eprism Enterprise Tech Notes




Utilizing Microsoft Active Directory for eprism's Directory Services

Context

eprism can integrate with an existing LDAP (Lightweight Directory Access Protocol) directory for user and group information. This tech note explains how to use Active Directory (AD) for personal whitelists, user spam quarantine, policy management, directory authentication, and for rejecting incoming email addressed to recipients that do not exist in AD.

Requirements

- eprism model M1000 or higher
- eprism version 5.0
- Microsoft Active Directory or ADAM (Active Directory Application Mode)

Prerequisite

Results Limit

Active Directory has a default limit of 1000 entries that can be returned from a single LDAP query. With large queries, the results may be truncated. It is recommended that you modify the default maximum page size to ensure that LDAP group and user imports work successfully. For more information, please read the LDAP Overview section in Chapter 4 of the eprism User Guide.

Use the following procedure to modify the default maximum page size limit in Active Directory:

1. Log in to the Active Directory server as an administrator.
2. Open a command prompt window by going to Start -> Run, typing cmd and clicking OK.
3. Enter the following commands (the commands you type follow each prompt; the remaining lines are the tool's prompts and responses):

    C:\>ntdsutil.exe
    ntdsutil: Ldap policies
    ldap policy: connections
    server connections: connect to server localhost
    Binding to localhost
    Connected to localhost using credentials of locally logged on user
    server connections: quit
    ldap policy: set MaxPageSize to 50000
    ldap policy: commit changes
    ldap policy: quit
    ntdsutil: quit

4. Close the command prompt window by typing exit and pressing Enter.

Configuration

Directory Servers

Any directory service feature on the eprism requires at least one directory server entry. Follow the instructions below to create an entry on the directory server page.

1. Go to Basic Config -> Directory Services -> Directory Servers.
2. Click Add.
3. Enter the appropriate information for your Active Directory. For an example, see the screenshot below.

4. Click Apply when finished. Your directory server entry should now be displayed on the page.
5. To test your settings, click the Edit button next to the entry.
6. Click Test to bring up the LDAP query test page.
7. Use the same Bind DN and Password as your directory server entry and click Submit LDAP Query. The results should look something like the example below. If not, please see the FAQ section at the end of this tech note.

    # extended LDIF
    #
    # LDAPv3
    # base with scope sub
    # filter: (objectclass=*)
    # requesting: ALL

    # domain.com
    dn: DC=domain,DC=com
    objectclass: top
    objectclass: domain
    objectclass: domaindns
    distinguishedname: DC=domain,DC=com
    instancetype: 5
    whencreated: 20050407144103.0Z
    whenchanged: 20050408220338.0Z
    subrefs: DC=ForestDnsZones,DC=domain,dc=com
    subrefs: DC=DomainDnsZones,DC=domain,dc=com
    subrefs: CN=Configuration,DC=domain,dc=com
    usncreated: 4098
    usnchanged: 61517
    name: domain
    objectguid:: McgtHFiZCEWw1+xucWw5nQ==
    creationtime: 127573586720324656
    forcelogoff: -9223372036854775808
    lockoutduration: -18000000000
    lockoutobservationwindow: -18000000000
    lockoutthreshold: 0
    maxpwdage: -37108517437440
    minpwdage: -864000000000
    minpwdlength: 7
    modifiedcountatlastprom: 0
    nextrid: 1003
    pwdproperties: 1
    pwdhistorylength: 24
    objectsid:: AQQAAAAAAAUVAAAA/6vP6b2KZf1EEYC+
    serverstate: 1
    uascompat: 1
    modifiedcount: 227

8. Click Done and Cancel when finished testing.

Directory Users

Once you have the directory server configured, you can import the user and group information from Active Directory. To import user information, create an entry on the directory user page using the instructions below.

1. Go to Basic Config -> Directory Services -> Directory Users.
2. Click Add.
3. Select the directory server entry that you configured in the previous section.
4. The default values should work with most implementations of AD. When finished reviewing the values, click Apply.

5. Your directory user entry should now appear on the page along with some new buttons. These buttons allow eprism to import the user information from AD.
6. Click the Import Settings button.
7. Enable the checkbox next to Import User Data to allow automatic scheduling of the import process.
8. Modify the frequency and start time to suit your needs. If you frequently make changes to the user information, select a shorter interval such as hourly.
9. If you are going to use the user spam quarantine feature, enable the Mirror Accounts checkbox as well.
10. Click Apply to save the changes and return to the previous page.
11. Click Import Now to perform an initial import of the user data.

Directory Groups

Directory groups are used in conjunction with policy-based controls. This feature imports groups from an AD server to determine group memberships for the policies. If you are not using policy management, skip this section.

1. Go to Basic Config -> Directory Services -> Directory Groups.
2. Click Add.
3. Select your directory server entry from the drop-down list. The default values will work in most Active Directory implementations.

4. Click Apply.
5. Just as with directory users, eprism needs to import the group information from your directory. Click the Import Settings button.
6. Enable the Import Group Data checkbox and specify a frequency and start time.
7. Click Apply when done.
8. Click Import Now to perform an initial import of the group data.

Reject on Unknown Recipient

eprism can verify that the intended recipients of inbound email exist before delivering the email to the mail server. Reject on Unknown Recipient uses the data imported from directory users to determine whether the recipient addresses are valid. To use the Reject on Unknown Recipient feature, follow the instructions below:

1. Ensure that you have imported the user data from Active Directory, either by clicking the Import Now button under Basic Config -> Directory Services -> Directory Users or by waiting until the automatic schedule has run the import process.
2. Go to Mail Delivery -> Anti-Spam -> Anti-Spam.
3. Enable the checkbox next to Reject on unknown recipient and click Apply.

4. Go to the Activity page and stop, then restart, the mail process.

Remote Authentication

Remote authentication allows users to log in to the eprism without having a local account. eprism can use the existing account information in your Active Directory to authenticate users for the trusted sender feature, the user spam quarantine and even the Outlook Web Access proxy.

1. Go to User Accounts -> Remote Auth.
2. Under the LDAP Sources section, click New.
3. Select your directory server entry from the drop-down list and click Apply.
4. While still on the User Accounts -> Remote Auth page, scroll down to the Default LDAP/RADIUS User Profile section and make sure that the checkbox for This eprism Email Security Appliance is enabled. This allows remote authentication to work properly with the trusted sender feature and spam quarantine.

5. Click Apply when finished.
6. Go to Basic Config -> Network.
7. Scroll down to the network interface sections.
8. Enable the eprism mail client checkbox under the network interface that users will connect to for their trusted sender list or spam quarantine.
9. Click Apply when completed. Any changes to this page require a reboot.

Trusted Senders

The trusted sender feature allows users to create their own personal whitelists based on the sender's email address. For more information, please read the Trusted Senders section in Chapter 6 of the eprism User Guide. To use directory services with trusted senders:

1. Configure directory users as described in the previous sections.
2. Enable remote authentication.
3. Go to Mail Delivery -> Anti-Spam -> Trusted Senders.
4. Click the Enable checkbox.
5. Type in the email domain name and click Apply. The email domain is the part after the @ symbol (e.g. domain.com for user@domain.com).

6. Go to User Accounts -> Secure WebMail.
7. Under the Access Types section, enable the checkbox next to Trusted Senders.
8. Click Apply.

To add entries to the trusted sender list, users must log in to the eprism secure webmail using the instructions below:

1. Open a browser and bring up the eprism login page by entering https://ipaddress_of_your_eprism (e.g. https://192.168.xxx.yyy).
2. Enter the user's Windows account name and password and then click Login.
3. Use the navigation icons on the left and click Trusted Senders.
4. To whitelist an email address, enter it in the textbox and click Add.
5. Click Logout when finished.
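The LDIF returned by the LDAP query test in the Directory Servers section deserves a closer read than a pass/fail glance: the domain object it returns carries the domain SID and the domain-wide password and lockout policy, which is the policy the appliance will be authenticating webmail and quarantine users against once remote authentication is on. The Python below is an added example, not part of this tech note and not eprism code. It parses that LDIF (including the base64 objectsid and objectguid values), decodes the SID and converts the policy attributes, which Active Directory stores as negative counts of 100-nanosecond ticks. parse_ldif, decode_sid, ad_interval, password_policy and summarize are this example's own names; SAMPLE_LDIF is the note's own sample output trimmed to the attributes used.

```python
"""Reader for the LDAP query test output in the Directory Servers section.
Added example, not eprism code: parses the LDIF, decodes the base64 objectSid
and translates the domain's password/lockout attributes, which Active Directory
stores as negative 100-nanosecond intervals. SAMPLE_LDIF is the tech note's
own sample output trimmed to the attributes used here."""
import base64
import struct
from datetime import timedelta

SAMPLE_LDIF = """\
# extended LDIF
# filter: (objectclass=*)
# requesting: ALL

# domain.com
dn: DC=domain,DC=com
objectclass: top
objectguid:: McgtHFiZCEWw1+xucWw5nQ==
forcelogoff: -9223372036854775808
lockoutduration: -18000000000
lockoutthreshold: 0
maxpwdage: -37108517437440
minpwdage: -864000000000
minpwdlength: 7
pwdproperties: 1
pwdhistorylength: 24
objectsid:: AQQAAAAAAAUVAAAA/6vP6b2KZf1EEYC+
"""

NEVER = -(2 ** 63)             # AD sentinel for "never" (forcelogoff above)
DOMAIN_PASSWORD_COMPLEX = 0x1  # pwdProperties bit: complexity required


def parse_ldif(text):
    """Entries as dicts of lowercase attribute -> list of values; handles
    comments, folded lines (leading space) and base64 'attr::' values (bytes)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of previous line
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def decode_sid(blob):
    """Binary SID -> 'S-R-A-...': revision, sub-authority count, 6-byte
    big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def ad_interval(value):
    """Negative 100-ns tick count -> timedelta, or None for the 'never' sentinel."""
    ticks = int(value)
    return None if ticks == NEVER else timedelta(microseconds=abs(ticks) // 10)


def password_policy(entry):
    """Domain-level password and lockout policy from a parsed domain entry."""
    return {
        "min_length": int(entry["minpwdlength"][0]),
        "history": int(entry["pwdhistorylength"][0]),
        "max_age": ad_interval(entry["maxpwdage"][0]),
        "min_age": ad_interval(entry["minpwdage"][0]),
        "complexity": bool(int(entry["pwdproperties"][0]) & DOMAIN_PASSWORD_COMPLEX),
        "lockout_threshold": int(entry["lockoutthreshold"][0]),
        "lockout_duration": ad_interval(entry["lockoutduration"][0]),
    }


def summarize(text=SAMPLE_LDIF):
    """DN, domain SID and policy; a threshold of 0 means accounts never lock out."""
    entry = parse_ldif(text)[0]
    policy = password_policy(entry)
    return {"dn": entry["dn"][0], "domain_sid": decode_sid(entry["objectsid"][0]),
            "policy": policy, "lockout_enabled": policy["lockout_threshold"] > 0}


if __name__ == "__main__":
    print(summarize())
```

Run as a script it prints the summary for the note's sample; on a real appliance, paste the query test output in place of SAMPLE_LDIF. In the sample, lockoutthreshold is 0, so the 30-minute lockoutduration is never applied: accounts never lock out, and every webmail and quarantine login the appliance accepts is a plain password check against that domain. That is the kind of finding to raise with the directory team before enabling remote authentication on an Internet-facing interface.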

User Spam Quarantine

The user spam quarantine redirects spam into a local storage area for each individual user. Users can log in to the eprism and manage their own quarantined spam. Quarantined messages can then be released, deleted or even added to the user's trusted sender list. To configure user spam quarantine with Active Directory:

1. Ensure that the LDAP users are imported and mirrored properly by going to User Accounts -> Mirror Accounts.
2. Go to Mail Delivery -> Anti-Spam -> Spam Quarantine.
3. Click the Enable Spam Quarantine checkbox. The default settings should suffice, but you can modify them as necessary.
4. Click Apply when done.
5. Go to User Accounts -> Secure WebMail.
6. Under the Access Types section, enable the checkbox for Personal Quarantine Controls and click Apply.

Once the user spam quarantine has been set up, the anti-spam controls must be configured to use it. Use the following instructions to have each anti-spam control move spam into the individual quarantine areas:

1. For Pattern Based Message Filtering, go to Mail Delivery -> Anti-Spam -> PBMF.
2. Click Preferences.
3. Change the action to Redirect to and type the eprism's fully-qualified domain name (FQDN) in the action data textbox. If you do not know the FQDN, use the hostname and domain name under Basic Config -> Network (e.g. myeprism.domain.com).
4. Click Apply on the PBMF preference page to save your changes. Any PBMF entry with an action of spam will now be moved to the user spam quarantine.
5. For the Real-Time Blackhole List, go to Mail Delivery -> Anti-Spam -> RBL.
6. Change the action to Redirect to.
7. In the action data textbox, enter the same FQDN as before and click Apply.
8. For the Distributed Checksum Clearinghouse, go to Mail Delivery -> Anti-Spam -> DCC.
9. Use the Redirect to action along with the eprism's FQDN and click Apply.
10. For Statistical Token Analysis, go to Mail Delivery -> Anti-Spam -> STA.
11. On the upper threshold, change the action to Redirect to and enter the eprism's FQDN in the action data. The STA mode needs to be set to Scanning and Training for the upper threshold to quarantine spam properly. However, make sure that you have at least a week's worth of email before switching the STA mode from Training Only.
12. Click Apply when finished.

Spam will now be redirected to the individual spam quarantines. To view the quarantined spam:

1. Open a browser and bring up the eprism login page by entering https://ipaddress_of_your_eprism (e.g. https://192.168.xxx.yyy).
2. Enter the user's Windows account name and password and then click Login.
3. Use the navigation icons on the left and click Spam Quarantine. You will then be able to view, delete, release or whitelist any quarantined spam from this screen.
4. Click Logout when finished.

Policy Management

eprism's policy controls allow different settings to be applied to users based on their group membership. Policy management can integrate with LDAP to use your existing AD security and distribution groups. The settings that can be customized include:

- Annotations
- Inbound Attachment Control
- Outbound Attachment Control
- Anti-Virus
- Distributed Checksum Clearinghouse (DCC)
- Statistical Token Analysis (STA)

To integrate policy management with LDAP, follow the procedure below:

1. Ensure that you have imported the group information from Active Directory, either by clicking the Import Now button under Basic Config -> Directory Services -> Directory Groups or by waiting until the automatic schedule has run the import process.
2. Go to Mail Delivery -> Policy.
3. Click the Default Policy entry in the list to configure the default settings first.
4. Click Apply when finished.
5. Click the Add Groups button.
6. Select the group(s) for which you would like customized policy settings and click Add. Each group that you selected should now have an entry listed on the page.
7. Go through each entry and customize the settings for your group(s) as shown in the example below.
8. Click Apply when finished.
9. After each group has been customized, enable the policy management feature by clicking the Enable Policy button on the Mail Delivery -> Policy page.
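Reject on Unknown Recipient, described earlier, decides each RCPT TO from the locally cached copy of the directory-user import, which is why the Results Limit prerequisite at the top of this note matters: an import cut off at Active Directory's default MaxPageSize leaves real mailboxes out of the cache, and the appliance then rejects mail to them. The Python below is an added example, not eprism code and not a description of the appliance's internals. make_directory builds a constructed user population, ldap_search is a stand-in for the import's LDAP search that mimics the MaxPageSize cut-off with and without the paged-results control, and build_recipient_index and check_recipient are this example's own model of the cache and the per-recipient decision, including the assumptions that addresses compare case-insensitively and that disabled accounts (userAccountControl bit 0x2) are left out unless asked for.

```python
"""Constructed simulation of the two data paths that meet in Reject on Unknown
Recipient: the scheduled directory-user import (where the Results Limit
prerequisite bites) and the per-recipient lookup at SMTP time.
Added example, not eprism code; entry layout, the fake search and the
decision strings are this example's assumptions."""
from dataclasses import dataclass, field

AD_DEFAULT_MAX_PAGE_SIZE = 1000  # the limit the tech note raises with ntdsutil
ACCOUNTDISABLE = 0x2             # userAccountControl bit


@dataclass
class DirectoryUser:
    dn: str
    mail: str
    proxy_addresses: list = field(default_factory=list)
    user_account_control: int = 512  # NORMAL_ACCOUNT


def make_directory(n_users, domain="domain.com"):
    """Constructed AD population: n mailbox users plus one disabled leaver."""
    users = [
        DirectoryUser(
            dn="CN=user%d,CN=Users,DC=domain,DC=com" % i,
            mail="user%d@%s" % (i, domain),
            proxy_addresses=["SMTP:user%d@%s" % (i, domain),
                             "smtp:u%d@%s" % (i, domain),   # secondary alias
                             "X500:/o=Org/ou=First/cn=Recipients/cn=user%d" % i],
        )
        for i in range(n_users)
    ]
    users.append(DirectoryUser("CN=leaver,CN=Users,DC=domain,DC=com",
                               "leaver@" + domain, user_account_control=514))
    return users


def ldap_search(users, page_size=AD_DEFAULT_MAX_PAGE_SIZE, paged=False):
    """Stand-in for the import's search. Without the paged-results control the
    server hands back at most MaxPageSize entries; with it the client keeps
    asking with a cookie until a short page arrives."""
    if not paged:
        return users[:page_size]
    results, cookie = [], 0
    while True:
        page = users[cookie:cookie + page_size]
        results.extend(page)
        cookie += len(page)
        if len(page) < page_size:
            return results


def smtp_addresses(user):
    """Every SMTP address an object answers to: mail plus smtp:/SMTP: proxies."""
    addrs = {user.mail.lower()} if user.mail else set()
    for proxy in user.proxy_addresses:
        kind, _, addr = proxy.partition(":")
        if kind.lower() == "smtp" and addr:
            addrs.add(addr.lower())
    return addrs


def build_recipient_index(users, local_domains, include_disabled=False):
    """The locally cached recipient list that the SMTP-time check consults."""
    local = {d.lower() for d in local_domains}
    index = set()
    for user in users:
        if not include_disabled and user.user_account_control & ACCOUNTDISABLE:
            continue
        index.update(a for a in smtp_addresses(user) if a.rpartition("@")[2] in local)
    return index


def check_recipient(rcpt, index, local_domains):
    """Decision for one RCPT TO. Only local domains are checked; anything else
    is left to relay policy, which this example does not model."""
    if rcpt.rpartition("@")[2].lower() not in {d.lower() for d in local_domains}:
        return "not-local"
    return "accept" if rcpt.lower() in index else "550 unknown recipient"


def demo(n_users=1200, paged=False):
    """Import with or without paging, then test a few recipients."""
    users = make_directory(n_users)
    index = build_recipient_index(ldap_search(users, paged=paged), ["domain.com"])
    probes = ["user0@domain.com", "U5@Domain.COM", "u7@domain.com",
              "user%d@domain.com" % (n_users - 1), "leaver@domain.com",
              "nobody@domain.com", "user0@other.example"]
    return {"cached": len(index),
            "decisions": {p: check_recipient(p, index, ["domain.com"]) for p in probes}}


if __name__ == "__main__":
    for paged in (False, True):
        print("paged=%s" % paged, demo(paged=paged))
```

With 1200 constructed users, the unpaged run caches 1000 of them and answers 550 for user1199, a perfectly valid mailbox; the paged run caches all of them. The same mechanism explains two operational effects of the import schedule: an account created after the last import is rejected until the next one, and a leaver's address keeps being accepted (and quarantined) until the import that removes it, so pick the import frequency from how often the directory actually changes, as step 8 of the Directory Users section suggests.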

FAQs

Question 1: What is ADAM?

Answer 1: Microsoft ADAM (Active Directory Application Mode) is an LDAP directory that runs as a user service rather than a system service. ADAM uses the same core Microsoft directory technologies as Active Directory but does not require domain controllers, forests, domains, etc. You can also run multiple instances of ADAM on the same system and even install it on non-server operating systems like Windows XP. For more information about ADAM, please see http://www.microsoft.com/windowsserver2003/adam/default.mspx.

Question 2: When I run the LDAP query test, I get an error:

    Could not create LDAP session handle (5): Compare False

Answer 2: Your URI entry is incorrectly formatted. It should look like ldap://ipaddressorhostname, or ldaps://ipaddressorhostname for LDAP over SSL (LDAPS). Do not capitalize the ldap:// portion, as it is case-sensitive.

Question 3: The URI is properly formatted, but now I get the following error message when running the LDAP query test:

    ldap_bind: Can't contact LDAP server (81)

Answer 3: Verify that eprism can reach your AD server by checking the following items:

- Check that the IP address or hostname for the AD server is correct. You can test whether the hostname resolves to the proper IP address by going to Status/Reporting -> Status & Utility -> Hostname Lookup.
- Make sure that eprism can actually connect to your AD server. Try pinging the server from the Status/Reporting -> Status & Utility -> Ping menu. If the pings fail, check whether ICMP echo requests and echo replies are allowed, or whether there are any network routing or connectivity issues.
- LDAP uses port 389/TCP for client-to-server communications. Check for any firewalls, filtering devices or IPsec policies preventing the eprism from connecting to port 389/TCP (or 636/TCP for LDAPS) on the AD server.
- If there is a NAT device between the eprism and the AD server, ensure that the source and destination addresses are being translated correctly.
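Answers 2 and 3 (together with the global catalog ports in Answer 9 below) come down to two questions: is the URI in the shape the appliance accepts, and is there a TCP path to the right port. The Python below is an added example, not eprism code, for checking both from an administrator's workstation before touching the appliance. parse_ldap_uri, tcp_reachable and diagnose are this example's own functions; the rule that only scheme://host[:port] is accepted (no base DN or other path in the URI) is this example's assumption about the directory server page, and the port pairings (389/636, and 3268/3269 for the global catalog) are the ones the answers state.

```python
"""Checks for the directory server URI and the TCP path to it, mirroring
Answers 2 and 3 (and the global catalog ports in Answer 9).
Added example, not eprism code; the accepted URI shape and the error texts
are this example's assumptions."""
import socket
from urllib.parse import urlsplit

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}           # Answer 3
GLOBAL_CATALOG_PORT = {3268: "ldap", 3269: "ldaps"}  # Answer 9


def parse_ldap_uri(uri):
    """Validate a URI the way the tech note expects it and return its parts.
    Raises ValueError with the reason, which is more useful than the
    appliance's own 'Could not create LDAP session handle' message."""
    scheme, sep, _ = uri.partition("://")
    if not sep:
        raise ValueError("missing '://' (expected ldap://host or ldaps://host)")
    if scheme != scheme.lower():
        raise ValueError("scheme '%s' must be lowercase; it is case-sensitive" % scheme)
    if scheme not in DEFAULT_PORT:
        raise ValueError("scheme '%s' is neither ldap nor ldaps" % scheme)
    parts = urlsplit(uri)
    if not parts.hostname:
        raise ValueError("missing host name or IP address")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("only scheme://host[:port] is expected; the base DN has its own field")
    try:
        port = parts.port or DEFAULT_PORT[scheme]
    except ValueError:
        raise ValueError("port is not a number") from None
    gc_scheme = GLOBAL_CATALOG_PORT.get(port)
    if gc_scheme and gc_scheme != scheme:
        raise ValueError("port %d is the global catalog %s port; use %s://" % (port, gc_scheme, gc_scheme))
    return {"scheme": scheme, "host": parts.hostname, "port": port,
            "tls": scheme == "ldaps", "global_catalog": gc_scheme is not None}


def tcp_reachable(host, port, timeout=3.0):
    """Can we open the LDAP port at all? A socket-level counterpart to the
    Ping / Hostname Lookup checks in Answer 3: a firewall, IPsec policy or NAT
    mistake shows up here before any bind is attempted. Returns (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected to %s:%d" % (host, port)
    except OSError as exc:  # includes DNS failure, refusal and timeout
        return False, str(exc)


def diagnose(uri):
    """One report line combining both checks; no connection is attempted
    for a URI that fails validation."""
    try:
        info = parse_ldap_uri(uri)
    except ValueError as exc:
        return "URI rejected: %s" % exc
    ok, detail = tcp_reachable(info["host"], info["port"])
    return "%s port %d %s: %s" % ("LDAPS" if info["tls"] else "LDAP", info["port"],
                                  "reachable" if ok else "unreachable", detail)


if __name__ == "__main__":
    import sys
    samples = ["ldap://192.168.1.10", "ldaps://192.168.1.10:3269", "LDAP://192.168.1.10"]
    for uri in sys.argv[1:] or samples:
        print(uri, "->", diagnose(uri))
```

A reachable port does not prove the bind will succeed (that is Answer 4's territory), but an unreachable one rules out credential problems entirely, which is the order the FAQ walks through. Where a NAT device sits between the two, run the probe from a host on the appliance's side of it, since what matters is the translated path, not the workstation's.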
Question 4: Importing the directory user or group information keeps failing. I tried using the LDAP query test to verify my configuration and got this error message:

    ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece

Answer 4: Invalid credential messages indicate that either the bind DN or the bind password is incorrect. Verify that both the password and the bind DN are correct. If you are unsure what exactly the bind DN should be, use an LDAP utility such as LDP from the Windows 2000 Support Tools to verify your entry. For more information on using LDP, please see Microsoft KB article 255602 at http://support.microsoft.com/default.aspx?scid=kb;en-us;255602.

Question 5: How do I use the new LDAP recipient feature with Reject on Unknown Recipient?

Answer 5: The LDAP recipient feature currently requires Active Directory to allow anonymous binds and requires all user accounts to be placed in one container. These limitations are removed in the next update, so we recommend not using it until the update has been released. Reject on Unknown Recipient can still use the locally cached data that was imported from directory users, regardless of the LDAP recipient feature.

Question 6: We have more than one email domain for our organization. How do I enter additional internal domains for trusted senders?

Answer 6: The trusted sender feature currently supports only one internal email domain.

Question 7: Is there a way to whitelist an entire domain under trusted senders?

Answer 7: Only full email addresses can be whitelisted in the trusted sender list. To whitelist an entire domain, use PBMF filters, located under Mail Delivery -> Anti-Spam -> PBMF. Please refer to Chapter 6 of the eprism User Guide for more information on PBMF.

Question 8: Can I use Outlook to retrieve my quarantined spam messages?

Answer 8: Yes. eprism supports IMAP and IMAPS for accessing the user spam quarantine. To enable and configure IMAP/IMAPS access, please refer to Chapter 7 of the User Guide.

Question 9: We have multiple domains in our Active Directory forest. How can I configure eprism to query the global catalog server?

Answer 9: A global catalog server contains the AD information for objects within its own domain plus a replica of the AD information for objects in the other domains of the forest. To perform queries against the global catalog server, modify your directory server entry to point to the global catalog server and use TCP port 3268 instead (e.g. ldap://192.168.1.10:3268).
For secured LDAP queries over SSL, use ldaps:// in the URI and TCP port 3269 (e.g. ldaps://192.168.1.10:3269).

Contact Information

Technical Support - USA, Canada, Pacific Rim and Latin America:
Hours of Support - Pacific Time 7:00 am to 4:00 pm, excluding holidays
Tel: 1-858-676-5050
Fax: 1-858-676-5055
Email: eprism-support@stbernard.com

Technical Support - Europe, Middle East, Africa:
Hours of Support - UTC 08:30 to 17:30, excluding holidays
Tel: +44-1276-401642
Fax: +44-1276-684479
Email: support@uk.stbernard.com