Symantec 10547829 - Mail Security For Smtp 5.0 Smb, Mail Security Appliance Installation Manual
Page 1
Symantec Mail Security
Appliance Installation Guide
Symantec Information Foundation
Page 2
Symantec Mail Security Appliance Installation Guide
The softwaredescribed in this book is furnished under a license agreement and may be used
only in accordance with the terms of the agreement.
PN: 10747600
Legal Notice
Copyright © 2007 Symantec Corporation.
All rights reserved.
Symantec, the Symantec Logo, and LiveUpdate are trademarks or registered trademarks of
Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be
trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use,
copying, distribution, and decompilation/reverse engineering. No part of this document
may be reproduced in any form by any means without prior written authorization of
Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,
ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO
BE LEGALLYINVALID. SYMANTEC CORPORATIONSHALL NOT BE LIABLE FOR INCIDENTAL
OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED
IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in
Commercial Computer Software or Commercial Computer Software Documentation", as
applicable, and any successor regulations. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S.
Government shall be solely in accordance with the terms of this Agreement.
Page 3
Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014
http://www.symantec.com
Page 4
Technical Support
Symantec Technical Support maintains support centers globally. Technical
Support’s primary role is to respond to specific queries about product feature and
function, installation, and configuration. The Technical Support group also authors
content for our online Knowledge Base. The Technical Support group works
collaboratively with the other functional areas within Symantec to answer your
questions in a timely fashion. For example, the Technical Support group works
with Product Engineering and Symantec Security Response to provide alerting
services and virus definition updates.
Symantec’s maintenance offerings include the following:
■ A range of support options that give you the flexibility to select the right
amount of service for any size organization
■ A telephone and web-based support that provides rapid response and
up-to-the-minute information
■ Upgrade insurance that delivers automatic software upgrade protection
■ Global support that is available 24 hours a day, 7 days a week worldwide.
Support is provided in a variety of languages for those customers that are
enrolled in the Platinum Support program
■ Advanced features, including Technical Account Management
For information about Symantec’s Maintenance Programs, you can visit our Web
site at the following URL:
www.symantec.com/techsupp/
Select your country or language under Global Support. The specific features that
are available may vary based on the level of maintenance that was purchased and
the specific product that you are using.
Contacting Technical Support
Customers with a current maintenance agreement may access Technical Support
information at the following URL:
www.symantec.com/techsupp/
Select your region or language under Global Support.
Before contacting Technical Support, make sure you have satisfied the system
requirements that are listed in your product documentation. Also, you should be
at the computer on which the problem occurred, in case it is necessary to recreate
the problem.
Page 5
When you contact Technical Support, please have the following information
available:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical
support Web page at the following URL:
www.symantec.com/techsupp/
Select your region or language under Global Support, and then select the Licensing
and Registration page.
Customer service
Customer service information is available at the following URL:
www.symantec.com/techsupp/
Select your country or language under Global Support.
Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade insurance and maintenance contracts
■ Information about the Symantec Value License Program
Page 6
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs or manuals
Maintenance agreement resources
If you want to contact Symantec regarding an existing maintenance agreement,
please contact the maintenance agreement administration team for your region
as follows:
■ Asia-Pacific and Japan: contractsadmin@symantec.com
■ Europe, Middle-East, and Africa: semea@symantec.com
■ North America and Latin America: supportsolutions@symantec.com
Additional Enterprise services
Symantec offers a comprehensive set of services that allow you to maximize your
investment in Symantec products and to develop your knowledge, expertise, and
global insight, which enable you to manage your business risks proactively.
Enterprise services that are available include the following:
These solutions provide early warning of cyber
attacks, comprehensive threat analysis, and
countermeasuresto prevent attacks beforethey occur.
Symantec EarlyWarningSolutions
These services remove the burden of managing and
monitoring security devices and events, ensuring
rapid response to real threats.
Managed Security Services
Symantec Consulting Services provide on-site
technical expertise from Symantec and its trusted
partners. Symantec Consulting Services offer a variety
of prepackaged and customizableoptions that include
assessment, design, implementation, monitoring and
management capabilities,each focusedon establishing
and maintaining the integrity and availability of your
IT resources.
Consulting Services
Educational Services provide a full array of technical
training, security education, security certification,
and awareness communication programs.
Educational Services
Page 7
To access more information about Enterprise services, please visit our Web site
at the following URL:
www.symantec.com
Select your country or language from the site index.
Page 8
Page 9
Technical Support
Chapter 1 Planning your deployment
General deployment considerations . .. ..... . ..... .. .. ..... .. ..... . ..... .. .. ..... .. . 11
MTA usage ..... ..... . ..... .. .. ..... .. .. ..... .. ..... . ..... .. .. ..... .. .. ..... .. .. ..... .. 11
Configuring Scanners .. .. ..... . ..... .. .. ..... .. ...... ..... .. .. ..... .. .. ..... .. .. ... 11
Positioning with other filtering products ... . ..... .. .. ..... .. .. ..... .. ...... . 12
Filtering internal deliveries .. ..... . ..... .. .. ..... .. .. ..... .. ...... ..... .. .. ..... 12
LDAP services .... .. ..... .. .. ..... .. .. ..... .. .. ..... .. ...... ..... .. .. ..... .. .. ..... .. . 12
Load balancing . .. .. ..... .. .. ..... .. ..... . ..... .. .. ..... .. .. ..... .. .. ..... .. ..... . ... 13
Adjusting MX records . ..... .. ..... . ..... .. .. ..... .. .. ..... .. .. ..... .. ..... . ..... .. . 13
Deployment models ... .. ..... .. .. ..... .. .. ..... .. .. ..... .. .. ..... .. ..... . ..... .. .. ..... .. 14
Basic gateway deployment .. .. ..... . ..... .. .. ..... .. ..... . ..... .. .. ..... .. .. ..... 14
Multi-tier gateway deployment .... .. .. ..... .. .. ..... .. .. ..... .. ..... . ..... .. .. 15
Post-gateway deployment .... ..... .. .. ..... .. .. ..... .. .. ..... .. ...... ..... .. .. ... 17
Chapter 2 Understanding system requirements
Factors that affect performance . .. ..... .. .. ..... .. .. ..... .. .. ..... .. ..... . ..... .. .. .. 19
Environmental factors that affect performance . ..... . ..... .. ...... ..... .. . 19
Settings that affect performance .... .. .. ..... .. ...... ..... .. .. ..... .. .. ..... .. . 20
Ports used by Symantec Mail Security .... .. ..... .. .. ..... .. .. ..... .. .. ..... .. ..... 21
Configuring your firewall for connections to public IM network
servers . ..... . ..... .. ..... . ..... .. .. ..... .. .. ..... .. .. ..... .. ..... . ..... .. .. ..... . 24
Chapter 3 Setting up the Symantec Mail Security Appliance
Before you set up your appliance .. .. ..... . ..... .. .. ..... .. .. ..... .. ...... ..... .. .. ... 25
Compatible browsers .... ..... . ..... .. ..... . ..... .. .. ..... .. .. ..... .. .. ..... .. ..... . 26
Configuring SSH clients to log into an appliance .. .. ..... .. .. ..... .. ...... 26
Configuring your DNS for IM filtering ..... .. ..... .. .. ..... .. .. ..... .. .. ..... . 27
How to set up the appliance . ..... . ..... .. .. ..... .. .. ..... .. ..... . ..... .. .. ..... .. .. .... 28
Configuring your network to include the new appliance .. .. ..... .. ..... . 29
Understanding key indicators and controls for rack-mounted
appliances .... .. ..... .. .. ..... .. .. ..... .. .. ..... .. ..... . ..... .. .. ..... .. .. ..... . 29
Initialize your new appliance ..... .. ..... . ..... .. .. ..... .. ..... . ..... .. .. ..... .. . 30
Contents
Page 10
Registering your system . .. .. ..... .. .. ..... .. .. ..... .. .. ..... .. ..... . ..... .. .. .... 33
Updating a new appliance to the latest software ..... ..... . ..... .. .. ..... .. 35
Setting up a Control Center with optional Scanner ... ..... .. .. ..... .. .. ... 35
Setting up a Scanner .. ..... . ..... .. ...... ..... .. .. ..... .. .. ..... .. .. ..... .. ...... .. 40
Completing setup . . ..... .. ..... . ..... .. .. ..... .. .. ..... .. .. ..... .. ..... . ..... .. .. ... 44
Logging in and logging out ..... .. ..... . ..... .. .. ..... .. .. ..... .. .. ..... .. ..... . ..... .. . 45
Having trouble logging in or out? .... .. ..... .. .. ..... .. .. ..... .. .. ..... .. ...... 49
Migrating to Symantec Mail Security 7.5 . . ..... .. ...... ..... .. .. ..... .. .. ..... .. .. . 49
Migration considerations ... .. ..... .. .. ..... .. .. ..... .. ..... . ..... .. .. ..... .. .. ... 49
Backing up existing Control Center data ..... .. .. ..... .. .. ..... .. .. ..... .. ... 51
Running software update .. .. ..... .. ...... ..... .. .. ..... .. .. ..... .. .. ..... .. ...... 52
Index
Contents10
Page 11
Planning your deployment
This chapter includes the following topics:
■ General deployment considerations
■ Deployment models
General deployment considerations
This section provides information about integrating Symantec Mail Security into
your network.
Note: Multiple Scanner scenarios are common for organizations with system
failover needs or high mail scanning throughput requirements.
MTA usage
Symantec Mail Security contains a Message Transfer Agent (MTA), which processes
and relays messages to support filtering activities.
Note: Symantec Mail Security provides neither mailbox access for end users nor
message storage. You must provide an MTA for use in your email infrastructure.
Configuring Scanners
During installation, you can use a wizard to add a Scanner. Depending on your
filtering requirements and messaging environment, you may want to deploy
multiple Scanners. In such cases, you can dedicate Scanners to specific functions.
For example, you might want one Scanner to filter inbound mail, another to filter
outbound mail, and another to filter instant messages.
1
Chapter
Page 12
Positioning with other filtering products
In order for Symantec Mail Security's spam and Content Compliance filters to
function properly, you should avoid placing the product behind other filtering
products (such as content filters) or MTAs that alter or remove pre-existing
message headers or modify the message body.
Filtering internal deliveries
You can force internal mail through Symantec Mail Security to avoid propagation
of viruses and spam generated by email mass-mailing worms that may have been
picked up by individuals via Web browsing or downloading.
LDAP services
LDAP (Lightweight Directory Access Protocol) is a directory name service that
allows organizations to structure email directory data according to the
organization's own structure, whether by location, business unit, department, or
other criteria. Organizations with multiple internal mail hosts rely on centralized
LDAP servers to synchronize changes made to email directories across the
organization. Symantec Mail Security supports LDAP services to authenticate
user access to Spam Quarantine and to synchronize email directory information
stored in the Control Center with LDAP directories. These services synchronize
LDAP user, alias, and group directory data with the Control Center's own directory
data stores for subsequent replication to attached and enabled Scanners. They
convert the data to formats compatible with Spam Quarantine, Scanner, and
Control Center data stores while minimizing impact on directory infrastructure.
If your organization uses an LDAP server, Symantec Mail Security must be
configured so that it can access LDAP directories and update the Control Center's
data stores.
The Control Center can use directory information from LDAP servers at your site
for any of the following purposes:
The Control Center can use data from your LDAP server to
determine whether users are allowed access to Quarantine.
The Control Center authenticates users by checking their
user-name and password data directly against the LDAP source.
Authentication
Planning your deployment
General deployment considerations
12
Page 13
The Control Center can synchronize user and group email
address data from your LDAP server and replicate it to
Scanners. This data is then used to validate message recipients,
apply policies to groups, recognize directory harvest attacks,
and expand distribution lists (aliases). LDAP-authenticated
user and group email address data are cached in the Control
Center for subsequent replication to Scanners but are not
written back to the LDAP source.
Synchronization
The Control Center uses LDAP user and password data to route
email messages based on alias and/or transport specification
to specified domains.
Routing
Symantec Mail Security supports the following LDAP directory types:
■ Windows 2000 Active Directory
■ Windows 2003 Active Directory
■ Sun Directory Server 5.2 (formerly known as the iPlanet Directory Server)
Note: If you are using Sun Directory Server 5.2, you must update to patch 4 to
address some changelog issues that arose in patch 3.
■ Exchange 5.5
■ Lotus Domino LDAP Server 6.5
Load balancing
Symantec Mail Security is not intended to be used for load balancing.
Administrators can associate only one host name or IP address as the MTA to
which email is relayed. You must implement multiple Scanners to perform load
balancing.
Adjusting MX records
When you implement Symantec Mail Security in front of a separate MTA that
receives inbound messages, you must to change the DNS mail exchange (MX)
records. The records must point incoming messages to the system. Symantec Mail
Security should have a higher priority than the existing MTA.
However, if you simply list Symantec Mail Security as a higher-weighted MX
record in addition to the existing MX record, spammers can look up the previous
MTA's MX record. This allows them to send spam directly to the old server,
13Planning your deployment
General deployment considerations
Page 14
bypassing your spam filtering. To prevent spammers from circumventing the new
spam-filtering servers, you should do one of the following:
■ The MX record should point at your Symantec Mail Security. Do not point the
MX record at downstream MTAs.
■ Remove the previous MTA's MX record from DNS.
Block off the MTA from the Internet using a firewall.
■ Modify the firewall's network address translation (NAT) tables to route external
IP addresses to internal non-routable IP addresses. You can then map from
the old server to Symantec Mail Security.
■ When naming Symantec Mail Security, ensure that the name you choose does
not imply its function. For example, antispam.yourdomain.com,
symantec.yourdomain.com,or antivirus.yourdomain.com are not good choices.
■ If you want to send mail to a downstream MTA, you can use a load balancer.
Deployment models
You can deploy Symantec Mail Security in the following ways:
■ Basic gateway deployment
■ Multi-tier gateway deployment
■ Post-gateway deployment
Basic gateway deployment
This is the simplest deployment model. Symantec Mail Security resides at the
outermost gateway layer inside the enterprise firewall. It provides Secure Email
Services by relaying inbound mail to other relay layers or to the user-facing mail
server layer. Symnatec Mail Security routes outbound mail through local relay
for delivery to local domain addresses or through the firewall to the Internet.
Inbound and outbound mail are both processed on one Ethernet NIC through a
single IP address. Inbound and outbound traffic can be logically separated by
assigning one to the physical IP and the other to a virtual IP address or by assigning
inbound and outbound traffic to separate ports (such as 25 and 26).
On all configured server computers, port 443 must be configured to permit
outbound connections to Symantec to download content updates.
Figure 1-1 shows Symantec Mail Security deployed at the gateway, behind a
firewall.
Planning your deployment
Deployment models
14
Page 15
Figure 1-1
Basic gateway deployment
Advantages
The basic gateway deployment takes advantage of Symantec Mail Security's
proximity to the Internet.
■ Because spam emanates from the outside world, the gateway is the logical and
effective place to deploy Symantec Mail Security.
■ When you deploy the system closer to the gateway, you can minimize mail
processing and storage requirements as well as network bandwidth via Email
Firewall filtering.
Considerations
Administrators considering the basic gateway deployment should take into account
the following factors:
■ Some organizations prefer to have secure gateways with no other services
running. In these environments, all other services run behind the first gateway
layer.
■ Some smaller organizations do not have dedicated gateway servers or a gateway
layer. Instead, they deploy gateway servers and internal mail servers on the
same computers.
Multi-tier gateway deployment
Note: This model may be implemented with one or more Scanner hosts.
Figure 1-2 shows Symantec Mail Security in a multi-tier gateway deployment,
with multiple Scanners in the DMZ and a Control Center behind a second firewall.
15Planning your deployment
Deployment models
Page 16
Figure 1-2
Multi-tier gateway deployment
Advantages
A multi-tier gateway deployment maximizes Symantec Mail Security's network
administration capacities.
■ This configuration meets a common security audit requirement in that all data
stores are in the second tier, including the Control Center and Spam Quarantine
databases.
■ Inbound traffic may be load balanced across multiple scanners with this model.
■ Compared with basic gateway deployment, this configuration eliminates a
single point of failure for message scanning.
■ This model allows administrators to take individual Scanners offline for
maintenance without incurring downtime.
■ This scenario enables load balancing of filtered mail across multiple
downstream MTAs.
Considerations
With its greater administrative controls, a multi-tier deployment requires higher
administrative and maintenance overhead.
■ This approachrequires more administrative overhead and complex networking
than a basic gateway deployment.
■ With increased hardware and maintenance costs, this model could require a
higher total cost of operation.
Planning your deployment
Deployment models
16
Page 17
Post-gateway deployment
Note: This model may be implemented with one or more SMTP gateway MTAs
and one or more Scanner hosts.
Figure 1-3 shows Symantec Mail Security deployed after MTAs at the firewall.
Figure 1-3
Post-Gateway deployment
MTAs at the gateway layer accept unfiltered mail from the Internet then relay it
to Symantec Mail Security. The system filters mail from the gateway layer and
relays mail to other MTAs downstream.
Advantages
Your network configuration may require that you place your Scanner hosts with
your SMTP gateway MTA in a "demilitarized zone" between two firewalls.
■ If you have a customized MTA or specific business needs, then running this
configuration may outweigh the extra overhead and loss of functionality.
Considerations
Post-gateway deployment limits the functionality of Scanners and may decrease
system throughput.
■ This configuration limits Scanner functionality as IP-based defenses are
nullified.
■ Unless the SMTP Gateway is performing filtering, all email is processed by
the gateway (read, stored, and forwarded) then sent to the system, which must
17Planning your deployment
Deployment models
Page 18
then read, filter, and take some action based on the verdict. Such redundancy
may add overhead, thereby decreasing throughput.
Planning your deployment
Deployment models
18
Page 19
Understanding system
requirements
This chapter includes the following topics:
■ Factors that affect performance
■ Ports used by Symantec Mail Security
Factors that affect performance
The performance of Symantec Mail Security appliances can be affected by many
factors. This section provides guidelines regarding those factors, and suggestions
that may improve performance.
Overall performance involvesseveral factors, some depending on the configuration
and deployment options you choose, and others depending on external factors,
such as the percentage of your organization’s email that is spam.
Environmental factors that affect performance
Environmental factors, including historical usage patterns of your particular
deployment, will affect system performance. Prior to installation, collect
information about your environment to understand typical usage patterns:
■ Outgoing SMTP connections. This can cause additional overhead by swelling
disk queues with email destined for remote email servers which may not be
immediately accepting new email. Larger queues on disk result in reduced
MTA performance. Ideally, inbound and outbound mail streams should be
configured to work on separate appliances.
2
Chapter
Page 20
■ External MTA performance. If appropriate, determine the performance of the
MTA sending incoming email to your MTA, and the performance of your
gateway MTAs and message store.
The characteristics of messages sent and received can impact performance. Key
parameters to identify are:
■ Average message size
■ Number of messages with attachments
■ Average attachment size
■ Types of attachments
■ Percentage of virus-infected messages in the email traffic
■ Types of end-users (ISP or enterprise)
Settings that affect performance
The choices you make when configuring Symantec Mail Security appliances affect
their performance.
Filtering performance considerations
If a message has more than one recipient, each with different group policies, then
the Scanner may need to bifurcatethe message (split it into one or more messages)
for modificationprior to delivery. Bifurcatedmessages resulting from many group
policies may degrade performance. Use group policies as necessary but be aware
that using a large number of policies can affect performance.
Control Center performance considerations
The Control Center is used to start and stop servers; view logs and reports; set
configuration options; backup, restore, and reset system software; and consolidate
statistics, report data, and logs. Consider the following regardingits configuration:
■ Number of Scanners - The number of Scanners a Control Center collectslogging
and statistics from can impact the Control Center's performance. As you add
Scanners to a Control Center, monitor the Control Center's performance to
ensure that it does not degrade to unacceptable levels.
■ Log level - The higher the log levels, the more data the Control Center must
consolidate over the network. Consider keeping log levels relatively low unless
you are troubleshooting. You can also set logs to be expunged more frequently.
■ Scheduled reports - Schedule reports for times when utilization is low.
Understanding system requirements
Factors that affect performance
20
Page 21
■ Role of Control Center host - In cases where the Control Center host is also a
busy Scanner host, the Scanner and Control Center must share the resources
of a single appliance machine, which may affect performance.
Quarantine and LDAP performance considerations
Consider the following Quarantine and LDAP performance implications.
■ Number of messages expected per day into Quarantine - The more messages
placed in the Quarantine, the larger the database, and the more processing
required. Reduce the maximum size of the Quarantine database by deleting
spam, or by reducing spam retention time.
■ Number of end users logging into the Quarantine interface - More connections
to end users results in more overhead for the system.
■ LDAP server throughput - LDAP lookups for message recipients against a
limited capacity LDAP server will severely impair Quarantine performance.
Ensure you have adequate capacity on your LDAP server.
■ Message queues - Because the Quarantine database is stored on the Control
Center appliance, Quarantine's SMTP server may slow down, causing the
Scanner’s delivery MTA to back up when the destination MTA is accepting
messages either slowly or not at all. If this occurs, some legitimate mail
messages may be delayed.
■ HTTPS use - Secure HTTP connections are encrypted. Encrypting and
decrypting the data in both directions, per connection, is secure but is also
more CPU intensive than HTTP. Also, the larger your HTTPS key size, the
more CPU cycles it may consume.
Ports used by Symantec Mail Security
The following tables list ports reserved for Symantec Mail Security for SMTP
components and functions. These assignments may differ slightly depending on
your environment and filtering types (inbound, outbound, or both).
Table 2-1
Reserved ports for the Symantec Mail Security Appliance
DescriptionToFromProtocolPort
Rapid responseantivirus updatesInternetApplianceTCP21
SSH connectivity to the
appliance (CLI)
Internal Appliance
Addresses
Management
hosts
TCP22
Inbound internet mail trafficApplianceInternetTCP25
21Understanding system requirements
Ports used by Symantec Mail Security
Page 22
Table 2-1
Reserved ports for the Symantec Mail Security Appliance (continued)
DescriptionToFromProtocolPort
Inbound internal mail trafficInternal mail serversApplianceTCP25
Outbound internal mail trafficApplianceInternal mail
servers
TCP25
Outbound internet mail trafficInternet mail hostsApplianceTCP25
Recursive DNS lookupsApplianceInternetTCP53
Default automatic antivirus
updates
InternetApplianceTCP80
Appliance time sync server
sources
Internal NTP Servers
or Internet
ApplianceUDP123
LDAP server access to
synchronize users/groups/d-lists
LDAP serversApplianceTCP389
Rule updates, software updates
and license registration
InternetApplianceTCP443
MSN MessengerTCP1863
1866
LDAP server access to
synchronize users/groups/d-lists
(Global Catalog Access)
LDAP serversApplianceTCP3268
MySQL database connectionMySQL database
server
Control CenterTCP3306
Relay HubTCP5001
Yahoo Messenger5050,
5055,
5056,
80
AOL Instant Messenger (AIM)TCP5190
5194
Google TalkTCP5222
Understanding system requirements
Ports used by Symantec Mail Security
22
Page 23
Table 2-1
Reserved ports for the Symantec Mail Security Appliance (continued)
DescriptionToFromProtocolPort
IM remote command
Note: IMRelay will only accept
connections from 127.0.0.1 on
this port.
7007
SESA agent8086
LDAP synchronizationLDAP serversApplianceTCP11011
11013
LDAP synchronizationLDAP serversApplianceTCP11011
11013
BMI client41000
Communication between the
Control Center and Scanners
ScannersControl CenterTCP41002
Communication between the
Control Center and Scanners
Control CenterScannersTCP41002
Filter Hub deferred processing41015
41017
To send quarantined messages
to the Control Center
Control CenterScannersTCP41025
Disabled by defaultControl CenterManagement
hosts
TCP41080
Web management port forthe UIControl CenterManagement
hosts
TCP41443
Symantec Mail Security also uses the following Web addresses:
DescriptionPortProtocolURL
Used to retrieve new build versions443TCPswupdate.brightmail.com
Used to register the appliance443TCPregister.brightmail.com
Used to retrieve rules443TCPaztec.brightmail.com
23Understanding system requirements
Ports used by Symantec Mail Security
Page 24
DescriptionPortProtocolURL
Used for the appliance to sync time123UDPpool.ntp.org
Used for the appliance to sync time123UDPclock.isc.org
Used for the appliance to sync time123UDPtime.nist.gov
Default automatic antivirus
updates
80TCPliveupdate.symantecliveupdate
.symantec.com
Default automatic antivirus
updates
80TCPliveupdate.symantec.com
Rapid response antivirus21TCPupdate.symantec.com
Configuring your firewall for connections to public IM network servers
To enable IM filtering, you must configure your firewall to allow port connections
from your IM-filtering Scanner to the public IM network servers that you use.
Port connections to these servers from all other servers within your corporate
network should be blocked.
Table 2-2 lists the ports for which you must configure your firewall to allow
outbound connections to the Internet.
Table 2-2
Firewall port connection requirements
PortsIM Network
5190AIM
1863MSN Messenger
5050, 80Yahoo! Messenger
5222Google Talk
In addition to these firewall changes, changes to your DNS configuration are also
required to enable IM filtering.
See “Configuring your DNS for IM filtering” on page 27.
Understanding system requirements
Ports used by Symantec Mail Security
24
Page 25
Setting up the Symantec
Mail Security Appliance
This chapter includes the following topics:
■ Before you set up your appliance
■ How to set up the appliance
■ Logging in and logging out
■ Migrating to Symantec Mail Security 7.5
Before you set up your appliance
Each appliance can be used to perform a variety of functions in your system. For
smaller installations, the same appliance can be used to perform all needed
functions. Contact a sales representative for additional help with performance
sizing.
The available functions are:
3
Chapter
Page 26
Deployed as a Control Center, a Symantec Mail Security host
allows you to configure and manage email filtering, SMTP
routing, system settings, and all other functions from a
Web-based interface. Multiple Scanners can be configured
and monitored from your enterprise-wide deployment of
Symantec Mail Security, but only one Control Center can
be deployed to administer all the Scanner hosts. The Control
Center provides information on the status of all Symantec
Mail Security hosts in your system, including system logs
and extensive customizable reports. Use the Control Center
to configure both system-wide and host-specific details. The
Control Center provides the Setup Wizard, for initial
configuration of all Symantec Mail Security instances at
your site, and also the Add Scanner Wizard, for adding new
Scanners. The Control Centrer also hosts the Spam and
Suspect Virus Quarantines to isolate and store spam and
virus messages, respectively.
Control Center
Deployed as a Scanner, a Symantec Mail Security host filters
email for viruses, spam, and noncompliant messages.
Scanner
Performs both functions. Suitable for smaller installations.Control Center and Scanner
During initial setup, you will be asked to choose the function that this appliance
will perform. Before setting up the appliance, decide which function or set of
functions you will choose from the list above.
Compatible browsers
The appliance works with the following browsers:
■ Microsoft Internet Explorer 6.0 and 7.0
■ Firefox 2.0
Configuring SSH clients to log into an appliance
If you want to access the command line interface on an appliance, use an SSH
client to log into the appliance. Some SSH clients require special configuration
to log in to the appliance SSH server when using the SSH v2 protocol. If your SSH
client does not connect to your appliance, try configuring the client to use the
standard SSH server. If your client does not support that configuration option
and does not automatically detect it, configure the SSH client to use the SSH v1
protocol.
Setting up the Symantec Mail Security Appliance
Before you set up your appliance
26
Page 27
Configuring your DNS for IM filtering
If you want to use your Symantec Mail Security Appliance to filter IM traffic, two
differently configured types of DNS servers are required:
■ DNS accessed by internal hosts that routes internal IM traffic to a Scanner for
filtering
■ DNS accessed by Scanners that routes outgoing IM trafficto public IM networks
on the Internet
Changes to your firewall are also required for IM filtering.
See “Configuring your firewall for connections to public IM network servers”
on page 24.
Configuring DNS to route internal IM traffic to a Scanner
Your organization most likely has an internal DNS configured to direct your IM
client traffic directly to the Internet. If you want to use your Symantec Mail
Security Appliance to filter IM traffic, you must reconfigure your DNS to direct
your IM client traffic to your IM-filtering Scanner instead. You can do this by
either reconfiguring the existing forward lookup zones or creating new ones in
your DNS records for each public IM network that your organization uses, and
then assigning the IM-filtering Scanner's IP address as its host.
Table 3-1 lists the host names of each public IM network for whichyou must create
a forward lookup zone.
Configuring DNS to route outgoing IM traffic to public IM
networks
After filtering your IM messages, the Scanner directs your IM clients to their
public IM network servers.It does this by using an additional DNS that you specify
when you install Symantec Mail Security Appliance. This DNS can be one or both
of the following:
■ Internet Root DNS
This is a DNS that resides on the Internet. If you use this DNS, you must allow
a connection from your firewall to the Internet over port 53.
■ An internal corporate DNS
This is a DNS that resides within your corporate network, and is able to resolve
the server names of the public IM networks that you use.
27Setting up the Symantec Mail Security Appliance
Before you set up your appliance
Page 28
Caution: This DNS cannot be the same internal DNS that you use to direct your
IM clients to the Scanner. If it is, a loopback condition occurs where IM
messages are directed back to the Scanner instead of to the Internet.
Table 3-1 lists the public IM network server names that this DNS must be able
to resolve.
Table 3-1
Public IM network server names
Server/Host NamesIM Network
■ login.oscar.aol.com
■ toc.oscar.aol.com
■ ats.byoa.aol.com
■ slogin.oscar.aol.com
AIM
■ messenger.hotmail.comMSN Messenger
■ scs.msg.yahoo.com
■ scsa.msg.yahoo.com
■ scsb.msg.yahoo.com
■ scsc.msg.yahoo.com
■ scsd.msg.yahoo.com
■ scse.msg.yahoo.com
■ scsf.msg.yahoo.com
■ scsg.msg.yahoo.com
■ scsh.msg.yahoo.com
Yahoo! Messenger
■ talk.google.com
■ talkx.l.google.com
Google Talk
How to set up the appliance
Setting up your appliance involves the following tasks:
■ Configuring your network to include the new appliance
■ Initialize your new appliance
■ Setting up a Control Center with optional Scanner
■ See “Setting up a Scanner” on page 40.
After performing the above tasks, you can continue to add additional Scanners if
desired. Then proceed to the next chapter to complete system setup.
Setting up the Symantec Mail Security Appliance
How to set up the appliance
28
Page 29
Configuring your network to include the new appliance
For each appliance you set up, you will need a valid static IP address and a fully
qualified hostname. Before setting up your appliances, obtain the IP addresses
you will need. Perform whatever other tasks are necessary in your environment
to be able to include the new appliance in your network.
For Scanners also, ensure that your network is configured to permit outbound
connections to Symantec on port 443. For registration and ongoing operations,
Symantec appliances communicate with Symantec Security Response over a
secure connection.
Understanding key indicators and controls for rack-mounted appliances
This section applies to rack-mountable appliance models only.
Most of the controls on your appliance are not needed for normal, everyday use.
Of the connectors on the back panel, pay special attention to the labels for the
Ethernet jacks.
When you initialize your appliance, you will need to configure separately each
Ethernet jack you used, depending on your appliance model.
Front panel indicators
The two system identification buttons on the front and back panels can be used
to locate a particular system within a rack. When one of these buttons is pushed,
the blue system status indicators on the front and back of the system blink. To
stop the indicator from blinking, press one of the buttons a second time.
Table 3-2 describes the indicators on the system front panel.
Table 3-2
Front Panel Indicators
DescriptionLED Indicator
The blue systemstatus indicator lights up during normal system
operation.
The amber system status indicator flashes when the system
needs attention due to a system problem.
Blue/amber system
status indicator
The indicators for the two Ethernet jacks light if network
connections are active.
NIC1 corresponds to Ethernet jack 1.
NIC2 corresponds to Ethernet jack 2.
NIC1 and NIC2 link
indicators
29Setting up the Symantec Mail Security Appliance
How to set up the appliance
Page 30
Table 3-2
Front Panel Indicators (continued)
DescriptionLED Indicator
The green indicator in the center of the power button flashes if
AC power is available to the system, but the system is not
powered on.
The green indicator is on when the system is powered on.
If the system is not connected to AC power, the green indicator
is off.
Power indicator
Initialize your new appliance
Each deployment can have multiple Scanner appliances, but must have exactly
one Control Center appliance. Set up your Control Center appliance first, then set
up your Scanner appliances. If you are using the same appliance for both of these
functions, you will be asked questions regarding both the Control Center setup
and the Scanner setup.
To begin initialization
1
Unpack the appliance and either rackmount it or place it on a level surface,
and plug in AC power.
2
Connect the appliance using one of the following methods:
■ Connect a keyboard and VGA monitor to the appliance.
■ Connect another computer to the appliance via the serial port. Use a null
modem cable with a DB9 connector, and settings of 9600 bps, 8/N/1.
3
Connect an Ethernet cable to the Ethernet jack labeled 1 on the back panel,
which corresponds to eth0.
You can optionally also connect to the Ethernet jack labeled 2, which
correspondsto eth1, if you intend to use the second ethernet port for outbound
traffic.
4
Switch on the power.
When you first boot up the appliance, you are asked to log in, and then change
your password.
5
Log in using the login name admin and the password symantec.
Setting up the Symantec Mail Security Appliance
How to set up the appliance
30
Page 31
6
Type your new password twice when prompted.
Create your password wisely. Do not use something found in a dictionary (in
any language or jargon). Do not use a name (including that of a spouse, parent,
child, pet, fantasy character, famous person, and location) or any variation
of your personal or account name. Do not use accessible information about
you (such as your phone number, license plate, or social security number) or
your environment. Do not use a birthday or a simple pattern (such as
backwards, followed by a digit, or preceded by a digit. Instead, use a mixture
of upper and lower case letters, as well as digits or punctuation. When
choosing a new password, make sure it is unrelated to any previous password.
Use long passwords (8 characters or longer). You might use a pair of words
with punctuation inserted, a passphrase (an understandable sequence of
words), or the first letter of each word in a passphrase.
You are next asked for the host name.
7
Type a fully qualified DNS name for this host.
To avoid problems with message routing, this DNS name should not be your
mail domain.
For example:
mhost6.example.com
8
Choose a time zone when prompted, by entering the correct number.
You can type ? to see a list of time zones and corresponding numbers.
Continue with To specify Ethernet interfaces below.
To specify Ethernet interfaces
1
When prompted, type the IP address for the Ethernet interface labeled 1 on
the back of the appliance.
For example:
192.168.0.1
2
When prompted, type the netmask for Ethernet interface 1.
For example:
255.255.255.0
You are next asked if you want to use the second Ethernet interface, interface
2.
31Setting up the Symantec Mail Security Appliance
How to set up the appliance
Page 32
3
Type YES if you want to use interface 2.
Otherwise, skip to step 6.
4
When prompted, type the IP address for Ethernet interface 2.
For example:
192.168.12.3
5
When prompted, type the netmask for Ethernet interface 2.
For example:
255.255.255.0
6
When prompted, type the IP address of the default gateway (default router).
Continue with To specify DNS settings below.
To specify DNS settings
1
Type YES to use the Internet’s root DNS servers, or type NO and skip to step
3.
If you answered YES, you are asked if you also want to use your own DNS
servers.
2
Type YES to also use your own DNS servers, or type NO and follow the steps
in To specify the role of the appliance below.
3
When prompted, type the IP addresses of up to two DNS servers, then continue
with To specify the role of the appliance below.
If you plan to enable IM filtering, you will need a separate DNS for other hosts in
your network that routes IM traffic to a Scanner.
See “Configuring your DNS for IM filtering” on page 27.
To specify the role of the appliance
1
When prompted, choose a role for this appliance: Control Center, Scanner or
Scanner and Control Center.
See “Before you set up your appliance” on page 25.
2
If you chose Scanner only as the role for this appliance, specify when
prompted the IP address of the Control Center.
Setting up the Symantec Mail Security Appliance
How to set up the appliance
32
Page 33
3
If the summary information is correct, type YES; if not type NO and make
changes.
4
Continue with the next section.
The appliance will reboot. Once it has finished, continue with the next
procedure, registration.
Registering your system
After you complete the initialization process, you can access the appliance from
any computer that can connect with the appliance using a browser. Log in to the
Control Center as user admin, using the password you set during initialization in
order to register the appliance.
Note: For your Scanners, ensure that your network is configured to permit
outbound connections to Symantec on port 443. For registration and ongoing
operations, the appliances communicate with Symantec Security Response over
a secure connection.
To complete registration, you need the license file (.slf file) provided to you by
Symantec. Place this file on the computer from which you are accessing the Control
Center. Each time you add a Scanner, you must confirm your licenses or register
again. However, you can use the same .slf files for each Scanner.
Note: Licenses from other Symantec products, such as Symantec Brightmail
AntiSpam, will not work with Symantec Mail Security Appliances.
33Setting up the Symantec Mail Security Appliance
How to set up the appliance
Page 34
To register your first appliance
1
From a computer that can access the new appliance, locate the appliance in
a browser.
The default login address is:
https://<hostname>:41443
where <hostname> is the hostname you designated for your appliance during
initialization using the Control Center. Or, you can use the IP address in place
of <hostname>.
Port 41443 provides SSL access to the Control Center. HTTP access is disabled
by default. To use HTTP, you must enable HTTP via the command line
interface and specify port 41080.
See the Symantec Mail Security Appliance Administration Guide for
information on the http command.
You will see a security alert message.
2
Accept the self-signed certificate to continue.
The Control Center log in page is displayed.
3
Log in as user admin, using the password you set during initialization.
The License Registration page is displayed, showing the license status of each
feature.
4
On the License Registration page, click Browse to find your .slf file.
5
Select your .slf file and click Open to return to the License Registration page.
If you are registering a Premium feature such as Premium Content Compliance
(PCC) and you have a separate license for the PCC, register your license for
the feature on each Scanner that will be using the feature.
6
If your Scanner will be using a proxy server for communications with
Symantec, complete the proxy configuration fields.
7
Click Register.
If registration was successful, the License Registration page returns. If there
was an error, you will see error text at the top of the page.
For registration and ongoing operations, the appliance communicates with
Symantec Security Response over a secure connection. If registration has
failed, ensure that your network is configuredto permit outbound connections
to Symantec on port 443.
Setting up the Symantec Mail Security Appliance
How to set up the appliance
34
Page 35
8
If you have another .slf file for a different feature, repeat steps 4, 5 , and 7.
9
When all your .slf files are successfully registered, click Next.
Updating a new appliance to the latest software
If your software is up-to-date, the Setup Wizard is displayed. Skip to the next
section.
If a software update is available, the Software Update page is displayed. Symantec
strongly recommends that you apply all available updates.
On the Software Update page you can:
■ Click Skip to update your software later.
■ Click Update to update your software now. After the update, the Setup Wizard
is displayed.
Note: When you have finished updating the Control Center appliance, either
click your browser's refresh buttonor close and re-open it to ensure that cached
versions of graphics are redisplayed correctly.
Updating an appliance that is running a previous version of Symantec Mail Security
is described in a separate section.
See “Migrating to Symantec Mail Security 7.5” on page 49.
Setting up a Control Center with optional Scanner
Setting up your appliances involves setting up the Control Center and then using
the Setup Wizard on the Control Center to configure all of your site-wide settings.
Depending on how you plan to use this appliance, perform the remaining setup
tasks as follows:
■ If you plan to use this appliance as your Control Center only, or as both your
Control Center and as a Scanner, continue with the procedures in this section.
■ If you plan to use this appliance as a Scanner only, follow the Scanner setup
procedure.
See “Setting up a Scanner” on page 40.
Many of the site-wide settings that you will specify as you use the Setup Wizard
are actually site defaults that you can later vary for each Scanner you add.
35Setting up the Symantec Mail Security Appliance
How to set up the appliance
Page 36
Note: None of the settings you specify using the wizard are final until you click
Finish at the end of the wizard. If you step through all the panels of the wizard
and do not click Finish, configuration settings will be unchanged.
To specify administrator, time, local domain, and locale settings
1
On the Administrator Settings panel, specify an email address for the
administrator.
The system sends alerts to this address if alert notifications are enabled. You
can configure additional administrators in the Control Center later.
2
On the Time Settings panel, specify your system-wide time settings.
You can specify up to three NTP servers, set the time manually, or choose
not to change the time.
3
On the Local Domains panel, add the domains for which you accept incoming
mail.
You can also add specific email addresses.
To delete a domain from the list, check it and click Delete.
4
For each domain or email address you add, optionally specify that messages
should be routed through a specific host and port.
You can optionally check Enable MX Lookup. You can also import a list of
local domains.
5
On the System Locale panel, specify the locale that the appliance should use
for formatting numbers, dates, and times, and then click Next.
Do one of the following:
■ If you are setting up a Control Center-only appliance, review the information
on the Setup Wizard Summary panel.
See “To review and finalize settings” on page 40.
You must set up a Scanner on another appliance before you can filter mail.
See “Setting up a Scanner” on page 40.
■ If you are setting up a Control Center and a Scanner on this appliance, continue
with the Setup Wizard.
See “To specify the Scanner role” on page 37.
Note: If you plan to use one appliance as both a Control Center and a Scanner,
add the Scanner on that appliance before adding other Scanners.
Setting up the Symantec Mail Security Appliance
How to set up the appliance
36
Page 37
To specify the Scanner role
1
On the Scanner Role panel, specify how you will use this Scanner.
You can choose to filter inbound mail, outbound mail, or both inbound and
outbound mail, and instant messaging filtering. Depending on your choice,
do the following:
■ If you select both inbound and outbound and you have only specified one
physical port, you will see the Create Virtual IP Address panel next. Proceed
with step 2.
■ If you select both inbound and outbound and you have specified two
physical ports, you will see the Create Optional Virtual IP Address panel
next. Proceed with step 2.
■ If the above does not apply:
■ If you chose to filter inbound mail, you will see the Inbound Mail
Filtering panel. Proceed with step 4.
■ If you chose to filter outbound mail only, you will see the Outbound
Mail Filtering panel.
See “To specify outbound mail filtering settings” on page 38.
2
On the Create Optional Virtual IP Address panel, read the instructions and
click Yes or No.
If you click Yes you will see the Create Virtual IP Address panel next. Proceed
with step 3. If not, you will see the Inbound Mail Filtering panel. Skip to step
4.
3
On the Create Virtual IP Address, specify the IP address and netmask to
associate with the specified port.
4
On the Inbound Mail Filtering panel, choose the IP address to use for inbound
mail.
5
If desired, change the port specification for inbound mail.
6
On the Inbound Mail Filtering - Connections panel specify the mail servers
from which this Scanner will accept inbound mail.
You can choose All IP addresses or specify IP addresses or hostnames. A
typical choice would be All IP addresses,thus allowing the appliance to accept
mail from any MTA on the Internet.
37Setting up the Symantec Mail Security Appliance
How to set up the appliance
Page 38
7
On the Inbound Mail Filtering - Local Relay panel, specify the internal host
to which this Scanner will relay inbound mail after filtering is complete.
You can select a host from the list or define a new host. A typical value is a
downstream mail server such as your corporate mail server.
You can also specify a port. If you check Enable MX lookup for this host, you
must specify a host name (not an IP address) for that server.
8
If you chose to filter inbound and outbound mail, the Outbound Mail Filtering
panel is displayed.
See “To specify outbound mail filtering settings” on page 38.
If you chose to filter only inbound mail as well as IM filtering, the Configure
IM interfaces panel is displayed.
See “To specify IM settings” on page 39.
If you chose to filter only inbound mail, the Setup Summary panel is displayed.
See “To review and finalize settings” on page 40.
To specify outbound mail filtering settings
1
On the Outbound Mail Filtering panel, choose the IP address to use for
outbound mail.
2
If desired, change the port specification for outbound mail.
In most cases this should be left as port 25.
3
On the Outbound Mail Filtering - Connections panel specify by IP address the
internal mail servers from which this Scanner will accept outbound mail.
Typically you would limit this to your corporate outbound mail server. It is
important to restrict to sources you trust the parties that can send outbound
mail through this host.
If you chose to filter only outbound mail, you will see the Outbound Mail
Filtering - Local Relay panel next. Proceed to step 4. If not, skip to step 5.
4
On the Outbound Mail Filtering - Local Relay panel, specify the internal host
to which this Scanner will relay outbound mail after filtering is complete.
You can select a host from the list or define a new host. A typical value is a
downstream mail server such as your corporate mail server.
You can also specify a port. If you check Enable MX lookup for this host, you
must specify a host name (not an IP address) for that server.
Setting up the Symantec Mail Security Appliance
How to set up the appliance
38
Page 39
5
On the Outbound Mail Filtering - Nonlocal Relay panel, specify how you want
to relay outbound mail after filtering is complete.
You can use default MX lookup, select a host from the list, or define a new
host.
You can also specify a port. If you check Enable MX lookup for this host, you
must specify a host name (not an IP address) for that server.
Foroutbound mail addressed to a non-local domain, there is typically no relay
host to specify. If you choose Use default MX lookup, the appliance will use
Internet MX records to deliver the mail.
6
If you chose to filter instant messages, the Configure IM interfaces panel is
displayed.
See “To specify IM settings” on page 39.
If you did not choose to filter instant messages, the Setup Summary panel is
displayed.
See “To review and finalize settings” on page 40.
To specify IM settings
1
On the Configure IM interfaces panel, under Internal IM Interface, choose
the Ethernet network for internal IM filtering.
2
Choose a Primary IM IP address.
The primary IM IP address is for routing internal IM traffic.
3
Choose a Secondary IM IP address.
The secondary IM IP address supports extended IM client features such as
file transfer.
Primary and Secondary IM IP addresses are required.
4
Under External IM Interface, choose the Ethernet network for external IM
filtering.
You can use the same Ethernet network as the internal IM interface or a
different one.
5
Choose an External IP address.
This IP address is for routing IM traffic to the public IM network servers.
6
The Setup Summary panel is displayed.
See “To review and finalize settings” on page 40.
39Setting up the Symantec Mail Security Appliance
How to set up the appliance
Page 40
To review and finalize settings
1
On the Setup Wizard Summary panel, review the settings shown.
2
If you are satisfied with the settings, click Finish to save them.
If not, click Back to revise your settings, or Cancel to end without saving any
changes. If you cancel, you won't be able to use the appliance until you
complete the setup.
Setting up a Scanner
If you are adding a Scanner on the same appliance as your Control Center, see
Setting up a Control Center with optional Scanner. The instructions in this section
only apply to adding a Scanner on a different appliance than the appliance hosting
your Control Center.
Note: If you plan to use one appliance as both a Control Center and a Scanner, add
the Scanner on that appliance before adding other Scanners.
Add a Scanner
Use the Add Scanner Wizard to set up a Scanner appliance. You run the Add
Scanner Wizard from a Control Center that you previously set up.
Note: None of the settings you specify using the wizard are final until you click
Finish at the end of the wizard. If you step through all the panels of the wizard
and do not click Finish, you will not make any changes to configuration settings.
To configure host IP settings
1
Log into the Control Center.
See “Logging in and logging out” on page 45.
2
From the Control Center, click Administration > Hosts > Configuration.
3
If you are adding your first Scanner, you will now see the Add Scanner Wizard.
Otherwise click Add on the Host Configuration page.
4
On the Scanner Host Settings panel, identify your new Scanner by typing a
description and a host name or IP address.
Continue completing the Add Scanner Wizard.
See “To register the Scanner and specify time settings ” on page 41.
Setting up the Symantec Mail Security Appliance
How to set up the appliance
40
Page 41
To register the Scanner and specify time settings
1
On the License Registration Information panel, click Browse to find your .slf
file.
2
Select your .slf file and click Open to return to the License Registration
Information panel.
3
If your network requires a proxy to access the Internet, specify proxy
information.
4
Click Register.
If registration was successful, the License Registration page returns. If there
was an error, you will see error text at the top of the page.
If you are registering a Premium feature such as Premium Content
Compliance, register your license for the feature on each Scanner that will
be using the feature.
5
If you have another .slf file for a different feature, repeat steps 1, 2, and 4.
6
When all your .slf files are successfully registered, click Next.
7
If your software needs to be updated, the Software Update page is displayed.
On the Software Update page you can:
■ Click Skip to update your software later.
■ Click Update to update your software now. Note that if you updated your
Control Center, it's recommended that you update each Scanner.
8
On the Time Settings panel, choose a time settting for this Scanner and click
Next.
You can specify up to three NTP servers, set the time manually, or choose
not to change the time.
Continue completing the Add Scanner Wizard.
See “To specify the Scanner role” on page 41.
To specify the Scanner role
1
On the Scanner Role panel, choose the role for this Scanner.
You can choose to filter inbound mail, outbound mail, both inbound and
outbound mail, and IM filtering. Depending on your choice, do the following:
■ If you select both inbound and outbound and you have only specified one
physical port, you will see the Create Virtual IP Address panel next. Proceed
with step 3.
41Setting up the Symantec Mail Security Appliance
How to set up the appliance
Page 42
■ If you select both inbound and outbound and you have specified two
physical ports, you will see the Create Optional Virtual IP Address panel
next. Proceed with step 2.
■ If the above does not apply:
■ If you chose to filter inbound mail, you will see the Inbound Mail
Filtering panel. Proceed with step 4.
■ If you chose to filter outbound mail only, you will see the Outbound
Mail Filtering panel.
See “To specify outbound mail filtering settings” on page 43.
2
On the Create Optional Virtual IP Address panel, read the instructions and
click Yes or No.
If you click Yes you will see the Create Virtual IP Address panel next. Proceed
with step 3. If not, you will see the Inbound Mail Filtering panel. Skip to step
4.
3
On the Create Virtual IP Address panel, specify the IP address and netmask
to associate with the specified port.
4
On the Inbound Mail Filtering panel, choose the IP address to use for inbound
mail.
5
If desired, change the port specification for inbound mail.
6
On the Inbound Mail Filtering - Connections panel, specify the mail servers
from which this Scanner will accept inbound mail.
You can choose All IP addresses or specify IP addresses. A typical choice
would be All IP addresses, thus allowing the appliance to accept mail from
any MTA on the Internet.
7
On the Inbound Mail Filtering - Local Relay panel, specify the internal host
to which this Scanner will relay inbound mail after filtering is complete.
You can select a host from the list or define a new host. A typical value is a
downstream mail server such as your corporate mail server.
You can also specify a port. If you check Enable MX lookup for this host, you
must specify a host name (not an IP address) for that server.
If you chose to filter only inbound mail without IM filtering, the Setup Summary
panel is displayed.
See “To review and finalize settings” on page 44.
If you chose to filter inbound and outbound mail, continue completing the Add
Scanner Wizard.
See “To specify outbound mail filtering settings” on page 43.
Setting up the Symantec Mail Security Appliance
How to set up the appliance
42
Page 43
To specify outbound mail filtering settings
1
On the Outbound Mail Filtering panel, choose the IP address to use for
outbound mail.
2
If desired, change the port specification for outbound mail.
3
On the Outbound Mail Filtering - Connections panel specify by IP address the
internal mail servers from which this Scanner will accept outbound mail.
Typically you would limit this to your corporate outbound mail server. It is
important to restrict the parties that can send outbound mail through this
host to sources that you trust.
If you chose to filter only outbound mail, you will see the Outbound Mail
Filtering - Local Relay panel next. Proceed to step 4. If not, skip to step 5.
4
On the Outbound Mail Filtering - Local Relay panel, specify the internal host
to which this Scanner will relay outbound mail after filtering is complete.
You can select a host from the list or define a new host. A typical value is a
downstream mail server such as your corporate mail server.
You can also specify a port. If you check Enable MX lookup for this host, you
must specify a host name (not an IP address) for that server.
5
On the Outbound Mail Filtering - Nonlocal Relay panel, specify how you want
to relay outbound mail after filtering is complete.
You can use default MX lookup, select a host from the list, or define a new
host.
You can also specify a port. If you check Enable MX lookup for this host, you
must specify a host name (not an IP address) for that server.
Foroutbound mail addressed to a non-local domain, there is typically no relay
host to specify. If you choose Use default MX lookup, the appliance will use
Internet MX records to deliver the mail.
If you did not enable IM filtering, the Setup Summary panel is displayed.
See “To review and finalize settings” on page 44.
If you did enable IM filtering, continue completing the Add Scanner Wizard.
See “To specify IM settings” on page 43.
To specify IM settings
1
On the Instant Messaging IP Addresses panel, specify which IP addresses
your IM clients use.
2
Under Internal IM Interface, select the Ethernet network interface that IM
clients use to communicate internally from the Ethernet: drop-down list.
43Setting up the Symantec Mail Security Appliance
How to set up the appliance
Page 44
3
Select primary and secondary internal IP addresses from the Primary IM IP
address and Secondary IM IP address drop-down lists.
The primary IP address listens for incoming instant messages. The secondary
IP address routes file transfers through the Scanner and must be a different
IP address from the primary IP address.
4
Under External IM Interface, select the Ethernet network that IM clients use
to communicate with public servers from the Ethernet: drop-down list.
The external Ethernet network interface may be the same as the internal
interface.
5
Select the external IP address from the External IP: drop-down list.
If you are using different interface cards for incoming and outgoing traffic,
assign differentIP addresses to the primary internal address and the external
address.
The external IP address may be the same as the primary internal IP address.
If you have more than one network, the primary internal IP address and
external IP address are probably going to be different. The primary IP address
would then be dedicated to listening for IM messages and the external IP
address dedicated to outgoing IM.
The Setup Summary panel is displayed.
See “To review and finalize settings” on page 44.
To review and finalize settings
1
On the Setup Wizard Summary panel, review the settings shown.
2
If you are satisfied with the settings, click Finish to save them.
If not, click Back to revise your settings, or Cancel to end without saving any
changes. If you cancel, you won't be able to use the appliance until you
complete the setup.
Completing setup
Your appliance is now nearly ready to use, with a set of default policies designed
for most enterprise installations. Review the sections below to determine what
additional setup tasks you need to perform.
Adding more Scanners
Repeat the steps in the section called “Setting up a Scanner” if you are adding
additional Scanners.
Setting up the Symantec Mail Security Appliance
How to set up the appliance
44
Page 45
Setting mail filtering policies
When you set up Symantec Mail Security, a set of ready-made default message
filtering policies are in place. You can use these policies or customize them.
The initial default policies are as follows:
■ The default group policy includes all users, and specifies use of default filtering
policies for spam, suspected spam, virus, content compliance, and end user
settings.
■ The default spam policy is to modify the subject line by prepending [Spam]
and deliver the message to the inbox.
■ The default suspected spam policy is to modify the subject line by prepending
[Suspected Spam] and deliver the message to the inbox.
■ The suspected spam threshold is set to 72 (see the Symantec Mail Security
Appliance Administration Guide for more information).
■ The default virus policy is to clean the message.
■ The default worm policy is to delete the message.
■ No default content compliance policies are in place.
■ No end user configuration capabilities are in place.
For more information on these policies and instructions on adjusting them to
meet your needs, see the Symantec Mail Security Appliance AdministrationGuide.
Testing Scanners
For instructions on testing Scanners, see the Symantec Mail Security Appliance
Administration Guide.
Changing Host IP addresses
If you change the IP address for the Control Center or any Scanner after initial
setup, see the Symantec Mail Security Appliance Administration Guide.
Logging in and logging out
Follow these instructions to begin using the Control Center.
45Setting up the Symantec Mail Security Appliance
Logging in and logging out
Page 46
Note: Do not create an account for an administrator that is identical to a user
account name. Do not create an end user account that is identical to an
administrator account name. If a naming conflict occurs, the administrator will
take precedence and the end user will be denied access to their account. In the
unlikely event that both the username and the password for an administrator and
an end user are identical, the end user will be granted access to the administrator
account.
To log in as an administrator
1
Access your Control Center from a browser.
The default login address is:
https://<hostname>:41443
where <hostname> is the hostname you designated for your appliance during
initialization. Or, you can use the IP address in place of <hostname>.
You may see a security alert message.
2
If you see a security alert message, accept the self-signed certificate to
continue.
The Control Center log in page is displayed.
3
You may choose the language in which you want to operate the Quarantine
and end user views of the Control Center.
Below the text entry fields you will see a list of languages. The language
currentlyin use is displayed in normal text. The other languages are displayed
underlined and highlighted. Click on another language to use that language
instead.
4
In the User name box, type the user name given to you by your system
administrator.
If you are the first administrator to use this appliance, type: admin
5
In the Password box, type your administrative password.
Contact your system administrator if you do not know the password.
6
Click Login.
To log in as an end user with an iPlanet or Sun ONE Directory Server
Note: To do this, LDAP authentication must be enabled.
Setting up the Symantec Mail Security Appliance
Logging in and logging out
46
Page 47
1
Access your Control Center from a browser.
The default login address is:
https://<hostname>:41443
where <hostname> is the hostname you designated for your appliance during
initialization. Or, you can use the IP address in place of <hostname>.
You may see a security alert message.
2
If you see a security alert message, accept the self-signed certificate to
continue.
The Control Center log in page is displayed.
3
If necessary, choose the language in which you want to operate the Control
Center.
Below the text entry fields you will see a list of names of languages. The name
of the language currently in use is displayed in normal text. The names of
other languages are displayed underlined and highlighted. Click on the name
of another language to use that language instead.
4
In the User name box, type your full email address (for example,
kris@example.com).
5
In the Password box, type the password you normally use to log in to your
system.
6
Click Login.
To log in as an end user with an Active Directory account
1
Access your Control Center from a browser.
The default login address is:
https://<hostname>:41443
where <hostname> is the hostname you designated for your appliance during
initialization. Or, you can use the IP address in place of <hostname>.
You may see a security alert message.
2
If you see a security alert message, accept the self-signed certificate to
continue.
The Control Center log in page is displayed.
47Setting up the Symantec Mail Security Appliance
Logging in and logging out
Page 48
3
If necessary, choose the language in which you want to operate the Control
Center.
Below the text entry fields you will see a list of names of languages. The name
of the language currently in use is displayed in normal text. The names of
other languages are displayed underlined and highlighted. Click on the name
of another language to use that language instead.
4
In the User name box, type your user name (for example, kris).
5
In the Password box, type the password you normally use to log in to your
system.
6
Select the LDAP server you use to verify your credentials (not shown).
7
Click Login.
To log in as an end user with an Exchange 5.5 account
1
Access your Control Center from a browser.
The default login address is:
https://<hostname>:41443
where <hostname> is the hostname you designated for your appliance during
initialization. Or, you can use the IP address in place of <hostname>.
You may see a security alert message.
2
If you see a security alert message, accept the self-signed certificate to
continue.
The Control Center log in page is displayed.
3
If necessary, choose the language in which you want to operate the Control
Center.
Below the text entry fields you will see a list of names of languages. The name
of the language currently in use is displayed in normal text. The names of
other languages are displayed underlined and highlighted. Click on the name
of another language to use that language instead.
4
In the User name box, type your full primary email address (for example,
kris@example.com).
5
In the Password box, type the password you normally use to log in to your
Windows system.
6
Click Login.
Setting up the Symantec Mail Security Appliance
Logging in and logging out
48
Page 49
To determine your primary email address for Exchange 5.5, check the following in
Outlook 2000 or Outlook 2003
1
Click Tools, click Address Book.
2
Type your name in the Type Name or Select from List box.
3
Double-click your name in the list displayed, and then click E-mail Addresses.
The mail address on the line starting with SMTP: in capitals is your primary
email address.
To log out
1
Click the Log Out icon in the upper right corner of the current page.
2
For security purposes, close your browser window to clear your browser’s
memory.
Having trouble logging in or out?
If you are having trouble logging in or logging out, consider the following:
■ When logging in, make sure you type your user name and password in the
correct case. Note the difference between kris, Kris, and KRIS.
■ You are automatically logged out if you don’t use the Control Center for 30
minutes. If it happens, log in again.
Migrating to Symantec Mail Security 7.5
This section is intended for customers who have a version of Symantec Mail
Security previous to version 7.5.
Migration considerations
Before running software update, review this information.
Vital considerations
The two most important migration considerations are:
■ Back up your existing data before running software update.
See “Backing up existing Control Center data” on page 51.
■ Do not reboot while software update is in process.
The softwareupdate process may take several hours to complete. A notification
displays in the Control Center when the software update process is complete.
If you reboot before the process is complete, data corruption is likely. If data
49Setting up the Symantec Mail Security Appliance
Migrating to Symantec Mail Security 7.5
Page 50
corruption occurs the appliance must be re-installed with a factory image with
assistance from Symantec Technical Support.
Changes to expect in Symantec Mail Security 7.5
Refer to the Symantec Mail Security ApplianceAdministration Guide for a complete
list of changes in Symantec Mail Security 7.5.
The major changes for Symantec Mail Security 7.5 include:
■ Some of the tabs in the Control Center have changed and the locations of pages
have changed.
■ Email can now have multiple dispositions.
■ New content filtering settings are available.
■ Instant messages can be filtered for viruses and spim.
IM filtering is disabled by default. To employ IM filtering,configure and enable
it after migration.
What happens to my existing data and settings?
Existing data and settings are migrated as follows:
■ Existing settings will migrate to Symantec Mail Security 7.5 unchanged.
■ Data such as Spam Quarantine, logs, and report data will migrate to Symantec
Mail Security 7.5 unchanged.
■ Policies may be changed slightly and the behavior of the policies may be
different because multiple dispositions are now supported.
Supported previous versions
You can update to Symantec Mail Security 7.5 from all previous versions of
Symantec Mail Security. No intermediate updates are necessary. When the software
update process is complete, the appliance will be updated to Symantec Mail
Security 7.5.
Migration planning
Consider these details before proceeding with migration.
■ There is no option to update a Control Center and multiple Scanners at once.
Each appliance must be updated individually.
■ If you have one or more individual Scanners, it's best to update Scanners before
updating the Control Center. However, updating the Control Center first is
also supported.
Setting up the Symantec Mail Security Appliance
Migrating to Symantec Mail Security 7.5
50
Page 51
■ If you have one or more individual Scanners, you do not have to update all of
your Scanners at the same time. For example, you can update some Scanners
to version 7.5 and leave some with the older version so that some Scanners
continue to protect your site while you migrate others. However, a Symantec
Mail Security 7.5 Control Center cannot make configuration changes to a
pre-version 7.5 Scanner. A pre-version 7.5 Control Center cannot make
configuration changes to a version 7.5 Scanner. But in both of these cases, a
Scanner that was previously working will continue to work as before. However,
no log or report data will be forwarded to the Control Center.
Backing up existing Control Center data
It's recommended to back up your existing data to a separate computer in case a
problem occurs during migration. Follow this procedure on your existing Control
Center to back up your existing data before migration. You can also back up your
data using the db-backup on the command line interface.
To back up your existing data
1
It's a good idea to reduce the amount of data to be backed up. For example,
these measures can reduce the amount of data backed up:
■ Reduce the maximum log size or reduce the length of time that log data
is stored.
■ Clear all report data or reduce the length of time that report data is stored.
■ Delete old messages in Spam Quarantine or reduce the number of days to
store Spam Quarantine messages.
If you reduce the length of time that log, report, or Spam Quarantine data is
stored or reduce the maximum log size, you must wait for the applicable
Expunger process to run to delete the extra data.
2
In the Control Center, click Administration > Backup.
3
Back up your existing data to a remote location using FTP.
For detailed instructions, refer to the online help or Symantec Mail Security
Implementation or Administration Guide for your product version.
4
If your backup completes successfully, proceed with migration.
If your backup fails, attempt to further reduce the amount of data backed up
as described in step 1.
51Setting up the Symantec Mail Security Appliance
Migrating to Symantec Mail Security 7.5
Page 52
Running software update
This procedure describes how to migrate to the current release using the Control
Center. The procedure for updating using the command line interface is not
described, but it is supported.
To run software update
1
If you're updating a Control Center, ensure that you've backed up your existing
data.
See “Backing up existing Control Center data” on page 51.
2
In the Control Center, click Administration > Software Updates.
If you already updated the Control Center to Symantec Mail Security 7.5 and
are updating Scanners, click Administration > Hosts > Version and then
click the Updates tab.
3
Select a Control Center or Scanner host.
See “Migration planning ” on page 50.
4
Click the 7.5.x version and then click update.
Wait for the update process to complete, which may take several hours. Do
not reboot the appliance you're updating during this process.
5
A message is displayed when the software update is complete.
If you've updated the Control Center, either click your browser's refresh
button or close and re-open it to ensure that cached versions of graphics are
redisplayed correctly.
Setting up the Symantec Mail Security Appliance
Migrating to Symantec Mail Security 7.5
52
Page 53
Numerics
14
A
administrator
email address for alerts 36
alerts
address to send to 36
B
balance
load 13
basic gateway deployment 14
browsers
compatible 26
buttons
front panel 29
C
compatibility.. See software compatibility or
hardware compatibility
Control Center
initialize 30
logging in and out 45
performance considerations 20
registration
initial 33
set up 35
D
deployment
considerations 11
gateway 14–15
models 14
multi-tier gateway 16
post-gateway 17
DNS settings 31
E
Environmental factors that affect performance 19
Ethernet
interfaces 31
jacks 29
F
Factors that affect performance 19
Filtering
performance considerations 20
filtering
intra-enterprise 12
filters
instant messaging 43
settings 37
default 45
outbound 38
outbound Scanner 43
Scanner 41
firewall
port 443 access 29
G
gateway deployment
advantages 15
basic 14
considerations 15
multi-tier 15
general deployment considerations 11
I
instant messaging
filters 43
IP addresses 43
interfaces
Ethernet 31
L
LDAP
compatibility 12
Index
Page 54
LDAP (continued)
performance considerations 21
lights
front panel 29
load balancing 13
local domains
initial settings 36
log in 45
Logs
performance impact 20
M
mail filters.. See filters
message filtering
intra-enterprise 12
MTAs
using additional 11
multi-tier gateway deployment 15
advantages 16
considerations 16
MX records
adjusting 13
O
outbound
filters
settings 38
P
password 45
Performance
Control Center 20
environmental factors 19
factors affecting 19
filtering 20
LDAP 21
log levels 20
Quarantine 21
settings 20
port 443
access requirement for 29
ports
reserved 21
positioning with other filtering products 12
post-gateway deployment 17
advantages 17
considerations 17
Q
Quarantine performance considerations 21
R
registration
initial 33
Scanners 41
Requirements
system 19
reserved ports 21
role of appliance
choices 25
S
Scanners
Add Scanner Wizard 40
configuring 11
registration
initial 41
set up 40
set up
registration 33
Scanners. See initial
settings
alert address for administrator 36
default filters 45
filters 37
outbound 38
outbound Scanner 43
Scanner 41
local domain 36
time 36
Settings that affect performance 20
site set up 35
software compatibility
browsers 26
SSH settings 26
SSH settings
compatible 26
System requirements 19
T
time
settings 36
U
user name 45
Index54
Loading...