No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form
or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE,
LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD,
PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE,
SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc.
and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other
registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,
A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU
DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN
THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.
McAfee Email and Web Security Appliance 5.5 Installation Guide
Introducing McAfee Email and Web Security Appliances
This guide provides the information you need to install the McAfee® Email and Web Security
Appliance 5.5. It gives the steps of the installation process and shows how to verify them.
This guide also demonstrates how to configure the Email and Web Security software. When you
have completed the steps, you will have a fully functional appliance.
Contents
How to use this guide
Definition of terms used in this guide
Graphical conventions
Documentation
Available resources
How to use this guide
This guide helps you to:
• Plan and perform your installation.
• Become familiar with the interface.
• Test that the product functions correctly.
• Apply the latest detection definition files.
• Explore some scanning policies, create reports, and get status information.
• Troubleshoot basic issues.
You can find additional information about the product's scanning features in the online help.
Who should read this guide
The information in this guide is intended primarily for network administrators who are responsible
for their company's anti-virus and security program.
Definition of terms used in this guide
This information defines some key terms used in this guide.
Term: Definition
demilitarized zone (DMZ): A computer host or small network inserted as a buffer between a private network and the outside public network to prevent direct access from outside users to resources on the private network.
DAT files: Detection definition (DAT) files, also called signature files, containing the definitions that identify, detect, and repair viruses, Trojan horses, spyware, adware, and other potentially unwanted programs (PUPs).
operational mode: Three operating modes for the product: explicit proxy mode, transparent bridge mode, and transparent router mode.
policy: A collection of security criteria, such as configuration settings, benchmarks, and network access specifications, that defines the level of compliance required for users, devices, and systems that can be assessed or enforced by a McAfee security application.
Reputation Service check: Part of sender authentication. If a sender fails the Reputation Service check, the appliance is set to close the connection and deny the message. The sender's IP address is added to a list of blocked connections and is automatically blocked in future at the kernel level.
Graphical conventions
Figures in this guide use the following symbols.
• Appliance
• Internet
• Mail server
• Other server (such as DNS server)
• User or client computer
• Router
• Switch
• Firewall
• Network zone (DMZ or VLAN)
• Network
• Actual data path
• Perceived data path
Documentation
This Installation Guide is included with your product. Additional information is available in the
online help included with the product, and other documentation available from the
http://mysupport.mcafee.com website.
Available resources
This information describes where to get more information and assistance.
McAfee products: … and click Search the KnowledgeBase. From the Product list, select Email and Web Security Appliance Software.
Product Guide: McAfee download site. Includes information about basic concepts, policies, protocols (SMTP, POP3, FTP, HTTP, and ICAP), maintenance, and monitoring. You will need your Grant ID number.
Online help: Product interface. Includes information about basic concepts, policies, protocols (SMTP, POP3, FTP, HTTP, and ICAP), maintenance, and monitoring.
Pre-installation
To ensure the safe operation of the product, consider the following before you begin the
installation.
• Familiarize yourself with its operational modes and capabilities. It is important that you
choose a valid configuration.
• Decide how to integrate the appliance into your network and determine what information
you need before you start. For example, the name and IP address for the appliance.
• Unpack the product as close to its intended location as possible.
• Remove the product from any protective packaging and place it on a flat surface.
• Observe all provided safety warnings.
CAUTION: Review and be familiar with all provided safety information.
Contents
What’s in the box
Plan the installation
Inappropriate use
Operating conditions
Positioning the appliance
What’s in the box
To check that all components are present, refer to the packing list supplied with your product.
Generally, you should have:
• An appliance
• Power cords
• Network cables
• Email and Web Security v5.5 installation and recovery CD
• Linux source code CD
If an item is missing or damaged, contact your supplier.
Plan the installation
Before unpacking your blade server, it is important to plan the installation and deployment.
Consider the following:
• Environmental requirements
Information on environmental site requirements, including temperature, airflow, and space
requirements.
• Power requirements and considerations
Power requirements and electrical factors that must be considered before installation.
• Hardware specifications and requirements
• Configuration scenarios
• Preparing for installation.
Inappropriate use
The product is:
• Not a firewall. — You must use it within your organization behind a correctly configured
firewall.
• Not a server for storing extra software and files. — Do not install any software on
the device or add any extra files to it unless instructed by the product documentation or
your support representative. The device cannot handle all types of traffic. If you use explicit
proxy mode, only protocols that are to be scanned should be sent to the device.
Operating conditions
Temperature: 10 to 35°C (50 to 95°F).
Relative humidity: 20% to 80% (non-condensing) with a maximum humidity gradient of 10% per hour.
Maximum vibration: 0.25 G at 3–200 Hz for 15 minutes.
Maximum shock: One shock pulse in the positive z axis (one pulse on each side of the unit) of 31 G for up to 2.6 ms.
Altitude: -16 to 3,048 m (-50 to 10,000 ft.).
Positioning the appliance
Install the appliance so that you can control physical access to the unit and access the ports
and connections.
A rack-mounting kit is supplied with the appliance, allowing you to install the appliance in a
19-inch rack — see Mounting the appliance in a rack.
Considerations about Network Modes
Before you install and configure your Email and Web Security Appliance, you must decide which
network mode to use. The mode you choose determines how you physically connect your
appliance to your network.
You can choose from the following network modes.
• Transparent bridge mode — the device acts as an Ethernet bridge.
• Transparent router mode — the device acts as a router.
• Explicit proxy mode — the device acts as a proxy server and a mail relay.
If you are still unsure about the mode to use after reading this and the following sections,
consult your network expert.
CAUTION: If you plan on deploying one or more scanning blades running McAfee Web Gateway
(formerly WebWasher) software, you must configure your blade server in Explicit Proxy mode.
Architectural considerations about network modes
The main considerations regarding the network modes are:
• Whether communicating devices are aware of the existence of the device. That is, if the
device is operating in one of the transparent modes.
• How the device physically connects to your network.
• The configuration needed to incorporate the device into your network.
• Where the configuration takes place in the network.
Considerations before changing network modes
In explicit proxy and transparent router modes, you can set up the device to sit on more than
one network by setting up multiple IP addresses for the LAN1 and LAN2 ports.
If you change to transparent bridge mode from explicit proxy or transparent router mode, only
the enabled IP addresses for each port are carried over.
TIP: After you select an operational mode, McAfee recommends not changing it unless you
move the device or restructure your network.
Contents
Transparent bridge mode
Transparent router mode
Explicit proxy mode
Transparent bridge mode
In transparent bridge mode, the communicating servers are unaware of the device — the
device’s operation is transparent to the servers.
Figure 1: Transparent communication
In Figure 1: Transparent communication, the external mail server (A) sends email messages
to the internal mail server (C). The external mail server is unaware that the email message is
intercepted and scanned by the device (B).
The external mail server seems to communicate directly with the internal mail server — the
path is shown as a dotted line. In reality, traffic might pass through several network devices
and be intercepted and scanned by the device before reaching the internal mail server.
What the device does
In transparent bridge mode, the device connects to your network using the LAN1 and LAN2
ports. The device scans the traffic it receives, and acts as a bridge connecting two separate
physical networks, but treats them as a single logical network.
Configuration
Transparent bridge mode requires less configuration than transparent router and explicit proxy
modes. You do not need to reconfigure all your clients, default gateway, MX records, Firewall
NAT or mail servers to send traffic to the device. Because the device is not a router in this
mode, you do not need to update a routing table.
Where to place the device
For security reasons, you must use the device inside your organization, behind a firewall.
Figure 2: Single logical network
TIP: In transparent bridge mode, position the device between the firewall and your router, as
shown in Figure 2: Single logical network.
In this mode, you physically connect two network segments to the device, and the device treats
them as one logical network. Because the devices — firewall, device, and router — are on the
same logical network, they must all have compatible IP addresses on the same subnet.
Devices on one side of the bridge (such as a router) that communicate with devices on the
other side of the bridge (such as a firewall) are unaware of the bridge. They are unaware that
traffic is intercepted and scanned, therefore the device is said to operate as a transparent
bridge.
Figure 3: Transparent bridge mode
Transparent router mode
In transparent router mode, the device scans email traffic between two networks. The device
has one IP address for outgoing scanned traffic, and must have one IP address for incoming
traffic.
The communicating network servers are unaware of the intervention of the device — the device’s
operation is transparent to the devices.
What the device does
In transparent router mode, the device connects to your networks using the LAN1 and LAN2
ports. The device scans the traffic it receives on one network, and forwards it to the next
network device on a different network. The device acts as a router, routing the traffic between
networks, based on the information held in its routing tables.
Configuration
Using transparent router mode, you do not need to explicitly reconfigure your network devices
to send traffic to the device. You need only configure the routing table for the device, and
modify some routing information for the network devices on either side of it (the devices
connected to its LAN1 and LAN2 ports). For example, you might need to make the device your
default gateway.
In transparent router mode, the device must join two networks. The device must be positioned
inside your organization, behind a firewall.
NOTE: Transparent router mode does not support Multicast IP traffic or non-IP protocols, such
as NETBEUI and IPX.
Where to place the device
Use the device in transparent router mode to replace an existing router on your network.
TIP: If you use transparent router mode and you do not replace an existing router, you must
reconfigure part of your network to route traffic correctly through the device.
Figure 4: Transparent router mode configuration
You need to:
• Configure your client devices to point to the default gateway.
• Configure the device to use the Internet gateway as its default gateway.
• Ensure your client devices can deliver email messages to the mail servers within your
organization.
Explicit proxy mode
In explicit proxy mode, some network devices must be set up explicitly to send traffic to the
device. The device then works as a proxy or relay, processing traffic on behalf of the devices.
Explicit proxy mode is best suited to networks where client devices connect to the device through
a single upstream and downstream device.
TIP: This might not be the best option if several network devices must be reconfigured to send
traffic to the device.
Network and device configuration
If the device is set to explicit proxy mode, you must explicitly configure your internal mail server
to relay email traffic to the device. The device scans the email traffic before forwarding it, on
behalf of the sender, to the external mail server. The external mail server then forwards the
email message to the recipient.
In a similar way, the network must be configured so that incoming email messages from the
Internet are delivered to the device, not the internal mail server.
Figure 5: Relaying email traffic
The device scans the traffic before forwarding it, on behalf of the sender, to the internal mail
server for delivery, as shown in Figure 5: Relaying email traffic.
For example, an external mail server can communicate directly with the device, although traffic
might pass through several network servers before reaching the device. The perceived path is
from the external mail server to the device.
Protocols
To scan a supported protocol, you must configure your other network servers or client computers
to route that protocol through the device, so that no traffic bypasses the device.
Firewall rules
Explicit proxy mode invalidates any firewall rules set up for client access to the Internet. The
firewall sees only the IP address information for the device, not the IP addresses of the clients,
so the firewall cannot apply its Internet access rules to the clients.
Where to place the device
Configure the network devices so that traffic needing to be scanned is sent to the device. This
is more important than the location of the device.
The router must allow all users to connect to the device.
Figure 6: Explicit proxy configuration
The device must be positioned inside your organization, behind a firewall, as shown in Figure
6: Explicit proxy configuration.
Typically, the firewall is configured to block traffic that does not come directly from the device.
If you are unsure about your network’s topology and how to integrate the device, consult your
network expert.
Use this configuration if:
• The device is operating in explicit proxy mode.
• You are using email (SMTP).
For this configuration, you must:
• Configure the external Domain Name System (DNS) servers or Network Address Translation
(NAT) on the firewall so that the external mail server delivers mail to the device, not to the
internal mail server.
• Configure the internal mail servers to send email messages to the device. That is, the internal
mail servers must use the device as a smart host. Ensure that your client devices can deliver
email messages to the mail servers within your organization.
• Ensure that your firewall rules are updated. The firewall must accept traffic from the device,
but must not accept traffic that comes directly from the client devices. Set up rules to prevent
unwanted traffic entering your organization.
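The three requirements above can be checked against a model of the deployment before it goes live. The following is an added example, not part of the McAfee guide or product: it audits a constructed first-match firewall policy, MX targets, and smart host setting for paths that let SMTP bypass the device. The addresses, the rule model, and the names decide and audit are assumptions made for illustration.

```python
import ipaddress

# Constructed sample deployment: documentation-range placeholder addresses,
# not values taken from the guide.
APPLIANCE = "192.0.2.10"     # the scanning device in explicit proxy mode
MAIL_SERVER = "10.0.0.25"    # internal mail server
CLIENT_NET = "10.0.1.0/24"   # client devices

# Hypothetical rule model (not a vendor syntax): ordered, first match wins.
# Each rule is (action, source, destination, port); "any" matches everything.
WEAK_RULES = [
    ("allow", "any", APPLIANCE, 25),    # mail reaches the device
    ("allow", APPLIANCE, "any", 25),    # device relays scanned mail
    ("allow", CLIENT_NET, "any", 25),   # weak: clients can bypass the device
    ("deny", "any", "any", 25),
]
HARDENED_RULES = [r for r in WEAK_RULES if r[1] != CLIENT_NET]


def _matches(spec, addr):
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def decide(rules, src, dst, port=25):
    """Return the action of the first matching rule (default deny)."""
    for action, r_src, r_dst, r_port in rules:
        if r_port == port and _matches(r_src, src) and _matches(r_dst, dst):
            return action
    return "deny"


def audit(rules, mx_targets, smart_host):
    """Return findings where the deployment lets mail bypass the device.

    mx_targets: addresses that external mail lands on after DNS/NAT.
    smart_host: address the internal mail server relays outbound mail to.
    """
    internet, client = "203.0.113.5", "10.0.1.50"   # constructed probe hosts
    expected = [
        (internet, APPLIANCE, "allow", "external mail must reach the device"),
        (internet, MAIL_SERVER, "deny", "external mail must not skip the device"),
        (APPLIANCE, internet, "allow", "firewall must accept traffic from the device"),
        (client, internet, "deny", "firewall must not accept SMTP from clients"),
        (MAIL_SERVER, internet, "deny", "mail server must relay through the device"),
    ]
    findings = []
    for src, dst, want, why in expected:
        got = decide(rules, src, dst)
        if got != want:
            findings.append(f"{src} -> {dst}:25 is {got}, expected {want}: {why}")
    findings += [f"MX target {mx} is not the device" for mx in mx_targets
                 if mx != APPLIANCE]
    if smart_host != APPLIANCE:
        findings.append(f"smart host is {smart_host}, not the device")
    return findings


if __name__ == "__main__":
    for label, rules, mx, relay in [
        ("weak", WEAK_RULES, [MAIL_SERVER], MAIL_SERVER),
        ("hardened", HARDENED_RULES, [APPLIANCE], APPLIANCE),
    ]:
        print(label, audit(rules, mx, relay) or "no findings")
```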
Deployment Strategies for Using the device in a DMZ
A demilitarized zone (DMZ) is a network separated by a firewall from all other networks, including
the Internet and other internal networks. The typical goal behind the implementation of a DMZ
is to lock down access to servers that provide services to the Internet, such as email.
Hackers often gain access to networks by identifying the TCP/UDP ports on which applications
are listening for requests, then exploiting known vulnerabilities in applications. Firewalls
dramatically reduce the risk of such exploits by controlling access to specific ports on specific
servers.
The device can be added easily to a DMZ configuration. The way you use the device in a DMZ
depends on the protocols you intend to scan.
Contents
SMTP configuration in a DMZ
SMTP configuration in a DMZ
The DMZ is a good location for encrypting mail. By the time the mail traffic reaches the firewall
for the second time (on its way from the DMZ to the internal network), it has been encrypted.
Devices which scan SMTP traffic in a DMZ are usually configured in explicit proxy mode.
Configuration changes need only be made to the MX records for the mail servers.
NOTE: You can use transparent bridge mode when scanning SMTP within a DMZ. However, if
you do not control the flow of traffic correctly, the device scans every message twice, once in
each direction. For this reason, explicit proxy mode is usually used for SMTP scanning.
Mail relay
Figure 7: Device in explicit proxy configuration in a DMZ
If you have a mail relay already set up in your DMZ, you can replace the relay with the device.
To use your existing firewall policies, give the device the same IP address as the mail relay.
Mail gateway
SMTP does not provide methods to encrypt mail messages — you can use Transport Layer
Security (TLS) to encrypt the link, but not the mail messages. As a result, some companies do
not allow such traffic on their internal network. To overcome this, they often use a proprietary
mail gateway, such as Lotus Notes® or Microsoft® Exchange, to encrypt the mail traffic before
it reaches the internal network.