No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form
or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE,
LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD,
PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE,
SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc.
and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other
registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,
A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU
DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN
THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.
McAfee Email and Web Security Appliance 5.1 Installation Guide
Preface
This guide provides the necessary information for installing the McAfee® Email and Web Security
Appliance 5.1. It provides steps and verification of the installation process.
This guide demonstrates how to configure the Email and Web Security software; when you have
completed it, you will have a fully functional appliance.
Contents
Using this guide
Audience
Graphical conventions
Documentation
Using this guide
This guide helps you to:
• Understand the appliance features and functions.
• Plan and perform the appliance installation and deployment.
• Begin to use the appliance.
• Test the appliance in a laboratory environment (optional).
You can find additional information about McAfee Email and Web Security Appliance scanning
features in the online help. This includes information about:
• Basic concepts
• Policies
• Protocols (SMTP, POP3, FTP, HTTP and ICAP)
• Maintenance
• Monitoring
Audience
The information in this guide is intended primarily for network administrators who are responsible
for their company’s anti-virus and security program.
Graphical conventions
Figures in this guide use the following symbols.
• Appliance
• Internet
• Mail server
• Other server (such as DNS server)
• User or client computer
• Router
• Switch
• Firewall
• Network zone (DMZ or VLAN)
• Network
• Actual data path
• Perceived data path
Documentation
This Installation Guide is included with your appliance. Additional information is available in the
online help, and other documentation available from the documentation CD.
Pre-installation
To ensure the safe operation of the Email and Web Security Appliance, consider the following
before you begin the installation.
• Familiarize yourself with its operational modes and capabilities. It is important that you
choose a valid configuration.
• Decide how to integrate the appliance into your network and determine what information
you need before you start. For example, the name and IP address for the appliance.
• Unpack the appliance as close to its intended location as possible.
• Remove the appliance from any protective packaging and place it on a flat surface.
• Observe all provided safety warnings.
CAUTION: Review and be familiar with all safety information provided.
Contents
What’s in the box
Plan the installation
Inappropriate use
Operating conditions
Positioning the appliance
What’s in the box
To check that all appliance components were delivered, refer to the packing list supplied with
your appliance.
Generally, you should have:
• An appliance
• Power cords
• Network cables
• Secure Messaging Gateway v5.0 installation and recovery CD
• Linux source code CD
• Quarantine Manager v5.0 CD
• Documentation CD
If an item is missing or damaged, contact your supplier.
Plan the installation
Before unpacking your appliance, it is important to plan the installation and deployment.
Consider the following:
• How you need to prepare your site.
• Environmental requirements.
• Power requirements and considerations.
• Hardware specifications and requirements.
• Configuration scenarios.
• Preparing for installation.
Inappropriate use
The appliance is:
• Not a firewall.
You must use it within your organization behind a correctly configured firewall.
• Not a server for storing extra software and files.
Do not install any software on the appliance or add any extra files to it unless instructed by
the product documentation or your support representative. The appliance cannot handle all
types of traffic. If you use explicit proxy mode, only protocols that are to be scanned should
be sent to the appliance.
Operating conditions
• Temperature: 10 to 35°C (50 to 95°F).
• Relative humidity: 20% to 80% (non-condensing) with a maximum humidity gradient of 10% per hour.
• Maximum vibration: 0.25 G at 3–200 Hz for 15 minutes.
• Maximum shock: One shock pulse in the positive z axis (one pulse on each side of the unit) of
31 G for up to 2.6 ms.
• Altitude: -16 to 3,048 m (-50 to 10,000 ft.).
Positioning the appliance
Install the appliance so that you can control physical access to the unit and access the ports
and connections.
A rack-mounting kit is supplied with the appliance, allowing you to install the appliance in a
19-inch rack — see Mounting the appliance in a rack.
Considerations about Network Modes
Before you install and configure your appliance, you must decide which network mode to use.
The mode you choose determines how you physically connect your appliance to your network.
You can choose from the following network modes.
• Transparent bridge mode: the appliance acts as an Ethernet bridge.
• Transparent router mode: the appliance acts as a router.
• Explicit proxy mode: the appliance acts as a proxy server and a mail relay.
If you are still unsure about the mode to use after reading this and the following sections,
consult your network expert.
Architectural considerations about network modes
The main considerations regarding the network modes are:
• Whether communicating devices are aware of the existence of the appliance. That is, if the
appliance is operating in one of the transparent modes.
• How the appliance physically connects to your network.
• The configuration needed to incorporate the appliance into your network.
• Where the configuration takes place in the network.
Considerations before changing network modes
In explicit proxy and transparent router modes, you can set up the appliance to sit on more
than one network by setting up multiple IP addresses for the LAN1 and LAN2 ports.
If you change to transparent bridge mode from explicit proxy or transparent router mode, only
the enabled IP addresses for each port are carried over.
TIP: After you select an operational mode, McAfee recommends not changing it unless you
move the appliance or restructure your network.
Contents
Transparent bridge mode
Transparent router mode
Explicit proxy mode
Transparent bridge mode
In transparent bridge mode, the communicating devices are unaware of the appliance — the
appliance’s operation is transparent to the devices.
Figure 1: Transparent communication
In Figure 1: Transparent communication, the external mail server (A) sends email messages
to the internal mail server (C). The external mail server is unaware that the email message is
intercepted and scanned by the appliance (B).
The external mail server seems to communicate directly with the internal mail server — the
path is shown as a dotted line. In reality, traffic might pass through several network devices
and be intercepted and scanned by the appliance before reaching the internal mail server.
What the appliance does
In transparent bridge mode, the appliance connects to your network using the LAN1 and LAN2
ports. The appliance scans the traffic it receives, and acts as a bridge connecting two separate
physical networks, but treats them as a single logical network.
Configuration
Transparent bridge mode requires less configuration than transparent router and explicit proxy
modes. You do not need to reconfigure all your clients, default gateway, MX records, Firewall
NAT or mail servers to send traffic to the appliance. Because the appliance is not a router in
this mode, you do not need to update a routing table.
Where to place the appliance
For security reasons, you must use the appliance inside your organization, behind a firewall.
Figure 2: Single logical network
TIP: In transparent bridge mode, position the appliance between the firewall and your router,
as shown in Figure 2: Single logical network.
In this mode, you physically connect two network segments to the appliance, and the appliance
treats them as one logical network. Because the devices — firewall, appliance, and router —
are on the same logical network, they must all have compatible IP addresses on the same
subnet.
Devices on one side of the bridge (such as a router) that communicate with devices on the
other side of the bridge (such as a firewall) are unaware of the bridge. They are unaware that
traffic is intercepted and scanned, therefore the appliance is said to operate as a transparent
bridge.
Figure 3: Transparent bridge mode
Transparent router mode
In transparent router mode, the appliance scans email traffic between two networks. The
appliance has one IP address for outgoing scanned traffic, and must have one IP address for
incoming traffic.
The communicating network devices are unaware of the intervention of the appliance — the
appliance’s operation is transparent to the devices.
What the appliance does
In transparent router mode, the appliance connects to your networks using the LAN1 and LAN2
ports. The appliance scans the traffic it receives on one network, and forwards it to the next
network device on a different network. The appliance acts as a router, routing the traffic between
networks, based on the information held in its routing tables.
Configuration
Using transparent router mode, you do not need to explicitly reconfigure your network devices
to send traffic to the appliance. You need only configure the routing table for the appliance,
and modify some routing information for the network devices on either side of it (the devices
connected to its LAN1 and LAN2 ports). For example, you might need to make the appliance
your default gateway.
In transparent router mode, the appliance must join two networks. The appliance must be
positioned inside your organization, behind a firewall.
NOTE: Transparent router mode does not support Multicast IP traffic or non-IP protocols, such
as NETBEUI and IPX.
Where to place the appliance
Use the appliance in transparent router mode to replace an existing router on your network.
TIP: If you use transparent router mode and you do not replace an existing router, you must
reconfigure part of your network to route traffic correctly through the appliance.
Figure 4: Transparent router mode configuration
You need to:
• Configure your client devices to point to the default gateway.
• Configure the appliance to use the Internet gateway as its default gateway.
• Ensure your client devices can deliver email messages to the mail servers within your
organization.
Explicit proxy mode
In explicit proxy mode, some network devices must be set up explicitly to send traffic to the
appliance. The appliance then works as a proxy or relay, processing traffic on behalf of the
devices.
Explicit proxy mode is best suited to networks where client devices connect to the appliance
through a single upstream and downstream device.
TIP: This might not be the best option if several network devices must be reconfigured to send
traffic to the appliance.
Network and device configuration
If the appliance is set to explicit proxy mode, you must explicitly configure your internal mail
server to relay email traffic to the appliance. The appliance scans the email traffic before
forwarding it, on behalf of the sender, to the external mail server. The external mail server then
forwards the email message to the recipient.
In a similar way, the network must be configured so that incoming email messages from the
Internet are delivered to the appliance, not the internal mail server.
Figure 5: Relaying email traffic
The appliance scans the traffic before forwarding it, on behalf of the sender, to the internal
mail server for delivery, as shown in Figure 5: Relaying email traffic.
For example, an external mail server can communicate directly with the appliance, although
traffic might pass through several network devices before reaching the appliance. The perceived
path is from the external mail server to the appliance.
Protocols
To scan a supported protocol, you must configure your other network devices or client computers
to route that protocol through the appliance, so that no traffic bypasses the appliance.
Firewall rules
Explicit proxy mode invalidates any firewall rules set up for client access to the Internet. The
firewall sees only the IP address information for the appliance, not the IP addresses of the
clients, so the firewall cannot apply its Internet access rules to the clients.
Where to place the appliance
Configure the network devices so that traffic needing to be scanned is sent to the appliance.
This is more important than the location of the appliance.
The router must allow all users to connect to the appliance.
Figure 6: Explicit proxy configuration
The appliance must be positioned inside your organization, behind a firewall, as shown in Figure
6: Explicit proxy configuration.
Typically, the firewall is configured to block traffic that does not come directly from the appliance.
If you are unsure about your network’s topology and how to integrate the appliance, consult
your network expert.
Use this configuration if:
• The appliance is operating in explicit proxy mode.
• You are using email (SMTP).
For this configuration, you must:
• Configure the external Domain Name System (DNS) servers or Network Address Translation
(NAT) on the firewall so that the external mail server delivers mail to the appliance, not to
the internal mail server.
• Configure the internal mail servers to send email messages to the appliance. That is, the
internal mail servers must use the appliance as a smart host. Ensure that your client devices
can deliver email messages to the mail servers within your organization.
• Ensure that your firewall rules are updated. The firewall must accept traffic from the
appliance, but must not accept traffic that comes directly from the client devices. Set up
rules to prevent unwanted traffic entering your organization.
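An added example, not part of the McAfee guide: a Python check of the three requirements above (MX target, smart host, firewall rules) against a simplified first-match rule table for the perimeter firewall. The addresses, the rule format and the function names are assumptions made for illustration.

```python
import ipaddress

# All addresses are constructed samples (documentation ranges), not from the guide.
APPLIANCE = "192.0.2.10"      # appliance in the DMZ
INTERNAL_MAIL = "10.0.0.25"   # internal mail server
CLIENT = "10.0.1.50"          # a client device
INTERNET = "198.51.100.7"     # an external mail server

def decide(rules, src, dst, port):
    """Return the action of the first matching rule; deny if none match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_port in rules:
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action
    return "deny"

def audit(rules, mx_targets, smart_host):
    """Check MX, smart host and SMTP firewall paths; return findings."""
    findings = [f"MX delivers to {t}, not the appliance"
                for t in mx_targets if t != APPLIANCE]
    if smart_host != APPLIANCE:
        findings.append(f"internal mail server relays via {smart_host}")
    flows = [  # (source, destination, expected action, label), SMTP port 25
        (APPLIANCE, INTERNET, "allow", "appliance outbound"),
        (INTERNET, APPLIANCE, "allow", "inbound to appliance"),
        (CLIENT, INTERNET, "deny", "client bypasses appliance"),
        (INTERNAL_MAIL, INTERNET, "deny", "mail server bypasses appliance"),
        (INTERNET, INTERNAL_MAIL, "deny", "inbound bypasses appliance"),
    ]
    for src, dst, expected, label in flows:
        actual = decide(rules, src, dst, 25)
        if actual != expected:
            findings.append(f"SMTP {label}: firewall would {actual}")
    return findings

# Weak: a broad "internal hosts may send anything out" rule lets SMTP bypass.
WEAK_RULES = [  # (action, source, destination, port or None for any)
    ("allow", "10.0.0.0/8", "0.0.0.0/0", None),
    ("allow", "192.0.2.10/32", "0.0.0.0/0", 25),
    ("allow", "0.0.0.0/0", "192.0.2.10/32", 25),
]
# Corrected: direct SMTP from internal hosts is denied before the broad allow.
FIXED_RULES = [
    ("allow", "192.0.2.10/32", "0.0.0.0/0", 25),
    ("allow", "0.0.0.0/0", "192.0.2.10/32", 25),
    ("deny", "10.0.0.0/8", "0.0.0.0/0", 25),
    ("allow", "10.0.0.0/8", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(name, audit(rules, [APPLIANCE], APPLIANCE))
```

The weak table passes the appliance's own traffic yet still lets clients and the internal mail server send SMTP straight to the Internet, which is the bypass the firewall rules are meant to prevent.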
Deployment Strategies for Using the Appliance in a DMZ
A demilitarized zone (DMZ) is a network separated by a firewall from all other networks, including
the Internet and other internal networks. The typical goal behind the implementation of a DMZ
is to lock down access to servers that provide services to the Internet, such as email.
Hackers often gain access to networks by identifying the TCP/UDP ports on which applications
are listening for requests, then exploiting known vulnerabilities in applications. Firewalls
dramatically reduce the risk of such exploits by controlling access to specific ports on specific
servers.
The appliance can be added easily to a DMZ configuration. The way you use the appliance in
a DMZ depends on the protocols you intend to scan.
Contents
SMTP configuration in a DMZ
SMTP configuration in a DMZ
The DMZ is a good location for encrypting mail. By the time the mail traffic reaches the firewall
for the second time (on its way from the DMZ to the internal network), it has been encrypted.
Appliances which scan SMTP traffic in a DMZ are usually configured in explicit proxy mode.
Configuration changes need only be made to the MX records for the mail servers.
NOTE: You can use transparent bridge mode when scanning SMTP within a DMZ. However, if
you do not control the flow of traffic correctly, the appliance scans every message twice, once
in each direction. For this reason, explicit proxy mode is usually used for SMTP scanning.