Symantec 10547829 - Mail Security For Smtp 5.0 Smb, Mail Security Appliance Installation Manual

Page 1
Symantec Mail Security Appliance Installation Guide
Symantec Information Foundation
Page 2
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Legal Notice
Copyright © 2007 Symantec Corporation.
All rights reserved.
Symantec, the Symantec Logo, and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Page 3
Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014
http://www.symantec.com
Page 4
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s maintenance offerings include the following:
A range of support options that give you the flexibility to select the right amount of service for any size organization
A telephone and web-based support that provides rapid response and up-to-the-minute information
Upgrade insurance that delivers automatic software upgrade protection
Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
Advanced features, including Technical Account Management
For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:
www.symantec.com/techsupp/
Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you are using.
Contacting Technical Support
Customers with a current maintenance agreement may access Technical Support information at the following URL:
www.symantec.com/techsupp/
Select your region or language under Global Support.
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.
Page 5
When you contact Technical Support, please have the following information available:
Product release level
Hardware information
Available memory, disk space, and NIC information
Operating system
Version and patch level
Network topology
Router, gateway, and IP address information
Problem description:
Error messages and log files
Troubleshooting that was performed before contacting Symantec
Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/techsupp/
Select your region or language under Global Support, and then select the Licensing and Registration page.
Customer service
Customer service information is available at the following URL:
www.symantec.com/techsupp/
Select your country or language under Global Support.
Customer Service is available to assist with the following types of issues:
Questions regarding product licensing or serialization
Product registration updates such as address or name changes
General product information (features, language availability, local dealers)
Latest information about product updates and upgrades
Information about upgrade insurance and maintenance contracts
Information about the Symantec Value License Program
Page 6
Advice about Symantec's technical support options
Nontechnical presales questions
Issues that are related to CD-ROMs or manuals
Maintenance agreement resources
If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
Asia-Pacific and Japan: contractsadmin@symantec.com
Europe, Middle-East, and Africa: semea@symantec.com
North America and Latin America: supportsolutions@symantec.com
Additional Enterprise services
Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:
Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.
Page 7
To access more information about Enterprise services, please visit our Web site at the following URL:
www.symantec.com
Select your country or language from the site index.
Page 8
Page 9
Contents
Technical Support
Chapter 1 Planning your deployment
  General deployment considerations ... 11
    MTA usage ... 11
    Configuring Scanners ... 11
    Positioning with other filtering products ... 12
    Filtering internal deliveries ... 12
    LDAP services ... 12
    Load balancing ... 13
    Adjusting MX records ... 13
  Deployment models ... 14
    Basic gateway deployment ... 14
    Multi-tier gateway deployment ... 15
    Post-gateway deployment ... 17
Chapter 2 Understanding system requirements
  Factors that affect performance ... 19
    Environmental factors that affect performance ... 19
    Settings that affect performance ... 20
  Ports used by Symantec Mail Security ... 21
    Configuring your firewall for connections to public IM network servers ... 24
Chapter 3 Setting up the Symantec Mail Security Appliance
  Before you set up your appliance ... 25
    Compatible browsers ... 26
    Configuring SSH clients to log into an appliance ... 26
    Configuring your DNS for IM filtering ... 27
  How to set up the appliance ... 28
    Configuring your network to include the new appliance ... 29
    Understanding key indicators and controls for rack-mounted appliances ... 29
    Initialize your new appliance ... 30
Page 10
    Registering your system ... 33
    Updating a new appliance to the latest software ... 35
    Setting up a Control Center with optional Scanner ... 35
    Setting up a Scanner ... 40
    Completing setup ... 44
  Logging in and logging out ... 45
    Having trouble logging in or out? ... 49
  Migrating to Symantec Mail Security 7.5 ... 49
    Migration considerations ... 49
    Backing up existing Control Center data ... 51
    Running software update ... 52
Index
Page 11
Chapter 1 Planning your deployment
This chapter includes the following topics:
General deployment considerations
Deployment models
General deployment considerations
This section provides information about integrating Symantec Mail Security into your network.
Note: Multiple Scanner scenarios are common for organizations with system failover needs or high mail scanning throughput requirements.
MTA usage
Symantec Mail Security contains a Message Transfer Agent (MTA), which processes and relays messages to support filtering activities.
Note: Symantec Mail Security provides neither mailbox access for end users nor message storage. You must provide an MTA for use in your email infrastructure.
Configuring Scanners
During installation, you can use a wizard to add a Scanner. Depending on your filtering requirements and messaging environment, you may want to deploy multiple Scanners. In such cases, you can dedicate Scanners to specific functions. For example, you might want one Scanner to filter inbound mail, another to filter outbound mail, and another to filter instant messages.
Page 12
Positioning with other filtering products
In order for Symantec Mail Security's spam and Content Compliance filters to function properly, you should avoid placing the product behind other filtering products (such as content filters) or MTAs that alter or remove pre-existing message headers or modify the message body.
Filtering internal deliveries
You can force internal mail through Symantec Mail Security to avoid propagation of viruses and spam generated by email mass-mailing worms that may have been picked up by individuals via Web browsing or downloading.
LDAP services
LDAP (Lightweight Directory Access Protocol) is a directory name service that allows organizations to structure email directory data according to the organization's own structure, whether by location, business unit, department, or other criteria. Organizations with multiple internal mail hosts rely on centralized LDAP servers to synchronize changes made to email directories across the organization. Symantec Mail Security supports LDAP services to authenticate user access to Spam Quarantine and to synchronize email directory information stored in the Control Center with LDAP directories. These services synchronize LDAP user, alias, and group directory data with the Control Center's own directory data stores for subsequent replication to attached and enabled Scanners. They convert the data to formats compatible with Spam Quarantine, Scanner, and Control Center data stores while minimizing impact on directory infrastructure. If your organization uses an LDAP server, Symantec Mail Security must be configured so that it can access LDAP directories and update the Control Center's data stores.
The Control Center can use directory information from LDAP servers at your site for any of the following purposes:
Authentication: The Control Center can use data from your LDAP server to determine whether users are allowed access to Quarantine. The Control Center authenticates users by checking their user-name and password data directly against the LDAP source.
Page 13
Synchronization: The Control Center can synchronize user and group email address data from your LDAP server and replicate it to Scanners. This data is then used to validate message recipients, apply policies to groups, recognize directory harvest attacks, and expand distribution lists (aliases). LDAP-authenticated user and group email address data are cached in the Control Center for subsequent replication to Scanners but are not written back to the LDAP source.
Routing: The Control Center uses LDAP user and password data to route email messages based on alias and/or transport specification to specified domains.
Symantec Mail Security supports the following LDAP directory types:
Windows 2000 Active Directory
Windows 2003 Active Directory
Sun Directory Server 5.2 (formerly known as the iPlanet Directory Server)
Note: If you are using Sun Directory Server 5.2, you must update to patch 4 to address some changelog issues that arose in patch 3.
Exchange 5.5
Lotus Domino LDAP Server 6.5
Load balancing
Symantec Mail Security is not intended to be used for load balancing. Administrators can associate only one host name or IP address as the MTA to which email is relayed. You must implement multiple Scanners to perform load balancing.
Adjusting MX records
When you implement Symantec Mail Security in front of a separate MTA that receives inbound messages, you must change the DNS mail exchange (MX) records. The records must point incoming messages to the system. Symantec Mail Security should have a higher priority than the existing MTA.
However, if you simply list Symantec Mail Security as a higher-weighted MX record in addition to the existing MX record, spammers can look up the previous MTA's MX record. This allows them to send spam directly to the old server, bypassing your spam filtering. To prevent spammers from circumventing the new spam-filtering servers, you should do one of the following:
Page 14
The MX record should point at your Symantec Mail Security. Do not point the MX record at downstream MTAs.
Remove the previous MTA's MX record from DNS.
Block off the MTA from the Internet using a firewall.
Modify the firewall's network address translation (NAT) tables to route external IP addresses to internal non-routable IP addresses. You can then map from the old server to Symantec Mail Security.
When naming Symantec Mail Security, ensure that the name you choose does not imply its function. For example, antispam.yourdomain.com, symantec.yourdomain.com, or antivirus.yourdomain.com are not good choices.
If you want to send mail to a downstream MTA, you can use a load balancer.
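The MX guidance above can be checked mechanically. The following Python sketch is an added example, not part of the Symantec guide: it parses MX records from constructed zone text for the reserved domain example.test and reports MX targets that let mail skip the filtering gateway, plus gateway names that reveal their function. The host names, finding labels and function names are assumptions made for the example.

```python
import re

# Role-revealing labels: exactly the three names the guide gives as bad choices.
ROLE_HINTS = ("antispam", "symantec", "antivirus")

# Matches "<owner> [ttl] [IN] MX <preference> <target>" in zone-file style text.
MX_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?MX\s+(?P<pref>\d+)\s+(?P<target>\S+)",
    re.IGNORECASE,
)


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def parse_mx(zone_text):
    """Return (owner, preference, target) for every MX record in the text."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip zone-file comments
        m = MX_LINE.match(line)
        if m:
            records.append(
                (normalize(m["owner"]), int(m["pref"]), normalize(m["target"]))
            )
    return records


def audit_mx(records, gateways):
    """Flag MX records that contradict the guide's advice.

    UNFILTERED_PRIMARY: a non-gateway host is preferred at least as much as
                        the gateway, so ordinary mail is delivered unfiltered.
    BYPASS_MX:          a non-gateway host is still published as a lower
                        priority MX, so a sender can choose to deliver to it.
    ROLE_IN_NAME:       the gateway's host name advertises what it does.
    """
    gateways = {normalize(g) for g in gateways}
    by_owner = {}
    for owner, pref, target in records:
        by_owner.setdefault(owner, []).append((pref, target))

    findings = []
    for owner, mxs in sorted(by_owner.items()):
        gw_prefs = [p for p, t in mxs if t in gateways]
        best_gw = min(gw_prefs) if gw_prefs else None  # lowest number wins
        for pref, target in sorted(mxs):
            if target not in gateways:
                if best_gw is None or pref <= best_gw:
                    findings.append(("UNFILTERED_PRIMARY", owner, target))
                else:
                    findings.append(("BYPASS_MX", owner, target))
            elif any(h in target.split(".", 1)[0] for h in ROLE_HINTS):
                findings.append(("ROLE_IN_NAME", owner, target))
    return findings


# Constructed sample data; example.test and 192.0.2.0/24 are reserved for examples.
GATEWAYS = {"mx1.example.test", "antispam.example.test"}
SAMPLE_ZONE = """
; constructed zone data for the example
example.test.        3600 IN MX 10 mx1.example.test.
example.test.        3600 IN MX 20 exchange.example.test.  ; previous MTA left in DNS
branch.example.test. 3600 IN MX 5  antispam.example.test.
branch.example.test. 3600 IN MX 5  legacy.example.test.
mx1.example.test.    3600 IN A  192.0.2.10
"""

if __name__ == "__main__":
    for code, owner, target in audit_mx(parse_mx(SAMPLE_ZONE), GATEWAYS):
        print(f"{code:20} {owner:22} -> {target}")
```

A clean result covers DNS only; the previous MTA must also be unreachable from the Internet, which the guide handles at the firewall.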
Deployment models
You can deploy Symantec Mail Security in the following ways:
Basic gateway deployment
Multi-tier gateway deployment
Post-gateway deployment
Basic gateway deployment
This is the simplest deployment model. Symantec Mail Security resides at the outermost gateway layer inside the enterprise firewall. It provides Secure Email Services by relaying inbound mail to other relay layers or to the user-facing mail server layer. Symantec Mail Security routes outbound mail through local relay for delivery to local domain addresses or through the firewall to the Internet. Inbound and outbound mail are both processed on one Ethernet NIC through a single IP address. Inbound and outbound traffic can be logically separated by assigning one to the physical IP and the other to a virtual IP address or by assigning inbound and outbound traffic to separate ports (such as 25 and 26).
On all configured server computers, port 443 must be configured to permit outbound connections to Symantec to download content updates.
Figure 1-1 shows Symantec Mail Security deployed at the gateway, behind a firewall.
Page 15
Figure 1-1 Basic gateway deployment
Advantages
The basic gateway deployment takes advantage of Symantec Mail Security's proximity to the Internet.
Because spam emanates from the outside world, the gateway is the logical and effective place to deploy Symantec Mail Security.
When you deploy the system closer to the gateway, you can minimize mail processing and storage requirements as well as network bandwidth via Email Firewall filtering.
Considerations
Administrators considering the basic gateway deployment should take into account the following factors:
Some organizations prefer to have secure gateways with no other services running. In these environments, all other services run behind the first gateway layer.
Some smaller organizations do not have dedicated gateway servers or a gateway layer. Instead, they deploy gateway servers and internal mail servers on the same computers.
Multi-tier gateway deployment
Note: This model may be implemented with one or more Scanner hosts.
Figure 1-2 shows Symantec Mail Security in a multi-tier gateway deployment, with multiple Scanners in the DMZ and a Control Center behind a second firewall.
Page 16
Figure 1-2 Multi-tier gateway deployment
Advantages
A multi-tier gateway deployment maximizes Symantec Mail Security's network administration capacities.
This configuration meets a common security audit requirement in that all data stores are in the second tier, including the Control Center and Spam Quarantine databases.
Inbound traffic may be load balanced across multiple scanners with this model.
Compared with basic gateway deployment, this configuration eliminates a single point of failure for message scanning.
This model allows administrators to take individual Scanners offline for maintenance without incurring downtime.
This scenario enables load balancing of filtered mail across multiple downstream MTAs.
Considerations
With its greater administrative controls, a multi-tier deployment requires higher administrative and maintenance overhead.
This approach requires more administrative overhead and complex networking than a basic gateway deployment.
With increased hardware and maintenance costs, this model could require a higher total cost of operation.
Page 17
Post-gateway deployment
Note: This model may be implemented with one or more SMTP gateway MTAs and one or more Scanner hosts.
Figure 1-3 shows Symantec Mail Security deployed after MTAs at the firewall.
Figure 1-3 Post-Gateway deployment
MTAs at the gateway layer accept unfiltered mail from the Internet then relay it to Symantec Mail Security. The system filters mail from the gateway layer and relays mail to other MTAs downstream.
Advantages
Your network configuration may require that you place your Scanner hosts with your SMTP gateway MTA in a "demilitarized zone" between two firewalls.
If you have a customized MTA or specific business needs, then running this configuration may outweigh the extra overhead and loss of functionality.
Considerations
Post-gateway deployment limits the functionality of Scanners and may decrease system throughput.
This configuration limits Scanner functionality as IP-based defenses are nullified.
Unless the SMTP Gateway is performing filtering, all email is processed by the gateway (read, stored, and forwarded) then sent to the system, which must then read, filter, and take some action based on the verdict. Such redundancy may add overhead, thereby decreasing throughput.
Page 18
Page 19
Chapter 2 Understanding system requirements
This chapter includes the following topics:
Factors that affect performance
Ports used by Symantec Mail Security
Factors that affect performance
The performance of Symantec Mail Security appliances can be affected by many factors. This section provides guidelines regarding those factors, and suggestions that may improve performance.
Overall performance involves several factors, some depending on the configuration and deployment options you choose, and others depending on external factors, such as the percentage of your organization’s email that is spam.
Environmental factors that affect performance
Environmental factors, including historical usage patterns of your particular deployment, will affect system performance. Prior to installation, collect information about your environment to understand typical usage patterns:
Outgoing SMTP connections. This can cause additional overhead by swelling disk queues with email destined for remote email servers which may not be immediately accepting new email. Larger queues on disk result in reduced MTA performance. Ideally, inbound and outbound mail streams should be configured to work on separate appliances.
Page 20
External MTA performance. If appropriate, determine the performance of the MTA sending incoming email to your MTA, and the performance of your gateway MTAs and message store.
The characteristics of messages sent and received can impact performance. Key parameters to identify are:
Average message size
Number of messages with attachments
Average attachment size
Types of attachments
Percentage of virus-infected messages in the email traffic
Types of end-users (ISP or enterprise)
Settings that affect performance
The choices you make when configuring Symantec Mail Security appliances affect their performance.
Filtering performance considerations
If a message has more than one recipient, each with different group policies, then the Scanner may need to bifurcate the message (split it into one or more messages) for modification prior to delivery. Bifurcated messages resulting from many group policies may degrade performance. Use group policies as necessary but be aware that using a large number of policies can affect performance.
Control Center performance considerations
The Control Center is used to start and stop servers; view logs and reports; set configuration options; backup, restore, and reset system software; and consolidate statistics, report data, and logs. Consider the following regarding its configuration:
Number of Scanners - The number of Scanners a Control Center collects logging and statistics from can impact the Control Center's performance. As you add Scanners to a Control Center, monitor the Control Center's performance to ensure that it does not degrade to unacceptable levels.
Log level - The higher the log levels, the more data the Control Center must consolidate over the network. Consider keeping log levels relatively low unless you are troubleshooting. You can also set logs to be expunged more frequently.
Scheduled reports - Schedule reports for times when utilization is low.
Page 21
Role of Control Center host - In cases where the Control Center host is also a busy Scanner host, the Scanner and Control Center must share the resources of a single appliance machine, which may affect performance.
Quarantine and LDAP performance considerations
Consider the following Quarantine and LDAP performance implications.
Number of messages expected per day into Quarantine - The more messages placed in the Quarantine, the larger the database, and the more processing required. Reduce the maximum size of the Quarantine database by deleting spam, or by reducing spam retention time.
Number of end users logging into the Quarantine interface - More connections to end users results in more overhead for the system.
LDAP server throughput - LDAP lookups for message recipients against a limited capacity LDAP server will severely impair Quarantine performance. Ensure you have adequate capacity on your LDAP server.
Message queues - Because the Quarantine database is stored on the Control Center appliance, Quarantine's SMTP server may slow down, causing the Scanner’s delivery MTA to back up when the destination MTA is accepting messages either slowly or not at all. If this occurs, some legitimate mail messages may be delayed.
HTTPS use - Secure HTTP connections are encrypted. Encrypting and decrypting the data in both directions, per connection, is secure but is also more CPU intensive than HTTP. Also, the larger your HTTPS key size, the more CPU cycles it may consume.
Ports used by Symantec Mail Security
The following tables list ports reserved for Symantec Mail Security for SMTP components and functions. These assignments may differ slightly depending on your environment and filtering types (inbound, outbound, or both).
Table 2-1 Reserved ports for the Symantec Mail Security Appliance
| Port | Protocol | From | To | Description |
|---|---|---|---|---|
| 21 | TCP | Appliance | Internet | Rapid response antivirus updates |
| 22 | TCP | Management hosts | Internal Appliance Addresses | SSH connectivity to the appliance (CLI) |
| 25 | TCP | Internet | Appliance | Inbound internet mail traffic |
Page 22
Table 2-1 Reserved ports for the Symantec Mail Security Appliance (continued)
| Port | Protocol | From | To | Description |
|---|---|---|---|---|
| 25 | TCP | Appliance | Internal mail servers | Inbound internal mail traffic |
| 25 | TCP | Internal mail servers | Appliance | Outbound internal mail traffic |
| 25 | TCP | Appliance | Internet mail hosts | Outbound internet mail traffic |
| 53 | TCP | Internet | Appliance | Recursive DNS lookups |
| 80 | TCP | Appliance | Internet | Default automatic antivirus updates |
| 123 | UDP | Appliance | Internal NTP Servers or Internet | Appliance time sync server sources |
| 389 | TCP | Appliance | LDAP servers | LDAP server access to synchronize users/groups/d-lists |
| 443 | TCP | Appliance | Internet | Rule updates, software updates and license registration |
| 1863-1866 | TCP | | | MSN Messenger |
| 3268 | TCP | Appliance | LDAP servers | LDAP server access to synchronize users/groups/d-lists (Global Catalog Access) |
| 3306 | TCP | Control Center | MySQL database server | MySQL database connection |
| 5001 | TCP | | | Relay Hub |
| 5050, 5055, 5056, 80 | | | | Yahoo Messenger |
| 5190-5194 | TCP | | | AOL Instant Messenger (AIM) |
| 5222 | TCP | | | Google Talk |
Page 23
Table 2-1 Reserved ports for the Symantec Mail Security Appliance (continued)
| Port | Protocol | From | To | Description |
|---|---|---|---|---|
| 7007 | | | | IM remote command. Note: IMRelay will only accept connections from 127.0.0.1 on this port. |
| 8086 | | | | SESA agent |
| 11011-11013 | TCP | Appliance | LDAP servers | LDAP synchronization |
| 41000 | | | | BMI client |
| 41002 | TCP | Control Center | Scanners | Communication between the Control Center and Scanners |
| 41002 | TCP | Scanners | Control Center | Communication between the Control Center and Scanners |
| 41015-41017 | | | | Filter Hub deferred processing |
| 41025 | TCP | Scanners | Control Center | To send quarantined messages to the Control Center |
| 41080 | TCP | Management hosts | Control Center | Disabled by default |
| 41443 | TCP | Management hosts | Control Center | Web management port for the UI |
Symantec Mail Security also uses the following Web addresses:
| URL | Protocol | Port | Description |
|---|---|---|---|
| swupdate.brightmail.com | TCP | 443 | Used to retrieve new build versions |
| register.brightmail.com | TCP | 443 | Used to register the appliance |
| aztec.brightmail.com | TCP | 443 | Used to retrieve rules |
Page 24
| URL | Protocol | Port | Description |
|---|---|---|---|
| pool.ntp.org | UDP | 123 | Used for the appliance to sync time |
| clock.isc.org | UDP | 123 | Used for the appliance to sync time |
| time.nist.gov | UDP | 123 | Used for the appliance to sync time |
| liveupdate.symantecliveupdate.symantec.com | TCP | 80 | Default automatic antivirus updates |
| liveupdate.symantec.com | TCP | 80 | Default automatic antivirus updates |
| update.symantec.com | TCP | 21 | Rapid response antivirus |
Configuring your firewall for connections to public IM network servers
To enable IM filtering, you must configure your firewall to allow port connections from your IM-filtering Scanner to the public IM network servers that you use. Port connections to these servers from all other servers within your corporate network should be blocked.
Table 2-2 lists the ports for which you must configure your firewall to allow outbound connections to the Internet.
Table 2-2 Firewall port connection requirements
| IM Network | Ports |
|---|---|
| AIM | 5190 |
| MSN Messenger | 1863 |
| Yahoo! Messenger | 5050, 80 |
| Google Talk | 5222 |
In addition to these firewall changes, changes to your DNS configuration are also required to enable IM filtering.
See “Configuring your DNS for IM filtering” on page 27.
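The firewall rule described in this section (IM ports open only from the IM-filtering Scanner) can be verified against firewall connection logs. This Python sketch is an added example, not part of the Symantec guide: only the port numbers come from Table 2-2, while the log line format, the internal addresses and the address blocks standing in for the public IM servers are constructed for the illustration.

```python
import ipaddress
import re

# Outbound ports per public IM network, taken from Table 2-2 of the guide.
IM_PORTS = {
    "AIM": {5190},
    "MSN Messenger": {1863},
    "Yahoo! Messenger": {5050, 80},
    "Google Talk": {5222},
}

# Constructed log format: "<timestamp> <ALLOW|DENY> tcp <src>:<sport> -> <dst>:<dport>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+tcp\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def im_network_for(dst, dport, im_networks):
    """Return the IM network a connection belongs to, or None.

    Both destination address and port must match. Port 80 is in the Yahoo!
    list, so matching on port alone would flag all ordinary web traffic.
    """
    addr = ipaddress.ip_address(dst)
    for name, cidrs in im_networks.items():
        if dport in IM_PORTS.get(name, ()) and any(
            addr in ipaddress.ip_network(cidr) for cidr in cidrs
        ):
            return name
    return None


def audit_im_egress(log_lines, scanner_ip, im_networks):
    """Flag log entries that contradict the guide's firewall policy.

    DIRECT_IM:       a host other than the Scanner reached a public IM server,
                     so that IM traffic was not filtered.
    SCANNER_BLOCKED: the Scanner itself was denied, so IM filtering cannot work.
    """
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        name = im_network_for(m["dst"], int(m["dport"]), im_networks)
        if name is None:
            continue  # not IM traffic
        from_scanner = m["src"] == scanner_ip
        if m["action"] == "ALLOW" and not from_scanner:
            findings.append(("DIRECT_IM", m["src"], name))
        elif m["action"] == "DENY" and from_scanner:
            findings.append(("SCANNER_BLOCKED", m["src"], name))
    return findings


# Constructed sample data. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges; real IM server addresses must come from your own environment.
SCANNER_IP = "10.0.5.20"
IM_NETWORKS = {
    "AIM": ["203.0.113.0/26"],
    "MSN Messenger": ["203.0.113.64/26"],
    "Yahoo! Messenger": ["203.0.113.128/26"],
    "Google Talk": ["203.0.113.192/26"],
}
SAMPLE_LOG = """
2007-06-01T09:00:01 ALLOW tcp 10.0.5.20:51000 -> 203.0.113.10:5190
2007-06-01T09:00:02 ALLOW tcp 10.0.7.33:51001 -> 203.0.113.10:5190
2007-06-01T09:00:03 ALLOW tcp 10.0.7.33:51002 -> 198.51.100.80:80
2007-06-01T09:00:04 ALLOW tcp 10.0.7.40:51003 -> 203.0.113.130:80
2007-06-01T09:00:05 DENY tcp 10.0.5.20:51004 -> 203.0.113.200:5222
2007-06-01T09:00:06 DENY tcp 10.0.7.33:51005 -> 203.0.113.70:1863
""".strip().splitlines()

if __name__ == "__main__":
    for code, src, network in audit_im_egress(SAMPLE_LOG, SCANNER_IP, IM_NETWORKS):
        print(f"{code:16} {src:12} {network}")
```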
Page 25
Chapter 3 Setting up the Symantec Mail Security Appliance
This chapter includes the following topics:
Before you set up your appliance
How to set up the appliance
Logging in and logging out
Migrating to Symantec Mail Security 7.5
Before you set up your appliance
Each appliance can be used to perform a variety of functions in your system. For smaller installations, the same appliance can be used to perform all needed functions. Contact a sales representative for additional help with performance sizing.
The available functions are:
Page 26
Control Center: Deployed as a Control Center, a Symantec Mail Security host allows you to configure and manage email filtering, SMTP routing, system settings, and all other functions from a Web-based interface. Multiple Scanners can be configured and monitored from your enterprise-wide deployment of Symantec Mail Security, but only one Control Center can be deployed to administer all the Scanner hosts. The Control Center provides information on the status of all Symantec Mail Security hosts in your system, including system logs and extensive customizable reports. Use the Control Center to configure both system-wide and host-specific details. The Control Center provides the Setup Wizard, for initial configuration of all Symantec Mail Security instances at your site, and also the Add Scanner Wizard, for adding new Scanners. The Control Center also hosts the Spam and Suspect Virus Quarantines to isolate and store spam and virus messages, respectively.
Scanner: Deployed as a Scanner, a Symantec Mail Security host filters email for viruses, spam, and noncompliant messages.
Control Center and Scanner: Performs both functions. Suitable for smaller installations.
During initial setup, you will be asked to choose the function that this appliance will perform. Before setting up the appliance, decide which function or set of functions you will choose from the list above.
Compatible browsers
The appliance works with the following browsers:
Microsoft Internet Explorer 6.0 and 7.0
Firefox 2.0
Configuring SSH clients to log into an appliance
If you want to access the command line interface on an appliance, use an SSH client to log into the appliance. Some SSH clients require special configuration to log in to the appliance SSH server when using the SSH v2 protocol. If your SSH client does not connect to your appliance, try configuring the client to use the standard SSH server. If your client does not support that configuration option and does not automatically detect it, configure the SSH client to use the SSH v1 protocol.
Page 27
Configuring your DNS for IM filtering
If you want to use your Symantec Mail Security Appliance to filter IM traffic, two differently configured types of DNS servers are required:
- DNS accessed by internal hosts that routes internal IM traffic to a Scanner for filtering
- DNS accessed by Scanners that routes outgoing IM traffic to public IM networks on the Internet
Changes to your firewall are also required for IM filtering.
See “Configuring your firewall for connections to public IM network servers” on page 24.
Configuring DNS to route internal IM traffic to a Scanner
Your organization most likely has an internal DNS configured to direct your IM client traffic directly to the Internet. If you want to use your Symantec Mail Security Appliance to filter IM traffic, you must reconfigure your DNS to direct your IM client traffic to your IM-filtering Scanner instead. You can do this by either reconfiguring the existing forward lookup zones or creating new ones in your DNS records for each public IM network that your organization uses, and then assigning the IM-filtering Scanner's IP address as its host.
Table 3-1 lists the host names of each public IM network for which you must create a forward lookup zone.
Configuring DNS to route outgoing IM traffic to public IM networks
After filtering your IM messages, the Scanner directs your IM clients to their public IM network servers. It does this by using an additional DNS that you specify when you install Symantec Mail Security Appliance. This DNS can be one or both of the following:
- Internet Root DNS
  This is a DNS that resides on the Internet. If you use this DNS, you must allow a connection from your firewall to the Internet over port 53.
- An internal corporate DNS
  This is a DNS that resides within your corporate network, and is able to resolve the server names of the public IM networks that you use.
Page 28
Caution: This DNS cannot be the same internal DNS that you use to direct your IM clients to the Scanner. If it is, a loopback condition occurs where IM messages are directed back to the Scanner instead of to the Internet.
Table 3-1 lists the public IM network server names that this DNS must be able to resolve.
Table 3-1 Public IM network server names
IM Network          Server/Host Names
AIM                 login.oscar.aol.com, toc.oscar.aol.com, ats.byoa.aol.com, slogin.oscar.aol.com
MSN Messenger       messenger.hotmail.com
Yahoo! Messenger    scs.msg.yahoo.com, scsa.msg.yahoo.com, scsb.msg.yahoo.com, scsc.msg.yahoo.com, scsd.msg.yahoo.com, scse.msg.yahoo.com, scsf.msg.yahoo.com, scsg.msg.yahoo.com, scsh.msg.yahoo.com
Google Talk         talk.google.com, talkx.l.google.com
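The following is an added example, not part of the Symantec guide: a consistency check for the two DNS configurations described above, including the loopback condition from the Caution. The function name `check_split_dns`, the finding labels and all IP addresses are constructed for illustration; each "view" is the set of answers collected from one DNS server for the Table 3-1 names.

```python
import ipaddress

# Public IM server names from Table 3-1.
IM_HOSTNAMES = {
    "AIM": ["login.oscar.aol.com", "toc.oscar.aol.com",
            "ats.byoa.aol.com", "slogin.oscar.aol.com"],
    "MSN Messenger": ["messenger.hotmail.com"],
    "Yahoo! Messenger": ["scs.msg.yahoo.com"]
                        + [f"scs{c}.msg.yahoo.com" for c in "abcdefgh"],
    "Google Talk": ["talk.google.com", "talkx.l.google.com"],
}


def to_ips(values):
    """Normalise address strings so textual variants compare equal."""
    return {ipaddress.ip_address(v) for v in values}


def check_split_dns(client_view, scanner_view, scanner_ips,
                    client_dns, scanner_dns, networks=None):
    """Return a sorted list of (problem, subject); an empty list means consistent.

    client_view  : {hostname: [IPs]} answered by the DNS that internal hosts use
    scanner_view : {hostname: [IPs]} answered by the DNS that the Scanner uses
    scanner_ips  : the Scanner's IM IP addresses
    client_dns / scanner_dns : addresses of the DNS servers in each role
    networks     : IM networks in use (default: all of Table 3-1)
    """
    scanner_set = to_ips(scanner_ips)
    findings = set()
    # Caution above: the Scanner must not use the client-facing DNS.
    for server in to_ips(client_dns) & to_ips(scanner_dns):
        findings.add(("shared-dns", str(server)))
    for network in networks or IM_HOSTNAMES:
        for name in IM_HOSTNAMES[network]:
            inside = to_ips(client_view.get(name, []))
            outside = to_ips(scanner_view.get(name, []))
            if not inside:
                findings.add(("no-forward-zone", name))
            elif inside - scanner_set:
                findings.add(("bypasses-scanner", name))   # clients go direct
            if not outside:
                findings.add(("scanner-cannot-resolve", name))
            elif outside & scanner_set:
                findings.add(("loopback", name))   # Scanner sent back to itself
    return sorted(findings)


# Constructed sample data (addresses are placeholders, not real IM servers).
SCANNER_IPS = ["10.0.5.10", "10.0.5.11"]
ALL_NAMES = [n for names in IM_HOSTNAMES.values() for n in names]
GOOD_CLIENT_VIEW = {n: ["10.0.5.10"] for n in ALL_NAMES}
GOOD_SCANNER_VIEW = {n: ["203.0.113.50"] for n in ALL_NAMES}

BAD_CLIENT_VIEW = dict(GOOD_CLIENT_VIEW)
BAD_CLIENT_VIEW["messenger.hotmail.com"] = ["198.51.100.20"]  # still direct
del BAD_CLIENT_VIEW["talkx.l.google.com"]                     # zone missing
BAD_SCANNER_VIEW = dict(GOOD_SCANNER_VIEW)
BAD_SCANNER_VIEW["login.oscar.aol.com"] = ["10.0.5.10"]       # points at Scanner

if __name__ == "__main__":
    for problem, subject in check_split_dns(
            BAD_CLIENT_VIEW, BAD_SCANNER_VIEW, SCANNER_IPS,
            client_dns=["10.0.0.53"], scanner_dns=["10.0.0.53", "10.0.0.54"]):
        print(f"{problem}: {subject}")
```

To use it on a real deployment, fill each view by querying the corresponding DNS server directly for every name in Table 3-1.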
How to set up the appliance
Setting up your appliance involves the following tasks:
Configuring your network to include the new appliance
Initialize your new appliance
Setting up a Control Center with optional Scanner
See “Setting up a Scanner” on page 40.
After performing the above tasks, you can continue to add additional Scanners if desired. Then proceed to the next chapter to complete system setup.
Page 29
Configuring your network to include the new appliance
For each appliance you set up, you will need a valid static IP address and a fully qualified hostname. Before setting up your appliances, obtain the IP addresses you will need. Perform whatever other tasks are necessary in your environment to be able to include the new appliance in your network.
For Scanners, also ensure that your network is configured to permit outbound connections to Symantec on port 443. For registration and ongoing operations, Symantec appliances communicate with Symantec Security Response over a secure connection.
Understanding key indicators and controls for rack-mounted appliances
This section applies to rack-mountable appliance models only.
Most of the controls on your appliance are not needed for normal, everyday use. Of the connectors on the back panel, pay special attention to the labels for the Ethernet jacks.
When you initialize your appliance, you will need to configure separately each Ethernet jack you used, depending on your appliance model.
Front panel indicators
The two system identification buttons on the front and back panels can be used to locate a particular system within a rack. When one of these buttons is pushed, the blue system status indicators on the front and back of the system blink. To stop the indicator from blinking, press one of the buttons a second time.
Table 3-2 describes the indicators on the system front panel.
Table 3-2 Front Panel Indicators
LED Indicator                         Description
Blue/amber system status indicator    The blue system status indicator lights up during normal system operation. The amber system status indicator flashes when the system needs attention due to a system problem.
NIC1 and NIC2 link indicators         The indicators for the two Ethernet jacks light if network connections are active. NIC1 corresponds to Ethernet jack 1. NIC2 corresponds to Ethernet jack 2.
Page 30
Table 3-2 Front Panel Indicators (continued)
LED Indicator      Description
Power indicator    The green indicator in the center of the power button flashes if AC power is available to the system, but the system is not powered on. The green indicator is on when the system is powered on. If the system is not connected to AC power, the green indicator is off.
Initialize your new appliance
Each deployment can have multiple Scanner appliances, but must have exactly one Control Center appliance. Set up your Control Center appliance first, then set up your Scanner appliances. If you are using the same appliance for both of these functions, you will be asked questions regarding both the Control Center setup and the Scanner setup.
To begin initialization
1. Unpack the appliance and either rackmount it or place it on a level surface, and plug in AC power.
2. Connect the appliance using one of the following methods:
   - Connect a keyboard and VGA monitor to the appliance.
   - Connect another computer to the appliance via the serial port. Use a null modem cable with a DB9 connector, and settings of 9600 bps, 8/N/1.
3. Connect an Ethernet cable to the Ethernet jack labeled 1 on the back panel, which corresponds to eth0.
   You can optionally also connect to the Ethernet jack labeled 2, which corresponds to eth1, if you intend to use the second Ethernet port for outbound traffic.
4. Switch on the power.
   When you first boot up the appliance, you are asked to log in, and then change your password.
5. Log in using the login name admin and the password symantec.
Page 31
6. Type your new password twice when prompted.
   Create your password wisely. Do not use something found in a dictionary (in any language or jargon). Do not use a name (including that of a spouse, parent, child, pet, fantasy character, famous person, and location) or any variation of your personal or account name. Do not use accessible information about you (such as your phone number, license plate, or social security number) or your environment. Do not use a birthday or a simple pattern (such as backwards, followed by a digit, or preceded by a digit). Instead, use a mixture of upper and lower case letters, as well as digits or punctuation. When choosing a new password, make sure it is unrelated to any previous password. Use long passwords (8 characters or longer). You might use a pair of words with punctuation inserted, a passphrase (an understandable sequence of words), or the first letter of each word in a passphrase.
   You are next asked for the host name.
7. Type a fully qualified DNS name for this host.
   To avoid problems with message routing, this DNS name should not be your mail domain.
   For example:
   mhost6.example.com
8. Choose a time zone when prompted, by entering the correct number.
   You can type ? to see a list of time zones and corresponding numbers.
   Continue with “To specify Ethernet interfaces” below.
To specify Ethernet interfaces
1. When prompted, type the IP address for the Ethernet interface labeled 1 on the back of the appliance.
   For example:
   192.168.0.1
2. When prompted, type the netmask for Ethernet interface 1.
   For example:
   255.255.255.0
   You are next asked if you want to use the second Ethernet interface, interface 2.
Page 32
3. Type YES if you want to use interface 2.
   Otherwise, skip to step 6.
4. When prompted, type the IP address for Ethernet interface 2.
   For example:
   192.168.12.3
5. When prompted, type the netmask for Ethernet interface 2.
   For example:
   255.255.255.0
6. When prompted, type the IP address of the default gateway (default router).
   Continue with “To specify DNS settings” below.
To specify DNS settings
1. Type YES to use the Internet’s root DNS servers, or type NO and skip to step 3.
   If you answered YES, you are asked if you also want to use your own DNS servers.
2. Type YES to also use your own DNS servers, or type NO and follow the steps in “To specify the role of the appliance” below.
3. When prompted, type the IP addresses of up to two DNS servers, then continue with “To specify the role of the appliance” below.
   If you plan to enable IM filtering, you will need a separate DNS for other hosts in your network that routes IM traffic to a Scanner.
   See “Configuring your DNS for IM filtering” on page 27.
To specify the role of the appliance
1. When prompted, choose a role for this appliance: Control Center, Scanner or Scanner and Control Center.
   See “Before you set up your appliance” on page 25.
2. If you chose Scanner only as the role for this appliance, specify when prompted the IP address of the Control Center.
Page 33
3. If the summary information is correct, type YES; if not, type NO and make changes.
4. Continue with the next section.
   The appliance will reboot. Once it has finished, continue with the next procedure, registration.
Registering your system
After you complete the initialization process, you can access the appliance from any computer that can connect with the appliance using a browser. Log in to the Control Center as user admin, using the password you set during initialization in order to register the appliance.
Note: For your Scanners, ensure that your network is configured to permit outbound connections to Symantec on port 443. For registration and ongoing operations, the appliances communicate with Symantec Security Response over a secure connection.
To complete registration, you need the license file (.slf file) provided to you by Symantec. Place this file on the computer from which you are accessing the Control Center. Each time you add a Scanner, you must confirm your licenses or register again. However, you can use the same .slf files for each Scanner.
Note: Licenses from other Symantec products, such as Symantec Brightmail AntiSpam, will not work with Symantec Mail Security Appliances.
Page 34
To register your first appliance
1. From a computer that can access the new appliance, locate the appliance in a browser.
   The default login address is:
   https://<hostname>:41443
   where <hostname> is the hostname you designated for your appliance during initialization using the Control Center. Or, you can use the IP address in place of <hostname>.
   Port 41443 provides SSL access to the Control Center. HTTP access is disabled by default. To use HTTP, you must enable HTTP via the command line interface and specify port 41080.
   See the Symantec Mail Security Appliance Administration Guide for information on the http command.
   You will see a security alert message.
2. Accept the self-signed certificate to continue.
   The Control Center log in page is displayed.
3. Log in as user admin, using the password you set during initialization.
   The License Registration page is displayed, showing the license status of each feature.
4. On the License Registration page, click Browse to find your .slf file.
5. Select your .slf file and click Open to return to the License Registration page.
   If you are registering a Premium feature such as Premium Content Compliance (PCC) and you have a separate license for the PCC, register your license for the feature on each Scanner that will be using the feature.
6. If your Scanner will be using a proxy server for communications with Symantec, complete the proxy configuration fields.
7. Click Register.
   If registration was successful, the License Registration page returns. If there was an error, you will see error text at the top of the page.
   For registration and ongoing operations, the appliance communicates with Symantec Security Response over a secure connection. If registration has failed, ensure that your network is configured to permit outbound connections to Symantec on port 443.
Page 35
8. If you have another .slf file for a different feature, repeat steps 4, 5, and 7.
9. When all your .slf files are successfully registered, click Next.
Updating a new appliance to the latest software
If your software is up-to-date, the Setup Wizard is displayed. Skip to the next section.
If a software update is available, the Software Update page is displayed. Symantec strongly recommends that you apply all available updates.
On the Software Update page you can:
- Click Skip to update your software later.
- Click Update to update your software now. After the update, the Setup Wizard is displayed.
Note: When you have finished updating the Control Center appliance, either click your browser's refresh button or close and re-open it to ensure that cached versions of graphics are redisplayed correctly.
Updating an appliance that is running a previous version of Symantec Mail Security is described in a separate section.
See “Migrating to Symantec Mail Security 7.5” on page 49.
Setting up a Control Center with optional Scanner
Setting up your appliances involves setting up the Control Center and then using the Setup Wizard on the Control Center to configure all of your site-wide settings. Depending on how you plan to use this appliance, perform the remaining setup tasks as follows:
- If you plan to use this appliance as your Control Center only, or as both your Control Center and as a Scanner, continue with the procedures in this section.
- If you plan to use this appliance as a Scanner only, follow the Scanner setup procedure. See “Setting up a Scanner” on page 40.
Many of the site-wide settings that you will specify as you use the Setup Wizard are actually site defaults that you can later vary for each Scanner you add.
Page 36
Note: None of the settings you specify using the wizard are final until you click Finish at the end of the wizard. If you step through all the panels of the wizard and do not click Finish, configuration settings will be unchanged.
To specify administrator, time, local domain, and locale settings
1. On the Administrator Settings panel, specify an email address for the administrator.
   The system sends alerts to this address if alert notifications are enabled. You can configure additional administrators in the Control Center later.
2. On the Time Settings panel, specify your system-wide time settings.
   You can specify up to three NTP servers, set the time manually, or choose not to change the time.
3. On the Local Domains panel, add the domains for which you accept incoming mail.
   You can also add specific email addresses.
   To delete a domain from the list, check it and click Delete.
4. For each domain or email address you add, optionally specify that messages should be routed through a specific host and port.
   You can optionally check Enable MX Lookup. You can also import a list of local domains.
5. On the System Locale panel, specify the locale that the appliance should use for formatting numbers, dates, and times, and then click Next.
   Do one of the following:
   - If you are setting up a Control Center-only appliance, review the information on the Setup Wizard Summary panel. See “To review and finalize settings” on page 40. You must set up a Scanner on another appliance before you can filter mail. See “Setting up a Scanner” on page 40.
   - If you are setting up a Control Center and a Scanner on this appliance, continue with the Setup Wizard. See “To specify the Scanner role” on page 37.
Note: If you plan to use one appliance as both a Control Center and a Scanner, add the Scanner on that appliance before adding other Scanners.
Page 37
To specify the Scanner role
1. On the Scanner Role panel, specify how you will use this Scanner.
   You can choose to filter inbound mail, outbound mail, or both inbound and outbound mail, and instant messaging filtering. Depending on your choice, do the following:
   - If you select both inbound and outbound and you have only specified one physical port, you will see the Create Virtual IP Address panel next. Proceed with step 2.
   - If you select both inbound and outbound and you have specified two physical ports, you will see the Create Optional Virtual IP Address panel next. Proceed with step 2.
   - If the above does not apply:
     - If you chose to filter inbound mail, you will see the Inbound Mail Filtering panel. Proceed with step 4.
     - If you chose to filter outbound mail only, you will see the Outbound Mail Filtering panel. See “To specify outbound mail filtering settings” on page 38.
2. On the Create Optional Virtual IP Address panel, read the instructions and click Yes or No.
   If you click Yes you will see the Create Virtual IP Address panel next. Proceed with step 3. If not, you will see the Inbound Mail Filtering panel. Skip to step 4.
3. On the Create Virtual IP Address panel, specify the IP address and netmask to associate with the specified port.
4. On the Inbound Mail Filtering panel, choose the IP address to use for inbound mail.
5. If desired, change the port specification for inbound mail.
6. On the Inbound Mail Filtering - Connections panel, specify the mail servers from which this Scanner will accept inbound mail.
   You can choose All IP addresses or specify IP addresses or hostnames. A typical choice would be All IP addresses, thus allowing the appliance to accept mail from any MTA on the Internet.
Page 38
7. On the Inbound Mail Filtering - Local Relay panel, specify the internal host to which this Scanner will relay inbound mail after filtering is complete.
   You can select a host from the list or define a new host. A typical value is a downstream mail server such as your corporate mail server.
   You can also specify a port. If you check Enable MX lookup for this host, you must specify a host name (not an IP address) for that server.
8. If you chose to filter inbound and outbound mail, the Outbound Mail Filtering panel is displayed.
   See “To specify outbound mail filtering settings” on page 38.
   If you chose to filter only inbound mail as well as IM filtering, the Configure IM interfaces panel is displayed.
   See “To specify IM settings” on page 39.
   If you chose to filter only inbound mail, the Setup Summary panel is displayed.
   See “To review and finalize settings” on page 40.
To specify outbound mail filtering settings
1. On the Outbound Mail Filtering panel, choose the IP address to use for outbound mail.
2. If desired, change the port specification for outbound mail.
   In most cases this should be left as port 25.
3. On the Outbound Mail Filtering - Connections panel, specify by IP address the internal mail servers from which this Scanner will accept outbound mail.
   Typically you would limit this to your corporate outbound mail server. It is important to restrict the parties that can send outbound mail through this host to sources that you trust.
   If you chose to filter only outbound mail, you will see the Outbound Mail Filtering - Local Relay panel next. Proceed to step 4. If not, skip to step 5.
4. On the Outbound Mail Filtering - Local Relay panel, specify the internal host to which this Scanner will relay outbound mail after filtering is complete.
   You can select a host from the list or define a new host. A typical value is a downstream mail server such as your corporate mail server.
   You can also specify a port. If you check Enable MX lookup for this host, you must specify a host name (not an IP address) for that server.
Page 39
5. On the Outbound Mail Filtering - Nonlocal Relay panel, specify how you want to relay outbound mail after filtering is complete.
   You can use default MX lookup, select a host from the list, or define a new host.
   You can also specify a port. If you check Enable MX lookup for this host, you must specify a host name (not an IP address) for that server.
   For outbound mail addressed to a non-local domain, there is typically no relay host to specify. If you choose Use default MX lookup, the appliance will use Internet MX records to deliver the mail.
6. If you chose to filter instant messages, the Configure IM interfaces panel is displayed.
   See “To specify IM settings” on page 39.
   If you did not choose to filter instant messages, the Setup Summary panel is displayed.
   See “To review and finalize settings” on page 40.
To specify IM settings
1. On the Configure IM interfaces panel, under Internal IM Interface, choose the Ethernet network for internal IM filtering.
2. Choose a Primary IM IP address.
   The primary IM IP address is for routing internal IM traffic.
3. Choose a Secondary IM IP address.
   The secondary IM IP address supports extended IM client features such as file transfer.
   Primary and Secondary IM IP addresses are required.
4. Under External IM Interface, choose the Ethernet network for external IM filtering.
   You can use the same Ethernet network as the internal IM interface or a different one.
5. Choose an External IP address.
   This IP address is for routing IM traffic to the public IM network servers.
6. The Setup Summary panel is displayed.
   See “To review and finalize settings” on page 40.
Page 40
To review and finalize settings
1. On the Setup Wizard Summary panel, review the settings shown.
2. If you are satisfied with the settings, click Finish to save them.
   If not, click Back to revise your settings, or Cancel to end without saving any changes. If you cancel, you won't be able to use the appliance until you complete the setup.
Setting up a Scanner
If you are adding a Scanner on the same appliance as your Control Center, see “Setting up a Control Center with optional Scanner”. The instructions in this section only apply to adding a Scanner on a different appliance than the appliance hosting your Control Center.
Note: If you plan to use one appliance as both a Control Center and a Scanner, add the Scanner on that appliance before adding other Scanners.
Add a Scanner
Use the Add Scanner Wizard to set up a Scanner appliance. You run the Add Scanner Wizard from a Control Center that you previously set up.
Note: None of the settings you specify using the wizard are final until you click Finish at the end of the wizard. If you step through all the panels of the wizard and do not click Finish, you will not make any changes to configuration settings.
To configure host IP settings
1. Log into the Control Center.
   See “Logging in and logging out” on page 45.
2. From the Control Center, click Administration > Hosts > Configuration.
3. If you are adding your first Scanner, you will now see the Add Scanner Wizard. Otherwise click Add on the Host Configuration page.
4. On the Scanner Host Settings panel, identify your new Scanner by typing a description and a host name or IP address.
   Continue completing the Add Scanner Wizard.
   See “To register the Scanner and specify time settings ” on page 41.
Page 41
To register the Scanner and specify time settings
1. On the License Registration Information panel, click Browse to find your .slf file.
2. Select your .slf file and click Open to return to the License Registration Information panel.
3. If your network requires a proxy to access the Internet, specify proxy information.
4. Click Register.
   If registration was successful, the License Registration page returns. If there was an error, you will see error text at the top of the page.
   If you are registering a Premium feature such as Premium Content Compliance, register your license for the feature on each Scanner that will be using the feature.
5. If you have another .slf file for a different feature, repeat steps 1, 2, and 4.
6. When all your .slf files are successfully registered, click Next.
7. If your software needs to be updated, the Software Update page is displayed. On the Software Update page you can:
   - Click Skip to update your software later.
   - Click Update to update your software now. Note that if you updated your Control Center, it's recommended that you update each Scanner.
8. On the Time Settings panel, choose a time setting for this Scanner and click Next.
   You can specify up to three NTP servers, set the time manually, or choose not to change the time.
   Continue completing the Add Scanner Wizard.
   See “To specify the Scanner role” on page 41.
To specify the Scanner role
1. On the Scanner Role panel, choose the role for this Scanner.
   You can choose to filter inbound mail, outbound mail, both inbound and outbound mail, and IM filtering. Depending on your choice, do the following:
   - If you select both inbound and outbound and you have only specified one physical port, you will see the Create Virtual IP Address panel next. Proceed with step 3.
Page 42
   - If you select both inbound and outbound and you have specified two physical ports, you will see the Create Optional Virtual IP Address panel next. Proceed with step 2.
   - If the above does not apply:
     - If you chose to filter inbound mail, you will see the Inbound Mail Filtering panel. Proceed with step 4.
     - If you chose to filter outbound mail only, you will see the Outbound Mail Filtering panel. See “To specify outbound mail filtering settings” on page 43.
2. On the Create Optional Virtual IP Address panel, read the instructions and click Yes or No.
   If you click Yes you will see the Create Virtual IP Address panel next. Proceed with step 3. If not, you will see the Inbound Mail Filtering panel. Skip to step 4.
3. On the Create Virtual IP Address panel, specify the IP address and netmask to associate with the specified port.
4. On the Inbound Mail Filtering panel, choose the IP address to use for inbound mail.
5. If desired, change the port specification for inbound mail.
6. On the Inbound Mail Filtering - Connections panel, specify the mail servers from which this Scanner will accept inbound mail.
   You can choose All IP addresses or specify IP addresses. A typical choice would be All IP addresses, thus allowing the appliance to accept mail from any MTA on the Internet.
7. On the Inbound Mail Filtering - Local Relay panel, specify the internal host to which this Scanner will relay inbound mail after filtering is complete.
   You can select a host from the list or define a new host. A typical value is a downstream mail server such as your corporate mail server.
   You can also specify a port. If you check Enable MX lookup for this host, you must specify a host name (not an IP address) for that server.
   If you chose to filter only inbound mail without IM filtering, the Setup Summary panel is displayed.
   See “To review and finalize settings” on page 44.
   If you chose to filter inbound and outbound mail, continue completing the Add Scanner Wizard.
   See “To specify outbound mail filtering settings” on page 43.
Page 43
To specify outbound mail filtering settings
1. On the Outbound Mail Filtering panel, choose the IP address to use for outbound mail.
2. If desired, change the port specification for outbound mail.
3. On the Outbound Mail Filtering - Connections panel, specify by IP address the internal mail servers from which this Scanner will accept outbound mail.
   Typically you would limit this to your corporate outbound mail server. It is important to restrict the parties that can send outbound mail through this host to sources that you trust.
   If you chose to filter only outbound mail, you will see the Outbound Mail Filtering - Local Relay panel next. Proceed to step 4. If not, skip to step 5.
4. On the Outbound Mail Filtering - Local Relay panel, specify the internal host to which this Scanner will relay outbound mail after filtering is complete.
   You can select a host from the list or define a new host. A typical value is a downstream mail server such as your corporate mail server.
   You can also specify a port. If you check Enable MX lookup for this host, you must specify a host name (not an IP address) for that server.
5. On the Outbound Mail Filtering - Nonlocal Relay panel, specify how you want to relay outbound mail after filtering is complete.
   You can use default MX lookup, select a host from the list, or define a new host.
   You can also specify a port. If you check Enable MX lookup for this host, you must specify a host name (not an IP address) for that server.
   For outbound mail addressed to a non-local domain, there is typically no relay host to specify. If you choose Use default MX lookup, the appliance will use Internet MX records to deliver the mail.
   If you did not enable IM filtering, the Setup Summary panel is displayed.
   See “To review and finalize settings” on page 44.
   If you did enable IM filtering, continue completing the Add Scanner Wizard.
   See “To specify IM settings” on page 43.
To specify IM settings
1. On the Instant Messaging IP Addresses panel, specify which IP addresses your IM clients use.
2. Under Internal IM Interface, select the Ethernet network interface that IM clients use to communicate internally from the Ethernet: drop-down list.
Page 44
3
Select primary and secondary internal IP addresses from the Primary IM IP address and Secondary IM IP address drop-down lists.
The primary IP address listens for incoming instant messages. The secondary IP address routes file transfers through the Scanner and must be a different IP address from the primary IP address.
4
Under External IM Interface, select the Ethernet network that IM clients use to communicate with public servers from the Ethernet: drop-down list.
The external Ethernet network interface may be the same as the internal interface.
5
Select the external IP address from the External IP: drop-down list.
If you are using different interface cards for incoming and outgoing traffic, assign different IP addresses to the primary internal address and the external address.
The external IP address may be the same as the primary internal IP address. If you have more than one network, the primary internal IP address and external IP address are probably going to be different. The primary IP address would then be dedicated to listening for IM messages and the external IP address dedicated to outgoing IM.
The Setup Summary panel is displayed.
See “To review and finalize settings” on page 44.
To review and finalize settings
1
On the Setup Wizard Summary panel, review the settings shown.
2
If you are satisfied with the settings, click Finish to save them.
If not, click Back to revise your settings, or Cancel to end without saving any changes. If you cancel, you won't be able to use the appliance until you complete the setup.
Completing setup
Your appliance is now nearly ready to use, with a set of default policies designed for most enterprise installations. Review the sections below to determine what additional setup tasks you need to perform.
Adding more Scanners
Repeat the steps in the section called “Setting up a Scanner” if you are adding additional Scanners.
Setting mail filtering policies
When you set up Symantec Mail Security, a set of ready-made default message filtering policies are in place. You can use these policies or customize them.
The initial default policies are as follows:
The default group policy includes all users, and specifies use of default filtering policies for spam, suspected spam, virus, content compliance, and end user settings.
The default spam policy is to modify the subject line by prepending [Spam] and deliver the message to the inbox.
The default suspected spam policy is to modify the subject line by prepending [Suspected Spam] and deliver the message to the inbox.
The suspected spam threshold is set to 72 (see the Symantec Mail Security Appliance Administration Guide for more information).
The default virus policy is to clean the message.
The default worm policy is to delete the message.
No default content compliance policies are in place.
No end user configuration capabilities are in place.
For more information on these policies and instructions on adjusting them to meet your needs, see the Symantec Mail Security Appliance Administration Guide.
Testing Scanners
For instructions on testing Scanners, see the Symantec Mail Security Appliance Administration Guide.
Changing Host IP addresses
If you change the IP address for the Control Center or any Scanner after initial setup, see the Symantec Mail Security Appliance Administration Guide.
Logging in and logging out
Follow these instructions to begin using the Control Center.
Note: Do not create an account for an administrator that is identical to a user account name. Do not create an end user account that is identical to an administrator account name. If a naming conflict occurs, the administrator will take precedence and the end user will be denied access to their account. In the unlikely event that both the username and the password for an administrator and an end user are identical, the end user will be granted access to the administrator account.
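The naming rule in this note can be checked before accounts are created. The following is an added example, not Symantec code: it compares administrator names against the identifier each end user would type at login (full email address for iPlanet/Sun ONE and Exchange 5.5, user name for Active Directory, as the login procedures in this guide describe). The directory labels and all account names are constructed for illustration, and the case-variant report is an extra hygiene check beyond what the note requires.

```python
from dataclasses import dataclass

# Identifier typed at login for each directory type, per this guide's procedures.
# The dictionary keys are hypothetical labels chosen for this example.
LOGIN_FORM = {
    "iplanet": "email",          # iPlanet / Sun ONE: full email address
    "active_directory": "user",  # Active Directory: user name
    "exchange55": "email",       # Exchange 5.5: full primary email address
}


@dataclass(frozen=True)
class EndUser:
    user: str       # short user name, e.g. "kris"
    email: str      # primary email address, e.g. "kris@example.com"
    directory: str  # key into LOGIN_FORM

    def login_id(self) -> str:
        return self.email if LOGIN_FORM[self.directory] == "email" else self.user


def audit_names(admins, end_users):
    """Return (conflicts, case_variants) as sorted lists of (admin, login_id).

    conflicts: exact matches. Per the note, the administrator takes precedence
    and the end user is locked out (or, with an identical password, lands in
    the administrator account).
    case_variants: names differing only by case. Logins are case-sensitive, so
    these are not conflicts, but they are easy to confuse.
    """
    by_lower = {}
    for admin in admins:
        by_lower.setdefault(admin.lower(), []).append(admin)
    conflicts, case_variants = [], []
    for user in end_users:
        login = user.login_id()
        for admin in by_lower.get(login.lower(), []):
            (conflicts if admin == login else case_variants).append((admin, login))
    return sorted(conflicts), sorted(case_variants)


# Constructed sample data.
ADMINS = ["admin", "kris", "Pat", "quarantine@example.com"]
END_USERS = [
    EndUser("kris", "kris@example.com", "active_directory"),  # exact conflict
    EndUser("kris", "kris@example.com", "iplanet"),           # logs in by email: no conflict
    EndUser("pat", "pat@example.com", "active_directory"),    # case variant of "Pat"
    EndUser("quarantine", "quarantine@example.com", "exchange55"),  # conflict by email
]

if __name__ == "__main__":
    conflicts, variants = audit_names(ADMINS, END_USERS)
    for admin, login in conflicts:
        print(f"CONFLICT: administrator '{admin}' shadows end-user login '{login}'")
    for admin, login in variants:
        print(f"case variant: administrator '{admin}' vs end-user login '{login}'")
```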
To log in as an administrator
1
Access your Control Center from a browser.
The default login address is:
https://<hostname>:41443
where <hostname> is the hostname you designated for your appliance during initialization. Or, you can use the IP address in place of <hostname>.
You may see a security alert message.
2
If you see a security alert message, accept the self-signed certificate to continue.
The Control Center log in page is displayed.
3
You may choose the language in which you want to operate the Quarantine and end user views of the Control Center.
Below the text entry fields you will see a list of languages. The language currently in use is displayed in normal text. The other languages are displayed underlined and highlighted. Click on another language to use that language instead.
4
In the User name box, type the user name given to you by your system administrator.
If you are the first administrator to use this appliance, type: admin
5
In the Password box, type your administrative password.
Contact your system administrator if you do not know the password.
6
Click Login.
To log in as an end user with an iPlanet or Sun ONE Directory Server
Note: To do this, LDAP authentication must be enabled.
1
Access your Control Center from a browser.
The default login address is:
https://<hostname>:41443
where <hostname> is the hostname you designated for your appliance during initialization. Or, you can use the IP address in place of <hostname>.
You may see a security alert message.
2
If you see a security alert message, accept the self-signed certificate to continue.
The Control Center log in page is displayed.
3
If necessary, choose the language in which you want to operate the Control Center.
Below the text entry fields you will see a list of names of languages. The name of the language currently in use is displayed in normal text. The names of other languages are displayed underlined and highlighted. Click on the name of another language to use that language instead.
4
In the User name box, type your full email address (for example, kris@example.com).
5
In the Password box, type the password you normally use to log in to your system.
6
Click Login.
To log in as an end user with an Active Directory account
1
Access your Control Center from a browser.
The default login address is:
https://<hostname>:41443
where <hostname> is the hostname you designated for your appliance during initialization. Or, you can use the IP address in place of <hostname>.
You may see a security alert message.
2
If you see a security alert message, accept the self-signed certificate to continue.
The Control Center log in page is displayed.
3
If necessary, choose the language in which you want to operate the Control Center.
Below the text entry fields you will see a list of names of languages. The name of the language currently in use is displayed in normal text. The names of other languages are displayed underlined and highlighted. Click on the name of another language to use that language instead.
4
In the User name box, type your user name (for example, kris).
5
In the Password box, type the password you normally use to log in to your system.
6
Select the LDAP server you use to verify your credentials (not shown).
7
Click Login.
To log in as an end user with an Exchange 5.5 account
1
Access your Control Center from a browser.
The default login address is:
https://<hostname>:41443
where <hostname> is the hostname you designated for your appliance during initialization. Or, you can use the IP address in place of <hostname>.
You may see a security alert message.
2
If you see a security alert message, accept the self-signed certificate to continue.
The Control Center log in page is displayed.
3
If necessary, choose the language in which you want to operate the Control Center.
Below the text entry fields you will see a list of names of languages. The name of the language currently in use is displayed in normal text. The names of other languages are displayed underlined and highlighted. Click on the name of another language to use that language instead.
4
In the User name box, type your full primary email address (for example, kris@example.com).
5
In the Password box, type the password you normally use to log in to your Windows system.
6
Click Login.
To determine your primary email address for Exchange 5.5, check the following in Outlook 2000 or Outlook 2003
1
Click Tools, click Address Book.
2
Type your name in the Type Name or Select from List box.
3
Double-click your name in the list displayed, and then click E-mail Addresses.
The mail address on the line starting with SMTP: in capitals is your primary email address.
To log out
1
Click the Log Out icon in the upper right corner of the current page.
2
For security purposes, close your browser window to clear your browser’s memory.
Having trouble logging in or out?
If you are having trouble logging in or logging out, consider the following:
When logging in, make sure you type your user name and password in the correct case. Note the difference between kris, Kris, and KRIS.
You are automatically logged out if you don’t use the Control Center for 30 minutes. If it happens, log in again.
Migrating to Symantec Mail Security 7.5
This section is intended for customers who have a version of Symantec Mail Security previous to version 7.5.
Migration considerations
Before running software update, review this information.
Vital considerations
The two most important migration considerations are:
Back up your existing data before running software update.
See “Backing up existing Control Center data” on page 51.
Do not reboot while software update is in process.
The software update process may take several hours to complete. A notification displays in the Control Center when the software update process is complete. If you reboot before the process is complete, data corruption is likely. If data corruption occurs, the appliance must be re-installed with a factory image with assistance from Symantec Technical Support.
Changes to expect in Symantec Mail Security 7.5
Refer to the Symantec Mail Security Appliance Administration Guide for a complete list of changes in Symantec Mail Security 7.5.
The major changes for Symantec Mail Security 7.5 include:
Some of the tabs in the Control Center have changed and the locations of pages have changed.
Email can now have multiple dispositions.
New content filtering settings are available.
Instant messages can be filtered for viruses and spim.
IM filtering is disabled by default. To employ IM filtering, configure and enable it after migration.
What happens to my existing data and settings?
Existing data and settings are migrated as follows:
Existing settings will migrate to Symantec Mail Security 7.5 unchanged.
Data such as Spam Quarantine, logs, and report data will migrate to Symantec Mail Security 7.5 unchanged.
Policies may be changed slightly and the behavior of the policies may be different because multiple dispositions are now supported.
Supported previous versions
You can update to Symantec Mail Security 7.5 from all previous versions of Symantec Mail Security. No intermediate updates are necessary. When the software update process is complete, the appliance will be updated to Symantec Mail Security 7.5.
Migration planning
Consider these details before proceeding with migration.
There is no option to update a Control Center and multiple Scanners at once. Each appliance must be updated individually.
If you have one or more individual Scanners, it's best to update Scanners before updating the Control Center. However, updating the Control Center first is also supported.
If you have one or more individual Scanners, you do not have to update all of your Scanners at the same time. For example, you can update some Scanners to version 7.5 and leave some with the older version so that some Scanners continue to protect your site while you migrate others. However, a Symantec Mail Security 7.5 Control Center cannot make configuration changes to a pre-version 7.5 Scanner. A pre-version 7.5 Control Center cannot make configuration changes to a version 7.5 Scanner. But in both of these cases, a Scanner that was previously working will continue to work as before. However, no log or report data will be forwarded to the Control Center.
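The planning rules above can be traced through a staged rollout to see which Scanners are temporarily outside Control Center management and log collection at each step. This is an added example, not part of the product: the host names and the pre-7.5 version strings are constructed, and the update order follows the guide's preference of Scanners first, Control Center last.

```python
from dataclasses import dataclass, replace

TARGET = (7, 5)  # Symantec Mail Security 7.5, the migration target


@dataclass(frozen=True)
class Host:
    name: str     # hypothetical host name
    role: str     # "scanner" or "control_center"
    version: str  # dotted version string (constructed sample values)


def is_migrated(host):
    """True when the host already runs 7.5 or later."""
    return tuple(int(p) for p in host.version.split(".")[:2]) >= TARGET


def update_order(hosts):
    """Hosts still to update, one at a time: Scanners first, Control Center last."""
    pending = [h for h in hosts if not is_migrated(h)]
    return [h.name for h in sorted(pending, key=lambda h: (h.role != "scanner", h.name))]


def unmanaged_scanners(hosts):
    """Scanners on the other side of the 7.5 boundary from the Control Center.

    They keep filtering as before, but the Control Center cannot change their
    configuration and receives no log or report data from them.
    """
    cc = next(h for h in hosts if h.role == "control_center")
    return sorted(h.name for h in hosts
                  if h.role == "scanner" and is_migrated(h) != is_migrated(cc))


def rollout_gaps(hosts):
    """Simulate the rollout; return [(host just updated, unmanaged Scanners after it)]."""
    state = {h.name: h for h in hosts}
    steps = []
    for name in update_order(hosts):
        state[name] = replace(state[name], version="7.5.0")
        steps.append((name, unmanaged_scanners(list(state.values()))))
    return steps


# Constructed inventory: one Scanner already migrated, everything else pending.
FLEET = [
    Host("cc1", "control_center", "5.0.1"),
    Host("scan-a", "scanner", "7.5.0"),
    Host("scan-b", "scanner", "5.0.1"),
    Host("scan-c", "scanner", "5.0.1"),
]

if __name__ == "__main__":
    for updated, gap in rollout_gaps(FLEET):
        print(f"after updating {updated}: no config or logs for {gap or 'none'}")
```

With Scanners updated first, the set of Scanners not reporting to the Control Center grows until the Control Center itself is updated, so plan log review on the Scanners themselves for that window.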
Backing up existing Control Center data
Back up your existing data to a separate computer in case a problem occurs during migration. Follow this procedure on your existing Control Center to back up your existing data before migration. You can also back up your data using the db-backup command on the command line interface.
To back up your existing data
1
It's a good idea to reduce the amount of data to be backed up. For example, these measures can reduce the amount of data backed up:
Reduce the maximum log size or reduce the length of time that log data is stored.
Clear all report data or reduce the length of time that report data is stored.
Delete old messages in Spam Quarantine or reduce the number of days to store Spam Quarantine messages.
If you reduce the length of time that log, report, or Spam Quarantine data is stored or reduce the maximum log size, you must wait for the applicable Expunger process to run to delete the extra data.
2
In the Control Center, click Administration > Backup.
3
Back up your existing data to a remote location using FTP.
For detailed instructions, refer to the online help or Symantec Mail Security Implementation or Administration Guide for your product version.
4
If your backup completes successfully, proceed with migration.
If your backup fails, attempt to further reduce the amount of data backed up as described in step 1.
Running software update
This procedure describes how to migrate to the current release using the Control Center. The procedure for updating using the command line interface is not described, but it is supported.
To run software update
1
If you're updating a Control Center, ensure that you've backed up your existing data.
See “Backing up existing Control Center data” on page 51.
2
In the Control Center, click Administration > Software Updates.
If you already updated the Control Center to Symantec Mail Security 7.5 and are updating Scanners, click Administration > Hosts > Version and then click the Updates tab.
3
Select a Control Center or Scanner host.
See “Migration planning” on page 50.
4
Click the 7.5.x version and then click update.
Wait for the update process to complete, which may take several hours. Do not reboot the appliance you're updating during this process.
5
A message is displayed when the software update is complete.
If you've updated the Control Center, either click your browser's refresh button or close and re-open it to ensure that cached versions of graphics are redisplayed correctly.