%.
might become:
Bad content detected at 12:34 on Monday.
For more information, see Substitution Variables on page 310.

Global policies

The appliance has some global policies that describe how items are scanned for viruses, potentially unwanted programs, file-filtering rules, and various other settings. Initially, such policies apply to the whole organization. From a global policy, you can create further policies, which you can apply to groups of users or domains.

As you create further policies, each one records whether any of its current settings are inherited from the global policy. A change to the global policy, such as increased anti-virus protection or a new rule, is inherited immediately by the other policies. The global policy also indicates how many other policies have inherited its settings.
Non-global policies

The appliance has some ready-made global policies, from which you can create exceptions to the rules, making your own non-global policies. For example, suppose that no-one in your organization except the marketing department may send or receive email attachments. You can configure the global policy to disallow attachments, then create a non-global policy to allow attachments for the marketing department.

To set up non-global policies, do the following tasks:
Creating a non-global policy.
Inheriting global settings on page 59.
Ordering non-global policies on page 59.
Adding time-specific settings to non-global policies on page 60.
Deleting non-global policies on page 61.
Deleting items in non-global policies on page 62.

Creating a non-global policy
1 In the navigation pane, select Policy, then select the protocol.
2 Select the type of policy. You can create:
Content policies (under Content): these policies determine how content is scanned. For example, you can tell the appliance how to handle email messages that contain viruses, spam, certain words or file types.
Connection policies (under Advanced Policies Connection): these policies are based on the computers that transfer the data rather than on the people who are senders or recipients. The settings relate to TCP/IP aspects of the conversation rather than the content. For example, you can configure connection time-outs.
Protocol policies (under Advanced Policies Protocol): these set up protocol-specific policies. For example, for HTTP you can set up policies that prevent users from accessing certain websites.
3 Select the direction of the traffic:
From Outside to set up policies for connections originating from hosts in your outside networks.
From Inside to set up policies for connections originating from hosts in your inside networks.
Inside and outside networks are described in the Setup Wizard Page 5 Inside and outside networks on page 37.
4 Right-click the selected direction, and select Create Policy from the menu. Alternatively, click on the Create Policy icon in the tree pane to display the same dialog box.
If you have previously set up any policy groups, the names of these groups are displayed. For example, you might have set up a policy group for managers. To continue using an existing group, go to Step 10. Otherwise, continue from the next step.
5 Click Create a new policy group.
6 In Policy Name, type a unique name to identify this policy group. When a policy is applied to this policy group, the name you type here is used as the name of that policy.
7 Define the policy group by setting up a number of membership conditions. For example, you can specify that to be in a specific group, a user must be in the Managers email group, or that a host must have an IP address within a set range. You can also specify which attributes the user or host must not have to be considered a member of a policy group. For example, the user must not be in the Managers email group, and must not have an IP address within a set range.
Use the following groups of options to set up the membership conditions. You can click on the option and then click the arrow key (>), or double-click the option.
Directory Group: use these options if you have already imported email groups from your Lightweight Directory Access Protocol (LDAP) servers. You will be prompted to select a directory group.
SMTP email address: use these options if you are not using LDAP servers. You will be prompted to type an email address. You can use the * and ? wildcard characters to specify a range of email addresses.
Network Source: use these options to define which IP addresses or domains are part of this policy group. You will be prompted to type an IP address, IP address subnet, domain name, or sub-domain range.
VLAN: use these options to define any virtual LANs. You will be prompted for a VLAN ID in the range 1 to 4094.
Service path: use these options to define the service path to identify an ICAP service.
User name: use these options to define specific users.
URL: use these options to define websites. You can use literal names (such as www.example.com), or you can use regular expressions to define groups of websites.
8 Specify the conditions that must be met for the appliance to apply a policy to this policy group. Select one of the following:
Match all: all of the conditions must be met before the policy can be applied.
Match one: at least one of the conditions must be met before the policy can be applied.
Match none: none of the conditions must be met for a policy to be applied to the policy group.
9 Click Finish. The new policy group appears in the policy group list.
10 Select the policy group to which the new policy will apply.
11 In Based on, select an existing policy on which to base this new policy.
12 To inherit the settings from a global policy, select Inherit settings from. The other settings for this non-global policy are inherited from the global policy.
The new policy appears as an icon in the tree pane. Initially, the new policy is identical to the policy from which it was created. To change any part of the new policy, you modify the items in the policy.

Inheriting global settings

Non-global policies can inherit settings from global policies. In the following table, the global policy is on the left. It is suitable for most departments in the organization but is not ideal for the sales department, which often handles large files. Therefore the sales department needs a different policy. You can create their policy by setting up a new non-global policy based on the global policy, then modifying parts of the new policy to better suit the department.

Global policy                                      Non-global policy for the Sales Department
Apply medium-level scanning for viruses.           Apply medium-level scanning for viruses.
Do not accept files that are larger than 10MB.     Do not accept files that are larger than 50MB.

The sales department has inherited one rule from the global policy (for medium-level scanning) and modified one rule (for the size of files). For each non-global setting, you can specify whether the rules are inherited or modified (disinherited).

Ordering non-global policies

Sometimes, items such as files, email messages, or users' documents are covered by several policies. It is also possible that a person can be in more than one policy group. For example, a person might work for two different departments. You can create a different non-global policy for each of these departments. For example, one group might be allowed to access a certain website, while the other group is banned from accessing that website.

When the person tries to access the website, the appliance must know which of the two conflicting policies to apply. The appliance will apply only the topmost non-global policy. For this reason, it is important that non-global policies are correctly ordered.

Changing the order of non-global policies
1 In the navigation pane, select Policy, then select the protocol for the policies.
2 Right-click the non-global policy.
3 Select Change Order. The non-global policies that can be reordered are displayed.
4 Click a policy in the list and use Move up or Move down to change its position in the list.
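The following added example (not McAfee code) models the policy group membership conditions from the Creating a non-global policy steps above and the ordering rule just described: Match all, Match one and Match none combine the conditions, and of the non-global policies whose group matches, only the topmost in the ordered list applies. The group names, email addresses and IP addresses are constructed for the example.

```python
"""Policy-group membership and non-global policy ordering, modelled on the
behaviour described in the guide (added example, not McAfee code)."""
import fnmatch
import ipaddress
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass
class Connection:
    """What the appliance knows about one conversation (constructed fields)."""
    sender: Optional[str] = None            # SMTP email address
    source_ip: Optional[str] = None         # network source
    vlan: Optional[int] = None              # VLAN ID, 1 to 4094
    url: Optional[str] = None               # requested website
    directory_groups: FrozenSet[str] = frozenset()  # imported LDAP groups


@dataclass
class Condition:
    kind: str     # "directory", "smtp", "network", "vlan" or "url"
    value: str

    def matches(self, conn: Connection) -> bool:
        if self.kind == "directory":
            return self.value in conn.directory_groups
        if self.kind == "smtp":
            # The SMTP email address option accepts * and ? wildcards.
            return (conn.sender is not None
                    and fnmatch.fnmatchcase(conn.sender.lower(), self.value.lower()))
        if self.kind == "network":
            if conn.source_ip is None:
                return False
            # Accept '192.168.254.0/24' or the 'address, netmask' form of Table 2-9.
            network = ipaddress.ip_network(self.value.replace(", ", "/"), strict=False)
            return ipaddress.ip_address(conn.source_ip) in network
        if self.kind == "vlan":
            vlan = int(self.value)
            if not 1 <= vlan <= 4094:
                raise ValueError(f"VLAN ID out of range: {vlan}")
            return conn.vlan == vlan
        if self.kind == "url":
            # The URL option accepts a literal name or a regular expression.
            return conn.url is not None and re.search(self.value, conn.url) is not None
        raise ValueError(f"unknown condition kind {self.kind!r}")


@dataclass
class PolicyGroup:
    name: str             # also becomes the name of the policy applied to it
    mode: str             # "all", "one" or "none"
    conditions: List[Condition] = field(default_factory=list)

    def is_member(self, conn: Connection) -> bool:
        results = [c.matches(conn) for c in self.conditions]
        if self.mode == "all":
            return all(results)
        if self.mode == "one":
            return any(results)
        if self.mode == "none":
            return not any(results)
        raise ValueError(f"unknown match mode {self.mode!r}")


def select_policy(ordered_groups: List[PolicyGroup], conn: Connection) -> Optional[str]:
    """Name of the topmost matching non-global policy; None means the global policy applies."""
    for group in ordered_groups:
        if group.is_member(conn):
            return group.name
    return None


# Constructed groups: the same person can belong to both Managers and Sales.
MANAGERS = PolicyGroup("Managers", "all", [Condition("directory", "Managers")])
SALES = PolicyGroup("Sales", "one", [
    Condition("smtp", "*@sales.example.com"),
    Condition("network", "192.168.254.200, 255.255.255.0"),
])
ALICE = Connection(sender="alice@sales.example.com", source_ip="192.168.254.200",
                   directory_groups=frozenset({"Managers"}))
BOB = Connection(sender="bob@example.com", source_ip="10.0.0.5")

if __name__ == "__main__":
    print(select_policy([MANAGERS, SALES], ALICE))   # Managers: it is topmost
    print(select_policy([SALES, MANAGERS], ALICE))   # Sales: after reordering
    print(select_policy([SALES, MANAGERS], BOB))     # None: the global policy applies
```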
Adding time-specific settings to non-global policies

The settings within global policies apply at all times. For example, you cannot configure the global anti-virus setting to scan email messages between 02:00 and 04:00 only on a Friday morning. You can only enable or disable the anti-virus setting.

You can apply time restrictions to non-global content policies. For example, you can specify that users can only send email messages with large attachments at specific times of the day, typically when the network is less busy. To do this, set up a global policy that prevents users sending email messages with large attachments, then set up a non-global policy that allows large attachments at a specific time each day.

The appliance gives precedence to a more precise policy. In this example, the non-global policy that applies at a specific time only is more precise than the global policy that applies at any time of the day. At the specified time, this non-global policy will take precedence over the less specific global policy.

Multiple instances of rules and settings

A policy can have multiple instances of rules or other settings. For example, a sales department has the following schedule:

Time               Activity
Monday morning     Prepare a list of sales targets for the week.
Monday afternoon   Publish the target sales report.
Tuesday            Sell!
Wednesday          Sell!
Thursday           Sell!
Friday morning     Sell!
Friday afternoon   Publish the achieved sales report.

The two reports are sent or published on Monday afternoon and Friday afternoon. The reports must not be circulated or modified at any other times. To control this, you can create two rules:
Ban any document that contains the phrase Sales Report on Monday mornings.
Ban any document that contains the phrase Sales Report between Tuesday morning and Friday morning.
The rules are identical but their times are different.

Handling overlapping time restrictions

If you specify time restrictions that overlap, the appliance operates like this:
One instance only of a specific rule is active at any one time.
One instance only of the anti-virus settings is active at any one time.
If a rule or anti-virus setting is set to operate all the time, it has the lowest priority and becomes active only if no time-restricted rule or anti-virus setting is in operation.
If a rule or anti-virus setting is set to operate at various times, the most recently activated instance is active.

For example, you have these settings:
Apply a low level of anti-virus scanning all the time.
Apply a medium level of anti-virus scanning on weekdays only.
Apply a high level of anti-virus scanning on Thursday mornings only.
The first set of anti-virus settings applies unless it is a weekday. This setting is ignored if it is Thursday morning.

In general, avoid creating complex time restrictions. If a rule or anti-virus setting has several time restrictions applied to it, the restriction that is in force has:
Latest start time.
Earliest finish time.
Latest first day (using Sunday as the first day of the week).
Earliest last day (using Sunday as the first day of the week).
Least number of days.

Adding time-specific settings

You can add additional content rules and other policy settings to content policies.
1 In the navigation pane, select Policy, then select the protocol for the policy.
2 Under Content, right-click the policy to which additional settings will be added. You cannot add additional settings to Connection or Protocol policies.
3 Select Add Settings.
4 Under Available settings, select the setting to add. You can specify time restrictions to the minute. For example, you can specify a period such as Morning to be 09:05 to 11:59.
5 Under Properties, specify when and how the appliance will respond.

Deleting non-global policies

You can only delete non-global policies. Deleted non-global policies cannot be restored. Any policies deleted in error must be recreated.
1 In the navigation pane, select Policy, then select the protocol for the policy.
2 Under Content, right-click the policy.
3 Select Delete Policy, and confirm the deletion. The policy is removed from the list of policies.

Deleting items in non-global policies

You can delete some items in non-global policies. You cannot delete items in a global policy. You cannot restore deleted items. Any items deleted in error must be created again.
1 In the navigation pane, select Policy, then select the protocol for the policy item.
2 Right-click on the non-global item.
3 Select Delete, and confirm the action. The item is removed from the non-global policy.

Modifying items in the policy
1 In the navigation pane, select Policy, then select the protocol for the policy item.
2 In the tree pane, select the policy icon. The details pane displays the policy.
3 In the policy, right-click any item under the Setting column, and select Edit Settings to open a dialog box.
4 Make your changes.

Policy groups

You can apply different policies to the groups and functions within your organization. For example, you can apply a policy to some groups of email users. To apply policies to groups, first define these policy groups. This section describes how you can set up the different groups to which the policies can be applied. It includes:
Creating a policy group on page 63.
Modifying a policy group on page 64.
Deleting a policy group on page 64.
Using LDAP servers on page 65.
Importing directory information from LDAP servers on page 66.

To use information from your LDAP servers to create email groups, import their directory information before you create a policy group.
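Returning to Handling overlapping time restrictions above, the following added example (not McAfee code) works out which instance of a rule or anti-virus setting is in force at a given day and minute: an all-time instance has the lowest priority, and among time-restricted instances the precedence is latest start time, earliest finish time, latest first day, earliest last day and least number of days, with Sunday as day 0. The low/medium/high instances are the guide's own example, modelled as constructed data.

```python
"""Precedence among overlapping time restrictions on a rule or anti-virus
setting, as described in the guide (added example, not McAfee code)."""
from dataclasses import dataclass
from typing import Optional, Sequence

# Sunday is the first day of the week for the restriction tie-breakers.
SUNDAY, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY = range(7)


def hhmm(text: str) -> int:
    """Convert '09:05' to minutes after midnight; '24:00' is the end of the day."""
    hours, minutes = text.split(":")
    value = int(hours) * 60 + int(minutes)
    if not 0 <= value <= 24 * 60:
        raise ValueError(f"time out of range: {text}")
    return value


@dataclass(frozen=True)
class RuleInstance:
    level: str                  # constructed label, e.g. the anti-virus level
    all_time: bool = False      # True for an instance that operates all the time
    first_day: int = SUNDAY     # first and last day of the restriction, inclusive
    last_day: int = SATURDAY
    start: int = 0              # minutes after midnight, start inclusive
    finish: int = 24 * 60       # finish exclusive

    def in_force(self, day: int, minute: int) -> bool:
        if self.all_time:
            return True
        return (self.first_day <= day <= self.last_day
                and self.start <= minute < self.finish)

    def day_count(self) -> int:
        return self.last_day - self.first_day + 1


def active_instance(instances: Sequence[RuleInstance], day: int,
                    minute: int) -> Optional[RuleInstance]:
    """Return the single instance that is active at the given day and minute."""
    in_force = [i for i in instances if i.in_force(day, minute)]
    timed = [i for i in in_force if not i.all_time]
    if not timed:
        # Only an all-time instance, if there is one, is left to apply.
        return next((i for i in in_force if i.all_time), None)
    # Tie-breakers in the guide's order: latest start, earliest finish,
    # latest first day, earliest last day, least number of days.
    return min(timed, key=lambda i: (-i.start, i.finish, -i.first_day,
                                     i.last_day, i.day_count()))


# The guide's example as constructed instances of the anti-virus setting.
ANTI_VIRUS = [
    RuleInstance("low", all_time=True),
    RuleInstance("medium", first_day=MONDAY, last_day=FRIDAY),
    RuleInstance("high", first_day=THURSDAY, last_day=THURSDAY,
                 start=hhmm("00:00"), finish=hhmm("12:00")),
]


def level_at(day: int, minute: int) -> Optional[str]:
    """Anti-virus level in force for the example settings, or None if none applies."""
    instance = active_instance(ANTI_VIRUS, day, minute)
    return instance.level if instance else None


if __name__ == "__main__":
    for day, clock in ((THURSDAY, "09:00"), (THURSDAY, "14:00"), (SATURDAY, "10:00")):
        print(day, clock, level_at(day, hhmm(clock)))   # high, medium, low
```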
Creating a policy group
1 In the navigation pane, select Policy, then select Groups.
2 Click Add.
3 In Policy Name, type a unique name to identify this policy group. When a policy is applied to this policy group, the name you type here is used as the name of that policy.
4 Define the policy group by setting up the membership conditions. For example, you can specify that to be in a specific group, a user must be in the Managers email group, or that a host must have an IP address within a set range. You can also specify which attributes the user or host must not have to be considered a member of a policy group. For example, the user must not be in the Managers email group, and must not have an IP address within a set range.
Use the following groups of options to set up the membership conditions for each member that you add to the group. You can click on the option and then click on the arrow key (>), or double-click the option.
Directory Group: use these options if you have already imported email groups from your LDAP servers. You will be prompted to select a directory group.
SMTP email address: use these options if you are not using LDAP servers. You will be prompted to type an email address. You can use the * and ? wildcard characters to specify a range of email addresses.
Network Source: use these options to define which IP addresses or domains are part of this policy group. You will be prompted to type an IP address, IP address subnet, domain name, or sub-domain range. See Issues with policies applied to network sources on page 64.
VLAN: use these options to define any virtual LANs. You will be prompted for a VLAN ID in the range 1 to 4094.
Service path: use these options to define the service path to identify the requested ICAP service.
User name: use these options to define specific users.
URL: use these options to define websites. You can use literal names (such as www.example.com), or you can use regular expressions to define groups of websites.
5 Specify the conditions that must be met for the appliance to apply a policy to this policy group. Select from:
Match all: all of the conditions listed must be met before the policy can be applied.
Match one: at least one of the conditions listed must be met before the policy can be applied.
Match none: none of the conditions listed must be true for a policy to be applied to the policy group.
6 Click Finish. The new policy group appears in the policy group list.
Now you can create policies that apply to the policy groups you have created. Each resulting policy takes the name of the policy group to which it applies. For example, if you create a policy group called Managers, policies that apply to that policy group will also be called Managers.

Issues with policies applied to network sources

If your appliance is in Explicit Proxy mode and is scanning HTTP traffic, policies based on connections to network destinations will not trigger. This limitation is a result of the nature of explicit HTTP scanning, and the point during connection at which the appliance applies policies. The appliance must determine which policy to apply before it starts scanning. In HTTP communications, the appliance scans the request header. In an explicit proxy configuration, this means the appliance must apply policies during the initial HTTP request, before it has established communication with the other end. No verifiable destination information is available at this point, so policies based on destination cannot trigger.

Modifying a policy group

To change the membership conditions for a policy group:
1 In the navigation pane, select Policy Groups to display a list of all the policy groups.
2 For the policy group, select Modify. You can change:
The name of the policy group. When you change the policy group name in Policy Name, the names of all the policies that refer to this policy group are automatically updated to use the new name.
The membership details for the policy group: the conditions that must be met for the appliance to apply a policy to this policy group.
3 Make the changes you require, then click Finish.

Deleting a policy group

If a policy group is not required and is not used in any of the policies you have created, you can delete it.
1 In the navigation pane, select Policy Groups. The appliance displays a list of all the policy groups.
2 Select the policy group, click Delete and confirm the action.
To delete all policy groups, click Delete All.
Policies Overview Policies overview 3 Using LDAP servers If your network has LDAP servers, you can create policy groups from their directory information. To use LDAP servers: 1 Make sure that the group information on the LDAP servers is up-to-date. 2 Make a list of LDAP servers that the appliance can use. 3 Import the directory information from the LDAP servers. Setting up the LDAP server list Before you can import directory information from your LDAP servers, provide the information that the appliance needs to contact those servers. Position the LDAP server entries in the list in the order in which you want the appliance to contact the servers. The appliance contacts them starting from the top of the list. Making the list of LDAP servers To make the list of LDAP servers: 1 In the navigation pane, select Policy Groups LDAP Servers, then use Add, Modify or Delete. 2 To add to the list or modify the list: a In LDAP server name or LDAP server address, type the domain name or IP address of the LDAP server. b Select the type of LDAP server. c In Base DN, specify which part of the database on the server will be queried for the email group information. d In Group query, type text that queries the LDAP server for a list of all the email groups in that part of its database. The text depends on the type of LDAP server you are using. For more information about LDAP queries, see the user documentation that accompanies your LDAP server. e f In Member query, type text that queries the LDAP server whether a user is a member of the particular group. Members are known by their email address or their user name. The text depends on the type of LDAP server you are using. For more information about LDAP queries, see the user documentation that accompanied your LDAP server. Type the user name to access the LDAP server. g Type the password to access the LDAP server. Caution Do not use a domain administrator account. 
Use a name and password of an account that has read-only permission, because this information might be transmitted in clear text.
3 Click Finish.
Importing directory information from LDAP servers

You can import directory information from LDAP servers to create policy groups. See Creating a policy group on page 63. If you have just set up the LDAP server list, click Apply All Changes before you can import the directory information from your LDAP servers.
1 In the navigation pane, select Policy Groups.
2 Click Import from LDAP.

Content rules

A content rule defines unacceptable content. For example, a rule can ban a particular word in email messages that enter or leave your organization. The content rule can then be applied to any content policy, and you can configure the appliance to act in a specific way if the rule is triggered. For example, if the appliance detects the word in an email message coming from the Sales department, it can block the email message and inform an administrator.

Because you can create a large number of content rules, they are organized into rule groups. Each rule group can have any number of content rules. The appliance is already configured with some rule groups. You can add content rules to these groups or create your own rule groups. You create the groups first, then add rules to them.

You can assign a whole rule group or just selected content rules to a policy. Assigning selected rules enables you to set up policy-specific settings for those content rules.

Compliancy and lexicons

To prevent the loss of confidential data, the appliance can scan for particular words and patterns of text, according to lists of words (or lexicons) that are available to organizations such as hospitals. To view the lexicons, click Policy in the navigation pane, then Compliancy in the main pane. For more information, see Compliancy on page 117.

Data loss prevention

To prevent the loss of confidential data, the appliance can scan for fingerprints.
Software (called the Data Fingerprinting Tool) on the file server scans the organization's confidential data, and generates coded information about the file contents (the fingerprints). The file server forwards new fingerprints to the appliance at regular intervals. To view the fingerprint information, click Policy > SMTP or Policy > HTTP in the navigation pane, then Fingerprint Groups in the main pane. For more information, see Data loss prevention on page 113.
Policy planning

This section describes what to do before creating policies. It also describes advanced connection settings, advanced transparent exceptions, and alert settings that apply to more than one protocol. It includes the following topics:
- Spend time planning.
- Considering the legal implications.
- Understanding policy pages and settings.
- General guidelines on page 72.

Spend time planning

To make full use of policies, spend time planning. Poorly configured policies can cause serious security and connectivity issues for your network.
- Familiarize yourself with the policy concepts. Understand especially the importance of establishing good global policies before deriving any other policies from them.
- Consider how to organize users and computers into policy groups.
  Caution: The number of non-global policies can affect the number of scans that the appliance runs. This in turn can affect the appliance's performance.
- Decide which policies to assign to the policy groups.
- Consider the order in which policies are applied. See Understanding priorities in policies on page 80.
- Consider the legal implications of setting some policies. See Considering the legal implications.
- Follow the general guidelines. See General guidelines.

Considering the legal implications

Before applying any restrictions to employees' email and Internet access, check any local legal requirements. Some restrictions might be illegal. Consider informing employees that restrictions are in force, for example by displaying a statement when they start their computers, or attaching a disclaimer to each email message. We recommend that you discuss the implications with your legal department.

Understanding policy pages and settings

Before setting up your policies, familiarize yourself with the policy pages and settings. You can access the configuration pages for the policies by selecting Policy in the navigation pane, then the protocol.
The main pane then displays a page that can access the policies and content rules pages.
The main pane has several areas:
- Tree pane.
- Details pane on page 69.
- Toolbars on page 72.

Tree pane

In the left-hand section of the main pane, the tree pane can access policies and rule groups. The icons are organized in a tree structure, and you can click the + symbols to expand each node and see all parts of the tree. The tree pane uses an icon for each of the following item types:
- Global policy
- Non-global policy
- Rule group

To manage an item in the tree pane, right-click on it or use the toolbars.

Right-click options

A page is displayed if you right-click on an item in the tree pane. The options displayed depend on the type of item selected. Not all options are available for global policies. Right-click on a policy item in the tree pane to display the following options:
Create Policy: Create a new policy.
Delete Policy: Delete the selected policy. This option is not available for a top-level policy.
Change Order: Determine the order in which policies are applied to scanned items.
Add Settings: Add extra items such as content rules to your policy.
Paste: Paste rules that have been cut or copied from other policies.
Right-click on a content rule group in the tree pane to display the following options:
Create Rule Group: Create a new rule group.
Export: Export the selected rule group as an XML file. Only available by right-clicking on Rule Groups.
Import: Import a rule group as an XML file. Only available by right-clicking on Rule Groups.
Delete Rule Group: Delete a rule group. You cannot delete a rule group if it is in use by any policy.
Rename Rule Group: Change the name of a rule group.
Create Content Rule: Create a new content rule.
Assign Rules: Assign a rule or group of rules to a policy.
Cut, Copy, Paste: Make a copy of the selected rule to create new rules based on these, or to add the rules to a policy.

Details pane

If you select an item in the tree pane, policy settings and rules appear in the details pane (to the right of the tree pane). You can then select the policy settings or content rules to configure.

Policy settings

This section describes the type of information that is shown for global policies and non-global policies.

Global policy settings

The following table shows the types of status information that can be displayed for each global policy setting. For example:
Setting | Inherited by
Anti-virus | 2 Policies
Content Scanner |
Encrypted Content | 2 Policies

Item: The checkbox to the left of an item in the Setting column indicates whether the item is enabled. An item can be:
- Currently enabled. Can be disabled.
- Currently disabled. Can be enabled.
- Permanently enabled. Some features cannot be disabled at global or non-global level. For example, you must specify how encrypted content will be handled; you cannot disable the feature.
Inherited by: Uses the following icons to show which items are inherited by other policies. It also shows how many policies have inherited those settings:
- This item is inherited by other policies.
- This item is not inherited by other policies.

To see a brief description of any item in the policy, move your cursor over the text and wait for a pop-up message to appear. To sort the items into a different order, click the headings.

Non-global policy settings

The following table shows the types of information that can be displayed for each non-global policy setting. For example:
Item | Inherited
Anti-virus |
Content Scanner |
Encrypted Content |
File Filtering |

Item: The checkbox on the left of an item indicates whether the item is enabled. If the checkbox is unavailable, the item is inherited from a global policy, and its values cannot be changed. If the checkbox is white, the item is not inherited from a global policy and its values can be changed. The checkbox states are:
- Not inherited. Currently enabled. Can be disabled.
- Not inherited. Currently disabled. Can be enabled.
- Currently inherited and enabled. Cannot be disabled if the global policy from which it is inherited cannot be disabled.
- This setting has been inherited from a global policy, and cannot be disabled if that global policy cannot be disabled. For example, specify how encrypted content will be handled. It cannot be disabled at a global or non-global level.
- Currently inherited and disabled. Can be enabled only if it is first disinherited from the global policy.

Time: Indicates when the item applies. Most types of items show All the time, but you might see settings that apply to weekdays, weekends, or specific times of day.
Inherited: Uses the following icons to indicate whether an item is inherited from a global policy. If an item is inherited, it has the same values as the global policy.
- Inherited
- Not Inherited

To see a brief description of any item in the policy, move your cursor over the text and wait for a pop-up message to appear. To sort the items into a different order, click the headings.

Right-click options for policies

To manage the items within a policy, right-click a row to display the available options:
Add Settings (Content policies only): Add content rules and policy settings that you can tailor for the selected policy. For example, you can tailor a setting by applying time restrictions or by changing the actions. You cannot add extra anti-virus settings to a global policy.
Paste: Add rules (previously cut or copied) to the selected policy.
Delete: Delete an item.
Edit Settings: Change the setting details. For some items such as anti-virus settings, you can change the action and time restrictions. You cannot change the time restriction for the anti-virus setting in a global policy, because it must be available at all times. Instead of using this option, you can double-click the row.

Content rules

If you select a content rule group in the tree pane, the details pane displays a summary of the rules. The summary shows each rule by name and description, and includes a checkbox so that you can enable or disable a rule. For example:
Rule name | Description
Insult 1 | One insult
Insult 2 | Another insult

Right-click options

To manage the rules within a rule group, right-click on an item to display the available options:
Create Content Rule: Create a new rule.
Edit Content Rule: Modify the content rule.
Assign Rules: Assign selected rules, or an entire rule group, to the policy associated with an identity.
Cut, Copy, Paste: Move rules to other rule groups.
Delete: Delete a rule.
Toolbars

The toolbars at the top of the panes contain buttons that help you do common tasks quickly. The icons in the toolbars change as you select items in the panes. The following icons are always available:
- Cut the selected item.
- Copy the selected item.
- Paste the selected item.

Some toolbar icons are a combination of other icons. They include a subject, such as a policy or content rule icon, and an action to tell you what is happening to the subject. Table 3-1 shows the actions:

Table 3-1 Actions (the label appears below the icon)
Add, Edit, Import, Create, Reorder, Export, Rename, Delete, Assign

Table 3-2 shows examples of combined icons:

Table 3-2 Combined icons
Create a rule group, Edit a content rule, Export a rule group, Import a rule group, Create a policy, Assign a content rule, Create a content rule, Delete a rule group, Delete a content rule

General guidelines

When setting up policies:
- Set up global policies to cover most situations. See Global policies on page 56.
- Set up non-global policies only to cover exceptions to the way that the global policy handles an item, for example, to create exceptions to the way that connections or traffic are normally handled by the appliance. See Inheriting global settings on page 59.
- If the appliance is in Transparent Router or Transparent Bridge mode, consider the priority assigned to non-global policies. See Ordering non-global policies on page 59.

Caution: Incorrect configuration of advanced policy settings can cause serious security and connectivity issues for your network. We recommend that you do not change advanced settings unless instructed to do so by McAfee Technical Support or your network expert.
Actions

You can configure the appliance to act in various ways when a scanner triggers. For example, you can tell the appliance to try to clean an email message if the anti-virus scanner detects a virus. The actions that are available depend on the selected policy setting and on the scanner that detected the issue. The actions are:
- Primary actions. These determine how the original email message is handled.
- Secondary actions. These apply to additional copies of the original email messages and notifications.

To view the actions, select Policy > <protocol> > Content in the navigation pane, then select a policy. The primary actions are displayed. Any secondary actions are displayed when you click on one of the primary actions. The actions vary according to the protocol. See the tables:
- FTP actions in Table 3-3
- HTTP actions in Table 3-4
- ICAP actions in Table 3-5
- POP3 actions in Table 3-6
- SMTP actions in Table 3-7

Table 3-3 FTP actions
Refuse the original data: The appliance rejects the data.
Allow Through: The appliance lets the file through. Any detections are logged but not acted on. The most secure option is to scan all file types. Before using the Allow Through option, carefully consider the security risks.

Table 3-4 HTTP actions
Allow Through: The appliance takes no action. The requested URL appears without any messages being displayed. The most secure option is to scan all file types. Before using the Allow Through option, carefully consider the security risks. For more information on the risk with each file type, see the Virus Information Library. See Contact information on page 16.
Block access: The appliance denies a request to access a website. A message tells the user that access to the website is considered inappropriate and was blocked.
Table 3-4 HTTP actions (continued)
Coach Access: The appliance issues a message, telling the user that the request is considered inappropriate. The user can ignore this warning and access the website anyway. When a user is granted coached access to the requested URL, access is granted for a period. If the user does not refresh or reload the browser within this period, the user sees a further coaching message. When the user refreshes or reloads the browser, a further coaching message is displayed when the period expires, unless the user has since browsed to an uncoached URL. To be compatible with most browsers, the appliance sets a time at which access is reassessed. If the system clocks are not synchronized on the appliance and the user's computer, user access might be blocked. For example, if the period is 15 minutes, and the clock in the user's computer is 30 minutes earlier than the appliance's clock, the user will not be able to browse to any URLs that have coached access.
Deny access: The appliance prevents the user from viewing the requested URL. An explanatory message appears in its place.
Replace the content with an HTML alert: If a detection is triggered because of the content of a file, the appliance replaces the content with an HTML alert that explains why the original was replaced.

Table 3-5 ICAP actions
Allow Through: The appliance lets the file through. Any detections are logged but not acted on. For example, if you are expecting some large files that normally trigger the denial-of-service limits, you can temporarily set the appliance to allow these files through, rather than replace them with an HTML alert. The most secure option is to scan all file types. Before using the Allow Through option, carefully consider the security risks.
Replace the content with an HTML alert: If a detection is triggered due to the content of a file, the appliance replaces the content with an HTML alert that explains why the original was replaced.

Table 3-6 POP3 actions
Accept and then drop the data: The appliance accepts the email message and discards it. The appliance sends an OK message to the POP3 client.
Allow changes to break the signed email: If a detection triggers because of the content of an email message, the appliance modifies the message, even if this breaks the digital signature. The appliance sends the modified email message to the recipient.
Do not allow changes to break the signed email: The appliance only performs actions that do not break the signed email message signature. The appliance then tries to deliver the email message to the original recipients.
Refuse the original data and return a rejection code: The appliance rejects the email message and sends a rejection message to the POP3 client.
Remove the content: If an email message exceeds the limits for the number and size of attachments, the appliance removes the excess content, scans the remaining email message, and sends the modified message to the recipient.
Replace the content with an HTML alert: If a detection is triggered due to the content of a file, the appliance replaces the content with an HTML alert that explains why the original was replaced. The appliance sends the modified email message to the recipient.
Table 3-6 POP3 actions (continued)
Allow Through: The appliance lets the file through. The email message remains unchanged but the event might be logged or the administrator alerted. For example, select this action to monitor the use of certain words in files without preventing their use. Some email software does not accept changes to signed messages, and therefore you cannot allow the appliance to alter the content. If you allow all signed messages through, an undesirable item inside a signed message can escape detection. If you allow all signed messages through, be sure that the messages come from a trusted source, or that they are scanned later. Any detections are logged but not acted upon. The most secure option is to scan all file types. Before using the Allow Through option, carefully consider the security risks. For more information on the risk associated with each file type, use the Virus Information Library. See Contact information on page 16.
Attempt to clean: On detecting a virus within the email message, the appliance tries to clean the virus. If the email message can be cleaned, the appliance sends the modified email message to the recipient. The appliance can also handle files that have zero bytes after cleaning:
- Keep zero byte files: the appliance allows cleaned files to have zero bytes.
- Remove zero byte files: the appliance removes any file that has zero bytes after cleaning.
- Treat zero byte file as a failure to clean: the appliance treats the files as if it cannot clean them, and takes a specified action.

Table 3-7 SMTP actions
Accept and drop the email: The appliance issues an acceptance code (SMTP 250 OK) at the post-data stage after the final dot (.). We do not recommend this option because it suggests to the sender that the message was received as intended.
Accept and ignore the recipient: The appliance accepts the message and sends an acceptance code (SMTP 250 OK) at the RCPT TO stage. We do not recommend this option because it suggests to the sender that the message was received as intended.
Accept and then drop the data: The appliance accepts the email message and discards it. The appliance sends an SMTP 250 OK response to the mail server.
Add score to spam score: The appliance adds a spam score to the overall anti-spam score for this email message. This determines whether the email message is treated as spam. If you select this option, you cannot select secondary actions. Instead you are prompted to type a spam score between -99.9 and +99.9 to add to the overall spam score for the email message.
Allow changes to break the signed email: If a detection triggers because of the content of an email message, the appliance modifies the message, even if this breaks the signature. The appliance sends the modified email message to the recipient.
Table 3-7 SMTP actions (continued)
Allow Through: The appliance lets the file through. The email message remains unchanged but the event might be logged or the administrator alerted. For example, select this action to monitor the use of certain words in files without preventing their use. Some email software might not accept any changes to signed messages, and therefore you cannot allow the appliance to alter the content. If you choose to allow all signed messages through, an undesirable item can escape detection if it is inside a signed message. If you allow all signed messages through, be sure that the messages come from a trusted source, or that they are scanned at a later stage. Any detections are logged but not acted upon. The most secure option is to scan all file types. Before using the Allow Through option, carefully consider the security risks. For more information on the risk associated with each file type, see the Virus Information Library. See Contact information on page 16.
Clean the content: If the appliance detects a virus within the email message, it attempts to clean that virus. If the email can be cleaned, the appliance sends the modified email message to the recipient. The appliance can also handle files that have zero bytes after cleaning:
- Keep zero byte files.
- Remove zero byte files.
- Treat zero byte files as a failure to clean.
Close the connection: The appliance sends an SMTP 550 (permanent failure) response code and closes the connection.
Deliver a notification email to the original recipient(s) (Secondary action): If a scanner is triggered by the content of an email message, the appliance sends an email message to the original recipients. This notification email message tells the recipient that there is a problem.
Deliver a notification email to the original sender (Secondary action): If a scanner is triggered by the content of an email message, the appliance sends an email message to the original sender. This notification email message tells the sender that there is a problem.
Deliver an annotated modified email to a GUI defined recipient (Secondary action): The appliance sends an annotated modified email message to a predefined recipient, such as an email administrator or a spam administration mailbox. An annotated email message is similar to a notification email message, but it contains the modified email message as an attachment.
Deliver an annotated original email to a GUI defined recipient (Secondary action): The appliance sends an annotated original email to a predefined recipient such as the email administrator or a spam administration mailbox.
Deliver an email alert to a GUI defined recipient (Secondary action): If a scanner is triggered by the content of an email message, the appliance sends an email message to a predefined recipient, such as an email administrator or a spam administration mailbox. This notification email message tells the recipient that there is a problem.
Deliver modified email message to sender (Secondary action): The appliance returns a copy of the modified email message to the sender.
Deny connection: The appliance closes the connection when a content rule triggers or when the number of recipients exceeds a limit, typically 10 recipients. You can specify the period that the connection continues to be denied. To view the connections that are currently denied, use the navigation pane to select Configure > SMTP, then Denied Connections.
Deny connection and quarantine mail: The appliance closes the connection when the number of recipients exceeds a limit. The appliance quarantines the email message.
Do not allow changes to break the signed email: The appliance only performs actions that do not break the signed email message signature. The appliance then attempts to deliver the email message to the original recipients.
Table 3-7 SMTP actions (continued)
Forward the modified email to a GUI defined recipient (Secondary action): The appliance forwards an email message that it has modified to a predefined recipient, such as an email administrator or to a spam administration mailbox.
Forward the original email to a GUI defined recipient (Secondary action): When a scanner triggers, the appliance forwards the offending email message to a predefined recipient, such as an email administrator or to a spam administration mailbox.
Keep zero byte files: The appliance allows files that have been cleaned to have zero bytes.
Off: The appliance takes no action against the attack.
Quarantine the modified email (Secondary action): The appliance quarantines email messages that it has modified.
Quarantine the original email (Secondary action): The appliance quarantines email messages.
Refuse the original data and return a rejection code: The appliance rejects the email message and sends a rejection message to the mail server.
Reject or ignore all commands except QUIT: The appliance sends an SMTP 550 (permanent failure) response code and keeps the connection open. All subsequent commands are rejected or ignored, except for the QUIT command that closes the connection.
Reject the email: The appliance rejects the message and keeps the connection open. The sender is normally informed that the message was not accepted. The appliance sends a rejection code (SMTP 550 Fail).
Reject the email and close the connection: Before closing the connection, the appliance sends a rejection code, either an SMTP 550 (permanent failure) response code or a 421 Temporarily unavailable service due to potential threat message, and closes the connection.
Reject the email and deny the connection: The appliance returns a 421 Temporarily unavailable service due to potential threat message and closes the connection. The connection is then placed in the Deny Connection list.
Reject the recipient: The appliance rejects the message, and sends a rejection code, SMTP 550 (permanent failure) response code. We recommend this option because the sender is normally informed that the message was not relayed.
Remove the content: The appliance limits the number and size of attachments it scans. If an email message exceeds the limits, the appliance removes the excess content, scans the remaining email message, and sends the modified message to the recipient.
Remove zero byte files: The appliance removes any file that has zero bytes after it has been cleaned.
Replace the content with an HTML alert: If a detection is triggered due to the content of a file, the appliance replaces the content with an HTML alert that explains why the original was replaced. The appliance sends the modified email message to the recipient.
Tarpit: The appliance delays its response, typically by several seconds.
Tarpit then deny connection: The appliance delays the response by several seconds, then drops the connection.
Treat zero byte files as a failure to clean: The appliance treats files as if it cannot clean them, and does the action specified in If cleaning fails, take the following action.
Attempt to clean: If the appliance detects a virus within the email message, it tries to clean that virus. If the email message can be cleaned, the appliance sends the modified email message to the recipient. The appliance can also handle files that have zero bytes after cleaning:
- Keep zero byte files: the appliance allows cleaned files to have zero bytes.
- Remove zero byte files: the appliance removes any file that has zero bytes after cleaning.
- Treat zero byte file as a failure to clean: the appliance treats the files as if it cannot clean them, and takes a specified action.

When you configure content policy settings, not all actions are available for all protocols or for all policies.
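The reply codes in Table 3-7 decide what the sending mail server learns about a message, and whether it can keep using the connection. The following added example (not McAfee code) scripts one client session and shows the reply sequence the appliance would give under several of the table's actions; the text after each reply code, the 354 and 503 replies, and the exact stage at which each action fires are assumptions.

```python
"""Constructed model of what several Table 3-7 SMTP actions look like on the
wire when a scanner triggers. Added example, not McAfee code. Assumed: the
text after each reply code, the 354/503 replies, and that content actions
fire after the final dot while recipient actions fire at RCPT TO."""
from dataclasses import dataclass, field
from typing import List

# Scripted client session, constructed for this example: (stage, client line).
CLIENT_SESSION = [
    ("greeting", None),
    ("mail", "MAIL FROM:<sender@example.net>"),
    ("rcpt", "RCPT TO:<director1@example.com>"),
    ("data", "DATA"),
    ("body", "Subject: test\r\n\r\n(content that triggers a scanner)\r\n."),
    ("post", "RSET"),  # a command the client sends after hearing the verdict
    ("quit", "QUIT"),
]

# Verdict after the final dot: (reply, connection stays open?, delivered?,
# peer added to the Deny Connection list?).
POST_DATA = {
    "Allow Through": ("250 OK", True, True, False),
    "Accept and drop the email": ("250 OK", True, False, False),
    "Reject the email": ("550 Message rejected", True, False, False),
    "Reject the email and close the connection":
        ("550 Message rejected", False, False, False),
    "Reject the email and deny the connection":
        ("421 Temporarily unavailable service due to potential threat",
         False, False, True),
    "Reject or ignore all commands except QUIT":
        ("550 Message rejected", True, False, False),
    "Tarpit then deny connection":
        ("(no reply: delay of several seconds, then the connection is dropped)",
         False, False, True),
}


@dataclass
class Outcome:
    transcript: List[str] = field(default_factory=list)  # "C: ..." / "S: ..."
    delivered: bool = False        # did the message go on to a real recipient?
    connection_open: bool = True   # can the client still use the connection?
    denied: bool = False           # was the peer put on the Deny Connection list?
    sender_informed: bool = False  # did the sender ever see a 4xx/5xx reply?


def simulate(action: str) -> Outcome:
    """Run the scripted session against an appliance configured with `action`."""
    out = Outcome()
    wire_rcpts = 0    # recipients the appliance answered 250 to
    real_rcpts = 0    # recipients it will actually deliver to
    lockdown = False  # set by "Reject or ignore all commands except QUIT"
    last_reply = ""
    for stage, line in CLIENT_SESSION:
        if not out.connection_open:
            break  # the appliance closed the socket; nothing more can be sent
        if stage == "body" and not last_reply.startswith("354"):
            continue  # a well-behaved client sends no body once DATA is refused
        if line is not None:
            out.transcript.append("C: " + line)
        if stage == "greeting":
            reply = "220 appliance.example.com ESMTP"
        elif stage == "quit":
            reply, out.connection_open = "221 Bye", False
        elif lockdown:
            reply = "550 Command rejected"  # everything except QUIT is refused
        elif stage == "rcpt" and action == "Reject the recipient":
            reply = "550 Recipient rejected"  # sender learns it was not relayed
        elif stage == "rcpt" and action == "Accept and ignore the recipient":
            reply, wire_rcpts = "250 OK", wire_rcpts + 1  # dropped internally
        elif stage == "rcpt":
            reply, wire_rcpts, real_rcpts = "250 OK", wire_rcpts + 1, real_rcpts + 1
        elif stage == "data":
            reply = "354 Start mail input" if wire_rcpts else "503 No valid recipients"
        elif stage == "body" and action in POST_DATA:
            reply, out.connection_open, out.delivered, out.denied = POST_DATA[action]
            lockdown = action == "Reject or ignore all commands except QUIT"
        elif stage == "body":
            reply, out.delivered = "250 OK", real_rcpts > 0
        else:
            reply = "250 OK"
        if reply[0] in "45":
            out.sender_informed = True
        out.transcript.append("S: " + reply)
        last_reply = reply
    return out


if __name__ == "__main__":
    for line in simulate("Reject the email and deny the connection").transcript:
        print(line)
```

Comparing simulate("Accept and drop the email") with simulate("Reject the recipient") shows why the text recommends the latter: only the second leaves the sender with a non-2xx reply.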
Levels of anti-virus protection

To specify the level of protection for scanning for viruses or potentially unwanted programs:
1 At Level of protection, select a level:
- High: Most secure. Scans all files, including compressed files.
- Medium: Scans executables, Microsoft Office files, and compressed files.
- Low: Least secure. Scans executables and Microsoft Office files.
- Custom: You choose what types of file to scan and a range of scanning options.
2 If you selected Custom, click Settings and select one of the following:
- Scan all files: offers the highest security, but might affect performance.
- Scan default file types: these are the most susceptible file types. For a list of default file types, click View.
- Scan defined file types: to create your own list of file types, use Add, Edit and Delete. To create a list based on the default list, click Add defaults, then use the other buttons to build the list.
3 Select the scanning options that will apply to the files.

Configuring anti-virus settings

1 For a sub-policy, inherit settings from the global policy. Select Inherit settings from. This step does not apply when changing a global policy.
2 Double-click Anti-Virus to open the dialog box.
3 Select Enable anti-virus scanning.
4 For a sub-policy, specify any time restrictions. See Applying time restrictions to rules and settings on page 79. This step does not apply when changing a global policy.
5 To specify the actions that the appliance must take when a detection occurs, see Actions on page 73.
6 Specify the level of protection required. See Levels of anti-virus protection.
7 Customize or create any alert messages. See Editing alert messages on page 46.
8 Ensure your anti-virus protection is current. Examine the details under Scanner information. To confirm the numbers for the latest engine and DAT files, refer to our website. See page 16. The date is also useful.
The DAT files are normally updated daily, though sometimes more often. See Updating the appliance on page 288.
Applying time restrictions to rules and settings

Within a non-global policy, you can configure some items of a policy to operate only within a specified period, such as weekends, weekdays, and business hours. For example, you can specify that a policy only applies between the hours of 8 A.M. and 6 P.M., Monday to Friday. To specify any time restrictions:
1 From Action settings, select Time.
2 Select Selected time:
- To use an existing period, select the name.
- To change an existing period, click Edit, and make your changes.
- To create a new period, click Add, and type the new name. Select the days, start time and finish time in the Add Time dialog box.
When you create a period, it becomes available to every policy. You cannot remove a period that is in use by another policy.
Understanding priorities in policies

This section describes problems arising when a policy is applied to several users. It covers:
- Connection policies
- Content policies
- Protocol policies

Connection policies

If the appliance receives an email message with multiple recipients, and needs to apply connection policies to that message, it always applies the highest priority policy to all of the recipients. The priority is determined by the order of the non-global policies within the tree node, no matter which operational mode is being used by the appliance.

Content policies

If the appliance receives an email message with multiple recipients, and needs to apply content policies to that message, it handles the message as described in the next table:

Table 3-8 Content policies and multiple recipients
Operational mode: Explicit Proxy. Multipolicies setting: Not applicable. Maximum number of policies: Not exceeded.
How the email message is treated: The email message is effectively replicated according to the policies that must be applied. Each replicated email message passes through the scanners separately, and the policies and actions are applied. Separate entries appear in the logs and reports for each replicated email message. If the appliance is configured to generate alerts, separate alerts are generated for each replicated email message.
Operational mode: Explicit Proxy. Multipolicies setting: Not applicable. Maximum number of policies: Exceeded.
How the email message is treated: The highest priority policy only is applied, and it is applied to all recipients.
Operational mode: Transparent Bridge or Transparent Router. Multipolicies setting: Disabled. Maximum number of policies: Not applicable.
How the email message is treated: The highest priority policy only is applied, and it is applied to all recipients.
Table 3-8 Content policies and multiple recipients (continued)

Operational mode | Multipolicies setting | Maximum number of policies | How the email message is treated
Transparent Bridge or Transparent Router | Enabled | Exceeded | The highest priority policy only is applied, and it is applied to all recipients.
Transparent Bridge or Transparent Router | Enabled | Not exceeded | The email message is effectively replicated according to the policies that must be applied. Each replicated email message passes through the scanners separately, and the policies and actions are applied. Separate entries appear in the logs and reports for each replicated email message. If the appliance is configured to generate alerts, separate alerts are generated for each replicated email message. The replicated email messages are delivered using proxy delivery methods. If the highest priority method is applied, the email message is not replicated and passes through the scanners only once.

Content policies and performance issues

When setting up content policies, ensure that most email messages are covered by the global policy. Each time the appliance has to replicate a message to apply a non-global policy to it, the email message is scanned again. The extra scanning affects the appliance's performance.

Example

You have two non-global policy groups, Directors and Managers. director1@example.com is a member of the Directors policy group. manager3@example.com is a member of the Managers policy group.

You have assigned a policy for mail size to each policy group:
- Members of the Directors policy group can receive email messages with attachments over 5 Megabytes.
- Members of the Users policy group can receive attachments only if they are less than 5 megabytes. If an attachment is more than 5 Megabytes, the Users policy group receives an HTML alert instead of the attachment.
Example 1

The appliance receives an email message containing a 5-Megabyte attachment addressed to:
- director@example.com
- manager@example.com

The appliance scans the email message twice and applies two actions, because the email message is addressed to two recipients. Each recipient is affected by a different policy with different actions:
- recipient director@example.com: the appliance allows the attachment through.
- recipient manager@example.com: the appliance replaces the attachment with an HTML alert, telling the recipient that the attachment has been removed.

Example 2

The appliance receives an email message containing a 5-Megabyte attachment addressed to:
- director1@example.com
- manager3@example.com
- user5@example.com

The appliance scans the email message three times and applies three actions because the three recipients are members of three different policy groups. The appliance applies the actions for director@example.com and manager@example.com as previously described. However, user@example.com is not a member of either of the policy groups affected by the Directors and Managers policies. When deciding how to handle the attachment for user@example.com, the appliance must refer back to the default global policy and apply whatever action the global policy states. For example, the global policy might be From Outside, and the Mail Size Filtering setting states that the appliance action is Refuse the original data and return a rejection code.

Protocol policies

If the appliance receives an email message with multiple recipients, and needs to apply protocol policies to that message, it always applies the highest priority policy to all of the recipients. The priority is determined by the order of the non-global policies within the tree node, no matter which operational mode is being used by the appliance.
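The multi-recipient resolution of Table 3-8 and the two examples above, worked through in Python as an added illustration (this is not appliance code). Group names, memberships and actions follow the text; the way "exceeded" is counted (more distinct policies than the configured maximum) and the name used for the global policy are assumptions.

```python
"""Multi-recipient content-policy resolution, following Table 3-8.

Added illustration, not appliance code. Group names, memberships and
actions follow the worked examples; internals are assumed.
"""
from typing import Dict, List, Tuple

GLOBAL = "Global"  # stand-in name for the default policy (assumption)

# Per-group mail-size action for the 5 MB attachment in the examples.
ACTIONS = {
    "Directors": "allow attachment",
    "Managers": "replace attachment with HTML alert",
    GLOBAL: "refuse the original data and return a rejection code",
}


class PolicyConfig:
    def __init__(self, mode: str, multipolicies_enabled: bool,
                 max_policies: int, groups: List[str],
                 members: Dict[str, str]) -> None:
        # "Explicit Proxy", "Transparent Bridge" or "Transparent Router"
        self.mode = mode
        # Multipolicies setting; only meaningful in the transparent modes
        self.multipolicies_enabled = multipolicies_enabled
        # Message Processing [Advanced] limit on policies per message
        self.max_policies = max_policies
        # Non-global groups in tree order: first entry = highest priority
        self.groups = groups
        self.members = {addr.lower(): grp for addr, grp in members.items()}

    def group_for(self, recipient: str) -> str:
        """Unmatched recipients fall back to the global policy."""
        return self.members.get(recipient.lower(), GLOBAL)

    def priority(self, group: str) -> int:
        """Lower number = higher priority; the global policy is always last."""
        return self.groups.index(group) if group in self.groups else len(self.groups)


def resolve(cfg: PolicyConfig, recipients: List[str]) -> List[Tuple[str, List[str]]]:
    """Return the scan units as (policy group, recipients) pairs.

    One unit per distinct policy group when the message is replicated
    (each unit is scanned, logged and alerted separately); otherwise a
    single unit covering all recipients under the highest priority policy.
    """
    by_group: Dict[str, List[str]] = {}
    for rcpt in recipients:
        by_group.setdefault(cfg.group_for(rcpt), []).append(rcpt)
    distinct = sorted(by_group, key=cfg.priority)

    transparent = cfg.mode in ("Transparent Bridge", "Transparent Router")
    replication_allowed = (not transparent) or cfg.multipolicies_enabled
    # Assumption: "exceeded" means more distinct policies than max_policies.
    if not replication_allowed or len(distinct) > cfg.max_policies:
        return [(distinct[0], list(recipients))]
    return [(grp, by_group[grp]) for grp in distinct]


def actions_for(cfg: PolicyConfig, recipients: List[str]) -> Dict[str, str]:
    """Map each recipient to the action of the unit that scans it."""
    return {rcpt: ACTIONS.get(grp, ACTIONS[GLOBAL])
            for grp, rcpts in resolve(cfg, recipients) for rcpt in rcpts}


# Configuration matching the text's example (constructed values).
EXAMPLE_CFG = PolicyConfig(
    mode="Explicit Proxy", multipolicies_enabled=False, max_policies=4,
    groups=["Directors", "Managers"],
    members={"director1@example.com": "Directors",
             "manager3@example.com": "Managers"},
)


def example_2() -> List[Tuple[str, List[str]]]:
    """Example 2: three recipients in three policy groups, three scans."""
    return resolve(EXAMPLE_CFG, ["director1@example.com",
                                 "manager3@example.com",
                                 "user5@example.com"])


if __name__ == "__main__":
    for group, rcpts in example_2():
        print(f"{group}: {rcpts} -> {ACTIONS[group]}")
```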
4 SMTP

Simple Mail Transfer Protocol (SMTP) is used to transfer email between computers. This section describes the appliance's SMTP support, and includes the following topics:
- How email messages are processed on page 84.
- Configuration for SMTP on page 86.
- Policies for SMTP on page 103.
- Content rules and rule groups on page 146.
- SMTP email messages on page 153.
How email messages are processed

The appliance handles an email message according to:
- Who sent the email message.
- Who will receive the email message.
- The content of the email message.

On receiving an email message, the appliance processes it in the following order:

Table 4-1 Email message processing

CONNECT
- Denied Connections

EHLO/MAIL FROM
- Permit Sender
- Deny Sender
- Reputation Service
- Real-time Blackhole Lists (RBL)
- SPF (Sender Policy Framework)
- Permit Sender
- Deny Sender
- Sender Authentication

RCPT TO
- Anti-Relay. Anti-relay checks are made in the following order: Permit domains, Deny domains, Local domains.
- Greylisting
- Permitted Recipient list
- LDAP recipient check
- Directory Harvest Prevention

DATA
- Postini Threat Identification Network (PTIN): if behind an MTA.
- RBL: if behind an MTA.
- SPF: if behind an MTA.
- Sender ID
- Domain Keys Identified Mail (DKIM)
- Scanning:
  - Anti-spam: if anti-spam software is in use.
  - Mail size filter
  - Corrupt content
  - Signing check
  - File filter
  - Encrypted content
  - HTML check
  - Content Compliancy
Table 4-1 Email message processing (continued)

  - Data Loss Prevention
  - Anti-virus: the anti-virus scan always runs even if some of the other scans are not.

Delivery
- Proxy Mode:
  - Domain Relay: If a domain relay is specified, a domain relay check is carried out. An MX lookup may also be required if only a domain name was specified. If there is an IP address, no further checks are done. If no domain relay is specified, then the DNS and fallback steps are carried out instead.
  - DNS: If DNS delivery is enabled, then an MX record lookup is carried out. If there is no MX record, an A record lookup is done.
  - Fallback relay: After the DNS checks, a Fallback relay list lookup is done, followed by an A record lookup if only a domain name was specified.
- Transparent Mode: If the appliance is running in transparent mode, the client does all the required DNS lookups.

If any actions are associated with anti-virus scanning and content scanning detections, the highest priority primary action is done. The priority that the appliance gives to actions is predetermined and cannot be reconfigured.

Multiple policies for email messages

If an email message (being sent or received) has more than one recipient, the appliance needs to know which policies to apply to that email message. If the recipients are in the same policy group, the appliance applies the policies for that policy group. If the recipients are in different policy groups, with perhaps conflicting policies, the appliance must decide how best to handle the email message. How it handles the email message depends on:
- The policies that need to be applied: content, protocol or connection.
- Operational mode: Transparent Bridge, Transparent Router, or Explicit Proxy.
- Whether handling of multiple policies is enabled (for transparent modes only).
- The maximum number of policies allowed to apply to a single email message, as specified in the navigation pane at Policy | SMTP | Advanced Policies | Protocol | Message Processing [Advanced]. See Message processing on page 141.
- The priority assigned to a non-global policy by its order in the tree node.
Configuration for SMTP

The following options for controlling SMTP traffic are available from the navigation pane when you select Configure | SMTP:
- Protocol settings on page 87.
- Delivery settings on page 87.
- Anti-relay settings on page 88.
- Permit and Deny settings on page 90.
- Connection settings [advanced] on page 90.
- Retryer [Advanced] on page 90.
- McAfee Quarantine Management on page 91.
- Quarantine Digest on page 91.
- Quarantine Digest settings on page 92.
- Quarantine Digest Schedule on page 93.
- Quarantine Digest Messages [Advanced] on page 93.
- Quarantine digest HTML responses [advanced] on page 94.
- Spam learning on page 94.
- User black and white lists on page 95.
- Denied Connections on page 96.
- Certificate management on page 97.
- Trusted Certificate Authorities on page 100.
- Certificates on page 100.
- Transport Layer Security on page 101.
- Greylisting service on page 101.
- DKIM key management on page 102.
Protocol settings

From the navigation pane, Configure | SMTP | Protocol Settings enables you to configure:
- Delivery settings.
- Anti-relay settings on page 88.
- Permit and Deny settings on page 90.
- Connection settings [advanced] on page 90.
- Retryer [Advanced] on page 90.

Delivery settings

In the navigation pane, select Configure | SMTP | Protocol Settings | Delivery Settings to specify the methods for delivering scanned SMTP email messages. You can configure:

- Policy Based Relays: To relay messages that require encryption (for example, because of confidential content).
  - Hosts: You can specify a Fully Qualified Domain Name (FQDN), an IP address, or an IP address and port number separated by a colon (:).
- Domain Relays: To relay email messages destined for specific domains to particular mail servers. Add the following information for each domain relay:
  - Domains: To create a single relay that routes messages from all domains, use the * wildcard symbol. If you position the wildcard entry beneath other entries in the list, the other entries are tried first, then the wildcard entry routes messages for all other relays.
  - Hosts: Specify network addresses and domains here. If you type more than one network address and/or domain, separate them by a space. The appliance tries these addresses in the order you type them. Identify the fastest or most reliable server first because the appliance tries the relays in order.
- DNS: If no Domain Relays are specified, allow the appliance to look up mail recipients' IP addresses using DNS. If the appliance cannot resolve an email address to an IP address, the appliance tries to deliver the message to the entries in its list of fallback relays. If the message still cannot be delivered, it is rejected.
- Fallback Relays: To route email messages that cannot be delivered using DNS resolution.
  This list contains relays for local hosts, such as mail servers, and enables the appliance to try local domains, to route undeliverable messages into the organization. You can add as many relays as you want. Fallback relays are typically Internet Service Providers (ISPs). Because the appliance tries them in order, list the most common first. Add the following information (as described under Domain Relays) for each fallback relay:
  - Domains.
  - Hosts.
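Route selection in the order just described (Domain Relays first, then DNS with an MX lookup falling back to an A lookup, then Fallback Relays), as an added Python illustration that is not the appliance's code. The relay lists, host names and DNS records are constructed, and DNS itself is replaced by an in-memory record table.

```python
"""Delivery route selection: Domain Relays, then DNS (MX then A), then
Fallback Relays. Added illustration, not appliance code; relay lists and
the DNS record table below are constructed.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

Target = Tuple[str, int]                       # (IP address, port)
Relay = Tuple[str, str]                        # (Domains pattern, space-separated Hosts)
Records = Dict[str, Dict[str, List[str]]]      # {"MX": {...}, "A": {...}} stand-in for DNS
DEFAULT_PORT = 25


def parse_host(token: str) -> Tuple[str, int]:
    """A Hosts entry is an FQDN, an IP address, or IP:port."""
    if ":" in token:
        host, port = token.rsplit(":", 1)
        return host, int(port)
    return token, DEFAULT_PORT


def is_ip(host: str) -> bool:
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def expand_host(token: str, dns: Records, use_mx: bool = True) -> List[Target]:
    """An IP address needs no lookup. A name is resolved through its MX
    records (if any and if use_mx) and then A records; names with no
    usable record contribute nothing."""
    host, port = parse_host(token)
    if is_ip(host):
        return [(host, port)]
    host = host.lower()
    names = (dns.get("MX", {}).get(host, []) if use_mx else []) or [host]
    a_records = dns.get("A", {})
    return [(a_records[n], port) for n in names if n in a_records]


def match_relay(domain: str, relays: List[Relay]) -> Optional[str]:
    """First relay whose Domains pattern matches wins, so '*' belongs last."""
    for pattern, hosts in relays:
        if fnmatchcase(domain.lower(), pattern.lower()):
            return hosts
    return None


def select_route(domain: str, domain_relays: List[Relay], fallback_relays: List[Relay],
                 dns_enabled: bool, dns: Records) -> Optional[List[Target]]:
    """Ordered delivery targets for a recipient domain, or None if the
    message cannot be delivered (and is therefore rejected)."""
    hosts = match_relay(domain, domain_relays)
    if hosts is not None:
        # A matching Domain Relay is used as-is; DNS and fallback are skipped.
        return [t for h in hosts.split() for t in expand_host(h, dns)] or None
    targets: List[Target] = []
    if dns_enabled:
        targets = expand_host(domain, dns)          # MX lookup, then A lookup
    if not targets:
        hosts = match_relay(domain, fallback_relays)
        if hosts is not None:
            # Fallback relay hosts get an A lookup only when given as names.
            targets = [t for h in hosts.split() for t in expand_host(h, dns, use_mx=False)]
    return targets or None


# Constructed sample configuration and DNS data (documentation ranges only).
DOMAIN_RELAYS: List[Relay] = [("internal.example", "10.0.0.5:2525 10.0.0.6")]
FALLBACK_RELAYS: List[Relay] = [("*", "isp-relay.example")]
DNS: Records = {
    "MX": {"example.org": ["mx1.example.org", "mx2.example.org"]},
    "A": {"mx1.example.org": "192.0.2.10", "mx2.example.org": "192.0.2.11",
          "noname.example": "192.0.2.20", "isp-relay.example": "198.51.100.5"},
}


def route(domain: str) -> Optional[List[Target]]:
    return select_route(domain, DOMAIN_RELAYS, FALLBACK_RELAYS, True, DNS)


if __name__ == "__main__":
    for d in ("internal.example", "example.org", "noname.example", "unknown.test"):
        print(d, "->", route(d))
```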
Postmaster

The postmaster handles queries from senders about email messages that were returned because of a virus or content.

Tip: We recommend that you assign a postmaster, so that queries from your users are dealt with promptly. The postmaster must be someone who reads email regularly. You can use the name of a single user or a distribution list.

Anti-relay settings

Relaying is often used for malicious purposes such as mail bombing or spamming. The anti-relay feature prevents unscrupulous third parties from using the appliance, or the mail servers that it protects, to deliver mail for them. Consider the consequences of your clients receiving distasteful, relayed messages that appear to come from your organization. The anti-relay feature prevents such embarrassment and protects the professional image of your organization.

Messages with special routing characters such as % can be permitted or denied access. See Anti-Relay (routing characters) on page 143.

Only networks and domains specified in a list of local domains or permitted domains can use the appliance to relay messages. When you configure the list of inside networks using the Installation Wizard or the Setup Wizard, the information is used to populate the list of local domains. See Getting started with the Setup Wizard on page 24 or the Installation Guide for more information. All local domains must also be valid domains in the DNS, otherwise email messages will be rejected.

If the list of local domains is left empty, the appliance is an open relay, accepting and passing on all the email messages it receives, even if there are entries in its list of Deny Domains or Permit Domains.

If the list of local domains is not empty, the appliance checks the email messages that pass through it. For each message, the source IP address and recipients are checked against entries in Local Domains, Deny Domains and Permit Domains ("any" means the match does not affect the outcome):

Example | Local Domains | Deny Domains | Permit Domains | Outcome
1 | any | any | Yes | Allowed
2 | any | Yes | No | Rejected
3 | Yes | No | No | Allowed

- Example 1: If the message matches an entry in Permit Domains, it is allowed through, even if it matches entries in the other lists.
- Example 2: If the message does not match an entry in Permit Domains, but matches an entry in Deny Domains, it is rejected, even if it matches entries in Local Domains.
- Example 3: If the message only matches an entry in Local Domains, it is allowed through.
The following information is specified for each domain:

Table 4-2 Domain details

Type | Format | Example
Network address | <IP address>, <IP subnet mask> | 192.168.254.200, 255.255.255.0
Domain | <domain> | *.example.com

In all three lists, you can specify several IP address ranges and domains. When checking each message to determine a match, the appliance interprets the entries as follows:
- IP address or IP address range entry: the appliance checks the message's source IP address (the sending server) for a match.
- Domain entry: the appliance checks the message's destination email address (the recipient) for a match. If the Domain entry has A records on the DNS server, this address is also checked against the source IP address.
- Wildcard domains: the appliance checks the message's destination email address for a match.

If the appliance receives an email message addressed to a specific IP address, it interprets the entries as follows:
- IP address or IP address range entry: the appliance checks the message's source IP address and the destination email address for a match.
- Domain entry: the appliance accesses the A records using DNS to retrieve the domain's corresponding IP address. The appliance then checks the message's source IP address and the destination email address against the IP address for a match. You cannot use wildcard characters to specify these domains, because the IP addresses cannot be determined.

To configure the anti-relay settings:

1 In the navigation pane, select Configure | SMTP | Anti-Relay Settings.
2 Build the lists of local domains, deny domains and permit domains. See Making lists on page 45. For local domains, you can import information from a .csv file. See Importing prepared information on page 46. Domains in the permit domains list override domains in the deny domains list. For the Permit Domains and Deny Domains lists, you can add sub-domains after the parent domain is listed.
3 Specify the actions the appliance takes if it rejects an email message. See Actions on page 73.
4 Enable Resolve hostnames to allow the appliance to use DNS to resolve the IP addresses of the domains. These lookups take place when the SMTP proxy is initialized.
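The three-list decision above (Permit Domains first, then Deny Domains, then Local Domains, with the empty Local Domains list making the appliance an open relay) and the Table 4-2 entry formats, worked through in Python as an added example rather than appliance code. The sample lists, addresses and the A-record table are constructed, and the outcome for a message that matches no list at all is an assumption drawn from the statement that only local and permitted sources may relay.

```python
"""Anti-relay decision for one (source IP, recipient) pair, following the
Permit / Deny / Local Domains rules. Added illustration, not appliance
code; sample lists, addresses and the A-record table are constructed.
"""
import ipaddress
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Optional, Set, Tuple

Entry = Tuple[str, object]          # ("net", ip_network) or ("domain", pattern)
Resolver = Dict[str, Set[str]]      # domain -> A-record addresses (stand-in for DNS)


def parse_entry(text: str) -> Entry:
    """Table 4-2 formats: '<IP address>, <IP subnet mask>' or '<domain>'
    (wildcards allowed in domains)."""
    if "," in text:
        ip, mask = (part.strip() for part in text.split(",", 1))
        return ("net", ipaddress.ip_network(f"{ip}/{mask}", strict=False))
    return ("domain", text.strip().lower())


def entry_matches(entry: Entry, source_ip: str, recipient: str,
                  resolver: Resolver) -> bool:
    kind, value = entry
    if kind == "net":
        # Network entries are compared with the sending server's address.
        return ipaddress.ip_address(source_ip) in value
    rdomain = recipient.rsplit("@", 1)[-1].lower()
    if "*" in value or "?" in value:
        # Wildcard domains are compared with the recipient only; no DNS.
        return fnmatchcase(rdomain, value)
    if rdomain == value:
        return True
    # A plain domain with A records is also compared with the source IP.
    return source_ip in resolver.get(value, set())


def relay_decision(local: Iterable[str], deny: Iterable[str], permit: Iterable[str],
                   source_ip: str, recipient: str,
                   resolver: Optional[Resolver] = None) -> str:
    """Return 'allowed' or 'rejected' for one recipient of a message."""
    resolver = resolver or {}
    local_e = [parse_entry(e) for e in local]
    if not local_e:
        # Empty Local Domains: open relay; Deny and Permit are not consulted.
        return "allowed"
    deny_e = [parse_entry(e) for e in deny]
    permit_e = [parse_entry(e) for e in permit]

    def hit(entries: List[Entry]) -> bool:
        return any(entry_matches(e, source_ip, recipient, resolver) for e in entries)

    if hit(permit_e):      # Permit Domains override every other list (Example 1)
        return "allowed"
    if hit(deny_e):        # Deny Domains override Local Domains (Example 2)
        return "rejected"
    if hit(local_e):       # local recipient domain or inside network (Example 3)
        return "allowed"
    # Assumption: a relay attempt matching no list is refused, because only
    # local and permitted sources may relay through the appliance.
    return "rejected"


# Constructed sample configuration (documentation addresses only).
LOCAL = ["example.com", "192.168.254.200, 255.255.255.0"]
DENY = ["*.spam.example", "203.0.113.0, 255.255.255.0"]
PERMIT = ["partner.example.net"]
A_RECORDS: Resolver = {"partner.example.net": {"198.51.100.25"}}


def check(source_ip: str, recipient: str) -> str:
    return relay_decision(LOCAL, DENY, PERMIT, source_ip, recipient, A_RECORDS)


if __name__ == "__main__":
    for ip, rcpt in [("203.0.113.7", "bob@partner.example.net"),
                     ("203.0.113.7", "bob@example.com"),
                     ("198.51.100.9", "bob@example.com"),
                     ("198.51.100.9", "bob@elsewhere.test")]:
        print(ip, rcpt, "->", check(ip, rcpt))
```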
Permit and Deny settings

In the navigation pane, select Configure | SMTP | Permit and Deny Settings to prevent unauthorized senders from using the appliance to deliver email messages. The appliance maintains two lists:
- Permit Sender: specifies sources from which email messages are permitted.
- Deny Sender: specifies sources from which email messages are to be denied, or are considered unwanted sources.

Each list can contain email addresses, networks, and domains. If you already have this information in text form, you can import it as a .csv file. See Importing prepared information on page 46. You can also manually specify this information. See Making lists on page 45 for details about adding and modifying information in lists.

Having made the lists, you can specify how the appliance responds to email messages that come from any source in the list of denied senders. For example, the appliance can reject the email message and close the connection.

You can specify whether the appliance:
- Uses DNS to resolve hostnames to IP addresses from a domain name. These lookups take place when the SMTP proxy is initialized.
- Uses DNS to do a reverse lookup of the sending IP address to match domains in the list. Because this requires an extra lookup for each connection, this can affect performance. See Reverse lookup on page 51.

Connection settings [advanced]

In the navigation pane, select Configure | SMTP | Connection settings [Advanced] and configure the following:
- Intercept Ports. See page 48.
- Listen Ports. See page 50.
- Listeners. See page 50.
- Connections. See Allocating scanning resources on page 51.
- Memory. See Allocating scanning resources on page 51.
- Reverse lookup. See page 51.

Retryer [Advanced]

If the appliance cannot deliver an email message, it can try to deliver the message later. In the navigation pane, select Configure | SMTP | Retryer [Advanced] and specify:
- How often the appliance tries to forward a stored email message.
  Typically the appliance retries every few minutes or hours.
- How long the appliance will try to forward an email message before it drops the message.
- The number of retryers (processes) that can try to forward messages at the same time.

McAfee Quarantine Management

From the McAfee Quarantine Management (MQM) feature, you can:
- Enable the appliance's use of the MQM software.
- Specify the IP address of the MQM server.
- Specify the appliance ID. If you replace the appliance, it will have a new ID. Because items released from the MQM software use this ID to communicate with the appliance, some email might not reach its intended destination.

If you enable MQM, the appliance's own quarantine digest facilities, spam learning, user blacklists and user whitelists, and quarantine queue options are disabled. For information on the appliance's own quarantine digest facilities, see Quarantine Digest.

Quarantine Digest

A quarantine digest is an email message that the appliance sends to an email user. The digest includes information about the user's email messages that have been quarantined because they contain unacceptable content or spam. It does not contain information about viruses and other potentially unwanted program detections.

For information about the quarantine digests that are available if MQM software is enabled, see the McAfee Quarantine Manager Administrator's Guide and User's Guide.

The types of quarantine digest are:
- Non-interactive quarantine digests: A summary of the email messages that the appliance has quarantined for users. These digests cannot be used to manage quarantined messages. To request changes to the quarantined email messages, users must contact their administrator. For example, a user might ask the administrator to release a message that has been mistakenly quarantined.
- Interactive quarantine digests: A summary that enables users to request certain actions on email messages addressed to themselves.

The benefits of using interactive quarantine digests are:
- Less effort for email administrators because users can do some actions themselves.
- Users receive a single email summary rather than a number of individual alerts.
- Users can quickly respond to new sources of spam by creating and changing their own blacklists and whitelists.
- Users need not wait for email administrators to approve the release of messages from the spam quarantine area.
- Administrators retain control over the content of users' blacklists and whitelists, and can override incorrect entries.
- Administrators retain control of messages that have been quarantined because of their content, and must approve the release of these messages.

If a user does not respond to a digest message after a predefined time, any email detected as spam is automatically deleted. See Email | Message Queues | Daily Quarantine Maintenance in the navigation pane.

If a user requests the release of a non-spam email message, the request is added to the Digest Release Requests queue. Within the appliance's interface, the Digest Release Requests are under Email | Message Queues | Digest Release Requests.

Under Configure | SMTP | Quarantine Digest in the navigation pane, the following options are available:
- Quarantine Digest settings.
- Quarantine Digest Schedule on page 93.
- Quarantine Digest Messages [Advanced] on page 93.
- Quarantine digest HTML responses [advanced] on page 94.

Quarantine Digest settings

To enable and set up the quarantine digest email message:

1 In the navigation pane, select Configure | SMTP | Quarantine Digest, then select Quarantine Digest Settings.
2 Enable the scheduler.
3 Type the address that is used in the From section of the quarantine digest email messages (the sender address).
4 Select the format for presenting digest email messages to users. The format can be plain text or HTML. If HTML is selected, you can make the digest email messages interactive.
5 Specify the character set encoding.
6 Select the communication method. This specifies whether users are allowed to use POST or GET requests if the interactive format is used. Each method has its own advantages and disadvantages:

Table 4-3 Communication methods

Method | Advantages | Disadvantages
POST | Parameters are hidden, which means internal information is not visible. | A user does not receive a response from the appliance when their request is received.
GET | Works with any mail client. A user can receive a response from the appliance. | Information is displayed in the action URL, which means internal information is visible.

7 Type the address of the appliance which you want to use to handle interactive digests. You can use the appliance's IP address or FQDN.
Quarantine Digest Schedule

To specify how often quarantine digests are sent to users, and at what time they are sent:

1 In the navigation pane, select Configure | SMTP | Quarantine Digest, then select Quarantine Digest Settings.
2 Ensure the scheduler is enabled.
3 Select Quarantine Digest Schedule.
4 If necessary, send any outstanding quarantine digest messages immediately. Any current or outstanding digest messages are sent to your users. If you select immediate delivery, you can specify whether a quarantine digest must contain information about all of the user's quarantined email messages, or just those not mentioned in previous quarantine digests.
5 Select the frequency for future quarantine digests. We recommend that you select a time when the network is less busy. Quarantine digests might not be delivered exactly at your specified time. The appliance staggers the delivery times to prevent overloading the mail servers.

Quarantine Digest Messages [Advanced]

To configure the quarantine digest message that users receive:

1 In the navigation pane, select Configure | SMTP | Quarantine Digest, then select Quarantine Digest Settings [Advanced].
2 Type the text for the subject line.
3 If necessary, change the styles within the message and customize the style sheet. We recommend that you do not change the style names, because this might prevent the digest message using the styles.
4 Customize the body text, using the available tools. You can use substitution variables to control the content of quarantine digests. See Substitution Variables on page 310.
5 Customize the column headings of the quarantine digest email message.
Quarantine digest HTML responses [advanced]

When a user makes a request (such as releasing a quarantined message) from an interactive quarantine digest, the appliance responds with a standard message in HTML format. To customize the message, for example by editing the text or changing its format, or to revert to the default version:

1 In the navigation pane, select Configure | SMTP | Quarantine Digest, then select Quarantine Digest HTML Responses [Advanced].
2 Edit the body text of the messages using the available tools or revert to the default versions. You can use substitution variables to control the content of quarantine digests. See Substitution Variables on page 310.

Spam learning

Email messages that contain spam or that have been mistakenly identified as spam can be submitted for spam or non-spam learning. They can be sent directly to McAfee, or can be managed by the administrator through the appliance using the spam learning function.

Spam (or Bayesian) learning enables your appliance to analyze email messages and to learn about those that you consider to be spam, so that similar messages can be blocked in the future. Bayesian learning is a way of assigning scores to email messages that might be spam. A Bayesian database calculates the probability that an email message contains spam. The database can be trained to recognize spam when users submit spam samples to the administrator, who then decides which email samples to submit to the database. The content of the sample is analyzed and its spam-like phrases are learnt for future reference. If users receive email messages that have been incorrectly identified as spam, they can submit these messages for non-spam learning. As more email messages are correctly submitted for training, spam is more likely to be correctly identified in the future.

1 In the navigation pane, select Configure | SMTP | Spam Learning, then select the Spam, Non-Spam or McAfee Quarantine Management tab.
  If you have configured your appliance to use McAfee Quarantine Manager, only the McAfee Quarantine Management tab is available. See McAfee Quarantine Management on page 91. If you have not enabled McAfee Quarantine Management, only the Spam and Non Spam tabs are available. The processes for using spam and non-spam learning are the same.
2 Select Spam Learning, then Spam or Non Spam.
3 Select the learning method:
  - Off: The appliance does not learn from previously received email messages.
  - Queue email for manual learning: Email messages that your users identify as spam or non-spam are sent to mailboxes that you set up. You decide if the messages will be added to the appliance's spam or non-spam databases.
4 Type the email address of the mailbox to use for manual spam and non-spam learning. This is not a real email address. On detecting an email message with this To address, the appliance moves the email message to the learning queue.
5 Select the settings used for manual learning:
  - Modify the Bayes database selected by policy group
  - Modify all Bayes databases
6 If necessary, type the forwarding email address.
7 If necessary, enable learning in a transparent mode from the Advanced section. This specifies whether Bayesian learning is to be enabled when the appliance is operating in Transparent Router or Transparent Bridge mode.

If you have a McAfee Quarantine Manager server, and McAfee Quarantine Management is enabled on the appliance, you can configure the appliance to use the server for spam learning. The server receives email messages for spam learning and forwards them to the appliance.

1 From Spam Learning, select the McAfee Quarantine Management tab.
2 If necessary, type the forwarding email address.

User black and white lists

A blacklist is a list of email addresses that are probably senders of spam or phishing email messages. Email messages from blacklisted senders receive a high spam score, so they are more likely to have a high overall spam score and will be treated as spam by the appliance.

A whitelist is a list of email addresses that are probably senders of email messages that look like spam, but which you do not want to be treated as spam. For example, you might want to receive certain promotional email messages, which the appliance usually treats as spam. Email messages from whitelisted senders are given a high negative spam score, so they are more likely to have a negative overall spam score and be treated as non-spam by the appliance.

Your appliance provides local blacklists and whitelists if anti-spam software is in use.
If you have configured your appliance to use McAfee Quarantine Manager, user blacklists and whitelists are provided and maintained by McAfee Quarantine Manager. See page 91.

Blacklists and whitelists also appear in the Anti-Spam policy option. See What is spam? on page 104. However, we recommend you do not use both options as this can lead to conflict.

An email address can appear on a blacklist and a whitelist. An email address can also appear in more than one blacklist and more than one whitelist. The appliance changes the overall anti-spam score of an email message once only for each type of blacklist and whitelist that the message triggers. If a blacklist and a whitelist trigger, they cancel out each other's effect on the overall spam score.
The final spam score determines whether the message is treated as spam, regardless of whether the address is in a blacklist or whitelist.

To configure user blacklists and whitelists:

1 In the navigation pane, select Configure | SMTP.
2 Select User Black and White Lists, then select local lists or use the McAfee Quarantine Management lists.
3 Manage the whitelists, blacklists, and users' blacklists and whitelists. See Making lists on page 45. User lists are created by users using Quarantine Digests to whitelist or blacklist addresses. These lists are based on the senders of email messages. The user list cannot contain wildcard characters; the whitelist and blacklist can. A question mark (?) matches a single character. An asterisk (*) matches portions of an address such as an entire domain. For example:

Table 4-4 Wildcard examples

*@example.com | Refers to all users at example.com.
user1@example.* | Refers to user1 at example.net, example.com, example.org and so on.
user?@example.com | Refers to user1, user2, and so on at example.com.

4 Use the filter options to view specific entries in the user lists.
5 If necessary, override a user's whitelist and blacklist entries by deleting unwanted entries.

Denied Connections

You can configure actions on the appliance to add connecting IP addresses to the denied connections list. Use Denied Connections to:
- View currently denied connections.
- Permit selected connections.
- Specify the largest number of entries that can be viewed in the Deny Connections From These Addresses list. If the limit is reached, no more addresses can be added to the list until an existing address expires.

Permitting a connection does not override any time constraints set up by the policy that denies the connection. For example, if a policy states that a connection will be denied for 600 seconds and you change the connection to permitted within the 600 seconds, the connection continues to be denied until the 600 seconds have elapsed.
This is why a connection can temporarily appear in both the denied and permitted connections lists. To set the duration, select Policy | SMTP | Advanced Policies | Protocol in the navigation pane, then Denial of Service Prevention. See Denial of Service prevention on page 138.
When an email message triggers the Deny Connection action, the following information is added to the Deny Connection From These Addresses list:

Table 4-5 The Deny Connections From These Addresses list

Information | Description
IP Address | The address that the denied message came from.
Port | The port on which the message was received.
VLAN ID | The virtual LAN on which the message was received.
Deny Time (secs) | How long the appliance will continue denying this connection. See Denial of Service prevention on page 138.

You can:
- Refresh the list to see the current contents of the list.
- Move denied connections to the Permit Connections From These Addresses list, by selecting the connection you want to move, and clicking >.
- Remove selected entries from the denied list with immediate effect.

You can also manually manage the Permit Connections list, using:

Table 4-6 The Permit Connections From These Addresses list

Information | Description
Network address | The address from which connections will be permitted.
Network Mask | The subnet mask of the address.
VLAN ID | The virtual LAN on which the message was received.

See Making lists on page 45 for information about managing lists.

Certificate management

Certificate management is used to specify the Certificate Authorities (CAs), and the certificates needed for use with Transport Layer Security (TLS) encryption. You can:
- Import the details of the certificate authorities. See Trusted Certificate Authorities on page 100.
- Specify which certificates to use. See Certificates on page 100.

What is TLS?

TLS provides privacy and data integrity between two communicating applications. TLS provides security by ensuring that the connection is both private and reliable. TLS allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before the application protocol transmits or receives any data.
TLS provides connection security because:
• The peer's identity can be authenticated using asymmetric, or public key, cryptography.
• The negotiation of a shared secret is secure.
• The negotiation is reliable. No attacker can modify the negotiation communication without being detected by the parties to the communication.

SMTP servers and clients normally communicate over the Internet. Unencrypted messages may pass through uncontrolled entities, allowing a man in the middle to eavesdrop on and tamper with messages. A secure SMTP server accepts communications only from SMTP agents it recognizes. After TLS encryption is enabled, the entire SMTP communication, including the sending and receiving addresses, is encrypted, making messages secure against man-in-the-middle attacks.

If the server is authenticated, its certificate message may optionally provide a valid certificate from an acceptable Certificate Authority (CA). Authenticated clients may also be required to supply a valid certificate to the server. Each party is responsible for verifying that the other's certificate is valid and has not expired or been revoked.

TLS uses the Secure Sockets Layer (SSL) to send and receive data. The underlying principles are:
• Server verification is mandatory. The server sends its certificate to the client. If the certificate is signed by a CA that the client has in its trusted CA section, verification is successful.
• Client verification is optional. The client sends a certificate to the server. If the certificate is signed by a CA that the server has in its trusted CA section, verification is successful.

You can:
• Specify the networks or domains with which the appliance will communicate using TLS. The participating organizations must also use TLS.
• Configure TLS encryption for inbound mail. The appliance encrypts email if the other end offers or suggests encryption. After encryption is configured, the appliance requires TLS encryption from participating organizations (where available). If encryption is configured as Always, the appliance rejects mail from participating organizations that do not attempt to start encryption.
• Configure TLS encryption for outbound mail. The appliance can require TLS before any SMTP mail is sent. The appliance rejects the transfer if it cannot start TLS encryption with the recipient email server.

In the example in Figure 4-1, the appliance sends email to the server using TLS. Therefore:
• The appliance (the SSL client) requires a CA.
• The email server (the SSL server) requires the same CA as the client, and a certificate and a key generated by the CA.

Set up the certificates using the third-party certificate management software. Figure 4-1 provides a simplified example of TLS encryption.
Figure 4-1 TLS encryption

[Figure not reproduced. Key to the numbered items in the figure:]
1 Local email clients
2 Mail server
3 Appliance
4 Certificates at appliance
5 Internet
6 Certificates at email server of participating organization
7 Email server at participating organization

In this example, several clients (1) need to communicate securely with an email server (7) by SMTP email over the Internet. The administrator has configured the network so that all internal email messages go from the email server (2) through the appliance (3), and configured the appliance so that all email sent from the appliance to the email server (7) uses TLS encryption.

The appliance (3) and the email server (7) hold certificates (4 and 6 respectively) that were signed by a CA that they both recognize. The email server (7) sends a certificate (6) to the appliance (3) for verification against the list of trusted CAs. Also, the appliance might send a certificate (4) back to the email server (this depends on how the email server and the appliance are configured).

Assume a user at a client computer tries to send email to a recipient at an external email server. In a typical communication:
1 The client sends an initial (EHLO) message to start the communication. In this example, TLS encryption is mandatory, so the server sends its certificate to the client. The appliance refers to its list of trusted CAs to verify that this certificate is valid.
2 The appliance sends a certificate to the email server for verification.
3 The encrypted SMTP conversation is initiated.

For more information, see Transport Layer Security on page 101.
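The following is an added example, not McAfee's code, showing how the TLS rules described above (server verification mandatory, client verification optional, and the inbound and outbound behaviour under the Never, When Available and Always settings) translate into STARTTLS decisions and into Python ssl.SSLContext settings. The function names, the certificate file arguments and the reading of "Respond to client verification" as requiring a client certificate are assumptions made for this example.

```python
"""Added example, not McAfee's code: how the TLS choices described in the
text (server verification mandatory, client verification optional, and the
Never / When Available / Always encryption settings) map to STARTTLS
decisions and to Python ssl.SSLContext settings.  Function names and the
certificate file arguments are assumptions made for this example."""
import ssl
from enum import Enum


class TlsPolicy(Enum):
    NEVER = "Never"
    WHEN_AVAILABLE = "When Available"
    ALWAYS = "Always"


def decide_inbound(policy, peer_starts_tls):
    """Inbound mail: a participating organization's MTA connects to the
    appliance.  Returns 'plaintext', 'starttls' or 'reject'."""
    if policy is TlsPolicy.NEVER:
        return "plaintext"
    if peer_starts_tls:
        return "starttls"
    # "When Available" tolerates a peer that never issues STARTTLS;
    # "Always" rejects mail from a peer that does not attempt encryption.
    return "plaintext" if policy is TlsPolicy.WHEN_AVAILABLE else "reject"


def decide_outbound(policy, server_offers_starttls, handshake_ok=True):
    """Outbound mail: the appliance connects to the recipient's server.
    With "Always" the transfer is rejected if TLS cannot be started.  A
    handshake that fails after STARTTLS was offered is treated as a failure
    to start TLS under every policy except "Never" (assumption: the text
    only specifies the "Always" case)."""
    if policy is TlsPolicy.NEVER:
        return "plaintext"
    if not server_offers_starttls:
        return "plaintext" if policy is TlsPolicy.WHEN_AVAILABLE else "reject"
    return "starttls" if handshake_ok else "reject"


def appliance_client_context(ca_file=None, client_cert=None, client_key=None):
    """Appliance acting as SSL client (sending).  Server verification is
    mandatory: the server certificate must chain to a CA in the trusted CA
    list (ca_file; None means the platform's default store) and the host
    name must match.  A client certificate is loaded only when configured,
    for servers that require client verification."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def appliance_server_context(cert_file, key_file, ca_file=None,
                             require_client_cert=False):
    """Appliance acting as SSL server (receiving).  cert_file/key_file is
    the PEM certificate and unencrypted private key imported under
    Certificates.  Client verification is optional: when require_client_cert
    is set (the 'Respond to client verification' choice, as read here), the
    peer must present a certificate signed by a trusted CA."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.load_cert_chain(cert_file, key_file)
    ctx.verify_mode = (ssl.CERT_REQUIRED if require_client_cert
                       else ssl.CERT_NONE)
    return ctx
```

The two decide functions are the part worth checking against a policy before deployment: with When Available, a peer that never offers STARTTLS is still delivered in plaintext, so only Always gives the "reject if not encrypted" guarantee the text describes.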
Trusted Certificate Authorities

1 In the navigation pane, select Configure > SMTP > Certificate Management, then select Trusted Certificate Authorities.
2 Import the details of the CAs. These details are held in separate files in Privacy-enhanced Electronic Mail or Privacy Enhanced Mail (PEM) format. You can only import one file at a time. During the import, you are prompted to change the display name of the certificate to a friendly name. If you do not rename the CA, by default it takes the name of the file from which it was imported. Convert the files to PEM format if necessary (for example, using OpenSSL).

You can also:
• Export information on a selected CA.
• View a CA as text.
• Remove a selected CA.
• Import all the intermediate certificates.

Certificates

1 In the navigation pane, select Configure > SMTP > Certificate Management, then Certificates.
2 Import a certificate for each mail domain. These certificates are imported using files in PEM format. The files contain both the server or client certificate and the private key (which must not be password-protected). During the import process, you are prompted to change the display name of the certificate to a friendly name. If you do not rename the certificate, by default it takes the name of the file from which it was imported. Unlike the CA name, you can change the name of the certificate later.

You can also:
• Export a selected certificate. If you export a certificate, the interface prompts you to state whether to export the private key as well.
• Rename the certificate.
• View a certificate as text.
• Remove a selected certificate.
• Verify a certificate.

3 After you have imported all the certificates, click Apply All Changes.
4 Select your newly imported certificate and click Verify to ensure that the complete certificate chain is in place. Do this before configuring TLS itself. If the certificate chain is not verified, ensure that any intermediate certificates have imported correctly.
Normally there is only one intermediate certificate, but occasionally there might be two or even three.
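As an added example (not McAfee's code), the check below inspects a PEM file before it is imported under Certificates: it splits the file into its PEM blocks, counts the certificates (one end-entity certificate plus the intermediates the text mentions), and confirms that exactly one private key is present and that it is not password-protected. The sample PEM text is constructed; its base64 bodies are placeholders, not real keys or certificates.

```python
"""Added example, not McAfee's code: a pre-import sanity check for a PEM
file of the kind the Certificates section describes (certificate chain plus
an unencrypted private key).  The sample PEM bodies below are placeholders."""
import re

# One PEM block: label in the BEGIN line must be repeated in the END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----",
                       re.S)

SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIC...placeholder-end-entity-certificate...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC...placeholder-intermediate-certificate...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIE...placeholder-unencrypted-key...
-----END RSA PRIVATE KEY-----
"""

# Legacy OpenSSL style of a passphrase-protected key (constructed sample).
ENCRYPTED_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

MIIE...placeholder-encrypted-key...
-----END RSA PRIVATE KEY-----
"""


def inspect_pem(text):
    """Count certificates and private keys and flag password-protected keys."""
    report = {"certificates": 0, "intermediates": 0, "private_keys": 0,
              "encrypted_keys": 0, "labels": []}
    for label, body in PEM_BLOCK.findall(text):
        report["labels"].append(label)
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            report["private_keys"] += 1
            # Two ways a PEM key is password-protected: the PKCS#8
            # "ENCRYPTED PRIVATE KEY" label, or legacy OpenSSL
            # "Proc-Type: 4,ENCRYPTED" headers inside the block.
            if label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body:
                report["encrypted_keys"] += 1
    # Everything beyond the first certificate is taken to be chain material.
    report["intermediates"] = max(0, report["certificates"] - 1)
    return report


def import_problems(report):
    """Return the reasons an import would fail or misbehave (empty if fine)."""
    problems = []
    if report["certificates"] == 0:
        problems.append("no certificate found")
    if report["private_keys"] != 1:
        problems.append("expected exactly one private key, found %d"
                        % report["private_keys"])
    if report["encrypted_keys"]:
        problems.append("private key is password-protected; "
                        "remove the passphrase before importing")
    return problems


if __name__ == "__main__":
    for name, pem in (("SAMPLE_PEM", SAMPLE_PEM),
                      ("ENCRYPTED_KEY_PEM", ENCRYPTED_KEY_PEM)):
        r = inspect_pem(pem)
        print(name, r, import_problems(r) or "OK")
```

If the Verify step in the interface fails, the intermediates count is the first thing to compare against the chain the CA supplied: a missing intermediate shows up here as one certificate fewer than expected.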
Transport Layer Security

To configure TLS, first import the trusted CAs and the certificates from the participating organizations, then configure TLS encryption. See Trusted Certificate Authorities on page 100 and Certificates on page 100.

From Transport Layer Security, you can:
• Specify the network or domain of the source and destination.
• Map certificates to specific domains. Each domain can have different certificates for sending and receiving email messages.
• Configure the type of TLS encryption (Never, When Available or Always).
• Specify whether the client must verify itself to the recipient before sending email.

To configure the way email is received or sent:
1 Add network addresses and network masks, or domain names (which can include wildcard characters). The match is done on the connecting IP address.
2 If necessary, select Respond to client verification.
3 If you are configuring how email messages are sent, from the list of your installed certificates, select the certificate(s) to use to respond to your intended email recipients.
4 Manage the lists as necessary. See Making lists on page 45.

Greylisting service

Spammers often exploit other computers (zombies) to deliver their spam. The appliance uses a greylist to block such attacks. The greylist records a triplet (three pieces of information) for each email message: the sender's IP address, the email address of the sender, and the email address of the recipient. When the appliance first encounters this combination, it records the triplet in its greylist, then returns a Temporary Service Error message. The appliance then ignores any retries for a period, typically one hour.

Managing the greylist

To create an effective greylist, the appliance must record the triplets of regular email senders to your network. The records can grow quickly, so the appliance deletes records as follows:
• Any email address that did not try sending again.
  Genuine email senders retry many times over many hours or days. Zombies typically do not resend email.
• Any email address that the appliance has not encountered for over 36 days. Although you can change it, we recommend this number for handling regular email such as monthly newsletters.
• Old email addresses. As the number of records approaches a specified limit, the appliance removes records of senders that it has not encountered for some time.

In the navigation pane, select Configure > SMTP > Greylisting Service to change these settings.
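The greylist behaviour described above, as an added example that is not the appliance's implementation: a first-seen triplet gets a temporary error, retries inside the one-hour window are still refused, a later retry is accepted, and records are dropped when the sender never retries, when a triplet has not been seen for 36 days, or (least recently seen first) when the table nears its size limit. The one-hour window and the 36-day age are the text's figures; the 4-day limit for never-retried records, the table size and the SMTP reply text are assumed parameters.

```python
"""Added example, not the appliance's implementation: a minimal greylist
with the behaviour described in the text.  The one-hour retry window and
36-day expiry come from the text; pending_days, max_records and the SMTP
reply wording are assumptions for this example."""
import time

TEMP_ERROR = "451 4.7.1 Temporary service error, please try again later"


class Greylist:
    def __init__(self, retry_window=3600, max_age_days=36,
                 pending_days=4, max_records=100_000):
        self.retry_window = retry_window
        self.max_age = max_age_days * 86400
        self.pending_ttl = pending_days * 86400
        self.max_records = max_records
        # triplet -> {"first": first seen, "last": last seen, "passed": bool}
        self._records = {}

    def check(self, ip, sender, recipient, now=None):
        """Decide one delivery attempt.  Returns (accept, smtp_reply)."""
        now = time.time() if now is None else now
        self._expire(now)
        key = (ip, sender.lower(), recipient.lower())
        rec = self._records.get(key)
        if rec is None:
            # First sighting of this triplet: record it and defer the mail.
            self._records[key] = {"first": now, "last": now, "passed": False}
            self._prune()
            return False, TEMP_ERROR
        rec["last"] = now
        if now - rec["first"] < self.retry_window:
            return False, TEMP_ERROR          # retried too soon: still refused
        rec["passed"] = True                  # a genuine retry: remember it
        return True, None

    def _expire(self, now):
        """Drop senders that never retried, and triplets not seen for max_age."""
        for key, rec in list(self._records.items()):
            stale = now - rec["last"] > self.max_age
            gave_up = not rec["passed"] and now - rec["first"] > self.pending_ttl
            if stale or gave_up:
                del self._records[key]

    def _prune(self):
        """Near the limit, remove the records least recently seen; records
        that never completed a retry go before established senders."""
        excess = len(self._records) - self.max_records
        if excess <= 0:
            return
        by_age = sorted(self._records.items(),
                        key=lambda kv: (kv[1]["passed"], kv[1]["last"]))
        for key, _ in by_age[:excess]:
            del self._records[key]

    def __len__(self):
        return len(self._records)


if __name__ == "__main__":
    g = Greylist()
    t0 = time.time()
    for delay in (0, 600, 3700):
        print(delay, g.check("203.0.113.5", "a@example.net", "b@example.com",
                             now=t0 + delay))
```

The sender address is compared case-insensitively, so a retry with a differently cased envelope sender still matches the stored triplet; the IP address is matched exactly.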
To use greylisting within a policy, see Greylisting on page 135.

DKIM key management

The DomainKeys Identified Mail (DKIM) technique uses RSA private and public keys and DNS TXT records to enable the recipient to verify the identity of an email sender. The sender signs the email message with a private key by adding an extra header, the DKIM-Signature header. The header provides the email message with a cryptographic signature. The signature is typically derived from the message body and email headers such as From and Subject, then encrypted using the sender's private key.

Recipients can verify that the message is genuine by making a query on the signer's domain to retrieve the signer's public key from a DNS TXT record. The recipient then verifies that the email and its signature match. The recipient can be confident that the email was sent from the stated sender and was not deliberately altered during transit.

The appliance can verify signatures from incoming mail and attach signatures to outgoing mail. See DKIM on page 131.

Signing keys

To create or import signing keys, select Configure > SMTP > DKIM Key Management in the navigation pane. The appliance can create public keys of various lengths. Place the public key on your DNS server (or give it to your Internet Service Provider) so that recipients can verify email from your organization. The public key must not contain spaces or newline characters.
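The following added example (not the appliance's implementation) shows the body-hash half of DKIM verification and the DNS side of key publication described above: it computes the bh= value with SHA-256 over the canonicalized body and compares it with the DKIM-Signature header, forms the DNS name a verifier queries (selector._domainkey.domain), and rejects a public key containing the spaces or newlines the text warns about. Verifying the b= RSA signature over the signed headers needs an RSA library and is not shown. The selector, domain and key string are constructed placeholders.

```python
"""Added example, not the appliance's code: DKIM body-hash check, tag
parsing and DNS TXT record formatting.  The RSA signature (b=) over the
signed headers is left to a signing library and is not computed here.
Selector, domain and key material are placeholders."""
import base64
import hashlib
import re


def simple_canonical_body(body):
    """RFC 6376 'simple' body canonicalization: CRLF line endings, with all
    trailing empty lines collapsed to a single CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return body.rstrip("\r\n") + "\r\n"


def body_hash(body):
    """bh= value: base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(simple_canonical_body(body).encode()).digest()
    return base64.b64encode(digest).decode()


def parse_tags(value):
    """Parse a tag=value list (DKIM-Signature header or DNS TXT record);
    folding whitespace inside values is ignored."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def dkim_signature_header(domain, selector, body, signed=("from", "subject")):
    """Tags a signer adds; b= is left empty for the signing library to fill."""
    return ("v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=%s; bh=%s; b="
            % (domain, selector, ":".join(signed), body_hash(body)))


def verify_body_hash(dkim_signature, body):
    """True if the body the verifier received still matches bh=."""
    tags = parse_tags(dkim_signature)
    return tags.get("a") == "rsa-sha256" and tags.get("bh") == body_hash(body)


def dns_key_name(dkim_signature):
    """Where the verifier fetches the public key: <s>._domainkey.<d>."""
    tags = parse_tags(dkim_signature)
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def public_key_txt_record(public_key_b64):
    """TXT record to publish; the key must be one unbroken base64 string."""
    if re.search(r"\s", public_key_b64):
        raise ValueError("public key must not contain spaces or newlines")
    return "v=DKIM1; k=rsa; p=%s" % public_key_b64


if __name__ == "__main__":
    body = "Quarterly figures attached.\r\n\r\n"
    sig = dkim_signature_header("example.com", "sel1", body)
    print(sig)
    print(dns_key_name(sig), verify_body_hash(sig, body))
    print(public_key_txt_record("MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...placeholder..."))
```

A failed body-hash comparison is the cheap first check a verifier makes: if bh= does not match, the body was altered in transit (or canonicalized differently) and there is no point fetching the key or checking b=.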
SMTP Policies for SMTP 4

Policies for SMTP

This section describes how you use Policy > SMTP in the navigation pane to set up policies that tell the appliance how to handle email messages. It contains the following sections:
• SMTP content policies.
• SMTP protocol policies on page 127.
• SMTP connection policies on page 143.

SMTP content policies

To set policies that control how the appliance handles email messages, select Policy > SMTP > Content in the navigation pane. You can configure the following content policy features:
• What is spam? on page 104.
• Anti-phishing on page 112.
• Anti-virus on page 113.
• Data loss prevention on page 113.
• Compliancy on page 117.
• Content scanner on page 118.
• Scanner control on page 119.
• Encrypted content on page 120.
• Protected content on page 120.
• Signed content on page 121.
• Corrupt content on page 122.
• Disclaimer text on page 122.
• Alert settings on page 123.
• File filtering on page 123.
• Mail size filtering on page 125.
• HTML settings on page 125.
• Mail settings on page 126.
What is spam?

Spam is any unsolicited and unwelcome email message. It includes commercial email messages, the electronic equivalent of junk mail, and unwanted non-commercial email messages, such as virus hoaxes, jokes, and chain letters. Spammers (those who create spam) often forge the headers of their email messages to hide their true identity, deflecting the blame toward innocent parties.

You can configure the appliance to detect spam. Anti-spam and anti-phishing use the same techniques. You see the anti-phishing option only if the anti-spam option is available. Although you can enable and disable the options independently, you gain little in performance by doing so.

Quarantined spam is placed in the Spam Quarantine area. Other quarantined messages are placed in other queues.

Tips to avoid spam

Make these tips available to your users to help them reduce spam:
• Use a different email address or public email address when participating in newsgroups, joining contests, or responding to any third-party requests online.
• Do not respond to email requests to validate or confirm any of your account details. Your bank, credit card company, and other online services already have your account details, so they do not need you to validate them.
• Avoid using a Reply or Remove option. Some senders remove the address, but others record the email address and later send more spam, or sell the address to other spammers.
• Do not respond to spam. If you reply, you are confirming that your email address is valid and the spam has been successfully delivered. Lists of confirmed email addresses are valuable, and are frequently bought and sold by spammers.
• Check whether your email address is visible to spammers by typing it into a search engine. If your email address is posted on any websites or newsgroups, remove it if you can.
• Limit Internet use at work.
  When at work, do not access sites that are not relevant to business, such as message boards, e-trade sites, Internet auctions, and e-commerce sites.
• Do not post email addresses online. Know whether your email address will be displayed or used before posting an email address online. Read the privacy policy on the website before posting your address, and opt out if possible.
• Do not post your email address in a plain format on the Internet. If you need to post your email address, disguise it so it is not easy to replicate. For example, type user-at-example.com instead of user@example.com.
• Beware of purchasing products that are advertised by spam. When you respond to this type of email, you often make more personal information (such as your name, address, telephone number or credit card number) available to spammers, which can lead to increased spam. Furthermore, to provide themselves with an income, spammers must issue large numbers of email messages to get enough responses. By not responding, you discourage this advertising and make it unprofitable.
The McAfee Anti-Spam Module

The Secure Internet Gateway version of the appliance has an anti-spam component, which protects your email traffic, scanning for spam and phishing email messages and enabling you to use the reputation service. For the Secure Messaging Gateway version of the appliance, the Anti-Spam Module must be separately activated.

The Anti-Spam Module uses the anti-spam engine and anti-spam rules to scan email traffic for spam. The anti-spam engine uses anti-phishing rules to scan email messages for phishing attacks.

Identifying spam is not an exact science. Anti-spam software identifies characteristics within an email message that make it likely that the message contains spam. For example, a simple anti-spam rule looks for phrases that typically appear in spam messages, such as "get rich quick".

Try to maintain a balance between blocking potential spam and allowing normal email messages through. If your anti-spam measures are too stringent, normal email might be wrongly identified as spam and blocked, and users will complain that they are not receiving the email they were expecting. If your anti-spam measures are not stringent enough, too much spam gets through and interferes with normal email.

Maintaining the right balance is difficult because:
• The nature of spam is always changing, and its senders change their tactics to avoid detection.
• The definition of spam varies according to context. For example, a joke you receive at home from a friend might not be considered spam; the same joke sent to 300 employees might be considered spam by your employer.
• Some exceptions might be needed. For example, you want to block email containing commercial advertising unless it comes from similar organizations, because you need to keep up-to-date with their products and promotions.

For these reasons, we cannot guarantee that the anti-spam software will detect and block all email messages that might contain spam.
The Anti-Spam Module works with the appliance's other anti-spam features to help you maintain the best balance between blocking potential spam and accepting normal email. In particular:
• To counter changing spammer tactics, McAfee regularly updates the anti-spam engine and anti-spam rules files. These files can be automatically downloaded using the appliance's update facility. You can also load special extra rules that combat a sudden outbreak of a specific type of spam. Anti-phishing rules are downloaded at the same time as the anti-spam rules.
• You can set up separate inbound and outbound anti-spam policies, and specify the level of spam detection to use for each policy. For more information, see Anti-spam policy on page 108. You can also set up separate anti-phish policies. For more information, see Anti-phishing on page 112.
• The anti-spam software can decide how to handle the spam after it has been identified. You can:
  • Deal with spam at the appliance so that it never reaches the end users. For example, email messages that contain potential spam can be refused, discarded, or forwarded to a special mailbox.
  • Use the appliance to add a spam indicator to email messages containing potential spam, and let the recipients choose how to deal with the messages. For example, the mail administrators and users can set up their mail clients to automatically place spam into a special folder.

You can control the spam that your organization receives by blocking all email from known unwanted senders, marking the subject line of any suspicious email messages, deleting messages, or moving messages to a quarantine area. You can inform an administrator of the detection, or record the event in a log.

Spam scores

The appliance matches a large set of rules against every email message. Each rule has a score, positive or negative. Rules that match spam-like characteristics give a positive score. Rules that match characteristics of legitimate messages give a negative score. When added, the scores give each message an overall spam score. Some rules are simple, and match only on popular phrases. Others are more complex and match on the header information and structure of email messages.

In a similar way, the anti-spam engine uses the anti-phishing rules to detect phishing attacks. Rules that match phishing characteristics add to the overall phish score, while rules that match non-phish characteristics reduce the overall phish score.
The appliance examines the overall anti-spam score and overall anti-phish score to determine whether the anti-spam or anti-phish policy must be applied to the email message. The email message is then categorized as spam or phish. The score for each rule in the anti-phish rule set is fixed and cannot be changed. The score for each anti-spam rule can be changed. See What is spam? on page 104.
Examples of anti-spam scoring

Spam often contains well-known phrases. For example, these phrases are good indicators:

Table 4-7 Anti-spam scoring

Phrase              Spam score per phrase
Dear Friend         1.5
amazing offers      1.0
believe your eyes   1.2
incredibly low      0.8
best ever           0.8

The values in the table are examples only. The actual values might be different in the appliance. This example is deliberately simple, and does not demonstrate any complex matching.

Consider the following messages. The scored phrases are shown in quotation marks for clarity.

Message 1:
  Dear John,
  Our computer suppliers have some "amazing offers" on PCs this year. I'll send you their catalogue and discuss my requirements with you on Tuesday. Looking forward to our "best ever" year on this project!
  Regards, Peter
Total spam score: 1.0 + 0.8 = 1.8

Message 2:
  "Dear Friend",
  See our website for "amazing offers" on PCs. You won't "believe your eyes"! These "incredibly low" prices are our "best ever"!
Total spam score: 1.5 + 1.0 + 1.2 + 0.8 + 0.8 = 5.3

The second message has a higher score, which indicates that it is possibly spam. A legitimate message may also have a high score. Therefore, the detection of spam cannot be precise.

You can determine how the appliance will respond to messages based on their spam scores:
• Specify a level at which you regard a message as spam. Typically, a score of 5 indicates that a message is spam. You can inform the recipients that a message is likely to be spam by adding some text, such as ** spam **, to the subject line of the message. Recipients can then easily identify spam and decide how to handle it. For example, some email products, such as Microsoft Outlook and Lotus, can redirect mail to specific folders based on rules or filters.
• Specify a level at which the appliance handles spam messages automatically. For example, the appliance can automatically accept and then drop messages that have high spam scores. In addition, you can inform an administrator or log the event.
• Add a report to a message's Internet headers that records any rules that triggered and the message's spam score. You can choose whether to add the report, and whether such information is included in all messages or only those messages that the appliance identifies as spam. The report includes a spam score and, optionally, a spam score indicator. For example, a spam score of 5.6 can have an indicator of five asterisks, and a spam score of 6.95 can have an indicator of six asterisks. The indicator is rounded down to the lower integer, ignoring any decimal fraction. The indicator provides a simple character string for filtering messages.
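The scoring scheme of Table 4-7 applied to the two example messages, as an added example that is not the appliance's engine: phrase rules are summed into a score, the score is compared with the threshold (5 in the text's example), the subject prefix is added, and the indicator is built by rounding the score down to whole symbols (5.6 gives five, 6.95 gives six). The phrase scores are the illustrative values from the table; the function names are assumptions.

```python
"""Added example, not the appliance's anti-spam engine: phrase-rule
scoring as in Table 4-7, the threshold decision, the subject prefix and the
spam score indicator.  Phrase scores are the table's illustrative values;
function names are assumptions."""
import math
import re

# Table 4-7 (illustrative values, as the text says).
PHRASE_RULES = {
    "dear friend": 1.5,
    "amazing offers": 1.0,
    "believe your eyes": 1.2,
    "incredibly low": 0.8,
    "best ever": 0.8,
}

# The two messages of the example (wrapped for readability).
MESSAGE_1 = """Dear John,
Our computer suppliers have some amazing offers on PCs this year. I'll send
you their catalogue and discuss my requirements with you on Tuesday.
Looking forward to our best ever year on this project!
Regards, Peter"""

MESSAGE_2 = """Dear Friend,
See our website for amazing offers on PCs. You won't believe your eyes!
These incredibly low prices are our best ever!"""


def score_message(text, rules=PHRASE_RULES):
    """Sum the score of every rule whose phrase occurs in the text.  Matching
    is case-insensitive, line breaks are treated as spaces, and each phrase
    counts once, as in the worked example.  Returns (score, triggered)."""
    norm = re.sub(r"\s+", " ", text.lower())
    triggered = {p: s for p, s in rules.items() if p in norm}
    return round(sum(triggered.values()), 2), triggered


def indicator(score, symbol="*"):
    """Spam score indicator: one symbol per whole point, fraction dropped
    (5.6 -> 5 symbols, 6.95 -> 6).  Negative scores give no symbols."""
    return symbol * max(0, math.floor(score))


def classify(subject, body, threshold=5.0, prefix="** spam **"):
    """Apply the policy: score subject and body, compare with the threshold,
    and tag the subject line when the message is treated as spam."""
    score, triggered = score_message(subject + "\n" + body)
    is_spam = score >= threshold
    return {
        "score": score,
        "spam": is_spam,
        "subject": ("%s %s" % (prefix, subject)) if is_spam else subject,
        "indicator": indicator(score),
        "rules": triggered,
    }


if __name__ == "__main__":
    for subj, body in (("Catalogue", MESSAGE_1), ("Offers", MESSAGE_2)):
        print(classify(subj, body))
```

With the default threshold, message 1 (1.8) passes untouched while message 2 (5.3) gets the prefix and a five-asterisk indicator; lowering the threshold to 1.5 would tag both, which is the over-stringent setting the text warns about.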
We recommend that you enable the spam report for initial testing only, because it can affect your server's performance. After you have collected enough information, turn off the option.

Disabling rules

The appliance contains many anti-spam rules that it applies against email messages. You can disable rules that might not be appropriate for your organization. For example, advertisements for unproven slimming aids are common, so a rule that detects the phrase "weight loss" is useful for identifying possible spam. However, if your organization produces health products, you might not want to apply this rule against your own email.

Changing the score associated with rules

To prevent some types of email being treated as spam (or not), you can change the score associated with each of the anti-spam rules.

Caution: The anti-spam scores have been carefully optimized. Change a score only if you understand the consequences. You cannot change the scores for phish rules.

Anti-spam policy

Using the anti-spam policy option, you can:
• Enable or disable anti-spam scanning.
• Specify the action the appliance must take for different levels of spam detection.
• Set up global and group-specific blacklists and whitelists.
• Configure anti-spam rules.
• Configure Bayesian learning.
• Specify when and how to add a spam report to email messages.
• Configure the advanced anti-spam settings.

The anti-spam software does not detect offensive images, but can detect email that contains mainly graphics.

To configure the anti-spam option:
1 In the navigation pane, select Policy > SMTP > Content > From Inside or From Outside > Anti-Spam.
2 To inherit settings from the global policy, see Step 12 on page 59.
3 To specify any time restrictions, see Adding time-specific settings to non-global policies on page 60.
4 To specify the actions that the appliance must take when a detection occurs, see Actions on page 73. Incorrectly configured anti-spam settings can block legitimate messages. We recommend that you experiment first with the use of quarantine and a prefix to subject lines.
5 You can use the global anti-spam policy to create a global blacklist and whitelist, or use anti-spam sub-policies to create blacklists and whitelists for groups of users. See Making lists on page 45. If an email address is in a whitelist, messages from that address are less likely to be treated as spam in the future. If an email address is in the blacklist, subsequent messages from that address are more likely to be treated as spam. Alternatively, users can create their own blacklists and whitelists. For more information about user blacklists and whitelists, see User black and white lists on page 95.
6 Manage the list of anti-spam rules to use. See Making lists on page 45. These rules define which email characteristics are identified as potential spam. You can also disable these rules, which means they will not be used in anti-spam detection, and can change the score associated with the rules.
7 Clear the Bayesian learning databases if necessary. You need only do this if the database has become poisoned by email messages that have been incorrectly submitted as spam or non-spam.
8 Specify the reporting threshold. The values are:
  • Low. A spam score of 5 or more.
  • Medium. A spam score of 10 or more.
  • High. A spam score of 15 or more.
  You can also specify a custom level. Only change a threshold if its default value is not effective. You can type numbers with decimal fractions, for example 6.25.
9 For reporting, you can specify:
  • Whether the appliance will add the spam score indicator to the email headers.
  • An optional symbol (such as an asterisk) to replace the indicator.
  • The spam score that must be reached before the appliance adds information about spam detection to email messages.
  • The type of email messages to which spam reports are attached.
  • When a report will be generated.
  • The type of report. Normal reports include the names of the anti-spam rules that have triggered. Verbose reports include the names and descriptions of the anti-spam rules that have triggered.
  • The text to add to the start of the email message subject line. The subject prefix cannot contain any characters from multi-byte (extended) character sets. For example, you cannot enter characters from the Japanese (ISO-2022-JP) character set.
10 To set up advanced anti-spam features:
  a Specify the maximum size of message that the appliance will scan for spam. Spam messages are usually small.
  b Type the maximum width for the spam headers. We recommend that you do not reduce this value below 76 characters, because it might truncate some of the rule descriptions in the verbose spam report.
  c Type the maximum number of reported rules that can be included in the report. The default is 180.
  d Add a customized email header. You can give a name and value to the email header, and specify the type of email message to which it is added. For example, you can add the customized email header to spam, non-spam, or both.
  e Specify that an alternative header name is used when email messages are not spam. You may want to use an alternative header if you choose to always add the spam score to messages.

Extra headers and spam reporting

In this example, a user called 99mailbot1 from example.com sends an email to a user at McAfee, with the subject line "Get rich quick". For simplicity, the HTML content of the email message and some headers are not shown here. The anti-spam policy has the following settings:

Setting                              Value
Spam reporting threshold             5
Prefix for subject line              ++spam++
Customized mail header and value     MyHeader, myvalue
Spam score indicator                 *
Report attached                      To spam, and verbose
The appliance adds extra text to the email message: the subject-line prefix, the customized MyHeader line, and the X-NAI-Spam-* headers (shown in bold in the original). The mail user normally sees only the change to the subject line. Information in the X- headers is not visible to the users, and is intended for analysis by other devices and software in the network.

From: 99mailbot1@example.com
To: <user@mcafee.com>
Subject: ++spam++ Get rich quick!
Date: Wed, 23 May 2007
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MyHeader: myvalue
X-NAI-Spam-Flag: YES
X-NAI-Spam-Level: *********
X-NAI-Spam-Threshold: 5
X-NAI-Spam-Score: 9.8
X-NAI-Spam-Report: 13 Rules triggered
 * 4.1 -- FROM_STARTS_WITH_NUMS -- From: starts with nums
 * 2.5 -- BAYES_99 -- Bayesian spam probability is 99 to 100%
 * 1.9 -- SUBJ_GET_RICH_QUICK -- Subject includes get rich quick
 * 1.3 -- FROM_HAS_MIXED_NUMS -- From: contains numbers mixed in with lette
 * -0.8 -- HTML_LINK_CLICK_HERE -- HTML link text says click here
 * 0.4 -- INVALID_DATE_TZ_ABSURD -- Invalid Date: header (timezone does not
 * 0.2 -- HTML_LINK_CLICK_CAPS -- HTML link text says CLICK
 * 0.2 -- HTML_SHOUTING4 -- HTML has very strong shouting markup
 * -0.2 -- DATE_IN_PAST_24_48 -- Date: is 24 to 48 hours before Received: d
 * 0.1 -- HTML_FONTCOLOR_RED -- HTML font color is red
 * 0.1 -- HTML_MESSAGE -- HTML included in message
 * 0 -- BTAMAIL_URL -- Message contains a URL at btamail.net.cn
 * 0 -- HTML_FONT_FACE_CAPS -- HTML font face has excess capital characters

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
:
</HTML>

What the headers and report mean:
• The prefix ++spam++ appears in the Subject line.
• The header line X-NAI-Spam-Flag: YES indicates that the message is spam, having exceeded the threshold X-NAI-Spam-Threshold: 5 with a spam score X-NAI-Spam-Score: 9.8.
• The spam score of 9.8 is also indicated by the header line X-NAI-Spam-Level, with an indicator of 9 asterisks.
• The spam report appears in the header X-NAI-Spam-Report.
The verbose report shows a description of each triggered spam rule. A simple report shows only the rule names and scores:

X-NAI-Spam-Rules: 13 Rules triggered FROM_STARTS_WITH_NUMS=4.1, BAYES_99=2.5, SUBJ_LIFE_INSURANCE=1.9, FROM_HAS_MIXED_NUMS=1.3, HTML_LINK_CLICK_HERE=-0.8, INVALID_DATE_TZ_ABSURD=0.4, HTML_LINK_CLICK_CAPS=0.2, HTML_SHOUTING4=0.2, DATE_IN_PAST_24_48=-0.2, HTML_FONTCOLOR_RED=0.1, HTML_MESSAGE=0.1, BTAMAIL_URL=0, HTML_FONT_FACE_CAPS=0

Content rules that are treated as spam rules are also included in the report. For more information, see Specifying the action to take when a rule is triggered on page 147.
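The X-NAI-Spam-* headers above are meant for downstream software, so the following added example (not McAfee's code) is the consumer side: a mail-store filter or log collector that parses the headers with the standard library and checks them for consistency. It confirms that the flag agrees with score and threshold, that the indicator has floor(score) symbols, that the declared rule count matches the rules listed, and that the per-rule scores in the simple report add up to the score (for the example above, 4.1 + 2.5 + 1.9 + 1.3 - 0.8 + 0.4 + 0.2 + 0.2 - 0.2 + 0.1 + 0.1 = 9.8). The sample message is constructed from the headers shown in the text; its body is omitted.

```python
"""Added example, not McAfee's code: parse and sanity-check the
X-NAI-Spam-* headers a downstream filter receives.  The sample message is
constructed from the headers shown in the text."""
from email import message_from_string
import math
import re

SAMPLE = """From: 99mailbot1@example.com
To: <user@mcafee.com>
Subject: ++spam++ Get rich quick!
Date: Wed, 23 May 2007
MIME-Version: 1.0
MyHeader: myvalue
X-NAI-Spam-Flag: YES
X-NAI-Spam-Level: *********
X-NAI-Spam-Threshold: 5
X-NAI-Spam-Score: 9.8
X-NAI-Spam-Rules: 13 Rules triggered FROM_STARTS_WITH_NUMS=4.1, BAYES_99=2.5,
 SUBJ_GET_RICH_QUICK=1.9, FROM_HAS_MIXED_NUMS=1.3, HTML_LINK_CLICK_HERE=-0.8,
 INVALID_DATE_TZ_ABSURD=0.4, HTML_LINK_CLICK_CAPS=0.2, HTML_SHOUTING4=0.2,
 DATE_IN_PAST_24_48=-0.2, HTML_FONTCOLOR_RED=0.1, HTML_MESSAGE=0.1,
 BTAMAIL_URL=0, HTML_FONT_FACE_CAPS=0

(body omitted)
"""

# "RULE_NAME=score" pairs of the simple report; scores may be negative.
RULE_RE = re.compile(r"([A-Z0-9_]+)=(-?\d+(?:\.\d+)?)")
COUNT_RE = re.compile(r"\s*(\d+) Rules triggered")


def parse_spam_headers(raw):
    """Pull the spam verdict out of a raw RFC 822 message."""
    msg = message_from_string(raw)
    rules_hdr = msg.get("X-NAI-Spam-Rules", "")   # folded lines are kept
    count = COUNT_RE.match(rules_hdr)
    return {
        "subject": msg.get("Subject", ""),
        "flag": msg.get("X-NAI-Spam-Flag", "").strip().upper() == "YES",
        "level": len(msg.get("X-NAI-Spam-Level", "").strip()),
        "threshold": float(msg.get("X-NAI-Spam-Threshold", "0")),
        "score": float(msg.get("X-NAI-Spam-Score", "0")),
        "declared_rule_count": int(count.group(1)) if count else None,
        "rules": {name: float(val) for name, val in RULE_RE.findall(rules_hdr)},
    }


def consistency_problems(h):
    """Cross-check the headers against each other; empty list means consistent."""
    problems = []
    if h["flag"] != (h["score"] >= h["threshold"]):
        problems.append("flag disagrees with score/threshold")
    if h["level"] != max(0, math.floor(h["score"])):
        problems.append("indicator length is not floor(score)")
    if (h["declared_rule_count"] is not None
            and h["declared_rule_count"] != len(h["rules"])):
        problems.append("declared rule count differs from rules listed")
    if h["rules"] and abs(sum(h["rules"].values()) - h["score"]) > 0.05:
        problems.append("rule scores do not add up to the score")
    return problems


if __name__ == "__main__":
    headers = parse_spam_headers(SAMPLE)
    print(headers["score"], headers["level"], sorted(headers["rules"]))
    print(consistency_problems(headers) or "headers are consistent")
```

Filtering on X-NAI-Spam-Level alone (for example, "nine or more asterisks") is the simple string test the text has in mind for mail clients; the cross-checks matter when the headers are trusted by something further downstream than the client.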
Updating your anti-spam software

The anti-spam rules help you maintain a balance between the email you want to stop because it probably contains spam, and email that you want to let through because it is unlikely to contain spam. In the navigation pane, select Update > Anti-Spam to regularly download:
• Anti-spam rules. These define what is spam. Some anti-spam rules are updated regularly, but McAfee also produces extra rules to combat sudden outbreaks of new types of spam.
• Anti-spam engine. This uses anti-spam rules to scan email messages for spam.
• Streaming updates. These updates are made available every few minutes.

Anti-phishing

You can configure the appliance to detect phishing email messages. Phishing is the illegal activity of using spoofed email messages to persuade unsuspecting users to disclose personal identity and financial information. Criminals can use the stolen identity to fraudulently obtain goods and services and to steal directly from bank accounts.

The appliance's anti-phishing software uses the anti-spam engine and phishing rules to scan email messages for phishing characteristics. A phishing score is then associated with each email message. For more information, see What is spam? on page 104.

To enable scanning for phish, the McAfee Anti-Spam Module must be enabled. See The McAfee Anti-Spam Module on page 105. Anti-phishing rules are updated as part of the anti-spam rules update. See Updating your anti-spam software on page 112.

1 In the navigation pane, select Policy > SMTP > Content > From Inside or From Outside > Anti-Phishing.
2 To inherit settings from the global policy, see Step 12 on page 59.
3 From the dialog box, enable anti-phishing scanning.
4 To specify any time restrictions, see Adding time-specific settings to non-global policies on page 60.
5 To specify the actions that the appliance must take when a detection occurs, see Actions on page 73.
6 To customize or create any alert messages, see Editing alert messages on page 46.
7 Specify the type of reporting required. You can also add a phish indicator, and type any text you want to add to the message subject line.

112
Anti-virus

The appliance can be configured to detect viruses and other potentially unwanted programs. If a detection occurs, the appliance can act as described in Actions on page 73.

1 In the navigation pane, select Policy SMTP Content From Inside or From Outside Anti-Virus.
2 Follow the instructions in Chapter 3, Policies Overview, starting from Step 1 on page 78.

To update your anti-virus software with regular downloads of anti-virus definition files, select Update Anti-Virus in the navigation pane. See Updating the appliance on page 288.

Data loss prevention

McAfee Secure Internet Gateway appliances help prevent the accidental loss of confidential information from your organization through email or website posting. The technique is called Data Loss Prevention (DLP), flow control, or Outbound Content Compliance (OCC). See also Compliancy on page 117.

When enabled on the appliance, the DLP feature relies on separate software, called the Data Fingerprinting Tool, which resides on a file server. The tool constantly examines your organization's confidential files, and maintains some coded information (known as fingerprints) about each file in its own local database. The tool regularly passes copies of the information to the McAfee appliance. See the Data Fingerprinting Tool Product Guide.

The appliance scans email messages and HTTP posting requests, searching for the fingerprints, and thereby prevents confidential information leaving your organization. For example:

The appliance blocks the accidental sending of a spreadsheet (or part of it) from the Finance department.
The appliance warns that a paragraph of a product specification (perhaps in a Microsoft Word document) is embedded in an email message.
The appliance warns that a confidential report was posted to a website.

The next sections describe the fingerprint database.

Classifications

Confidential files are organized into classifications.
For example, a classification can include files that belong to the Finance department, or all the product specifications, or personal information about the employees.

Classifications are created using the Data Fingerprinting Tool on the file server. However, to help with creating policies, you can create further classifications based on the originals. See Creating further classifications under Creating policies on page 114.

113
Locations

Within each classification are the locations of these files. For example:

The Finance department keeps all its Excel spreadsheet files in a folder: \\server3\finance.
Product specifications are in several folders: \\server1\specs2005, \\server2\specs2006 and \\server1\specs2007.
Employees' names and addresses are in two files: \\server1\office1\employees.mdb and \\server4\office2\employees.mdb.

File types

Folders often contain a variety of files, and protection can cover all the files or just some of the files, such as all Microsoft Excel spreadsheets.

Fingerprints

The database does not contain any of the original text or numerical data from your confidential files, but rather it contains a large number of data patterns, known as signatures or fingerprints, that represent the data in an abstracted form. The database stores the fingerprints in these forms:

Fine fingerprints. Each confidential file is represented in the database as a large number of fingerprints. Each fingerprint corresponds to a small portion of data. Consequently, large files have more fingerprints than small files. Fine fingerprinting is useful for protecting any part of the original text or numerical data in a confidential file.

Compact fingerprints. Each confidential file is represented in the database as a fixed number of fingerprints. Each fingerprint corresponds to a portion of the data. Consequently, large files have the same number of fingerprints as small files. Compact fingerprinting is useful for protecting whole files or large sections within them.

Collecting fingerprints

The Data Fingerprinting Tool software includes a process that regularly examines the confidential files on your server (typically every few hours) and updates the fingerprint database on the file server. The database, or incremental updates to the database, are regularly sent to the appliance.

Creating policies

The appliance's policies operate on classifications and the folders within them.
The appliance monitors SMTP and HTTP posted traffic, in other words, email and files posted to websites, so the actions that apply to confidential data depend on the form in which it is sent. For example, the appliance can block email that contains any confidential data from the Finance department, or warn the administrator if confidential data about employees is posted to a website.

114
Partial detection

To detect the transfer of confidential data, the appliance looks for the fingerprints. In other words, the appliance scans for data patterns that are recorded in its own fingerprint database. However, if the original confidential information has been edited or copied in part into other documents, only some of the fingerprints remain.

Within each policy, you can specify how much of the original fingerprint information the appliance must detect before taking some action. For example, a document might be confidential if its full original contents are made public. However, a copy of the document that has had several changes throughout is no longer considered confidential. Perhaps, if the copy matches the original by less than 50%, it is considered safe to release. This type of detection is possible if the appliance's database holds compact fingerprints from the original document.

Also within each policy, you can specify how many of the fingerprints the appliance must detect before taking some action. The appliance can consider a document confidential if it contains a small part of any confidential document. For example, if the appliance finds three small consecutive parts of an original document, the appliance considers that the document is still confidential. This type of detection is possible if the appliance's database holds fine fingerprints from the original document.

These features are available in the navigation pane at Policy protocol Content From Inside or From Outside. Select Data Loss Prevention, then click Advanced.

Creating further classifications

As explained in Classifications on page 113, the classifications are created on the file server. On the appliance, you create policies that describe how the appliance will respond upon detecting fingerprints from files in these classifications. You can also create your own sub-classifications on the appliance, which are based on those classifications and their locations.
Normally, you do not need to create further classifications. However, they allow you more control over the flow of confidential information. For example, you can change the appliance's response to monitoring or blocking of some files.

To create a new classification on the appliance:

1 In the navigation pane, select Policy, then select the protocol.
2 Right-click Fingerprint Groups and select Create Fingerprint Groups.
3 In the Create Fingerprint Group dialog box, type a name, for example, Finance Only.
4 Click OK to close the dialog box. The new group appears below Fingerprint Groups.
5 Select Imported Classifications. The pane on the right shows all the classifications that have been imported from the file server.
6 Select one rule name (for example Finance). Right-click and select Cut or Copy.
7 Select your new group. Right-click and select Paste.
8 To add more rules to the new group, repeat Step 5 to Step 7.

You now have a new classification, to which you can apply a policy.

115
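The two fingerprint forms and the two Partial detection thresholds described above (a compact-fingerprint match percentage, and a count of consecutive fine fingerprints) are easier to see in working code. The following is an added example and not the Data Fingerprinting Tool's own scheme: the hashing, the 4-word window, the 8 slices per file, the Finance document and the outgoing variants are all constructed here to show why an edited-throughout copy passes while a short verbatim excerpt or a half copy is caught.

```python
"""Fine and compact fingerprint matching, modelled on the Partial detection
section above.

Added example, not McAfee's Data Fingerprinting Tool. The hashing scheme,
window size and slice count are assumptions chosen to make the two
fingerprint forms and their thresholds easy to see.
"""
import hashlib
from typing import Dict, List, Set

FINE_WINDOW = 4      # words per fine fingerprint (assumption)
COMPACT_SLICES = 8   # compact fingerprints per file, regardless of size (assumption)


def _words(text: str) -> List[str]:
    return text.lower().split()


def _fp(words: List[str]) -> str:
    """A fingerprint is a hash of a run of words, never the words themselves."""
    return hashlib.sha256(" ".join(words).encode()).hexdigest()[:16]


def fine_fingerprints(text: str) -> List[str]:
    """One fingerprint per sliding window of words: the count grows with file size."""
    w = _words(text)
    return [_fp(w[i:i + FINE_WINDOW]) for i in range(len(w) - FINE_WINDOW + 1)]


def compact_fingerprints(text: str) -> List[str]:
    """A fixed number of fingerprints, each covering an equal slice of the file."""
    w = _words(text)
    bounds = [k * len(w) // COMPACT_SLICES for k in range(COMPACT_SLICES + 1)]
    return [_fp(w[bounds[k]:bounds[k + 1]]) for k in range(COMPACT_SLICES)]


class FingerprintDB:
    """Per-classification store, as the tool would ship it to the appliance."""

    def __init__(self) -> None:
        self.fine: Dict[str, Set[str]] = {}
        self.compact: Dict[str, Set[str]] = {}

    def add(self, classification: str, text: str) -> None:
        self.fine.setdefault(classification, set()).update(fine_fingerprints(text))
        self.compact.setdefault(classification, set()).update(compact_fingerprints(text))


def compact_match_percent(db: FingerprintDB, classification: str, text: str) -> float:
    """How much of the outgoing file still matches the original, slice for slice."""
    fps = compact_fingerprints(text)
    known = db.compact.get(classification, set())
    return 100.0 * sum(fp in known for fp in fps) / len(fps)


def longest_fine_run(db: FingerprintDB, classification: str, text: str) -> int:
    """Longest run of consecutive fine fingerprints that come from a confidential file."""
    known = db.fine.get(classification, set())
    best = run = 0
    for fp in fine_fingerprints(text):
        run = run + 1 if fp in known else 0
        best = max(best, run)
    return best


def evaluate(db: FingerprintDB, classification: str, text: str,
             min_percent: float = 50.0, min_run: int = 3) -> Dict[str, object]:
    """Apply both thresholds from the guide's examples: block when the compact
    match reaches min_percent, or when min_run consecutive fine fingerprints
    are found."""
    percent = compact_match_percent(db, classification, text)
    run = longest_fine_run(db, classification, text)
    action = "block" if percent >= min_percent or run >= min_run else "allow"
    return {"compact_percent": percent, "fine_run": run, "action": action}


# Constructed sample: a 32-word Finance file and three outgoing variants.
ORIGINAL = ("q3 budget summary for the finance department revenue forecast 12 million "
            "operating expenses 9 million projected margin 25 percent headcount plan 40 "
            "new hires capital budget 2 million contingency reserve 1 million")
# One word changed in every 4-word slice: edited throughout, same length.
EDITED = ("q3 plan summary for the sales department revenue forecast 14 million "
          "operating expenses 8 million projected margin 30 percent headcount plan 45 "
          "new hires capital spend 2 million contingency fund 1 million")
# A short verbatim excerpt pasted into an unrelated message.
EXCERPT = "please see revenue forecast 12 million operating expenses 9 million for details thanks"
# First half verbatim, second half replaced.
HALF = (" ".join(ORIGINAL.split()[:16]) +
        " the remaining lines of this budget are still under review and will follow early next week")


def demo_db() -> FingerprintDB:
    db = FingerprintDB()
    db.add("Finance", ORIGINAL)
    return db


if __name__ == "__main__":
    db = demo_db()
    for name, doc in [("verbatim", ORIGINAL), ("edited", EDITED), ("excerpt", EXCERPT), ("half", HALF)]:
        print(name, evaluate(db, "Finance", doc))
```

Note the division of labour the guide describes: the compact check answers "how much of the file is still here" and so passes the edited copy, while the fine check catches the excerpt, which the compact check misses entirely because its slices no longer line up with the original.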
Applying a policy to a fingerprint classification

1 In the navigation pane, select Policy SMTP Content From Inside or From Outside Content Scanner.
2 In the Content Scanner dialog box, enable content scanning. Select Include document and database formats in content scanning, and click OK.
3 Select Policy SMTP Content From Inside or From Outside Data Loss Prevention.
4 In the Data Loss Prevention dialog box, ensure that the fe ature is enabled.
5 To inherit settings from the global policy, see Step 12 on page 59.
6 Under Summary, change the alert message if you do not want to use the default message.
7 Under Rule List, click Add Rule to open the Select DLP Rule or Group dialog box.
8 In the dialog box, under Available Rules, select a classification.
9 Under Properties, select the actions that the appliance will take upon detecting fingerprints for this classification. See Actions on page 73.
10 Click OK to close the Select DLP Rule or Group dialog box. The Rule List and Summary are updated in the Data Loss Prevention dialog box.
11 To change the actions associated with any rule, select the rule, click Set Actions and use the dialog box.
12 To add more rules, repeat Step 7 to Step 11.
13 Click OK to close the Data Loss Prevention dialog box.

As an alternative, you can assign classifications to policies. See Assigning a fingerprint classification to policies, next.

Assigning a fingerprint classification to policies

1 In the navigation pane, select Policy SMTP and expand Fingerprint Groups.
2 Right-click a classification, and select Assign Fingerprint Rules from the menu.
3 In the upper part of the Assign Fingerprint Group dialog box, select the policy.
4 Under Assignment summary in the dialog box, click the blue underlined text to open the Action dialog box.
5 In the dialog box, choose the actions, then click OK. The settings are shown under Assignment summary in the Assign Fingerprint Group dialog box.
6 Click OK to close the Assign Fingerprint Group dialog box.

As an alternative, you can apply policies to classifications. See Applying a policy to a fingerprint classification, earlier.

Excluding files from data loss prevention

Consider a file that was wrongly marked as confidential on the file server. Any part, or copy of the file's data, will cause false alerts when the appliance detects the file's fingerprints as the data leaves the organization. To prevent these false detections, you can exclude the file from any classification.

116
To exclude a file:

1 From the menu, select Policy, then select the protocol.
2 Under Fingerprint Groups, select the classification. You have at least one group here: Imported Classifications.
3 Under Rule name (on the right), click the classification to open the Edit Fingerprint Rule dialog box.
4 Select the location and click Add Exclusion to open the Select Rule Path dialog box.
5 Expand the classification until you see the file name.
6 Select the file name. The name appears in the Path field.
7 Select Enter file name or path, then click OK to close the Select Rule Path dialog box. The file name appears under Exclusion List in the Edit Fingerprint Rule dialog box.
8 Click OK to close the Edit Fingerprint Rule dialog box.

The fingerprints for the selected file are excluded from any further scanning.

Compliancy

As a result of increasingly stringent regulations, many organizations in the health care, finance and government sectors need to prevent the leaking of private and sensitive information. See also Data loss prevention on page 113.

Compliancy uses content libraries of key terms to ensure content complies with health care and privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Sarbanes-Oxley Act (SOX). The feature enforces compliancy where determined by policy, and reports any violations. You can:

Create policies against email and HTTP posting using the content libraries for groups of users. An HTTP posting occurs when a user attaches a document to an email message and sends the message via a web-based email service.
Create policies to support specific regulations such as HIPAA or the Privacy lexicon. This is done using compliance libraries, and by encrypting email and filtering the content of email messages to ensure that they comply with the regulations.
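The following is an added example of how a content-library check with per-library thresholds and actions can work, using the two example policies the guide gives for this feature (a Social Security Number and an account number such as A1-764532). It is not McAfee's own lexicon or engine: the libraries, the patterns (the guide only says the SSN is "a pattern of alphanumeric characters", so the NNN-NN-NNNN layout is assumed; and because the guide's sample account number has six digits after the hyphen although the text says seven, the pattern accepts six or seven), the thresholds and the sample messages are all constructed. The default primary action is allow-and-log, as the guide states below.

```python
"""Content-library scanning with per-library thresholds, modelled on the
Compliancy feature described above. Added example, not McAfee's lexicons:
the libraries, patterns, thresholds and messages are constructed here.
"""
import re
from typing import Dict, List

# Constructed content libraries. SSN layout NNN-NN-NNNN is an assumption;
# the account pattern follows "a letter, a digit, a hyphen, and 7 digits as in
# A1-764532" and also accepts the six digits the sample actually shows.
LIBRARIES: Dict[str, Dict[str, re.Pattern]] = {
    "Privacy": {
        "social_security_number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    },
    "Finance": {
        "account_number": re.compile(r"\b[A-Z]\d-\d{6,7}\b"),
    },
}

# Hits per library before the content is non-compliant (constructed values).
THRESHOLDS: Dict[str, int] = {"Privacy": 1, "Finance": 2}

# Action per library; the guide's default primary action is allow-and-log.
ACTIONS: Dict[str, str] = {"Privacy": "block", "Finance": "allow and log"}
DEFAULT_ACTION = "allow and log"


def scan(text: str, libraries=LIBRARIES) -> Dict[str, Dict[str, List[str]]]:
    """Matches per library and term, e.g. {"Privacy": {"social_security_number": [...]}}."""
    hits: Dict[str, Dict[str, List[str]]] = {}
    for library, terms in libraries.items():
        for term, pattern in terms.items():
            found = pattern.findall(text)
            if found:
                hits.setdefault(library, {})[term] = found
    return hits


def non_compliant_libraries(text: str, thresholds=THRESHOLDS) -> List[str]:
    """Libraries whose total hit count reaches the configured threshold."""
    hits = scan(text)
    return [lib for lib, terms in hits.items()
            if sum(len(v) for v in terms.values()) >= thresholds.get(lib, 1)]


def decide(text: str) -> str:
    """Most restrictive action among the violated libraries; blocking wins over logging."""
    violated = non_compliant_libraries(text)
    if not violated:
        return "allow"
    if any(ACTIONS.get(lib, DEFAULT_ACTION) == "block" for lib in violated):
        return "block"
    return DEFAULT_ACTION


def redact(text: str, libraries=LIBRARIES) -> str:
    """Replace matched values with the term name so logs and alerts never repeat the data."""
    for terms in libraries.values():
        for term, pattern in terms.items():
            text = pattern.sub(f"[{term}]", text)
    return text


# Constructed sample messages.
SENSITIVE = ("Hi, the patient's SSN is 123-45-6789 and accounts A1-764532 and "
             "B7-1234567 need review before the audit.")
HARMLESS = "Invoice ref C3-123 is attached; the claim number is 44-5566."

if __name__ == "__main__":
    print(decide(SENSITIVE), redact(SENSITIVE))
    print(decide(HARMLESS))
```

The redact step is worth keeping even where the action is only to log: an alert that repeats the matched value moves the sensitive data into the log store, which is usually less protected than the mailbox it came from.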
The following example policies prevent private information being sent without encryption:

Identify a Social Security Number by looking for a pattern of alphanumeric characters.
Identify an account by looking for a pattern (for example, a letter, a digit, a hyphen, and 7 digits as in A1-764532).

Compliancy can:

Examine email messages or HTTP postings against content libraries.
Report violations of policy that refer to specific pre-defined content libraries.

117
Take action against non-compliant email messages or HTTP postings.

You must enable content scanning before you can enable compliancy. To use this feature, select Policy protocol Content From Inside Compliancy in the navigation pane. You can:

Specify the action to take if content is non-compliant. The default primary action is to allow the content through and log its occurrence. For information about the available actions, see Actions on page 73.
Specify the alert to send if an email or HTTP posting is non-compliant. You can use the default alert, or configure your own version. See Editing alert messages on page 46.
Specify which content libraries to use to ensure compliance.
Specify the threshold(s) for non-compliance for email or HTTP postings scanned against each content library.

Editing the content libraries

You do not normally need to change the contents of content libraries. The content libraries are intended for general use by the appliance and therefore contain some information that is relevant only to some protocols. To change the contents:

1 In the navigation pane, select Policy protocol Compliancy.
2 Expand Compliancy to view the list of expressions and lexicons.
3 Select from the list.
4 In the right pane, read the editing guidelines to understand the structure of the file.
5 Use the icons in the toolbar (above) to edit the text.

Content scanner

The appliance can be configured to detect unwanted content in email messages by applying content rules to the files being scanned. If you disable content scanning, email compliancy does not work. For a detailed description of content scanning, see Scanning for content on page 146 and Content rules and rule groups on page 146.

To enable content scanning:

1 In the navigation pane, select Policy SMTP Content... Content Scanner.
2 To inherit settings from the global policy, see Step 12 on page 59.
3 If necessary, include document and database formats in content scanning.

118
4 If necessary, include text scanning into all attachments to scan any text strings within binary attachments.
5 If necessary, edit the text to replace the banned content. Use plain text or HTML format. You can use substitution variables. See Substitution Variables on page 310.

Scanner control

Large or complex files such as compressed files or .zip files can take some time to scan. Such files can be used to attack your network, deliberately slowing its performance. For these reasons, you can limit the size to which any file may be expanded and the depth of nesting.

When expanding a file, we recommend an upper limit of 500 MB.

The default maximum nesting depth is 100. If you intend to scan HTML files, set this value to two or more. For compressed files, nesting depth is rarely more than one: a single file or several files are compressed or zipped only once. An attacker might wrap an infected file several times inside zipped files within zipped files. If you set the nesting depth low, the appliance will not detect such files because it will not unwrap the zipped file completely. However, because deep nesting is unlikely to occur in normal cases, we recommend that you try a nesting depth of 10, blocking any files that exceed this nesting depth. Log the activity of the scanner control for a while before deciding whether to retain this value.

You can also specify the time that the appliance may spend scanning any file. When scanning a file on a server, we recommend 15 minutes maximum. A typical minimum value is one minute.

Depth of nesting in compressed files

To understand the effect of scanning to a depth of nesting, consider the next figure, which shows a compressed file that contains documents and a compressed file. That compressed file contains more documents and another compressed file, and so on.

A depth of two scans the non-compressed files inside a compressed file (only as shaded). The contents of any compressed files are not scanned.

119
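The two scanner-control limits discussed above, nesting depth and expansion size, are shown here in an added example that is not McAfee code. The depth numbering follows the guide's figure (depth 2 covers the files directly inside an attached archive, depth 3 those one archive further in), the limits default to the guide's suggested 10 levels and 500 MB, and the sample archives are constructed in memory. The expansion check reads each member against the remaining budget rather than trusting the size declared in the archive header, since that header is under the sender's control.

```python
"""Nesting-depth and expansion-size limits for compressed attachments, as in
the Scanner control section above. Added example, not McAfee code.
"""
import io
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

MAX_DEPTH = 10                     # the guide's suggested starting point
MAX_EXPANDED = 500 * 1024 * 1024   # 500 MB upper limit on expanded data


@dataclass
class ScanResult:
    scanned: List[str] = field(default_factory=list)  # non-compressed items examined
    expanded_bytes: int = 0                            # total bytes unpacked so far
    blocked: Optional[str] = None                      # reason, if the item was blocked


def scan_archive(data: bytes, max_depth: int = MAX_DEPTH, max_expanded: int = MAX_EXPANDED,
                 archive_depth: int = 1, prefix: str = "",
                 result: Optional[ScanResult] = None) -> ScanResult:
    """Walk a zip attachment, descending into nested zips until a limit trips.
    The attachment itself is level 1, so its members sit at depth 2."""
    result = result or ScanResult()
    member_depth = archive_depth + 1
    if member_depth > max_depth:
        result.blocked = f"{prefix or 'attachment'} nested deeper than {max_depth}"
        return result
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result.blocked = f"{prefix or 'attachment'} is corrupt"
        return result
    with archive:
        for info in archive.infolist():
            # Read at most the remaining budget plus one byte: the file_size
            # declared in the header is attacker-controlled and may lie.
            remaining = max_expanded - result.expanded_bytes
            with archive.open(info) as member:
                payload = member.read(remaining + 1)
            if len(payload) > remaining:
                result.blocked = f"expansion of {prefix + info.filename} exceeds {max_expanded} bytes"
                return result
            result.expanded_bytes += len(payload)
            path = prefix + info.filename
            if zipfile.is_zipfile(io.BytesIO(payload)):
                scan_archive(payload, max_depth, max_expanded, member_depth, path + "/", result)
                if result.blocked:
                    return result
            else:
                result.scanned.append(path)
    return result


def build_nested(levels: int) -> bytes:
    """Constructed sample: levels=3 gives outer{doc1.txt, inner.zip{doc2.txt, inner.zip{doc3.txt}}}."""
    data: Optional[bytes] = None
    for level in range(levels, 0, -1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"doc{level}.txt", f"document at level {level}\n")
            if data is not None:
                zf.writestr("inner.zip", data)
        data = buf.getvalue()
    return data


def build_bulky(size: int) -> bytes:
    """Constructed sample: one highly compressible member that expands to `size` bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * size)
    return buf.getvalue()


if __name__ == "__main__":
    for depth in (2, 3, 10):
        print(depth, scan_archive(build_nested(3), max_depth=depth))
    print(scan_archive(build_bulky(1_000_000), max_expanded=500_000))
```

Running it with depths 2, 3 and 10 against the three-level sample reproduces the figure the guide describes: at depth 2 only doc1.txt is scanned, at depth 3 doc2.txt as well, and in both cases the deeper archive is blocked rather than silently skipped, which is the action the guide recommends.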
A depth of three scans the non-compressed files inside a compressed file, plus the non-compressed files inside any compressed file that it contains (as shaded).

1 Select Scanner Control.
2 To inherit settings from the global policy, see Step 12 on page 59.
3 To specify any time restrictions, see Adding time-specific settings to non-global policies on page 60.
4 To specify the actions that the appliance must take when a detection occurs, see Actions on page 73.
5 Type suitable values in the remaining fields and set the actions for each field. An item can be a file or document. A file that contains several files or documents (such as a .zip file) is regarded as several items, not one item.
6 To customize or create any alert messages, see Editing alert messages on page 46.

Encrypted content

Because scanners cannot read encrypted content, such as password-protected .zip files, you must specify how the appliance handles this. If you allow encrypted content through, it must be scanned after it is decrypted, and this typically occurs at the user's computer.

1 In the navigation pane, select Policy SMTP Content policy Encrypted Content.
2 To inherit settings from the global policy, see Step 12 on page 59.
3 To specify any time restrictions, see Adding time-specific settings to non-global policies on page 60.
4 To specify the actions that the appliance must take when a detection occurs, see Actions on page 73. In particular, encrypted email can be forwarded to other devices for decryption. See policy-based relays in Delivery settings on page 87.
5 To customize or create any alert messages, see Editing alert messages on page 46.

Protected content

You can specify how the appliance handles email messages that contain data that cannot be scanned because it is protected in some way, for example, by password. The Protected Content option applies only when:

You have created a content rule and selected a file format from:
Databases
Documents
Graphics/Presentations
Spreadsheets
You have enabled the precise format for that document, database, graphics or presentation package, or spreadsheet. For example, if you have enabled scanning for documents, but only for Microsoft Word for Windows 2.0 documents, and protected content is found in a Microsoft Word for Windows 1.x document, the protected content option will not be applied.
The Include document and database formats in content scanning option is enabled in Content Scanner.

1 In the navigation pane, select Policy SMTP Content... Protected Content.
2 To inherit settings from the global policy, see Step 12 on page 59.
3 To specify any time restrictions, see Adding time-specific settings to non-global policies on page 60.
4 To specify the actions that the appliance must take when a detection occurs, see Actions on page 73.
5 To customize or create any alert messages, see Editing alert messages on page 46.

Signed content

Whenever information is sent electronically, it might be accidentally or wilfully altered. To overcome this, some email software uses a digital signature, the electronic form of a handwritten signature. This extra information is added to a sender's message, and identifies and authenticates the sender and the information in the message. It is an encrypted summary of the data. Typically, a long string of letters and numbers appears at the end of a received email message.

The email software re-examines the information in the message, and creates a digital signature. If that signature is identical to the original, the recipient can be sure that the data was not altered.

If the message contains a virus, bad content, or is too large, the appliance might clean or remove some part of it. The original digital signature is now broken, and its signature is invalidated although the message is still valid and usually readable.
Now the recipient cannot rely on the contents of the message at all because the contents might also have been altered in other ways. Signed email messages are only quarantined if a virus or banned content is detected within the message. Signed messages are not quarantined just because the appliance detects that the message has a digital signature. 1 In the navigation pane, select Policy SMTP Content From Inside or From Outside Signed Content. 2 To inherit settings from the global policy, see Step 12 on page 59. 3 To specify the actions that the appliance must take when a detection occurs, see Actions on page 73. 4 Customize or create the alert messages. See Editing alert messages on page 46. 121
If you select Quarantine the original mail or Quarantine the modified mail as the secondary action, signed email messages are only quarantined if a virus or banned content is detected within the message.

Corrupt content

Because scanners and other applications can have difficulty reading corrupt content, specify how the appliance will handle this type of content.

1 In the navigation pane, select Policy SMTP Content From Inside or From Outside Corrupt Content.
2 To inherit settings from the global policy, see Step 12 on page 59.
3 To specify any time restrictions, see Adding time-specific settings to non-global policies on page 60.
4 To specify the actions that the appliance must take when a detection occurs, see Actions on page 73.
5 To customize or create any alert messages, see Editing alert messages on page 46.

Disclaimer text

A disclaimer is text (an explanation, information, a legal statement, or warning) that the appliance adds to all email messages. The appliance enables you to add disclaimers to inbound and outbound email messages, and to email messages for specific groups of users. For example, you can:

Add a disclaimer to outbound messages, to limit the liability posed by statements that might be legally damaging, for example, those containing offensive remarks. Disclaimers are also useful for renouncing the contents of a message as the view of the author, not of the organization, to avoid any damaging publicity.
Add a disclaimer to inbound messages, making staff aware that all email messages and attachments are being scanned for viruses and content.
Add a disclaimer that protects your organization against costly misunderstandings.

A disclaimer can be added to all incoming and outgoing email messages. The type and position of the disclaimer can be configured, for example at the end of each message.
Caution: The appliance cannot add a disclaimer to an email message that contains unsupported character sets, such as the Hebrew character set, ISO-8859-8-I.

In the navigation pane, select Policy SMTP Content From Inside or From Outside Disclaimer to use this feature.

122
Alert settings

The appliance sends a message to clients when a specific event occurs. Although a default message is available, you can specify the header and footer text for alert messages that the appliance issues upon detecting unwanted content.

1 In the navigation pane, select Policy SMTP Content From Inside or From Outside Alert Settings to use this feature.
2 Specify whether to use HTML or rich text format (RTF), then set up the alert, give it a name, and edit the header and footer as required. You can use the substitution variables described in Appendix C, Substitution Variables.

For more information, see Alert messages on page 286.

File filtering

You can configure the appliance to filter different file types. To restrict the use of certain file types:

1 In the navigation pane, select Policy SMTP Content From Inside or From Outside File Filtering.
2 To inherit settings from the global policy, see Step 12 on page 59.
3 Set the period for which this rule will apply. See Applying time restrictions to rules and settings on page 79.
4 Add the rules. See Adding a new file filtering rule on page 123.
5 Select an action to take when no file filtering applies.
6 To customize or create an alert message, see Editing alert messages on page 46.

Adding a new file filtering rule

When creating file filtering rules, you can:

Filter by file name. For example, some graphic file formats such as bitmap (.BMP) use large amounts of computer memory and can affect network speed when transferred. You might prefer that users work with other more compact formats such as .gif or .jpeg. If your organization produces computer software, you might see executable (.EXE) files moving around the network. Within another organization, those files might be games or illegal copies of software. Similarly, unless your organization regularly handles movie files (.MPEG or .mpg), they are probably for entertainment only.
Filter by file format. For example, much of your organization's most valuable information, such as designs and lists of customers, is in databases or other special files, so it is important to control the movement of these files. The appliance examines files based on their true content.

123
Any file can be made to masquerade as another. A person with malicious intent might rename an important database file called CUSTOMERS.MDB to NOTES.TXT and attempt to transfer that file, believing that it cannot be detected. Fortunately, you can configure the appliance to examine each file based on its content or file format, and not on its file name extension alone.

Size of the file. For example, although you might allow graphic files to be included in email messages, you probably want to restrict the size of graphic files that can be sent by email.

When you create settings to control the use of any file, remember that some departments within your organization might need fewer constraints. For example, a marketing department might send large graphic files for advertising.

To add a new file filtering rule:

1 Click Create in the File Filtering dialog box to open the Create Rule dialog box.
2 Type a suitable Rule name for your new rule. Remember that over time, your list of rules might become large, so careful naming is important.
3 Under When the rule applies..., select an action.
4 To act on a particular file, select When the file name is, and click Create or Edit.
5 Type the file name in the filename filter dialog box. Case is not important. For example, you may type GOODGAME.EXE or goodgame.exe.
6 To act on a family of files, use the wildcard symbol *. For example:
*.EXE refers to all files that have the file name extension .exe, such as GAME.EXE and ABC.EXE.
FILE.* refers to files such as FILE.EXE, FILE.AB, FILE.TXT.HTM, FILE. (which has a final dot), and FILE.1 but not FILE alone.
7 To act on files of a particular format, select When the file format is. In the table below the checkbox, select a format in the left list and then select individual formats in the right list. Icons in the left list change as you select or deselect items in the right list:
All formats are selected in this group.
Some formats are selected in this group.
No formats are selected in this group.
You can use Select all and Clear to select and deselect formats quickly.
8 To act on files of a certain size, select When the file size is and set the details.

The selections in Step 4 to Step 8 act in combination. For example, to create a rule that acts on large program files, detect *.EXE files that are greater than 10 MB.

124
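The following is an added example, not McAfee code, of a rule list that combines the three conditions above: a file name wildcard with exactly the semantics the guide gives for * (FILE.* matches FILE. and FILE.1 but not FILE, case ignored), a format detected from the file's leading bytes rather than its extension, and a size bound, with the conditions on one rule acting in combination and rules applied in list order. The signature table is a small illustrative subset of well-known values, and the rules and sample attachments (including a database renamed to NOTES.TXT, as in the guide's scenario) are constructed.

```python
"""File filtering rules that combine file name wildcards, true file format
(detected from content, not extension) and size, as described above. Added
example, not McAfee code: the rules, signatures and sample files are
constructed, and the format table is a small illustrative subset.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Leading-byte signatures for a few formats as (name, offset, bytes). Real
# scanners use far larger tables; these are well-known values for illustration.
SIGNATURES: List[Tuple[str, int, bytes]] = [
    ("Executable (PE/DOS)", 0, b"MZ"),
    ("Zip archive", 0, b"PK\x03\x04"),
    ("GIF image", 0, b"GIF8"),
    ("JPEG image", 0, b"\xff\xd8\xff"),
    ("Bitmap image", 0, b"BM"),
    ("Microsoft Access database", 4, b"Standard Jet DB"),
]


def detect_format(data: bytes) -> Optional[str]:
    """Name the format from content alone, so a renamed CUSTOMERS.MDB is still a database."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def matches_name(filename: str, pattern: str) -> bool:
    """Case-insensitive match where * stands for any run of characters (including
    none), which gives the guide's semantics: FILE.* matches FILE. and FILE.1 but not FILE."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, filename, re.IGNORECASE) is not None


@dataclass
class Rule:
    name: str
    action: str                         # what to do when every set condition holds
    name_pattern: Optional[str] = None  # "When the file name is"
    formats: Optional[Set[str]] = None  # "When the file format is"
    min_size: Optional[int] = None      # "When the file size is" greater than, in bytes

    def applies(self, filename: str, data: bytes) -> bool:
        """Conditions act in combination: every configured one must hold."""
        if self.name_pattern is not None and not matches_name(filename, self.name_pattern):
            return False
        if self.formats is not None and detect_format(data) not in self.formats:
            return False
        if self.min_size is not None and len(data) <= self.min_size:
            return False
        return True


MB = 1024 * 1024

# Constructed rule list; order matters, the first matching rule wins.
RULES: List[Rule] = [
    Rule("Block renamed databases", "block", formats={"Microsoft Access database"}),
    Rule("Quarantine large programs", "quarantine", name_pattern="*.EXE", min_size=10 * MB),
    Rule("Log programs", "allow and log", name_pattern="*.EXE"),
    Rule("Block large graphics", "block", formats={"Bitmap image", "GIF image", "JPEG image"},
         min_size=10 * MB),
]


def evaluate(filename: str, data: bytes, rules: List[Rule] = RULES,
             default: str = "allow") -> Tuple[Optional[str], str]:
    """Return (rule name, action) of the first rule that applies, or (None, default)."""
    for rule in rules:
        if rule.applies(filename, data):
            return rule.name, rule.action
    return None, default


# Constructed sample attachments (headers only; padded where size matters).
RENAMED_DB = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64   # sent as NOTES.TXT
SMALL_EXE = b"MZ" + b"\x00" * 200
BIG_EXE = b"MZ" + b"\x00" * (11 * MB)
BIG_BMP = b"BM" + b"\x00" * (11 * MB)

if __name__ == "__main__":
    for name, blob in [("NOTES.TXT", RENAMED_DB), ("goodgame.exe", SMALL_EXE),
                       ("setup.EXE", BIG_EXE), ("photo.bmp", BIG_BMP), ("logo.gif", b"GIF89a...")]:
        print(name, evaluate(name, blob))
```

Two points from the guide show up in the rule order: the size-bounded *.EXE rule sits above the plain *.EXE rule, because the first rule that applies wins and the more specific rule would otherwise never fire; and the database rule has no name condition at all, which is what makes the NOTES.TXT rename irrelevant.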
Managing the file filtering rules

Buttons on the File Filtering dialog box enable you to manage the rules.

Table 4-8 File filtering dialog box buttons

Button               Action
Create               Create a new file filtering rule.
Edit                 Edit the selected rule.
Delete               Delete the selected rule.
Move up, Move down   Change the priority of the selected rule. Rules at the top of the list are applied first.

Mail size filtering

Large email messages, especially those with large attachments or many attachments, can seriously affect the performance of a network. When you apply settings to control these, we recommend that you consider carefully whether individual policies need to differ from a global policy. The constraints might seriously disrupt the working of some departments within your organization.

The appliance can remove attachments from email messages if they exceed a size or quantity that you specify. The appliance can replace the discarded attachments by a small text file, which informs the recipient that attachments were removed. You can also specify actions against email messages that exceed a specified size overall.

1 In the navigation pane, select Policy SMTP Content From Inside or From Outside Mail Size Filtering.
2 To inherit settings from the global policy, see Step 12 on page 59.
3 To specify any time restrictions, see Adding time-specific settings to non-global policies on page 60.
4 To specify the actions that the appliance must take when a detection occurs, see Actions on page 73.
5 To customize or create any alert messages, see Editing alert messages on page 46.

Most email messages are based on the MIME format, and have several parts: one for the message body, and one for each attachment. However, some messages encode all their attachments as a single uuencoded attachment. In this case, you can choose only to remove all attachments.

HTML settings

You can configure how the appliance handles certain elements and components embedded in HTML data.
When users view a webpage, their browsers can download ActiveX components, MacroMedia Flash objects, Java applets, and scripting languages such as VBScript and JavaScript. Such objects can sometimes contain potentially unwanted programs. Although the anti-virus detection finds many unwanted objects, you can provide extra security by choosing to block some or all such objects.

Webpages can also contain metadata, comments, and links (URLs) to other pages or websites. If you are concerned that these areas might harbor potentially unwanted programs or undesirable content, you can choose to scan them too.

125
To use this feature, select Policy SMTP Content From Inside or From Outside HTML Settings in the navigation pane.

Mail settings

Most email messages use MIME format, and this complex format has often been exploited to transfer potentially unwanted programs. You can specify how the appliance handles email messages that use the MIME format:

The action that the appliance must take when a partial message (a message that has been divided into smaller parts for sending as several separate email messages) is detected.
The action that the appliance must take when a message contains a reference to an external resource and the scheme needed (usually FTP) to retrieve that resource. These messages are known as external-body messages.
The alert message to use. You can also customize the alert text.
The prefix for the subject line of a message.
How the appliance handles MIME messages that have corrupt header files.
The position of the alert and disclaimer attachments. The text can appear in the body text of the email message or be included as an attachment.
Re-encoding options.
How to handle MIME header files that contain null characters.
How many MIME parts a message can have before the appliance considers it to be corrupt or a possible denial-of-service attack.
The MIME types that must be treated as text attachments or binary attachments.
The preferred transfer-encoding method for text parts.
Encoding of 7-bit text.
The character set that must be used by default for decoding.

To specify the mail settings:

1 In the navigation pane, select Policy SMTP Content From Inside or From Outside Mail Settings.
2 To inherit settings from the global policy, see Step 12 on page 59.
3 To specify any time restrictions, see Adding time-specific settings to non-global policies on page 60.
4 To specify the actions that the appliance must take when a detection occurs, see Actions on page 73.
5 If necessary, specify the advanced MIME settings.
Caution Change the settings of these advanced features only if you understand the effects that your changes can cause. 6 To customize or create any alert messages, see Editing alert messages on page 46. 126
SMTP protocol policies

Use Policy | SMTP | Advanced Policies | Protocol in the navigation pane to set policies that control the communication between the appliance and hosts in your inside and outside networks. You can configure the following advanced policy features:

- Sender authentication and reputation.
- Greylisting on page 135.
- Permitted recipients and directory harvest prevention on page 135.
- Transparency options on page 136.
- Denial of Service prevention on page 138.
- Email address configuration on page 139.
- Message processing on page 141.
- Data Command options on page 142.

Sender authentication and reputation

Many email attacks are made by individuals or organizations that you do not recognize, or that masquerade as known senders. To counter such attacks, the appliance offers several methods that examine the sender's details. The methods are available in the navigation pane, at Policy | SMTP | Advanced Policies | Protocol | From Inside or From Outside | Sender Authentication and Reputation. The methods are:

- Reputation Service. The appliance uses an online service to verify whether the sender's IP address has recently sent email that contained viruses, phish, or spam, or was part of a directory-harvest attack. See Reputation service on page 128.
- Real-time Blackhole List (RBL). The appliance compares senders against lists of potential sources of spam. You specify the organizations that provide these regularly updated lists. See RBL on page 129.
- Sender Policy Framework (SPF). The appliance checks the validity of the domain hosts that sent the message, preventing forged addresses in the SMTP MAIL FROM (Return-Path). The appliance can also add its own SPF result header to each email message. See SPF on page 129.
- SenderID. The appliance verifies the IP address of the sender with the stated owner of the sending domain. The appliance can also add a result header to each email message. See SenderID on page 130.
- Domain Keys Identified Mail (DKIM). The appliance examines a DKIM header inside the email message, then requests the sender's public key to verify the sender's domain and the integrity of the message. See DKIM on page 131.

The most efficient methods are the Reputation Service and the Real-time Blackhole List. Their lookup time is typically short, they avoid the need for any scanning or analysis of unwanted email messages, and they prevent further attacks from the same source.

After deciding which methods to use, you can decide how the appliance responds to any message that fails a check; for example, the appliance can reject the message. After the appliance tries one method, it moves on to the next selected method. The action Allow through is slightly different in this case: it means "Allow the email message to be examined by the next method."

Where the appliance is preceded by Mail Transfer Agents (MTAs), several of the methods check the IP address of the MTA. To allow these checks to work correctly, you can specify the number of hops from the appliance to the MTA. The appliance then parses the email headers to find the original sender and runs a check against that IP address.

Scoring

If no single method is entirely effective against most attacks, or some methods work better than others in your network, you can refine the detection by associating a score with each method instead. A score can be a positive or negative number. After running your selected methods, the appliance examines the cumulative score. Again, you can choose how the appliance responds on reaching or exceeding the threshold, for example, by denying the connection.

Tarpit

To deter zombie networks sending spam, the appliance can delay the response to email messages. Mail servers normally send the message again later, but typically zombies do not. The default delay is five seconds. We do not recommend the tarpit feature, because it slows the receipt of all email.

Reputation service

The reputation service uses third-party reputation-based filters to identify connection and content threats before they reach your network. On receiving a connection request for incoming email, the appliance forwards the IP address to an online service, the Postini Threat Identification Network (PTIN), which determines the reputation of IP addresses.
PTIN is a real-time information service that identifies malicious computers by their behavior, such as whether they have recently launched email attacks (involving viruses, phishing, spam, or directory-harvest attacks). For more information, visit www.postini.com. The performance of the appliance is not adversely affected by performing each query, because the appliance uses caching techniques. The reputation service functions only if the Anti-Spam Module is enabled.

The reputation service:

- Assesses the probability that a message from an IP address is unwanted email.
- Enables you to decide what to do with any identified threats. See Actions on page 73.
- Identifies senders whose email messages you want to receive.
- Identifies senders whose email messages you want to block.

The service cannot be easily defeated, because the reputation service database does not allow senders to certify their own good reputation.

To use this feature:

1 Ensure that anti-spam is enabled.
2 Select Policy | SMTP | Advanced Policies | Protocol | From Inside or From Outside in the navigation pane.
3 Select Sender Authentication and Reputation.
4 Enable the reputation service, and specify the action to take if a message is a threat.

You might need to reconfigure your firewall to allow the appliance to communicate with the Reputation Service. To determine whether this is necessary, select Troubleshoot | Diagnostics | System Configuration Tests in the navigation pane, and run the test for the Reputation Service. The appliance tries to make a static query to the reputation service. If the query fails, the appliance lists the IP addresses to which it requires DNS access.

RBL

The appliance can block unwanted email messages from specific sources by comparing the IP address of an email source against lists of potential sources of spam. The real-time blackhole or block lists (RBLs) are maintained by organizations such as Spamhaus. An RBL typically contains millions of website addresses (URLs), and is updated many times every day.

To use this feature, select Policy | SMTP | Advanced Policies | Protocol | From Inside or From Outside in the navigation pane, then select Sender Authentication and Reputation. You can:

- Enable the use of RBLs.
- Specify the names of the servers for obtaining RBLs. See Making lists on page 45 for more information.
- Specify the action to be taken if a message is a threat.
- Change the score associated with a message.

SPF

Sender Policy Framework (SPF) prevents forgery of a sender's address by verifying the envelope sender address, which is used for delivering email messages.
Like posted mail, email messages have at least two types of sender address: one on the envelope (the envelope sender address) and one in the letterhead (the header sender address):

- The envelope sender address (also known as the return-path) is used to transport the message from mail server to mail server, for example, to return the message to the sender in the case of a delivery failure. The email user does not normally see the envelope sender address.
- The header sender address is seen by the email user as the From or Sender address. Generally, mail servers do not consider the header sender address when delivering email. The header sender address can therefore be forged.

SPF allows the domain owner to specify which mail servers send mail from the domain. The domain owner publishes this information in an SPF record in the domain's DNS zone. See Example of an SPF record. On receiving a message claiming to come from that domain, the appliance checks whether the message complies with the domain's SPF information. If the message comes from an unknown server, it can be considered a fake. The appliance can take various actions against the email message depending on whether the verification passed or failed.

After verifying an email message, the appliance can optionally attach its own header to the email message. The Received-SPF header indicates to other mail servers in your organization that the email message has been verified. For example:

Received-SPF: pass (include.example.com: domain of mailer@include.example.com designates 192.168.254.200 as permitted sender) receiver=include.example.com; client_ip=192.168.254.200; envelope-from=mailer@include.example.com;

For more information about SPF, visit the website www.openspf.org.

To use this feature, select Policy | SMTP | Advanced Policies | Protocol | From Inside or From Outside in the navigation pane, then select Sender Authentication and Reputation. You can:

- Enable SPF.
- Specify the action to be taken if a message is a threat.
- Change the score associated with a message.
- Add a result header to the email.

Example of an SPF record

The Example organization sends email via its server, server1, in addition to its incoming mail server. The domain owner of example.com publishes an SPF record of this form:

example.com. TXT "v=spf1 mx a:server1.example.com -all"

The parts of the SPF record are:

v=spf1                   SPF version 1 is in use.
mx                       The incoming mail servers (MXes) of the domain are authorized to send mail.
a:server1.example.com    server1.example.com is authorized to send mail.
-all                     All other servers are not authorized.

SenderID

SenderID is a technique to counter spoofing, that is, forging a sender's address on email messages. Spoofed email is often used in phishing attacks. SenderID is also known as SPF/PRA (Sender Policy Framework/Purported Responsible Address).
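An evaluation of the record above, added here as an example and not McAfee code: it resolves the mechanisms on this page (mx, a:<host>, -all, plus ip4) against a constructed in-memory DNS table (DNS_TABLE, standing in for real lookups) and builds a Received-SPF header of the form shown earlier.

```python
"""Minimal SPF evaluator for the example.com record on this page.

Added example, not McAfee code. DNS_TABLE is a constructed stand-in for
real DNS; only the mechanisms mx, a[:host], ip4 and all are implemented,
with the qualifiers + - ~ ?.
"""
import ipaddress

# Constructed DNS data for example.com (not real records).
DNS_TABLE = {
    ("example.com", "TXT"): ["v=spf1 mx a:server1.example.com -all"],
    ("example.com", "MX"): ["mx1.example.com"],
    ("mx1.example.com", "A"): ["192.168.254.200"],
    ("server1.example.com", "A"): ["192.168.254.201"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the constructed answers for (name, record type), or []."""
    return DNS_TABLE.get((name.lower(), rtype), [])


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for token in parts[1:]:
        qualifier = "+"                      # default qualifier is pass
        if token[0] in QUALIFIERS:
            qualifier, token = token[0], token[1:]
        mech, _, arg = token.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms


def check_host(client_ip, domain):
    """SPF result for client_ip sending MAIL FROM <...@domain>."""
    ip = ipaddress.ip_address(client_ip)
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        return "none" if not records else "permerror"
    for qualifier, mech, arg in parse_spf(records[0]):
        if mech == "all":
            matched = True
        elif mech == "a":                    # a:<host>, or the domain itself
            matched = str(ip) in lookup(arg or domain, "A")
        elif mech == "mx":                   # any A record of any MX host
            matched = any(str(ip) in lookup(mx, "A")
                          for mx in lookup(arg or domain, "MX"))
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"               # mechanism not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched, no "all" term


def received_spf_header(client_ip, domain, envelope_from, receiver):
    """Build a Received-SPF header in the layout shown on this page."""
    result = check_host(client_ip, domain)
    verb = "designates" if result == "pass" else "does not designate"
    return (f"Received-SPF: {result} ({domain}: domain of {envelope_from} "
            f"{verb} {client_ip} as permitted sender) receiver={receiver}; "
            f"client_ip={client_ip}; envelope-from={envelope_from};")
```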
With SenderID, the appliance determines the Purported Responsible Address (PRA) by examining the contents of several header fields, namely From, Sender, Resent-From, Return-Path, Resent-Sender, and Received. Some headers might appear more than once in a mail header as an email is passed from server to server, making this a more complex process.

SenderID seeks to verify that every email message originates from the Internet domain from which it appears to be sent. SenderID checks the address of the server that sent the email against a list of servers that the domain owner has authorized to send email. The domain owner typically keeps the list on its own domain servers or gives this information to its Internet Service Provider (ISP). If the SenderID verification passes, the message is delivered as normal. If the check fails, the appliance can apply various actions against the email message.

To use this feature, select Policy | SMTP | Advanced Policies | Protocol | From Inside or From Outside in the navigation pane, then select Sender Authentication and Reputation. You can:

- Enable SenderID.
- Specify the action to be taken if a message is a threat.
- Add a result (Received-PRA) header to the email, giving details of the PRA result (pass or fail).
- Change the score associated with a message.

DKIM

The Domain Keys Identified Mail (DKIM) technique uses RSA private and public keys and DNS TXT records to enable the recipient to verify the identity of an email sender. The sender signs the email message with a private key by adding an extra header, the DKIM-Signature header. The header provides the email message with a cryptographic signature.

DKIM verification

The appliance examines the DKIM-Signature header in the email message for details of the sender, then issues a query to retrieve the public key, and checks the cryptographic signature. This ensures that no alterations were made to the email headers and body during transit. The appliance can take various actions against the email message depending on whether the verification passed or failed.

To use this feature, select Policy | SMTP | Advanced Policies | Protocol | From Inside or From Outside in the navigation pane, then select Sender Authentication and Reputation. You can:

- Enable DKIM Verification.
- Specify the action to be taken if a message is a threat.
- Change the score associated with a message.
- Add an extra header to the email message to indicate the result. See Extra header.
Extra header

After the appliance has examined the signature, it can attach a further X-header to the email message. The header indicates to other devices or mail servers in your organization whether the email has been verified. For example:

X-NAI-DKIM-Results: 192.168.254.200 header.from=<user1@example.com>; verification=success; key strength=1024 bits; result=pass

DKIM signing

To use this feature, select Policy | SMTP | Advanced Policies | Protocol | From Inside or From Outside in the navigation pane, then select Sender Authentication and Reputation. Enable DKIM signing, and specify various details for signing, such as domain name, private key, and selector. Several options are available when signing email:

- Selector and Domain Name. During verification, the recipient extracts your Selector and Domain Name from the signature to retrieve the public key associated with the appliance's private signing key. For example, if your Selector is mail and your Domain Name is example.com, the recipient must issue a DNS query for the TXT record of mail._domainkey.example.com.
- Canonicalization describes how formatting is handled within the headers and body of the email message. During transit, mail servers might change some parts of the email message known as white space, typically tabs, spaces, and end-of-line characters. When the recipient generates the hash from the message, such changes result in a different hash, so the message will not verify successfully. If you specify relaxed canonicalization, the appliance creates the signature after ignoring much of the white space. Then any such changes to the email will likely have no effect, allowing the recipient to verify the message successfully. Simple canonicalization creates a signature based exactly on the original content of the message and therefore tolerates almost no changes to the email message.
- Signed Headers. The appliance usually creates the cryptographic signature based on all the headers in the email message. However, you can choose from common headers such as Date and Subject, or type your own header names, separated by colons. The From header is mandatory and is always signed. Header names are in English only.
- Signing Identity. The Signing Identity is used to delegate signing responsibilities to other users or agents (such as a mailing list manager). The value can be either a full email address (such as mailer@domain1.example.com or mailer@example.com) or an email address with no local part (such as @domain1.example.com). The domain part of the signing identity must be the same as the Domain Name (described earlier), or one of its subdomains. In most cases, the signing identity is not used.
- Expiry. You can specify a date for the expiry of the signature. If the email message is presented for verification after the specified date, verification fails.
Example DKIM Signature

The settings in the Key Signing Options dialog box are:

Domain Name           example.com
Selector              mail
Signing Key           mykey (the private key)
Canonicalization      header=simple; body=relaxed
Sign These Headers    All Headers
Key expiry            Eternal

These settings create a signature of the form:

DKIM-Signature: v=0.8; a=rsa-sha256; d=example.com; s=mail; c=simple/relaxed; t=1117574938; h=from:to:subject:date; bh=klz6kar4behqqim3kdreyk84usrieaiyesvvrlxkou; b=tvjwl6m1uovneigl+byqb7kb4nn9mxmwlfomvx4a8ffprj3x0drve yqocwnxrf5kxky5o6u/s0cnnlvyjgd68w+we7rg7yhlqv9nisgfpnchh SPZV58v6NtIs4L7VXMpC1UBOLQm57wSCBDwPCNfx62m/v2VJpABQMb694Uzl+k=

The signature has the following information:

- The version (v) of the protocol with which the email message was signed is 0.8.
- The cryptographic algorithm (a) is RSA-SHA256.
- The domain name (d) is example.com.
- The selector (s) is mail.
- The canonicalization (c) is simple for the mail header, and relaxed for the body.
- The time stamp (t), stating when the email was signed.
- The headers (h) that contain the from, to, subject, and date information are signed in this email message.
- The hash (bh), derived from the body of the email message.
- The cryptographic signature of the body (b) of the email message.

The verifier then needs to look up a DNS TXT record for mail._domainkey.example.com. Here, mail is the selector (s) value, and example.com is the domain (d) value. The DNS TXT record entry might look like this example:

mail._domainkey IN TXT "p=migvma0gcsqgsib3dqebaquaa4gdadcbmqkbkqcmxbphlqpjs356vsinw0srr1rtaet jv4wi3cmenaj4abrsjvy1/k90in4vp9j8ypowkebybpnqfditgfojeus5eaczg8vp+ux5y Oeddo3bLjL10HsSWhKFfsjSTyehbKqiGbcP35Z1ktxZ0WEJl2nUuHjU2HgJxYARHLk28DQ xcwa692dwtr0kzvkmepj/2s8caweaaq=="

where p= contains the public key derived from the private signing key, mykey. The tags in the DNS TXT record are defined in Creating DNS TXT records for use with DKIM.
Creating DNS TXT records for use with DKIM

This section describes the DKIM tags of the DNS record.

Table 4-9 Tags for the DNS record

v=dkim1 (optional)
    If present, this must be the first entry in the TXT record.

h (optional)
    Hashing algorithm registry. List of acceptable hashing algorithms for generating the signature. Acceptable values are sha1, sha256, and sha1:sha256.

p (mandatory)
    Public key. Normally this is the public key for the private key that generated the signature. p=; means the key has been revoked.

g (optional)
    Granularity of the key. If present, this value must match the local part of the signing identity tag (i=) of the DKIM signature (or its default value, the empty string, if there is no signing identity tag in the DKIM signature), with a single, optional * character (wildcard) that matches a sequence of any number of characters. The default is g=*;. Acceptable values are g=;, g=*; or g='local part of email address'. g=; means no value is given for the g tag. An asterisk in the g tag means any number of characters. If g=;, the signature must not have a signing identity, because this results in failure. If g=; and the signature has no signing identity, g=; has no effect. If g has a value other than g=; or g=*;, the value of g must match the local part of the signing identity; otherwise verification fails with a Public key user granularity error. For example, if g=mail*, the local part of the signing identity must begin with mail, for example, Mail.manager@smtp.domain1.dom.

t (optional)
    Selector flag registry. Acceptable values are t=s; t=y; and t=y:s.
    t=y    The public key is in testing mode. Even if the DKIM signature fails verification, it is considered successful because it is in this mode. To aid diagnosis, the appliance adds the failure reason to the email header and states that the key is in test mode.
    t=s    The domain in i in the signature must be the same as the value of d. That is, no subdomains are allowed to use the key.
    t=y:s  The key is in testing mode and no subdomains are allowed.

k (optional)
    Key type registry. Type of key used in the p tag. Currently, the only supported value is rsa.

s (optional)
    Service type registry. List of service types to which this selector can apply. Acceptable values are email, or * (default). If the value is neither, the appliance fails to verify the signature, citing a Public key service type error.

n (optional)
    Notes for the DNS record. These are rarely used, because the DNS TXT record has a limited length to hold the public key. The appliance ignores this tag when verifying a signature.
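The rules of Table 4-9 applied in code, as an added example (not McAfee code): given the tags of a DKIM-Signature and the tags of the TXT record that would be fetched from <selector>._domainkey.<domain>, it returns "ok" or the failure reason the table names, and treats t=y testing mode the way the table describes. DNS is not consulted; the records are passed in as parsed tag dicts, and the failure strings other than the two the table quotes are assumed wording.

```python
"""Key-record checks from Table 4-9 for DKIM verification.

Added example, not McAfee code. Only the tag rules described on this page
are implemented; the RSA signature check itself is out of scope here.
"""
import fnmatch


def parse_tags(text):
    """Split a 'tag=value; tag=value' string into a dict (whitespace removed)."""
    return {k.strip(): "".join(v.split()) for k, v in
            (item.split("=", 1) for item in text.split(";") if "=" in item)}


def dns_query_name(sig):
    """Name of the TXT record the verifier fetches: <selector>._domainkey.<domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"


def _key_record_problem(sig, record, flags):
    """Return "ok" or the first rule of Table 4-9 that the record breaks."""
    if "v" in record and next(iter(record)) != "v":
        return "v= tag present but not first in record"
    if record.get("v", "DKIM1").upper() != "DKIM1":
        return "unsupported key record version"
    if not record.get("p"):                       # p=; means the key is revoked
        return "key revoked (p= is empty)"
    if record.get("k", "rsa").lower() != "rsa":   # only rsa is supported
        return "unsupported key type"
    if record.get("s", "*") not in ("*", "email"):
        return "Public key service type error"
    # h= lists the hash algorithms this key may be used with, e.g. sha1:sha256.
    sig_hash = sig.get("a", "rsa-sha256").partition("-")[2] or "sha256"
    if sig_hash not in record.get("h", "sha1:sha256").split(":"):
        return "hash algorithm not permitted by key record"
    # i= defaults to @<d>; its local part is what g= is matched against.
    identity = sig.get("i", "@" + sig["d"])
    local, _, identity_domain = identity.partition("@")
    if "s" in flags and identity_domain.lower() != sig["d"].lower():
        return "subdomain not allowed by t=s"
    granularity = record.get("g", "*")
    if granularity == "":
        # g=; fails only when the signature actually carries a signing identity.
        return "Public key user granularity error" if "i" in sig else "ok"
    if not fnmatch.fnmatchcase(local.lower(), granularity.lower()):
        return "Public key user granularity error"
    return "ok"


def check_key_record(sig, record):
    """sig and record are tag dicts (see parse_tags). Returns "ok" or a reason."""
    flags = record.get("t", "").split(":")
    reason = _key_record_problem(sig, record, flags)
    if reason != "ok" and "y" in flags:
        # t=y: the result counts as success, but the reason is recorded for diagnosis.
        return f"ok (key in testing mode; {reason})"
    return reason
```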
Example

This is an example of a DNS TXT record (BIND version 9 entry):

key1024._domainkey IN TXT "t=s; k=rsa; p=migfmib3dn6inaaq34dylq... D4QaB"

where:

key1024    The name of the selector.
p=         The public key. The string of characters has been shortened for clarity.
t=s        No subdomains are allowed in the signing identity.
k=rsa      The key type is RSA.

The record must be on a single line.

Greylisting

Zombies typically cannot resend email messages, so their spam email messages are blocked without the need for scanning. Genuine senders retry, often many times over several hours, or even days. When the appliance next encounters the attempt, it allows the email to proceed. Thus, genuine, regular senders are not delayed when sending further email.

To avoid delaying trusted senders from outside networks, we recommend that you configure your policies to prevent greylisting being applied to those policy groups. Do this using Policy | SMTP | Advanced Policies | Protocol | From inside or From outside | <policy group name> | Greylisting Service in the navigation pane. See Greylisting service on page 101.

Additionally, configure your policies to handle SMTP callback requests. This overcomes delays caused by anti-spam measures on other devices. If an email server is configured to verify senders, it issues an SMTP callback, typically an email message with a null sender, before accepting an outgoing email message. If the appliance rejects such return email at the RCPT TO phase, all outgoing email is unnecessarily delayed. When this feature is selected, the appliance postpones the Temporary Service Error until the later DATA phase. Because SMTP callbacks complete their delivery attempt before the DATA phase, the SMTP callback is successful. You need to enable the greylisting feature, by selecting Configure | SMTP | Greylisting Service in the navigation pane.
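A simplified greylisting model with the SMTP-callback option described above, added here as an example and not McAfee code. It identifies a delivery attempt by the (client IP, MAIL FROM, RCPT TO) triplet (an assumption; the page does not say what the appliance keys on), answers a first attempt with a temporary error, and, when defer_to_data is set, holds that error back until DATA so that a sender-verification callback (null sender, no DATA) gets 250 at RCPT TO.

```python
"""Greylisting with the temporary error optionally deferred to DATA.

Added example, not McAfee code. The triplet key, the 451 text and the
session model are assumptions made for illustration.
"""
import time

TEMP_ERROR = "451 4.7.1 Temporary service error, please try again later"
OK = "250 OK"
DATA_GO = "354 Start mail input"


class Greylist:
    def __init__(self, defer_to_data=False, min_retry_seconds=0, now=time.time):
        self.defer_to_data = defer_to_data   # the SMTP-callback option
        self.min_retry = min_retry_seconds   # retries sooner than this are still delayed
        self.now = now
        self.seen = {}                       # triplet -> time first seen
        self.pending = set()                 # triplets owing a TEMP_ERROR at DATA

    def _must_delay(self, triplet):
        """True on first sight, or on a retry that comes too early."""
        first = self.seen.get(triplet)
        if first is None:
            self.seen[triplet] = self.now()
            return True
        return self.now() - first < self.min_retry

    def rcpt_to(self, client_ip, mail_from, rcpt_to):
        """Response to RCPT TO. Use mail_from="" for a null sender (<>)."""
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if not self._must_delay(triplet):
            return OK
        if self.defer_to_data:
            self.pending.add(triplet)        # accept now, refuse at DATA instead
            return OK
        return TEMP_ERROR

    def data(self, client_ip, mail_from, rcpt_to):
        """Response to DATA; emits the deferred temporary error if one is due."""
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.pending:
            self.pending.discard(triplet)
            return TEMP_ERROR
        return DATA_GO


def session(gl, client_ip, mail_from, rcpt_to, send_data=True):
    """One delivery attempt: RCPT TO, then DATA unless the client stops early
    (a sender-verification callback quits after RCPT TO). Returns the replies."""
    replies = [gl.rcpt_to(client_ip, mail_from, rcpt_to)]
    if send_data and replies[-1].startswith("250"):
        replies.append(gl.data(client_ip, mail_from, rcpt_to))
    return replies
```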
Permitted recipients and directory harvest prevention

This feature applies only to policies that affect email from outside networks.

Spammers try to build lists of valid email addresses from unprotected email servers. In a directory harvest attack (DHA), a spammer sends an email message to numerous email addresses that are generated by a script. When a mail server receives an email message, it checks the recipients' email addresses. If the email server recognizes an email address as genuine, it accepts the email message for that user; if the recipient is not recognized, the email server returns an error message. The names from accepted email messages are harvested by the spammer, who can sell the names to other spammers.
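A simplified directory-harvest check for one SMTP transaction, added here as an example and not McAfee code: the RCPT TO addresses are compared with a permitted-recipient list (a constructed set here; the appliance can take the list from LDAP or a text file), the share of unknown recipients and the total recipient count decide whether the message looks like a harvest, and the response follows the default action per operating mode from Table 4-10. The thresholds are assumptions.

```python
"""Directory-harvest detection from valid/invalid recipient counts.

Added example, not McAfee code. PERMITTED and the thresholds are constructed
for illustration; the action names come from Table 4-10.
"""
PERMITTED = {"alice@example.com", "bob@example.com", "postmaster@example.com"}

# Default action for each condition, as listed in Table 4-10.
DEFAULT_ACTION = {
    "transparent": "Deny connection",
    "explicit_proxy": "Deny connection",
    "deferred": "Deny connection and quarantine mail",
}


def classify_recipients(recipients, permitted=PERMITTED):
    """Return (valid, invalid) counts for the RCPT TO addresses of one message."""
    valid = sum(1 for r in recipients if r.lower() in permitted)
    return valid, len(recipients) - valid


def looks_like_harvest(recipients, permitted=PERMITTED, max_invalid_ratio=0.5,
                       min_recipients=3, max_recipients=50):
    """True when the recipient list is unusually large, or when (with enough
    recipients to judge) more than max_invalid_ratio of them are unknown."""
    if len(recipients) > max_recipients:
        return True                          # flooding / bulk guessing
    if len(recipients) < min_recipients:
        return False                         # too few addresses to judge
    valid, invalid = classify_recipients(recipients, permitted)
    return invalid / (valid + invalid) > max_invalid_ratio


def dha_response(recipients, mode="transparent", action=None, permitted=PERMITTED):
    """Outcome for the transaction: "accept", or the configured (or default)
    Table 4-10 action for the given operating mode."""
    if mode not in DEFAULT_ACTION:
        raise ValueError(f"unknown mode {mode!r}")
    if not looks_like_harvest(recipients, permitted):
        return "accept"
    return action or DEFAULT_ACTION[mode]
```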
The appliance identifies directory-harvest attacks by comparing the number of valid and invalid recipients in an email message. The appliance enables you to select the methods to prevent directory-harvest attacks for different modes. These include tarpitting (slowing the responses down), denying connections, and quarantining the email. The appliance can also block any email message that has a large number of recipients, because this often indicates an attack.

To prevent directory harvest attacks and attacks that issue large numbers of email messages (known as flooding), you can provide the appliance with a list of permitted recipients. Your network might already have this information on its LDAP servers. Alternatively, you can import a list of email addresses from a text file. See Making lists on page 45.

Directory Harvest Prevention might not work as expected with some email servers. See Directory Harvest Prevention does not work on page 299.

To use this feature, select Policy | SMTP | Advanced Policies | Protocol | From Outside | Directory Harvest Prevention in the navigation pane. You can specify the actions against directory-harvest attacks for each circumstance:

Table 4-10 Actions against directory-harvest attacks

Condition                                            Possible actions
The appliance operates in a transparent mode.        Off; Tarpit; Tarpit then deny connection; Deny connection (default)
The appliance operates in Explicit Proxy mode.       Off; Deny connection (default)
The email message is deferred and is to be retried.  Off; Deny connection; Deny connection and quarantine mail (default)

See Actions on page 73 for more information.

Transparency options

The following settings apply only to appliances operating in a transparent mode. You can set up the appliance to:

- Use the Welcome Message from the mail server, or use the appliance's own message.
- Add text to the front of the mail server's Welcome Message.
- Allow Extended Simple Mail Transfer Protocol (ESMTP) extensions, for example, Delivery Sender Notification (DSN), Authentication (AUTH), and eight-bit data transfer (8BITMIME).
- Send NOOP keep-alive commands to the destination server while the appliance receives data from the source server (the DATA phase). This prevents the appliance-to-destination server connection from timing out. You can specify the interval between keep-alive commands.
- Allow the use of these extensions: X-EXPS, X-LINKSTATE, XEXCH50, and CHUNKING. If the appliance operates between two Microsoft Exchange servers, it must allow these email headers to be exchanged without scanning.
- Generate extra scanning alerts to warn a network administrator or other users when specific events occur. For example, the appliance can issue alerts when viruses, spam, or banned content have been detected.
- Allow or prevent the use of multiple policies for email messages with more than one recipient.

Within the Advanced area of Transparency Options, you can:

- Configure the appliance to generate additional scanning alerts.
- Allow multiple policies per email message.
- Add Received headers to the email message.
- Define any ESMTP extensions that are allowed to pass through the appliance.
- Define the Microsoft Exchange server extensions that are allowed to pass through the appliance. The extensions are not scanned.

Changing the welcome message

You can specify which welcome message appears when a host using SMTP connects to an appliance operating in a transparent mode. The appliance can display its own welcome message, or the welcome message of the mail server at the other end of the connection. If the mail server's welcome message is used, the appliance can add some of your own text to the start of that message.

To use this feature, select Policy | SMTP | Advanced Policies | Protocol | ... | Transparency Options in the navigation pane.

Keeping the connection open

To prevent the connection between the appliance and the onward email server from timing out when the appliance is scanning large email messages, the appliance can send a keep-alive command to the destination server. This keeps the connection alive until the DATA phase from the sending email server to the appliance has completed. When the data has been transferred to the appliance, the appliance stops sending the commands and starts the DATA phase between the appliance and the destination email server. You can specify how often to send the keep-alive commands during the DATA phase.

To use this feature, select Policy | SMTP | Advanced Policies | Protocol | ... | Transparency Options in the navigation pane.
Generating additional scanning alerts

The appliance can be configured to act in certain ways when a detection triggers. The actions that the appliance takes when one of these events occurs depend on which detection was triggered and how the content policies have been set up for each protocol. The actions can be divided into primary actions and secondary actions. See Actions on page 73. By default, most secondary actions are not available when the appliance is operating in a transparent mode. Only the quarantine actions are available by default.

1 Set up email delivery addresses. See Email address configuration on page 139.
2 In the navigation pane, select Policy | SMTP | Advanced Policies | Protocol | ... | Transparency Options.
3 Click Advanced.
4 Select Allow the appliance to generate additional scanning alerts.

Allowing multiple policies

If an email message has more than one recipient, you can configure the appliance to allow different policies to apply to each of the recipients. If you do not allow multiple policies, the appliance applies only the highest priority policy, as defined by the order of your policies. See Ordering non-global policies on page 59.

To use this feature, select Policy | SMTP | Advanced Policies | Protocol | ... | Transparency Options in the navigation pane, then click Advanced.

Adding Received email headers

The appliance can be configured to add Received email headers to email messages.

To use this feature, select Policy | SMTP | Advanced Policies | Protocol | ... | Transparency Options in the navigation pane, then click Advanced.

Allowing ESMTP extensions

ESMTP supports additional email commands, such as DSN and AUTH. You can set up the appliance to allow the use of these extra commands.

To use this feature, select Policy | SMTP | Advanced Policies | Protocol | ... | Transparency Options in the navigation pane, then click Advanced.
Denial of Service prevention

To prevent denial-of-service attacks:

1 In the navigation pane, select Policy | SMTP | Advanced Policies | Protocol | ... | Denial of Service Prevention.
2 Type the minimum acceptable throughput, in bytes per second.
3 Type the highest number of SMTP trivial commands (such as NOOP) that the appliance allows before receiving a successful DATA command.
4 Type the highest number of characters that are acceptable in any command name.
5 Type how long the appliance waits to receive a final dot (.) command before closing the connection.

Configuring advanced denial-of-service prevention

1 In the navigation pane, select Policy | SMTP | Advanced Policies | Protocol | ... | Denial of Service Prevention.
2 Click Advanced.
3 If the appliance is operating in Transparent Bridge mode, you can limit the number of commands allowed in the authentication logon (AUTH) phase of the communication.
4 Type the number of AUTH conversation attempts that the appliance allows before closing the connection.
5 Type the highest number of recipients (RCPT commands) that the email message can have before the appliance issues an SMTP 452 (too many recipients) response.
6 To delay the response when the number of recipients is exceeded:
  a Type the number of seconds by which the response will be delayed.
  b Type the highest number of recipients (RCPT commands) that are allowed.

Email address configuration

The appliance can send a response to a sender when:

- An email message has triggered a detection setting.
- The appliance cannot deliver an email message. For example, the receiving mail server tells the appliance that it cannot deliver the email because it does not recognize the recipient's address.

The appliance can forward email messages to different recipients when:

- A detection setting has been triggered and the appliance has carried out an action on the email message. For example, if spam is detected, the appliance can forward the email message to a mailbox where the network administrator collects spam.

The appliance can generate:

- A notification email message. The appliance can notify a recipient that an email message has triggered a detection setting. The notification email message does not contain the original email message. It contains only the notification, as an HTML attachment.
An annotated email message contains the original email message and some additional notification text, sent as an HTML attachment. 139
SMTP Policies for SMTP 4

To use the feature:

1 In the navigation pane, select Policy | SMTP | Advanced Policies | Protocol... | Email Address Configuration and set up the sender (MAIL FROM) addresses:

Bounced email. On receiving an unwanted email message, the appliance can send a response to the sender. You can specify the email address that appears in the From line of the response.

Failed delivery. If the appliance cannot deliver an email message, it informs the sender that delivery has failed. You can specify the address that the appliance places in the From line of that notification.

Forwarded email (sender). The appliance can forward an email message that has triggered a detection setting. Use this option to specify whether the original sender's address or the address set up in Bounced email appears in the From field of the forwarded message.

2 In the same Email Address Configuration dialog box, set up the recipient (To) addresses:

Forwarded email (recipient). The appliance can forward any unwanted email message to another email user, for example to a network administrator rather than the original recipient. To send the message to a single recipient, such as an email administrator, select Standard and type the recipient's email address. To send the message to a designated mailbox, such as a per-user spam mailbox or a corporate spam mailbox, select Template and set up a customized email address. The three boxes are, from left to right, a prefix for the local part, a suffix for the local part, and a prefix for the domain part:

- If you already have spam mailboxes of the form spam-<user name>@example.com, type spam- in the left box and leave the middle and right boxes empty.
- If your spam mailboxes take the form <user name>-spam@example.com, type -spam in the middle box and leave the other boxes empty.
- If you have a corporate mailbox of the form <user name>@spam.example.com, leave the left and middle boxes empty and type spam. in the right box.

The appliance uses the option specified in Forwarded email (sender) as the From address when forwarding an email message. See Email address configuration on page 139.

Annotated email. An annotated email message contains the original email message and the notification text (sent as an HTML attachment, and defined in the When sending a notification email section). To send the message to a single recipient, select Standard and type the recipient's email address. To send the message to a designated mailbox, select Template and set up a customized email address as above.

Notification email. The appliance can be set up to notify a recipient that an email message has triggered a detection setting. The notification text is defined in the When sending a notification email section, and is also used for annotated email messages. Use this option to specify the address to which the notification is sent, such as an email administrator.

The appliance uses the email address specified in Bounced email as the From address when sending an annotated email message or a notification email message. If you do not type an address in Bounced email, the From field is empty.

3 Select E-mail Address Configuration and set up the text used for notification and annotated email messages. You can type the name of the notification attachment file, specify the text that appears in the subject line of the email message, and specify the attachment text that appears in the notification.

4 Select E-mail Address Configuration and set up the advanced address parsing options. An email address such as user@example.com has two parts: the local part before the @ character (user) and the domain part after it (example.com). When parsing an email address, you can specify how many characters are allowed in the local part (the RFC limit is 64 characters) and how many in the domain part (the RFC limit is 255 characters). You can also specify whether characters that are not RFC-compliant are allowed in the domain part.

5 Select Policy | SMTP | Advanced Policies | Protocol... | Email Address Configuration, then Advanced, and specify the email address to which the original email message is sent when an audit copy is required.

Message processing

In the navigation pane, using Policy | SMTP | Advanced Policies | Protocol... | Message Processing, you can:

- Change the welcome message that is displayed when a host using SMTP connects to an appliance in Explicit Proxy mode.
By default, the following welcome message is displayed:

<appliance name and domain> SCM<product version>/SMTP Ready

For example: appliance1.example.com SCM4.5/SMTP Ready. You can replace this welcome message with your own text. The text must be in the US-ASCII character set.

- Set up store and forward options for email messages. By default, the appliance attempts to deliver immediately any email message addressed to a single recipient, and to deliver immediately to the first recipient of any message with more than one recipient, without storing the message for that recipient. This typically increases throughput, but it holds the connection to the sending mail server open while delivery is attempted. Alternatively, the appliance can be configured to store and forward email messages. The appliance can be set up to store an email message when:
  - The email message is larger than a maximum size that you specify.
  - The number of recipients exceeds a limit that you specify.
  The appliance tries to forward the stored email message later. How often it retries is defined in the Retryer option. See Retryer [Advanced] on page 90.

- Set up the appliance to store and scan email messages in the background. If an email message is larger than the size specified here, the appliance can store it and scan it in the background.

- Set up DNS data limits. When the appliance tries to deliver an email message, it looks up the destination domain in DNS and examines the mail exchange (MX) records and address (A) records returned. MX records list the host names that accept mail for a domain; A records map a host name to an IP address. You can limit the number of delivery attempts that the appliance makes by limiting the number of MX records and A records that it will try.

- Set up advanced SMTP options. You can use advanced features to:
  - Send SMTP traffic to a different port number. Use the same port number on which the receiving mail server listens for SMTP traffic.
  - Specify the largest number of policies that can be applied to an email message.
  - Add the IP address of the connecting server to the Received email header.
  - Force the HELO command to reset the session automatically (as the RSET command does).
  - Force the use of the HELO or EHLO command in any SMTP communication.

Data Command options

In the navigation pane, select Policy | SMTP | Advanced Policies | Protocol... | Data Command Options to set up how the appliance responds to email messages that exceed any of the following parameters:

- The most data that can be received during the DATA phase of the communication.
- The largest number of characters per line.
- The most hops allowed in the email header.
- The largest size allowed for any email message before the appliance closes the connection. This is accessed from Advanced in the dialog box.

For more information about the actions that can be taken, see Actions on page 73.
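As an added example (not code from the appliance or this guide), the following Python models the address parsing limits in step 4 and the three Template boxes described under Forwarded email (recipient). The box semantics (left = prefix for the local part, middle = suffix for the local part, right = prefix for the domain) are inferred from the three examples above, and the strict domain-label check is this example's interpretation of "RFC-compliant characters"; both are assumptions.

```python
import re

# Limits quoted in step 4 above; they are the RFC 5321 maxima for the two
# halves of an address (64 octets local part, 255 octets domain).
MAX_LOCAL_PART = 64
MAX_DOMAIN_PART = 255

# Strict domain labels: letters, digits and interior hyphens only. This is
# the "RFC-compliant" check that the parsing option can relax (assumption).
_STRICT_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def parse_address(addr, max_local=MAX_LOCAL_PART, max_domain=MAX_DOMAIN_PART,
                  allow_non_rfc_domain=False):
    """Split addr at its final '@' and apply the configured parsing limits.

    Returns (local_part, domain_part). Raises ValueError with the reason the
    address is unacceptable; a gateway would turn that into an SMTP rejection.
    """
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("address needs both a local part and a domain")
    if len(local) > max_local:
        raise ValueError("local part longer than %d characters" % max_local)
    if len(domain) > max_domain:
        raise ValueError("domain part longer than %d characters" % max_domain)
    if not allow_non_rfc_domain:
        for label in domain.split("."):
            if not _STRICT_LABEL.match(label):
                raise ValueError("non-RFC-compliant domain label %r" % label)
    return local, domain


def template_address(recipient, left="", middle="", right=""):
    """Build a Template forwarding address from the original recipient.

    The three boxes of the Template option are modelled as (assumption):
      left   - prefix for the local part   (spam-  -> spam-<user>@example.com)
      middle - suffix for the local part   (-spam  -> <user>-spam@example.com)
      right  - prefix for the domain part  (spam.  -> <user>@spam.example.com)
    Empty boxes leave that piece of the address unchanged.
    """
    local, domain = parse_address(recipient)
    return "%s%s%s@%s%s" % (left, local, middle, right, domain)


if __name__ == "__main__":
    for boxes in ({"left": "spam-"}, {"middle": "-spam"}, {"right": "spam."}):
        print(boxes, "->", template_address("alice@example.com", **boxes))
```

Because the split is made at the final @, a local part that itself contains an @ (see the anti-relay discussion later in this chapter) is kept whole and can be matched by routing-character patterns.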
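The following Python is an added example, not appliance code, showing what enforcing the Data Command limits involves while reading the DATA phase: counting bytes with the CRLF added back, checking each line's length, dot-unstuffing, and counting Received: headers as hops. The limit values and the reply codes (552, 500, 554, 451) are this example's assumptions, since on the appliance the action for each limit is configurable; the separate close-the-connection size threshold under Advanced is not modelled.

```python
# Limits corresponding to the Data Command Options above. The numbers are
# assumptions (the RFC 5321 text line limit is 1000 octets including CRLF;
# the other two are arbitrary policy values).
DEFAULT_LIMITS = {
    "max_data_bytes": 10 * 1024 * 1024,  # most data accepted during DATA
    "max_line_length": 1000,             # characters per line, CRLF included
    "max_hops": 100,                     # Received: headers before a loop is assumed
}


def check_data_phase(raw_lines, limits=DEFAULT_LIMITS):
    """Consume the lines a client sends after DATA and return (code, text, body).

    raw_lines are the lines exactly as received, CRLF stripped but still
    dot-stuffed (RFC 5321 section 4.5.2). On success the reply is 250 and body
    holds the unstuffed message; otherwise the first limit hit decides the
    reply. The reply codes are assumptions, not the appliance's.
    """
    total = 0
    hops = 0
    in_headers = True
    body = []
    for line in raw_lines:
        total += len(line) + 2                 # add back the CRLF
        if total > limits["max_data_bytes"]:
            return 552, "message exceeds the DATA size limit", None
        if len(line) + 2 > limits["max_line_length"]:
            return 500, "line too long", None
        if line == ".":
            return 250, "OK", body             # end of DATA
        if line.startswith("."):
            line = line[1:]                    # dot-unstuffing
        if in_headers:
            if line == "":
                in_headers = False             # blank line ends the headers
            elif line[:9].lower() == "received:":
                hops += 1                      # each Received: header is one hop
                if hops > limits["max_hops"]:
                    return 554, "too many hops", None
        body.append(line)
    return 451, "DATA not terminated", None    # client never sent the final "."
```

Folded continuation lines of a Received: header begin with whitespace and are therefore not counted twice; a forged message with hundreds of Received: headers is the case the hop limit exists for.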
SMTP connection policies

In the navigation pane, use Policy | SMTP | Advanced Policies | Connection to set up policies for SMTP connections initiated by hosts in your inside and outside networks. You can configure the following SMTP connection policy features:

- Anti-Relay (routing characters).
- Time-outs on page 143.
- Transport logging on page 144.

Anti-Relay (routing characters)

In the navigation pane, select Policy | SMTP | Advanced Policies | Connection | Anti-Relay to set up permitted and denied routing characters. An email address can contain routing characters (such as %, ! and |), which are a former method of passing a message from one computer to the next (source routing). You can permit or block this form of relaying by specifying the routing characters. For example, to block the relaying of addresses of the type user@host@relay.com, add *@* to the list of denied patterns.

Typically you set up the routing characters as follows:

- Do not type any patterns as permitted characters.
- Type these standard patterns as denied characters:

Table 4-11 Anti-relay routing patterns

Pattern   Description
*%*       Right-binding route character (the % hack).
*!*       Local or mail gateway (bang path) routing.
*|*       Pipe, which some mail servers treat as a command to execute (a security hole).

An email address consists of a part before and a part after the final @. These patterns are matched against the part of the destination address before the final @. Entering them as denied patterns prevents computers inside your network from relaying email messages (spam) on behalf of unauthorized users.

Time-outs

Select Time-outs to specify time-outs.

Client to appliance time-outs. These include:
- How long the appliance waits to receive an SMTP command from the sending mail server.
- How long the appliance waits to receive the next chunk of data from the sending mail server. This time-out applies only during the DATA phase of the communication.

Appliance to server time-outs. These include:
- How long the appliance waits to connect to the receiving mail server.
- How long the appliance waits for the receiving mail server to respond to the MAIL command.
- How long the appliance waits for the receiving mail server to respond to the RCPT command.
- How long the appliance waits for the receiving mail server to acknowledge the DATA command.
- How long the appliance waits, while sending the next chunk of data, for the receiving mail server to accept it. This time-out applies only during the DATA phase of the communication.
- How long the appliance waits for the receiving mail server to acknowledge the final dot (.) that ends the message.

Advanced time-outs. When the appliance receives an email message, it has a set time to process that message, deliver it to the next MTA, and return an SMTP 250 reply to the sending mail server. You can specify how long the appliance has to complete this task. If the time-out expires while the appliance is still scanning the message, it returns a 421 reply (service not available) to the sending mail server, which is expected to retry later. If the time-out expires during the onward delivery phase, the appliance accepts the message with a 250 reply and defers it for later delivery.

Transport logging

The appliance can log certain events that occur when handling SMTP email messages. An entry in the log is created when:
- The sender is listed in the Real-Time Blackhole Lists.
- The sender is listed in the Anti-Spam Deny Sender list.
- The sender is listed in the Anti-Relay Deny Domains list.
- An SMTP 250 OK reply is sent to the sender's mail server.
- The appliance receives an SMTP 250 OK reply from the receiving mail server.
- An email message is deferred.
- The appliance attempts to deliver a deferred email message.
- The appliance has successfully delivered a deferred email message to the next mail server and received an SMTP 250 OK reply from it.
- The appliance has determined what eventually happened to the email message, for example delivered, refused, or accepted and dropped.

The transport log can also be configured to include additional entries when the following scanning events occur:
- A virus is detected.
- Banned content is detected, for example banned words.
- A banned content type is detected, for example a banned file type.
- An email message is encrypted, signed, a partial email message, or corrupt.
- Spam is detected.

Where appropriate, the transport log records:
- Sender.
- Recipients.
- Number of recipients.
- Email message identification number.
- Size of the email message.
- Mail relay that forwarded the email message (host name and IP address).
- Which detection was triggered.

To enable this feature, select Policy | SMTP | Advanced Policies | Connection | From Inside or From Outside | Transport Logging in the navigation pane. When transport logging is on, a large amount of data is added to the logs.
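As an added example (not the appliance's code), this Python applies the Table 4-11 patterns described under Anti-Relay (routing characters) above to the local part of a destination address, using fnmatch for the * and ? wildcards (an assumption about the pattern syntax), and shows why *%* matters by computing where a %-routed address would be forwarded by an MTA that still honours that notation.

```python
import fnmatch

# Table 4-11: the standard denied patterns. They are matched against the part
# of the destination address before the final '@'.
DENIED_ROUTING_PATTERNS = ["*%*", "*!*", "*|*"]
PERMITTED_ROUTING_PATTERNS = []   # normally left empty, as the guide recommends


def local_part(address):
    """The part before the final '@'; an address with no '@' is all local part."""
    local, sep, _domain = address.rpartition("@")
    return local if sep else address


def routing_verdict(address, denied=DENIED_ROUTING_PATTERNS,
                    permitted=PERMITTED_ROUTING_PATTERNS):
    """Return (allowed, matched_pattern) for a destination address.

    Permitted patterns are consulted first, then denied ones; an address that
    matches neither list is allowed. fnmatchcase is assumed to give the same
    '*' and '?' semantics as the anti-relay pattern boxes.
    """
    lp = local_part(address)
    for pattern in permitted:
        if fnmatch.fnmatchcase(lp, pattern):
            return True, pattern
    for pattern in denied:
        if fnmatch.fnmatchcase(lp, pattern):
            return False, pattern
    return True, None


def percent_hack_target(address):
    """Where an old-style MTA would forward a '%'-routed address.

    Illustrates why '*%*' is denied: user%victim.example@relay.example.com asks
    relay.example.com to deliver to user@victim.example, which turns the relay
    into an open relay for anyone who can reach it. Returns None when the local
    part has no '%'.
    """
    lp = local_part(address)
    user, sep, next_hop = lp.rpartition("%")
    return "%s@%s" % (user, next_hop) if sep else None
```

The user@host@relay.com case from the text is covered by adding *@* to the denied list: the local part is then user@host, which the pattern matches.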
Content rules and rule groups

A content rule defines unacceptable content. For example, you can create a content rule to stop a particular offensive word being used in email messages that enter or leave your organization. That content rule can then be assigned to an SMTP content policy, and the appliance configured to act in certain ways if the rule is triggered. For example, if the appliance detects the word in a message, it can refuse the message and send a warning to an administrator.

Because you can create a large number of content rules, they are organized into rule groups. Each rule group has one or more content rules. For example, you can create a rule group called offensive descriptions, then within the group create a content rule that detects cruel, another that detects unkind, another that detects uncaring, and so on. You can assign the whole rule group to a policy, or assign selected content rules only; assigning selected rules lets you set up policy-specific settings for those rules.

The appliance comes pre-configured with a standard set of rule groups. You can add content rules to these groups, or create new rule groups of your own. Create the rule groups first, then add content rules to them. Content rules grow in number and complexity over time, so think carefully about how you group your rules and about the names for each group and rule.

Importing and exporting content rules

Having created a content rule, you can share its rules and settings with other appliances and with our other products, because rules can be imported and exported as XML text files.

Scanning for content

You can have a large number of content rules, and each content rule can specify words in various combinations. Content rules can be simple, such as detecting the use of a single word or phrase, or more complex, including combinations of phrases that appear close together. A complex content rule can allow the use of a word in one situation but prevent its use in others.

Creating content rules

To use content scanning, create rules by:
- Giving a name and description to the rule.
- Specifying where the rule applies on page 147.
- Specifying the action to take when a rule is triggered on page 147.
- Adding optional advanced features on page 149.
Giving a name and description to the rule

Over time you can create many rules, so each needs an accurate name and description. Remember that if the rule is triggered, the name of the rule appears in the alert message that users see. Therefore, if you are trying to prevent the use of an insulting phrase, do not include that phrase in the name of the rule; name the rule something like Banned Insult 23 instead. Each rule can also have a description that provides more information about its purpose. The description does not appear in the alert message.

Specifying where the rule applies

A banned phrase might appear inside various files or documents attached to an email message. You can specify which file formats are scanned for content. For example, content rules can be applied to:
- Databases
- Documents
- Graphics
- Presentations
- HTML content
- Spreadsheets

You can then select the sub-categories to be scanned. For example, if you select Documents, you can specify that Microsoft Word 7.0 files are scanned.

You can also specify which parts of an email message are scanned. The appliance can scan:
- All headers
- Attachment file name
- Body
- Epilogue
- Preamble
- Recipient
- Sender
- Subject line
- Text attachments

Specifying the action to take when a rule is triggered

You can take several actions against any item that triggers a rule. See Actions on page 73.
If Verbose reporting is enabled as part of an anti-spam policy, the name and description of any rules that trigger are displayed. For content filtering that triggered as spam, the appliance uses the content rule name as the name of the rule and, as the description, the first location where the rule triggered, for example Content rule triggered in [Message Body].

For consistency with existing anti-spam rules, we recommend that you assign content rule groups rather than individual rules when setting up content rules. We also recommend the following naming convention for content rule groups:
- Indicate that it is a content rule rather than a spam rule.
- Use uppercase letters in the name, for consistency with anti-spam rules.
- Suffix the name with a number that uniquely identifies the content rule.

For example: CONTENTRULE_1, CONTENTRULE_2, CONTENTRULE_3, and so on.

Specifying the word or phrase you want to detect

You can specify precisely how a word or phrase must appear by specifying its case, by using wildcards, and by specifying its position within a word.

Ignoring case. Normally the appliance scans for the word or phrase exactly as it is written. If you specify that case is to be ignored, the appliance matches the word or phrase regardless of its case, so abc matches abc, Abc, ABC, or any other combination of uppercase and lowercase letters.

Using wildcards. The characters * and ? represent missing characters:
- ? represents any single character. For example, ??g matches dig, dog and tug.
- * represents any number of characters, including none at all. For example, s*ing matches sing, singing and sting.

Specifying characters at the start or end of words. Taking hat as the phrase:
- Match characters that appear only at the start of a word: hat matches hat, hate, hats and hatter, but not that or what.
- Match characters that appear only at the end of a word: hat matches hat, that and what, but not hate.
- Match characters at the start and end of a word (exact word matching): hat matches hat but not hate, that or what.
- Match characters anywhere in the word: hat matches hat, hate, that and what.

Some types of file use special formatting characters to specify the layout of text. For example, attachments can contain characters that denote word breaks, line breaks, tabs, cells, ends of lines, and other format information. See Word Separators on page 314.

Characters such as currency symbols and accented characters might be difficult to match because of variations in character sets. You might need to experiment to ensure that your rules detect such characters.
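The following Python, added here and not part of the guide or the product, implements the case, wildcard and position options above against a small separator set (the appliance's Word Separators list is longer, so the set here is an assumption), so that you can check what a phrase will match before assigning it to a policy.

```python
import re

# A representative set of word separators; the appliance recognizes a longer
# list (see Word Separators). This subset is an assumption for the example.
WORD_SEPARATORS = " \t\r\n.,;:!?\"'()[]{}<>/\\-"
_SEP = "[" + re.escape(WORD_SEPARATORS) + "]"       # one separator character
_CHAR = "[^" + re.escape(WORD_SEPARATORS) + "]"     # one in-word character


def compile_phrase(phrase, position="anywhere", ignore_case=False):
    """Turn a content-rule phrase into a compiled regular expression.

    '?' matches exactly one non-separator character, '*' any run of them
    (including none). position selects where in a word the phrase may sit:
      'start'    - only at the start of a word
      'end'      - only at the end of a word
      'exact'    - the whole word (start and end)
      'anywhere' - any part of a word
    """
    parts = []
    for ch in phrase:
        if ch == "*":
            parts.append(_CHAR + "*")
        elif ch == "?":
            parts.append(_CHAR)
        else:
            parts.append(re.escape(ch))
    body = "".join(parts)
    if position in ("start", "exact"):
        body = "(?:^|(?<=" + _SEP + "))" + body   # preceded by a separator or text start
    if position in ("end", "exact"):
        body = body + "(?:$|(?=" + _SEP + "))"    # followed by a separator or text end
    return re.compile(body, re.IGNORECASE if ignore_case else 0)


def matches(phrase, text, position="anywhere", ignore_case=False):
    """True if the phrase, under the given options, occurs somewhere in text."""
    return compile_phrase(phrase, position, ignore_case).search(text) is not None


def matching_words(phrase, text, position="anywhere", ignore_case=False):
    """The words of text that the phrase matches; useful for checking a rule."""
    rx = compile_phrase(phrase, position, ignore_case)
    return [w for w in re.split(_SEP, text) if w and rx.search(w)]


if __name__ == "__main__":
    sample = "hat hate hats hatter that what"
    for pos in ("start", "end", "exact", "anywhere"):
        print(pos, matching_words("hat", sample, pos))
```

Note that * and ? never cross a separator: s*ing matches sting but not "s ing", which is the behaviour you want when the separator list is what defines a word.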
Adding optional advanced features

You can further refine the conditions that trigger a rule by specifying how other words or phrases may appear in combination with the first word or phrase: their context and their nearness. See:
- Words in context with other words.
- Words that are near other words.

Words in context with other words

- A rule may trigger if all of the additional words or phrases are present. For example, a rule is triggered if the name of a secret new product is used in the same email message as the date of the product's launch.
- A rule may trigger if any of the additional words or phrases are present. For example, a rule is triggered if any word appears that is on a list of offensive words, or on a list of secret projects.
- A rule may trigger if none of the additional words or phrases are present. For example, a rule is triggered when an offensive word, say dog, is used, except when it is used to specify a type of that animal, such as a corgi or alsatian.

Words that are near other words

Normally, when you are searching content in a small document, the banned words are near each other. In a longer document, however, the words might appear anywhere and falsely trigger the rule. To avoid this, your rule can take the nearness of the words into account. For example, a rule might trigger if two words such as ugly and manager appear together within a block of 50 characters. In the following example, the second paragraph is detected and the document is blocked to prevent the insult; in the first paragraph the two words are more than 50 characters apart.

The latest version of the product looks ugly. We need to consider several problems. I will discuss improvements with the manager of that department.

I attended the meeting about that new product today. The new manager is so ugly, nobody will ever want to work with him.

This feature is useful for blocking offensive phrases, which often contain words that cause no offense when used alone but become offensive when grouped together.

Nearness is best suited to plain text. It cannot accurately interpret character counts in binary files or in files that contain complex text formatting.

Definition of a word

A word is any number of characters bounded by a word separator. The word separator is usually some form of punctuation. For a full list of word separators recognized by the appliance, see Word Separators on page 314.

Understanding complex content rules for email messages

Email messages typically have a different structure from documents, and this can affect the way that content rules apply. For example, consider the following text in a document:

I think our manager is stupid and ugly.
To prevent the words stupid and ugly appearing together in a document, you can create a rule with a complex phrase: the rule triggers when these words appear together. The same rule works on the following simple email message:

To: user1@example.com
From: user2@example.com
Subject: Our manager

I think he is stupid and ugly. What do you think?

Now consider a second example:

To: user1@example.com
From: user2@example.com
Subject: Our stupid manager

I think he is ugly too. What do you think?

The complex rule you have already created will not trigger. Most email messages are based on the MIME format and comprise several parts. You can think of each part as a separate file: the To address, the From address, the subject line, and the message body. In this example, no single part contains both words: stupid is in the subject line; ugly is in the message body. To trigger a content rule on the words stupid and ugly appearing together anywhere in an email message, create a rule that combines two simple conditions: the rule triggers when the word stupid appears anywhere in the email message and the word ugly appears anywhere in the email message.

Understanding limitations in content scanning

A rule applies to only a single file, document or attachment at any time. For example, you may have a rule that triggers on finding the word ugly in databases and spreadsheets. When the appliance encounters any database, it searches for the word ugly; similarly, when it encounters any spreadsheet, it searches for ugly. You can make such rules more complex. For example, you can make the rule search for both ugly and stupid in databases and in spreadsheets. When the appliance encounters any database, it searches for the word ugly and the word stupid, and if both words are present the rule triggers your defined action. When it encounters both words in any spreadsheet, the rule is also triggered.

You can create combinations of rules that will not work. For example, if two conditions must be true for a rule to trigger, the rule does not trigger in the following situation: the appliance scans an email message that has another email message as an attachment; the top-level email message satisfies one of the conditions and the attached email message satisfies the second. The appliance treats each of the email messages as a separate object, and the content rule requires that both conditions are met within the same object. As each object satisfies only one of the two conditions, the content rule is not triggered for either object.
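This added Python (not the product's scanner) reproduces the behaviours described in this subsection and the two before it: nearness within a block of characters, the all/any/none context conditions, and per-object evaluation, where each MIME part of a message is scanned as a separate file and an attached message is a separate object. The word-boundary definition (letters, digits and apostrophes) is a simplification of the appliance's separator list and is an assumption, as is measuring nearness from the first character of the earlier word to the last character of the later one.

```python
import re

# Word boundaries for this example: a word is a run of letters, digits or
# apostrophes (a simplified stand-in for the appliance's separator list).
_WORD_CHAR = "[A-Za-z0-9']"


def find_word(word, text):
    """(start, end) spans of whole-word, case-insensitive occurrences of word."""
    rx = re.compile("(?<!" + _WORD_CHAR + ")" + re.escape(word) + "(?!" + _WORD_CHAR + ")",
                    re.IGNORECASE)
    return [m.span() for m in rx.finditer(text)]


def near(text, word_a, word_b, within):
    """True if some occurrence of word_a and some occurrence of word_b both fit
    inside one block of `within` characters (assumption: measured from the first
    character of the earlier word to the last character of the later one)."""
    for a0, a1 in find_word(word_a, text):
        for b0, b1 in find_word(word_b, text):
            if max(a1, b1) - min(a0, b0) <= within:
                return True
    return False


def in_context(text, word, all_of=(), any_of=(), none_of=()):
    """Context conditions: the primary word triggers only if every word in
    all_of is present, at least one of any_of (when given) is present, and
    none of none_of is present, all within the same object."""
    if not find_word(word, text):
        return False
    if any(not find_word(w, text) for w in all_of):
        return False
    if any_of and not any(find_word(w, text) for w in any_of):
        return False
    if any(find_word(w, text) for w in none_of):
        return False
    return True


# An email message is modelled as a dict of MIME parts, each scanned as a
# separate file; an attached message is a second such dict (a second object).
def same_part_rule(message, word_a, word_b, within=None):
    """Complex-phrase rule: both words must appear in ONE part of the message,
    optionally within `within` characters of each other."""
    for part_text in message.values():
        if within is None:
            if find_word(word_a, part_text) and find_word(word_b, part_text):
                return True
        elif near(part_text, word_a, word_b, within):
            return True
    return False


def whole_message_rule(message, words):
    """Rule built from simple conditions, each 'anywhere in the email message':
    every word must occur in some part, not necessarily the same one."""
    return all(any(find_word(w, part) for part in message.values()) for w in words)


def scan_objects(objects, word_a, word_b):
    """Apply a two-condition same-object rule to each object separately, as the
    appliance does for a message and each email message attached to it."""
    return [same_part_rule(obj, word_a, word_b) for obj in objects]
```

Run against the two paragraphs above, near() rejects the first (ugly and manager are 88 characters apart) and accepts the second; run against the two example messages, same_part_rule() triggers only on the first, while whole_message_rule() triggers on both; and scan_objects() shows the attached-message limitation, since neither object satisfies both conditions on its own.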
Examples of content rules

Content scanning enables you to create rules that detect the appearance of words and phrases in many situations and combinations:
- Keeping information confidential.
- Reducing network load.
- Blocking offensive words on page 152.
- Stopping nuisance email messages on page 152.
- Reducing distractions on page 152.

Each example described here can block email messages by destroying them or by moving them to a quarantine area where they can be examined later. Before deciding what to do with such messages, be aware of local legislation that affects how email may be treated.

Keeping information confidential

If your organization prefers that details of a new event, product or project are not discussed outside the organization, you can prevent the name being included in outbound email messages. For example, your organization plans to release a new product called SuperThing. To prevent anyone outside the organization learning about the product, detect the word inside each email message. You create a rule called Confidential information about new product and apply it to plain-text attachments, the body of messages, and the subject line of messages. You specify SuperThing as the word on which to trigger the rule.

As a second example, your organization plans to launch the new product in January, and the date must be kept secret. Messages like this must not leave the organization:

We are ready to launch SuperThing in January.

Before that date, less harmful email messages will discuss the product's details and preparations for its launch. Other products will also be launched, but their dates are less important. You do not want to block this message:

The agenda for tomorrow's meeting:
1 Progress towards the launch of SuperThing
2 How to reduce our stationery costs
3 Launch of MegaBox in January

You can create a rule that triggers when the two words SuperThing and January are close to each other, perhaps within 30 characters.

As a final example, your organization is planning to promote Mr. Jones to the position of CEO. Your rule must trigger on the combination of the two words CEO and Jones.

Reducing network load

The transfer of some file types, such as movie files (MPEG) and bitmap graphic files (BMP), places a heavy load on networks. By creating a list of unacceptable file extensions, you can discourage their use. Your trigger words might be BMP or MPG, applied to the names of attachments only.
Blocking offensive words

Insulting messages from your own staff or customers might damage the organization's reputation. By creating a list of unacceptable words, you can prevent their use. For example, imagine that it is very offensive to say You are a dog to another person, but that in other contexts, such as discussing breeds of dog like corgi or alsatian, the word is not offensive. To prevent the word entering or leaving the organization in its offensive context, create a new rule called Offensive word. You set the rule to apply inside the body of the message, and you set an action to discard such messages. After entering the word dog, you refine its context: for example, the rule is triggered only if none of the words alsatian, corgi, spaniel, and so on appear in the message.

Stopping nuisance email messages

Disgruntled ex-employees, virus hoaxers, and unscrupulous retailers who know the email addresses of your staff can cause problems. For example, John Smith has been annoying employees by sending unwanted email messages. The content of his messages varies, but he always uses one of two email addresses. You create a rule called Annoying Person. As the trigger phrase, type John Smith's two email addresses, and apply the rule to the message's sender only.

The appliance incorporates an anti-spam feature that prevents known spam sources from attacking your network. However, you can also scan content for common or known phrases to further limit this kind of attack. Phrases such as get rich quick or this virus will destroy your computer can become the trigger phrase for another useful rule.

Reducing distractions

When frequent inappropriate messages distract your staff, the appliance can block these messages and deter their senders. For example, advertisements broadcast by email might have Car for sale or House for sale as their subject line. The messages waste your email resources and distract your staff. To block such messages, create a rule called Distracting Advertisements. Specify the trigger phrase as for sale and apply the rule to the subject line of a message only.

Many games are sent by email as computer programs (.EXE files). You can block these by creating a rule that triggers when an attachment has .exe in its name. This type of rule has an added advantage, because games are a popular hiding place for viruses.
SMTP email messages

This section describes the non-policy-based SMTP email message options, and includes the following:
- Message queues.
- Deferred email messages on page 156.

Message queues

This section describes the queue options for email messages that are not policy-based, and includes:
- Managing email message queues.
- Maintaining email message queues on page 155.

Managing email message queues

This section describes the types of email message queue under Email Message Queues in the navigation pane. Email messages go to a message queue while waiting to be processed. If McAfee Quarantine Management is enabled, the appliance's email message queue options are no longer available.

The following message queues are available:
- Quarantined anti-virus engine detections holds email messages that have been quarantined because they contain viruses or potentially unwanted programs.
- Quarantined content shows email messages that are quarantined because they have triggered content-scanning rules. For example, the email messages might contain obscene words, confidential information, or potential phishing attacks.
- Quarantined spam shows email messages that have been quarantined because they contain potential spam.
- Digest release requests shows requests from users who want the email administrator to release email messages from the Content Quarantine area. For more information, see Quarantine Digest on page 91.
- Spam learning shows email messages that users have submitted because they contain spam. The email administrator can review the messages and, if appropriate, add them to the Bayesian learning database to improve spam detection.
- Non-spam learning shows email messages that users have submitted because they were mistakenly identified as spam. The email administrator can review these messages and, if appropriate, remove them from the Bayesian database.
- Data loss shows email messages that have been quarantined because they contain confidential data.
The appliance displays information about each email message in each queue:
- Sender's email address.
- Email address of each recipient.
- Size of the message.
- When the message was received.
- Reason for the quarantine: the names of the detections that triggered, and the rule that was broken or the name of the virus that was detected.
- Text that appears in the subject line of the email message.

For the quarantined content queue and the quarantined spam queue, the appliance also displays:
- Users whose quarantined email messages contain banned content.
- Number of messages for each user.
- The email messages that have been quarantined because their content triggered the detection.

You can perform the following actions on the queues:

Table 4-12 Queue actions

Accept: Release the selected email message(s) from the Content Quarantine to the user's inbox. Digest release requests queue only.
Apply: Apply any changes.
Clear: Deselect entries that have been marked for any reason, such as learning, forwarding, and deletion.
Close: Return to the Message Queues.
Delete: Delete the selected entry in the queue.
Delete All: Delete all entries in the queue, including email messages that are not shown because of the current filter settings.
Email selection filters: Use these filters to find, select, and view the entries in the queue.
Forward: Forward the selected email messages to one or more email addresses. You are prompted for a forwarding address. Quarantined anti-virus engine detections queue only.
Learn: Send the selected email messages to the Bayesian database for spam or non-spam learning. Spam learning queue and non-spam learning queue only.
Refresh: Get the latest information from the appliance. Quarantined content queue and quarantined spam queue only.
Reject: Reject the selected requests. Digest release requests queue only.
Release: Return all the selected email messages to the Deferred area on the appliance. Quarantined content queue and quarantined spam queue only.
Search: Start the search.
Select All: Select all entries in the current list. All queues except the quarantined content queue and quarantined spam queue.
Select another user: Select a different user. Quarantined content queue and quarantined spam queue only.
Show Logs: Show all logs relating to the selected email message. If no results are displayed, no logs exist for the selected item.
Stop: Stop the search.
Unlearn: Remove selected email messages that were mistakenly added to the Bayesian database for spam or non-spam learning. Spam learning queue and non-spam learning queue only.
View: Display the email header and, depending on its size, all or some of the email content.

Maintaining email message queues

This section describes the features that help you maintain email message queues. It contains the following topics:
- Daily quarantine maintenance
- Manual maintenance

Daily quarantine maintenance

You can use Daily Quarantine Maintenance to:
- Specify how long email messages stay in the quarantine area before they are deleted.
- Specify whether the appliance includes users with no quarantined messages in the list.
- Set up the maintenance schedule.

When you click Perform the Maintenance Now, the results of the maintenance are displayed:
- User's mailbox name.
- Total number of messages in each mailbox before the maintenance began.
- Total number of bytes in each mailbox before the maintenance began.
- How many messages were deleted.
- How many bytes were deleted.
- Number of messages remaining in the mailbox.
- Number of bytes remaining in the mailbox.

To change the order in which the list is sorted, click the up and down arrows in each column heading.
Manual maintenance

Use Spam Quarantine Manual Maintenance and Content Quarantine Manual Maintenance to remove quarantined spam messages for specific users' mailboxes. Table 4-13 shows the available actions.

Table 4-13 Manual maintenance actions

Action        Description
Clear         Deselect entries that have been marked for deletion.
Close         Return to the Message Queues.
Delete        Delete selected mailboxes.
Delete all    Delete all mailboxes.
Mailboxes
Refresh       Display the latest list of mailboxes.
Search        Search for all mailboxes matching a regular expression.

Deferred email messages

This section explains why email messages are deferred and how to manage the queue of deferred messages.

If the appliance cannot deliver the email messages immediately (for example, if a forwarding mail server is unavailable), the appliance holds the messages in its deferred queue.

To view the deferred queue, select Email | Deferred in the navigation pane. The appliance displays the following information about each email message in the list:
- Sender's email address.
- Recipient's email address.
- Size of the email message.
- When it was received by the appliance.
- Reason for it being deferred, including:
  - Error code returned by the MTA.
  - Recipient addresses.
  - Last known error message returned for that recipient.
- Text that appears in the subject line of the email message.

Table 4-14 shows the available actions.

Table 4-14 Deferred message queue actions

Action                    Description
Apply                     Apply any changes.
Clear                     Deselect entries that have been marked for forwarding or deletion.
Delete                    Delete the selected entry in the queue.
Delete All                Delete all entries in the queue, including all email messages that are not shown because of the current filter settings.
Email selection filters   Find, select, and view the entries in the queue.

156
Table 4-14 Deferred message queue actions (continued)

Action            Description
Forward           Forward the selected email messages to a specific email address. When you apply the changes, you are prompted to provide the forwarding address.
Real-time retry   Attempt to deliver the selected messages and show logging in real time.
Retry             Attempt to deliver selected deferred email messages to the original recipients.
Retry All         Attempt to deliver all the deferred email messages to their original recipients. This includes email messages not shown because of the current filter settings.
Search            Start the search process.
Select all        Select all entries in the current list.
Show Logs         Show any logs relating to the selected email message.
Stop              Stop the search process.
View              Display the email header and, depending on its size, all or some of the email content.

Integration with third-party email encryption gateway

This section describes integration with third-party email encryption, and includes the following topics:
- What is email encryption?
- What does integration with third-party email encryption do? on page 158.
- How does integration with third-party email encryption work? on page 158.
- Routing email to encryption servers on page 158.

What is email encryption?

Encryption obscures information, making it unreadable without special knowledge. In response to regulations, organizations increasingly combine encryption techniques to secure email messages. Transport Layer Security (TLS) is one technique. An alternative technique is to encrypt email messages based on policies. See Transport Layer Security on page 101.

TLS encrypts the communication channel. Email encryption encrypts the body of the email message; details of the sender and recipient are usually still visible.

Organizations such as PostX, PGP, and Voltage offer gateway-based products that work with email security gateways to encrypt email for groups of users based on policies.
These products are easy to configure and can be used where the recipient organization does not encrypt email messages. Email is routed to third-party encryption products. Email encryption can:
- Send email for encryption based on policy.
- Send inbound encrypted email for decryption based on policy.

157
What does integration with third-party email encryption do?

Integration with third-party email encryption:
- Selectively routes email for encryption.
- Routes inbound encrypted email for decryption.
- Reports the number of encrypted email messages sent and received.

How does integration with third-party email encryption work?

An email message is routed to the encryption product depending on:
- The inbound and/or outbound domain and policy settings.
- Whether the email message is recognized as encrypted. See Encrypted email.

Encrypted email

The appliance can recognize several types of encrypted messages:
- OpenPGP: has a content-type header of multipart/encrypted.
- S/MIME: has a content-type header of application/pkcs7-mime or application/x-pkcs7-mime, with an smime-type field of enveloped-data (encrypted).
- PGP/MIME: has text (including Unicode) with a signature of BEGIN PGP ENCRYPTED. Decoding is done before this check.

This recognition also covers cases where encryption masks any underlying signing, in S/MIME for example.

Routing email to encryption servers

To route email to an encryption server:
1 In the navigation pane, select Configure | SMTP | Protocol Settings | Delivery Settings | Policy Based Relay.
2 Provide the IP address of the encryption server as the policy-based relay. For example, 192.168.200.254:123 sends email to a port other than the default port 25.

You can:
- Scan outbound email messages. If they require encryption (for example, because of content), you can set the primary action to route email to a policy-based relay within the policy. If an email message is identified as requiring encryption, the appliance routes the email message to the encryption server to be encrypted, then the server sends the email message to its destination. If the email message is routed back through the appliance, it is scanned again.

158
- Scan inbound encrypted email messages. If they require decryption, you can set the primary action to route email to a policy-based relay within the policy. If an email message is identified as encrypted, it is routed to the encryption server to be decrypted. After decryption, the encryption server sends the inbound email to its destination. If the email message is routed back through the appliance, it is scanned again.
- Update the events and statistics counters each time an email message is sent to the encryption server.

159
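The three recognition rules listed under Encrypted email (multipart/encrypted, application/pkcs7-mime or application/x-pkcs7-mime with smime-type=enveloped-data, and an armoured BEGIN PGP ENCRYPTED marker found after transfer decoding) are easy to get subtly wrong: signed-only S/MIME must not be treated as encrypted, and a base64 or UTF-16 text part must be decoded before the marker is looked for. The following classifier, added here as an illustration and not the appliance's own code, applies exactly those rules to a raw RFC 822 message. The function names and the sample messages are constructed for this example; the "ciphertext" bodies are placeholders, not real PGP or CMS data.

```python
import base64
from email import message_from_bytes
from email.message import Message
from typing import Dict, Optional

PGP_ARMOR_MARKER = "BEGIN PGP ENCRYPTED"
SMIME_TYPES = ("application/pkcs7-mime", "application/x-pkcs7-mime")


def classify_encrypted(raw: bytes) -> Optional[str]:
    """Return 'openpgp', 'smime' or 'pgp-inline' for a raw RFC 822 message,
    or None if the message is not recognized as encrypted."""
    return _classify(message_from_bytes(raw))


def _classify(msg: Message) -> Optional[str]:
    ctype = msg.get_content_type()  # normalized to lower-case type/subtype
    if ctype == "multipart/encrypted":
        return "openpgp"
    if ctype in SMIME_TYPES:
        # Only enveloped-data is encryption. signed-data is a signature over
        # readable content, so it must not be routed for decryption.
        if (msg.get_param("smime-type") or "").lower() == "enveloped-data":
            return "smime"
        return None
    if msg.is_multipart():
        for part in msg.get_payload():
            found = _classify(part)
            if found:
                return found
        return None
    if msg.get_content_maintype() == "text":
        # decode=True undoes base64 / quoted-printable first: decoding is done
        # before the marker check, as the page states.
        body = msg.get_payload(decode=True) or b""
        charset = msg.get_content_charset() or "us-ascii"
        try:
            text = body.decode(charset, errors="replace")
        except LookupError:  # unknown charset label: fall back to UTF-8
            text = body.decode("utf-8", errors="replace")
        if PGP_ARMOR_MARKER in text:
            return "pgp-inline"
    return None


def _text_part(charset: str, armored: str) -> bytes:
    """Constructed sample: a base64-encoded text/plain message in `charset`."""
    body = base64.encodebytes(armored.encode(charset))
    return (f"Content-Type: text/plain; charset={charset}\r\n"
            "Content-Transfer-Encoding: base64\r\n\r\n").encode() + body


# Constructed armour block; the middle line is a placeholder, not ciphertext.
_ARMORED = ("-----BEGIN PGP ENCRYPTED MESSAGE-----\n"
            "hQEMA0NvbnN0cnVjdGVkIHNhbXBsZSwgbm90IHJlYWwgY2lwaGVydGV4dA==\n"
            "-----END PGP ENCRYPTED MESSAGE-----\n")

# Constructed sample messages: one per recognized form, plus two that must not match.
SAMPLES: Dict[str, bytes] = {
    "openpgp": (b'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\r\n\r\n'
                b"--b1\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n"
                b"--b1\r\nContent-Type: application/octet-stream\r\n\r\n(placeholder)\r\n--b1--\r\n"),
    "smime": (b"Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m\r\n"
              b"Content-Transfer-Encoding: base64\r\n\r\nMIAGCSqGSIb3DQEHA6CA\r\n"),
    "smime-signed": (b"Content-Type: application/x-pkcs7-mime; smime-type=signed-data; name=smime.p7m\r\n"
                     b"Content-Transfer-Encoding: base64\r\n\r\nMIAGCSqGSIb3DQEHAqCA\r\n"),
    "pgp-inline-ascii": _text_part("us-ascii", _ARMORED),
    "pgp-inline-unicode": _text_part("utf-16", _ARMORED),
    "plain": b"Content-Type: text/plain\r\n\r\nhello\r\n",
}
```

The "smime-signed" sample is the case worth testing on a real gateway: its content type matches the S/MIME rule, but only the smime-type parameter distinguishes a signature (still scannable) from an envelope (opaque), so a check that stops at the content type would send signed mail to the decryption server and skip scanning it.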
5 POP3

Post Office Protocol (POP3) is a protocol for collecting email from a remote server. This section describes the appliance's support for POP3, and includes the following topics:
- Configuration for POP3.
- Policies for POP3 on page 161.

Configuration for POP3

In the navigation pane, select Configure | POP3 | Protocol Settings, select Connection settings [Advanced] and configure the following:
- Intercept Ports. See page 48.
- Listen Ports. See page 50.
- Dedicated Ports. See Dedicated ports.
- Listeners. See page 50.
- Connections. See Allocating scanning resources on page 51.
- Memory. See Allocating scanning resources on page 51.
- Reverse lookup. See page 51.

Dedicated ports

POP3 allows email messages to be downloaded (pulled) from a mailbox on a remote server. The modes of operation are:
- Generic connection: allows connection to any POP3 server, but does not support Authenticated POP (APOP). If you configure the appliance with a port number for generic connections, your POP3 clients (software) do not need to specify the port number whenever they make a generic POP3 connection through the appliance.
- Dedicated connection: allows connections to dedicated POP3 servers with APOP. If a user makes a dedicated proxy connection through the appliance, the appliance uses one of its own ports to reach the POP3 server. For example, if the dedicated ports are specified as in Table 5-1, all requests on port 456 are directed to the second POP3 server.

160
POP3 Policies for POP3 5

Table 5-1 Example of dedicated ports and POP3 servers

Port   POP3 server
123    pop3server1.example.com
456    pop3server2.example.com
789    pop3server3.example.com

Specify a unique port number for each server. Choose port numbers in the range 1024 to 65535, because numbers below 1024 are generally assigned to other protocols. The server must have an FQDN, for example pop3server.example.com.

You can use the default generic proxy port (110) for a dedicated proxy connection. The dedicated connection overrides any generic connections.

To make a list of dedicated ports, select Configure | POP3 | Connection settings (Advanced) | Dedicated Port in the navigation pane.

Policies for POP3

This section describes how to set up policies for the appliance to handle POP3 email messages. It contains the following sections:
- POP3 content policies.
- POP3 protocol policies on page 166.
- POP3 connection policies on page 167.

POP3 content policies

To set policies that control how the appliance handles POP3 email messages, select Policy | POP3 | Content in the navigation pane. You can configure the following content policies:
- Anti-spam on page 162.
- Anti-phishing on page 162.
- Anti-virus on page 163.
- Scanner control on page 163.
- Encrypted content on page 164.
- Signed content on page 164.
- Corrupt content on page 164.
- Alert settings on page 165.
- Mail size filtering on page 165.
- Mail settings on page 165.

161
Anti-spam

You can configure the appliance to detect unwanted email messages, known as spam. For more information about how anti-spam works, see What is spam? on page 104. To scan for spam, the McAfee Anti-Spam Module must be enabled.

The POP3 anti-spam feature differs from the SMTP feature:
- The appliance marks email messages as spam, but you cannot specify any spam score-based actions.
- No Bayesian databases are available.

To configure the appliance to detect spam:
1 In the navigation pane, select Policy | POP3 | Content | Anti-Spam.
2 To inherit settings from the global policy, see Step 12 on page 59.
3 To specify any time restrictions, see Adding time-specific settings to non-global policies on page 60.
4 Set up your blacklists and whitelists. See User black and white lists on page 95.
5 Set up the list of anti-spam rules to use. These rules define which email characteristics are identified as potential spam.
6 Specify the reporting required and when reports will be generated. You can also type any text you want to add to the message subject line. The subject prefix cannot contain any characters from multi-byte (extended) character sets. For example, you cannot enter characters from the Japanese (ISO-2022-JP) character set.
7 Set up any advanced anti-spam features, including:
  - Maximum mail size for spam scanning.
  - Maximum width of spam headers.
  - Maximum number of reported rules that can be included in the report.
  - Customizable mail header details.
  - Whether to use alternative header names when a mail is not spam.

Anti-phishing

You can configure the appliance to detect phish: a message that tries to trick you into giving sensitive information. To scan for phish, the Anti-Spam Module must be enabled. For more information about scanning for phish, see Anti-phishing on page 112.
1 In the navigation pane, select Policy | POP3 | Content | Anti-Phishing.
2 To inherit settings from the global policy, see Step 12 on page 59.
3 To specify any time restrictions, see Adding time-specific settings to non-global policies on page 60.

162
4 To specify the actions that the appliance must take when a detection occurs, see Actions on page 73.
5 To customize or create any alert messages, see Editing alert messages on page 46.
6 Specify the type of reporting required. You can also add a phish indicator, and type any text you want to add to the message subject line.

Anti-virus

The appliance can be configured to detect viruses and other potentially unwanted programs. For more information, see Anti-virus on page 113. If a detection occurs, the appliance can act as described in Actions on page 73. In POP3, mail can be blocked but not quarantined.

In the navigation pane, select Policy | POP3 | Content | Anti-Virus, then follow the instructions in Chapter 3, Policies Overview, starting from Step 1 on page 78.

Scanner control

You can set limits on scanning to overcome performance problems caused by a complex file or a denial-of-service attack. For more information about attacks and depth of nesting in compressed files, see Scanner control on page 119.
1 In the navigation pane, select Policy | POP3 | Content | Scanner Control.
2 To inherit settings from the global policy, see Step 12 on page 59.
3 To specify any time restrictions, see Adding time-specific settings to non-global policies on page 60.
4 Specify the nesting depth and the action the appliance takes if it is exceeded. We recommend 100. If you intend to scan HTML files, this value must be 2 or more.
5 Specify the maximum size of an expanded file and the action the appliance takes if it is exceeded. We recommend 500.
6 Specify the maximum scanning time and the action the appliance takes if it is exceeded. The minimum value is one minute. We recommend 15 minutes when in use on a server. For information about the available actions, see Actions on page 73.

An item can be a file or document. A file that contains several files or documents (such as a .zip file) is regarded as several items, not one item.
7 To customize or create any alert messages, see Editing alert messages on page 46.

163
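The three scanner-control limits in steps 4 to 6 (nesting depth, expanded size, scanning time) exist because a small archive can expand into something that exhausts a scanner. The walker below, added here as an illustration rather than the appliance's implementation, shows how each limit is enforced while expanding a zip archive: depth is tracked per level of nesting, expanded bytes are counted as they are actually read instead of trusted from the entry header, the clock is checked during expansion, and every contained file counts as its own item, as the page states. It also counts password-protected entries separately, since those cannot be expanded and fall under the Encrypted content policy. The class and function names, the limit defaults (the page gives 500 without a unit; megabytes is assumed) and the nested sample archive are constructed for this example.

```python
import io
import time
import zipfile
from dataclasses import dataclass


class ScanLimitExceeded(Exception):
    """Raised when an archive breaks one of the configured limits."""


@dataclass
class ScanLimits:
    max_depth: int = 100                         # page recommends 100
    max_expanded_bytes: int = 500 * 1024 * 1024  # page recommends 500; MB is an assumption
    max_seconds: float = 15 * 60                 # page recommends 15 minutes on a server


@dataclass
class ScanResult:
    items: int = 0            # every contained file is an item of its own
    encrypted_items: int = 0  # password-protected entries: cannot be expanded here
    expanded_bytes: int = 0
    max_depth_seen: int = 0


def scan_archive(data: bytes, limits: ScanLimits) -> ScanResult:
    """Walk a zip archive, and any zips inside it, enforcing the limits."""
    result = ScanResult()
    deadline = time.monotonic() + limits.max_seconds
    _walk(data, 1, limits, result, deadline)
    return result


def check_archive(data: bytes, limits: ScanLimits) -> str:
    """Policy hook: 'ok', or the reason the configured action must be taken."""
    try:
        scan_archive(data, limits)
        return "ok"
    except ScanLimitExceeded as exc:
        return f"limit exceeded: {exc}"


def _walk(data: bytes, depth: int, limits: ScanLimits,
          result: ScanResult, deadline: float) -> None:
    if depth > limits.max_depth:
        raise ScanLimitExceeded(f"nesting depth {depth} exceeds {limits.max_depth}")
    result.max_depth_seen = max(result.max_depth_seen, depth)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            result.items += 1
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                result.encrypted_items += 1
                continue
            with zf.open(info) as fh:
                content = _read_bounded(fh, limits, result, deadline)
            if zipfile.is_zipfile(io.BytesIO(content)):
                _walk(content, depth + 1, limits, result, deadline)


def _read_bounded(fh, limits: ScanLimits, result: ScanResult, deadline: float) -> bytes:
    """Read an entry in chunks, counting the bytes actually produced rather
    than the size declared in its header, and watching the clock."""
    chunks = []
    while True:
        if time.monotonic() > deadline:
            raise ScanLimitExceeded(f"scanning time exceeds {limits.max_seconds} s")
        chunk = fh.read(64 * 1024)
        if not chunk:
            return b"".join(chunks)
        result.expanded_bytes += len(chunk)
        if result.expanded_bytes > limits.max_expanded_bytes:
            raise ScanLimitExceeded(f"expanded size exceeds {limits.max_expanded_bytes} bytes")
        chunks.append(chunk)


def build_nested_zip(levels: int, payload: bytes = b"x" * 1000) -> bytes:
    """Constructed sample: a zip inside a zip, `levels` deep, ending in payload.txt."""
    data, name = payload, "payload.txt"
    for level in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level}.zip"
    return data
```

Reading in bounded chunks is the part that matters: an archive header can declare any uncompressed size it likes, so a limit applied to the declared size alone is a limit the sender controls.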
Encrypted content

The appliance cannot scan encrypted content, such as password-protected .zip files. You can specify how the appliance handles this type of content. If you allow encrypted content through, it must be scanned after it is decrypted, and this typically occurs at the client computer.
1 In the navigation pane, select Policy | POP3 | Content | Encrypted Content.
2 To inherit settings from the global policy, see Step 12 on page 59.
3 To specify any time restrictions, see Adding time-specific settings to non-global policies on page 60.
4 To specify the actions that the appliance must take when a detection occurs, see Actions on page 73.
5 To customize or create any alert messages, see Editing alert messages on page 46.

Signed content

If the appliance alters a signed message (for example, by removing a virus), the digital signature is broken and is no longer effective. You can specify how the appliance handles the message. For more information, see Signed content on page 121.
1 In the navigation pane, select Policy | POP3 | Content | Signed Content.
2 To inherit settings from the global policy, see Step 12 on page 59.
3 To specify the actions that the appliance must take when a detection occurs, see Actions on page 73. If you quarantine the original mail or quarantine the modified mail as a secondary action, signed email messages are quarantined only if they contain a virus or banned content.

Corrupt content

Scanners and other applications can have difficulty reading corrupt content. To specify how the appliance handles this type of content:
1 In the navigation pane, select Policy | POP3 | Content | Corrupt Content.
2 To inherit settings from the global policy, see Step 12 on page 59.
3 To specify any time restrictions, see Adding time-specific settings to non-global policies on page 60.
4 To specify the actions that the appliance must take when a detection occurs, see Actions on page 73.
5 To customize or create any alert messages, see Editing alert messages on page 46.

164
Alert settings

The appliance sends a message to clients when specific events occur. For more information, see Alert messages on page 286.
1 In the navigation pane, select Policy | POP3 | Content | Alert Settings to open the dialog box.
2 Specify whether to use HTML or rich text format.
3 Set up the alert, give it a name, and edit the header and footer as required. You can use the substitution variables. See page 310.

Mail size filtering

You can specify limits on the size of email messages and then specify how the appliance handles messages that are too large overall, have large attachments, or have too many attachments. For more information, see page 125.
1 In the navigation pane, select Policy | POP3 | Content | Mail Size Filtering.
2 To inherit settings from the global policy, see Step 12 on page 59.
3 To specify any time restrictions, see Adding time-specific settings to non-global policies on page 60.
4 To specify the actions that the appliance must take when a detection occurs, see Actions on page 73.

Mail settings

Most email messages use MIME format, and this format has often been exploited to transfer potentially unwanted programs. For more information, see Mail settings on page 126.
1 In the navigation pane, select Policy | POP3 | Content | Mail Settings.
2 To inherit settings from the global policy, see Step 12 on page 59.
3 To specify any time restrictions, see Adding time-specific settings to non-global policies on page 60.
4 To specify the actions that the appliance must take when a detection occurs, see Actions on page 73.
5 Add a prefix to the subject line of a message.
6 Specify the preferred arrangement for alert attachments. You can specify inline with the message body or as attachments.
7 Set the re-encoding options.
8 If necessary, specify the advanced MIME settings, including:
  - How to handle MIME header fields that contain null characters.
  - The largest number of MIME parts that a message can have before the appliance considers it to be corrupt or a possible denial-of-service attack.

165
  - Which MIME types must be treated as text attachments and which MIME types must be treated as binary attachments.
  - The preferred transfer-encoding method for text parts, and whether 7-bit text must be encoded.
  - The character set that must be used by default for decoding.

Caution: Change the settings of these advanced features only if you understand the effects your changes can cause.

9 To customize or create any alert messages, see Editing alert messages on page 46.

POP3 protocol policies

To set policies that control the communication between the appliance and computers in your inside and outside networks, select Policy | POP3 | Advanced Policies | Protocol in the navigation pane. You can configure the following advanced policy features:

Server Keepalives
The appliance can repeatedly send a POP3 command to prevent the connection between the appliance and the mail server from timing out. Specify the command and how long the appliance waits between keep-alive commands.

Client Keepalives
The appliance can repeatedly send a POP3 command to prevent the connection between the appliance and the POP3 mail client from timing out. Specify how often the appliance sends a keep-alive command. For more information, see Keeping the connection open on page 137.

Proxy Delimiters
You can specify how to interpret the user's address when a generic proxy connection is made through the appliance. You can specify the characters that identify each part of that address. By default, the user name part of the address is separated from the host name by a hash (#), and the host information is separated from the port number by a colon (:). For example, <user name>#<host name>:<port number>.

Caution: Change the delimiter characters only if your POP3 user names contain the delimiter character.

POP3 Extensions
Specifies whether the appliance responds to CAPA (capability) requests. To discover which POP3 extensions are supported by any POP3 server, POP3 uses the CAPA command.
The command returns a list of extensions supported by the POP3 server. It is available in both the AUTHORIZATION and TRANSACTION states.

166
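The dedicated-port table (Table 5-1) and the proxy delimiters above together decide where a proxied POP3 session is sent, and the page states the precedence: a dedicated connection overrides any generic connection. The resolver below, added here as an illustration and not the appliance's code, puts both rules in one place: a session arriving on a dedicated port goes straight to that server with the USER argument untouched (which is what makes APOP possible on that path), while a generic session parses the user string as <user name>#<host name>:<port number> with configurable delimiters and a default port of 110. The class and function names and the table contents are constructed to match the page's example; connecting to a dedicated server on port 110 is an assumption of this example, since the page does not say which server port is used.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

POP3_DEFAULT_PORT = 110  # the default generic proxy port named on the page


@dataclass(frozen=True)
class Target:
    mode: str     # "dedicated" or "generic"
    server: str   # POP3 server the appliance connects to
    port: int     # port on that server
    user: str     # user name passed on to the server


# Constructed to match Table 5-1 (appliance listening port -> dedicated server).
DEDICATED_PORTS: Dict[int, str] = {
    123: "pop3server1.example.com",
    456: "pop3server2.example.com",
    789: "pop3server3.example.com",
}


def parse_generic_user(user_string: str, host_delim: str = "#",
                       port_delim: str = ":") -> Tuple[str, str, int]:
    """Split <user name>#<host name>:<port number> into (user, host, port).

    The host delimiter is taken from the right, so a '#' inside the user name
    (the case the page's caution is about) still parses as long as the host
    name itself contains none. The port is optional and defaults to 110.
    """
    if host_delim not in user_string:
        raise ValueError(f"generic connection needs <user>{host_delim}<host>")
    user, _, hostport = user_string.rpartition(host_delim)
    host, _, port_text = hostport.partition(port_delim)
    if not user or not host:
        raise ValueError("user name and host name must both be present")
    port = POP3_DEFAULT_PORT
    if port_text:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"invalid port {port_text!r}")
        port = int(port_text)
    return user, host, port


def resolve_connection(listen_port: int, user_string: str,
                       dedicated: Optional[Dict[int, str]] = None,
                       host_delim: str = "#", port_delim: str = ":") -> Target:
    """Decide where a proxied POP3 session goes.

    A dedicated port wins over generic parsing, so the USER argument is passed
    through unchanged. Otherwise the target comes from the delimited string.
    """
    table = DEDICATED_PORTS if dedicated is None else dedicated
    server = table.get(listen_port)
    if server is not None:
        return Target("dedicated", server, POP3_DEFAULT_PORT, user_string)
    user, host, port = parse_generic_user(user_string, host_delim, port_delim)
    return Target("generic", host, port, user)
```

The generic path is the one to watch from a security standpoint: the client, not the administrator, names the server, so a generic listener is an open POP3 relay to any host the appliance can reach unless the connection policies restrict it; dedicated ports pin the destination.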
POP3 connection policies

To set up policies for POP3 connections initiated by hosts in your inside and outside networks, select Policy | POP3 | Advanced Policies | Connection in the navigation pane. You can configure the following POP3 connection policy features:
- How long the appliance waits for a POP3 command before closing a connection.
- How long the appliance waits for the client to complete the data transfer before closing a connection.
- How long the appliance waits for the server to complete the data transfer before closing a connection.
- How long the appliance waits for a response while trying to connect to a POP3 server.

167
6 HTTP

Hypertext Transfer Protocol (HTTP) is a protocol used for accessing websites. This section describes the appliance's support for HTTP, and includes the following topics:
- Understanding traffic flow.
- Configuration for HTTP on page 169.
- Policies for HTTP on page 182.
- Authentication on page 201.

Understanding traffic flow

For Internet traffic, policies are applied according to the source of the request, not the location from which a file is retrieved.

For example, consider a user downloading a test virus file from www.eicar.com. You might assume that the infected file is going from the Internet (the outside network) to the internal (inside) network, so the From Outside policy must apply. However, this is not the case. The source of the initial connection was the user on the internal network. The request was made to the Internet (the outside network). The request originated from inside, so the From Inside policy applies.

Figure 6-1 Requests from inside

168
HTTP Configuration for HTTP 6

If your organization has a web server, the From Outside policy applies to HTTP requests that come into your network from an outside network, namely the Internet.

Figure 6-2 Requests from outside

Include the IP address of the firewall in the list of outside networks.

Configuration for HTTP

The following options are available from Configure | HTTP in the navigation pane.
- User Authentication Settings.
- User Authentication Settings [Advanced] on page 177.
- Connection Settings [Advanced] on page 181.

User Authentication Settings

User authentication (or transparent authentication) controls web access for specific users and groups. A user's identity is established without the need to type the user name and password again. User authentication can be used with HTTP or ICAP.

User authentication:
- Authenticates users and group membership using a directory service such as Microsoft Windows Active Directory or Novell eDirectory. Kerberos, NT LAN Manager (NTLM) and Lightweight Directory Access Protocol (LDAP) are the authentication mechanisms. See Set up the appliance for Kerberos on page 174, Set up the appliance for NTLM on page 175 and Set up the appliance for LDAP on page 176.
- Enforces policies by user identity. See Configuring authentication policy options on page 180.
- Uses ICAP to control access to the Internet by applying URL filtering policies to users and groups. See Viewing URL filtering reports on page 205 and Configuring the HTML error and redirect pages on page 205.

169
In addition, you can also:
- Include information about user identities in URL filtering reports. See Logging and reporting on page 202.
- Track users' activity and provide reports of enhanced URL filtering events using SmartReporter from Secure Computing. The data does not need to be stored on the appliance. See Installing and configuring SmartReporter on page 205.

Where is user authentication used?

When user authentication is set up (see Authentication on page 201) and authentication is enabled, you can:
- Assign policies by user identity instead of IP address. This provides more detail, for example in an environment where Network Address Translation [NAT] or terminal services put multiple users behind a single IP address. The interface provides a global configuration option to enable or disable transparent authentication. Authentication is supported in both transparent and proxy mode. Authentication uses several configurable authentication services, and multiple services can be active at the same time. The services supported are:
  - Kerberos, for authentication to Active Directory or other Kerberos authentication services. See Setting up Kerberos for use with Active Directory on page 173.
  - NTLM, for authentication to Microsoft (Windows Active Directory integration and Windows Domain support). See Set up the appliance for NTLM on page 175.
  - LDAP, for authentication to directories that support LDAP (for example Novell eDirectory). See Set up the appliance for LDAP on page 176.
- Configure authentication groups that define the authentication services that the policies will use. If you do not use single sign-on, NTLM or LDAP services repeatedly prompt you to sign on until a full sign-on is successful.
- Use policies to control whether authentication is done and, if it is, which authentication groups are used.
- You can use other existing policies to exclude IP subnets, individual IP addresses (using existing selection criteria) and URLs from authentication. You can also specify user-agent exceptions to allow agents (such as an automatic updating program) not to authenticate.
- Configure the action to take if authentication fails. You can block access, or allow users access under a user name that has limited access only.
- Base URL filtering policies (and other settings) on user identity and group membership. User group membership is verified by LDAP using an enhanced version of LDAP support.
- Suppress HTTP verbs in case the authentication or redirection results in problems (for example, with POST or PUT requests).
- Include names and IP addresses for authenticated users in URL filtering reports (including on-box reporting and ePolicy Orchestrator reports). For non-authenticated users, the reports show Internet usage by IP address and the user identity remains blank.
- Export data about Internet access to SmartReporter at regularly scheduled intervals and, if necessary, purge the data from the appliance after it has been transferred.

170
How does user authentication work?

You can configure user authentication using any of the following authentication services:
- Kerberos: provides authentication for client/server applications using public-key cryptography.
- NTLM: the appliance provides an interface to add the appliance to a Microsoft Active Directory or NT domain.
- LDAP: for directories that provide a standard LDAP interface. You can use:
  - Lotus Domino-based directory services.
  - Novell NetWare Directory Services (NDS).
  - Other standards-compliant LDAP directories.
  The LDAP options are also available to Active Directory if Active Directory is used as an LDAP server.

The appliance uses session-based cookies to identify users when they make HTTP requests:
- The HTTP handler looks for the cookie in HTTP requests.
- If the cookie is present, the handler extracts the user's identity and the appropriate URL filtering policy. The identity is also included in any URL filtering events logged to the URL database.
- If the cookie is not present, the user is redirected to an authentication broker on the appliance. The broker handles authentication between the web browser and the authentication service.

For Microsoft single sign-on support, the user is transparently authenticated by the authentication broker and directed back to the destination URL with a valid cookie if:
- The appliance is configured for Kerberos or NTLM authentication to Active Directory.
- The user is logged on to a Windows client logged on to the same Active Directory.
- The user uses Microsoft Internet Explorer or another browser that supports Integrated Windows Authentication.
- Internet Explorer's security configuration enables Integrated Windows Authentication.

In this instance, the user is not presented with a logon page. For authentication to other services that support single sign-on (for example, non-Microsoft Kerberos-based authentication schemes), single sign-on can also be supported as described above.
Otherwise, the browser displays a logon page. If users successfully authenticate using this page, they are directed back to the original URL with a valid authentication cookie. If users fail to authenticate, their access to the Internet is blocked by a message page, or they can continue (for example, using a more restrictive URL filtering policy).

171
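The cookie flow described above (handler looks for the cookie; valid cookie means apply the user's policy; no cookie means redirect to the broker, which sends the user back with a cookie, or blocks, or issues a restricted default identity) is shown below as a small model, added here as an illustration and not the appliance's code. The page does not say how the appliance protects its cookie, so this model assumes an HMAC-signed, expiring cookie; the broker URL, cookie name, session lifetime, the group-to-policy table and the function names are all assumptions of this example. The point a reviewer would look for is that the handler trusts the identity only because the signature verifies, so a user cannot mint a cookie that names a more permissive group.

```python
import base64
import binascii
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

BROKER_URL = "https://scm.example.com/auth/broker"  # assumed broker location on the appliance
COOKIE_NAME = "scm_session"                         # assumed cookie name
SESSION_TTL = 8 * 3600                              # assumed session lifetime, seconds

# Constructed table: directory group -> URL filtering policy.
GROUP_POLICY = {"staff": "standard-filtering", "contractors": "restrictive-filtering"}
DEFAULT_POLICY = "restrictive-filtering"  # used for unknown groups, e.g. the default identity


def mint_cookie(secret: bytes, user: str, group: str, now: Optional[float] = None) -> str:
    """Issued by the broker after logon: user|group|expiry, HMAC-signed so the
    HTTP handler can trust the identity without asking the directory again."""
    expiry = int(time.time() if now is None else now) + SESSION_TTL
    payload = f"{user}|{group}|{expiry}".encode()  # group and expiry never contain '|'
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(sig).decode())


def verify_cookie(secret: bytes, cookie: str,
                  now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Return (user, group) only for a correctly signed, unexpired cookie."""
    try:
        payload_b64, sig_b64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    user, group, expiry = payload.decode().rsplit("|", 2)
    if int(expiry) < (time.time() if now is None else now):
        return None
    return user, group


def parse_cookies(header: str) -> Dict[str, str]:
    """Minimal Cookie header parser: name=value pairs separated by ';'."""
    cookies = {}
    for item in header.split(";"):
        name, _, value = item.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def handle_request(secret: bytes, headers: Dict[str, str], url: str,
                   now: Optional[float] = None) -> Dict[str, str]:
    """The HTTP handler's decision: apply the user's policy if the cookie is
    present and valid, otherwise redirect to the broker carrying the original URL."""
    cookie = parse_cookies(headers.get("Cookie", "")).get(COOKIE_NAME, "")
    identity = verify_cookie(secret, cookie, now) if cookie else None
    if identity:
        user, group = identity
        return {"action": "allow", "user": user,
                "policy": GROUP_POLICY.get(group, DEFAULT_POLICY)}
    return {"action": "redirect",
            "location": f"{BROKER_URL}?{urlencode({'return': url})}"}


def broker_logon(secret: bytes, authenticated: bool, user: str, group: str,
                 return_url: str, default_user: Optional[str] = None,
                 now: Optional[float] = None) -> Dict[str, str]:
    """Broker outcome. Success: cookie plus redirect back to the original URL.
    Failure: a block page, or, if a default identity is configured (the
    'action when authentication fails' setting), a cookie for that identity."""
    if authenticated:
        return {"action": "redirect", "location": return_url,
                "set_cookie": mint_cookie(secret, user, group, now)}
    if default_user:
        return {"action": "redirect", "location": return_url,
                "set_cookie": mint_cookie(secret, default_user, "default", now)}
    return {"action": "block", "reason": "authentication failed"}
```

Two operational notes follow from the model. The redirect loses a request body, which is why the page offers suppressing HTTP verbs such as POST and PUT for authentication; and because the cookie's lifetime bounds how long a revoked or changed group membership keeps its old policy, the session TTL is a policy decision, not just a convenience setting.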
Setting up the appliance

To set up the authentication server:
- For Kerberos, see Set up the appliance for Kerberos on page 174.
- For NTLM, see Set up the appliance for NTLM on page 175.
- For LDAP, see Set up the appliance for LDAP on page 176.
See also Setting up the authentication group on page 177.

To avoid performance problems, ensure that the authentication server is physically close (or at least logically close) to the appliance.

Setting up user authentication

To set up user authentication:
- Set up the directory:
  - See Setting up Kerberos for use with Active Directory.
  - For Microsoft Windows NT 4 Domain Controllers, see Setting up the Domain Name Service on page 174.
- Set up the appliance. See Setting up the appliance.
  - See Set up the appliance for Kerberos.
  - See Set up the appliance for NTLM on page 175.
  - See Set up the appliance for LDAP on page 176.
  - See Setting up the authentication group on page 177.
- Set up the browser. See Setting up the browser on page 178.
  - See Configuring Internet Explorer on page 178.
  - See Configuring Mozilla Firefox 1.0 on page 178.

Setting up the directory

If you are using:
- Active Directory, see Setting up Kerberos for use with Active Directory on page 173.
- Microsoft Windows NT 4 Domain Controllers, see Setting up the Domain Name Service on page 174.

For maximum security, we recommend Kerberos for Active Directory installations. NTLM can be used for Windows NT 4 domain controllers. LDAP can be used for other directory services such as Novell eDirectory.

172
Setting up Kerberos for use with Active Directory

1 To create an Active Directory user that corresponds to the appliance, start Active Directory Users and Computers:
  a Select Users. Right-click New, then click User.
  b Type the user's First name (for example, scmuser) and the User Logon Name (for example, scmuser), then click Next.
  c Select User cannot change password and Password never expires. Deselect any other options. Type the password and confirm it, then click Next.
  d Click Finish.
2 Get the ktpass utility, available from the Windows 2000 and Windows 2003 support tools. To install the support tools, you need your Windows 2000 or Windows 2003 software CD. The files are in the following locations:
  \Support\Tools\suptools.msi (Windows 2003)
  \Support\Tools\Setup.exe (Windows 2000)
  If you are using Windows 2003, see the Microsoft Knowledge Base article http://support.microsoft.com/kb/843071/en-us for more information.
3 Create a keytab file called scm.keytab on the Active Directory host using ktpass (for example, if the fully qualified domain name is scm.example.com and the Kerberos realm is EXAMPLE.COM). See Set up the appliance for Kerberos on page 174. At the Windows command prompt, type:

  ktpass -princ HTTP/scm.example.com@EXAMPLE.COM -mapuser scmuser -pass scmuserpassword -out scm.keytab

  A typical response is:

  Targeting domain controller: ad.example.com
  Successfully mapped HTTP/scm.example.com to scmuser.
  Key created.
  Output keytab to apache.keytab:
  Keytab version: 0x502
  keysize 83 HTTP/scm.example.com@EXAMPLE.COM ptype 1 (KRB 5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x807cc80b8397dfab)
  Account scmuser has been set for DES-only encryption.

Create a separate keytab file with a different user name and password for each appliance.

173
Setting up the Domain Name Service

The appliance must be fully known to the Domain Name Service (DNS). Configure forward and reverse lookups for the FQDN of the appliance.

Set up the appliance for Kerberos

1 In the navigation pane, select Configure | HTTP.
2 Select User Authentication Settings and enable authentication. By default, authentication is disabled here, and this overrides any settings in policies.
3 Add a Kerberos authentication server. Click Add from Configure Authentication.
4 Specify the Authentication Service Name. This is the default name for the service. It is displayed in the logon page and in logs that track the authentication service being used.
5 Ensure that the default SCM fully qualified host name is correct. This is the host name of the appliance as seen by users of the authentication service. A DNS entry must exist for users to authenticate using this service, because this is the name the appliance uses for authentication redirection. It is used by Kerberos to verify that the keytab imported onto the appliance is the correct one for the service. Because Kerberos is sensitive to DNS entries, it expects the DNS entry to exist. In more complex environments, this name might be different for different services. For example, if you have two schools with two Active Directories, the DNS name of the appliance might differ for each school.
6 To use policies based on group membership, specify the LDAP Membership query server.
7 Select Kerberos Authentication.
8 Specify the KDC hostname. This is the fully qualified domain name of the Active Directory server and is used to validate the keytab.
9 Use the Select the action when authentication fails pane to specify whether an alert is displayed and/or configure a default user identity for any user who fails authentication. To configure the alert, see Client alert messages on page 191. You can also create a specific policy for the identity.
For example, you can give the default user only limited access to the Internet. 10 Click OK. 11 Click Apply All Changes to save the new configuration information. The status then changes to Setup Required and Setup is enabled. 12 Select the new authentication server and click Setup from Configure Authentication to create the Kerberos keytab. See Step 3 on page 173. 13 Select the scm.keytab file and open it to install it on the appliance. Keytab files are version controlled. If you create a new keytab for any reason, the old version ceases to work, and you need to import the new version. Users must log out and log on before they can authenticate successfully. 174
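The keytab that ktpass writes and that Step 13 imports is a binary file in the MIT keytab format (version 0x502, as the ktpass output shows). The following Python script is an added example, not part of this guide or of the appliance software: it builds a constructed sample keytab for the HTTP/scm.example.com@EXAMPLE.COM principal (reusing the key value printed in the ktpass output above), parses it back, and checks the fields an administrator would compare against the ktpass response before importing the file: the principal name, the key version number (vno) and the encryption type. The function names, and the check that flags single-DES encryption types (deprecated by RFC 6649), are this example's own.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"          # keytab version 0x502, as printed by ktpass
ETYPE_NAMES = {1: "DES-CBC-CRC", 2: "DES-CBC-MD4", 3: "DES-CBC-MD5",
               17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96",
               23: "RC4-HMAC"}
WEAK_ETYPES = {1, 2, 3}             # single DES, deprecated by RFC 6649


def _counted(octets):
    """16-bit big-endian length followed by the bytes (keytab counted_octet_string)."""
    return struct.pack(">H", len(octets)) + octets


def build_keytab(entries):
    """Serialize entry dicts into keytab bytes; used here only to construct sample input."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, _, realm = e["principal"].rpartition("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", e["name_type"], e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["etype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])       # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse keytab bytes into a list of entry dicts (principal, kvno, etype, key, ...)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %s" % data[:2].hex())
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:                 # a negative size marks a deleted (free) slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        (rlen,) = struct.unpack_from(">H", data, off)
        off += 2
        realm = data[off:off + rlen].decode()
        off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, off)
            off += 2
            comps.append(data[off:off + clen].decode())
            off += clen
        name_type, timestamp, kvno = struct.unpack_from(">IIB", data, off)
        off += 9
        etype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        if end - off >= 4:           # newer writers append the full 32-bit kvno
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": kvno, "etype": etype,
                        "etype_name": ETYPE_NAMES.get(etype, "etype %d" % etype),
                        "key": key})
        off = end
    return entries


def check_service_keytab(data, expected_principal):
    """Return a list of problems (empty list means the keytab looks right for this service)."""
    problems = []
    entries = [e for e in parse_keytab(data) if e["principal"] == expected_principal]
    if not entries:
        problems.append("no key for %s" % expected_principal)
    for e in entries:
        if e["etype"] in WEAK_ETYPES:
            problems.append("kvno %d uses deprecated %s" % (e["kvno"], e["etype_name"]))
    return problems


# Constructed sample: the principal, vno and etype from the ktpass output above.
SAMPLE_KEYTAB = build_keytab([{"principal": "HTTP/scm.example.com@EXAMPLE.COM",
                               "name_type": 1, "timestamp": 0, "kvno": 3, "etype": 3,
                               "key": bytes.fromhex("807cc80b8397dfab")}])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry["principal"], "kvno", entry["kvno"], entry["etype_name"])
    print(check_service_keytab(SAMPLE_KEYTAB, "HTTP/scm.example.com@EXAMPLE.COM"))
```

Because keytab files are version controlled, comparing the kvno reported here with the vno that ktpass printed tells you whether the file on the appliance is the current one: if ktpass is run again for the same account, the kvno increments and the older file stops working, as Step 13 describes.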
Setting up the Network Time Protocol

Kerberos is sensitive to dates, so the times must all be synchronized on the browsing computers, the Active Directory server/KDC and the appliance. Ensure that the Network Time Protocol (NTP) is set up before you enable authentication. In some instances, setting up NTP may require the installation of third-party software.

1 On the appliance, select System Manage Appliances in the navigation pane.
2 Under Set the NTP server settings:
  a Enable the use of NTP, and make a list of the NTP servers by network address or host name.
  b If required, enable NTP client broadcasts.
3 On the Active Directory server, set up NTP. See the documentation supplied with the server.
4 On the browsing computers, set up NTP.

Set up the appliance for NTLM

1 In the navigation pane, select Configure HTTP.
2 At User Authentication Settings, enable authentication. By default, authentication is disabled here, and this setting overrides any settings in policies.
3 At Configure Authentication, click Add.
4 In the dialog box, type the Authentication Service Name. This is a friendly name for the service. It is displayed on the logon page and in logs that track the authentication service being used.
5 Type the appliance's fully qualified host name. This is the host name of the appliance as seen by users of the authentication service.
6 To use policies based on group membership, select the LDAP Membership query server.
7 Select NTLM Authentication.
8 Specify the Fully qualified NTLM server name. This is the fully qualified Windows server DNS name or IP address of the domain controller.
9 Specify the domain name. This is the name of the Windows domain that the appliance joins.
10 Under Select the action when authentication fails, specify whether an alert is displayed or configure a default user identity for any user who fails authentication. To configure the alert, see Client alert messages on page 191. You can also create a specific policy for the identity. For example, you can give the default user only limited access to the Internet.
11 Click OK to return to User Authentication Settings.
12 Click Apply All Changes to save the new configuration information. The status changes to Setup Required, and Setup is enabled.
13 Select the new authentication server and click Setup on Configure Authentication.
14 Type your Administrator's user name and Administrator's password, then join the appliance to the NTLM domain.

Set up the appliance for LDAP

Before you set up LDAP authentication, ensure that you already have an LDAP server configured on the appliance. See User Authentication Settings [Advanced] on page 177.

1 In the navigation pane, select Configure HTTP.
2 Select User Authentication Settings to enable authentication. By default, authentication is disabled here, and this setting overrides any settings in policies.
3 At Configure Authentication, click Add.
4 In the dialog box, type the Authentication Service Name. This is a friendly name for the service. It is displayed on the logon page and in logs that track the authentication service being used.
5 To use policies based on group membership, specify the LDAP Membership query server. This is the server used to identify the authentication group to which the user belongs. This information is used to decide whether a policy is triggered. The LDAP Membership query server drop-down list is available only after an LDAP server has been configured. See User Authentication Settings [Advanced] on page 177.
6 Type the appliance's fully qualified host name. This is the host name of the appliance as seen by users of the authentication service.
7 Select LDAP Authentication.
8 Select the LDAP Authentication server. Other settings for user and group queries are in the LDAP server configuration. See User Authentication Settings [Advanced] on page 177.
9 Specify the Relative DN. The Relative Distinguished Name is the DN, relative to the Base DN, under which the user objects reside. On Active Directory, by default, users are created under a relative DN of cn=users. However, in a large organization, users might be under a different relative DN depending on their physical location. Ask your directory administrator for the correct setting.
  Base DN: the Base Distinguished Name, as specified for the selected LDAP server under Policy Groups, is displayed for information only. It cannot be changed.
10 Ensure that the User identity attribute is correct. This is the attribute used to test an identity. It determines the name that a user must specify when authenticating using LDAP. By default, this is samaccountname for Active Directory (for example, to match the logon name a user uses for NTLM authentication) and cn for Novell eDirectory. The default value is filled in when you select the LDAP authentication server.
11 If necessary, select Use secure LDAP. See Step 13.
12 Under Select the action when authentication fails, specify whether an alert is displayed or configure a default user identity for any user who fails authentication. To configure the alert, select Policy HTTP Advanced Policies Protocol From Inside Client Alert Messages in the navigation pane. You can also create a specific policy for the identity. For example, you can give the default user only limited access to the Internet.
13 If you specified Use secure LDAP, click Setup. A CA certificate is imported for LDAP over SSL (LDAPS) and used to verify the LDAP server. If you did not select Use secure LDAP, basic unsecured LDAP queries are run in the same way as for the configured LDAP server.

User Authentication Settings [Advanced]

After transparent authentication is enabled, the advanced settings are available. Change these settings only if requested to do so by McAfee Technical Support. In the navigation pane, select Configure HTTP, then select User Authentication Settings [Advanced] to specify:

Authentication Server Address: IP address of the authentication service (the appliance itself). This is normally left blank.
Authentication Server Port: port used to connect to the authentication server.
Local Redirection Port: internal port used to redirect HTTP requests to the authentication server.
Log User Identity: includes user names in the log file. If the feature is off, the user name is blank.
Authentication Cookie Suffix: required for load-balancing only.
Policy Caching: enables the caching of the authentication cookies.
Kerberos Reverse DNS: enables reverse DNS lookups when using Kerberos authentication. See Set up the appliance for Kerberos on page 174.

Setting up the authentication group

An authentication group consists of one or more authentication services. If a group contains more than one service, the appliance tries to authenticate the user against each service in order. An authentication group can be used globally or for specific policies (for example, for this IP address, authenticate users using this authentication group).

To create a new authentication group:

1 Create an authentication group containing the new server from the Configure Authentication Groups list.
2 Specify the authentication group name. This identifies the authentication group when you create a policy.
3 Select from the globally configured Ordered list of authentication services. This selects the order in which authentication services are tried. Add the already configured authentication service.
4 In the navigation pane, select Policy HTTP Advanced Policies Connection to assign the authentication group to a policy. See Configuring authentication policy options on page 180.

Setting up the browser

You can configure Internet Explorer or Firefox browsers to participate in transparent authentication. See Configuring Internet Explorer on page 178 or Configuring Mozilla Firefox 1.0 on page 178. The browser selects Kerberos or NTLM.

Configuring Internet Explorer

To enable Internet Explorer to use Kerberos or NTLM authentication:

1 If the appliance is running in proxy mode:
  a Set the proxy to the fully qualified domain name of the appliance. From Internet Explorer, click Tools, then Internet Options, then Connections. Click LAN Settings and select Use a proxy server for your LAN. Type the address and the port of the appliance. The default port is 80.
  b Set the proxy not to be used for the appliance itself (that is, not for Internet addresses starting with the appliance's name). From Internet Explorer, click Tools, then Internet Options, then Connections. Click Advanced and select Do not use proxy server for addresses beginning with. Type the appliance's FQDN, if necessary prefaced by an asterisk (*) and a dot, for example *.FQDN.
2 Because authentication requires browser redirections to the appliance, the appliance must be in the Local intranet zone. To add the appliance to the Local intranet zone:
  a From Internet Explorer, click Tools, then Internet Options.
  b Click Security, then Local intranet, Sites and Advanced.
  c Type the fully qualified domain name of the appliance, then click Add.
3 From Internet Explorer, click Tools, then Internet Options. Select Security. Click Custom Level and enable redirection to sites within the intranet zone by selecting Web sites in less privileged web content zone can navigate into this zone (under Miscellaneous).
4 From Internet Explorer, click Tools, then Internet Options. Select Advanced, then select Enable Integrated Windows Authentication (under Security).
5 Restart Internet Explorer.

Configuring Mozilla Firefox 1.0

To enable Firefox:

1 In the menu, click Tools, then Options, Connection Settings and Manual Proxy Configuration. Type the HTTP Proxy (the appliance's FQDN) and the Port. The default port is 80.
2 At No Proxy for, type the appliance's FQDN.
3 Open about:config and set:
  network.negotiate-auth.delegation-uris = https://fqdn,http://fqdn
  network.negotiate-auth.trusted-uris = https://fqdn,http://fqdn
  where fqdn is the fully qualified domain name of the appliance.

Configuring an LDAP server

To use policies based on a user's group membership, set up the appliance to use an LDAP server. The server is selected when you configure the group membership and is used for authentication or to resolve group memberships. Do not specify a privileged account in the LDAP server configuration.

Testing an LDAP server

You can use the group membership lookup for specific user names. We recommend that you test this feature before you configure any policies based on user group membership. The user name format depends on the authentication service (Kerberos, NTLM or LDAP), and you might want to verify the user group lookup for each authentication scheme that you configure.

1 In the navigation pane, select Policy Groups, and click LDAP Servers to display the LDAP server list.
2 Select the new server, and click Modify.
3 Click Test.
4 From the Options dialog box, click Test group query. The LDAP server response page appears. If it does not, see Fixing LDAP server configuration errors on page 180. If the configuration has any problems, you might need to adjust some connection settings, the Base DN or the Group query settings. Error messages appear in the status area at the bottom left of the interface.
5 To test group membership for a specific user, type the User name and click Find Group(s). See Table 6-2 on page 203.
  For Kerberos authentication, the user name in LDAP is userprincipalname.
  For NTLM authentication, the user name in LDAP is samaccountname.
  For LDAP authentication, the user name is the full LDAP distinguished name, equivalent to distinguishedname in LDAP (for Active Directory).
Fixing LDAP server configuration errors

If the LDAP server response page with the group list does not appear when you click Test group query, verify the following:

The supplied user name and/or password are correct. Ensure that you can connect to the LDAP server on the insecure port (by default, TCP port 389). Try this using the supplied credentials and another LDAP tool (such as ldapsearch on Linux or LDIFDE on Windows Server 2003 with Active Directory) and by performing an LDAP simple bind.
The server address is correct and can be found. Is the name right? Is the DNS correct? Does the name resolve to a real address? Try specifying the IP address of the LDAP server directly.
The LDAP server is running on the default LDAP port. If the LDAP server is on a different port, include the port number in the server address (for example, abc.example1.example.com:390).
The LDAP server has enabled port 389, and not just the secure port (by default, TCP port 636). Consult your LDAP server administrator and ask that the insecure port be enabled. The appliance cannot connect to the secure port for group lookups.

If the LDAP server response page appears but does not contain any groups, the appliance is able to connect to the LDAP server. Verify the following:

The Server type is correct (Active Directory). This must be set when the LDAP server configuration is first created. If you have edited fields and saved the configuration, changing the server type might not correct this.
The Base DN is correct. No group objects were found under the supplied Base DN, which typically takes the form dc=example,dc=com for the domain example.com.
The Group query is correct. The appliance supplies defaults for each server type, but the specific configuration of your LDAP server might differ.

Configuring authentication policy options

To complete the authentication policy options for your appliance, see HTTP connection policies on page 201.
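The three user-name formats listed under Testing an LDAP server (userprincipalname for Kerberos, samaccountname for NTLM, the full DN for LDAP) end up inside LDAP search filters, where the characters *, (, ) and \ have special meaning. The following Python snippet is an added example, not code from this guide or from the appliance: it validates a user name against the format its authentication scheme expects, escapes it according to RFC 4515, and builds the user lookup and group membership filters that a test such as Find Group(s) would issue. The (objectClass=user) and (&(objectClass=group)(member=...)) filter shapes are this example's assumptions about an Active Directory query, not the appliance's actual Group query defaults, which the guide does not list.

```python
# Characters that must be escaped when a value is embedded in an LDAP search filter (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Identity attribute used for each authentication scheme, as the guide lists them.
IDENTITY_ATTRIBUTE = {
    "kerberos": "userprincipalname",
    "ntlm": "samaccountname",
    "ldap": "distinguishedname",
}


def ldap_filter_escape(value):
    """Escape a string so it can only be matched as a literal value inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def validate_user_name(scheme, name):
    """Return None if name is in the format the scheme expects, else a message saying why not."""
    if scheme not in IDENTITY_ATTRIBUTE:
        return "unknown authentication scheme %r" % scheme
    if not name:
        return "user name is empty"
    if scheme == "kerberos" and name.count("@") != 1:
        return "Kerberos identity must be a user principal name such as user_1@example.com"
    if scheme == "ntlm" and ("\\" in name or "@" in name):
        return "NTLM identity is the bare samaccountname and must not include the domain"
    if scheme == "ldap" and "=" not in name:
        return "LDAP identity must be the full distinguished name of the user"
    return None


def user_lookup_filter(scheme, name):
    """Filter that finds the user object for an authenticated name.
    (objectClass=user) is an assumption for Active Directory, not the appliance's query."""
    problem = validate_user_name(scheme, name)
    if problem:
        raise ValueError(problem)
    attr = IDENTITY_ATTRIBUTE[scheme]
    return "(&(objectClass=user)(%s=%s))" % (attr, ldap_filter_escape(name))


def group_membership_filter(user_dn):
    """Filter that lists the groups whose member attribute names the user's DN.
    The DN is escaped as a filter value, so a backslash inside the DN becomes the
    three characters backslash, 5, c (assumed Active Directory group query shape)."""
    return "(&(objectClass=group)(member=%s))" % ldap_filter_escape(user_dn)


if __name__ == "__main__":
    # Constructed sample names, one per authentication scheme.
    for scheme, name in [("kerberos", "user_1@example.com"),
                         ("ntlm", "user1a"),
                         ("ldap", "cn=user1a,cn=users,dc=example,dc=com")]:
        print(user_lookup_filter(scheme, name))
    print(group_membership_filter("cn=user1a,cn=users,dc=example,dc=com"))
    print(validate_user_name("ntlm", "EXAMPLE\\user1a"))
```

Running the lookup filter first and then the group filter with the DN that the lookup returned mirrors the two-step query that group-based policies need: an NTLM or Kerberos name identifies the user object, and only the user's DN can be matched against a group's member attribute.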
Configuring authenticated user-based content policies

To configure content policies based on authenticated users, create policy groups that match criteria for specific user names or for group membership:

1 In the navigation pane, select Policy Groups, then click Add.
2 Specify a policy name. Ideally this reflects the policy selection criteria and its intended use.
3 Select a user-based policy criterion in the form The User is. Click > to define the criteria. You can select policies based on:
  Individual user names. See Selecting policies based on individual user names on page 181.
  User group membership. See Selecting policies based on group membership on page 181.
4 When you have made your selection, click Finish, then Apply All Changes.

Selecting policies based on individual user names

For policies based on user name, select The user is 'User Name' or The user is not 'User Name'. See also Configuring authentication policy options on page 180. The user name (see Table 6-2 on page 203) must match the format for one of the configured authentication service types:

For Kerberos, the format is the userprincipalname property in Active Directory LDAP. It looks like an email address, for example user_1@example.com.
For NTLM, the format is the samaccountname property in Active Directory LDAP. It must not include the domain name.
For LDAP, the format is always the full distinguished name (LDAP DN) of the user in the LDAP directory (for example, cn=user1a,cn=users,dc=scm-auth-ad2,dc=example1,dc=example,dc=com).

Selecting policies based on group membership

For policies based on group membership, select The user is in 'Directory Group' or The user is not in 'Directory Group'. See also Configuring authentication policy options on page 180. For this type of policy, the policy criteria record one or more LDAP group identities. For policy selection, the user name from authentication is used to perform a group membership query. The query uses the LDAP server configuration selected for group membership (based on the authentication service configuration). See Set up the appliance for Kerberos on page 174, Set up the appliance for NTLM on page 175 and Set up the appliance for LDAP on page 176. If the group identified by the query matches the group specified in the policy, the appliance selects that policy and applies its settings to the user (for example, specific URL filtering policies can be applied to groups of users). See Configuring URL filtering based on policy groups on page 188.

Connection Settings [Advanced]

1 In the navigation pane, select Configure HTTP.
2 Select Connection Settings to configure the settings for the connections available to the appliance. See Advanced configuration (all protocols) on page 48. You can configure:
  Intercept Ports. See page 48.
  Listen Ports. See page 50. For more information about advanced transparent exceptions, see Transparent exceptions on page 49.
  Listeners. See page 50.
  Connections. See Allocating scanning resources on page 51.
  Memory. See Allocating scanning resources on page 51.
  Reverse lookup. See page 51.
HTTP Policies for HTTP 6

Policies for HTTP

This section describes how to set up policies that tell the appliance how to handle HTTP traffic. It contains the following sections:
  HTTP Content Policies on page 182.
  HTTP protocol policies on page 190.
  HTTP connection policies on page 201.

HTTP Content Policies

To set policies that control how the appliance handles HTTP traffic, select Policy HTTP Content in the navigation pane. You can configure the following content policies:
  Anti-virus.
  HTML settings.
  URL filtering.
  Scanner control on page 189.
  Data loss prevention on page 190.
  Alert settings on page 190.

Anti-virus

The appliance can be configured to detect viruses and other potentially unwanted programs. For more information, see Anti-virus on page 113.

HTML settings

You can configure how the appliance handles some elements and components embedded in HTML data. When users view a web page, their browsers can download ActiveX components, Flash objects, Java applets, and scripts written in languages such as VBScript and JavaScript. Such objects sometimes contain unwanted software. Although the anti-virus scanner in the appliance detects many potentially unwanted objects, you can provide extra security by choosing to block all such objects. To access this feature, select Policy HTTP Content HTML Settings.

URL filtering

On the Secure Internet Gateway and Secure Web Gateway versions of the appliance, you can evaluate and activate an optional feature, enhanced URL filtering. Enhanced URL filtering policies can be applied to HTTP and ICAP traffic.
If the enhanced URL filtering component is activated, the appliance can also control access to websites based on the category of their content. To access this feature, select Policy HTTP Content URL Filtering.

What is enhanced URL filtering?

Enhanced URL filtering provides extra URL filtering for the following appliances:
  Secure Web Gateway
  Secure Internet Gateway

Enhanced URL filtering uses a URL filtering database and policies to prevent inappropriate use of the Internet. The appliance can block requests, warn ("coach") users if requests are not appropriate, or allow requests through. Enhanced URL filtering uses the following components:
  The enhanced URL filtering database categorizes websites according to their content, such as pornography or gambling.
  SiteAdvisor classifies websites for safe use. See SiteAdvisor on page 184.
  The URL whitelist specifies that access must always be allowed for certain websites, regardless of their category within the enhanced URL filtering database.
  The URL blacklist specifies that access must always be denied for certain websites, regardless of their category within the enhanced URL filtering database.
  Customizable alert messages inform users if a request is denied or considered inappropriate. For example, if a user tries to access an inappropriate site, the appliance can respond with a message that explains your organization's policy on Internet usage.
  Logs and reports capture and display information about web access.

Enhanced URL filtering:
  Controls Internet access and reduces:
    The risk of legal issues over the misuse of the Internet.
    Employee exposure to inappropriate or insecure websites.
    Misuse of network resources, by preserving bandwidth for genuine business use.
  Can be customized to reflect changes in the way your organization uses the Internet.
  Can be customized to reflect changes in the type of content that is available on the Internet.
  Can filter access according to the URL or IP address of the requested website.
  Can filter access to a whole website or just some parts of a website.
  Can control the type of searches employees make while using an Internet search engine.
  Produces information that can be logged and used to create detailed reports, which allow you to monitor Internet use.
  Integrates fully into the appliance and the appliance's interface.

SiteAdvisor

SiteAdvisor software helps Internet users stay safe as they search, browse and transact online. The SiteAdvisor organization patrols the Internet, browsing sites, downloading files, and filling in forms. Supplemented with user feedback, comments from website owners, and other analysis, their results classify websites as:
  Green - Safe. SiteAdvisor tested the site and did not find any significant problems.
  Yellow - Caution. SiteAdvisor found some minor security or nuisance issues, or the site has previously had security issues (directly or through corporate affiliations).
  Red - Warning. SiteAdvisor found some serious issues at this website. For example, the site sends spam, includes adware with downloads, or has a business relationship with an organization known for bad practices.
  Grey - Untested. SiteAdvisor has no information about this site yet.

How does URL blocking and filtering work?

When a user tries to access a website over an HTTP or ICAP connection, the appliance uses the Basic URL Blocking and enhanced URL filtering policies to determine how to handle the request:
  The appliance checks whether the Basic URL Blocking policies block access to the website. See Basic URL blocking on page 191.
  If access is not blocked, and the enhanced URL filtering option has been enabled, the appliance checks the URL against the URL whitelist and blacklist. If the URL is in the whitelist, access to the site is allowed. If the URL is in the blacklist, access to the site is blocked. You can also specify how the appliance handles uncategorized URLs.
  If the URL is in neither the whitelist nor the blacklist, the appropriate enhanced URL filtering policy is applied.

Depending on the type of policies that have been set up, a request might be considered inappropriate because:
  The website is in a category that your organization considers to be inappropriate for business use.
  The website is requested at an inappropriate time. For example, an employee accessed a website during the working day, instead of only outside normal working hours.
  The website request came from an IP address that is not allowed to access that website.
  The website is classified as unsuitable by SiteAdvisor.
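The decision order described above (Basic URL Blocking first, then the whitelist, then the blacklist, then the enhanced URL filtering policy with its category, time-of-day, source address and SiteAdvisor considerations) is shown as an added Python example below. It is not the appliance's code: the FilterPolicy structure, the pattern syntax (host for a whole site including subdomains or an IP literal, host/path for part of a site), the constructed sample lists and the rule that the most restrictive action wins when a URL carries several categories are all this example's assumptions. The URL filtering database is stood in for by an in-memory dictionary, and the time-of-day rule lets a category receive a different action outside the configured working hours.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

ALLOW, COACH, BLOCK = "allow", "coach", "block"      # block / warn ("coach") / allow
SEVERITY = {ALLOW: 0, COACH: 1, BLOCK: 2}


def _split(url):
    """Lower-cased host and path of a URL; a bare host name is treated as http://host."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower(), parts.path or "/"


def url_matches(pattern, url):
    """'host' matches the whole site (host and its subdomains, or an IP literal);
    'host/path' matches only requests whose path starts with that prefix."""
    host, path = _split(url)
    p_host, _, p_path = pattern.lower().partition("/")
    if host != p_host and not host.endswith("." + p_host):
        return False
    return not p_path or path.startswith("/" + p_path)


def first_match(patterns, url):
    return next((p for p in patterns if url_matches(p, url)), None)


@dataclass
class FilterPolicy:
    basic_blocking: list                  # Basic URL Blocking patterns, checked first
    whitelist: list                       # always allowed, regardless of category
    blacklist: list                       # always blocked, regardless of category
    categories: dict                      # pattern -> set of categories (stands in for the database)
    category_actions: dict                # category -> action during working hours
    after_hours_actions: dict = field(default_factory=dict)    # category -> action outside working hours
    uncategorized_action: str = ALLOW
    site_allowed_networks: dict = field(default_factory=dict)  # pattern -> [CIDR, ...] allowed to reach it
    siteadvisor: dict = field(default_factory=dict)            # host -> green / yellow / red / grey
    siteadvisor_actions: dict = field(default_factory=lambda: {"red": BLOCK, "yellow": COACH})
    work_hours: tuple = (9, 17)


def decide(policy, url, client_ip, when):
    """Return (action, reason) for one request. Only the request URL is examined,
    never the response body, so links inside a page are judged when they are requested."""
    if first_match(policy.basic_blocking, url):
        return BLOCK, "basic URL blocking"
    if first_match(policy.whitelist, url):
        return ALLOW, "whitelist"
    if first_match(policy.blacklist, url):
        return BLOCK, "blacklist"
    for pattern, nets in policy.site_allowed_networks.items():
        if url_matches(pattern, url) and not any(ip_address(client_ip) in ip_network(n) for n in nets):
            return BLOCK, "source address not allowed for " + pattern
    cats = set()
    for pattern, assigned in policy.categories.items():
        if url_matches(pattern, url):
            cats |= assigned
    if not cats:
        action, reason = policy.uncategorized_action, "uncategorized"
    else:
        action, reason = ALLOW, "category policy"
        in_hours = policy.work_hours[0] <= when.hour < policy.work_hours[1]
        for cat in sorted(cats):          # several categories: the most restrictive action wins
            a = policy.category_actions.get(cat, ALLOW)
            if not in_hours:
                a = policy.after_hours_actions.get(cat, a)
            if SEVERITY[a] > SEVERITY[action]:
                action, reason = a, "category " + cat
    host, _ = _split(url)
    rating = policy.siteadvisor.get(host, "grey")
    sa_action = policy.siteadvisor_actions.get(rating, ALLOW)
    if SEVERITY[sa_action] > SEVERITY[action]:
        action, reason = sa_action, "SiteAdvisor " + rating
    return action, reason


# Constructed sample policy and request times (not real sites or a real configuration).
SAMPLE_POLICY = FilterPolicy(
    basic_blocking=["blocked.example"],
    whitelist=["intranet.example"],
    blacklist=["intranet.example", "banned.example"],   # whitelist must win for intranet.example
    categories={"casino.example": {"gambling"}, "news.example/sports": {"sports"}},
    category_actions={"gambling": BLOCK, "sports": COACH},
    after_hours_actions={"sports": ALLOW},
    site_allowed_networks={"payroll.example": ["10.0.1.0/24"]},
    siteadvisor={"shady.example": "red", "news.example": "green"},
)
WORKDAY_10AM = datetime(2007, 1, 1, 10, 0)
WORKDAY_8PM = datetime(2007, 1, 1, 20, 0)

if __name__ == "__main__":
    for u in ["http://www.blocked.example/", "http://intranet.example/", "http://casino.example/",
              "http://news.example/sports/today", "https://shady.example/", "http://payroll.example/"]:
        print(u, decide(SAMPLE_POLICY, u, "10.0.2.7", WORKDAY_10AM))
```

The two checks that most often surprise administrators are visible in the sample data: a site listed in both the whitelist and the blacklist is allowed, because the whitelist is consulted first, and a site with no category at all is still blocked when SiteAdvisor rates it red.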
For each category, the appliance can be set up to take a specific action. See Actions on page 73.

Caution: URL filtering is done only on the request, not the response. The response may contain banned URLs, but the content for these is blocked if the user subsequently requests them.

URL filtering is normally configured using the From Inside setting, because typically you want to control access only for users inside your network.

Evaluating enhanced URL filtering

The Secure Internet Gateway and Secure Web Gateway versions of the appliance include a free 30-day evaluation of the enhanced URL filtering component.

1 In the navigation pane, select System Manage Components Activate the enhanced URL filtering component, then click Start Evaluation.
2 Type the email address and administrator's display name. These are used to request the unblocking of blocked URLs. Then click Apply All Changes.
3 Type the evaluation serial number or, if necessary, request one. Your evaluation serial number is sent to the email address you provide.
4 Ensure that you have the most up-to-date version of the URL database installed, and confirm that the evaluation version of the enhanced URL filtering component has been correctly registered.

Activating enhanced URL filtering

After you buy the enhanced URL filtering component for your appliance, you receive a serial number for activating the component.

1 In the navigation pane, select System Manage Components Activate the enhanced URL filtering component, then click Activate.
2 Type the email address and the administrator's display name. These are used to request the unblocking of blocked URLs. Then click Apply All Changes.
3 Type the serial number.
4 Activate the serial number. This contacts a website to register the Activation Serial Number.
5 Type the requested information, then click Submit.
6 Log on to the appliance and select System Manage Components in the navigation pane.
7 Ensure that you have the most up-to-date version of the URL database installed, and confirm that the evaluation version of the enhanced URL filtering component has been correctly registered.
The URL filtering database

The URL filtering database contains a list of millions of websites that have been organized into 70 or more categories according to their content. For example, a website might be categorized as a pornography site, an extreme site, or both. The standard categories might be updated from time to time to reflect changes in the type of websites that are available on the Internet. In addition, you can customize up to eight of your own categories. You cannot view the content of the URL filtering database. For a list of the categories, see the www.securecomputing.com website.

You can:
  Use the URL Filter Database Updating feature to download the latest URL filtering database from the preconfigured site. The downloaded database includes newly categorized URLs and, occasionally, new categories.
  Add new URLs to existing categories.
  Create your own categories and add URLs to them.
  Specify how keywords used in search engine URLs will be categorized.

When you activate the evaluation or the licensed version of enhanced URL filtering, we recommend that you immediately update the URL filtering database. To ensure that the appliance always uses the latest database, we suggest that you regularly update the database and that you review the update schedule. Updates are managed locally through the appliance. They are not managed from within the McAfee ePolicy Orchestrator software.

To update the database:

1 In the navigation pane, select Update URL Filter to display information about any scheduled updates.
2 Click Update URL Filter Database to open the first page of a wizard. You can use the following updates:
  Full automatic updates configure the appliance to automatically download the latest URL filtering database from a preconfigured site. The database can be downloaded hourly, daily, or weekly.
  Incremental updates configure the appliance to download only the differences between your existing URL filtering database and the latest database.
  Full manual updates download the whole database manually at any time.
  Updating the URL filtering database does not overwrite your own categories.
  Tip: For regular daily updates, the incremental option usually provides a quicker update. If the incremental update fails, run a full update.
3 If necessary, type the requested HTTP proxy server information, then click Next.
4 Choose when to update the URL Filter database. We recommend an Immediate update. After the immediate update completes, set up a regular scheduled update to ensure that your database is kept up-to-date.
5 Click Finish. Your chosen update, immediate or scheduled, runs as configured.

When an update is running, progress messages are displayed in the status bar of the URL Filter Database Updates. When an update has been successful, the status bar briefly displays URL Database finished successfully. You can also select Monitor Updates in the navigation pane to check the current update status and information about when the last update was run. If you are running the first update after activating the licensed or the evaluation version of enhanced URL filtering, pay particular attention to the status of the update. If the update fails, it can indicate that the activation did not complete successfully.

To see additional detailed information about the URL database updates:

1 In the navigation pane, select Monitor Logs.
2 Under Resource and System, select Updates, then click Next. The log of update events for your appliance appears. Because of the way that the updates are obtained from the update server, the log records an update as failing if the server does not send an update. This includes when the server reports that the current database is up-to-date.
3 Double-click a log entry to view Event Properties, containing detailed information about that entry. If an update has failed because the database is currently up-to-date, this is described in the Event Properties.

Configuring enhanced URL filtering

When activated, enhanced URL filtering is available within the HTTP and ICAP protocols. See also URL Filtering on page 219. You can:
  Add specific URLs to any of the existing categories of websites.
  Add URLs to your own definable categories.
  Blacklist a URL to always block a site.
  Whitelist a URL to always allow a site to be viewed, regardless of its category.
  Edit the categories to which a URL has been assigned.
  Delete the user categorization for a URL.
HTTP Policies for HTTP 6 To configure the filter settings: 1 Select URL Filtering and enable the feature. You can also select this feature from a customer policy. If URL Filtering is not visible, the enhanced URL filtering component might not be correctly installed and activated. 2 The Summary of filtering controls area of the URL Filtering dialog box lists the number of categories that are assigned to each of the filtering actions. 3 Use the default alert messages or modify the text that appears within each alert. See Editing alert messages on page 46. 4 Click the link that follows User categorized URLs. The User Categorized URLs dialog box appears. Make a list of URLs to be blacklisted, whitelisted or categorized. See Making lists on page 45. To import and categorize a list of URLs, ensure that the file has each URL on a separate line. 5 Click the Action column for the category and select the action. Submitting URLs for classification You can check if a URL has been categorized within the public URL filtering databases, or you can submit URLs for consideration to be added to the databases. 1 Click Show Quick Help in the navigation pane. 2 Click URL Filtering from the Quick Help. The URL Filtering Quick Help topic appears in a pop-up window. 3 Click the link to the URL check/submission website, then type the URLs that you want to check or submit. 4 Click Check URLs and follow any further instructions. Configuring URL filtering based on policy groups After you configure any user and group-based policies, configure any URL filtering policies for the users and groups, based on the authenticated user name. See also Viewing URL filtering reports on page 205. Set individual user-specific policies to a higher priority than group-based policies. For a specific user, the policy used is the first one that matches. 
Enabling URL filtering
This setting is not mandatory, but might be useful during configuration, because you can then view logs containing the names of users who have browsed undesirable websites. See Testing policy selections on page 189.
To configure enhanced URL filtering:
1 In the navigation pane, select System | Manage Components, then select Activate the Enhanced URL filtering component. You will need a license key.
2 In the navigation pane, select Policy | HTTP, then Content, and enable URL Filtering.
3 In the navigation pane, select Configure Logging, Alerting and SNMP.
4 At Source Filters, select the HTTP tab.
5 At Detection Events, click Advanced to log Allow events and track the effects of transparent authentication.

Testing policy selections
After you have configured the content policies, if you have URL filtering enabled (see Setting up the directory on page 172), you can examine the reports for any events logged against the configured policies.
To view URL events by policy name:
1 Apply your policy configurations. See Configuring authenticated user-based content policies on page 180.
2 Browse the Internet for sites that meet the criteria set. You might want to create test users for this.
3 Generate URL filtering reports:
  a In the navigation pane, select Monitor | Logs, then select URLs filtered.
  b Click Next.
  c Select a time range for collecting log data.
  d From the drop-down list under Display Category, select Policy.
  e Click Apply Filter.
  f Select the Itemized View tab.
  g Click Show full results to display URL events against the various policies.
For each policy, drill down and ensure that the expected user names have been monitored as accessing the sites.

Scanner control
To overcome performance problems caused by a denial-of-service attack or a complex file, you can set limits on scanning. For more information, see Scanner control on page 119.
1 In the navigation pane, select Policy | HTTP | Content | From inside or From outside | Scanner Control.
2 If this is a sub-policy and you want it to inherit settings from the global policy, see Step 12 on page 59.
3 To specify any time restrictions, see Adding time-specific settings to non-global policies on page 60.
4 To specify the actions that the appliance must take when a detection occurs, see Actions on page 73.
5 To customize or create any alert messages, see Editing alert messages on page 46.

Data loss prevention
To prevent confidential data being posted to external websites, the appliance scans the text of each upload.
To use this feature, select Policy | HTTP | Content | From inside or From outside | Data Loss Prevention in the navigation pane. For more information, see Data loss prevention on page 113 and Compliancy on page 117.

Compliancy
As a result of increasingly stringent regulations, many organizations in the health care, finance and government sectors need to prevent the leaking of private and sensitive information. See also Data loss prevention on page 113.
Compliancy uses content libraries of key terms to ensure content complies with health care and privacy regulations. The feature enforces compliancy where determined by policy, and reports any violations.
You do not normally need to change the contents of content libraries. The content libraries are intended for general use by the appliance and therefore contain some information that is relevant only to some protocols.
To use the feature, select Policy | HTTP | Content | From inside or From outside | Compliancy in the navigation pane. For more information, see Compliancy on page 117.

Alert settings
The appliance sends a message to clients when specific events occur. For more information, see Alert messages on page 286.
To use the feature, select Policy | HTTP | Content | From inside or From outside | Alert Settings in the navigation pane. Set up the alert and type its text. You can use the substitution variables described in Substitution Variables on page 310.

HTTP protocol policies
To set policies that control the communication between the appliance and hosts in your inside and outside networks, select Policy | HTTP | Advanced Policies | Protocol in the navigation pane.
You can configure the following policy features:
• Basic URL blocking on page 191.
• Client alert messages on page 191.
• Client download status messages on page 192.
• Denial-of-service prevention on page 192.
• Download status and data trickling on page 192.
• FTP over HTTP on page 196.
• HTTPS URL blocking on page 196.
• Handoff host on page 196.
• Header blocking and modifications on page 197.
• Instant messaging on page 197.
• Protocol details on page 198.
• Request permissions on page 199.
• Scanning on page 200.
• Streaming media on page 200.
This section also includes: Setting up Internet Explorer to proxy requests to the appliance on page 207.

Basic URL blocking
The appliance can block access to certain websites. You can:
• Block specific URL addresses, by specifying those addresses in a list of denied URLs. For example, to block access to any website that contains the word guns, add guns to the list. To block access to all websites hosted by a specific company, add the company name to the list.
• Use regular expressions to block all websites that contain certain text patterns in their URL addresses. For example, ^http://.*/images/ matches URLs that begin with http:// and have the text string /images/ within the address.
• Block based on specific characters within URL addresses. Some characters within URL addresses can cause problems for older browsers. You can set up the appliance to reject URL requests that contain these characters. This option is included for backward compatibility with older browsers. As new browser versions replace those older browsers, it is unlikely that you will need this feature.
If you have activated the optional Enhanced URL filtering component, the appliance also uses a URL filtering database to control access to websites. The database categorizes websites according to their content, such as pornography and violence, and is regularly updated.
To block these websites, select Policy | HTTP | Advanced Policies | Protocol | Basic URL Blocking in the navigation pane.

Client alert messages
You can edit the messages that the appliance sends to alert users about specific events that have occurred.
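The three kinds of Basic URL blocking rule described above (denied text, regular expressions, rejected characters), as an added example that is not code from the McAfee guide. The rule lists and the set of rejected characters are constructed for the demonstration; the regular expression ^http://.*/images/ is the one quoted in the guide.

```python
"""Added example, not code from the McAfee guide: a deny-list matcher that applies the
three kinds of Basic URL blocking rule described above. The rule lists and the set of
rejected characters are constructed for the demonstration."""
import re

# Constructed literal rules: matched case-insensitively anywhere in the URL, which is
# how the guide describes adding "guns" or a company name to the list of denied URLs.
DENIED_TEXT = ["guns", "examplecorp"]

# Constructed regular-expression rules; the first is the pattern quoted in the guide.
DENIED_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"^http://.*/images/", r"\.scr$")]

# Assumed set of characters that older browsers mishandle (the guide does not list them).
REJECTED_CHARS = frozenset("\x00\"<>{}|\\^`")


def url_blocking_decision(url):
    """Return (blocked, reason); rules are tried in the order literal, regex, characters."""
    lowered = url.lower()
    for text in DENIED_TEXT:
        if text in lowered:
            return True, "denied text: " + text
    for pattern in DENIED_PATTERNS:
        if pattern.search(url):
            return True, "denied pattern: " + pattern.pattern
    bad = sorted(REJECTED_CHARS.intersection(url))
    if bad:
        return True, "rejected characters: " + repr("".join(bad))
    return False, "allowed"


def filter_urls(urls):
    """Apply the decision to a batch of URLs and return only those that would be blocked."""
    return [u for u in urls if url_blocking_decision(u)[0]]


if __name__ == "__main__":
    # Constructed sample requests.
    for u in ["http://news.example.com/sports/",
              "http://www.GunsOnline.example/",
              "http://www.example.com/images/logo.png",
              "https://www.example.com/images/logo.png",   # the anchored regex does not match https
              "http://www.example.com/page{1}"]:
        print(u, "->", url_blocking_decision(u))
```

Two points worth checking in any rule set of this kind: a literal entry such as guns matches the substring anywhere in the URL, host name included, so it can block unrelated sites; and a pattern anchored on ^http:// does not match the same path requested over https, which is why HTTPS URL blocking (page 196) is configured separately.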
You can set up a standard header and footer for use in all the alert messages to users.
1 In the navigation pane, select Policy | HTTP | Advanced Policies | Protocol | Client Alert Messages.
2 To customize or create an alert message, see Editing alert messages on page 46.

Client download status messages
You can edit the message that the appliance shows to a user who downloads a large file from a website. The download status message reassures the user that the download is still in progress. This message is also known as a comfort page. For example:
  Appliance is downloading
  File: aaa.doc
  10,234,555 bytes
  70 % complete
  To stop this download, click Cancel.
Caution: Take care when changing these settings, because incorrect settings might prevent your users downloading information.
To create a message:
1 In the navigation pane, select Policy | HTTP | Advanced Policies | Protocol | Client Download Status Messages.
2 To customize or create an alert message, see Editing alert messages on page 46.

Denial-of-service prevention
To prevent denial-of-service attacks, the appliance can refuse an HTTP request if:
• The HTTP header exceeds a defined size.
• The number of lines in an HTTP header exceeds a defined limit.
To use this feature, select Policy | HTTP | Advanced Policies | Protocol | Denial of Service Prevention in the navigation pane.

Download status and data trickling
You can use one of the following options to help overcome the problems with downloading large files:
Download status pages
When a user downloads a file over HTTP, the appliance contacts the server and starts downloading the file to a storage area on the appliance. The appliance downloads the whole file and scans it before sending the file to the user. Large files can take a long time to download and scan, and users might think that the connection has timed out if they do not see any activity from the appliance. To prevent this problem, you can configure the appliance to display a download status page that reassures the user that the download is still in progress.
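The two Denial-of-service prevention limits described above (a maximum header size and a maximum number of header lines), enforced on a raw request head, as an added example that is not code from the McAfee guide. The limit values and the sample requests are constructed.

```python
"""Added example, not code from the McAfee guide: the two denial-of-service limits
described above (maximum header size, maximum number of header lines) enforced on a
raw HTTP request head before anything else is parsed. Limit values are assumptions."""

MAX_HEADER_BYTES = 8192   # assumed limit on the request line plus all header lines
MAX_HEADER_LINES = 100    # assumed limit on the number of header lines


class HeaderLimitExceeded(Exception):
    """Raised when the request head breaches a configured limit."""


def check_request_head(raw, max_bytes=MAX_HEADER_BYTES, max_lines=MAX_HEADER_LINES):
    """Parse only the request head (up to the blank line) and refuse it when a limit is hit.

    Byte and line counts are checked before any per-header work, so the cost of
    rejecting a hostile request does not grow with the size of that request.
    """
    end = raw.find(b"\r\n\r\n")
    if end == -1:
        # No terminator yet: stop reading as soon as the byte budget is spent.
        if len(raw) > max_bytes:
            raise HeaderLimitExceeded("header exceeds %d bytes without terminating" % max_bytes)
        raise ValueError("incomplete request head")
    head_len = end + 4
    if head_len > max_bytes:
        raise HeaderLimitExceeded("header is %d bytes, limit %d" % (head_len, max_bytes))
    lines = raw[:end].split(b"\r\n")
    header_lines = lines[1:]                      # everything after the request line
    if len(header_lines) > max_lines:
        raise HeaderLimitExceeded("%d header lines, limit %d" % (len(header_lines), max_lines))
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"request_line": lines[0].decode("latin-1"), "headers": headers}


def is_refused(raw):
    """True when the appliance would refuse the request under the DoS limits."""
    try:
        check_request_head(raw)
    except HeaderLimitExceeded:
        return True
    return False


# Constructed requests for the demonstration.
NORMAL_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
                  b"User-Agent: Mozilla/5.0\r\n\r\n")
# Many small headers: stays under the byte limit but breaches the line limit.
LINE_FLOOD = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
              + b"".join(b"X-Pad-%d: x\r\n" % i for i in range(500)) + b"\r\n")
# One huge header value: few lines but far over the byte limit.
BYTE_FLOOD = b"GET / HTTP/1.1\r\nHost: example.com\r\nCookie: " + b"a" * 9000 + b"\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("normal", NORMAL_REQUEST), ("line flood", LINE_FLOOD), ("byte flood", BYTE_FLOOD)]:
        print(label, "refused" if is_refused(req) else "accepted")
```

The two limits catch different shapes of abuse: the byte limit bounds memory spent buffering a single request, while the line limit bounds the number of header entries a client can force the proxy to index even when each is tiny.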
Download status pages can be generated when:
• The appliance receives an HTTP request from a client whose web browser has been set up to use the appliance as an HTTP proxy.
• The appliance operates in Transparent Router or Transparent Bridge mode, and receives an HTTP request from a client whose web browser has not been set up to use the appliance as an HTTP proxy.
• The client's browser has been configured to make FTP requests over an HTTP connection. In this case, the web browser sends an HTTP request to the appliance, typically using port 80. The appliance examines the HTTP request to see which service is being requested. The appliance sees that an FTP service is being requested, and makes an FTP connection (typically using port 21) to the FTP server.
To find out how to set up the browser to use the appliance as a proxy, and how to set it up to use FTP over HTTP, see Setting up Internet Explorer to proxy requests to the appliance on page 207.
You can:
• Enable or disable status pages during downloads when the appliance is operating in Transparent Router or Transparent Bridge mode.
• Specify which browsers can display the status pages. Internet Explorer is assumed. If your users have them, specify Mozilla and other browsers.
• Specify the file extensions that will trigger the download status pages, such as GZ, EXE, ZIP, PDF, ISO and BMP.
• Specify which content types prevent the use of download status pages.
• Configure the display settings for the download status page.
• Specify whether download status pages will be used when there are no referers.
Data trickling
When a user downloads a file over HTTP, the appliance contacts the server and starts downloading the requested file to a storage area on the appliance. The appliance typically downloads the whole file and scans it before sending the file to the user. Large files can take a long time to download and scan, and users might think that the connection has timed out if they see no activity from the appliance.
The appliance can be configured to send the file to the client as a series of smaller data chunks, before the whole file has been received from the server and scanned by the appliance. This is known as data trickling.
The table describes the advantages and disadvantages of using data trickling.
Table 6-1 Advantages and disadvantages
Data trickling is enabled
  Advantages: Good user experience. Instead of waiting for the whole file to be downloaded, the file can be downloaded as a series of much smaller data chunks. Information in these data chunks can be displayed as it is downloaded, making the download process seem faster to users. The user can leave large files to download without the risk that the web browser will time out the connection in their absence.
  Disadvantages: Less secure. A file is downloaded as a series of small data chunks, which are placed on the user's hard disk drive before the appliance can scan the whole file. These data chunks might contain a virus or some other potentially unwanted programs. More administration for users. Users will need to remove these files.
Data trickling is disabled
  Advantages: More secure. The whole file is scanned before it is downloaded.
  Disadvantages: Poor user experience. The user must wait for the entire file to download before it can be used.
Caution: Data trickling can leave your network vulnerable to viruses and other potentially unwanted programs. We recommend using client download status messages (comfort pages) instead.
You can specify:
• How long the appliance will wait before data trickling starts.
• How long the appliance will wait between each series of data chunks.
• How many bytes are trickled each time.
• How much of the file can be trickled, as a percentage of the total file size.
Keep-alive headers
When a user downloads a file over HTTP, the appliance contacts the server and starts downloading the requested file to a storage area on the appliance. The appliance typically downloads the whole file and scans it before sending the file to the user. Large files can take a long time to download and scan, and the client software can time out the connection if it detects no activity from the appliance.
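The download status page decision described under Download status pages (permitted browsers matched against User-Agent, triggering file extensions, content types that prevent status pages, transparent mode and the no-referer setting), together with a calculation of how much of a file data trickling places on the client before the scan verdict, as an added example that is not code from the McAfee guide. The policy values are constructed to resemble the defaults the guide names, and the trickling calculation is a simplification that assumes the whole file has already reached the appliance.

```python
"""Added example, not code from the McAfee guide: the decision described above of
whether a download gets a status page (comfort page), driven by the permitted-browser
list matched against User-Agent, the triggering file extensions, the content types
that prevent status pages and the no-referer setting, plus a calculation of how much
of a file data trickling would place on the client before the scan verdict. The
policy values are constructed to resemble the guide's defaults."""
import posixpath
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class DownloadPolicy:
    status_pages_enabled: bool = True
    browsers: tuple = ("Mozilla",)                    # substrings looked for in User-Agent
    trigger_extensions: frozenset = frozenset({"GZ", "EXE", "ZIP", "PDF", "ISO", "BMP"})
    blocking_content_types: frozenset = frozenset({"text/html", "text/plain"})  # assumed
    show_in_transparent_mode: bool = False
    show_when_no_referer: bool = False


def should_show_status_page(policy, url, request_headers, response_content_type, transparent_mode):
    """Return True when a download status page may be sent while the file is scanned."""
    if not policy.status_pages_enabled:
        return False
    if transparent_mode and not policy.show_in_transparent_mode:
        return False
    headers = {k.lower(): v for k, v in request_headers.items()}
    if not any(b in headers.get("user-agent", "") for b in policy.browsers):
        return False          # browser not in the permitted list; it may not render the page
    ext = posixpath.splitext(urlsplit(url).path)[1].lstrip(".").upper()
    if ext not in policy.trigger_extensions:
        return False
    mime = response_content_type.split(";")[0].strip().lower()
    if mime in policy.blocking_content_types:
        return False
    if "referer" not in headers and not policy.show_when_no_referer:
        # Save Target As sends no Referer; a status page sent here could be saved as the file.
        return False
    return True


def bytes_trickled_before_verdict(file_size, verdict_after_s, start_delay_s, interval_s,
                                  chunk_bytes, max_percent):
    """Bytes that trickling hands the client before the scan verdict arrives at verdict_after_s.

    Simplification: the percentage cap is applied to the full file size, which assumes
    the whole file has already arrived at the appliance when trickling starts.
    """
    if verdict_after_s < start_delay_s:
        return 0
    rounds = 1 + (verdict_after_s - start_delay_s) // interval_s
    cap = file_size * max_percent // 100
    return min(cap, rounds * chunk_bytes)


if __name__ == "__main__":
    policy = DownloadPolicy()
    # Constructed request from an Internet Explorer user agent (which identifies as Mozilla).
    ie = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
          "Referer": "http://example.com/downloads/"}
    print(should_show_status_page(policy, "http://example.com/files/setup.exe", ie,
                                  "application/octet-stream", transparent_mode=False))
    print(bytes_trickled_before_verdict(10_000_000, 60, 10, 5, 4096, 5))
```

The second function quantifies the caution above: with a 10 MB file, a 60-second scan, a 10-second start delay, a 5-second interval and 4096-byte chunks, 45,056 bytes are on the client's disk before the verdict, and the percentage cap is the only setting that bounds that exposure for a slow scan.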
For more information, see Keeping the connection open on page 137.
To set up data trickling:
1 In the navigation pane, select Policy | HTTP | Advanced Policies | Protocol | Download Status and Data Trickling.
2 To display status pages, select Enable status pages during downloads.
3 In Display download status pages in these browsers, use Add, Modify and Delete to manage the list of browsers that can display the status pages.
When the appliance receives an HTTP request, it checks the browser information in the User-Agent part of the HTTP request header against this list of permitted browser types. If the browser type is in the list, the download status page can be displayed. If the browser is not in the list, a download status page is not displayed. The default value, Mozilla, is suitable for the most commonly used browsers, including Microsoft's Internet Explorer.
4 In File types that trigger download status pages, use Add, Modify and Delete to build the list of file extensions that will trigger the appliance to display download status pages. You do not need to type the dot (.). For example, type EXE to cause executable files to trigger download status pages.
5 In Content types that prevent download status pages, use Add, Modify and Delete to build the list of content (MIME) types that will not trigger download status pages.
6 To display download status pages for appliances in Transparent Router or Transparent Bridge mode, from Display status pages when, select In transparent mode. Otherwise, to display download status pages when there are no referers, select There are no referers.
When a user requests a service by clicking a link, the URL of the webpage containing that link is known as the referer and is part of the HTTP standard. Most browsers pass the referer URL as part of the request for that service. Referer information is not always produced. For example, when the Save Target As option is used to download a file to a local computer, there is no need for referer information to be passed in the request. You can specify whether download status pages must be used when there is no referer information in the request. If you select There are no referers, and a user tries to download a file to their local computer using the Save Target As option, the download status page, instead of the requested file, might be saved.
This is because the computer cannot distinguish between the download status page and the file requested by the user. For this reason, you might not want to display download status pages when there are no referers.
7 Under When displaying status pages:
  a Type how long the appliance waits before displaying the first download status page.
  b Type how long the appliance waits before updating the download status page.
  c To display how long the appliance has been scanning the file it is downloading, select Display the elapsed time.
  d To use JavaScript-based HTML for the download status page, select Use JavaScript based HTML.
8 Under Enable data trickling during downloads, specify:
  a How long the appliance waits before starting to trickle data.
  b How often the data will be trickled to the client.
  c The largest number of bytes of data that can be sent each time data is trickled to the client.
  d The percentage of data (as a percentage of the total amount downloaded so far) that can be trickled each time.
9 In Send a keepalive every, type how long the appliance waits before sending a keep-alive message.

FTP over HTTP
The appliance allows FTP transfers over an HTTP connection. For example, a user might click a link in a webpage that launches a dialog box allowing a download of software or a user guide.
You can configure the appliance to use passive FTP when transferring data to or from the remote FTP server over an HTTP connection. You can also specify which format will be used when the FTP directory information is returned.
Typically, FTP over HTTP is used only when the client browser is configured to use the appliance as a proxy.
1 In the navigation pane, select Policy | HTTP | Advanced Policies | Protocol | FTP over HTTP.
2 Select Enable passive FTP mode.
3 Select the format that will be used when the FTP directory information is returned.

HTTPS URL blocking
To intercept HTTPS (secure HTTP) traffic and pass requests to URL filtering, select Policy | HTTP | Advanced Policies | Protocol | HTTPS URL Blocking in the navigation pane. Logging of events is controlled by the existing HTTP settings.
For appliances running in Transparent Mode, you can enable URL filtering for HTTPS traffic by ensuring that the port is still correctly set to capture HTTPS traffic. To do this, use Configure HTTP Connection Settings [Advanced] in the navigation pane. The port for HTTPS traffic is 443.

Handoff host
The appliance can be configured to use a handoff host for HTTP traffic. A handoff host diverts all client requests to a specific server. This server is then responsible for handling the client requests. For example, a handoff host is used to divert requests to another proxy, such as a web cache.
You can use this feature to:
• Set up a handoff host for the appliance.
• Specify whether the HTTP GET requests sent by the appliance will be formatted for use by a proxy or by a web server.
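The two GET request formats for a handoff host (proxy style with an absolute URL, web-server style with a path only) that the following paragraphs describe, together with the denied-header removal and Via: header handling of the Header blocking and modifications section, as an added example that is not code from the McAfee guide. The appliance pseudonym, the denied-header list and the sample request are constructed; the Via: syntax follows RFC 2616.

```python
"""Added example, not code from the McAfee guide: preparing a request for a handoff
host. It builds the proxy-style request line (absolute URL) or the web-server-style
one (path only), drops denied request headers, and appends this hop to the Via:
header as RFC 2616 defines it, refusing to forward when the appliance already appears
there (a request loop). The appliance pseudonym, the denied-header list and the
sample request are constructed."""
from urllib.parse import urlsplit

APPLIANCE_VIA = "1.1 appliance.example.internal"   # assumed: protocol version and this hop's pseudonym
DENIED_REQUEST_HEADERS = ["X-Forwarded-For", "Proxy-Connection"]  # constructed deny list


def request_line(url, handoff_is_proxy, http_version="HTTP/1.0"):
    """GET line for the handoff host: absolute URL for a proxy, path only for a web server."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return "GET %s %s" % (url if handoff_is_proxy else path, http_version)


def via_hops(headers):
    """All hops already listed in Via: headers (there may be several Via lines)."""
    hops = []
    for name, value in headers:
        if name.lower() == "via":
            hops.extend(v.strip() for v in value.split(",") if v.strip())
    return hops


def loops_back(headers, via=APPLIANCE_VIA):
    """True when this appliance is already in the Via chain, i.e. the request has looped."""
    return via in via_hops(headers)


def forward_headers(headers, denied=DENIED_REQUEST_HEADERS, via=APPLIANCE_VIA):
    """Remove denied headers (case-insensitively) and append this hop to a single Via: header."""
    if loops_back(headers, via):
        raise RuntimeError("request loop detected: %s already present in Via" % via)
    denied_lower = {d.lower() for d in denied}
    kept = [(n, v) for n, v in headers if n.lower() not in denied_lower and n.lower() != "via"]
    kept.append(("Via", ", ".join(via_hops(headers) + [via])))
    return kept


def build_request(url, headers, handoff_is_proxy):
    """Full request text as sent to the handoff host."""
    lines = [request_line(url, handoff_is_proxy)]
    lines += ["%s: %s" % (n, v) for n, v in forward_headers(headers)]
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    # Constructed client request that has already passed one proxy called fred.
    client_headers = [("Host", "example.com"), ("X-Forwarded-For", "10.0.0.5"), ("Via", "1.0 fred")]
    print(build_request("http://example.com/index.html", client_headers, handoff_is_proxy=True))
    print(build_request("http://example.com/index.html", client_headers, handoff_is_proxy=False))
```

Sending the proxy-style line to a plain web server, or the path-only line to a proxy, is the usual symptom of the Handoff host is a proxy option being set wrongly; the loop check is the practical reason the guide gives for adding Via: headers.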
If a GET request is formatted for use by a proxy, it contains a URL that includes the domain name or IP address of the server hosting the requested HTTP service and the name of the requested page. For example, if the user wants to view the default page (index.html) for the website example.com, the GET request might look like this:
  GET http://example.com/index.html HTTP/1.0
If the GET request is formatted for use by a web server, it contains only the name and path of the requested page (index.html in this example):
  GET /index.html HTTP/1.0
1 In the navigation pane, select Handoff Host.
2 If you want the appliance to format the GET requests for use by a proxy, select Handoff host is a proxy. If you want the appliance to format the GET requests for use by a web server, deselect that option.
3 Type the IP address and the port number that the handoff host uses to receive HTTP traffic from the appliance.

Header blocking and modifications
The appliance can be configured to:
• Remove certain request and response headers.
• Add Via: headers to HTTP requests and responses. The Via: general-header field is used by gateways and proxies to indicate the intermediate protocols and recipients between the client and the server on requests, and between the origin server and the client on responses. The Via: headers are intended to:
  • Track message forwarding.
  • Avoid request loops.
  • Identify the protocol capabilities of all senders along the request/response chain.
Incorrectly configured settings can cause serious network problems. We recommend that you change these settings only at the request of McAfee Technical Support or a network expert.
1 In the navigation pane, select Policy | HTTP | Advanced Policies | Protocol | Header Blocking and Modifications.
2 In Denied request headers, make the list of request headers that are not allowed.
3 In Denied response headers, make the list of response headers that are not allowed.
4 In Add Via: headers to, select the requests and responses to which the Via: headers will be added.

Instant messaging
Instant messaging offers real-time text conversations between users. Examples of instant messaging clients include:
• MSN Messenger from Microsoft Corporation.
• Yahoo! Messenger from Yahoo! Inc.
• AOL Instant Messenger (AIM) from America Online Inc.
Instant messaging can sometimes install malware. Its inappropriate use can also distract employees and reduce productivity. Thus, many organizations block instant messaging protocols by firewall at the network gateway. However, if a firewall blocks their usual port number, some instant messaging clients try other port numbers. For example, some instant messaging clients try to tunnel instant messaging traffic over HTTP. They wrap the message in an HTTP message complete with the HTTP headers and send it like HTTP.
The appliance blocks instant messaging by detecting certain phrases within the HTTP headers and POST body data.
Caution: If the appliance is operating in a transparent mode, and HTTP traffic is not intercepted on an intercept port, instant messaging traffic passes through the appliance unscanned. To prevent this, set up the Intercept Ports option (see Configuration for HTTP on page 169), or use a firewall to restrict access to any open ports.
In the navigation pane, select Policy | HTTP | Advanced Policies ... Instant Messaging, then select the instant messaging services you want to block.

Protocol details
You can specify how the appliance displays NTLM failure pages. Some clients and servers use the Microsoft Windows NT LAN Manager (NTLM) authentication protocol for the secure transmission of credentials, including passwords. This is also known as Windows NT challenge/response authentication.
Sometimes, the NTLM authentication process fails. For example, if a client using a web browser configured to operate in proxy mode tries to connect via the appliance to a server that requires NTLM authentication, the authentication fails. NTLM works in transparent modes only.
1 In the navigation pane, select Policy | HTTP | Advanced Policies | Protocol | Protocol Details.
2 Under General, if necessary:
  a Select Display NTLM failure pages.
  b Forward non-compliant POST requests through the appliance. A POST request is a request made by an HTTP client to send data to a server. A non-compliant POST request occurs when the client (web browser) appends non-compliant characters, such as line breaks, to the POST request. Such malformed requests may be part of an attack on a web server. This option is off by default.
  c Specify the maximum number of requests that can be made through the same connection before the appliance drops the connection.
3 If required, downgrade to HTTP version 1.0. Some clients and servers support HTTP version 1.0 only. The appliance supports the HTTP version 1.1 protocol. To communicate with older clients and servers, the appliance can be configured to use HTTP version 1.0 when dealing with HTTP requests or redirections.
4 Select your TRACE and OPTIONS settings. See the HTTP RFC (2616) for more information.
5 Under Advanced, configure the appliance to include information about itself when issuing certain pages, such as download status pages. This information includes the IP address of the appliance and the HTTP port number on which it receives HTTP traffic. This is required only in large networks that have many appliances and additional load-balancing hardware. The load-balancing devices use the information to make sure that HTTP requests are routed to the appliance.
Caution: Configure this option only if you are advised to do so by McAfee Technical Support or your network expert.

Request permissions
Request permissions allow you to restrict some HTTP and FTP activity. For example, you can prevent users outside your network using POST or PUT to put files onto your website.
1 In the navigation pane, select Policy | HTTP | Advanced Policies | Protocol | Request Permissions.
2 Create a list of verbs that can be used in communication between the hosts and the appliance. The HTTP verbs include GET, PUT, HEAD, OPTIONS, TRACE, POST, DELETE and CONNECT. Not all HTTP verbs are mentioned here. See RFC 2616 for more information.
3 Create a list of request schemes that can be used. If you type schemes in the permitted list, by implication all other schemes are rejected. URLs include text that defines which resource is being requested. For example:
  http  Hypertext Transfer Protocol
  ftp   File Transfer Protocol
4 Create a list of HTTP port numbers that can be used for HTTP traffic that is not sent over the Secure Sockets Layer (SSL).
The appliance will forward requests to certain port numbers only. The entry 1025- means port number 1025 or above.
5 Create a list of SSL port numbers that can be used. To prevent circumvention of scanning, the appliance forwards requests to certain port numbers only. The port numbers that can be used depend on which HTTP verb is being used. Access using the CONNECT verb is more tightly restricted than other verbs, because after the CONNECT verb is accepted, most data can be transferred.
Caution: Changing port numbers can cause serious security and connectivity issues for your network. We recommend that you change these settings only if requested to do so by McAfee Technical Support or by your own network expert.
6 Specify whether proxy requests are allowed.

Scanning
The appliance can scan request and response bodies, cookies and headers. In the navigation pane, select Policy | HTTP | Content | Anti-Virus, enable the scanning, then follow the instructions starting from Step 1 on page 78.
Some items can be identified by the type of Internet cookies they use. The appliance can be configured to detect and block those cookies. A special cookie blocking action, if selected, overrides the usual HTTP primary action. For example, if the primary action is Replace infected item with alert, and you select Or remove detected cookies, the appliance removes the affected cookies, but does not replace them with an alert.

Streaming media
Streaming media is a technique for transferring data such that it can be processed as a steady and continuous stream. The user can therefore view or listen to the data before the entire file has been transmitted.
The appliance cannot scan streaming media. To be able to scan a file for viruses, all of the data contained in that file must be available to the appliance. Streaming media is a continuous stream of data without a clear end-marker to indicate that the transmission is complete. The appliance does not know whether it has received the whole file, and therefore cannot complete the scan.
The appliance can be set up to allow streaming media to pass through it unscanned. Allowing streaming media to pass through the appliance is a security risk, because streaming media is not scanned by the appliance. We strongly discourage allowing streaming media of type application/octet-stream or application/* to pass through the appliance, because some of these MIME types may be executable and are a potential security risk.
You can specify:
• Whether streaming media is allowed to pass through the appliance.
• Types of data that the appliance considers to be streaming media.
• Types of servers where the appliance treats all data as streaming media.
  Data received from these servers is treated as streaming media and is not scanned by the appliance. This presents a security risk to your network. Configure this option only at the request of McAfee Technical Support or your network expert.
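The Request permissions checks described on the preceding pages (permitted verbs, permitted schemes with everything else rejected, permitted plain-HTTP ports, and a tighter port list for CONNECT, with entries such as 1025- meaning that port or above), applied to one request, as an added example that is not code from the McAfee guide. All permitted lists are constructed for the demonstration.

```python
"""Added example, not code from the McAfee guide: the Request permissions checks
applied to one request: permitted verbs, permitted schemes (anything not listed is
rejected), permitted plain-HTTP ports, and a tighter port list for CONNECT, with list
entries such as "1025-" meaning that port or above. All lists are constructed."""
from urllib.parse import urlsplit

PERMITTED_VERBS = {"GET", "HEAD", "POST", "OPTIONS", "CONNECT"}  # constructed; no TRACE, PUT, DELETE
PERMITTED_SCHEMES = {"http", "ftp"}                             # constructed
HTTP_PORTS = ["80", "8080", "1025-"]                            # constructed plain-HTTP port list
SSL_PORTS = ["443"]                                             # constructed: CONNECT only to 443
VERBS_DENIED_FROM_OUTSIDE = {"POST", "PUT"}                     # the guide's example restriction


def parse_port_entries(entries):
    """Turn entries such as "80", "8000-8010" or "1025-" into inclusive (low, high) ranges."""
    ranges = []
    for entry in entries:
        entry = entry.strip()
        if entry.endswith("-"):
            ranges.append((int(entry[:-1]), 65535))
        elif "-" in entry:
            low, high = entry.split("-", 1)
            ranges.append((int(low), int(high)))
        else:
            ranges.append((int(entry), int(entry)))
    return ranges


def port_permitted(port, entries):
    return any(low <= port <= high for low, high in parse_port_entries(entries))


def check_request(verb, target, from_outside=False):
    """Return (allowed, reason) for a request line's verb and proxy-style target."""
    verb = verb.upper()
    if verb not in PERMITTED_VERBS:
        return False, "verb %s not permitted" % verb
    if from_outside and verb in VERBS_DENIED_FROM_OUTSIDE:
        return False, "%s from outside the network not permitted" % verb
    if verb == "CONNECT":
        # After CONNECT is accepted almost anything can flow, so only the SSL port list applies.
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():
            return False, "CONNECT target must be host:port"
        if not port_permitted(int(port), SSL_PORTS):
            return False, "CONNECT to port %s not permitted" % port
        return True, "ok"
    parts = urlsplit(target)
    if parts.scheme not in PERMITTED_SCHEMES:
        return False, "scheme %s not permitted" % (parts.scheme or "(none)")
    try:
        port = parts.port or {"http": 80, "ftp": 21}[parts.scheme]
    except ValueError:
        return False, "invalid port in target"
    if parts.scheme == "http" and not port_permitted(port, HTTP_PORTS):
        return False, "port %d not permitted for plain HTTP" % port
    return True, "ok"


if __name__ == "__main__":
    # Constructed request lines, as a proxy would see them.
    for verb, target in [("GET", "http://example.com:8000/"), ("GET", "http://example.com:81/"),
                         ("CONNECT", "example.com:443"), ("CONNECT", "example.com:8000"),
                         ("TRACE", "http://example.com/"), ("GET", "gopher://example.com/")]:
        print(verb, target, "->", check_request(verb, target))
```

The contrast between GET to port 8000 (allowed by the 1025- entry) and CONNECT to port 8000 (refused) is the point of keeping two port lists: once a CONNECT tunnel is open the appliance no longer sees what crosses it, so the SSL list should stay as short as the deployment allows.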
Incoming streaming media must satisfy some security conditions before it passes to internal users. These security conditions depend on the operating mode of the appliance:
• Explicit Proxy mode: Streaming media on ports not scanned by the appliance cannot pass through the appliance. Set up an alternative network route for this traffic. For streaming media arriving on port 80, Allow streaming media must be selected. The media stream must also identify itself as a MIME type that is treated as streaming media by the appliance.
• Transparent mode: Streaming media on ports not scanned by the appliance passes through the appliance to the users. For streaming media arriving on port 80, the Allow streaming media checkbox must be selected and the media stream must also identify itself as MIME type audio/*.
Advanced configuration
You can allow other types of streaming media, such as video/* and application/x-mms-framed, to pass through the appliance.
1 In the navigation pane, select Policy | HTTP | Advanced Policies | Protocol ... Streaming Media.
2 Make a list of data types (such as text/plain) that will be allowed to pass through the appliance.
3 Make a list of server types from which the appliance will accept streaming media files, for example, cougar.

HTTP connection policies
To configure policies for HTTP connections initiated by hosts in your inside and outside networks, select Policy | HTTP | Advanced Policies | Connection in the navigation pane.
You can configure the following HTTP connection features for Secure Internet Gateway and Secure Web Gateway appliances:
• Authentication
• Client on page 207
• Time-outs on page 207
Authentication
You can:
• Enable user authentication for the selected policy. By default, authentication is disabled.
• Select an authentication group from the list of all available authentication groups configured globally. The list is disabled if authentication is off. The selected authentication group defines which authentication service is used.
  Authentication can be configured to try more than one authentication service in a defined order.
Expand the dialog box to show the advanced settings. You can specify:
• P3P Cookie Compact Policy: Privacy policy information that prevents Internet Explorer from rejecting the cookies that hold the authentication information used for single sign-on. See http://www.w3.org/p3p.
• Request Verbs: Request verbs that are acted on to start the authentication redirect process. This is normally set to GET.
• User Agent Exceptions: Using the information from the HTTP header User-Agent field, you can configure a list of agents (such as automatic updating programs) that must not be authenticated. These entries can include wildcard characters.
For Internet Explorer, the policy settings can be centrally controlled by Active Directory (that is, they can be entered once in Active Directory and pushed down as a Group Policy Object [GPO] to all the Internet Explorer browsers within the organization). For more information, see your Microsoft documentation.

Logging and reporting
You can use SmartReporter from Secure Computing to log and report Internet usage. SmartReporter is only supported on English-language operating systems.
Using SmartReporter, you can understand how your organization uses the Internet, monitor bandwidth use, isolate problems, document inappropriate activity, and tailor your filter settings to enforce your policies on Internet usage.
You can use SmartReporter to:
• Monitor the sites that a user visits.
• Monitor users who visit specific websites.
• Monitor users who are active during particular times of day.
• Monitor sites that are visited despite users receiving a coach message stating that the site might be inappropriate.
• Produce reports showing a user identity.
• Send scheduled reports by email.
SmartReporter provides real-time reports and snapshots of an organization's Internet usage and trends by category, location, or individual.
You can identify any abuse and isolate problems, while other departments and staff can run reports and charts without the need for IT involvement.
SmartReporter requires a valid URL filtering license key. For further information about SmartReporter and how to use it, see Configuring reporting on page 204 and Secure Computing's own documentation.
Configuring policy selection criteria for URL filtering
You need to create the groups to which policies will apply. A policy group might be, for example, all users on the same subnet or users in the Sales group. Click Add under Policy Groups in the navigation pane to specify the criteria.
The following criteria are available for content policies:
• The User is in Directory Group: The user's name or identity is in this group. The appliance issues a query to an LDAP server to determine whether the user is in this directory group.
• The User is not in Directory Group: The user identity is not in this group.
• The User is User Name: The user identity is in this list of names or matches this pattern.
• The User is not User Name: The user identity is not in this list of names or does not match this pattern.
The following criteria are available for HTTP connection policies:
• URL matches URL: The user is trying to access this URL.
• URL does not match URL: The user is not trying to access this URL.
User name formats
The format of the user name depends on the type of service: Kerberos, NTLM or LDAP. If the appliance is configured for multiple authentication schemes, user name formats in the URL filtering logs will vary according to the authentication service used for that user.
For a user known as user1 on the Active Directory named scm-auth-ad2 in domain example.example1.com, the user name formats are:
Table 6-2 User name formats
Service: Kerberos
  Format: username@domain.com
  Example: user1@scm-auth-ad2.example.example1.com
  LDAP group lookup: Match to userprincipalname attribute.
Service: NTLM
  Format: domain\username
  Example: scm-auth-ad2\user1
  LDAP group lookup: Match to samaccountname attribute.
Service: LDAP
  Format: LDAP DN for user, cn=username,cn=users,dc=domain,dc=machine,dc=com
  Example: cn=user1,cn=users,dc=scm-auth-ad2,dc=example,dc=example1,dc=com
  LDAP group lookup: Match to dn attribute.
The format might vary according to directory layout and whether the authentication service is Windows.
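Because the URL filtering logs carry the user name in whichever of the three Table 6-2 formats the authenticating service produced, correlating one person's entries means recognising all three. The following is an added example, not code from the McAfee guide: it classifies a logged name as Kerberos UPN, NTLM domain\user or LDAP DN and reduces it to (service, user, domain). The sample names are the guide's own; the rule that the NTLM short domain equals the leading label of the Kerberos realm and of the dc= chain is an assumption that holds for the guide's example.

```python
"""Added example, not code from the McAfee guide: recognising the three user-name
formats of Table 6-2 as they appear in URL filtering logs (Kerberos UPN, NTLM
domain\\user, LDAP DN) and reducing each to (service, user, domain) so that entries
for one person logged under different authentication services can be correlated.
The sample names are the guide's own; the correlation rule is an assumption."""
import re

DC_COMPONENT = re.compile(r"dc=([^,]+)", re.IGNORECASE)


def classify_user_name(name):
    """Return (service, user, domain); domain is lower-cased, user is left as logged."""
    name = name.strip()
    if name.lower().startswith("cn="):
        # LDAP DN: the first RDN is the user, the dc= components spell out the domain.
        # (RDN values with escaped commas are not handled by this simple split.)
        user = name.split(",", 1)[0][3:]
        domain = ".".join(DC_COMPONENT.findall(name))
        return "LDAP", user, domain.lower()
    if "\\" in name:
        domain, user = name.split("\\", 1)
        return "NTLM", user, domain.lower()
    if "@" in name:
        user, domain = name.rsplit("@", 1)
        return "Kerberos", user, domain.lower()
    return "unknown", name, ""


def same_identity(a, b):
    """True when two logged names refer to the same account.

    Assumption: the NTLM short domain name equals the leading label of the Kerberos
    realm and of the LDAP dc= chain, as in the guide's scm-auth-ad2 example.
    """
    _, user_a, dom_a = classify_user_name(a)
    _, user_b, dom_b = classify_user_name(b)
    return user_a.lower() == user_b.lower() and dom_a.split(".")[0] == dom_b.split(".")[0]


def group_log_entries(entries):
    """Collect logged user names into {(user, short_domain): [original names]}."""
    groups = {}
    for name in entries:
        _, user, domain = classify_user_name(name)
        groups.setdefault((user.lower(), domain.split(".")[0]), []).append(name)
    return groups


if __name__ == "__main__":
    # The guide's three forms of the same user, plus a constructed user from another domain.
    sample_log_names = ["user1@scm-auth-ad2.example.example1.com",
                        "scm-auth-ad2\\user1",
                        "cn=user1,cn=users,dc=scm-auth-ad2,dc=example,dc=example1,dc=com",
                        "other\\user1"]
    for key, names in group_log_entries(sample_log_names).items():
        print(key, "->", names)
```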
Configuring policy-based control of URL log events
The enhanced URL filtering actions include a Monitor Access option. This enables you to specify which URLs to log and report to the URL filtering database for HTTP or ICAP. See Table 6-3.
Table 6-3 URL log events
Action          Result
Deny access     Displays a webpage preventing access to the site. The result is logged.
Coach access    Displays a webpage warning against visiting the site but still allows access to the site. The result is logged as Coach and Pass.
Allow through   Users can go to URLs in this category.
Monitor access  Users can go to URLs in this category. The action is logged.
Although you can log every allowed access to websites, the Allow Through option is disabled by default because of the volume of data that results.
Events can be reported using:
- SmartReporter from Secure Computing.
- The reports available when you select Monitor > Logs > URL filtering.
- The charts and reports available when you select Monitor > Charts, and Monitor > Logs > URLs blocked.
- Email sent to your account.
- ePolicy Orchestrator, using reports provided in the SCM reports package (NAP) file.
By default, the following options are set:
- SmartReporter: disabled by default. You need a valid URL filtering license.
- URL filtering: enabled by default. You need a valid URL filtering license.
- Email: disabled by default.
- ePolicy Orchestrator: disabled by default.
Configuring reporting
You can set up reports to give information in different ways, including:
- URL filtering reports. See Viewing URL filtering reports.
- HTML error and redirect pages. See Configuring the HTML error and redirect pages on page 205.
- SmartReporter reports. See Installing SmartFilter and configuring SmartReporter on page 206.
204
Viewing URL filtering reports
To configure the way you view URL filtering reports, select Monitor > Logs > URLs Filtered in the navigation pane. The following criteria are available:
- User Name under the Display category lists enables you to select reports by user identity.
- Reports enables you to select user reports for Top 10 Users and Top 50 Users. Reports show full details of allowed URLs for users where detailed URL logging is enabled or if allowed URLs are set up to be logged globally.
For ePolicy Orchestrator reports, more reports are available:
- Top Ten Blocked by Users, to show user identities (in place of IP addresses).
- Top Ten Blocked by IP Addresses.
Configuring the HTML error and redirect pages
Use Policy > HTML > Advanced > Protocol in the navigation pane to configure HTML messages and alerts for user authentication for your appliance. Using the HTML editing already available for HTML alerts under the Policy section, you can configure the following Client Alert Messages:
- HTML alerts if connection to the configured authentication service fails.
- HTML alerts for user authentication failure (an unauthorized user and/or an incorrect password).
- HTML messages for URL redirect failures.
Installing and configuring SmartReporter
SmartReporter from Secure Computing creates reports about Internet activity for a variety of server platforms. SmartReporter normally stores processed data in its own database, although for Windows platforms it can be configured to use an external Microsoft SQL Server database. The appliance exports data to the SmartReporter HTTP interface, where SmartReporter then processes the data into its own reporting database. SmartReporter is only supported on English-language operating systems. The log files from the appliance include user identity (where this is available from transparent authentication). SmartReporter then provides reporting by user.
These reports can be viewed through a browser-based interface, or can be scheduled and sent by email. SmartReporter provides the following reports:
- Internet-based reports by category, user, site, time and so on.
- User identities (if transparent authentication is enabled), or the originating IP address of the HTTP request.
- Scheduled reports by email. To use this, configure an SMTP server in the SmartReporter configuration.
205
To obtain SmartReporter, go to http://www.securecomputing.com/index.cfm?skey=181 and click SmartReporter Download Center.
Configuring the appliance for SmartReporter
The appliance can upload log data at regular intervals to SmartReporter, given suitable account details. To configure the appliance to work with SmartReporter:
1 In the navigation pane, select System > Manage Components, then enable SmartReporter off-box logging.
2 Specify the destination for the log data. The format for SmartReporter is http://<server_address>:<port>/logloader. The default port is 9011.
3 Type a user name and password of the SmartReporter account.
4 Specify the interval.
5 Specify whether the log data must be purged from the appliance after a successful upload.
6 If the log data is required to pass through a proxy, specify the server, port, user name, and password for the HTTP proxy.
Installing SmartFilter and configuring SmartReporter
To configure SmartReporter to upload data from the appliance, install SmartFilter using the setup program from Secure Computing, then configure SmartReporter. See Installing SmartFilter on page 206 and Configuring SmartReporter on page 206.
Installing SmartFilter
For information about installing SmartFilter, see the Secure Computing supporting documentation for this product.
Configuring SmartReporter
After installing SmartFilter, configure SmartReporter:
1 Access the interface. The address is http://<server-address>:9011 (for non-secure access) or https://<server-address>:9012 (for secure access), where <server-address> is the server where SmartReporter is installed.
2 Log on to the interface using the user identity and password specified during installation.
3 From Administrator Options > System Options > Log Processing > Processing Accounts:
  a Type the friendly name of the account where logs are uploaded.
  b Select the log format. This is Squid SFv4 Squid Native Format or McAfee SCM Format.
  c Deselect Categorize unknown URLs using local control list.
  d Type a logon name and password for the upload.
206
Also specify these details in the appliance configuration. After the account is configured, the appliance can upload logs to the SmartReporter server at http://<server-address>:9011/logloader or https://<server-address>:9012/logloader. Use the Logon Name and Password to configure this. You can use the administration account on SmartReporter, or create one or more reporting accounts using the SmartReporter interface from System Options > Accounts.
Client
When an HTTP request from a client has been scanned by the appliance, the appliance passes that request on to the intended web server. When the web server responds, the appliance waits until the web server has finished its conversation. At regular intervals during downloading and scanning, the appliance can check that the HTTP client is still present. For example, if the user decides not to wait for the information to be downloaded, the appliance can drop the conversation with the web server, freeing up the resources being used. To specify how often the appliance checks that the client is present, select Client and specify the interval.
Time-outs
Select Time-outs to specify the following:
- How long the appliance waits while trying to establish a connection with the remote web server.
- How long the appliance waits for activity during the data transfer phase of the communication.
Setting up Internet Explorer to proxy requests to the appliance
To allow proxy requests, you might also need to set up Microsoft Internet Explorer to use the appliance as a proxy for HTTP requests. This information is correct at the time of publication. If in doubt, follow the instructions in the Microsoft Internet Explorer documentation. If you are using other web browsers, read their user documentation.
1 Open the browser.
2 In the menu, select Tools > Internet Options > Connections, then click LAN Settings.
3 Select Use a proxy server.
4 Type the IP address or name of the appliance that will be used for proxy requests.
5 Type the port number on which the appliance receives HTTP traffic (typically port 80).
207
6 To set up the web browser to use FTP over HTTP, click Advanced. In the FTP section, type the IP address or host name of the appliance, and the HTTP port number on which it receives HTTP traffic (typically port 80).
208
7 ICAP
Internet Content Adaptation Protocol
The appliance supports the ICAP protocol and can act as an ICAP server. This section describes the appliance's support for ICAP, and includes the following topics:
- ICAP overview on page 209.
- Configuring ICAP on page 216.
- Content policies on page 218.
- Advanced connection policies on page 220.
- Protocol policies on page 221.
- Troubleshooting ICAP issues on page 226.
- Glossary of ICAP terms on page 228.
ICAP overview
This section introduces ICAP and includes the following topics:
- What is ICAP?
- How is an ICAP message structured? on page 210.
- How does ICAP work? on page 213.
Caution: Before using ICAP in your network, be familiar with the ICAP standard and how it applies to your ICAP servers and clients. For more information about ICAP, see the RFC 3507 standard and the ICAP forum: www.i-cap.org/home.html.
What is ICAP?
ICAP allows ICAP clients to pass HTTP messages to ICAP servers for processing or transformation (adaptation).
209
ICAP ICAP overview 7
Web caches such as the Open Source program Squid also act as ICAP clients. See www.squid-cache.org. They can intercept HTTP traffic, and pass HTTP requests and responses to the ICAP server for adaptation. The HTTP requests and responses are encapsulated in ICAP requests. The type of adaptation depends on the policies set up on the ICAP server. For example, the ICAP server can be configured to check for viruses or to block access to certain websites.
ICAP implementation varies according to the product used in your network. For example, some ICAP clients do not support all ICAP services. See the user documentation for your ICAP clients.
By default, the appliance offers a REQMOD service and a RESPMOD service. Each service can have its own policy settings that control how the appliance processes the ICAP requests. For example, if the appliance receives a REQMOD request, it applies the URL-filtering, scanning, and other REQMOD policies to the ICAP request. The appliance does not act as an ICAP client to other ICAP servers.
How is an ICAP message structured?
The following basic ICAP messages pass between ICAP clients and ICAP servers:
- ICAP requests from ICAP clients.
- ICAP responses from ICAP servers.
ICAP requests from ICAP clients
An ICAP client makes an ICAP request to an ICAP server for an ICAP service. When an ICAP client device (such as a web cache or web proxy) intercepts an HTTP request or response that it wants to pass to an ICAP server for processing, it sends an ICAP request to that server. The request has the following parts:
- Request header on page 210
- Request body on page 211
Request header
The request header tells an ICAP server what type of service is needed.
It starts with a request line, indicating the verb, the URL of the service, and the ICAP version, for example:
RESPMOD icap://icap.example.net/translate?mode=french ICAP/1.0
Table 7-1 Parts of a request header
Part             Description                                     Example
Action required  The method or verb required.                   RESPMOD
Service          Full URL of the ICAP service being requested.  icap://icap.example.net/translate?mode=french
ICAP version     Version of ICAP that the ICAP client is using. ICAP/1.0
210
An ICAP client can use the following verbs when requesting a service from an ICAP server:
- REQMOD for dealing with HTTP requests (REQuest MODification).
- RESPMOD for dealing with HTTP responses (RESPonse MODification).
- OPTIONS for requesting information about the ICAP server's configuration.
Depending on the vendor you use, some ICAP servers can be configured to offer more than one ICAP service, and some ICAP clients can be configured to use more than one ICAP server. For example, an ICAP client that requires URL blocking and anti-virus scanning might be configured (depending on its capabilities) to use one ICAP server for URL blocking and another for scanning viruses. Alternatively, if an ICAP server offers URL blocking and scanning services, the ICAP client might use that ICAP server for both.
The first line of the request header can be followed by other lines that describe the data in the request, and control aspects of the ICAP transaction. User-defined header extensions are allowed in ICAP requests, and follow the HTTP X- naming convention. For a full description of ICAP headers, see RFC 3507, the ICAP Extensions document, and other ICAP documents on the ICAP Forum website.
Request body
The content of an ICAP request body depends on the type of request made by the ICAP client. It also depends on the basic capabilities of the ICAP client, because some clients support the REQMOD verb and some support the RESPMOD verb.
If the request contains REQMOD, the ICAP request body contains:
- The HTTP request header.
- The HTTP request body, if there is body data associated with the request. For example, the body might contain data being sent to a webserver using an HTTP POST command in the request header.
If the request contains RESPMOD, the ICAP request body contains:
- The original HTTP request header.
- The HTTP response header provided by the HTTP server.
- The HTTP response body, if there is body data associated with the response.
For example, the body might contain data returned from the HTTP server, such as a webpage that is downloaded from a webserver.
If the request contains OPTIONS, there is no request body.
The HTTP message is said to be encapsulated (enclosed) in the ICAP message. Encapsulated HTTP bodies are transferred using data chunking, but encapsulated HTTP headers are not chunked. For information about HTTP version 1.1 and chunked transfer-encoding, see the HTTP RFC 2616 standard.
211
ICAP responses from ICAP servers
An ICAP response is a response made by an ICAP server to an ICAP request from an ICAP client. When an ICAP server responds to an ICAP request, it sends an ICAP response message to that ICAP client. The response has the following parts:
- Response header
- Response body
Response header
ICAP response headers start with an ICAP status line that shows an ICAP version number, status code and a status description, for example: ICAP/1.0 200 OK.
Table 7-2 Parts of an ICAP status line
Part                 Description                                                                         Example
ICAP version number  Version of ICAP that the ICAP server is using when responding to the ICAP request.  ICAP/1.0
ICAP status code     Status of the ICAP exchange. See Understanding ICAP status codes on page 226.       204
Status description   Description of the status code.                                                    OK
The first status line can be followed by other response header lines that describe the data in the response, and control aspects of the ICAP transaction. For full details of the type of headers, see the ICAP RFC standard. User-defined header extensions are allowed in ICAP responses, and follow the HTTP X- naming convention. See the ICAP Extensions document on the ICAP Forum website.
Response body
The content of an ICAP response body depends on:
- The verb used in the original ICAP request (REQMOD or RESPMOD). ICAP requests that use the OPTIONS verb do not have a response body.
- Whether the HTTP header and HTTP data encapsulated in the ICAP request need modification.
- The policies that have been set up on the ICAP server. Policies specify how the ICAP server modifies HTTP messages received from ICAP clients.
- The status of the ICAP exchange. For example, the content of the ICAP response body might change if the ICAP server has a problem.
212
How does ICAP work?
This section describes what happens when the following occurs:
- An HTTP request is intercepted by the ICAP client device.
- An HTTP response is intercepted by the ICAP client device.
- The ICAP client and ICAP server use the Preview feature.
An HTTP request is intercepted by the ICAP client device
The ICAP client device intercepts HTTP requests and redirects them to an ICAP server for processing. Some web caches and similar devices have ICAP client capabilities. When a device intercepts an HTTP request, the ICAP client within that device encapsulates the HTTP request in an ICAP request message and sends this request to the ICAP server for processing. The ICAP client request message includes:
- The ICAP REQMOD verb.
- The HTTP request header.
- Any HTTP body data associated with that request.
The server processes the request and sends a response to the client. The content of the response might be:
- The server does not need to modify the HTTP request: the server sends a response that contains the original unmodified HTTP request, or just sends a 204 No modification needed response. The implementation of the client and server determines which response is sent. In some implementations, the server returns the unmodified request, and the client device passes the request to the HTTP server. In other implementations, the client device keeps a copy of the HTTP request, which it passes to the HTTP server when the client receives the 204 No modification needed response from the server. This is the case when the ICAP client sends the ICAP header Allow: 204.
- The server modifies the request: the server can modify the request header, body data, or both. The type of modification depends on the policies set up on the server. The server encapsulates the modified message in an ICAP response and sends it to the client. The client device receives the response and passes the modified request to the HTTP server.
- The server blocks the HTTP request: the server creates an HTTP response header, such as 403 Forbidden, and includes it in the response. The client device receives the response and passes the HTTP response to the HTTP client.
If there is a problem with the server, or with communication between the client and server, the client device sends an error message to the HTTP client.
213
An HTTP response is intercepted by the ICAP client device
The ICAP client within the ICAP client device can encapsulate the HTTP response in an ICAP request. The request is sent to the ICAP server for processing. The request contains:
- The ICAP RESPMOD verb.
- The HTTP request that caused the response from the HTTP server.
- The HTTP response header returned by the HTTP server.
- Any HTTP body data returned by the HTTP server.
The server processes the request and sends an ICAP response to the client. The content of the response might be:
- The server does not need to modify the HTTP response: the server sends an ICAP response that contains the original unmodified HTTP response, or sends a 204 No modification needed response. The implementation of the client and server determines which response is sent.
- The server modifies the HTTP response: the server can modify the response header, body data, or both. The type of modification depends on the policies that have been set up on the server. The server encapsulates the modified message in an ICAP response that it sends to the client. The client device receives the response and passes the modified HTTP response to the HTTP server.
If there is a problem with the server, or with the communication between the server and client, the client device sends an error message to the HTTP client.
The ICAP client and ICAP server use the Preview feature
Sometimes you might not want the ICAP client to send all the HTTP data to the ICAP server. For example, sending large graphic files to an ICAP server that cannot process them is an inefficient use of network resources and the ICAP server. To improve efficiency, the server and clients can be configured to use the ICAP preview function. Instead of sending all the HTTP data to the server, the client sends a few bytes of data. By default, the ICAP RFC standard specifies that up to 4096 bytes of data can be sent in a preview.
The preview function is available only if it is enabled on both the ICAP server and the ICAP client. The server uses the preview information to decide if the client must send the rest of the message for possible modification. The response from the server to the client might be:
- If modification is not required, the server sends a 204 No modification needed response to the client. The rest of the message is not sent to the server.
- If modification is required, and all the data was not received as part of the preview, the server sends a 100 Continue after ICAP Preview response to the client. The client then sends the rest of the data to the server.
214
- If the server has already received all of the HTTP message in the preview, it continues to process the message as if the preview had not been sent, and sends the response to the client.
By default, the appliance ensures that all HTTP data is transferred from the ICAP client regardless of the preview settings. The preview function really comes into operation only when you have policies on the appliance that prevent the scanning of certain data types. For example, you have a policy that prevents the scanning of some MIME data types. When the appliance receives the preview, it detects the MIME data type, applies the policy, and returns a 204 No modification needed ICAP response to the ICAP client. The ICAP client does not transfer the remaining data to the appliance and the file is not scanned. Some ICAP clients require the server to send the header Transfer-Preview in order to make preview work. See Service settings on page 224 for details.
Caution: For best security, we recommend scanning all file types; to do this, set Transfer-Complete to * in Service Settings (see page 224 for details). Before turning off the scanning of any file type, carefully consider the security risks. For more information about the risks, see the Virus Information Library at http://vil.nai.com or speak to your support representative.
215
ICAP Configuring ICAP 7
Configuring ICAP
This section describes how to configure the following ICAP settings:
- User authentication settings
- User authentication settings [advanced]
- General Settings on page 217.
- Request Modification Service Settings on page 217.
- Response Modification Service Settings on page 217.
- Connection settings on page 217.
Ensure that you understand the ICAP protocol and its use before you configure the ICAP settings on your appliance. For the correct operation of ICAP, HTTP scanning must be enabled. In the navigation pane, select Network Settings, and under Protocols, select HTTP. All settings described in this section are available from the navigation pane by selecting Configure > ICAP.
User authentication settings
In the navigation pane, select Configure > ICAP, then User Authentication Settings to configure the following:
- Authenticated user header
- Authenticated user encoding
- Authenticated user pattern
- Authenticated groups header
- Authenticated group encoding
- Authenticated group pattern
User authentication settings [advanced]
In the navigation pane, select Configure > ICAP, then User Authentication Settings [Advanced] to configure the following:
- Log User Identity
- Default User
216
General Settings
In the navigation pane, select Configure > ICAP, then General Settings to configure some of the common ICAP protocol settings. See the ICAP specifications and the ICAP Extensions documents for more information about these parameters.
- X-Include string: a comma-separated list of any ICAP header extension names that you want the ICAP client to add to requests. The defaults are X-Client-IP, X-Server-IP, and X-Authenticated-User.
- OPTIONS Time To Live: you can recommend how long an ICAP client will wait before sending another OPTIONS request to the appliance. This tells the ICAP client how often the ICAP server configuration is likely to change. The default is 300 seconds.
- Service String: a description of the vendor and product name that can be added to the OPTIONS response. The default string is Secure Internet Gateway.
- Idle Timeout: the time that the ICAP server will wait for a request from the ICAP client. The default is 300 seconds.
- Chunk Size: the largest block of HTTP data that can be transmitted from the ICAP server. The default is 1024 bytes.
- Disable Reverse Lookup: you can prevent the appliance from making reverse DNS lookups when ICAP requests are intercepted.
Request Modification Service Settings
In the navigation pane, select Configure > ICAP > Request Modification Service Settings to configure ICAP protocol settings for the request modification service. After enabling the service, type the service path. The default is /REQMOD.
Response Modification Service Settings
In the navigation pane, select Configure > ICAP > Response Modification Service Settings to configure the ICAP protocol settings for the response modification service. After enabling the service, type the service path. The default is /RESPMOD.
Connection settings
For more information about connection settings, see Advanced configuration (all protocols) on page 48.
217
ICAP Content policies 7
Content policies
This section describes how to configure policies that relate to the content of an ICAP message:
- Alert Settings.
- Anti-Virus.
- HTML Settings.
- Scanner Control on page 219.
- URL Filtering on page 219.
ICAP policies are under the Request Modification and Response Modification options rather than the more usual From Inside or From Outside options.
Alert Settings
You can edit the text that appears at the start and end of an HTML alert. You can also specify the file name to use for the HTML alert. In the navigation pane, select Policy > ICAP > Content, then select Alert Settings. See Editing alert messages on page 46.
Anti-Virus
The appliance can be configured to detect viruses and other potentially unwanted programs. For more information, see Anti-virus on page 113. If a detection occurs, the appliance can act as described in Actions on page 73. In the navigation pane, select Policy > ICAP > Content, then select Anti-Virus. Follow the instructions in Chapter 3, Policies Overview, starting from Step 1 on page 78.
HTML Settings
You can configure how the appliance handles some elements and components embedded in HTML data. In the navigation pane, select Policy > ICAP > Content, then select HTML Settings. Select the elements to strip out. A Flash object is an ActiveX element.
If the appliance has been configured to modify the HTTP body data associated with an ICAP request that uses the REQMOD verb, the appliance blocks the request rather than making changes, which might be unacceptable to the user. For example, if the appliance receives a REQMOD request containing an ActiveX element in the HTTP request body, and the appliance has been configured to strip out ActiveX elements, the appliance blocks the request. This prevents modified data being forwarded to the webserver without the user's consent.
218
Scanner Control
You can set limits on scanning to overcome performance problems caused by a denial-of-service attack or a complex file. For more information, see Scanner control on page 119.
1 In the navigation pane, select Policy > ICAP > Content, then select Scanner Control.
2 To inherit settings from the global policy, see Step 12 on page 59.
3 To specify any time restrictions, see Adding time-specific settings to non-global policies on page 60.
4 To specify the actions that the appliance must take when a detection occurs, see Actions on page 73.
5 To customize or create any alert messages, see Editing alert messages on page 46.
URL Filtering
In the navigation pane, select Policy > ICAP > Content, then select URL Filtering, then follow the instructions in Configuring enhanced URL filtering on page 187. If URL Filtering is not visible, the enhanced URL-filtering component might not be correctly installed and activated.
219
ICAP Advanced connection policies 7
Advanced connection policies
This section describes how to configure the following ICAP connection policies:
- Client.
- Time-outs.
Client
You can specify how often the appliance checks that the client is present.
1 In the navigation pane, select Policy > ICAP > Advanced Policies > Connection, then select Client.
2 Specify how long the appliance waits between checks that the client is still present. For more information, see Client on page 207.
Time-outs
In the navigation pane, select Policy > ICAP > Advanced Policies > Connection, then select Time-outs, to specify:
- How long the appliance waits to receive data from the ICAP client.
- How often the appliance checks that the ICAP client is still connected.
220
ICAP Protocol policies 7
Protocol policies
This section describes how to configure policies that are specific to the ICAP protocol and includes:
- Basic URL Blocking.
- Client Alert Messages.
- Data Trickling on page 222.
- Header Blocking and Modifications on page 222.
- Instant Messaging on page 222.
- Request permissions on page 223.
- Scanning on page 223.
- Service settings on page 224.
- Streaming media on page 225.
Basic URL Blocking
The appliance can block access to:
- Specific URL addresses, by referring to a list of addresses.
- Groups of websites that can be identified by similar characters in their addresses. For example, ^http://.*/images/ matches addresses that begin http:// and have the text string /images/ within the address.
1 In the navigation pane, select Policy > ICAP > Advanced Policies > Protocol > Request Modification, then select Basic URL Blocking.
2 Under Denied URLs, make a list of URLs to block, using Add, Modify and Delete.
3 Under Denied URLs (Via Regular Expressions), make a list of regular expressions to block groups of URLs.
4 Type the text and regular expression to block the URLs.
5 In Forbidden URL characters, type any characters that are not allowed in the URL addresses. Some characters cause problems for older browsers.
Client Alert Messages
You can edit the messages that the appliance sends to alert users when specific events occur. In the navigation pane, select Policy > ICAP > Advanced Policies > Protocol, then select Client Alert Messages to customize or create an alert message.
221
Data Trickling
For Response Modification only, you can configure data trickling. See the description on page 193. In the navigation pane, select Policy > ICAP > Advanced Policies > Protocol > Response Modification, then select Data Trickling to enable the feature. You can:
- Specify how long the appliance waits before it starts to trickle data.
- Specify how often the data is trickled to the clients.
- Specify how much data can be sent each time data is trickled to the client.
- Specify how much data (as a percentage of the total downloaded so far) is trickled each time.
- For NetCache clients only, as an advanced feature, enable data trickling during data receipt.
Header Blocking and Modifications
The appliance can be configured to:
- Remove certain request and response headers. For example, the appliance can be set up to remove the HTTP header records Accept-Encoding and Accept-Ranges.
- Add Via headers to HTTP requests and responses.
Incorrectly configured settings can cause serious network communication problems. We recommend that you change these settings only at the request of McAfee Technical Support, or a network expert.
1 In the navigation pane, select Policy > ICAP > Advanced Policies > Protocol, then select Header Blocking and Modifications.
2 Click Add or Modify, then type the text that will not be allowed in the request header.
3 From Add Via headers to, select the type of requests and responses to which the Via headers will be added.
Instant Messaging
The appliance can be configured to block HTTP tunnelling of instant messaging services. For more information, see Instant messaging on page 197. In the navigation pane, select Policy > ICAP > Advanced Policies > Protocol, then select Instant Messaging, and select the services you want to block.
222
Request permissions

For Request Modification only, you can specify:
- The HTTP verbs that can be used in the communication between the ICAP client and the appliance when the ICAP client uses the REQMOD option.
- The request schemes that can be used. URLs include text that defines which resource is being requested.
- The HTTP port numbers that can be used. The appliance will forward requests to certain port numbers only.
- The SSL port numbers that can be used. The appliance will forward requests to certain port numbers only.

1 In the navigation pane, select Policy | ICAP | Advanced Policies | Protocol | Request Modification, then select Request Permissions.
2 In Permitted HTTP verbs, use Add, Modify and Delete to create a list of HTTP verbs that are allowed.
3 In Denied HTTP verbs, create a list of HTTP verbs that are not allowed.
4 In Permitted request schemes, create a list of request schemes that are allowed.
5 In Denied request schemes, create a list of request schemes that are not allowed.
6 In Permitted HTTP port numbers, create a list of HTTP ports that are allowed.
7 In Permitted SSL port numbers, create a list of port numbers that can be used when forwarding traffic over SSL. The entry 1025- means port number 1025 or above.

Scanning

The appliance can be configured to scan:
- Headers
- Bodies
- Cookies

Caution: To enable cookie scanning, you must first enable scanning of potentially unwanted programs.

1 In the navigation pane, select Policy | ICAP | Advanced Policies | Protocol, then select Scanning.
2 Select the items to scan.

223
Service settings

You can configure the appliance to provide information about the ICAP services that it provides to your ICAP client software. See the documentation for your ICAP client for further details. You can:
- Recommend the number of bytes of data that will be sent by an ICAP client using the ICAP Preview option. The default value is 4096. Some ICAP clients do not accept values greater than 4096.
- Recommend the types of file that will be sent to the appliance without using the Preview option (ICAP header: Transfer-Complete). By default, this is set to *, which disables previews.
- Recommend the types of file that will be sent to the appliance using the Preview option (ICAP header: Transfer-Preview). Some ICAP clients will enable preview only if this header is set. If most files sent for scanning are smaller than the preview size, set this value to *. By default, this field is empty, and preview is disabled by the * in the field above.
- Recommend the types of file that the ICAP client must not send to the appliance (ICAP header: Transfer-Ignore). The file favicon.ico is the small icon that appears before the URL in some websites. It is safe to add ico to this list to avoid sending this content for scanning.
- Provide an ICAP service name when the ICAP client uses the OPTIONS request for information about the ICAP server configuration.

1 In the navigation pane, select Policy | ICAP | Advanced Policies | Protocol, select Request Modifications or Response Modifications, then select Service Settings.
2 In Preview Size, specify the number of bytes of HTTP data that will be sent in the preview.
3 Use Add, Modify, and Delete to make lists of files that will be sent to the appliance without using the preview option, that will be sent using the preview option, and that must not be sent to the appliance for scanning.

Caution: The most secure option is to scan all file types. Before turning off the scanning of any file type, consider the security risks.
For more information on the risks associated with each file type, see the Virus Information Library at http://vil.nai.com or speak to your support representative.

4 Specify the ICAP service ID that is returned when the ICAP OPTIONS request is made by an ICAP client.

224
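To show how an ICAP client acts on the Preview, Transfer-Complete, Transfer-Preview and Transfer-Ignore values that the Service Settings page advertises, here is an added example (not appliance or McAfee code) that parses an OPTIONS response and decides how each file type is sent. Both responses and the service name in them are constructed; the first reflects the guide's defaults with ico added to Transfer-Ignore, the second moves the wildcard to Transfer-Preview.

```python
from typing import Dict, List

# Constructed ICAP OPTIONS response mirroring the guide's defaults:
# Preview 4096, Transfer-Complete: * (which disables previews), Transfer-Ignore: ico.
DEFAULT_OPTIONS = (
    "ICAP/1.0 200 OK\r\n"
    "Methods: RESPMOD\r\n"
    "Service: example-appliance RESPMOD (constructed service name)\r\n"
    "Preview: 4096\r\n"
    "Transfer-Complete: *\r\n"
    "Transfer-Ignore: ico\r\n"
    "Encapsulated: null-body=0\r\n"
    "\r\n"
)
# Constructed response with the wildcard in Transfer-Preview: every type not
# named elsewhere is previewed, while exe and zip are always sent in full.
PREVIEW_OPTIONS = (
    "ICAP/1.0 200 OK\r\n"
    "Methods: RESPMOD\r\n"
    "Preview: 4096\r\n"
    "Transfer-Preview: *\r\n"
    "Transfer-Complete: exe, zip\r\n"
    "Transfer-Ignore: ico\r\n"
    "Encapsulated: null-body=0\r\n"
    "\r\n"
)


def parse_icap_options(response: str) -> Dict[str, str]:
    """Return the headers of an ICAP OPTIONS response, names lower-cased."""
    lines = response.split("\r\n")
    if not lines[0].startswith("ICAP/1.0 200"):
        raise ValueError(f"unexpected OPTIONS status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:            # the blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def _extensions(value: str) -> List[str]:
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def preview_bytes(headers: Dict[str, str]) -> int:
    """The preview size the server recommends (0 when it offers none)."""
    return int(headers.get("preview", "0"))


def transfer_mode(headers: Dict[str, str], filename: str) -> str:
    """Decide whether a file is sent in full ("complete"), previewed first
    ("preview") or not sent at all ("ignore").

    An extension named explicitly in a Transfer-* list wins; otherwise the
    list carrying the "*" wildcard applies (RFC 3507 allows "*" in only one
    of the three). With no wildcard at all this example sends the file in
    full, the conservative choice because everything then gets scanned.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    lists = {
        "ignore": _extensions(headers.get("transfer-ignore", "")),
        "preview": _extensions(headers.get("transfer-preview", "")),
        "complete": _extensions(headers.get("transfer-complete", "")),
    }
    for mode, exts in lists.items():
        if ext and ext in exts:
            return mode
    for mode, exts in lists.items():
        if "*" in exts:
            return mode
    return "complete"


if __name__ == "__main__":
    for label, raw in (("defaults", DEFAULT_OPTIONS), ("preview on", PREVIEW_OPTIONS)):
        h = parse_icap_options(raw)
        print(label, "preview bytes:", preview_bytes(h))
        for name in ("favicon.ico", "report.pdf", "setup.exe", "README"):
            print("  ", name, "->", transfer_mode(h, name))
```

Because some ICAP clients reject a Preview value above 4096, a deployment check would compare preview_bytes() against that limit before enabling previews.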
Streaming media

For Response Modification only, you can configure the appliance to allow streaming media to pass through it unscanned. By default, this feature is disabled. Streaming media might be handled by your ICAP client. See your ICAP client documentation for more information. For more information about streaming media, see page 200.

1 From Response Modification, allow Streaming Media.
2 Manage the list of MIME types that will be allowed to pass through the appliance unscanned. See Making lists on page 45.

Caution: We strongly recommend that you do not allow streaming media of type application/octet-stream or application/* to pass through the appliance because these MIME types are executable and are a security risk.

3 Manage the list of servers that the appliance will treat as if they are sending streaming media. See Making lists on page 45.

Caution: Data received from these servers is treated as streaming media and is not scanned by the appliance. This presents a security risk. Only configure this option at the request of McAfee Technical Support or your network expert.

225
ICAP Troubleshooting ICAP issues 7

Troubleshooting ICAP issues

This section describes configuration and resource issues that can occur when using ICAP. It contains the following topics:
- ICAP service not found
- Appliance connections are unavailable
- Understanding ICAP status codes

ICAP service not found

This section describes a common configuration problem that occurs when setting up or reconfiguring your ICAP services. If the ICAP client cannot find the requested service:
- Check that the ICAP client is requesting a valid ICAP service. When configuring the ICAP client, it is easy to mistype the service path. Service paths start with a forward slash (/) and are case-sensitive. Make sure that you use the exact path name. For example, the path /REQMOD is different from the path /REQMOD/.
- Check that the appliance supports the ICAP service, and that the requested service has not been disabled on that appliance. Some ICAP servers do not support all ICAP verbs. For example, some ICAP clients support the REQMOD verb only. By default, the appliance supports the REQMOD, RESPMOD and OPTIONS verbs. However, the REQMOD and RESPMOD services can be disabled on the appliance.
- Check that the network connection between the ICAP client and the ICAP server is working. See the ping test in Troubleshooting on page 290.

Appliance connections are unavailable

If the appliance runs out of available connections, you might have to restart the ICAP protocol. In the navigation pane, select Monitor | Resources.

Understanding ICAP status codes

This list of ICAP status codes was accurate at the time of publication. If a status code is not in the table, see the ICAP RFC standard for the latest information.

Table 7-3 ICAP status codes

Code  Description
100   Continue after ICAP preview.
200   OK. The appliance understands the request and will reply.
204   No modifications are needed (also known as 204 No content).
400   Bad request.
404   ICAP service was not found.
405   The method is not allowed for this service. For example, a RESPMOD request was issued to a service that supports only REQMOD.

226
Table 7-3 ICAP status codes (continued)

Code  Description
408   Request has timed out. The ICAP server gave up waiting for a request from an ICAP client.
500   ICAP server error. For example, the ICAP server might have run out of disk space.
501   Method (verb) not implemented.
502   Bad gateway.
503   Service is overloaded. The ICAP server has exceeded a connection limit associated with the service. The ICAP client must not exceed this limit in the future.
505   The ICAP version is not supported by the ICAP server.

ICAP support

ICAP header extensions that might be present in REQMOD and RESPMOD requests, such as X-Authenticated-User and X-Authenticated-Groups, provide information about the source of the encapsulated HTTP message. Using this information, the appliance can identify the user's name for its user-based policies and URL filtering reports, without the need to configure authentication services or authentication groups on the appliance. See http://www.i-cap.org/spec/draft-stecher-icap-subid-00.txt.

The appliance can extract the user name and group names from the ICAP header extensions. The appliance does not authenticate users. Authentication is done by another server (for example, a web-caching appliance). However, if the appliance can extract the user's identity, it can apply URL filtering and other policy settings based on that identity.

In the navigation pane, select Configure | ICAP to show the values that the appliance uses to extract the names. You do not normally need to change the default values. The values are:
- Enable authentication: Turns on the X-headers.
- Authenticated user header or Authenticated groups header: The ICAP server adds this header after it has authenticated the user or group to show who made the request. Typically the values are X-Authenticated-User and X-Authenticated-User-Group.
- Authenticated user encoding or Authenticated group encoding: How the user name or group name is encoded. Typically this is plain text or, by default, base64.
- Authenticated user pattern or Authenticated group pattern: A regular expression that enables the appliance to extract the user or group name from the text of the Authenticated user header or Authenticated groups header.
- Log User Identity: Display user names in the log file. If this is set to off, the user name is blank.
- Default User: Sets the identity to use if no information is provided in the X-Authentication headers.

The following tokens can be used in email messages from ICAP logging events:
- ICAP_X_CLIENT_IP: Replaced by the origin client's IP address, as supplied by the ICAP request header record X-Client-IP.
- ICAP_X_SERVER_IP: Replaced by the destination webserver's IP address, as supplied by the ICAP request header record X-Server-IP.

227
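The following added example (not the appliance's own code) shows how the settings above combine to extract an identity from a REQMOD request: it decodes the base64 header value, applies the user and group patterns, falls back to the Default User, and picks up the X-Client-IP and X-Server-IP values behind the ICAP_X_CLIENT_IP and ICAP_X_SERVER_IP tokens. The request head, the patterns (keep the text after the last slash) and the default user are constructed assumptions, not the appliance's documented defaults.

```python
import base64
import binascii
import re
from typing import Dict, Optional

# Constructed settings mirroring the fields on the Configure | ICAP page. The
# patterns and the default user are assumptions made for this example.
SETTINGS = {
    "user_header": "X-Authenticated-User",
    "groups_header": "X-Authenticated-Groups",
    "encoding": "base64",                  # or "plain"
    "user_pattern": re.compile(r"([^/]+)$"),
    "groups_pattern": re.compile(r"([^/]+)$"),
    "default_user": "unknown",
}


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed REQMOD request head, as a web cache with an ICAP client might send it.
SAMPLE_REQUEST = (
    "REQMOD icap://appliance.example.internal/REQMOD ICAP/1.0\r\n"
    "Host: appliance.example.internal\r\n"
    "X-Client-IP: 10.0.5.23\r\n"
    "X-Server-IP: 192.0.2.10\r\n"
    f"X-Authenticated-User: {_b64('WinNT://EXAMPLE/jsmith')}\r\n"
    f"X-Authenticated-Groups: {_b64('WinNT://EXAMPLE/Finance')}\r\n"
    "Encapsulated: req-hdr=0, null-body=120\r\n"
    "\r\n"
)


def parse_icap_request_headers(raw: str) -> Dict[str, str]:
    """Split an ICAP request head into {lower-cased name: value}."""
    lines = raw.split("\r\n")
    if not lines[0].startswith(("REQMOD ", "RESPMOD ", "OPTIONS ")):
        raise ValueError(f"not an ICAP request line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:            # the blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def _decode(value: str, encoding: str) -> Optional[str]:
    """Apply the configured encoding; a malformed value yields no identity."""
    if encoding != "base64":
        return value
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def _extract(headers: Dict[str, str], header_name: str, encoding: str, pattern) -> Optional[str]:
    raw = headers.get(header_name.lower())
    if raw is None:
        return None
    decoded = _decode(raw, encoding)
    if decoded is None:
        return None
    match = pattern.search(decoded)
    return match.group(1) if match else None


def identity_from_request(raw: str, settings: dict = SETTINGS) -> Dict[str, Optional[str]]:
    """Return the user, group, client IP and server IP the policy engine would see.

    The user falls back to Default User whenever the header is absent,
    undecodable or does not match the pattern, so an unparsable value is
    never mistaken for an authenticated name.
    """
    headers = parse_icap_request_headers(raw)
    user = _extract(headers, settings["user_header"], settings["encoding"], settings["user_pattern"])
    groups = _extract(headers, settings["groups_header"], settings["encoding"], settings["groups_pattern"])
    return {
        "user": user or settings["default_user"],
        "groups": groups,
        "client_ip": headers.get("x-client-ip"),   # value of %ICAP_X_CLIENT_IP%
        "server_ip": headers.get("x-server-ip"),   # value of %ICAP_X_SERVER_IP%
    }


if __name__ == "__main__":
    print(identity_from_request(SAMPLE_REQUEST))
```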
ICAP Glossary of ICAP terms 7

You can customize an email alert as follows:

%EVENT% %REASON%
User: %AUTH_USER%
Computer: %WEBSHIELDNAME%
IP Address: %WEBSHIELDIP%
DAT: %AVDATVERSION%
Engine: %AVENGINEVERSION%
Detection(s): %DETECTIONS%
Client IP: %ICAP_X_CLIENT_IP%
Server IP: %ICAP_X_SERVER_IP%
Scanned object: %ATTACHMENTNAME%
Subsystem: %APPLICATION%

To parse X-Client-IP and X-Server-IP, enable User Authentication from Configure | ICAP | User Authentication Settings, as well as customizing the email messages.

Glossary of ICAP terms

Table 7-4 ICAP terms

Term                     Description
Adaptation               Changes made by an ICAP server to an HTTP request or HTTP response received from an ICAP client.
Chunked transfer-coding  A method used to transfer HTTP body data as a series of small data chunks.
Encapsulated             Contained within the body of another message. For example, an HTTP message that is contained within the body of an ICAP message is said to be encapsulated in the ICAP message body.
ICAP client device       A device, such as a web cache or similar device, that intercepts HTTP messages and uses its ICAP client capabilities to redirect those messages to an ICAP server for processing.
ICAP client              Software that sends ICAP requests to the ICAP server for processing, and receives ICAP responses from the ICAP server.
ICAP request header      Information contained in an ICAP request that tells the ICAP server what type of service is required and controls certain aspects of the ICAP transaction.
ICAP request             A request made by an ICAP client to an ICAP server for an ICAP service.
ICAP response header     Information contained in an ICAP response that tells the ICAP client about the ICAP response and controls aspects of the ICAP transaction.
ICAP response            A response made by an ICAP server to an ICAP request from an ICAP client.
ICAP server              A device that provides ICAP services to ICAP clients.
ICAP services            Services offered by ICAP servers to ICAP clients. For example, the ICAP REQMOD request modification service and the RESPMOD response modification service.
ICAP                     The Internet Content Adaptation Protocol (ICAP) allows ICAP clients to pass HTTP messages to ICAP servers for some kind of processing or transformation (known as adaptation).
ICAP OPTIONS             A request made by an ICAP client to an ICAP server for information about that ICAP server's configuration.

228
Table 7-4 ICAP terms (continued)

Term      Description
REQMOD    A request modification service offered by an ICAP server. The use of the REQMOD verb in an ICAP client request tells an ICAP server that it is the HTTP request that might require modification.
RESPMOD   A response modification service offered by an ICAP server. The use of the RESPMOD verb in an ICAP client request tells an ICAP server that the HTTP response might require modification.

229
8 FTP

File Transfer Protocol

The appliance includes an FTP proxy for transferring files between computers. This section describes the appliance's support for FTP, and includes the following topics:
- Understanding traffic flow.
- Configuring FTP on page 231.
- Policies for FTP on page 232.

Understanding traffic flow

For Internet traffic, the source of the request (not the location from which a file is retrieved) is the basis for policy selection. You might assume that an infected file is traveling from the Internet (the outside network) to the internal (inside) network, so the From Outside policy will apply. However, the source of the initial connection is the user on the internal network. The request was made to the Internet, the outside network. The request originated from inside, so the From Inside policy will apply.

For example, if a user on the internal network downloads a file from the Internet using FTP GET, the From Inside policy is applied. If the user uploads a file to the Internet using FTP PUT, the initial connection is again from the inside network, so again the From Inside policy is applied. In summary, even though the files are traveling in different directions, the appliance still applies its From Inside policy.

Figure 8-1 Requests from inside

230
FTP Configuring FTP 8

The appliance applies its From Outside policy to FTP requests coming into your network from the Internet.

Figure 8-2 Requests from outside

The list of outside networks must include the IP address of the firewall.

Configuring FTP

On the navigation pane, select Configure | FTP | Protocol Settings, then select Connection settings [Advanced] and configure the following:
- Intercept Ports. See page 48.
- Listen Ports. See page 50.
- Listeners. See page 50.
- Connections. See Allocating scanning resources on page 51.
- Memory. See Allocating scanning resources on page 51.
- Reverse lookup. See page 51.

For more information about advanced transparent exceptions, see Transparent exceptions on page 49.

231
FTP Policies for FTP 8

Policies for FTP

This section describes how to set up policies on the appliance to handle FTP connections. It contains the following sections:
- FTP content policies.
- FTP protocol policies on page 233.
- FTP connection policies on page 235.

FTP content policies

To set up policies that control how the appliance handles FTP connections, select Policy | FTP | Content on the navigation pane. You can configure the following content policies:
- Alert Settings.
- Anti-Virus.
- Scanner Control.

Alert Settings

You can edit the text that appears at the start and the end of the FTP alert. You can also specify the file name to be used for the FTP alert. See Alert messages on page 286. On the navigation pane, select Policy | FTP | Content, then Alert Settings to open the dialog box. Set up the alert and type its text. You can use the substitution variables described in Substitution Variables on page 310.

Anti-Virus

You can configure the appliance to detect viruses and other potentially unwanted programs. On the navigation pane, select Policy | FTP | Content, then Anti-Virus, and follow the instructions in Chapter 3, Policies Overview, starting from Step 1 on page 78.

Scanner Control

To overcome performance problems caused by the transfer of a large file or a denial-of-service attack, you can set limits on scanning. On the navigation pane, select Policy | FTP | Content, then Scanner Control, and follow the instructions in Scanner control on page 189.

232
FTP protocol policies

To set policies that control the communication between the appliance and hosts in your inside and outside networks, select Policy | FTP | Advanced Policies | Protocol on the navigation pane. You can configure the following policy features:
- Data processing.
- Download status and data trickling.
- Handoff Host.
- Upload Status and Data Trickling.

Data processing

You can:
- Configure client messages that are generated by the appliance and seen by users who connect to the appliance using FTP. The messages prevent FTP downloads from timing out, and are available in Explicit Proxy mode or in transparent modes when connecting through the appliance's proxy.
- Configure the appliance to repeatedly send a keep-alive command to the server software. For more information, see Keeping the connection open on page 137.
- Specify which FTP commands will not be accepted by the appliance.

1 On the navigation pane, select Policy | FTP | Content, select Data Processing, then:
  - Change the help message that is displayed when a client sends an FTP request for help to the appliance.
  - Change the welcome message that a user sees when connecting to the appliance using FTP.
  The messages must be in plain text and US-ASCII compliant.
2 Configure the keep-alive command.
3 Click Advanced, then build a list of denied commands.

Download status and data trickling

You can configure the appliance to start downloading (data trickling) the file to the client before the whole file has been received from the server and scanned by the appliance. For more information, see Download status and data trickling on page 192.

FTP allows data to be passed between computers in two modes: binary and 8-bit American Standard Code for Information Interchange (ASCII). Binary is consistent across computer platforms, so its data can be scanned effectively. However, 8-bit ASCII can contain different character codes and formatting, depending on the computer systems in use, so viruses can be concealed within its data. You can configure the appliance to allow or block 8-bit data transfers. The appliance allows this transfer mode by default.

233
Blocking 8-bit file transfers in ASCII mode prevents binary files being transferred in ASCII mode, but might also prevent legitimate text files being transferred. If your users need to transfer text files in 8-bit character sets using FTP, we recommend that they transfer the files in binary mode and convert them to the appropriate local file format using utilities such as recode. Some file transfer utilities use the 8-bit ASCII mode by default. If the appliance blocks the 8-bit ASCII mode, change your utility to binary mode.

1 On the navigation pane, select Policy | FTP | Content, then Download Status and Data Trickling.
2 To configure file downloading, under For data downloads, select Permit downloading and Permit scanning, and if necessary Block 8-bit data in ASCII mode.
3 To use download status messages, select Enable messages, then specify how long the appliance waits before sending an updated message to the command line.
4 To use data trickling, enable data trickling and configure it. You can use the download status message option or the data trickling option, but not both together. For more information, see Download status and data trickling on page 192.

Handoff Host

An FTP handoff host diverts all client requests to a specific FTP proxy server. This server is then responsible for handling the client requests. For example, if your firewall has an FTP proxy server, use this option to redirect FTP requests to the firewall. On the navigation pane, select Policy | FTP | Content, then Handoff Host, and type the name or IP address.

Upload Status and Data Trickling

The appliance can be configured to permit or deny the uploading of files over an FTP connection, to display status messages informing a client that an upload is still in progress, and to start uploading (data trickling) a file to a client before the whole file has been received from the server and scanned by the appliance.

1 On the navigation pane, select Policy | FTP | Content, then Upload Status and Data Trickling.
2 To configure file uploading, under For data downloads, select Permit uploading and Permit scanning, and if necessary, select Block 8 bit data in ASCII mode.
3 To use upload status messages, select Enable messages, then specify how long the appliance waits before sending an updated message to the command line.
4 To use data trickling, select Enable trickling during uploads and configure it. For more information, see Download status and data trickling on page 192.

234
FTP connection policies

To set up policies for FTP connections initiated by hosts in your inside and outside networks, select Policy | FTP | Advanced Policies | Connection on the navigation pane. You can select Time-outs to specify:
- How long the appliance waits to close an FTP connection if it has received no FTP command.
- How often the appliance checks the FTP connection.

235
9 Scanning

This section describes the principles behind scanning traffic for viruses and other potentially unwanted programs, and describes how to share the scanning workload between appliances. It includes:
- Anti-virus scanning.
- Load sharing on page 242.

Anti-virus scanning

This section describes how to protect your network from viruses and other potentially unwanted programs. It includes the following topics:
- Main features.
- What is heuristic analysis? on page 237.
- Scanning settings on page 238.
- Updating your anti-virus software on page 240.

Main features

The appliance's anti-virus software:
- Detects and cleans viruses.
- Protects your network from potentially unwanted programs (PUPs). The appliance can be configured to:
  - Enable or disable detection of potentially unwanted programs.
  - Detect specific types of potentially unwanted programs, such as mass mailers and Trojan horses.
  - Detect named malware.
  - Take specific actions when malware is detected.

236
Scanning Anti-virus scanning 9

- Protects your network from named packers. You can add and remove packer names from the list of packers that will be detected. Packers compress files and can effectively disguise executable programs. They can also compress Trojan horses and make them harder to detect. The appliance can be configured to:
  - Detect named packers.
  - Exclude named packers from detection.
  - Take specific actions when a packer is detected.
- Protects your network from PUPs. A cautious user might want to be informed of PUPs, and might want to remove them.

Caution: McAfee anti-spyware software detects and, with your permission, removes potentially unwanted programs. Some purchased or intentionally downloaded programs act as hosts for other potentially unwanted programs. Removing these potentially unwanted programs may prevent their hosts from working. Review the license agreement for these host programs for further details. McAfee does not encourage nor condone breaking any license agreements. Read the details of all license agreements and privacy policies carefully before downloading or installing any software.

- Automatically scans within compressed files. Automatically decompresses and scans files compressed in the packages that include PKZip, LHA, and ARJ.
- Detects macro viruses.
- Detects polymorphic viruses.
- Detects new viruses in executable files and OLE compound documents, using a technique called heuristic analysis.
- Upgrades easily to new anti-virus technology.

For information on cookie scanning, see Scanning settings on page 238.

What is heuristic analysis?

An anti-virus scanner uses signatures and heuristic analysis to detect viruses. A virus signature is a binary pattern found in a virus-infected file. Using information in its DAT files, the appliance searches for those patterns. This approach cannot detect a new virus because its signature is not yet known. Therefore another technique, known as heuristic analysis, is employed.

Programs that carry a virus often have distinctive features. They might attempt unprompted modification of files, invoke mail clients, or self-propagate. The scanner analyzes the program code to detect these kinds of computer instructions. It also searches for legitimate behavior, such as prompting the user before taking action, and thereby avoids raising false alarms.

237
To avoid detection, some viruses are encrypted. Each computer instruction is simply one or more binary numbers, but the computer does not use all the possible combinations. By searching for unexpected instructions inside a program file, the scanner can detect an encrypted virus. Using these techniques, the scanner can detect both known viruses and many new viruses and variants.

Scanning settings

When you prepare settings for scanning viruses and other potentially unwanted programs, consider the following:
- Action to take when a virus is found. See Setting actions.
- Setting other actions. See Setting actions.
- How to handle mass-mailer viruses. See Blocking specific threats on page 240.
- The level of anti-virus protection that you need. See Setting the level of scanning and type of protection on page 238 and Customizing anti-virus settings on page 239.

Caution: We recommend that the appliance scans all file types. Before turning off the scanning of any file type, carefully consider the security risks. For more information on these risks, see the Virus Information Library at http://vil.nai.com or speak to your support representative.

Setting actions

You can configure the appliance to clean each virus that it detects and act in a specific way. If the virus cannot be cleaned, you can configure the appliance to take some other action, such as delete a file, move a file to a safe quarantine area, inform the administrator, or record the event in a log. You can also configure the appliance to take action when malware, packers, or potentially unwanted programs are detected. All these actions are protocol-specific. See:
- Specifying the action to take when a rule is triggered on page 147.
- Actions on page 73.

Setting the level of scanning and type of protection

The appliance provides several levels of anti-virus scanning:
- Low: Least secure. Scans most susceptible files.
- Medium: Scans most files.
- High: Most secure. Scans all files and inside compressed files.

High-level scanning provides good security but can affect performance. Sometimes, high-level scanning is unnecessary if data is being scanned for viruses elsewhere in your network.

238
You can also customize scanning by choosing exactly what to scan. See Customizing anti-virus settings on page 239. You can also determine when scanning occurs. See Content rules on page 66.

Customizing anti-virus settings

Besides giving you the levels of scanning described in Setting the level of scanning and type of protection, the appliance also allows you to specify various options when scanning for viruses. Although more options can provide greater security, scanning will take longer. The scanning capabilities are:
- Detecting possible new viruses in programs and documents. Documents that carry a virus often have distinctive features, such as a common technique for replicating themselves. Using heuristics, the scanner analyzes the document to detect these kinds of computer instructions. Program file heuristics scans program files and identifies potential new file viruses. Macro heuristics scans for macros in the attachments (such as those used by Microsoft Word, Microsoft Excel, and Microsoft Office) and identifies potential new macro viruses. See What is heuristic analysis? on page 237.
- Scanning inside archive files. By default, the scanner does not scan inside file archives such as .zip or .lzh files because any infected file inside them cannot become active until it has been extracted.
- Scanning default file types. Normally, the scanner examines only the default file types: it scans only those files that are susceptible to infection. For example, many popular text and graphic formats are not affected by viruses. Currently, the scanner examines over 100 file types by default, including .exe and .com.
- Scanning all files. This option ensures that every file is scanned. Some operating systems, such as Microsoft Windows, use the extension names of files to identify their type. For example, files with the extension EXE are programs. However, if an infected file is renamed with a harmless extension such as TXT, it can escape detection, and the operating system can run the file as a program if it is renamed later.
- Scanning files according to file name extension. You can specify the types of files you want to scan according to their file name extensions.
- Treating all macros as viruses. Macros inside documents are a popular target for virus writers. Therefore, for added security, consider scanning all files for macro viruses, and optionally removing any macros found, regardless of whether they are infected.
- Scanning compressed program files. This is used to scan compressed files such as those compressed using PKLITE. If you are scanning selected file extensions only, add the appropriate compressed file extensions to the list.

239
Blocking specific threats

Normally, the appliance handles all potentially unwanted programs in the same way. However, you can specify that certain types are handled differently. For example, you can configure the appliance to inform the sender, the recipient and an administrator with an alert message whenever a virus is detected in an email message. This feature is useful because it shows that the anti-virus detection is working correctly, but it can become a nuisance if a mass-mailer virus is encountered. Mass-mailer viruses (for example Melissa and Bubbleboy) propagate themselves rapidly using email. Numerous alerts are generated, and these can be as annoying as the surge of detected email messages that has been blocked. The appliance can handle any mass-mailer virus separately from other types of virus. For example, you can choose to discard the detected document immediately, and thereby suppress any alert messages that would otherwise be generated.

Updating your anti-virus software

Every month, hundreds of new viruses appear. To ensure that your network is always protected, keep your anti-virus software up-to-date. All appliances need updating individually. The anti-virus software has two parts:
- DAT files: the DAT files contain descriptions of new viruses, enabling the engine to detect and clean them. New DAT files are normally released daily. We occasionally release ExtraDAT files to counter sudden appearances of new malware.
- An anti-virus scanning engine: the engine contains the software to process the DAT files. When new types of virus appear, the engine might need to be improved to handle them. If an outdated engine tries to use current DAT files, it will not make full use of the new content. The engine file is upgraded less often than the DAT files, usually every few months.

Both parts are essential to provide full protection against computer viruses, and both must be kept updated. They can be downloaded from the McAfee FTP site or other authorized website using automatic updating. See page 16 for the location of the download site.

Why update?

To offer you the best protection, McAfee continually updates the DAT files that the software uses to detect viruses. Although the software uses heuristic analysis, which enables it to detect some previously unknown variants, many new types of malware appear frequently. Often, your existing software cannot detect this software because the DAT files have become outdated.

240
When is the best time to update?

Choose a time when the network is not too busy, possibly during the night, or during the day but outside normal business hours. For the best protection, we strongly recommend that you update your files at least daily.

Scheduling the updates

The appliance allows you to schedule frequent updates from any of these sources:
- Our FTP servers or other authorized provider.
- A computer acting as a proxy if your appliance cannot access those servers directly.
- A computer within your network to which the files have already been downloaded.

The files are compressed to ensure fast downloading. On the navigation pane, select Monitor | Status | General Status or Monitor | Updates to view information about version number and update information. Use Update on the navigation pane to make an update schedule or to update immediately. The appliance also allows you to download the latest DAT, anti-virus scanning engine and ExtraDAT files from a local computer.

241
Scanning Load sharing 9

Load sharing

This section describes load sharing, and includes:

- Basic concepts.
- Configuring load sharing on page 242.
- Load-sharing examples on page 245.
- Viewing the load-sharing status on page 246.

Basic concepts

An appliance receiving traffic from supported protocols can off-load some or all of its scanning workload to other appliances. This technique is called load sharing. Load sharing enables larger numbers of concurrent connections, but reduces throughput. Appliances can also accept or refuse requests to scan traffic on behalf of other appliances.

An appliance that off-loads its scanning workload is a controlling appliance. A controlling appliance can share its scanning workload with many load-sharing appliances. An appliance that receives scanning work from a controlling appliance is a load-sharing appliance.

The controlling and load-sharing appliances must be compatible for load sharing. See Table 9-1.

Table 9-1 Load-sharing capability

Controlling appliance               Can give scanning work to:
McAfee Secure Messaging Gateway     McAfee Secure Messaging Gateway, McAfee Secure Internet Gateway
McAfee Secure Web Gateway           McAfee Secure Web Gateway, McAfee Secure Internet Gateway
McAfee Secure Internet Gateway      McAfee Secure Internet Gateway

Configuring load sharing

You can set up load sharing in several ways:

- Specify if an appliance can accept load-sharing requests from other appliances. See Configuring the controlling appliance on page 243.
- Specify if an appliance can make load-sharing requests to other appliances. See Configuring the load-sharing appliances on page 243.
- Set up a servers list. Each appliance can have a list of appliances to contact for sharing the scanning workload. Appliances at the top of the list are contacted before appliances at the bottom of the list. See Configuring the controlling appliance.
- Change the number of scans that can be run simultaneously. See Changing the number of scans that run on page 245.

We recommend that you use appliances of the same type and configuration when load sharing. The appliances involved in load sharing must be able to reach the update servers so that they remain up to date with DAT files and the anti-virus scanning engine. If anti-spam scanning is load-shared, all the appliances must have access to the anti-spam engine and anti-spam rules package server.

242

The following examples are described:

- Single appliance with one scanner per connection. See Example 1: single appliance in non-sharing mode, on page 245.
- Single appliance with multiple scanners per connection. See Example 2: single appliance in sharing mode, on page 245.
- Multiple appliances with the controlling appliance off-loading some of its scanning workload to other appliances. See Example 3: controlling appliance off-loads some workload, on page 246.
- Multiple appliances with the controlling appliance off-loading all of its scanning workload to other appliances. See Example 4: controlling appliance off-loads all workload, on page 246.

Configuring the controlling appliance

1 On the controlling appliance, select Network | Load Sharing on the navigation pane.
2 In Requests, select Make.
3 From the Servers list, click Add.
4 Type a unique load server name to identify the load-sharing appliance.
5 Type the IP address or fully qualified host name of the load-sharing appliance. A host name must resolve to a single IP address in DNS. The load-sharing appliances must be in the appliance's inside network.
6 If necessary, click Move Up and Move Down to change the order in which the controlling appliance contacts the load-sharing appliances.

Repeat this procedure for each load-sharing appliance that the controlling appliance will use.

Configuring the load-sharing appliances

1 For security reasons, load sharing is disabled by default. To enable load sharing:
   a On the load-sharing appliance, select Network | Load Sharing on the navigation pane.
   b To enable the appliance to accept load-sharing requests from other appliances, select Accept.

243
2 Add the controlling appliance to the list of inside networks for the load-sharing appliance:
   a On the load-sharing appliance, select Network | Settings on the navigation pane.
   b Click Inside Networks.
   c If the controlling appliance is not already listed, select Add.
   d Type the IP address, subnet mask, or host name of the controlling appliance.

   If necessary, change the total number of scans that this load-sharing appliance can run simultaneously by changing the Listeners and Connections settings under Load Sharing Servers. The total number of scans is equal to the number of listeners multiplied by the number of connections, and is the total number of scans for all protocols. For example, if SMTP and POP3 scanning is enabled on the controlling appliance, and the load-sharing appliance has 4 listeners and 20 connections, the largest number of simultaneous scans for that load-sharing appliance is 80. The total number of scans also depends on the available memory. In most cases, the default values are sufficient and do not need to be changed.

3 Repeat Step 1 and Step 2 for each load-sharing appliance, or select System | Manage Appliances | Manage a group of appliances | Load Sharing Settings on the navigation pane to set up the other load-sharing appliances. For more information, see Managing a group of appliances on page 250.

Configuring the Servers list

To make load-sharing requests to other appliances, add the appliance to the servers list. To remove appliances from the list if necessary, use the Delete option. Removing an appliance from a particular Servers list does not prevent that appliance from being involved in load sharing with other appliances.

Managing the appliances in a servers list

1 On the navigation pane, select Network | Load Sharing, then select Make.
2 In Servers list, click Add, or select an existing appliance and click Modify.
3 In Load server name, type the user-friendly name of the appliance with which the controlling appliance will share some or all of its scanning workload.
4 Type the IP address or the domain name of that load-sharing appliance.
5 If necessary, use Move Up and Move Down to reorder appliances in the list. Appliances at the top of the list are more likely to be used for load sharing. Therefore, put appliances with more resources at the top of the list.

244
Changing the number of scans that run

This section describes how to allocate scanning resources when using load sharing and how to control the number of scans that can be run simultaneously. In most load-sharing cases, the default number of scans and the memory usage is sufficient and must not be changed. The total number of scans is equal to the number of listeners times the number of connections, and is the total number of scans for all protocol types.

1 From the load-sharing appliance, select Network | Load Sharing | Connection Settings [Advanced] on the navigation pane, and change the numbers of listeners and connections.
2 If necessary, change the amount of memory available for each scanned connection.

Load-sharing examples

This section explains how to configure your appliances for the following examples:

- Example 1: single appliance in non-sharing mode.
- Example 2: single appliance in sharing mode.
- Example 3: controlling appliance off-loads some workload.
- Example 4: controlling appliance off-loads all workload.

Example 1: single appliance in non-sharing mode

By default, the appliance does all the scanning itself and can be thought of as being in non-sharing mode, which reduces the number of concurrent connections that it can support. In non-sharing mode, each connection has a dedicated scanner. If the appliance is configured to operate in sharing mode, you can return the appliance to its default configuration: select Network | Load Sharing on the navigation pane, then deselect Make.

Example 2: single appliance in sharing mode

The appliance can be set up to load share with itself (indicated by the entry localhost 127.0.0.1 in its Servers list). It does not off-load any of its scanning workload to other appliances. When the appliance receives traffic to scan, it uses its own internal scanners to scan that traffic. The appliance can be thought of as sharing the scanning workload for each connection across a number of internal scanners. The connection and the scanners have a one-to-many relationship.

To configure the single appliance:

1 On the navigation pane, select Network | Load Sharing.
2 In Requests, select Make.
3 In the Servers list section, select Add.
4 Type localhost as the name of the server.
5 Type 127.0.0.1 as the IP address. Do not type any other IP address for the localhost entry.

245

6 Click OK. The appliance restarts when the changes are applied.

Example 3: controlling appliance off-loads some workload

The controlling appliance continues to do some scanning, but also off-loads some of the scanning to other appliances. To configure the appliance:

1 Configure the appliances. See Configuring load sharing on page 242.
2 Make sure that the controlling appliance is listed in its own Servers list. The appliance must be represented by the entry localhost 127.0.0.1. If the controlling appliance is not listed, add it. See Example 2: single appliance in sharing mode.

Example 4: controlling appliance off-loads all workload

This example is similar to Example 3, except that the controlling appliance off-loads all of its scanning workload to the load-sharing appliances. To configure the appliance:

1 Configure the appliances. See Configuring load sharing on page 242.
2 Stop the appliance load-sharing with itself:
   a On the controlling appliance, select System | Load Sharing on the navigation pane.
   b In the Servers list section, select localhost 127.0.0.1.
   c Click Delete.

The appliance restarts when the changes are applied.

For five or more load-sharing appliances, we recommend that the controlling appliance off-loads its scanning workload to the other appliances, to free its resources for traffic management.

Viewing the load-sharing status

To view the load-sharing status, select Monitor | Status on the navigation pane. The tabs near the bottom of the System Status page show the general status of the appliance, and the load-sharing status of up to nine other appliances. The following information is displayed:

- Queue size on the controlling appliance: the number of connections on the controlling appliance that are still waiting to be scanned.
- Algorithm used by the controlling appliance to distribute work to the load-sharing appliances. By default, the controlling appliance uses the Least used algorithm.
- Number of concurrent connections that are supported by each load-sharing appliance.
- Number of connections still available on each of the load-sharing appliances.

246
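To make the capacity rule (listeners multiplied by connections), the Servers list ordering and the status figures above concrete, here is an added model of a controlling appliance handing connections to its load-sharing appliances. It is an illustration written for this guide, not McAfee appliance code. It assumes that the "Least used" choice means the appliance with the lowest fraction of its capacity in use, with ties resolved in Servers-list order, and that a connection with no free slot anywhere waits in the queue until a scan finishes; the appliance names and capacities are constructed.

```python
"""Model of the load-sharing dispatch described above: each load-sharing
appliance can run listeners * connections scans at once, and the controlling
appliance hands each new connection to the 'least used' appliance in its
Servers list.  Added illustration, not McAfee appliance code; the server
names and capacities are constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LoadServer:
    name: str          # Load server name as entered in the Servers list
    listeners: int
    connections: int
    in_use: int = 0    # scans currently running on this appliance

    @property
    def capacity(self) -> int:
        # Total simultaneous scans, for all protocols together.
        return self.listeners * self.connections

    @property
    def available(self) -> int:
        return self.capacity - self.in_use

    @property
    def utilisation(self) -> float:
        return self.in_use / self.capacity if self.capacity else 1.0


class ControllingAppliance:
    """Keeps the Servers list (in list order) and a queue of unscanned connections."""

    def __init__(self, servers: List[LoadServer]):
        self.servers = list(servers)
        self.queue: deque = deque()

    def least_used(self) -> Optional[LoadServer]:
        candidates = [s for s in self.servers if s.available > 0]
        if not candidates:
            return None
        # min() returns the first minimum, so ties go to the appliance that is
        # higher in the Servers list, which is why appliances with more
        # resources belong at the top (assumed tie-break).
        return min(candidates, key=lambda s: s.utilisation)

    def submit(self, conn_id: str) -> Optional[str]:
        """Dispatch one connection; returns the chosen appliance name, or None if queued."""
        target = self.least_used()
        if target is None:
            self.queue.append(conn_id)
            return None
        target.in_use += 1
        return target.name

    def finish(self, server_name: str) -> Optional[str]:
        """A scan on server_name completed; free the slot and drain one queued connection."""
        server = next(s for s in self.servers if s.name == server_name)
        server.in_use -= 1
        if self.queue:
            return self.submit(self.queue.popleft())
        return None

    def status(self) -> Dict:
        # The same figures the System Status page reports for load sharing.
        return {
            "algorithm": "least used",
            "queue_size": len(self.queue),
            "servers": {s.name: {"supported": s.capacity, "available": s.available}
                        for s in self.servers},
        }


def run_demo() -> Dict:
    """Two small appliances (constructed sizes) receiving seven connections."""
    ctrl = ControllingAppliance([
        LoadServer("localhost", listeners=1, connections=2),   # the appliance itself
        LoadServer("scanner-a", listeners=2, connections=2),   # hypothetical load-sharing appliance
    ])
    placements = [ctrl.submit(f"conn{i}") for i in range(7)]
    queued = len(ctrl.queue)                # conn6 had nowhere to go
    reassigned = ctrl.finish("scanner-a")   # a slot frees up; conn6 is dispatched
    return {"placements": placements, "queued": queued,
            "reassigned": reassigned, "status": ctrl.status()}


if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows why the guide says load sharing raises the number of concurrent connections: the seventh connection is queued rather than refused, and the queue drains as soon as any appliance in the list frees a slot. Swapping the two entries in the Servers list changes where tied decisions land, which is the effect of Move Up and Move Down.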
10 Maintaining the appliance

This section describes the changes that you might need to make to the appliance to ensure its correct configuration and operation over time. It includes the following topics:

- Managing this appliance.
- Managing a group of appliances on page 250.
- Backing up and restoring settings on page 251.
- Using ePolicy Orchestrator with the appliance on page 254.
- Automatic updates on page 255.
- Viewing the MIB definition file on page 261.
- Removing old files on page 261.
- Restricting the log size on page 261.

Managing this appliance

This section describes features available when you select System | Manage Appliances in the navigation pane, and select the Manage this appliance tab. Some features can also be specified using the Setup Wizard. For more information, see Page 8: Date, time, password and language settings on page 40.

Changing the management password

By default, the password to access the appliance is scmchangeme. For security reasons, change this password as soon as possible. To change the password:

1 Under Manage this appliance, select Set the password.
2 Type the new password.
3 Confirm the password, and click OK.

247
Maintaining the appliance Managing this appliance 10

Changing the DLP database password

By default, the password to access the database for the Data Loss Prevention feature is dlpchangeme. For security reasons, change this password as soon as possible. To change the password:

1 Under Data Loss Prevention settings, select Set the password.
2 Type the new password.
3 Confirm the password, and click OK.

Turning off the appliance

The appliance can be turned off completely. To prevent tampering or accidental stopping of the appliance, this feature works only if the correct password is given. Depending on your hardware, the appliance is then turned off, or taken to a state where you can safely turn off its power. To stop the appliance:

1 Select Stop the appliance.
2 Type the management password.
3 Click Appliance Stop.

Restarting the appliance

The appliance can be restarted remotely. To prevent accidental restarting, this feature works only if the correct password is given. To restart the appliance:

1 Select Reboot the appliance.
2 Type the management password.
3 Click Appliance Reboot.

Setting the system date and time

To set the system date and time, which the appliance uses for reporting and other purposes:

1 Select the time zone for this appliance.
2 Specify the current date and time.
3 Click Set Now.

248
Setting the NTP server settings

You can specify the NTP server that the appliance uses, and enable NTP client broadcasts. NTP synchronizes timekeeping among devices in a network. Some Internet Service Providers (ISPs) provide a timekeeping service. For more information about NTP, see RFC 1305 at www.apps.ietf.org/rfc/rfc1305.html, www.ntp.org or www.ntp.isc.org. For more information, see Page 8: Date, time, password and language settings on page 40.

1 Select Set the NTP server settings.
2 Configure the NTP settings.

Setting the operational language

You can specify the language used for internal reporting and error messages. For more information, see Page 8: Date, time, password and language settings on page 40. Under Set the operational language, at Operational Language, select the language.

Viewing the configuration changes

In the navigation pane, select System | Manage Appliances | View configuration changes. You can:

- View recent configuration changes to the appliances.
- Compare the differences between configuration versions.
- Revert to previous configurations.

249
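Accurate time matters for every log and report the appliance produces, so it is worth seeing what the NTP exchange it performs with its server contains. The Python below is an added example, not part of the appliance or of McAfee's code: it builds an RFC 1305 client request, checks a reply the way a careful client should (server mode, a synchronised stratum, and an originate timestamp that echoes the request, which rules out stray or unsolicited replies) and then computes the clock offset and round-trip delay from the four timestamps. The server reply is constructed in memory so that the example runs offline; the timings, stratum and reference id are made up.

```python
"""Build an NTP client request and check a server reply, as RFC 1305 lays out
(48-byte packet, 64-bit timestamps counted from 1900).  Added example, not
appliance code; the 'server reply' is constructed in memory so the demo runs
offline."""
import struct

NTP_EPOCH_DELTA = 2_208_988_800   # seconds from 1900-01-01 to the Unix epoch
PACKET_FORMAT = "!BBBbIIIQQQQ"    # LI/VN/mode, stratum, poll, precision, root delay,
                                  # root dispersion, reference id, four timestamps
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32-bit seconds | 32-bit fraction)."""
    whole = int(unix_seconds)
    fraction = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_DELTA) << 32) | fraction


def from_ntp(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_client_request(transmit_unix: float, version: int = 3) -> bytes:
    li_vn_mode = (0 << 6) | (version << 3) | MODE_CLIENT
    # Only the transmit timestamp carries information in a client request.
    return struct.pack(PACKET_FORMAT, li_vn_mode, 0, 0, 0, 0, 0, 0,
                       0, 0, 0, to_ntp(transmit_unix))


def parse_packet(data: bytes) -> dict:
    if len(data) < 48:
        raise ValueError("NTP packet is shorter than 48 bytes")
    (li_vn_mode, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_ts, orig_ts, recv_ts, tx_ts) = struct.unpack(PACKET_FORMAT, data[:48])
    return {"leap": li_vn_mode >> 6, "version": (li_vn_mode >> 3) & 7,
            "mode": li_vn_mode & 7, "stratum": stratum, "reference_id": ref_id,
            "originate": orig_ts, "receive": recv_ts, "transmit": tx_ts}


def validate_reply(reply: dict, our_transmit: int) -> list:
    """Reasons to distrust a reply; an empty list means it passed."""
    problems = []
    if reply["mode"] != MODE_SERVER:
        problems.append("not a server reply (mode %d)" % reply["mode"])
    if reply["leap"] == 3:
        problems.append("leap indicator 3: server clock not synchronised")
    if not 1 <= reply["stratum"] <= 15:
        problems.append("stratum %d: server not synchronised" % reply["stratum"])
    if reply["originate"] != our_transmit:
        # The originate field must echo our transmit timestamp; otherwise the
        # packet answers someone else's request or was never requested at all.
        problems.append("originate timestamp does not match our request")
    return problems


def clock_offset(t1: float, t2: float, t3: float, t4: float) -> float:
    """RFC 1305 offset of the local clock relative to the server."""
    return ((t2 - t1) + (t3 - t4)) / 2


def round_trip_delay(t1: float, t2: float, t3: float, t4: float) -> float:
    return (t4 - t1) - (t3 - t2)


def build_server_reply(request: bytes, recv_unix: float, tx_unix: float,
                       stratum: int = 2) -> bytes:
    """Constructed stand-in for what a real server would send back."""
    req = parse_packet(request)
    li_vn_mode = (0 << 6) | (req["version"] << 3) | MODE_SERVER
    ref_id = int.from_bytes(b"GPS\0", "big")      # made-up reference identifier
    return struct.pack(PACKET_FORMAT, li_vn_mode, stratum, 6, -20, 0, 0, ref_id,
                       to_ntp(recv_unix), req["transmit"], to_ntp(recv_unix),
                       to_ntp(tx_unix))


def demo() -> dict:
    """Appliance clock running 0.5 s fast, 20 ms round trip (constructed timings)."""
    true_now = 1_173_535_331            # true time when the request leaves
    t1 = true_now + 0.5                 # what the fast local clock says
    request = build_client_request(t1)
    reply_bytes = build_server_reply(request, recv_unix=true_now + 0.010,
                                     tx_unix=true_now + 0.012)
    t4 = true_now + 0.022 + 0.5         # local clock when the reply arrives
    reply = parse_packet(reply_bytes)
    problems = validate_reply(reply, parse_packet(request)["transmit"])
    t2, t3 = from_ntp(reply["receive"]), from_ntp(reply["transmit"])
    return {"problems": problems,
            "offset": clock_offset(t1, t2, t3, t4),
            "delay": round_trip_delay(t1, t2, t3, t4)}


if __name__ == "__main__":
    print(demo())
```

The offset comes out at about -0.5 s (the local clock is half a second ahead) and the delay at about 20 ms. A reply that fails validate_reply should be discarded rather than applied, which is the behaviour to expect from any NTP client worth trusting with the appliance's log timestamps.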
Maintaining the appliance Managing a group of appliances 10

Managing a group of appliances

In the navigation pane, select System | Manage Appliances | Manage a group of appliances to:

- Make a list of appliances that you want to configure as a group.
- Apply the configuration from one appliance to a group of appliances.
- Set up appliances to have different configuration groups.
- Specify settings to apply to all appliances. For example, you can specify that load-sharing settings apply to all appliances.

The password of the appliance configuration that is distributed to the group must be the same as the logon password for all the other appliances.

Not all configuration parameters are pushed to the other appliances. Parameters such as an appliance's IP address are not distributed around the group.

The status of the configuration update is displayed in the Update Progress column, and is updated every two seconds. When all the appliances in the group have been successfully set up, click Apply Configuration to make sure the changes take effect.

250
Maintaining the appliance Backing up and restoring settings 10

Backing up and restoring settings

The appliance maintains several logs that record changes. For example:

- System logs: information about system events, such as failed logon attempts.
- Appliance logs: the appliance maintains other logs that record appliance events, such as virus detections.

You cannot disable the system or appliance logs. You can choose the types of events to capture in the appliance logs. Select Configure | Logging, Alerting and SNMP from the navigation pane to set up the appliance logs. Charts and reports show only events that have been logged. See Monitoring the appliance on page 262 for more information about charts and reports.

You can save the system logs and the system configuration files offline. You can also back up the system configuration files and restore them later. To save the logs to another computer, select System | Backup and Restore | Save logs in the navigation pane.

This section describes the backup and restore settings, and includes:

- Backing up system logs.
- Using Syslog for off-box logging.
- Backing up system configuration files.
- Restoring the system settings on page 252.
- Restoring default settings on page 253.

Backing up system logs

The appliance stores information about system events, such as failed logon attempts, in its system log. You can save the log as a .zip file and store it on your network as a backup copy. To save logs:

1 In the navigation pane, select System | Backup and Restore, then select Save Logs.
2 Specify any date range, file size limits and an output file. Wait while the logs are saved to a .zip file.

Using Syslog for off-box logging

To send logging information to an off-box syslog server:

1 In the navigation pane, select Configure | Logging, Alerting and SNMP | Channel Settings | Syslog.
2 Enable logging to the syslog.
3 Specify a computer to use for off-box logging.

251

4 Specify the event types to send to the syslog.

Backing up system configuration files

You can safely store details about the appliance's configuration offline, and restore that information later. The system configuration files are saved to a .zip file, which contains mainly XML files and associated DTD files. The .zip file size is typically less than 100 KB. To save the files:

1 In the navigation pane, select System | Backup and Restore.
2 Click Save Configuration. Wait a few minutes while the configuration is saved.
3 Find a folder for the files, and click Save.

Tip: If you have difficulty saving configuration details to a file, try taking screenshots.

Restoring the system settings

You can restore previously saved settings onto an appliance. You might do this because:

- You have upgraded the appliance's software and want to use the previous settings.
- You have reinstalled the appliance's software because of a problem, and want to use the previous settings.
- You have another appliance and want to copy the settings. For a better way of copying configuration, see Managing a group of appliances on page 250.

If you use the same system settings file for more than one appliance, they will all have the same appliance name (host name) and IP addresses. After you click Restore Configuration, change the appliance name and IP addresses so that each appliance has a unique name and IP address.

If you install new software on the appliance, or turn on the appliance and log on for the first time, you see a special version of the appliance's home page. You can also restore settings from this page.

The user name and password are not saved from a previous configuration. Log on to the appliance using its user name and default password, then change the password. See Managing a group of appliances on page 250.

To restore the configuration to the appliance:

1 In the navigation pane, select System | Backup and Restore.
2 Under Restore, click Restore Configuration.
3 Select the configuration file and click Open.

252

Restoring default settings

To restore the appliance to its default state:

1 In the navigation pane, select System | Backup and Restore.
2 Under Restore, click Restore Defaults.

To view the default settings, from the Links Bar, select Resource, then click Default Settings.

253
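The failed logon attempts recorded in the system log are the kind of event that becomes useful once it leaves the appliance over the off-box syslog channel described above, because the receiving host can look for patterns across time. As an added example (not McAfee code), the Python below parses RFC 3164-style syslog lines and raises an alert when one source address fails to log on three times within five minutes. The host name, the message wording and the sample lines are constructed for the example, so the FAILED_LOGON pattern has to be adapted to the text the appliance actually sends; the assumed format is simply the common "<PRI>timestamp host tag: message" layout.

```python
"""Parse syslog lines of the kind an off-box syslog server receives and flag
repeated failed logon attempts from one source.  Added example, not appliance
code: the message wording and the log lines below are constructed, so adapt
FAILED_LOGON to whatever your appliance actually emits."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# <PRI>TIMESTAMP HOST TAG: MESSAGE   (RFC 3164 layout, assumed here)
SYSLOG_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
FAILED_LOGON = re.compile(
    r"Failed logon attempt for user (?P<user>\S+) from (?P<src>[\d.]+)")

# Constructed sample feed (RFC 5737 documentation addresses, hypothetical host name).
SAMPLE_LINES = [
    "<38>Mar 10 14:02:11 mws-gw1 system: Failed logon attempt for user scmadmin from 192.0.2.17",
    "<38>Mar 10 14:02:50 mws-gw1 system: Failed logon attempt for user scmadmin from 192.0.2.17",
    "<38>Mar 10 14:03:05 mws-gw1 system: Failed logon attempt for user scmadmin from 198.51.100.5",
    "<14>Mar 10 14:03:20 mws-gw1 appliance: Virus detected in message from sender@example.com, action: quarantined",
    "<38>Mar 10 14:03:40 mws-gw1 system: Failed logon attempt for user scmadmin from 192.0.2.17",
    "<38>Mar 10 14:05:00 mws-gw1 system: Logon succeeded for user scmadmin from 192.0.2.17",
]


def parse_syslog(line: str, year: int = 2007) -> Optional[Dict]:
    """Split one line into fields; RFC 3164 timestamps carry no year, so one is supplied."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    stamp = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": stamp,
            "host": m.group("host"), "tag": m.group("tag"), "msg": m.group("msg")}


def detect_failed_logons(events: List[Dict], threshold: int = 3,
                         window_seconds: int = 300) -> List[Dict]:
    """Alert when one source address fails `threshold` times inside a sliding window.
    Events must be in time order, which is how a syslog feed arrives."""
    recent = defaultdict(list)    # source address -> timestamps inside the window
    alerts = []
    for ev in events:
        match = FAILED_LOGON.search(ev["msg"])
        if not match:
            continue
        src = match.group("src")
        times = recent[src]
        times.append(ev["timestamp"])
        while (times[-1] - times[0]).total_seconds() > window_seconds:
            times.pop(0)                      # expire attempts outside the window
        if len(times) >= threshold:
            alerts.append({"source": src, "user": match.group("user"),
                           "host": ev["host"], "count": len(times),
                           "last_seen": ev["timestamp"]})
            times.clear()                     # one alert per burst
    return alerts


def analyse(lines: List[str]) -> Dict:
    events = [e for e in (parse_syslog(line) for line in lines) if e is not None]
    return {"parsed": len(events), "dropped": len(lines) - len(events),
            "alerts": detect_failed_logons(events)}


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LINES)["alerts"]:
        print(f"{alert['count']} failed logons as {alert['user']} from {alert['source']} "
              f"on {alert['host']} by {alert['last_seen']:%H:%M:%S}")
```

On the sample feed only 192.0.2.17 crosses the threshold; the single failure from 198.51.100.5 and the virus detection line are parsed but produce no alert. Because the appliance's own logs are subject to the retention period set under Keep logs, the off-box copy is also the one that survives long enough to be correlated with other systems.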
Maintaining the appliance Using ePolicy Orchestrator with the appliance 10

Using ePolicy Orchestrator with the appliance

McAfee ePolicy Orchestrator enables you to distribute anti-virus software from a single point and to monitor virus activity. To communicate with ePolicy Orchestrator, enable the ePO agent on the appliance. The appliance can then send status information to a port on the ePolicy Orchestrator server, so that the appliance can be monitored remotely with ePolicy Orchestrator. For more information, see the Configuration Guide for use with ePolicy Orchestrator that accompanies your appliance.

If you do not intend to use the ePO agent, select System | Manage Components in the navigation menu, and uninstall the agent.

The ePolicy Orchestrator software can manage the following:

- Global configuration for authentication services and authentication groups.
- Policy-based configuration for authentication (on, off, authentication group selection).

The following must be done separately on each appliance:

- Import the keytab for Kerberos authentication.
- Join the appliance to the domain for NTLM authentication.
- Import TLS certificates. See Transport Layer Security on page 101.

Upgrading the NAP files

See the Configuration Guide for use with ePolicy Orchestrator for full information. If you are installing an appliance for the first time, you can import a policy from an existing appliance to replace the default policy provided with the NAP files. To upgrade from an existing appliance that is already managed by ePolicy Orchestrator:

1 Upgrade your appliance to the new Feature Pack.
2 Back up any existing policies on your appliance.
3 Add the new Feature Pack NAP files to the ePO server.
4 Enable the ePO agent on your appliance.
5 Import the backed-up policy information to ePolicy Orchestrator.

If policy enforcement is enabled, policies sent from the server replace any existing policies on the appliances.

254
Maintaining the appliance Automatic updates 10

Automatic updates

This section describes how to use the automatic updates feature, and includes the following topics:

- What are automatic updates?
- Before configuring automatic updates on page 256.
- Configuring automatic updates on page 256.
- Monitoring automatic updates on page 260.

What are automatic updates?

Automatic updates download and install new features and product fixes, without having to wait for the next major software release. New features and fixes are made available as software releases known as update packages. The types of update packages are described in Types of update packages.

You can use automatic updates to:

- Check which packages are available for downloading and installing on an appliance, and review information about those packages.
- Download some or all of the packages for installing at a more convenient time.
- Download and simultaneously install some or all of the packages.
- Set up a schedule for automatically reviewing, downloading, or downloading and simultaneously installing packages.
- List which packages have been downloaded or installed on the appliance.
- View information logged when an automatic update event takes place. For more information about monitoring automatic update events, see Viewing the event logs on page 261.

Types of update packages

You can download and install several types of package:

- Feature Pack: a software release that contains one or more new features.
- HotFix: a software release that fixes a single known issue with a previous version of the software.
- Patch: a file that contains more than one fix.
- Service Pack: software that integrates several patches into a single software release.

255

Before configuring automatic updates

Before configuring automatic updates, decide how you will deploy any packages:

- Decide who needs to be notified when a new package becomes available. For more information about email notification, see Notifying someone when a new update package is available on page 257.
- Decide how to test any new features or fixes. See Deploying packages.
- Follow your standard policy for scheduling any network outages, because the appliance might need to be restarted after you install a new package.

Deploying packages

Most organizations test new features and fixes on a test network before deploying them in their production environment. We recommend the following deployment:

1 Download the packages to an appliance that is connected to the Internet.
2 If you have a test environment, export the packages to a local computer and transfer them to an appliance in the test environment.
3 Test the packages according to your own standard test procedures to check that they are suitable for your network environment.
4 When you are satisfied that the packages are suitable, you can install the packages on appliances in your production environment.

To allow you to retain control over the installation process, you can choose which method to use when installing packages on an appliance:

- Use the Automatic Package Updating wizard to automatically download and install packages according to a pre-defined schedule. For more information, see Setting up a schedule on page 257.
- Use the Package Review screen to manually install packages that have been previously downloaded to the appliance using the Automatic Package Updating wizard. For more information, see Manually installing a package on page 259.
- Use the export option described in Exporting packages on page 260 to export the package to a local computer. Install the exported package on a different appliance. See Manually installing a package on page 259.

Configuring automatic updates

This section includes the following topics:

- Notifying someone when a new update package is available.
- Setting up a schedule on page 257.
- Viewing information about a package on page 258.
- Manually downloading a package on page 259.
- Manually installing a package on page 259.

256
- Exporting packages on page 260.
- Monitoring automatic updates on page 260.

Notifying someone when a new update package is available

When a new update package is made available by McAfee, the appliance can send an email notification.

1 In the navigation pane, select Configure | Logging, Alerting and SNMP.
2 Under Channel Settings, select the Email tab.
3 At Send email to the following recipients, make a list of recipients.
4 To specify the text that appears in the email messages, edit the text in the E-mail body for hardware and resource events section. Make sure that your text is also suitable for other hardware and resource notifications, because those email notifications also use this text.

Setting up a schedule

You can use the Automatic Package Updating wizard to configure the appliance to automatically check the McAfee FTP site for update packages that are suitable for your appliance.

1 In the navigation pane, select Update | Installable packages to display a summary of the current schedule settings.
2 Select Update Packages.
3 Specify the FTP site details that the appliance will use to obtain automatic package updates. You can specify:
   - Our FTP server or one of our authorized providers.
   - A computer acting as a proxy, if your appliance cannot access the FTP server directly.
4 Select Next.
5 Specify the package types. For more information, see Types of update packages on page 255.
6 Specify what the appliance will do with those packages. You can specify one of the following actions:
   - Review: the appliance downloads information about the packages.
   - Download: the appliance automatically downloads the selected types of package from the McAfee download website.
   - Download and Install: the appliance automatically downloads and simultaneously installs the selected package types from the McAfee download website.
   When you select Download and Install, you can specify whether packages that require an automatic restart of services or a reboot of the appliance are to be installed.

257

7 Click Next.
8 Specify an immediate update or set up a new update schedule for the selected package types.
9 Click Finish.

The appliance performs the selected actions at the appropriate time and displays the results in the Package Review screen. For more information about viewing information about selected packages, see Viewing information about a package.

Viewing information about a package

The Package Review screen shows information about a package. For example, you can see which packages have been installed, or have been downloaded but are not yet installed. You can also view other details.

1 In the navigation pane, select System | Manage Components.
2 Under Package Management, select Review Packages. A list of packages for this appliance is displayed with the following information:
   - Package type, such as a Service Pack or HotFix.
   - Name, which uniquely identifies the package.
   - Description of the package, for example the issues that it fixes.
   - Whether we recommend that you install the package, or leave the decision to you.
   - Action status, showing for example whether the package has been downloaded, or downloaded and installed.
   - Whether the appliance needs to be restarted when the package is installed.
   - Any additional information.
   - List of packages that must be installed before the selected package.
   - List of packages that are replaced by the selected package.
   - List of the issues that are fixed by the selected package.
   Tip: To change the order of columns, click the column heading and drag it to its new position. To change the order of information in the list, click the column heading. For example, to group packages according to their type, click the Package Type column heading.
3 To view information about a specific package, click that package and select Details. The information includes, for example, name, description, issues fixed, and dependencies on other packages.

258
Manually downloading a package

1 In the navigation pane, select System | Manage Components.
2 Under Package Management, select Review Packages to display a list of packages for this appliance.
3 Choose an option:
   - To download a single package, click the package and select Download.
   - To download several packages, use Shift-click or Ctrl-click to highlight the packages, and select Download.
   - To download all packages, click Download All.
   Tip: You can select different actions to apply to different packages. For example, you can select one package to Download, and another to Install. It is only when you click Apply that you accept the selected actions. You cannot download a package that has already been installed.
4 Click Apply.
5 Specify whether the download occurs immediately or later.
6 Click Finish.

Manually installing a package

To use the Package Review screen to manually install packages:

1 In the navigation pane, select System | Manage Components.
2 Under Package Management, select Review Packages to display a list of packages for this appliance.
3 Choose an option:
   - To install a single package, click that package and select Install.
   - To install several packages, use Shift-click or Ctrl-click to highlight the packages, and click Install.
   - To install all packages, click Install All.
   If a selected package has not yet been downloaded, your appliance downloads the package before installing it.
   Tip: You can select different actions for each package. For example, you can select one package to download, and another to install. It is only when you click Apply that you accept the selected actions.
4 Click Apply.
5 Specify if the installation occurs immediately or later.
6 Click Finish.

259
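The prerequisite and replaced-by lists shown on the Package Review screen, together with the rule that an undownloaded package is fetched before it is installed, amount to a small dependency-ordering problem that is worth seeing worked through before you pick several packages and click Apply. This added Python example (not McAfee code) computes the download and install actions for a selection of packages: prerequisites first, packages already installed skipped, packages superseded by another selected package skipped, and a dependency cycle reported instead of looped over. The package names, types and relationships in CATALOG are constructed for illustration.

```python
"""Work out the download/install actions for a set of update packages, honouring
the prerequisite and 'replaced by' relationships the Package Review screen lists,
and the rule that a package not yet downloaded is fetched before it is installed.
Added example, not McAfee code; package names, types and relationships below
are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Package:
    name: str
    kind: str                                            # Feature Pack, HotFix, Patch or Service Pack
    requires: List[str] = field(default_factory=list)    # must be installed first
    replaces: List[str] = field(default_factory=list)    # packages this one supersedes
    downloaded: bool = False
    installed: bool = False
    needs_restart: bool = False


def plan_install(selected: List[str], catalog: Dict[str, Package]) -> Dict:
    """Return the ordered actions needed to install `selected`.

    Prerequisites are installed first (depth-first), already-installed packages
    are skipped, packages superseded by another selected package are skipped,
    and a dependency cycle raises ValueError instead of looping forever."""
    actions: List[Tuple[str, str]] = []
    order: List[str] = []
    superseded = {old for name in selected for old in catalog[name].replaces}
    visiting, done = set(), set()

    def visit(name: str) -> None:
        if name in done:
            return
        if name in visiting:
            raise ValueError(f"dependency cycle involving {name}")
        if name not in catalog:
            raise KeyError(f"unknown package {name}")
        pkg = catalog[name]
        visiting.add(name)
        for dep in pkg.requires:
            visit(dep)                     # prerequisites come first
        visiting.remove(name)
        done.add(name)
        if pkg.installed or name in superseded:
            return                         # nothing to do for this one
        if not pkg.downloaded:
            actions.append(("download", name))
        actions.append(("install", name))
        order.append(name)

    for name in selected:
        visit(name)

    return {
        "actions": actions,
        "order": order,
        "skipped_superseded": sorted(superseded & set(selected)),
        # Tells you whether to schedule an outage before clicking Apply.
        "restart_required": any(catalog[n].needs_restart for n in order),
    }


# Constructed catalogue; the names are hypothetical.
CATALOG = {
    "HF-100": Package("HF-100", "HotFix", downloaded=True, installed=True),
    "HF-101": Package("HF-101", "HotFix", requires=["HF-100"]),
    "PATCH-1": Package("PATCH-1", "Patch", requires=["HF-101"], downloaded=True,
                       needs_restart=True),
    "SP-1": Package("SP-1", "Service Pack", requires=["HF-100"], replaces=["HF-101"],
                    needs_restart=True),
}

if __name__ == "__main__":
    print(plan_install(["PATCH-1"], CATALOG))
    print(plan_install(["HF-101", "SP-1"], CATALOG))
```

Selecting PATCH-1 alone pulls in HF-101 (download, then install) before PATCH-1 itself, and flags that a restart will be needed; selecting HF-101 together with SP-1 installs only the service pack, because it replaces the hotfix.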
Exporting packages

To copy a package configuration to another appliance:

1 In the navigation pane, select System | Manage Components.
2 Under Package Management, click Review Packages.
3 Click the package.
4 Click Export.
5 Specify where to save the file.

You can then manually install the package on another appliance. See Manually installing a package on page 259.

Monitoring automatic updates

This section describes the features for monitoring the appliance, and contains the following topics:

- Listing the update packages installed on an appliance, next.
- Viewing automatic updates schedule information.
- Monitoring the action status of update packages.
- Viewing the event logs on page 261.

Listing the update packages installed on an appliance

To check which packages are currently installed on an appliance, select About the appliance from the interface title bar.

Viewing automatic updates schedule information

To view a summary of the automatic updates schedule, select Update | Installable Packages in the navigation pane. The summary displays a list of packages currently in the schedule and a summary of when the automatic updates will take place.

Monitoring the action status of update packages

You can perform certain actions on update packages. For example, you can:

- Review information about the package.
- Download the package.
- Install the package.

1 In the navigation pane, select System | Manage Components.
2 Under Package Management, click Review Packages to display descriptions of all available packages. The Status column shows information about the status of each package.

260
Viewing the event logs

Events for automatic updates are recorded in the Updates log. To view the Updates log:
1 In the navigation pane, select Monitor > Logs.
2 Under Resource and System, select Updates.
3 To limit the number of event entries displayed, select a range of dates (at the bottom of the page).
4 Click Next. The appliance lists the update events that occurred within the period.

Viewing the MIB definition file

To view the SNMP Management Information Base (MIB) definition file:
1 In the Links Bar, select Resources.
2 In the Resource Information window, click the MIB file for the required language.

Removing old files

To prevent the appliance running out of resources, regularly remove unwanted data, including:
- Email messages in the quarantine area. See Message queues on page 153.
- Deferred email messages. See Deferred email messages on page 156.
- Information in the System logs. See Restricting the log size.

Restricting the log size

Over time, the number of logs stored on the appliance increases. To manage the space used by the log files, restrict how long the logs are kept before being deleted. To change the period:
1 In the navigation pane, select Configure > Logging, Alerting and SNMP.
2 Under Channel Settings, select the XML tab.
3 Type the period in Keep logs.
261
11 Monitoring the appliance

This section describes how the appliance captures information about its performance and status, and how you can use reports, charts and other monitoring options to view that information. It includes the following topics:
- Overview.
- Monitoring options on page 263.
- Types of reports on page 272.
- Getting reports from ePolicy Orchestrator on page 276.
- Getting reports from SmartReporter on page 279.
- Monitoring Internet access on page 283.
- Configuring logging and alerting on page 284.
- Configuring the appliance's SNMP agent on page 286.
- Reporting on loss of confidential data on page 287.

Overview

The appliance generates information about its performance and status, and records this in a log over weeks or months. You can review the information when convenient. You can configure the appliance to respond to certain types of information by sending an alert (an alerting message) when an event needs an administrator or other person to be informed quickly. You can select the type of data that the log records, the level of detail, and whether to monitor specific events. You can also filter the log, for example to show the occurrences of one particular virus. The appliance provides a variety of reports, so you can choose how information is presented.
The information recorded in the log includes:
- Viruses detected and the action taken against them: whether the files have been cleaned, deleted, or quarantined.
- Attempts to access websites that are considered inappropriate to business purposes.
262
- Spam email messages, including date, time, and sender.
- Phish email messages.
- Content rules that triggered because of banned content inside an email message.
- System and management events, such as failed logon attempts and service failures.
Decide how much detail to record in the log, and configure this as soon as possible. See Configuring logging and alerting on page 284. Reports and charts are based only on data that is saved in the log. If you do not set the log to record enough detail, your reports might not contain all the information you need. To view information saved in the log, see Monitoring options, next.

Monitoring options

This section describes the options used to monitor the appliance. For information about configuring logging and alerting, see Configuring logging and alerting on page 284. The following options are available when you select Monitor in the navigation pane:
- Status.
- Performance on page 266.
- Logs on page 268.
- Charts on page 269.
- Updates on page 271.
- Resources on page 271.

Status

In the navigation pane, select Monitor > Status to display status information, including the volume of traffic and detection rates. Here you can check that the correct components are installed on the appliance, and that the appliance is operating within an acceptable range. The page shows the value of each parameter since the counters were last reset. These values are refreshed according to a schedule. For an immediate update, click Refresh. To reset the counters, click Reset Counters.
To define a range of values for status parameters such as the protocol health parameters, click Settings. You can select the period used to calculate status values, and set the refresh rate for the display. To view an individual item, select it. A performance chart appears showing the values for the parameter you selected.
263
The following sections are available:
- Protocol status.
- Dashboard status on page 264.
- General status on page 265.

Protocol status

This shows scanning statistics collected for each protocol since the appliance was last reset. The statistics depend on the type of appliance, and include totals for a variety of information, such as:
- Traffic received for each protocol.
- Viruses detected for each protocol. The information is shown as viruses detected from inside and from outside connections.
- Viruses and potentially unwanted programs detected.
- Email received, and deferred email.
- Email quarantined because of viruses or banned content.
- Email blocked using the real-time blackhole lists (RBLs).
- Spam and phish detected and blocked.
- Websites (URLs) blocked by basic URL blocking and by enhanced URL filtering.
- Websites that triggered a coaching message.
- Email or HTTP postings that contained confidential data.
- Instant messages blocked.

Dashboard status

The Dashboard shows:
- Health of each protocol: whether the protocol can accept a new connection.
- Rate at which the appliance swaps program pages between memory and the swap space on its hard disk. If the swap rate is often high, consider using extra appliances to share the workload.
- Load average: the number of processes waiting to run. A small number of queued processes is best.
- Processors used: processor loading, for up to four processors.
- Storage space (as a percentage of the total) used for each type of partition on the hard disk, and the space still available.
- Web throughput. If the percentage is high, consider upgrading the appliance or load sharing with other appliances.
264
- Health of the optional HTTP accelerator card, if installed.
- CPU usage in megabytes and the number of free files.

General status

You can view the following information on the tabs:
General Status shows general status information. It includes:
- Time elapsed since the appliance was last restarted.
- Name of the appliance.
- Version number of the virus definition (DAT) files and the anti-virus scanning engine.
- Version number of the anti-spam rules and anti-spam engine.
- Version number of the appliance software.
- Language used in reports and messages. It can be different from the language in which the interface is displayed.
- When the DAT files, engine, URL database, rules, and other files were updated.
- Other information, depending on the type of appliance.
Hardware Status shows information about the hardware configuration:
- Status of the RAID arrays (Redundant Arrays of Independent Disks), used for mirroring disks on some appliances with more than one disk.
- Transparent bridge status, if the appliance is configured as a bridge. If bridging is turned on, the bridge is shown as forwarding or blocking traffic.
- Physical address (Media Access Control [MAC] address), link status, speed, and connection type of the Local Area Network ports, LAN 1 and LAN 2.
- Link status, speed, and connection type of the LAN1 and LAN2 ports.
- Hardware card status (for 3400 appliances only).
Load-sharing status shows information for the load-sharing servers:
- Queue size on the controlling appliance: the number of connections that are still waiting to be scanned.
- Name of the algorithm used to distribute the scanning workload to the load-sharing appliances. The default algorithm is Least Used.
- Name of each load-sharing server.
- Connection status. If the status is UP, the appliance can contact the load-sharing server.
- Number of concurrent connections supported by each load-sharing appliance, and the number of connections still available on each appliance.
265
Performance

To monitor the performance of up to four appliances, select Monitor > Performance in the navigation pane. You can:
- Select the appliances.
- Set up a chart for each appliance.
- Save the settings for each chart, so you do not have to type those settings each time you view the chart. These settings include:
  - The label for the vertical axis.
  - How often the chart will be updated.
  - The name of the chart.
  - The counters to display.
  - The grid to display.
- Select the counters to display for each of the appliances.
- Load the previously saved chart and counter settings.
- Save the current counter values to a file for later reference.
To monitor a further appliance, click New Chart, and type its IP address or name. You can monitor other appliances only if they have the same logon name and password as your current appliance.

Selecting appliances to monitor

A tabbed pane is created for each of the selected appliances, and the IP address or host name of the selected appliance appears on its tab. To add appliances, see Managing a group of appliances on page 250.

Setting up a chart for an appliance

1 In the navigation pane, select Monitor > Performance, then select the tab for the appliance.
2 Click Configure Chart.
3 Specify how often the chart is to be updated with the latest information.
4 To display vertical and horizontal lines at set intervals, select the grids.
5 Set up the legends.
6 Specify the scale for the vertical axis.
7 To save the chart and its settings, click Save, and specify where to save the file.
266
Using previously saved configuration settings

1 In the navigation pane, select Monitor > Performance, then select the tab for the appliance. Up to four tabs are available.
2 Click Configure Chart.
3 Click Load.
4 Locate and select the configuration file.

Managing counters for the chart

To manage the counters in the chart:
1 In the navigation pane, select Monitor > Performance, then select the tab for the appliance. Up to four tabs are available.
2 To add a new counter, click Add. Use Modify or Remove to manage existing counters.
3 In the Performance Counters dialog box, under Performance objects, select the performance object. If the Protocol menu is enabled, make further choices there.
4 In Performance counters, select the counter to display. As you click a counter, its description is displayed under Explanation.
5 Double-click the swatch at Line color. In the Line color selection dialog box, select a color for displaying the counter, then click OK.
6 In Scale, select a factor to scale the counter. For example, if you select 10.0, the appliance multiplies each value for that counter by ten. This is useful for viewing side-by-side counters that have different ranges. If one counter always appears at the bottom of the chart and another always appears in the higher value ranges at the top, you might want to scale up the bottom counter. Both counters then appear closer together, making them easier to monitor side by side. The values of the scaled-up counter become relative values rather than absolute values.
7 Click Add.
8 To continue adding performance objects, repeat Step 3 to Step 7.
9 Click Close to close the Performance Counters dialog box.

Saving the current values

1 In the navigation pane, select Monitor > Performance, then select the tab for the appliance.
2 Click Save Chart.
3 Specify where the data will be saved.
4 Click Save to save the details as a tab-separated-values (.TSV) file.
5 Click Close Chart to close all the charts except the original chart. To display previously saved charts, click Configure Chart and select the file.
267
Logs

The log displays information according to the report type and period you select. To view the log, click Logs, then choose the type of report. Different information is logged in different reports. For example, to find out how much traffic has been blocked by the IP reputation service, from the Detections pane select SMTP Blocked. The blocked traffic statistics appear under Reputation Service Triggered. If there is more than one page of information, you can scroll up and down.
To create and view reports based on the information in the appliance's log, first enable logging. See Configuring logging and alerting on page 284.
To view the logs:
1 In the navigation pane, select Monitor > Logs, and select the type of report, such as Hardware and Resources.
2 Select the date range that you want to review.
3 If you select Custom, use the Start and End options to specify the time.
4 Click Next. For most reports, continue with Step 5. For Data Loss Prevention, see Data Loss Prevention reports on page 274.
5 The report appears on the screen. Each page displays up to 1000 entries.
6 Use the following:
- First Page, Last Page, Previous Page, and Next Page to display pages of the report.
- Previous <period> to step back through the reports according to the time selected in Date Range under Logs. For example, if you select Last 5 days in the Date Range field, the button shows Previous 5 days. Click Previous 5 days to step back through the reports 5 days at a time. The button becomes unavailable when you reach the start of the recorded data.
- Next <period> to step forward through the reports according to the time selected in Date Range under Logs. For example, if you select Last 5 days in the Date Range field, the button shows Next 5 days. Click Next 5 days to step forward through the reports 5 days at a time. The button becomes unavailable when you reach the end of the recorded data.
- Close to return to Logs, so that you can choose another report or change the date range for the current report. You cannot use the browser's Back button to return to Logs; clicking the browser's Back button takes you to the logon screen.
Logs and reports for load sharing display an underscore in the host name when the appliance is load sharing. For example, <name of appliance>_<name> indicates that the appliance was load sharing with the appliance <name> when the event was recorded.
268
Displaying data graphically

Click Show Chart to display information in the appliance's log. You can select the properties to show on the chart and the largest number of categories you want the appliance to display. See Charts on page 269.

Reporting using TSV format

You can usually export information in the appliance's log as a text-based file in TSV format. A simplified form of TSV format is shown:
Time      Event Date   Event Id   Event Text      Reason Text
12:55:07  12/12/2001   18100      Found a virus   Ripper
12:55:30  12/12/2001   18100      Found a virus   Love Letter
The TSV (Tab Separated Value) format is ideal for importing the information into a spreadsheet or database tool such as Microsoft Excel, Microsoft Access, or Lotus 1-2-3, where you can manipulate the data and produce reports. The TSV file contains information for the selected report type and period. To generate a TSV file, click Save As.

Measuring spam-blocking rates

To measure the anti-spam performance of your appliance, add the number of messages blocked by the IP reputation service (shown in the logs under SMTP Blocked) to the Anti-Spam Module detections (shown in the logs under Spam and Phish). For more information, see Logs on page 268.

Charts

To view charts:
1 In the navigation pane, enable logging by selecting Configure > Logging, Alerting and SNMP.
2 In the navigation pane, select Monitor > Charts to display logged information as charts.
3 Select the type of chart:
- Statistics charts display statistics about spam detection.
- Timelines charts display historic information.
269
- Top ten charts display the most frequently reported virus detections, denied spam sources, spam recipients, and denied connections. The information is shown as a pie chart. The chart can show up to ten items. For example, if the spam has two sources, only two segments appear in the pie chart.
4 Specify a period, such as last week, for your chart. To cover any range of dates, select Custom.
5 In Maximum number of categories to display, type the largest number of different scores that can appear in the pie chart. The largest number of categories is not the same as the largest number of top scorers, or the largest number of segments that a pie chart can have. Entries that have the same score are considered to be in the same category, although they can be displayed as separate segments in the pie chart.
6 Click Show Charts to display the charts. The appliance filters the data, and displays the charts.
270
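The TSV export, the spam-blocking calculation (reputation-service blocks added to Anti-Spam Module detections) and the top-ten chart category rule described above, worked through as an added Python example that is not code from the guide or the appliance. It parses a constructed TSV export in the simplified column layout the guide shows; only the first two data rows come from the guide, and the other event texts, the 9000x event IDs, the IP addresses and the virus names other than Ripper and Love Letter are placeholders made up for this example.

```python
import csv
import io
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of a log exported with Save As in TSV format, using the
# simplified column layout shown in the guide. Only the first two data rows
# come from the guide; the rest, including the event texts other than
# "Found a virus", the 9000x event IDs, the virus names other than Ripper and
# Love Letter, and the IP addresses, are placeholders made up for this example.
SAMPLE_TSV = (
    "Time\tEvent Date\tEvent Id\tEvent Text\tReason Text\n"
    "12:55:07\t12/12/2001\t18100\tFound a virus\tRipper\n"
    "12:55:30\t12/12/2001\t18100\tFound a virus\tLove Letter\n"
    "12:56:02\t12/12/2001\t18100\tFound a virus\tRipper\n"
    "12:56:40\t12/12/2001\t18100\tFound a virus\tExample worm\n"
    "12:57:11\t12/12/2001\t18100\tFound a virus\tLove Letter\n"
    "12:57:50\t12/12/2001\t18100\tFound a virus\tRipper\n"
    "12:58:05\t12/12/2001\t18100\tFound a virus\tExample worm\n"
    "12:58:33\t12/12/2001\t18100\tFound a virus\tExample trojan\n"
    "12:59:10\t12/12/2001\t90001\tReputation Service Triggered\t192.0.2.10\n"
    "12:59:45\t12/12/2001\t90002\tSpam detected\tAnti-Spam Module\n"
    "13:00:12\t12/12/2001\t90003\tPhish detected\tAnti-Spam Module\n"
    "13:00:50\t12/12/2001\t90001\tReputation Service Triggered\t198.51.100.7\n"
)

# Placeholder event texts standing in for the two figures the guide says to add:
# connections dropped by the IP reputation service (SMTP Blocked) and the
# Anti-Spam Module detections (Spam and Phish).
REPUTATION_EVENTS = {"Reputation Service Triggered"}
ANTI_SPAM_EVENTS = {"Spam detected", "Phish detected"}

Row = Dict[str, str]


def parse_tsv(text: str) -> List[Row]:
    """Parse a TSV export into row dicts keyed by the header line's column names."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    rows: List[Row] = []
    for row in reader:
        # Tolerate a trailing newline or a short line instead of raising.
        if not (row.get("Event Text") or "").strip():
            continue
        # A None key holds any surplus fields on an over-long line; drop them.
        rows.append({key: (value or "").strip()
                     for key, value in row.items() if key is not None})
    return rows


def count_by_event(rows: List[Row]) -> Counter:
    """Number of log entries per Event Text."""
    return Counter(row["Event Text"] for row in rows)


def spam_blocking_summary(rows: List[Row]) -> Dict[str, int]:
    """Reputation-service blocks plus Anti-Spam Module detections, as the guide describes."""
    counts = count_by_event(rows)
    reputation = sum(counts[event] for event in REPUTATION_EVENTS)
    anti_spam = sum(counts[event] for event in ANTI_SPAM_EVENTS)
    return {
        "reputation_blocked": reputation,
        "anti_spam_detections": anti_spam,
        "total_spam_blocked": reputation + anti_spam,
    }


def virus_counts(rows: List[Row]) -> Counter:
    """Detections per virus name, taken from the Reason Text of Found a virus events."""
    return Counter(row["Reason Text"] for row in rows
                   if row["Event Text"] == "Found a virus")


def top_chart(scores: Counter, max_categories: int,
              max_segments: int = 10) -> List[Tuple[str, int]]:
    """Pick pie-chart segments using the guide's category rule.

    A category is one distinct score, so items that tie share a category but
    each still gets its own segment. The chart shows at most max_segments items.
    """
    kept_scores = set(sorted(set(scores.values()), reverse=True)[:max_categories])
    segments = sorted(
        ((name, score) for name, score in scores.items() if score in kept_scores),
        key=lambda item: (-item[1], item[0]),
    )
    return segments[:max_segments]


if __name__ == "__main__":
    log_rows = parse_tsv(SAMPLE_TSV)
    print(spam_blocking_summary(log_rows))
    # With two categories the chart still has three segments: Ripper (3) and
    # the two viruses that tie on a score of 2.
    for name, score in top_chart(virus_counts(log_rows), max_categories=2):
        print(f"{name}: {score}")
```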
Updates

In the navigation pane, select Monitor > Updates to display the updating schedules for the following components:
- Anti-virus DAT files and engine
- Anti-spam rules and engine
- Anti-Spam Streaming
- URL Filter Database
The schedules show:
- Name of each scheduled update.
- Current status of each scheduled task.
- Date of the last update.
Some components are available only if their related feature is enabled.

Resources

In the navigation pane, select Monitor > Resources to:
- Enable or disable the generation of disk usage events.
- Specify when the different disk usage events will trigger.
- Enable or disable the restarting of protocols. A protocol can be restarted when the appliance detects that no connections are available for that protocol. If the restart option is disabled, the appliance will not be able to process traffic for that protocol.
271
Types of reports

You can generate reports from your appliances using the following methods:
- On-box reporting.
- ePolicy Orchestrator. See the ePolicy Orchestrator product documentation.
- SmartReporter from Secure Computing. This generates reports about Uniform Resource Locator (URL) filtering activities. See the Secure Computing SmartReporter Administration Guide, available from the Secure Computing website (www.securecomputing.com).
Each type of report produces similar information. You need to consider how long to hold the data. The following sections discuss why you might use each type of report.

On-box reporting

The appliance's own reporting features can generate reports, or show logs, statistics, performance counters and graphs for a wide range of data about the appliance and its activities. On-box reporting also provides reports about the appliance itself, such as memory and processor usage. Information held on the appliance is typically removed after 14 days.

ePolicy Orchestrator reports

ePolicy Orchestrator provides reports from multiple appliances and security software within your organization. Use ePolicy Orchestrator to collect information such as the total number of viruses detected within your organization.

SmartReporter

Use SmartReporter to provide information and reports from the enhanced URL-filtering function. SmartReporter provides URL-filtering reports on data in US English American Standard Code for Information Interchange (ASCII) format only. Use SmartReporter only for US English reports that do not include non-ASCII characters.
272
Getting reports from your appliance

The appliance generates information about its performance and status, and records this information in a log. This log can record activity over weeks or months, and you can review the information at any time. You can configure the appliance to respond to certain types of information by sending an alert when specific events require an administrator or other person to be informed quickly. You can configure logging using several means, including:
- Email.
- Extensible Markup Language (XML).
- SNMP.
- Syslog (this can be configured to send data to an off-box store).
Email and SNMP deliver specific alerts. You can select the type of data you want the log to record, the amount of detail, and whether to monitor specific events. The generated information can also be filtered. For example, you can restrict the information to show only the occurrences of one particular virus. The appliance provides many reports, from which you can choose how to present the information. The type of information that is available for logging, alerting, and reporting is subject to change. See the Release Notes for the latest information.
The information recorded by the log includes:
- Viruses detected and the action taken against them: whether the files have been cleaned, deleted, or quarantined.
- Attempts to access websites that are banned because they are considered inappropriate to business purposes.
- Spyware, potentially unwanted programs and other files detected, and the action taken against them.
- Incidences of spam email messages, including date, time, and sender.
- Incidences of phish email messages.
- Incidences of content rules that triggered because of banned content inside an SMTP email message.
- URLs blocked by basic URL filtering.
- URLs filtered. This includes URLs blocked, coaching and allowed actions.
- Email compliance. This includes details of policy violations that refer to specific predefined content libraries, and action taken against non-compliant email messages.
273
- System and management events, such as failed logon attempts and service failures.
Decide how much detail you want the log to record, and configure this as soon as possible. To view information in the log, use Monitor in the navigation pane. The following options are available:
- Status displays information such as the volume of traffic and detection rates. See page 263.
- Performance monitors up to four appliances, each with its own tab. See page 266.
- Logs selects which charts and reports to generate. See page 268.
- Charts. See page 269.
- Updates displays the anti-virus and anti-spam update schedules. See page 271.
- Resources. See page 271.

Data Loss Prevention reports

The Data Loss Prevention report includes many controls to enable you to view details about any loss of confidential data.
1 In the navigation pane, select Monitor > Logs.
2 Select Data Loss Prevention, and click Next to open the Data Loss Prevention page.
3 Choose how much information to display:
- At Start, click the date button and set the calendar control.
- Select a period such as a month or week. For a period of one hour, select the starting time too.
- Select the required protocol and classification.
- Choose the type of item to display, such as the sender or policy. The box below your choice lists the items of that type. For example, if you select a policy, you will see From Inside and From Outside plus any other policies that have been created. Use the buttons on the right to build a list, if necessary.
4 Click Apply filter to generate a report, which appears under Results.
5 To see different views of the report, click the tabs. Each view includes blue links that you can click to refine (or drill down into) the information.
- In the Totals View tab, click the blue links to show the type of policy action, such as Blocked.
274
- On the Time View tab, click the blue numbers above the colored vertical bars to view further details for each period, such as a week and day. Click the link (in the top left), such as show containing week, to return to viewing results over the previous (longer) period.
Figure 11-1 Time View
- On the Itemized View tab, click the blue links around the colored bars to refine the information.
- On the Detailed View tab, select any row in the table, then click Details to open the Event Properties window.
6 To save an HTML file that shows the bar charts from the Totals View, Time View, and Itemized View, click Export and use the Select file dialog box. To ensure that the graphs print correctly, set your browser to print background colors. For example, in Internet Explorer, select Tools > Internet Options, then in the dialog box select the Advanced tab and locate Printing.
To see other periods of results, click Previous and Next at the top of the page. For example, if Range is Day, click these buttons to view results for adjacent days.
275
Getting reports from ePolicy Orchestrator

ePolicy Orchestrator enables you to view several standard reports and create custom reports using Business Objects Crystal Reports 8.5. For information on configuring ePolicy Orchestrator to work with your appliance, see the ePolicy Orchestrator product documentation.

Installing the most recent appliance reports

Before trying to create ePolicy Orchestrator reports from your appliances, ensure that you have installed the most recent reports onto ePolicy Orchestrator.
1 In the ePolicy Orchestrator console, select Repository.
2 Select Check in NAP.
3 Select Add new reports.
4 Click Next.
5 Browse to SCM45_RPT.nap.
6 Click Open.

Reports available from ePolicy Orchestrator

The following reports are provided when you install the appliance reports onto your ePolicy Orchestrator server:
- Anti-virus reports.
- Anti-spam and anti-phish reports on page 277.
- Content filter reports on page 277.
- Email compliancy reports on page 277.
- Data loss prevention reports on page 278.
- URL-filtering reports on page 278.
ePolicy Orchestrator does not produce a standard set of reports. The exact reports available depend on the version of the appliance software, and any optional modules installed on your appliance. Additionally, ePolicy Orchestrator reports on events from other McAfee products. From ePolicy Orchestrator, you can also create custom reports using Business Objects Crystal Reports 8.5.

Anti-virus reports

These include:
- Infection History.
- Infections by Custom Data Groups.
- Viruses detected.
276
- Number of Infections Detected by Product for Current.
- Number of Infections Detected Monthly Showing Virus.
- Number of Infections For the Past 24 hours.
- Outbreaks Weekly History.
- Outbreaks Current.
- Product Events by Severity.
- Number of Infections from Removable Media.
- Security Summary.
- Virus Type.
- Top 10 Detected Viruses.
- Top 10 Infected Files.
- Top 10 Infected Machines.
- Top 10 Infected Users.

Anti-spam and anti-phish reports

If installed, the following anti-spam and anti-phish reports are available from ePolicy Orchestrator:
- Throughput By Day.
- Throughput By Month.
- Throughput By Week.
- Top 10 Recipients.
- Top 10 Source IP Addresses.

Content filter reports

The following content filter reports are available from ePolicy Orchestrator:
- Content Filter Report By Rule And Time.
- Content Filter Report Rules Triggered.
- Content Scanning Detections By Appliance.
- Content Filter Report By Rule.

Email compliancy reports

If installed, the following email compliancy reports are available from ePolicy Orchestrator:
- Email Compliancy By Sender.
- Email Compliancy By Source IP Address.
- Top Ten Senders.
- Top Ten Source IP Address.
277
Data loss prevention reports

The following reports are available from ePolicy Orchestrator:
- Data Loss Prevention By...: details of data loss by sender, file name, and so on.
- Throughput: pie charts showing throughput over various periods.
- Top Ten...: bar charts showing details such as the top ten senders of data.

URL-filtering reports

The appliance includes basic URL filtering as standard. ePolicy Orchestrator provides the following report:
- Blocked URLs (basic blocking).
If the enhanced URL-filtering feature is installed, the following URL-filtering reports are also available:
- Blocked Summary by Day.
- Blocked Summary by Month.
- Blocked Summary by Week.
- Top Ten Blocked by Source IP Address.
- Top Ten Blocked by Policy.
- Top Ten Blocked by User name.
- Top Ten Blocked by Sites.
- Top Ten Blocked by Categories.

Generating reports

To generate a report:
1 Select the report to generate.
2 Click Yes to set a data filter for your report. If you do not set a data filter, the report might take a long time to generate.
3 Define your data filter criteria.
4 Confirm that the data filter information is correct.

Finding detailed information

On some reports, you can find more detailed information on parts of the report. Within the table part of the report, click an item to display greater detail on that aspect of the report.
278
Further information about ePolicy Orchestrator

For more information about ePolicy Orchestrator, ePolicy Orchestrator reports and how you can use them, see the ePolicy Orchestrator product documentation.

Getting reports from SmartReporter

SmartReporter from Secure Computing exports data from the appliance's database and uploads it to its own reporting database for processing. SmartReporter is supported on English-language operating systems only. To obtain SmartReporter, visit http://www.securecomputing.com/index.cfm?skey=181 and click SmartReporter Download Center. For information on configuring SmartReporter to work with your appliance, see Installing and configuring SmartReporter on page 205. For fully up-to-date information, see the Secure Computing SmartReporter Administration Guide (available from the SmartReporter download center).
Not all features available within SmartReporter are relevant to reports generated from the appliances. Also, you cannot make changes to the appliance's policies from within SmartReporter.
To view web activity reports for your network:
1 Open SmartReporter and log on.
2 Click one of the following:
- Quick View for a summary of recent web activity. See Quick View, next.
- View Reports to generate a specific report. See View Reports on page 280.
- Schedule Reports to schedule reports to be sent by email. See Schedule Reports on page 281.
- Administrator Options to manage system settings.

Quick View

A Quick View displays statistics of web activity for today, yesterday, and the past seven days, giving a snapshot of activity on your network. It includes the following tabs:
- Categories: the top five categories requested today, yesterday, and the past seven days. It does not include data for uncategorized sites. It shows the number of site requests per category, and bar graphs that indicate the percentage of requests blocked, coached (warned), monitored, and allowed. It also displays the percentage of coached requests for which the coaching page was bypassed.
- Users: the top five active users for today, yesterday, and the past seven days. It shows the number of requests per user, and bar graphs that indicate the percentage of requests blocked, monitored, and so on.
279
Monitoring the appliance Getting reports from SmartReporter 11 Sites the top five requested sites for today, yesterday, and the past seven days. It shows the number of requests per site, and bar graphs that indicate the percentage of requests blocked, monitored, and so on. Action the actions taken on site requests made today, yesterday, and during the past seven days. It shows the number of requests per action type, and bar graphs that indicate the number of requests relative to other action types. The action types for each period are listed from most to least requests. Click the appropriate link to view more detail about activity during any period, or activity related to any Category, User, Site or Action in the first column. To view a full report listing up to 50 categories, users or sites, click Today, Yesterday or Past 7 Days on the appropriate tab. For example, to view the top 50 users for the past seven days, click Past 7 Days on the Users tab. You can also drill down to view more detail on any item in the Category, User, Site or Action columns. View Reports View Reports enables you to view custom reports. You can select from the following criteria: Custom Dates Type the first and last dates of the period. Category activity Top categories for all web activity, or for a specific user, group, IP address or IP range. User activity Top users for all web activity, for a specific category, or for a specific website. Site activity: Top sites for all web activity. Top sites in a specific category. Top sites for a specific user, group, IP address or IP range. Top sites in a specific category for a specific user, group, IP address or IP range. Time-based activity: Number of site requests by hour or day for a specific category, site, or user, group, IP address or IP range. Requests by hour or day in a specific category for a specific user, group, IP address or IP range. Requests by hour or day for a specific site by specific user, group, IP address or IP range. 
- Detailed user activity: view activity for a user, group, IP address or IP range.
- Detailed site activity: view user activity on any website.
- My favorite reports: choose a report from a list of saved reports.

You can also choose how many items to include in the report, and choose how to sort the report data. After you specify the criteria for your report, click View. The report appears in the report viewer window.
Schedule Reports

Scheduling reports makes it easy to receive regular updates about web activity on your network. SmartReporter generates reports at scheduled times, for specified periods, then sends them to a specified email address. After you view a report, you can schedule it to run automatically daily, weekly or monthly, or once for a range of dates. Scheduled reports contain per-user browsing history, so send them only to addresses whose owners are entitled to see that data.

To schedule a report:

1 Click Schedule Reports.
2 Click Add to schedule a report for the first time. To change the schedule settings for an existing report, choose the report from the list, then click Change.
3 Choose the report to schedule:
  a To schedule the last report you viewed, click Schedule the Report I Just Viewed, then type a name for that report.
  b To schedule an existing favorite report, select Schedule This Favorite Report, then click the report.
4 Choose how often to generate the report:
  a Select Daily to generate the selected report at the end of each day.
  b Select Weekly to generate a report for the previous week. Weekly reports are generated every Sunday.
  c Select Monthly to generate a report for the previous month. Monthly reports are generated on the first day of the month.
  d Select Once For This Date Range to generate the report only once, then specify the first and last dates of the range. Use Once For This Date Range if the report includes a lot of data and might therefore take a long time to generate.
5 Type the email addresses that will receive the report.

Further information about SmartReporter

For more information about SmartReporter reports and how you can schedule and use them, download the Secure Computing SmartReporter Administration Guide from the SmartReporter download center.
URL Filtering

You can monitor the URL-filtering activity detected by your appliance. The appliance creates a log of the activities, and also enables you to view charts relating to URL filtering.

Logs

When the appliance detects a request for a website, it compares the URL against the URL-filtering database, then applies an action. The appliance also logs information about the request.

Viewing the URL-filtering logs created by the appliance

1 In the navigation pane, select Monitor | Logs.
2 Under Detections, select URLs filtered, then click Next.
3 Use the filter options to refine the displayed information. You can:
  - Change the starting date.
  - Select the time Range, and select the Start hour (when the range is equal to Hour).
  - Filter HTTP or ICAP requests.
  - Select the information to display:
    Category: information about requests within all categories, or select specific categories to view.
    Policy: information from all policies, or select specific policies to view.
    IP address: information about requests from specific IP addresses.
    Site: information about the sites requested.
    URL: information about pages within requested sites.
    Reports: when you select Reports, you can choose Top 10 and Top 50 reports, which show, for example, the most often requested sites and URLs and the IP addresses of your users.
4 Click Apply Filter to view the selected information. The information appears in the lower part of the URLs filtered page.

Viewing more detailed information

The lower part of the URLs filtered page has several tabs, each containing a different type of information:
- Totals View: total number of requested URLs that were blocked, coached, passed or allowed.
- Time View: times when each request was made.
- Itemized View: requested URLs.
- Reports View: only enabled when you select Reports from the Display list, the Reports view enables you to quickly view popular reports, such as the top 10 blocked sites.
1 Select the tab for the type of information to view.
2 Click the links displayed to drill down to the information that you require.

Tip: You can swap between tabs as you drill down to find information. For example, you can select the Time View, and examine a particular period in more detail. Then you can select the Itemized View to find specific information about the requests made at that time.

Charts

The appliance provides graphs of requested URLs detected by enhanced URL filtering. Two charts contain information about URL filtering: URLs Blocked, and Top URL categories.

1 In the navigation pane, select Monitor | Charts, then select URLs Blocked and Top URL categories.
2 Select the Date Range.
3 Select the Maximum number of categories to display.
4 Click Show Charts. The appliance filters the data, and displays the charts.

Monitoring Internet access

You can configure the appliance to record how employees use the Internet. Within the appliance interface, you can view summary information or more detailed reports. The following categories are used when displaying URL-filtering information:
- Block: requests that were blocked.
- Coach: requests that caused a Coach alert message.
- Pass: requests where the user ignored the Coach alert message and continued to the site.
- Allow: requests that were automatically allowed by the appliance.

If a requested URL is blocked and the requested website contains a virus, only the URL block is reported; do not expect a matching entry in the virus-detection logs for a site that was never fetched.
Configuring logging and alerting

The appliance generates many alerts arising from events such as:
- Detection of a virus.
- Detection of a banned word or phrase.
- Detection of a spam email message.
- A failed attempt to log on.
- Resources becoming exhausted.

You can configure the appliance to respond in different ways to these events. For example, the appliance can send an email message to a network administrator when the disk is nearing full. This feature is available at Configure | Logging, Alerting and SNMP in the navigation pane. You can:
- Specify which events the appliance records. See Selecting events of interest on page 284.
- Specify how the appliance responds when specific events occur. For example, the appliance can send an email message, or create a syslog entry. Each means of distributing the information is called a channel. See Selecting the distribution method on page 285.
- Configure the settings for each channel. For example, you can specify the text of an email message, or specify the address of the SNMP trap manager. See Changing distribution settings on page 285.

Selecting events of interest

For each supported protocol, you can decide which events to record. You can specify the:
- Severity of protocol events, such as a protocol conversation error.
- Severity of communication events, such as a DNS lookup failure.
- Type of detection events, such as virus or spam detections.

Each event has a unique event ID code, and a description to help you select the event. The appliance records most events. However, some events occur frequently and can soon fill the log files, so such events are disabled by default. You can include or exclude individual events; before disabling a frequent event, check that it is not one your detection or incident-response process relies on (failed logon attempts, for example). Every event that you specify at this stage is recorded in log files on the appliance. To see the log files, select Monitor | Logs in the navigation pane.
Selecting the distribution method

The appliance has several methods (or channels) for distributing information:
- Email messages: the appliance sends information as email messages to any number of recipients.
- McAfee ePolicy Orchestrator events: an agent program on the appliance generates files that contain information about the system, virus detection, anti-spam detection, and other information. The agent creates a file for each event, then sends the information to the ePolicy Orchestrator server for monitoring and reporting.
- SNMP traps: the appliance sends information as alerts to an SNMP trap manager. The MIB file on the appliance tells the SNMP manager how to interpret the data in the traps.
- Syslog entries: the appliance sends information to syslog for off-box logging.

You can also specify the type of event to send for each type of distribution channel. These channel filters allow you, for example, to send some alerts by email only, and some information to an off-box syslog, according to the facility. You select the events that the appliance will generate, and then choose how the event will be notified, using a channel such as email or SNMP. The off-box copy is the one that survives if the appliance itself fails or is compromised, so send it to a collector that the appliance cannot modify, and remember that traditional syslog is unauthenticated and, over UDP, unacknowledged.

Figure 11-2 Filtering events from the appliance (channels: syslog, ePO, SNMP)

Changing distribution settings

You can configure the settings for the distribution methods:
- Email: specify the recipients, and design a template for each type of email notification. The templates use substitution variables. See Substitution Variables on page 310 and Alert messages on page 286.
- XML: specify how long the logs are kept before being deleted. All events go to the XML channel, and this channel cannot be disabled. However, you can specify how long the appliance keeps the event logs.
- SNMP: specify the address of the trap manager and other details.
- Syslog: enable off-box logging of the syslog, specify a host for off-box logging, and select which syslog facilities to send off-box.
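The facility-based channel filtering described above works on the PRI field that every syslog line carries. The following is an added example, not code from the McAfee guide or the appliance: it decodes PRI into facility and severity and applies per-channel filters of the kind the appliance lets you configure. The facility and severity names are the standard RFC 3164 ones; the sample log lines and the two channel definitions are constructed for the example.

```python
"""Added example, not from the McAfee guide: how a syslog line's PRI field
encodes facility and severity, and how a per-channel facility/severity filter
decides which events leave the appliance. Facility and severity names are the
standard RFC 3164 ones; SAMPLE_LINES and CHANNELS are constructed."""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(line):
    """Split '<PRI>rest' into (facility_name, severity_name, rest).

    PRI = facility * 8 + severity, so divmod(pri, 8) recovers both fields.
    Lines without a valid PRI are rejected rather than guessed at: a collector
    that silently defaults them can be made to misfile events."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing PRI field: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], m.group(2)


def route_events(lines, channels):
    """Return {channel: [message, ...]} for events passing each channel's filter.

    channels maps a channel name to {"facilities": set_of_names,
    "min_severity": name}; an event passes if its facility is in the set and
    it is at least as severe as min_severity (lower index = more severe)."""
    routed = {name: [] for name in channels}
    for line in lines:
        facility, severity, message = parse_pri(line)
        for name, flt in channels.items():
            if facility in flt["facilities"] and \
               SEVERITIES.index(severity) <= SEVERITIES.index(flt["min_severity"]):
                routed[name].append(message)
    return routed


# Constructed sample events in the '<PRI>' form a syslog sender emits.
SAMPLE_LINES = [
    "<38>Jun 12 10:01:02 scm login: failed logon for admin from 192.0.2.10",  # auth.info
    "<22>Jun 12 10:01:05 scm smtp: spam detected, sender 198.51.100.4",       # mail.info
    "<2>Jun 12 10:02:00 scm kernel: disk nearing full on /var",              # kern.crit
    "<86>Jun 12 10:02:30 scm sudo: admin : TTY=pts/0 ; COMMAND=/bin/ls",      # authpriv.info
    "<15>Jun 12 10:03:00 scm updater: checking UPDATE.INI",                   # user.debug
]

# Constructed channel filters: only pager-worthy events by email, everything
# security-relevant to the off-box collector.
CHANNELS = {
    "email":  {"facilities": {"kern", "auth", "authpriv"}, "min_severity": "warning"},
    "syslog": {"facilities": {"kern", "auth", "authpriv", "mail"}, "min_severity": "info"},
}

if __name__ == "__main__":
    for channel, messages in route_events(SAMPLE_LINES, CHANNELS).items():
        print(channel, len(messages))
        for msg in messages:
            print("   ", msg)
```

Run stand-alone, the email channel receives only the kern.crit disk warning, while the syslog channel receives the four auth, authpriv, mail and kern events and drops the user.debug line. The same split is what the appliance's channel filters give you: noisy informational events to the collector, a short list of actionable ones to a mailbox.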
Alert messages

The appliance sends a message to clients when specific events occur. To view the content of the messages, select Configure | Logging, Alerting and SNMP in the navigation pane, select Channel settings, then Email. To specify other details of the message, select Policy | <protocol> | Content in the navigation pane, then select Alert Settings. You can specify:
- Your own alert message (or use the default message).
- Whether to send an HTML alert message or a plain text message.
- Type of character encoding, if required.
- File name of the alert.
- Text that appears in the alert header and the alert footer.

Configuring the appliance's SNMP agent

The appliance uses Simple Network Management Protocol (SNMP) to issue messages (known as traps) to other computers, and can give authorized computers access to its performance data and statistics.

An SNMP trap is an unsolicited message from the appliance to an SNMP manager (such as InterMapper, SNMP Watcher or HP OpenView NNM) indicating that an event has occurred. Traps can notify conditions (such as a failed attempt to log on or a disk nearing full capacity) to other devices immediately. These conditions might otherwise be discovered only during occasional polling.

The appliance records each piece of information (or MIB variable) about its activities in a database called the Management Information Base (MIB). SNMP managers and other network-monitoring tools can query the appliance about its MIB variables and display the results. To view the structure of the appliance's MIB file (MCAFFEE-SCM-MIB.txt or MCAFFEE-SCM-MIB.[locale].txt), click Resources in the black links bar near the top of the main window, then click a link to one of the localized MIBs.

Parameters for the agent

Versions 1 and 2 (2c) of the SNMP protocol use the community name like a password. The community name is required with each SNMP Get request to allow access to the appliance. The default Community Name is public. Because public is the universal default, and because SNMPv1 and v2c send the community name in cleartext with every request, change it before the appliance is reachable from anything other than the management network, and handle it with the same care as a password.

Version 3 incorporates both authentication and privacy. You need to set the user name, and the protocols and passwords for authentication and privacy. Where your SNMP manager supports it, prefer version 3 with both authentication and privacy enabled over versions 1 and 2c.

Provide your own values for name, location and contact. If you have several appliances, change the default name of SCM appliance.

The appliance is set to allow SNMP queries from all devices. We recommend that you change the settings to allow access from known devices only. Specify the IP addresses of the devices that may read the appliance's MIB parameters.
Reporting on loss of confidential data

The appliance can send reports about loss of confidential data by email. The types of reports are:
- Trend Report: summary of the violations and how the number of violations changes over a period. This high-level report shows the overall trend in violations.
- Activity Report: detailed view of each violation showing its sender, recipient and document. This report is intended for those who define the information that needs to be protected. Because it names the documents and people involved in each violation, keep its recipient list to those who are cleared to see that information.

To use this feature, select Configure | DLP Reporting in the navigation pane. You can configure the following settings:
- Type of report: trend or activity.
- Address to use as a sender.
- List of recipients.
- Subject line for the email message that contains the report.
- Encoding for the email message, such as UTF-8.
- Period covered by the report.
- Schedule for issuing the reports, such as daily or monthly.
- The format of the report, such as HTML or PDF. You can select a page size for PDF reports.
- The maximum number of items appearing in each table or list. For example, if the value is 5, a list of 10 confidential files shows only the first 5 file names, followed by a "..." symbol.

To view more detailed reports, select Monitor | Logs in the navigation pane, then select Data Loss Prevention. See Data Loss Prevention reports on page 274.
12 Updating the appliance

Ensuring that your network is always protected

New threats like malware and spam arise continuously, so you must ensure that the appliance can continue to protect your network. This section describes how the appliance maintains its protection by obtaining regularly updated files from our website. Updating can be automated. You need only specify the locations and schedules that the appliance will use to obtain the updates. To use the updating feature, select Update from the navigation pane, and use the wizards.

About the wizards

Each wizard has two or three steps, which prompt for information:
- Where to collect the updates.
- Which files are needed.
- How often to get the updates.

Where to collect the updates

The appliance can get the updated components from:
- A local computer that has already downloaded the files. If several appliances need updating and your Internet connection is slow, busy or expensive, we recommend that you put the files on a local computer. Instead of each appliance having to use an Internet connection, the appliances need only download the files over your internal network. For maximum protection, ensure that the local computer always has the latest files. The appliances load whatever engine and DAT files that computer offers, so restrict write access to the share to the account that performs the mirroring.
- An FTP site: the McAfee FTP server or one of our authorized providers. If your appliance cannot access a server directly, it can use a proxy server. You must provide details such as the name of the proxy server and a password.
Which files are needed

For anti-virus protection, the appliance locates a file called UPDATE.INI, which tells the appliance which anti-virus scanning engine and DAT files are available for loading and where to find those files. The ExtraDAT file, which we occasionally provide during virus outbreaks, can also be requested.

For anti-spam protection, the appliance locates a file called SPAMUPD.INI, which tells the appliance which anti-spam engine and anti-spam rules are available for loading and where to find those files. Also available is a streaming service, which can provide updates as often as every few minutes.

For packages such as service packs, the appliance provides a choice of actions. For example, the appliance can restart automatically upon installing a package.

How often to get the updates

You can schedule updates at any time. For the best protection, update the anti-virus and anti-spam files regularly, at least daily. If your network is often busy, choose the time of day carefully. Updates can also be run immediately. You might need to do this if we issue an ExtraDAT or extra spam rule files, which protect against sudden outbreaks.

The anti-spam rules help you maintain a balance between the email you want to filter out because it probably contains spam, and email that you want to let through because it is unlikely to contain spam. Use Update | Anti-Spam to regularly download:
- Anti-spam rules. These define what is spam. Some anti-spam rules are updated regularly, but McAfee also produces extra rules to combat sudden outbreaks of new types of spam.
- Anti-spam engine. This uses the anti-spam rules to scan email messages for spam.
- Streaming updates. You can update the appliance with critical rules more frequently, possibly every few minutes.

Anti-phishing rules are also downloaded when the anti-spam rules are downloaded.
A Troubleshooting

This section describes how to solve problems that might occur while using the appliance. It includes:
- Using the diagnostic tools.
- Frequently asked questions and problems on page 297.
- Getting more help: the Links bar on page 306.

Using the diagnostic tools

To verify your appliance's configuration and help you analyze problems, you can use the following diagnostic tests:
- Ping test on page 291.
- Display routing information on page 291.
- Display system load on page 293.
- System configuration tests on page 293.
- Minimum escalation report on page 294.
- Capture network traffic on page 295.
- Save quarantine on page 295.
- Error Reporting Tool on page 295.
- Remote access card on page 296.
Ping test

A ping test determines whether a device can be reached over the network. The appliance sends a message to the device it is trying to contact. If the request times out, the device cannot be reached. A ping test can check that another device is switched on, and rules out physical problems with the network connection. Ping by itself is not a reliable test for connectivity, because some devices might be configured not to respond to ping requests.

To run a test:

1 In the navigation pane, select Troubleshoot | Diagnostics, and click Ping Test.
2 Type the IP address or host name of the device. To ping the appliance itself, type localhost.
3 Type the size of the data packet to be sent.
4 Type the number of times the request must be sent.
5 Optionally, request that the response includes routing information.
6 Click Ping to start the test. The results are displayed in the list box. As the results start to appear, you can cancel any remaining retry requests.
7 If necessary, save the results to a tab-separated-value (.TSV) file.
8 To return to Diagnostics, click Close.

Display routing information

The appliance can display information about:
- Routes configured on the appliance.
- Routes used to access certain networks.
- Routes used to access hosts that have recently received IP packets from the appliance. This host information is stored in the appliance's local cache.

To display routing information:

1 In the navigation pane, select Troubleshoot | Diagnostics, and click Display Routing Information.
2 To display the configured routes on the appliance:
  a Deselect Display routing cache.
  b Click Route.
3 To display the cache of routes built up by network traffic through the appliance:
  a Select Display routing cache.
  b Click Route.
4 If necessary, save the routing information to a .tsv file.
5 To return to Diagnostics, click Close.

Routing information for networks

The appliance displays the routing information that it uses to send an IP packet to a network:
- Destination: network where IP packets are sent for this route. A destination of 0.0.0.0 means that the default route, specified using the Setup Wizard, is used.
- Gateway: IP address of the router used as the next hop out of the network. The address 0.0.0.0 means that the route has no gateway; the destination is reached directly on the interface.
- Netmask: network mask that determines whether an IP address is the address of a network or of a specific host.
- Flags: information about the route:
    !   The route has been rejected, probably in preference for an alternative route.
    A   Installed by addrconf.
    C   An entry in the appliance's cache.
    D   A dynamically installed route.
    G   The destination is a gateway or network (excluding the appliance's internal network).
    H   The destination is a host.
    M   A dynamically modified route.
    R   The route was reinstated by dynamic routing.
    U   The route is available and operational.
- Metrics: preference given to the route. A low number indicates a high preference for that route.
- Use: number of times that the appliance recently selected the route.
- Interface: port that the IP packets are sent to. lo means that the packet is sent to the local interface.

Routing information for hosts

You can display the routing information for hosts that recently received IP packets from the appliance. This information is stored in the appliance's cache. The appliance can display:
- Source: IP address of the device that sent the IP packets.
- Destination: IP address of the recipient device.
- Gateway: IP address of the router used as the next hop out of the network, when delivering those IP packets.
- Metrics: preference given to the route. A low number indicates a high preference to use that route.
- Use: number of times that the appliance recently selected the route.
- Interface: port on which the IP packets are sent for that destination. The port is one of the appliance's Ethernet ports or the appliance's local (internal) interface. The term lo indicates that the packet will be sent to the local interface.

Display system load

This test is the equivalent of the Linux top command, and shows the CPU usage of each process currently running on the appliance.

1 In the navigation pane, select Troubleshoot | Diagnostics, then click Display System Load.
2 To update the page with the latest system load information, click Refresh.
3 If necessary, save the current information to a text (.TXT) file.
4 To return to Diagnostics, click Close.

System configuration tests

The appliance can check the following basic configuration and connections:
- Check that the default gateway is on the same subnet as the appliance. The appliance first tries to ping the default gateway. After this test, the appliance checks whether the gateway is listed in the ARP table. Ping by itself is not a reliable test of connections, because some devices might be configured to ignore ping requests. However, even if the ping test fails, the gateway must always appear in the ARP table: the ping attempt causes an ARP request first, and a reachable gateway answers ARP even when it ignores ICMP.
- Check that the appliance can contact the DNS servers. The appliance checks that each DNS server can resolve the address www.mcafee.com into the correct set of IP addresses.
- Check that the default DNS server has:
    An associated name server (NS) and start-of-authority (SOA) record for the appliance's domain.
    The correct IP address associated with the appliance's host name.
- Check that the gateway can be pinged for every static route. After this test, the appliance checks whether the gateway is listed in the ARP table.
- Check that the anti-virus and anti-spam update sites can be accessed. The appliance tries to use FTP to access the update sites.
- Check that the appliance can access other appliances that are sharing the scanning workload.
- Check that the appliance can access the SMTP domains and fallback relays. The appliance first tries to ping each of the relays, then sends a simple SMTP HELO.
- If you have enabled the Reputation Service, check that the appliance can access the Postini website.
- If you have defined an RBL server, the appliance checks that:
    A name server (NS) record exists for the RBL domain name.
    An A (address) record exists for 2.0.0.127.<RBL domain>, which is the reversed-octet form of 127.0.0.2. Most RBL servers list the address 127.0.0.2 for testing.
  The appliance performs a static query against the servers to verify the connection.

Running system configuration tests

To run tests on the system configuration:

1 In the navigation pane, select Troubleshoot | Diagnostics, then click System Configuration Tests.
2 Click Start. The test starts. The appliance shows whether each part of the test has been successful. The test might run for a few minutes.
3 To stop the test at any time, click Stop.
4 To return to the other test options, click Close. Do not use the web browser's Back button.

Minimum escalation report

This report helps McAfee technical support to diagnose problems with your appliance. The archive can contain message content, user names and authentication files, so treat it as confidential and delete local copies once support has it. To collect information for the report:

1 In the navigation pane, select Troubleshoot | Minimum Escalation Report.
2 Select the information for the report. You can:
  - Run network tests.
  - Collect the appliance logs.
  - Collect the system logs.
  - Collect SMTP proxy dump files.
  - Collect user authentication files.
3 Type or browse for the name of the output file. The file will be a .zip archive.
4 Click Next to generate the file.
5 Send the file to McAfee technical support as directed.
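The RBL check above is a DNS lookup of the reversed-octet form of an address under the list's zone. The following is an added example, not code from the McAfee guide or the appliance: it builds the query name, runs the 127.0.0.2 "listed" and 127.0.0.1 "not listed" self-tests that RFC 5782 asks every list to publish, and refuses to treat answers outside 127.0.0.0/8 as listings (the failure mode of a resolver that rewrites NXDOMAIN, or of a list that has been shut down and wildcarded). The resolver is passed in as a function so the example runs offline; the zone names rbl.example and broken.example and the answers in FAKE_ZONE are constructed.

```python
"""Added example, not from the McAfee guide: the reversed-octet DNSBL lookup
behind the appliance's RBL configuration test, with the RFC 5782 self-tests.
The resolver is injected so this runs offline; FAKE_ZONE is constructed."""
import ipaddress

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")   # where DNSBL answers live


def dnsbl_name(ip, zone):
    """'192.0.2.10' + 'rbl.example' -> '10.2.0.192.rbl.example'."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def lookup(ip, zone, resolve):
    """Query the list for ip; resolve(name, rtype) returns [] when not listed.

    Answers outside 127.0.0.0/8 are reported but not treated as listings: a
    resolver that rewrites NXDOMAIN into a search page, or a list that has
    been retired and wildcarded, would otherwise block all inbound mail."""
    answers = resolve(dnsbl_name(ip, zone), "A")
    good = [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]
    odd = [a for a in answers if a not in good]
    return {"listed": bool(good), "answers": good, "unexpected": odd}


def check_rbl_zone(zone, resolve):
    """The checks a sound RBL configuration test performs on one zone."""
    result = {
        "has_ns": bool(resolve(zone.strip("."), "NS")),
        "test_listed": lookup("127.0.0.2", zone, resolve)["listed"],
        "test_clean": not lookup("127.0.0.1", zone, resolve)["listed"],
    }
    result["ok"] = all(result.values())
    return result


# Constructed answers standing in for a real DNS resolver.
FAKE_ZONE = {
    ("rbl.example", "NS"): ["ns1.rbl.example."],
    ("2.0.0.127.rbl.example", "A"): ["127.0.0.2"],          # RFC 5782 'listed' test
    ("10.2.0.192.rbl.example", "A"): ["127.0.0.2"],         # a listed host
    ("7.100.51.198.broken.example", "A"): ["203.0.113.9"],  # wildcard/hijack answer
}


def fake_resolve(name, rtype):
    return list(FAKE_ZONE.get((name, rtype), []))


if __name__ == "__main__":
    print(check_rbl_zone("rbl.example", fake_resolve))
    print(lookup("192.0.2.10", "rbl.example", fake_resolve))
    print(lookup("198.51.100.7", "broken.example", fake_resolve))
```

To run this against a real list, replace fake_resolve with a function that performs the A and NS queries (for example with socket.gethostbyname_ex for A records) and keep the 127.0.0.0/8 check: the "unexpected" field is what tells you the answer came from something other than the list.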
Capture network traffic

You can capture information about TCP traffic passing through the appliance.

1 In the navigation pane, select Troubleshoot | Capture Network Traffic. You can:
  - Capture all TCP packets, or only TCP packets at a port for a selected protocol.
  - Change the length of the capture.
  - Change the path of the output file. The file will be a gzip-compressed tcpdump capture file.
2 Analyze the traffic with a tool such as Ethereal (now Wireshark). See www.ethereal.com.

The capture contains the payload of the email and web traffic that passed through the appliance while it ran, so store and share it with the same care as the messages themselves.

Save quarantine

To save the content of the quarantine areas and various queues:

1 In the navigation pane, select Troubleshoot | Save Quarantine.
   Caution: If you select Quarantine Viruses, Quarantine Queue or McAfee Quarantine Management, deferred infected files are put into the final archive. Handle that archive as containing live malware.
2 Select what to save:
  - Quarantined viruses.
  - Quarantined content.
  - Quarantined spam.
  - Spam/non-spam learning queues.
  - Deferred queues.
  - Quarantine queues.
  - Deferred spam/non-spam.
  - Deferred McAfee Quarantine Management messages.
3 Type or browse for the name of the output file. The file will be a .zip archive.

Error Reporting Tool

To collect information for McAfee technical support:

1 In the navigation pane, select Troubleshoot | Error Reporting Tool.
2 Select from the following:
  - Enable or disable the monitoring of error messages.
  - Add content data.
  - Collect the system logs.
  - Automatically submit the error events, or submit the information at any time.
  - Remove the event information automatically after a few days.
Remote access card

The Remote Access card enables you to control the appliance remotely from a personal computer. The card is supplied with the 3300 and 3400 appliances only, and behaves like another NIC (Network Interface Card) to the appliance. Because the card gives control of the appliance independently of its other interfaces, connect it only to a management network and restrict which addresses can reach it.

To test the Remote Access card information:

1 In the navigation pane, select Troubleshoot | Remote Access.
2 Configure the following information:
  - Ethernet address of the card.
  - IP address information.
  - DNS settings.
  - Various communications details.
Frequently asked questions and problems

This section describes some of the problems you might encounter when integrating your appliance into the existing network. The problems are presented in these groups:
- General issues.
- Interface problems.
- Mail issues on page 299.
- Delivery on page 300.
- Email attachments on page 300.
- POP3 on page 302.
- Physical configuration on page 302.
- System configuration on page 303.
- System maintenance on page 303.
- Anti-virus automatic updating on page 304.
- Anti-spam on page 304.

General issues

I increased the number of listeners but the performance is worse

Increasing the number of listeners increases the number of transfers that the appliance can handle in parallel. However, running more listeners means using more memory, and possibly more swapping to disk. Eventually, the advantage of more parallel connections is offset by the increased disk swapping, leading to slower overall performance. The defaults give an idea of the correct value to use.

I increased the memory for anti-virus scanning per listener but performance is worse

The appliance allocates an area of memory for anti-virus scanning. When this size is exceeded, the message is written to disk before being scanned, which is slower. Usually a larger area of memory means better performance. However, if you set it too high, the appliance cannot allocate the memory, and starts swapping to disk. This leads to an overall slowing of performance. The defaults give an idea of the correct value to use.

Interface problems

This section contains solutions to problems you might encounter when trying to configure the appliance through its interface. If you are not sure where to look on your appliance for the components listed here, see the Installation Guide.

Why does using the Back button on my browser take me to the Logon screen?

This is a known issue with the web browser version of the appliance software. We recommend that you use the appliance application instead.
I cannot access the Logon screen

Check the following:
- The appliance is turned on and its software is running: the power LED is lit and the hard disk drive LEDs are off.
- You used https (not http) in the address field of your web browser. Ensure that your browser supports Secure Sockets Layer (SSL) encryption and that it is enabled.
- The computer you are using to manage the appliance does not have the appliance configured as its proxy. If you have a proxy between the management computer and the appliance, the proxy must be configured with the appliance as its handoff host.
- If you are remotely connected to the appliance (across the network) through the LAN1 port, ensure that:
  - The computer that you are using has a working connection to your network, and that it can reach the same subnet to which the appliance is connected.
  - You have used the new IP address that you configured for the LAN1 port in the URL field of your web browser. If you have not disabled or deleted the default IP address 10.1.1.108, try using that IP address (https://10.1.1.108).
  - The appliance's IP address is suitable for the subnet to which the appliance is connected. If it is not, use the default IP address and, if that fails, try a direct management connection. You can obtain a direct management connection through the LAN2 port only if you are using the appliance in Explicit Proxy mode and you have not disabled the LAN2 port.
  - The appliance has a working connection to your existing network, indicated by the NIC 1 network activity LED flashing on the control panel. If the LEDs are not flashing, ensure that the cable you are using is undamaged and connected properly to the appliance's LAN1 port and your existing network equipment. If you have not used the blue cable supplied with the appliance, ensure that the cable is a UTP straight-through (uncrossed) network cable.
- If the appliance is operating in Explicit Proxy mode and you have a direct local management connection through its LAN2 port, ensure that:
  - You have not disabled the LAN2 port. Connect remotely to check this.
  - You have used the new IP address that you configured for the LAN2 port (the default is 10.1.2.108) in the URL field of your web browser.
  - The appliance has a working connection to your computer, indicated by the NIC 2 network activity LED flashing on the control panel. If the LED is not flashing, ensure that the cable you are using is undamaged and connected properly to the appliance's LAN2 port and your computer's network port. If you have not used the orange cable supplied with the appliance, ensure that the cable is a UTP crossed (crossover) network cable.

My password does not work

If you recently restored the appliance's software without maintaining the previous settings, the management password reverts to the default password, scmchangeme. The password for the DLP database reverts to dlpchangeme. Change both defaults as soon as you have logged on after a restore: they are printed in this guide, so anyone who can reach the management interface can try them.
I have forgotten my password

Using the appliance's recovery CD, return the appliance's passwords to the defaults, which are scmchangeme and dlpchangeme, then set new passwords as soon as you have logged on.

Some of the interface does not display properly

The appliance's interface is intended for Internet Explorer 6.0 or later on Windows, and Mozilla Firefox 2.0 on Linux. Check the accompanying release notes for known issues when using some web browsers on particular operating systems.

Clients (software) cannot communicate through the appliance

Check the following:
- The correct protocols are enabled for the appliance (all protocols are enabled by default).
- The clients and other devices are configured to route traffic to and from the appliance.
- The network has no problems, and your device is connected correctly.

Web browsing does not work or URL blocking is not enforced

The appliance must have access to a DNS server to verify web browsing (HTTP) requests and determine which URLs to block, if URL blocking is configured. Configure the DNS server as described on page 39.

Mail issues

Anti-relay is not working

To enable the anti-relay feature:

1 In the navigation pane, select Configure | SMTP.
2 Select Protocol Settings | Anti-Relay Settings.
3 Specify at least one local domain in Local Domains. Otherwise, the appliance is open to relaying and abuse by spammers from outside your network. See Delivery settings on page 87.

Why can I not just give the name of the sender that I want to block from relaying?

Think of anti-relay as system-to-system blocking, while anti-spam is sender-based blocking. Anti-relay is configured using the domains and networks that the appliance delivers mail for, while the anti-spam configuration blocks a message based on who sent it. The sender address is also the easiest part of a message to forge, which is why relay decisions are made on the recipient domain and the connecting network rather than on the claimed sender.

Directory Harvest Prevention does not work

For Directory Harvest Prevention to work correctly, your email server must check for valid recipients during the SMTP conversation and reject unknown ones there, rather than accepting the message and sending a non-delivery report afterwards.
Several email servers do not send User unknown errors as part of the SMTP conversation. These include (but might not be limited to):
- Microsoft Exchange 2000 and 2003 (when using their default configuration).
- qmail.
- Lotus Domino.
Check the user documentation for your email server to see if it can be configured to send 550 Recipient address rejected: User unknown reports as part of the SMTP conversation when a message to an unknown recipient is encountered. LDAP integration can provide a workaround for this. See Using LDAP servers on page 65 or Transparency options on page 136.

Delivery

When I select Retry All in the Deferred Mail folder, why are the messages not sent?
After selecting Retry All, select Refresh to see the progress that the appliance has made through the list of messages. The appliance works through the messages until each one has been sent. If there is still a delivery problem caused by the network or by an appliance configuration problem, the message is returned to the Deferred Mail folder. The appliance automatically retries all the deferred messages after 30 minutes, and periodically after that.

What can I check if I have problems with mail delivery?
- To deliver mail via DNS, ensure that the DNS option is selected in the interface.
- If your internal mail server is not receiving inbound mail, check that this mail server is configured to accept email from the appliance.
- In the list of local domains for email delivery, do not specify a wildcard catch-all rule. Instead, enable the fallback relay, and specify it there.

Email attachments

The appliance blocks all email when I reduce the number of attachments to block
This setting is intended to block email messages with huge numbers of attachments, which waste bandwidth. Some mail clients (like Outlook Express) store extra information in extra attachments, and even embed the main body of the message in an attachment. If this number is set too low, even normal email might be rejected.
EICAR (the test virus) or content that must be blocked is still getting through
Make sure the appliance is in the mail path; look at the headers of an email message (in Outlook, select View > Options > Internet Headers). If the appliance is in the mail path, you will see a header of the form:
Received: from sender by appliance_name via ws_smtp
with sender and appliance_name replaced with the actual sender's name and the name of the appliance.

When the appliance detects a virus, I get notification of a content violation
This problem might be due to a conflict between the HTML template warning page and a content-scanning rule. For example, if you are content-filtering on the word Virus but have also set up the HTML template for virus detection to warn you A virus has been detected, an incoming message containing a virus is replaced with the message A virus has been detected. This replacement message then passes through the content filter, which triggers on the word Virus, and the message is replaced with a content violation instead of a virus notification.

The appliance is slow to respond when I log on to the interface
Do the following:
- Clear the Java cache:
  a Right-click the Java (cup) icon in the system tray, and on the menu, select Open Control Panel.
  b In the Java Control Panel dialog box, under Temporary Internet Files, click Delete files.
  c In the Delete Temporary Files dialog box, select every item, then click OK.
  d To close the Java Control Panel dialog box, click OK.
  e Refresh the browser window, and log on again.
- Make sure the browser from which you are connecting is not using the appliance itself as a proxy. In Internet Explorer, go to Tools > Internet Options > Connections > LAN Settings, and deselect Use a proxy server.
- Check the DNS setup on the appliance. Under System Configuration, the DNS server field must contain the IP address of a valid DNS server, which must be accessible from the appliance.
- If the appliance is experiencing a heavy load, responses from the interface are slower. Consider using out-of-band management. See the Installation Guide.

Mail from some senders is getting through, while others are being blocked
Check the configuration of your inside and outside networks. Make sure that the list of outside networks has an asterisk (*) as the last entry. Also make sure that the list of inside networks does not have an asterisk.
POP3

I have set up a dedicated POP3 connection, and POP3 no longer works
Check that the generic and dedicated servers do not share the same port. The default port number for POP3 is 110. The dedicated server will override the generic server.

When fetching mail with Outlook Express over POP3, I sometimes get a time-out message, giving me the option to Cancel or Wait
The appliance needs to download and scan the entire mail message before it can start passing it to Outlook Express. For a large message or a slow mail server, this can take some time. Click Wait to force Outlook Express to wait for the appliance to finish processing the message.

I sometimes get two copies of POP3 mail messages
Some mail clients do not handle time-outs correctly. If the appliance is downloading and scanning a very large message, the client might time out while waiting for a response. A pop-up window prompts you to wait for or cancel the download. If you select Cancel and try to download again, two copies of the message might appear in your mailbox.

Physical configuration

I connected the appliance to the network but I cannot connect to it with my browser
In Explicit Proxy mode, make sure you have connected the LAN1 adapter to your network. LAN2 is for administration only, and needs a cross-over connection directly to a laptop or computer. An orange cross-over cable is supplied with the unit.

My network has two appliances but I can log on to only one
If you have installed an appliance, or recently used the Restore Configuration option, two or more appliances on your network might have the same default IP addresses. To make sure all appliances have unique IP addresses, you can use:
- The Setup Wizard. See Using the Setup Wizard on page 32.
- The network settings. See Changing network settings on page 42.
- The console. See Configuring using the console on page 31.
System configuration

I set up different rules for inbound and outbound traffic. When I receive email messages or browse outside websites, the Outbound rule is triggered instead of the Inbound rule
Make sure that the IP address of the firewall is included in the list of outside networks. Connections from the outside appear to the appliance as though they were coming from the firewall. For HTTP (website) traffic, see also Understanding traffic flow on page 168. For FTP traffic, see also Understanding traffic flow on page 230.

I have disabled the FTP protocol but my users can still use FTP with their browsers
Check the browser's FTP proxy settings. In Internet Explorer, select Tools > Internet Options > Connections > LAN Settings > Proxy Server > Advanced. The appliance can support FTP over its HTTP protocol handler, so if the FTP proxy is set to use port 80, your users can still use FTP. This is for FTP download only; the appliance does not support FTP uploads over HTTP.

System maintenance

The appliance does not accept the HotFix file
Do not unzip the HotFix file before uploading it to the appliance. The appliance accepts the original file as you received it, with a .tgz extension.

How can I control the size of the appliance's log files?
The appliance stores its log files in a text-like (XML) format in a partition (/log) on its internal disk. By default, the logs are purged every few days. The appliance issues warnings when its areas are nearing full, typically at 75% and 90%.
- To find the percentage usage of the logging partition, select Monitor > Status in the navigation pane. Click Settings to adjust the indicator colors.
- To purge the log, select Configure > Logging, Alerting and SNMP in the navigation pane, then under Channel settings, select the XML tab.
- To adjust the warning levels, select Monitor > Resources in the navigation pane, then select Disk usage.
Anti-virus automatic updating

When I request an immediate update, nothing happens. How do I know when the DAT is updated?
To see the installed DAT version number, in the navigation pane select Monitor > System Status, then General Status. Alternatively, select Monitor > Updates. The DAT files are downloaded, checked and applied; they are not just plugged in regardless. The appliance does not wait for the update to complete (which can take a few minutes even with a fast Internet connection) but starts it in the background. Select Monitor > System Status to show the new DAT version number when you next view the page after the new DAT files have been successfully installed.

Anti-spam

I cannot find the anti-spam features described in this guide
Some anti-spam features need the Anti-Spam Module to be enabled.

I have configured the appliance to reject spam with an RBL Servers check but some spam mail is still getting through
No anti-spam software is fully effective, and none can guarantee to block all spam email messages. The appliance uses a list of the names of known email abusers and the networks they use. These lists are effective in reducing unwanted email messages but are not complete. To block a specific sender of spam:
1 In the navigation pane, select Configure > SMTP.
2 Select Protocol Settings > Permit and Deny Settings.
3 Under Deny Sender, type the sender's email address.

Users are not getting normal email messages
Users might not receive normal email messages for several reasons:
- The email messages might be coming from someone listed in the Deny Sender list. You might need to:
  - Refine the Deny Sender list to ensure that wanted email messages are not blocked. For example, you might need to type specific email addresses rather than ban a whole domain or network. See Permit and Deny settings on page 90 for information on editing the list.
  - Add the sender, domain, or network to the Permit Sender list. The appliance does not scan email from senders, domains and networks in this list for spam. The Permit Senders list overrides entries in the Deny Sender lists.
- The email message might have been blocked because it comes from a sender or organization that has been recognized by one of your real-time anti-spam lists as a potential source of spam. See Integration with third-party email encryption gateway on page 157 for more details about the anti-spam check lists.
- The balance between blocking spam and normal email messages might need changing. For example, if the appliance is blocking email messages when there is only a small chance that they contain spam, you risk unintentionally blocking normal email messages. It is probably better to risk letting some spam through. See What is spam? on page 104 for more information on anti-spam policies.
- The email message might contain a virus or potentially unwanted program, and has been blocked by anti-virus scanning.

Users are still receiving spam
Users might still receive spam for several reasons:
- No anti-spam software can block all email messages that might contain spam. For the best chance of detecting and preventing spam, ensure that the appliance is using the latest versions of the anti-spam engine, anti-spam rules, and extra rules files. See also Sender authentication and reputation on page 127 to ensure that you are using all the features that can block unwanted email.
- The appliance is allowing streaming media to pass through. See Streaming media on page 200. Allowing streaming media to pass through the appliance is a security risk, because streaming media is not scanned by the appliance. We recommend that you do not allow streaming media of type application/octet-stream or application/* to pass through the appliance, because these MIME types can carry executable content and are a security risk.
- Scanning for spam is not enabled on the appliance. Scanning must be enabled in the right direction for spam detection. To detect spam from an external source, enable inbound scanning. To detect spam from an internal source, enable outbound scanning. See What is spam? on page 104 for details about enabling anti-spam scanning.
- You might need a more stringent anti-spam policy. For example, you might want to ensure that more email messages are marked as spam before they are received by users, or simply block the spam at the appliance. See What is spam? on page 104.
- The email messages might be coming from senders, domains, or networks that are in the Permit Sender list. Review the list to make sure that you really want email messages from these senders to bypass anti-spam scanning. You might need to refine the entries in the list. For example, rather than permitting whole domains or networks, specify individual email addresses instead. See Permit and Deny settings on page 90 for more information on editing the Permit Sender list.
- The mail client software does not automatically move unwanted messages into a spam folder, so users still see spam in their inboxes. See Configuring Mail Clients on page 307 for information on setting up mail clients.
- The email message might be larger than is permitted, so it is not scanned for spam. See your advanced settings for spam to change the size.
- Email messages are not being routed through an appliance with the Anti-Spam Module enabled.

How can I stop a particular type of spam?
To ensure that you have the best chance of detecting and preventing spam, check that:
- The appliance is using the latest versions of the anti-spam engine and anti-spam rules.
- The appliance has not been configured to allow streaming media to pass through.

Why has the performance changed?
Scanning email messages for spam requires appliance resources, and affects SMTP performance. If you have more than one appliance, you can try sharing the anti-spam scanning workload between the appliances. This is known as load sharing. See Load-sharing servers on page 40 to set up load sharing.

Users are complaining that their mailboxes are full
If users automatically divert spam to a spam folder in the mailbox, their mailboxes can quickly exceed their size limit. Remind users to regularly check their spam folder and delete spam.

Getting more help: the Links bar
The Links bar in the appliance interface window provides links to more sources of information. You can:
- Access the McAfee online virus information library to find out more about a specific virus.
- Submit a virus sample to McAfee for analysis.
- Contact McAfee Technical Support.
See The interface on page 43 and Contact information on page 16 for more information.
B Configuring Mail Clients
Users can configure their mail clients to handle email messages according to the characteristics of the email message. For example, users can configure their email clients so that when they receive an email with the word [spam] in the subject line, that email message is automatically forwarded to a spam folder in the user's mailbox.

To configure some of the popular email client programs, see:
- Microsoft Outlook on page 308.
- Lotus Domino Administration on page 309.
Microsoft Outlook

On the appliance
To customize your Microsoft Outlook mail clients, you do some tasks on the appliance and some in the Outlook client.
1 Log onto the appliance.
2 In the navigation pane, select Policy > SMTP > From Outside or From Inside, then select Enable anti-spam scanning.
3 Select Prefix subject to spam.
4 If necessary, change the text that appears at the start of the subject line in email messages that contain spam, by editing the text in the Add prefix to spam text box.
5 Click Apply all changes and log off.

On each Microsoft Outlook mail client
To configure a Microsoft Outlook mail client:
1 In the menu, select Tools > Rules Wizard > New, then select Check messages when they arrive.
2 Click Next.
3 Select the conditions under which you want the email message to be checked. For example, if you have set up the appliance's anti-spam features so that the word [spam] appears in the email header, select with specific words in the message header.
4 In the rule description, specify the words that will trigger the Microsoft Outlook rule. In this case, click specific words, and type [spam].
5 Click Next.
6 Specify what Microsoft Outlook will do with messages that contain the specific words. For example, to move all email messages with the word [spam] into a separate spam folder, select move it to a specified folder.
7 In the rule description box, select specified, and select an existing folder or use New to create a new folder to store email messages containing spam.
8 Specify any exceptions to this rule, for example, if it comes from a specific distribution list.
9 Select Finish.
Lotus Domino Administration

On the appliance
To customize your Lotus Domino mail clients, you do some tasks on the appliance and some in Lotus Domino Administration.
1 Log onto the appliance.
2 In the navigation pane, select Policy > SMTP > From Outside or From Inside, then select Enable anti-spam scanning.
3 Select Prefix subject to spam.
4 If necessary, change the text that appears at the start of the subject line in email messages that contain spam, by editing the text in the Add prefix to spam text box.
5 Click Apply all changes and log off.

In Lotus Domino Administration
1 In Lotus Domino Administration, click Configuration.
2 Expand the Messaging section, then click Configurations.
3 Select the configuration settings document for the server you want to administer and click Edit Configuration.
4 Select Router/SMTP.
5 Select Restrictions and Controls.
6 Select Rules.
7 Click Edit Server Configuration.
8 Click New Rule.
9 In the Conditions section of the new server rule, choose the Subject field.
10 Make sure that the contains condition shows the same text that you typed in the appliance's Add prefix to spam text box.
11 In the Specify Actions section of the Server Mail Rule dialog box, select the action that is applied when an email message containing spam is detected. For example, you can create a spam database and specify that all email messages containing spam must be moved to that database (spam.nsf).
12 Click Save and Close.
C Substitution Variables
This section describes the substitution variables that you can use to change messages generated by the appliance. It includes:
- Using substitution variables.
- List of substitution variables on page 311.

Using substitution variables
A substitution variable is a placeholder for a value that the appliance substitutes later. For example, you can set up a template for some text that the appliance sends to users when an email attachment contains a virus or unwanted content. When you set up the template, you do not know the name of the attachment that triggers a detection or which detections will be triggered. The appliance can fill in those details later, if you type the following text:
%ATTACHMENTNAME% has caused %SCANNER% to trigger.
In this example, the appliance replaces the substitution variable %ATTACHMENTNAME% with the name of the attachment that triggered the detection, and %SCANNER% with the names of any detections.
List of substitution variables
This section lists the substitution variables that are supported by the appliance's software, and describes how to use the information in the tables.

Table C-2 displays:
- Substitution variable: the names of the substitution variables. Substitution variables begin and end with the % character.
- Definition: the type of information that replaces the substitution variable.
- Protocol(s): protocols where you can use the substitution variable.
- Usage: the appliance features that support a particular substitution variable. Cross-reference the numbers in that column with the numbers in Table C-1.

Table C-1 Usage list
Usage | Supported by
1 | SMTP notification
2 | Anti-Virus notification
3 | Content Filter notification
4 | Email Alerting Anti-Virus
5 | Email Alerting Anti-Spam
6 | Email Alerting Data Loss Prevention
7 | Email Alerting Content Filter
8 | Email Alerting Resource
9 | Denial-of-Service notification
10 | File Filter notification
11 | MIME format notification
12 | Corrupt Content notification
13 | Download Status Page HTML
14 | Blocking access to websites, URLs
15 | Client Message HTML

Table C-2 Substitution Variables
Substitution Variable | Description | Protocols | Usage
%ADD_BLACK_LIST% | HTML form allowing the user to add an email address to the blacklist | SMTP |
%ADD_WHITE_LIST% | HTML form allowing the user to add an email address to the whitelist | SMTP |
%ALERTFOOTER% | HTML Alert footer | SMTP, HTTP, POP3 | 1,2,3
%ALERTHEADER% | HTML Alert header | SMTP, HTTP, POP3 | 1,2,3
%APPLICATION% | Name, for example smtp, cmdline | SMTP, HTTP, POP3 | 4,5,7,8
%ATTACHMENTNAME% | File name of detected item | SMTP, HTTP, POP3 | 1,2,3,4,6
%AVDATVERSION% | Version of anti-virus DAT files | SMTP, HTTP, POP3 | 1,2,3,4
%AVENGINEVERSION% | Version of anti-virus scanning engine | SMTP, HTTP, POP3 | 1,2,3,4
%BLACK_LIST% | List of email addresses in the blacklist. An HTML form allowing the deletion of email addresses from the blacklist. | SMTP |
%COMFORT_DECORATIONHOST% | Host for embedded HTML items | HTTP | 13
%COMFORT_DECORATIONPORT% | Port number for embedded HTML items | HTTP | 13
%COMFORT_DOWNLOADED% | Bytes downloaded | HTTP | 13
%COMFORT_FILE% | File being downloaded | HTTP | 13
%COMFORT_ID% | Download Status Page identification | HTTP | 13
%COMFORT_INTERNALMARKER% | Mark URL as served by appliance | HTTP | 13
%COMFORT_PERCENTCOMPLETE% | Download percentage complete | HTTP | 13
%COMFORT_REFRESHINTERVAL% | Interval between HTML page refreshes | HTTP | 13
%COMFORT_SCANNINGTIME% | How long the scan has run | HTTP | 13
%COMFORT_SCMLOGO% | URL of the appliance logo | HTTP | 13
%COMFORT_SIZE% | Expected size of the download | HTTP | 13
%CONTENT_LIST% | List of the email in the content quarantine, added since the last digest. An HTML form allowing the user to delete, or request release of, email in the content quarantine (only for messages added since the last digest). | SMTP |
%CORRUPTIONTYPE% | Name of corruption | SMTP, POP3 | 12
%DESTINATIONHOST% | Host name of outgoing connection | SMTP, HTTP, POP3 | 1,2,3
%DESTINATIONIP% | IP address of outgoing connection | SMTP, HTTP, POP3 | 1,2,3
%DETECTIONS% | Detection, for example, virus name | SMTP, HTTP, POP3 | 1,2,4
%DIGEST_DATE% | Date when the digest was generated | SMTP | 5
%DLP_RULE% | Name of the triggered Data Loss Prevention rule | SMTP, HTTP, POP3 | 6
%DLP_FINGERPRINTCLASSIFICATION% | Classification of the confidential documents | SMTP, HTTP, POP3 | 6
%DLP_FINGERPRINTLOCATION% | Location of the confidential documents | SMTP, HTTP, POP3 | 6
%DLP_FINGERPRINTSOURCE% | Name of the confidential documents | SMTP, HTTP, POP3 | 6
%DLP_FINGERPRINTVERSION% | Version of the Data Fingerprinting Tool | SMTP, HTTP, POP3 | 6
%DOSLIMIT% | Denial-of-service limit | SMTP, HTTP, POP3 | 9
%EXP_DELAY% | User expiration delay in days | SMTP |
%FILESYSTEM% | File system name | wsstatd | 8
%FILTERCONTEXT% | Content Filter Rule | SMTP | 3,7
%FILTERNAME% | File filter name | SMTP | 10
%FORMAT% | MIME format name, for example, partial message | SMTP, POP3 | 11
%FULL_CONTENT_LIST% | Full list of the email in the content quarantine, added since the last digest. An HTML form allowing the user to delete or request release of email in the content quarantine. | SMTP |
%FULL_SPAM_LIST% | Full list of the email in the spam quarantine. HTML form allowing the user to delete, release or whitelist email in the spam quarantine. | SMTP |
%HTTP_STATUS_STRING% | HTTP response code and description | HTTP | 15
%ID% | Unique message ID | SMTP, HTTP, POP3 | 1,2,3
%LOCALTIME% | Local time | SMTP, HTTP, POP3 | 1,2,3
%MAX_EXP_DELAY% | Maximum expiration delay in days | SMTP |
%POST_MASTER% | Email address of the postmaster | SMTP |
%PROTOCOL% | Protocol | SMTP, HTTP, POP3 | 1,2,3
%REASON% | Descriptive reason | SMTP, POP3 | 9,10
%RECIPIENT% | Email address of the recipient | SMTP |
%RECIPIENTS% | SMTP Envelope Recipients | SMTP | 1,2,3,4,5,7
%REQUEST_DNSURL% | Requested URL after DNS lookup | HTTP | 15
%REQUEST_PORT% | Port number of the requested URL | HTTP | 15
%REQUEST_RESULT% | HTML table showing the results of the actions done | SMTP |
%REQUEST_SCHEME% | Scheme of the request (such as HTTP) | HTTP | 15
%REQUEST_URL% | Requested URL | HTTP | 15
%REQUEST_VERB% | Verb of the request (such as GET) | HTTP | 15
%RULE% | Rule that matched to block URL | HTTP | 14,15
%SCANNER% | List of triggered detections | SMTP | 1
%SCMIP% | Appliance IP address | SMTP, HTTP, POP3 | 1,2,3,4,5,7,8
%SCMLOGO% | URL of the product's logo | HTTP | 15
%SCMNAME% | Appliance host name | SMTP, HTTP, POP3 | 1,2,3,4,5,7,8
%SENDER% | SMTP Envelope Sender | SMTP | 1,2,3,4,5,7
%SERVER_RESPONSE% | Response string from the server | HTTP | 15
%SET_EXP_DELAY% | HTML form that allows the user to set the user expiration delay | SMTP |
%SITEADVISOR% | Text that advises about the suitability of a website | HTTP | 14
%SOURCEHOST% | Host name of incoming connection | SMTP, HTTP, POP3 | 1,2,3
%SOURCEIP% | IP address of incoming connection | SMTP, HTTP, POP3 | 1,2,3
%SPAM_LIST% | List of the email messages in the spam quarantine added since the last digest. HTML form allowing the user to delete, release, or whitelist email in the spam quarantine (only for messages added since the last digest). | SMTP |
%SPAMENGINEVERSION% | Version of Spam engine | SMTP | 1
%SPAMRULESBROKEN% | Spam rules broken | SMTP | 5
%SPAMSCORE% | Spam score | SMTP | 1,5
%SPAMTHRESHOLD% | Spam threshold | SMTP | 5
%SYS_ERROR_CODE% | System error code | HTTP | 15
%UTCTIME% | Time in Coordinated Universal Time (UTC) format | SMTP, HTTP, POP3 | 1,2,3
%WHITE_LIST% | List of email addresses in the whitelist. An HTML form allowing the deletion of email addresses from the whitelist. | SMTP |
D Word Separators
When you create content-scanning rules, you need to know how the appliance treats the word separators in email headers, body content, and attachments. The appliance recognizes punctuation, separators, and math symbols as word separators within content rules.

This section lists the Unicode and ASCII characters that the appliance recognizes as word separators when scanning email. When the text being scanned is in ASCII format, only the Latin characters with decimal values up to and including 127 are used.

This section does not show the actual characters. They can be viewed at the Unicode Consortium website. Characters are grouped into charts according to their hexadecimal range. Each range is typically a regional character set such as Latin, or a functional grouping such as symbols. To view the charts, go to: http://www.unicode.org/charts

The character index lists the character names in alphabetical order, and provides links to the chart. To view the character index, go to: http://www.unicode.org/charts/charindex.html

For each character, Table D-1 on page 315 shows:
- Character name.
- Hexadecimal code used to generate the character on a computer.
- Decimal code used to generate the character on a computer.
- Type of character.
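The following is an added example, not the appliance's own code. It models the two mechanisms this guide describes, %NAME% substitution variables (Appendix C) and the ASCII word separators of Table D-1 (decimal codes up to and including 127), and uses them to replay the troubleshooting case earlier in this guide where a virus-notification template reading A virus has been detected is itself caught by a content rule on the word Virus. It assumes a simple whole-word, case-insensitive rule match; the real rule engine may offer more options.

```python
"""Word splitting for content rules and %NAME% template expansion (example code)."""
import re

# ASCII word separators taken from Table D-1 (decimal values up to and
# including 127). Note what is absent from that table: $ (36), ^ (94)
# and ` (96) are not separators, so they stay inside a word.
ASCII_SEPARATORS = frozenset(chr(c) for c in (
    9, 10, 13, 32, 33, 34, 35, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47,
    58, 59, 60, 61, 62, 63, 64, 91, 92, 93, 95, 123, 124, 125, 126,
))

# A substitution variable begins and ends with %, as Appendix C states.
VARIABLE = re.compile(r"%([A-Z_]+)%")


def tokenize(text):
    """Split ASCII text into words at the appliance's word separators."""
    words, current = [], []
    for ch in text:
        if ch in ASCII_SEPARATORS:
            if current:
                words.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        words.append("".join(current))
    return words


def expand(template, values):
    """Replace every %NAME% whose value is known; unknown names stay as typed.

    values maps a variable name (without the % signs) to its replacement,
    e.g. {"ATTACHMENTNAME": "invoice.exe", "SCANNER": "Anti-Virus"}.
    """
    return VARIABLE.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def content_rule_hits(text, rule_words):
    """Return the rule words that occur as whole words in text.

    Matching is case-insensitive (assumption of this example), so a rule on
    "Virus" matches "virus" in the notification text but not "Antivirus",
    which tokenizes as a single word.
    """
    present = {w.lower() for w in tokenize(text)}
    return [w for w in rule_words if w.lower() in present]


def notification_outcome(template, values, rule_words):
    """Expand the virus-detection template, then run the replacement text
    through the content filter, in the order the troubleshooting entry describes.

    Returns ("content violation", hits) when the replacement text itself
    trips a content rule, otherwise ("virus notification", []).
    """
    text = expand(template, values)
    hits = content_rule_hits(text, rule_words)
    if hits:
        return "content violation", hits
    return "virus notification", []


if __name__ == "__main__":
    # Constructed sample values; the first template is the one quoted in Appendix C.
    sample = {"ATTACHMENTNAME": "invoice.exe", "SCANNER": "Anti-Virus"}
    print(expand("%ATTACHMENTNAME% has caused %SCANNER% to trigger.", sample))
    # The conflict from the troubleshooting section: the HTML template says
    # "A virus has been detected" while a content rule filters on "Virus".
    print(notification_outcome("A virus has been detected in %ATTACHMENTNAME%.",
                               sample, ["Virus"]))
    # A template that does not contain the rule word as a stand-alone word
    # passes the content filter and the virus notification is delivered.
    print(notification_outcome("Malware was found in %ATTACHMENTNAME%.",
                               sample, ["Virus"]))
```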
Table D-1 Character List
Hexadecimal Code | Decimal Code | Type | Character Name
0x0009 | 09 | Punctuation, Other | HORIZONTAL TABULATION
0x000a | 10 | Punctuation, Other | LINE FEED
0x000d | 13 | Punctuation, Other | CARRIAGE RETURN
0x0020 | 32 | Separator, Space | SPACE
0x0021 | 33 | Punctuation, Other | EXCLAMATION MARK
0x0022 | 34 | Punctuation, Other | QUOTATION MARK
0x0023 | 35 | Punctuation, Other | NUMBER SIGN
0x0025 | 37 | Punctuation, Other | PERCENT SIGN
0x0026 | 38 | Punctuation, Other | AMPERSAND
0x0027 | 39 | Punctuation, Other | APOSTROPHE
0x0028 | 40 | Punctuation, Open | LEFT PARENTHESIS
0x0029 | 41 | Punctuation, Close | RIGHT PARENTHESIS
0x002a | 42 | Punctuation, Other | ASTERISK
0x002b | 43 | Math Symbol | PLUS SIGN
0x002c | 44 | Punctuation, Other | COMMA
0x002d | 45 | Punctuation, Dash | HYPHEN-MINUS
0x002e | 46 | Punctuation, Other | FULL STOP
0x002f | 47 | Punctuation, Other | SOLIDUS
0x003a | 58 | Punctuation, Other | COLON
0x003b | 59 | Punctuation, Other | SEMICOLON
0x003c | 60 | Math Symbol | LESS-THAN SIGN
0x003d | 61 | Math Symbol | EQUALS SIGN
0x003e | 62 | Math Symbol | GREATER-THAN SIGN
0x003f | 63 | Punctuation, Other | QUESTION MARK
0x0040 | 64 | Punctuation, Other | COMMERCIAL AT
0x005b | 91 | Punctuation, Open | LEFT SQUARE BRACKET
0x005c | 92 | Punctuation, Other | REVERSE SOLIDUS
0x005d | 93 | Punctuation, Close | RIGHT SQUARE BRACKET
0x005f | 95 | Punctuation, Connect | LOW LINE
0x007b | 123 | Punctuation, Open | LEFT CURLY BRACKET
0x007c | 124 | Math Symbol | VERTICAL LINE
0x007d | 125 | Punctuation, Close | RIGHT CURLY BRACKET
0x007e | 126 | Math Symbol | TILDE
0x00a0 | 160 | Separator, Space | NO-BREAK SPACE
0x00a1 | 161 | Punctuation, Other | INVERTED EXCLAMATION MARK
0x00ab | 171 | Punctuation, Initial quote | LEFT-POINTING DOUBLE ANGLE QUOTATION MARK
0x00ac | 172 | Math Symbol | NOT SIGN
0x00ad | 173 | Punctuation, Dash | SOFT HYPHEN
0x00b1 | 177 | Math Symbol | PLUS-MINUS SIGN
0x00b7 | 183 | Punctuation, Other | MIDDLE DOT
0x00bb | 187 | Punctuation, Final quote | RIGHT-POINTING DOUBLE ANGLE QUOTATION MARK
0x00bf | 191 | Punctuation, Other | INVERTED QUESTION MARK
0x00d7 | 215 | Math Symbol | MULTIPLICATION SIGN
0x00f7 | 247 | Math Symbol | DIVISION SIGN
0x037e | 894 | Punctuation, Other | GREEK QUESTION MARK
0x0387 | 903 | Punctuation, Other | GREEK ANO TELEIA
0x055a | 1370 | Punctuation, Other | ARMENIAN APOSTROPHE
0x055b | 1371 | Punctuation, Other | ARMENIAN EMPHASIS MARK
0x055c | 1372 | Punctuation, Other | ARMENIAN EXCLAMATION MARK
0x055d | 1373 | Punctuation, Other | ARMENIAN COMMA
0x055e | 1374 | Punctuation, Other | ARMENIAN QUESTION MARK
0x055f | 1375 | Punctuation, Other | ARMENIAN ABBREVIATION MARK
0x0589 | 1417 | Punctuation, Other | ARMENIAN FULL STOP
0x058a | 1418 | Punctuation, Dash | ARMENIAN HYPHEN
0x05be | 1470 | Punctuation, Other | HEBREW PUNCTUATION MAQAF
0x05c0 | 1472 | Punctuation, Other | HEBREW PUNCTUATION PASEQ
0x05c3 | 1475 | Punctuation, Other | HEBREW PUNCTUATION SOF PASUQ
0x05f3 | 1523 | Punctuation, Other | HEBREW PUNCTUATION GERESH
0x05f4 | 1524 | Punctuation, Other | HEBREW PUNCTUATION GERSHAYIM
0x060c | 1548 | Punctuation, Other | ARABIC COMMA
0x061b | 1563 | Punctuation, Other | ARABIC SEMICOLON
0x061f | 1567 | Punctuation, Other | ARABIC QUESTION MARK
0x066a | 1642 | Punctuation, Other | ARABIC PERCENT SIGN
0x066b | 1643 | Punctuation, Other | ARABIC DECIMAL SEPARATOR
0x066c | 1644 | Punctuation, Other | ARABIC THOUSANDS SEPARATOR
0x066d | 1645 | Punctuation, Other | ARABIC FIVE POINTED STAR
0x06d4 | 1748 | Punctuation, Other | ARABIC FULL STOP
0x0700 | 1792 | Punctuation, Other | SYRIAC END OF PARAGRAPH
0x0701 | 1793 | Punctuation, Other | SYRIAC SUPRALINEAR FULL STOP
0x0702 | 1794 | Punctuation, Other | SYRIAC SUBLINEAR FULL STOP
0x0703 | 1795 | Punctuation, Other | SYRIAC SUPRALINEAR COLON
0x0704 | 1796 | Punctuation, Other | SYRIAC SUBLINEAR COLON
0x0705 | 1797 | Punctuation, Other | SYRIAC HORIZONTAL COLON
0x0706 | 1798 | Punctuation, Other | SYRIAC COLON SKEWED LEFT
0x0707 | 1799 | Punctuation, Other | SYRIAC COLON SKEWED RIGHT
0x0708 | 1800 | Punctuation, Other | SYRIAC SUPRALINEAR COLON SKEWED LEFT
0x0709 | 1801 | Punctuation, Other | SYRIAC SUBLINEAR COLON SKEWED RIGHT
0x070a | 1802 | Punctuation, Other | SYRIAC CONTRACTION
0x070b | 1803 | Punctuation, Other | SYRIAC HARKLEAN OBELUS
0x070c | 1804 | Punctuation, Other | SYRIAC HARKLEAN METOBELUS
0x070d | 1805 | Punctuation, Other | SYRIAC HARKLEAN ASTERISCUS
0x0964 | 2404 | Punctuation, Other | DEVANAGARI DANDA
0x0965 | 2405 | Punctuation, Other | DEVANAGARI DOUBLE DANDA
0x0970 | 2416 | Punctuation, Other | DEVANAGARI ABBREVIATION SIGN
0x0df4 | 3572 | Punctuation, Other | SINHALA PUNCTUATION KUNDDALIYA
0x0e4f | 3663 | Punctuation, Other | THAI CHARACTER FONGMAN
0x0e5a | 3674 | Punctuation, Other | THAI CHARACTER ANGKHANKHU
0x0e5b | 3675 | Punctuation, Other | THAI CHARACTER KHOMUT
0x0f04 | 3844 | Punctuation, Other | TIBETAN MARK INITIAL YIG MGO MDUN MA
0x0f05 | 3845 | Punctuation, Other | TIBETAN MARK CLOSING YIG MGO SGAB MA
0x0f06 | 3846 | Punctuation, Other | TIBETAN MARK CARET YIG MGO PHUR SHAD MA
0x0f07 | 3847 | Punctuation, Other | TIBETAN MARK YIG MGO TSHEG SHAD MA
0x0f08 | 3848 | Punctuation, Other | TIBETAN MARK SBRUL SHAD
0x0f09 | 3849 | Punctuation, Other | TIBETAN MARK BSKUR YIG MGO
0x0f0a | 3850 | Punctuation, Other | TIBETAN MARK BKA- SHOG YIG MGO
0x0f0b | 3851 | Punctuation, Other | TIBETAN MARK INTERSYLLABIC TSHEG
0x0f0c | 3852 | Punctuation, Other | TIBETAN MARK DELIMITER TSHEG BSTAR
0x0f0d | 3853 | Punctuation, Other | TIBETAN MARK SHAD
0x0f0e | 3854 | Punctuation, Other | TIBETAN MARK NYIS SHAD
0x0f0f | 3855 | Punctuation, Other | TIBETAN MARK TSHEG SHAD
0x0f10 | 3856 | Punctuation, Other | TIBETAN MARK NYIS TSHEG SHAD
0x0f11 | 3857 | Punctuation, Other | TIBETAN MARK RIN CHEN SPUNGS SHAD
0x0f12 | 3858 | Punctuation, Other | TIBETAN MARK RGYA GRAM SHAD
0x0f3a | 3898 | Punctuation, Open | TIBETAN MARK GUG RTAGS GYON
0x0f3b | 3899 | Punctuation, Close | TIBETAN MARK GUG RTAGS GYAS
0x0f3c | 3900 | Punctuation, Open | TIBETAN MARK ANG KHANG GYON
0x0f3d | 3901 | Punctuation, Close | TIBETAN MARK ANG KHANG GYAS
0x0f85 | 3973 | Punctuation, Other | TIBETAN MARK PALUTA
0x104a | 4170 | Punctuation, Other | MYANMAR SIGN LITTLE SECTION
0x104b | 4171 | Punctuation, Other | MYANMAR SIGN SECTION
0x104c | 4172 | Punctuation, Other | MYANMAR SYMBOL LOCATIVE
0x104d | 4173 | Punctuation, Other | MYANMAR SYMBOL COMPLETED
0x104e | 4174 | Punctuation, Other | MYANMAR SYMBOL AFOREMENTIONED
0x104f | 4175 | Punctuation, Other | MYANMAR SYMBOL GENITIVE
0x10fb | 4347 | Punctuation, Other | GEORGIAN PARAGRAPH SEPARATOR
0x1361 | 4961 | Punctuation, Other | ETHIOPIC WORDSPACE
0x1362 | 4962 | Punctuation, Other | ETHIOPIC FULL STOP
0x1363 | 4963 | Punctuation, Other | ETHIOPIC COMMA
0x1364 | 4964 | Punctuation, Other | ETHIOPIC SEMICOLON
0x1365 | 4965 | Punctuation, Other | ETHIOPIC COLON
0x1366 | 4966 | Punctuation, Other | ETHIOPIC PREFACE COLON
0x1367 | 4967 | Punctuation, Other | ETHIOPIC QUESTION MARK
0x1368 | 4968 | Punctuation, Other | ETHIOPIC PARAGRAPH SEPARATOR
0x166d | 5741 | Punctuation, Other | CANADIAN SYLLABICS CHI SIGN
0x166e | 5742 | Punctuation, Other | CANADIAN SYLLABICS FULL STOP
0x1680 | 5760 | Separator, Space | OGHAM SPACE MARK
0x169b | 5787 | Punctuation, Open | OGHAM FEATHER MARK
0x169c | 5788 | Punctuation, Close | OGHAM REVERSED FEATHER MARK
0x16eb | 5867 | Punctuation, Other | RUNIC SINGLE PUNCTUATION
Word Separators D Table D-1 Character List (continued) Hexadecimal Code Decimal Code Type Character Name 0x16ec 5868 Punctuation, Other RUNIC MULTIPLE PUNCTUATION 0x16ed 5869 Punctuation, Other RUNIC CROSS PUNCTUATION 0x17d4 6100 Punctuation, Other KHMER SIGN KHAN 0x17d5 6101 Punctuation, Other KHMER SIGN BARIYOOSAN 0x17d6 6102 Punctuation, Other KHMER SIGN CAMNUC PII KUUH 0x17d7 6103 Punctuation, Other KHMER SIGN LEK TOO 0x17d8 6104 Punctuation, Other KHMER SIGN BEYYAL 0x17d9 6105 Punctuation, Other KHMER SIGN PHNAEK MUAN 0x17da 6106 Punctuation, Other KHMER SIGN KOOMUUT 0x17dc 6108 Punctuation, Other KHMER SIGN AVAKRAHASANYA 0x1800 6144 Punctuation, Other MONGOLIAN BIRGA 0x1801 6145 Punctuation, Other MONGOLIAN ELLIPSIS 0x1802 6146 Punctuation, Other MONGOLIAN COMMA 0x1803 6147 Punctuation, Other MONGOLIAN FULL STOP 0x1804 6148 Punctuation, Other MONGOLIAN COLON 0x1805 6149 Punctuation, Other MONGOLIAN FOUR DOTS 0x1806 6150 Punctuation, Dash MONGOLIAN TODO SOFT HYPHEN 0x1807 6151 Punctuation, Other MONGOLIAN SIBE SYLLABLE BOUNDARY MARKER 0x1808 6152 Punctuation, Other MONGOLIAN MANCHU COMMA 0x1809 6153 Punctuation, Other MONGOLIAN MANCHU FULL STOP 0x180a 6154 Punctuation, Other MONGOLIAN NIRUGU 0x2000 8192 Separator, Space EN QUAD 0x2001 8193 Separator, Space EM QUAD 0x2002 8194 Separator, Space EN SPACE 0x2003 8195 Separator, Space EM SPACE 0x2004 8196 Separator, Space THREE-PER-EM SPACE 0x2005 8197 Separator, Space FOUR-PER-EM SPACE 0x2006 8198 Separator, Space SIX-PER-EM SPACE 0x2007 8199 Separator, Space FIGURE SPACE 0x2008 8200 Separator, Space PUNCTUATION SPACE 0x2009 8201 Separator, Space THIN SPACE 0x200a 8202 Separator, Space HAIR SPACE 0x200b 8203 Separator, Space ZERO WIDTH SPACE 0x2010 8208 Punctuation, Dash HYPHEN 0x2011 8209 Punctuation, Dash NON-BREAKING HYPHEN 0x2012 8210 Punctuation, Dash FIGURE DASH 0x2013 8211 Punctuation, Dash EN DASH 0x2014 8212 Punctuation, Dash EM DASH 0x2015 8213 Punctuation, Dash HORIZONTAL BAR 0x2016 8214 Punctuation, 
Other DOUBLE VERTICAL LINE 0x2017 8215 Punctuation, Other DOUBLE LOW LINE 0x2018 8216 Punctuation, Initial quote LEFT SINGLE QUOTATION MARK 0x2019 8217 Punctuation, Final quote RIGHT SINGLE QUOTATION MARK 318
Word Separators D Table D-1 Character List (continued) Hexadecimal Code Decimal Code Type Character Name 0x201a 8218 Punctuation, Open SINGLE LOW-9 QUOTATION MARK 0x201b 8219 Punctuation, Initial quote SINGLE HIGH-REVERSED-9 QUOTATION MARK 0x201c 8220 Punctuation, Initial quote LEFT DOUBLE QUOTATION MARK 0x201d 8221 Punctuation, Final quote RIGHT DOUBLE QUOTATION MARK 0x201e 8222 Punctuation, Open DOUBLE LOW-9 QUOTATION MARK 0x201f 8223 Punctuation, Initial quote DOUBLE HIGH-REVERSED-9 QUOTATION MARK 0x2020 8224 Punctuation, Other DAGGER 0x2021 8225 Punctuation, Other DOUBLE DAGGER 0x2022 8226 Punctuation, Other BULLET 0x2023 8227 Punctuation, Other TRIANGULAR BULLET 0x2024 8228 Punctuation, Other ONE DOT LEADER 0x2025 8229 Punctuation, Other TWO DOT LEADER 0x2026 8230 Punctuation, Other HORIZONTAL ELLIPSIS 0x2027 8231 Punctuation, Other HYPHENATION POINT 0x2028 8232 Separator, Line LINE SEPARATOR 0x2029 8233 Separator, Paragraph PARAGRAPH SEPARATOR 0x202f 8239 Separator, Space NARROW NO-BREAK SPACE 0x2030 8240 Punctuation, Other PER MILLE SIGN 0x2031 8241 Punctuation, Other PER TEN THOUSAND SIGN 0x2032 8242 Punctuation, Other PRIME 0x2033 8243 Punctuation, Other DOUBLE PRIME 0x2034 8244 Punctuation, Other TRIPLE PRIME 0x2035 8245 Punctuation, Other REVERSED PRIME 0x2036 8246 Punctuation, Other REVERSED DOUBLE PRIME 0x2037 8247 Punctuation, Other REVERSED TRIPLE PRIME 0x2038 8248 Punctuation, Other CARET 0x2039 8249 Punctuation, Initial quote SINGLE LEFT-POINTING ANGLE QUOTATION MARK 0x203a 8250 Punctuation, Final quote SINGLE RIGHT-POINTING ANGLE QUOTATION MARK 0x203b 8251 Punctuation, Other REFERENCE MARK 0x203c 8252 Punctuation, Other DOUBLE EXCLAMATION MARK 0x203d 8253 Punctuation, Other INTERROBANG 0x203e 8254 Punctuation, Other OVERLINE 0x203f 8255 Punctuation, Connect UNDERTIE 0x2040 8256 Punctuation, Connect CHARACTER TIE 0x2041 8257 Punctuation, Other CARET INSERTION POINT 0x2042 8258 Punctuation, Other ASTERISK 0x2043 8259 Punctuation, Other HYPHEN BULLET 
0x2045 8261 Punctuation, Open LEFT SQUARE BRACKET WITH QUILL 0x2046 8262 Punctuation, Close RIGHT SQUARE BRACKET WITH QUILL 0x2048 8264 Punctuation, Other QUESTION EXCLAMATION MARK 0x2049 8265 Punctuation, Other EXCLAMATION QUESTION MARK 0x204a 8266 Punctuation, Other TIRONIAN SIGN ET 0x204b 8267 Punctuation, Other REVERSED PILCROW SIGN 319
Word Separators D Table D-1 Character List (continued) Hexadecimal Code Decimal Code Type Character Name 0x204c 8268 Punctuation, Other BLACK LEFTWARDS BULLET 0x204d 8269 Punctuation, Other BLACK RIGHTWARDS BULLET 0x207d 8317 Punctuation, Open SUPERSCRIPT LEFT PARENTHESIS 0x207e 8318 Punctuation, Close SUPERSCRIPT RIGHT PARENTHESIS 0x208d 8333 Punctuation, Open SUBSCRIPT LEFT PARENTHESIS 0x208e 8334 Punctuation, Close SUBSCRIPT RIGHT PARENTHESIS 0x2329 9001 Punctuation, Open LEFT-POINTING ANGLE BRACKET 0x232a 9002 Punctuation, Close RIGHT-POINTING ANGLE BRACKET 0x3000 12288 Separator, Space IDEOGRAPHIC SPACE 0x3001 12289 Punctuation, Other IDEOGRAPHIC COMMA 0x3002 12290 Punctuation, Other IDEOGRAPHIC FULL STOP 0x3003 12291 Punctuation, Other DITTO MARK 0x3008 12296 Punctuation, Open LEFT ANGLE BRACKET 0x3009 12297 Punctuation, Close RIGHT ANGLE BRACKET 0x300a 12298 Punctuation, Open LEFT DOUBLE ANGLE BRACKET 0x300b 12299 Punctuation, Close RIGHT DOUBLE ANGLE BRACKET 0x300c 12300 Punctuation, Open LEFT CORNER BRACKET 0x300d 12301 Punctuation, Close RIGHT CORNER BRACKET 0x300e 12302 Punctuation, Open LEFT WHITE CORNER BRACKET 0x300f 12303 Punctuation, Close RIGHT WHITE CORNER BRACKET 0x3010 12304 Punctuation, Open LEFT BLACK LENTICULAR BRACKET 0x3011 12305 Punctuation, Close RIGHT BLACK LENTICULAR BRACKET 0x3014 12308 Punctuation, Open LEFT TORTOISE SHELL BRACKET 0x3015 12309 Punctuation, Close RIGHT TORTOISE SHELL BRACKET 0x3016 12310 Punctuation, Open LEFT WHITE LENTICULAR BRACKET 0x3017 12311 Punctuation, Close RIGHT WHITE LENTICULAR BRACKET 0x3018 12312 Punctuation, Open LEFT WHITE TORTOISE SHELL BRACKET 0x3019 12313 Punctuation, Close RIGHT WHITE TORTOISE SHELL BRACKET 0x301a 12314 Punctuation, Open LEFT WHITE SQUARE BRACKET 0x301b 12315 Punctuation, Close RIGHT WHITE SQUARE BRACKET 0x301c 12316 Punctuation, Dash WAVE DASH 0x301d 12317 Punctuation, Open REVERSED DOUBLE PRIME QUOTATION MARK 0x301e 12318 Punctuation, Close DOUBLE PRIME QUOTATION MARK 0x301f 12319 
Punctuation, Close LOW DOUBLE PRIME QUOTATION MARK 0x3030 12336 Punctuation, Dash WAVY DASH 0x30fb 12539 Punctuation, Connect KATAKANA MIDDLE DOT 0xfd3e 64830 Punctuation, Open ORNATE LEFT PARENTHESIS 0xfd3f 64831 Punctuation, Close ORNATE RIGHT PARENTHESIS 0xfe30 65072 Punctuation, Other PRESENTATION FORM FOR VERTICAL TWO DOT LEADER 0xfe31 65073 Punctuation, Dash PRESENTATION FORM FOR VERTICAL EM DASH 0xfe32 65074 Punctuation, Dash PRESENTATION FORM FOR VERTICAL EN DASH 0xfe33 65075 Punctuation, Connect PRESENTATION FORM FOR VERTICAL LOW LINE 320
Word Separators D Table D-1 Character List (continued) Hexadecimal Code Decimal Code Type Character Name 0xfe34 65076 Punctuation, Connect PRESENTATION FORM FOR VERTICAL WAVY LOW LINE 0xfe35 65077 Punctuation, Open PRESENTATION FORM FOR VERTICAL LEFT PARENTHESIS 0xfe36 65078 Punctuation, Close PRESENTATION FORM FOR VERTICAL RIGHT PARENTHESIS 0xfe37 65079 Punctuation, Open PRESENTATION FORM FOR VERTICAL LEFT CURLY BRACKET 0xfe38 65080 Punctuation, Close PRESENTATION FORM FOR VERTICAL RIGHT CURLY BRACKET 0xfe39 65081 Punctuation, Open PRESENTATION FORM FOR VERTICAL LEFT TORTOISE SHELL BRACKET 0xfe3a 65082 Punctuation, Close PRESENTATION FORM FOR VERTICAL RIGHT TORTOISE SHELL BRACKET 0xfe3b 65083 Punctuation, Open PRESENTATION FORM FOR VERTICAL LEFT BLACK LENTICULAR BRACKET 0xfe3c 65084 Punctuation, Close PRESENTATION FORM FOR VERTICAL RIGHT BLACK LENTICULAR BRACKET 0xfe3d 65085 Punctuation, Open PRESENTATION FORM FOR VERTICAL LEFT DOUBLE ANGLE BRACKET 0xfe3e 65086 Punctuation, Close PRESENTATION FORM FOR VERTICAL RIGHT DOUBLE ANGLE BRACKET 0xfe3f 65087 Punctuation, Open PRESENTATION FORM FOR VERTICAL LEFT ANGLE BRACKET 0xfe40 65088 Punctuation, Close PRESENTATION FORM FOR VERTICAL RIGHT ANGLE BRACKET 0xfe41 65089 Punctuation, Open PRESENTATION FORM FOR VERTICAL LEFT CORNER BRACKET 0xfe42 65090 Punctuation, Close PRESENTATION FORM FOR VERTICAL RIGHT CORNER BRACKET 0xfe43 65091 Punctuation, Open PRESENTATION FORM FOR VERTICAL LEFT WHITE CORNER BRACKET 0xfe44 65092 Punctuation, Close PRESENTATION FORM FOR VERTICAL RIGHT WHITE CORNER BRACKET 0xfe49 65097 Punctuation, Other DASHED OVERLINE 0xfe4a 65098 Punctuation, Other CENTRELINE OVERLINE 0xfe4b 65099 Punctuation, Other WAVY OVERLINE 0xfe4c 65100 Punctuation, Other DOUBLE WAVY OVERLINE 0xfe4d 65101 Punctuation, Connect DASHED LOW LINE 0xfe4e 65102 Punctuation, Connect CENTRELINE LOW LINE 0xfe4f 65103 Punctuation, Connect WAVY LOW LINE 0xfe50 65104 Punctuation, Other SMALL COMMA 0xfe51 65105 Punctuation, Other SMALL 
IDEOGRAPHIC COMMA 0xfe52 65106 Punctuation, Other SMALL FULL STOP 0xfe54 65108 Punctuation, Other SMALL SEMICOLON 0xfe55 65109 Punctuation, Other SMALL COLON 0xfe56 65110 Punctuation, Other SMALL QUESTION MARK 0xfe57 65111 Punctuation, Other SMALL EXCLAMATION MARK 321
Word Separators D Table D-1 Character List (continued) Hexadecimal Code Decimal Code Type Character Name 0xfe58 65112 Punctuation, Dash SMALL EM DASH 0xfe59 65113 Punctuation, Open SMALL LEFT PARENTHESIS 0xfe5a 65114 Punctuation, Close SMALL RIGHT PARENTHESIS 0xfe5b 65115 Punctuation, Open SMALL LEFT CURLY BRACKET 0xfe5c 65116 Punctuation, Close SMALL RIGHT CURLY BRACKET 0xfe5d 65117 Punctuation, Open SMALL LEFT TORTOISE SHELL BRACKET 0xfe5e 65118 Punctuation, Close SMALL RIGHT TORTOISE SHELL BRACKET 0xfe5f 65119 Punctuation, Other SMALL NUMBER SIGN 0xfe60 65120 Punctuation, Other SMALL AMPERSAND 0xfe61 65121 Punctuation, Other SMALL ASTERISK 0xfe63 65123 Punctuation, Dash SMALL HYPHEN-MINUS 0xfe68 65128 Punctuation, Other SMALL REVERSE SOLIDUS 0xfe6a 65130 Punctuation, Other SMALL PERCENT SIGN 0xfe6b 65131 Punctuation, Other SMALL COMMERCIAL AT 0xff01 65281 Punctuation, Other FULLWIDTH EXCLAMATION MARK 0xff02 65282 Punctuation, Other FULLWIDTH QUOTATION MARK 0xff03 65283 Punctuation, Other FULLWIDTH NUMBER SIGN 0xff05 65285 Punctuation, Other FULLWIDTH PERCENT SIGN 0xff06 65286 Punctuation, Other FULLWIDTH AMPERSAND 0xff07 65287 Punctuation, Other FULLWIDTH APOSTROPHE 0xff08 65288 Punctuation, Open FULLWIDTH LEFT PARENTHESIS 0xff09 65289 Punctuation, Close FULLWIDTH RIGHT PARENTHESIS 0xff0a 65290 Punctuation, Other FULLWIDTH ASTERISK 0xff0c 65292 Punctuation, Other FULLWIDTH COMMA 0xff0d 65293 Punctuation, Dash FULLWIDTH HYPHEN-MINUS 0xff0e 65294 Punctuation, Other FULLWIDTH FULL STOP 0xff0f 65295 Punctuation, Other FULLWIDTH SOLIDUS 0xff1a 65306 Punctuation, Other FULLWIDTH COLON 0xff1b 65307 Punctuation, Other FULLWIDTH SEMICOLON 0xff1f 65311 Punctuation, Other FULLWIDTH QUESTION MARK 0xff20 65312 Punctuation, Other FULLWIDTH COMMERCIAL AT 0xff3b 65339 Punctuation, Open FULLWIDTH LEFT SQUARE BRACKET 0xff3c 65340 Punctuation, Other FULLWIDTH REVERSE SOLIDUS 0xff3d 65341 Punctuation, Close FULLWIDTH RIGHT SQUARE BRACKET 0xff3f 65343 Punctuation, Connect FULLWIDTH 
LOW LINE 0xff5b 65371 Punctuation, Open FULLWIDTH LEFT CURLY BRACKET 0xff5d 65373 Punctuation, Close FULLWIDTH RIGHT CURLY BRACKET 0xff61 65377 Punctuation, Other HALFWIDTH IDEOGRAPHIC FULL STOP 0xff62 65378 Punctuation, Open HALFWIDTH LEFT CORNER BRACKET 0xff63 65379 Punctuation, Close HALFWIDTH RIGHT CORNER BRACKET 0xff64 65380 Punctuation, Other HALFWIDTH IDEOGRAPHIC COMMA 0xff65 65381 Punctuation, Connect HALFWIDTH KATAKANA MIDDLE DOT 322
E Additional License Terms for ePolicy Orchestrator Software
McAfee has included a copy of the McAfee ePolicy Orchestrator software with this software. The use of the ePolicy Orchestrator software is subject to the terms and conditions of the License Agreement accompanying the product and subject to these additional terms and conditions. The ePolicy Orchestrator software is intended for use only with a validly licensed copy of the appliance software and is not intended or licensed as a stand-alone product or for use with any other products other than the McAfee appliance software. Only use this copy of the ePolicy Orchestrator software to report on the appliance software on your network. Unless you have purchased licences to use McAfee ePolicy Orchestrator separately, you are not entitled to use the copy contained herein to manage, or report from, any other computers on your network or within your organization. Contact your local McAfee representative if you need to obtain a fully licensed copy of the ePolicy Orchestrator software.
Menu Index
Find a feature from the menu
A ActiveX alert settings alerts anti-spam anti-virus appliance, stopping authentication B blacklist bounced email C charts comfort page compliancy configuration connections content scanning Policy HTTP Content... HTML Settings Policy SMTP Content... HTML Settings Policy FTP Content Policy HTTP Content From Outside or From Inside Policy POP3 Content Alert Settings Policy SMTP Content Policy SMTP Content... Alert Settings Policy POP3 Content Policy SMTP Content Policy FTP Content Policy FTP Content... Anti-Virus Policy HTTP Content Policy ICAP Content Request Modification Policy ICAP Content Response Modification Policy POP3 Content Policy SMTP Content Policy SMTP Content... Anti-Virus System Manage Appliances Manage this appliance Policy SMTP Advanced Policies Protocol From Inside or From Outside Sender Authentication and Reputation Configure SMTP User Black and White Lists Policy SMTP Advanced Policies Protocol... Sender Authentication and Reputation Policy SMTP Advanced Policies Protocol... Email Address Configuration Monitor Chart Policy HTTP Protocol... Client Download Status Messages Policy protocol Content Policy protocol Content... Compliancy System Backup and Restore Restore Restore Configuration System Backup and Restore Save Configuration System Manage Appliances View configuration changes Troubleshoot Diagnostics System Configuration Tests Configure SMTP Connection settings (Advanced) Policy SMTP Content... Encrypted Content
cookies corrupt content counters D dashboard Data command data leakage data loss data loss, report data trickling decryption default settings delivery settings denial of service denied domains deny senders diagnostics digest release digital signatures directory harvesting disclaimer disk usage DKIM DKIM keys E email alerts Policy ICAP Advanced Policies Protocol Request Modification Policy ICAP Advanced Policies Protocol Response Modification Policy SMTP Content Policy SMTP Content... Corrupt Content Monitor Status Monitor Status Policy SMTP Advanced Policies Protocol Policy protocol Content... Compliancy Policy SMTP Content... Data Loss Prevention Policy HTTP Content... Data Loss Prevention Policy SMTP Content... Data Loss Prevention Configure DLP Reporting Policy FTP Advanced Policies Protocol Policy HTTP Protocol... Download Status and Data Trickling Policy ICAP Advanced Policies Protocol Response Modification Policy SMTP Content... Encrypted Content System Backup and Restore Restore Restore Defaults Configure SMTP Protocol Delivery Settings Policy FTP Content... Scanner Control Policy HTTP Content... Scanner Control Policy HTTP Protocol... Denial of Service Prevention Policy ICAP Content Request Modification Policy ICAP Content Response Modification Policy SMTP Advanced Policies Protocol Policy SMTP Content... Scanner Control Configure SMTP Protocol Settings Anti-Relay Settings Configure SMTP Protocol Settings Permit and Deny Settings Troubleshoot Diagnostics System Configuration Tests Email Message Queues Digest Release Requests Policy SMTP Content... Signed Content Policy SMTP Advanced Policies Protocol Policy SMTP Content Monitor Resources Policy SMTP Advanced Policies Protocol... Sender Authentication and Reputation Configure SMTP DKIM Key Management Configure Logging... Channel Settings Email
email size email, deferred encryption encryption server ePolicy Orchestrator error report ESMTP F fallback relays file filtering G greylisting group of appliances H handoff host header blocking health HTML HTML objects HTTPS I instant messaging intercept ports J Java JavaScript K keep alive Policy SMTP Content... Mail Size Filtering Email Deferred Policy SMTP Content Policy SMTP Content... Encrypted Content Configure SMTP Protocol Settings Delivery Settings Policy Based Relay System Manage Components Troubleshoot Error Reporting Tool Policy SMTP Advanced Policies Protocol... Transparency Options Configure SMTP Protocol Settings Delivery Settings Policy SMTP Content Policy SMTP Content... File Filtering Configure SMTP Greylisting Service Policy SMTP Advanced Policies Protocol From inside System Manage Appliances Manage a group of appliances Policy FTP Advanced Policies Protocol Policy ICAP Advanced Policies Protocol Request Modification Policy ICAP Advanced Policies Protocol Response Modification Monitor Status Policy SMTP Content... HTML Settings Policy ICAP Content Request Modification Configure HTTP Connection Settings (Advanced) Policy HTTP Advanced Policies Protocol... HTTPS URL Blocking Monitor Status Protocol Status Policy HTTP Advanced Policies... Instant Messaging Policy ICAP Advanced Policies Protocol Request Modifications Policy ICAP Advanced Policies Protocol Response Modifications Configure SMTP Connection settings (Advanced) Policy SMTP Content... HTML Settings Policy HTTP Content... HTML Settings Policy SMTP Advanced Policies Protocol... Transparency Options
L language LDAP listeners load sharing load sharing, status loading logs logs, lifetime of M mail settings mail size memory MER tool MIB MIME format N notification notifications NTP System Manage Appliances Manage this appliance Policy Groups LDAP Servers Configure SMTP Connection settings (Advanced) Network Load Sharing Monitor Status Troubleshoot Diagnostics Display System Load System Backup and Restore Save logs Configure Logging, Alerting and SNMP Channel Settings XML Keep logs Policy SMTP Content... Mail Settings Policy POP3 Content Mail Size Filtering Policy SMTP Content... Mail Size Filtering Configure SMTP Connection settings (Advanced) Troubleshoot Minimum Escalation Report Links Bar Resource MIB File Policy SMTP Content... Mail Settings Policy SMTP Advanced Policies Protocol... Email Address Configuration Configure Logging, Alerting and SNMP Channel Settings Email Send email to the following recipients System Manage Appliances System Manage Appliances Manage this appliance O operational mode Network Settings out of band management System Manage Appliances P partition use Monitor Status password System Manage Appliances Manage this appliance password-protected email Policy SMTP Content... Protected Content performance Monitor Performance phishing Policy SMTP Content... Anti-Phishing ping Troubleshoot Diagnostics Ping Test
policies, maximum number of Policy SMTP Advanced Policies Protocol... Message Processing (Advanced) ports Configure SMTP Connection settings (Advanced) protected content Policy SMTP Content... Protected Content protocols Network Settings protocols, activate Network Settings Protocols protocols, disable Monitor Resources protocols, enable Network Settings Protocol Q quarantine queues, email Troubleshoot Save Quarantine Email Message Queues R RBL Policy SMTP Advanced Policies Protocol... Sender Authentication and Reputation reboot appliance System Manage Appliances Manage this appliance recipient limit Policy SMTP Advanced Policies Protocol... Message Processing report Troubleshoot Minimum Escalation Report reputation Policy SMTP Advanced Policies Protocol From Inside or From Outside Sender Authentication and Reputation reputation service Policy SMTP Advanced Policies Protocol... Sender Authentication and Reputation reputation service, testing Troubleshoot Diagnostics System Configuration Tests routing Troubleshoot Diagnostics Display Routing Information routing characters Policy SMTP Advanced Policies Connection routing table Network Settings Troubleshoot Diagnostics Display Routing Information S Sender ID senders sensitive data signed content signed email SiteAdvisor SmartReporter Policy SMTP Advanced Policies Protocol... Sender Authentication and Reputation Configure SMTP Protocol Settings Permit and Deny Settings Policy HTTP Content... Data Loss Prevention Policy SMTP Content... Signed Content Policy SMTP Content... Data Loss Prevention Policy SMTP Content... Signed Content Policy HTTP Content... URL Filtering System Manage Components
spam Monitor Updates Policy POP3 Content Policy SMTP Content Policy SMTP Content... Anti-Spam spam, blocking spammer Configure SMTP Permit and Deny Settings Deny Sender SPF Policy SMTP Advanced Policies Protocol... Sender Authentication and Reputation SSH events Monitor Logs Resource and System, User and User Interface SSH, access System Manage Appliances statistics Monitor Status stop appliance System Manage Appliances Manage this appliance, Stop the appliance store and forward Policy SMTP Advanced Policies Protocol... Message Processing streaming media Policy HTTP Advanced Policies Protocol... Streaming Media Policy ICAP Advanced Policies Protocol Response Modification substitution variables Configure Logging... Channel Settings Email support Troubleshoot Minimum Escalation Report syslog Configure Logging, Alerting and SNMP Channel Settings Syslog system load Troubleshoot Diagnostics Display System Load T tarpit time time setting time zone time, NTP time-out TLS top 10 traffic traffic volume transport logging U undelivered email Policy SMTP Advanced Policies Protocol From Inside or From Outside Sender Authentication and Reputation System Manage Appliances System Manage Appliances Manage this appliance, Set Now System Manage Appliances Manage this appliance System Manage Appliances Manage this appliance Policy FTP Advanced Policies Connection Policy ICAP Advanced Policies Connection Request Modification Policy ICAP Advanced Policies Connection Response Modification Policy SMTP Advanced Policies Connection... Time-outs Configure SMTP Transport Layer Security Monitor Chart Troubleshoot Capture Network Traffic Monitor Status Policy SMTP Advanced Policies Connection Policy SMTP Advanced Policies Protocol... Email Address Configuration
URLs V VBScript virus Visual Basic W welcome message whitelist Monitor Updates Policy HTTP Content... HTML Settings Policy SMTP Content... HTML Settings Monitor Updates Policy HTTP Content Policy POP Content Policy SMTP Content Policy SMTP Content... HTML Settings Policy SMTP Advanced Policies Protocol... Message Processing Policy SMTP Advanced Policies Protocol... Transparency Options Configure SMTP User Black and White Lists
Index A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Symbols * domain 37
Numerics 8-bit file transfer 234 8BITMIME 136
A A, address records 142 accelerator card 9 account number 117 actions, upon detection 73 activation 53 Active Directory 171, 172 ActiveX 26, 125, 182, 218 addrconf 292 advertising, unwanted 10 adware 10 alert messages 46 alerts 23, 284 alert editor 123, 165, 190, 232 alert messages 123 alert settings for ICAP 218 email 285 ePolicy Orchestrator 285 SNMP 285 aliases 35 allow relay, see anti-relay 88 amazing offers, spam phrases 107 anti-phishing, see phishing 106 anti-relay 88, 143 local domains 38, 88 problems 299 resolve host names 89 response 89 routing characters 88 anti-spam 10 see also spam 104 Anti-Spam Module 104, 105, 162 overview 105 anti-spyware 10 anti-virus 10 ExtraDAT files 241 local updates 241 scanning 236 scanning, disabling 119 scheduling updates 241 software 240 software updating, problems 304 updating 240 anti-virus engine, see engine 240 anti-virus scanning 236 FTP 232 HTTP 182 level of protection 78 SMTP 113 anti-virus software 240 APOP protocol 160 appliance configuration 24, 25, 27 connecting to 27 copying configuration between 250 language for interface 28 maintenance 24 management computer 25, 26 management interface 20 management options 27 managing groups of 250 monitoring 23, 262 number of connections 51 positioning 19 remote management of 10 resource allocation 51 restoring configuration 252 restrictions 19 status page 23 view configuration 249 what is it? 8 who must configure it 25 application/x-mms-framed 201 Apply all changes, button 44 archive files 237 expand and scan 239 ARP routing table 293 ASCII 314 * domain 37 asymmetric cryptography 97 attacks denial-of-service 119 directory harvesting 136 flooding 136 man in the middle 98 audience for this guide 14 audio, streaming media 200 AUTH command 136, 138, 139 authenticated client 98 authentication group 177 authentication policy, configuration 180 authentication service 170, 171, 174, 175, 176, 177, 179, 181, 201, 203, 205 advanced settings 177 user name formats 203 automatic updates 240 anti-spam 112, 289 anti-virus 240 autonegotiation appliance ports 36 speed 36 state 36 Avert Labs Threat Center 16
B backing up 251 appliance 251 files 251 Bayesian learning 94, 109 BEGIN PGP ENCRYPTED 158 beta program website 16 bind9 entry 135 bitmap, see BMP 151 blackhole lists problems 304 see also block list and RBL 127, 129 see also whitelists and blacklists 95 block lists 129 BMP 151
bounced email 140 BPDU, Bridge Protocol Data Unit 33 bridge address 35 bridge priority 33 for appliance 34 Bridge Protocol Data Unit (BPDU) 33 Bubbleboy virus 240 bypass device or switch, see Fail-Open Unit 34
C CA, acronym for Certificate Authority canonicalization 132 CAPA requests, POP3 extensions 166 capture network traffic 295 CEO, example 151 certificate authority 98, 100 certificates 27, 100 for LDAP 177 character set translation 234 character sets Hebrew 122 not-supported 110, 162 characters not detected 148 used as delimiters 149 charts 269 check for client HTTP 207 CHUNKING 137 classifications 113 client alert messages 191, 221 client application, managing appliance with 20 client download status message 192 client verification Transport Layer Security 98 codes ICAP status 226 comfort pages 192, 194 commands DATA 136 HELO 293 keep-alive 136 NOOP 136 compliancy see also data loss prevention 117, 190 changing the content libraries 118, 190 email 117, 190 components, optional 9 compressed files 237 confidential information 151 confidential reports 287 confidentiality, see also compliancy 113 configuration authentication policy 180 changes 249 copying 250 HTML error pages 205 initial 25 Kerberos authentication 174 LDAP authentication 176 multiple appliances 250 NTLM authentication 175 redirect pages 205 reports 205 SmartReporter 205, 206 user authentication 174 configuration groups user authentication 170 connection policies 57 FTP 233, 235 HTTP 201 ICAP 217 POP3 167 SMTP 143 connection speed 36 contacting McAfee 16 content policies 57 actions 73 anti-virus scanning 218 denial-of-service 219 FTP 232 HTML settings 218 HTTP 182 SMTP 73 content rules 56, 71 and rule groups 66, 146 definition 56, 66, 146 right-click options 71 using 66, 146 warning about names of 147 content scanning 10, 120, 314 depth of scanning 120, 163 enabling 119 HTML 125 protected content 120 quarantine queues 153 signed content 121 SMTP 22 word separators 314 content-filtering policies email compliancy 117 control buttons, in interface 43 controlling appliance 23, 242 cookies blocking 200 scanning 200 session-based for authentication 171 sessions 26 user authentication 171 Coordinated Universal Time 40 corrupt content 122, 164 CPU usage 265, 293 cryptography asymmetric 97 public key 97 CSV files 38 CTRL+ALT+F2 32 currency symbols 148 customer service, contacting 16 CyberPatrol, see enhanced URL filtering 9
D dashboard, see Status 263 DAT files automatic updates 240 Avert Labs notification service for updates 16 definition 240 updates, website 16 why they are important 21 data chunking 211 HTTP 211 DATA command 136, 138 data commands, SMTP 142 data loss queue 153 reports 278, 287 Data Loss Prevention 113 activation of 53 data trickling FTP 234 HTTP 193 decryption, inbound email 157 deep sight, see Virus Information Library 24 default gateway, for appliance 33 default settings number of connections 51 password 28 system name 26 deferred email 156 problems 300 defs, see DAT files 21 delimiter characters 149
delivery methods SMTP email 87 denial-of-service 138, 219 attacks 119 policy settings 219 prevention 119, 189, 192 depth of nesting 119 in compressed files 119, 163 depth of scanning 120 details pane 69 detection events 284 diagnostics tests, for appliance 290 digests 10 release queue 92, 153 directory harvest attack 135 550 recipient address rejected 300 prevention 300 directory harvesting 136 disclaimers 122 characters missing 122 disk usage 271 distinguishedname 179 distractions 152 DKIM 127 DLP, Data Loss Prevention 113 see also email compliancy 113 DNS acronym for Domain Name Service data limits 142 look up 142 reverse lookup 51 servers 39, 87 text record 135 DNS servers 39 Domain Keys Identified Mail (DKIM) 127 domain name 33 appliance 33 domain part, email address 141 domain relays 87 domains * domain 37 appliance domain 33 inside networks 21, 37 adding 38 outside networks 21, 37 adding 38 Domino, directory harvesting 299 download status page, HTTP 192 download website 16 downloading, anti-spam files 112, 289 DRAC 296 DSN 136 dynamic routes 39 disabling 40
E EHLO command 142 EICAR 301 email administration 83, 168, 216 alert messages 123 anti-virus scanning 113 compliancy 117, 190 content-filtering policies 117 content scanning 118 data commands 142 denial-of-service 138 encryption 157, 158 ESMTP extensions 138 limiting size of 125 logging 285 maximum size 162 messages 87 notification text 141 recipient address setting up 140 scanning on web-based services 117 sender setting up address 140 store and forward setting up 141 subject field 141 transparency options 136 welcome message 141 email address bounced email 140 configuration 139 delivery failure 140 forwarding address 140 From 140 non-compliant characters in 141 parsing options 141 To field 140 email delivery 87 domain relays 87 fallback relays 87 problems 300 email headers 138 non-spam alternative 110 received headers 138 email notification 141 text 141 email recipients, multiple policies 138 encrypted content 120 encryption 158 of email 157, 158 Transport Layer Security 97 engine anti-virus, automatic updates 240 definition of anti-virus 240 enhanced HTTP scanning 9 enhanced URL filtering 9, 10 envelope sender address 129 ePolicy Orchestrator 33 agent 254 license terms 323 logging events 285 supporting authentication settings 254 error codes ICAP 226 error report 295 Error Reporting Tool 295 ESMTP 136, 138 extensions 136 Ethereal 295 evaluating McAfee products, download website 16 events 284 codes 284 severity 284 examples alert message 46, 192 CEO 151 content rules 151 DKIM signature 133 DNS text record 135 domain name 38 load sharing 245 network address 38 policy 81 schedule in policy 60 spam score 107 SPF record 130 exceptions 49 transparent bridge mode 49 transparent router mode 49 executables 218 explicit proxy mode 18 IP addresses 35 streaming media 201 external networks 21 extra rules 112, 289 ExtraDAT files 241 definition 240
F facilities, syslog 285 failed delivery address 140
Fail-Open Unit 34
fallback relays 87
FAQs 44, 297
features 8, 10
fiber card 9
field delimiters 149
file format 124
file type filtering
  adding a rule 124
files, removing old 261
filters
  see also data loss prevention 117, 190
  content 277
  enhanced URL 9
  file 123
  HTTPS 196
  mail size 81, 165
  reputation 128
  URL 182
  URL on ICAP 219
  URL, reports 278
fingerprints 114
  partial detection 115
Firefox, authentication 178
firewalls, with appliance 19
fishing, see phishing
Flash (Macromedia) 125, 182
Flash (Macromedia, Adobe) 218
flooding, email attack 136
flow control 113
forging 130
forward only 39
FQDN, fully qualified domain name
frequently asked questions 44, 297
'From' email address 140
from inside 168, 230
from outside 168, 230
FTP 230–235
  definition 230
  over HTTP 196
  port number 48, 49, 50
  problems 303
  protocol support 19
full duplex 36
G
gateway 33
  default IP address 33
generic POP3 proxy 166
GLBA 117
global policies 56
  definition 55
  icon 68
GMT, see Coordinated Universal Time 40
GPO 202
Gramm-Leach-Bliley Act 117
Greenwich, see Coordinated Universal Time 40
groups of appliances 250
GUI, see interface 43
H
half duplex 36
handoff host
  FTP 234
  HTTP 196
hardware
  card 265
  options 9
hardware supported 9
header blocking and modification, HTTP ICAP 222
header sender address 129
headers
  non-spam 110
  received 142
  spam headers 110
Health Insurance Portability and Accountability Act (HIPAA) 117
Hebrew character set, not supported 122
HELO command 142
heuristic analysis 237
HIPAA 117
hoaxes 104
home page 41
host name, of appliance 26
HotFix and Patch releases 303
  for products and security vulnerabilities 16
HTML
  content scanning 125
  error pages configuration 205
  settings 218
  HTTP 125, 182, 218
HTTP 17, 20, 168–208
  blocking HTML elements 125, 182
  body data, response body 212
  check for client 207
  client alert messages 191
  client download status message 192
  content policies 182
  enhanced scanning 10
  internal information pages 199
  maximum requests per connection 198
  protocol policies 190
  protocol support 19
  request modification 210
  request schemes 199, 223
  response modification 210
  scanning 223
    bodies 200
    headers 200
  server internal information pages 199
  verbs 199
HTTP 1.0 199
HTTP posting 113
  defined 117
HTTP requests
  redirecting 177
  user authentication 171
HTTPS 17, 20
I
IAC (Internet Access Control), see also URL filtering 183
ICAP 209–229
  adaptation 209
  definition of 209
  forum 209
  how it works 213
  port number 49, 50
  protocol support 19
  rejects REQMOD 218
  restart protocol 226
  scanning 218, 223
  service not found 226
  services 210, 224
  status codes 226
  troubleshooting 226
ICAP support 10
  transparent authentication 227
ICAP verbs 211
icons 68, 72
  global policy 68
  non-global policy 68
  rule groups 68
identities (virus), see DAT files 21
IDEs, see DAT files 21
images, stopping offensive 108
import
  certificates 97, 100
  from CSV files 46
  DKIM signing keys 102
  example of lists 45
  keytab 174, 254
  LDAP directory information 62, 65
  network information 38
  rule groups 69, 72
  URLs 188
inbound email, decryption 157
inheritance 59
  inherited by 70
  inherited from 71
inside networks 21
  resolving conflicts 37
  using .csv files 38
  what is in the list of 37
installation
  SmartReporter 205
Installation Wizard 28
instant messaging 197, 222
  logged 264
insult 147
Integrated Windows Authentication 171
intercept ports, SMTP 48
interface 43–44, 72
  changing pane size 44
  details pane 69
  printing 44
  right-click options 68
  tree pane 68
internal networks 21
Internet Access Control, see also URL filtering 183
Internet Explorer, authentication 178
IP addresses 35–36
  for appliance 36
  appliance default 26
  gateway 33
ISO-8859-8-I 122
ISP
  acronym for Internet Service Provider
  fallback relays 87
J
Japanese (ISO-2022-JP), not supported in prefix 110, 162
Java applets 125, 182
Java Runtime Environment (JRE) 26
  requirements 26
JavaScript 26, 125, 182
junk mail 104
K
Kerberos
  configuring authentication 174
  user authentication 170, 171
key expiry, DKIM 132
keytab file 173
KnowledgeBase search 16
ktpass 173
L
language, operational 40
LDAP 58, 63, 65, 169, 171
  acronym for Lightweight Directory Access Protocol 169
  configuring authentication 176
  fixing errors 180
  importing directory information 66
  servers list 65
  testing servers 179
  user authentication 170, 171
LDAPS, secure LDAP 177
lexicons, compliancy 118, 190
liability, limiting 122
license agreements, problems with 237
Links bar 24, 43, 44
listeners 51
  changing value of 297
  load sharing 244
listening ports 50
  SMTP 50
lists
  building 45
  importing information into 45, 46
  ordering information in 45
load sharing 23, 40, 242
  accept requests 40
  appliance 23, 242
  connections 244
  controlling appliance 23, 242
  definition 23
  examples 242, 245
  listeners 244
  load-sharing appliance 23, 242
  make requests 40
  number of scans 244
  total number of scans 244
local part, email address 141
locations 114
log on, failed 284
logging 23, 268, 274
  detail 284
  distribution 284
  keeping and purging 285
  keeping the XML log 285
  logging and alerting
    configuring 284
    overview 251
    restricting the number 261
logging and alerting 268, 274
logging and reporting, user authentication 202
logging on 26
Logoff 44
logon attempts, failed 251
logs 251
  controlling size of 303
  viewing 268
Lotus Domino 309
lpt files, see DAT files 21
M
macro viruses 237
Macromedia Flash 125
MacroTrap, see macro viruses 237
mail bombing 88
mail clients 307
Mail Transfer Agent 128
main panel, of interface 43
malware 236
management
  back up 251
  computer, configure 26
  initial configuration 27
  managing components 247
  restore settings 251
  this appliance 247
  view configuration 249
man-in-the-middle attack 98
mask, subnet 35
maximum number of hops 142
Maximum Transmission Unit (MTU) size 36
Media Access Control (MAC) address 265
Melissa virus 240
memory, changing value of 297
menus 324
MER Tool, see Minimum Escalation Report
messages
  alert 123
  client alert 221
  client download status 192
  email alert 123
  email welcome 141
  example of spam 107
  HTTP client alert 191
  queues 153
  SMTP email 87
  spam prefix to email 107
  welcome 141
MIB 24, 261, 285
Microsoft Outlook 308
MIME 126, 150
  8BITMIME 136
Minimum Escalation Report 294, 295
monitoring 262
  alerts 23
  charts 269
  CPU usage 265
  ICAP status codes 226
  logging 23
  notifications 23
  performance 266
  status pages 23
  view configuration 249
Mozilla Firefox, see Firefox 178
MPEGs 151
MTA 128
MX, mail exchange record 142
MX, mail-domain record limiting 142
N
name, of appliance 33
National Insurance Number 117
navigation bar, in interface 43
navigation, see menu index 324
NDS 171
nesting, depth of 119
network
  inside 21
  interface settings 35
  load 151
  mask 35
  outside 21
Network Interface Card (NIC) 36
  MTU size 36
  settings 36
network sources, issues with HTTP scanning in Explicit Proxy mode 64
Network Time Protocol (NTP) 41, 175, 249
network traffic, capturing 295
new features 11
NIC, Network Interface Card 36
non-compliant characters in email address 141
non-compliant POST requests 198
non-global policies
  see also policies
  definition 55
non-RFC characters in email address 141
non-spam learning 94
  queue 153
NOOP command 136
notification text, SMTP 141
NT domain 171, 172
NTLM
  acronym for NT LAN Manager 169
  authentication, configuration 175
  failure pages 198
  Windows Active Directory 170
  Windows Active Directory, user authentication 170, 171
NTP 41, 175, 249
nuisance email 152
O
OCC 113
off-box logging 251
offensive words 152
official pattern release, see DAT files 21
Open Shortest Path First (OSPF) 39
OpenPGP 158
operational language 40
operational modes 18, 33
OPR, see DAT files 21
OPTIONS 199
  HTTP 199
ordering policies 59
OSPF 39
Outbound Content Compliance (OCC) 113
Outlook 308
out-of-band management 29
outside networks 21
  resolving conflicts 37
  using .csv files 38
  what to include in 37
overview 8
P
packers 237
pane size 44
parsing options, email 141
password-protected data 120
passwords 40
  for appliance 40
  changing 247, 248
  default is scmchangeme 298
  for appliance 28
path cost 33
pattern files, see DAT files 21
PEM format 100
percent sign (%) 310
performance 306
  monitoring 266
permit domains 88
permitted recipients 136
PGP 158
PGP/MIME 158
phishing 10
  definition of 112
  rules against 106
ping test 291
pkcs7 158
PKZip 237
policies 55–82
  access policy menus 67
  actions 73
  add settings 71
  anti-spam 104, 162
  content rules, see content rules
  definition of 23, 55, 56
  disabled icon 69
  edit settings 71
  explained 23, 55
  FTP policies 233, 235
  guidelines 72
  HTTP 182
  HTTP policies 182, 190, 201
  icons 68, 69, 70, 71
  inheritance 59, 70
  multiple policies, email recipients 138
  non-global 55, 59, 60, 61, 62
  overview 55
  policy groups, see policy groups
  policy name 58
  POP3 160, 161
  protocol policies 220, 221
    SMTP 103, 127
  rule groups, see rule groups
  SMTP policies 103, 127, 143, 166
policy groups 56
  creating 62
  defining membership of 58
  definition 56
  deleting 64
  managing 62
  modifying 64
policy level user authentication 170
policy selection criteria, URL filtering 203
policy-based control, URL log events 204
policy-based relays 87
polymorphic viruses 237
POP3 160
  authenticated (APOP) 160
  connection time-outs 167
  dedicated proxy 160
  definition 160
  generic proxy 166
  policies 160, 161
  port number 49, 50
    default port 110 48
  problems 302
  protocol support 19
port numbers 199
  changing SMTP 142
  HTTP 49, 50, 199, 223
    default port 80 48
  ICAP 223
  ICAP, HTTP 223
  POP3 160
  SMTP 142
    default port 25 48
  specifying ranges 223
  SSL 199, 223
  streaming media 201
ports 35, 48, 50
  autonegotiation 36
  autonegotiation state 36
  default numbers 48
  duplex state 36
  intercept port numbers 49
  intercept ports 48
  listening port numbers 50
  listening ports 50
  POP3 302
POST requests, non-compliant 198
posting, HTTP 113
Postini, see PTIN 128
postmaster 88
PRA, Purported Responsible Address 131
prefix to identify spam messages 107
pre-requisites, for appliance 25
Pretty Good Privacy (PGP) 158
preview option 214
  definition 214
  service settings 224
  size of 214
primary IP addresses 35
printing 44
Privacy lexicon 117
privacy, see also compliancy 113
problem solving 24
processor usage 265
  see CPU usage 293
product information, finding 15
product upgrades 16
professional services, McAfee resources 16
protected content 120
protocol policies 57, 220, 221
  client alert messages 221
  FTP 233
  HTTP 190
  ICAP HTTP header blocking 222
  request permissions 223
  scanning HTTP messages 223
  service settings 224
  SMTP 103, 127, 166
  streaming media 225
  URL blocking 221
  URL character blocking 221
protocol support 19
  disabling 19, 21, 34
  enabling 19, 21, 34
  FTP 230
  OSPF 39
  RIP 39
  SIG 19
  SMG 19
  SWG 19
protocols
  basic configuration 52
  configuring 52
  enabling 52
  selecting 34
  supported by appliance 19
proxying requests, web browsers 207
PTIN
  acronym for Postini Threat Identification Network
  see reputation service 128
ptn files, see DAT files 21
public key cryptography 97
Purported Responsible Address (PRA) 131
Q
qmail, directory harvesting 299
quarantine 56, 151, 295
  content 153
  daily maintenance 155
  data loss 153
  save quarantined files 295
  spam 153
  virus detections 153
quarantine digests 10
quarantine management 10
  digests 10
  managing SMTP queues 153
  non-spam learning queue 153
  release queue 153
Quarantine Manager 9, 10, 95, 295
queues
  deferred 295
  digest 92
  managing SMTP 153
  message 153
  quarantine 295
  spam 295
Quick Help 43, 44
R
RAID 265
RBL servers list 129
real-time block lists 129
Real-time Blackhole List 127
rebooting the appliance 248
received headers 138
recipient address rejected, directory harvest attack 300
recipient address, setting up 140
recode, character set translator 234
redirect pages, configuration 205
redirection, HTTP requests 177
Redundant Arrays of Independent Disks (RAID) 265
referers 195
relaying email 87
relays, policy-based 87
release queue 153
  quarantine digests 92
Remote Access card 9, 10, 296
reports 268, 274
  configuration 205
  data loss 287
  ePolicy Orchestrator 276
  SmartReporter 205
reputation service 128
reputation-based filters 101, 127, 128, 157
REQMOD 210, 211, 213
  request permissions 223
  request rejected 218
  URL blocking 221
  URL character blocking 221
request permissions 223
request schemes 199, 223
reset, using HELO 142
resolving host names, anti-relay 89
resources exhausted 284
resources, for product information 15
RESPMOD 210, 211, 214
  streaming media 225
response body, ICAP 212
response header, ICAP 212
response, anti-relay 89
restarting
  appliance 248
  protocols 226
restore
  data 251
  resource allocation settings 51
  settings 251
restore, appliance data 251
retryer 90
  settings 90
return-path 129
reverse DNS lookup 51
reverse lookup 51
RFCs
  1305 (NTP) 249
  2616 (HTTP)
  2821 (SMTP)
  3507 (ICAP)
right-click options 68
  content rules 71
  policies 71
RIP 39
root bridge 33, 34
routing
  characters 88, 89, 143
  information 39, 291, 292
  OSPF 39
  RIP 39
  information for appliance 291
routing information 291
Routing Information Protocol (RIP) 39
rude words 152
rule groups 66, 71, 146
  assigning 71
  icons 68
rules 151
  description 147
  extra rules 105
  file type filtering (SMTP) 124
  name 147
  problems with complex 150
S
samaccountname 176, 179
samples, viruses 44
Sarbanes-Oxley Act 117
scan order, for email 84
scanning 218, 223
  effect on performance 238
  for viruses in ICAP 218
  options 239
  resource allocation 51
schedules
  anti-virus 241
  DAT files 21
  example 60
  quarantine digest 93
  quarantine maintenance 155
  SmartReporter reports 281
  update packages 257
  viewing updates 260, 271
  virus definition files 21
scmchangeme 28
score, see spam scores 107
scripts 218
secrets, see also compliancy 113
Secure Sockets Layer (SSL) 17, 98
security
  how secure is the appliance? 17
Security Headquarters (see Avert Labs)
security updates, DAT files and engine 16
security vulnerabilities, releases for 16
selector, DKIM 132
Sender ID 127, 130
Sender Policy Framework 127
sensitive data, protecting 113
separators, for words 149
server for internal information pages 199
server verification, Transport Layer Security 98
service
  ICAP policies 210
  service not found 226
  settings 224
ServicePortal, technical support 16
Setup Wizard 27, 52
  using 32
SIG 9
  load sharing 242
  protocol support 19
signature expiry, DKIM 132
signature files, see DAT files 21
signatures of viruses 237
signed content 121
signing identity 132
sign-on, for user authentication 171
SiteAdvisor 184
SmartFilter, see enhanced URL filtering 9
SmartReporter 205, 207
  configuration 206
  user authentication 202
SMG 9
  load sharing 242
  protocol support 19
S/MIME 158
SMTP 87
  actions 138
  additional scanning alerts 138
  anti-spam, advanced settings 162
  anti-spam, RBL servers list 129
  anti-virus scanning 113
  connection
    policies 143
    time-outs 207
    transport logging 144
  domain relays 87
  local domains 88
  managing queues 153
  permit domains 88
  policies 103
  problems 300
  protocol policies 103, 127, 166
    denial-of-service 138
    DNS data limits 142
    keep connection open 137
    message processing 141
    multiple policies 138
  protocol support 19
  transparency options 136
SNMP 285
  MIB 24, 261
  traps 285
Social Security Number 117
software supported 9
SOX, Sarbanes-Oxley Act 117
** spam ** prefix 107
spam 104–112
  advanced settings 162
  automatic updates 112, 289
  definition of 104
  disabling rules against 108
  engine 112, 289
  example message 107
  extra rules against 105
  header width 110
  learning queue 153
  maximum number of rules against 110, 162
  modifying the subject line 107
  non-spam learning 94
  phrases 107
  queue 153
  RBL servers list 129
  reporting on 109
  rules against 106, 112, 289
  scheduling updates against 112, 289
  score, see spam scores 107
  submitting a sample 24
  tips for avoiding 104
  updating protection 289
  verbose reporting of 109
spam learning 94
spam scores
  changing 108
  example of 107
  indicator 107, 109
  typical value of 5 107
Spamhaus 129
Spanning Tree Protocol (STP) 33
SPF 127
SPF/PRA, see also RFCs 4405-8
spoofing 130
spyware 10
Squid 206, 210
SSH
  enabling access 53
  monitoring events 54
SSL 26, 199
  CONNECT verb 199, 223
* domain 37
start of authority 293
static routes 39
status codes 226
  ICAP 226
  list of 226
status page 23, 192, 263
stopping the appliance 248
store and forward 90
  email 90
  retryer 90
  setting up 141
STP, Spanning Tree Protocol 33
streaming media 200, 225
  allow pass through 201
  port number 201
submit a sample, Avert Labs WebImmune 16
subnet mask 35
substitution variables 56, 119, 310–313
support matrix 9
SurfControl, see enhanced URL filtering 9
SWG 9
  load sharing 242
  protocol support 19
symbols, see icons 72
syslog 285
  off-box logging 251
system configuration tests 293, 294
system date and time for appliance 40
system load on appliance 293
system logs 251
system name 26
system settings, restoring 252
T
tags, see fingerprints 114
TCP/IP 48
tcpdump capture file 295
technical support 44, 306
  Error Reporting Tool 295
  Minimum Escalation Report 294
technical support, contacting 16
temps universel coordonné 40
terms, for ICAP 228
tests
  ping 291
  routing information 291
  system configuration 293, 294
  system load 293
third-party relaying 89
Threat Center (see Avert Labs)
threat explorer, see Virus Information Library 24
threat library 16
threat response 112
  see reputation service 128
time restrictions
  adding 61
  non-global policies 60
time zone settings 40
time-outs
  FTP connection 235
  HTTP 207
  POP3 167
  SMTP connection 143, 207
TLS 97
'To' email address 139
tokens 310
  see substitution variables 56
toolbars, in interface 72
top command, Linux 293
topologies 19
TRACE 199
  HTTP 199
traffic capture 295
traffic flow 168, 230
traffic scanning 21
traffic, protocols handled 19
training, McAfee resources 16
transparency options 136
transparent authentication
  ePolicy Orchestrator 254
  ICAP support 227
transparent bridge mode 18
  exceptions 49
  IP addresses 35
  streaming media 201
transparent router mode 18
  exceptions 49
  IP addresses 35
  streaming media 201
Transport Layer Security 97–101
  also known as TLS 97
  encryption 97
transport logging 144
trap, SNMP 285
tree pane, in interface 68
triplet, greylisting 101
troubleshooting 24, 290–306
  ICAP 226
TRU, see threat response 112
TSV (Tab Separated Values) 269
U
UBE (Unsolicited Bulk Email), or spam 104
UDP 48
UI, see interface 43
unacceptable words 152
Unicode 314
unsolicited email 104
updates 271
  for appliance 288–289
upgrade website 16
URL
  blocking 191, 221
  character blocking 221
  enhanced filtering 10
  filtering 9, 10, 183
  filtering using ICAP REQMOD 210
  website address 129
URL filtering
  HTTP 183
  policy selection criteria 203
  reports 170
URL log events, policy-based control 204
user authentication 169
  configuring 174
  logging and reporting 202
  SmartReporter 202
  where it is used 170
user interface, see interface 43
user name 28
  appliance 252
  POP3 account 166
user name formats, authentication services 203
userprincipalname 179
using this guide 14
  audience 14
  typeface conventions and symbols 14
UTC 40, 313
uuencoded 125
V
VBScript, Visual Basic script 125, 182
verbose reporting 109
verbs
  HTTP 199
  ICAP 211
via headers, HTTP 222
video, streaming media 200
virus definition (DAT) files 21
virus identities, see DAT files 21
Virus Information Library 24, 306
Virus Information Library (see Avert Labs Threat Library)
virus pattern files, see DAT files 21
virus scanning, problems 37
virus signatures 237
viruses
  hoaxes 104
  information about 44
  macro 237
  polymorphic 237
  quarantined 153
  sample 306
  scanning 21, 240
    across appliances 23
    DAT files 21
    engine 21, 240
    in ICAP 218
    overview 21
    problems 301
  send a sample 44
  VBS/Bubbleboy@MM 240
  W97M/Melissa@MM 240
vulgar words 152
W
warnings
  all attachments removed, not just one 125
  characters missing from disclaimer 122
  complex rules 150
  disclaimer 122
  MIME content advanced settings 126, 166
web browsers
  managing the appliance via 20
  proxying requests 207
web posting 113
web-based email, scanning 117
WebImmune, Avert Labs Threat Center 16
welcome message
  SMTP message processing 141
  SMTP, transparency options 137
wildcards 38, 148
word delimiters 149
word separators 314–322
word, definition of a 149
X
X-EXPS, X-LINKSTATE, XEXCH50 137
X-headers 211, 212
XML, how long are logs kept 261
Z
ZIP 237
zombies 101
zulu, see Coordinated Universal Time 40, 313