Subido por Jorge Sleiman

McAfee® Email Gateway 7.6.0 Appliances Administrators Guide

Anuncio
Administrators Guide
Revision A
McAfee® Email Gateway 7.6.0 Appliances
COPYRIGHT
Copyright © 2013 McAfee, Inc. Do not copy without permission.
TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore,
Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total
Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and
other countries. Other names and brands may be claimed as the property of others.
Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
2
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Contents
Preface
9
About this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
What's in this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Find product documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1
Working with your McAfee Email Gateway
11
How McAfee Email Gateway processes mail traffic through your network . . . . . . . . . . .
The interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Make changes to the appliance's configuration . . . . . . . . . . . . . . . . . . .
Using lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Import and export information . . . . . . . . . . . . . . . . . . . . . . . . .
Ports used by McAfee Email Gateway . . . . . . . . . . . . . . . . . . . . . . . . .
Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Top Frequently Asked Questions (FAQs) . . . . . . . . . . . . . . . . . . . . . . . . .
Using the McAfee Email Gateway 7.x troubleshooting tree . . . . . . . . . . . . . . . . .
Upgrading McAfee Email Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . .
Benefits of upgrading from previous versions of the product . . . . . . . . . . . . .
Migrate settings from McAfee Email Gateway Appliance 7.0.3 or McAfee Email Gateway Blade
Server 7.0.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Task — Migrate settings from McAfee Email Gateway Virtual Appliance 7.0.3 . . . . . . .
Task — Upgrade from McAfee Email Gateway 7.0.3 appliances managed by McAfee ePolicy
Orchestrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
About timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Working with FIPS 140-2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2
Overview of Dashboard features
11
13
15
15
17
18
21
22
23
23
23
23
24
26
27
28
31
The Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Benefits of using the Dashboard . . . . . . . . . . . . . . . . . . . . . . . .
Dashboard portlets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configurable thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Task — Setting System Summary thresholds . . . . . . . . . . . . . . . . . . . .
Task — Setting Services thresholds . . . . . . . . . . . . . . . . . . . . . . .
Option definitions — Inbound Mail Summary portlet . . . . . . . . . . . . . . . . . . . .
Option definitions — Outbound Mail Summary portlet . . . . . . . . . . . . . . . . . . .
31
32
33
33
34
35
35
38
Option
Option
Option
Option
Option
Option
Option
Option
40
43
44
44
46
47
49
51
definitions
definitions
definitions
definitions
definitions
definitions
definitions
definitions
—
—
—
—
—
—
—
—
SMTP Detections portlet . . . . . . . . . . . . . . . . . . . . . .
POP3 Detections portlet . . . . . . . . . . . . . . . . . . . . . .
System Summary portlet . . . . . . . . . . . . . . . . . . . . . .
Hardware Summary portlet . . . . . . . . . . . . . . . . . . . . .
Network Summary portlet . . . . . . . . . . . . . . . . . . . . . .
Services portlet . . . . . . . . . . . . . . . . . . . . . . . . . .
Clustering portlet . . . . . . . . . . . . . . . . . . . . . . . . .
Tasks portlet . . . . . . . . . . . . . . . . . . . . . . . . . . .
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
3
Contents
3
Overview of Reports features
53
Types of reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Message Search overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Benefits of using Message Search . . . . . . . . . . . . . . . . . . . . . . . .
Message Search parameters . . . . . . . . . . . . . . . . . . . . . . . . . .
Message Search results . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Message Search icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Task — Identify quarantined email messages . . . . . . . . . . . . . . . . . . .
Task — Find out which email messages are queued . . . . . . . . . . . . . . . . .
Task — Find out which email messages are being blocked . . . . . . . . . . . . . .
Task — Find the emails that were successfully delivered . . . . . . . . . . . . . . .
Task — A user has requested that I release one of their quarantined email messages . . .
Task — Export a message search report . . . . . . . . . . . . . . . . . . . . .
Task — Find a message containing a named attachment . . . . . . . . . . . . . . .
Scheduled Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Benefits of creating Scheduled Reports . . . . . . . . . . . . . . . . . . . . . .
Option definitions — Scheduled Reports . . . . . . . . . . . . . . . . . . . . . .
Task — See the number of detections by protocol and threat type over the last week . . .
Task — Send your manager an email activity report in PDF format every Monday at 10.00am
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Task — Download a report in .csv format for further processing . . . . . . . . . . . .
Task — Send the email administrator a report that shows virus detections in email messages
over the last week . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Scheduled Reports — New Report dialog box . . . . . . . . . . . . . . . . . . . . . .
Scheduled Reports — Edit Report dialog box . . . . . . . . . . . . . . . . . . . . . . .
Email Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Introduction to the Email Reports page . . . . . . . . . . . . . . . . . . . . . .
Benefits of using email reports . . . . . . . . . . . . . . . . . . . . . . . . .
Types of Email reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Types of Email report views . . . . . . . . . . . . . . . . . . . . . . . . . .
Types of Email report filters . . . . . . . . . . . . . . . . . . . . . . . . . .
Favorite reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Task — Generate an email activity overview for a particular sender . . . . . . . . . . .
Task — Show me the total viruses detected over the previous week . . . . . . . . . .
System Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Introduction to the System Reports page . . . . . . . . . . . . . . . . . . . . .
Benefits of using system reports . . . . . . . . . . . . . . . . . . . . . . . .
Types of System reports . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Types of System report views . . . . . . . . . . . . . . . . . . . . . . . . .
Types of System report filters . . . . . . . . . . . . . . . . . . . . . . . . .
Favorite reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Task — Generate a report that shows all threat detection updates . . . . . . . . . . .
4
Overview of Email menu
53
54
55
56
59
61
62
64
65
65
65
66
66
67
67
70
70
71
71
71
72
72
73
73
74
74
76
77
79
79
80
81
81
81
81
82
82
83
83
85
Life of an email message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Email Configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Protocol Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . .
88
Option definitions — Protocol Presets dialog box . . . . . . . . . . . . . . . . . . 101
Option definition - New Protocol Preset . . . . . . . . . . . . . . . . . . . . . 101
Receiving Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
102
Sending Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Sending Email — Add Relay List dialog box and Add MX Lookup dialog box . . . . . . . 120
Anti-Relay Settings — Add Relay Domain dialog box and Add MX Lookup dialog box . . . 121
Email Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
121
Introduction to policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Policy exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
4
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Contents
Custom Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Email Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Task — Re-write the Subject of all messages matching a policy . . . . . . . . . . . .
Task — Modify the headers of all messages matching a policy . . . . . . . . . . . .
Scanning Policies - Add Policy... . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions — Add Rule dialog box and Edit Rule dialog box . . . . . . . . . .
Option Definitions — Scanning Policies — New Policy Exception . . . . . . . . . . . .
Option definitions — Scanning Policies | New Policy | Add user group . . . . . . . . .
Option definitions — Scanning Policies | New Policy | Add network group . . . . . . .
Option definitions — Subject Templates . . . . . . . . . . . . . . . . . . . . .
Option definitions — Notification Templates . . . . . . . . . . . . . . . . . . . .
Option definitions — Add/Edit Notification Template . . . . . . . . . . . . . . . .
Anti-Virus policy settings . . . . . . . . . . . . . . . . . . . . . . . . . . .
Anti-Spam policy settings . . . . . . . . . . . . . . . . . . . . . . . . . .
Compliance policy settings . . . . . . . . . . . . . . . . . . . . . . . . . .
Policy Options settings . . . . . . . . . . . . . . . . . . . . . . . . . . . .
DLP and Dictionaries overview . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Registered Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Compliance Dictionaries . . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions — Add Dictionary Details . . . . . . . . . . . . . . . . . . .
Option definitions — Applicable File Formats . . . . . . . . . . . . . . . . . . .
Option definitions — OR Condition . . . . . . . . . . . . . . . . . . . . . . .
Option definitions — AND Condition . . . . . . . . . . . . . . . . . . . . . .
Option definitions — Edit Regular Expression . . . . . . . . . . . . . . . . . . .
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Types of Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Secure Web Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
S/MIME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PGP encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Secure Web Mail Branding . . . . . . . . . . . . . . . . . . . . . . . . . .
Task — Encrypt all email that triggers against the HIPAA compliance dictionaries . . . .
Task — Use S/MIME to encrypt all email to a specific target domain . . . . . . . . . .
Task — Deliver all email from a specific customer using S/MIME encryption . . . . . . .
Task — Use PGP to encrypt all email messages . . . . . . . . . . . . . . . . . .
Task — Deliver all email from a specific customer using PGP encryption . . . . . . . .
Certificate Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions — Certificate Details dialog box . . . . . . . . . . . . . . . . .
Certificate Revocation Lists (CRLs) . . . . . . . . . . . . . . . . . . . . . . .
Hybrid configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Benefits of using hybrid email scanning . . . . . . . . . . . . . . . . . . . . .
About the hybrid email registration and configuration process . . . . . . . . . . . .
Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Domain Management . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Group Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Directory Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Network Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions — Add Network Group . . . . . . . . . . . . . . . . . . . .
Option definitions — Add Rule . . . . . . . . . . . . . . . . . . . . . . . . .
Email Senders and Recipients . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions — Add User Group . . . . . . . . . . . . . . . . . . . . . .
Task — Add a user group . . . . . . . . . . . . . . . . . . . . . . . . . . .
Add Directory Service wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Benefits of adding LDAP directory services . . . . . . . . . . . . . . . . . . . .
Option definitions — Directory Service Details page . . . . . . . . . . . . . . . .
McAfee® Email Gateway 7.6.0 Appliances
130
132
137
140
142
145
148
149
150
150
151
151
153
176
198
244
281
281
286
294
294
295
295
295
296
296
297
307
309
311
313
316
317
318
318
319
320
320
325
325
327
327
329
329
332
335
335
338
338
339
339
340
340
341
341
342
Administrators Guide
5
Contents
Option definitions — Directory Service Queries page . . . . . . . . . . . . . . . .
Option definitions — Directory Service Query page . . . . . . . . . . . . . . . . .
Option Definitions — Test Directory Service Query page . . . . . . . . . . . . . . .
Task — Set up the appliance to use a Microsoft Exchange Server as an LDAP server . . .
Task — Create a sample LDAP query . . . . . . . . . . . . . . . . . . . . . .
Quarantine Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Quarantine Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Quarantine Digest Options . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions — Digest Message Content . . . . . . . . . . . . . . . . . .
Quarantine Queue Settings . . . . . . . . . . . . . . . . . . . . . . . . . .
5
Overview of System menu
355
Appliance Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Network Interfaces Wizard . . . . . . . . . . . . . . . . . . . . . . . . . .
DNS and Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Time and Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Email Gateway Certificate . . . . . . . . . . . . . . . . . . . . . . . . . .
Certificate and Key Export wizard . . . . . . . . . . . . . . . . . . . . . . .
UPS Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Add UPS Device Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Default Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . .
System Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuration Management . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuration Push . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Cluster Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions — MAC Addresses . . . . . . . . . . . . . . . . . . . . . .
Resilient Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configure Automatic Configuration Backups wizard . . . . . . . . . . . . . . . .
Database Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Rescue Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
System Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Users and Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions — New Role dialog box . . . . . . . . . . . . . . . . . . . .
Option definitions — Role Details dialog box . . . . . . . . . . . . . . . . . . .
Password Management . . . . . . . . . . . . . . . . . . . . . . . . . . .
Login Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Add Login Services wizard . . . . . . . . . . . . . . . . . . . . . . . . . .
Session Management . . . . . . . . . . . . . . . . . . . . . . . . . . . .
DoD CAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions — CAC Certificate Attribute Mapping . . . . . . . . . . . . . . .
Option definitions — Custom Text dialog box . . . . . . . . . . . . . . . . . . .
Option definitions — User Details . . . . . . . . . . . . . . . . . . . . . . .
Virtual Hosting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Virtual Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Virtual Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions - Edit Virtual Network . . . . . . . . . . . . . . . . . . . . .
Add Virtual Host wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions — New Scanning Policy . . . . . . . . . . . . . . . . . . . .
Option definition - New Protocol Preset . . . . . . . . . . . . . . . . . . . . .
Logging, Alerting and SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Email Alerting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SNMP Alert Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SNMP Monitor Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6
McAfee® Email Gateway 7.6.0 Appliances
343
344
344
345
345
346
346
348
350
350
355
355
356
361
363
364
370
371
371
374
375
377
378
380
382
386
387
388
390
393
397
399
399
401
401
401
403
404
406
406
408
408
408
409
409
412
413
413
417
417
418
418
425
426
Administrators Guide
Contents
System Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Logging Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Logging Configuration — Override events dialog boxes . . . . . . . . . . . . . . .
Configure System Log Archive wizard . . . . . . . . . . . . . . . . . . . . . .
Component Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Update Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Package Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ePO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Anti-virus engines . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configure Anti-Virus Updates wizard . . . . . . . . . . . . . . . . . . . . . .
Configure Anti-Spam Updates wizard . . . . . . . . . . . . . . . . . . . . . .
Configure Automatic Package Updates . . . . . . . . . . . . . . . . . . . . .
Edit Preferences (Warning Thresholds) . . . . . . . . . . . . . . . . . . . . .
Setup Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Standard Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Custom Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Network Interfaces Wizard . . . . . . . . . . . . . . . . . . . . . . . . . .
Network Interface Layout . . . . . . . . . . . . . . . . . . . . . . . . . .
Restore from a file Setup . . . . . . . . . . . . . . . . . . . . . . . . . . .
ePO Managed Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Encryption Only Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6
Overview of Troubleshoot features
489
Troubleshooting Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Ping and Trace Route . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Generate Test Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
System Load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Route Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Disk Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Hardware Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
FIPS Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Troubleshooting Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Minimum Escalation Report . . . . . . . . . . . . . . . . . . . . . . . . . .
Capture Network Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . .
Save Email Queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Save Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Error Reporting Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions — System Tests . . . . . . . . . . . . . . . . . . . . . . .
7
426
434
436
437
438
439
442
443
446
447
448
450
452
452
452
454
457
466
470
470
476
482
Overview of Email Gateway appliances and ePolicy Orchestrator Integration
489
490
490
490
491
492
493
493
494
494
495
496
496
497
498
498
501
How appliances work with ePolicy Orchestrator . . . . . . . . . . . . . . . . . . . . . 501
Differences in Email Gateway appliance administration under ePolicy Orchestrator . . . . . . . 502
Configuring your appliance for ePolicy Orchestrator management . . . . . . . . . . . . .
505
Removing the ePolicy Orchestrator extension . . . . . . . . . . . . . . . . . . . 506
Managing your appliances from within ePolicy Orchestrator . . . . . . . . . . . . . . . . 506
Task — Upgrade from McAfee Email Gateway 7.0.3 appliances managed by McAfee ePolicy Orchestrator
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
506
8
Overview of McAfee Quarantine Manager Integration
509
About McAfee Quarantine Manager . . . . . . . . . . . . . . . . . . . . . . . . . .
How appliances work with McAfee Quarantine Manager . . . . . . . . . . . . . . . . . .
The relationship between quarantine categories displayed in Message Search and MQM . .
Custom quarantine queues in McAfee Quarantine Manager . . . . . . . . . . . . .
McAfee® Email Gateway 7.6.0 Appliances
509
509
510
510
Administrators Guide
7
Contents
Index
8
McAfee® Email Gateway 7.6.0 Appliances
513
Administrators Guide
Preface
Contents
About this guide
Find product documentation
About this guide
This information describes the guide's target audience, the typographical conventions and icons used
in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
•
Administrators — People who implement and enforce the company's security program.
Conventions
This guide uses these typographical conventions and icons.
Book title, term,
emphasis
Title of a book, chapter, or topic; a new term; emphasis.
Bold
Text that is strongly emphasized.
User input, code,
message
Commands and other text that the user types; a code sample; a displayed
message.
Interface text
Words from the product interface like options, menus, buttons, and dialog
boxes.
Hypertext blue
A link to a topic or to an external website.
Note: Additional information, like an alternate method of accessing an
option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system,
software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware
product.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
9
Preface
Find product documentation
What's in this guide
Find product documentation
McAfee provides the information you need during each phase of product implementation, from
installation to daily use and troubleshooting. After a product is released, information about the product
is entered into the McAfee online KnowledgeBase.
Task
1
Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2
Under Self Service, access the type of information you need:
To access...
Do this...
User documentation
1 Click Product Documentation.
2 Select a product, then select a version.
3 Select a product document.
KnowledgeBase
• Click Search the KnowledgeBase for answers to your product questions.
• Click Browse the KnowledgeBase for articles listed by product and version.
10
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
1
Working with your McAfee Email
Gateway
McAfee Email Gateway protects your network from viruses, undesirable content, spam, and other
threats. Understand these concepts to help you configure your McAfee® Email Gateway.
Contents
How McAfee Email Gateway processes mail traffic through your network
The interface
Ports used by McAfee Email Gateway
Resources
Top Frequently Asked Questions (FAQs)
Using the McAfee Email Gateway 7.x troubleshooting tree
Upgrading McAfee Email Gateway
About timeouts
Working with FIPS 140-2
How McAfee Email Gateway processes mail traffic through your
network
This information describes how McAfee Email Gateway processes mail traffic through your internal and
external networks.
Mail traffic flow
Within McAfee Email Gateway, all email messages originating from outside of your organization are
considered Inbound, and all messages leaving your organization and considered to be Outbound.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
11
1
Working with your McAfee Email Gateway
How McAfee Email Gateway processes mail traffic through your network
12
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Working with your McAfee Email Gateway
The interface
1
The interface
The user interface provides you with an intuitive way of finding information and configuring options for
your McAfee Email Gateway.
The interface you see might look slightly different from that shown here, because it can vary depending
on the appliance's hardware platform, software version, and language.
Figure 1-1 Areas of the user interface
A — Navigation area
The navigation area contains four areas: user information, section icons, tab bar, and support controls.
B — User information bar
C — Section icons
The icons include the following:
Icon
Menu
Features
Dashboard
Use this page to see a summary of the appliance. From this page you can
access most of the pages that control the appliance.
Reports
Use the Reports pages to view events recorded on the appliance, such as
viruses detected in email messages, and system activities such as details of
recent updates and logins.
Email
Use the Email pages to manage threats to email messages, quarantine of
infected email, and other aspects of email configuration.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
13
1
Working with your McAfee Email Gateway
The interface
Icon
Menu
Features
System
Use the System pages to configure various features on the appliance.
Troubleshoot Use the Troubleshoot pages to diagnose any problems with the appliance.
D — Tab bar
The contents of the tab bar are controlled by the selected section icon. The selected tab dictates what
is displayed in the content area.
E — Support control buttons
The support control buttons are actions that apply to the content area.
Icon Description
Refreshes or updates the content.
Returns you to the previously viewed page. We recommend that you click this button, rather
than your browser's Back button.
Appears when you configure something to allow you to apply your changes.
Appears when you configure something to allow you to cancel your changes.
Opens a window of Help information. Much of the information in this window also appears in
the Product Guide.
F — View control
The view control button shows or hides a status window.
The status window, which appears in the bottom right of the interface, shows recent activity. New
messages are added at the top of the window. If a message is blue and underlined, you can click the
link to visit another page. You can also manage the window with its own Clear and Close links.
G — Content area
The content area contains the currently active content and is where most of your interaction will be.
The changes that you make take effect after you click the green checkmark.
Contents
Make changes to the appliance's configuration
Using lists
Import and export information
14
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
1
Working with your McAfee Email Gateway
The interface
Make changes to the appliance's configuration
Use this task to make changes to the operation of the appliance.
Task
1
In the navigation bar, click an icon. The blue tabs below the icons change to show the available
features.
2
Click the tabs until you reach the page you need.
To locate any page, examine the tabs, or locate the subject in the Help index. The location of the
page is often described at the top of the Help page. Example:
System | System Administration | Database Maintenance.
3
On the page, select the options. Click the Help button (?) for information about each option.
4
Navigate to other pages as needed.
5
To save your configuration changes, click the green checkmark icon at the top right of the window.
6
In the Configuration change comment window, type a comment to describe your changes, then click OK.
Wait a few minutes while the configuration is updated.
7
To see all your comments, select Review Configuration Changes in System | System Administration | Configuration
Management.
Using lists
Within the McAfee Email Gateway user interface, lists are used in many places to help define
information.
Contents
Make and view lists
Add information to a list
Remove single items from a list
Remove many items from a list
Change information in a list
View information in a long list
Order information in a list by priority
Order information alphabetically in a list
Make and view lists
Lists specify information such as domains, addresses and port numbers on many pages in the
interface. You can add new items to a list, and delete existing items.
Although the number of rows and columns might vary, all lists behave in similar ways. In some lists,
you can also import items from a prepared file, and change the order of the items. Not all lists have
these actions. This section describes all the actions that are available in the interface.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
15
1
Working with your McAfee Email Gateway
The interface
Add information to a list
Add information into a list within the user interface.
Task
1
Click Add below the list.
A new row appears in the table. If this is your first item, a column of checkboxes appears on the
left of the table. You might also see a Move column on the right of the table.
2
Type the details in the new row. Press Tab to move between fields.
3
For help with typing the correct information, move your cursor over the table cell, and wait for a
pop-up to appear. For more information, click
4
.
.
To save the new items immediately, click the green checkmark:
Remove single items from a list
Some lists take a long time to create, and therefore you can delete only one entry at a time to prevent
the accidental deletion of a lot of information.
If the item cannot be deleted, the trashcan icon is unavailable:
.
Task
1
Click the item to select it. The row turns pale blue.
2
Click the trashcan icon
, or click Delete at the bottom of the list.
Remove many items from a list
On some long lists, you can remove many items quickly.
Task
1
In the column of checkboxes on the left of the table, select each required item. To select many
items, select the checkbox in the table's heading row to select all the items, then deselect those
that you want to keep.
2
Click Delete at the bottom of the list.
3
To save the new changes immediately, click the green checkmark:
.
Change information in a list
Change information contained within a list within the user interface.
If an item cannot be changed, the icon is unavailable:
.
Task
16
1
Click the edit icon
2
Click on the text, then delete or retype it.
.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Working with your McAfee Email Gateway
The interface
3
4
1
To save the new changes immediately, click the green checkmark:
To cancel any recent changes, click the close button at the top right of the window:
View information in a long list
If the list has many items, you might not be able to see them all at the same time.
Task
1
To determine the position of an item in the list or the size of the list, view the text at the bottom of
the list, such as Items 20 to 29 of 40.
2
To move through the list or to move quickly to either end of the list, click the arrows at the bottom
right of the list. (
).
Order information in a list by priority
Some lists display items in priority order. The first item in the list is the highest priority, the last item
is the lowest priority. To change an item's priority:
Task
1
Find the row that contains the item.
2
In the Move column (on the right of the table), click the upward or downward arrow:
Order information alphabetically in a list
When information is given in a list, you can sort the list alphabetically.
Task
•
To change the order:
•
To force items in a column into alphabetical order, click the column heading. Items in other
columns are automatically sorted accordingly. An icon appears in the column heading to indicate
that this column is sorted:
•
To sort the information differently, click the other column headings.
•
To reverse and restore the alphabetical order of the information within a single column, click the
icons in the column heading:
Import and export information
Find out how to import information to, and export information from the McAfee Email Gateway.
Contents
Import prepared information
Export prepared information
Import prepared information
From some pages, you can import information from other devices, appliances, or software for use on
the appliance, such as from a previously prepared comma-separated value (.csv) file, or a certificate
needed to verify identity of your appliance or other devices.
Imported information normally overwrites the original information.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
17
1
Working with your McAfee Email Gateway
Ports used by McAfee Email Gateway
Task
1
Click Import.
2
In the Import window, browse to the file.
The contents of the Import dialog box change according to the requirements of the type of file or
information you are importing. If further options are displayed in the dialog box, make the relevant
choices based on that information.
3
Click Open to import the information from the file.
Table 1-1 Some formats for comma-separated value (.csv) files
Type of information
Format
Example
Domain
D, domain, IP address
D, www.example.com, 192.168.254.200
Network address
N, IP address, IP subnet mask
N, 192.168.254.200, 255.255.255.0
Email address
E, email-address
E, network_user@example.com
Each item in the file is on a single line.
Export prepared information
From some pages, you can export or download information from the appliance for use on other
devices, appliances, software, or to read.
The information is generated in various forms, such as a .zip file, a .pdf, or a .csv file.
Table 1-2 Some formats for comma-separated value (.csv) files
Type of information
Format
Example
Domain
D, domain, IP address
D, www.example.com, 192.168.254.200
Network address
N, IP address, IP subnet mask
N, 192.168.254.200, 255.255.255.0
Email address
E, email-address
E, network_user@example.com
Each item in the file is on a single line.
Task
1
Click Export or Download.
2
In the Export or Download window, follow the instructions to create the file.
Ports used by McAfee Email Gateway
The appliance uses various ports to communicate with your network and other devices.
Table 1-3
18
Ports used by McAfee Email Gateway
Use
Protocol
Port Number
Software updates
FTP
21
Anti-virus DAT updates
HTTP
80
FTP
21
McAfee Global Threat Intelligence file reputation
DNS
53
Anti-spam rules and streaming updates
HTTP
80
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
1
Working with your McAfee Email Gateway
Ports used by McAfee Email Gateway
Table 1-3
Ports used by McAfee Email Gateway (continued)
Use
Protocol
Port Number
Anti-spam engine updates
FTP
21
McAfee Global Threat Intelligence message reputation
SSL
443
URL reputation lookup
SSL
443
Secure Web Mail Client Encryption
SSL
443
Management Port for the User Interface
SSL
10443
URL reputation database update
HTTP
80
Domain Name System (DNS)
DNS
53
McAfee Quarantine Manager
HTTP
80
HTTPS
443
Active directory
389
McAfee Global Threat Intelligence feedback
SSL
443
Intercept ports
When operating in either of the transparent modes — transparent bridge mode or transparent router
mode — the appliance uses the following intercept ports to intercept traffic to be scanned.
Table 1-4 Intercept ports
Protocol
Port number
POP3
110
SMTP
25
Listening ports
The appliance typically uses the following ports to listen for traffic on each protocol. The appliance
listens for traffic arriving on the designated ports. You can set up one or more listening ports for each
type of traffic being scanned by your appliance.
Table 1-5 Typical listening ports
Protocol
Port number
POP3
110
SMTP
25
Ports used for ePolicy Orchestrator communication
When you configure your McAfee Email Gateway to be managed by ePolicy Orchestrator®, or when you
set ePolicy Orchestrator to monitor and report on your appliances, the following ports are used by
default for communication between ePolicy Orchestrator and your appliances.
Table 1-6 ePolicy Orchestrator communication ports
Port usage
Port number
Agent-to-server communication port
80
Agent-to-server communication secure port
443 (when enabled)
Agent wake-up communication port
8081 (default)
Agent broadcast communication port
8082 (default)
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
19
1
Working with your McAfee Email Gateway
Ports used by McAfee Email Gateway
Table 1-6 ePolicy Orchestrator communication ports (continued)
Port usage
Port number
Console-to-application server communication port
8443
Client-to-server authenticated communication port
8444
Ports used for Email Hybrid communication
When you configure your McAfee Email Gateway for hybrid scanning with the McAfee Email Protection
(Hybrid), the following ports are used by default for communication between McAfee Email Gateway
and McAfee Email Protection (Hybrid).
Table 1-7 Email Hybrid communication ports
Use
Protocol
Port Number
SaaS Control Console to appliance for inbound email
TCP
25
Appliance to the SaaS API web service URLs (hybridapi.mxlogic.com)
TCP
443
IP addresses needed for communication between McAfee Email Gateway and the
McAfee Email Protection (Hybrid)
To allow communication between McAfee Email Gateway and the McAfee Email Protection (Hybrid),
you must ensure that relevant IP addresses for the McAfee Email Protection (Hybrid) can be accessed
from your McAfee Email Gateway appliances.
Preferred Setting
If your hardware firewall solution accepts CIDR notation and supports Class 8 C notation, please
include the following:
CIDR
Starting IP
Ending IP
208.65.144.0/21
208.65.144.0
208.65.151.255
208.81.64.0/21
208.81.64.0
208.81.71.255
Alternative settings
If your hardware firewall solution accepts CIDR notation but supports only Class 1 C notation, you
need to include the following entries for the entire subnet:
20
CIDR
Starting IP
Ending IP
208.65.144.0/24
208.65.144.0
208.65.144.255
208.65.145.0/24
208.65.145.0
208.65.145.255
208.65.146.0/24
208.65.146.0
208.65.146.255
208.65.147.0/24
208.65.147.0
208.65.147.255
208.65.148.0/24
208.65.148.0
208.65.148.255
208.65.149.0/24
208.65.149.0
208.65.149.255
208.65.150.0/24
208.65.150.0
208.65.150.255
208.65.151.0/24
208.65.151.0
208.65.151.255
208.81.64.0/24
208.81.64.0
208.81.64.255
208.81.65.0/24
208.81.65.0
208.81.65.255
208.81.66.0/24
208.81.66.0
208.81.66.255
208.81.67.0/24
208.81.67.0
208.81.67.255
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
1
Working with your McAfee Email Gateway
Resources
CIDR
Starting IP
Ending IP
208.81.68.0/24
208.81.68.0
208.81.68.255
208.81.69.0/24
208.81.69.0
208.81.69.255
208.81.70.0/24
208.81.70.0
208.81.70.255
208.81.71.0/24
208.81.71.0
208.81.71.255
Further alternate setting
If your hardware firewall solution does not accept CIDR notation, you need to include the starting and
ending IP address for either the Class 8 C addresses or the Class 1 C addresses, which are included
above.
Least desirable setting
If your hardware firewall does not accept CIDR notation or ranges of starting and ending IP addresses,
you can download a complete listing of affected IP addresses at: http://co.mcafeesaas.com/configtest/
validiplist.txt.
You can make any of the above changes by creating a firewall rule or restricting access at the server
level. We highly recommend that you lock down these subnets at your firewall as the priority
preference. Please consult with your network administrator before making any changes. For additional
information regarding the restriction of IP addresses, please refer to instructions for setting up your
firewall or guidelines from your firewall provider.
Resources
The information, links, and supporting files that you can find from the Resources dialog box.
Click Resources from the black information bar at the top of the McAfee Email Gateway user interface.
The Resources dialog box contains links to different areas or to files that you might need when setting
up your appliance.
Link name
Description
Technical
Support
Clicking this link takes you to the McAfee Technical Support ServicePortal login page
(https://mysupport.mcafee.com/Eservice/Default.aspx).
From this page, you can search the KnowledgeBase, view product documentation and
video tutorials, as well as access other technical support services.
Submit a sample
If you have a file that you believe to be malicious, but that your McAfee systems are
not detecting, you can safely submit it to McAfee for further analysis.
Follow the Submit a sample link and either log on or register as a new user to access the
McAfee Labs Tool to submit suspicious files.
Virus Information Viruses are continually evolving, with new malicious files being developed daily. To
Library
find out more about particular viruses or other threats, follow the link to the McAfee
Threat Center.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
21
1
Working with your McAfee Email Gateway
Top Frequently Asked Questions (FAQs)
Link name
Description
McAfee
This free tool integrates into Microsoft Outlook and allows users to submit missed
Customer
spam samples and email that was wrongly categorized as spam to McAfee Labs.
Submission Tool McAfee Customer Submission Tool version 2.3 can also be used with McAfee Email
Gateway and McAfee Quarantine Manager.
The tool supports automated blacklisting and whitelisting, and has an installer that
supports automated script-based installations.
The latest McAfee Customer Submission Tool and documents can also be downloaded
from the following location:
http://www.mcafee.com/us/downloads/free-tools/customer-submission-tool.aspx
ePO Extensions
Download the McAfee® ePolicy Orchestrator® extensions for Email and Web Security
Appliances.
This file contains both the EWG and the EWS extensions.
The EWG extension allows reporting from within McAfee ePolicy Orchestrator for the
following products:
• McAfee Email and Web Security Appliances version 5.5
• McAfee Email and Web Security Appliances version 5.6
• McAfee Web Gateway
• McAfee Email Gateway
The EWS extension provides full McAfee ePolicy Orchestrator management for McAfee
Email and Web Security Appliances version 5.6.
For you to use McAfee ePolicy Orchestrator for either reporting or management, the
ePO extensions need to be installed on your McAfee ePolicy Orchestrator server.
ePO Help
Extensions
Download the McAfee ePolicy Orchestrator Help extensions for the ePO extensions
listed above.
This file installs the Help extensions relating to the McAfee ePolicy Orchestrator
extensions for Email and Web Security Appliances onto your McAfee ePolicy
Orchestrator server.
SMI File
Download the Structure of Managed Information (SMI) file for use with the Simple
Network Management Protocol (SNMP).
This file provides information about the syntax used by the SNMP Management
Information Base (MIB) file.
MIB File
Download the MIB file for use with SNMP.
This file is used to define the information that your McAfee Email Gateway can
transmit using SNMP.
HP OpenView
NNM Smart
Plug-in Installer
Download the HP OpenView installer file to enable you to configure your McAfee Email
Gateway to communicate with HP OpenView.
Top Frequently Asked Questions (FAQs)
To view a selection of frequently asked questions that have been submitted by other customers, and
learn the answers provided by McAfee Technical Support, refer to KnowledgeBase article KB76144.
22
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
1
Working with your McAfee Email Gateway
Using the McAfee Email Gateway 7.x troubleshooting tree
Using the McAfee Email Gateway 7.x troubleshooting tree
McAfee support has published a troubleshooting tree to assist you in resolving issues that you might
experience with your McAfee Email Gateway.
Download the McAfee Email Gateway 7.x troubleshooting tree from KnowledgeBase article PD23748.
Upgrading McAfee Email Gateway
You can upgrade McAfee Email Gateway physical appliances, virtual appliances, or blade servers to the
latest version of the McAfee Email Gateway software. You can select how much of the previous
configuration to apply to the upgraded software. Upgrades can be applied with a CD or remotely.
Upgrading or migrating settings from previous product versions restores all protocol, policy, and
system settings for you using the McAfee Email Gateway inbuilt migration tools ensuring your previous
level of protection is maintained in all areas.
Upgrading your appliance refers to installing the latest version of the McAfee Email Gateway software
onto your existing hardware or virtual appliances. Migrating refers to you setting up new hardware or
virtual appliances with the latest version of the McAfee Email Gateway software, and then using the
in-built migration tools to restore the protocol, policy and systems settings from your existing McAfee
Email Gateway system.
Benefits of upgrading from previous versions of the product
Learn how easy it is to upgrade from McAfee Email Gateway Appliance 7.0.3 or McAfee Email Gateway
Blade Server 7.0.3.
Upgrading or migrating settings from previous product versions restores all protocol, policy, and
system settings for you using the McAfee Email Gateway inbuilt migration tools ensuring your previous
level of protection is maintained in all areas.
Features associated with LDAP and role-based access control include enhanced protection options in
McAfee Email Gateway.
There are several supported methods that you can choose from to manage the process in the way that
is best suited to your organization:
•
From a McAfee Email Gateway installation CD, perform a new installation and restore a
configuration file from a previous version
•
From a McAfee Email Gateway installation CD, perform an upgrade from a previous version
retaining configuration and log files
•
To perform the upgrade from another location, obtain the latest McAfee Email Gateway ISO image
and upload it on to an McAfee Email Gateway appliance using the Rescue Image feature (System |
System Administration | Rescue Image.
Migrate settings from McAfee Email Gateway Appliance 7.0.3 or
McAfee Email Gateway Blade Server 7.0.3
This task describes how to migrate settings from McAfee Email Gateway Appliance 7.0.3 or McAfee
Email Gateway Blade Server 7.0.3 to the latest version of McAfee Email Gateway.
Before you begin
Before performing any upgrade, back up the McAfee Email Gateway configuration (System |
Cluster Management | Backup and Restore Configuration).
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
23
1
Working with your McAfee Email Gateway
Upgrading McAfee Email Gateway
If installing on an McAfee Email Gateway Appliance cluster the steps must be carried out on all
appliances in the cluster, starting with the Failover Management appliance, then the Management
appliance, then the remainder.
If installing on a McAfee Email Gateway Blade Server, go first to the Failover Management blade server
to perform the upgrade, then repeat on the Management blade server, then the scanning blades.
Task
1
Turn on the appliance or blade server, and agree to the license agreement.
2
When the installation options menu appears, choose one of the following installation options:
a
To upgrade from the appliance itself:
•
Choose option a to perform a new installation, then restore the McAfee Email Gateway Blade
Server configuration from a previously backed up configuration file.
•
Choose option c to back up the configuration, policies, log files, and email messages and
restore them automatically when you install the latest version of McAfee Email Gateway.
•
Choose option d to restore only the network configuration settings.
•
Choose option e to restore policy settings, but no log files or email messages.
To get a description of the installation options, press the RETURN key on the installation
options menu appears. Press the RETURN key to continue through the descriptions until you
return to the installation options menu.
3
b
Use the installation options menu to define any further installation options such as the action
you want to take when the installation finishes, and press the ENTER key.
c
Select option a to perform the upgrade, then press the ENTER key to confirm the installation
option you chose.
d
Press the RETURN key to complete the installation, and wait while the computer restarts.
Open a web browser, and connect to the appliance's IP address.
If you chose option a, select Restore from a File to reinstate the previous configuration settings.
Depending on the installation option you chose, all protocol, email policy, and system settings from
McAfee Email Gateway 7.0.3 are migrated for you to ensure your previous level of protection is
maintained.
To change any network settings after installation, select System | Appliance Management | General and click
Change Network Settings.
Task — Migrate settings from McAfee Email Gateway Virtual
Appliance 7.0.3
Use this task to upgrade to the latest version of McAfee Email Gateway Virtual Appliance from McAfee
Email Gateway Virtual Appliance 7.0.3. using the software .ISO image.
Before you begin
You must have McAfee Email Gateway Virtual Appliance 7.0.3 installed already.
After an operating system is installed on a virtual appliance, the virtual machine always starts from
the hard disk first. To work around this feature, you have to shut down the virtual machine and
configure a power-on-boot delay so that you have enough time to access the Boot menu and tell it to
start from the installation CD instead.
24
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
1
Working with your McAfee Email Gateway
Upgrading McAfee Email Gateway
Task
1
Download the McAfee Email Gateway Virtual Appliance .ISO upgrade file from the McAfee download
site and extract it.
2
Shut down the virtual appliance:
a
Log on to the virtual appliance user interface and go to System | System Administration | System
Commands
b
Enter the password.
c
Select Shutdown Appliance.
3
Log on to VMware ESX Server or use the VMware Infrastructure Client, or the VMware vSphere
Client to log on to VMware Virtual Center Server.
4
Enable a Power-on-Boot delay to get enough time to force the virtual machine to boot from CD:
a
Select the virtual appliance in the Inventory list and click Summary.
b
Select Edit Settings | Options | Boot Options.
c
In Power-on-Boot delay, type 10,000 in the text box, and click OK.
5
Turn on the virtual appliance.
6
Make sure the cursor focus is on the virtual appliance console. Then press the ESC key to open the
Boot Menu.
Do not select any options yet.
7
Release the cursor from the console and select Connect CD/DVD1.
8
Browse to the folder where you downloaded the McAfee Email Gateway Virtual Appliance .ISO file
and double-click <McAfee-MEG 7.5-<build-number>.VMbuy.iso>.
9
When the .ISO file is connected, click back on to the console screen. Select CD-ROM Drive and press
the ENTER key.
The virtual appliance starts from the .ISO file.
10 Press y to agree to the terms of the license agreement.
11 Select the upgrade option that you want, and press the ENTER key to perform the upgrade.
12 Type y to confirm that you want to continue.
Depending on the installation option you chose, all protocol, email policy, and system settings from
McAfee Email Gateway Virtual Appliance 7.0.3 are migrated for you to ensure your previous level of
protection is maintained.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
25
1
Working with your McAfee Email Gateway
Upgrading McAfee Email Gateway
Task — Upgrade from McAfee Email Gateway 7.0.3 appliances
managed by McAfee ePolicy Orchestrator
Use this task to upgrade to the latest version of McAfee Email Gateway from McAfee Email Gateway
7.0.3 appliances managed by McAfee® ePolicy Orchestrator (McAfee ePO).
Before you begin
Before you can upgrade to the latest version of McAfee Email Gateway, your existing
appliance must be running McAfee Email Gateway version 7.0.3 and be correctly configured
and running.
This upgrade process automatically disconnects the appliance from being managed by
McAfee ePO.
The inbuilt McAfee Email Gateway migration tools migrate many of your McAfee Email Gateway 7.0.3
settings for you. However, some settings may need to be recreated.
Task
1
In McAfee ePO, click Policy Catalog and select the McAfee Email Gateway 7.0.3 product.
2
Click Export to export the product policies.
3
Right-click the Policies_for_McAfee_Email_Gateway_7.0.xml link, and save the file.
4
Go to your McAfee Email Gateway appliance.
5
Go to System | Component Management | ePO.
6
Select Migrate ePO Configuration.
7
Import the Policies_for_McAfee_Email_Gateway_7.0.xml file you just created.
The import process can take a few minutes to complete.
8
Select the epo_config_<date_stamp>.xml file produced at the end of this process, and save the file.
9
From the McAfee Email Gateway Resources link, download the ePO Extensions and ePO Help Extensions
files.
10 From McAfee ePO, install the ePO Extensions and ePO Help Extensions files.
11 In McAfee ePO, click Policy Catalog and select the McAfee Email Gateway product.
12 Click Import, and import the epo_config_<date_stamp>.xml you saved in step 8.
The policies and settings within the configuration file are migrated across to your McAfee ePO
server.
After you have imported the settings into McAfee Email Gateway managed by McAfee ePO, you
need to re-assign the migrated policies to the correct groups in the System Tree in McAfee ePO.
13 On McAfee ePO, navigate to Menu | Gateway Protection | Email and Web Gateway.
14 From Actions, select Export Connection Settings. Save the epoConfig<xxxxxxx>.zip file.
15 On your McAfee Email Gateway, navigate to System | Component Management | ePO, click Import ePO
connection settings. Browse to the epoConfig<xxxxxxx>.zip file, and click OK.
Your McAfee ePO configuration settings are imported into your McAfee Email Gateway appliance.
26
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Working with your McAfee Email Gateway
About timeouts
1
16 Select both Enable ePO management, and Allow configuration to be applied from ePO.
17 Apply changes within your McAfee Email Gateway.
Your upgraded appliance is again under McAfee ePO control.
If you had documents registered for Data Loss Prevention in your McAfee Email Gateway 7.0.3
appliance, the document fingerprints for these are copied to your new McAfee Email Gateway McAfee
ePO installation.
If you chose to create a scheduled task to push your McAfee Email Gateway 7.0.3 DLP database to the
new McAfee Email Gateway version, you will need to create an equivalent scheduled task to push the
new McAfee Email Gateway DLP database to your appliance.
About timeouts
Learn about the timeouts that occur between the appliance receiving a message, scanning it, and
delivering it.
When the appliance receives an email message, the SMTP conversation and corresponding timeouts
occur as follows:
Where T equals "Time".
•
T0 — The time the appliance receives the connection (where time = zero)
•
T1 — The time taken between commands (EHLO, MAIL FRIM, RCPT TO, DATA (but not the dot that
signifies the end of DATA), RSET) defined in Email | Email Configuration | Protocol Configuration | Connection
Settings (SMTP) | Timeouts
•
T2 — The time taken between receiving the chunks of data during DATA transfer
•
T3 — The time taken for the whole conversation to occur, that is, to receive a message, scan it,
and deliver it
•
T4 — The total time taken to scan the message, that is, when the appliance has received all the
data
•
T5 — The appliance has received all the data
As an email message passes through the appliance, the following timeouts are applied.
•
•
Client: Connection
Appliance: 220 banner
•
The appliance waits T1 seconds to receive the next command
•
Client: EHLO
•
Appliance: 250 OK
•
The appliance waits T1 seconds to receive the next command
•
Client: MAIL FROM: from @.bc
•
Appliance: 220 OK
•
•
The appliance waits T1 seconds to receive the next command
Client: RCPT TO: rcpt@e.f
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
27
1
Working with your McAfee Email Gateway
Working with FIPS 140-2
•
Appliance 220 OK
•
The appliance waits T1 seconds to receive the next command
•
Client: DATA
•
Appliance: 354 Enter mail, end with "dot" on a line by itself
•
•
The appliance waits T2 seconds to receive each chunk of data
Client:
•
Subject: 1234
•
Hello there
•
.
•
The appliance scans the data
•
•
•
The appliance waits T4 seconds to scan the data
The appliance delivers the message and makes an onward connection. It has taken T3 — T5 —
T0 to deliver the message. In other words, if the overall time to process a message is six
minutes, (T3), and receiving the message and scanning has taken four minutes, the appliance
has two minutes to deliver the message. If this limit is exceeded, the email is queued for
delivery later.
Appliance: 250 OK
Working with FIPS 140-2
Describes how to configure the appliance in FIPS 140-2 mode.
FIPs mode is enabled during installation. When the appliance is installed with FIPS mode enabled, the
Email Gateway installation menu (available locally, serial, ssh) is available. By default, it does not
include "Shell access"
To enable FIPS, select Option k – Enable FIPS 140-2 level 1 compliant installation in the configuration console, then
select Option a - Perform installation.
In the Email Gateway Configuration Menu, a FIPS option is available. Select it to access the following options:
Table 1-8 Option definitions
Option Definition
Shell
Enable or disable shell access (disabled by default)
This option makes the appliance non FIPS compliant.
Failure
Configure how to handle FIPS validation failure:
• Ignore the failure and continue booting.
• Prompt for cryptographic officer password (Default).
This privilege is available to an administrator role with Access system administration privileges.
SSLFIPS Enable or disable the OpenSSL FIPS checking (enabled by default) — All applications on the
appliance that use the OpenSSL library perform the OpenSSL FIPS validity check when they
start. If it causes compatibility issues with other devices, it can be disabled
Validate
28
Re-run FIPS validity tests — The ability to re-run the tests and view the output in the console.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
1
Working with your McAfee Email Gateway
Working with FIPS 140-2
To check that the appliance is running in FIPS mode, click About the Appliance in the menu bar. The FIPS
140-2 Compliant status shows Yes, No, or Partial.
A Partial status is given in the following situations:
•
The Shell is enabled.
•
FIPS validation failures occurred, where the failure handling has been modified from the
default setting Prompt for cryptographic officer password.
•
OpenSSL checking is disabled.
Go to Reports | System Reports in the user interface to get more information about the FIPS
status.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
29
1
Working with your McAfee Email Gateway
Working with FIPS 140-2
30
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
2
Overview of Dashboard features
When you first open the browser, you see the Dashboard, which gives a summary of the activity of the
appliance.
Dashboard
From this page you can access most of the pages that control the appliance.
Contents
The Dashboard
Option definitions
Option definitions
Option definitions
Option definitions
Option definitions
Option definitions
Option definitions
Option definitions
Option definitions
Option definitions
—
—
—
—
—
—
—
—
—
—
Inbound Mail Summary portlet
Outbound Mail Summary portlet
SMTP Detections portlet
POP3 Detections portlet
System Summary portlet
Hardware Summary portlet
Network Summary portlet
Services portlet
Clustering portlet
Tasks portlet
The Dashboard
The Dashboard provides a summary of the activity of the appliance.
Dashboard
On a cluster master appliance, use this page also to see a summary of activity on the cluster of
appliances.
On a McAfee Email Gateway Blade Server master blade, use this page also to see a summary of all
activity on the scanning blades within the McAfee Email Gateway Blade Server.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
31
2
Overview of Dashboard features
The Dashboard
Benefits of using the Dashboard
The Dashboard provides a single location for you to view summaries of the activities of the appliance
through a series of portlets.
Figure 2-1 Dashboard portlets
Some portlets display graphs that show appliance activity over the following periods of time:
•
1 hour
•
2 weeks
•
1 day (the default)
•
4 weeks
•
1 week
Within the Dashboard, you can make some changes to the information and graphs displayed:
•
Expand and collapse the portlet data using the
corner.
•
Drill down to specific data using the
•
See a status indicator that shows whether the item needs attention:
•
•
•
•
•
•
32
and
and
buttons in the portlet's top right-hand
buttons.
Healthy — The reported items are functioning normally.
Requires Attention — A warning threshold has been exceeded.
Requires Immediate Attention — A critical threshold has been exceeded.
Disabled — A service is not enabled.
Use
and
to zoom in and zoom out of a timeline of information. There is a short delay while
the view is updated. By default, the Dashboard shows data relating to the previous one day.
Move a portlet to another location on the Dashboard.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
2
Overview of Dashboard features
The Dashboard
•
Double-click the top bar of a portlet to expand it across the top of the Dashboard.
•
Set your own alert and warning thresholds to trigger events. To do so, highlight the item and click
it, edit the alert and warning threshold fields, and click Save. When the item exceeds the threshold
you set, an event is triggered.
Depending on the browser used to view the McAfee Email Gateway user interface, the Dashboard
"remembers" the current state of each portlet (whether it is expanded or collapsed, and if you have
drilled down to view specific data), and attempts to re-create that view if you navigate to another page
within the user interface and then return to the Dashboard within the same browsing session.
Dashboard portlets
The McAfee Email Gateway Dashboard portlets provide information about the state of email traffic,
recent detections and the current status of your McAfee Email Gateway.
Option
Definition
Inbound Mail
Summary
Displays the delivery and status information about messages sent to your
organization.
Outbound Mail
Summary
Displays the delivery and status information about messages sent from your
organization.
SMTP Detections
Displays the total number of messages that triggered a detection based on the
sender or connection, the recipient, or the content, and to view data specific to
either inbound or outbound SMTP traffic.
POP3 Detections
Displays how many messages triggered a detection based on threats such as
viruses, packers, or potentially inappropriate images.
System Summary
Displays information about load balancing, the disk space used for each partition,
total CPU usage, used and available memory, and swap details.
Hardware Summary
Status indicators to show the status of network interfaces, UPS servers, bridge
mode (if enabled), and RAID status.
Network Summary
Provides information about the status of your connections, network throughput
and counters relating to Kernel Mode Blocking
Services
Displays update and service status statistics based on protocol and external
servers used by the appliance.
Clustering
Provides information about the entire cluster when appliance is part of a cluster or
you are using the blade server hardware.
Tasks
Links directly to the areas of the user interface that search the message queue,
view reports, manage policies, configure mail protocol settings and network and
system settings, and access troubleshooting features.
Configurable thresholds
You can configure user-defined warning thresholds and critical thresholds for some status indicators.
When set, McAfee Email Gateway then provides the relevant level of warnings when these
user-defined values are exceeded.
For the System Summary portlet, you can configure the threshold values for the following parameters:
Swap | Used
Disk Space | /deferred | Inodes used
Disk Space | /deferred | Disk used
Disk Space | /encryption | Inodes used
Disk Space | /encryption | Disk used
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
33
2
Overview of Dashboard features
The Dashboard
Disk Space | /logs | Inodes used
Disk Space | /logs | Disk used
Disk Space | /quarantine | Inodes used
Disk Space | /quarantine | Disk used
Disk Space | /scandir | Inodes used
Disk Space | /scandir | Disk used
Disk Space | /var | Inodes used
Disk Space | /var | Disk used
Disk Space | /wk | Inodes used
Disk Space | /wk | Disk used
Message Queue | Inbound
Message Queue | Outbound
Message Queue | Total
For the Services portlet, you can configure the threshold values for the following parameters:
External | McAfee ePO | Event reports
External | McAfee ePO | Communication Attempts
External | McAfee ePO | Configuration Integrity
External | McAfee ePO | Policy Enforcement
External | McAfee ePO | DLP DB Update
Task — Setting System Summary thresholds
Within the System Summary portlet, you can specify thresholds for some of the status indicators.
These thresholds are the points at which the status indicators change color and at which the appliance
logs an event, indicating a potential issue with your McAfee Email Gateway.
Task
1
Expand the Dashboard | System Summary portlet.
2
Drill down to an area that allows user-defined thresholds to be set.
3
Click the status indicator (the red, yellow or green circle) for the area on which to set the
threshold.
The parameter name is replaced as shown:
4
5
34
Adjust the threshold values for the
fields.
Click
Requires Attention and
Requires Immediate Attention threshold
to save the changed thresholds.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Dashboard features
Option definitions — Inbound Mail Summary portlet
2
When the values for the dashboard information reaches the new threshold, the status indicator
changes to the appropriate color and an event is logged.
Events will not be logged until after the thresholds have been saved, the next Dashboard refresh has
taken place and the threshold has been hit or exceeded.
Task — Setting Services thresholds
Within the Services portlet, you can specify thresholds related to McAfee ePolicy Orchestrator status
indicators.
You can set alerts and warnings for the McAfee ePolicy Orchestrator-related status indicators.
You can set thresholds for warnings, alerts or both. The warning threshold must be equal to or less than
the alert threshold.
Task
1
Expand the Dashboard | Services portlet.
2
Click the status icon beside the area to have thresholds set.
The parameter name is replaced as shown:
3
4
Adjust the threshold values for the
fields.
Click
Requires Attention and
Requires Immediate Attention threshold
to save the changed thresholds.
When the values for the dashboard information reaches the new threshold, the status indicator
changes to the appropriate color and an event is logged.
Events will not be logged until after the thresholds have been saved, the next Dashboard refresh has
taken place and the threshold has been hit or exceeded.
Option definitions — Inbound Mail Summary portlet
Use this portlet to get the delivery and status information about messages sent to your organization.
The information in this portlet relates to data from the SMTP Detections | Inbound portlet. Data is shown in
bar chart format.
Each incoming message is categorized as either:
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
35
2
Overview of Dashboard features
Option definitions — Inbound Mail Summary portlet
•
Delivered
•
Scanning Skipped
•
Blocked
•
Queued
•
Bounced
•
Quarantined
Counter
Definition
Total Inbound
Messages
A top level counter which increments for each email that passes the MAIL FROM stage
of the SMTP conversation.
If multiple messages are sent down one connection, this counter will increment. You
can drill down to see how the email connection was received:
• TLS — The email was received over a TLS connection.
• Non TLS — The email was received over a standard non TLS connection.
Delivered
A top level counter which increments for each email that is delivered. You can drill down
to see how the email was delivered:
• Plain — The email was delivered as a standard plain message.
• Encrypted — The email was delivered encrypted by:
• TLS — The email was delivered over a TLS connection:
• Secure Web Mail — The content was encrypted using one of the following methods:
• Push
• Pull
• Push/Pull
• S/Mime — The content was encrypted by S/MIME.
• PGP — The content was encrypted by PGP.
• Plain — The content was a standard plain message.
• Non TLS — The email was delivered over a standard non TLS connection:
• Secure Web Mail — The content was encrypted by one of the following methods:
• Push
• Pull
• Push/Pull
• S/Mime — The content was encrypted by S/MIME.
• PGP — The content was encrypted by PGP.
36
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Dashboard features
Option definitions — Inbound Mail Summary portlet
2
Counter
Definition
Blocked
A top level counter which increments for each email that is blocked. You can expand the
counter to see the number of messages blocked by sender or connection, recipient, and
content:
• Sender/Connection — provides a breakdown of the scanner that blocked the email,
either:
• Deny Sender
• BATV
• RBL (Real-time blackhole lists)
• SPF (Sender Policy Framework).
• FCrDNS
• Recipient — provides a breakdown of the scanner that blocked the email, either:
• Anti-Relay
• LDAP Recipient
• Grey Listing
• Directory Harvesting
• Rejected Recipient
• Content — provides a breakdown of the scanner that blocked the email, either:
• GTI Message Reputation
• Compliance
• Sender ID
• Image Filtering
• DKIM
• Mail URL Reputation
• Spam
• Mail URL Reputation DoS
• Phish
• DLP
• Mail Filtering
• Virus
• Mail Size Filtering
• PUPs
• File Filtering
• Packers
• Denial of Service
Bounced
The total number of inbound messages that were refused.
Scanning
Skipped
The total number of inbound messages that resulted in a policy-based action that did
not require scanning to be carried out.
Quarantined
A top level counter which increments for each message that is quarantined.
• The total number of messages in all of the quarantine queues.
• The total number of messages requested for release by users by quarantine digests.
From within the Quarantined area, you can also drill-down into the number of email
messages quarantined in each quarantine category.
A single message may be quarantined to more than one category. Summing the total
number of messages in all categories will not necessarily generate the total quarantined
messages.
Sender and
Recipient
Type the name of a particular sender or recipient for whom you wish to locate a
message, and click Search to go to the Message Search page.
Search
Click Search to go to the Message Search feature where you can look for messages based
on their status; either blocked, bounced, delivered, quarantined, or queued.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
37
2
Overview of Dashboard features
Option definitions — Outbound Mail Summary portlet
Option definitions — Outbound Mail Summary portlet
Use this portlet to get the delivery and status information about messages sent from your
organization.
The information in this portlet relates to data from the SMTP Detections | Outbound portlet. Each incoming
message is categorized as either:
•
Delivered
•
Scanning Skipped
•
Blocked
•
Queued
•
Bounced
•
Quarantined
If you are using the quarantine features, messages may also summarized in the quarantined list.
Counter
Definition
Total Outbound A top level counter which increments for each email that passes the MAIL TO stage of
Messages
the SMTP conversation.
If multiple messages are sent down one connection, this counter will increment. You
can drill down to see how the email connection was received:
• TLS — The email was received over a TLS connection.
• Non TLS — The email was received over a standard non TLS connection.
Delivered
A top level counter which increments for each email that is delivered. You can drill down
to see how the email was delivered:
• Plain — The email was delivered as a standard plain message
• Encrypted — The email was delivered encrypted by:
• TLS — The email was delivered over a TLS connection:
• Secure Web Mail — the content was encrypted using one of the following methods:
• Push
• Pull
• Push/Pull
• S/Mime — The content was encrypted by S/MIME.
• PGP — The content was encrypted by PGP.
• Plain — The content was a standard plain message.
• Non TLS — The email was delivered over a standard non TLS connection:
• Secure Web Mail — The content was encrypted by one of the following methods:
• Push
• Pull
• Push/Pull
• S/Mime — The content was encrypted by S/MIME.
• PGP — The content was encrypted by PGP.
38
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
2
Overview of Dashboard features
Option definitions — Outbound Mail Summary portlet
Counter
Definition
Blocked
A top level counter which increments for each email that is blocked. You can expand the
counter to see the number of messages blocked by sender or connection, recipient, and
content:
• Sender/Connection — Provides a breakdown of the scanner that blocked the email, either:
• Deny Sender
• BATV
• RBL (Real-time blackhole lists)
• SPF (Sender Policy Framework).
• FCrDNS
• Recipient — Provides a breakdown of the scanner that blocked the email, either:
• Anti-Relay
• LDAP Recipient
• Grey Listing
• Directory Harvesting
• Rejected Recipient
• Content — Provides a breakdown of the scanner that blocked the email, either:
• GTI Message Reputation
• Compliance
• Sender ID
• Image Filtering
• DKIM
• Mail URL Reputation
• Spam
• Mail URL Reputation DoS
• Phish
• DLP
• Mail Filtering
• Virus
• Mail Size Filtering
• PUPs
• File Filtering
• Packers
• Denial of Service
Bounced
The total number of outbound messages that were refused.
Scanning
Skipped
The total number of outbound messages that resulted in a policy-based action that did
not require scanning to be carried out.
Queued
The total number of outbound messages that are queued awaiting delivery.
Quarantined
A top level counter which increments for each message that is quarantined.
• The total number of messages in all of the quarantine queues.
• The total number of messages requested for release by users by quarantine digests.
A single message may be quarantined to more than one category. Summing the total
number of messages in all categories will not necessarily generate the total quarantined
messages.
Search
Click Search to go to the Message Search feature where you can look for messages based on
their status; either blocked, bounced, delivered, quarantined, or queued.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
39
2
Overview of Dashboard features
Option definitions — SMTP Detections portlet
Option definitions — SMTP Detections portlet
Use this portlet to find out the total number of messages that triggered a detection based on the
sender or connection, the recipient, or the content, and to view data specific to either inbound or
outbound SMTP traffic.
The counters that appear in this portlet work differently to those in the Inbound and Outbound
Summary portlets where each message represents a single counter. In the Detections portlets, one
message can increment several counters, depending on the number of checks it fails.
40
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Dashboard features
Option definitions — SMTP Detections portlet
2
Option Definition
Total
Shows the total number of inbound and outbound messages that triggered a detection, and
expands the statistics further to see the number of messages based on the following
criteria:
• Sender/Connection — Provides a breakdown of the scanner that triggered a detection, either:
• Deny Sender
• BATV
• RBL (Real-time blackhole lists)
• SPF (Sender Policy Framework)
• FCrDNS
• Recipient — Provides a breakdown of the scanner that triggered a detection, either:
• Anti-Relay
• LDAP Recipient
• Grey Listing
• Directory Harvesting
• Rejected Recipient
• Policy Based Action — Provides a count of the actions taken based on policy rather than a
scanning trigger.
• Content — Provides a breakdown of the scanner that triggered a detection, either:
• GTI Message Reputation
• Sender ID
• DKIM
• Spam
• Phish
• Mail Filtering
• Mail Size Filtering
• File Filtering
• Denial of Service
• Compliance
• Image Filtering
• Mail URL Reputation
• Mail URL Reputation DoS
• DLP
• Virus — By either the McAfee or the Commtouch
®
Command scanner
• PUPs — By either the McAfee or the Commtouch
®
Command scanner
• Packers — By either the McAfee or the Commtouch
Inbound
®
Command scanner
Shows the total number of inbound messages that triggered a detection, and expands the
statistics further to see the number of messages based on the following criteria:
• Sender/Connection — Provides a breakdown of the scanner that triggered a detection, either:
• Deny Sender
• BATV
• RBL (Real-time blackhole lists)
• SPF (Sender Policy Framework)
• FCrDNS
• Recipient — Provides a breakdown of the scanner that triggered a detection, either:
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
41
2
Overview of Dashboard features
Option definitions — SMTP Detections portlet
Option Definition
• Anti-Relay
• LDAP Recipient
• Grey Listing
• Directory Harvesting
• Rejected Recipient
• Policy Based Action — Provides a count of the actions taken based on policy rather than a
scanning trigger.
• Content — Provides a breakdown of the scanner that triggered a detection, either:
• GTI Message Reputation
• Sender ID
• DKIM
• Spam
• Phish
• Mail Filtering
• Mail Size Filtering
• File Filtering
• Denial of Service
• Compliance
• Image Filtering
• Mail URL Reputation
• Mail URL Reputation DoS
• DLP
• Virus — By either the McAfee or the Commtouch
®
Command scanner
• PUPs — By either the McAfee or the Commtouch
®
Command scanner
• Packers — By either the McAfee or the Commtouch
®
Command scanner
Outbound Shows the total number of inbound messages that triggered a detection, and expands the
statistics further to see the number of messages based on the following criteria:
• Sender/Connection — Provides a breakdown of the scanner that triggered a detection, either:
• Deny Sender
• BATV
• RBL (Real-time blackhole lists)
• SPF (Sender Policy Framework)
• FCrDNS
• Recipient — Provides a breakdown of the scanner that triggered a detection, either:
• Anti-Relay
• LDAP Recipient
• Grey Listing
• Directory Harvesting
• Rejected Recipient
• Policy Based Action — Provides a count of the actions taken based on policy rather than a
scanning trigger.
• Content — Provides a breakdown of the scanner that triggered a detection, either:
• GTI Message Reputation
42
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Dashboard features
Option definitions — POP3 Detections portlet
2
Option Definition
• Sender ID
• DKIM
• Spam
• Phish
• Mail Filtering
• Mail Size Filtering
• File Filtering
• Denial of Service
• Compliance
• Image Filtering
• Mail URL Reputation
• Mail URL Reputation DoS
• DLP
• Virus — By either the McAfee or the Commtouch
®
Command scanner
• PUPs — By either the McAfee or the Commtouch
®
Command scanner
• Packers — By either the McAfee or the Commtouch
®
Command scanner
Option definitions — POP3 Detections portlet
This information describes the data available from the POP3 Detections portlet. From here, find out
how many messages triggered a detection based on threats such as viruses, packers, or potentially
inappropriate images.
The counters that appear in this portlet work differently to those in the Inbound and Outbound
Summary portlets where each message represents a single counter incrementation. In the Detections
portlets, one message can increment several counters, depending on the number of checks it fails.
Option
Definition
Spam
Messages that could originate from a spammer.
Phish
Messages that could contain a phish attack.
Mail Size Filtering
Messages filtered because of their size.
Image Filtering
Messages that could contain inappropriate or pornographic images.
Virus
Messages that exhibit virus-like behavior or content.
PUPs
Messages that contain potentially unwanted programs.
Packers
Messages that could contain packers.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
43
2
Overview of Dashboard features
Option definitions — System Summary portlet
Option definitions — System Summary portlet
The System Summary portlet displays information about load balancing, the disk space used for each
partition, total CPU usage, used and available memory, and swap details.
Option
Definition
Uptime
Displays the amount of time the appliance has been running since it was last started
Load Average
Displays the five second load average
Processor
Displays the total usage for all processors
Memory
Displays:
• Memory used — includes used and buffered memory
• Free memory — includes free and cached memory
Displays:
Swap
• Used — Percentage used of swap (the area on the hard disk that is part of the
appliance's virtual memory which temporarily stores inactive memory pages if there
is insufficient physical memory available to do so.)
• Rate — A high swap-rate indicates the system is in some form of overload.
Disk Space
Displays the percentage of Inodes and disk space used for each partition
Message Queue Displays the current status of the message queue.
Option definitions — Hardware Summary portlet
The Hardware Summary portlet uses status indicators to show the status of network interfaces, UPS
servers, bridge mode (if enabled), and RAID status.
Information states
On the Hardware Summary portlet, there are the following status indicators available:
•
•
•
•
functioning normally
a warning threshold has been exceeded
a critical threshold has been exceeded
the service is not enabled.
Further descriptions of a red status indicator for external services are given in the definition table.
44
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Dashboard features
Option definitions — Hardware Summary portlet
Option
Definition
Network
Interface
Shows the following for LAN1 and LAN2:
2
• Received — Data received over the network interface
• Transmitted — Data sent over the network interface
• Speed — Speed of the network interface in bits per second
A red status indicator against any Network Interface indicates that urgent attention is
required.
You may need to:
• Review your network configuration and check it is correct.
• Check that the switch is functioning correctly.
• Check that the switch configuration is correct.
• Check the cabling to and from the appliance. (Not necessary for the Content
Security Blade Server).
• In virtual appliance installations, check the virtual switch configuration.
Hardware
Modules
Shows a summary status indicator about the following hardware modules:
• Temperature
• Cooling Device
• Voltage
• Memory
• Fan
• Module Board
• Current
• Cable Interconnect
• Physical Security
• Management subsystem
• Power Supply
Any module that is not installed is categorized as Not Applicable. Any module that shows as
red or amber contains links to Troubleshoot | Tools | Hardware Status where you can get more
detailed information.
UPS
When enabled, the following status indicators are available:
•
•
Healthy — The UPS is online with the mains power working
Requires Attention — Due to one of the following potential reasons:
• Using battery power (that is, not
mains power)
• The UPS is overloaded
• The battery is discharging
• The UPS is trimming or boosting
incoming voltage
• No battery protection is available
•
•
Requires Immediate Attention — The UPS is offline
Critical — The battery is low
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
45
2
Overview of Dashboard features
Option definitions — Network Summary portlet
Option
Definition
Bridge
A red status indicates that McAfee Email Gateway is running in bridge mode, and is not
forwarding the network data.
RAID
Depending on the type of RAID controller and hard disk drives installed on your appliance
or blade server, the overall status of the RAID system is displayed:
•
•
•
Healthy — The RAID system is functioning correctly.
Requires attention — The RAID system is functioning, but one or more of the hard disk
drives are reporting that a predictive failure is imminent.
Critical — One or more hard disk drives have failed.
In addition, where this information is reported to McAfee Email Gateway, the status of
each hard disk drive within the RAID array is reported. The possible statuses for these
drives are:
•
•
•
Healthy — The hard disk drive is functioning correctly.
Operational but requires attention — The diagnostics within the hard disk drive is reporting
that failure of the drive is possible. This indicates that the drive needs to be replaced.
Requires immediate attention — The hard disk drive has failed and needs to be replaced
immediately.
Option definitions — Network Summary portlet
This information describes the data available from the Network Summary portlet.
Option
Definition
Connections
A top level counter which increments to show the total number of TCP connections
made to the SMTP port on the appliance
Throughput
A top level counter which increments to show the average throughput of data for all
TCP connections made to the SMTP port on the appliance
Kernel Mode
Blocking
A top level counter which increments to show the total number of SYN packets
blocked from an IP address that has triggered a Reject, close and deny (Block) action. The
GTI message reputation lookup feature is configured to perform this action by default
for the next ten minutes.
Within the Kernel Mode Blocking counter, you can also drill down to view information
about the number of Blocked Hosts.
The information given by the Kernel Mode Blocking counter are the number of blocked
packets for the currently selected time frame. The information given by the Blocked Hosts
counter are the number of hosts currently being blocked.
46
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Dashboard features
Option definitions — Services portlet
2
Option definitions — Services portlet
The Services portlet displays update and service status statistics based on protocol and external servers
used by the appliance.
Information states
On the Services portlet, the following status indicators are available:
•
•
•
•
Functioning normally.
A warning threshold has been exceeded.
A critical threshold has been exceeded.
The service is not enabled.
Further descriptions of a red status indicator for external services are given in the definition table.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
47
2
Overview of Dashboard features
Option definitions — Services portlet
Option Definition
Updates
• Anti-Virus — Shows the anti-virus DAT and engine update status. Any older than three days
are shown in red.
®
If you have activated the additional Commtouch Command anti-virus engine, information
specific to this engine is also shown.
• Anti-Spam — Shows the anti-spam definition and engine update status. Any older than 30
minutes are shown in red.
Status
• Configuration — Shows any configuration alerts, such as the appliance operating as an open
relay.
• FIPS 140-2 Compliance — When installed in FIPS-compliant mode, shows the current FIPS
status for the McAfee Email Gateway. More details information on the FIPS status can be
found at Troubleshoot | Tools | FIPS Status.
• SMTP Service — Shows whether the SMTP service is functioning correctly.
• POP3 Service — Shows whether the POP3 service is functioning correctly.
• Encryption Service — Shows whether the encryption service is functioning correctly.
External
• McAfee ePO — Shows the state of the communication between McAfee Email Gateway and
McAfee ePolicy Orchestrator.
The following are reported:
• Event Reports — Events are regularly sent from the appliance to the ePolicy Orchestrator
server for to be used to generate reports. If event files are not successfully uploaded,
this indicator turns red. (The default threshold is 25 files that failed to upload.)
• Communication Attempts —The appliance communicates with the McAfee ePO server at
regular intervals. Failures with these communication attempts are shown here.
• Configuration Integrity — The appliance checks that the configuration that has been pushed
by the ePolicy Orchestrator server does not contain any inconsistencies. Inconsistencies
could be a policy that refers to a Policy group or Directory service that might no longer
exist. The status is either Healthy, or Operational, but requires attention.
This issue can occur if incorrect McAfee ePO policies are assigned within the McAfee ePO
System tree.
• Policy Enforcement — Confirmation that the policy has been correctly enforced on the
appliance.
• DLP DB Updates — Confirmation that the Data Loss Prevention database has been correctly
updated.
• MQM — Shows the state of the communication between McAfee Email Gateway and McAfee
Quarantine Manager (MQM).
A red status indicates that communication between McAfee Email Gateway and MQM is
broken.
• GTI Message Reputation — Shows the state of the communication between McAfee Email
Gateway and the McAfee Global Threat Intelligence (McAfee GTI) message reputation
server.
A red status indicates that communication between McAfee Email Gateway and the McAfee
GTI message reputation server is broken.
• GTI Feedback — Shows the state of the communication between McAfee Email Gateway and
the McAfee Global Threat Intelligence feedback server.
48
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Dashboard features
Option definitions — Clustering portlet
2
Option Definition
A red status indicates that communication between McAfee Email Gateway and the McAfee
GTI feedback server is broken.
• GTI File Reputation — Shows the state of the communication between McAfee Email Gateway
and the McAfee GTI file reputation server.
A red status indicates that a DNS query of a sample <Artemis> query did not respond
with the expected answer.
• RBL — Shows the state of the communication between McAfee Email Gateway and any RBL
(Real-time Blackhole List) servers that are configured.
A red status indicates that communication between McAfee Email Gateway and RBL
servers is broken, or gray status can indicate that there are no servers to monitor.
• Syslog — Shows the state of the communication between McAfee Email Gateway and any
off-box system log servers that are configured.
A red status indicates that communication between McAfee Email Gateway and the system
log servers is broken, or a gray status can indicate that there are no servers to monitor.
• LDAP — Shows the state of the communication between McAfee Email Gateway and any
LDAP servers that are configured.
A red status indicates that a test query did not respond with the expected response, or
gray status can indicate that there are no servers to monitor.
• SNMP — Shows whether the SNMP service is functioning correctly.
A red status indicates that the SNMPD agent is not running or functioning correctly.
• DNS — Shows the state of the communication between McAfee Email Gateway and any
DNS servers that are configured.
A red status indicates that communication between McAfee Email Gateway and the DNS
servers is broken, or gray status can indicate that there are no servers to monitor.
• NTP — Shows the state of the communication between McAfee Email Gateway and active
NTP (Network Time Protocol) servers that are configured.
A red status indicates that the time synchronization is not up to date with the active NTP
server.
Option definitions — Clustering portlet
This topic discusses the Clustering portlet found on the dashboard when you have configured your
appliance as part of a cluster, or if you are using the blade server hardware to run your Email
Gateway.
This section is available only on a cluster master appliance or management blade (on a blade
server).
Option
Definition
Email
When clicked, the meter displays Message per hour.
Message per hour
Displays the average throughput of the cluster, based on measurements taken every
few minutes. If the cluster has twice as many scanning appliances, its throughput
almost doubles too. Extra management activity consumes some of the processing
power
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
49
2
Overview of Dashboard features
Option definitions — Clustering portlet
Option
Definition
Status
Displays the status of the device:
— Operating normally
— Needs attention
— Needs immediate attention
Scanning Device
Type
Displays the type of scanning device:
— Cluster Master
— Cluster Failover
— Email Gateway Appliance
Name
Displays the name of the appliance as configured
State
Displays the current state of each appliance:
Network — Connected to the network
Redundant — The Cluster Failover device is not currently running but will take over if
the master cluster appliance fails
Install — Installing software
Synchronizing — Synchronizing with the cluster master
Boot — Booting
Shutdown — Shutting down
Malconfigured — Configuration file is faulty
Unconfigured — Not configured for load balancing
Disabled — Disabled by the user
Failed — No longer on the network. No heartbeat was detected
Fault — A fault has been detected on this appliance
Legacy — Not compatible for load balancing
Load
Displays the average system load over a period of five minutes
Active
Displays the number of active connections for each appliance. The row for the
cluster master shows the total for all appliance
Connections
Displays the number of connections handled by each appliance since the counters
were last reset
Component version Displays the versions of anti-spam and anti-virus DAT files. The version numbers are
information
the same if the appliances are up-to-date. During updating, the values might be
different. To see more information, move the cursor over the text and wait for a
yellow box to appear
50
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Dashboard features
Option definitions — Tasks portlet
2
Option definitions — Tasks portlet
Use the Tasks portlet to link directly to the areas of the user interface that search the message queue,
view reports, manage policies, configure mail protocol settings and network and system settings, and
access troubleshooting features.
Option
Definition
View Message
Queue and
Reports
• Search the Message Queue — Search for messages blocked, bounced, delivered,
quarantined, and queued by sender, recipient, and subject.
• View Favorite Reports — Display your most popular email reports in a variety of view
types.
• Manage Scheduled Reports — Create schedules for available report documents, such as
email activity.
Create Policy
• Manage Policy (SMTP) — Go to the Email Policies settings for the SMTP protocol where you
can create and edit policies for anti-virus and anti-spam protection, and compliance
settings.
• Manage Policy (POP3) — Go to the Email Policies settings for the POP3 protocol where you
can create and edit policies for anti-virus and anti-spam protection, and compliance
settings.
• Manage Compliance Dictionaries — Choose from a library of predefined rules, or create your
own rules and dictionaries specific to your organization. Compliance rules can vary in
complexity from a straightforward trigger when an individual term within a dictionary
is detected, to building on and combining score-based dictionaries which will only
trigger when a certain threshold is reached. Using the advanced features of
compliance rules, dictionaries can be combined using logical operations.
• Register DLP Documents — Restrict the flow of sensitive information sent by email
through the appliance. for example, block the transmission of a sensitive document
such as a financial report that is to be sent outside of your organization.
Configure Mail
Protocol
• Configure Email Relay Domains — Build a list of IP addresses, networks, and users who
can, or cannot connect to the appliance.
• Configure Domain Routing — Set up the network hosts that you want the appliance to use
to route mail traffic to specific domains.
• Configure Encryption — Enable the appliance to use supported encryption methods to
securely deliver your email messages.
• Manage Certificates — Use digitally signed certificates for tasks such as securely
transferring email using TLS, or using S/MIME certificates.
Configure
Network
• Manage Network Settings — View and edit basic settings for the appliance such as its
domain name, and the network interfaces settings.
• Manage a Cluster — Specify the appliance's load balancing requirements when it acts as
part of a cluster.
• Manage Virtual Hosting — Specify the addresses where the appliance receives or
intercepts mail traffic on the Inbound Address Pool.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
51
2
Overview of Dashboard features
Option definitions — Tasks portlet
Option
Definition
Configure
System
• Configure ePO Management — Set up the appliance to be managed by epolicy
Orchestrator.
• Configure Quarantine Options — Tell the appliane to store quarantined messages itself, or
to store them using the McAfee Quarantine Manager (MQM) service.
• Generate Syslog Reports — Set up and view system logs for a variety of events.
• Define Directory Services — Configure the appliance to work with your LDAP servers.
• Configure SNMP — Send alerts to the trap manager for a variety of events.
• Configure DNS and Routing — Create a list of DNS servers and sort them in order of
priority, and set up routes.
Troubleshoot
• Generate a Minimum Escalation Reports — Create a report that contains the minimum
information needed by support to help them diagnose a problem with the appliance.
• Run System Tests — Perform a series of tests on the appliance to ensure that key areas
are functioning correctly.
• Back up and Restore Configuration — Configure the appliance to back up the configuration,
or create a backup schedule, and restore the configuration if necessary.
52
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
3
Overview of Reports features
This topic provides an overview of the features within Email Gateway that relate to reporting the
activities of the appliance.
Reports
Contents
Types of reports
Message Search overview
Scheduled Reports
Scheduled Reports — New Report dialog box
Scheduled Reports — Edit Report dialog box
Email Reports
System Reports
Types of reports
You can generate reports either on your appliance, your ePolicy Orchestrator server, or externally.
System | Logging, Alerting and SNMP
Reports
Use the external methods to keep the reported events over a longer period of time than that offered
by the reporting options on the appliance itself. Use features available from System | Logging, Alerting and
SNMP, or McAfee ePolicy Orchestrator to send data to generate reports externally.
Table 3-1 External reporting options
External report
generation option
Definition
System log
System | Logging, Alerting and SNMP. Supports the common event formats for
Splunk and ArcSight.
SNMP
System | Logging, Alerting and SNMP. Supports the SNMP Alert Settings and SNMP
Monitor Settings options. The MIB file can be downloaded from the Resources tab
available from the appliances toolbar.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
53
3
Overview of Reports features
Message Search overview
Table 3-1 External reporting options (continued)
External report
generation option
Definition
Email Alerting
System | Logging, Alerting and SNMP | Email Alerting. You can configure Email
Alerting to alert specified people about different events that occur on your
appliance.
McAfee ePolicy
Orchestrator
Use ePolicy Orchestrator to generate reports about multiple appliances and
security software within your organization, such as information about the
total number of viruses detected within your organization.
McAfee Web Reporter
System | Logging, Alerting and SNMP. Generates reports about Uniform Resource
Locator (URL) filtering activities. See the McAfee Web Reporter Product
Guide, available from the McAfee download site.
Use the appliance Dashboard to see high-level event statistics. Use the options in Reports to produce
regular and real-time reports on the following types of events on the appliance.
Table 3-2 Reporting options on the appliance
Report type
Definition
Scheduled reports Reports — Set up regular activity overview (by protocol, threat type, and
detection), email detections, web detections, and system event reports and send
them to other administrators.
Email reports
Reports — Create and view information about threats detected in the email passing
through your appliance, and the subsequent actions taken by the appliance.
System reports
Reports — Create and view information about threat detection updates, and
system events.
Message Search overview
Use this feature to search for email messages that have passed to the DATA phase on your appliance.
This feature is also available from within McAfee ePolicy Orchestrator.
Reports | Message search
Message Search provides you with a convenient method to locate email messages on your appliance.
If the appliance has not received the message body, the message cannot be found in Message Search. For
example, if an email message is blocked by the Real-time Blackhole Lists (RBLs), the appliance will not have
received the message body. In this situation, use Reports | Email Reports from the McAfee Email Gateway to
find further information about this email message.
Contents
Benefits of using Message Search
Message Search parameters
Message Search results
Message Search icons
Task — Identify quarantined email messages
Task — Find out which email messages are queued
Task — Find out which email messages are being blocked
Task — Find the emails that were successfully delivered
Task — A user has requested that I release one of their quarantined email messages
54
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Reports features
Message Search overview
3
Task — Export a message search report
Task — Find a message containing a named attachment
Benefits of using Message Search
Message Search enables you to search for email messages that have passed to the DATA phase on
your Email Gateway appliance.
A common request from users is "What happened to the email message I sent yesterday?", or "My
supplier emailed me on Monday, why haven't I received his message yet?"
From a single location within the user interface, Message Search allows you to confirm the status of
email messages that have passed through the appliance. It provides you with information about the
email, including:
•
Was it delivered?
•
Was the message quarantined?
•
Was it blocked?
•
Is the message queued pending further
action?
•
Did the message bounce?
You can use a wide range of different criteria to search on, including:
•
The Message status
•
Source IP
•
Sender, Recipient or Subject information
•
Email disposition
•
Category
•
If the Email has been modified or not
•
Date range
•
The Virtual host used
•
Audit ID
If you have configured Sender address masquerading or Recipient address aliasing, Message Search shows the
masqueraded or aliased email addresses.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
55
3
Overview of Reports features
Message Search overview
Message Search parameters
This topic provides you with information about each of the parameters that are available to you with
the Message Search feature.
Option
Definition
Message status
You can choose to search All email messages. If you suspect that a message is in a
certain state, you can also search only for messages that are:
• Blocked
• Bounced
• Delivered
• Quarantined
This includes quarantined items that have pending release requests.
• Queued
You can multi-select to search for messages in more than one status.
Sender,
You can search for emails containing particular sender, recipient, or subject text.
Recipient, Subject The appliance can modify the subject of some emails, typically by adding a [spam] or
[phish] prefix to the subject line. However, the subject displayed on the Message Search
page is the original subject line of the email message before the appliance makes
any changes.
You can use the * and ? wildcard characters in your searches.
To search for a literal *, ?, or \ character within these fields, use the backslash (\)
character before the search term. For example, use \* to search for the asterisk
character.
56
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Reports features
Message Search overview
3
Option
Definition
Category
When you search on Blocked or Quarantined items, you can further refine your search by
selecting the Category that the appliance used to block or quarantine the message.
When viewing messages that have been Blocked, the following Category options are
available:
• Anti-Phish
• Anti-Spam
• Anti-Virus
®
If you have enabled the additional Commtouch Command anti-virus engine, you
will see anti-virus detections listed by detection engine.
• Anti-Virus (Packer)
• Anti-Virus (PUP)
• Compliance
• Corrupt Content
• Data Loss Prevention
• Directory Harvesting
• DKIM
• Encrypted Content
• File Filtering
• Image Filtering
• Mail Filtering
• Mail Size
• Message Reputation
• Sender Authentication Threshold
• SenderID
• Signed Content
For messages that were Quarantined by the appliance, the following Category options are
available:
• Anti-Phish
• Anti-Spam
• Anti-Virus
®
If you have enabled the additional Commtouch Command anti-virus engine, you
will see anti-virus detections listed by detection engine.
• Anti-Virus (Packer)
• Anti-Virus (PUP)
• Compliance
• Corrupt Content
• Data Loss Prevention
• Directory Harvesting
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
57
3
Overview of Reports features
Message Search overview
Option
Definition
• Encrypted Content
• File Filtering
• Image Filtering
• Mail Filtering
• Mail Size
• Signed Content
You can multi-select to search for messages in more than one category. See
Quarantine Options to find out how the categories relate to those reported in McAfee
Quarantine Manager.
Quarantined to:
For messages that were quarantined, you can search all quarantine queues, or select
one or more from the list of configured queues. The queues are:
• Viruses
• Other
• PUPs
• Phish
• Compliance
• Spam
A single message may be quarantined to more than one category. Summing the total
number of messages in all categories will not necessarily generate the total
quarantined messages.
All Dates / Date
Range
You can search on All Dates , or you can specify a Date Range, using From and To dates
and times.
Audit ID
When an email message passes through the appliance, a received header —
containing audit ID information — is added to the message header.
The received header will look similar to the following:
Received: from (mta1.example.com [192.168.254.200]) by
meg_appliance1.example.com with smtp
id 1448_0004_4d37a0e8_93e1_11df_b43f_00114336c271
Tue, 20 Jul 2011 09:29:31 +0000
This audit ID information can be used to track the message as it passes through the
appliance.
Source IP
This is the source IP address of the originating email server. If your appliance is
configured behind one or more Mail Transfer Agents (MTAs), the email headers are
used to obtain the correct source IP address.
If you know the IP address that is sending email messages to you, you can search
using this address.
You can use either a single address (for example, 192.168.0.1) or a network
address/netmask (for example, 192.168.0.0/255.255.255.0).
Disposition
Allows you to select All or One or more of Inbound, Outbound and Internal messages in your
search.
Type
When dealing with quarantined email messages, this allows you to search for the all,
messages, original email or for messages that have been modified by the appliance.
It also allows you to search for messages that have their Release requested by your
users.
58
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Reports features
Message Search overview
3
Option
Definition
Virtual host
If you have enabled the use of virtual hosts on your appliance, you can track or view
email messages that are processed by an individual virtual host on the appliance.
To do this, select the relevant host name from the Virtual host drop-down list.
Attachment
(only visible
when
Attachment
identification
is enabled)
To find specific attachments within email messages, enter a full or partial attachment
name. You can also use wildcard characters.
View recipients
Clicking on any of the highlighted links in the View recipients area shows you either All
messages, or a list of recipients and the number of items against each recipient
beginning with the selected character. For example, it might show that one recipient
currently has four queued messages, one quarantined message and three delivered
messages.
By clicking on a particular recipient, you can then view all relevant items for that
recipient.
To revert to the total view of messages, click Close.
Search/Refresh
Click to search the appliance for email messages that match your search parameters,
or to refresh the list if you have changed any of the parameters.
Clear Parameters
Resets all search parameters to their default states.
Message Search results
Within the Message Search, the following results may be displayed.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
59
3
Overview of Reports features
Message Search overview
Option
Definition
Options
When you have searched for your required email types, you can perform actions
based on the type of message. These actions include:
Message status is All:
• Delete selected
• Release selected — Only available if all selected messages are quarantined
"on-the-box", and do not contain viral content.
• Retry selected
• Forward selected — Only available if all selected messages are either queued or
quarantined.
• Find related
• Submit false positive — Submit the selected messages to McAfee for analysis, to help
reduce false positive detections.
• Delete all
Message status is Quarantined :
• Delete selected
• Release selected — Only available if all selected messages are quarantined
"on-the-box", and do not contain viral content.
• Retry selected
• Forward selected — Only available if all selected messages are either queued or
quarantined.
• Find related
• Submit false positive — Submit the selected messages to McAfee for analysis, to help
reduce false positive detections.
• Delete all
• Release all
Message status is Queued:
• Delete selected
• Release selected — Only available if all selected messages are quarantined
"on-the-box", and do not contain viral content.
• Retry selected
• Forward selected — Only available if all selected messages are either queued or
quarantined.
• Find related
• Submit false positive — Submit the selected messages to McAfee for analysis, to help
reduce false positive detections.
• Delete all
• Retry all
If you have configured your appliance to perform off-box quarantining using McAfee
Quarantine Manager, you cannot make release requests from within Message Search.
Real-Time retry
To retry the delivery of a queued item and to then show the results of the SMTP
conversation with the target MTA, click Real-Time Retry .
You can only use Real-Time Retry by selecting a single queued message.
60
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Reports features
Message Search overview
Option
Definition
View Message
If the message is still available to the appliance (for example, if the email message
has been queued or quarantined on the appliance) you can view the selected
message.
3
From within the message view, you can:
• Delete the message from the appliance.
• Release the message from the appliance. (Quarantined messages only.)
• Retry to deliver the message from the appliance. (Queued messages only.)
• Forward the message to another email address.
• Download the message to your local file system in .eml format.
You can also use Show headers to view the information contained within the email
header.
View
When SMTP conversation logging is enabled (from Email | Email Configuration | Protocol
Conversation Log Configuration | Connection Settings (SMTP) | SMTP conversation logging) on your appliance, select
an email message and click View Conversation Log to see the conversation details for the
selected message through the different stages of the SMTP conversation.
Download
Message
Downloads the selected queued or quarantined message to your local file system
in .eml format.
Show Report
View information about the selected email message.
Hide and
unhide
columns
You can hide and unhide columns in the Message Search results area.
•
— Click the left-arrow to hide the selected column.
•
— Click the down-arrow to display options to sort or hide a column.
•
— Click the right-arrow to re-display information in the hidden column.
Export
Click to export a report based on your message search results.
Maintenance
options
Click to go to the Database Maintenance area where you can define the number of
items identified using Message Search that are retained in the database.
Message Search icons
Understand the meaning of the icons that are used within the message search page.
Option Definition
Email message is Inbound.
Email message is Outbound.
Email message was composed within the Secure Web Mail Client.
Email message is Internal.
Internal email messages are Alert messages and Quarantine Digest messages.
This is the original version of the quarantined message.
This is the version of the quarantined message that has been modified by the appliance.
This email message is currently held in a queue, but the appliance is not actively trying to
deliver the message.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
61
3
Overview of Reports features
Message Search overview
Option Definition
The appliance is trying to deliver this message.
The appliance has a release request pending for this message.
Queued for delivery to your McAfee Quarantine Manager server.
Email message is secured using the Encryption policy settings.
Email message was received or delivered using TLS.
Access to the quarantined email message is restricted. You do not have sufficient privileges
to view or download the message, or perform any actions (delete, release, forward) on the
message.
Task — Identify quarantined email messages
Use this task to discover which email messages have been quarantined by your McAfee Email Gateway
Appliance.
To view a list of all messages that have been quarantined:
Task
1
Click Reports | Message Search.
2
Select Quarantined from the Message status drop-down list.
3
Click Search/Refresh.
All messages that have been quarantined are displayed in the lower part of the page.
Task — Refine the search
You can further refine your search for quarantined email messages to show only those that have been
quarantined due to specific triggers. In this example, to find those email messages quarantined due to
compliance issues:
Task
1
Complete the steps in Task — Find out which email messages are quarantined.
2
Select Compliance from the Category drop-down list.
3
Click Search/Refresh.
The lower part of the screen is refreshed to show only the messages that have been quarantined due
to compliance issues.
Task — View a specific email message
You can view the content of a quarantined email message.
Task
1
Complete the steps in Task — Refine the search.
2
Select the relevant quarantined message using the checkbox to the left of the page.
3
Click View Message.
The selected message is displayed in a new window. From this window, you can view the content of
the email message. You can also choose to view the detailed email header information. After you have
62
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Reports features
Message Search overview
3
viewed the message, by clicking the relevant buttons, you can choose further actions to perform on
the email message.
Task — Release a quarantined email message
After viewing the email message that has been quarantined, you may want to release the message
from Quarantine. This task allows you to do this.
To release a selected message from quarantine:
Task
1
Complete the steps in Task — View a specific email message.
2
Click Release Selected.
The selected email message is released from quarantine.
Email messages that contain viral content cannot be released from quarantine, as to do so would risk
causing damage to your systems.
Task — Submit a false positive sample to McAfee
Submit email messages that have been incorrectly detected as spam or phishing messages to McAfee,
to help reduce false positive detections in the future.
Before you begin
You can only submit messages that have been detected as either spam or phishing email
messages, and that have then been quarantined by McAfee® Email Gateway.
By investigating samples of genuine email messages that have been incorrectly detected as either
spam or phishing email messages (false positive detections), McAfee can improve the accuracy of the
spam and phishing message detections.
Task
1
Select Reports | Message search.
2
Select Quarantined from the Message status drop-down list.
3
Click Search/Refresh.
4
Select the email messages that have been incorrectly identified as either spam or phishing
messages.
5
Select Submit false positive from Options.
6
Click Go.
The selected incorrectly-identified spam or phishing messages are submitted to a secure McAfee site
where they can be analyzed and the results used to improve spam and phishing email message
detections.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
63
3
Overview of Reports features
Message Search overview
Task — Find out which email messages are queued
Use this task to find out which email messages are currently queued pending delivery on your Email
Gateway appliance.
To view a list of all messages that have been queued on the appliance:
Task
1
Click Reports | Message Search.
2
Select Queued from the Message status drop-down list.
3
Click Search/Refresh.
All messages that have been queued are displayed in the lower part of the page.
Task — Find out which email messages are queued for inbound delivery
Use this task to refine your search for messages queued for inbound delivery.
You can further refine your search for queued email messages to show only those messages that have
been queued for inbound or outbound delivery. To view the queued messages awaiting inbound
delivery:
Task
1
Complete the steps in Task — Find out which email messages are queued.
2
Select Inbound from the Disposition drop-down list.
3
Click Search/Refresh.
All messages that have been queued for inbound delivery are displayed in the lower part of the page.
Task — Delivering the queued email message
Use this task to deliver the email message that are currently queued on your Email Gateway
appliance.
Having found the queued email messages, and investigated the reason for the messages to be
queued, you then need to force the appliance to try again to deliver the messages:
Task
1
Complete the steps in Task — Find out which email messages are queued for inbound delivery.
2
Select the relevant queued messages using the check-boxes to the left of the page.
3
Choose one of the following:
•
From the Options drop-down list, select Retry selected.
•
For a single message, click View Message, and then select the Retry button.
•
To retry the sending of the messages and then see the results within the page, click Real-Time
Retry.
Your Email Gateway appliance attempts delivery of the queued messages.
64
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Reports features
Message Search overview
3
Task — Find out which email messages are being blocked
Use this task to find email messages that have been blocked by your Email Gateway appliance.
To view a list of all messages that have been blocked on the appliance:
Task
1
Click Reports | Message Search.
2
Select Blocked from the Message status drop-down list.
3
Click Search/Refresh.
All messages that have been blocked are displayed in the lower part of the page. Email messages can
be blocked for a variety of reasons, and the table showing all blocked messages includes the reason
that each message was blocked within the Status/Category column.
Task — Find the emails that were successfully delivered
Use this task to find all emails that were successfully delivered by your Email Gateway appliance.
You may have a request from your users to verify that an email message has been successfully
delivered to its intended recipient. To verify this:
Task
1
Click Reports | Message Search.
2
Select Delivered from the Message status drop-down list.
3
Click Search/Refresh.
All messages that have been successfully delivered by the appliance are listed in the lower part of the
page.
Task — A user has requested that I release one of their
quarantined email messages
Use this task to release a quarantined email.
When an email message is quarantined, your users may receive a digest message, giving them
options relating to the messages in quarantine. To view and then release an email message that a user
has requested be released:
Task
1
Click Reports | Message Search.
2
Select Quarantined from the Message status drop-down list.
3
Select Release requested from the Type drop-down list.
4
Click Search/Refresh.
5
Select the email message (or messages) to be released.
6
Click View Message.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
65
3
Overview of Reports features
Message Search overview
7
If you are happy that the selected message is safe to release, select Release selected from the Options
drop-down list.
8
Click Go.
In the Dashboard | Email Queues area, you can see how many quarantine release requests have been made
by your users. Clicking the link on this page opens the Message Search page, and auto-populates the fields
required to release these messages.
Task — Export a message search report
When you have run a message search, you have the option of exporting a report of the results in .csv
format.
Before you begin
Before you can export the report, you must run a message search that did not return 0
results.
Task
1
Navigate to the Message Search window.
You can navigate using Reports | Message search, or using the Task portlet on the Dashboard (Dashboard |
Tasks | Message Search & Reports | Search the Message Queue).
The Message Search window opens.
2
Select your desired parameters and perform a message search.
Your search results display.
The report you create will contain the entire results from your search.
3
Click the Export link at the bottom of the results window.
A message displays, providing a link to the exported .csv file.
4
Click the link to access the .csv file.
The report displays. The format is essentially the same as the Message Search results table, with a
few differences:
•
The audit ID displays.
•
The time displays both as seconds for sorting, and as a human-readable local time string.
•
The reason value for quarantined items displays.
•
The Properties column shows as three columns: Disposition, Type, and Encryption Type.
Task — Find a message containing a named attachment
Search for messages that contain named attachments
Before you begin
Before you can find messages that contain attachments, you must Enable attachment
identification from Email | Email Configuration | Protocol Configuration | Connection Settings (SMTP) |
Attachment identification.
66
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Reports features
Scheduled Reports
3
Task
1
Navigate to the Message Search window. You can navigate using Reports | Message search, or using the
Task portlet on the Dashboard ( Dashboard | Tasks | Message Search & Reports | Search the Message Queue).
The Message Search window opens.
2
Choose the search parameters to use.
3
Click Search / Refresh.
4
Use the Attachments column to identify messages containing the relevant attachment.
You can also search for specific attachment names by using the Attachment field. This field accepts
either complete attachment names or partial names with wildcard characters.
5
Use the available controls to take appropriate actions on the selected messages.
Scheduled Reports
Use this page to see a list of the available reports about threats that the appliance has detected.
Reports | Scheduled Reports
You can view the reports, send reports immediately to other people, or schedule reports to be sent at
regular intervals.
Benefits of creating Scheduled Reports
Use this information to understand the benefits of creating and using scheduled reports.
Keeping up-to-date with threat detection statistics and system activity, and sharing that information is
vital. The Scheduled Reports option has some default report types already set up for you, or you can
customize their content or frequency, or even create new report types as necessary. The resulting
reports can be sent by email immediately, or at regular intervals to other people in your organization
in a variety of formats, such as PDF, HTML, or text.
You must enable the default reports to run automatically. To do so, select the report type from the list of
available reports, and click Edit. On the Edit Report dialog box, click Enable scheduled delivery.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
67
3
Overview of Reports features
Scheduled Reports
Table 3-3 Report types
Option
Definition
Overview
Lists the number of detections by protocol, and type of threat, and provides details
about the types of detection made per protocol
Email
• Email security summary (inbound) shows the % and number of messages to internal users
that were delivered or blocked because a threat was detected
• Email security summary (outbound) shows the % and number of messages to external users
that were delivered or blocked because a threat was detected
• Email traffic flow provides information relating to the flow of messages in to, and out of
the organization
• Email security trend
• Email volume trends (inbound and outbound) provides information relating to the amount of
messages coming in to, and going out of the organization
• Email size trends (inbound and outbound) provides information relating to the size of the
messages coming in to, and going out of the organization
• Average number of emails displays the average number of messages sent in to, or out of
the organization for one day, or more
• Users activity lists internal or external users who send or receive the most blocked or
monitored messages
• Top detections lists top virus, potentially unwanted programs, and spam, or phish
detections, and sender authentication failures
System
• Disk utilization provides information relating to the used and available space on the disk
for items such as the log and quarantine partitions
• Disk utilization trends shows the % utilization of each partition in graph format
Favorite
68
Click Edit to choose from a list of pre-defined report types for email, web and system
reports, and optionally send the report to other people in your organization daily,
weekly, or monthly. Any new favorite reports that you created in the Email Interactive
Reports, or Web Interactive Reports section are available from here too.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Reports features
Scheduled Reports
3
Table 3-3 Report types (continued)
Option
Definition
Dashboard
The Dashboard report enables you to select information that is displayed in the
dashboard portlets.
Select the information to include:
• Inbound Mail lists all inbound mail activity, broken out into various categories, such as
plain text, encryption method used, information about messages quarantined,
bounced, queued and blocked, detection types triggered and information about the
senders, connections and email recipients.
• Outbound Mail lists all outbound mail activity, broken out into various categories, such
as plain text, encryption method used, information about messages quarantined,
bounced, queued and blocked, detection types triggered and information about the
senders, connections and email recipients.
• Services lists information about the software services provided.
• SMTP Detections lists information about SMTP detections made.
• POP3 Detections lists information about POP3 detections made.
• Network Summary shows network connections, kernal mode blocking statistics and total
throughput.
• System Summary Shows the status of the services, network and hardware.
• Hardware Summary provides information about your hardware, including information
about the mode of operation, the network interfaces, information relating to the
hardware modules, RAID and UPS status.
• Clustering provides information about your McAfee® Email Gateway cluster.
Inbound Mail
Inbound Mail lists all inbound mail activity, broken out into various categories, such as
plain text, encryption method used, information about messages quarantined,
bounced, queued and blocked, detection types triggered and information about the
senders, connections and email recipients.
Outbound Mail
Outbound Mail lists all outbound mail activity, broken out into various categories, such as
plain text, encryption method used, information about messages quarantined,
bounced, queued and blocked, detection types triggered and information about the
senders, connections and email recipients.
Services
Services lists information about the software services provided.
SMTP
Detections
SMTP Detections lists information about SMTP detections made.
POP3
Detections
POP3 Detections lists information about POP3 detections made.
Network
Summary
Network Summary shows network connections, kernal mode blocking statistics and total
throughput.
System
Summary
System Summary Shows the status of the services, network and hardware.
Hardware
Summary
Hardware Summary provides information about your hardware, including information about
the mode of operation, the network interfaces, information relating to the hardware
modules, RAID and UPS status.
Clustering
Clustering provides information about your McAfee® Email Gateway cluster.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
69
3
Overview of Reports features
Scheduled Reports
Option definitions — Scheduled Reports
Use this information to learn about the options available for the Scheduled Reports from within the
user interface.
Option
Definition
Name
Displays the name of the report. By default, the list includes some standard reports,
which you cannot delete.
The icon indicates the type of content in that report:
— Overview, such as numbers of overall detections.
— Email activity
— System activity such as disk usage.
— A choice of popular reports.
Description
Displays the title that appears on the first page of the report, the scheduling
information, and a list of the recipients.
Download
When clicked, generates the report, then allows you to download it for viewing in a
browser or saving as a file.
Email Now
When clicked, generates the report, then immediately sends it to the recipients. Any
regular schedule is not affected.
— If the icon is disabled, the schedule has not been set. Double-click the icon, then
specify the details under Delivery Schedule.
New report
When clicked, lets you create a new report, which is an exact copy of an existing
report. A dialog box prompts you for further information:
• Report name, which appears under the Name column on this page.
• Report title, which appears at the top of the report.
When you click OK, you return to the main page. There you can select the new report,
click the icon under Edit, and design your own report.
Edit
Delete
When the icon is clicked, enables you to change the schedule, content, format and
delivery information of the selected report.
When the icon is clicked, deletes the selected report.
Task — See the number of detections by protocol and threat
type over the last week
Use this task to create a scheduled report to see the number of detections by protocol and threat type
over the last week.
Task
70
1
Select Reports | Scheduled Reports.
2
From the list of report types, select Overview, and click Edit.
3
In the Edit Report dialog box, set the Reporting period to 1 week.
4
Click OK, and apply the changes to the appliance.
5
Click Download to generate the report.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
3
Overview of Reports features
Scheduled Reports
Task — Send your manager an email activity report in PDF
format every Monday at 10.00am
Use this task to send a PDF version of an email activity report at a specific time and day each week, to
a nominated person.
Task
1
Select Reports | Scheduled Reports.
2
From the list of report types, select Email, and click Edit.
3
In the Edit Report dialog box, click Enable scheduled delivery.
4
Set the Report sent option to Weekly and choose Monday from the drop-down menu.
5
Click New Recipient, type myboss@examplecompany.com.
6
Click OK, and apply the changes to the appliance.
Task — Download a report in .csv format for further processing
To enable further processing of information from your McAfee® Email Gateway, export your report
in .csv format.
Task
1
Select Reports | Scheduled Reports.
2
From the list of report types, select Favorite, and click Edit.
3
In Delivery schedule, ensure that Enable scheduled delivery is unselected.
4
In Report content, select the information that you want to appear in the .csv formatted file. For
example, select Email reports and Top Spam Senders (last 24h).
5
In Advanced options, select CSV as the Document format. Configure other options to suit your
requirements.
6
Click OK, and apply the changes.
7
Click Download.
8
Click on the link to download the file to your local computer.
Task — Send the email administrator a report that shows virus
detections in email messages over the last week
Use this task to send a report to a specific person showing all virus detections found within email
messages in the last week.
Task
1
Select Reports | Scheduled Reports.
2
From the list of report types, select Favorite, and click Edit.
3
In Sender and recipient details, type emailadministrator@examplecompany.com.
4
Select Report content, and select the Top Viruses report.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
71
3
Overview of Reports features
Scheduled Reports — New Report dialog box
5
Click OK, and apply the changes.
6
Click Email Now.
Scheduled Reports — New Report dialog box
Use this information to understand the options available when creating a new report.
Option
Definition
Name
Type a name for the new report that you are creating.
Title
Use the Title field to enter a descriptive title for the new report.
Use template
Select the template that you want to use as the basis of the new report.
Scheduled Reports — Edit Report dialog box
Use this information to understand the options available when editing the specification for an existing
report.
Table 3-4 Option definitions — Delivery schedule
Option
Definition
Enable scheduled delivery
Selecting this will cause this report to be delivered according to the options
set.
Report sent to At
Use Daily, Weekly, Monthly and At to specify how often, and at what time, you
want the scheduled report to be delivered.
Reporting period
Select the time period that you want covered by the report.
The available options are:
• Today (default option)
• 2 weeks
• Previous day
• 1 month
• 1 week
Use the postmaster address
as the sender
Select to use the already configured postmaster address as the sending
address for the scheduled reports.
Sender address
To configure your appliance to use a sender address that is different to the
already configured postmaster address, ensure that Use the postmaster address as
the sender is unselected, and enter the required Sender address.
Recipients
The list of email addresses to which the scheduled reports are to be sent.
Click New Recipient to specify new addresses.
Table 3-5 Option definitions — Report content
Option
Definition
Title
Specify the title for the scheduled report you are creating.
Include these reports Select the information to be included in the scheduled report. The available options
change depending on the type of report (Overview, Email, or System report.)
72
Header
Enter text that you want displayed on the header of the report.
Footer
Enter text that you want displayed on the footer of the report.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Reports features
Email Reports
3
Table 3-6 Option definitions — Advanced options
Option
Definition
Document format
Select your required format for the scheduled report. The options include:
• PDF
• HTML
• Text
• CSV
Select the paper size for the scheduled report. Select from:
Paper size
• A4 (210x297 mm)
• Letter (8.5x11 in)
Character set
Select the character set for the scheduled report. The options include:
• Unicode (UTF-8)
• Simplified Chinese (GBK)
• Unicode (UTF-7)
• Traditional Chinese (BIG-5)
• ASCII
• Japanese (SJIS)
• Latin Alphabet No. 1
(ISO-8859-1)
• Japanese (ISO-2022-JP)
• Windows Latin-1
(WINDOWS-1252)
• Korean (ISO-2022-KR)
Message subject
Enter the Subject line that you want to appear on the email containing the
scheduled report.
Message body text
Enter the body text for the email message containing the scheduled report.
Generate unique file names
Select this option to ensure that each scheduled report has a unique file
name.
Attachment file name
To specify the name of the attachment file containing the scheduled report,
unselect Generate unique file names and then enter the required file name.
Maximum number of items in a Specify the maximum number of items that you want to appear in each list.
list
Email Reports
Use this page to create and view real-time reports about threats detected in the email passing through
your Email Gateway, and the subsequent actions taken by the appliance.
Reports | Email Reports
You can generate a report based on a set of predefined filters, or edit the filters, test the results, and
save the report as a new report.
Introduction to the Email Reports page
This information introduces the Email Reports page, found in the Reporting section of Email Gateway.
Email Reports contains several sub-pages, accessed from the tabs beneath Email Interactive Reporting and
Selection.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
73
3
Overview of Reports features
Email Reports
The following tabs are shown beneath Email Interactive Reporting, each providing different views on a
report's results. See View types:
•
Total view
•
Time view
•
Itemized view
•
Detail view
There are two pages beneath Selection:
•
Favorites enables you to choose a report with pre-defined filters, and generate it immediately. See
Report types.
•
Filter enables you to further define the data in each Favorite report using standard and advanced
filter settings, and set the period of time for which you want to retrieve data. See Filter types.
Benefits of using email reports
This topic discusses the benefits of using the report features of Email Gateway to create and view
reports about email traffic.
To keep your email infrastructure running at optimal levels, you need access to up-to-date information
about threats detected in the email flowing through the appliance. Generate email reports to get
information such as:
•
Types of threats detected, such as viruses, or spam and phishing messages.
•
Messages that had to have an action taken upon them.
•
Messages that were prevented from entering or leaving your network.
•
Individual sender activity.
Additionally, use the Email Reports feature with the Scheduled Reports feature to create regular
reports, and send them immediately to other people, or at regular intervals.
You can compile a list of, for example, blocked email messages using the Message Search feature
(Reports | Message search). Message Search cannot locate messages if the appliance has not received the
message body, such as messages blocked by the Real-time Blackhole Lists (RBLs). In this situation, use
the Email Reports feature to find out about an individual message.
Types of Email reports
Information on the types of email reports that you can find within the Reports area of the user
interface are discussed.
The appliance comes with a set of reports with pre-defined filters available from the Favorites tab. You
can run these reports immediately, or edit them using standard and advanced settings and save as a
new favorite report to run again in the future, then make it available in the Scheduled Reports feature.
To see the default settings in each report, hold your mouse cursor to the left of a report name.
Table 3-7 Option definitions
74
Option
Definition
Email Overview
Displays results in Total view by default. Results show the number of legitimate,
monitored, modified, rerouted, or blocked messages processed over the previous
day.
Email Profile
Displays results in Itemized view by default. Results show the number of items detected
for each filter selection over the previous week.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Reports features
Email Reports
3
Table 3-7 Option definitions (continued)
Option
Definition
Top Spam Senders Displays results in Itemized view by default. Results are filtered using the Spam/
Phish category by default, and show the spam or phish (or both) messages by sender
over the previous 24 hours.
Top Viruses
Displays results in Itemized view by default. Results are filtered using the Viruses
category by default, and show the viruses detected over the previous week, or
results for a specific threat that you specify.
Legitimate
Displays results in Time view by default. Results show the number of messages
categorized as Legitimate (that is, delivered with no detection or modification) for all
threat categories over the previous 24 hours.
Monitored
Displays results in Time view by default. Results show the number of messages for all
threat categories over the previous 24 hours that triggered an event log but were
delivered with no modification.
Modified
Displays results in Time view by default. Results show the number of modified
messages (for example, cleaned or replaced with an alert message) for all threat
categories over the previous 24 hours.
Rerouted
Displays results in Time view by default. Results show the number of messages routed
to another server (for example, an encryption server) for all threat categories over
the previous 24 hours.
Blocked
Displays results in Time view by default. Results show the number of inbound or
outbound messages stopped by the appliance for all threat categories over the
previous 24 hours.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
75
3
Overview of Reports features
Email Reports
Types of Email report views
The Email Gateway reporting system uses different views of the available data, to enable you to select
the view best suited to your needs.
Each report that you generate can be presented in one of the following views:
Type of Definition
View
Total view
Reports | Email Reports | Email Interactive Reporting | Total View
The information is displayed in a horizontal bar chart. If you see no information, click Apply
on the Filter tab, or change the period and click Apply.
For information about the Filter or Favorites section on the right, click its tab, then click the Help
button (?).
• Action — Displays the list of actions taken by the appliance’s policies against each email
message or web access.
• Number of email messages — Displays the number of email messages or web accesses where
this action was applied.
Time view
Reports | Email Reports | Email Interactive Reporting | Time View
Displays results in a bar chart and table format over the time specified. Results are shown
in periods of ten minutes for hourly reports, by the hour for 24 hour reports, every six
hours for weekly reports, twelve hours for fortnightly reports, or daily for monthly reports.
The information is displayed in a vertical bar chart, and organized into small intervals. For
example, a weekly report shows activity in whole 6-hour portions of each day. If you see no
information, click Apply on the Filter tab, or change the period and click Apply.
You might not be able to view some older data, because the appliance’s log is regularly
purged.
For information about the Filter or Favorites section on the right, click its tab, then
click the Help button (?).
• Start — Displays the start of the period, such as on the hour.
• Legitimate to Blocked — Displays the numbers of email messages or web accesses
corresponding to each action in that period. If Action is not set to All, most columns have
values of 0.
76
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
3
Overview of Reports features
Email Reports
Type of Definition
View
Itemized
view
Reports | Email Reports | Email Interactive Reporting | Itemized View
The information is displayed in a pie chart and table format for each filter criteria, or for all
filters.
If you see no information, click Apply on the Filter tab, or change the period and click Apply.
For information about the Filter or Favorites section on the right, click its tab, then click the Help
button (?).
• Pie chart — Displays the percentage of all email or web accesses that match the criteria
selected in the Filter tab.
The orange portion of the pie shows the portion of the data that matches the criteria. The
green portion shows the remainder. If no filtering is set, the whole pie appears orange.
• Filter criteria — Displays the list of categories taken against the email message or web
access. Click any blue link for more information represented as a bar chart.
To return to the pie chart, click List all criteria. To examine the information further, click any
blue links.
As you click each link, values in the Filter tab are updated. Click Apply to display the pie
chart again.
• Number of distinct criteria items within the selection — Displays the number of email messages or
web accesses where each criteria applies.
Detail view
Reports | Email Reports | Email Interactive Reporting | Detail View
Displays all results in a table format. Results are shown for each detection in the report
results.
Information includes any threat in the email messages or IP addresses. The information is
displayed in a table.
If you see no information, click Apply on the Filter tab, or change the period and click Apply.
For information about the Filter or Favorites section on the right, click its tab, then click the Help
button (?).
• Date and other headings — Displays the details of each email message or web access.
To see all columns, move the horizontal scroll bar.
To sort the data in any column, click the column heading. The most recently sorted
column is indicated by a red arrow in the column heading.
• Data — Click the blue link to see further information about an email message — in a table
or as raw data (that is, in an XML-like format).
• To move through the list or to move quickly to either end of the list, click the arrows at
the bottom right of the list.
Types of Email report filters
To assist you finding the information you require, you can select filters to display more specific detail
within the Email reports.
Reports | Email Reports | Selection | Filter
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
77
3
Overview of Reports features
Email Reports
Each report allows you to filter the results by standard and advanced criteria. For example, you can
see information about viruses from all sources in the last month. Make your selections, then click
Apply. The new report might take a while to appear. You can save these selections to produce a similar
report at any time. or clear the selections you made.
Table 3-8 Option definitions — Email Reports filter options
Option
Definition
Period and Ending Displays information for a period from one hour to one month, based on the
selected start date.
When clicked, the Previous and Next buttons adjust the From date, for example,
moving it to next week or the previous day.
Protocol
Displays the protocols you want to view, such as SMTP.
Traffic
Displays traffic, whether inbound or outbound.
In a simple network, you might see reports on compliance for outbound traffic and
reports on spam for inbound traffic.
Sender
Displays information about one sender, such as user@example.com
When selected, the advanced options, Source domain and Source ID, further specify
the sender's domain or IP address, such as server1.example.com and
192.168.254.200.
Recipient
Displays information about one recipient, such as user@example.com
When selected, the advanced options, Destination domain and Destination ID,
further specify the recipient's domain or IP address, such as server1.example.com
and 192.168.254.200.
Action
Enables you to filter reports on specific actions, such as Legitimate or Blocked. Examples:
To view information about one sender or recipient, type:
<user@example.com>
The name is wrapped with chevron characters.
To view information about all senders' names that begin with b or B, type:
<b*
To view information about all senders' names that begin with b, B, e, or E, type:
<b*, <e*
Category
Displays information about a single type of detection, such as spam or virus. If the
selection is not All, you see further choices. For example, if you select Content, you
can further select Mail Size.
Extra categories appear here if you have installed any optional software.
Detection
Top Spam Senders report only. Choose whether the report should contain results for
spam senders, phish senders, or both.
Virus/PuPs
Top Viruses report only. Type the name of the virus or potentially unwanted program
to get detection results for that specific threat.
Show Advanced
When clicked, shows the options below.
To hide the options again, click Hide Advanced.
Source Domain
Filter traffic based on the domain that the messages are being sent from.
Source IP
Filter traffic based on the IP address that the messages are being sent from.
Destination Domain Filter traffic based on the domain that the messages are being sent to.
Destination IP
78
Filter traffic based on the IP address that the messages are being sent to.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Reports features
Email Reports
3
Table 3-8 Option definitions — Email Reports filter options (continued)
Option
Definition
Audit ID
As traffic passes through the appliance it can have an Audit ID assigned. Use this
field to filter traffic with a specific Audit ID.
Policy
Provides a selection of policies.
Favorite reports
Use this page to run an existing favorite report immediately, or build a list of links to reports that you
have already saved.
Reports | Email Reports | Selection | Favorites
Reports | System Reports | Selection | Favorites
Table 3-9 Option definitions
Option
Definition
Name
Displays the name of each report that you have saved.
Run report When clicked, opens the selected report and displays it to the left of the screen.
Edit
Opens the Filter page from where you can change the settings, test the report results, and
save the report criteria into a new favorite report.
Delete
Removes that Favorite report from the list, and from the reports available in Scheduled
Reports.
Task — Generate an email activity overview for a particular
sender
Use this task to create an overview of the email activity for a particular sender.
Use this task to:
•
Create a report that shows global email activity in the previous 24 hours
•
Filter those results to show the activity of a particular sender
•
Save the report as a new favorite report to be run again in the future
•
Set up a schedule to send the report regularly to the email administrator
Task — Run a standard email activity report
Create a report that shows global email activity in the previous 24 hours
Task
1
Click Reports | Email Reports.
2
From the Favorites list, select the Email Overview (last 24h) report.
3
Click Run report to generate a report for all users.
A report is created that shows the email traffic over the last 24 hours, for all users.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
79
3
Overview of Reports features
Email Reports
Task — Filter the data for a particular sender and save the report as a new
favorite report
Use this task to filter data produced from a global email report to refer to a particular sender.
Additionally, save the new report as a favorite.
Before you begin
Make sure that you have created the report detailed in Task — Run a standard email
activity report .
Task
1
Click Filter.
2
In Sender, type sender@examplecompany.com and click Apply to filter the data for that sender.
3
Click Save, type a name for the report, and click OK.
The report appears in the list of Favorites.
Task — Set up a schedule to send the report regularly to the email
administrator
Use this task to set up a schedule to regularly send a report to the email administrator.
Before you begin
Make sure that you have created the report detailed in Task — Filter the data for a
particular sender and save the report as a new favorite report .
Task
1
Click Reports | Scheduled Reports.
2
In the list of available report documents, select Favorite, and click Edit.
3
Select Enable scheduled delivery, and set the report to run Daily at 17:00 hours.
4
Type the email administrator address.
5
Click Report content.
6
In the list of favorite reports, select the report that you created, click OK, and apply the changes to
the appliance.
The selected report is send each day at 17:00 hours to the specified email administrator.
Task — Show me the total viruses detected over the previous
week
Use this task to show the total number of viruses detected in the previous week, and analyze the data
using different report views.
Task
80
1
Click Reports | Email Reports.
2
From the Favorites list, select the Top Viruses report, and click Filter.
3
Click Apply to run the report.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
3
Overview of Reports features
System Reports
4
Select Time view to see the action that was taken on each message broken down into eight hour
periods.
5
Select Detail view to see further information such as policy details, and the source IP address for each
message.
The required report, showing the total number of viruses detected in the previous week, is generated.
System Reports
Use this page to create and view real-time reports about threat detection updates, and system events.
Reports | System Reports
You can generate a report based on a set of pre-defined filters, or edit the filters, test the results, and
save the report as a new report.
Introduction to the System Reports page
This information introduces the System Reports page, found in the Reporting section of Email
Gateway.
System Reports contains several sub-pages, accessed from the tabs beneath System Interactive Reporting and
Selection.
Under System Interactive Reporting is a detailed view of the report results that tells you the type of update
made, when it ran, and whether it was successful. Data shows the update number so you can check
with the McAfee website that you're running the most up-to-date threat detection files available.
There are two pages beneath Selection:
•
Favorites enables you to choose a report with pre-defined filters, and generate it immediately. See
Report types.
•
Filter enables you to further define the data in each Favorite report, and set the period of time for
which you want to retrieve data. See Filter types.
Benefits of using system reports
This topic discusses the benefits of using the report features of Email Gateway to create and view
reports about system events.
Keeping up-to-date with McAfee threat detection updates is vital to the continued and successful
running of your organization. Generate system reports to get information about threat detection files
update status, user logon statistics, and network and hardware status .
Additionally, use the System Reports feature with the Scheduled Reports feature to create regular
reports, and send them immediately to other people, or at regular intervals.
Types of System reports
Information on the types of system reports that you can find within the Reports area of the user
interface are discussed.
The appliance comes with a set of reports with pre-defined filters available from the Favorites tab. You
can run these reports immediately, or edit them, and save as a new favorite report to run again in the
future, then make it available in the Scheduled Reports feature.
To see the default settings in each report, hold your mouse cursor to the left of a report name.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
81
3
Overview of Reports features
System Reports
Table 3-10 Option definitions
Option
Definition
Anti-Virus Updates (last
24h)
Displays results in Detail view by default. Results show the type of update
(anti-virus, spam rules, or URL filtering definitions), when it was made, the
results, and reference number associated with the update file
Anti-Virus Updates (last
week)
Displays results in Detail view by default. Results show the type of update
(anti-virus, spam rules, or URL filtering definitions), when it was made, the
results, and reference number associated with the update file
Types of System report views
Use this page to see the details of system updates or detection file updates.
Reports | System Reports | System Interactive Reporting | Detail View
If you see no information, click Apply on the Filter tab, or change the period and click Apply.
For information about the Filter or Favorites section on the right, click its tab, then click the Help button
(?).
Table 3-11 Option definitions
Option
Definition
Interactive
reporting — Detail
view
• Date — Displays the details of each email message or web access.
To see all columns, move the horizontal scroll bar.
To sort the data in any column, click the column heading. The most recently sorted
column is indicated by a red arrow in the column heading.
• Data — Click the blue link to see further information about an email message — in a
table or as raw data (that is, in an XML-like format).
• To move through the list or to move quickly to either end of the list, click the
arrows at the bottom right of the list.
Types of System report filters
To assist you finding the information you require, you can select filters to display more specific detail
within the System reports.
Reports | System Reports | Selection | Filter
Each report allows you to filter the results.
Table 3-12 Option definitions — System Reports filter options
Option
Definition
Period and Ending Displays information for a period from one hour to one month, based on the
selected start date.
When clicked, the Previous and Next buttons adjust the From date, for example,
moving it to next week or the previous day.
82
Event type
Displays reports about particular event types. For example, issues concerning the
Network.
Event
Select individual events based on the chosen Event type.
Reason
Select individual reasons based on the chosen Event.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Reports features
System Reports
3
Favorite reports
Use this page to run an existing favorite report immediately, or build a list of links to reports that you
have already saved.
Reports | Email Reports | Selection | Favorites
Reports | System Reports | Selection | Favorites
Table 3-13 Option definitions
Option
Definition
Name
Displays the name of each report that you have saved.
Run report When clicked, opens the selected report and displays it to the left of the screen.
Edit
Opens the Filter page from where you can change the settings, test the report results, and
save the report criteria into a new favorite report.
Delete
Removes that Favorite report from the list, and from the reports available in Scheduled
Reports.
Task — Generate a report that shows all threat detection
updates
Use this task to show all updates to the threat detection files on your Email Gateway.
Use this task to:
•
Run a report that shows all updates that took place in the last week
•
Filter the results to show only the URL filter updates that failed
•
Save the report as a new favorite report to be run again in the future
Task
1
Click Reports | System Reports.
2
From the Favorites list, select the Anti-Virus Updates (last week) report.
3
Click Run report to generate a report for all updates.
4
Click Filter.
5
In Event, select URL filter update failed, and click Apply to filter the data accordingly.
6
Click Save, type a name for the report, and click OK.
The report appears in the list of Favorites.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
83
3
Overview of Reports features
System Reports
84
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
This section of the online help topic provides an overview of the Email features and controls within
your Email Gateway appliances.
Email
Contents
Life of an email message
Email Configuration overview
Email Policies
DLP and Dictionaries overview
Encryption
Certificate Management
Hybrid configuration
Group Management
Add Directory Service wizard
Quarantine Configuration
Life of an email message
Use this topic to understand how the appliance processes the email messages that it receives.
The appliance handles an email message according to:
•
Who sent the email message.
•
Who will receive the email message.
•
The content of the email message.
On receiving an email message, the appliance processes it in the following order:
Email message
processing order
Kernel mode blocking
Permit and Deny Lists
CONNECT
Permit Sender [Connection]
Permit and Deny Lists
Deny Sender [Connection]
Permit and Deny Lists
Real-time Blackhole Lists
(RBL)
Sender Authentication Settings — RBL
Configuration
Permit Sender
Permit and Deny Lists
Deny Sender
Permit and Deny Lists
EHLO/MAIL
FROM
Bounce Address Tag Validation Bounce Address Tag Validation
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
85
4
Overview of Email menu
Life of an email message
RCPT TO
DATA
SPF (Sender Policy
Framework)
Sender Authentication Settings — SPF Sender ID
and DKIM
Address Masquerading
Address Masquerading (SMTP)
Anti-Relay
Anti-Relay Settings
Greylisting
Recipient Authentication
Address Aliasing
(Masquerading)
Address Masquerading (SMTP)
Permitted Recipient list
Recipient Authentication
LDAP recipient check
Recipient Authentication
Directory Harvest Prevention
Recipient Authentication
RBL
Sender Authentication Settings — RBL
Configuration
If behind an MTA.
SPF
Sender Authentication Settings — SPF Sender ID
and DKIM
If behind an MTA.
McAfee Global Threat
Intelligence message
reputation
Sender Authentication Settings — McAfee Global
Threat Intelligence message reputation
The McAfee Global Threat Intelligence message
reputation score is also passed to the
anti-Spam engine, where it is used to
supplement the spam scores for the email
message being scanned.
Sender ID
Sender Authentication Settings — SPF Sender ID
and DKIM
Domain Keys Identified Mail
(DKIM)
Sender Authentication Settings — SPF Sender ID
and DKIM
Anti-spam
Anti-Spam Settings - Basic Options
Scanning
Anti-Spam Settings - Advanced Options
Anti-Spam Settings - Blacklists and Whitelists
Anti-phish
Anti-Phish Settings
Mail size filter
Mail Size Filtering Settings - Message Size
Mail Size Filtering Settings - Attachment Size
Mail Size Filtering Settings - Attachment Count
86
Encrypted / Signed content
check
Signed or encrypted content Settings
Corrupt content
Content Handling Settings - Corrupt or Unreadable
Content
Encrypted content
Content Handling Settings - Corrupt or Unreadable
Content - Protected files
HTML check
Content Handling Settings - HTML Options
Compliance
Compliance Settings
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Configuration overview
Anti-virus [Including McAfee
Global Threat Intelligence file
reputation, PUPs, Packers]
4
Anti-Virus Settings - Basic Options
Anti-Virus Settings - McAfee Anti-Spyware
Anti-Virus Settings - Packers
Anti-Virus Settings - Custom Malware Options
DLP
Data Loss Prevention Settings
Image filtering
Image Filtering Settings
File filter
File Filtering Settings
Delivery
Proxy Mode
Domain Relay
DNS
Fallback relay
Transparent
Mode
When passing through the scanning stage, the next step that the email message takes depends on the
scanners that are triggered and the primary actions defined for each scanner.
Primary actions are prioritized as follows:
•
Deny connection
•
Replace
•
Refuse
•
Allow through
•
Accept and drop
For example, consider the following circumstances:
•
The appliance scans an email message and triggers against both a virus and spam. The anti-virus
scanner is configured to block on detection, whereas the anti-spam scanner is configured to block.
In this situation, the appliance will report the email message as containing viral content, as this is
the highest-priority primary action.
•
The appliance scans an email message and again triggers against both a virus and spam. However,
this time, both the anti-virus and the anti-spam scanners have their primary actions set to block.
In this case, the appliance will report the anti-spam trigger — anti-spam scanning occurs before
the anti-virus scanning — but, as both scanners are configured with the same priority primary
action, this will also be reported as containing viral material.
Email Configuration overview
Use these topics to understand the email protocol configuration, receiving email and sending email
pages within the Email Gateway user interface.
Email | Email Configuration
From the Email Configuration pages, you can configure features such as your protocol setting for SMTP
and POP3 email messages, Anti-relay settings, Recipient authentication, Permit and deny lists, as well
as other areas such as DKIM signing, delivering email domains and fallback relays.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
87
4
Overview of Email menu
Email Configuration overview
Contents
Protocol Configuration
Option definitions — Protocol Presets dialog box
Option definition - New Protocol Preset
Receiving Email
Sending Email
Sending Email — Add Relay List dialog box and Add MX Lookup dialog box
Anti-Relay Settings — Add Relay Domain dialog box and Add MX Lookup dialog box
Protocol Configuration
The Protocol Configuration tab within Email Configuration enables you to configure settings that are
protocol-dependant.
Email | Email Configuration | Protocol Configuration
Further tabs enable you to configure connection and protocol settings for both SMTP and POP3
protocols, as well as to configure address masquerading and transport layer security for your SMTP
protocol.
Contents
Connection Settings (SMTP)
Protocol Settings (SMTP)
Address Masquerading (SMTP)
Connection and Protocol Settings (POP3)
Connection Settings (SMTP)
The Connection Settings (SMTP) page links to configuration areas that set up settings for SMTP
connections on the appliance, such as ports, warning thresholds and timeouts.
Email | Email Configuration | Protocol Configuration | Connection Settings (SMTP)
Basic SMTP settings
Use this area to specify basic connection settings for the SMTP protocol, such as port numbers.
Email | Email Configuration | Protocol Configuration | Connection Settings (SMTP) | Basic SMTP settings
Changing these settings can affect scanning performance. If you are not sure about the impact of
making any changes, ask your network expert.
Table 4-2 Option definitions
Option
Definition
Enable the SMTP protocol
When deselected, ignores any SMTP traffic. Other traffic is not affected.
Listening ports
Specifies a port number.
The default value is 25.
88
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Configuration overview
4
Table 4-2 Option definitions (continued)
Option
Definition
Transparent interception ports Specifies a port number.
The default value is 25.
Secure ports
Specifies the type of port. The default value is 465.
SMTPS uses a secure port.
Click these icons and the port headings to reveal icons for managing the
port information:
Indicates the port number.
Indicates the traffic that will be intercepted.
Indicates a period when traffic is not scanned.
Enable reverse DNS lookups
When selected, enables the appliance to perform lookups. Default value is
Yes.
Take care if deselecting this setting. If you deny reverse DNS lookups, some
functions might fail.
Timeouts
Use this area to specify the timeouts that apply to the SMTP conversations.
These settings are configured by default to provide the best SMTP performance with most appliances
and network configurations. Changing these settings can affect performance. If you are not sure about
the impact of making any changes, ask your network expert.
Protocol preset
Select the required protocol preset, or create a new preset, using the drop-down list and button to the
right of the page.
Maximum wait times when receiving email
Specifies how long the appliance waits for responses from the mail server that sends the email
message.
Option
Definition
Between commands
The default value is 60 seconds.
Between receiving chunks of data
The default value is 180 seconds.
Acknowledgment of all the data
The default value is 360 seconds.
Maximum wait times when sending email
Specifies how long the appliance waits for responses from the mail server that receives the email
message.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
89
4
Overview of Email menu
Email Configuration overview
Option
Definition
Establishing a connection
The default value is 60 seconds.
Response to a MAIL command
The default value is 60 seconds.
Response to a RCPT command
The default value is 60 seconds.
Response to a DATA command
The default value is 60 seconds.
Between sending chunks of data
The default value is 180 seconds.
Acknowledgment of the final dot
The default value is 300 seconds.
SMTP conversation logging
Learn about enabling SMTP conversation logging.
Option
Definition
Enable SMTP conversation logging Select to produce a log of performed scans. These logs are available
from Reports | Message search.
Attachment identification
Enable attachment identification to use Message Search to find messages containing attachments.
Table 4-3 Option definitions
Option
Definition
Enable attachment identification Configure McAfee Email Gateway to carry out additional scanning of email
messages to identify attachments contained within the messages.
Once enabled, you can use Message Search to find email messages
containing specific attachments.
Unscannable content options
Some content can prevent scanners from completing their scan, potentially resulting in scans being
continuously retried and always failing.
Table 4-4 Option definitions
Option
Definition
Enable detection of unscannable content
To prevent unscannable content from tying up resources by
continually being rescanned, enable detection.
Maximum number of failed scan attempts
Configure the number of times that a scan is attempted before
the system marks the message as unscannable. The default is 5
attempts.
Period before content previously detected
as unscannable can be rescanned
Configure the time before another scan of the same email
message is attempted. The default is 24 hours.
Protocol Settings (SMTP)
The Protocol Settings (SMTP) page links to areas to allow you to configure settings for the SMTP
protocol on the appliance.
Email | Email Configuration | Protocol Configuration | Protocol Settings (SMTP)
90
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Configuration overview
4
Data command options
Use this area to specify how the appliance responds during the DATA phase when handling SMTP
email.
Table 4-5 Option definitions
Option
Definition
Maximum message data size
Specify the maximum size of message data in kilobytes. Setting this
option prevents excessively large email data from being processed by
the appliance. By default, no limit is set.
Maximum length of a single line
Specify the maximum length of a line within the message data. Setting
this option prevents data with excessively long line lengths from being
processed by the appliance. By default, no limit is set.
Maximum number of hops
Specifies the maximum number of hops allowed, that is, the maximum
number of Received lines allowed in the email header.
Default value is 100.
If these limits are exceeded
Specifies how the appliance responds. Default value is Close the connection.
Maximum line length before the
message is re-encoded
By default, no limit is set.
Denial of service protection
Use this area to specify how the appliance prevents possible denial-of-service attacks on your mail
server.
Table 4-6 Option definitions
Option
Definition
Minimum data throughput
Prevents an average data throughput that is too low. An attacker might
deliberately handle parts of the SMTP conversation slowly.
Default value is No lower limit.
Maximum number of trivial
commands
Prevents the appliance receiving too many trivial commands before a
successful DATA command. An attacker might repeatedly send commands
like HELO, EHLO, NOOP, VRFY, and EXPN.
Default value is 100.
Maximum number of AUTH
attempts
Prevents too many AUTH conversation attempts. (Transparent Bridge
mode only). The SMTP AUTH command is a request to the email server
for an authentication mechanism.
Default value is No limit.
Maximum command length
Prevents excessive command length. This might be a buffer-overflow
attack. According to RFC 2821, the maximum total length of a command
line including the command word and the CR-LF is 512 characters.
Default value is 999.
Maximum duration of an SMTP
conversation
Limits the time between opening the connection and receiving the final
dot (.) command.
Default value is No limit.
Allow null senders
Accepts an empty From address.
Default value is Yes.
Reject recipient if the domain is
not routable
Default value is No.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
91
4
Overview of Email menu
Email Configuration overview
Table 4-6 Option definitions (continued)
Option
Definition
Maximum number of recipients
Prevents an excessive number of recipients. During spam or
before a failure response is given directory-harvest attacks, the number of recipients often exceeds the
number who typically receive company-wide messages. When setting a
number here, consider that typical maximum, then add some more to
allow for possible increases. Consider changing this number if the
network is reconfigured or the typical maximum changes.
Default value is No limit.
Maximum number of recipients
before a delay is imposed
Prevents an excessive number of recipients.
Delay period
Specifies a period before connections may resume.
Default value is No limit.
Default value is Not set.
Specifies a delay to prevent an immediate reconnection.
Impose a lockout period
Default value is 600 seconds.
Generate non-delivery reports for Default value is Yes.
undeliverable email
Message processing
Use this area to configure message processing options within the SMTP protocol.
Table 4-7 Option definitions
Option
Definition
Welcome message
Specifies the text that is seen by a host when connecting to the appliance in
Explicit Proxy mode.
By default, this message is empty.
Store and forward email if
In proxy mode, messages which exceed the specified limits will always be
accepted and queued by the appliance before onward delivery is attempted.
Messages below the specified limits will have delivery attempted immediately
(whilst the client is still connected).
Default values:
• The message size exceeds — No limit
• The number of recipients exceeds — No limit
Maximum number of MX
records used
Specifies the response to messages that use MX (mail exchange) records
excessively.
Default value is 100.
Maximum number of A
records used
Specifies the response to messages that use A (address) records excessively.
Default value is 100.
Advanced options
Use this section to specify further settings for message processing. You do not normally need to
change the settings.
92
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Configuration overview
4
Table 4-8 Option definitions
Option
Definition
Port for SMTP communications
Specifies the usual port number.
The default port number is 25.
Maximum number of policies per email Limits the number of policies that can be applied to each email
message. A larger number can affect scanning performance.
Default number is 5.
Add the IP address of the connecting
server to the Received header
If you prefer that the IP address of your server is not made available,
deselect this feature.
Default value is Yes.
Add the domain name of the
connecting server to the Received
header
If you prefer that the domain address of your server is not made
available, deselect this feature.
A HELO command implies a reset
Forces the HELO command to automatically perform a reset (RSET
command). The RSET command clears the buffers that store data
such as the sender, recipients, and the email message.
Default value is No.
Default value is Yes.
A HELO or EHLO command is required Forces the use of the HELO or EHLO command in any SMTP
communication. Most SMTP conversations begin with these
commands. You need this feature only if the sender does not use the
command.
Default value is No.
Dump input email to disk
Provides information for troubleshooting. Select only if instructed to
do so. Otherwise performance will be affected.
Default value is No.
Dump output email to disk
Provides information for troubleshooting. Select only if instructed to
do so. Otherwise performance will be affected.
Default value is No.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
93
4
Overview of Email menu
Email Configuration overview
Transparency options (router and bridge mode only)
Use this area to configure options applicable only in the transparent operating modes — transparent
router or transparent bridge mode.
Table 4-9 Option definitions
Option
Definition
Use the welcome
message from the mail
server
Specifies the welcome message that appears when a host using SMTP connects
to an appliance operating in a transparent mode.
When selected, displays the welcome message of the mail server at the other
end of the connection. Prefixes extra text, if specified in the next option.
When not selected, displays the appliance's own welcome message (in the
Message processing section).
Default value is Yes.
Prepend the following
text
Specifies text for the message.
Send keepalives (NOOP
commands) during the
DATA phase and
Keepalive interval
Prevents the connection between the appliance and the onward email server
from timing-out when the appliance is scanning large email messages by
sending a keep-alive command to the destination server. This keeps the
connection alive until the DATA phase from the sending email server to the
appliance has completed. When the data has been transferred to the appliance,
the appliance stops sending the commands and starts the DATA phase between
the appliance and the destination email server. Default value is No.
Default value is to prefix no text.
Specify how often to send the keep-alive (NOOP) commands during the DATA
phase.
Default value of interval is 55 seconds
Advanced options
Use this section to specify further settings for transparency options. You do not normally need to
change these settings.
Table 4-10 Option definitions
Option
Definition
Allow the appliance to Generates additional scanning alerts to warn a network administrator or other
generate additional
users when specific events occur.
scanning alerts
Default value is Yes.
The actions that the appliance takes when one of these events occurs, depends on
which detection was triggered and how the policies have been set up for each
protocol. By default, most secondary actions are not available when the appliance
is operating in a transparent mode. Only the quarantine actions are available by
default.
Allow multiple
policies per email
Allows the use of multiple policies for email messages that have more than one
recipient.
Default value is No.
If an email message has more than one recipient, you can configure the appliance
to allow different policies to apply to each of the recipients. If you do not allow
multiple policies, the appliance applies only the highest priority policy, as defined
by the order of your policies.
Add a Received
header to email
94
Adds Received (RCPT) commands to the email headers.
Default value is Yes.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Configuration overview
4
Table 4-10 Option definitions (continued)
Option
Definition
Secure conversation
pass-through
Allows TLS or SSL-secured conversations to be passed through the McAfee Email
Gateway without being interrupted.
With this option selected, when the McAfee Email Gateway either receives the
STARTTLS command or a connection is received on a Secure Port (SMTPS), the
connection is passed through to the other email server, allowing a secure
server-to-server connection to be made directly between the client and server
without McAfee Email Gateway scanning or processing the data.
As the TLS or SSL connection is effectively direct between the two email servers,
McAfee Email Gateway cannot scan the secured traffic that is passed through it
using Secure conversation pass-through. Therefore, it is possible that malicious content
could pass undetected through your McAfee Email Gateway and into your network.
ESMTP extensions
Scans features of the Extended Simple Mail Transfer Protocol.
Default values:
• Enable ESMTP extensions — Yes
• DSN (Delivery Status Notification), 8BITMIME (8-bit data transfer), AUTH
(Authentication) — Yes
• SIZE — No
Microsoft Exchange
ESMTP extensions
Prevents scanning of some extensions.
Default values:
• X-EPS, X-LINK2STATE, XEXCH50, CHUNKING — No
If the appliance operates between two Microsoft Exchange servers, the appliance
must allow these email headers to be exchanged without scanning.
Address parsing options
Use this area to configure options relating to the parsing of email addresses.
You do not normally need to change these settings. Change the settings only if you understand the
possible effects, or you have consulted an expert.
An email address such as user@example.com has two parts:
•
The local part is before the @ character — user.
•
The domain part is after the @ character — example.com.
Table 4-11 Option definitions
Option
Definition
Maximum length of the local part
Specifies how many characters can be used in the local part.
The RFC limit is 64 characters.
Maximum length of the domain part
Specifies how many characters can be used in the domain part.
The RFC limit is 255 characters.
Allow non-RFC characters in the domain
part
McAfee® Email Gateway 7.6.0 Appliances
By default, characters outside the ASCII range are not allowed in
an email address.
Administrators Guide
95
4
Overview of Email menu
Email Configuration overview
McAfee Secure Web Mail
Enable policy support for McAfee Secure Web Mail.
Table 4-12 Option definitions
Option
Definition
Advertise McAfee Secure Web Mail When using this appliance to provide encryption services to other
policy support in the EHLO
McAfee Email Gateway appliances, you should enable this option.
response
Use the Protocol presets to ensure that the appliance only advertises
McAfee Secure Web Mail policy support when the connection is coming
from other McAfee Email Gateway appliances.
Address Masquerading (SMTP)
Use the sections on this page to convert the addresses in incoming or outgoing email messages.
Email | Email Configuration | Protocol Configuration | Address Masquerading (SMTP)
For example:
•
Send and receive email for general enquiries using an anonymous address such as
info@example.com, instead of one person’s specific address.
•
Redirect email for several people to one person.
•
Modify the email headers to hide information about your internal domains.
Make modifications to the From address and sender headers of outgoing email under Sender address
masquerading.
Make modifications to the To address of incoming email under Recipient address aliasing.
Address masquerading is based on protocol presets and can affect a large number of email messages.
When configuring your policies, consider whether you need the policy rules to apply to the email
addresses before or after they might be re-written.
Useful websites
Regular expressions: http://www.regular-expressions.info/reference.html
Option definitions — Sender address masquerading
Use this area to change the address from which email messages appear to have been sent.
Option
Definition
Type
States whether the sender address is a string replacement, or an LDAP lookup.
Search pattern
Specifies a search pattern that uses regular expressions to convert the original sender
email address to a masqueraded email address.
Take care with the use of ^ and $ in a regular expression. If the email headers contain
extra characters such as chevrons (< >), the regular expression will not replace the
email address, as expected.
96
Replacement
Displays the address you want to put in place of the original email address.
Move
The search for the pattern is done from the top to the bottom of the list. When a
pattern matches, it replaces using the replacement. In the case of LDAP lookups, it
uses the relevant LDAP query.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Configuration overview
Option
Definition
Add Entry
Adds a string replacement entry to the list.
4
Add LDAP entry Adds an LDAP lookup to the list.
Test
When clicked, opens a further window where you can test whether your regular
expression makes the correct replacement address. Type an email address as input,
click Check to see the resulting output address.
Export
When clicked, this link opens a dialog box you can use to export your list of
masquerade addresses as a text file. The list can be stored on the appliance, or on
your local computer.
The list is a text file in the following format:
• List, search pattern
• Replacement
• List, search pattern
• Replacement
Write down the file name and location in case you need to import it.
Import
When clicked, this link opens a dialog box you can use to navigate to a stored
(exported) address list and import it to your current Masquerade window. You can
overwrite existing addresses, or append to the existing list.
Sender mail headers to search (advanced)
Specify the email headers that McAfee Email Gateway will search when using Sender address masquerading
to replace email addresses.
Option
Definition
Sender mail headers Specifies the mail headers to search within outgoing email messages.
to search
You need only add new headers if your mail server attaches its own unique
headers, or extra headers are defined in new email specifications.
By default, the following email headers are searched when using Sender address
masquerading:
• return-path
• resent-sender
• from
• reply-to
• sender
• return
• resent-from
Option definitions — Recipient address aliasing
Use this area to change the address to which email messages appear to have been sent.
Option
Definition
Type
States whether the sender address is a string replacement, or an LDAP lookup.
Search pattern
Specifies a search pattern that uses regular expressions to convert the recipients email
address to an aliased email address.
Take care with the use of ^ and $ in a regular expression. If the email headers contain
extra characters such as chevrons (< >), the regular expression will not replace the
email address, as expected.
Replacement
Displays the address you want to put in place of the recipient email address.
Move
The search for the pattern is done from the top to the bottom of the list. When a
pattern matches, it replaces using the replacement. In the case of LDAP lookups, it
uses the relevant LDAP query.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
97
4
Overview of Email menu
Email Configuration overview
Option
Definition
Add Entry
Adds a string replacement entry to the list.
Add LDAP Entry Adds an LDAP lookup to the list.
Test
When clicked, opens a further window where you can test whether your regular
expression makes the correct replacement address. Type an email address as input,
click Check to see the resulting output address.
Export
When clicked, this link opens a dialog box you can use to export your list of virtual
addresses as a text file. The list can be stored on the appliance, or on your local
computer.
The list is a text file in the following format:
• List, search pattern
• Replacement
• List, search pattern
• Replacement
Write down the file name and location in case you need to import it.
When clicked, this link opens a dialog box you can use to navigate to a stored
(exported) address list and import it to your current Masquerade window. You can
overwrite existing addresses, or append to the existing list.
Import
Recipient mail headers to search (advanced)
Specify the email headers that McAfee Email Gateway will search when using Recipient address aliasing.
Option
Definition
Recipient mail headers to Specifies the email headers to search within incoming email messages.
search
You need only add new headers if your mail server attaches its own unique
headers, or if extra headers are defined in new email specifications.
Task — Masquerading all incoming email messages using an attribute in LDAP to
masquerade the sender
Use this task to masquerade all incoming or outgoing email messages using an attribute in LDAP.
Before you begin
Ensure that you have a valid connection to an LDAP server created with a functioning
Address Masquerading query.
You can follow these steps to masquerade a recipient by selecting Add LDAP Entry from the Recipient address
aliasing section of the page.
Task
1
Go to Email | Email Configuration | Protocol Configuration | Address Masquerading (SMTP)
2
In the Sender address masquerading section, click Add LDAP Entry.
3
Enter a search pattern such as .*@test.dom.
4
In Replacement, select the correct server and address masquerading query and click Test.
5
In Input email address, type the email address that you want to masquerade. and click Check.
The Pattern matched and Output email address fields are automatically populated.
6
98
Click Close.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Configuration overview
When the query is selected, any email that comes from, for example originalsender@test.dom, should
be replaced with the masqueraded email address such as <masqueraded sender>@test.dom.
Connection and Protocol Settings (POP3)
Use this area to specify settings for the POP3 protocol such as port numbers and time-outs.
Email | Email Configuration | Protocol Configuration | Connection and Protocol Settings (POP3)
Optionally specify periods when some parts of the network will not be scanned.
Before turning off scanning of any traffic, consider the security risks. The most secure option is to scan
all traffic. If an appliance is operating in a transparent mode, use this feature to exclude some parts of
the network from scanning traffic in a protocol during specific periods. You might need to do this if you
regularly move many large files through the appliance.
Changing these settings can affect scanning performance. If you are not sure about the impact of
making any changes, ask your network expert.
Basic POP3 settings
Use this area to configure the basic setting for using the POP3 protocol.
Table 4-13 Option definitions
Option
Definition
Enable the POP3 protocol
When deselected, ignores any POP3 traffic. Other traffic is not affected.
Listening ports
Specifies a port number. The default value is 110.
Transparent interception
ports
Specifies a port number. The default value is 110.
Dedicated POP3 proxy ports
Specifies connections to dedicated POP servers.
Specify a unique port number for each server. Choose port numbers in the
range 1024 to 65535, because numbers below 1024 are generally assigned
to other protocols. The server must have an FQDN, for example
pop3server.example.com.
Click these icons and the port headings to reveal icons for managing the port
information:
Indicates the port number.
Indicates the traffic that will be intercepted.
Indicates a period when traffic is not scanned.
Indicates a dedicated port.
Enable reverse DNS lookups. When selected, enables the appliance to perform lookups. Default value is
Yes.
Take care if deselecting this setting. If you deny reverse DNS lookups, some
functions might fail.
Timeouts
Use this area to specify time-out values for the POP3 protocol.
You do not need to change these values often.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
99
4
Overview of Email menu
Email Configuration overview
Table 4-14 Option definitions
Option
Definition
Maximum wait times when talking to Specifies how long the appliance waits for responses from the
a POP3 client
computer that sends the email message. Default values:
• Between commands — 600 seconds
• Completing data transfer — 60 seconds
Maximum wait times when talking to Specifies how long the appliance waits for responses from the mail
a POP3 server
server that receives the email message. Default values:
• Establishing a connection — 60 seconds
• Completing data transfer — 60 seconds
POP3 protocol settings
Use this section to specify settings that apply only to the POP3 protocol.
Table 4-15 Option definitions
Option
Definition
Enable server
keepalives
Specifies values to keep the server connection open. The appliance can repeatedly
send a POP3 command to prevent the connection between the appliance and the
mail server timing-out.
Default values:
• Enable server keepalives — No
• Keepalive interval — 60 seconds
• Keepalive command — Not set
Enable client
keepalives
Specifies values to keep the client connection open. The appliance can repeatedly
send a POP3 command to prevent the connection between the appliance and the
POP3 mail client timing-out. Default values:
• Enable client keepalives — No
• Keepalive interval — 60 seconds
Address delimiters
Specifies the characters that identify each part of an email address. For example:
[user name]#[host name]:[port number]. Default values:
• # — User delimiter
• : — Host delimiter
You need only change the delimiter characters if your POP3 provider uses different
characters.
Respond to CAPA
requests
Responds to a POP3 CAPA command, which returns a list of capabilities supported
by the POP3 server. Default value is No.
For more information, see RFC 2449.
100
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Configuration overview
Option definitions — Protocol Presets dialog box
Use this dialog box to re-order, create, and edit or remove existing protocol preset policies.
Option
Definition
Add network group
Click to open the Add Network Group dialog box to group together hosts or networks
that you want to be associated with each other.
Network groups can be used when defining rules for email policies and protocol
presets by selecting the source or destination network group rule type.
Add Policy
Click to open the New Preset dialog box.
Order
Shows the presets in the order in which you want them to be evaluated. The
default policy is always evaluated last.
Policy name /
Move / Delete
Lists the presets, and allows you to move them or edit them as appropriate.
The default policy cannot be modified or deleted.
Option definition - New Protocol Preset
Use this dialog box to create a protocol preset to apply to a policy.
Some of these options may not be available in all instances of creating a new protocol preset.
Option
Definition
Policy name
Type a name for the virtual host policy
Description
Optionally type a description for the policy to help you identify it.
Inherit settings
from
Select the protocol preset from which you want to inherit the settings, that is, any
settings that are not overridden by this protocol preset will be taken from the
protocol preset specified here.
Policy type
Select either:
• Physical — A standard policy that has rules available. A physical policy can be
triggered when its rules are matched and can also be used for inheritance.
• Virtual — A virtual policy can be considered to be a collection of settings available
for the purposes of inheritance. A virtual policy can never be triggered.
This option is only available when you create a protocol preset from Email | Email
Configuration when virtual hosting has been enabled on the appliance.
Match logic
Select either:
• Match one or more of the following rules — this policy triggers if any of the specified rules
are matched.
• Match all of the following rules — this policy triggers if all of the specified rules are
matched.
This option is only available when you create a protocol preset from Email | Email
Configuration.
Rule type /
Move / Edit
Lists the rules associated with the preset, and allows you to move or edit them as
appropriate.
This option is only available when you create a protocol preset from Email | Email
Configuration.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
101
4
Overview of Email menu
Email Configuration overview
Option
Definition
Add Rule
Click to specify the type of rule that you want to apply to the preset, and set its
Match and Value.
This option is only available when you create a protocol preset from Email | Email
Configuration.
Add network
group
Click to create a network group to associate with the preset.
This option is only available when you create a protocol preset from Email | Email
Configuration.
Receiving Email
The Receiving Email tab within Email Configuration enables you to configure settings that are
protocol-dependant.
Further tabs enable you to configure permit and deny lists and anti-relay settings as well as recipient
authentication and bounce address tag validation.
Contents
Permit and Deny Lists
Anti-Relay Settings
Recipient Authentication
Bounce Address Tag Validation
Permit and Deny Lists
Use this page to build a list of IP addresses, networks and users that are permitted, blocked or
temporarily blocked from connecting to the appliance.
Email | Email Configuration | Receiving Email | Permit and Deny Lists
The page has these sections:
Benefits of using the permit and deny lists
Use this information to understand the benefits of using the permit and deny lists.
The permit and deny lists for connections and senders are located on a single page within the user
interface, allowing you to easily configure these settings.
Once set, the permit and deny lists help prevent your users from being swamped by unwanted email
messages, whilst helping ensure that email messages from trusted senders do not accidentally get
blocked.
102
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Configuration overview
Option definitions — Permitted and blocked connections
Use this topic to learn where to specify IP addresses that are always permitted or blocked when
connecting to the appliance.
Table 4-16 Option definitions — Permitted connections
Option
Definition
IP address The appliance accepts email from this address even if a detected threat caused a "Deny
connection" action. This setting ensures that the appliance does not delay email from
trusted senders.
Add
Add IP addresses to the Permitted connections list.
Delete
Remove selected IP addresses from the Permitted connections list.
Import List To prevent you having to enter the permitted connections individually onto each of your
appliances, you can import a list of permitted connections.
Export List Once you have configured the permitted connections list for one of your appliances, you
can export the permitted connections list, to be imported onto other appliances.
The file is created in comma separated values (CSV) format.
Table 4-17 Option definitions — Blocked connections
Option
Definition
Virtual Host
Displays the name of the virtual host that received the connection currently
being blocked by the appliance.
IP address
Displays the IP addresses for connections that the appliance is currently
blocking. Addresses remain in this list for a specified period during which email
is not accepted.
Permitting a connection does not override any time constraints set up by the
policy that blocks the connection. For example, if a policy states that a
connection will be blocked for 600 seconds and you change the connection to
“permitted” within the 600 seconds, the connection continues to be blocked until
the 600 seconds have elapsed. This is why a connection can temporarily appear
in both the Blocked and Permitted connections list.
Domain Name
Displays the domain name associated with the blocked IP address.
Port
Displays the number of the port on which the message was received. This is
typically port 25.
VLAN ID
Displays the ID of the virtual LAN on which the message was received. This is
typically 1 to 4094.
Applicable to Transparent Bridge mode only.
Seconds remaining
Displays the time that must pass before the appliance again allows a connection
from this IP address.
Refresh
When clicked, updates the list of connections. The list is not automatically
updated.
Resolve Addresses
When clicked, the appliance attempts to resolve the IP addresses to show the
relevant domain name.
Unblock
When clicked, enables the selected IP address to try to reconnect.
Store a maximum of
items in the blocked
connections list
If the limit is reached, the appliance can only add more IP addresses to the list
when an existing address expires or is removed manually by clicking Unblock.
Default value is 5000.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
103
4
Overview of Email menu
Email Configuration overview
Option definitions — Permitted and blocked senders
Use the information in this topic to specify senders, networks and domains that are always permitted
or blocked when connecting to the appliance.
Table 4-18 Option definitions
Option
Definition
Value type (Permitted
senders)
If an email is from a permitted sender, Sender Authentication checks are
bypassed, and the sender is accepted.
Value (Permitted senders) Displays the details of the sender:
• Email address — For example, network_user@ example.com
• IP address — For example, 192.168.255.240
• Domain name — For example, www.example.com
Value type (Blocked
senders)
If an email is from a blocked sender, it will be refused unless there is a
corresponding entry in the permitted senders list.
Value (Blocked senders)
Displays the details of the sender (email address, IP address and domain
name).
Response if a sender is in Offers various actions, including:
the block list
• Allow through
• Accept and drop
• Reject and close
• Reject, close and deny
• Reject
Resolve permitted /
blocked host names to IP
addresses
When selected, causes the appliance to use DNS to resolve host names to IP
addresses from a domain name. These lookups take place when the SMTP
proxy is initialized. The default value is Yes.
Reverse lookup sender IP
address
When selected, causes the appliance to use DNS to do a reverse lookup of the
sending IP address to match domains in the list. Because this requires an extra
lookup for each connection, this can affect performance. The default value is
No.
Import List
To prevent you having to enter the permitted or denied senders individually
onto each of your appliances, you can import lists of permitted or denied
senders.
Export List
Once you have configured the permitted or denied senders list for one of your
appliances, you can export the information, to be imported onto other
appliances.
The files are created in comma separated variables (CSV) format.
Task — How do I add a permitted connection?
Use this task to add a permitted connection to your appliance.
To add a permitted connection:
Task
1
Browse to Email | Email Configuration | Receiving Email | Permit and Deny Lists | Permitted and blocked connections |
Permitted connections.
2
Click Add.
3
Type the IP address and the netmask for the connection that you want listed as permitted.
4
Apply the changes.
The specified IP address is added as a new permitted connection.
104
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Configuration overview
Task — How do I export my lists of permitted or denied settings?
Use this task to export your lists of either permitted or denied settings.
Once you have configured your appliance with your permitted or denied settings, you can export a list
of these settings, either as a backup or to import into other appliances.
Task
1
Browse to Email | Email Configuration | Receiving Email | Permit and Deny Lists.
2
Click Export List for the relevant area (Permitted connections, Permitted senders or Blocked senders).
3
Click the displayed link to download it to your local file system.
4
Click Close.
Your list of Permitted connections, Permitted senders or Blocked senders is downloaded to your local file system.
Task — How do I import a list that I exported from another appliance?
Use this task to import a list that was exported from another appliance.
To prevent you having to repeatedly enter the same data into each of your appliances, McAfee Email
Gateway enables you to import a list of permitted or denied senders or permitted connections into
your appliance.
Task
1
Ensure that you have exported the required list, and that it is located where it can be accessed
from your user interface.
2
Browse to Email | Email Configuration | Receiving Email | Permit and Deny Lists.
3
From the relevant area (Permitted connections, Permitted senders or Blocked senders), click Import List.
4
Browse to the required file.
5
Click OK.
The selected list is imported onto your appliance.
Anti-Relay Settings
Use this page to prevent the appliance from being used as an open relay.
Email | Email Configuration | Receiving Email | Anti-Relay Settings
Benefits of configuring relaying email and anti-relay settings
Understand the importance of preventing the appliance being used as an open relay.
By default, the appliance is configured as an open relay. This means that anyone can send messages
through it. You must specify the domains that can send and receive messages.
Anti-relay settings are required to ensure that the appliance only handles email for authorized users,
and to prevent other people such as spammers from using the appliance to forward their messages.
When you first log on to the appliance, a warning is given in the Services portlet on the Dashboard.
You must create at least one local domain to prevent the appliance from being used as an open relay.
Even if you have a list of domains categorized as permitted domains or denied domains, the lack of a
local domain will still mean that the appliance can be used as an open relay.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
105
4
Overview of Email menu
Email Configuration overview
The page has these sections:
•
Relaying email
•
Anti-relay options
A typical scenario is that the local domain, such as *.local.dom, accepts messages for delivery by
the appliance. You also have a network from which you accept messages, such as 192.168.0.0/24.
The anti-relay feature checks the contents of these lists to determine whether a recipient is
acceptable.
The order in which anti-relay checks take place
Use this information to understand the order in which Email Gateway makes the anti-relay checks.
The appliance makes anti-relay checks at the RCPT TO phase of the SMTP conversation. It is important
to understand the order in which the anti-relay checks take place:
•
•
•
•
Is the local domain list empty?
•
Yes. The appliance operates as an open relay and allows the recipient to receive the message.
•
No. The appliance performs the next check.
Is the recipient or connection in the permitted domains list?
•
Yes. The appliance allows the recipient to receive the message.
•
No. The appliance performs the next check.
Is the recipient or connection in the denied domains list?
•
Yes. The appliance rejects the recipient.
•
No. The appliance performs the next check.
Is the recipient or connection in the local domain list?
•
Yes. The appliance checks whether the recipient matches on a permitted routing character.
•
•
106
Yes. The appliance accepts the recipient.
No. The appliance checks whether the recipient matches on a denied routing character.
•
Yes. The appliance rejects the recipient.
•
No. The appliance accepts the recipient.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Configuration overview
•
No. The appliance rejects the recipient.
Option definitions — Relaying email
Use this information to specify domains and networks that can use the appliance for handling their
email.
Option
Definition
Add Domain
Click to specify the domains that can relay messages through the appliance to the
recipient. Choose from:
• Local domain — These are the domains or networks for which email is accepted for
delivery. For convenience, you can import a list of your local domain names using
the Import Lists and Export Lists options. McAfee recommends that you add all domains
or networks that are allowed to relay messages as local domains.
• Permitted domain — Email is accepted. Use permitted domains to manage exceptions.
• Denied domain — Email is refused. Use denied domains to manage exceptions.
Hold your mouse cursor over the field to see the recommended format.
You must set up at least one local domain.
Add MX Lookup
Click to specify a domain that the appliance will use to identify all mail server IP
addresses from which it will deliver messages.
Delete Selected
Items
Removes the selected item from the table. You must apply the changes before the
item is completely removed from the appliance configuration.
Domain Name/
Network
Address/MX
Record
Displays the domain names, wildcard domain names, network addresses, and MX
lookups from which the appliance will accept or refuse email.
Type
• Domain name — for example, example.dom. The appliance uses this to compare the
recipient's email address and compare the connection against an A record lookup.
• Network Address — for example, 192.168.0.2/32 or 192.168.0.0/24. The appliance
uses this to compare the recipient's IP literal email address such as
user@[192.168.0.2], or the connection.
• MX Record Lookup — for example, example.dom. The appliance uses this to compare
the connection against an MX record lookup.
• Wildcard domain name — for example, *.example.dom. The appliance only uses this
information to compare the recipients email address.
Category
• Local domain
• Permitted domain
• Denied domain
Resolve the
above domain
names to IP
addresses
If selected, allows the appliance to use DNS to resolve the IP addresses of the
domains. These lookups take place only when the SMTP proxy is initialized.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
107
4
Overview of Email menu
Email Configuration overview
Option
Definition
If a sender or
recipient is
rejected
• Reject — sends an SMTP 550 (permanent failure) response and closes the connection.
• Reject the email and close the connection — sends a rejection code, SMTP 550 (permanent
failure) response code or a SMTP 421 (Temporarily unavailable service due to
potential threat message), then closes the connection.
• Accept and ignore the recipient — sends an acceptance code, SMTP 250 (OK). McAfee does
not recommend this option because it suggests to the sender that the message was
received as intended.
Import Lists/
Export Lists
On an appliance from which you want to save a list of domains for anti-relay
specification, click Export Lists to create a comma-separated CSV file that contains
details of all the domains that you specified on this page, whether they are local,
permitted or denied. On an appliance onto which you wish to put the list of domains,
click Import Lists.
To create your own list, see Formats for export lists later on this page.
Option definitions — Anti-relay options
Use this information to understand the options relating to the anti-relay settings.
Using routing characters (such as %, !, and |) is a method of passing messages between computers.
With these characters, unauthorized users can relay email messages (often spam) by using computers
inside your network. To permit or block this form of relaying, you specify the routing characters, which
are in the part of an email address before the final @. By default, the appliance does not support
routing characters in email addresses.
Option
Definition
Permitted routing
characters
Specifies permitted routing characters. Normally you do not need to type any
characters here.
Use the default
(Permitted routing
characters)
When selected, prevents the use of the following routing characters: *!* *%*
*|*
Denied routing
characters
Accepts any of the following characters:
*%* - Right-binding routing character (%-exploit).
*!* — Local or mail gateway routing.
*|* — Pipe is used by some mail servers to execute commands.
*[*]* — Parentheses that encloses a dotted-decimal domain address such as
192.168.254.200.
*:* — Colon for multiple hops.
For example, to block the relaying of addresses of the type
“user@host”@relay.com, add *@* to the list of denied characters.
Use the default (Denied
routing characters)
When selected, prevents the use of the following routing characters: *!* *%*
*|*
Enable routing character
checking for sender
When selected, examines routing characters on outgoing mail.
Protocol preset
Lists any connection-based policies to which the routing characters setting
applies.
Click to open the Protocol Presets screen to assign additional policies, or create
new policies or network groups to which the routing characters setting applies.
108
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Configuration overview
Task — Creating a simple configuration
Use this task to create a simple configuration to allow controlled relaying of incoming and outgoing
messages from your Email Gateway.
To allow relaying of incoming messages to your domain, add a wildcard domain. To allow the relaying
of outgoing messages from your domain, add the IP address or network address of the Message
Transfer Agent (MTA):
Task
1
Go to Email | Email Configuration | Receiving Email | Anti-Relay Settings.
2
Click Add Domain.
3
Type the domain name using a wildcard, such as *example.dom.
4
In Category, select Local domain, and click OK.
5
Click Add Domain, and type the network address or the IP address from which you expect to receive
messages (such as 192.168.0.2/32 or 192.168.0.0/24).
6
In Category, select Local domain, and click OK.
The domains that you specify are allowed to relay incoming or outgoing email traffic.
Task — Creating a permitted subdomain based on a larger denied domain
Use this task to create a new permitted subdomain, using the settings for a larger, denied, domain.
To create a small permitted subdomain within a larger denied domain, create the main domain as a
denied domain, and add the sub domain as a permitted domain.
Task
1
Go to Email | Email Configuration | Receiving Email | Anti-Relay Settings.
2
Click Add Domain.
3
Type the domain name that you want to deny using a wildcard, such as *example.dom to reject all
messages sent to that domain.
4
In Category, select Denied domain, and click OK.
5
Click Add Domain again, and type the name of the subdomain that you want to accept, such as
sub.example.dom.
6
In Category, select Permitted domain, and click OK.
The permitted subdomain is created.
Task — Create a list of domains and export it to another appliance
Use this task to configure the domains on one appliance, generate a list of these domains, and then
import this list onto another appliance.
Task
1
On a master appliance, go to Email | Email Configuration | Receiving Email to set up the local domain, and
any permitted or denied domains.
2
Click Export Lists to create a CSV file that contains a list of all domains displayed in the Relaying
email list.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
109
4
Overview of Email menu
Email Configuration overview
3
Click the link to download the file, and save it onto your local file system.
4
On a secondary appliance, go to Email | Email Configuration | Receiving Email and click Import Lists.
Formats for export lists
Use this information to understand the formats you can use to create an export list.
To create a list of domains for an export list, type the domains into a comma-separated values file
using the following formats:
•
To add a local domain, type LD *<domain name>
•
To add a local network address, type LN <IP address>/<CIDR>
•
To add a permitted domain, type PD *<domain name>
•
To add a denied domain, type DD *<domain name>
For example:
LD *inbri.bs.dom, LN 10.6.1.3/24, PD *qa.ext.bs.dom, DD *ext.bs.dom
Recipient Authentication
Use this page to prevent attacks from zombie networks, bogus recipient names, and directory
harvesting.
Email | Email Configuration | Receiving Email | Recipient Authentication
The page has these sections:
Benefits of using Recipient Authentication
Use this information to understand the benefits of using Recipient Authentication on your McAfee Email
Gateway.
Greylisting email messages from unknown senders causes messages from these senders to be rejected
for a period of time. If the sending email system is legitimate, it will follow the correct protocols for
re-delivering previously rejected messages. However, most "zombie" networks that are used to send
spam messages do not comply with these protocols, and therefore messages from them are blocked.
Recipient checks are useful tools in preventing directory-harvest attacks and flooding attacks (where
large volumes of email messages are directed at your email servers, in the hope that some will get
through to valid email addresses). Recipient checks work by you providing information about your
genuine recipients of email messages within your organization. This information may already be
available from your LDAP servers. You can also import lists of recipient email addresses from a file.
This option is intended for small companies who can easily maintain a list of email recipients. For
larger companies, consider using LDAP directory services to provide email attributes to the appliance
(Email | Group Management | Directory Services.)
Directory harvest prevention compares the number of email messages being sent to known and unknown
email addresses within your organization. From this, the appliance can identify when a directory
harvest is taking place, and can take steps to minimize the impact of the attack.
110
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Configuration overview
Option definitions — Greylisting
Use this information to learn about the options available for configuring greylisting on your McAfee
Email Gateway.
Use this section to create a grey list, which is effective against attacks from unknown senders such as
zombie networks. Greylisting temporarily rejects email from new senders to resist spam attacks.
Option
Definition
Protocol preset
Specifies the policy (and network group) to which these settings apply.
Accept SMTP
callback requests
If selected, overcomes delays caused by devices that use SMTP callbacks to
prevent spam.
Initial retry delay
Specifies how long to reject any early attempt to resend the email. The default
value is 3600 seconds (1 hour). Many mail servers typically try to resend after one
hour. The range is up to 86400 seconds (1 day).
Unretried record
lifetime
Specifies how long to keep a record, where the sender has not tried to send
another message.
After this time, the appliance deletes the record of any triplet that has not be
retried. We recommend a value below 8 hours. The range is up to 96 hours (4
days). Default value is 4 hours.
Greylisted record
lifetime
Specifies how long to keep a greylisted record. The appliance deletes records of
triplets that have not been referenced for some time. The range is up to 2160
hours (90 days). Default value is 864 hours (36 days), which is suitable for
occasional mail like monthly newsletters.
Maximum number of Specifies the maximum number of greylisted records. When the number of records
records
approaches this value, the appliance starts deleting old records. The range is
50,000 to 2,000,000. Default value is 2000000.
Option definitions — Recipient Checks
Use this information to learn about the options available within the user interface for configuring
recipient checks.
Use this section to prevent directory-harvest attacks and attacks that issue large numbers of email
messages (known as flooding). You can provide the appliance with a list of permitted recipients. Your
network might already have this information on its LDAP servers. Alternatively, you can import a list of
email addresses from a text file.
Option
Definition
Protocol preset
Specifies the policy (and network group) to which these settings apply.
If the recipient is not in
the following list
When selected, checks the recipient address against email addresses in the list.
Email address
Lists the acceptable email addresses. You can use wildcards, for example:
user*@example.com. We recommend that you do not overuse wildcards,
because you will defeat the intention. Add or remove addresses as necessary.
Or if the recipient does
not satisfy the query
When selected, checks the recipient address against email addresses in the LDAP.
To connect to an LDAP server, select Email | Group management | Directory Services and
click Add Server.
Take the following
action
• Accept and ignore the recipient — Accepts the email message and ignores it. The
appliance sends an acceptance code (SMTP 250 OK). We do not recommend
this option because it suggests to the sender that the message was received as
intended.
• Reject — Sends a rejection code (SMTP 550 Fail). We recommend this option
because the sender is normally informed that the message was not accepted.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
111
4
Overview of Email menu
Email Configuration overview
Option definitions — Directory harvest prevention
Use this information to learn about the options available within the user interface for configuring
directory harvest prevention.
Use this section to prevent directory harvest attacks. The appliance examines the number of known
and unknown email addresses to determine whether an attack is taking place.
When used with some email servers, Directory Harvest Prevention might not function as expected.
Table 4-19 Option definitions
Option
Definition
Protocol preset
Specifies the policy (and network group) to which these settings apply.
When the appliance is in
transparent mode
• None — Takes no action.
• Tarpit — Delays a response to email that has several recipient addresses.
• Tarpit then deny connection — Delays a response to the email, then adds the
sender to the Denied Connections list.
• Deny connection — Adds the sender to the Denied Connections list.
Default value is Deny connection.
When the appliance is in
proxy mode
• None — takes no action.
• Deny connection — adds the sender to the Denied Connections list.
Default value is Deny connection.
When an email has been
deferred and is being
retried
• None — Takes no action.
• Deny connection — Adds the sender to the Denied Connections list.
• Deny connection and quarantine email — Adds the sender to the Denied Connections
list, then forwards the email to a quarantine area.
Default value is Deny connection and quarantine email.
Response delay
When a tarpit action was selected, specifies the delay in responding to this
email.
Default value is 5 seconds. This is often enough to deter an attack.
Maximum number of
recipients
When a tarpit action was selected, specifies how many recipient addresses
each email may have. Default value is 10.
Applies a delay if there are too many recipient addresses in the email message.
A directory harvesting
attack ...
Defines this type of attack. Default values are 5 failed recipients and 10%
accepted recipients.
Email that falls outside this specification is not considered to be an attack, so
no action is taken.
Task — Block all incoming email where the user does not exist in LDAP
Use this task to block all incoming email messages where the user does not exist in LDAP.
Task
112
1
Go to Email | Email Configuration | Receiving Email | Recipient Authentication | Recipient checks.
2
Select Or if the recipient does not satisfy the query and select the desired Valid recipient query for the LDAP
server.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Configuration overview
3
Select the action that you want to take.
4
Apply the configuration changes to the appliance.
Bounce Address Tag Validation
Use this page to combat backscatter — bounced email that was not originally sent from your
organization.
Email | Email Configuration | Receiving Email | Bounce Address Tag Validation
If an Mail Transfer Agent (MTA) cannot deliver an email message, the MTA returns (or 'bounces') the
message to the sender using a return address in the message. Unfortunately, spam email messages
often have a forged (or spoofed) return address. The bounced email often goes to an innocent
organization. This type of email is known as backscatter. During a spam attack, your organization
might receive many such messages.
Benefits of using Bounce Address Tag Validation
This topic discusses the benefits of using Bounce Address Tag Validation.
Bounce Address Tag Validation (BATV) enables your organization to ignore any backscatter email
message by checking whether your organization was its original sender. The appliance can attach a
encrypted digital signature (or tag) to the SMTP MailFrom address on every outgoing email message.
When a bounced email arrives, the appliance searches for the digital signature, and rejects any
message that has no digital signature or has an invalid digital signature. Such a message cannot be a
genuine, bounced email message.
BATV can be implemented on a per-policy basis, using suitably configured Protocol presets.
For more information about BATV, visit http://mipassoc.org/batv/draft-levine-batv-03.txt.
If email is handled by several appliances — for example, one appliance handles outgoing email, while
another appliance handles incoming email — all the appliances need information about the signature
seeds and signature lifetime. To distribute the information between your appliances, use the import
and export features in the interface.
Option definitions — Bounce Address Tag Validation
Use this information to learn about the controls available within the user interface for configuring
Bounce Address Tag Validation.
Option
Definition
Enable bounce
Select to configure BATV on your appliance.
address tag validation
Signature lifetime
Specifies how long the signature seed will be used to sign outgoing email. Mail
servers typically try to deliver mail for up to four days. McAfee recommend a value
of 4–7 days.
Signature seed
Specifies a seed for signing the sender's address.
Use only letters, numbers and space characters. The acceptable key length is 4–
64 characters. Type a seed that is not easy to guess.
Generate
When clicked, generates a signature seed that has 20 random letters and
numbers. You can use this method instead of typing your own signature seed.
Import settings
When clicked, opens a file browser to import a text file that contains BATV settings
from another appliance.
Export settings
When clicked, opens a file browser to create a text file that contains BATV settings
for use by another appliance.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
113
4
Overview of Email menu
Email Configuration overview
Table 4-20 Option definitions — Bounce Address Tag Validation Actions
Option
Definition
Protocol preset:
Select a Protocol preset to allow you to configure per-policy actions for BATV on
your appliance.
Select Create a new preset if you need to define a new preset.
Click to open a dialog box enabling you to re-order your existing protocol presets.
When validation fails Specifies how the appliance must handle each invalid bounced message. The
available options are:
• Allow through
• Reject
You can assign different actions for each preset.
When you enable BATV tagging, the maximum length of local part of the MAIL FROM address used by
the appliance increases by 16 characters. Adjust your configuration setting to allow up to 80
characters to allow BATV tagged email addresses. To do this, navigate to Email | Email Configuration | Protocol
Configuration | Protocol Settings (SMTP) | Address Parsing Options and change the maximum length.
Sending Email
Use this page to specify how the appliance delivers email messages.
Email | Email Configuration | Sending Email
The page has these sections:
Benefits of using the Sending Email features
This information explains some of the benefits of using the Sending Email features found within
McAfee Email Gateway.
The features and options found within the Sending Emails tab enable you to configure the methods used
by the appliance to send email messages on. These options enable you to select the best options to
suit your existing network and email configuration.
Option definitions — Delivering email
Use this information to understand how the appliance tries to deliver email, based on the domain part
of the recipient's address. In a To field, the domain part of an address such as aaa@example.com is
example.com.
Using the recipient's domain, the appliance uses the following logic to decide how it will deliver
messages:
114
•
If the recipient's domain matches those listed in Domain Routing, it uses those relays to deliver the
message.
•
If the recipient's domain does not match those listed in Domain Routing, it can be configured to use an
MX record lookup to deliver using DNS. If no MX records are available, it attempts to make the
delivery using an A record lookup. MX delivery is attempted to hosts in the order of priority that is
returned by the DNS server.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Configuration overview
4
•
If it cannot deliver using one of the previous methods, it uses fallback relays to make the delivery
(providing the recipient's domain matches those listed in the Fallback relays field).
•
If the domain does not exist, the appliance generates a non-delivery report and sends it to the
originator.
•
If the receiving server cannot accept delivery, or there are no IP addresses to complete the
delivery, the message is queued.
Option
Definition
Import Lists
Click the link to open the Import Lists dialog box.
Export Lists
Click the link to open the Export Lists dialog box.
Domain Routing
Displays a list of domains.
This list allows you to specify specific relays/sets of relays to be used to deliver
messages destined for specific domains. Domains can be identified using exact
matches, or using pattern matches such as *.example.com.
Click Add Relay List to populate the Domain Routing table with a list of host names, or IP
addresses for delivery. Delivery will be attempted in the order specified unless you
select the Round-robin the above hosts option which will distribute the load between the
specified hosts.
Host names/IP addresses may include a port number.
Click Add MX Lookup to populate the Domain Routing table with an MX record lookup to
determine the IP addresses for delivery.
Delivery will be attempted to host names returned by the MX lookup in the order of
priority given by the DNS server.
Click Add LDAP Lookup to populate the Domain routing table with an LDAP lookup to
determine the Home Mail Transfer Agent (MTA) to be used for emails to the specified
domain.
Only LDAP servers that have already been set up in Email | Group Management | Directory
Services | Add Server appear on this list.
Use an IPv4 or IPv6 address with optional port number or a fully qualified domain
name. For example, 10.6.1.6, 10.6.1.5:25,
2001:db8:ac10:fe01:205:2cff:fe03:2a45 or mailrelay.mydomain1.dom. If you
specify a fully qualified domain name, the appliance does an A-record lookup to
determine the IP address.
To specify multiple relays for a single domain, separate each with a space.
If the first mail relay is accepting email, all email is delivered to the first relay. If that
relay stops accepting email, subsequent email is delivered to the next relay in the
list.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
115
4
Overview of Email menu
Email Configuration overview
Option
Definition
Enable DNS
lookup for
domains not
listed above
If selected, the appliance uses DNS to route email for other, unspecified domains.
DNS delivery attempts an MX-record lookup. If there are no MX records, it does an
A-record lookup.
If you deselect this checkbox, the appliance delivers email only to the domains that
are specified under Domain Routing.
Fallback relays for Specifies the fallback relays. If delivery is unsuccessful by any other method, and the
unreachable
domain matches an entry in this list, the appliance uses the information in this list to
domains
determine a host to be used for delivery.
Click Add Relay List to populate the Domain Routing table with a list of host names, or IP
addresses for delivery. Delivery will be attempted using the hosts in the order
specified unless you select the Round-robin the above hosts option which will distribute the
load between the specified hosts.
Host names/IP addresses may include a port number.
Click Add MX Lookup to populate the Domain Routing table with an MX record lookup to
determine the IP addresses for delivery.
Delivery will be attempted to host names returned by the MX lookup in the order of
priority given by the DNS server.
Click Add LDAP Lookup to populate the Domain Routing table with an LDAP lookup to
determine the Home Mail Transfer Agent (MTA) to be used for emails to the specified
domain.
Only LDAP servers that have already been set up in Email | Group Management | Directory
Services | Add Server appear on this list.
Option definitions — Postmaster address
Use this information to understand the importance of assigning a postmaster address, and how to do
this.
McAfee recommends that you assign a postmaster, so that queries from your users are handled
promptly. The postmaster must be someone who reads email regularly. You can use the name of a
single user or a distribution list.
Option
Definition
Postmaster
address
Specifies an email address that the appliance uses to deliver email that has a
recipient of postmaster.
We recommend that you specify an email address here, so that any delivery
problems are handled promptly. You can specify a distribution list or a single user
who reads email regularly.
Option definitions — Enable digests
Use this information to understand the options available to allow you to configure quarantine digest
messages.
Option
Definition
Enable digest messages Specifies whether to enable digest messages for the selected protocol preset.
and message
Protocol preset
116
Reminds you that digest messages are enabled for this protocol preset.
Allows you to make settings for any exception to the default setting. For
example, you can specify that some parts of the network do not use digest
messages.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Configuration overview
Option definitions — DKIM signing
Use this information to understand DKIM signing, and to view the available options for configuring
DKIM signing.
The Domain Keys Identified Mail (DKIM) technique uses RSA private and public keys and DNS TXT
records to enable the recipient to verify the identity of an email sender.
The sender signs the email message with a private key, by adding an extra header - the
DKIM-Signature header. The header provides the email message with a cryptographic signature. The
signature is typically derived from the message body and email headers such as From and Subject,
then encrypted by the sender's private key.
Recipients can verify that the message is genuine by making a query on the signer's domain to
retrieve the signer's public key from a DNS TXT record. The recipient then verifies that the email and
its signature match. The recipient can therefore be confident that the email was sent from the stated
sender and was not altered during transit.
The appliance can verify signatures from incoming mail and attach signatures to outgoing mail.
For information about Domain Keys Identified Mail (DKIM), visit the Internet Engineering Task Force
website, http://www.ietf.org and http://www.dkim.org.
Use this section to create a Domain Keys Identified Mail (DKIM) key.
Option
Definition
Enable DKIM
signing
When selected, adds a DKIM header (like a digital signature) to each email message as
it is sent.
You must add a key before you can enable DKIM signing.
Domain name
and Selector
During verification, the recipient extracts your Domain Name and Selector from the
signature to retrieve the public key associated with the appliance’s private signing key.
For example, if your Selector is mail and your Domain Name is example.com, the
recipient must issue a DNS query for the TXT record of mail._domainkey.example.com.
Signing key
Select the key to be used to sign the messages.
DKIM signing
keys
Allows you to create signing keys from numerous parameters.
Export
When clicked, allows you to save the private key to a file, in case the original private
key is lost or erased.
View Public Key Place the public key on your DNS server or give it to your Internet Service Provider, so
that recipients can verify email from your organization.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
117
4
Overview of Email menu
Email Configuration overview
Option
Definition
Import Key
Select this to import an existing DKIM key onto your system.
Advanced
options
This section enables you to select specific advanced options that relate to the way your
appliance carries out DKIM checks.
From this area, you can choose:
• What to sign — either signing All headers or Selected headers. Click the linked text to select
the individual headers to sign.
• Header canonicalization — you can choose either Simple or Relaxed canonicalization for the
headers.
• Body canonicalization — you can choose either Simple or Relaxed canonicalization for the
body text.
• Key expiry — choose to either have a key that does not expire, or to set an expiry date
for the key.
• Signing identity — add an optional signing identity to your DKIM keys.
Option definitions — Queued email delivery
Use this information to understand how to specify the handling of email delivery if the first attempt to
send is not successful. You do not normally need to change these settings.
Use the Per-domain settings section to specify how the appliance delivers email intended for known
domains. The options outside this section apply to email for all other destinations.
Table 4-21 Option definitions
Option
Definition
Maximum number of connections
open at any one time
Default value is 500.
Time before an NDR is issued
Specifies how long the appliance tries to deliver an email message
before sending a non-delivery report (NDR) to its sender. Default value
is 108 hours (4.5 days).
Domain
Specifies a domain to which the appliance delivers many email
messages during a single connection. To organize priority for delivery,
click the icons in the Move column.
An asterisk (*) indicates all domains.
Retry Interval (success) and Retry
Interval (failure)
Specifies how often to retry delivery to the specified domain.
Maximum open connections and
Emails per connection
Specifies other options that control the rate for delivering email to this
domain.
By default, further email is sent every 1 minute if previous email was
sent successfully. If a previous attempt failed, the appliance waits 10
minutes before trying again.
Task — Deliver all email using MX record delivery
Use this task to deliver all email using MX record delivery.
By default, your Email Gateway uses MX records to deliver all email.
Task
•
Use the default settings.
Your Email Gateway uses MX records to deliver all email by default.
118
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Configuration overview
4
Task — Deliver all email to a specific domain using round robin delivery
Use this task to deliver all email to a specific domain using round robin delivery.
Task
1
Go to Email | Email Configuration | Sending Email.
2
In Delivering email, click Add Relay List.
3
In Domain name, type example.com.
4
Click Add Host and type internal1.mailserver.com and internal2.mailserver.com.
5
Click Round-robin the above hosts.
Your Email gateway is configured to deliver all email to the specified domain using round robin
delivery.
Task — Use MX to manage your delivery to a specific domain
Use this task to use your own MX environment to deliver email messages to a specific domain.
You can use your own MX environment to manage your infrastructure externally. For example,
mx.mailserver.com could be set up to either have priority or round-robin delivery.
Task
1
Go to Email | Email Configuration | Sending Email.
2
In Delivering email, click Add MX Lookup.
3
In Domain name, type example.com.
4
In MX record, type mx.mailserver.com.
Your email messages sent to the specified domain are delivered using MX lookup.
Task — Use a specified LDAP server to deliver email from a specific domain
Use this task to specify that email messages from a particular domain are handed by a specified LDAP
server.
Before you begin
You must configure your appliance to use the required LDAP server using Email | Group
Management | Directory Services | Add Server before using this feature. You also need ensure that
the Home MTA queries in the Add Server wizard match the configuration for your LDAP directory
services.
Task
1
Go to Email | Email Configuration | Sending Email.
2
In Delivering email, click Add LDAP Lookup.
3
In Domain name, type example.com.
4
In Directory servers, select the LDAP directory server to be used to deliver email messages to the
domain specified in Domain name.
The specified LDAP server is used to handle email messages from the selected domain.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
119
4
Overview of Email menu
Email Configuration overview
Task — Deliver all failed deliveries to a specific server
Use this task to ensure that all failed email message deliveries are sent to a specific server.
Task
1
Go to Email | Email Configuration | Sending Email.
2
In Fallback relays for unreachable domains, click Add Relay List.
3
In Domain name, type *.
4
Click Add Host, and type internal3.mailserver.com.
All failed email message deliveries are now sent to the specified server.
Task - Deliver the email for a user to the Home MTA attribute defined in
LDAP
Use this task to deliver a message for a user to the Home Message Transfer Agent attribute defined in
LDAP.
Task
1
Go to Email | Email Configuration | Sending Email .
2
In the Domain Routing area under Delivering email, select Add LDAP Lookup.
3
In the Domain name field, add the domain name of the email recipients on which you want to perform
the LDAP lookups.
4
Select the server from the list of directory servers, and click OK.
Sending Email — Add Relay List dialog box and Add MX Lookup
dialog box
Add a relay to the lists for sending email, or use MX lookups.
Table 4-22 Add Relay List dialog box
Option
Definition
Domain name
Enter the domain name to which the new relay applies.
Relay host
Shows the relay hosts that are already configured.
Add Host
Click to add a new host to the relay Hosts list.
Delete Selected Hosts
To delete relays listed in the lists, select the relevant relays, and click Delete
Selected Hosts.
Round-robin the above hosts Select this to enable the hosts to be used in a round-robin when sending
email.
Table 4-23 Add MX Lookup dialog box
120
Option
Definition
Domain name
Enter the domain name to which the lookup applies
MX record
Enter the MX lookup information that determines the IP addresses for delivery.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Policies
4
Anti-Relay Settings — Add Relay Domain dialog box and Add MX
Lookup dialog box
Add a relay to the lists for receiving email, or use MX lookups.
Table 4-24 Option definitions — Add Domain dialog box
Option
Definition
Domain name
Define the type of domain, either:
Category
• Local domain
• Permitted domain
• Denied domain
Table 4-25 Option definitions — Add MX Lookup dialog box
Option Definition
MX record To have McAfee Email Gateway do a mail exchange record lookup for domain example.dom,
type server1.exmaple.dom where domain name is example.dom, and the MX record is
server1.example.dom.
Define the type of domain, either:
Category
• Local domain
• Permitted domain
• Denied domain
You can only enter one MX record per domain name.
Email Policies
Use this page to view and configure policies relating to your email traffic.
Introduction to policies
The appliance uses policies which describe the actions that the appliance must take against threats
such as viruses, spam, unwanted files, and the loss of confidential information.
Email | Email Policies
Policies are collections of rules or settings that can be applied to specific types of traffic or to groups of
users.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
121
4
Overview of Email menu
Email Policies
SMTP policies
Email Gateway provides the following features when scanning the SMTP protocol:
Email | Email Policies
•
•
•
•
SMTP
Anti-Virus, including:
•
Anti-virus
•
McAfee GTI file reputation
•
McAfee Anti-Spyware
•
Packer detection
Spam, including:
•
Spam
•
Phish
•
Sender Authentication
•
McAfee GTI message reputation
Compliance, including:
•
File filtering
•
Image filtering
•
Data Loss Prevention
•
Signed or encrypted content
•
Mail size filtering
•
McAfee GTI URL reputation
•
Compliance
Policy Options, including:
•
Scanning limits
•
Notification and routing
•
Content handling
•
McAfee GTI feedback
•
Alert settings
•
Encryption
POP3 policies
Email Gateway provides the following features when scanning the POP3 protocol:
Email | Email Policies
•
122
POP3
Anti-Virus, including:
•
Anti-virus
•
McAfee GTI file reputation
•
McAfee Anti-Spyware
•
Packer detection
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
•
•
•
Spam, including:
•
Spam
•
Phish
Compliance, including:
•
Mail size filtering
•
Image filtering
•
Signed or encrypted content
Scanner Options, including:
•
Scanning limits
•
Content handling
•
Alert settings
Secure Web Mail policies
McAfee Email Gateway provides the following policies when using the Secure Web Mail client to send
email messages.
Email | Email Policies (McAfee Secure Web Mail
•
•
•
•
Anti-Virus, including:
•
Anti-virus
•
McAfee GTI file reputation
•
McAfee Anti-Spyware
•
Packer detection
Spam, including:
•
Spam
•
Phish
Compliance, including:
•
File filtering
•
Compliance
•
Data Loss Prevention
•
Image filtering
•
Mail size filtering
•
Signed or encrypted content
Scanner Options, including:
•
Scanning limits
•
Notification and routing
•
Content handling
•
McAfee GTI feedback
•
Alert settings
•
Encryption
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
123
4
Overview of Email menu
Email Policies
About Protocol Presets
Protocol presets enable you to configure your appliance to cater for differences in parts of your
network, or for specific devices on your network.
Normally you design your connection settings to apply to all devices. However some parts of your
network might need some differences because some devices operate differently.
For example:
•
Part of the network can handle larger or smaller files than normal.
•
A slow connection requires a different time-out value.
•
Part of the network must use an alternative authentication service.
By creating a protocol preset, you can cater for this exception to the connection settings.
Where this feature is available, you can click this icon:
.
Primary and secondary actions
McAfee Email Gateway can be configured to apply two levels of actions when a detection is made.
In general, a client MTA sends an email to McAfee Email Gateway. The email message is then scanned.
If no detections are found, the message is delivered to its intended recipients on the server MTAs.
However, if a scanner triggers a detection, McAfee Email Gateway applies the selected primary action
and a number of secondary actions to the message that contains the detection.
When McAfee Email Gateway is configured in hybrid mode, email messages from the inbound client
MTA are scanned by the cloud-based McAfee Email Protection (Hybrid). If no detections are found, the
message is delivered to the McAfee Email Gateway for onward delivery to its intended recipients.
However, the process taken when a scanner triggers a detection varies depending on the scanner.
Primary Action
The primary action is defined as “What happens to the message coming from the client MTA to the
server MTA?":
•
Was it blocked?
•
Was it modified and then delivered?
•
Was it delivered to the recipient without modification?
The message is scanned by all scanners. If multiple scanners trigger, the primary action that has the
highest priority is applied. For example, if the file filtering policy is set to Allow Through (Monitor), and the
anti-spam policy was set to Accept and Drop the data (Block), then the Accept and Drop the data (Block) action
applies.
Table 4-26 Primary actions behavior in top-down priority order
124
Type
Action
Sender perspective
Blocking
Deny Connection
550 — Message Rejected. Might No message is
receive notification that the
received.
message was delivered.
Yes
Blocking
Refuse the data
and return an
error code
550 — Message Rejected. Might No message is
receive notification that the
received.
message was delivered.
No
McAfee® Email Gateway 7.6.0 Appliances
Recipient
perspective
Kernel
mode
blocking
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-26 Primary actions behavior in top-down priority order (continued)
Type
Action
Sender perspective
Recipient
perspective
Kernel
mode
blocking
Blocking
Accept and drop
the data
250 — Message Rejected. Might No message is
receive notification that the
received.
message was delivered.
No
Modify
Replace the
content with an
alert
250 — Message Accepted. It
appears to the sender that the
message is delivered.
Replacement
message (alert
received)
No
Reroute
Reroute
250 - Message Accepted.
Dependent on
action taken by
onward server
No
Monitor
Allow Through
250 — Message Accepted.
Message received
No
Skip
scanning
Allow through,
without scanning
250 — Message Accepted.
Message received
No
This option might allow
viruses and other
unwanted content to pass
through without
detection.
Only one primary action is taken per detection.
Available primary actions
If a scanner triggers a detection, these primary actions are available:
•
Deny Connection (Block) — Blocks the message from being delivered, returns a 550 SMTP code to the
sending MTA, places the connecting IP address in the Kernel Mode Block list.
•
Refuse the data and return an error code (Block) — Blocks the message from being delivered, returns a 550
SMTP code to the sending MTA.
•
Accept and Drop the data (Block) — Accepts the connection, but blocks the message from being delivered,
returning a 250 SMTP code to the sending MTA.
•
Replace the content with an alert (Modify) — Replaces any detected content with a configurable alert and
delivers the modified Email to its intended recipients.
•
Allow Through (Monitor) — Lets the message pass to its intended recipients, but information is retained
within the logs and reports.
•
Skip scanning — No scanning is performed on this action.
This option might allow viruses and other unwanted content to pass through without detection.
•
Tarpit - Delays the response to the email message. By default, the delay is 5 seconds, and is
configurable from the Default Sender Authentication Settings | Cumulative score and other options tab.
•
Add to score — Combines the results of several methods of sender authentication.
•
•
Select the score to be added.
Reject (Block) — Blocks the message from being delivered, and returns the appropriate code to the
sending MTA.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
125
4
Overview of Email menu
Email Policies
•
Reject and close (Block) — Blocks the message from being delivered, returns appropriate code to the
sending MTA and the closes the connection.
•
Reject, close and deny (Block) - Kernel Mode Blocking. This is an effective method of combating spam, as
it deals with the message itself (reject), the connection (close) and adds the sending server to the
deny list.
Not all primary actions are available to all policy areas.
Secondary Action
A secondary action is defined as “What additional actions will happen due to the scanner triggering a
detection?”:
The message is scanned by all scanners. If multiple scanners trigger, the secondary actions are
aggregated together. For example, if the file filtering policy is set to Annotate and deliver original to a list, and
the anti-spam policy is set to Annotate and deliver original to a list, then only one notification is sent.
You can also configure any or all of the following secondary actions:
Quarantine options
•
Quarantine original — Select to have the original message added to the Quarantine database.
•
Quarantine modified — Select to have the modified message added to the Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into which the email
message is placed. This selection can include custom quarantine queues that you have created.
Notification email options
•
Send one or more notification emails — Use notification templates to customize the notifications send. Click
Manage templates to make changes to the notification options.
•
Annotate and deliver original to sender — Deliver the original email message to the sender, with
annotations added.
•
Deliver a notification email to 'Notification Email List' — Deliver a notification email to all addresses defined
within the notification email list.
•
Deliver a notification email to the original recipient(s) — Deliver a notification email to all the recipients on
the original email message.
•
Deliver a notification email to the sender — Deliver a notification email to the sender of the email
message.
•
Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email message for auditing
purposes to all addresses defined within the auditing email list.
•
Deliver the modified email to the sender — Deliver the email message to the sender, with modifications
made by McAfee Email Gateway included.
•
Show selected/Show all — To help manage the options shown, you can hide unselected notification
templates.
In addition to the pre-defined templates shown above, this list will also include any custom
notification templates that you create.
126
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Other actions
•
Modify subject — McAfee Email Gateway rewrites the subject of the email message using
user-definable templates, and then delivers the message to the intended recipients. Click Manage
templates to change the way the subject is re-written.
•
Modify headers — McAfee Email Gateway modifies the email message headers using user-definable
templates, and then delivers the message to the intended recipients. You can select multiple
header modification templates. Click Manage templates to change the way the headers are re-written.
•
Deliver message using encryption — Attempt delivery of the message using your configured encryption
settings.
Policy exceptions
Use policy exceptions to minimize the number of policies that you need to create and maintain.
By applying exceptions for specific circumstances to standard policies, you avoid the time-consuming
task of changing all of your policies.
Contents
What are policy exceptions?
Benefits of using policy exceptions
Task - Configure a policy exception to allow email messages containing blacklisted URLs to be
received by members of Human Resources
What are policy exceptions?
Policy exceptions are rules that change the behavior of a policy only in certain circumstances.
To simplify the process of creating and maintaining the policies that define the scanning behavior for
McAfee Email Gateway, you can configure policy exceptions. Policy exceptions allow you to create
policies that can be applied to a wide user base, and to then create exceptions to these policies for
specific users or groups of users that might need different scanning criteria.
For example, you might configure a policy that includes mail size filtering, with a corporate-wide size
limit of 100,000 KB. You can now configure a policy exception to this policy that states that members
of your creative services team have a higher email size limit, as they often have a legitimate
requirement to send very large files via email.
Benefits of using policy exceptions
By configuring policy exceptions within McAfee Email Gateway, you can use a small number of
standardized policies, and create exceptions that enable the policies to behave slightly differently in
specific circumstances.
If you do not use policy exceptions, you must create new policies for each different behavior, creating
a complex set of policies that becomes difficult to maintain. By using policy exceptions, you need to
maintain fewer policies, as you can handle different requirements using the policy exceptions. These
exceptions make it much easier if you need to update your global policies, as you will need to make
changes to only a small number of policies.
Policy exceptions can be used for most email scanning policies used within McAfee Email Gateway.
When you configure a policy exception, you cannot configure any inheritance of settings from the
original policy. In order to configure different settings for a policy exception to those in the underlying
policy, inheritance is automatically broken for the policy exception.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
127
4
Overview of Email menu
Email Policies
Task - Configure a policy exception to allow email messages containing
blacklisted URLs to be received by members of Human Resources
You can create exceptions for almost any setting within a policy. This discussion uses URL Reputation
Settings as an example.
You might have added the URLs to your competitors' job vacancy web sites into the URL Reputation
Blacklists in your general policy, so that your workforce cannot receive these links in email messages.
However, you might want to allow your Human Resources team to receive email messages containing
links to these web sites so that they can keep abreast of the current positions and salaries within your
industry. This goal is achieved by creating a policy exception for all members of the Human Resources
team. A policy exception for all members of the Human Resources team has the blacklisted URLs
removed.
Task — Add a policy exception
Create policy exceptions to modify the way specific policies apply. This example shows how to add an
exception to URL reputation scanning for Human Resources.
Task
1
Select Email | Email Policies | Compliance.
2
Click the URL reputation link.
3
In the exceptions box, click Add Exception.
4
Type the initial information about the exception:
a
Type a name for this policy exception.
Example: Type HR Exception1
b
[Optional] Type a description for the exception.
Example: Exception to allow HR to view competitors job/vacancy sites
c
Select the required option to configure the match logic.
Example: Select Match one or more of the following rules.
5
Add at least one rule to the exception.
a
Click Add Rule in the Scanning Policies — New Policy Exception window.
b
In the Rule type list, select the proper entity.
Example: Select Recipient email address.
c
In the Match list, select the proper logic.
Example: Select is like.
d
In the Value field, type the information that identifies the selected entity.
Example: *@hr.example.com.
e
6
Click OK.
Click OK.
The Scanning Policies — New Policy Exception window closes, and the new exception appears in the
exceptions box. An exceptions icon is displayed to the left of the policy area to which it applies.
128
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Policies
4
Task - Add a rule to a policy exception
You must add at least one rule to a policy exception to complete it. You can also add rules to existing
exceptions.
Before you begin
You must create an exception before adding rules.
This example shows how to add a rule to an exception to URL reputation settings.
Task
1
Select Email | Email Policies | Compliance | URL Reputation.
2
Click the URL reputation link.
3
In the exceptions box, click the button for the exception to which you want to add a rule.
4
Click Add Rule.
5
In the Match list, select the required matching logic.
6
In the Value field, type the information that identifies the selected entity.
7
Click OK.
8
Click OK.
Task — Change the policy settings only within the exception
So that these changes only apply to a specific scenario, make changes to the policy settings only
within the exception you have created.
Task
1
Navigate to the portion of the policy you want to change.
Example: Select Email | Email Policies | Compliance | URL Reputation.
2
Click the URL reputation link.
3
In the exceptions box, click the button for the exception you want to change.
The configuration page for the policy shows the settings that apply to the exception.
4
Make the required change to the policy settings.
Be sure to highlight the exception, not the original policy.
Example: From the URL Reputation Settings page, select Blacklists and Whitelists. Remove the URLs you
want excluded from the blacklist.
5
Click OK.
Human Resources are allowed to see links to competitor's employment opportunities without other
departments receiving this information within their email messages.
Task — Edit an existing policy exception
You can change the exception logic, and add, change, or delete rules as needed.
Task
1
Select Email | Email Policies | Compliance | URL Reputation.
2
Click the URL reputation link.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
129
4
Overview of Email menu
Email Policies
3
In the exceptions box, click the button for the exception you want to edit.
The Scanning Policies — Edit Policy Exception Details window opens.
4
Make the changes you want.
•
Change the exception name or the optional description.
•
Change the match logic.
•
Add, edit, or delete rules.
•
Change the order of rules.
5
Click OK.
6
[Optional] To delete an exception:
a
Select the exception in the exceptions box.
An X appears beside the exception name.
b
Click the X. Click OK to delete the exception.
Custom Notifications
McAfee Email Gateway allows you to create your own custom notification email messages for any rule
that allows secondary actions.
Custom notifications allow you to send different messages to specific individuals or groups when an
email message triggers the associated rule. You can use custom notification templates along with the
pre-configured templates. You can also have more than one custom notification template for each rule,
and use any of the available templates in combination.
Benefits of using custom notifications
Custom notifications permit administrators to set up specialized email messages to be sent to select
individuals and groups when a message triggers a particular rule.
Email notifications generated by McAfee Email Gateway are based on templates. The system already
includes basic, pre-configured templates. Any custom templates you create become available on the
template list.
Custom email notifications allow you to:
•
Specify the content and other attributes of your notifications.
•
Provide the most relevant information to different individuals about messages that trigger action.
•
Send multiple email notifications for one rule.
Examples — Using custom notifications
Custom notifications are useful in a variety of circumstances. The following scenarios illustrate ways
you might apply them.
130
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
•
Issue: In the Default policy, you have enabled Compliance, and you created five compliance rules.
By default, all five rules use the default compliance notification. You want to send more detailed
notifications to two distinct groups when a message triggers specific rules: the Legal Department,
and a list of other individuals.
Resolution: You create two custom notification templates, one for each of these groups. Then you
can add the notifications to the actions for each rule you want, without affecting the actions for
other rules.
•
Issue: You have created a policy that applies to inbound mail, and you have enabled Image
Filtering. You have created a rule that scans messages for objectionable images. You want to notify
the intended recipient about the message, and you want to inform Human Resources. The
notification to Human Resources contains unique content.
Resolution: You create a custom notification template for Human Resources, then apply it to the
rule. You also apply the pre-configured notification to the recipient.
Task — Create a custom notification
You might want to notify an administrator or group of people if McAfee Email Gateway detects a
specific event. In many policy options, you can now define your own notification message templates.
Before you begin
Notifications result from messages that trigger specific rules. You must have configured a
rule before you can generate notification email messages.
Use the wizard from the Manage Templates page to create a custom notification.
Task
1
Select Email | Email Policies. In the scanner column of your choice, select the link for a rule.
2
Select the option to enable the rule.
3
Set thresholds or other parameters for the rule if required.
4
Under Take the following action, select the main action for the rule.
5
Under And also, scroll to Notification email options and select the check box to Send one or more notification
emails.
6
Select the Manage templates link.
7
On the Notification Templates page, click Add.
8
Use the Add Notification Template wizard to create the custom notification template.
9
When you have completed the wizard, click Finish
10 On the Notification Templates page, click OK.
11 On the options page for the rule you chose, select the new custom notification template from the
list of available templates.
Messages that trigger the rule will generate the custom email notifications.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
131
4
Overview of Email menu
Email Policies
Email Policies
Use this page as a single point where you can access the pages and dialog boxes you need to set up
and configure your policies.
Email | Email Policies | Scanning Policies
Policy settings specify how the appliance handles threats to groups of users or devices. For example, a
policy can apply to all computers on the same subnet, or all users in a department.
Benefits of using the Scanning Policies page
Use this information to gain an understanding of the benefits of using Scanning Policies to configure
your Email Gateway.
The Scanning Policies page enables you to access all the forms you need to configure and manage your
policies for the SMTP and POP3 protocols and for McAfee Secure Web Mail policies.
The user interface provides an overview of your policy settings, giving you information about each
policy such as the action taken when a virus is detected. The page to configure these settings is
displayed when you click the relevant information.
Some of the options described on this help page do not apply to POP3 or McAfee Secure Web Mail
scanning policies. Where options only apply to one protocol, this is highlighted.
Option definitions — Email scanning policies
Learn about the options present within the user interface for configuring email scanning policies.
The following information and controls are available to configure this feature:
Table 4-27 Option definitions
Option
Definition
Select a
protocol:
Use the drop-down list to display, create, or edit your policies for:
• SMTP
• POP3
• McAfee Secure Web Mail
Order
Policies are used in a "top-down" order. When more than one policy has been created,
you can select the order in which they are applied.
Policy Name
Displays the name of each policy.
The appliance always has a default policy, which applies to everything in the network.
You can change the default policy, but you cannot delete it.
To see the users or devices that are affected by a policy, move the cursor over the
policy name and wait for a yellow box to appear.
To change any details of the policy, click the blue link to open another window.
•
•
132
Applies to inbound email traffic (SMTP protocol only)
Applies to outbound email traffic (SMTP protocol only)
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-27 Option definitions (continued)
Option
Anti-Virus
Definition
Displays brief details about the Anti-Virus options settings.
Click any link within the Anti-Virus area of the relevant policy to open the Anti-Virus Settings
page.
From the Anti-Virus Settings page you can access:
• Anti-Virus Settings — Basic Options
• Anti-Virus Settings — Packers
• McAfee GTI file reputation
• Anti-Virus Settings — Custom Malware Options
• Anti-Virus Settings — McAfee Anti-Spyware
Spam
Displays brief details about the Spam settings.
Each link within the Spam area of each policy opens a separate page containing the
features and options you need to configure your policy.
• Anti-Spam Settings including:
• Anti-Spam Settings — Basic Options
• Anti-Spam Settings — Advanced Options
• Anti-Spam Settings — Blacklists and Whitelists
• Anti-Spam Settings — Spam Rules
• Anti-Phish Settings
• Sender Authentication Settings (SMTP protocol only), including:
• Sender Authentication Settings -- Message Reputation
You can enable this option for a higher detection threshold, a lower detection
threshold, or both, based on GTI Message Reputation levels.
• Sender Authentication Settings -- RBL Configuration
• Sender Authentication Settings -- SPF Sender ID and DKIM
• Sender Authentication Settings -- Cumulative Score and Other Options
• McAfee GTI message reputation
Compliance
Displays brief details about the Compliance settings.
Each link within the Compliance area of each policy opens a separate page containing the
features and options you need to configure your policy. You can configure:
• File Filtering Settings (SMTP protocol only)
• Data Loss Prevention Settings (SMTP protocol only)
• Mail Size Filtering Settings, including information on:
• Mail Size Filtering Settings -- Message Size
• Mail Size Filtering Settings -- Attachment Size
• Mail Size Filtering Settings -- Attachment Count
• Compliance Settings
• Image filtering
• Signed or encrypted content
• URL reputation
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
133
4
Overview of Email menu
Email Policies
Table 4-27 Option definitions (continued)
Option
Definition
Policy Options Displays brief details about the Policy Options settings.
Each link within the Policy Options area of each policy opens a separate page containing
the features and options you need to configure your policy. You can configure:
• Scanning Limits, including information on maximum file size, maximum nesting depth
and maximum scan time.
• Alert Settings
• Content Handling Settings, including information on:
• Content Handling Settings — Email Options
• Basic Options
• Text and binary MIME types
• Advanced options
• Character sets
• Missing / Empty Headers
• Content Handling Settings — HTML Options
• Content Handling Settings — Corrupt or Unreadable Content
• Corrupt content
• Protected files
• Partial / external messages
• Unscannable Content
• Policy based action
• Notification and Routing (SMTP protocol only), including information on:
• Notification and Routing — Notification Emails
• Notification and Routing — SMTP Relays
• Notification and Routing — Audit Copies
• Notification and Routing — Email Recipients
• Notification and Routing — Routing
• McAfee GTI feedback
• Encryption Settings, including information on:
• When to Encrypt
• On-box Encryption Options
• On-box Decryption Options
Move
Use the arrow icons to move your policies higher or lower in priority order.
•
Move the policy up
•
Move the policy down
The default policy always appears at the bottom of the list of policies. You cannot change
its position.
134
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-27 Option definitions (continued)
Option
Definition
Delete
After creating policies, you can choose to delete any that you no longer require, by
clicking
.
You cannot delete the default policy.
When clicked, opens the Scanning Options — New Policy dialog box where you can create new
policies, user groups, and network groups.
Add Policy
Task — Delete a scanning policy
Use this task to understand how to delete a scanning policy that is no longer needed.
You cannot delete the default scanning policy.
To delete a previously created policy:
Task
1
Click Email | Email Policies | Scanning Policies.
2
Identify the policy to be deleted.
3
4
Click
.
Confirm that you intend to delete the policy.
The identified policy is deleted.
Task — View policies for SMTP, POP3 or McAfee Secure Web Mail
View the scanning policies that exist for SMTP, POP3 or McAfee Secure Web Mail.
You use this page to create, and manage your SMTP, POP3 or McAfee Secure Web Mail email scanning
policies.
The POP3 protocol limits some of the scanning actions that can be applied to email messages. Options
not available to scan POP3 email messages are hidden from the POP3 protocol view.
Task
1
Click Email | Email Policies | Scanning Policies.
2
Select either SMTP, POP3 or McAfee Secure Web Mail from the Select a protocol: drop-down list.
The Email | Email Policies | Scanning Policies page refreshes to show the policies that have been defined for
the selected protocol.
Task — Change the scanning order of my policies
Use this task to change the order in which your policies are used to scan email traffic.
The appliance uses the order of the policies to evaluate the email messages being scanned. A message
will first be evaluated against the rule with the Order value of 1, and if this does not trigger, it is then
evaluated against policy 2 and so on until it is evaluated by the default scanning policy.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
135
4
Overview of Email menu
Email Policies
If you have created more than two scanning policies, you can change the order that your appliance
uses the policies to evaluate email traffic. This is achieved by moving the relevant policies up or down
the policy list.
The default policy always appears at the bottom of the list of policies. You cannot change its position.
Task
1
Click Email | Email Policies | Scanning Policies.
2
Identify the policy to move in the evaluation order.
3
In the Move column, click
or
to move the policy one step.
If the identified policy is either at the top of the evaluation order, or is next to the default policy,
then one or other of the icons will not be available for selection.
Task — Turn on GTI message reputation for all users in the HR group
defined in LDAP
Use this task to enable GTI message reputation checks for all users in the Human Resources group
defined in LDAP.
Before you begin
Before completing this task, you must do the following:
•
Configure an LDAP server and at least one query (Email | Group Management | Directory Services
•
Define a user group for Human Resources (Email | Group Management | Network Groups
Task
1
Go to Email | Email Policies.
2
Within the desired protocol, click Add Policy.
The Scanning Policies - New Policy dialog box opens.
3
Type a name for the new policy, and add a description if desired.
4
Select the policy from which this policy will inherit settings.
5
Indicate the email direction for messages treated with this policy.
6
Select the match logic to use for this policy.
7
Select Add Rule.
The Add Rule dialog box opens.
8
In the Add Rule dialog box, select the LDAP Query rule type and click OK.
The Add Rule dialog box closes.
9
On the New Policies dialog box, click OK.
The new policy appears on the Policies list.
10 In the Spam section for the new policy (or for the Default policy if you selected that), click the link
for GTI message reputation.
The Sender Authentication Settings dialog box opens.
136
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
11 Enable message reputation, then click OK.
12 Select the green check mark icon in the upper portion of the window to save and apply your
configuration.
Task — Re-write the Subject of all messages matching a policy
Configure McAfee Email Gateway to re-write the Subject line of all email messages that match a
specific policy. To configure your policy to re-write the Subject line of email messages requires that
you follow each of the steps given within this task.
Tasks
•
Task — Create a compliance dictionary to match all subject lines on page 137
Create a compliance dictionary that matches all email messages with a valid subject line.
•
Task — Create a compliance dictionary to match subject lines that have already been
modified on page 138
To prevent the subject line of a message being re-written each time any other process
modifies the subject, create a new compliance dictionary.
•
Task — Configure a policy to use the new compliance dictionaries on page 139
Link the new compliance dictionaries to a policy, so that your McAfee Email Gateway can
re-write the subject of email messages matching the compliance dictionary, unless the
subject line has already been modified.
Task — Create a compliance dictionary to match all subject lines
Create a compliance dictionary that matches all email messages with a valid subject line.
Before you can configure a policy to match all email messages with a valid subject line, create a
compliance dictionary.
Task
1
Browse to Email | DLP and Dictionaries | Compliance Dictionaries.
2
Under Dictionary List, click Add Dictionary.
3
Type a name for the new category. For example, type All Subjects in the Name field.
4
Type a description for the new dictionary.
5
Select Regular expressions from Match type.
6
Click OK.
Under Dictionary details for 'All Subjects', a New term is added.
7
Click the Everything link from within Dictionary details for 'All Subjects'.
8
Unselect Everything.
The File categories and Subcategories areas are enabled.
9
Select E-Mail Messages from within File categories.
10 Select Subject line from within Subcategories
11 Click OK.
The new dictionary, All Subjects, now is applied only to email messages with a valid Subject line.
12
From the New term row of the Dictionary details for 'All Subjects' table, click the edit
McAfee® Email Gateway 7.6.0 Appliances
icon.
Administrators Guide
137
4
Overview of Email menu
Email Policies
13 In the Term field, type .*.
14 Click OK.
15 Apply the new configuration.
The new compliance dictionary is created, and is configured to match any email message with a valid
subject line.
Task — Create a compliance dictionary to match subject lines that have
already been modified
To prevent the subject line of a message being re-written each time any other process modifies the
subject, create a new compliance dictionary.
Before you begin
Ensure that you have already created the compliance dictionary for the initial subject
re-write, and have configured your policies to successfully re-write subject lines for emails
that match the policies.
Task
1
Browse to Email | DLP and Dictionaries | Compliance Dictionaries.
2
Under Dictionary List, click Add Dictionary.
3
Type a name for the new category. For example, type Previously Modified Subjects in the Name
field.
4
Type a description for the new dictionary.
5
Select Regular expressions from Match type.
6
Click OK.
Under Dictionary details for 'Previously Modified Subjects', a New term is added.
7
Click the Everything link form within Dictionary details for 'Previously Modified Subjects'.
8
Unselect Everything.
The File categories and Subcategories areas are enabled.
9
Select E-Mail Messages from within File categories.
10 Select Subject line from within Subcategories
11 Click OK.
The new dictionary, Previously Modified Subjects, now is applied only to email messages with a valid
Subject line.
12
From the New term row of the Dictionary details for 'Previously Modified Subjects' table, click the edit
13 In the Term field, type ^((re|fw):\s*)*policy match:.
Repeat this step for any other modification patterns that you do not want to be re-applied.
14 Click OK.
15 Apply the new configuration.
138
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
icon.
4
Overview of Email menu
Email Policies
The new compliance dictionary is created, and is configured to match any email message with a
subject line that includes re: or fw:
This rule is not case sensitive, so it will match re: Re: RE: fw: Fw: or FW:
Task — Configure a policy to use the new compliance dictionaries
Link the new compliance dictionaries to a policy, so that your McAfee Email Gateway can re-write the
subject of email messages matching the compliance dictionary, unless the subject line has already
been modified.
Before you begin
Ensure that you have created the new compliance dictionaries before following this task.
You can edit an existing policy to use the new compliance dictionaries, or you can create a new policy.
Task
1
Create a new policy, or select the policy to be edited.
2
Click the Compliance link within the Compliance column.
3
Ensure that Compliance is enabled (Select Yes at the top of the dialog box.)
4
Click Create new rule.
You will need to create a new rule for the "All Subjects" compliance dictionary and another new rule
for the "Previously Modified Subjects" compliance dictionary.
5
Type a name for the new rule: (for example:)
•
Match all messages for the All Subjects rule.
•
Previously Modified Subjects for the rule to prevent multiple subject re-writes.
6
Click Next.
7
Search for and select the compliance dictionaries you previously created (in the example, this was
"All Subjects", and "Previously Modified Subjects".)
8
Click Next.
9
Click Next.
10 From the If the compliance rule is triggered drop-down list, select Allow Through (Monitor).
11 From And also, select Modify subject from the Other actions sub-category.
12 Click Manage templates.
13 Click Add from the Subject Templates dialog box.
14 Select or edit the required Subject templates:
•
For the "All Subjects" rule, edit the subject template by adding the text you want to be
displayed in the subject line for email messages matching this policy. For example, type "Policy
Match: " before the %SUBJECT% token.
•
For the "Previously Modified Subjects" rule, select the %SUBJECT% option, and make sure that
it has a higher priority than the "Policy Match: %SUBJECT%" template (by moving this to the
top of the list).
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
139
4
Overview of Email menu
Email Policies
15 Click OK.
16 Click OK.
17 Select the modified subject from the Select a template drop-down list.
18 Click Finish.
19 Click OK.
20 Apply the changes.
The subject line of all email messages matching this policy are re-written, unless the subject lines
have already been modified.
Task — Modify the headers of all messages matching a policy
Configure McAfee Email Gateway to modify the headers of all email messages that match a specific
policy.
Tasks
•
Task — Create a compliance dictionary to match all messages on page 140
Create a compliance dictionary that matches all email messages. One way to achieve this is
to match email messages with a valid subject line.
•
Task — Configure a policy to use the new compliance dictionaries on page 141
Link the new compliance dictionary to a policy, so that your McAfee Email Gateway can add
a custom header to email messages matching the compliance dictionary.
Task — Create a compliance dictionary to match all messages
Create a compliance dictionary that matches all email messages. One way to achieve this is to match
email messages with a valid subject line.
Before you can configure a policy to match all email messages, create a compliance dictionary.
Task
1
Browse to Email | DLP and Dictionaries | Compliance Dictionaries.
2
Under Dictionary List, click Add Dictionary.
3
Type a name for the new category. For example, type All Subjects in the Name field.
4
Type a description for the new dictionary.
5
Select Regular expressions from Match type.
6
Click OK.
Under Dictionary details for 'All Subjects', a New term is added.
7
Click the Everything link from within Dictionary details for 'All Subjects'.
8
Unselect Everything.
The File categories and Subcategories areas are enabled.
9
Select E-Mail Messages from within File categories.
10 Select Subject line from within Subcategories
140
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
11 Click OK.
The new dictionary, All Subjects, now is applied only to email messages with a valid Subject line.
12
From the New term row of the Dictionary details for 'All Subjects' table, click the edit
icon.
13 In the Term field, type .*.
14 Click OK.
15 Apply the new configuration.
The new compliance dictionary is created, and is configured to match any email message with a valid
subject line.
Task — Configure a policy to use the new compliance dictionaries
Link the new compliance dictionary to a policy, so that your McAfee Email Gateway can add a custom
header to email messages matching the compliance dictionary.
Before you begin
Ensure that you have created the new compliance dictionary before following this task.
You can edit an existing policy to use the new compliance dictionary, or you can create a new policy.
Task
1
Create a new policy, or select the policy to be edited.
2
Click the Compliance link within the Compliance column.
3
Ensure that Compliance is enabled (Select Yes at the top of the dialog box.)
4
Click Create new rule.
You will need to create a new rule for the "All Subjects" compliance dictionary.
5
Type a name for the new rule: (for example:) Match all messages for the All Subjects rule.
6
Click Next.
7
Search for and select the compliance dictionary you previously created (in the example, this was
"All Subjects".)
8
Click Next.
9
Click Next.
10 From the If the compliance rule is triggered drop-down list, select Allow Through (Monitor).
11 From And also, select Modify headers from the Other actions sub-category.
12 Click Manage templates.
13 Click Add from the Header Modification Templates dialog box.
14 Select or edit the required header templates, including defining the name for each header and
specifying the tokens applicable to each header.
•
To prevent multiple copies of a defined header being added to a message, select Remove Existing.
15 Click OK.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
141
4
Overview of Email menu
Email Policies
16 Click OK.
17 Select one or more Header Modification Templates from the list of currently configured templates.
18 Click Finish.
19 Click OK.
20 Apply the changes.
Scanning Policies - Add Policy...
Specify a new policy, including defining the group of users or devices to which you can apply the
policy.
Email | Email Policies | Add Policy...
The Add Policy page enables you to specify the parameters that define the policy, add the users or user
groups to which the policy will apply and specify the network groups.
Option definitions — Scanning Policies | New Policy
This information describes the options available on this dialog box.
Option definitions — New Policy dialog box
Option
Definition
Add user group
Click to open the Add User Group dialog box.
Add network group
Click to open the Add Network Group dialog box
Policy name
Type the name of the new policy.
Description
Optionally add a description of the new policy to facilitate identification.
Inherit settings from
Select the policy from which you want this policy to inherit its settings.
Email direction
Choose whether you want the policy to apply to inbound or outbound email traffic
only. By default, policies apply to both inbound and outbound traffic.
Match logic
Choose whether you want the match to be made on one or more of the rules, or all
of the rules in the list.
Add Rule
Opens a new dialog box where you can specify the type and match for the rule
that you want to create, and specify the value.
The network group and user group and LDAP query rules are not available until you
create the items.
Move
Use the arrows to move the rules up and down the list.
The rules are actions from the top of the list downwards.
Delete Selected Rules Click to remove a rule from the list.
Reset
142
Resets the window to the default state.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Option definitions — Add User Group dialog box
Option
Definition
Group name
Type the name of the group
Selected or
unselected
Select a group and click Edit or Delete Selected Rules as appropriate. Use the arrow
icons to move the rules up and down the list.
Rule type
Choose from:
• Sender email address
• Recipient email address
• Sender user group
• Recipient user group
• LDAP Query (if configured)
The LDAP query and user group options become available only when a user
group or LDAP server has been created.
Match
Choose from:
• is
• is not
• is like
• is not like
Value
Type the value that you want to associate with Match.
Add Rule
Click to add a new rule to the list.
Option definitions — Add Network Group dialog box
Option
Definition
Group name
Type the name of the network group
Rule type
Choose from:
• IP address
• VLAN identifier
• Network connection
• Host name
Match
Choose from:
• is
• is not
• is in
• is not in
Value
Type the value associated with the type of rule that you chose
Move
Use the arrows to move the rules up and down the list
The rules are actions from the top of the list downwards.
Add Rule / Delete Selected Rules
Click to add a new rule to the list
Reset
Click Reset to clear all data from this form.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
143
4
Overview of Email menu
Email Policies
Task — Create a new scanning policy
Learn how to create a new scanning policy.
Your appliance uses the policies you create to scan the email messages sent through the appliance.
You can create multiple policies to control the way different users use email, or to specify different
actions based on specific circumstances.
Task
1
Select Email | Email Policies | Scanning Policies.
2
Select the required protocol using steps in Task — View policies for SMTP, POP3 or McAfee Secure
Web Mail.
3
Click Add policy.
4
In the Scanning Policies — New Policy page, enter the following information:
a
Name for the policy.
b
Write an optional description for the new policy.
c
Specify where the new policy inherits its settings from.
If you have a similar policy already set up, select this to allow its settings to be inherited by the
new policy.
5
d
Choose if the policy is to apply to inbound or outbound email traffic. (SMTP only)
e
Select the required Match logic for the policy.
f
Select the type of rule, how it should match, and the value that the rule tests against.
g
If required, add additional rules, and use the
and
buttons to correctly order the rules.
Click OK.
The new policy is added to the top of the list of policies.
Task - add a user group
Use this task to create a user group that can be used in policy selection.
Before you begin
Ensure that you have a valid connection to a Generic LDAP Server, and its queries are
providing output.
Task
1
Go to Email | Group Management | Email Senders and Recipients.
2
Click Add and type a name for the group.
3
Click Add Rule.
4
In Rule type, select LDAP Query.
The Values field is populated with the name of the LDAP group you selected.
144
5
Click OK to close the dialog box.
6
Go to Email | Email Policies | Add Policy....
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Policies
7
Click Add Rule. In Rule type, select User group.
8
In Value, select the user group you created, and click OK.
4
Task — Create a policy using a network group
Use this task to create an email policy using a network group of internal email servers. This allows
easy management of your internal network groups without having to change scanning policies.
Task
1
Go to Email | Group Management | Network Groups.
2
Click Add, and type a name for the network group such as Internal Email Servers.
3
Click Add Rule.
4
In Rule type, select IP address.
5
In Match, select is, and type the IP address of one of your mail servers.
6
In Value, type the IP address of one of your email servers, and click OK.
7
Repeat steps 3 through 6 to add the IP address of another email server.
8
Click Email | Email Policies | Add Policy..., and type a name for the policy.
If the network group that you want to use for the policy is not already created, click Add network group.
9
Configure the policy:
•
Select the policy from which you want to inherit settings
•
Select the email direction
•
Set the match logic.
10 Click Add Rule.
11 In Rule type, select Source network group, and in Value, select the Internal mail servers group.
12 Click OK.
Option definitions — Add Rule dialog box and Edit Rule dialog
box
Use this dialog box to set up or edit the type of rules that you want the policy to use.
The options on this dialog box change depending on the rule type you choose.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
145
4
Overview of Email menu
Email Policies
Option Definition
Rule type Choose from:
• Source IP address — use this rule to enforce a policy based on the IP address of the incoming
network connection.
The is match allows you to add a single IP address (for example, 92.168.0.1). The is in
match allows you to add a network address if the incoming connection may be from a
collection of servers on a particular subnet (for example, 192.168.0.0/24).
The source IP address is usually the IP address of the Senders MTA or of the Firewall/NAT
in front of the MTA.
This rule works with proxy or transparent connections.
• Destination IP address — use this rule to enforce a policy based on the IP address of the
outgoing network connection.
The is match allows you to add a single IP address (for example, 92.168.0.1). The is in
match allows you to add a network address if the incoming connection may be from a
collection of servers on a particular subnet (for example, 192.168.0.0/24).
The destination IP address is usually the IP address of the Recipients MTA or of the
Firewall/NAT in front of the MTA.
This rule only works with transparent connections.
• Sender email address — use this rule to enforce a policy based on the email address of the
sender.
The email address to evaluate is taken from the 'MAIL FROM' of the SMTP conversation.
The is match allows you to specify the exact email address to match the rule.
The is like match allows you specify an email address pattern to match the rule. Use the
wildcard character * to match any character in the address.
• Masqueraded sender email address - use this rule to enforce a policy based on an email address
after address masquerading is carried out.
The email address to evaluate is taken from 'MAIL FROM' of the SMTP conversation, after
address masquerading has been applied. If the email address has not been masqueraded
the original Sender email address is used.
The is like match allows you specify an email address pattern to match the rule. Use the
wildcard character * to match any character in the address.
This rule will be used regardless of masquerading has been successful.
• Recipient email address — use this rule to enforce a policy based on the email address of the
recipient of the email.
The email address to evaluate is taken from the 'RCPT TO' of the SMTP conversation.
Since an email may be addressed to more than one recipient, the application of this rule
differs between transparent and proxy connections:
• Proxy connections — application of this rule causes the message to be split if a single
policy does not match all of the recipients of the email (as specified by the Recipient
email address or Aliased recipient email address). The message will be scanned using
each of policies for the recipients that match that policy. It is possible that recipients
who match different policies will receive a different mail to other recipients, if policy
settings cause modification of the mail.
The number of times a message may be split is configured in Email Configuration | Protocol
Configuration | Protocol Settings (SMTP) | Message processing | Advanced options | Maximum number of
policies per email. If the message is split more that the configured number of times, no
message split is performed and the message is scanned with the highest order common
policy.
• Transparent connections — by default a policy with this rule is only triggered if all
recipients match the rules for the policy (as specified by the Recipient email address or
Aliased recipient email address).
146
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Option Definition
When a message has multiple recipients and multiple policies would have matched, the
highest order policy that matched all rules up to the ‘RCPT TO’ phase of the policy will
be used for scanning. This behavior may be overridden in Email Configuration | Protocol
Configuration | Protocol Settings (SMTP) | Transparency options (router and bridge mode only) | Advanced
options | Allow multiple policies per email.
Overriding this behavior will cause the original connection to the onward server to be
ended, and a new mail delivered for each policy.
The is match allows you to specify the exact email address to match the rule.
The is like match allows you specify an email address pattern to match the rule. Use the
wildcard character * to match any character in the address.
If you have multiple policies based on recipient email address and a message is intended
for recipients in different policies, the message will be split and each recipient will get
evaluated using their policy.
A policy will never trigger, if 'Recipient email address' rule type has been used more than
once in the policy with 'Match all of the following rules' match logic.
• Recipient email address list — use this rule to enforce a policy based on the email addresses of
the complete set of recipients included in the email delivery.
This rule is evaluated after the complete set of recipients has been received at the 'RCPT
TO' phase of the SMTP conversation. It will not cause the message to be split for different
policies.
This rule may be used to trigger a policy when you need to consider whether multiple
recipients have been sent a message.
The contains match allows you to specify the exact email address to match the rule.
The contains addresses like match allows you specify an email address pattern to match the
rule. Use the wildcard character * to match any character in the address.
• Aliased recipient email address — use this rule to enforce a policy based on the aliased email
address of the recipient.
The email address to evaluate is taken from 'MAIL FROM' of the SMTP conversation, after
aliasing has been applied. If the email address has not been aliased the original recipient
email address is used.
• Aliased recipient email address list — use this rule to enforce a policy based on a recipient email
address list after the recipient aliasing is carried out.
The email address to evaluate is taken from 'MAIL FROM' of the SMTP conversation, after
aliasing has been applied. If the email address has not been aliased the original recipient
email address is used.
Once the policy is enforced based on the email address list it will stop evaluating the
policies in the later in the order for that email.
• VLAN identifier — use this rule to enforce a policy based on a VLAN identifier which uniquely
identifies the VLAN to which the frame belongs.
You can use a value between 0 4095.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
147
4
Overview of Email menu
Email Policies
Option Definition
This rule applies to transparent connections only.
• Incoming network connection
• Outgoing network connection
• Source host name
• Destination host name
• Source network group
• Destination network group
• User group
• LDAP query
• Policy rules
Operator This option is only available when you select the LDAP query rule type.
Match
Choose from:
• is
• is not
• is in
• is not in
If you select the LDAP query rule type, two additional options appear: Contains and Does not
contain.
Value
Enter the value associated with the type of rule that you chose.
Option Definitions — Scanning Policies — New Policy Exception
Create policy exceptions to exempt specified individuals or groups from configured policies.
Exceptions apply whether you enable the underlying policy or not.
Table 4-28
148
Option definitions — New Policy Exception
Option
Definition
Exception name
Specifies name for the exception.
Description (optional)
Specifies a description that helps to identify the exception, if desired.
Use this exception when
scanning email
(Only visible when editing an existing policy exception)
Match logic
Select the required option to determine how the system applies policy
exception rules.
Rule type
Displays the type of the rule, based on the parameters set when you
created the rule.
Move
Clicking the relevant arrow moves a rule up or down in the list of rules.
Rule priority is determined by the position within the list, with the rules at
the top of the list having a higher priority than those lower down.
Edit
Opens the edit window for the specific rule.
By default, this checkbox is selected, enabling the selected policy exception
within your email scanning. Deselect to disable the policy exception.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-28
Option definitions — New Policy Exception (continued)
Option
Definition
Add user group
Opens the page to allow you to create a new user group.
Add network group
Opens the page to allow you to create a new network group.
Table 4-29 Option definitions — Add Rule
Option
Definition
Rule type
Drop-down list displays the available entity types. The rule applies this type.
Match
The drop down selections determine how the rule applies to the entity.
Value
Specifies the data to identify the specific entity.
Option definitions — Scanning Policies | New Policy | Add user
group
This information describes the options available on this dialog box.
Option
Definition
Group name
Type the name of the group.
Selected or
unselected
Select a group and click Edit or Delete Selected Rules as appropriate. Use the arrow
icons to move the rules up and down the list.
Rule type
Choose from:
• Sender email address
• Recipient email address
• Sender user group
• Recipient user group
• LDAP Query (if configured)
The LDAP query and user group options become available only when a user
group or LDAP server has been created.
Choose from:
Match
• is
• is not
• is like
• is not like
Value
Type the value that you want to associate with Match.
Add Rule
Click to add a new rule to the list.
Task - add a user group
Use this task to create a user group that can be used in policy selection.
Before you begin
Ensure that you have a valid connection to a Generic LDAP Server, and its queries are
providing output.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
149
4
Overview of Email menu
Email Policies
Task
1
Go to Email | Group Management | Email Senders and Recipients.
2
Click Add and type a name for the group.
3
Click Add Rule.
4
In Rule type, select LDAP Query.
The Values field is populated with the name of the LDAP group you selected.
5
Click OK to close the dialog box.
6
Go to Email | Email Policies | Add Policy....
7
Click Add Rule. In Rule type, select User group.
8
In Value, select the user group you created, and click OK.
Option definitions — Scanning Policies | New Policy | Add
network group
This information describes the options available on this dialog box.
Option
Definition
Group name
Type the name of the network group.
Rule type
Choose from:
• IP address
• VLAN identifier
• Network connection
• Host name
Choose from:
Match
• is
• is not
• is in
• is not in
Value
Type the value associated with the type of rule that you chose.
Move
Use the arrows to move the rules up and down the list.
Add Rule / Delete Selected Rules Click to add a new rule to the list.
Use the Reset button to clear the entries you have made in this dialog box.
Reset
Option definitions — Subject Templates
Create or edit Subject templates as part of the subject re-write feature.
150
Option
Definition
Template
Shows the text or tokens that will be used to re-write the subject line.
Priority
Shows the priority of the available templates.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Option
Definition
Move
Use the arrow icons to move your subject template higher or lower in priority order.
•
Move the template up
•
Move the template down
Edit
Click to make changes to the text that is used to re-write the subject line.
Delete
Click to remove the template.
You cannot delete a template that is currently being used by a policy.
Add
Create a new template at the bottom of the template list.
Insert
Create a new template above the currently selected template.
Option definitions — Notification Templates
Use the notification templates page to view details about each available notification template, and to
manage the customized notification templates.
Table 4-30 Option definitions
Option
Definition
Template Name Lists the names for all the pre-defined and custom notification templates.
Email Content
Provides an overview of the content of the notification emails generated from each
notification template.
Sender
Lists the purported sender for the notification email message.
Recipients
Lists the recipients that will receive notifications when each notification template is used
to generate a notification email message.
Subject
View the subject that is added to notification email messages.
Edit
Click to make changes to the settings contained within custom notifications.
You cannot edit the pre-defined notification templates.
Delete
Click to remove the template.
You cannot delete the pre-defined notification templates, or any templates that are
currently being used by a policy.
Add
Create a new notification template. The new template is added at the bottom of the
template list.
Option definitions — Add/Edit Notification Template
Create or edit notification templates as part of the customized notifications feature.
The Add Notification Template pages take the form of a wizard, with the following pages:
•
Email Content
•
Subject
•
Sender
•
Other options
•
Recipients
When editing a pre-configured customized notification template, these same pages are available from
tabs accessed from the Edit Notification Template link.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
151
4
Overview of Email menu
Email Policies
Table 4-31 Option definitions — Add/Edit Notification Template — Email Content
Option
Definition
Template name
Add or edit the name for the template. This name is reflected in the first column of
the Notification Templates dialog box.
Predefined content To use predefined content within the notification, select one of the options:
• Send a default notification email
• Forward the original email
• Send an annotated email
• Forward the modified email
• Send a scanner alert
Selecting either of the forward options does not allow the use of custom subjects, or
allow the forwarding of any attachments contained within the email message.
Custom content
To create a custom notification, choose either:
• Send a custom HTML notification, or
• Send a custom plain text notification
Editing area
When creating custom notification content, use the editing area to create the
notification. Select from the drop down list of available tokens to have McAfee Email
Gateway add the required information at the time the notification is sent. Type any
other message for the intended recipients of the notification.
Table 4-32 Option definitions — Add/Edit Notification Template — Sender
Option
Definition
Predefined sender Select from the list of available, predefined senders.
Custom sender
To have notification emails appear to be from a specific, custom sender, enter the
required email address.
Table 4-33 Option definitions — Add/Edit Notification Template — Recipients
Option
Definition
Predefined recipients
Select from either the recipient (or recipients) for the original email message, or
the sender of the original email message.
Custom recipient
To have notification emails sent to another recipient, enter the required email
address.
Configured recipient lists To have the notification messages sent to a list of recipients, enable One or more
recipient lists, and then select the required list or lists.
Table 4-34 Option definitions — Add/Edit Notification Template — Subject
Option
Definition
Predefined subject Select from the list of available subject options.
Custom subject
Create a custom subject to be used by notification messages generated using this
template. Custom subjects can include tokens selected from the drop-down list that
are populated with data from the McAfee Email Gateway at the time the notification
is generated.
Table 4-35 Option definitions — Add/Edit Notification Template — Other options
Option
Definition
Attachments You can choose to attach the original email message, the modified email message when
available, both types of message or no messages.
152
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Anti-Virus policy settings
Use the Anti-Virus policy settings to specify the files you want to scan and the actions you want to take
when a threat is detected, and create detection policies for viruses, spyware, packers, and malware
threats such as worms and mass mailers.
Anti-virus features
The anti-virus protection within Email Gateway provides many ways to protect your network and
users.
Email | Email Policies | Anti-Virus
The anti-virus software:
•
Detects and cleans viruses.
•
Protects your network from potentially unwanted programs (PUPs). The appliance can be
configured to:
•
•
Enable or disable detection of potentially unwanted programs.
•
Detect specific types of potentially unwanted programs, such as mass mailers and Trojan
horses.
•
Detect named malware.
•
Take specific actions when malware is detected.
Protects your network from named packers. You can add and remove packer names from the list of
packers that will be detected.
Packers compress files and can effectively disguise executable programs. They can also compress
Trojan horses and make them harder to detect. The appliance can be configured to:
•
•
Detect named packers.
•
Exclude named packers from detection.
•
Take specific actions when a packer is detected.
Protects your network from PUPs. A cautious user might want to be informed of PUPs, and might
want to remove them.
McAfee® anti-spyware software detects and, with your permission, removes potentially unwanted
programs. Some purchased or intentionally downloaded programs act as hosts for other potentially
unwanted programs. Removing these potentially unwanted programs may prevent their hosts from
working. Review the license agreement for these host programs for further details. McAfee does not
encourage nor condone breaking any license agreements. Read the details of license agreements
and privacy policies carefully before downloading or installing any software.
•
Automatically scans within compressed files.
•
Automatically decompresses and scans files compressed in the packages that include PKZip, LHA,
and ARJ.
•
Detects macro viruses.
•
Detects polymorphic viruses.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
153
4
Overview of Email menu
Email Policies
•
Detects new viruses in executable files and OLE compound documents, using a technique called
heuristic analysis.
•
Upgrades easily to new anti-virus technology.
Settings for scanning viruses and similar threats
The anti-virus settings in a policy protect the network and its users.
Email | Email Policies | Anti-Virus
Threats to your network and users may be from:
•
Viruses
•
Spyware
•
Adware
•
Various kinds of malware (malicious software) and other potentially unwanted software.
Spyware can steal information and passwords. This category includes potentially unwanted programs
(PUPs), which are any software that a cautious network administrator might want to be informed of,
and possibly remove, such as password crackers. Adware, too is among these nuisances, because it
distracts employees from their normal work.
What is a potentially unwanted program (PUP)?
Potentially unwanted programs (PUPs) are not considered to be malware like viruses and Trojan
horses.
Email | Email Policies | Anti-Virus | McAfee Anti-Spyware
Some software programs written by legitimate companies might alter the security or privacy of the
computer where they are installed. This software can include spyware, adware, and dialers, and might
be downloaded unwittingly with a program that the user wants. Cautious users prefer to know about
such programs, and in some cases, remove them.
Customized anti-virus settings
Besides giving you the levels of scanning (such as default file types, which scans only the most
susceptible files), Email Gateway also allows you to specify various options when scanning for viruses.
Email | Email Policies | Anti-Virus | Basic Options
154
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Although more options can provide greater security, scanning will take longer. The scanning
capabilities are:
•
Detect possible new viruses in programs and documents.
Documents that carry a virus often have distinctive features such as a common technique for
replicating themselves. Using heuristics, the scanner analyzes the document to detect these kinds
of computer instructions. Program file heuristics scans program files and identifies potential new
file viruses. Macro heuristics scans for macros in the attachments (such as those used by Microsoft
Word, Microsoft Excel, and Microsoft Office) and identifies potential new macro viruses.
•
Scan inside archive files.
By default, the scanner does not scan inside file archives such as .zip or .lzh files because any
infected file inside them cannot become active until it has been extracted.
•
Scan default file types.
Normally, the scanner examines only the default file types — it scans only those files that are
susceptible to infection. For example, many popular text and graphic formats are not affected by
viruses. Currently, the scanner examines over 100 file types by default, including .exe and .com.
•
Scan all files.
This option ensures that every file is scanned. Some operating systems, such as Microsoft
Windows, use the extension names of files to identify their type. For example, files with the
extension .exe are programs. However, if an infected file is renamed with a harmless extension
such as .txt, it can escape detection and the operating system can run the file as a program if it is
renamed later.
•
Scan files according to file name extension.
You can specify the types of files you want to scan according to their file name extensions.
•
Treat all macros as viruses.
Macros inside documents are a popular target for virus writers. Therefore, for added security,
consider scanning all files for macro viruses, and optionally removing any macros found, regardless
of whether they are infected.
•
Scan compressed program files.
This is used to scan compressed files such as those compressed using PKLITE. If you are scanning
selected file extensions only, add the appropriate compressed file extensions to the list.
Special actions against packers and PUPs
The appliance handles most detections according to the actions that you specify on the Basic Options
tab.
Email | Email Policies | Anti-Virus | Custom Malware Options
To specify that a scanner on the appliance handles some packers and PUPs differently, use the Custom
Malware Options tab.
Problems with alerts for mass mailers
Normally, the appliance handles all potentially unwanted programs in the same way. However you can
specify that certain types are handled differently.
Email | Email Policies | Anti-Virus | Custom Malware Options
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
155
4
Overview of Email menu
Email Policies
For example, you can configure the appliance to inform the sender, the recipient and an administrator
with an alert message whenever a virus is detected in an email message. This feature is useful
because it shows that the anti-virus detection is working correctly, but it can become a nuisance if a
mass-mailer virus is encountered.
Mass-mailer viruses (for example Melissa and Bubbleboy) propagate themselves rapidly using email.
Numerous alerts are generated, and these can be as annoying as the surge of detected email
messages that has been blocked.
The appliance can handle any mass-mailer virus separately from other types of virus. You example,
you can choose to discard the detected document immediately, and thereby suppress any alert
messages that will otherwise be generated.
Configuring basic Anti-Virus settings
Use the following information to understand the benefits and procedures to configure basic Anti-Virus
settings.
Email | Email Policies | Anti-Virus | Basic Options
The Anti-Virus | Basic Options page enables you to configure options such as the types of files that are
scanned for viruses, the actions to take if a virus is identified, and what to do if an infected file cannot
be cleaned.
Contents
Benefits of configuring basic Anti-Virus options
Benefits of using McAfee Global Threat Intelligence file detection
Option definitions — Anti-Virus — Basic Options
Task — Enabling McAfee Global Threat Intelligence file reputation
Benefits of configuring basic Anti-Virus options
This information describes the benefits associated with setting up the basic Anti-Virus options.
To provide the best combination of performance and detection of viruses, the Anti-Virus | Basic Options
page has settings to enable you to select the types of files that are scanned for viral content, and the
actions to be taken when a viral detection is made.
This page also give you the option of enabling McAfee® Global Threat Intelligence™ file reputation.
Benefits of using McAfee Global Threat Intelligence file detection
This technique reduces the delay between McAfee's detection of a new malware threat and when a
customer receives and installs a detection definitions (DAT) file. The delay can be 24 - 72 hours.
Email | Email Policies | Anti-Virus | Basic Options
156
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Policies
4
Using McAfee® Global Threat Intelligence™ file reputation enables your Email Gateway to provide
protection against new threats, before they are included in detection definition (DAT) files.
1
The appliance scans each file, comparing its code against the information (or signatures) in the
current detection definitions (DAT) file.
2
If the code is not recognized and is suspicious, for example, the file is packed or encrypted, the
appliance sends a small definition (or fingerprint) of that code to McAfee Global Threat Intelligence
— an automated analysis system at McAfee. Millions of other computers with McAfee software also
contribute fingerprints.
3
McAfee compares the fingerprint against a database of fingerprints collected worldwide, and
informs the appliance of the likely risk — within seconds. Based on settings in the scanning
policies, the appliance can then block, quarantine, or try to clean the threat.
If McAfee later determines that the code is malicious, a DAT file is published as usual.
Option definitions — Anti-Virus — Basic Options
Use this page to specify basic options for anti-virus scanning.
Table 4-36 Option definitions — Enable anti-virus scanning for "policy name"
Option
Definition
Enable anti-virus scanning
When selected, enables anti-virus scanning of email messages.
Table 4-37 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
157
4
Overview of Email menu
Email Policies
Table 4-38 Option definitions — Specify which files to scan
Option
Definition
Specify which files to • Scan all files — Offers the highest security. However, scanning takes longer and
scan
might affect performance.
Some operating systems such as Microsoft Windows use the extension name of a
file to identify its type. For example, files with the extension .exe are programs.
However, if an infected file is renamed with a harmless extension such as .txt, it
can escape detection. The operating system cannot run the file as a program
unless it is renamed later. This option ensures that every file is scanned.
• Default file types — The scanner examines only the default file types — in other
words, it concentrates its efforts on scanning those files that are susceptible to
viruses.
For example, many popular text and graphic formats are not affected by viruses.
Currently the scanner examines over 100 types by default, which includes .exe
and .com file types.
• Defined file types — Scans only the types in the list.
Using this option, you can specify the types of files that you want scanned.
Scan archive files
(ZIP, ARJ, RAR ...)
By default, the scanner does not scan inside file archives such as .zip or .lzh files
because any virus-infected file inside them cannot become active until it has been
extracted.
When selected, Email Gateway scans these types of files.
However, scanning takes longer and might affect performance. As the contents of
these files are harmful only when files inside are extracted, they can be scanned by
the on-access scanners on individual computers in your network.
Find unknown file
viruses
An anti-virus scanner typically detects viruses by looking for the virus signature,
which is a binary pattern that is found in a virus-infected file. However, this
approach cannot detect a new virus because its signature is not yet known,
therefore the scanner uses another technique: heuristic analysis. Program file
heuristics scans program files and identify potential new file viruses. Macro
heuristics scans for macros in the attachments (such as those used by Microsoft
Word, Microsoft Excel, and Microsoft Office) and identify potential new macro
viruses.
When selected, does extra analysis to find any virus-like behavior.
Find unknown macro Macros inside documents are a popular target for virus writers.
viruses to Remove When selected, take actions against macros in documents. Macros inside
all macros from
documents are a popular target for virus writers.
document files
Enable McAfee
Global Threat
Intelligence file
reputation with
Sensitivity level
Enables McAfee Global Threat Intelligence file reputation on your appliance.
McAfee Global Threat Intelligence file reputation complements the DAT-based
signatures by providing the appliances access to millions of cloud-based
signatures. This reduces the delay between McAfee detecting a new malware
threat and its inclusion in DAT files, providing broader coverage.
The sensitivity levels enable you to balance the risk of missing potentially harmful
content (low settings) with the risk of false positive detections (high settings).
For gateway appliances, the recommended sensitivity level is Medium.
158
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-39 Option definitions — Actions
Option
Definition
Attempt to clean
When selected, the infection inside the item is removed, if possible. When
deselected, the entire item is removed.
If cleaning
succeeds
Specify the secondary actions to take if the appliance successfully cleans the
infection.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all the
recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of
the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing email
list.
• Deliver the modified email to the sender — Deliver the email message to the sender, with
modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include any
custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
Notification and
annotated email
options
When clicked, opens another window where you can specify who the appliance will
notify when a threat is detected.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
159
4
Overview of Email menu
Email Policies
Table 4-39 Option definitions — Actions (continued)
Option
Definition
If cleaning fails
Specify the primary action to take if the appliance cannot clean the infection.
• Deny connection (Block)
• Replace detected item with an alert (Modify)
• Refuse the data and return an error code
(Block)
• Allow Through (Monitor)
• Accept and then drop the data (Block)
160
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-39 Option definitions — Actions (continued)
Option
Definition
And also
Specify the secondary actions to take if the appliance cannot clean the infection.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all the
recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of
the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing email
list.
• Deliver the modified email to the sender — Deliver the email message to the sender, with
modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include any
custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
If a file is zero
bytes after
cleaning
Provides an action against a file that is now empty. Zero-byte files cannot carry
threats, but you might prefer to remove the files if they confuse users.
The available options are:
• Keep zero byte file
• Remove zero byte file
• Treat as a failure to clean
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
161
4
Overview of Email menu
Email Policies
Table 4-40 Option definitions — Obfuscated content
Option
Definition
Make deobfuscated content available to other
scanners
When selected, provides extra protection against unwanted
content. The techniques that detect hidden viruses and
malware are made available to content scanning.
Table 4-41 Option definitions — Additional anti-virus engine
Option
Definition
Enable Commtouch
Command anti-virus
When selected, enables the Commtouch Command anti-virus engine within your
policies.
®
Scanning optimization Select how the Commtouch Command anti-virus engine is used:
®
• Perform optimized scanning — Objects are not passed to the Commtouch Command
anti-virus engine if the McAfee® anti-virus engine makes a detection that is then
either replaced with an alert message, or that causes the email message to be
dropped.
®
Depending on the actions configured for the McAfee anti-virus engine, the
additional anti-virus engine might not be used to scan an email message.
• Perform exhaustive scanning — Objects are always passed to the Commtouch
Command anti-virus engine after the McAfee® engine completes its scan.
®
Exhaustive scanning might result in your McAfee Email Gateway reporting
multiple detections for a single email message.
Task — Enabling McAfee Global Threat Intelligence file reputation
Use this task to enable McAfee® Global Threat Intelligence™ file reputation on your McAfee Email
Gateway.
Task
1
Select Email | Email Policies | Anti-Virus | Basic Options.
2
From within Specify which files to scan, select Enable McAfee Global Threat Intelligence file reputation.
3
Select your required Sensitivity level. A low setting means that the McAfee Email Gateway may miss
some potentially harmful content, whereas a high setting means that the McAfee Email Gateway
may detect some harmless files and wrongly label them as potentially harmful.
4
Click OK.
5
Click Apply.
Configuring McAfee Anti-Spyware
Use the following information to understand the benefits and procedures to configure McAfee
Anti-Spyware.
Email | Email Policies | Anti-Virus | McAfee Anti-Spyware
The Anti-Virus | McAfee Anti-Spyware page enables you to configure McAfee Anti-Spyware to detect and take
action against certain types of potentially unwanted programs being transmitted within email
messages.
162
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Contents
Benefits of using McAfee Anti-Spyware
Option definitions — Default Anti-Virus Settings — McAfee Anti-Spyware
Benefits of using McAfee Anti-Spyware
This information describes the benefits associated with setting up the McAfee Anti-Spyware options.
Several types of software programs can be transmitted using email. Some of these programs may be
classed as potentially unwanted programs (PUPs).
You can configure your Email Gateway to scan for potentially unwanted programs.
A PUP (potentially unwanted program) is any program that may be unwanted, even though the user
consented to downloading and installing the software. This may be because the user did not read the
terms and conditions relating to the software, or because it was downloaded in conjunction with
another piece of software that the user did want to install.
Potentially unwanted programs can include spyware, adware, and dialers. To learn more about
potentially unwanted programs, visit McAfee Labs Threat Library(http://vil.nai.com/vil/default.aspx).
Options on the user interface enable you to select the categories of unwanted programs the appliance
should detect.
You can also specify the actions to use when a potentially unwanted program is detected, and some
optional additional actions.
Option definitions — Default Anti-Virus Settings — McAfee Anti-Spyware
Use this page to specify the McAfee Anti-Spyware settings for anti-virus scanning.
Table 4-42 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
163
4
Overview of Email menu
Email Policies
Table 4-43 Option definitions — Potentially Unwanted Program (PUP) detection
Option
Definition
Enable anti-virus scanning When selected, scans for viruses and other threats such as worms and
spyware. The option is normally set to Yes. Select No only if you have anti-virus
protection elsewhere in your network.
Enable detection
Select to enable potentially unwanted program (PUP) detection.
Read the disclaimer text before enabling PUP detection.
164
Spyware to Other PUPs
Select the types of potentially unwanted programs detected.
Exclude and Include
Build a list of names of programs to scan or ignore.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-44 Option definitions — Actions
Option
Definition
If detected
Provides a main action to take. The available options are:
• Deny connection (Block)
• Replace the content with an alert (Modify)
• Refuse the data and return an error code
(Block)
• Allow Through (Monitor)
• Accept and then drop the data (Block)
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all the
recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of the
email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email message
for auditing purposes to all addresses defined within the auditing email list.
• Deliver the modified email to the sender — Deliver the email message to the sender, with
modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include any
custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended recipients.
You can select multiple header modification templates. Click Manage templates to
change the way the headers are re-written.
If an action
results in an alert
Select to use the default alert.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
165
4
Overview of Email menu
Email Policies
Table 4-44 Option definitions — Actions (continued)
Option
Definition
Click change the default alert text to view or change this alert message.
Configuring Packer detection
Use this information to understand the threat posed by packers, and how you can configure your Email
Gateway to deal with this threat.
Email | Email Policies | Anti-Virus | Packers
The Anti-Virus | Packers page enables you to configure Email Gateway to detect and take action against
types of packers.
Packers compress files, which changes the binary signature of the executable. Packers can compress
Trojan-horse programs and make them harder to detect.
Contents
Benefits of using Packer detection
Option definitions - Default Anti-Virus Settings - Packers
Benefits of using Packer detection
This information describes the benefits associated with setting up the packer detection options.
Packers compress files, which changes the binary signature of the executable. This can make it harder
to detect Trojan-horse or other potentially unwanted programs, as their true binary signatures are
hidden.
Enabling Packer detection helps defend against this type of threat, by scanning within the compressed
files to check the true binary signatures of the files contained within.
Option definitions - Default Anti-Virus Settings - Packers
Use this page to specify the actions to take against packers.
Table 4-45 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
166
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Policies
4
Table 4-46 Option definitions — Packer detections
Option
Definition
Enable detection
Select to enable detection of packers by the appliance.
Exclude specified names and Include only
specified names
Allows you to build a list of names of packers to scan or
ignore.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
167
4
Overview of Email menu
Email Policies
Table 4-47 Option definitions — Actions
Option
Definition
If detected
Provides a main action to take. The available options are:
• Deny connection (Block)
• Replace the content with an alert (Modify)
• Refuse the data and return an error code
(Block)
• Allow Through (Monitor)
• Accept and then drop the data (Block)
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all the
recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of the
email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email message
for auditing purposes to all addresses defined within the auditing email list.
• Deliver the modified email to the sender — Deliver the email message to the sender, with
modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include any
custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended recipients.
You can select multiple header modification templates. Click Manage templates to
change the way the headers are re-written.
If an action
results in an alert
168
Select to use the default alert.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-47 Option definitions — Actions (continued)
Option
Definition
Click change the default alert text to view or change this alert message.
Configuring Custom Malware Options
Use the following information to understand the benefits and procedures to configure customer
malware options within Email Gateway.
Email | Email Policies | Anti-Virus | Custom Malware Options
The Anti-Virus | Custom Malware Options page enables you to configure Email Gateway to take different
actions when certain types of malware are detected.
Contents
Benefits of using the Custom Malware options
Option definitions — Default Anti-Virus Settings — Custom Malware Options
Benefits of using the Custom Malware options
This information describes the benefits associated with using the custom malware options.
The custom malware options enable you to select different actions for certain types of malware to
those that you have selected for other detection types.
Option definitions — Default Anti-Virus Settings — Custom Malware Options
Use this page to specify the actions to take when some types of malicious software (“malware”) are
detected.
Table 4-48 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
169
4
Overview of Email menu
Email Policies
Table 4-49 Option definitions — Apply different actions to certain detection types
Option
Definition
Mass mailers to Trojan horses
When selected, applies the specified action to this type of malware.
If the option is not selected, the malware is handled as described by
the basic options.
170
Specific detection name
When selected, allows you to add names of specific detections. You
can use “*” and “?” to represent multiple and single characters in
the malware names.
Do not perform custom malware check
if the object has already been cleaned.
Enable this to prevent the appliance carrying out the custom
malware checks if the object has already been successfully cleaned.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-50 Option definitions — Custom actions
Option
Definition
If detected
Provides a main action to take. The available options are:
• Deny connection (Block)
• Replace the content with an alert (Modify)
• Refuse the data and return an error code
(Block)
• Allow Through (Monitor)
• Accept and then drop the data (Block)
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all the
recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of
the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing email
list.
• Deliver the modified email to the sender — Deliver the email message to the sender, with
modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include any
custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
If a custom
malware action
results in an alert
Select to use the default alert.
Click change the default alert text to view or change this alert message.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
171
4
Overview of Email menu
Email Policies
Handling hybrid scan results
®
When an email message triggers an action during the scan by the cloud-based McAfee SaaS Email
Protection Service, the results of that scan are communicated to your Email Gateway appliance.
You can configure the way hybrid scanning responds when it takes an action.
Benefits of hybrid scanning
Hybrid scanning reduces the workload for the Email Gateway appliances within your network.
Hybrid scanning processes your inbound email messages in the cloud, leaving your appliances free to
scan outbound traffic. You maintain control over the way scan results are used, because you can
configure policies for hybrid scanning like you can for scanning by your Email Gateway appliances.
Option definitions - Hybrid scanning
Use this page to enable and configure hybrid scanning.
Table 4-51 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-52
Option definitions - Hybrid Scanning
Option
Definition
Hybrid scanning options
Enable hybrid anti-virus
scanning
Enables or disables anti-virus scanning by the SaaS Email Protection Service.
Re-scan the email locally Enables or disables additional scanning by the Email Gateway appliance for any
if it is NOT found to be
email that passes through the SaaS Email Protection Service without triggering
infected
an action.
Actions
If a virus is detected
Sets the action to be taken by the Email Protection Service if it detects a virus.
Options are:
• Deny connection (Block)
• Replace with an alert (Modify)
• Refuse the data and return an error code
(Block)
• Allow through (Monitor)
• Accept and then drop the data (Block)
172
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-52
Option definitions - Hybrid Scanning (continued)
Option
Definition
And also
Sets additional actions to be taken by the Email Protection Service for emails
that were not blocked as the primary action. Options are:
Quarantine options
• Quarantine original — Select to have the original message added to the
Quarantine database.
• Quarantine modified — Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue
into which the email message is placed. This selection can include custom
quarantine queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all
the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender
of the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to
the intended recipients. Click Manage templates to change the way the subject is
re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the
intended recipients. You can select multiple header modification templates.
Click Manage templates to change the way the headers are re-written.
Notification and
annotated email options
Link that opens the Notification Emails page where you can set options.
If an action results in an
alert
Enables or disables use of the default text for virus alerts. If the default is
disabled, the system uses alert text provided by the user.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
173
4
Overview of Email menu
Email Policies
Table 4-52
Option definitions - Hybrid Scanning (continued)
Option
Definition
Change the default alert
text
Opens the Alert Editor page for anti-virus detection alerts.
If a potentially unwanted Sets the action to be taken by the Email Protection Service if it detects a
program is detected
potentially unwanted program. Options are:
• Deny connection (Block)
• Refuse the data and return an error code (Block)
• Accept and then drop the data (Block)
• Replace with an alert (Modify)
• Allow through (Monitor)
174
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-52
Option definitions - Hybrid Scanning (continued)
Option
Definition
And also
Sets additional actions to be taken by the Email Protection Service for emails
that were not blocked as the primary action. Options are:
Quarantine options
• Quarantine original — Select to have the original message added to the
Quarantine database.
• Quarantine modified — Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue
into which the email message is placed. This selection can include custom
quarantine queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all
the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender
of the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to
the intended recipients. Click Manage templates to change the way the subject is
re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the
intended recipients. You can select multiple header modification templates.
Click Manage templates to change the way the headers are re-written.
Notification and
annotated email options
Link that opens the Notification Emails page where you can set options.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
175
4
Overview of Email menu
Email Policies
Table 4-52
Option definitions - Hybrid Scanning (continued)
Option
Definition
If an action results in an
alert
Enables or disables use of the default text for potentially unwanted program
alerts. If the default is disabled, the system uses alert text provided by the user.
Change the default alert
text
Opens the Alert Editor page for potentially unwanted program alerts.
Task - Configure scanning policy
Follow this process to enable and configure hybrid anti-virus scanning policy.
Before you begin
You should register your appliance with McAfee SaaS Email Protection Service (SaaS) and
configure the domains for which email traffic is to be scanned in the cloud.
Task
1
Select Email | Email Policies, then in the Anti-Virus column, click the Viruses: Clean or Replace link.
The Default Anti-Virus Settings (SMTP) page opens.
2
Select the Hybrid Scanning tab.
The Hybrid scanning options tab opens.
3
In the Hybrid scanning options section of the page, select the checkbox to enable hybrid scanning.
4
If you want your Email Gateway appliance to scan any email that passes through the hybrid scan
without triggering an action, select the Rescan the mail locally checkbox.
5
Configure the actions you want the Email Protection Service to take when it detects a virus.
6
a
Select the primary action for virus detection from the drop-down list.
b
Select any secondary action or actions from the scrolling And also menu.
c
Click the Notification and annotated email options link to set options on the Notification Emails page.
d
Specify the use of the default alert text for anti-virus alerts by selecting the Use default text
checkbox.
e
If you want to change the text of the anti-virus alert, click the Change the default alert text link.
Configure the actions you want the Email Protection Service to take when it detects a potentially
unwanted program (PUP).
a
Select the primary action for PUP detection from the drop-down list.
b
Select any secondary action or actions from the scrolling And also menu.
c
Click the Notification and annotated email options link to set options on the Notification Emails page.
d
Specify the use of the default alert text for PUP alerts by selecting the Use default text checkbox.
e
If you want to change the text of the alert, click the Change the default alert text link.
Anti-Spam policy settings
Use the Anti-Spam policies to manage spam and phish detection, and configure any sender
authentication settings you want to apply.
176
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Anti-Spam features
The anti-spam protection within Email Gateway provides many ways to protect your users from
unsolicited email messages.
The anti-spam features include:
•
score-based spam reporting
•
ability to add prefixes to the subject line of emails identified as being unsolicited
•
customizable message size options
•
ability to add custom headers to the identified email messages
•
the use of blacklists and whitelists
•
spam rules that can be disabled if they are incorrectly identifying legitemate emails as spam
In addition, McAfee Email Gateway provides protection against phishing emails. Phishing emails are
messages that proport to come from a users bank or other institution, but, in fact are aimed at
tricking the user into disclosing sensitive financial data about their account and PIN numbers.
Another method of reducing the amount of unsolicited email is to use Sender Authentication to check
that the email messages have actually been sent from the source that it appears to have been sent.
Configuing basic Anti-Spam options
Use the following information to understand the benefits and procedures to configure basic Anti-Spam
options.
Email | Email Policies | Spam | Basic Options
Contents
Benefits of using basic Anti-Spam options
Option definitions — Default Anti-Spam Settings — Basic Options
Benefits of using basic Anti-Spam options
This information describes the benefits associated with setting up the basic Anti-Spam options.
The basic options available within the Default Anti-Spam Settings page allow you to specify settings such as
the spam reporting threshold for messages. This is the accumulated score at which your Email
Gateway marks messages as possibly being spam.
From this dialog box, you can also choose how you want to inform your users that a message could
possibly be spam. You can add a prefix to the subject line of emails suspected of being spam, and can
edit the text that appears within the subject.
You can also configure further spam-based options, including defining stricter actions (monitor, block
or reroute) for messages gaining a higher spam score.
Option definitions — Default Anti-Spam Settings — Basic Options
Use this page to specify how to handle spam email messages.
Table 4-53 Enable anti-spam scanning for "policy name"
Option
Definition
Enable anti-spam scanning
When selected, enables anti-spam scanning of email messages.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
177
4
Overview of Email menu
Email Policies
Table 4-54 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
When you have two or more policy exceptions, you can change the
Move
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Edit exception properties
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-55 Option definitions — Reporting options
Option
Definition
Spam reporting threshold
Specifies a spam threshold. Messages that have a spam score below the
threshold are not treated as spam.
Typically, a spam score of 5 or more indicates spam. You need only change
this threshold if its default value is not effective. You can enter numbers with
decimal fractions, for example 6.25.
Default value is 5.
Add a prefix to the subject
When selected, adds some text that helps users to find suspicious messages
line of spam messages and in their email inbox.
Prefix text
Default value is [spam].
Add a spam score indicator
and Indicator text
When selected, adds an indicator to each message's Internet headers. For
example, a message that has a spam score between 6 and 7 can be given an
indicator of six asterisks. This information is useful for later analysis.
Default value is *.
Attach a spam report
When selected, adds a report to the messages, showing the names of the
anti-spam rules that have triggered.
We recommend that you select a spam report for initial testing only, because
it can affect your server's performance. When you have collected the
information, deselect the option.
Verbose reporting
178
When selected, adds descriptions of the anti-spam rules.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-56 Option definitions — Additional score-based actions
Option
Definition
When the spam
score is at least
Specify the actions to take when the spam score exceeds a user-specified value.
The available actions are:
• Deny connection (Block)
• Route to an alternative relay (reroute)
• Refuse the data and return an error code
(Block)
• Allow Through (Monitor)
• Accept and then drop the data (Block)
If the action to take against email is Route to an alternate relay, you can click a Manage the
list of relays link to a list of other devices that will handle the email instead.
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the Quarantine
database.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all
the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of
the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender, with
modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
179
4
Overview of Email menu
Email Policies
Table 4-56 Option definitions — Additional score-based actions (continued)
Option
Definition
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
• Deliver message using encryption — Attempt delivery of the message using your
configured encryption settings.
When clicked, opens another window where you can specify who the appliance will
notify when a threat is detected.
Notification and
annotated email
options
Table 4-57
Alert settings
Option
Definition
Use the default alert
Select whether to use the default alert text when an anti-spam action triggers.
You can edit the alert text by clicking either:
• change the default alert text, or
• customize the alert text
Configuring advanced Anti-Spam options
Use the following information to understand the benefits and procedures to configure advanced
Anti-Spam options.
Email | Email Policies | Spam | Advanced Options
Contents
Benefits of using the advanced Anti-Spam options
Option definitions — Default Anti-Spam Settings — Advanced Options
Benefits of using the advanced Anti-Spam options
This information describes the benefits associated with setting up the advanced Anti-Spam options.
The advanced options available for configuring Anti-Spam options allow you to set rules for messages
size and header width, as well as configuring the number of rule names that can be included in a spam
report.
You can also enable custom headers for email messages.
Option definitions — Default Anti-Spam Settings — Advanced Options
Use this page to specify advanced settings against spam email. You do not need to change these
settings often.
Table 4-58 Option definitions — Policy exceptions
180
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-58 Option definitions — Policy exceptions (continued)
Option
Definition
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
When you have two or more policy exceptions, you can change the
Move
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Edit exception properties
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Specify limits
Option
Definition
Use the default maximum
message size
Select to use the default message size limits.
The default size is 250 KB.
Deselect to set a custom Maximum message size.
Maximum message size
Specifies the maximum size of the email message. Spam messages are
typically small.
Maximum width of spam
headers
Specifies the maximum width of headers that the appliance adds to email
messages.
We do not recommend that you decrease the value. For example, Verbose
reporting creates header lines, each with the name and description of a rule. A
reduced width will truncate the rule descriptions, making them more difficult to
read.
Default value is 76 bytes.
Maximum number of
reported rules
Specifies the maximum number of anti-spam rule names that can be included
in a spam report.
Default value is 180.
Add a custom header
Option
Definition
Header name and Header
value
Specifies the name and value of an extra email header, that can be used for
later processing.
Add the header
Specifies the type of email message to which to add the email header. For
example, you can add the customized email header to spam messages only.
Default value is Never.
Use alternative header names
when a mail is not spam
If selected, appends the text - Checked to the normal spam header names
when the email message did not contain spam. This option can be useful to
other devices that handle the same email message later.
Configuring Blacklists and Whitelists
Use the following information to understand the benefits and procedures to configure Blacklists and
Whitelists on your Email Gateway.
Email | Email Policies | Spam | Blacklists and Whitelists
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
181
4
Overview of Email menu
Email Policies
Contents
Benefits of using Blacklists and Whitelists
Option definitions — Blacklisted Senders
Option definitions — Blacklisted Recipients
Option definitions — Whitelisted Senders
Option definitions — Whitelisted Recipients
Option definitions — User Submitted
Benefits of using Blacklists and Whitelists
This information describes the benefits associated with using the blacklists and whitelists to help block
spam email messages from reaching your users.
Blacklists and whitelists are useful tools in helping keep your user inboxes free from unsolicited
(spam) email messages.
During email "spam" campaigns, high volumes of email messages can be generated in a short period
of time. If each of these spam emails that reach your email servers have to be individually scanned to
check the content, this can consume scanning resources on your Email Gateway.
Using blacklists, you can block all emails from a specific address, thereby removing the requirement to
scan each of the emails individually.
If you find that people that send legitimate email messages into your organization have their
messagse erroneously tagged as being spam, adding their addresses to the whitelists can prevent the
messages being tagged as spam.
Option definitions — Blacklisted Senders
Use this information to make lists of email addresses that regularly send spam to your organization.
Table 4-59 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
182
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Option
Definition
Email Address
Use this to make a list of email addresses that often send spam.
Specifies each email address. You can use wildcards, for example: user_?
@example.*
Add Address
Click to add a new row to the list of email addresses that often send spam. Type
the email address that you want added to the list.
Delete Selected
Addresses
If you find that legitimate email sender addresses have been added to the
Blacklisted Senders list, select each legitimate address, and click Delete Selected Addresses.
Option definitions — Blacklisted Recipients
Use this information to make lists of email addresses that regularly receive spam email messages.
Table 4-60 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Option
Definition
Email Address
Use this to make a list of email addressses that often receive spam.
Specifies each email address. You can use wildcards, for example: user_?
@example.*
Add Address
Click to add a new row to the list of email addresses that often receive spam. Type
the email address that you want added to the list.
Delete Selected
Addresses
If you find that legitimate email addresses have been added to the Blacklisted
Recipients list, select each legitimate address, and click Delete Selected Addresses.
Option definitions — Whitelisted Senders
Use this information to make lists of email addresses that are allowed to send email from within to
your organization.
Table 4-61 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
183
4
Overview of Email menu
Email Policies
Table 4-61 Option definitions — Policy exceptions (continued)
Option
Definition
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Option
Definition
Email Address
Use this to make a list of users who want to send email messages that the
appliance normally treats as spam.
Specifies each email address. You can use wildcards, for example: user_?
@example.*
Add Address
Click to add a new row to the list of email addresses that are to be allowed to send
email. Type the email address that you want added to the list.
Delete Selected
Addresses
If you find that illegal email sender addresses have been added to the Whitelisted
Senders list, select each illegal address, and click Delete Selected Addresses.
Option definitions — Whitelisted Recipients
Use this information to make lists of users who want to receive email messages that are normally
identified as spam.
Table 4-62 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
184
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-63 Option definitions
Option
Definition
Email Address
Use this page to make a list of users who want to receive email messages that
are normally identified as spam.
Specifies each email address. You can use wildcards, for example: user_?
@example.*
Add Address
Click to add a new row to the list of email addresses that are to be allowed to
receive email messages. Type the email address that you want added to the list.
Delete Selected
Addresses
If you find that illegal email recipient addresses have been added to the Whitelisted
Recipients list, select each illegal address, and click Delete Selected Addresses.
Option definitions — User Submitted
Use this information to understand how to allow your users to blacklist or whitelist individual senders,
and how to view and manage those lists.
Use this to view and manage lists of blacklists and whitelists that have been submitted by users
through quarantine digests.
If the appliance is configured to use the McAfee Quarantine Manager, you can only view the lists.
Table 4-64 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
When you have two or more policy exceptions, you can change the
Move
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Edit exception properties
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-65 Option definitions
Option
Definition
View
Click to view the lists of user-submitted blacklists and whitelists.
Refresh and Clear
Click to either refresh the information shown on screen, or to clear all
information from the screen.
Filter
Specify the information that you want to filter the list by. Click Apply.
The lists are filtered to only show those entries that match the entered filter
string.
Modify, Add and Delete Use these buttons to add, remove or edit entries within the user-submitted lists.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
185
4
Overview of Email menu
Email Policies
Table 4-65 Option definitions (continued)
Option
Definition
Import Lists
Take a previously exported list of blacklisted and whitelisted email addresses,
and import them onto your Email Gateway.
Export Lists
Create a list of the user submitted blacklisted and whitelisted email addresses,
and export them as an xml file.
Configuring Spam Rules
Use the following information to understand the benefits and procedures available to configure Spam
Rules.
Email | Email Policies | Spam | Spam Rules
Contents
Benefits of configuring Spam Rules
Option definitions — Spam Rules
Benefits of configuring Spam Rules
Use the following information to understand the benefits of configuring Spam Rules.
McAfee Email Gateway uses several methods to catch unsolicited (spam) email messages and prevent
them from reaching your users.
One of these methods is to use a set of regularly-updated rules to detect specific spam campaign
messages.
However, on occasion, one of these rules may wrongly detect legitimate email messages as spam - a
false positive detection. In this situation, you can disable just the rule that is causing the false positive
detections.
Option definitions — Spam Rules
Use this page to remove any spam rules that are causing some email to be wrongly detected as spam.
It is unlikely that you will need to change this list. Make changes only if you understand the
implications.
Table 4-66 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
186
Move
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-66 Option definitions — Policy exceptions (continued)
Option
Definition
Edit exception properties
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Option
Definition
Rule Name
Displays the rule name that is seen in the spam report.
Rule Score
Displays the rule score, which is typically 1-5.
Enabled
Specifies whether a rule is active. To disable a rule, deselect its checkbox.
Apply and Filter When Apply is clicked, the table shows only those numbers specified by Filter. You can
type a regular expression here, for example:
• ^AA — Find all terms that begin with AA.
• BB$ — Find all terms that end with BB.
• CC — Find all terms that contain CC.
To see the full list again, clear Filter and click Apply.
Configuring spam terms
Use spam terms to prevent unsolicited email messages from reaching your users.
Email | Email Policies | Spam | Spam Terms
Contents
Benefits of scoring spam terms
Option definitions — Spam terms
Task — Create a dictionary of spam terms
Task — Create a dictionary of spam term exclusions
Task — Use the spam terms and spam term exclusions dictionaries to modify spam scores
Benefits of scoring spam terms
McAfee Email Gateway uses several methods to catch unsolicited (spam) email messages to prevent
them from reaching your users. One of these methods is to measure the "spam score" of a message,
and to take appropriate actions based on that score.
McAfee Email Gateway can search incoming email messages for terms that appear within either
predefined or custom dictionaries, and then to add to the spam score for that message.
Option definitions — Spam terms
You can specify which dictionaries to use to modify the spam score for incoming messages.
Table 4-67 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
187
4
Overview of Email menu
Email Policies
Table 4-67 Option definitions — Policy exceptions (continued)
Option
Definition
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-68 Option definitions — Anti-Spam Terms
Option
Definition
Dictionaries Lists the dictionaries that are used to match terms within email messages and to modify
the spam scores for that message.
If you have configured your McAfee Email Gateway to scan for Graymail, the predefined
Graymail dictionary is automatically added to this list. If you have not configured Graymail
from the Setup Wizard, you can manually add this dictionary to the Dictionaries list.
Exclusions
Use a custom dictionary to define a list of terms that cause the email message containing
the terms defined within the configured Dictionaries to be whitelisted.
Score
The value used to modify the total spam score for the message.
For terms to be considered as spam, add a positive value in this field.
For terms to not be considered as spam, add a negative value.
Add Term
Opens a window to define further dictionaries that are used to modify spam scores.
Task — Create a dictionary of spam terms
Create a dictionary for terms that you find in spam messages that your users are receiving.
Task
1
Select Email | DLP and Dictionaries | Compliance Dictionaries.
2
At the bottom of the Dictionaries list, click Add Dictionary.
3
Enter a name for the dictionary; for example, Spam Terms.
Optionally, enter a description for this dictionary.
4
Define whether to use simple string matching or regular expressions for this dictionary.
5
Click OK.
An empty dictionary is created.
6
188
Use the Add OR condition, Add AND Condition, and Insert Term buttons to define the terms to be added to
the new dictionary and to configure the relationships between the terms.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
7
Click OK.
8
Apply the changes.
Task — Create a dictionary of spam term exclusions
Create a dictionary of terms that, when discovered in a message, are used to whitelist that message.
Task
1
Select Email | DLP and Dictionaries | Compliance Dictionaries.
2
At the bottom of the Dictionaries list, click Add Dictionary.
3
Enter a name for the dictionary; for example, Spam Term Exclusions.
Optionally, enter a description for this dictionary.
4
Define whether to use simple string matching, or regular expressions for this dictionary.
5
Click OK.
An empty dictionary is created.
6
Use the Add OR condition, Add AND Condition, and Insert Term buttons to define the exclusion terms to be
added to the new dictionary and to configure the relationships between the terms.
7
Click OK.
8
Apply the changes.
Task — Use the spam terms and spam term exclusions dictionaries to modify spam
scores
Use the dictionaries containing the spam terms and spam term exclusions to modify the spam scores
for the email messages.
Before you begin
Before attempting this task, ensure that you have created suitable dictionaries containing
spam terms and spam term exclusions.
Task
1
Select Email | Email Policies | Spam | Spam Terms.
2
Click Add Term.
3
Click Select a dictionary.
4
Search for the dictionaries containing the required spam terms (in the example, this was Spam
Terms).
5
Select the required dictionaries, then click OK.
6
If needed, in the Exclusions column, click No exclusions.
Exclusions are used to negate the impact of finding a spam term in a message if a further term, that
is included within the exclusions list, is also found.
7
Search for the dictionaries containing the required spam term exclusions .
8
Select the required dictionaries, then click OK.
9
In the Score field, enter the score to be added to the total spam score for each message.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
189
4
Overview of Email menu
Email Policies
10 Click OK.
11 Apply your changes.
Configuring Anti-Phish settings
Use this information to understand how to configure your Email gateway to protect your users from
Phishing emails.
Email | Email Policies | Spam | Phish
Contents
Benefits of Anti-Phish scanning
Option definitions — Anti-Phish
Benefits of Anti-Phish scanning
Learn about the benefits of enabling Anti-Phish scanning on your Email Gateway.
Phishing is the illegal activity of using spoofed email messages to persuade unsuspecting users to
disclose personal identity and financial information. Criminals can use the stolen identity to
fraudulently obtain goods and services and to steal directly from bank accounts.
Configuring the anti-phish settings within your appliance helps to protect your users and your
organization from the illegal phishing activities.
Option definitions — Anti-Phish
Use this page to specify how to handle phishing email.
Enable anti-phish scanning for "policy name"
Option
Definition
Enable anti-phish scanning
When selected, enables anti-phish scanning of email messages.
Table 4-69 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
190
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Policies
4
Reporting options
Option
Definition
Add a prefix to the subject
line of phishing messages
When selected, adds a prefix to help users to see phishing messages in their
email inbox quickly.
Specifies text for the prefix.
We recommend that you do not use characters from multi-byte (extended)
character sets here unless the re-encoding is UTF-8.
Default value is ****Possible Phish****.
Add a phish indicator header
to messages
When selected, adds an indicator in the email X-header, which enables other
software to process or analyze the message further.
Attach a phish report
When selected, attaches a report to the email message, which explains why
the email message was marked as phish.
Verbose reporting
When selected, provides a fuller report, providing descriptions of the names
of the rules that have triggered.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
191
4
Overview of Email menu
Email Policies
Actions
Option
Definition
If a phishing attempt Provides a main action to take against the phish message. The options available
is detected
are:
• Deny connection (Block)
• Replace the content with an alert (Modify)
• Refuse the data and return an error code
(Block)
• Route to an alternate relay (Reroute)
• Accept and then drop the data (Block)
• Allow Through (Monitor)
If the action to take against email is Route to an alternate relay, you can click a Manage the
list of relays link to a list of other devices that will handle the email instead.
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the Quarantine
database.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all
the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of
the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender, with
modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
192
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Option
Definition
• Deliver message using encryption — Attempt delivery of the message using your
configured encryption settings.
Notification and
annotated email
options
When clicked, opens another window where you can specify who the appliance will
notify when a threat is detected.
If an anti-phishing
action results in an
alert
Enables you to use the default anti-phish alert message, or to change the text to
create your own message.
You can also choose the following options:
• Do not attach the original message
• Attach the original message in RFC822 format
• Attach the original message in plain text format
Sender Authentication Settings — McAfee Global Threat Intelligence
message reputation
Use this page to specify the actions to take against known senders of spam.
The appliance uses McAfee Global Threat Intelligence message reputation to identify senders of spam
email messages.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
193
4
Overview of Email menu
Email Policies
Table 4-70 Option definitions — Higher Detection Threshold
Option
Definition
Enable McAfee GTI
Message Reputation at
the higher detection
threshold
The feature is enabled by default.
Detection threshold
Select an appropriate detection threshold for the higher detections. The available
options are:
• Highly suspect
• Suspect
• Custom
The default threshold is Highly Suspect.
When Custom is selected, you also need to enter the appropriate Threshold value.
If the sender fails the
check
Provides actions to take. For example:
• Allow Through (Monitor) — Lets the message pass to its intended recipients, but
information is retained within the logs and reports.
• Tarpit - Delays the response to the email message. By default, the delay is 5
seconds, and is configurable from the Default Sender Authentication Settings | Cumulative
score and other options tab.
• Add to score — Combines the results of several methods of sender authentication.
• Select the score to be added.
• Accept and Drop the data (Block) — Accepts the connection, but blocks the message
from being delivered, returning a 250 SMTP code to the sending MTA.
• Reject (Block) — Blocks the message from being delivered, and returns the
appropriate code to the sending MTA.
• Reject and close (Block) — Blocks the message from being delivered, returns
appropriate code to the sending MTA and the closes the connection.
• Reject, close and deny (Block) - Kernel Mode Blocking. This is an effective method of
combating spam, as it deals with the message itself (reject), the connection
(close) and adds the sending server to the deny list.
The default action is Reject, close and deny (Block)
194
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-71 Option definitions — Lower Detection Threshold
Option
Definition
Enable McAfee GTI
The feature is disabled by default.
Message Reputation at
the lower detection
threshold
Detection threshold
Select an appropriate detection threshold for the lower detections. The available
options are:
• Highly suspect
• Suspect
• Custom
The default threshold is Highly Suspect.
When Custom is selected, you also need to enter the appropriate Threshold value. This
value should be lower than the value set for the Higher Detection Threshold.
If the sender fails the
check
Provides actions to take. For example:
• Allow Through (Monitor) — Lets the message pass to its intended recipients, but
information is retained within the logs and reports.
• Tarpit - Delays the response to the email message. By default, the delay is 5
seconds, and is configurable from the Default Sender Authentication Settings | Cumulative
score and other options tab.
• Add to score — Combines the results of several methods of sender authentication.
• Select the score to be added.
• Accept and Drop the data (Block) — Accepts the connection, but blocks the message
from being delivered, returning a 250 SMTP code to the sending MTA.
• Reject (Block) — Blocks the message from being delivered, and returns the
appropriate code to the sending MTA.
• Reject and close (Block) — Blocks the message from being delivered, returns
appropriate code to the sending MTA and the closes the connection.
• Reject, close and deny (Block) - Kernel Mode Blocking. This is an effective method of
combating spam, as it deals with the message itself (reject), the connection
(close) and adds the sending server to the deny list.
The default action is Accept and drop (Block)
Sender Authentication Settings — RBL Configuration
Use this page to specify the locations of lists of IP addresses that are known to send spam.
By default the appliance is configured to use the McAfee Blackhole list, cidr.bl.mcafee.com.
You are able to add as many RBL servers as you require. The appliance will query each server in the
order they are shown in the user interface until a match is found, when it will take the specified
action. McAfee recommends that you place the RBL servers in the order that they are most likely to
trigger to reduce the number of lookups the appliance carries out for each incoming connection.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
195
4
Overview of Email menu
Email Policies
Table 4-72 Option definitions
Option
Definition
Enable RBL lookup The feature is enabled by default.
Domain name
Specifies locations of servers that maintain real-time blackhole lists.
If the sender fails
the check
Provides actions to take. For example:
• Allow Through (Monitor) — Lets the message pass to its intended recipients, but
information is retained within the logs and reports.
• Tarpit - Delays the response to the email message. By default, the delay is 5
seconds, and is configurable from the Default Sender Authentication Settings | Cumulative
score and other options tab.
• Add to score — Combines the results of several methods of sender authentication.
• Select the score to be added.
• Accept and Drop the data (Block) — Accepts the connection, but blocks the message from
being delivered, returning a 250 SMTP code to the sending MTA.
• Reject (Block) — Blocks the message from being delivered, and returns the
appropriate code to the sending MTA.
• Reject and close (Block) — Blocks the message from being delivered, returns
appropriate code to the sending MTA and the closes the connection.
• Reject, close and deny (Block) - Kernel Mode Blocking. This is an effective method of
combating spam, as it deals with the message itself (reject), the connection
(close) and adds the sending server to the deny list.
The default action is Reject, close and deny (Block)
Sender Authentication Settings — SPF, Sender ID and DKIM
Use this page to specify settings for techniques that determine whether the sender of an email
message is genuine.
These techniques reduce the workload for the appliance, because they reject suspicious email without
the need for scanning.
The appliance can take various actions according to whether the email passes or fails each check. You
can use each type of authentication separately or combine the techniques by using scoring (or
"weighting").
Table 4-73 Option definitions
Option
Definition
Enable SPF or Enable
sender ID
When selected, enables Sender Policy Framework (SPF) or Sender ID on the
appliance.
Add an SPF header to
email, Add a sender ID
header to email, Add a
verification result header
to emails or Add a
FCrDNS header to emails
After verifying an email message, the appliance attaches its own header to the
email message, which indicates to other mail servers in your organization that
the email message has been verified.
If selected, adds an extra header line to the email message.
The headers include:
• Received-SPF header
• Received-PRA header
• X-NAI_DKIM_Results header
196
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-73 Option definitions (continued)
Option
Definition
If the sender fails the
check
Provides actions to take. For example:
• Allow Through (Monitor) — Lets the message pass to its intended recipients, but
information is retained within the logs and reports.
• Tarpit - Delays the response to the email message. By default, the delay is 5
seconds, and is configurable from the Default Sender Authentication Settings |
Cumulative score and other options tab.
• Add to score — Combines the results of several methods of sender
authentication.
• Select the score to be added.
• Accept and Drop the data (Block) — Accepts the connection, but blocks the message
from being delivered, returning a 250 SMTP code to the sending MTA.
• Reject (Block) — Blocks the message from being delivered, and returns the
appropriate code to the sending MTA.
• Reject and close (Block) — Blocks the message from being delivered, returns
appropriate code to the sending MTA and the closes the connection.
• Reject, close and deny (Block) - Kernel Mode Blocking. This is an effective method
of combating spam, as it deals with the message itself (reject), the
connection (close) and adds the sending server to the deny list.
If the sender passes the
check
Provides actions to take. For example:
Allow through (Monitor) - lets the message move to the next stage.
Add to score - combines the results of several methods of sender authentication.
Enable DKIM verification
Select to enable DomainKeys Identified Mail (DKIM) verification of email
messages.
Enable FCrDNS
Select to enable Forward-Confirmed reverse DNS lookups to provide weak
verification of email messages.
Sender Authentication Settings — Cumulative Score and Other Options
Use this page to specify various options, including scoring techniques for authenticating senders.
If no method is entirely effective against untrusted senders, or some methods work better than others
in your network, you can associate scores to each method to refine the overall detection. To ensure
scoring works correctly, select Add to score as the action for every method that is in use.
Table 4-74 Option definitions
Option
Definition
Check the total added score, Score
threshold, If this threshold is reached
Uses scores from several methods of sender authentication to
determine the action to take against an email message when its
sender cannot be authenticated.
Delay period when tarpitting
Specifies a delay when acknowledging the sending of an email. The
default value of 5 seconds is often effective in deterring a
denial-of-service attack.
Parse the email headers for sender
address if behind an MTA and Number
of hops to the MTA
If the appliance is preceded by Mail Transfer Agents (MTAs), specify
the number of hops from the appliance to the MTA. The appliance
can then parse the email headers to find the original sender and
check against that IP address.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
197
4
Overview of Email menu
Email Policies
Task — Apply Sender Policy Framework checks to sub-policies
Configure McAfee® Email Gateway to apply Sender Policy Framework (SPF) checks to sub-policies.
If you create sub-policies that include Sender/Recipient Address, Sender Policy Framework (SPF) is by
default, triggered by the default policy rather than by the sub-policy.
This is because SPF checks are performed during the Mail From phase of the SMTP conversation. To
change this default behavior, you need to force the SPF checks to be carried out after the DATA phase
of the SMTP conversion starts.
Task
1
Navigate to Email | Email Policies | Spam | Sender Authentication | Cumulative Score and Other Options.
Cumulative Score and Other Options is available from the drop-down list on the Default Sender Authentication
Settings (SMTP) window tab bar.
2
Select Parse the email headers for sender address if behind an MTA.
3
Click OK.
4
Apply changes.
SPF checks are now carried out after the DATA phase of the SMTP conversation starts.
Compliance policy settings
Use the Compliance policies to manage file and mail size filtering, configure data loss prevention
settings, ensure message compliance through the use of compliance dictionaries, and detect possible
pornographic images using Image filtering or to specify settings for handling signed or encrypted
content.
Default File Filtering Settings (SMTP)
Use this page to specify actions against different types of file. This is known as file filtering.
Email | Email Policies | Compliance | File filtering
The default policy values are normally suitable, but you might need another policy to allow the
occasional transfer of large, deeply nested files, or to investigate possible attacks.
198
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Benefits of file filtering
Use this topic to gain a better understanding of file filtering.
When creating file filtering rules, you can detect files in many ways: You can configure the appliance
to restrict the use of certain file types:
•
By file name — For example, some graphic file formats such as bitmap (.BMP) use large amounts
of computer memory and can affect network speed when transferred. You might prefer that users
work with other more compact formats such as GIF, PNG or JPEG.
If your organization produces computer software, you might see executable (.exe) files moving
around the network. Within another organization, those files might be games or illegal copies of
software. Similarly, unless your organization regularly handles movie files (MPEG or MPG), they are
probably for entertainment only.
A file filtering rule that examines the file extension name can restrict the movement of these files.
Financial information might have file names like Year2008.xls or 2008Results. A file filter that
matches the text 2008 can detect the movement of these files.
•
By file format — For example, much of your organization's most valuable information — such as
designs and lists of customers — is in databases or other special files, so it is important to control
the movement of these files. The appliance examines files based on their true content.
Any file can be made to masquerade as another. A person with malicious intent might rename an
important database file called CUSTOMERS.MDB to NOTES.TXT and attempt to transfer that file,
believing that it cannot be detected. Fortunately, you can configure the appliance to examine each
file based on its content or file format, and not on its file name extension alone.
•
By file size — For example, although you might allow graphic files to moved around the network,
you can restrict their size to prevent the service running too slowly for other users.
When you create settings to control the use of any file, remember that some departments within your
organization might need fewer constraints. For example, a marketing department might need large
graphic files for advertising.
This feature is not available to the POP3 protocol.
Option definitions — Default File Filtering Settings (SMTP)
This information describes the options available on this page.
Table 4-75 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
199
4
Overview of Email menu
Email Policies
Table 4-75 Option definitions — Policy exceptions (continued)
Option
Definition
Edit exception properties
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Option
Definition
Order
Display the order in which the filters are applied. To change the order, click
icons in the Move column.
Rule Name
Displays the rule name.
If Triggered
Displays the action to take. Click the link to change the primary and
secondary actions associated with the rule.
Create new filtering rule
If clicked, opens a further window where you can specify the types of file you
want to detect.
Change the default alert text If clicked, opens a further window where you can change the alert message
that is issued after a detection.
Data Loss Prevention settings
Use this page to create a policy that assigns data loss prevention actions against the registered
document categories.
Email | Email Policies | Compliance | Data Loss Prevention
Benefits of using Data Loss Prevention (DLP)
You can choose to restrict the flow of sensitive information sent in email messages by SMTP through
the appliance using the Data Loss Prevention feature. For example, by blocking the transmission of a
sensitive document such as a financial report that is to be sent outside of your organization. Detection
occurs whether the original document is sent as an email attachment, or even as just a section of text
taken from the original document.
Configuring DLP takes place in two phases:
•
Registering the documents that you want to protect
•
Setting the DLP policy to action, and control the detection (this topic)
If an uploaded registered document contains embedded documents, their content is also fingerprinted
so the combined content is used when calculating the percentage match at scan time. To have
embedded documents treated individually, they must be registered separately.
Option definitions — Data Loss Prevention
Use this information to understand the controls available from within the Data Loss Prevention dialog
box.
Table 4-76 Option definitions — Policy exceptions
200
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-76 Option definitions — Policy exceptions (continued)
Option
Definition
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Option
Definition
Yes, No, or Use the
same settings as the
default policy
Select to activate the Data Loss Prevention policy settings
Document match
percentage
The percentage of the original registered document which must be seen in order
to trigger DLP. For example, if you register two documents; one with 100 pages
of content, and another with 10 pages, a setting of 30% would require 30 pages
to match the document with 100 pages, and just 3 pages to match the document
of 10 pages.
The algorithm involved in DLP is sophisticated and involves text normalization,
common word removal, and signature generation. These figures offer a guideline
only.
Number of consecutive Set the number of sequential signatures which will cause a trigger. For example,
signatures (advanced): if you register two documents; one with 100 pages of content, and another with
10 pages, use this feature to detect a small section of the original content,
irrespective of its original size.
The algorithm involved in DLP is sophisticated and involves text normalization,
common word removal, and signature generation. An approximate guide is that 1
signature represents 8 words of text after common words have been removed.
Rules
Select the box to show or hide the list of existing DLP rules.
Create new rule
This list is empty until you set up categories for registered documents. Click the
link to create a new data loss prevention rule based on the categories that you
set in Registered Documents.
This opens a dialog box to allow you to select one or more DLP categories.
Exclusions
Select the box to show or hide the list of existing document exclusions.
Create document
exclusion
This list is empty until you register documents. Click the link to specify registered
documents to exclude from this policy.
This opens a dialog box to allow you to select one or more documents to be
excluded from the rule.
If a Data Loss
Prevention action
results in an alert
When selected, issues the default alert upon detection. When deselected, allows
you to click the link, then change the text of the alert.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
201
4
Overview of Email menu
Email Policies
Task — Prevent a sensitive document from being leaked
Use this task to block sensitive financial documents from being sent outside your organization.
Before you begin
This example assumes that you have already created a Finance category.
Task
1
Select Email | Email Policies | Compliance | Data Loss Prevention.
2
In the Default Data Loss Prevention Settings dialog box, click Yes to enable the policy.
3
Click Create new rule, select the Finance category, and click OK to have the category appear in the Rules
list.
4
Select the action associated with the category, change the primary action to Deny connection (Block),
and click OK.
5
Click OK again, and apply the changes.
Task — Block a section of the document
Use this task to block just a small section of the document from being sent outside your organization.
Task
1
Select Email | Email Policies | Compliance | Data Loss Prevention.
2
In the Default Data Loss Prevention Settings dialog box, click Yes to enable the policy.
3
Enable the consecutive signatures setting, and type the number of consecutive signatures against
which the DLP policy will trigger a detection. The level is set to 10 by default.
4
Click Create new rule, select the Finance category, and click OK to have the category appear in the
Rules list.
5
Select the action associated with the category, change the primary action to Deny connection (Block),
and click OK.
6
Click OK again, and apply the changes.
Task — Exclude a specific document for a policy
Use this task to prevent a specific financial document from triggering the DLP policy settings.
Task
1
Select Email | Email Policies | Compliance | Data Loss Prevention.
2
In the Default Data Loss Prevention Settings dialog box, click Yes to enable the policy.
3
Click Create document exclusion, select the document you want to ignore for this policy, and click OK.
4
Click OK again, and apply the changes.
Mail Size Filtering Settings
Use the Mail Size Filtering Settings to specify maximum message size, attachment size, and number of
attachments that can be scanned in any one message.
Email | Email Policies | Compliance | Mail size filtering
202
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Policies
4
Benefits of filtering messages based on their size or attachments
Scanning messages based on their size or attachments can help to alert you to potential
denial-of-service attacks entering your email gateway.
This policy contains the following options:
•
Message Size
•
Attachment Size
•
Attachment Count
•
Options
The default policy values are normally suitable, but you might need another policy to allow the
occasional transfer of large numbers of large email messages, or the occasional transfer of large
attachments within email messages, or the number of attachments within email messages, or to
investigate possible attacks.
Changing these settings can affect scanning performance. If you are not sure about the impact of
making any changes, ask your network expert.
Option definitions — Mail Size Filtering Settings | Message Size
Use this page to specify how to handle large email messages.
Table 4-77 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
203
4
Overview of Email menu
Email Policies
Option
Definition
If the message size
exceeds
Specifies the limit. The default values are:
Message size - 100000KB (100MB).
Use the message size only as a guide. When encoded, a message can become up to
33% larger. To use the actual size of the message, select Decode email parts for the
purposes of size calculation from the Options tab.
(Menu)
Provides a main action to take. The available options are:
• Deny connection (Block)
• Replace the content with an alert (Modify)
• Refuse the data and return an error code
(Block)
• Allow Through (Monitor)
• Accept and then drop the data (Block)
204
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Option
Definition
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all the
recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of
the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing email
list.
• Deliver the modified email to the sender — Deliver the email message to the sender, with
modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include any
custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
• Deliver message using encryption — Attempt delivery of the message using your
configured encryption settings.
Notification and
annotated email
options
Follow the link to configure the options for notification messages and annotated
email messages.
If attachments are
replaced with an
alert
Select to use the default alert.
Click change the default alert text to view or change this alert message.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
205
4
Overview of Email menu
Email Policies
Option definitions — Mail Size Filtering Settings | Attachment Size
Use this page to specify how to handle large attachments within email messages.
Table 4-78 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-79 Option definitions — Specify a maximum attachment size
Option
Definition
If an attachment size
exceeds
Attachment size - 32000KB (32MB).
Specifies the limit. The default values are:
Use the attachment size only as a guide. When encoded as an attachment, a file
can become up to 33% larger. To use the actual size of the attachments, select
Decode email parts for the purposes of size calculation from the Options tab.
(Menu)
Provides a main action to take. The available options are:
• Deny connection (Block)
• Replace the content with an alert (Modify)
• Refuse the data and return an error code
(Block)
• Allow Through (Monitor)
• Accept and then drop the data (Block)
206
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-79 Option definitions — Specify a maximum attachment size (continued)
Option
Definition
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all
the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of
the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
• Deliver message using encryption — Attempt delivery of the message using your
configured encryption settings.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
207
4
Overview of Email menu
Email Policies
Table 4-79 Option definitions — Specify a maximum attachment size (continued)
Option
Definition
Notification and
annotated email
options
Follow the link to configure the options for notification messages and annotated
email messages.
If attachments are
replaced with an alert
Select to use the default alert.
Click change the default alert text to view or change this alert message.
Table 4-80 Option definitions — Specify the maximum size of all attachments
Option
Definition
If the size of all
attachments exceeds
Specifies the limit for the combined size of all attachments. The default values
are:
Size of all attachments - 64000KB (64MB).
Use the attachment size only as a guide. When encoded as an attachment, a file
can become up to 33% larger. To use the actual size of the attachments, select
Decode email parts for the purposes of size calculation from the Options tab.
(Menu)
Provides a main action to take. The available options are:
• Deny connection (Block)
• Refuse the data and return an error code (Block)
• Accept and then drop the data (Block)
• Replace all attachments with a single alert (Modify)
• Remove all attachments (Modify)
• Allow Through (Monitor)
208
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-80 Option definitions — Specify the maximum size of all attachments (continued)
Option
Definition
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all
the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of
the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
• Deliver message using encryption — Attempt delivery of the message using your
configured encryption settings.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
209
4
Overview of Email menu
Email Policies
Table 4-80 Option definitions — Specify the maximum size of all attachments (continued)
Option
Definition
Notification and
annotated email
options
Follow the link to configure the options for notification messages and annotated
email messages.
If attachments are
replaced with an alert
Select to use the default alert.
Click change the default alert text to view or change this alert message.
Option definitions — Mail Size Filtering Settings | Attachment Count
Use this page to specify how to handle large numbers of attachments within email messages.
Table 4-81 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Option
Definition
If the attachment
count exceeds
Specifies the limit. The default values are:
(Menu)
Provides a main action to take. The available options are:
Attachment count - 500.
• Deny connection (Block)
• Refuse the data and return an error code (Block)
• Accept and then drop the data (Block)
• Replace all attachments with a single alert (Modify)
• Remove all attachments (Modify)
• Allow Through (Monitor)
210
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Option
Definition
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all
the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of
the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender, with
modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
• Deliver message using encryption — Attempt delivery of the message using your
configured encryption settings.
Notification and
annotated email
options
Follow the link to configure the options for notification messages and annotated
email messages.
If attachments are
replaced with an
alert
Select to use the default alert.
Click change the default alert text to view or change this alert message.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
211
4
Overview of Email menu
Email Policies
Option definitions — Mail Size Filtering Settings | Options
Specify options relating to Mail Size Filtering.
Table 4-82 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-83 Option definitions — Options
Option
Definition
Decode email parts for the purposes of size
calculation
When selected, McAfee Email Gateway decodes the
attachments and other parts within email messages so that
their actual size can be calculated.
Compliance Settings
Use this page to create and manage compliance rules.
Email | Email Policies | Compliance | Compliance
Benefits of the compliance settings
Use compliance scanning to assist with conformance to regulatory compliance and corporate operating
compliance. You can choose from a library of predefined compliance rules, or create your own rules
and dictionaries specific to your organization.
Compliance rules can vary in complexity from a straightforward trigger when an individual term within
a dictionary is detected, to building on and combining score-based dictionaries which will only trigger
when a certain threshold is reached. Using the advanced features of compliance rules, dictionaries can
be combined using logical operations of any of, all of, or except.
Option definitions — Default Compliance Settings (SMTP)
This information describes the options available on this page.
Table 4-84 Option definitions — Policy exceptions
212
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-84 Option definitions — Policy exceptions (continued)
Option
Definition
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Option
Definition
Enable compliance
Select to activate the Compliance policy settings.
Rules
Lists the configured compliance rules.
Create new rule
Click to open a wizard that creates a new compliance rule.
Create new rule from template
Click to open a wizard that lists the predefined compliance rules.
If a compliance action results in an alert When selected, issues the default alert upon detection. When
deselected, allows you to click the link, then change the text of the
alert.
Task — Block messages that violate a policy
Use this to task to block messages that violate a threatening language policy.
Task
1
Select Email | Email Policies | Compliance.
2
In the Default Compliance Settings dialog box, click Yes to enable the policy.
3
Click Create new rule from template to open the Rule Creation Wizard.
4
Select the Acceptable Use - Threatening Language policy, and click Next.
5
Optionally change the name of the rule, and click Next.
6
Change the primary action to Deny connection (Block), and click Finish.
7
Click OK and apply the changes.
Task — Create a simple custom rule
Use this task to create a simple custom rule that blocks messages that contain social security
numbers.
Task
1
Select Email | Email Policies | Compliance.
2
In the Default Compliance Settings dialog box, click Yes to enable the policy.
3
Click Create new rule to open the Rule Creation Wizard.
4
Type a name for the rule, and click Next.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
213
4
Overview of Email menu
Email Policies
5
In the Search field, type social.
6
Select the Social Security Number dictionary, and click Next twice.
7
Select the Deny connection (Block) action, and click Finish.
Task — Create a complex custom rule
Use this task to create a complex rule that triggers when both Dictionary A and Dictionary B are
detected, except when Dictionary C is also detected.
Task
1
Select Email | Email Policies | Scanning Policies and select Compliance.
2
In the Default Compliance Settings dialog box, click Yes to enable the policy.
3
Click Create new rule to open the Rule Creation Wizard.
4
Type a name for the rule, and click Next.
5
Select two dictionaries to include in the rule, and click Next.
6
Select a dictionary that you want to exclude from the rule in the exclusion list.
7
Select the action that you want to take place if the rule triggers.
8
From the And conditionally drop-down list, select All, and click Finish.
Task — Add a dictionary to a rule
Use this task to add a new dictionary to an existing rule.
Task
1
Select Email | Email Policies | Compliance.
2
Expand the rule that you want to edit.
3
Select Add dictionaries.
4
Select the new dictionary that you want to include, and click OK.
Task — Create a rule to monitor or block at a threshold
For score-based dictionaries you might want to monitor triggers that reach a low threshold, and only
block the email when a high threshold is achieved.
Task
214
1
Select Email | Email Policies | Compliance.
2
Click Create new rule, type a name for it such as Discontent - Low, and click Next.
3
Select the Discontent dictionary, and in Threshold, type 20.
4
Click Next, and Next again.
5
In If the compliance rule is triggered, accept the default action.
6
Click Finish.
7
Repeat steps 2 through 4 to create another new rule but name it Discontent - High and assign it
a threshold of 40.
8
In If the compliance rule is triggered, select Deny connection (Block).
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
9
Click Finish.
10 Click OK and apply the changes.
Task — Edit the threshold associated with an existing rule
Use this task to edit the threshold associated with an existing rule.
Before you begin
This task assumes that your rule includes a dictionary which triggers the action based on a
threshold, such as the Compensation and Benefits dictionary.
Task
1
Select Email | Email Policies | Compliance.
2
Expand the rule that you want to edit, then select the Edit icon next to the dictionary whose score
you want to change.
3
In dictionary threshold, type the score on which you want the rule to trigger, and click OK.
Task — Restrict the score contribution of a dictionary term
Use this task to restrict the score contribution of a dictionary term.
Before you begin
This task assumes that your rule includes a dictionary which triggers the action based on a
threshold score, such as the Compensation and Benefits dictionary.
You can restrict how many times a term can contribute to the overall score.
For example, if ’testterm’ within a dictionary has a score of 10 and is seen five times within an email,
it will add 50 to the overall score. Alternatively you can restrict this, for example to contribute only
twice by setting ‘Maximum term count’ to 2.
Task
1
Select Email | Email Policies | Compliance.
2
Expand the rule that you want to edit, then click the Edit icon next to the dictionary whose score
you want to change.
3
In Maximum term count, type the maximum number of times that you want a term to contribute to the
score.
Image Filtering
The Image Filtering scanner analyzes images to determine attributes that indicate the image may be of a
pornographic nature.
Email | Email Policies | Compliance | Image filtering
The Image Filtering feature uses sophisticated, analytical processes that consist of thousands of
algorithms. These include eleven different detection methods to provide enough information to reliably
distinguish between pornographic and non-pornographic images.
The feature use the following techniques:
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
215
4
Overview of Email menu
Email Policies
•
Converts Image to BGR format
•
Multi-layer detection algorithms
•
Advance surface luminosity curvature analysis
•
Negative Curvature Rejection reduces false positives
•
Face detection and body part composition analysis
Benefits of image filtering
This information describes the benefits associated with setting up image filtering on the appliance.
Detecting potential pornographic material enables you, as an administrator, to enforce acceptable use
policies around image content leaving and entering your company, and be able to monitor and block
any deliberate or inadvertent infractions of your policy.
Option definitions — Image Filtering
This information describes the options available in the Image Filtering policy.
Table 4-85 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-86 Option definitions — Higher Image Detection Threshold
Option
Detection threshold
Definition
Choose from Highly Suspect, Suspect, and Custom. Set to Highly Suspect by default.
Select Custom to set the Confidence level.
Confidence level
In %, the level of confidence that an image is pornographic against each detection.
Set to 75% by default.
Take the following
action
Provides a main action to take. The options are:
• Deny connection (Block)
• Replace the content with an alert (Modify)
• Refuse the data and return an error code
(Block)
• Allow Through (Monitor)
• Accept and then drop the data (Block)
216
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-86 Option definitions — Higher Image Detection Threshold (continued)
Option
Definition
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all
the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of
the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
• Deliver message using encryption — Attempt delivery of the message using your
configured encryption settings.
Notification and
annotated email
options
When clicked, opens another window where you can specify who the appliance will
notify when a threat is detected.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
217
4
Overview of Email menu
Email Policies
Table 4-87 Option definitions — Lower Image Detection Threshold
Option
Detection threshold
Definition
Choose from Highly Suspect, Suspect, and Custom. Set to Suspect by default.
Select Custom to set the Confidence level %.
Confidence level
In %, the level of confidence that an image is pornographic against each detection.
Set to 50% by default.
Take the following
action
Provides a main action to take. The options are:
• Deny connection (Block)
• Replace the content with an alert (Modify)
• Refuse the data and return an error code
(Block)
• Allow Through (Monitor)
• Accept and then drop the data (Block)
218
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-87 Option definitions — Lower Image Detection Threshold (continued)
Option
Definition
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all
the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of
the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.
Other actions
• Deliver message using encryption — Attempt delivery of the message using your
configured encryption settings.
Notification and
annotated email
options
When clicked, opens another window where you can specify who the appliance will
notify when a threat is detected.
Table 4-88 Option definitions — Alert Settings
Option
Definition
If an action results in an alert
Select to specify whether to use the default alert text or not.
Change the default alert text
Click to open the Alert Editor.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
219
4
Overview of Email menu
Email Policies
Task — Block and quarantine highly suspicious images
Use this task to block and quarantine highly suspicious images.
Task
1
Go to Email | Email Policies.
2
In the Compliance policy section, select Image Filtering.
3
Click Yes to enable the Image Filtering policy.
4
In the Higher Image Detection Threshold section, select the Accept and then drop the data (Block) action.
5
In And also, select Quarantine.
Quarantined messages can be viewed in the Message Search feature (Reports | Message Search), in the Image
Filtering category.
Task — Monitor suspicious images and notify an administrator
Use this task to monitor suspicious images and notify an administrator.
Task
1
Go to Email | Email Policies.
2
In the Compliance policy section, select Image Filtering.
3
Click Yes to enable the Image Filtering policy.
4
In the Lower Image Detection threshold section, select the Allow Through (Monitor) action.
5
In And also, select the Forward modified to... notification email option.
The message is sent to any email lists you have created.
a
To change the email recipients who will receive the forwarded message, click Edit.
The Email Recipients dialog box opens.
b
6
Select the lists that you want to receive the message and click OK.
Click OK to activate the policy.
Signed or encrypted content
Specify how you want McAfee Email Gateway to handle content that is either signed or encrypted, or
signed and encrypted, or in plain text.
Email | Email Policies | Compliance | Signed or encrypted content
Benefits of the Encrypted Content Settings options
Find out more about the type of signed or encrypted content settings, and actions that you can take
when that type of content is detected.
The Encrypted Content Settings options are divided into the following categories:
220
•
Signed Content
•
Encrypted Content
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
•
Signed and Encrypted Content
•
Plaintext Content
For each category, you can choose a primary action to take when that type of content is detected, and
optionally choose a secondary action. Additionally, you can set notification and alert actions too.
Option definitions — Signed or encrypted content
Define how you want the encryption settings to work when signed or encrypted content is detected.
Table 4-89 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
221
4
Overview of Email menu
Email Policies
Table 4-90 Option definitions — Signed Content
Option
Definition
When content that is Select the primary action that you want the appliance to take in this circumstance.
signed but not
The available options are:
encrypted is
• Deny connection (Block)
detected
• Refuse the data and return an error code (Block)
• Accept and then drop the data (Block)
• Allow the changes to break the signed email (Monitor)
• Do not allow the changes to break the signed email (Monitor)
• Replace the content with an alert (Modify)
• Reroute to an alternative relay (Reroute)
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all
the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of
the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.
Other actions
222
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-90 Option definitions — Signed Content (continued)
Option
Definition
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
• Deliver message using encryption — Attempt delivery of the message using your
configured encryption settings.
Notification and
annotated email
options
Follow the link to configure the options for notification messages and annotated
email messages.
Alert Settings
Select to use the default alert, or follow the link to make changes to the alert text.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
223
4
Overview of Email menu
Email Policies
Table 4-91 Option definitions — Encrypted Content link
Option
Definition
When content that is
encrypted but not
signed is detected
Select the primary action that you want the appliance to take in this circumstance.
The available options are:
• Deny connection (Block)
• Refuse the data and return an error code (Block)
• Accept and then drop the data (Block)
• Replace the content with an alert (Modify)
• Reroute to an alternative relay (Reroute)
• Allow Through (Monitor)
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all
the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of
the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
224
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Policies
4
Table 4-91 Option definitions — Encrypted Content link (continued)
Option
Definition
• Modify headers — McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
• Deliver message using encryption — Attempt delivery of the message using your
configured encryption settings.
Notification and
annotated email
options
Follow the link to configure the options for notification messages and annotated
email messages.
Alert Settings
Select to use the default alert, or follow the link to make changes to the alert text.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
225
4
Overview of Email menu
Email Policies
Table 4-92 Option definitions — Signed and Encrypted Content
Option
Definition
When content that is Select the primary action that you want the appliance to take in this circumstance.
both signed and
The available options are:
encrypted is detected
• Deny connection (Block)
• Refuse the data and return an error code (Block)
• Accept and then drop the data (Block)
• Allow the changes to break the signed email (Monitor)
• Do not allow the changes to break the signed email (Monitor)
• Replace the content with an alert (Modify)
• Reroute to an alternative relay (Reroute)
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all
the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of
the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.
Other actions
226
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Policies
4
Table 4-92 Option definitions — Signed and Encrypted Content (continued)
Option
Definition
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
• Deliver message using encryption — Attempt delivery of the message using your
configured encryption settings.
Notification and
annotated email
options
Follow the link to configure the options for notification messages and annotated
email messages.
Alert Settings
Select to use the default alert, or follow the link to make changes to the alert text.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
227
4
Overview of Email menu
Email Policies
Table 4-93 Option definitions — Plaintext Content
Option
Definition
When content that is
neither signed nor
encrypted is detected
Select the primary action that you want the appliance to take in this circumstance.
The available options are:
And also
• Deny connection (Block)
• Replace the content with an alert (Modify)
• Refuse the data and return an error code
(Block)
• Reroute to an alternative relay (Reroute)
• Accept and then drop the data (Block)
• Allow Through (Monitor)
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all
the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of
the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
228
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-93 Option definitions — Plaintext Content (continued)
Option
Definition
• Modify headers — McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
• Deliver message using encryption — Attempt delivery of the message using your
configured encryption settings.
Notification and
annotated email
options
Follow the link to configure the options for notification messages and annotated
email messages.
Alert Settings
Select to use the default alert, or follow the link to make changes to the alert text.
Classifying embedded URLs
McAfee® Global Threat Intelligence™(McAfee GTI) performs lookups on URLs that are embedded in
email messages.
Email | Email Policies | Compliance | URL Reputation
McAfee GTI provides reputation scores to the URL reputation database. Use the reputation scores to
configure actions for suspected security risks. The URL blacklists and whitelists have an impact on the
URL reputation scans.
The URL reputation score has no appreciable effect on the overall score for the message.
Benefits of classifying embedded URLs
Classifying any embedded URLs within email messages sent into your organization helps prevent your
users visiting internet sites that may host malware or other undesirable content.
Email messages can contain links to embedded URLs. Some of these links may be to sites with low
reputation scores. By using your McAfee Email Gateway to classify these URLs, you help protect your
organization from the effects of people following these links.
You can enable URL reputation scanning when you run the Setup Wizard, or you can do it after initial
setup. The URL database is not available until you enable URL reputation scans.
URL scanning appears as a component of the Compliance features on the Email Policies page. The
database appears under System | Component Management | Update Status.
Option definitions - Default URL properties settings
Configure the properties settings to determine how McAfee Email Gateway processes URL reputation
scans.
Table 4-94
URL reputation options
Option
Definition
Enable URL reputation
Select the proper radio button to enable or disable URL scanning.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
229
4
Overview of Email menu
Email Policies
Table 4-95 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-96
URL reputation options
Option
Definition
Higher URL reputation threshold
Detection threshold
Select threshold level. Options are:
• Highly suspect
• Suspect
• Custom
Confidence level
This field is pre-populated with the proper score to trigger the
higher threshold.
Take the following action
Select the preferred action from the drop down list.
And also
If necessary, select one or more secondary actions from the scrolling
menu.
Notification and annotated email options Click this link to configure default notifications and alerts.
Lower URL reputation threshold
Detection threshold
Select threshold level. Options are:
• Highly suspect
• Suspect
• Custom
Confidence level
This field is pre-populated with the proper score to trigger the lower
threshold.
Take the following action
Select the preferred action from the drop down list.
And also
If necessary, select one or more secondary actions from the scrolling
menu.
Notification and annotated email options Click this link to configure default notifications and alerts.
Alert settings
230
If an action results in an alert
Select the checkbox to generate the default alert.
(change the default alert text)
Click this link to change the text in the default alert.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Policies
4
Task - Configure URL reputation settings
Use this page to set up parameters for detecting embedded URLs and taking action on them.
Before you begin
To detect embedded URLs in messages, enable URL reputation scanning.
Task
1
Navigate to Email | Email Policies.
The Email Policies page opens, showing all currently configured policies and the evaluation order.
2
Select your protocol from the drop down list.
3
Under the Compliance column, select the URL reputations link.
The Default URL Reputation Settings page opens.
4
If URL reputation scanning is not already enabled, click the Yes radio button.
5
Select the URL Reputation tab.
6
Configure the Higher URL Threshold.
7
a
Select the threshold designation from the drop down list.
b
Verify the confidence level.
c
Select the primary action for URLs that trigger the higher threshold.
d
Select any secondary actions, if required.
e
Set notification and alert options associated with the higher threshold.
Configure the Lower URL Threshold.
a
Select the threshold designation from the drop down list.
b
Verify the confidence level.
c
Select the primary action for URLs that trigger the lower threshold.
d
Select any secondary actions, if required.
e
Set notification and alert options associated with the lower threshold.
8
[Optional] Enable Alert Settings.
9
Click OK.
The Default URL Reputation Settings page closes, and the URL reputations link shows the primary action.
URL reputation — Blacklists and Whitelists
Configuring blacklists and whitelists for URL classification enables you to fine-tune how McAfee Email
Gateway handles different URLs.
Email | Email Policies | Compliance | URL Reputation | Blacklists and Whitelists
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
231
4
Overview of Email menu
Email Policies
Benefits of using URL reputation blacklists and whitelists
The blacklists and whitelists feature provides a method for handling specific URLs. Whitelisting allows
through URLs that would otherwise be blocked by the URL reputation service. Blacklisting blocks URLs
regardless of their reputation scores.
If you know that a particular URL is not trustworthy, add it to the blacklist. When a URL reputation
scan detects this URL, it will take your specified action immediately. On the other hand, if you know
specific URLs that are always trusted, add them to the whitelist. The URL scan will not take action. In
both cases, URL scans execute more efficiently.
Blacklisting takes precedence over whitelisting.
Parts of the URL
A URL consists of a number of characteristic parts.
The following table reflects these sample URLs:
•
http://user:1234@www.mydomain.com:10443/index.php?id=5678#para1
•
ftp://user:1234@ftp.domain.com:2021/docs/data.rtf;type=a
Table 4-97 URL format
Part
Format
Example
Parsing string
Scheme
Protocol
http://
Ends at '*://'
ftp://
Credentials
User name and password
user:1234
Starts after '*://'
Ends at "@"
Host
Consists of one of the
following:
www.mydomain.com:
10443
Starts after '*://', '@' or
nothing
• Domain name
ftp.domain.com:2021
Ends at '/', '?', '#' or
end of string
index.php
Starts after '*/'
docs/data,rtf
Ends at '?' or '#' or end
of string
type=a
Starts after path, begins
with ';'
• IPv4 address
• IPv6 address
Square brackets are
required.
Can also include TCP port
Path
Type (only for
FTP URLs)
Transfer type (added to
path)
Ends at end of string
232
Query (not valid
for FTP URLs)
id=5678
Anchor (not valid Specifies a location within
for FTP URLs)
the document
para1
McAfee® Email Gateway 7.6.0 Appliances
Starts after '?'
Ends at '#' or end of
string
Starts after '#'
Ends at end of string
Administrators Guide
4
Overview of Email menu
Email Policies
Using expressions
Global Threat Intelligence tests URLs found in emails against regular expressions to determine if the
URL is allowed or forbidden to enter the system.
Email Gateway permits the user to specify patterns for the individual parts of the URL and then
compile these parts into a regular expression that will match a complete URL. If the user does not
enter a value for a part, the compiled expression matches anything or nothing for that part.
You must enter a value for the Host part. A recognizable URL must have, at a minimum, a host name.
You can specify parts as either simple DOS patterns or as regular expressions.
Simple patterns
Simple patterns allow you to enter much less information than regular expressions, but offer much
less flexibility. You can use simple wildcards:
•
'?' — match single character
•
'*' — match any characters
Certain matches are not possible with simple patterns. For example:
•
In the Host field, '*' does not match '.' by design. This prevents possible unwanted matches.
•
The pattern 'www.mcafee.*' matches www.mcafee.com and www.mcafee.fr, but not
www.mcafee.co.uk.
•
You cannot match alternates, such as port 8080 or 8443.
•
You cannot match just IPv4 addresses.
Matching patterns like these requires regular expressions.
Regular expressions
The ability to specify the URL parts of interest as regular expressions overcomes any restrictions of
simple patterns:
•
www\.mcafee\.(?:com|co\.uk)
•
8080|8443
•
(?:[12]?\d{1,2}\.){3}[12]?\d{1,2}
On the URL Expression Builder, each text field is a separate regular expression that follows Perl-compatible
regular expression (PCRE) syntax, and is validated as a regular expression. Regular expressions offer
greater flexibility, but they are more complex than simple patterns. You are allowed to enter nothing
for all fields, resulting in a generated regex that matches anything that sufficiently resembles a URL.
•
You must remember to escape characters that have significant meaning in a regular expression.
These characters are: \.-[]{}()^$|+?*
•
You must not use positional matches, otherwise known as anchors, in regular repressions.
Examples of anchors are: '^', '$', '\A' and '\z'.
Anyone who wants to use regular expressions in this feature should already be comfortable with regular
expressions, due to their complexity.
If you want to specify a regular expression that matches any number or character, avoid using '.* and
'.+' as the expression. Either of these choices is likely to match more characters than you desire and
will result in less efficient pattern matching. Use one of these combinations to 'match any character'
based on the part you want to specify:
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
233
4
Overview of Email menu
Email Policies
•
•
Credentials — '[^@]' (match anything apart from '@' )
•
Host — '[^:/\?#]' (match anything apart from ':', '/', '?' and '#')
•
Path — '[^\?#]' (match anything apart from '?' and '#' )
•
Query string — '[^#]' (match anything apart from '#' )
When you use these patterns, the matches stop at the next part of the URL.
The best approach when constructing regular expressions is to use the URL parser tool which is
regex-aware and will do the necessary escaping for you.
Option definitions — URL reputation blacklists and whitelists
Blacklists and whitelists enable you to fine-tune the list of URLs that are blocked or allowed by McAfee
Email Gateway.
Table 4-98 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
When you have two or more policy exceptions, you can change the
Move
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Edit exception properties
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-99
Blacklist and whitelist options
Option
Definition
URLs that should always be
blocked
The upper table shows all URLs currently configured to be blacklisted.
Search
Type any portions of the URL as search parameters. Applies to the Description
and Pattern columns.
Type
Simple pattern or regular expression
Description
Any descriptive text that identifies the URL.
Pattern
The entire regular expression (all fields concatenated).
Simple patterns show '*' for any unspecified parts. Regular expressions show
the entire pattern.
234
Match Case
Indicates whether the regular expression should evaluate the URL on a
case-sensitive basis.
Edit
Clicking this link opens the URL Expression Builder where you can edit this URL .
Add Simple Pattern
Click this button to open the URL Expression Builder to add a URL by entering a
simple DOS pattern.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-99
Blacklist and whitelist options (continued)
Option
Definition
Add Regular Expression
Click this button to open the URL Expression Builder to add a URL by entering a
regular expression.
Delete Selected Patterns
Click this button to delete any patterns you have checked in this table.
URLs that should always be
allowed
The lower table shows all URLs currently configured to be whitelisted.
Search
Type any portions of the URL as search parameters. Applies to the Description
and Pattern columns.
Type
Simple pattern or regular expression
Description
Any descriptive text that identifies the URL.
Pattern
The entire regular expression (all fields concatenated).
Simple patterns show '*' for any unspecified parts. Regular expressions show
the entire pattern.
Match Case
Indicates whether the regular expression should evaluate the URL on a
case-sensitive basis.
Edit
Clicking this link opens the URL Expression Builder where you can edit this URL .
Add Simple Pattern
Click this button to open the URL Expression Builder to add a URL by entering a
simple DOS pattern.
Add Regular Expression
Click this button to open the URL Expression Builder to add a URL by entering a
regular expression.
Delete Selected Patterns
Click this button to delete any patterns you have checked in this table.
Task - Configure blacklists and whitelists
Follow this process to configure blacklist and whitelists for embedded URLs.
Before you begin
To use URL blacklisting and whitelisting, enable McAfee Global Threat Intelligence.
Task
1
Navigate to Email | Email Policies.
The Email Policies page opens, showing all currently configured policies and the evaluation order.
2
Select your protocol from the drop down list.
3
Under the Compliance column, select the URL reputations link.
The Default URL Reputation Settings page opens.
4
If URL reputation scanning is not already enabled, click the Yes radio button.
5
Select the Blacklists and Whitelists tab.
The page displays tables of URLs that should always be blocked, or always be allowed.
6
To add a URL to either list:
a
Click the Add Simple Pattern button or the Add Regular Expression button.
The URL Expression Builder page appears.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
235
4
Overview of Email menu
Email Policies
b
In the data fields, type the required information.
c
Repeat until you have added all desired URLs.
7
To delete a URL from either list, select the Delete check box associated with the URL.
8
[Optional] To parse a URL into its component parts:
a
Click the Parse a URL link on the URL Expression Builder page.
The URL Parser dialog box opens.
b
Type or paste the URL into the data field, then click OK.
The URL Parser closes, and the component parts of the URL populate the URL Expression Builder.
9
[Optional] To encode or decode a URL:
a
Click the URL encode/decode link on the URL Expression Builder page.
The URL Encode/Decode dialog box opens.
b
Type or paste a URL fragment into the data field.
Encode only individual path segments and individual terms. Do not encode the entire path or
multiple segments at the same time.
c
To encode the fragment to its canonical representation (%-encoded sequence), click the Encode
button.
The encoded fragment appears in the data field.
d
To decode a %-encoded fragment into readable form, click the Decode button.
The decoded fragment appears in the data field.
e
To convert an improperly or partially encoded sequence into its canonical representation, click
the Canonicalize button.
The canonical representation of the sequence appears in the data field.
f
Close the dialog box.
You return to the URL Expression Builder.
10 Click OK.
The URL Expression Builder closes, returning you to Default URL Reputation Settings page which shows the
results of your additions, edits, or deletions.
11 Save your changes before you log off.
12 Click OK.
Option definitions - URL Expression Builder
Use this page to add a URL by entering either a simple DOS pattern or a regular expression. Specify
only the parts you want to match.
Table 4-100
236
URL expression options
Option
Description
Description
Text that helps to define or identify the URL (optional)
Scheme
Protocol
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-100
URL expression options (continued)
Option
Description
Credentials
User name and password
Host
Consists of one of the following:
• Domain name
• IPv4 address
• IPv6 address
Square brackets are required.
TCP port
Port
Path
Query string
Supplies parameters to the server. Not relevant for FTP URLs.
Named anchor
Specifies a location within the document. Not relevant for FTP URLs.
Match the credentials, path, query Selecting the check box causes McAfee GTI to match the URL
string and named anchor
case-sensitively.
case-sensitively.
If you leave this unchecked, whatever you type in the text fields is
converted to lower case when you click OK.
Compiled regular expression
This dynamic table shows the regular expression you create as you enter
one or more parts.
Test a URL
Data field where you can type or paste a URL to test it against the
regular expression. Icons indicate whether the URL matches or not.
Tools: Parse a URL
Link opens an additional dialog box where you can paste or type a URL
and have it parsed into its component parts. If you click OK in this dialog,
the URL will populate the fields in the URL Expression Builder.
The URL is not validated.
Option definitions — URL Count
The URL Count page enables you to fine-tune the way email messages containing large numbers of
URLs are handled by McAfee Email Gateway.
Table 4-101 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
237
4
Overview of Email menu
Email Policies
Table 4-101 Option definitions — Policy exceptions (continued)
Option
Edit exception properties
Definition
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-102 Option definitions — URL Count
Option
Definition
Maximum number of URLs per email
Typing a number in the text field sets the maximum number of URLs
in one email. If the URLs exceed the number, the system takes the
configured action.
If this threshold is exceeded
The scrolling list allows selection of the proper primary action
And also
The list allows selection of secondary actions.
Notification and annotated email options This link opens the Default Notification and Routing Settings page.
If an action results in an alert
Selecting the check box enables use of the default text. Clicking the
associated link permits editing the default text.
Parsing URLs
The URL Expression Builder includes a link that allows you to parse a URL into its component parts.
The parsed URL populates the appropriate fields on the page.
URL normalization
Certain characters, such as ‘/', ‘?’ and ‘#’, serve as delimiters in the URL. Other characters, such as
control codes, are not printable. These characters must be escaped by encoding them as ‘%’ followed
by their hexadecimal ASCII value when they are used in the Credentials, Path, or Query string, or in the
named Anchor field. For example, ‘=’ must be represented by ‘%3B’ so it will not be misinterpreted as a
key-value separator in the Query string.
The ASCII characters A-Z, a-z, 0-9 and -._~ never need to be escaped. Characters outside the ASCII
range must be represented by the %-encoding of their UTF-8 byte values. For example, a ‘€’ character
is encoded as ‘%E2%82%AC’.
Attackers can manipulate the %-encoding rules to obfuscate the URL. Manipulations include:
•
Escaping characters that do not need to be escaped to make part of the URL unreadable to
humans. An example of this would be the sequence “%2E%2E%2F/” in the path.
•
Not escaping characters that should be escaped. For example, the glyph for the Unicode character
U+2215, DIVISION SLASH, looks identical to an ASCII ‘/’ character. If used in un-escaped form in
the path, it would look indistinguishable from a regular path separator. This is called a homograph
attack.
To overcome any issues from ambiguous representation, URLs found in emails are normalized by
decoding the individual parts and reapplying the %-encoding so that it is in strict compliance with the
encoding rules in RFC 3986, Uniform Resource Identifier (URI): Generic Syntax. The path is further
normalized so that ‘.’ (current directory) and ‘..’ (directory above the current directory) sequences are
removed. For example “/a/b/../c” is normalized to the equivalent “/a/c”.
Address normalization
Instead of a domain name in the host field, a URL may contain an IP address.
238
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
An IPv4 address may be represented in many different ways, all of which offer an attacker
opportunities to obscure the host that a URL points to. As well as the familiar a.b.c.d format where a,
b, c and d represent base-10 numbers in the range 0-255, an IPv4 address may be represented by 1
to 4 numbers, each of which may be represented using base 10, octal (base 8) and hexadecimal (base
16). For example, it is not at all obvious that the following URLs point to the same resource:
•
http://7763631671/
•
http://235396898359/
•
http://206.057717067/
When testing URLs found in emails, all variant representations of IPv4 addresses are normalized to the
a.b.c.d format.
IPv6 addresses have stricter rules for representation within a URL. However, the same address can
vary in its representation depending on how empty quads are displayed and how many leading zeroes
are used. Therefore, IPv6 addresses are normalized to their most compact form with hexadecimal
values in uppercase. For example, http://[2001:ea75:0000:0:00:000:0:0001]/ is normalized to
http://[2001:EA75::1]/.
International Domain Names (IDNs)
Some domain registrars allow Unicode characters in domain names that are registered with them.
These domain names are presented to humans in human-readable form but must be encoded into
ASCII form when, for example, they are resolved through DNS. The domain name normalization rules
and ASCII-encoding algorithm are specified in RFC 3490, Internationalizing Domain Names in
Applications (IDNA). An example of an IDN is méxico.icom.museum and its ASCII-encoding is xn-mxico-bsa.icom.museum. The xn-- ACE (ASCII Compatible Encoding) label denotes an encoded IDN.
When an IDN in its encoded form is encountered, it is decoded to its human-readable, Unicode form.
This decoding may fail if the encoded URL fails a TLD check. Top Level Domain (TLD) registrars who
accept IDNs limit the Unicode characters that they will allow. For example, the .no (Norway) TLD will
only allow Unicode characters that are part of the Norwegian alphabet. If the decoding fails, the
domain name is left in its encoded form with a warning message stating why the decoding failed.
If an IDN is encountered in its Unicode form, it is normalized. Without normalization, IDNs are subject
to homograph attacks. For example, if the URL http://www.μετάνοια.gr were blacklisted, an attacker
might try to circumvent this by replacing ‘μ’ (U+03BC, GREEK SMALL LETTER MU) with ‘μ’ (U+00B5,
MICRO SIGN). According to IDN rules these domain names are identical and encode to the same
ASCII form: www.xn--hxakkrmio1b.gr. However, a simple string match would not detect that the URLs
were identical. Therefore, Unicode names are normalized by applying the RFC 3490 Nameprep
algorithm which disambiguates visually identical string values.
URL encoding and decoding
Because URLs are canonicalized before they are checked against the blacklists and whitelists, it may
be unclear what you should use to match a given value.
The URL encode/decode tool provides a text field that you can paste a string into and either encode it
to give its canonical representation or decode it so that you can see what a %-encoded sequence
actually matches. Clicking “Canonicalize” will turn an improperly or partially encoded sequence into its
canonical representation.
Keep the following information in mind when you use the encode/decode tool:
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
239
4
Overview of Email menu
Email Policies
•
The encoded sequences %00 - %1F and %7F are control characters any may render unpredictably
when decoded. Two-byte sequences starting with %C2 followed by %80 - %A0 are also control
characters.
•
Do not use the URL encode tool to encode, for example, the entire path. This will result in a
non-canonical encoding. Encoding “a/b” will result in the string “a%2Fb” which will no longer match
“a/b” in the path. Only encode individual path segments and individual terms (the keys and values
in key-value pairs) in the Query string.
Option definitions — Create new rule (DLP Categories)
This information describes the options available on this dialog box.
Option
Definition
Name
The name of the DLP category.
Documents
Any documents associated with that category.
Option definitions — Create new rule
This information describes the options available on this dialog box.
Option
Definition
Name
The name of the DLP categories available
Documents
The number of documents contained in the category
Option definitions — Create document exclusion
This information describes the options available on this dialog box.
Option
Definition
Search
Search by name for documents that you want to exclude from the policy.
Name
The name of the document.
Size
The size of the document.
Trained on
The date on which the document was trained.
Option definitions — New Rule dialog box
This information describes the options available on this dialog box.
Table 4-103 Category Filtering
Option
Definition
Rule name
Type the name of the rule.
Enable file category filtering
Select to open the list of files categories and subcategories.
Take action when the file category • File categories — Select the file category to which you want the rule to
is:
apply.
• Subcategories — By default, all the subcategories in a file category are
filtered. Use the CTRL key to select multiple subcategories to the file
categories that you chose. The Clear selections link resets the list of
subcategories to "all".
Extend this rule to unrecognized
file categories
240
Select this option to enable this rule to be used for file categories that
are unrecognized.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Policies
4
Table 4-104 Files within some of the multimedia subcategories
Multimedia subcategory
Types of file in the subcategory
MP3
MPEG Layer3 ID3 Ver 1.x
MPEG Layer3 ID3 Ver 2.x
MPEG-1 audio - Layer 3
MPEG
MPEG-1 audio - Layer 1
MPEG-1 audio - Layer 2
MPEG-2 audio - Layer 1
MPEG-2 audio - Layer 2
MPEG-2 audio - Layer 3
MPEG-1 video
MPEG-2 video
MPEG-4 file
MPEG-7 file
Windows Sound
Windows Sound (WAV file)
Windows Media Audio (WMA file)
Windows Video
Windows Video (AVI file)
Windows Media Video (WMV file)
Microsoft Digital Video Recording (DVR file)
Table 4-105 Name Filtering
Option
Definition
Enable file name filtering
Enable filtering based on the name of the file.
Take action when the file name matches
Add the file name to match against when filtering.
Table 4-106 Protected File Filtering
Option
Definition
Enable protected file filtering
Enable filtering based on the protected status of the file.
Take action when the file is:
Select either:
• Protected
• Unprotected
Table 4-107 Size Filtering
Option
Definition
Enable file size filtering
Enable filtering based on the size of the file.
Take action when the file size is
Select to either take action when a file is:
• Less than
• Greater than
the configured file size.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
241
4
Overview of Email menu
Email Policies
Option definitions — Actions
This information describes the options available on this dialog box.
Option
Definition
If the file filtering rule is
triggered
Select the primary action to take when the rule triggers. Choose from:
• Deny connection (Block)
• Refuse the data and return an error code (Block)
• Replace the content with an alert (Modify)
• Allow Through (Monitor)
And also
Select the secondary actions to take when the rule triggers on the original
message, and set notification and ecryption options as necessary.
Notification and annotated
email options
When clicked, takes you to the Default Notification and Routing Settings
(SMTP) set of options.
Rule Creation Wizard
Use this wizard to set the dictionaries that you want the rule to use, and the actions that you want the
appliance to take when the rule triggers.
Option definitions — Customize the name for this rule
This information describes the options available on this page of the wizard.
Option
Definition
Rule name
Type the name of the rule that you want to create.
Option definitions — Dictionaries to include
This information describes the options available on this page of the wizard.
Option
Definition
Search
Search the list of dictionaries for the ones that you want to include in the rule.
Name
Displays the dictionary name as it appears in the Compliance Dictionaries list (Email | DLP and
Dictionaries | Compliance Dictionaries).
Threshold
Displays the threshold that will trigger a score-based dictionary. To enable score-based
detection for a dictionary, go to Email | DLP and Dictionaries | Compliance Dictionaries.
Max Term Count Displays the maximum number of times that terms in that dictionary can contribute
towards a threshold score.
Option definitions — Dictionaries to be excluded
This information describes the options available on this page of the wizard.
Option
Definition
Search
Search the list of dictionaries for the ones that you want to exclude from the rule
Name
Displays the dictionary name as it appears in the Compliance Dictionaries list (Email | DLP and
Dictionaries | Compliance Dictionaries).
Threshold
Displays the threshold that will trigger a score-based dictionary. To enable score-based
detection for a dictionary, go to Email | DLP and Dictionaries | Compliance Dictionaries.
Max Term Count Displays the maximum number of times that terms in that dictionary can contribute
towards a threshold score.
242
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Policies
4
Option definitions — If the compliance rule is triggered
This information describes the options available on this page of the wizard.
Option
Definition
If the compliance rule is
triggered
Select the primary type of action from the drop-down list that you want the
appliance to take when it triggers a compliance detection.
And also
Optionally, select secondary actions that can be applied to the detection, such
as quarantining the original or modified message, notifying the sender, and
sending the message to other people. The options displayed differ according to
the primary action that you select.
Notification and annotated
email options
Opens the Default Notification and Routing Settings pages. See Email | Email Policies |
Policy Options | Notifications and routing.
And conditionally
Specify whether you want the actions to take place when Any or All of the
dictionaries in the rule trigger a match.
Rule Creation Wizard
Use the wizard to create a new compliance rule based on settings from an existing rule, and the
actions that you want the appliance to take when the rule triggers.
Option definitions — Select a predefined rule to configure
This information describes the options available on this page of the wizard.
Option
Definition
Select a predefined rule to
configure
Expand the rule that contains the settings on which to base the new rule.
Search
Search the list of dictionaries for the rule on which you want to base your
new rule.
Option definitions — Customize the name for this rule
This information describes the options available on this page of the wizard.
Option
Definition
Rule name
Edit the name of the rule.
Option definitions — If the compliance rule is triggered
This information describes the options available on this page of the wizard.
Option
Definition
If the compliance rule is
triggered
Select the primary type of action from the drop-down list that you want the
appliance to take when it triggers a compliance detection.
And also
Optionally, select secondary actions that can be applied to the detection, such
as quarantining the original or modified message, notifying the sender, and
sending the message to other people. The options displayed differ according to
the primary action that you select.
Notification and annotated Opens the Default Notification and Routing Settings pages. See Email | Email Policies |
email options
Policy Options | Notifications and routing | Routing.
And conditionally
Specify whether you want the actions to take place when Any or All of the
dictionaries in the rule trigger a match.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
243
4
Overview of Email menu
Email Policies
Policy Options settings
Use the Policy Options settings to configure scanning limits and how to handle corrupt or unreadable
content, and specify alert settings.
Email | Email Policies | Policy Options
Scanner Limits
Use this page to set limits on scanning to prevent attacks and other performance issues.
Email | Email Policies | Policy Options | Scanning limits
The default policy values are normally suitable, but you might need another policy to allow the
occasional transfer of large, deeply nested files, or to investigate possible attacks.
Table 4-108 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-109 Option definitions — Maximum file size
Option
Definition
If expanded file size
exceeds
Specifies the limit. The default value is: File size — 500MB
(menu)
Provides a main action to take. The available options are:
• Deny connection (Block)
• Replace all attachments with an alert
(Modify)
• Refuse the data and return an error code
(Block)
• Allow Through (Monitor)
• Accept and then drop the data (Block)
244
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-109 Option definitions — Maximum file size (continued)
Option
Definition
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all
the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender
of the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to the
intended recipients. Click Manage templates to change the way the subject is
re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
• Deliver message using encryption — Attempt delivery of the message using your
configured encryption settings.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
245
4
Overview of Email menu
Email Policies
Table 4-109 Option definitions — Maximum file size (continued)
Option
Definition
Notification and
annotated email
options
Follow the link to configure the options for notification messages and annotated
email messages.
If a denial of service
action results in an
alert
Select to use the default alert, or follow the link to make changes to the alert
text.
Table 4-110 Option definitions — Maximum nesting depth
Option
Definition
If nesting depth
exceeds
Specifies the limit. The default value is:
(menu)
Provides a main action to take. The available options are:
Nesting depth — 100
• Deny connection (Block)
• Replace all attachments with an alert
(Modify)
• Refuse the data and return an error code
(Block)
• Allow Through (Monitor)
• Accept and then drop the data (Block)
246
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-110 Option definitions — Maximum nesting depth (continued)
Option
Definition
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all
the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender
of the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to the
intended recipients. Click Manage templates to change the way the subject is
re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
• Deliver message using encryption — Attempt delivery of the message using your
configured encryption settings.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
247
4
Overview of Email menu
Email Policies
Table 4-110 Option definitions — Maximum nesting depth (continued)
Option
Definition
Notification and
annotated email
options
Follow the link to configure the options for notification messages and annotated
email messages.
If a denial of service
action results in an
alert
Select to use the default alert, or follow the link to make changes to the alert
text.
Table 4-111 Option definitions — Maximum scan time
Option
Definition
If the scan time
exceeds
Specifies the limit. The default value is:
(menu)
Provides a main action to take. The available options are:
Scanning time — 8 minutes
• Deny connection (Block)
• Replace all attachments with an alert
(Modify)
• Refuse the data and return an error code
(Block)
• Allow Through (Monitor)
• Accept and then drop the data (Block)
248
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-111 Option definitions — Maximum scan time (continued)
Option
Definition
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all
the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender
of the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to the
intended recipients. Click Manage templates to change the way the subject is
re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
• Deliver message using encryption — Attempt delivery of the message using your
configured encryption settings.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
249
4
Overview of Email menu
Email Policies
Table 4-111 Option definitions — Maximum scan time (continued)
Option
Definition
Notification and
annotated email
options
Follow the link to configure the options for notification messages and annotated
email messages.
If a denial of service
action results in an
alert
Select to use the default alert, or follow the link to make changes to the alert
text.
Alert Settings
Use this page to control the format and appearance of the alert message that users receive when the
appliance detects a threat.
Email | Email Policies | Scanning Policies [Scanner Options] -- Alert settings
Benefits of configuring Alert Settings
Understand the benefits of configuring the alert settings.
The Alert Settings page enables you to configure extra text (a header and footer), which appears around
the alert text. For example, you can include your company’s name or logo, a legal statement, or
contact information. You might need several alert settings for different groups in your network.
Option definitions — Alert Settings
Understand the options presented on the Alert Settings page.
Table 4-112 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
250
Option
Definition
Alert format
Provides a choice of formats.
Header text
Specifies the text for the top of each alert message.
Show
Shows the header text as HTML source (showing tags such as <p>) or as users see
the text (WYSIWYG). This option is not applicable for text alerts.
Footer text
Specifies the text for the bottom of each alert message.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Option
Definition
Show
Shows the footer text as HTML source (showing tags such as <p>) or as users see
the text (WYSIWYG). This option is not applicable for text alerts.
Restore Defaults
When clicked, displays the original text of the alert.
Character encoding Offers a choice of encoding for the alert text.
• Numeric character references — enables the use of special characters for alerts in HTML
format.
• Big 5 to UTF-8 — provides character encoding for plain texts.
Default value is Numeric character references.
Specifies the name of the file that contains the alert. Default value is warning.htm or
warning.txt.
Alert filename
Option definitions — Alert Editor
This information describes the options available in each policy's Alert Editor to create and view the
policy's alert notification message.
Option
Definition
Style / Font / Size Select the paragraph style, size, and font that you want to apply to the text.
Tokens
Select the token variables that you want to appear in the message, such as the name
of the attachment and the policy that it infringed.
Show
Choose how you want to view the notification text in the Alert Editor.
Use Default
Select to have the notification appear in the default format.
Content Handling Settings — Email Options — Basic Options
Use this page to specify some basic settings when handling email.
Email | Email Policies | Policy Options | Content handling | Email Options | Basic Options
To cater for the needs of various departments, you might need several policies, each with its own
disclaimer. Alternatively, you can configure policy exceptions, to reduce the total number of policies
you need to maintain.
Table 4-113 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
251
4
Overview of Email menu
Email Policies
Table 4-113 Option definitions — Policy exceptions (continued)
Option
Definition
Edit exception properties
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-114 Option definitions — Content Handling Settings — Email Options — Basic
Options
Option
Definition
Add a prefix to the subject of
modified emails
Specifies a prefix that the appliance adds to the subject line after a major
modification to the message, for example when an alert message replaces
an infected item.
If this prefix is added to the subject line, it precedes other prefixes such as
those that indicate spam or phish detections. If you add a disclaimer to a
message, its subject line is not affected.
Enable the use of disclaimers
When selected, adds extra text to each email message.
The appliance cannot add a disclaimer to an email message that contains
unsupported character sets, such as the Hebrew character set,
ISO-8859-8-I.
Disclaimer text
Specifies the text, which can be a legal disclaimer, or an advertisement, or
general information such as addresses and telephone numbers.
For the HTML disclaimer to appear in an email, the email must be received
in HTML format.
If you refer to an image (using <img>), the recipient will see the image
only if it is publicly available. In other words, the image must be accessible
via the Internet, with a full path such as http://www.example.com/abc.gif.
Placement
Offers a choice of location for the attachment text.
When re-encoding
attachments
Offers a choice of re-encoding if the message was cleaned.
When re-encoding modified
subject lines
Offers a choice of re-encoding.
If there's an error re-encoding Offers a choice of re-encoding.
a modified subject line
Content Handling Settings — Email Options — Advanced Options
Use this page to specify advanced settings for handling email.
Email | Email Policies | Policy Options | Content handling | Email Options | Advanced Options
Changing these settings can affect scanning performance. If you are not sure about the impact of
making any changes, ask your network expert.
Table 4-115 Option definitions — Policy exceptions
252
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-115 Option definitions — Policy exceptions (continued)
Option
Definition
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-116 Option definitions — Content Handling Settings — Email Options — Advanced
Options
Option
Definition
Preferred transfer encoding for text
Offers a choice of encoding:
• 8-bit - for SMTP servers that support the transport SMTP extension,
8BITMIME.
• Base64 — for non-text data and for messages that do not have
much ASCII text.
• Quoted-printable — for messages that contain mainly ASCII
characters and also some byte values outside that range.
But do not encode if the text is already When selected, prevents encoding of 7-bit data.
7-bit
Default decode character set
Offers a set to use if one is not specified in the MIME headers. To
specify further sets, see the Character Sets tab.
Maximum number of MIME parts
Specifies a maximum, which can help prevent denial-of-service
attacks.
Default value is 10000.
Treat corrupt message headers the
same as corrupt content
If selected, the email message is handled according to the action that
the policy applies to any corrupt content.
Treat NULL characters in message
headers the same as corrupt content
When selected, acts on NULL characters.
Remove any Received-From headers
to obscure..
Select this to obscure any network information displayed in the
Received headers. The Last Received header, added by your
appliance, is not removed.
Enabling Header Stripping prevents emails being blocked due to the
Maximum number of hops, as the Received headers are used to find the
number of hops the email message has taken.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
253
4
Overview of Email menu
Email Policies
Content Handling Settings — Email Options — Missing/Empty Headers
Use this page to specify how the appliance handles an email message that has empty or missing
headers.
Email | Email Policies | Policy Options | Content handling | Email Options | Missing / Empty Headers
In spam and spoofed email, headers are sometimes altered to hide the identity of the sender.
Table 4-117 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
When you have two or more policy exceptions, you can change the
Move
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Edit exception properties
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-118 Option definitions — Content Handling Settings — Email Options — Missing/
Empty Headers
Option
Definition
Take action under the
following circumstances
• Never — Select this option if you do not need the feature.
• When one or more email headers have no value — Select this option to detect any
suspicious headers.
• When one or more of the following headers are missing or empty — Select this option to
specify the headers, such as From, Sender, and Reply-to. For a full list of
headers, see RFC 2822.
Action
Provides a main action to take. The available options are:
• Deny connection (Block)
• Replace all attachments with an alert
(Modify)
• Refuse the data and return an error code
(Block)
• Allow Through (Monitor)
• Accept and then drop the data (Block)
254
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-118 Option definitions — Content Handling Settings — Email Options — Missing/
Empty Headers (continued)
Option
Definition
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the
Quarantine database.
• Quarantine modified — Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue
into which the email message is placed. This selection can include custom
quarantine queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to
all addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to
all the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender
of the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also
include any custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to
the intended recipients. Click Manage templates to change the way the subject is
re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the
intended recipients. You can select multiple header modification templates.
Click Manage templates to change the way the headers are re-written.
Notification and
annotated email options
Follow the link to configure the options for notification messages and annotated
email messages.
If either of the above
actions results in an alert
Select to use the default alert, or follow the link to make changes to the alert
text.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
255
4
Overview of Email menu
Email Policies
Content Handling Settings — Email Options — Text and binary MIME types
Use this page to specify special MIME types as text or binary to improve the efficiency of the scanning.
Email | Email Policies | Policy Options | Content handling | Email Options | Text and binary MIME types
The appliance handles common MIME types. You need only specify any new or unusual MIME types
here.
Table 4-119 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-120 Option definitions — Content Handling Settings — Email Options — Text and
binary MIME types
Option
Definition
Treat the following MIME types as text attachments
Allows you to build a list of text MIME types.
Treat the following MIME types as binary attachments
Allows you to build a list of binary MIME types.
About MIME formats
Multipurpose Internet Mail Extensions (MIME) is a communications standard that enables the transfer
of non-ASCII formats over protocols, like SMTP, that support only 7-bit ASCII characters.
Email | Email Policies | Policy Options | Content handling | Email Options | Text and binary MIME types
Examples of non-ASCII formats, include:
•
8-bit audio
•
Video files
•
Character sets of many non-English languages
MIME defines different ways of encoding the non-ASCII formats so that they can be represented using
characters in the 7-bit ASCII character set.
256
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
MIME also defines extra email headers that contain further information:
•
Version of MIME used.
•
Type of content in the MIME message.
•
Type of encoding method used.
•
Content part identifier for multi-part MIME messages.
The resulting MIME message can be "decoded" or "re-encoded" after transmission. We say
"re-encoded", because the MIME messages can be converted into a different character set from the
original message.
Content Handling Settings — Email Options — Character sets
Use this page to specify one or more alternative character sets to try if you have problems decoding
email messages in the given character set.
Email | Email Policies | Policy Options | Content handling | Email Options | Character sets
You can select a fixed mapping (always use the alternative character set) or a list of alternatives to be
used only if decoding fails.
Table 4-121 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-122 Option definitions — Email Options — Character sets
Option
Definition
Character sets
Specifies the original character set in the email message.
Fixed
If selected, you can choose one alternative character set.
If deselected, provides any number of choices.
To select several items, use Ctrl-click, or click and Shift-click.
Alternatives
Specifies the alternative character encodings.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
257
4
Overview of Email menu
Email Policies
Content Handling Settings — HTML Options
Use this page to specify how the appliance handles certain elements and components embedded in
HTML data.
Email | Email Policies | Policy Options | Content handling | HTML Options
Table 4-123 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
Table 4-124 Option definitions — HTML Options
Option
Definition
Script elements to ActiveX components When selected, the item is removed.
Flash objects are ActiveX objects, so you can choose to keep them.
Comments to Raw HTML
When selected, the items are scanned for inappropriate content.
Content Handling Settings — Corrupt or Unreadable Content — Corrupt
content
Use this page to specify how to handle corrupt content.
Email | Email Policies | Policy Options | Content handling | Corrupt or Unreadable Content | Corrupt content
Scanners and other applications can have difficulty reading corrupt content. You can specify the action
to take when the appliance detects corrupt content in:
258
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Policies
•
Email messages
•
Archives
•
Documents
4
Table 4-125 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
259
4
Overview of Email menu
Email Policies
Option
Definition
If corrupt content is
detected
Provides a main action to take. The available options are:
• Deny connection (Block)
• Replace all attachments with an alert (Modify)
• Refuse the data and return an error code
(Block)
• Allow Through (Monitor)
• Accept and then drop the data (Block)
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all
the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of
the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
260
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Policies
4
Option
Definition
Notification and
annotated email
options
Follow the link to configure the options for notification messages and annotated
email messages.
If either of the above
actions results in an
alert
Select to use the default alert, or follow the link to make changes to the alert text.
Content Handling Settings — Corrupt or Unreadable Content — Protected
files
Use this page to specify what action to take against files that are protected in some way.
Email | Email Policies | Policy Options | Content handling | Corrupt or Unreadable Content | Protected files
You can specify the action to take when the appliance is unable to scan into an email attachment
(either archive or document) or a file that is being requested from a website, because it has been
password protected. If the content is protected by password, the appliance cannot examine the
contents because they are encrypted.
If you choose to allow such files into your network, you must ensure that their contents can be
scanned later for any threats by an on-access scanner.
Table 4-126 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
261
4
Overview of Email menu
Email Policies
Table 4-127 Option definitions
Option
Definition
If a read protected document Provides a main action to take. The available options are:
is detected
• Deny connection (Block)
• Replace all attachments with an alert
(Modify)
• Refuse the data and return an error code
(Block)
• Allow Through (Monitor)
• Accept and then drop the data (Block)
The action associated with read protected documents will only trigger when
compliance scanning is enabled, and the contents of the document can not be
extracted.
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the
Quarantine database.
• Quarantine modified — Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue
into which the email message is placed. This selection can include custom
quarantine queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to
the sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to
all addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to
all the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the
sender of the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the
auditing email list.
• Deliver the modified email to the sender — Deliver the email message to the
sender, with modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also
include any custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to
262
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Policies
4
Table 4-127 Option definitions (continued)
Option
Definition
the intended recipients. Click Manage templates to change the way the subject
is re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the
intended recipients. You can select multiple header modification templates.
Click Manage templates to change the way the headers are re-written.
Notification and annotated
email options
Follow the link to configure the options for notification messages and
annotated email messages.
If an action results in an
alert
Select to use the default alert, or follow the link to make changes to the alert
text.
If a password-protected
archive file is detected
Provides a main action to take. The available options are:
• Deny connection (Block)
• Replace all attachments with an alert
(Modify)
• Refuse the data and return an error code
(Block)
• Allow Through (Monitor)
• Accept and then drop the data (Block)
• Reroute to an alternative relay (Reroute)
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
263
4
Overview of Email menu
Email Policies
Table 4-127 Option definitions (continued)
Option
Definition
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the
Quarantine database.
• Quarantine modified — Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue
into which the email message is placed. This selection can include custom
quarantine queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to
the sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to
all addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to
all the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the
sender of the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the
auditing email list.
• Deliver the modified email to the sender — Deliver the email message to the
sender, with modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also
include any custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to
the intended recipients. Click Manage templates to change the way the subject
is re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the
intended recipients. You can select multiple header modification templates.
Click Manage templates to change the way the headers are re-written.
264
Notification and annotated
email options
Follow the link to configure the options for notification messages and
annotated email messages.
If an action results in an
alert
Select to use the default alert, or follow the link to make changes to the alert
text.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Content Handling Settings — Corrupt or Unreadable Content — Partial/
external messages
Use this page to specify the action to take against two types of message that can be difficult to scan.
Email | Email Policies | Scanning Policies | Scanner Options | Content Handling | Corrupt or Unreadable Content
•
A partial message. If a message has been divided into smaller parts for sending as several separate
email messages, each part is called a partial message.
•
An external-body message. The message contains a reference to an external resource and the
scheme (usually FTP) that retrieves that resource.
Table 4-128 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
265
4
Overview of Email menu
Email Policies
Table 4-129 Option definitions
Option
Definition
If a message/partial
type is encountered
Provides a main action to take. The available options are:
• Deny connection (Block)
• Replace all attachments with an alert
(Modify)
• Refuse the data and return an error code
(Block)
• Allow Through (Monitor)
• Accept and then drop the data (Block)
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all
the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of
the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.
Other actions
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
266
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-129 Option definitions (continued)
Option
Definition
• Modify headers — McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
Notification and
annotated email
options
Follow the link to configure the options for notification messages and annotated
email messages.
If a message/
external-body type is
encountered
Provides a main action to take. The available options are:
• Deny connection (Block)
• Replace all attachments with an alert
(Modify)
• Refuse the data and return an error code
(Block)
• Allow Through (Monitor)
• Accept and then drop the data (Block)
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
267
4
Overview of Email menu
Email Policies
Table 4-129 Option definitions (continued)
Option
Definition
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all
the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of
the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
268
Notification and
annotated email
options
Follow the link to configure the options for notification messages and annotated
email messages.
If either of the above
actions results in an
alert
Select to use the default alert, or follow the link to make changes to the alert
text.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Email Policies
4
Content handling — Corrupt or Unreadable Content — Unscannable Content
Use this page to specify what action to take against files that cannot be scanned.
Email | Email Policies | Policy Options | Content handling | Corrupt or Unreadable Content | Unscannable Content
You can specify the action to take when the appliance finds a file that is unscannable.
Table 4-130 Option definitions — Policy exceptions
Option
Definition
Number of exceptions
Displays the number of exceptions configured for the specific policy. If no
exceptions exist, the box displays No exceptions.
Policy name
Displays the name of the policy you select.
Exception name
Displays the name of the exception. If more than one exception is
configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies — New Policy Exception window, enabling you to
create a policy exception.
Add exception
Move up and
down
Move
Edit exception properties
When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies — Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.
Delete exception
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
269
4
Overview of Email menu
Email Policies
Table 4-131 Option definitions
Option
Definition
If unscannable content Provides a main action to take. The available options are:
is detected
• Deny connection (Block)
• Replace the content with an alert (Modify)
• Refuse the data and return an error code
(Block)
• Allow Through (Monitor)
• Accept and then drop the data (Block)
And also
Specify the secondary actions to take.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all
the recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of
the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
• Deliver the modified email to the sender — Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
270
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-131 Option definitions (continued)
Option
Definition
Notification and
annotated email
options
Follow the link to configure the options for notification messages and annotated
email messages.
If the action results in
an alert
Select to use the default alert, or follow the link to make changes to the alert
text.
Policy-based actions
Policy-based actions execute when an email message matches a configured policy, without needing a
scan to trigger the selected action.
Contents
Benefits of fine-tuning scanning with policy-based actions
Option definitions — Policy-based actions
Scenario - Configure policy-based actions
Benefits of fine-tuning scanning with policy-based actions
A policy is a group of settings that tell the appliance how to scan or process an email. Policy-based
actions provide increased flexibility for administrators when applying policies. You can use
policy-based actions for such things as applying policies to messages that would not trigger an action,
or turning off all scanners for specific messages.
Policy-based actions enable you, for example, to apply policies to messages that would not trigger a
scanner action. For example, you could rewrite the subjects of all messages to a particular recipient or
group. The messages might not require any other action.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
271
4
Overview of Email menu
Email Policies
Option definitions — Policy-based actions
Use these options to configure the default actions triggered by specific policies.
Table 4-132 Option definitions
Option
Definition
If an email
matches this
policy
Drop-down list displays possible primary actions.
Select one of the following:
• Deny connection (Block)
• Refuse the data and return an error code (Block)
• Accept and then drop the data (Block)
• Allow through (Monitor)
• Skip scanning — This action turns off all scanners for specific messages.
Using this setting can allow viruses and other undesirable content to pass through.
If you enable Skip scanning, McAfee Email Gateway will not add disclaimers to the
messages.
And also
Specify the secondary actions to take.
The available secondary actions depend on the selected primary action.
Quarantine options
• Quarantine original — Select to have the original message added to the Quarantine
database.
• Quarantine modified — Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.
Notification email options
• Send one or more notification emails — Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification options.
• Annotate and deliver original to sender — Deliver the original email message to the
sender, with annotations added.
• Deliver a notification email to 'Notification Email List' — Deliver a notification email to all
addresses defined within the notification email list.
• Deliver a notification email to the original recipient(s) — Deliver a notification email to all the
recipients on the original email message.
• Deliver a notification email to the sender — Deliver a notification email to the sender of
the email message.
• Deliver an audit copy to 'Auditing Email List' — Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing email
list.
• Deliver the modified email to the sender — Deliver the email message to the sender, with
modifications made by McAfee Email Gateway included.
272
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-132 Option definitions (continued)
Option
Definition
• Show selected/Show all — To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include any
custom notification templates that you create.
Other actions
• Modify subject — McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
• Modify headers — McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
• Deliver message using encryption — Attempt delivery of the message using your
configured encryption settings.
In the options, n represents the number of lists you select for each related action.
Notification and
annotated email
options
Opens the Default Notification and Routing Settings page.
Scenario - Configure policy-based actions
You can configure policy-based actions for inbound or outbound messages. The messages can still
proceed through configured scanners, if you want them to.
Policy- based actions apply to all messages that do not match any other policies or that match policies
that do not override the settings for policy-based actions.
Scenario — Encrypt all messages sent by the Legal Department
Since messages from the Legal Department usually contain confidential information, using encryption
ensures the security of sensitive content.
Before you begin
If necessary, create a group that includes proper members of the Legal Department with a
rule type of Sender email address. This exercise applies policy based actions to the Legal
Department user group.
You can configure McAfee Email Gateway to scan the messages with any settings you prefer. For this
example, no scanning is needed.
Task
1
Log on to McAfee Email Gateway and select Email | Email Polices.
2
Click Add Policy.
The Scanning Policies — New Policy window appears.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
273
4
Overview of Email menu
Email Policies
3
Create the new policy.
a
Type a policy name, such as Legal Outbound.
b
[Optional] Type a policy description.
A description is useful for explaining the purpose for the policy.
c
From the drop-down list, select the policy from which the new policy inherits settings. In this
case, select Default policy.
d
To set the email direction, select the Outbound option.
e
To set the Match logic, select Match one or more of the following rules.
f
Click Add Rule.
The Add Rule window appears.
g
For Rule type, select User Group.
h
For Match, select is.
i
For Value, select Legal Department.
j
Click OK.
The Add Rule window closes and the new rule appears on the Scanning Policies — New Policy window.
4
Click OK.
The Scanning Policies — New Policy window closes, and the new policy appears at the top of the list on
the Email Policies page.
5
Within the new policy, select the Policy Options | Policy based action link.
Be sure you select options within the new policy, rather than the default or any other configured
policies!
The Policy Based Action Settings window appears.
6
Configure the desired policy-based actions.
a
Ensure that Use the same settings as the default policy is not selected.
b
For the primary action, select Skip scanning from the drop-down list.
c
For the secondary action, select Other Actions | Deliver message using encryption.
d
Click OK.
The Policy Based Action Settings window closes, and the policy-based actions appear under Policy
Options.
7
Confirm your settings are correct, then apply the changes.
Outbound messages from the Legal Department are encrypted, and are not scanned.
Scenario — Review all messages received from a specific sender
Review all messages from a particular competitor, XYZ Corp.
Email Gateway performs configured scans on all messages.
274
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Task
1
Log on to McAfee Email Gateway and select Email | Email Polices.
2
Click Add Policy.
The Scanning Policies — New Policy window appears.
3
Create the new policy.
a
Type a policy name, such as Competitor inquiries.
b
[Optional] Type a policy description.
A description is useful for explaining the purpose for the policy.
c
From the drop-down list, select the policy from which the new policy inherits settings. In this
case, select Default policy.
d
To set the email direction, select the Inbound option.
e
To set the Match logic, select Match one or more of the following rules.
f
Click Add Rule.
The Add Rule window appears.
g
For Rule type, select Sender email address.
h
For Match, select is like.
i
For Value, type *@xyzcorp.com.
j
Click OK.
The Add Rule window closes and the new rule appears on the Scanning Policies — New Policy window.
4
Click OK.
The Scanning Policies — New Policy window closes, and the new policy appears at the top of the list on
the Email Policies page.
5
Within the new policy, select the Policy Options | Policy based action link.
Be sure you select options within the new policy, rather than the default or any other configured
policies!
The Policy Based Action Settings window appears.
6
Configure the desired policy-based actions.
a
Ensure that Use the same settings as the default policy is not checked.
b
For the primary action, select Allow through (Monitor) from the drop-down list.
c
For the secondary action, check Original email options | Forward original to n lists.
d
Click the Edit link associated with the secondary action.
The Email Recipients window appears.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
275
4
Overview of Email menu
Email Policies
e
Select one or more recipient lists.
The Email Recipients window closes.
f
Click OK.
The Policy Based Action Settings window closes, and the policy-based actions appear under Policy
Options.
7
Confirm your settings are correct, then apply the changes.
A designated reviewer receives original email messages from XYZ Corp. and can take further action.
Notification and Routing Settings — Notification Emails
Specify the email addresses for messages from the appliance to users and to administrators.
For example, the appliance can send a notification email if it detects a threat in an email message or it
cannot deliver a message.
Changing these settings can affect scanning performance. If you are not sure about the impact of
making any changes, ask your network expert.
Table 4-133 Option definitions — Notification emails
Option
Definition
Sender
Specifies the From address that the appliance uses when sending a
response to the sender of email that contained a threat.
Subject
Define the subject line to be used in notification emails
Display (including Edit the
alert text and Name:)
Decide how the notification will be displayed:
• As an attachment
• Inline (default)
Click Edit the alert text to make changes to the alert text to be used.
When you select As an attachment, you can also specify the Name: of the
attachment.
Table 4-134 Option definitions — Annotated emails
Option
Definition
Sender
Specifies the From address that the appliance uses when sending a response to
the sender of email that contained a threat.
Subject
Define the subject line to be used in annotated emails.
Content
Decide the content of the notification to be displayed:
• Notification alert text
• Scanner-specific alert
Click Show example to see examples of the currently selected notification.
Display (including
Name:)
Decide how the notification will be displayed:
• As an attachment
• Inline (default)
Click Edit the alert text to make changes to the alert text to be used.
When you select As an attachment, you can also specify the Name: of the
attachment.
276
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Table 4-135 Option definitions — Bounce messages
Option Definition
Sender
Specifies the From address that the appliance uses when sending a response to the sender
bounce email messages.
Subject
Define the subject line to be used in bounced messages.
Table 4-136 Option definitions — Modified messages returned to the sender
Option Definition
Sender
Specifies the From address that the appliance uses when sending a response to the modified
email messages being returned to the sender.
Subject
Define the subject line to be used in modified email messages being returned to the sender.
Table 4-137 Option definitions — Forwarded emails
Option Definition
Sender
Select the sender from whom forwarded emails appear to come from. The options are:
• Original sender (default)
• Notification email sender
Table 4-138 Option definitions — Audit copies
Option
Definition
Sender address Add a sender address for audit copies of messages.
To use the sender information from the original email message, leave this field empty.
Notification and Routing Settings — Routing
Select a device to which the appliance can redirect email.
Email | Email Policies | Policy Options | Notifications and routing | Routing
Table 4-139 Option definitions
Option
Definition
Route the email to an alternative SMTP relay Selects the relay from the list on the SMTP Relays page.
Manage the list of relays
When clicked, opens a window where you can make a list of SMTP
relays.
Notification and Routing Settings — SMTP Relays
Make a list of alternative relays for redirected email.
Email | Email Policies | Policy Options | Notifications and routing | SMTP Relays
Table 4-140 Option definitions
Option
Definition
Relay List
Specifies the relays. To edit the list, click the blue link to open the Edit List window.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
277
4
Overview of Email menu
Email Policies
Notification and Routing Settings — Encryption Servers
Make a list of encryption servers to use.
Email | Email Policies | Policy Options | Notifications and routing | Encryption Servers
Table 4-141 Option definitions
Option
Definition
Server Group Specifies the name of the list of encryption servers. To edit the list, click the blue link to
open the Edit List window.
Notification and Routing Settings — Email Recipients
Build a list of recipients for email that the appliance generates automatically.
Email | Email Policies | Policy Options | Notifications and routing | Email Recipients
For example, you can make lists of email addresses for administration and auditing. The lists are used
by several pages in the interface, for example: Email | Email Policies | Scanning Policies [Scanner Options] |
Notification and routing | Audit Copies
Table 4-142 Option definitions
Option Definition
Email List Specifies the name of the list. To edit the list, click the blue link to open the Edit List window.
McAfee Global Threat Intelligence (GTI) feedback settings
Use this page to submit threat detection feedback, and usage statistics from your product to McAfee.
Email | Email Policies | Scanning Policies | Scanner Options | McAfee GTI feedback
System | Setup Wizard
Dashboard | Services
Encryption settings
Define the encryption settings for this policy.
Benefits of configuring email encryption
This information describes the benefits associated with configuring email encryption.
These options allow you to configure, for this policy, whether a message should be encrypted, and the
encryption method that you want to use.
278
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Email Policies
Option definitions — Encryption Settings (SMTP)
This information describes the options available on this page.
When to Encrypt
Option
Definition
When to Encrypt
Choose from:
• Only when triggered from a scanner action — encrypts all messages that trigger any
compliance scanner that have a secondary action of "encrypt".
• Always — encrypts all messages that trigger this policy.
Encryption server / server
group
Selects where encryption occurs, either on the appliance, or externally.
Manage the server groups
Click to open the Encryption Servers dialog box where you add lists of encryption
servers.
Prioritize encryption over
reroute actions
If a message triggers a reroute action, you can choose to override the reroute
with the encryption action.
Click Manage the server groups to add other encryption servers.
On-box Encryption Options
Option
Definition
Encrypt the message
using one of
Choose from:
• S/MIME
• PGP
• Secure Web Mail
If more than one encryption option is chosen, the encryption methods are
attempted in the order that you see here until one is successful.
Prioritize TLS over
content encryption
If selected, McAfee Email Gateway attempts to use TLS to secure the link. If TLS
is established, the content of the email message is not encrypted.
However, if TLS cannot be established, then the email message content is
encrypted using your chosen encryption methods.
If none of the selected If the selected encryption method(s) fail, specify the action that you want to
encryption methods are take:
possible
• Attempt delivery using TLS and send an NDR if that is not possible — TLS is enforced for
delivery subject to your TLS settings
• Send an NDR without attempting delivery using TLS — the email is not delivered, and a
report is sent to the sender.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
279
4
Overview of Email menu
Email Policies
On-box Decryption Options
Option
Definition
Attempt to decrypt S/MIME-encrypted Enable this to configure your appliance to attempt the decryption of
emails
email messages encrypted using S/MIME.
By default, this option is disabled.
Attempt to decrypt PGP-encrypted
emails
Enable this to configure your appliance to attempt the decryption of
email messages encrypted using PGP.
By default, this option is disabled.
The decryption settings are based on the highest-order policy that applies to all recipients. Decryption
cannot be configured for policies that only apply to a sub-set of users.
If these options are left disabled, or the appliance is unable to decrypt the message, the
Encrypted Content settings are used.
Task — Enabling Secure Web Mail
Enable Secure Web Mail on your McAfee Email Gateway.
Before you begin
If you are using port 443 for management traffic to your McAfee Email Gateway, you
cannot enable Secure Web Mail. If you have the management port set to 443, the user
interface provides a link to System | Appliance Management | Remote Access, where you can change
this.
Task
1
Navigate to Email | Email Policies | Policy Options | Encryption.
2
In On-box Encryption Options, select Secure Web Mail.
3
If required, select Send an NDR if message encryption is not possible.
4
Click OK.
5
Apply the changes.
Once you have enabled Secure Web Mail, you will need to configure your Email Policies to use this feature.
Option definitions — Email Recipients
Use this dialog box to create lists of recipients who will receive notification messages.
Option Definition
Email List Displays the lists of email recipients. three lists come with the appliance by default:
Administration Email List, Notification Email List, and Auditing Email List. The default lists cannot be
removed from the list, even if they are empty.
280
Add
Click to open the Edit List dialog box where you can create a new notification list.
Reset
Click reset to remove the information within all fields in the dialog box .
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
DLP and Dictionaries overview
Option definitions — Edit List
Use this dialog box to edit a list of recipients who will receive notification of a detection.
Option
Definition
List name
Displays the name of the list - either Administration Email List, Notification Email List, or
Auditing Email List, or a list that you created yourself.
Email address A list of email addresses that belong to the list. Use the trashcan icon to remove a
selected address from the list. The trashcan icon becomes active only when more than
one address exists in the list.
Add
Click to open the Edit Email Address dialog box where you can either type or use a template
to add a new email address to the list.
Delete
Deletes the selected user-created notification lists.
You cannot delete the built-in lists provided with the appliance.
Option definitions — Edit Email Address
Use this dialog box to create an email address that will receive notification of a detection.
Option
Definition
Standard
Type in the email address that you want to use.
Template
Use the template fields to create the email address.
Reset
Click to remove all information from the fields in this dialog box.
DLP and Dictionaries overview
The DLP and Dictionaries pages enable you to register documents that you want to prevent from data loss,
create content categories, and set up the compliance dictionaries that you want to adhere to.
Email | DLP and Dictionaries
Contents
Registered Documents
Compliance Dictionaries
Option definitions — Add Dictionary Details
Option definitions — Applicable File Formats
Option definitions — OR Condition
Option definitions — AND Condition
Option definitions — Edit Regular Expression
Registered Documents
Use this page to register documents for inclusion in the Data Loss Prevention policies.
Email | DLP and Dictionaries | Registered Documents
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
281
4
Overview of Email menu
DLP and Dictionaries overview
Benefits of Data Loss Prevention (DLP)
Use this information to understand the benefits of using Data Loss Prevention with your Email
Gateway.
You can restrict the flow of sensitive information sent by email through the appliance. For example,
block the transmission of a sensitive document such as a financial report that is to be sent outside of
your organization. Detection occurs whether the original document is sent as an email attachment, or
even as just a section of text taken from the original document.
Configuring DLP takes place in two phases:
•
Registering the documents that you want to protect (this topic)
•
Setting the DLP policy to action, and control the detection
Sensitive documents can be uploaded where the content is then transformed into a set of signatures
representing the original content. Note that only the signatures are permanently stored on the
appliance, not the original contents. Once the policy is set, these signatures are compared against all
content sent by email through the appliance to prevent data leakage occurring.
If a document is used by a data loss prevention policy, you cannot delete either the document, or any
categories that the document belongs to. To delete either the category, or the document, the document
must first be removed from any associated policies. Hover the cursor over the Used by column to see
the policies that use either the category, or the document.
Option definitions — DLP Registered Documents
Use this information to understand the options available on the DLP Registered Documents pages of
the user interface.
Option
Definition
Categories
Groups of registered documents. Contains the Excluded Content category by default.
Excluded Content is a system category for uploaded standard corporate text (boilerplate
text), and corporate templates that you want the appliance to ignore in its data loss
prevention checks.
Documents in the Excluded Content category have a higher number of signatures than
those in other categories. A document in the Excluded Content category can be copied to
other categories, but retains its higher number of signatures.
Status
•
shows that there are two possible states, with appropriate tool tips:
• The category has been modified (renamed)
• Documents have been added or removed from the category
•
•
indicates that the category is new and does not exist in the Data Loss Prevention
database. This status disappears as soon as the configuration is applied.
indicates that everything is normal
Used by
Displays the number of data loss policies that use this category.
Documents
Displays the number of documents to which this content category applies.
Add
Create a content category.
Clear Selection Click to not have any category selected.
282
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
DLP and Dictionaries overview
Option definitions — Documents
Use this information to understand the options available on the Documents pages of the user
interface.
Option
Definition
Copy selected documents to another category. When you select this option, it opens the
Search feature which will look for categories without that document.
Documents from other categories cannot be copied into the Excluded Content category.
However, you can upload documents from other categories to the Excluded Content
category.
When you upload a document from another category to the Excluded Content category, the
document's signatures increase. The version of the document in the other category has
the same higher number of signatures as the version in the Excluded Content category.
Look for documents by name in all categories, or just a selected category.
Click on Clear Selection first, to select a document in all the categories, or select a category
to search for a document only in that category.
Delete multiple documents by name. When you select this option, it opens the Search
feature which looks for documents by name in all categories or just a selected category.
To delete documents from all the categories click on Clear Selection first. If no category is
selected, the selected documents are deleted in every category so that the document is
removed entirely from the registered documents database.
File Name
Lists all the documents associated with the selected document category.
Status
•
indicates that there is an error in the document. See the tooltip to see the reason,
either:
• an error in the database
• an error occurred while uploading the document
• an error occurred during document training
•
•
•
indicates that there are modifications that have not yet been applied.
indicates that the document is new. Documents are trained when they are
uploaded.
indicates that the document is normal, either:
• the document is unchanged.
• the uploaded document was trained successfully.
Digest
A unique identifier for a file.
Size
The size of a file.
Excluded by
The number of policies that have this file in the exclusion list.
Referenced by The number of categories that contain this document.
Signatures
The number of signatures representing this document.
Trained on
The date the document was registered.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
283
4
Overview of Email menu
DLP and Dictionaries overview
Option
Definition
Upload
Click to register documents against this category, either individually or within an archive.
Supported archive formats are:
• Zip (*.zip)
• Tar (*.tar)
• Gzip (*.gz)
• gzipped tar (*.tar.gz, *.tgz)
• Bzip2 (*.bz2, *.bz)
• bzipped tar (*.tar.bz2, *.tar.bz,
*.tbz2, *.tbz)
The Character Encoding drop-down list allows you to specify the character set used for
filenames.
To upload files in .TXT format, McAfee recommends that you save them using Unicode or
UTF-8 formats.
Copy existing Click to copy an existing document from other categories into the selected category.
When you select this option, it opens the Search feature which will look for documents
that are not currently linked to the selected category, but that exist in other categories.
Documents and Categories behavior
Use this information to understand the behavior of documents and categories used by your Email
Gateway.
You might sometimes find that you are unable to edit or remove a content category, or remove a
document within that category, and the icon appears unavailable. This is because the category or
document is in use by a policy, or the category contains a document that is excluded by a policy. Hold
your cursor over the icon to see why it is unavailable. See the following table to find out what you can
do to edit or remove the category or document.
Tooltip text/reason
Solution
Cannot delete Document because it's
excluded by policy
Identify the policy by hovering over the value in the Excluded by
column, and remove the document from the policies listed in the
tooltip.
Cannot edit/delete Category because it's
non-editable default
This is the default exclusion list.
Cannot edit/delete Category because it's
in use by a policy
Identify the policy by hovering over the value in the Used by column,
and remove the category from the policies listed in the tooltip.
Cannot edit/delete Category because it
contains a document that is excluded by
a policy
1 Select the category to load the documents.
2 Sort the documents in descending order by clicking the column
name.
3 For each document excluded by one or more policies, hover over
the value in the Excluded by column, and remove the document
from the policies listed in the tooltip.
Task — Register a document for the Finance group
Understand how to register a document for the Finance group.
Task
284
1
Go to Email | DLP and Dictionaries | Registered Documents.
2
Click Add, and type Finance.
3
Select the Finance category, and click Upload.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
DLP and Dictionaries overview
4
Browse to the file that you want to register in the Finance category, and click OK.
5
Apply the changes.
4
Task — Register multiple documents at the same time
Understand how to register many documents at a time.
Before you begin
Create a zip file that contains several files that you want to register.
Task
1
Go to Email | Email Policies | Registered Documents.
2
Either select a pre-defined category from the list, or create a new one.
3
Select the category, and click Upload.
4
Browse to the zip file that you created, and click OK.
5
Apply the changes.
Task — Ignore corporate template text in registered documents
Configure your Email Gateway to ignore corporate template text when scanning registered documents.
Task
1
Go to Email | Email Policies | Registered Documents.
2
Select the Excluded Content category, and click Upload.
3
Browse to the template file that you want to ignore, and click OK.
4
Apply the changes.
Task — Put a single document in multiple categories
Register a single document within multiple categories.
Task
1
Go to Email | Email Policies | Registered Documents.
2
In the Documents section, select the document, and click the Copy icon.
3
Select the categories to which you want the document to be associated, and click OK.
4
Apply the changes.
Task — Remove a document that is excluded by a policy
Remove a document that has been excluded by a policy.
Task
1
Go to Email | Email Policies | Registered Documents.
2
In the document list, locate the file that you want to remove as registered document, and try to
click the Delete icon.
3
Hover the mouse cursor over the Excluded by entry for that document to find out which policy
excludes that document.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
285
4
Overview of Email menu
DLP and Dictionaries overview
4
Go to Policy Catalog | McAfee Email Gateway 7.6 | Email Policies and click Edit Settings.
5
In the Compliance area, select the Data Loss Prevention policy.
6
Expand the policy that contains the excluded document.
7
Click the Delete icon next to the appropriate document in the Exclusions list.
Compliance Dictionaries
Use this page to view and edit compliance dictionaries.
Email | DLP and Dictionaries | Compliance Dictionaries
The compliance dictionaries contain words and phrases that might offend some readers.
Benefits of using compliance dictionaries
Use this information to understand the benefits of using compliance dictionaries.
Use Compliance scanning to assist with conformance to regulatory compliance and corporate operating
compliance. You can choose from a library of predefined compliance rules, or create your own rules
and dictionaries specific to your organization.
Compliance rules can vary in complexity from a straightforward trigger when an individual term within
a dictionary is detected, to building on and combining score-based dictionaries which will only trigger
when a certain threshold is reached. Using the advanced features of compliance rules, dictionaries can
be combined using logical operations of "any of", "all of", or "except".
To get information about using dictionaries, see Compliance Settings.
Option definitions — Dictionary list
Use this information to understand the options available from within the user interface for the
Dictionaries.
Option
Definition
Language
Filters the dictionaries by locale.
Selecting a language selects all dictionaries available in that language, and any
language-neutral dictionaries.
Dictionary
Displays the name of the dictionary and a symbol to indicate its type:
• Red book: Non score-based
• Blue book: Score-based
• Green book: User-defined
• Open book: Currently selected item
Category
Dictionaries are grouped into related categories. For example, Profanity and Sex are
in the Acceptable Use category.
Used by
Displays the number of policies that use the dictionary.
Edit
When the icon is clicked, a window opens where you can change the dictionary name
and description.
Delete
286
When the icon is clicked, the dictionary on that row is removed.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
DLP and Dictionaries overview
Option
Definition
Add dictionary
When clicked, adds a new dictionary. Type a name and description for your
dictionary, and select whether the dictionary will match on regular expressions, or
simple strings.
A new row for your dictionary appears at the bottom of the list of dictionaries. You
can add words to the new dictionary later.
Import dictionaries When clicked, imports a file to replace your existing dictionaries.
Export dictionaries When clicked, exports the dictionaries as an XML file. You can send the file to other
appliances, ensuring that content scanning is consistent.
Option definitions — New Condition
Use this dialog box to enter new terms into a dictionary.
Email | DLP and Compliance | Compliance Dictionaries | Dictionary | Add Condition
Option
Definition
Match type
Select how the appliance matches terms within this dictionary.
Applies to
Select what the term applies to.
Click the link and select from the available options.
Term
Enter the term that you want the appliance to search for.
List of terms for selected dictionary
Use this information to understand the supporting information given when you select a dictionary.
Click a row within the dictionary list to display the contents of that dictionary.
Table 4-143 Option definitions
Option
Definition
Opens a Locate a term window, where you can type text to locate in the terms of the
currently selected dictionary.
You can type a regular expression here using Boost Perl Regular Expression Syntax.
Regular expressions are case sensitive; to make a pattern case insensitive, start it with
(?I).
Copy the listed terms within the selected dictionary
Paste the copied terms into the selected dictionary.
Open a window where you can change the description for the currently selected
dictionary. You cannot change the name of dictionaries supplied by McAfee.
Deletes the selected term.
Conditions
(OR)
For dictionaries that are not score-based, you can view lists of terms that are combined
using the logical OR operator. The dictionary will trigger when 'any of' the term lists
trigger.
Individual term lists can apply to different contexts. For example, one term list might
look for terms within message bodies whilst another might look for terms within the
subject line.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
287
4
Overview of Email menu
DLP and Dictionaries overview
Table 4-143 Option definitions (continued)
Option
Definition
Term lists
For dictionaries that are score-based, you can view the individual lists of terms in the
selected dictionary.
Individual term lists can apply to different contexts. For example, one term list might
look for terms within message bodies whilst another might look for terms within the
subject line.
Applies to
Click the link to specify the category and subcategory against which the terms will be
searched for, such as looking for terms within an email message subject line.
Term
Displays the trigger word or phrase. The icon before the term indicates whether it is a
regular expression, simple string or complex term.
Hover your mouse cursor over the icon to see the term type.
Score
Displays the score attributed to the term. To make the dictionary score-based, click Add.
To find out more about using thresholds and scores, see the tasks in Compliance
Settings.
Case sensitive
If selected, the appliance responds only to text that matches the term exactly in letter
case.
Example: If the term is Abc, the appliance responds to the word Abc. However, the
appliance ignores abc or ABC.
Wildcard
When selected, allows the use of “?” and “*” in the term to represent unknown single or
multiple characters.
Example: If the term is ab?, the appliance responds to the word abc or abd. If the term
is ab*f, the appliance responds to the word abcdef or abcf.
Starts with
When selected, matches the term when it appears at the start of a word.
Example: If the term is bc, the appliance responds to the words bc, bcd or bcdef.
However, the appliance ignores abc or abcd.
Ends with
When selected, matches the term when it appears at the end of a word.
Example: If the term is bc, the appliance responds to the words bc or abc. However, the
appliance ignores bcd or abcd.
When used together, Starts with and Ends with match the term when it appears as a whole
word.
Example: If the term is bc, the appliance responds to the words bc. However, the
appliance ignores bcd or abc.
Edit
When clicked, opens a window that allows you to change the basic term properties, or
create a complex term.
• Term details — Edit the basic term properties including the actual text that you are
looking for, as well as case sensitive, wildcard, and starts with and ends with as
defined above.
• Contextual matching (advanced) — Set triggers for terms based on proximity to other terms.
To set these details, click Add Word or Phrase:
• Display string— Sets the display name for the term in the list of dictionary terms.
• Enable near matching — Enable or disable triggers based on proximity.
• Condition — Specify the conditions under which you want the term to trigger.
• Within a block — Set the proximity within which the terms must be found.
• Word or phrase — The list of terms.
288
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
DLP and Dictionaries overview
Table 4-143 Option definitions (continued)
Option
Delete
Add OR
condition
Definition
Removes the term from the dictionary.
For dictionaries that are not score-based, click to add new lists that are combined using
the logical OR operator using the following settings:
• Name — The name that you want to apply to the list of terms.
• Description — A unique description for the list.
• Match type — Specify whether the list contains regular expressions, or simple strings.
• Applies to — Click the link to specify the category and subcategory against which the
terms will be applied, such as looking for terms within an email message subject line.
• Term — Provide the first term in the list.
The dictionary will trigger when 'any of' the term lists trigger.
Individual term lists can apply to different contexts. For example, one term list might
look for terms within message bodies whilst another might look for terms within the
subject line.
Add AND
condition
For dictionaries that are not score-based, click to add new lists that are combined using
the logical AND operator using the following settings:
• Match type — Specify whether the list contains regular expressions, or simple strings.
• Applies to — Click the link to specify the category and subcategory against which the
terms will be applied, such as looking for terms within an email message subject line.
• Term — Provide the first term in the list.
The dictionary will trigger when 'all of' the conditions trigger.
Individual term lists can apply to different contexts. For example, one term list might
look for terms within message bodies whilst another might look for terms within the
subject line.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
289
4
Overview of Email menu
DLP and Dictionaries overview
Table 4-143 Option definitions (continued)
Option
Definition
Add Term List
For dictionaries that are score-based, click to add a list of terms in the selected
dictionary, using the following settings:
• Name — The name that you want to apply to the list of terms.
• Description — A unique description for the list.
• Match type — Specify whether the list contains regular expressions, or simple strings.
• Applies to — Click the link to specify the category and subcategory against which the
terms will be applied, such as looking for terms within an email message subject line.
• Term — Provide the first term in the list.
Individual term lists can apply to different contexts. For example, one term list might
look for terms within message bodies whilst another might look for terms within the
subject line.
Insert term
When clicked, opens a window where you can add a new term using the following
settings:
• Term details — Specify the basic term properties including the actual text that you are
looking for, as well as case sensitive, wildcard, and starts with and ends with as
defined above.
• Contextual matching (advanced) — Set triggers for terms based on proximity to other terms.
To set these details, click Add Word or Phrase:
• Display string— Set the display name for the term in the list of dictionary terms.
• Enable near matching — Enable or disable triggers based on proximity.
• Condition — Specify the conditions under which you want the term to trigger.
• Within a block — Set the proximity within which the terms must be found.
• Word or phrase — The list of terms.
This feature assumes that you have selected a dictionary and one of its terms. When
you click OK in the Term Details window, the appliance adds the term to the dictionary and
next to the selected term. Both terms have the same condition.
Introduction to regular expressions
Use this information to understand how your Email Gateway responds to regular expressions used
when defining dictionary entries.
Characters match themselves except for the following meta-characters:
•
.[{()\*+?|^$
•
. matches any character
•
\. matches a literal "." character
•
\\ matches a literal "\" character
•
(string1|string2) matches either string1 or string2
Anchors require that an expression is found in a particular place within a string, but do not match any
characters (zero width assertions)
290
•
\b matches a word boundary (start or end of a word)
•
^ matches the start of a line
•
$ matches the end of a line
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
DLP and Dictionaries overview
Character classes match a particular type of character
•
\s matches any whitespace character
•
\w matches any word character (a-z, A-Z, 0-9 and "_")
•
\d matches any digit
•
[abc] matches any one character a, b or c
Quantifiers apply to the previous term:
•
* matches 0 or more of the previous term
•
+ matches 1 or more of the previous term
For example:
•
^aa matches lines that start with aa
•
bb$ matches lines that end with bb
•
cc matches ccd, acc, and accd
•
ab*c matches ac, abc and abbc
•
a\d+b matches a2b and a23456b, but not ab
•
a.c matches abc, but not ac or abbc
•
a.*c matches ac, abc and adefghb
•
a[bcd]e matches abe, ace and ade, but not abcde
•
It is (lunch|dinner) time matches "It is lunch time" or "It is dinner time"
Introduction to Graymail
Graymail is bulk email that does not meet the definition of spam.
Graymail messages could be considered either spam or legitimate email, depending upon the opinion
of the recipient.
Characteristics of Graymail
Graymail is email sent to a large number of recipients, but it differs from spam in several ways:
•
The user, at one time or another, requested to receive the messages, by such things as supplying
an email address.
•
Graymail messages come from reputable sources who want a relationship with the recipient, such
as a customer or client relationship.
•
Graymail messages usually offer an unsubscribe option.
•
Graymail typically contains content that might be of value to the recipients, and that might appeal
to their interests.
•
Graymail often includes an element of timeliness, such as an expiration date for an offer of goods
or services.
Requested or solicited email messages become graymail when the recipient becomes less interested in
receiving them.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
291
4
Overview of Email menu
DLP and Dictionaries overview
The Graymail dictionary
In the spam policy settings of the Default policy, McAfee® Email Gateway includes the Graymail
dictionary.
The dictionary contains a static list of terms, and is read-only. It cannot be edited. You can copy terms
from the Graymail dictionary to be used in a new dictionary if necessary. You can find it in the list at
Email | DLP and Dictionaries | Compliance Dictionaries.
Using the Graymail dictionary
When you enable Spam (Email | Email Policies | Spam), the Graymail dictionary is available to be included
in your policies. Treat it as you would any other dictionary. You can enable it in the Default policy, or
create a new policy to apply it.
You can also enable or disable the Graymail feature through the Setup Wizard.
Graymail detections show in reports as Spam detections triggered against the Graymail rule group,
along with the term that triggered the detection.
Task - Configure Graymail in the Setup Wizard
You can enable or disable Graymail protection as part of setting up your appliance.
You can enable Graymail protection in your original setup, or return to the Setup Wizard to enable or
disable it.
Task
1
Navigate to the Setup Wizard (System | Setup Wizard).
The Setup Wizard opens to the first page.
2
Complete the steps, or click Next for each step to leave them unchanged, to step 6, Email Configuration.
3
Click the Enable Graymail Protection check box.
4
•
If you check the box, Graymail is enabled.
•
If you do not check the box, Graymail is disabled.
•
If you leave the check box unchanged from the way you found it, the Graymail configuration is
not updated.
Complete the Setup Wizard to the Summary page.
If you have modified the Graymail action from the default setting to another setting through policy
management, and have left the check box unchanged, the Summary shows one of four status
messages:
•
Graymail is enabled - you checked the check box.
•
Graymail is already configured - you did not check the box, but it was already checked.
•
Graymail is enabled, but it is not using the default action - the box was already checked, but the action has
previously been modified from the default action.
You can navigate back to the Email Configuration page in the Setup Wizard and uncheck then
recheck the checkbox to enable Graymail protection with the default action.
•
5
Graymail is disabled - you unchecked the box, or it was already unchecked.
Review the Summary, then click Finish.
The Setup Wizard completes and the appliance reconfigures.
292
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
DLP and Dictionaries overview
Graymail protection is configured.
Task — Adding a new dictionary
Use this task to add a new dictionary for compliance terms.
Task
1
Go to Email | DLP and Dictionaries | Compliance Dictionaries.
2
Click Add Dictionary and specify its details:
3
•
Type the name of the dictionary
•
Optionally provide a description
•
Select whether you want to match simple strings or regular expressions
Click OK.
The dictionary appears selected in the dictionary list, and its term list appears at the bottom of the
page.
4
Click the edit icon next to the default term ‘new term’, replace it with the text you want to trigger
on, and click OK.
5
Click Insert Term to add new terms to the dictionary.
6
Apply the changes.
Task — Adjust the scores associated with the ‘Discontent’ dictionary
Use this task to fine-tune the scores associated with a specific dictionary.
Task
1
Go to Email | DLP and Dictionaries | Compliance Dictionaries.
2
Select the Discontent dictionary.
3
In the Term List, select the term you want to adjust, and change its score.
4
Apply changes.
Task — Test the social security number regular expressions
Use this task to check that the Email gateway is correctly interpreting the regular expressions used to
identify social security numbers.
Task
1
Go to Email | DLP and Dictionaries | Compliance Dictionaries.
2
Select the Social Security Number dictionary.
3
Select the first regular expression, click the edit icon, and click Test.
4
Type This is a social security number, and click OK.
The Matches area shows the text that matches the regular expression. Click OK or Cancel twice.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
293
4
Overview of Email menu
DLP and Dictionaries overview
5
Select the second regular expression, click the edit icon, and click Test.
6
Type Here is the number 111-22-3333, and click OK.
The Matches area shows the text that matches the regular expression. Click OK or Cancel twice.
Task — Add a complex term to find the word Poker only when it is close to
the word Game
Use this task to add a complex term to the dictionary. A complex term is a word or phrase that had a
dependancy on another word or phrase.
Task
1
Go to Email | DLP and Dictionaries | Compliance Dictionaries.
2
Either create a new or select an existing non-score-based dictionary (indicated by a red book).
3
In the Term List, click Insert Term, and type poker.
4
Select Contextual matching (advanced), and click Add Word or Phrase.
5
Type Game. In Display string, type Poker near Game.
6
In Within a block, change the value to 10.
7
Click OK, and apply the changes.
Option definitions — Add Dictionary Details
Use this dialog box to enter or change details about a dictionary list.
Email | DLP and Compliance | Compliance Dictionaries | Email dictionary list | Add Dictionary
Option
Definition
Name
Enter a name to identify the dictionary list by.
Description
If required, add a description for the dictionary list.
Language
Define the language for the content of the list.
Match type
Select how the appliance matches terms within this dictionary.
Option definitions — Applicable File Formats
This information describes the options available on this dialog box.
Option
Definition
Everything
De-select this to specify specific file categories and subcategories, or leave selected for
all file types to be scanned.
File categories With the Everything check-box de-selected, choose the categories of files to be added into
the DLP Compliance Dictionaries.
Subcategories Within the selected category of files, select the sub-categories that you want included
within each chosen category.
294
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
DLP and Dictionaries overview
Option definitions — OR Condition
This information describes the options available on this dialog box.
Option
Definition
Name
The name of the dictionary to which this condition applies.
Description An optional text field to enable you to enter descriptive information about this condition
and the categories/subcategories it contains.
Match type Choose from:
• Simple strings
• Regular expressions
Applies to
Set to Everything by default. Click to open the Applicable File Formats dialog box to choose the
categories and subcategories to which you want the condition to apply.
Term
The term that you want to use for the condition.
Option definitions — AND Condition
This information describes the options available on this dialog box.
Option
Definition
Match type Choose from:
• Simple strings
• Regular expressions
Applies to Set to Everything by default. Click to open the Applicable File Formats dialog box to choose the
categories and subcategories to which you want the condition to apply.
Term
The term that you want to use for the condition.
Option definitions — Edit Regular Expression
This information describes the options available on this dialog box.
Table 4-144 Option definitions — Edit Regular Expression
Option
Definition
Term
Enter the regular expression to be used to match content within the searched
documents.
Test
Click the Test button to launch the Regular Expression Test Interface (see separate table
below)
Case sensitive Select to make the regular expression search case sensitive.
Description
Enter optional descriptive text for this regular expression.
Table 4-145 Option definitions — Regular Expression Test Interface
Option
Definition
Regular Expression
The regular expression entered in the Edit Regular Expression dialog box
is displayed.
Case sensitive
Select to make the matching case sensitive.
Input text to test the Regular
Expression
Copy and paste, or type in some text that you want to be detected
by the regular expression.
Matches
Information about the way the regular expression finds matches
within the inputted test text is given.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
295
4
Overview of Email menu
Encryption
Encryption
The Encryption pages enable you to set up McAfee Email Gateway to use the supported encryption
methods to securely deliver your email messages.
Email | Encryption
The McAfee Email Gateway includes several encryption methodologies, and can be set up to provide
encryption services to the other scanning features, or can be set up as an encryption-only server used
just to encrypt email messages.
Contents
Types of Encryption
Secure Web Mail
S/MIME
PGP encryption
TLS
Secure Web Mail Branding
Task — Encrypt all email that triggers against the HIPAA compliance dictionaries
Task — Use S/MIME to encrypt all email to a specific target domain
Task — Deliver all email from a specific customer using S/MIME encryption
Task — Use PGP to encrypt all email messages
Task — Deliver all email from a specific customer using PGP encryption
Types of Encryption
Information about the types of encryption methods that are available on the McAfee Email Gateway.
McAfee® Email Gateway includes several different encryption methods to enable you to configure your
appliance to best match your existing email and network topography. These can be divided into the
following groups:
Server-to-server encryption
Server-to-server encryption, as its name suggests uses encryption to secure the transmission of email
messages between email servers. Many different methods of securing the server-to-server traffic are
available. McAfee Email Gateway can be configured to use the following methods to secure the
server-to-server link:
•
Transport Layer Security
•
S/MIME
•
PGP
Secure Web Mail
You cannot always guarantee that the email messages being sent from within your organization will be
going to a secure destination email server.
In this circumstance, you can still send secure messages by using the Secure Web Mail options built
into McAfee Email Gateway.
You can use two methods of Secure Web Mail; push delivery and pull delivery.
Pull delivery
296
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Encryption
With pull delivery, the secure email message is stored on the McAfee Email Gateway, and, after
receiving a notification, the end user must log into their Secure Web Mail account and "pull" the
message from the McAfee Email Gateway.
Advantages of Pull delivery include:
•
Good access to the message from hand-held devices.
•
Works well with low-bandwidth connections.
•
Can be used to transmit files that are larger than many email server limits.
•
Messages only cross the network once.
Disadvantages of Pull delivery include:
•
The McAfee Email Gateway has limited storage space, so the longevity of the message is limited.
•
Messages cannot be accessed if the McAfee Email Gateway is offline.
Push delivery
With push delivery, the end user is sent a notification that contains the encrypted message as an
attachment — the encrypted message is "pushed" to the end users' email system.
To read the message, the user needs to log onto the McAfee Email Gateway. During this process, the
encrypted message is returned to the McAfee Email Gateway where it is decrypted. The decrypted
message is then viewed by the end user in a secure browser.
Advantages of Push delivery include:
•
As the encrypted messages are stored on the end users' email system, the longevity of the
message is unlimited.
•
The McAfee Email Gateway handles all the encryption key and certificate generation for each
recipient.
•
The message is secure, as only the McAfee Email Gateway can decrypt the message.
Disadvantages of Push delivery include:
•
Push delivery of secure email messages does not work well on handheld devices.
•
Messages must cross the network three times to be read.
•
Does not work well on low-bandwidth connections.
•
With a large number of end users concurrently accessing their secure messages, the CPU load on
the McAfee Email Gateway can be high.
•
Messages cannot be accessed if the McAfee Email Gateway is offline.
Secure Web Mail
Use this information to understand Secure Web Mail, and to know how to configure your McAfee Email
Gateway to deliver messages securely.
When a secure server-to-server connection cannot be made, it is still possible to deliver email
messages securely. This can be particularly useful when sending confidential information to end users
that may not be using secure email servers.
McAfee Email Gateway can be configured to use both push and pull delivery methods to securely
deliver email messages.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
297
4
Overview of Email menu
Encryption
Contents
Supported browsers for Secure Web Mail
Secure Web Mail — Basic Settings
Secure Web Mail — User Account Settings
Secure Web Mail — User Management
Secure Web Mail — Password Management
Message Management
Certificates
Supported browsers for Secure Web Mail
Discover the browsers that are supported by the Secure Web Mail Client within McAfee® Email
Gateway.
Within McAfee® Email Gateway, the Secure Web Mail Client supports sending Secure Web Mail to end
users accessing their secure email from several desktop browsers and mobile operating systems
Table 4-146 Compatible desktop browsers for Secure Web Mail
Browser
Version
Microsoft Internet Explorer
7, 8, 9
Mozilla Firefox
3.6, 4, 5, 6
Apple Safari
4, 5
Table 4-147 Compatible operating systems for accessing Secure Web Mail using mobile
devices
Operating System
Version
Android
2.1, 2.2, 2.3
Apple iOS
iPhone 3GS/ iPhone 4
Blackberry OS
6
webOS
1.4
Symbian S60
5th Edition
Windows Phone
7
Secure Web Mail — Basic Settings
Use this information to understand the basic settings needed to configure Secure Web Mail.
Email | Encryption | Secure Web Mail | Basic Settings
Benefits of configuring Secure Web Mail
Learn about the benefits of configuring your McAfee Email Gateway to allow the Secure Web Mail of
email messages.
Depending on the industry in which you engage, you may be bound by particular laws and rules about
the transmitting of private information.
One example of this is the Privacy rule within the Health Insurance Portability and Accountability Act
(HIPAA) in the United States of America. This rule contains regulations relating to the use and
disclosure of Private Health Information (PHI), and care must be taken not to violate this rule by
sending PHI above that required for the specific need, or to send information in a format that could be
easily intercepted and read by unauthorized persons.
298
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Encryption
McAfee Email Gateway assists you by enabling compliance policies that meet the requirements of
many of the laws and rules requiring the safeguarding of data. Having scanned your outgoing email
messages against the in-built compliance libraries to identify if the content of your email message
breaches any of the relevant libraries, the McAfee Email Gateway can take specified actions, such as
using a secure delivery method to attempt the delivery of the message.
Most methods for the secure delivery of email messages rely on both the sending and the receiving
email servers using the same encryption methods, such as S/MIME, PGP or SSL/TLS encryption.
Although your McAfee Email Gateway can be configured to use these encryption methods, these
settings are of no use if the receiving email server is not configured to also use encryption.
In this circumstance, McAfee Email Gateway uses Secure Web Mail to notify the recipient that an
encrypted message has been sent to them, and provides the information that they need in order to
set up a secure connection to the McAfee Email Gateway so that they can retrieve the message using
Secure Web Mail.
Using Secure Web Mail also gives other benefits, including:
•
The messages are formatted so that they can be easily read on handheld devices.
•
The messages are delivered using low bandwidth connections.
•
Large messages can be delivered without hitting the typical email server size limitations.
Option Definitions for Basic Settings
Understand the options available for configuring the basic settings for Secure Web Mail.
Option definitions — Enabled
Option
Definition
Enable the Secure Web Mail
Client
Select this to enable the Secure Web Mail Client on your McAfee Email Gateway.
After enabling the Secure Web Mail Client, configure your Email Policies to set
the triggers for using this feature.
Scan messages composed in
the Secure Web Mail Client
Select to force all messages composed from within the Secure Web Mail Client to
be scanned for malicious content.
Secure Web Mail host name
Enter the hostname for the appliance.
When configuring a cluster of appliances, or when configuring a blade
server, ensure that you use the DNS host name associated with the virtual
IP address that is shared by the master and failover devices.
Option definitions — Locale
Option
Definition
Default locale Select the default language that is to be displayed within the email notifications.
Once the end user receives their Secure Web Mail: Welcome message and clicks to activate
their account, they are able to select their own preferred language.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
299
4
Overview of Email menu
Encryption
Option definitions — Contact Details
Option
Definition
Postmaster name
Use this field to define the email address that is added to the notification
messages received by the end user.
User the postmaster
address as the support
contact
By default, the end user will request support using the postmaster address
details.
Support contact address
If you choose to define a separate support contact for your end users, enter
the Support contact address that the end users will see.
Support contact name
If you choose to define a separate support contact for your end users, enter
the Support contact name that the end users will see.
By de-selecting this option, you can then define a Support contact address and
Support contact name.
Option definitions — Branding
Within Secure Web Mail, you can create themes and notifications based around your company style and
logo, so that the recipients of the email messages are aware of your organization.
Option
Definition
Theme
Select the theme that the und users will see when logging into Secure Web Mail.
Create themes in Email | Encryption | Branding to add them to this drop-down list.
Notification
messages
Select the notification branding that the und users will see when they receive a
Secure Web Mail notification.
Create customized notifications in Email | Encryption | Branding to add them to this
drop-down list.
Secure Web Mail — User Account Settings
Understand the user account settings needed to configure Secure Web Mail.
Email | Encryption | Secure Web Mail | User Account Settings
Benefits of setting up encryption user accounts
This information describes the benefits of creating encryption user accounts.
To provide secure delivery of email messages using the Secure Web Mail Client, you must first
configure the user account settings within your McAfee Email Gateway. These options enable you to
specify if your McAfee Email Gateway digitally signs the notification emails, and if users are allowed to
auto-login to the Secure Web Mail Client.
You can specify parameters relating to both the PULL and PUSH methods of delivering email
messages, including configuring the maximum message sizes and other method-specific parameters.
Additionally, you can configure how you allow the end users to read and compose email messages
using the Secure Web Mail Client.
300
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Encryption
Option Definitions for Secure Web Mail — User Account Settings
This information describes the options available on this page.
Option definitions — Enrolment and Notification
Option
Definition
Enable auto-enrolment
With Enable auto-enrolment selected, a user will automatically have a Secure
Web Mail account created on the McAfee® Email Gateway if an email is
delivered to them through the McAfee® Email Gateway that triggers a rule
that enforced encryption.
Selected by default.
Digitally sign outgoing
notifications
By default, all outgoing Secure Web mail notifications are digitally signed by
the McAfee® Email Gateway.
Use HTML rather than plain
text for notifications
By default, all Secure Web Mail notifications are sent in HTML format.
However, to conserve bandwidth, you can deselect this option to form plain
text notifications.
Option definitions — Message Encryption – PULL Messages
Option
Definition
Allow messages to be
stored on the gateway
(PULL messages)
Set message parameters for messages stored on the gateway:
• Maximum message size. Messages that exceed this size cannot be sent using the
PULL mechanism.
• Expiry time for read messages. Set the time that each message will be stored on the
appliance after it has been read.
• Expiry time for unread messages. Set the time that each message will be stored on the
appliance in its unread state.
• Warning period for expiring messages. Configure when a warning will be sent to the
user informing them that the message is about to expire.
Notify recipients of
unread PULL
messages
Choose whether to notify recipients of unread messages sent using the PULL
method of encryption delivery.
When selected, you can also configure the Interval between notifications in days.
You can also specify a time period between unread message notifications.
Option definitions — Message Encryption – PUSH Messages
Option
Definition
Allow messages to be stored on
end users' systems (PUSH
messages)
Set message parameters for messages stored on end users' systems:
Maximum message size. Messages that exceed this size cannot be sent using
the PUSH mechanism.
Follow the link to configure the encryption and escrow certificates to use
for PUSH messages.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
301
4
Overview of Email menu
Encryption
Option definitions — Reading and Composing Email
Option
Definition
Allow the user to
Set the actions that the user can take on encrypted messages:
• Print messages
• Reply to messages
• Compose new messages
• Bcc messages
• Forward messages
Maximum message size (including
attachments)
Set to 1MB by default.
Restrict the generated Secure Web Mail notifications to plain text rather than
HTML
Use this task to send notification messages in plain text.
Task
1
Click Email | Encryption | Secure Web Mail | User Account Settings.
2
Deselect Use HTML rather than plain text for notifications.
3
Apply the changes.
All Secure Web Mail notification messages are sent in plain text.
Task — Restrict Secure Web Mail encryption to be push only
Use this task to have encrypted messages to be stored on end user's systems.
Task
1
Click Email | Encryption | Secure Web Mail | User Account Settings.
2
In Message Encryption - PULL Messages, deselect Allow messages to be stored on the gateway.
3
In Message Encryption - PUSH Messages, select Allow messages to be stored on end users' systems.
4
Apply the changes.
Secure Web Mail — User Management
Manage the Secure Web Mail end-users accounts on your McAfee Email Gateway.
Email | Encryption | Secure Web Mail | User Management
Benefits of managing end user accounts
Understand the benefits of managing the end user accounts on your McAfee Email Gateway.
When using Secure Web Mail to ensure that your end users can securely receive encrypted messages,
you will need to create, lock, unlock or delete these end user accounts from your McAfee Email
Gateway.
Some of the situations where you need to use these features include:
302
•
Infrequent users of the Secure Web Mail system forgetting their passwords, and contacting the
configured support email address requesting help.
•
Users who have expired passwords, needing to have their accounts reactivated.
•
End users that request that their accounts are removed from your servers.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Encryption
Option definitions — User Management
Manage the Secure Web Mail end user accounts on your McAfee Email Gateway.
User Search
Option
Definition
Email address
To search for a particular Secure Web Mail end user, enter a full or partial email
address, and click Search.
All user accounts matching your search are displayed in the User Search table.
You can refine your search using the options in the Status drop-down menu.
For the selected
users
• Reset account — Sends an Email notification to the recipient so that they can reset
their password and unlock their account
• Lock Account — Prevents the user from accessing their account
• Delete Account — Deletes the account and all the user's messages
Domain
Displays all unique domains that use Secure Web Mail.
Refresh
Refreshes the domain list.
User Creation
Option
Definition
Email address Enter the email address for the end user account you are creating.
Create
After entering and confirming the email address for the end user account, click Create.
The new user account information is displayed in the User Search table.
Task — Manage specific Secure Web Mail user accounts
Use this task to .
Task
1
Email | Encryption | Secure Web Mail | User Management
2
In User Search, add the email address of the user whose account you wish to lock, such as
user@example.domain.com and click Search.
Displays the status of the account, including information such as the number of read and unread
messages, and the last time that user logged in, and provides a status of the account. The number
of read and unread messages is updated every 15 minutes.
3
Select the email address, and in For the selected users, select Lock account, then click Perform action.
The next time you search for this user, the account shows its Status as Locked.
To unlock the account, select it, and click Reset account.
Secure Web Mail — Password Management
Configure your end-user password management settings for Secure Web Mail.
Email | Encryption | Secure Web Mail | User Management
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
303
4
Overview of Email menu
Encryption
Benefits of using passwords to get encrypted messages
Understand why correctly setting the end user password complexity, frequency of change and the
change process is important in maintaining the security of Secure Web Mail.
To ensure that the email messages sent using the Secure Web Mail Client software are only read by
the intended recipient, the end user needs to set up an account on the McAfee Email Gateway. As with
many accounts administered over the internet, this requires that the end user has a username (the
email address) and a password set up.
Using a suitable password ensures that encrypted messages cannot be read by people other than the
intended recipient.
McAfee Email Gateway allows you to define a suitable end user password policy, which includes
specifying how complex you require the chosen passwords to be, how long each password is valid for
and the process required to update existing passwords.
A complex password is more secure than a very simple one, but is more likely to create a greater
volume of "forgotten password" reset requests from your end users. Therefore, you need to decide the
balance between complex passwords that are likely to generate lots of reset requests, and simpler
passwords that will require less maintenance.
Option Definitions for Secure Web Mail — Password Management
This information describes the options available on this page.
Option definitions — Password Complexity
Option
Definition
Minimum length
Select the minimum length that you will allow for end-user passwords. Longer
passwords are more secure, but may result in more calls to your support address as
end users find them more difficult to remember.
Minimum number of Specify the minimum number of alphabetical characters to be used within the end
ALPHA characters
users' passwords.
To increase security, you can also Require a mixture of upper and lowercase characters to be
used.
Minimum number of The more different types of characters that may be used within an end users'
DIGIT characters
password, the more secure that password can be made.
Forcing your end users to use numbers within their passwords improves the
security of the passwords.
Minimum number of The more different types of characters that may be used within an end users'
SPECIAL characters password, the more secure that password can be made.
Forcing your end users to use special characters within their passwords improves
the security of the passwords.
Special characters are non-alphanumeric characters such as underscores (_),
hyphens (-) and other punctuation.
304
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Encryption
Option definitions — Password Change Control
Option
Definition
Enable password expiry
Decide whether your end users will need to periodically renew their
passwords.
Specify the Password lifetime in days, and also the Grace period they are allowed
before the Password lifetime, during which they are allowed to still log into the
Secure Web Mail system, but are then forced to change their password.
Enable password expiry
reminders
Choose if you want your end users to be notified that their passwords are due
to expire. Also, select the required Interval between reminders.
Number of recent
passwords to disallow
Use this field to prevent end users from re-entering their previous passwords.
Minimum interval between
password changes
Specify any limits you want to place on the frequency with which end users
can change their passwords.
Option definitions — Challenge / Response
Option
Definition
Enable challenge / response
Choose whether you want users to reset passwords without going through
any security questions.
Number of answers held
against a user
Set the number of potential answers a user must provide to set up their
challenge response questions.
To provide secure password changing, McAfee recommends at least 5
challenge response questions are used.
Number of questions to ask a When challenge response is enabled, set how many questions each user
user
must answer correctly to pass the security check.
To provide secure password changing, McAfee recommends at least 2
challenge response questions are asked of the end-user.
Message Management
The Message Management options provide information about the number of messages stored on your
system, and the disk space you have available so you can remove some if necessary.
Email | Encryption | Secure Web Mail | Message Management
The page is divided into these sections:
•
Statistics
•
Purge Messages
Benefits of Message Management
Use the Message Management options to find out how many messages are stored and remove any if
necessary.
Messages are categorized into Read, Unread, and Draft, and the amount of available disk space is
shown, allowing you to choose whether you need to remove some messages. Messages can removed
dependent on their type, or their age.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
305
4
Overview of Email menu
Encryption
Option definitions — Message Management
See the number of messages stored by type, and choose any that you want to remove.
Option
Definition
Statistics
Shows the number of read, unread, and draft messages and the amount of available
disk space.
Purge Messages Choose the messages that you want to remove:
Messages to delete:
• All
• One or more of
• Read messages
• Unread messages
• Draft messsages
Older than x number of:
• Days
• Weeks
• Months
Certificates
Use this page to specify the contents of a self-signed digital certificate for the appliance.
Email | Encryption | Secure Web Mail | Certificates
To create a certificate that is signed by a Certification Authority, generate a Certificate Signing
Request, and import the signed certificate.
Useful web sites
ISO 3166: http://www.iso.org/iso/country_codes.htm
Benefits of using certificates with the appliance
This information describes the benefits of using certificates on your McAfee® Email Gateway to transfer
email securely.
Certificates allow the traffic from your McAfee® Email Gateway to be trusted by other systems. They
typically have a lifetime of several months or years, so they do not need to be managed often.
Option definitions — Certificates
View information about certificates stored on your McAfee Email Gateway.
The following information applies to the Web Client HTTPS Certificate and the Notification Signing Certificate.
Option
Definition
Country [C]
Specifies a two-letter code such CN, DE, ES, FR, JP, KR. (See ISO 3166)
Default value is US.
State or province [ST]
Town or city [L]
306
Specifies the location of your organization. Give a full name rather than an
abbreviation.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Encryption
Option
Definition
Organization [O]
Specifies the name of your organization such as Example, Inc.
Organizational unit [OU]
Default value is Email Gateway.
Common name [CN]
Displays the domain name of your appliance such as server1.example.com
Email address [ea]
Specifies an email address, for example aaa@mcafee.com
View
Click to view the certificate details.
Import
When clicked, opens a window where you can specify the file.
To import a password-protected certificate, type the passphrase to unlock the
private key. The appliance stores the decrypted certificate in a secure internal
location.
The appliance only verifies the certificate, and makes it available to use, after
you click the icon to apply your changes:
Export
When clicked, opens a window where you can specify a passphrase, then
download a file. The file name extension is CRT (base-64 encoded) or P12
(PKCS#12). The certificate is in PEM format.
Generate Certificate
Signing Request
When clicked, opens a window where you can request that the Certificate
Signing Request is signed by a Certificate Authority on the appliance or by an
external Certificate Authority. The file name extension is CSR.
Regenerate
When clicked, you are prompted to confirm that you want to regenerate the
certificate and private key.
Entries in the Option fields determine the information that appears in a subsequent certificate signing
request (CSR).
•
For internally self-signed certificates, the information is used to regenerate the certificates.
Subsequent viewing of these certificates reflect the changes, along with new “valid to” and “valid
from” dates.
•
For externally signed certificates, changing the option settings has no immediate effect on the
viewable certificate details. You must regenerate the CSR, have it externally signed, and then
import it in order to see the changed information.
The View link opens the Certificate Details window, containing the detailed information about the
certificate.
S/MIME
Understand how McAfee Email Gateway uses S/MIME to provide encrypted delivery of email messages.
Email | Encryption | S/MIME
Contents
S/MIME — S/MIME Encryption Certificate
S/MIME — Sending Email
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
307
4
Overview of Email menu
Encryption
S/MIME — S/MIME Encryption Certificate
Use this information to understand the settings needed to configure your S/MIME Encryption
Certificate.
Email | Encryption | S/MIME | S/MIME Encryption Certificate
Benefits of using S/MIME certificates
Use S/MIME certificates to send and receive server-based messages when the receiving server will not
accommodate a secure session.
Using S/MIME certificates, McAfee Email Gateway checks each incoming message to see if it is an S/
MIME message. If it is, Email Gateway checks for a key to decrypt the message. If the key exists, the
message is decrypted; if not, it is treated as a normal message.
Before you can use the S/MIME features, you must obtain and install your individual S/MIME certificate.
You can obtain it from either your in-house certificate authority (CA) or a public CA.
Option definitions — S/MIME Encryption Certificate
Information about the encryption certificates used for S/MIME transmission of email messages.
Option
Definition
Country [C]
Specifies a two-letter code such CN, DE, ES, FR, JP, KR. (See ISO 3166)
Default value is US.
Town or city [L]
Specifies the location of your organization. Give a full name rather than an
abbreviation.
Organization [O]
Specifies the name of your organization such as Example, Inc.
Organizational unit [OU]
Default value is Email Gateway.
Common name [CN]
Displays the domain name of your appliance such as server1.example.com
Email address [ea]
Specifies an email address, for example aaa@mcafee.com
Import
When clicked, opens a window where you can specify the file.
State or province [ST]
To import a password-protected certificate, type the passphrase to unlock the
private key. The appliance stores the decrypted certificate in a secure internal
location.
The appliance only verifies the certificate, and makes it available to use, after
you click the icon to apply your changes:
Export
When clicked, opens a window where you can specify a passphrase, then
download a file. The file name extension is CRT (base-64 encoded) or P12
(PKCS#12). The certificate is in PEM format.
Generate Certificate
Signing Request
When clicked, opens a window where you can request that the Certificate
Signing Request is signed by a Certificate Authority on the appliance or by an
external Certificate Authority. The file name extension is CSR.
S/MIME — Sending Email
Understand the settings needed to configure your S/MIME Sending Email options.
Email | Encryption | S/MIME | Sending Email
308
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Encryption
4
Option Definitions — Sending Email
Specify and view the S/MIME information needed for sending email using S/MIME.
Option
Definition
Escrow certificate
Select from the available certificates.
When you have selected a certificate, click View certificate to see the
information within it.
Message encryption
algorithm
Select from the available algorithms.
Selecting a larger key size is more secure, but will be slower each time the
algorithm is used.
S/MIME Encryption
Certificates for External
Domains
See the currently stored S/MIME Encryption Certificates for External Domains.
You can add or delete domains from this list , or view the certificates
provided by each domain.
Use Filter to help find a particular certificate
Domain
Lists the domain to which each S/MIME encryption certificate applies.
S/MIME Certificate
Shows detail about the S/MIME encryption certificate.
Add Domain
Add a new external domain to the list.
View Certificate
View information about the selected S/MIME encryption certificate.
Delete Selected Domains
Delete the selected domains and their S/MIME encryption certificates.
Manage S/MIME Encryption
Certificate
Click to move to Email | Certificate Management | Certificates | S/MIME Encryption
Certificates.
PGP encryption
Understand how McAfee Email Gateway uses PGP to provide encrypted delivery of email messages.
Email | Encryption | PGP
Contents
PGP — PGP Encryption Key
PGP — Sending Email
PGP — PGP Encryption Key
Understand the options available for the PGP encryption keys.
Email | Encryption | PGP | PGP Encryption Key
Benefits of using PGP encryption
PGP encryption is a data encryption/decryption system that provides cryptographic privacy and
authentication for data communication.
PGP is used by many companies to sign, encrypt and decrypt email messages. PGP encryption uses
combinations of methods of cryptography, file compression and other operations, each of which can
use a variety of different algorithms. PGP includes the use of public key encryption, bound to a user
name and/or an email address, and private key encryption, maintained in secret, to encrypt outgoing
messages and decrypt incoming messages.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
309
4
Overview of Email menu
Encryption
Option definitions — PGP Encryption Key
Information about the PGP encryption keys.
Option
Definition
Displayable name A user-editable field, allowing you to choose the name that is displayed for this
encryption key.
Comment
A user-editable field, allowing you to choose a comment for this encryption key.
Email address
The email address associated with this encryption key.
View
Click to display the content of the encryption key.
Import
Click to open the Import Certificate and Key dialog box where you an upload a certificate to
the appliance, and add a passphrase to open a private key.
Export
Click to open the Certificate and Key Export dialog box where you can choose whether you
want to export with no private key, or export a complete chain, and the format of key
that you want to export.
Regenerate
Click to regenerate the PGP public and private keys, using the information on this
page.
PGP — Sending Email
Understand the options available for PGP sending email.
Email | Encryption | PGP | Sending Email
Benefits of using PGP — Sending Email
You can manage the PGP Encryption Keys from external domains that are installed on your McAfee
Email Gateway.
Manage the PGP Encryption Keys stored on your McAfee Email Gateway.
Option definitions — Sending Email
Manage installed PGP keys.
Option
Definition
Escrow key
Select from the available keys.
When you have selected a key, click View key to see the information within it.
PGP Encryption Keys for
External Domains
See the currently stored PGP Encryption Keys for External Domains.
You can add or delete domains from this list , or view the certificates
provided by each domain.
Use Filter to help find a particular key.
310
Domain
Lists the domain to which each PGP encryption key applies.
PGP Key
Shows detail about the PGP key.
Add Domain
Add a new external domain to the list.
View Key
View information about the selected PGP key.
Delete Selected Domains
Delete the selected domains and their PGP Encryption Keys.
Manage PGP keys
Click to move to Email | Certificate Management | Certificates | PGP Encryption Keys
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Encryption
TLS
Use this page to specify how devices use encrypted communications and to manage their digital
certificates.
Email | Encryption | TLS
Import the trusted Certificates Authorities and certificates from the participating organizations before
you begin this configuration. RSA keys can be used both for encryption and for signing. DSA keys can
be used for signing only.
How Transport Layer Security (TLS) works
Use this information to understand how Transport Layer Security (TLS) works.
Transport Layer Security works by communicating a set of parameters — known as the handshake —
at the start of the connection process. Once these parameters have been defined, the communications
that follow within that session are secure, in that they cannot be decoded by servers that did not
partake in the handshake conversation. The process includes steps to discuss the ciphers to be used
during the communications, and also authentication steps to prove the identity of the servers taking
part in the communications.
The handshake process includes the following main steps:
•
The McAfee Email Gateway requests a secure connection to the receiving email server and presents
a list of cipher suites to the receiving email server.
•
The receiving email server then selects the strongest supported cipher from that list, and then
notifies the McAfee Email Gateway of the chosen cipher.
•
The servers then use Public Key Infrastructure (PKI) to establish their authenticity. This is achieved
by the exchanging of digital certificates. On occasions, these digital certificates may be validated
against the Certificate Authority (CA) that issued the certificates.
•
Using the server's public key, McAfee Email Gateway generates a random number as a session key,
and sends it to the receiving email server. The receiving server then decrypts this session key using
its private key.
•
Both the McAfee Email Gateway and the receiving email server then use this encrypted session key
to set up communications, completing the handshake process.
Once the handshake has been completed, the secure connection is used to transfer the email
messages. The connection remains secure until the connection is closed.
Enforcing inbound TLS using the sender address
The Email Gateway appliance can act as the server for inbound email, supporting forced and
opportunistic TLS security. To avoid using the ehlo domain to enforce TLS, configure TLS to user the
sender's envelope address to determine if TLS should be enforced. Select the TLS enforcement option
under TLS Options (Advanced).
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
311
4
Overview of Email menu
Encryption
TLS Connections
Use this area to define hosts that use TLS encryption.
Table 4-148 Option definitions — When receiving email (gateway is acting as server)
Option
Definition
Client Domain / Subnet
Displays the details, such as:
• 192.168.200.254/24
• 192.168.200.254/255.255.255.0
• server1.example.net
• *.example.net
Use TLS
Always — rejects email from participating organizations if their communication
does not try to start encryption.
Never — configure connections to the source server to never use TLS encryption.
When available — if available, the connection uses TLS encryption.
Authenticate Client
Specifies whether the other device must also authenticate.
Server Certificate
Selects the certificate to use for this TLS Connection.
The name is one of the certificate IDs from the Certificate Management section .
Add Domain
Enables you to specify new domains that are to use TLS.
View Certificate
View the TLS certificate for the selected domains.
Delete Selected Domains Remove the selected domains from the list.
Table 4-149 Option definitions — When sending email (gateway is acting as a client)
Option
Definition
Server Domain / Subnet
Displays the details, such as:
• 192.168.200.254/24
• 192.168.200.254/255.255.255.0
• server1.example.net
• *.example.net
Use TLS
Always — rejects email from participating organizations if their communication
does not try to start encryption.
Never — configure connections to the source server to never use TLS encryption.
When available — if available, the connection uses TLS encryption.
Authenticate Self
Specifies whether the client must verify itself to the recipient before sending
email. The client then needs its own certificate.
Client Certificate
Selects the certificate to use for this TLS Connection.
The name is one of the certificate IDs from the Certificate Management section.
Add Domain
Enables you to specify new domains that are to use TLS.
View Certificate
View the TLS certificate for the selected domains.
Delete Selected Domains Remove the selected domains from the list.
Table 4-150 Option definitions — Manage TLS certificates and keys
Option
Definition
Manage TLS certificates and keys Click to jump to Email | Certificate Management | Certificates | TLS Certificates and
Keys.
312
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Encryption
TLS options (advanced)
Use this area to specify the type of ciphers for TLS encryption.
Table 4-151 Option definitions
Option
Definition
Cipher strength
Provides a choice of cipher strengths.
By default, ciphers with a full range of strengths are supported. If necessary, the
range of supported cipher strengths can be limited to 128-bit or greater.
Allow no encryption
If selected, ciphers without encryption are supported. McAfee does not
recommend using unencrypted TLS connections, so this setting is disabled by
default.
Allow anonymous key
exchange
If selected, ciphers without authentication are supported. McAfee does not
recommend using unauthenticated TLS connections, so this setting is disabled
by default.
When unauthenticated ciphers are supported, some destination servers might
choose these ciphers in preference to authenticated ciphers.
If selected, the appliance will enforce TLS using the sender's envelope address
rather than the ehlo address for inbound email.
TLS enforcement
Secure Web Mail Branding
Understand how to configure the branding for the Secure Web Mail features.
Email | Encryption | Branding
Benefits of the Secure Web Mail branding settings
Use the Branding page to define the content and appearance of notification messages and the
appearance of the Secure Web Mail Client user interface.
The default theme cannot be edited. Click Copy Item to to create a customized theme or notification based
on the currently active item.
•
Specify images that appear as the logo for the desktop client, logo for the mobile client, and the
favorites icon icon.
•
View real time changes to the branding that you make in the previews available.
•
Customize the product name that's displayed, or that is presented to the user as either a text
string, or an image.
•
Edit notification messages and view your changes immediately within the right hand screen.
Description of tokens used in Secure Web Mail notifications
When you configure Secure Web Mail, notification messages are sent to customers. Within these
notification messages, tokens are used to provide relevant information.
Table 4-152
Tokens used in Secure Web Mail notifications
Notification
Token
Description
Welcome
GATEWAY
The fully qualified DNS name of the appliance.
ACTIVATE_LINK
URL link used to activate the account.
GATEWAY
The fully qualified DNS name of the appliance.
Account activated
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
313
4
Overview of Email menu
Encryption
Table 4-152
Tokens used in Secure Web Mail notifications (continued)
Notification
Token
Description
LOGIN_LINK
URL link used to sign into the account.
SUBJECT
The original subject of the message.
SENDER
The email address of the sender of the message.
GATEWAY
The fully qualified DNS name of the appliance.
PULL_MESSAGE
A section inserted if this is a PULL (or PUSH/PULL)
message.
PUSH_MESSAGE
A section inserted if this is a PUSH (or PUSH/
PULL) message.
(PULL_MESSAGE
token)
PULL_LINK
URL link used to read a specific "PULL" message.
(PULL_MESSAGE
token)
DAYS_LEFT
The days left for which a PULL message will be
held on the appliance, before being aged out.
(PUSH_MESSAGE
token)
PUSH_FILE
The name of the attached HTML file which is used
to POST the encrypted PUSH message back to the
appliance for reading. This file name is
SecureMessage.html.
Message read
RECIPIENT
The email address of the original message
recipient.
SUBJECT
The original subject of the message.
DATE_SENT
A localized string containing the date and time the
message was sent.
DATE_READ
A localized string containing the date and time the
message was read by the recipient.
REPORT_FILE
The name of the attached report text file. This file
name is report.txt.
GATEWAY
The fully qualified DNS name of the appliance.
NUM_MESSAGES
Numeric count of the number of unread PULL
messages held on the appliance.
GATEWAY
The fully qualified DNS name of the appliance.
Message received
Unread messages
UNREAD_MESSAGE_LIST Inserts a table of unread message details.
Password reset
requested
GATEWAY
The fully qualified DNS name of the appliance.
REQUEST_EMAIL
The email address of the person who has
requested the resetting of the password. (either
the account owner or the support contact)
PASSWORD_RESET_LINK URL link used to reset the account password.
Password reset
GATEWAY
The fully qualified DNS name of the appliance.
LOGIN_LINK
URL link used to sign into the account.
GATEWAY
The fully qualified DNS name of the appliance.
LOGIN_LINK
URL link used to sign into the account.
DAYS_LEFT
Numeric count of the number of days left before
the account gets locked.
Account locked
GATEWAY
The fully qualified DNS name of the appliance.
Disclaimer text
<none>
Password expiring
314
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Encryption
Table 4-152
Tokens used in Secure Web Mail notifications (continued)
Notification
Token
Description
Support contact
SUPPORT_EMAIL
The email address of the support contact.
(configured in email - encryption - basic settings)
Footnote
<none>
Copyright notice
YEAR
Offline notice
<none>
The current year as per the appliance's clock.
Option definitions — Branding
Define the appearance and content of notification messages that users receive regarding their Secure
Web Mail Client account.
The default theme cannot be edited or removed.
Edits are saved when you change selection.
Option
Definition
Name
The name of the theme.
Usage
Displays the number of times a theme or notification message is used.
Notification
messages
Displays the notification messages that you have created. Click Default notification set to
view all default messages.
Click on the notification on the left to get an expanded palette of all the notification
messages, and other available components such as disclaimers. The notification
contains a text area to edit content and a drop down list that allows you to insert
tokens. Some messages contain tokens that can be edited.
On the right hand screen, the content is updated to reflect your current selection. Also
on the right is a language picker to choose a different language. The language is one
of the basic settings of the virtual host. To change language, go to virtual host to
change the language that users will see.
Edits are saved when you change selection.
Copy Item
Click to create a new notification theme based on the currently active theme.
Delete Item
Remove an unused theme.
Desktop
Preview /
Mobile Preview
View the notification as it appears on a user's desktop or through a mobile phone.
Images
Import the logo that you want to use on the notification, and view how it appears on
the desktop, mobile, and through a browser.
Upload new images through a form submission. Supported file formats for logos and
the favorites icon are .JPEG, .PNG, and .BMP. The .ICO format is also supported for the
favorites icon.
Images are scaled to the appropriate size, and converted to .PNG format for the logos,
and .ICO format for the favorites icon.
The favorites icon should be the same height and width.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
315
4
Overview of Email menu
Encryption
Option
Definition
Product Name
Set whether you want to use text or an image to display the product name.
If you choose to use an image to display the product name, the same upload rules and
supported formats apply as those that apply to Images.
Color Palette
Define the appearance of the notification header and text.
Click on a colored square in the palette to edit a color. Using a color picker, you can
choose from a selection of standard colors, or you can specify the standard color as a
six character HTML hexadecimal string, or as a red/green/blue triplet.
Most recently used custom colors are added to a color palette at the bottom.
Task — Encrypt all email that triggers against the HIPAA
compliance dictionaries
A common use of the encryption features is to configure a policy to only use encryption in particular
circumstances.
This group of tasks show how to configure your McAfee Email Gateway so that email messages are
only sent using encryption when they trigger against the HIPPA complinace dictionaries.
Task — Configure the encryption settings
Configure your McAfee Email Gateway to use encryption.
Task
1
Select Email | Encryption | Secure Web Mail | Basic Settings.
2
Select Enable the Secure Web Mail Client.
3
Select Email | Encryption | Secure Web Mail | User Account Settings.
Recipients are automatically enrolled, and receive a digitally signed notification in HTML format. The
administrator chooses whether to do push and/or pull encryption.
4
Select Email | Encryption | Secure Web Mail | Password Management.
The minimum password length is eight characters. The password expires after 365 days.
Task — Enable Encryption for messages matching a compliance rule
Enable the required encryption features on your McAfee Email Gateway for messages that match a
compliance rule.
In this example, email messages that match the HIPAA Compliance rules will be encrypted.
Task
316
1
Select Email | Email Policies | Compliance.
2
Click Enable compliance, and select Create new rule from template.
3
Search for the HIPAA Compliance rule and select it.
4
Click Next to progress through the wizard.
5
Select the primary action to Allow Through (Monitor).
6
In And also, select Deliver message using encryption.
7
Click Finish, and click OK to close the dialog box.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Encryption
8
Select Email | Email Policies | Policy Options | Encryption.
9
In When to Encrypt, select Only when triggered from a scanner action.
4
10 In On-box Encryption Options, select Secure Web Mail, and click OK.
11 Apply the changes.
Task — Use S/MIME to encrypt all email to a specific target
domain
This group of tasks show how to configure your McAfee Email Gateway so that email messages are
only sent using S/MIME encryption to a specific target domain, and set up encryption certificates.
Task — Set up encryption certificates
Use this information to
Task
1
Click Email | Certificate Management | Certificates | CA Certificates.
2
Import any required certificate.
3
Click Email | Certificate Management | Certificates | S/MIME Encryption Certificates.
4
Import your S/MIME certificate, such as example.<domainname>.com.
5
Click Email | Encryption | S/MIME | Sending Email
6
Click Add Domain, and type example.<domainname>.com.
7
In S/MIME Certificate, select the certificate for example.<domainname>.com that you just imported.
Task — Encrypt all email using S/MIME to a specific target domain
Use this task to set up a policy that uses S/MIME encryption certificates.
Task
1
Click Email | Email Policies | Add Policy....
2
In Policy name, type the name of the policy, such as Recipients for example.domainname.com.
3
Click Add Rule.
4
Select Recipient email address in Rule type.
5
In Match select Is like. In Value, type *@example.<domainname>.com and click OK.
6
In Email direction, select Outbound and click OK.
The policy is created.
7
In the new policy, select Encryption.
8
Deselect Use the same settings as the default policy.
9
In When to Encrypt, select Always.
10 In On-box Encryption Options, select S/MIME and click OK.
11 Apply the changes.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
317
4
Overview of Email menu
Encryption
Task — Deliver all email from a specific customer using S/MIME
encryption
Create a policy to deliver all email received from a particular customer using S/MIME encryption.
Before you begin
Ensure that customer <abc> can use S/MIME to encrypt all email messages to your
organization. Let them know that you will be generating an S/MIME encryption certificate
that they will need to install on their email gateway.
Task
1
Click Email | Encryption | S/MIME | S/MIME Encryption Certificate.
2
Click Export.
3
Select Export the certificate only (no private key).
4
Click Next.
This will generate a self signed certificate.
5
Save the file smime_encryptor_<machinename>.crt by right clicking on the link.
6
Click Finish.
7
Click Email | Email Policies | Policy Options | Encryption.
8
Select Attempt to decrypt S/MIME-encrypted emails in On-box Decryption Options.
9
Send the certificate smime_encryptor_<machinename>.crt to customer <abc>, to use for
encrypting all of their email messages to your organization.
Once the customer successfully configures their email system to use S/MIME encryption with the
certificate you provided, McAfee Email Gateway will automatically decrypt all of the incoming S/MIME
emails from this customer using the private key.
Task — Use PGP to encrypt all email messages
Import a PGP key, and use PGP encryption to encrypt all outbound email messages.
This group of tasks show how to configure your McAfee Email Gateway so that email messages are
only sent using S/PGP encryption to a specific target domain, and set up encryption certificates.
Task — Import the PGP key
Use this task to import a PGP for a specific target domain..
Task
318
1
Click Email | Certificate Management | Certificates | PGP Encryption Keys and import your PGP key, such as
example.<domainname>.com.
2
Click Email | Encryption | PGP | Sending Email
3
Click Add Domain, and type example.<domainname>.com.
4
In PGP Key, select the key for example.<domainname>.com that you just imported.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Encryption
4
Specify when to encrypt outgoing email messages to a target domain with
PGP
Use this task to add a policy that encrypts all messages going a to a specific external domain.
Task
1
Click Email --> Email Policies --> Add Policy....
2
In Policy name, type the name of the policy, such as Recipients for example.domainname.com.
3
Click Add Rule. Select Recipient email address in Rule type.
4
In Match, select Is like. In Value, type *@example.<domainname>.com and click OK.
5
In Email direction, select Outbound and click OK.
The policy is created.
6
In the new policy, select Encryption.
7
Deselect Use the same settings as the default policy.
8
In When to Encrypt, select Always.
9
In On-box Encryption Options, select PGP and click OK.
10 Apply the changes.
Task — Deliver all email from a specific customer using PGP
encryption
Create a policy to deliver all email received from a particular customer using PGP encryption.
Before you begin
Ensure that customer <abc> can use PGP to encrypt all email messages sent to your
organization. Let them know that you will be generating an PGP encryption key that they
will need to install on their email gateway.
Task
1
Click Email | Encryption | PGP | PGP Encryption Key.
2
Click Export.
3
Select Export the public key only (no private key).
4
Click Next.
This will generate a PGP public key.
5
Save the file pgp_encryptor_<machinename>.asc by right clicking on the link.
6
Click Finish.
7
Click Email | Email Policies | Policy Options | Encryption.
8
Select Attempt to decrypt PGP-encrypted emails in On-box Decryption Options.
9
Send the public key pgp_encryptor_<machinename>.asc to customer <abc>, to use for encrypting
all of their email messages to your organization.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
319
4
Overview of Email menu
Certificate Management
Once the customer successfully configures their email system to use PGP encryption with the public
key you provided, McAfee Email Gateway will automatically decrypt all of the incoming PGP emails
from this customer using its private key.
Certificate Management
The Certificate Management pages enable you to configure and view certificates for use with your
appliance.
Email | Certificate Management
Contents
Certificates
Option definitions — Certificate Details dialog box
Certificate Revocation Lists (CRLs)
Certificates
Use the linked pages to view and change important information about the certificates relating to your
appliance.
Email | Certificate Management | Certificates
Contents
CA certificates
TLS certificates and keys
S/MIME
PGP encryption
CA certificates
Use this page to manage digital certificates from Certification Authorities.
Email | Certificate Management | Certificates | CA Certificates
If a yellow exclamation point appears next to the certificate after you click the green checkmark to
apply the change, the certificate is not currently trusted. Import the associated CA certificate before you
use the new certificate.
Description of the icons
Icon
Description
Certificate is valid
Certificate is invalid. For example, the certificate has expired.
320
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Certificate Management
Benefits of using CA certificates
This information describes the benefits to using CA certificates to transfer email securely.
Certificates allow the traffic from your appliance to be trusted by other systems. They are needed for
the secure transfer of email. Over 100 popular certificates from certificate authorities such as Thawte
and Verisign are available. Certificates typically have a lifetime of several months or years, so they do
not need to be managed often.
RSA keys can be used both for encryption and for signing. DSA keys can be used for signing only.
Option definitions - CA Certificates
This information describes the options available on this page.
Option
Definition
Certificate ID
Displays the name of the certificate.
Trusted
Specifies whether a certificate is valid. For example, this option is deselected if
the certificate has expired.
Subject
Displays details about the certificate.
Issuer
Displays the certificate-issuing authority, such as Thawte and Verisign.
Expires
Displays the certificate's expiry date, such as May 15 2010 12:15:00. If this date
has passed, the certificate is not valid.
Delete
When clicked, deletes the selected certificate.
View
When clicked, displays details of the selected certificate.
Export Selected or
Export All
When clicked, opens a browser for saving a file. If you export a single certificate,
the file name includes the certificate ID. The file name extension is crt (for
Base64, PEM) or p7b (for PKCS#7).
Mark All Certificates
As Untrusted
Defines all listed certificates as untrusted.
Import CA Certificate
When clicked, opens another window where you can select a file. The imported
certificate can be in one of these formats:
• Binary (or DER-encoded) certificate file
• PEM (Base64) encoded certificates
• Binary PKCS#7 file
• PEM-encoded PKCS#7 file
The appliance can accept certificate chains and certificates with
password-protected private keys.
The appliance only verifies the certificate, and makes it available to use, after you
click the icon to apply your changes:
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
321
4
Overview of Email menu
Certificate Management
TLS certificates and keys
Use this page to manage digital certificates for the secure transfer of email using Transport Layer
Security (TLS).
Email | Certificate Management | Certificates | TLS Certificates and Keys
When requesting that your TLS certificates be created, McAfee recommends that you include the
hostname and the IP address for the appliance that will be decrypting the TLS-encrypted email. If your
appliance is part of a cluster, and is configured in Transparent Router or Explicit Proxy mode, ensure
that you include the virtual hostname and virtual IP address for your cluster, rather than one of the
physical IP addresses.
Import the trusted Certificates Authorities and certificates from the participating organizations before
you begin TLS configuration. RSA keys can be used both for encryption and for signing. DSA keys can
be used for signing only.
Description of the icons
Icon
Description
Certificate is valid
Certificate is invalid. For example, the certificate has expired.
Benefits of using TLS certificates and keys
This information describes the benefits of using TLS certificates and keys to transfer email securely.
Certificates allow the traffic from your appliance to be trusted by other systems. They typically have a
lifetime of several months or years, so they do not need to be managed often.
Option definitions - TLS Certificates and Keys
This information describes the options available on this page.
322
Option
Definition
Certificate ID
Displays the name of the certificate.
Subject
Displays details about the certificate.
Issuer
Displays the certificate-issuing authority such as Thawte or Verisign.
Expires
Displays the certificate's expiry date, such as May 05 2010 12:15:00.
Delete
When clicked, deletes the selected certificate.
View
When clicked, displays details of the selected certificate, such as its version, issuer,
and public key.
Export
When clicked, opens another window, where you can choose to export the
certificate or a complete certificate chain, and specify the certificate format. The file
name extension is typically CRT.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Certificate Management
Option
Definition
Import Certificate
and Key
When clicked, opens another window where you can select a file. The imported
certificate can be in one of these formats:
4
• Binary (or DER-encoded) certificate file
• PEM (Base64) encoded certificates
• Binary PKCS#12 file
• PEM-encoded PKCS#12 file
To import a password-protected certificate, type the passphrase to unlock the
private key. The appliance stores the decrypted certificate in a secure internal
location.
The appliance only verifies the certificate, and makes it available to use, after you
click to apply your changes:
Configure TLS for
SMTP
Click to jump to Email | Encryption | TLS.
If a yellow exclamation point appears next to the certificate after you click the green checkmark to
apply the change, the certificate is not currently trusted. Import the associated CA certificate before you
use the new certificate.
S/MIME
Understand how McAfee Email Gateway uses S/MIME to provide encrypted delivery of email messages.
Email | Encryption | S/MIME
Benefits of using S/MIME certificates
Use S/MIME certificates to send and receive server-based messages when the receiving server will not
accommodate a secure session.
Using S/MIME certificates, McAfee Email Gateway checks each incoming message to see if it is an S/
MIME message. If it is, Email Gateway checks for a key to decrypt the message. If the key exists, the
message is decrypted; if not, it is treated as a normal message.
Before you can use the S/MIME features, you must obtain and install your individual S/MIME certificate.
You can obtain it from either your in-house certificate authority (CA) or a public CA.
Option definitions — S/MIME Encryption Certificates
This information describes the options available on this page.
Option
Definition
Certificate ID
Displays the name of the certificate.
Subject
Displays details about the certificate.
Issuer
Displays the certificate-issuing authority such as Thawte or Verisign.
Expires
Displays the certificate's expiry date, such as May 05 2010 12:15:00.
Delete
When clicked, deletes the selected certificate.
View
When clicked, displays details of the selected certificate, such as its version, issuer,
and public key.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
323
4
Overview of Email menu
Certificate Management
Option
Definition
Export
When clicked, opens another window, where you can choose to export the certificate
or a complete certificate chain, and specify the certificate format. The file name
extension is typically CRT.
Import Certificate When clicked, opens another window where you can select a file. The imported
certificate can be in one of these formats:
• Binary or base-64 (PEM) encoded certificate
• Binary PKCS#7 file
You can choose to import any CA certificates in the file.
The appliance only verifies the certificate, and makes it available to use, after you click
to apply your changes:
PGP encryption
Understand how McAfee Email Gateway uses PGP to provide encrypted delivery of email messages.
Email | Encryption | PGP
Contents
PGP — PGP Encryption Key
PGP — Sending Email
PGP — PGP Encryption Key
Understand the options available for the PGP encryption keys.
Email | Encryption | PGP | PGP Encryption Key
Benefits of using PGP Encryption
PGP encryption is a data encryption/decryption system that provides cryptographic privacy and
authentication for data communication.
PGP is used by many companies to sign, encrypt and decrypt email messages. PGP encryption uses
combinations of methods of cryptography, file compression and other operations, each of which can
use a variety of different algorithms. PGP includes the use of public key encryption, bound to a user
name and/or an email address, and private key encryption, maintained in secret, to encrypt outgoing
messages and decrypt incoming messages.
Option definitions — PGP Encryption Key
Information about the PGP encryption keys.
Option
Definition
Displayable name A user-editable field, allowing you to choose the name that is displayed for this
encryption key.
324
Comment
A user-editable field, allowing you to choose a comment for this encryption key.
Email address
The email address associated with this encryption key.
View
Click to display the content of the encryption key.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Certificate Management
4
Option
Definition
Import
Click to open the Import Certificate and Key dialog box where you an upload a certificate to
the appliance, and add a passphrase to open a private key.
Export
Click to open the Certificate and Key Export dialog box where you can choose whether you
want to export with no private key, or export a complete chain, and the format of key
that you want to export.
PGP — Sending Email
Understand the options available for PGP sending email.
Email | Encryption | PGP | Sending Email
Benefits of using PGP — Sending Email
You can manage the PGP Encryption Keys from external domains that are installed on your McAfee
Email Gateway.
Manage the PGP Encryption Keys stored on your McAfee Email Gateway.
Option definitions — Sending Email
Manage installed PGP keys.
Option
Definition
Escrow key
Select from the available keys.
When you have selected a key, click View key to see the information within it.
PGP Encryption Keys for
External Domains
See the currently stored PGP Encryption Keys for External Domains.
You can add or delete domains from this list , or view the certificates
provided by each domain.
Use Filter to help find a particular key.
Domain
Lists the domain to which each PGP encryption key applies.
PGP Key
Shows detail about the PGP key.
Add Domain
Add a new external domain to the list.
View Key
View information about the selected PGP key.
Delete Selected Domains
Delete the selected domains and their PGP Encryption Keys.
Manage PGP keys
Click to move to Email | Certificate Management | Certificates | PGP Encryption Keys
Option definitions — Certificate Details dialog box
View detailed information about the certificates installed on your McAfee® Email Gateway.
Option
Definition
Details
View the fully detailed information about the selected certificate.
Certification path
View information about the Certificate ID and the Subject of the certificate.
Certificate Revocation Lists (CRLs)
Understand the Certificate Revocation Lists on your appliance.
Email | Certificate Management | Certificate Revocation Lists (CRLs)
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
325
4
Overview of Email menu
Certificate Management
Contents
Installed CRLs
CRL Updates
Installed CRLs
Use this page to manage Certificates Revocation Lists.
Email | Certificate Management | Certificate Revocation Lists (CRLs) | Installed CRLs
Benefits of using Certificate Revocation Lists
This information describes the benefits of using Certificate Revocation Lists (CRLs)
CRLs typically have a lifetime of several months, so they do not need to be managed often.
Option definitions - Installed CRLs
This information describes the options available on this page.
Option
Definition
ID
Displays the name of the Certificate Authority.
Issuer
Displays the certificate-issuing authority, such as Thawte or Verisign.
Last Update and
Next Update
Displays applicable dates for the CRL.
Delete
When clicked, deletes the selected CRL.
You cannot delete a CRL that is still current. When you delete a certificate, its CRL
is deleted automatically.
When clicked, displays the contents of the selected CRL.
View
Some CRLs are large.
Export Selected
When clicked, opens a browser for saving a file. The file name extension is
typically CRL.
Import CRL
When clicked, opens a browser for selecting a file.
The appliance can fetch a local file or a file from a website.
The appliance only verifies the CRL, and makes it available to use, after you click
to apply your changes:
CRL Updates
Use this page to specify how often the appliance fetches updates to its Certificate Revocation Lists.
Email | Certificate Management | Certificate Revocation Lists (CRLs) | CRL Updates
326
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Hybrid configuration
Benefits of the CRL Updates feature
This information describes the benefits of the CRL Updates features.
Certificate Revocation Lists (CRLs) contain information about certificates that should no longer be
relied upon. This may be for one of many reasons, including:
•
The private key used by the certificate may have been compromised.
•
The certificate may have been superceded.
•
The certificate may contain an error.
Being able to regularly update the CRLs on your McAfee® Email Gateway enables you to be confident
that the McAfee Email Gateway will not continue to use certificates that have been revoked.
Option definitions - CRL Updates
This information describes the options available on this page.
Option
Definition
Update now
Update the CRLs immediately.
Specify the frequency
Specifies how often the appliance will collect CRL updates. Choose a time
when your network is least busy.
If you do not want to use this feature, select Never.
Use the default proxy
settings
If you intend to use a HTTP proxy that is not specified on the Default Server
Settings page, deselect this checkbox.
Configure defaults
When clicked, opens the Default Server Settings page, where you can view or
change the default settings for the HTTP proxy.
To view proxy information at any other time, select System | Appliance Management
| Default Server Settings from the navigation bar.
Proxy server to Proxy
password
Specifies the proxy details.
Hybrid configuration
Hybrid email scanning uses the McAfee® Email Gateway to scan your outbound email traffic, and uses
the cloud-based McAfee® Email Protection (Hybrid) to scan your inbound email traffic.
Contents
Benefits of using hybrid email scanning
About the hybrid email registration and configuration process
Registration
Domain Management
Benefits of using hybrid email scanning
Hybrid email scanning uses the McAfee Email Gateway appliances within your network and the
cloud-based McAfee Email Protection (Hybrid) to provide you with comprehensive email scanning.
When McAfee Email Gateway is configured to use hybrid email scanning, your inbound email traffic is
scanned by the cloud-based McAfee Email Protection (Hybrid) service, and your outbound email is
scanned by the McAfee Email Gateway appliance. Your inbound email traffic is scanned within the
cloud, providing a distributed scanning load and reduced bandwidth, as messages can be blocked in
the cloud before they enter your network.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
327
4
Overview of Email menu
Hybrid configuration
Inbound email messages from trusted partners can be send directly to your McAfee Email Gateway for
scanning.
All communications between the cloud service and your McAfee Email Gateway are encrypted. You
configure and optimize the scanning of both inbound and outbound email traffic from a single location
— the user interface of your McAfee Email Gateway.
Figure 4-1 Email flow using Hybrid scanning
When the McAfee Email Protection (Hybrid) makes detections within any email messages, information
about the email message and the detection is sent to your McAfee Email Gateway appliance.
Then, depending on your configuration, the McAfee Email Gateway can request the message data be
sent for further actions or for delivery. If the action is to quarantine the message, the inbound email
messages are quarantined alongside quarantined outbound email messages.
This allows you to use Message Search or other system logging options on your appliance to
investigate each message, regardless of whether it is scanned locally by your McAfee Email Gateway
or by McAfee Email Protection (Hybrid).
The communication between McAfee Email Protection (Hybrid) and the appliance must not pass through
another MTA, as the communication uses a proprietary protocol and will not succeed if another SMTP
gateway is involved in the conversation.
328
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Hybrid configuration
About the hybrid email registration and configuration process
Understanding the end-to-end, purchase-to-final-configuration process will enable you to best set up
hybrid email scanning.
1
The process to register your McAfee Email Gateway appliance and the McAfee Email Protection
(Hybrid) service starts when you purchase hybrid email scanning from McAfee or a McAfee partner.
2
When you purchased your McAfee Email Protection (Hybrid), you were asked for information that is
used to set up a cloud-based account for you. As soon as this information has been entered, you
receive an email message containing the required links and credentials.
3
Install your McAfee Email Gateway appliance. When running through the Setup Wizard, select Use the
McAfee SaaS Email Protection Service to process inbound email on the Email Configuration page.
After applying the Setup Wizard configuration and re-loading the McAfee Email Gateway user
interface, the Email | Hybrid Configuration | Registration page is displayed.
4
Clicking the link in the Email | Hybrid Configuration | Registration page displays information that outlines
the registration process for your appliance and McAfee Email Protection (Hybrid) service.
5
Follow the information given to complete the registration, using the credentials provided by email
message.
After you have successfully completed registration, a new tab appears at
Configuration | Domain Management.
6
Email | Hybrid
Before inbound email traffic can be scanned by the McAfee Email Protection (Hybrid), you must first
configure McAfee Email Protection (Hybrid) to accept email for your domain(s), and then configure
your public MX records for those domain(s) to point to the McAfee Email Protection (Hybrid)
servers.
Registration
To enable and configure hybrid email scanning, you must first register your McAfee Email Gateway
appliances with the McAfee Email Protection (Hybrid) service.
Contents
Benefits of registering hybrid email scanning
Option definitions — Registration
Task — Register with the McAfee Email Protection (Hybrid) service
Task — Cancel your registration with the McAfee Email Protection (Hybrid) service
Benefits of registering hybrid email scanning
Enabling communication between your McAfee® Email Gateway appliances and McAfee® Email
Protection (Hybrid) allows you to then configure settings for hybrid email scanning and benefit from
having your inbound email traffic scanned in the cloud.
With this information entered into the McAfee Email Gateway user interface, the initial communications
between your McAfee Email Gateway and the McAfee Email Protection (Hybrid) can start, allowing the
creation and exchange of the certificates and keys required to ensure secure communications between
your appliance and the cloud-based service.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
329
4
Overview of Email menu
Hybrid configuration
Option definitions — Registration
Use this page to register your McAfee Email Gateway appliances with the McAfee Email Protection
(Hybrid) so they can communicate.
Table 4-153 Option definitions — Registration page
Option
Definition
User name
Enter the user name found in your welcome email.
Password
Specifies the password found in your welcome email.
Configure this appliance to handle email for Configures the appliance you are currently logged onto to act as
the initial domain
the initial McAfee Email Gateway for your McAfee Email Protection
(Hybrid).
Not displayed when your
appliance is ePO-managed.
Address
Not displayed when your
appliance is ePO-managed.
After an email message from your initial domain has been
scanned by the McAfee Email Protection (Hybrid) service,
communication is initiated to the McAfee Email Gateway at this
address.
If your McAfee Email Gateway does not have a publicly
reachable IP address — perhaps because it is behind a network
address translation (NAT) setup — you must configure your
initial domain from the Email | Hybrid Configuration | Domain Management
page.
Specifies the port assigned to your initial McAfee Email Gateway.
Port
Not displayed when your
appliance is ePO-managed.
If the publicly exposed port of the McAfee Email Gateway is not
the same as the port the McAfee Email Gateway is listening on
— perhaps if you are port mapping — go to the Email | Hybrid
Configuration | Domain Management page.
Registers your McAfee Email Gateway with the McAfee Email
Protection (Hybrid).
Register
After registration, a new tab, Email | Hybrid Configuration | Domain
Management appears. Also, a new section, Cancel Registration, is
displayed on this page.
Table 4-154 Option definitions — Cancel Registration
Option
Definition
Cancel Registration Disables your registration and prevents the use of the McAfee Email Protection
(Hybrid) to process your inbound email. You do not need to enter any credentials.
Before cancelling your registration, you should ensure that the MX records for your
managed domains no longer point to the McAfee Email Protection (Hybrid) service.
Task — Register with the McAfee Email Protection (Hybrid) service
You need to register your McAfee Email Gateway appliances with the McAfee Email Protection (Hybrid)
before you can benefit from using hybrid email scanning.
Before you can register with the service, you must have received your welcome email containing the
user name and password you will use.
330
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Hybrid configuration
Task
1
Select Email | Hybrid Configuration.
The hybrid configuration Registration page appears, and the system checks to ensure your appliance
can connect to the McAfee Email Protection (Hybrid).
This is the only page available under Hybrid Configuration before registration is complete. Guidance for
completing your registration appears on the page.
2
Enter the user name and password from your welcome email in the appropriate data fields.
3
(Optional) Configure your initial appliance for inbound email, for use by the McAfee Email
Protection (Hybrid) service.
If your McAfee Email Gateway does not have a public IP address, use the Email | Hybrid Configuration |
Domain Management page.
a
Select the Configure this appliance to handle email for the initial domain checkbox.
b
Select the appliance domain name and IP address from the drop down list.
c
Select the port assigned to the appliance from the drop down list.
You should configure a virtual address for the receiving appliance when the appliance is the cluster
master.
4
Click Register.
Your appliance is registered with McAfee Email Protection (Hybrid), and the Domain Management tab
appears in the Hybrid Configuration window. The Registration window expands to show the Cancel Registration
information.
Task — Cancel your registration with the McAfee Email Protection (Hybrid)
service
You can stop using the McAfee Email Protection (Hybrid) at any time.
Before you begin
Before you cancel your service, ensure that the MX records for any managed domain no
longer point to the service.
Task
1
Select Email | Hybrid Configuration | Registration.
The Registration page appears.
2
Click Cancel Registration.
A confirmation dialog appears.
3
Click OK to confirm your intention to cancel registration.
Your registration is cancelled.
You can re-register with the protection service using your original credentials.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
331
4
Overview of Email menu
Hybrid configuration
Domain Management
You can use the user interface to specify which domains you want scanned by McAfee Email Protection
(Hybrid).
Configure your domains after you have registered McAfee Email Protection (Hybrid).
The Email | Hybrid Configuration | Domain Management tab is only visible after you have registered to use Hybrid
Email scanning.
The Domain Management window shows the list of domains you have configured for McAfee Email
Protection (Hybrid), and their associated appliances. From this window, you can add domains, and edit
or delete existing domains.
Contents
Benefits of using domain management
Option definitions — Domain Management page
Option definitions — Add/Edit domains page
Task — Manage your domains using Hybrid Email protection
Benefits of using domain management
Using hybrid email scanning allows you to enjoy the benefits of both a cloud-based email scanning
system, and an on-site, dedicated email scanning appliance.
The Domain Management page enables you to specify and manage the domains for which inbound email
traffic is to be scanned by the McAfee Email Protection (Hybrid).
By using the Domain Management page, you can quickly specify the domains that are to have inbound
email traffic scanned "in the cloud" from within the McAfee Email Gateway user interface. You do not
need to go to separate interfaces to configure your inbound and outbound email scanning; both are
managed from the same user interface.
As the inbound email settings are transferred to the McAfee Email Protection (Hybrid) service when you
make any changes to this page, these settings are changed in real-time; you do not need to click the
Apply button to save the changes to the McAfee Email Gateway configuration.
Option definitions — Domain Management page
Use this page to manage the domains that you want scanned by McAfee Email Protection (Hybrid)
service. The initial domain you registered for this service cannot be deleted.
Table 4-155 Domain Management option definitions
Option
Definition
Domain
Shows the fully qualified domain names of all domains protected by the McAfee
Email Protection (Hybrid) service.
McAfee Email Gateways Shows the IP addresses for the McAfee Email Gateway appliances associated with
each managed domain.
332
Edit
Opens a window for modifying or deleting this existing domain.
Add Domain
Opens the Edit Domain window, where you can add or modify domains where you
want email scanned.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Hybrid configuration
4
Option definitions — Add/Edit domains page
Use this page to add, edit, or delete domains you want scanned by the McAfee Email Protection
(Hybrid) service. The initial domain you registered for this service cannot be deleted.
Table 4-156
Edit Domain option definitions
Option
Definition
Domain name
Specifies the fully qualified domain name of the server you are adding or editing.
Public addresses of
Lists the McAfee Email Gateway appliances associated with the domain, showing:
McAfee Email Gateways
• IP address or domain name (port optional)
• Current status
• Rank within the list of appliances for this domain
You can rank the appliances on your list to establish a preference order, with
the lowest number being tried first. The McAfee Email Protection (Hybrid)
service will try the appliances in rank order until it succeeds. If all appliances
are ranked equally, the service round-robins amongst them.
Add McAfee Email
Gateways
Opens a window for adding a McAfee Email Gateway to the list.
Test Connection
Tests if the selected host is accessible from McAfee Email Protection (Hybrid)
service. The test verifies:
• A connection can be established to the service.
• The McAfee Email Gateway has been registered with the McAfee Email
Protection (Hybrid) service.
The test button is active when you select a single appliance.
Delete
Deletes selected McAfee Email Gateway appliances from the list.
Task — Manage your domains using Hybrid Email protection
The Domain Management page shows the list of protected domains and their associated appliances. McAfee
Email Protection (Hybrid) will process all inbound email traffic for these domains.
From this page, you can add, edit, or delete protected domains.
Task — Add a managed domain
Add a domain that you want scanned by McAfee Email Protection (Hybrid) service.
The first domain on your list is the initial domain you entered when you registered your appliance with
the service. It cannot be deleted.
Task
1
From the Domain Management window, click Add Domain.
The Edit Domain window appears.
2
Enter the fully qualified domain name for the domain you want to add.
3
Click Add McAfee Email Gateways.
Data fields for the new domain appear in the Public addresses of McAfee Email Gateways portion of the
window.
4
Type the IP address or the fully qualified domain name for the appliance. Optionally, you can
include the port identification.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
333
4
Overview of Email menu
Hybrid configuration
5
To indicate the status of the appliance, select or deselect the Active? checkbox. Click Add McAfee Email
Gateways again and repeat steps 4 and 5 if you want to add more than one appliance.
6
(Optional) If you add more than one appliance, you can indicate their rank (order) by typing a
number in the Rank data field.
7
(Optional) You can test the connection between any single appliance and the McAfee Email
Protection (Hybrid) service by clicking Test Connection.
8
When you have completed the information on this window, click OK.
Your domain appears on the list on the Domain Management page
Task — Edit an existing domain
You can modify the settings of domains that are scanned by McAfee Email Protection (Hybrid) service.
The initial domain on your list is the domain you entered as part of your user name when you
registered your appliance with the service. This domain name appears in boldface type. You can edit
it, but you cannot change the domain name or delete it.
Task
1
On the Domain Management page, click the Edit icon for the domain you want to change.
The Edit Domain window appears, showing the current information about the selected domain.
2
Make your changes to the domain. You can change the domain name, add or delete appliances,
change the status, and — for multiple appliances — change the rank.
3
(Optional) To test the connection between any single appliance and the McAfee Email Protection
(Hybrid) service, click Test Connection.
4
When you have finished editing the domain, click OK.
The changes you made appear on the Domain Management page.
Task — Delete an existing domain
You can remove a domain you no longer want scanned by McAfee Email Protection (Hybrid) service.
The first domain on your list is the initial domain you entered when you registered your appliance with
the service. You cannot delete it.
Task
1
On the Domain Management page, select the check boxes for one or more domains you want to delete.
The Delete Selected Domains button becomes active.
2
Click Delete Selected Domains.
A confirmation dialog appears.
3
Click OK to confirm your intention to delete the domain.
The domain or domains are removed from the Domain Management page.
334
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Group Management
Group Management
The Group Management pages enable you to set up directory services to work with your LDAP servers,
and create network groups, and user groups who relay on the appliances.
Email | Group Management
Directory Services
Use this page to build a group of directory services to work with your LDAP servers.
Email | Group Management | Directory Services
The page has these sections:
•
Directory Services
•
Directory Synchronization
Benefits of the Directory Services options
This information describes the benefits to using the Directory Services features to connect to your
LDAP servers.
Add directory service servers using the Directory Service wizard to set up a connection between the
appliance and an LDAP server so that the attributes in the LDAP server define behavior in your email
flow. You can therefore define policies, and update your LDAP to change email behavior. You can
modify the following features in the appliance to work with LDAP:
•
Recipient Authentication
•
Address Masquerading
•
Policy selection
•
Delivery routes
Custom queries can be created for use in policy selection using the Add Query option in the Add Directory
Service wizard.
The appliance supports the following types of LDAP servers:
•
Microsoft Active Directory
•
Lotus Domino
•
Novell NDS
•
Generic LDAP Server v3
•
Netscape/Sun iPlanet
•
Microsoft Exchange
You can set up groups of LDAP servers to ensure high availability by adding secondary servers to the
primary LDAP server.
The name that you give the primary server Service name in the Add Directory Service wizard is the name of the
group that you see when you come to select the LDAP group in the LDAP-related features in McAfee
Email Gateway, such as Address Masquerading.
Directory Synchronization.
Directory Synchronization is the mechanism to synchronize LDAP data on the appliance with remote
LDAP servers.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
335
4
Overview of Email menu
Group Management
Once LDAP data has been synchronized, the appliance no longer performs LDAP lookups on the
remote server and uses its own on-box database, minimizing loading on the remote LDAP servers.
To enable Directory synchronization, add the LDAP server to which you need to synchronize to the
Directory Services page.
You must also select the queries that need to be synchronized, by selecting Cache Result option on the
Directory Service Queries page of the Add Directory Service wizard.
The advantages of Directory synchronization are more apparent on cluster or blade server
environments because each scanner no longer performs LDAP lookups, but uses the on-box database.
The Master is responsible for synchronizing the database with the remote LDAP servers. Once the
synchronization is finished the database is synchronized with other members of the cluster and is then
used for LDAP checks.
Attributes on the LDAP server can be accessed in real time (allowing for the most up-to-date data to
be available), or be cached on the appliance (a faster option that causes less impact to your network)
by using the Cache Result checkbox in the Add Directory Services wizard.
Use the Synchronization schedule feature to schedule when to update the cache.
McAfee Email Gateway uses queries defined on the Directory Service Queries page to populate the local
LDAP database. The 'List of Groups' and 'Synchronization' queries are mandatory and cannot be
unselected, as they are used to get group and email address information from the LDAP server. You
can choose to cache all other queries. If you choose not to cache the results of any other query,
McAfee Email Gateway will carry out a real-time lookup when the SMTP features that use the query
are used.
By default LDAP caching is on for each query. When you apply configuration changes to the appliance,
the synchronization process updates the local LDAP cache database. If the database has not been
updated for a particular server, the LDAP lookup is done in real time. Additionally, if the query is missing
or has been modified for a particular server, the LDAP lookup is done in real time.
When you configure Directory Synchronization, the following information is stored in the on-box
database:
•
The LDAP queries that you have configured to run against the LDAP servers.
•
All the LDAP groups.
•
User information, stored as a BLOB. This information includes the email addresses of the users, the
group membership of each user and any extra information collected by the LDAP queries.
Running the LDAP synchronization
LDAP synchronization automatically starts when you apply configuration changes that include adding a
new LDAP server, or that include any changes to LDAP queries.
You can manually start the LDAP synchronization process by clicking Email | Group Management | Directory
Services | Directory Synchronization | Update Now. You can also schedule regular LDAP synchronization from
Email | Group Management | Directory Services | Directory Synchronization | Synchronization schedule.
You can check the current status of LDAP synchronization by looking at Email | Group Management |
Directory Services | Directory Synchronization | Update Information. You can also view the LDAP synchronization
data in the log files in /var/log/messages.
Any LDAP synchronization failures are logged and can be sent to administrators by SNMP, Email or
Syslog.
336
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Group Management
Option definitions — Directory Services
This information describes the options available on this page.
Directory Services
This information describes the settings of any LDAP server that you have set up. To add a connection
to an LDAP server, click Add Server.
Option
Definition
Name, Address and
Type
Displays information about each directory server such as a type like Domino or
Active Directory. Click Edit to open the Add Directory Service wizard to change a
server's settings.
Add Server
When clicked, starts the Add Directory Services wizard where you can add details
of a directory service.
The Service name that you give this server is what is shown when you set up features
in the appliance to work with LDAP.
The server at the top of the list is queried first. You can create groups of servers
by using the Add Secondary Server option.
Add Secondary
Server
Use this option to create groups of LDAP servers by adding secondary servers that
are queried should the primary server be unavailable, or not have the required
information. From the features that work with LDAP, you will not see secondary
servers listed, only the primary server in the group.
Delete Server
Remove primary, or secondary servers from the list.
Perform server
certificate verification
on secure
connections
Sets whether the appliance should attempt to validate a remote server certificate
that is used to encrypt a secure connection between the appliance and an LDAP
server.
You can manage the certificates required from Email | Certificate Management.
Directory Synchronization
This information describes the options available in the Directory Synchronization section of the page.
Option
Definition
Update information
Displays the status of the information in the on-box directory:
•
•
— Information is available for query. The time and date shows when the
latest update occurred.
— The on-box directory has no data, or is not up-to-date.
Update Now
When clicked, the appliance immediately copies directory information from the
servers under Directory Services to its own directory.
Synchronization
schedule
Specifies how often the appliance copies directory information from the LDAP
servers to which you have connected to its own directory.
Setting the schedule to Hourly can create a heavy load on your network.
Optimizing the directory synchronization queries
Correctly optimizing the queries improves the response between your McAfee Email Gateway and your
LDAP servers.
All queries against a particular server are accessed from the Directory Service Queries page.
Test each query using the Test button to confirm that it gives you the expected results.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
337
4
Overview of Email menu
Group Management
The queries should only take a few seconds to complete. If the queries do not quickly return a
response, check the following:
•
Make sure that your LDAP queries are valid.
•
Ensure all the LDAP attributes specified in the query are also available within the LDAP schemas on
the server being queried.
•
Make sure all LDAP attributes specified in the query are indexed on the remote LDAP server.
Network Groups
This page enables you to create network groups to use as a policy selection criteria.
Email | Group Management | Network Groups
Benefits of setting up network groups
Creating network groups allows you to apply policies to a group of individuals at one time.
You can define network groups based on any one of several parameters, such as IP addresses, host
names, and so forth. All individuals who share that parameter will be included in policies you define.
Network groups are not based directly on individual email addresses.
You can also define user groups based on sender email addresses, recipient email addresses, or LDAP
queries.
Option definitions — Network Groups
This information describes the options available on this page.
Option
Definition
Group Name , In use?, and
Delete
Displays the name of the group, whether it is in use, and provides the
option to remove the group from the list.
Add
Click to open the Add Network Groups dialog box.
Option definitions — Add Network Group
This information describes the options available in this dialog box.
Option
Definition
Group name
The name of the group.
Selected or unselected Defines whether the group is in use.
Use the arrow icons to move the rules up and down the list. The rules are
applied in a "top-down" order.
Rule type
Choose from:
• IP address
• VLAN identifier
• Network connection
• Host name
338
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Group Management
Option
Definition
Match
Choose from:
4
• is
• is not
• is in
• is not in
Value
Type the value that you want to associate with Match.
Add Rule / Delected
Selected Rules
Adds a new line to the list where you can specify the name, type, and values
to match on for a new network group.
Option definitions — Add Rule
Provide information required to add a new Group Management rule.
This dialog box is used for both Add Network Groups | Add Rule and the Add User Groups | Add Rule.
Option
Definition
Rule Type
Define the type of rule.
For Add Network Groups, options include:
• IP address (default)
• VLAN identifier
• Network connection
• Host name
For Add User Groups, options include:
• Sender email address (default)
• Recipeint email address
• LDAP query
Match
Specify how this rule matches. Options include:
• is (default)
• is not
• is in
• is not in
Value
Enter the Value for this rule.
Email Senders and Recipients
This page enables you to create groups of users who can relay messages on the appliance.
Email | Group Management | Email Senders and Recipients
Benefits of the Email Senders and Recipients options
The email senders and recipient (user group) options allow you to define groups of individuals to
whom you can apply policies at once.
You can define user groups based on several criteria:
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
339
4
Overview of Email menu
Group Management
•
Sender or recipient email address
•
Pre-established sender or recipient user groups
•
LDAP authentication
Option definitions — Email Senders and Recipients
This information describes the options available on this page.
Option
Definition
Group name , In use?, and
Delete
Displays the name of the group, whether it is in use, and provides the
option to remove the group from the list.
Add
Opens the Add User Group dialog box.
Option definitions — Add User Group
This information describes the options available in this dialog box.
Option
Definition
Group name
Type the name of the group.
Selected or
unselected
Select a group and click Edit or Delete Selected Rules as appropriate. Use the arrow
icons to move the rules up and down the list.
Rule type
Choose from:
• Sender email address
• Recipient user group
• Recipient email address
• LDAP Query (if configured)
• Sender user group
The LDAP query and user group options become available only when a user
group or LDAP server has been created.
Choose from:
Match
• is
• is not
• is like
• is not like
Value
Type the value that you want to associate with Match.
Add Rule
Adds a new rule to the list .
Task — Add a user group
Use this task to create a user group that can be used in policy selection.
Before you begin
Ensure that you have a valid connection to a Generic LDAP Server, and its queries are
providing output.
Task
340
1
Go to Email | Group Management | Email Senders and Recipients.
2
Click Add and type a name for the group.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Add Directory Service wizard
3
Click Add Rule.
4
In Rule type, select LDAP Query.
The Values field is populated with the name of the LDAP group you selected.
5
Click OK to close the dialog box.
6
Go to Email | Email Policies | Add Policy....
7
Click Add Rule. In Rule type, select User group.
8
In Value, select the user group you created, and click OK.
Add Directory Service wizard
Use this wizard to add a connection between the appliance and any LDAP servers that you have.
Attributes from the LDAP servers can be used by other features in the appliance such as Recipient
Authentication and Address Masquerading.
The appliance comes with a selection of queries already set up for you. Each query can be customized
and the results tested to ensure that they are what you expect. the following queries are available:
•
List of groups
•
Valid recipient
•
Group membership
•
Delivery MTA
•
Synchronization
•
Address masquerade
Use the Next > and < Back buttons to navigate through the screens. After you have successfully tested
the group and member queries, click Finish to complete the wizard.
Benefits of adding LDAP directory services
This information describes the benefits of adding directory services.
Use the Directory Service wizard to set up a connection between the appliance and an LDAP server so
that the attributes in the LDAP server define behavior in your email flow. You can therefore define
policies, and update your LDAP to change email behavior. You can modify the following features in the
appliance to work with LDAP:
•
Recipient Authentication
•
Address Masquerading
•
Policy selection
•
Delivery routes
Custom queries can be created for use in policy selection using the Add Query option in the Add Directory
Service wizard.
The appliance supports the following types of LDAP servers:
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
341
4
Overview of Email menu
Add Directory Service wizard
•
Microsoft Active Directory
•
Lotus Domino
•
Novell NDS
•
Generic LDAP Server v3
•
Netscape/Sun iPlanet
•
Microsoft Exchange
You can set up groups of LDAP servers to ensure high availability by adding secondary servers to the
primary LDAP server.
The name that you give the primary server Service name in the Add Directory Service wizard will be the
name of the group that you see when you come to select the LDAP group in the features in Email
Gateway that you can use with LDAP, such as Address Masquerading.
Directory Synchronization offers a choice of access. The appliance can query an external directory server in
real-time, or its own ("on-box") cached directory.
Attributes on the LDAP server can be accessed in real time (allowing for the most up-to-date data to
be available), or be cached on the appliance (a faster option that causes less impact to your network)
by using the Cache Result checkbox in the Add Directory Services wizard.
Use the Synchronization schedule feature to schedule when to update the cache.
Option definitions — Directory Service Details page
This information describes the options available on the Directory Service Details page of the wizard.
Option
Definition
Service name
Enter a name for the service you are adding. This name is displayed in the list of
Directory Services
Secure Communication Choose from:
• Off — not a secure connection. Data travels between the LDAP server and the
appliance in clear text.
• Secure LDAP — Encrypts the LDAP communication over SSL. By default this
occurs on port 636.
• Use TLS — Encrypts the LDAP communication over TLS. By default, this occurs
on port 389.
Server address
Enter the address for the server that hosts the directory service you are adding.
Server type
Select the type of LDAP server to which you want to connect:
• Active directory
• Domino
• Novell NDS (eDirectory)
• Generic LDAP Server v3 (RFC2251/RFC2307)
• Netscape/Sun iPlanet
• Exchange
Based on the server type you select, the default queries are modified to match
with the default attributes. Different server types have different attributes
associated with them depending on the schemas that you have specified.
342
Base DN
Enter the base distinguished name to be used by the directory service you are
adding.
Username
Enter the user name needed for the appliance to connect to the directory service.
Password
Enter the password needed for the appliance to connect to the directory service.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Add Directory Service wizard
Option
Definition
Referrals
Select this to allow the appliance to follow LDAP referrals to other servers that
hold a part of the directory tree.
Page Size
Shows the number of results per page. Set to 1000 by default.
Option definitions — Directory Service Queries page
This information describes the options available on the Directory Service Queries page of the wizard.
Query types
Query Name
Description
List of groups
Query to get a list of all groups used for selecting a policy.
When the primary server and the secondary server have different set of groups, and
if Stop on Result is selected on the primary server, only the groups from the primary
server appear on the policy creation page. To avoid this, deselect Stop On Result for
the List of Groups and Group membership queries.
Group membership
Query to get the list of groups that an email address belongs to.
When the primary server and the secondary server have different set of groups, and
if Stop on Result is selected on the primary server, only the groups from the primary
server appear on the policy creation page. To avoid this, deselect Stop On Result for
the List of Groups and Group membership queries.
Synchronization
Query to get all the email addresses on the LDAP server to synchronize to the
appliance.
Valid recipient
Query to find whether an email recipient is valid on your LDAP server.
Delivery MTA
Query to find the Message Transfer Agent (MTA) to which you want to deliver for a
particular email recipient.
Address masquerade Query to find the email address that you want to masquerade.
Directory Service Query options and actions
Each query has the following options and actions associated with it.
Option
Definition
Enabled
Enables or disables the query.
Cache Result
Specify whether you want to cache results on the appliance to reduce the time it takes
to run the query, and reduce network load. Deselecting this option queries the LDAP
server in real time.
Fail Open
Select to query a secondary LDAP server (if set up) if the primary LDAP server fails.
Stop On Result Select to stop a query on a secondary server when a successful result occurs.
When the primary server and the secondary server have different set of groups, and if
Stop on Result is selected on the primary server, only the groups from the primary server
appear on the policy creation page. To avoid this, deselect Stop On Result for the List of Groups
and Group membership queries.
Add Query
Click to open a new page of the wizard that allows you to create a new query in addition
to the queries already set up for you.
Edit Query
Select a query, then click Edit Query to open a new page of the wizard that allows you to
edit the query.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
343
4
Overview of Email menu
Add Directory Service wizard
Option
Definition
Remove Query Delete the selected query. Default queries cannot be removed.
Test Query
Click to open a new page of the wizard that allows you to test whether the query
provides the results that you want before you apply the configuration to the appliance.
When the results are returned, click Next to return to this page.
Finish
Completes the wizard. The query becomes available to select in areas of the appliance
that can work with LDAP, such as:
• Address Masquerading
• Recipient Authentication
• Creating a new policy
• Delivering Email
You must apply the changes to the appliance for the LDAP query to register and become
available to create a new policy.
Option definitions — Directory Service Query page
Use this page of the wizard to add or edit directory service queries. It becomes available when you
click Add Query or Edit Query on the Directory Service Queries page.
Option
Definition
Full Query String Displays the default attributes associated with the query.
Query Name
The name of the query. Default query names cannot be edited.
Primary Query
Specify the settings for the primary query:
• Filter — displays the search filters that you want the query to use. Multiple search
filters can be specified to make a request of the LDAP server.
• Identity attribute 1 through 4 — contains the individual attributes that you want the query
to return.
Secondary Query If necessary, create a secondary query as a further query to the first. For example, if a
primary query in the Group membership query is to locate a specific user, you can create a
secondary query to discover which user group the user belongs to.
Option Definitions — Test Directory Service Query page
This information describes the options available on the Test Directory Service Query page of the wizard. This
page becomes available when you click Test Query on the Directory Service Queries page.
To ensure that your query returns the results you want, the wizard provides you with the opportunity
to test the queries that you have defined.
344
Option
Definition
Query Name
The name of the query that you want to test.
Full Query String
Displays the search filters, and the attributes associated with them.
Perform LDAP Query
Click to have the query tested with the LDAP server.
Query Results
The results are displayed within the Query Results area.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of Email menu
Add Directory Service wizard
4
Task — Set up the appliance to use a Microsoft Exchange Server
as an LDAP server
Use this task to get user email attributes from a Microsoft Exchange server.
Before you begin
McAfee recommends that you set up an update interval that is suitable to the amount of
data transmitting. Choosing a too-frequent update interval can impact your network load.
Task
1
Go to Email | Group Management | Directory Services and click Add Server to open the Add Directory Service
wizard.
2
On the Directory Service Details page of the wizard, add the following data:
•
In Service name, type Exchange.
•
In Secure Communication, keep the setting to Off.
•
In Server address, type the IP address of the server to which you want to connect.
•
In Server port, keep the setting to 389.
•
In Server type, select Exchange.
•
In Base DN, where the domain name is test.dom, type dc=test, dc=dom.
3
Type the username and password of the server to which you are connecting, and click Next.
4
On the Directory Service Queries page of the wizard, ensure that the following queries have the
Enabled and Cache Results checkboxes selected:
•
List of groups
•
Group membership
•
Valid recipient
•
Delivery MTA
•
Address masquerade
5
Click Test to verify the query returns the information you want, then click Finish.
6
In the Directory Synchronization section of the page, set the frequency to Hourly.
7
In the Directory Services section of the page, select the service you created, then select Add
Secondary Server to open the Add Directory Service wizard again.
8
Specify the details of the secondary server that you want to add.
Task — Create a sample LDAP query
This task describes how to create a sample LDAP query for use with a Generic LDAP Server v3 server.
Task
1
Go to Email | Group Management | Directory Services.
2
Click Add Server, and type the name of the service such as generic.
3
In Server address, add the server IP address of the LDAP server to which you are connecting.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
345
4
Overview of Email menu
Quarantine Configuration
4
In Server type, select the Generic LDAP Server v3.
5
In Base DN, where the domain name is test.dom, type dc=admin, dc=test, dc=dom.
6
Type the username and password of the server to which you are connecting.
7
Leave the other settings in their default state, and click Next.
8
Click Add Query and type a name for the query.
9
In Filter, add the query filter, such as mail=%email%.
10 In Identity attribute, type the attributes that you want to retrieve, such as cn and click Next.
11 On the Directory Service Queries page, select the query you created, and click Test Query.
12 In Identity for query, type the email address that you want to get the cn for, and click Perform LDAP Query.
The cn of the email address displays in the Query Results area.
The query will be available to that directory service.
Quarantine Configuration
Use this page to set your email quarantine configurations.
From within this page of the user interface, you can access the settings for the quarantine options,
quarantine digest options, the digest message content, and quarantine queue settings.
Contents
Quarantine Options
Quarantine Digest Options
Option definitions — Digest Message Content
Quarantine Queue Settings
Quarantine Options
Use this page to configure your quarantine options.
Email | Quarantine Configuration | Quarantine Options
346
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Quarantine Configuration
Option definitions — Quarantine Options page
Use this information to gain an understanding of the options available from the Quarantine Options
page.
Table 4-157 Option definitions — Quarantine Options page
Option
Definition
Use the on-box
quarantine
With this selected, the appliance uses its own database to hold quarantined email
messages.
Use an off-box McAfee
Quarantine Manager
(MQM) service
Select this to use a McAfee Quarantine Manager (MQM) service hosted on another
server.
When selected, the following fields are made active:
• Appliance ID — Usually, you would use the default ID
• MQM server address — The IP address of the server that is hosting your McAfee
Quarantine Manager service.
• Listening port — the port used by your McAfee Quarantine Manager service.
• Use HTTPS to communicate with the MQM server — When selected, forces secure
communications between the appliance and the McAfee Quarantine Manager
server.
• Verify the MQM server certificate — Configure the appliance so that it verifies the
MQM server certificate before sending quarantined email messages to the
McAfee Quarantine Manager server.
• Enable user submitted blacklists and whitelists — Allow your users to blacklist and
whitelist quarantined email messages from specific senders.
• Update interval — specify the time between updates between the appliance and
your McAfee Quarantine Manager service. The default value is 4 hours.
When you select Use an off-box McAfee Quarantine Manager (MQM) service, the Quarantine Digest
Options and Digest Message Content tabs are removed from the user interface.
The relationship between quarantine categories displayed in Message
Search and MQM
Use this information to understand the differences between the categories used by Message Search
within Email Gateway and McAfee Quarantine Manager.
The following table shows what you will see in the McAfee Quarantine Manager queue for each Email
Gateway category detection:
Table 4-158 The relationship between quarantine categories displayed in Message Search
and MQM
Message Search
McAfee Quarantine Manager
Anti-Phish
Phish
Anti-Spam
Spam
Anti-Virus
Viruses
Anti-Virus (Packer)
Potentially Unwanted Programs | Packers
Anti-Virus (PUP)
Potentially Unwanted Programs | Potentially Unwanted Programs
Compliance
Unwanted Content | Banned Content
Corrupt Content
Unwanted Content | Encrypted or Corrupted
Data Loss Prevention
Data Leakage Prevention
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
347
4
Overview of Email menu
Quarantine Configuration
Table 4-158 The relationship between quarantine categories displayed in Message Search
and MQM (continued)
Message Search
McAfee Quarantine Manager
Encrypted Content
Encryption Compliance
File Filtering
Unwanted Content | Banned File Type
Mail Filtering
Unwanted Content | Mail Format
Mail Size
Unwanted Content | Mail Format
Signed Content
Unwanted Content | Encrypted or Corrupted
Directory Harvesting
Others
Image Filtering
Unwanted Content | Image Analysis
Denial of Service
Unwanted Content | Banned File Type
Quarantine Digest Options
Use this page to specify how users will receive quarantine digests.
Email | Quarantine Configuration | Quarantine Digest Options
Option definitions — Enable digests
Use this information to understand the options available to enable quarantine digests.
A quarantine digest is an email message that the appliance sends to an email user. The digest
describes email messages that have been quarantined for the user because the messages contain
unacceptable content or spam. The digest does not contain information about viruses and other
potentially unwanted program detections.
This page is only available when you have on-box quarantine selected.
Option
Definition
Enable digest messages Specifies whether to enable digest messages for the selected protocol preset.
and message
Protocol preset
Reminds you that digest messages are enabled for this protocol preset.
Allows you to make settings for any exception to the default setting. For
example, you can specify that some parts of the network do not use digest
messages.
Option definitions — Digest message options
Use this information to understand the options available to configure your digest messages.
Option
Definition
or
and
message
Reminds you whether digest messages are enabled for this protocol preset.
Sender address for
digest messages
Specifies an email address for an administrator to handle any queries from
senders about the digest.
We recommend that you assign someone who reads email regularly. You can use
the name of a single user or a distribution list.
348
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Quarantine Configuration
Option
Definition
Message format
Specifies the format of the digest message.
For interactive digests, choose HTML. You can then select:
• Generate interactive messages — When selected, makes each message interactive.
For example, users can release any of their messages that were incorrectly
quarantined as spam.
• Add the digest as an email attachment — When selected, attaches the digest to the
email message as an HTML file. Otherwise the digest is embedded in the email
message.
Message encoding
Specifies the character set encoding for the email message that contains the
digest.
Default value is UTF-8.
Allow users to create
and manage blacklists
and whitelists
To view the settings for user-submitted blacklists and whitelists, select Email |
Email Policies | Scanning Policies [Spam] | Blacklists and Whitelists | User Submitted in the
navigation bar.
To view how quarantine digest messages are displayed when alllowing users to
create and manage blacklists and whitelists, select Allow users to create and manage
blacklists and whitelists and then click Message Preview.
Interaction type
Specifies the type of interaction the user experiences:
• HTML links — Quarantine digests received by your users include links to Delete or
Release quarantined spam email messages.
• HTML forms — When selected, quarantine digests are sent as HTML forms, with
drop-down boxes allowing users to select the required options and an Apply
button to make the changes.
To view examples of the quarantine digest messages seen by your users, click
Message Preview.
Client-server
Specifies the communication method for interactive digests when using HTML
communication method forms:
• HTTP POST — Parameters are hidden, which means internal information is not
visible. However, the users do not receive a response from the appliance when
their requests are received.
• HTTP GET — Works with any mail client. A user can receive a response from the
appliance. However, information is displayed in the action URL, which means
internal information is visible.
Appliance IP address or Specifies an IP address or a domain name, to appear as the sending information
domain name to use in for the digest messages.
digest messages
For example,
• 192.168.254.200
• example.com.
Use the appliance's
fully qualified domain
name
When selected, uses the (FQDN) format (as specified in the appliance's basic
settings) instead of an IP address.
Message Preview
When clicked, displays an example of the digest that users will see.
For example, appliance.example.com
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
349
4
Overview of Email menu
Quarantine Configuration
Option
Definition
Send
When clicked, sends all digests that have not been sent since the last scheduled
time or since you last pressed the Send button.
Specify the frequency
Specifies how often to send the digests, for example Weekly on Monday at 12
o'clock. We recommend that you select a time when the network is less busy.
Default values are Daily at 3 a.m.
If you select Never, you can send the digests by clicking Send.
Quarantine digests might not be delivered exactly at your specified time. The
appliance staggers the delivery times to prevent overloading the mail servers.
Option definitions — Digest Message Content
Use this page to design the appearance of quarantine digests and the responses to users' requests.
Email | Quarantine Configuration | Digest Message Content Options
Option
Definition
Message subject
Specifies the text of the subject line of the email message that carries the
digest.
Default value is Quarantine Summary Digest.
Use the default value
(Several occurrences)
When selected, uses the default value. To change any item such as the
subject line of the email message that carries the digest, deselect its
corresponding Use the default value checkbox.
Edit the stylesheet
When clicked, opens a window that displays the stylesheet that controls the
appearance of the digests when in HTML format. To edit the stylesheet, you
need some knowledge of CSS (Cascading Style Sheets).
Edit the digest report
When clicked, opens a window where you can edit the main text of the
digest.
Edit the body text
When clicked, opens a window where you can edit the first sentence of the
digest.
You can edit the HTML content directly or at source.
Column headings used in the
message body
When Use the default value is deselected, you can change the column headings
that the user sees in the digest.
Select a response type
Selects the type of message that the appliance sends in response to a
user's request. For example, a user can request a release of email that was
quarantined as spam, and will receive a message to acknowledge the
request.
Edit the response body
When clicked, opens a window where you can edit the text of the response
message, if it is in HTML format.
You can edit the HTML content directly or at source.
Quarantine Queue Settings
The Quarantine Queues page displays information about all the quarantine queues configured on your
McAfee Email Gateway appliance. When viewed from within McAfee® ePolicy Orchestrator (McAfee
350
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Quarantine Configuration
ePO) the queues for all managed McAfee Email Gateway appliances are displayed. The list includes the
default quarantine queues as well as any queues that have been added.
Benefits of using multiple quarantine queues
Use multiple quarantine queues to group quarantined messages for analysis.
When you install the Email Gateway software, the system already includes a set of default quarantine
queues:
•
Viruses
•
Other
•
Potentially Unwanted Programs (PUPs)
•
Phish
•
Compliance
•
Spam
All quarantined messages go to at least one of these queues. However, a message may trigger more
than one quarantine action, and be added to more than one quarantine queue.
Role Restrictions
Access to the quarantine queues is role-based, and each queue can have specific roles assigned. The
primary value of configuring multiple quarantine queues is to control the users that are permitted to
access each queue.
Custom quarantine queues
Using custom quarantine queues permits grouping quarantined messages to suit your organization's
needs.
Custom quarantine queues are available only for off-box quarantine, using McAfee Quarantine Manager.
You can add custom quarantine queues to your McAfee Email Gateway appliance. When an email
message triggers a quarantine action, you can direct the message to your custom queue. This action
allows you to track quarantined messages in a more granular manner. You can more easily research
the effectiveness of specific policies by isolating the results of the quarantine actions.
Configuring custom queues requires two components:
•
Creating the queue;
•
Configuring policies to quarantine messages to the queue.
Using custom quarantine queues
If you are using custom queues, then the newly added queue is available for selection in policies
straight away. You do not need to apply changes first.
When you create or edit a policy that includes the Quarantine action, select the queue where McAfee
Email Gateway quarantines messages. When you add a queue and apply your changes, the new queue
appears with the other configured queues.
When you create or edit a policy that includes the Quarantine action, select the queue where the McAfee
Email Gateway appliances quarantine the messages. When you add a queue and apply your changes,
the new queue appears with the other configured queues.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
351
4
Overview of Email menu
Quarantine Configuration
Option definitions - Quarantine queue settings
Use this page to define the settings for each of your configured quarantine queues.
Table 4-159
Quarantine queues settings
Option
Definition
Queue name
Lists the name of each configured quarantine queue.
Description
Explains the purpose or expected content for each queue.
Priority
Shows the queue order that determines where the system quarantines messages that
trigger multiple quarantine actions.
Permitted roles Shows all configured roles that are permitted access to each queue.
Permitted roles do not apply to custom quarantine queues.
Edit
This link allows you to change the properties for the selected queue.
You cannot edit the name of any queue.
Delete
This icon allows you to delete the associated queue.
You cannot delete any of the default queues delivered with McAfee Email Gateway, and
can only delete custom quarantine queues that are not currently in use.
Add
When McAfee Email Gateway is configured to use an off-box McAfee Quarantine
Manager (MQM) service, this button allows you to add a quarantine queue to the
bottom of the list.
Insert
When McAfee Email Gateway is configured to use an off-box McAfee Quarantine
Manager (MQM) service, this button allows you to add a quarantine queue and set the
desired priority at the same time.
Create a custom quarantine queue
Use this process to add a quarantine queue and set its priority.
Task
1
Navigate to Email | Quarantine Configuration | Quarantine Queue Settings.
The window shows the list of quarantine queues on your appliance.
2
At the lower left of the page, click Add.
The Queue Properties dialog appears.
3
Type the queue name and a brief description in the proper text fields.
You cannot configure permitted roles for a custom quarantine queue.
You cannot change the custom queue name after you have applied your changes.
4
Click OK.
The dialog closes and your new quarantine queue appears at the bottom of the Quarantine Queues
table. The queue is assigned the lowest priority.
352
5
If you want to change the assigned priority, use the arrows in the Move column to put the queue in
its proper place.
6
Apply your changes by clicking the green checkmark at the upper right of the page.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
4
Overview of Email menu
Quarantine Configuration
Your new quarantine queue is now ready to receive quarantined messages.
If you select an existing queue from the list and then click Insert instead of Add, you can create a
quarantine queue and set the desired priority.
If you have configured your appliances to quarantine messages to a McAfee Quarantine Manager, the
custom queue appears on the MQM after you apply the changes.
Change the permitted roles for a queue
Use this task to reconfigure the roles associated with a specific quarantine queue.
Before you begin
Completing this task assumes you have defined required roles and have included access to
quarantine configuration and Message Search in the appropriate roles.
Even if the defined roles have the ability to access quarantine configuration, they will not
be able to access the specific queues until permission is granted on this page.
Permitted Roles do not apply to custom quarantine queues.
If an email message has been quarantined to multiple quarantine queues, the user will be able to see
the message within Message Search. However, unless they have the relevant permissions for all queues to
which the message has been quarantined, they will not be able to view or download the message, or
perform any actions (delete, release, forward) on the message.
Task
1
Navigate to Email | Quarantine Configuration | Quarantine Queue Settings.
The Role Restrictions list displays.
2
For the quarantine queue you wish to change, select the Edit link.
The Change Permitted Roles dialog displays, listing all configured roles that have access to Message Search.
The roles assigned to the specific queue are indicated by selection of the check box in the Permitted
column.
3
Make changes to the permitted roles by selecting or deselecting appropriate check boxes.
4
Click OK.
The Change Permitted Roles page closes.
Your reconfigured permissions now appear in the Permitted roles for Message Search on the Role Restrictions
list.
Delete a quarantine queue
When a specific quarantine queue is no longer useful, you can delete it.
You cannot delete any of the default queues included with the McAfee Email Gateway software. Only
custom quarantine queues that are not currently in use can be deleted.
Task
1
Navigate to Email | Quarantine Configuration | Quarantine Queue Settings.
The window shows the list of quarantine queues on your appliance.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
353
4
Overview of Email menu
Quarantine Configuration
2
Find the user-defined quarantine queue you want to delete. Click the associated Delete icon to the
far right of the queue name.
A confirmation dialog box appears.
If the queue is in use by one or more policies, the icon is unavailable.
3
To confirm the deletion, click OK.
The selected queue disappears from the page.
4
Complete the deletion by applying your changes.
The quarantine queue is deleted.
354
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
-- Overview topic for the System menu chapter -Contents
Appliance Management
System Administration
Users
Virtual Hosting
Logging, Alerting and SNMP
Component Management
Setup Wizard
Appliance Management
The Appliance Management pages enable you to reset basic and network settings for the appliance,
and specify settings such as remote access, and DNS and Routing.
System | Appliance Management
Use these pages to define settings for the appliance, such as the domain name and default gateway.
General
Use this page to specify basic settings for the appliance like those you defined in the Setup Wizard.
The appliance can handle IP addresses in IPv4 and IPv6 formats.
System | Appliance Management | General
The page has these sections:
•
Basic Settings displays settings such as the default gateway and domain name.
•
Network Interface Settings displays the current network interface settings for NIC 1 and NIC 2.
Some sections are relevant only when the appliance is in the appropriate mode.
Benefits to the appliance settings
Use this page to specify basic settings for the appliance like those you defined in the Setup Wizard,
change the operating mode, and set up the IP address and adapter settings for NIC 1 and NIC 2.
The appliance can handle IP addresses in IPv4 and IPv6 formats.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
355
5
Overview of System menu
Appliance Management
Option definitions — Basic Settings
This information describes each option in this section.
Table 5-1 Option definitions — Basic Settings
Option
Definition
Appliance name
Specifies a name, such as appliance1.
Domain name
Specifies a name, such as domain.example.com
Default gateway (IPv4) Specifies an address, such as 198.168.254.1.
Next hop router (IPv6)
Specifies an address, such as FD4A:A1B2:C3D4::1.
Operational language
Selects the language that will be used for internal reporting and error messages.
Network Settings page
Use these options to view and configure the IP address and network speeds for the appliance. You can
use IPv4 and IPv6 addresses, separately or in combination.
To prevent duplication of IP addresses on your network and to deter hackers, give the appliance new
IP addresses, and disable the default IP addresses. The IP addresses must be unique and suitable for
your network. Specify as many IP addresses as you need.
Option
Definition
<mode>
The operating mode that you set during installation or in the Setup Wizard
Network Interface 1
Expands to show the IP address and netmask associated with Network Interface
1, the auto-negotiation state, and the size of the MTU.
Network Interface 2
Expands to show the IP address and netmask associated with Network Interface
2, the auto-negotiation state, and the size of the MTU
Change Network
Settings
Click to open the Network Interface Wizard to specify the IP address and adapter
settings for NIC 1 and NIC 2, and change the chosen operating mode.
View Network Interface
Layout
Click to see the <?> associated with LAN1, LAN2, and the out of band interface
Network Interfaces Wizard
Use the Network Interfaces Wizard to change the chosen operating mode, and specify the IP address
and adapter settings for NIC 1 and NIC 2.
The options you see in the Network Interfaces Wizard depend on the operating mode. On the first
page of the wizard, you can choose to change the operating mode for the appliance. You can change
the settings by clicking Change Network Settings to start a wizard. Click Next to progress through the wizard.
In Explicit Proxy mode, some network devices send traffic to the appliances. The appliance then
works as a proxy, processing traffic on behalf of the devices.
In Transparent Router or Transparent Bridge mode, other network devices, such as mail servers,
are unaware that the appliance has intercepted and scanned the email before forwarding it. The
appliance's operation is transparent to the devices.
If you have a standalone appliance running in transparent bridge mode, you will have the option to add
a bypass device in case the appliance fails.
356
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Appliance Management
If the appliance is operating in Transparent Bridge mode, and the Spanning Tree Protocol (STP) is
running on your network, make sure that the appliance is configured according to STP rules.
Additionally, you can set up a bypass device in transparent bridge mode.
To configure your McAfee® Email Gateway Blade Server to failover from the management blade to the
failover management blade, you must specify at least one virtual IP address, shared between the
management and failover management blades.
Network Interfaces Wizard — Explicit Proxy mode
Use the Network Interfaces Wizard to change the chosen operating mode, and specify the IP address
and adapter settings for NIC 1 and NIC 2.
This version of the Network Interfaces Wizard becomes available when you select the Explicit Proxy
mode.
Specify the details for Network Interface 1, then use the Next button to set details for Network Interface
2 as necessary.
Network Interface 1 or Network Interface 2 page
Option
Definition
IP Address
Specifies network addresses to enable the appliance to communicate with your
network. You can specify multiple IP addresses for the appliance’s network ports. The
IP address at the top of a list is the primary address. Any IP addresses below it are
aliases.
You must have at least one IP address in both Network Interface 1 and Network
Interface 2. However, you can deselect the Enabled option next to any IP addresses that
you do not wish to listen on.
Network Mask
Specifies the network mask. In IPv4, you can use a format such as 255.255.255.0, or
CIDR notation, such as 24. In IPv6, you must use the prefix length, for example, 64.
Enabled
When selected, the appliance accepts connections on the IP address.
Virtual
When selected, the appliance treats this IP address as a virtual address.
This option only appears in cluster configurations, or on a McAfee Content Security
Blade Server.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
357
5
Overview of System menu
Appliance Management
Option
Definition
New Address/
Delete Selected
Addresses
Add a new address, or remove a selected IP address.
NIC 1 Adapter
Options or NIC
2 Adapter
Options
Expand to set the following options:
• MTU size — specifies the Maximum Transmission Unit (MTU) size. The MTU is the
maximum size (expressed in bytes) of a single unit of data (for example, an
Ethernet Frame) that can be sent over the connection. The default value is 1500
bytes.
• Autonegotiation state — either:
• On — allows the appliance to negotiate the speed and duplex state for
communicating with other network devices.
• Off — allows you to select the speed and duplex state.
• Connection speed — provides a range of speeds. Default value is 100MB.
This value is fixed at 1GB for fiber-connected systems.
• Duplex state — provides duplex states. Default value is Full duplex.
• Enable IPv6 auto-configuration — Select this option to allow the appliance to automatically
configure its IPv6 addresses and IPv6 default next-hop router, by receiving Router
Advertisement messages sent from your IPv6 router.
This option is unavailable by default if your appliance is running in transparent router
mode, or is part of a cluster configuration, or running as part of a Blade Server
installation.
Network Interfaces Wizard — Transparent Router mode
Use the Network Interfaces Wizard to change the chosen operating mode, then specify the IP address
and adapter settings for NIC 1 and NIC 2.
Network Interface 1 or Network Interface 2 pages
358
Option
Definition
IP Address
Specifies network addresses to enable the appliance to communicate with your
network. You can specify multiple IP addresses for the appliance’s ports. The IP
address at the top of a list is the primary address. Any IP addresses below it are
aliases.
Network Mask
Specifies the network mask, for example: 255.255.255.0. In IPv4, you can use a
format such as 255.255.255.0, or CIDR notation, such as 24. In IPv6, you must use
the prefix length, for example, 64.
Enabled
When selected, the appliance accepts connections on that IP address.
Virtual
When selected, the appliance treats this IP address as a virtual address. This option
only appears in cluster configurations, or on a McAfee Content Security Blade Server.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Appliance Management
Option
Definition
New Address/
Delete Selected
Addresses
Add a new address, or remove a selected IP address.
NIC 1 Adapter
Options or NIC
2 Adapter
Options
Expand to set the following options:
• MTU size — Specifies the Maximum Transmission Unit (MTU) size. The MTU is the
maximum size (expressed in bytes) of a single unit of data (for example, an
Ethernet Frame) that can be sent over the connection. The default value is 1500
bytes.
• Autonegotiation state — either:
• On — allows the appliance to negotiate the speed and duplex state for
communicating with other network devices.
• Off — allows you to select the speed and duplex state.
• Connection speed — provides a range of speeds. Default value is 100MB.
This value is fixed at 1GB for fiber-connected systems.
• Duplex state — provides duplex states. Default value is Full duplex.
• Enable IPv6 auto-configuration — Select this option to allow the appliance automatically
configure its IPv6 addresses and IPv6 default next-hop router, by receiving Router
Advertisement messages sent from your IPv6 router.
This option is unavailable by default if your appliance is running in transparent router
mode, or is part of a cluster configuration, or running as part of a Blade Server
installation.
• Enable sending IPv6 router advertisements on this interface — When enabled, allows IPv6 router
advertisements to be sent to machines on the sub-net that require a router
response to complete auto-configuration.
Network Interfaces Wizard — Transparent Bridge mode
Use the Network Interfaces Wizard to change the chosen operating mode, and specify the IP address
and adapter settings for NIC 1 and NIC 2.
Specify the details for the Ethernet Bridge, then use the Next button to set details for the Spanning Tree
Protocol and Bypass Device as necessary.
Option definitions — Ethernet Bridge page
Option
Definition
Select all
Click to select all the IP addresses.
IP Address
Specifies network addresses to enable the appliance to communicate with your
network. You can specify multiple IP addresses for the appliance’s ports. The IP
addresses are combined into one list for both ports. The IP address at the top of a list
is the primary address. Any IP addresses below it are aliases.
Use the Move links to reposition the addresses as necessary.
Network Mask
Specifies the network mask, for example: 255.255.255.0. In IPv4, you can use a
format such as 255.255.255.0, or CIDR notation, such as 24. In IPv6, you must use
the prefix length, for example, 64.
Enabled
When selected, the appliance accepts connections on that IP address.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
359
5
Overview of System menu
Appliance Management
Option
Definition
New Address/
Delete Selected
Addresses
Add a new address, or remove a selected IP address.
NIC Adapter
Options
Expand to set the following options:
• MTU size — specifies the Maximum Transmission Unit (MTU) size. The MTU is the
maximum size (expressed in bytes) of a single unit of data (for example, an Ethernet
Frame) that can be sent over the connection. The default value is 1500 bytes.
• Autonegotiation state — either:
• On — allows the appliance to negotiate the speed and duplex state for
communicating with other network devices.
• Off — allows you to select the speed and duplex state.
• Connection speed — provides a range of speeds. Default value is 100MB.
This value is fixed at 1GB for fiber-connected systems.
• Duplex state — provides duplex states. Default value is Full duplex.
• Enable IPv6 auto-configuration — select this option to allow the appliance to automatically
configure its IPv6 addresses and IPv6 default next-hop router, by receiving Router
Advertisement messages sent from your IPv6 router.
This option is unavailable by default if your appliance is running in transparent router
mode, or is part of a cluster configuration, or running as part of a Blade Server
installation.
Option definitions — Spanning Tree Protocol Settings page
Option
Definition
Enable STP
STP is enabled by default.
Bridge priority
Sets the priority for the STP bridge. Lower numbers have a higher priority. The
maximum number that you can set is 65535.
Advanced parameters Expand to set the following options. Change the settings only if you understand
the possible effects, or you have consulted an expert:
• Forwarding delay
• Garbage collection interval (seconds)
• Hello interval (seconds)
• Ageing time (seconds)
• Maximum age (seconds)
Option definitions — Bypass Device Settings page
Option
Definition
The bypass device inherits settings from those you entered in NIC Adapter Options
.
360
Select bypass device
Choose from two supported devices.
Watchdog timeout
(seconds)
For the bypass device, the time, in seconds, that can elapse before the system
bypasses the appliance.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of System menu
Appliance Management
Option
Definition
Heartbeat interval
(seconds)
Set to monitor heartbeat by default.
5
Advanced parameters This option becomes active when you select a bypass device.
• Mode — choose to monitor the heartbeat or the heartbeat and the link activity.
• Link activity timeout (seconds) — becomes active when you select Monitor heartbeat and link
activity in Mode
• Enable buzzer — enabled by default. If the bypass device fails to detect the
heartbeat signal for the configured Watchdog timeout, the buzzer sounds.
DNS and Routing
Use this page to configure the appliance’s use of DNS and routing.
System | Appliance Management | DNS and Routing
The page has these sections:
•
DNS Servers
•
Routing
Benefits of specifying DNS servers and adding routes
Use this page to understand the benefits of using DNS and routing.
When you first log on to the appliance, the DNS and Routing page displays the servers and routes that you
specified in the Setup Wizard. Use this page to review the entries, add or remove routes and servers,
and change their priority.
Domain Name System (DNS) servers translate or “map” the names of network devices into IP
addresses. Use the arrows to move the servers up and down the list. The first server in the list must
be your nearest, or most reliable server. If the first server cannot resolve the request, the appliance
contacts the second server. If no servers in the list can resolve the request, the appliance forwards the
request to the DNS root name servers on the Internet.
You can set the appliance to use dynamic routing, if:
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
361
5
Overview of System menu
Appliance Management
•
The appliance is in transparent router mode
•
Your network supports it
By default, the appliance uses the common dynamic routing protocol called Routing Information
Protocol (RIP).
Option definitions — DNS Servers
This information describes each option in this section.
Option
Definition
Server Address
Displays the IP addresses of the DNS servers. The first server in the list must be your
fastest or most reliable server. If the first server cannot resolve the request, the
appliance contacts the second server. If no servers in the list can resolve the request,
the appliance forwards the request to the DNS root name servers on the Internet.
If your firewall prevents DNS lookup (typically on port 53), specify the IP address of a
local device that provides name resolution
New Server/
Delete Selected
Servers
Adds a new server to the list, or removes one when, for example, you need to
decommission a server due to network changes. Use the arrows to move the servers
up and down the list.
Only send
Selected by default. McAfee recommends that you leave this option selected because it
queries to these might speed up DNS queries as the appliance sends the queries to the specified DNS
servers
servers only. If they don't know the address, they go to the root DNS servers on the
Internet. When they get a reply, the appliance receives it and caches the response so
that other servers that query that DNS server can get an answer more quickly.
If you deselect this option, the appliance first tries to resolve the requests, or might
query DNS servers outside your network.
Option definitions — Routing
This information describes each option in this section.
Option
Definition
Network Address
Type the network address of the route.
Mask
Specifies how many hosts are on your network, for example, 255.255.255.0.
Gateway
Specifies the IP address of the router used as the next hop out of the network. The
address 0.0.0.0 (IPv4), or :: (IPv6) means that the router has no default gateway.
Metric
Specifies the preference given to the route. A low number indicates a high
preference for that route.
New Route /
Delete Selected
Routes
Add a new route to the table, or remove one. Use the arrows to move the route up
and down the list. The routes are chosen based on their metric value.
Enable dynamic
routing
Use this option in transparent router mode only. When enabled, the appliance can:
• receive broadcast routing information received over RIP (default) that it applies its
routing table so you don't have to duplicate routing information on the appliance
that is already present in the network.
• broadcast routing information if static routes have been configured through the
user interface over RIP.
362
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Appliance Management
Setting up a list of DNS servers
Use this ask to set up a list of DNS servers.
Task
1
Click System | Appliance Management | DNS and Routing.
2
Click New Server and type the IP address. The appliance sends requests to DNS servers in the order
that they are listed.
3
If necessary, click Only send queries to these servers, and choose the servers.
Setting up a static route
Use this task to set up a static route.
Task
1
Go to System | Appliance Management | DNS and Routing.
2
Click New Route, and add the following information:
3
•
Network Address
•
Gateway
•
Metric
Apply the changes.
Time and Date
Use this page to configure time and date settings on the appliance.
System | Appliance Management | Time and Date
Useful websites
•
http://www.ntp.org
•
http://www.worldtimeserver.com/current_time_in_UTC.aspx (for current UTC time)
Benefits to setting the time and date options
This topic describes the benefits of the time and date settings.
Correct time settings are important to ensure the appliance keeps its logs, reports and schedules
accurate.
You can provide the details manually, or from your own computer, or via the Network Time Protocol
(NTP).
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
363
5
Overview of System menu
Appliance Management
Option definitions — Time and Date
This information describes each option on this page.
Option
Definition
Appliance Time
Zone
Specifies the time zone of the appliance. You might need to set this twice each year
if your region observes daylight saving time.
Appliance Time
(UTC)
Specifies the date and UTC time for the appliance. To select the date, click the
calendar icon. You can determine the UTC time from websites such as http://
www.worldtimeserver.com.
Set Now
When clicked, applies the date and UTC time that you specified in this row.
Client Time
Displays the time according to the client computer from which your browser is
currently connected to the appliance.
Synchronize
appliance with
client
When selected, the time in the Appliance Time (UTC) immediately takes its value from
Client Time. You can use this checkbox as an alternative to manual setting of Appliance
Time (UTC). The appliance calculates the UTC time based on the time zone that it finds
on the client's browser.
Ensure that the client computer is aware of any daylight savings adjustments. To find
the setting on Microsoft Windows, right-click the time display in the bottom right
corner of the screen.
Enable NTP
When selected, accepts NTP messages from a specified server or a network
broadcast. NTP synchronizes timekeeping among devices in a network. Some
Internet Service Providers (ISPs) provide a timekeeping service. Because NTP
messages are not sent often, they do not noticeably affect the appliance's
performance.
Enable NTP client
broadcasts
When selected, accepts NTP messages from network broadcasts only. This method
is useful on a busy network but must trust other devices in the network.
When deselected, accepts NTP messages only from servers specified in the list.
NTP Server
Displays the network address or a domain name of one or more NTP servers that
the appliance uses. For example, time.nist.gov.
If you specify several servers, the appliance examines each NTP message in turn to
determine the correct time.
New Server
Type the IP address of a new NTP Server.
Task — Using an NTP Server to set the appliance date and time
Use this task to add an NTP server to manage the appliance time and date.
Task
1
Click System | Appliance Management | Time and Date.
2
Select Enable NTP and click New Server.
3
Type the IP address of the server that you wish to add.
Remote Access
Use this page to provide the methods of accessing the appliance remotely.
System | Appliance Management | Remote Access
364
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of System menu
Appliance Management
5
The page has these sections:
•
Secure Shell Configuration
•
User Interface Access Configuration
•
Out of Band Management
You can still access the user interface using the IP address of the appliance itself.
Benefits of using the remote access feature
This topic describes the benefits of using the remote access feature.
This feature controls the access to the user interface and the secure shell, and provides an extra layer
of protection in addition to that provided by username and password authentication.
Use the out-of-band interface if you do not want the user interface or secure shell to be accessible on
the same network as the data traffic that is being scanned.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
365
5
Overview of System menu
Appliance Management
Option definitions — Secure Shell Configuration
This information describes each option in this section.
Option
Definition
Enable the
Click to enable the use of Secure Shell (SSH) to connect remotely to your appliance. By
secure shell default, when you enable the use of SSH, it allows all hosts or networks that can access
the appliance.
Click Allow permitted hosts / networks listed below, then select New Address to add only the specified
devices access.
You can use your SSH client to access the support account on the appliance. Use the
same password that you use to access the interface from a remote computer.
If you are using out-of-band management and have blocked port 22, change the SSH
configuration to allow Secure Shell access.
Permitted
Host /
Network
Displays details of devices that can access the appliance. By default, access is available to
ALL hosts or networks that can use Secure Shell (SSH).
The entries here are added to the /etc/hosts.allow file, and therefore must follow its
conventions. We recommend that you allow access to known domains or users initially.
Click New Address / Delete Selected Addresses to add or remove permitted hosts or networks
from the list.
To add a network use the following notation formats:
• IPv4: 192.168.5.0/24 or 192.168.5.0/255.255.255.0 (allows every host with a
network address beginning 192.168.5 to access the secure shell)
• IPv6: [3ffe:505:2:1::]/64 (allows every address in the range `3ffe:505:2:1::´
through `3ffe:505:2:1:ffff:ffff:ffff:ffff´)
• domain wildcards: *.example.com (allows all hosts in the example.com domain to
access the secure shell)
To add an individual host, use the following notation formats:
• IPv4: 192.168.0.5 (only allows the particular IP address to access the secure shell)
• IPv6: [2001:470:921b:7896::3c]. The [ ] must be typed.
• hostname: host1.example.com (only allows host1 in the example.com domain to
access the secure shell)
To add individual hosts, netmasks can not be used.
Option definitions — User Interface Access Configuration
This information describes each option in this section.
Option
Definition
Management Port
This field allows you to specify the port used to access the User Interface.
When the McAfee Email Gateway is first installed, port 443 is used. However, during
the configuration process, this value is changed by default to 10443.
If you intend using any of the encryption features within McAfee Email Gateway, you
must change the management port to 10443 and apply these settings.
Allow all hosts/
networks
366
Allows anyone to connect to the user interface
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Appliance Management
Option
Definition
Allow permitted
hosts/networks
listed below
Displays details of devices that can access the appliance through its web-based
interface (IPv4 addresses only). Restricts access to the user interface to the hosts
or networks that you specify here. By default, access is available to ALL devices.
Click New Address / Delete Selected Addresses to add or remove permitted hosts or
networks from the list.
Type the IP addresses or domains carefully, otherwise the appliance can become
inaccessible.
To add a network use the following notation formats:
• IPv4: 192.168.5.0/24 or 192.168.5.0/255.255.255.0 (allows every host with a
network address beginning 192.168.5 to access the secure shell)
• domain wildcards: *.example.com (allows all hosts in the example.com domain to
access the secure shell)
To add an individual host, use the following notation formats:
• IPv4: 192.168.0.5 (only allows the particular IP address to access the secure
shell)
• hostname: host1.example.com (only allows host1 in the example.com domain to
access the secure shell)
Administrator's
Email Address
The email address of the main appliance administrator. This address appears if
someone tries to access an invalid page on the appliance user interface in the form
of the webmaster's email address.
Option definitions — Out of Band Management
This information describes each option in this section.
Normally, the commands you issue to the appliance are part of the network traffic. With out-of-band
management, your commands are directed to a third port on the appliance, and become separate (or
out-of-band) from the other network traffic.
Before enabling out-of-band management, make sure you have first connected the external
USB-Ethernet adapter to your appliance and to a suitable network. Some later appliances have inbuilt
out-of-band management already, and do not need to have it separately enabled. To find out whether
this applies to your appliance, see the Email Gateway Quick Start guide.
Option
Definition
Enable the out of
band interface
When selected, allows you to control the appliance through a direct connection.
Ethernet adapter
Offers a choice of Ethernet adapter, such as Belkin F5D5050 for a USB network
adapter, or Gb4(mb3) for in-built network adapter.
IP Address /
netmask
Specifies the IP address and network mask for the port.
You cannot type an IP address that is on the same subnet as the normal operational
ports.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
367
5
Overview of System menu
Appliance Management
Option
Definition
NIC Adapter Options Specifies various details for the out-of-band connection, which is effectively a third
NIC connection for the appliance.
• MTU size — the maximum size (expressed in bytes) of a single unit of data (for
example, an Ethernet Frame) that can be sent over the connection. Default value
is 1500 bytes.
• Autonegotiation state — on by default.
• Connection speed — 100Mbps by default.
• Duplex state — Full by default.
• Enable IPv6 auto-configuration — Select this option to allow the appliance automatically
configure its IPv6 addresses and IPv6 default next-hop router, by receiving
Router Advertisement messages sent from your IPv6 router.
This option is grayed out by default if your appliance is running in transparent
router mode, or is part of a cluster configuration.
Enable in-band
management
Specifies ports to prevent any attempts to access the appliance via ports over the
main (non-management) interface.
• New Port
• Delete Selected Port
Option definitions — Remote Access Card
This information describes each option in this section.
In 3300 and 3400 versions of the appliance, there is a built-in remote access card installed. This
section of the interface will not appear on other appliance models.
Option
Definition
Enable remote access
card configuration
Select to have the appliance manage the remote access card through the user
interface.
Listening port
Set the listening port. Set to 443 by default.
Obtain an IP address
dynamically using DHCP
Select whether you want the appliance to obtain an IP address dynamically
using DHCP
IP address / netmask
Specifies the IP address and network mask for the port.
You cannot type an IP address that is on the same subnet as the normal
operational ports.
368
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Appliance Management
Option
Definition
DRAC Network Options
Expand this option to:
• Specify the default gateway
• Select whether you want the appliance to obtain DNS information dynamically
using DHCP
• Add the primary and secondary DNS servers
DRAC Adapter Options
Expand this option to:
• See the version of Firmware
• Set the MAC address
• Set the size of the MTU (1500 by default). That is, the maximum size
(expressed in bytes) of a single unit of data (for example, an Ethernet Frame)
that can be sent over the connection.
• Use autonegotiation (on by default)
• Check the connection speed (100 Mb by default)
• Set the duplex state (Full by default)
Task — To manage the appliance from a management network
Use this task to set up a management network to manage the appliance.
Task
1
Go to System | Appliance Management | Remote Access.
2
Click Enable the out of band interface.
3
Use the drop-down box to select the USB driver, or in-built ethernet adapter.
4
Type the IP address and netmask of the out-of-band interface.
5
Expand the NIC Adapter Options area (optional), and change any necessary information .
6
Apply the changes and log off the appliance.
7
Go to the IP address you specified earlier to access the user interface.
Task — Restrict management access to the appliance to the management network
Use this task to restrict access to the appliance from the management network.
Task
1
Access the appliance through the out-of-band interface, and go to System | Appliance Management |
Remote Access.
2
Deselect Enable in-band management. By default, the user interface (port 443), the secure shell (port
22), and SNMP (port 161) are blocked on the appliance IP address.
3
Click New Port to add any new ports that you want to block on the main appliance IP address and
only access through the management network.
4
Apply the changes.
To monitor your appliance using mechanisms such as the off-box syslog feature, go to System |
Logging, Alerting and SNMP, and configure the remote server, ensuring that it can be routed through the
out-of-band network.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
369
5
Overview of System menu
Appliance Management
Email Gateway Certificate
Specify the certificate that is used to verify the administrator appliance login credentials, and the
default certificate that is used with TLS.
System | Appliance Management | Email Gateway Certificate
Benefits of Email Gateway Certificate
Email Gateway Certificates are used to verify the identity of your McAfee® Email Gateway.
By verifying the identity of your McAfee® Email Gateway, other email systems can be used to provide
secure communications to and from your system.
Option definitions — Email Gateway Certificate
This information describes the options available on this page.
Option
Definition
Country [C]
Specifies a two-letter code such CN, DE, ES, FR, JP, KR. (See ISO 3166)
Default value is US.
Town or city [L]
Specifies the location of your organization. Give a full name rather than an
abbreviation.
Organization [O]
Specifies the name of your organization such as Example, Inc.
Organizational unit [OU]
Default value is Email Gateway.
Common name [CN]
Displays the domain name of your appliance such as server1.example.com
Email address [ea]
Specifies an email address, for example aaa@mcafee.com
Import
When clicked, opens a window where you can specify the file.
State or province [ST]
To import a password-protected certificate, type the passphrase to unlock the
private key. The appliance stores the decrypted certificate in a secure internal
location.
The appliance only verifies the certificate, and makes it available to use, after
you click the icon to apply your changes:
370
Export
When clicked, opens a window where you can specify a passphrase, then
download a file. The file name extension is CRT (base-64 encoded) or P12
(PKCS#12). The certificate is in PEM format.
Generate Certificate
Signing Request
When clicked, opens a window where you can request that the Certificate
Signing Request is signed by a Certificate Authority on the appliance or by an
external Certificate Authority. The file name extension is CSR.
Regenerate
When clicked, you are prompted to confirm that you want to regenerate the
certificate and private key.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Appliance Management
Certificate and Key Export wizard
Export the certificate and key from your McAfee Email Gateway.
Table 5-2 Certificate and Key Export wizard — page 1
Option
Definition
Options
Select if you want to export the certificate only, without including your private keys.
Format
Select to export your certificate and keys in:
• Base-64 encoding, or
• as a PKCS#12 secure key file.
By default a Base-64 encoding is used.
This page only appears if you have not selected Export the certificate only (no private keys) on page 1 of this
wizard.
Table 5-3 Certificate and Key Export wizard — page 2
Option
Definition
Protect the private key with the following passphrase Password-protect the private key within the exported file.
Confirm the passphrase
Re-enter the password to ensure it matches your first
attempt.
Table 5-4 Certificate and Key Export wizard — page 3
Option
Definition
Download
To download the exported certificate, click the link provided.
Depending on your browser, you may need to right-click the link and select the option to save the file
locally.
When the file has been downloaded locally, click Finish to close this wizard.
UPS Settings
Understand how to configure your McAfee Email Gateway to work with third-party Uninterruptible
Power Supply (UPS) systems.
System | Appliance Management | UPS Settings
Benefits of specifying UPS
The appliance can monitor the status of any number of UPS systems, allowing a graceful shutdown if
the main power supply fails. The appliance can also notify other devices about the event.
Using a name and password, other devices (called "clients") can access information from the appliance
about the UPS systems, allowing the clients to respond to an imminent loss of power.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
371
5
Overview of System menu
Appliance Management
Option definitions — UPS Device Configuration
This information describes each option in this section.
Option
Definition
Delay before shutting
down the appliance
when switching to UPS
power
Specifies the number of minutes before the appliance shuts down. The default As
long as possible option means that the power stays on until the UPS signals that the
battery is low. If you set the minutes value to zero, the appliance shuts down
immediately.
Status
Displays the status of the device:
— Operating normally.
— Needs attention.
— Needs immediate attention.
Devices and Driver
Displays the type (model) of the UPS device and driver.
Type
Displays the type of connection between the appliance and the UPS — USB
Cable, Serial Cable, or Network.
New Device
When clicked, opens the Add UPS Device wizard where you can specify UPS settings
for the (master) appliance that connects to the UPS, or settings for one or more
appliances (slaves) that connect to the master appliance via the network.
Option definitions — Accept UPS status requests from the following
addresses
This information describes each option in this section.
This section appears when you add a new UPS device.
Option
Definition
Appliance Name or
Address
Displays the IP address of the monitoring device.
Type
Displays the status of the monitoring device. Every added device is defined as
Slave. This list always contains one Master entry.
New Client
When clicked, opens a window, where you can specify the address of the client,
and a user name and password that the client must specify to access the UPS
information. The user name and password are those specified when you set up the
master device.
Task — Add a USB UPS device
Use this task to specify a USB UPS device.
Task
1
Connect the USB UPS to the appliance to ensure the list displays the UPS.
2
Go to System | Appliance Management | UPS Settings.
3
Click Enable UPS support, and click New Device.
4
Select USB Device, then click Next.
5
Select the appropriate values for Vendor Name, UPS Device Model, and Attached USB Device.
To begin with, you can keep the default Off delay and On delay settings.
6
372
Click Finish and apply the changes.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of System menu
Appliance Management
7
5
Click Edit, then click Next to change more configuration options.
These options appear when the UPS is working (shown by a green tick in the Status column).
8
9
Edit the settings for the following options as applicable for more information:
•
Remaining battery level when UPS switches to low battery
•
Remaining battery runtime when UPS switches to low battery
•
Interval to wait after shutdown with delay command
•
Interval to wait before (re)starting the load
Click Finish, then apply the changes.
Task — Add a serial UPS device
Use this task to add a serial UPS device.
Task
1
Connect the serial UPS to the appliance using the serial cable supplied with the UPS.
2
Go to System | Appliance Management | UPS Settings.
3
Click Enable UPS support, and click New Device.
4
Select Serial Device, then click Next.
5
Select appropriate values for Vendor Name, UPS Device Model, and Serial Port.
6
Click Finish, then apply the changes.
7
Click Edit to change the settings for the following options as applicable for more information:
•
Remaining battery level when UPS switches to low battery
•
Remaining battery runtime when UPS switches to low battery
•
Interval to wait after shutdown with delay command
•
Interval to wait before (re)starting the load
These options appear when the UPS is working (shown by a green checkmark in the Status column).
8
Click Finish, then apply the changes.
Task — Configure your appliance to accept UPS status requests from other
appliances
Use this task to have the appliance accept UPS status requests from other appliances.
Task
1
Ensure that your UPS is working (a green checkmark shows in the Status column).
2
Go to System | Appliance Management | UPS Settings.
3
Select New Client.
4
In Client Address, type the IP address of the client that you wish to allow queries from.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
373
5
Overview of System menu
Appliance Management
5
Note the information in the Username and Password fields; you will need them later to enter into
the client machine.
6
Select OK.
Task — Set up a client appliance to monitor a UPS on another appliance
Use this task to have a client appliance to monitor a UPS on another appliance.
Task
1
Complete the steps in Configure your appliance to accept UPS status requests from other
appliances.
2
Go to System | Appliance Management | UPS Settings.
3
Click Enable UPS support, and click New Device.
4
Select Get Power status from another appliance and click Next.
5
Type in the name or IP address of the appliance that has the UPS connected to it.
6
Add the username and password displayed that you made a note of in Configure your appliance to
accept UPS status requests from other appliances.
7
Click Test Authentication to check that the communication is working, then click Finish and apply
changes.
Add UPS Device Wizard
Use this wizard to select the type of UPS device that you want to add, and specify its details.
System | Appliance Management | UPS Settings | New Device
Option definitions — UPS Device Connection
Use this page of the wizard to specify how you are going to connect to the UPS device.
Table 5-5 Option definitions
Option
Definition
USB device
This option is unavailable until you add a USB device
Serial device
Get power status from another appliance
The options you see in the wizard depend on the type of device that you choose.
Option definitions — USB Device Details screen
This information describes the options available on this page of the wizard.
Option
Definition
Vendor name
Lists supported vendors
UPS device model
Select from the list of supported USB models supplied by the vendor you chose
Attached USB device Details of the USB device
374
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Appliance Management
Option
Definition
Off delay
The length of time, in seconds, that the UPS waits before turning off the UPS after
it receives the "turn off" command
On delay
The length of time, in seconds, that the UPS waits before restoring power after the
mains power returns
Option definitions — Serial Device Details screen
This information describes the options available on this page of the wizard.
Option
Definition
Vendor name
Lists supported vendors
UPS device model Select from the list of supported USB models supplied by the vendor you chose
Serial port
Select the serial port that you want to use. COM1 is the built-in serial port on the
appliance
Option definitions — Get power status from another appliance
This information describes the options available on this page of the wizard.
Option
Definition
Appliance name or address The host name or IP address of the master appliance
User name
The username given to the master appliance
Password
The password assigned to the master appliance
Test Authentication
Click to test the connection between the appliance and the master device
defined above
Default Server Settings
Use this page to specify details of HTTP and FTP proxy servers, through which the appliance receives
updates, and to set up a remote backup server.
System | Appliance Management | Default Server Settings
The page has these sections:
•
Default HTTP proxy settings
•
Default FTP proxy settings
•
Default remote backup settings
There are three options to choose from to back up to a remote server:
•
FTP
•
SSH with password authentication
•
SSH with public key authentication
Benefits of configuring default server settings
This information describes the benefits of specifying a remote FTP or HTTP server to get updates, and
set up a remote backup server.
The default remote backup server that you specify here is used by the appliance as the default server
to:
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
375
5
Overview of System menu
Appliance Management
•
get threat detection file updates (anti-virus, and anti-spam)
•
install package updates (patches and hotfixes)
You can set the appliance to use different servers for each of those actions in their related configuration
wizards.
Option definitions — Default HTTP proxy settings
This information describes each option in this section.
Option
Definition
Proxy server
Enter the proxy server address.
Proxy port
Enter the port used to transfer updates over HTTP.
By default, this is port 80.
Proxy username
Enter the username used to log onto the proxy server.
Proxy password
Enter the password used to log onto the proxy server.
Option definitions — Default FTP proxy settings
This information describes each option in this section.
Option
Definition
Proxy server
Enter the proxy server address.
Proxy port
Enter the port used to transfer updates over FTP
By default, this is port 21.
376
Proxy username
Enter the username used to log onto the proxy server.
Proxy password
Enter the password used to log onto the proxy server.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
System Administration
Option definitions — Default remote backup settings
This information describes each option in this section.
Option
Definition
Transfer to FTP
Server
Selected by default:
• Server
• Proxy server
• Port
• Proxy port
• Directory
• Proxy username
• Username (default value is
anonymous)
• Proxy password
• Password (default value is
anonymous)
Transfer via SSH
Click to specify the settings to transfer the backup using SSH:
• Server
• Port
• Directory
• Username (default value is anonymous)
• Password Authentication/Password (default value is anonymous)
• Public Key Authentication/Public key (links to the public key)
If you use either FTP or SSH with password authentication, your passwords are stored in the appliance
configuration files, in plain text format. The most secure option is to use SSH with public key
authentication. To use this feature, you must click the link to generate a key file, which you must then
copy and paste into your authorized keys file so that the appliance can perform the backup.
System Administration
The System Administration pages provide you with the features you need to enable you to set up and
maintain your McAfee Email Gateway.
System | System Administration
From these pages you can backup and restore your configurations, push configurations from one
appliance to others, and set up the cluster management for your groups of McAfee Email Gateway
appliances. You can also carry out database maintenance and access the rescue image features for
your appliance. Use the system administration pages to access the system commands for shutting
down and rebooting your McAfee Email Gateway.
Contents
Configuration Management
Configuration Push
Cluster Management
Option definitions — MAC Addresses
Resilient Mode
Configure Automatic Configuration Backups wizard
Database Maintenance
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
377
5
Overview of System menu
System Administration
Rescue Image
System Commands
Configuration Management
Use this page to back up and restore the information about the appliance’s configuration.
System | System Administration | Configuration Management
The page contains these sections:
•
Backup Configuration
•
Restore Configuration
•
Configuration Report
•
Review Configuration Changes
Benefits of backing up and restoring configuration
Use this page to create immediate and automatic backups of a configuration file, and produce
configuration reports.
You can copy the configuration from one appliance to another, or use the backup copy to restore your
appliance to former settings.
Option definitions — Configuration Management
This information describes each option on this page.
Option
Definition
Backup Configuration
When clicked, puts all the appliance’s configuration settings into a file, and allows
you to download the file.
You can safely store configuration details about the appliance offline, and restore
that information later if the original appliance fails. The system configuration files
are saved to a .zip file, which contains mainly XML files and associated DTD files.
The .zip file size is typically less than 1MB.
Save the config
When clicked, allows you to download the configuration file.
The link is active only after the configuration file has been generated.
Include the Data Loss
Prevention database
When selected, automatically includes information in the backup file about any
DLP categories and file fingerprints. To find the contents of the DLP database, go
to Email | DLP and Dictionaries.
Selecting this option uses large amounts of disk space.
Include TLS
certificates and
private keys
When selected, includes information in the backup file about any digital
certificates and private keys that are stored on the appliance. You need to
consider the security of your private keys.
To find the certificates, go to Email | Certificate Management | Certificates | TLS Certificates
and Keys.
By default, the TLS certificates and private keys are not encrypted when stored in
the backup file.
378
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
System Administration
Option
Definition
Encrypt private keys
When Include TLS certificates and private keys is selected, choose to encrypt the private
keys. You will need to specify the Passphrase.
Include Email Hybrid
configuration
When selected, includes information in the backup file about any digital
certificates and private keys relating to Email Hybrid implementation that are
stored on the appliance.
The Email Hybrid private key is not encrypted when stored in the backup file.
Include Secure Web
Mail user and system
data
When selected, includes information in the backup file about any public
certificates and private keys, as well as configuration details for each domain and
each user that are configured for Secure Web Mail.
Email messages are not included in the configuration backup.
When selected, configuration backups are made periodically and sent to a server
whose details you can specify. If no server is configured already, the Configure
Automatic Configuration Backups wizard starts. Otherwise, click the link next to
Backup Scheduled to specify the server.
Enable automatic
backup
When enabled, you can select the following options:
• Include the Data Loss Prevention database
• Include TLS certificates and private keys
• Include Secure Web Mail user and system data
• Include Email Hybrid configuration
• Automatically backup when you apply configuration
Backup scheduled
Click to open the Configure Automatic Configuration Backups.
Table 5-6 Option definitions — Restore Configuration
Option
Definition
Restore From File When clicked, imports configuration settings from a backup file.
You can choose which details you need. If the file came from an earlier version of the
software, some details are not available.
Table 5-7 Option definitions — Configuration Report
Option
Definition
Produce Report Create an online report that details changes and settings in each area of the appliance
configuration and status pages.
View the report View the online report generated using the Produce Report button.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
379
5
Overview of System menu
System Administration
Table 5-8 Option definitions — Review Configuration Changes
Option
Definition
Review Configuration
Changes
Displays details of changes made to the appliance.
• Date — The date and time that the configuration change was made.
• Comment — The comment is generated automatically by the appliance or is the
text typed at the Configuration change comment window seen after clicking the green
checkmark.
• Client IP address — The default value is 127.0.0. (or “home”).
• User — This is typically admin or other users. To see the list of users, select
System | Users | Users and Roles in the navigation bar.
• Session — A PID is a number that identifies a process.
Show Differences
Select more than one configuration change, and click to display the files that have
been changed. Select a file, and click Show Difference to display the configuration
differences in code view between them.
Rollback Changes
Select a configuration change, and click to select the values to restore. Secure
Web Mail user and system data configuration changes are not rolled back.
Configuration Push
Use this page to copy the settings on one appliance to other appliances.
System | System Administration | Configuration Push
Parameters that are not pushed to other appliances
The following configuration parameters are not pushed to the other appliances:
Network settings:
•
Hostname and domain name
•
Default routes
•
IP addresses
•
Ethernet settings such as MTU and duplex
•
Appliance operating mode; explicit proxy, transparent bridge, transparent router
•
Spanning tree protocol settings (transparent bridge mode only)
•
DNS server addresses
•
DHCP server settings (applies to cluster configurations)
•
Load-balancing settings
•
Static routes
•
Proxy settings
Remote Access Card settings:
•
380
IP address(es) assigned to DRAC
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
System Administration
Management port settings:
•
Whether out-of-band management is enabled (IP address, driver)
Benefits of pushing a configuration
This information describes the benefits to pushing a configuration onto another appliance
If you manage multiple appliances, you can specify that all of your appliances have the same settings
by pushing configuration from one to another.
This can be further automated using one of the following methods:
•
Automatic configuration push
•
Scheduled configuration push
Option definitions — Configuration Push
This information describes each option on this page.
Table 5-9 Option definitions — Managed Appliance List
Option
Definition
Hostname/ Address
Displays the IP address of this appliance.
Push enabled
Check this option to allow configurations to be pushed to this appliance
either automatically or via a schedule.
Platform
Displays information about the appliance.
Last Push
Displays when you last pushed a configuration file to another
appliance.
Update Progress
Displays the status of the configuration update and is updated every
two seconds.
Add Appliance / Remove Appliance
Add or remove an appliance from Managed Appliance List.
Refresh
Refresh the Managed Appliance List after adding or removing an appliance.
Apply Configuration to enabled
appliances
When clicked, sends the settings to the other appliances in the list that
have been enabled (see ‘Push enabled’ above).
Apply Configuration to selected
appliances
When clicked, sends the settings to the appliances in the list that have
been selected.
Table 5-10 Option definitions — Configuration push settings
Option
Definition
Username to use for push
Use this username when pushing configuration to the remote
appliances.
Password to use for push
Use this password when pushing configuration to the remote
appliances.
This password will be stored in plaintext within in the
configuration.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
381
5
Overview of System menu
System Administration
Table 5-10 Option definitions — Configuration push settings (continued)
Option
Definition
Advanced settings
• Push the configuration push setting and the managed appliance list — Push the
managed appliance list and configuration push settings.
By changing the following, it is
possible to alter the settings
that will be pushed across to
the other appliances in the
Managed Appliance List. If the
checkbox is checked then the
settings will be pushed to the
remote appliances.
Do not use this option if you have chosen to automatically push
configuration changes.
• Push Secure Web Mail user and system data — If you have Secure Web
Mail configured select this option to push the user and system
data.
These options apply when
• Push the SNMP monitor name — Push appliance specific settings, for
performing a push by clicking
example, the SNMP monitor name.
the button in the user interface,
and when performing the
• Push the MQM settings — Push the Quarantine Manager system
automatic/scheduled
identifier.
configuration pushes.
• Push the UPS settings — Push the details of any UPS systems
attached to the appliance.
• Push your TLS certificates and private keys — Push the certificates and
private keys used for by your appliance to allow TLS connections.
• Push Email Hybrid configuration — Push configuration settings that
enable your McAfee Email Gateway to operate as a hybrid
solution with the SaaS Email service.
Automatic Configuration push
Check this to automatically push configurations to other appliances
each time you apply configuration changes to this appliance.
Scheduled Configuration push
Specify how often you want this appliance to carry out a scheduled
configuration push. The options are:
• Never
• Hourly
• Daily
• Weekly
Cluster Management
Use this page to specify the cluster and load-balancing requirements for the McAfee Email Gateway
when acting as part of a cluster.
System | System Administration | Cluster Management
When configuring a group of appliances or a McAfee Email Gateway Blade Server the current master
uses a "least used" algorithm to assign connections to the appliances or blades configured to scan
traffic. The scanning appliance or blade that is currently showing the least number of connections, at
that moment in time, is assigned the next connection.
For a cluster of appliances:
382
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
System Administration
•
If you have only a master and a failover appliance, with both configured to scan traffic, the master
will send most connections to the failover appliance for scanning.
•
If you have scanning appliances, and scanning enabled on the master and failover, then the
scanning appliances will receive the most traffic to scan, then the failover, with the master
receiving the least. If you have more than three appliances in a cluster, McAfee recommends that
you do not enable scanning on the master appliance.
You cannot configure the master or the failover blades of the McAfee Email Gateway Blade Server to
scan traffic.
McAfee recommends that when using your appliance in a cluster environment, you use McAfee
Quarantine Manager to quarantine Email messages.
Benefits of configuring Cluster Management
This information describes the benefits of configuring Cluster Management.
By configuring Cluster Management, you enable a group of McAfee Email Gateway appliances, or the
individual blades within a McAfee Email Gateway Blade Server to function as a single scanning system.
Additionally, by setting the cluster features, you are also providing redundancy in the event of
hardware failure; by configuring a master and a failover master appliance, and also by having several
scanning appliances (or blades) your email traffic can still be scanned in the event of a single
appliance or blade failing.
Option definitions - Cluster Management
This information describes the options available in this section. The content of this page can vary.
Depending on the chosen cluster mode, some of the options are not available.
Option definitions — Cluster Mode
Option
Definition
Cluster mode
Specifies the clustering mode of the appliance:
• Off — This is a standard appliance.
• Cluster Scanner — The appliance receives its scanning workload from a master
appliance.
• Cluster Master — The appliance controls the scanning workload for several other
appliances.
• Cluster Failover — If the master fails, this appliance controls the scanning workload
instead.
For a McAfee® Email Gateway Blade Server, this specifies the type of blade as follows:
• Cluster Master — The master management blade controls the scanning workload for
several scanning blades.
• Cluster Failover — If the master management blade fails, this failover management
blade controls the scanning workload instead.
DHCP address
range (Content
Security
Blade Servers
only)
The management blade is responsible for issuing IP addresses to any attached
scanning blades via DHCP (Dynamic Host Configuration Protocol).
Specify the range of address that will be issued to scanning blades. The DHCP range
is limited to a single subnet. The permissible range for the starting address is 1 - 253
while that for the ending address is 2 - 254.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
383
5
Overview of System menu
System Administration
Option definitions — Cluster Configuration
Option
Definition
Cluster identifier
If you have more than one McAfee® Email Gateway cluster or McAfee® Email
Gateway Blade Server on the same subnet, assign each a different Cluster
identifier to ensure the clusters do not conflict.
The allowable range is 0-255.
Address to use for load
balancing
Specify the IP address used for load balancing within the cluster.
Enable scanning on this
appliance (Not
applicable on
Content Security
Blade Servers)
If not selected, this appliance distributes all scanning workload to the scanning
appliances.
Configure New
Management Device
(Content Security
Blade Server only)
Clicking this button allows you to configure another blade as a management
blade.
For a cluster of appliances, if you have only a master and a failover appliance,
with both configured to scan traffic, the master will send most connections to
the failover appliance for scanning.
The available options are:
• Configure next device — the next blade that is PXE booted will be imaged as a
management blade.
• A device with the following MAC address — when the blade with the MAC address you
specify is PXE booted, it will be imaged as a management blade.
Once the chosen blade is imaged as a management blade, this option is reset.
Option definitions — Advanced scanning device settings
Use this area for fine-grained control of attached scanning devices. You can also configure the devices
to share hard disk space for the storage of Secure Web Mail Messages. Devices in a cluster are
identified by their MAC (Media Access Control) addresses. When you add a MAC address to the table
you may opt to disable it, meaning that scanning requests will not be sent to the device, and share
hard disk space.
Option
Definition
MAC Address
Specifies the device's Media Access Control (MAC) address as 12 hexadecimal
digits in the format: A1:B2:C3:D4:E5:F6.
Disabled
Select to remove this device from the pool of scanning devices.
Encryption Storage
If the scanning device is in a ready state, you can choose to include the device in
the Encryption Storage pool.
Add MAC Address
Click to add the MAC address of a new device.
Manage MAC Addresses Opens the MAC Addresses dialog box that enables you to manage the list of
available MAC addresses.
Although you can add the MAC addresses of management and failover devices to this table, they always
contribute hard disk space for Secure Web Mail messages and cannot be disabled.
Network Interfaces Wizard — Cluster Management
Use the Network Interfaces Wizard to specify the IP addresses and adapter settings for setting up
clusters of appliances.
System | System Administration | Cluster Management | Network Interfaces Wizard
384
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
System Administration
This wizard steps you through the process to configure the network interfaces when configuring your
appliance as part of a cluster.
The options that are displayed as you progress through the wizard depend on the operating mode and
other selections that you make. This means that you may not see all the controls and fields detailed in
this topic.
Table 5-11 Operating Mode — Option definitions
Option
Definition
Select operating mode Select the mode of operation for the cluster of appliances, or for your McAfee
Content Security Blade Server.
When configuring a cluster in either explicit proxy mode or transparent router mode, you need to
configure a virtual IP address that is on the same subnet as both the real IP addresses for the master
and the failover appliances. This ensures that traffic is directed to whichever appliance is currently
acting as the master appliance.
Network Interface 1 or Network Interface 2
Network Interface 2 is not shown if you select explicit proxy as your operating mode.
Table 5-12 Option definitions
Option
Definition
IP Address
Specifies network addresses to enable the appliance to communicate with your
network. You can specify multiple IP addresses for the appliance’s network ports. The
IP address at the top of a list is the primary address. Any IP addresses below it are
aliases.
You must have at least one IP address in both Network Interface 1 and Network
Interface 2. However, you can deselect the Enabled option next to any IP addresses that
you do not wish to listen on.
Network Mask
Specifies the network mask. In IPv4, you can use a format such as 255.255.255.0,
or CIDR notation, such as 24. In IPv6, you must use the prefix length, for example,
64.
Enabled
When selected, the appliance accepts connections on the IP address.
Virtual
When selected, the appliance treats this IP address as a virtual address. This option
only appears in cluster configurations, or on a McAfee Content Security Blade Server.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
385
5
Overview of System menu
System Administration
Table 5-12 Option definitions (continued)
Option
Definition
New Address/
Delete Selected
Address
Add a new address, or remove a selected IP address.
NIC 1 Adapter
Options or NIC 2
Adapter Options
Expand to set the following options:
• MTU size — specifies the Maximum Transmission Unit (MTU) size. The MTU is the
maximum size (expressed in bytes) of a single unit of data (for example, an
Ethernet Frame) that can be sent over the connection. The default value is 1500
bytes.
• Autonegotiation state — either:
• On — allows the appliance to negotiate the speed and duplex state for
communicating with other network devices.
• Off — allows you to select the speed and duplex state.
• Connection speed — provides a range of speeds. Default value is 100MB.
• Duplex state — provides duplex states. Default value is Full duplex.
• Enable IPv6 auto-configuration — Select this option to allow the appliance automatically
configure its IPv6 addresses and IPv6 default next-hop router, by receiving Router
Advertisement messages sent from your IPv6 router.
This option is unavailable by default if your appliance is running in transparent router
mode, or is part of a cluster configuration, or running as part of a Blade Server
installation.
Option definitions — MAC Addresses
Add and remove multiple MAC addresses for other appliances within the cluster or blade server.
Option
Definition
Attached devices
The section contains a list of devices that are currently members of the cluster.
Each device is identified by its MAC address and hostname and you can check the
items that you want to be included in the MAC address table.
If you are setting up your cluster, this section will be empty.
Unknown devices
(not available
from within the
Setup Wizard)
The section contains a list of MAC addresses that are not currently in the cluster.
Only the MAC address is shown since the device is unrecognized.
If you are setting up your cluster all MAC addresses will appear in this section.
If the cluster has already been configured, a device may be unknown because the
appliance is currently unreachable over the network. You can check the items that
you want to be removed from the MAC address table.
386
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
System Administration
Option
Definition
Additional devices
The section offers a convenient way of adding the MAC addresses of devices that
you intend to add to the cluster at a future time.
You may enter any number of addresses separated by spaces.
You will not be able to configure the Encryption Storage option for these unless they are
the addresses of devices that are currently members of the cluster.
Lock DHCP server
to MAC addresses
(Content
Security Blade
Servers only)
Check this option to prevent the management blade from acknowledging DHCP
requests sent by arbitrary hosts on its network.
If selected, you should add the MAC addresses of all scanning blades that you
intend adding to your cluster to the MAC address table. Failing to do this will
prevent a scanning blade from acquiring the correct IP address.
Since the state of the cluster updates periodically, it is possible for a device to move from the unknown
section to the attached section (or vice versa) while you are working in this dialog. This may happen if a
device has just rebooted, for example.
Resilient Mode
Use this page of the user interface to enable resiliency mode on your blade server.
System | System Administration | Cluster Management | Resilient Mode
®
This page only applies to the McAfee Content Security Blade Server.
Benefits of setting up resilient mode
This information describes the benefits associated with setting up resilient mode.
In resilient mode, all connections between your network, the McAfee® Email Gateway Blade Server,
and also the connections within the blade server enclosure are made in such a way that multiple paths
are used.
These multiple pathways provide enhanced resiliency to the failure of any one component either within
the blade server, or of the network devices or cabling needed to route traffic between your network
and the blade server.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
387
5
Overview of System menu
System Administration
Option definitions — Resilient Mode
This information describes the options available on this page.
Option
Definition
Enable Resilient
Mode
Within this area, you can check the current status regarding resiliency of your blade
server.
You can also enable or disable resiliency mode.
Ensure that you have downloaded the chassis configuration files before enabling
resiliency mode.
After clicking Enable Resilient Mode or Disable Resilient Mode, and clicking OK on the
warning dialog box, your blade server will automatically be shut down,
allowing you to make the required cabling changes.
Configuration Files From the user interface, you can view or download the interconnect configuration
files for both resilient and non-resilient mode operation for all the interconnects.
To download all the configuration files, click interconnect_config.zip, as this file
contains all the other configuration files.
Configure Automatic Configuration Backups wizard
This information describes the Configure Automatic Configuration Backups wizard.
System | System Administration | Configuration Management | Automatic configuration backup
Benefits of the Configure Automatic Configuration Backups wizard
Use this information to understand the benefits of using automatic configuration backups, and of using
the wizard provided to configure them.
388
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
System Administration
Option definitions — Default remote backup settings
This information describes each option in this section.
Option
Definition
Transfer to FTP
Server
Selected by default:
• Server
• Proxy server
• Port
• Proxy port
• Directory
• Proxy username
• Username (default value is
anonymous)
• Proxy password
• Password (default value is
anonymous)
Transfer via SSH
Click to specify the settings to transfer the backup using SSH:
• Server
• Port
• Directory
• Username (default value is anonymous)
• Password Authentication/Password (default value is anonymous)
• Public Key Authentication/Public key (links to the public key)
If you use either FTP or SSH with password authentication, your passwords are stored in the appliance
configuration files, in plain text format. The most secure option is to use SSH with public key
authentication. To use this feature, you must click the link to generate a key file, which you must then
copy and paste into your authorized keys file so that the appliance can perform the backup.
Option definitions — Configure Updates (Time)
Use this page to schedule automatic configuration backups, and set up scheduled updates to the
detection definitin (DAT) files, anti-spam, and package updates.
System | Component Management | Update Status
System | System Administration | Configuration Management
System | Logging, Alerting and SNMP | System Log Settings
Introduction to Scheduled update settings
You can schedule updates for the following components:
•
Automatic configuration backups
•
Spam rules and anti-spam engine
•
System Log
•
Appliance software updates (HotFixes and
patches)
•
Anti-virus engine and database
McAfee recommends that you update all scanning components on a new appliance using the Update
Now feature, then use the Schedule feature for each component to create regular updates at a time
when traffic is low, such as during the night.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
389
5
Overview of System menu
System Administration
Option
Definition
Hourly to Weekly
Specifies the schedule. If you do not need this feature, select Never.
Next / Finish
Moves to the next page of the wizard , or closes it and applies the settings.
Option definitions — Test Configuration
This information describes the options available on this page of the wizard.
Option
Definition
Test
Checks that the backup configuration works, and provides the desired information.
Database Maintenance
Use this page to manage the number of events contained in the reporting database, and the number
of items identified using the Message Search feature, and to enable external devices to access
information about email events via SQL.
System | System Administration | Database Maintenance
The page has these sections:
•
Retention Limits
•
Event Options
•
External Access
•
Maintenance
Benefits of the database maintenance options
This information describes the benefits of the database maintenance options.
Over time, databases tend to increase in size, consuming available resources and becoming slower to
access to save information or to run reports. Regular maintenance of databases helps to avoid these
problems.
•
Retention Limits — The appliance uses information from this database to display the reports that you
can view from Reports on the navigation bar. Information about earlier events is removed
periodically.
Retention limits are dependent on the type of hardware and the size of the appliance hard disk
space. McAfee recommends that you do not change these values unless directed to do so by your
McAfee Support representative.
•
390
Event Options — You can choose the following options relating to information about events:
•
Insert events into the database. Doing this can provide useful information in reports, but will increase
the amount of data that is written to, or read from the database.
•
Insert only primary events into the database. Allow only the most important events data to be logged to
the database.
•
Pass on events to the logging channels. Select to allow data about events to be available to other
logging methods available from the appliance.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
System Administration
•
•
External Access — External access to a limited set of views in the reports database on an appliance
can be configured.
•
Enable off box sql access. Select to allow access to the appliance' database.
•
Enable external database access for this address range. Limit the systems that can access the external
database to machines within a specified IP address range.
•
Allow external database to user. Select the level of user that can configure external database access.
•
Set Reporting Password. Secure the access to the database.
Maintenance — When run, the maintenance tasks trim the contents of the reporting database and
items identified using the Message Search feature according to the settings in the Retention Limits
area.
McAfee recommends that you clean up the reporting database and message search items regularly
to prevent the database from becoming too large.
Option definitions — Retention Limits
Use this area to set the limits on the maximum time or number of reporting or message items
retained within the database.
Retention limits are dependent on the appliance model, the type of hardware and the amount of
appliance hard disk space. McAfee recommends that you do not change these values unless directed to
do so by your McAfee Support representative.
Option
Definition
Events
Items shown in the reporting database.
Please refer to the user interface for these retention limits.
Quarantined emails
Maximum number or length of time that messages can be held in the quarantine
database.
Please refer to the user interface for these retention limits.
Delivery status
(delivered, blocked,
bounced)
Maximum number or length of time that delivered, blocked or bounced
messages can be stored in the database for use by the Message Search feature.
Please refer to the user interface for these retention limits.
Option definitions — Event Options
Use this area to define the events that are stored in the database.
Option
Definition
Insert events into the
database
Select to add information about reporting events into the database. Be aware
that the database can fill quickly when reporting events are stored.
McAfee recommends that Content Security Blade Server users use the offbox
syslog feature for reporting events and deselect this option.
Insert only primary
Select to add information only about primary reporting events into the database,
events into the database such as virus detections.
A message that triggers both a virus and spam "hit" is logged twice in the
database. If you deselect this option, only the detection that caused the primary
action on the message is logged in the database.
Pass on events to the
logging channels
Select to allow events to be passed to the logging channels from logging and
alerting sources such as syslog, SNMP, and email detections.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
391
5
Overview of System menu
System Administration
Option definitions — External Access
Use this area to configure your appliance to allow limited access from an off box SQL client to view
information about email detections and configuration change events, stored available in three separate
views.
Option
Definition
Enable off box sql access
Select to allow an off box SQL client to access the appliance.
Allow external database access for
this address range
Define the address and subnet mask for the external hosts to which
you want to allow access.
Allow external database access to
user
Define the user that the external client uses to log into the appliance.
This is set to reporter by default.
Set Reporting Password
Define the password that the external database uses to log into the
appliance. This is set to reports by default.
Option definitions — Maintenance
Use this area to configure the frequency of database maintenance tasks, and to manually trigger these
tasks on the appliance.
Option
Definition
Maintenance schedule Select the frequency that the appliance carries out database maintenance tasks.
The default is every 30 minutes.
Reset Database
Enter the password and then click Reset Database to return the database to its default
state.
All information within the database will be lost.
Maintain Database
Click to manually start the database maintenance tasks ever X minutes. The
database checks for items in the reporting database or identified using the
Message Search feature have reached the retention limit that you set.
Task — View information about email detections from an off-box client
using Postgres' PSQL
Use this task to view information about email detections from an off-box client using Postgres' PSQL
interactive application.
Task
392
1
Open the command line on the computer from which you want to view the database.
2
Type psql -U <username> -d reports - h <host address> and press the Enter key.
3
Type the password for the user to whom you gave access.
4
Press the Enter key to see the list of report view that you have available. Choose from:
•
Email_details
•
Configuration_change_view.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
System Administration
Rescue Image
Use this section to force the McAfee Email Gateway to boot from a rescue image stored on a protected
partition on the hard disk. You can also manage your rescue images and create a bootable USB drive
containing the rescue image from here.
System | System Administration | Rescue Image
You can store a rescue image:
•
On a protected partition on the appliances' hard disk
•
On a USB drive:
•
attached to one of the external USB connectors on the appliance
•
mounted internally within the appliance — if you have fitted an optional internal USB drive to
your appliance. (Applies to appliances based on the Dell R610 hardware only.)
Creating a bootable rescue image on a USB drive will result in the loss of all files located on the USB
device.
To prevent tampering or accidental stopping, you must type the appliance password to operate these
features.
Benefits of using the internal rescue image features
Use this page to force the appliance to boot from a rescue image stored on a protected partition on
the hard disk. You can also manage your rescue images and create a bootable USB drive containing
the rescue image from here.
•
When managing your Email Gateway appliances, having the image for each appliance stored on a
protected partition on the hard disk or USB drive for each appliance enables you to remotely
reimage your appliances without needing to locate a CD containing the correct version of the
software.
•
The rescue image negates the requirement for remote access cards to be fitted to your appliance
(if you have suitable appliance models) in order for the appliances to be reimaged from a remote
location.
•
By creating a library of stored rescue images on your local network or on a local FTP or HTTP
server, you can use the rescue images to roll back your appliance to a previous .iso release of the
software, or to upgrade to a newer version. You do this by importing the required image to the
rescue partition on your appliance and then forcing your appliance to boot from the newly imported
rescue image using the Perform a full installation overwriting existing data option. To roll back, you need to
use the option 2 or 3 settings; to upgrade you need to use option 2, 3 or 4 settings.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
393
5
Overview of System menu
System Administration
Option definitions — Manage Internal Rescue Image
This information describes the options in this section.
Option
Definition
Rescue image details
Provides details of the rescue image currently stored within the rescue partition of
your appliance.
Force Boot from
Rescue Image
Provides options to reboot your appliance from a rescue image:
• Boot to menu
If you select Boot to menu, ensure that you are either local to the appliance, or
that you have access to the appliance using a DRAC card.
• Perform a full installation overwriting existing data
• Install software preserving configuration and email messages
• Install software preserving network configuration only
• Install software preserving configuration only
Import Image
Browse to a rescue image stored on your local drive, and copy this image onto
the rescue partition on your appliance.
Download Image from
Server
Browse to a rescue image stored on a local FTP or HTTP server, and copy this
image onto the rescue partition on your appliance.
Export Image
Save a rescue image to a file, or select a USB drive to create a bootable copy of
the rescue image on the USB drive.
Refresh USB Device
List
Click to refresh the USB devices shown in the drop down list on the left of this
option.
Burn Image to USB
Click to copy the rescue image onto a USB.
Task - Checking the current rescue image version
Use this task to verify the version of the currently stored rescue image.
When you install a new version of the software (from an .iso image) onto your appliance, the system
automatically loads this image to the rescue partition on the hard disk of the appliance.
Task
1
Click System | System Administration | Rescue Image.
2
Verify the version information displayed under Rescue image details, or from the About the Appliance
window.
Task — Updating the rescue image held on the appliances' hard disk from a local
network or drive
Use this task to update the rescue image on the appliance hard disk from a local drive.
The software allows you to overwrite the rescue partition with a new image, without re-installing the
software. You can import an image from a local network or drive.
Task
394
1
Click System | System Administration | Rescue Image.
2
Click Import Image.
3
Browse to the relevant file.
4
Click OK.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
System Administration
Task — Updating the rescue image held on the appliances' hard disk from a local
FTP or HTTP server
Use this ask to update the rescue image from a local FTP or HTTP server without re-installing the
software.
You can import an image from a local FTP or HTTP server.
Task
1
Click System | System Administration | Rescue Image.
2
Click Download Image from Server.
3
Specify the server settings, and if required, your proxy settings and passwords.
4
Click OK.
Your appliance saves these server and proxy settings.
Task — Installing from the rescue image on the appliances' hard disk
Use this task to install a rescue image on an appliance.
When you have verified that you have the correct version of the rescue image stored on the protected
partition of the appliances' hard disk, you can use this image to reimage your appliance
Task
1
Click System | System Administration | Rescue Image.
2
Click Force Boot from Rescue Image.
3
Select from:
•
Boot to menu
If you select Boot to menu, ensure that you are either local to the appliance, or that you have
access to the appliance using a DRAC card.
•
Perform a full installation overwriting existing data
•
Perform a full installation overwriting existing date but preserving network settings
If you select either of the full installation options, you will need to take further action to import
saved configurations, or to re-configure the appliance.
•
Install software preserving configuration and email messages
4
Enter the appliance password.
5
Click OK.
The appliance reboots, and uses the rescue image to reimage the appliance, using the installation
options you selected.
Task — Export a rescue image to a USB drive
Use this task to export a rescue image to a USB drive.
Before you begin
To use an external USB drive, it needs to be connected on one of the USB connectors on
the appliance.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
395
5
Overview of System menu
System Administration
To create an image on a USB drive, you can export the image to any suitable USB drive connected to
your appliance.
You cannot export a rescue image to a USB drive from the VMtrial version of the software.
If you have fitted an optional internal USB drive to your appliance, you can select this USB drive.
(Applies to appliances based on the Dell R610 hardware only.)
Task
1
Click System | System Administration | Rescue Image.
2
Click Refresh USB Device List.
3
Select the required USB device from the USB device drop-down list.
4
Click Burn Image to USB.
The rescue image is copied to the USB drive, overwriting any existing files, and creates a bootable
image.
Task — Installing from the rescue image on the appliance USB drive
Use this task to install from the rescue image on the appliance USB drive.
You can use the bootable rescue image stored on an external USB drive, or on an internal USB drive
(hardware dependant) to reimage your appliance.
Task
1
Click System | System Administration | Rescue Image.
2
Ensure that the USB drive with the correct version of the rescue image is attached to your
appliance.
3
Ensure that a monitor and keyboard are connected to the appliance.
4
Enter the appliance password into the text box next to Reboot Appliance in the System Commands section.
5
Click Reboot Appliance from the System Commands area.
6
As the appliance reboots, choose Boot Menu using the appliances' keyboard and monitor.
7
From the menu, select the USB drive to boot from.
The appliance reboots, and uses the rescue image found on the USB drive to reimage the appliance,
using the installation options you select in the standard license and console displayed on the monitor
connected to the appliance.
Task - Create a bootable USB drive rescue image without using the
appliance
Use this task to create a bootable rescue image on a USB drive without using your appliance.
Before you begin
You need a computer that has Internet access, your McAfee Grant Number for your Email
Gateway appliance, and third party software that enables you to create a bootable image
onto a USB drive.
396
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
System Administration
Task
1
Browse to the McAfee download site, and enter your Grant Number.
2
Download the .iso file for the version of the Email Gateway appliance software.
3
Create a bootable image on the USB drive from the downloaded file, using suitable system
commands or disk-imaging software.
System Commands
Use this page to safely turn off the appliance, reboot the appliance, or revert to factory default
settings.
System | System Administration | System Commands
To prevent tampering or accidental stopping, you must type the password to operate these features.
Benefits of using the system commands
This information describes the benefits to using the system commands features.
On occasion, you may need to shut down your appliance, perhaps due to work being carried out on
your power distribution system, or changes to your network topography. You may also need to reboot
the appliance, either as part of a software upgrade, or to restart all services.
Occasionally, you may want to clear all configured options from your appliance, and to revert to the
factory default settings.
Option definitions — System Commands
This information describes each option in this section.
Option
Definition
Shutdown Appliance
When clicked, turns off the power to the appliance or takes the appliance to
a state where you can safely turn off its power.
Reboot Appliance
When clicked, restarts the appliance.
Revert to Default Configuration When clicked, restores all the original out-of-the-box settings to the
appliance.
Task — Shutting down the appliance
Use this task to shut down the appliance.
Before you begin
Before shutting down the appliance, ensure that you have the relevant permissions and
network outage plans in place.
To prevent tampering or accidental stopping, you must type the password to operate this feature.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
397
5
Overview of System menu
System Administration
Task
1
Navigate to System | System Administration | System Commands.
2
Enter the system password next to the Shutdown Appliance button.
3
Click Shutdown Appliance.
The appliance commences its shut down process, and will switch off in a few minutes.
Task — Rebooting the appliance
Use this task to restart the appliance.
Before you begin
Before rebooting your appliance, ensure that you have the relevant permissions and
network outage plans in place.
To prevent tampering or accidental stopping, you must type the password to operate this feature.
Task
1
Navigate to System | System Administration | System Commands.
2
Enter the system password next to the Reboot Appliance button.
3
Click Reboot Appliance.
The appliance commences its shut down process, and reboots after about 5 minutes.
Task — Reverting to the default configuration
Use this task to reapply the default configuration to the appliance.
Before you begin
Before reverting to the factory default settings for your appliance, ensure that you have the
relevant permissions and network outage plans in place. We recommend that you create a
backup of your existing configuration before reverting to the factory settings.
To prevent tampering or accidental stopping, you must type the password to operate this feature.
Task
1
Navigate to System | System Administration | System Commands.
2
Enter the system password next to the Revert to Default Configuration button.
3
Click Revert to Default Configuration
The appliance warns you that your settings will be overwritten and that you will be logged off.
4
398
Click OK to revert your configuration.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Users
Users
The Users pages enable you to set up your users and roles, and perform session management tasks.
System | Users
From these pages you can configure the appliance to set up and administer your role-based user
accounts to perform tasks such as viewing or managing reports, and managing email and system
settings. Additionally, you can tell the appliance how you want to manage session timeouts, and
whether you want your users to see your company email usage policy as they log on. The email policy
notification text can be edited.
Contents
Users and Roles
Option definitions — New Role dialog box
Option definitions — Role Details dialog box
Password Management
Login Services
Add Login Services wizard
Session Management
DoD CAC Authentication
Option definitions — CAC Certificate Attribute Mapping
Option definitions — Custom Text dialog box
Option definitions — User Details
Users and Roles
This information describes the benefits and features of the Users and Roles options.
System | Users | Users and Roles
Benefits of the Users and Roles options
This information describes the benefits of creating roles that have specific access and management
rights associated with them.
Use this feature to create accounts for user who can access the appliance and assign each user
account specific rights. Creating specific user roles allows you to define standard sets of access rights
that can be assigned quickly and easily.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
399
5
Overview of System menu
Users
Option definitions — Users and Roles
This information describes the options available on this page.
Option
Definition
Role
The name of the role. By default, the appliances comes with the following roles already
created:
• Super Administrator has the ability to view and manage all aspects of the appliance's email
and system settings.
• Email Administrator has the ability to view and manage all email-related configuration and
reports settings.
• Reports Administrator has the ability to view and manage the reports settings.
Description Contains any optional description text you entered when you created the role.
Edit
Click to open the Role Details dialog box and view the role's specifications. The Role Details
dialog box is read-only and cannot be saved.
Delete
Remove the selected role from the list.
Add Role
Click to open the New Role dialog box.
Task - Control user access by role
Create a new user category for people who can only create and view reports on the appliance activity.
Task
1
Go to System | Users | Users and Roles.
2
Click Add User.
3
Type the Login ID name for this user.
4
Type the Full name for this user.
5
If required, add a description for this user.
6
From User role, select Reports Administrator.
7
From Account type, select Local user.
8
Enter a password for this user.
9
Confirm the password for this user.
10 Click OK.
The new user is created with the selected privileges.
400
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of System menu
Users
5
Option definitions — New Role dialog box
This information describes the options available on this dialog box.
Option
Definition
Role name /
Description
Type the name of the new role, and optionally add a description to help you identify
it in the User Roles list.
Privileges
Under the type of role that you want to create, select the privileges that you want to
associate with it — for example, to have the rights to view report results, or set the
data that the report contains.
The following role types are available:
• General
• Email Administration
• Dashboard
• System Administration
• Reporting and Queues
Option definitions — Role Details dialog box
This information describes the options available on this dialog box.
Option
Definition
Role name / Description
The name of the role you created.
Privileges
The access, management, and viewing rights associated with the role.
The information in this dialog box is based on the information you entered when you created the role. It
is read-only, and cannot be saved.
Password Management
The Password Management page defines the complexity and change control that you want to apply to
the passwords that can access the appliance.
System | Users | Password Management
The page has these sections:
•
Password Complexity
•
Password Change Control
Benefits of using complex passwords to access the appliance
Understand why correctly setting the end user password complexity, frequency of change and the
change process is important in maintaining the security of McAfee Email Gateway.
Using a suitable password ensures that the appliance cannot be accessed by people other than those
authorized to do so.
McAfee Email Gateway allows you to define a suitable end user password policy, which includes
specifying how complex you require the chosen passwords to be, how long each password is valid for
and the process required to update existing passwords. Rules for reuse and change frequency are only
enforced when you set passwords to expire. If you choose not to use this feature, default passwords
of eight characters can be specified.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
401
5
Overview of System menu
Users
A complex password is more secure than a very simple one, but is more likely to create a greater
volume of "forgotten password" reset requests from your end users. Therefore, you need to decide the
balance between complex passwords that are likely to generate lots of reset requests, and simpler
passwords that will require less maintenance.
When a user changes their password, an expiry date is always set even when password expiry is not
enabled.
This does not apply to resetting the password when the expiry date is set to 0 (zero). If the user
changes the password while completing the Setup Wizard, enabling password expiry will not cause the
password to expire.
If you set the reminder period to >0, the user starts to receive expiry reminders as the expiry date
approaches. A password change is enforced at the login screen when the expiry time is reached.
If you set the minimum period between changes to >0, the user has to wait that many days before
the password can be changed again so that it cannot be immediately changed to be the same
password that has been used for the past six months.
The appliance maintains a history of the past ten password for each user so any reuse policy can be
applied retroactively. When changing their password, a dialog box informs the user that complexity
constraints that are currently in force.
An administrator can still reset passwords for other users. The generated passwords will not
necessarily meet the exact complexity requirements. If password expiry is in force they will only be
good for one login.
Option definitions — Password Management
Set the minimum number of alpha, digit, and special characters you want to include in each password,
and how you want to manage password change control.
Password Complexity
Option
Definition
Minimum length
Select the minimum length that you will allow for end user passwords. Longer
passwords are more secure, but may result in more calls to your support address
as end users fine them more difficult to remember.
Minimum number of
ALPHA characters
Specify the minimum number of alphabetical characters to be used within the end
users passwords. To increase security, you can also Require a mixture of upper and
lowercase characters to be used.
Minimum number of
DIGIT characters
The more different types of characters that may be used within an end users
password, the more secure that password can be made. Forcing your end users to
use numbers within their passwords improves the security of the passwords.
Minimum number of
SPECIAL characters
The more different types of characters that may be used within an end users
password, the more secure that password can be made. Forcing your end users to
use special characters within their passwords improves the security of the
passwords.
Special characters are non-alphanumeric characters such as underscores (_),
hyphens (-) and other punctuation.
Minimum difference
from the previous
password
Specify how different a new password must be from the existing password. This is
based on the minimum number of characters that must change between the
passwords.
This option is case-sensitive, so changing the case of existing characters within the
password is seen as a difference.
402
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Users
Password Change Control
Option
Definition
Enable
password
expiry
Decide whether your end users will need to periodically renew their passwords. Specify
the required password expiry parameters:
• Password lifetime in days — The number of days for which a password is valid.
• Reminder period in days — The time during which the user is reminded about changing
their password.
• Number of recent passwords to disallow — Configure this to prevent your users re-using
passwords.
• Minimum interval between password changes in days — Specify any limits you want to place on
the frequency with which end users can change their passwords.
Login Services
Use the Login Services options to manage user authentication and authorization using either Kerberos or
RADIUS authentication servers.
System | Users | Login Services
The email gateway can integrate with any existing Kerberos or RADIUS authentication management
system.
Kerberos only provides password authentication which means that you will need to define users on the
gateway as well. The RADIUS service can be configured to handle user authorization as well as
password authentication. This means that the gateway can link various attributes to specific roles to
determine access privileges without having to define users on the email gateway.
Contents
Benefits of using the Login Services options
Option definitions — Login Services
Benefits of using the Login Services options
This information describes the benefits to using the Login Services options.
Login Services provides a single place for identity management on the email gateway using either
Kerberos or RADIUS authentication servers. For example, you can change information on the RADIUS
server such as passwords, without having to replicate the change on the gateway as well.
Option definitions — Login Services
This information describes the options available on this page. The information is populated by details
that you specify in the Add Login Service wizard.
Option
Definition
Service Name
The name for the service definition that you create in the Add Login Service wizard.
Service Type
Choose from either Kerberos authentication or RADIUS authentication.
Realm
An authentication realm, such as <companyname-corp>.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
403
5
Overview of System menu
Users
Option
Definition
Role Determination Shows how the user's privileges for managing the gateway are determined. This can
be done either by referencing locally defined users whose name matches the login
name, or for RADIUS, the gateway can examine the attributes in the Access-Accept
response to determine the role that the user assumes.
This contents of this field is determined by the option you choose on the Role Mappings
page of the Add Login Service wizard.
Default Role
If at login time, it is not possible to determine the role from other information
available, this is the role that an authenticated user will assume. The login will fail if
it is not possible to determine the user's role from data returned that is returned
from the authentication server, or from user information defined on the gateway.
Add Service
Starts the Add Login Service wizard. After you have created a service, you can edit its
details using the standard edit button.
Add Login Services wizard
The Add Login Services wizard allows you set up user authentication and authorization using either the
Kerberos or RADIUS authentication servers.
The Add Login Services wizard sets up the following details for your chosen authentication server, and
test that they work as you want them to:
•
The IP address of the authentication server
•
A backup server
•
The TCP port
•
A shared secret
•
The authentication realm, its notation, and delimiter
•
Role mappings
Contents
Option
Option
Option
Option
definitions
definitions
definitions
definitions
—
—
—
—
Basic Settings
Type-Specific Settings
Role Mappings
Test
Option definitions — Basic Settings
This information describes the options available on this page of the wizard.
Option
Definition
Service name
Define the name that you want to give the service.
Description (optional)
Optional field to add further information to identify the service.
Service type
Choose from RADIUS or Kerberos. After defining the service, you cannot change
this value.
Server address
The IP address or domain name of the authentication server.
Backup server (optional) For RADIUS only, the address of a server that can be used if the primary server
is unavailable.
Port
404
The TCP port used by the authentication server. This defaults to port 88 for
Kerberos, or to port 1812 for RADIUS.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Users
Option definitions — Type-Specific Settings
This information describes the options available on this page of the wizard.
Option
Definition
Shared secret
Set the key that will be used for encrypting data sent between the gateway and the
RADIUS server to prevent passwords, for example, from being sent by the RADIUS
server in clear text.
This field does not appear if you chose the Kerberos server type on the Basic Settings page.
The authentication realm - in RADIUS you can use it to partition your users database. If
you are linking to a Kerberos server, this field is mandatory because user names are not
globally unique.
Realm
This field is optional if you chose the RADIUS server type on the Basic Settings page.
Realm notation Choose from either Postfix (such as user@realm), or Prefix (such as realm\user).
This field does not appear if you chose the Kerberos server type.
Typically, this is an @ for postfix notation, or \ for prefix notation. The character that is
used to join the user name and the realm to form a fully qualified user name.
Realm
delimiter
This field does not appear if you chose the Kerberos server type.
Option definitions — Role Mappings
This information describes the options available on this page of the wizard.
Role mapping controls how a user privileges are determined during login. The Kerberos server type does
not support Role Mappings. To allow authentication against an external Kerberos server, either create
locally defined users, or select a default role.
Option
Definition
Use locally defined Select to have the gateway look for a user in its own database with the same name
user details...
as the login name to determine access privileges.
Use data returned
from the server...
Select to have the gateway use data returned by the authentication server to
determine access privileges. A RADIUS server returns name value pairs called
attributes. You can define RADIUS attribute to gateway role mappings.
RADIUS Attribute
For example, Service-Type.
Attribute Value
For example, Administrative-User.
You can use a regular expression to match multiple values.
Role
Includes any role that has been created in Users and Roles, as well as the default roles.
If an attribute with the specified name and value is found in the Access-Accept
response, the authenticated user is assigned that role.
Add Mapping
Opens the RADIUS Attribute Mapping dialog box where you can set a name and value for
the attribute, and select the type of user role that you want to associate with it.
Default role
If it is not possible to determine a user's role through other means (either a user
defined on the gateway, or by examining data from the authentication server), this
is the role that an authenticated user is assigned. You can select any defined role, or
None. If you select None and it is not possible to determine a user's role, login fails
even if authentication is successful.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
405
5
Overview of System menu
Users
Option definitions — Test
This information describes the options available on this page of the wizard.
Option Definition
Username A valid user who can access the authentication server.
Password The password associated with that username.
Status
The result of the last authentication test, either success or failure. If you have not yet
performed a test, the status shows as Unknown.
Output
The response from the authentication server in a readable format.
For RADIUS, some attributes are binary values and are shown using hexadecimal notation.
Test
Click to start the test authentication against the authentication server.
Finish
Click to exit the wizard. The details you entered are displayed on the Login Services page.
Session Management
This information describes the benefits and features of the Session Management options.
System | Users | Session Management
Benefits of the Session Management options
This information describes the benefits of using the Session Management options.
Session management provides the means to control the amount of time a user can remain logged on
to the appliance. This option prevents the user interface from remaining accessible inadvertently,
providing additional security.
Option definitions — Session Management
This information describes the options available on this page.
Option
Definition
Enable session managemnt
Choose whether to allow session management settings to apply to the
appliance. This option is selected by default.
Action to perform after
session timeout
Choose from:
• Prompt for password
• Log off
Timeout
Set the length of time, in minutes, before the appliance times out.
Display custom user
notification
Select to have the appliance display a notification to your users that details
your usage policy. Click Edit to open the Custom Text dialog box and view the
default notification message, or change it.
DoD CAC Authentication
Understand the benefits and features of the DoD CAC Authentication options.
System | Users | DoD CAC Authentication
406
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Users
Benefits of using DoD CAC Authentication
Understand the benefits of configuring DoD CAC Authentication.
The United States Department of Defense use Common Access Card (CAC) technology to access many
of its core IT systems. McAfee Email Gateway can be configured to use this method of authentication.
Once configured to use DoD CAC Authentication, your users will only be able to log onto the McAfee
Email Gateway after inserting their CAC into the reader, and then being authenticated against the
Department of Defense certificate authority.
Option definitions — DoD CAC Authentication
Understand the options relating to DoD CAC Authentication within the user interface.
Table 5-13 DoD CAC Authentication
Option
Definition
Enable DoD CAC authentication
Select to enable CAC authentication.
Once CAC authentication has been configured and applied, you will only
be able to log onto the McAfee Email Gateway user interface after
inserting your CAC into the reader, and being authenticated against the
DoD certificate authority.
Link to import CA
certificates
Click the link to move to Email | Certificate Management | Certificates, to view,
import or export a Department of Defense CA certificate.
Table 5-14 Role Mapping
Option
Definition
CAC Certificate Subject Field Shows the Distinguished Name (DN) component used to map a user to a
specific role.
Field Value
Shows the value used to identify the user.
Role
The role selected for the user.
Add Mapping
Click to open the CAC Certificate Attribute Mapping dialog box, to create a new role
mapping.
Default role
You can configure a default role if a role cannot be established when a user
logs into McAfee Email Gateway using DoD CAC Authentication.
Default value is None.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
407
5
Overview of System menu
Users
Option definitions — CAC Certificate Attribute Mapping
Configure your McAfee Email Gateway to automatically map a DoD CAC authenticated user to a
particular role.
Table 5-15 CAC Certificate Attribute Mapping dialog box
Option
Definition
CAC Certificate Subject DN
Component
To create the roll mapping, select the Distinguished Name (DN) component
to use as the identifier.
Options are:
• C
• O
• CN
• OU
• D
• S
• Email
• ST
• G
• T
• I
• UID
• L
Attribute Value
Enter the Attribute Value to be used to identify the user when mapping them
to a role.
Role
Select the required role.
By default, the options are:
• Email Administrator
• Reports Administrator
• Super Administrator
Option definitions — Custom Text dialog box
This information describes the options available on this dialog box.
Option
Definition
NOTICE TO USERS
Displays the system usage policy text that your users see when
they log on to the appliance.
Use this text as the banner text on the
appliance console
Deselect to edit the NOTICE TO USERS.
Reset
Click to return the text to the default.
Option definitions — User Details
Understand the options available when you are editing user details.
408
Option
Definition
Login ID
Edit the Login ID for this user.
Full name
Change the information displayed in the Full name field for this user.
Description (optional)
Provide or change the optional description field.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Virtual Hosting
Option
Definition
Primary role
Specify the Primary role . The options are:
• Super Administrator.
• Email Administrator.
• Reports Administrator.
Account type
Select the Account type. The options are:
• Local user.
• External user.
Reset password
Click the link to reset the password for this user to the default value.
After a short time, a message displays the new password for that user.
Virtual Hosting
The Virtual Hosting pages enable you to configure the virtual hosts and virtual networks that the
appliance needs to scan.
System | Virtual Hosting
From these pages, you can enable virtual hosting on the appliance, add a new virtual host, edit any
virtual networks.
Contents
Virtual Hosts
Virtual Networks
Option definitions - Edit Virtual Network
Add Virtual Host wizard
Option definitions — New Scanning Policy
Option definition - New Protocol Preset
Virtual Hosts
Use this page to add, edit, or delete virtual hosts and show available virtual hosts.
System | Virtual Hosting | Virtual Hosts
You can specify the addresses where the appliance receives or intercepts traffic on the Inbound
Address Pool. At least one IP address must be present.
These addresses must be unique. They must not be referenced in the Inbound addresses for any other
virtual host. However, they are allowed in the Outbound addresses of any other virtual host.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
409
5
Overview of System menu
Virtual Hosting
An overview of virtual hosting
This information describes the concept of virtual hosting.
Using virtual hosts, a single appliance can appear to behave like several appliances. Each virtual
appliance can manage traffic within specified pools of IP addresses, enabling the appliance to provide
scanning services to traffic from many customers.
This enables you to:
•
Separate each customer's traffic.
•
Create policies for each customer or host, which simplifies configuration and prevents clashes that
might occur in complex policies.
•
Provide reports for each customer or host in the appliance's Favorite reports feature (Reports |
Scheduled Reports | Favorite, which removes the need for complex filtering.
•
If any behavior places the appliance on a reputation black list, only a single virtual host is affected
— not the whole appliance.
There are two types of virtual host:
•
Transparent — This type of virtual host can only be created on an appliance configured for bridge
or router mode. A transparent virtual host intercepts traffic passing through the appliance destined
for an address in the range specified for the virtual host. To configure a transparent virtual host,
simply specify the IP address (or range) of the SMTP servers for which traffic should be
intercepted.
•
Proxy — This type of virtual host configures the appliance to listen for SMTP connections on the IP
address ranges specified for the virtual host. A proxy-mode virtual host can be configured to have
any number of addresses used for delivering mail from the appliance (Outbound address pool).
Configuring a proxy-mode virtual host is more complex, because the appliance needs to have some
knowledge of the routing to the networks for each of the IP addresses it intercepts.
Virtual hosts behave differently depending on whether the virtual host is running in proxy mode which
listens on the inbound addresses, while virtual hosts running in transparent mode intercept traffic
going to the IP addresses listed.
If you create outbound IP address pools on both the LAN1 and LAN2 NICs, the virtual host uses the IP
addresses on the appliance interface as determined by the routing table.
The following constraints apply when you create virtual hosts and virtual networks:
•
Virtual Host IP address ranges must not overlap
•
All Virtual Host IP address ranges must be contained within a Virtual Network
•
Virtual Networks must not overlap
Virtual networks
The concept of a virtual network is used to bind a subnet to a specific interface of the appliance. With
this knowledge the appliance knows to route traffic to or from that subnet via the appropriate network
interface.
Virtual network configuration is handled automatically by the Add Virtual Host wizard, which selects
(or suggests) the appropriate virtual network and populates the Network address field accordingly when
you specify an inbound or outbound address.
410
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Virtual Hosting
Option definitions — Virtual Hosts
This information describes the options available on this page.
Option
Definition
Enable virtual hosting
on this appliance
Click to allow your appliance to have virtual hosting configured.
Name
Displays the name of the virtual host. The name must be unique, and is used in
other locations on the appliance user interface, such as:
• Email Configuration
• Email Policies
• Message Search
• Reports
The icons indicate the type of host:
— Physical host
— Virtual host
The policy name must be unique across all virtual hosts.
Host Name
Displays the host name of the virtual host.
Domain name
Displays the domain name of the virtual host.
Inbound/Intercept
Address Pool
Displays the number of addresses available. The range is shown as a tooltip.
Outbound Address
Pool
Displays the number of addresses available. The range is shown as a tooltip.
Add
When clicked, opens a wizard where you can type the details of a new virtual
host.
This option is available to virtual hosts running in proxy mode. The addresses are
used in a round robin fashion.
Task — Creating a new virtual host
Use this task to create a new virtual host.
Before you begin
Before creating a new virtual host, ensure that you have the relevant information (Host
name, Domain name, IP address ranges) needed to correctly configure the virtual host
available.
Task
1
Go to System | Virtual Hosting | Virtual Hosts.
2
Ensure that Enable virtual hosting on this appliance is checked.
3
Click Add. The Add Virtual Host dialog box appears.
4
Type a Virtual host name.
5
Type a Description for this virtual host. This step is optional, but enables you to quickly identify
further information about this virtual host.
6
Type the Host name.
7
Type the Domain name. This is in the format example.com.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
411
5
Overview of System menu
Virtual Hosting
8
Click Next.
9
Click Add to specify addresses in the Inbound/Intercept Address Pool.
a
Specify the Address range, Network address and Network interface for the Inbound/Intercept Address Pool.
b
Click OK.
c
Click Next.
10 Click Add to specify addresses in the Outbound Address Pool. This step is optional.
a
Specify the Address range, Network address and Network interface for the Outbound Address Pool.
b
Click OK.
11 Click Finish.
Task — Creating a new virtual policy
Use this task to create a new virtual policy.
Virtual policies can be used as a template policy for similar kinds of virtual hosts.
Task
1
Go to System | Virtual Hosting | Virtual Hosts.
2
Ensure that Enable virtual hosting on this appliance is checked.
3
Apply the changes to the appliance.
4
Go to Email | Email policies | Scanning policies.
5
Click Add policies, and type a policy name.
The same policy name cannot be used across virtual hosts.
6
Select the Virtual policy type.
7
Go to System | Virtual Hosting | Virtual Hosts.
8
In Base scanning policy, select the Virtual policy in a new virtual host, or an existing one.
Virtual Networks
Use this page to specify virtual networks.
System | Virtual Hosting | Virtual Networks
Benefits of configuring virtual networks
This information describes the benefits of managing virtual networks, such as deleting virtual networks
that you no longer need.
Virtual networks permit you to subdivide email traffic by allowing a single network to appear as
multiple networks. Virtual hosts assigned to these virtual networks make creating and applying
policies to specific groups much easier.
412
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Virtual Hosting
Option definitions - Virtual Networks
This information describes the options available on this page.
Option
Definition
Network address
Displays a virtual network address such as 192.168.254.0 /24.
Network interface
Displays the network interface for that virtual network address — Bridge, LAN1
or LAN2.
When clicked, opens the Edit Virtual Network dialog box.
Edit
Delete
When clicked, deletes the network in that row. You cannot delete networks that
are in use.
Add
When clicked, opens the Edit Virtual Network dialog box.
Delete Unused Networks Removes unused networks from the list.
Option definitions - Edit Virtual Network
This information describes the options available on this dialog box.
Option
Definition
Network address Enter the required IP address and range for the virtual network, such as
192.168.254.0/24.
Network interface Select the network interface to associate with the virtual network.
Add Virtual Host wizard
Use this wizard to set up a virtual host.
System | Virtual Hosting | Virtual Hosts | Add Virtual Host
Option definitions — Basic Host Settings page
This information describes the options available on this page.
Option
Definition
Virtual host name Specify a unique name and description of the virtual host that is used by other
and Description locations on the appliance user interface, such as:
• Email Configuration
• Email Policies
• Message Search
• Reports
(
— Icon for virtual appliance.)
Host name
This value is used with the domain name to generate the SMTP greeting banner. If
the domain name is a Fully Qualified Domain Name (FQDN), the host name does not
appear in the SMTP greeting banner.
Domain name
The domain name has the form domain.dom and must be unique across all virtual
hosts. If the domain name is a Fully Qualified Domain Name (FQDN), the host name
does not appear in the SMTP greeting banner.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
413
5
Overview of System menu
Virtual Hosting
Option
Mode
Definition
This option is only available when the appliance runs in a transparent mode.
There are two types of Virtual Host:
• Transparent — This type of virtual host can only be created on an appliance
configured for bridge or router mode. A transparent virtual host intercepts traffic
passing through the appliance destined for an address in the range specified for the
virtual host. To configure a transparent virtual host, simply specify the IP address
(or range) of the SMTP servers for which traffic should be intercepted.
• Proxy — This type of virtual host configures the appliance to listen for SMTP
connections on the IP address ranges specified for the virtual host. A proxy-mode
virtual host can be configured to have any number of addresses used for delivering
mail from the appliance (Outbound address pool). Configuring a proxy-mode virtual
host is more complex, because the appliance needs to have some knowledge of the
routing to the networks for each of the IP addresses it intercepts.
Base scanning
policy
Offers a choice of policies from the physical host, or allows you to specify a new
policy.
To view all the policies at any time, select Email | Email Policies | Scanning Policies on the
navigation bar.
Base protocol
preset
Offers a choice of presets from the physical host, or allows you to specify a new
preset. Presets are the connection-based policies.
Base McAfee
Secure Web Mail
policy
Offers a choice of policies from McAfee Secure Web Mail, or allows you to specify a
new policy.
Email relaying
Configures the virtual host domain as a local relay domain.
Enable logical
virtual hosting
Logical virtual hosting allows you to configure virtual hosts on different appliances
with the same policies, but with different network configuration.
When you push a configuration to another appliance within the same cluster:
• If a virtual host with the same logical identifier has not yet been defined, an empty
virtual host entry will be created.
• If a virtual host with the same logical identifier has been defined, then the IP
addresses for the virtual host are preserved.
A logical identifier can be a combination of characters and numbers.
414
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Virtual Hosting
Option definitions — Inbound / Intercept Address Pool
This information describes the options available on this page.
Option
Definition
Address
range
Displays the address range for this virtual host. At least one IP address must be specified.
Add
Click Add to display the Edit IP Address Range dialog box. This enables you to define the
inbound IP address pool for the virtual host. These are the addresses that the appliance
intercepts traffic on.
• Address range — You must specify at least one inbound IP address.
These addresses must be unique, and cannot be used as the inbound addresses for any
other physical or virtual host. The addresses, can, however, be used as outbound
addresses for other virtual hosts.
The range of addresses can be specified in formats such as:
• 192.168.254.1 — a single IP address
• 192.168.254.1-254 — a range of IP addresses from 192.168.254.1 to
192.168.254.254
• 192.168.254.1+9 — a range of IP addresses from 192.168.254.1 to 192.168.254.10
• 192.168.254.0/24 — all host IP addresses in the /24 subnet
The IP addresses are created on the network driver, so you cannot ping or see the IP
address by running the ip addr show commands.
• Network address — Specify the subnet for the address range. The appliance auto-fills this
field, based on the information you enter in Address range. Check that this is appropriate
for your infrastructure, and edit the value if necessary.
• Network interface — Select the interface on which you need to create the IP addresses.
Choose from the available network interfaces.
You cannot ping the IP address externally, or see the address by running the ip addr
show commands. To test that the virtual host is listening on the expected address, telnet
to the configured SMTP port.
Option definitions — Outbound Address Pool page
This information describes the options available on this page.
The outbound address pool feature enables the appliance to deliver mail for a specific Virtual Host (or
the Physical Host) from a range of IP addresses. The IP address selected for the outbound is chosen
using a round-robin.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
415
5
Overview of System menu
Virtual Hosting
Definition
Outbound
address pool
Option
Address range
Displays the address range for this virtual host. At least one IP address must be
specified.
Add
Click Add to display the Edit IP Address Range dialog box. This enables you to define the
outbound IP address pool for the virtual host. These are the addresses on which the
appliance will deliver scanned email.
If you do not specify any outbound IP addresses, the appliance will use the physical
host IP address.
The addresses are used in a round-robin fashion.
The addresses can be used as outbound addresses for other virtual hosts.
• Address range
The range of addresses can be specified in the following formats:
• 192.168.254.1 — a single IP address
• 192.168.254.1-254 — a range of IP addresses from 192.168.254.1 to
192.168.254.254
• 192.168.254.1+9 — a range of IP addresses from 192.168.254.1 to
192.168.254.10
• 192.168.254.0/24 — all host IP addresses in the /24 subnet
The IP addresses are created on the network driver, so you cannot ping or see the
IP address by running the ip addr show commands.
Host name (for
SMTP HELO)
Specifies the name that appears in the SMTP HELO greetings, using one of the
following options:
• Resolve at runtime — This option can impact performance
• Use an IP address literal — The IP address of a host used in place of its domain name.
To indicate that it is an address literal, it is in [square] brackets. Fr example,
[192.168.254.3]. Literal IP addresses are used because no DNS lookup needs to be
done, so it is always ‘correct’.
n
• Use the following value — Click Look Up to resolve the IP address to a name
Network address
Specify the subnet for the address range. The appliance auto-fills this field, based on
the information you enter in Address range. Check that this is appropriate for your
infrastructure, and edit the value if necessary.
Network interface
Select the interface on which you need to create the IP addresses. Choose from the
available network interfaces.
You cannot ping the IP address externally, or see the address by running the ip addr
show commands. To test that the virtual host is listening on the expected address,
telnet to the configured SMTP port.
416
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Virtual Hosting
Option definitions — New Scanning Policy
Use this dialog box to create a new virtual host policy.
Option
Definition
Policy name
Type a name for the virtual host policy
Description
Optionally type a description for the policy to help you identify it.
Inherit settings from
Select the policy from which you want to inherit settings.
Email direction
Apply the policy to either inbound or outbound messages.
Option definition - New Protocol Preset
Use this dialog box to create a protocol preset to apply to a policy.
Some of these options may not be available in all instances of creating a new protocol preset.
Option
Definition
Policy name
Type a name for the virtual host policy
Description
Optionally type a description for the policy to help you identify it.
Inherit settings
from
Select the protocol preset from which you want to inherit the settings, that is, any
settings that are not overridden by this protocol preset will be taken from the
protocol preset specified here.
Policy type
Select either:
• Physical — A standard policy that has rules available. A physical policy can be
triggered when its rules are matched and can also be used for inheritance.
• Virtual — A virtual policy can be considered to be a collection of settings available
for the purposes of inheritance. A virtual policy can never be triggered.
This option is only available when you create a protocol preset from Email | Email
Configuration when virtual hosting has been enabled on the appliance.
Match logic
Select either:
• Match one or more of the following rules — this policy triggers if any of the specified rules
are matched.
• Match all of the following rules — this policy triggers if all of the specified rules are
matched.
This option is only available when you create a protocol preset from Email | Email
Configuration.
Rule type /
Move / Edit
Lists the rules associated with the preset, and allows you to move or edit them as
appropriate.
This option is only available when you create a protocol preset from Email | Email
Configuration.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
417
5
Overview of System menu
Logging, Alerting and SNMP
Option
Definition
Add Rule
Click to specify the type of rule that you want to apply to the preset, and set its
Match and Value.
This option is only available when you create a protocol preset from Email | Email
Configuration.
Add network
group
Click to create a network group to associate with the preset.
This option is only available when you create a protocol preset from Email | Email
Configuration.
Logging, Alerting and SNMP
The Logging, Alerting and SNMP pages help you configure the options within the appliance to log
information, and provide alerts.
System | Logging, Alerting and SNMP
You can configure the appliance to send emails containing information about viruses and other
detected threats, and to use SNMP to transfer information from your appliance.
Contents
Email Alerting
SNMP Alert Settings
SNMP Monitor Settings
System Log Settings
Logging Configuration
Logging Configuration — Override events dialog boxes
Configure System Log Archive wizard
Email Alerting
Use this page to decide who receives an email message when events such as a virus detection occur.
System | Logging, Alerting and SNMP | Email Alerting
See Alert tokens for Email alert messages on page 419 for information on the usage of each
substitution variable.
Benefits of the Email Alerting features
Email alerting is a mechanism by which you can ensure that designated individuals are notified when
specific events occur.
This is particularly helpful when any event warrants immediate attention.
418
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Logging, Alerting and SNMP
Option definitions - Email Alerting
This information describes the options available on this page.
Option
Definition
Anti-virus events to When selected, sends email messages when this type of event occurs. To change
Aggregated data
the message, click Edit to open an email alert window.
events
Specifies the sender name and sender email address that appears in the From field
of the email message. This does not have to be a real email address. Default value
is MEG.
Alert Settings
Subject — Specifies the subject line of the email message. Default value is MEG Alert.
Recipients — Click Add to specify the email addresses of recipients who receive the
alerts. We recommend that you choose people who often read their email and can
respond quickly to these alerts.
Alert tokens for Email alert messages
You can customize alert messages with alert tokens. For example, the message: Virus detected at
%LOCALTIME% might become: Virus detected at 10:31.
System | Logging, Alerting and SNMP | Email Alerting
Alert tokens (also known as replacement tokens or substitution variables) allow you to create
meaningful email alert messages for your users.
The following tables list the available alert tokens for different circumstances.
These tables contain:
•
The alert token — names begin and end with the % character.
•
Description — type of information that replaces the substitution variable.
The following tables provide information on:
•
Alert tokens for Scanner alerts — information about the actions that have been triggered on your
McAfee Email Gateway. For example, these tokens can be used to provide information about why a
message triggered an action or what action was taken.
•
Alert tokens for Email notifications — information that is often used in the notifications that are
sent to your users.
•
Alert tokens for Quarantine digest messages — when you configure Quarantine digest messages
you can select tokens to provide information to your users about the messages being quarantined.
•
Alert tokens for Email alerts (Logging and Alerting) — these tokens are useful when configuring
your logging and alerting messages.
Table 5-16
Alert tokens for Scanner alerts
Token name
Description
%ACTIONNAME%:
The action being taken (AV)
%ACTIVECONTENT%:
The list of active content found in the item (HTML)
%ATTACHMENTCONTEXT%:
A detailed description of the sub contexts that triggered (only
different from %ATTACHMENTNAME% when have multiple
condition rules) (Compliance)
%ATTACHMENTNAME%:
Name of the item being scanned
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
419
5
Overview of System menu
Logging, Alerting and SNMP
Table 5-16
420
Alert tokens for Scanner alerts (continued)
Token name
Description
%AVDATVERSION%:
The DAT version used by the anti-virus engine (AV)
%AVENGINENAME%:
The name of the anti-virus engine (AV)
%AVENGINEVERSION%:
The version of the anti-virus engine (AV)
%BLOCKED_URL%:
The URL that has been requested and blocked by the URL
filtering engine. (URL)
%CONTENTREPORT%:
A detailed report of the rule(s) triggered; including the
term(s), matching text and contextual text (Compliance)
%CORRUPTIONTYPE%:
The type of corruption that has occurred (Corrupt Content)
%DESTINATIONHOST%:
Destination Hostname
%DESTINATIONIP%:
Destination IP address
%DETECTIONS%:
List of detections in the item
%DICTIONARYGROUP%:
The name(s) of the content scanning rule(s) that triggered
(Compliance)
%DLP_FINGERPRINTSOURCE%:
Protected Document Name (DLP)
%DLP_REPORT%:
A detailed report of the rule(s) triggered; including the name,
category, size and digest of the protected documents (DLP)
%DLP_RULE%:
Name of triggered DLP rule (DLP)
%DOSLIMIT%:
The DoS limit value that has been exceeded (DOS)
%FILTERCONTEXT%:
The name(s) of the rule(s) that triggered (Compliance)
%FILTERNAME%:
The name of the file filtering rule that has triggered (File
Filtering)
%FILTERNAME%:
The name(s) of the top level rule(s)/group(s) that triggered (as
per policy statement) (Compliance)
%FORMAT%:
Description of the type of blocked message format. (Mail
Filtering)
%ID%:
Email Gateway unique message ID (SMTP)
%LOCALTIME%:
Local time
%POLICY%:
Policy which triggered the event
%POLICY_ID%:
Policy identity which triggered the event
%PROTOCOL%:
Protocol
%REASON%:
Description of the DoS limit that has been exceeded. E.g. max
nesting depth, file size or AV scanner timeout (DOS)
%RECIPIENTS%:
Envelope Email recipient list. Available in SMTP (SMTP)
%SENDER%:
Envelope Email Sender. Available in SMTP (SMTP)
%SITEADVISOR%:
The SiteAdvisor web reputation of the requested URL. (URL)
%SIZE%:
Size of data
%SOURCEHOST%:
Source host name
%SOURCEIP%:
Source IP address
%SUBJECT%:
Email Subject. Available in SMTP (SMTP)
%TOTALSCORE%:
Total accumulated score for the stream (Compliance)
%URL_CATEGORY%:
The filtered category that has matched the requested URL.
(URL)
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Logging, Alerting and SNMP
Table 5-16
Alert tokens for Scanner alerts (continued)
Token name
Description
%URL_REQUEST_DISPLAY_NAME%: Contact name for queries regarding URL alerts (URL)
%URL_REQUEST_EMAIL_ADDR%:
Contact email address for queries regarding URL alerts (URL)
%UTCTIME%:
UTC time
%WEB_REPUTATION_INFO%:
The SiteAdvisor web reputation of the requested URL. (URL)
%WEBSHIELDIP%:
McAfee Email Gateway IP address
%WEBSHIELDNAME%:
McAfee Email Gateway appliance name
%WEBSHIELDVIRTUALIP%:
Virtual IP address
Table 5-17 Alert tokens for Email notifications
Token name
Description
%ATTACHMENTNAME%:
Name of the item being scanned
%AVDATVERSION%:
The DAT version used by the anti-virus engine
%AVENGINENAME%:
The name of the anti-virus engine
%AVENGINEVERSION%:
The version of the anti-virus engine
%DESTINATIONHOST%:
Destination Hostname
%DESTINATIONIP%:
Destination IP address
%DETECTIONS%:
List of detections in the item
%ID%:
McAfee Email Gateway unique message ID
%LOCALTIME%:
Local time
%POLICY%:
Policy which triggered the event
%POLICY_ID%:
Policy identity which triggered the event
%PROTOCOL%:
Protocol
%RECIPIENTS%:
Envelope Email recipient list. Available in SMTP
%SCANNER%:
Scanner name(s)
%SENDER%:
Envelope Email Sender. Available in SMTP
%SIZE%:
Size of data
%SOURCEHOST%:
Source host name
%SOURCEIP%:
Source IP address
%SPAMENGINEVERSION%:
Spam Engine Version. Available in SMTP
%SPAMSCORE%:
Spam Score. Available in SMTP
%SUBJECT%:
Email Subject. Available in SMTP
%UTCTIME%:
UTC time
%WEBSHIELDIP%:
McAfee Email Gateway IP address
%WEBSHIELDNAME%:
McAfee Email Gateway appliance name
%WEBSHIELDVIRTUALIP%:
Virtual IP address
Table 5-18 Alert tokens for Quarantine digest messages
Token name
Description
Message body:
%SPAM_LIST%:
A list of email messages quarantined as spam since last digest
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
421
5
Overview of System menu
Logging, Alerting and SNMP
Table 5-18 Alert tokens for Quarantine digest messages (continued)
Token name
Description
%FULL_SPAM_LIST%:
A full list of email messages quarantined as spam
%CONTENT_LIST%:
A list of email messages quarantined because of content violations since
the last digest
%FULL_CONTENT_LIST%: A full list of email messages quarantined because of content violations
%WHITE_LIST%:
A list of email addresses in the whitelist
%BLACK_LIST%:
A list of email addresses in the blacklist
%SENDER%:
The email address of the digest sender
%RECIPIENT%:
The email address of the recipient
%EXP_DELAY%:
The user expiration delay in days
%MAX_EXP_DELAY%:
The maximum expiration delay in days
%PRODUCT_NAME%:
The product name of the appliance that generated the digest
%POST_MASTER%:
The email address of the postmaster
%DIGEST_DATE%:
The date on which the digest was generated
%ADD_WHITE_LIST%:
An HTML form for adding email addresses to the whitelist (interactive
HTML)
%ADD_BLACK_LIST%:
An HTML form for adding email addresses to the blacklist (interactive
HTML)
%SET_EXP_DELAY%:
An HTML form for setting the expiration delay (interactive HTML)
Responses:
%REQUEST_RESULTS%:
An HTML table displaying the results of the actions performed
Error response:
%ERR_TEXT%:
Text describing the error
Table 5-19 Alert tokens for Email alerts (Logging and Alerting)
Token name
Description
Anti-Virus:
422
%PRODUCT%:
The product name
%EVENT%:
The name of the event
%REASON%:
The reason for the event
%SOURCEIP%:
Source IP address
%SOURCEHOST%:
Source host name
%DESTINATIONIP%:
Destination IP address
%DESTINATIONHOST%:
Destination host name
%SERVERUSERNAME%:
The login name of the user (POP3)
%LOCALTIME%:
Local time
%UTCTIME%:
UTC time
%WEBSHIELDNAME%:
McAfee Email Gateway appliance name
%WEBSHIELDIP%:
McAfee Email Gateway IP address
%APPLICATION%:
The name of the process that generated the event
%SENDER%:
Envelope Email Sender (SMTP)
%RECIPIENTS%:
Envelope Email recipient list (SMTP)
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Logging, Alerting and SNMP
Table 5-19 Alert tokens for Email alerts (Logging and Alerting) (continued)
Token name
Description
%DETECTIONS%:
List of detections in the item
%POLICY%:
The name of the policy that triggered the event
%POLICY_ID%:
The ID of the policy that triggered the event
%SUBJECT%:
Email Subject (SMTP)
%SIZE%:
Size of data
%LDAP_ADDRESS%
The address queried from LDAP
%LDAP_SYNC_ERROR%
A synchronization error occurred
%LDAP_SYNC_ERROR_TEXT%
The text for the synchronization error
%LDAP_SYNC_SERVER%
The name server that encountered the synchronization error
%AVDATVERSION%:
The DAT version used by the anti-virus engine (AV)
%AVENGINEVERSION%:
The version of the anti-virus engine (AV)
%ATTACHMENTNAME%:
Name of the item being scanned (AV, DLP)
%IASCORE%
The score assigned to an image by Image Analysis scanning
%IATHRESHOLD%
The score that triggers an Image Analysis detection
%DLP_RULE%:
The DLP rule that triggered
%DLP_CATEGORY%
The registered document categories that triggered
%DLP_FILEDIGEST%
Checksum for the trained document that resulted in the DLP
detection
%DLP_FILESIZE%
Size of the trained document
%DLP_FINGERPRINTDATE%
Date when the trained document was fingerprinted
%DLP_FINGERPRINTSOURCE%:
The registered document name
%DLP_REPORT%:
Detailed report containing the document name, the category
name, the size and the digest as per the registered documents
%LB_APPLIANCE_IP_ADDRESS%
IP address of the scanning appliance
%LB_APPLIANCE_IP_NAME%
Domain name of the scanning appliance
%LB_APPLIANCE_MAC_ADDRESS%
MAC address of the scanning appliance
%FILESYSTEM%:
The name of the filesystem on the appliance (system events)
%FILTERCONTEXT%:
The name or names of the rules that triggered (compliance)
%SPAMSCORE%:
Spam score (AS)
%SPAMRULESBROKEN%:
The name or names of the spam rules that triggered the
detection (AS)
%SPAMTHRESHOLD%:
Spam reporting threshold (AS)
Aggregated data:
%PRODUCT%:
The product name
%EVENT%:
The name of the event
%PROTOCOL%
The mail protocol, SMTP or POP3
%SMTPNUMMESSAGES%:
The number of messages received via SMTP
%SMTPVIRUSDETECTED%:
The number of viruses detected (SMTP)
%SMTPPUPSDETECTED%:
The number of PUPs detected (SMTP)
%SMTPANTIRELAYDETECTED%
The number of items that triggered anti-relay measures
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
423
5
Overview of System menu
Logging, Alerting and SNMP
Table 5-19 Alert tokens for Email alerts (Logging and Alerting) (continued)
Token name
Description
%SMTPBATVDETECTED%
The number of messages that failed BATV signature
verification
%SMTPCONTENTDETECTED%:
The total number of content detections
%SMTPCOMPLIANCEDETECTED%
The number of compliance detections (SMTP)
%SMTPDENYSENDERDETECTED%
The number of emails that triggered the denied senders list
%SMTPDHDETECTED%
The number of emails that triggered directory harvest
detections
%SMTPDKIMDETECTED%
The number of emails that included DKIM signature failures
%SMTPDLPDETECTED%
The number of DLP violations detected (SMTP)
%SMTPFILEFILTERDETECTED%
The number of emails that triggered file filtering
%SMTPGREYLISTDETECTED%
The number of emails that triggered Greylisting
%SMTPGTIMSGREPDETECTED%
The number of TrustedSource lookups reported as being
malicious
%SMPTIADETECTED%
The number of emails that triggered Image Analysis
%SMTPLDAPRCPTDETECTED%
The number of recipients that failed LDAP verification
%SMTPMAILFILTERDETECTED%
The number of emails that triggered message/partial,
message/external-body, and missing/empty header detections
%SMTPMAILSIZEFILTERDETECTED% The number of detections based upon email message size
(SMTP)
%SMTPPACKERSDETECTED%
The number of packers detected (SMTP)
%SMTPPHISHDETECTED%
The number of phishing messages (SMTP)
%SMTPRBLDETECTED%
The number of emails that failed to pass testing the origin
against an RBL
%SMTPRECIPIENTDETECTED%
The number of emails that failed recipient ID verification
%SMTPSENDCONNECTDETECTED%
The number of emails failed sender connection verification
%SMTPSENDERIDDETECTED%
The number of emails that failed Sender ID verification
%SMTPSPAMDETECTED%
The number of spam messages detected (SMTP)
%SMTPSPFDETECTED%
The number of messages that failed Sender Policy Framework
(SPF) verification
%SMTPTOTALDETECTED%
The total number of detections (SMTP)
%POP3NUMMESSAGES%:
The number of messages scanned (POP3)
%POP3VIRUSDETECTED%:
The number of viruses detected (POP3)
%POP3PUPSDETECTED%:
The number of PUPs detected (POP3)
%POP3IADETECTED%
The number of Image Analysis detections (POP3)
%POP3MAILSIZEFILTERDETECTED% The number of detections based upon email message size
(POP3)
424
%POP3PACKERSDETECTED%
The number of packers detected (POP3)
%POP3PHISHDETECTED%
The number of phishing messages (POP3)
%POP3SPAMDETECTED%
The number of spam messages (POP3)
%POP3TOTALDETECTED%
The total number of detections (POP3)
%SPAMBLOCKEDRBL%:
The number of spam messages detected using RBLs
%SPAMDETECTED%:
The number of spam messages detected
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Logging, Alerting and SNMP
Table 5-19 Alert tokens for Email alerts (Logging and Alerting) (continued)
Token name
Description
%SPAMBLOCKED%:
The number of spam messages discarded
%SPAMQUAR%:
The number of spam messages quarantined
%CONTENTQUAR%:
The number of messages quarantined through compliance
%VIRUSQUAR%:
The number of viral messages quarantined
%SOURCEIP%:
Source IP address
%SOURCEHOST%:
Source host name
%DESTINATIONIP%:
Destination IP address
%DESTINATIONHOST%:
Destination host name
%LOCALTIME%:
Local time
%UTCTIME%:
UTC time
%WEBSHIELDNAME%:
McAfee Email Gateway appliance name
%WEBSHIELDIP%:
McAfee Email Gateway IP address
%GATEWAYIP%
The gateway IP address
%GATEWAYNAME%
The gateway host name
%APPLICATION%:
The name of the process that generated the event
SNMP Alert Settings
Use this page to configure the SNMP alerts sent by the appliance.
System | Logging, Alerting and SNMP | SNMP Alert Settings
The SNMP alerts are cumulative and are derived by adding data from the real-time logs. The real-time
logs are updated every 24hours.
The page is divided into these sections:
•
SNMP Alert Settings
•
Trap Manager Settings
Benefits of SNMP Alerts
SNMP alerts provide alert messages directly to specified computer workstations.
You can configure one or more workstations to receive the various types of alerts Email Gateway
generates.
Option definitions - SNMP Alert Settings
This information describes the options available on this page.
Option
Definition
Anti-virus events to System events
When selected, specifies the types of events that will be
sent.
Trap manager, Community name, Protocol version Specifies various details for SNMP trap managers.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
425
5
Overview of System menu
Logging, Alerting and SNMP
SNMP Monitor Settings
Use this page for settings that allow other devices to communicate with the appliance via SNMP.
System | Logging, Alerting and SNMP | SNMP Monitor Settings
Benefits of the SNMP Monitor Settings
Use SNMP monitor settings to enable other devices to access your appliance.
You can allow queries from all devices in your network, or restrict access to specific devices.
Option definitions - SNMP Monitor Settings
This information describes the options available on this page.
Basic settings
Option
Definition
Name to Community
name
Versions 1 and 2 of the SNMP protocol use the community name like a password.
The community name is required with each SNMP Get request to allow access to
the appliance. The default Community Name is public.
If you have several appliances, change the default name.
Security Options (v3 only)
Option
Definition
Username for authentication
to Store for configuration
push (plain text)
Version 3 incorporates both authentication and privacy. You need to set the
user name, and the protocols and passwords for authentication and privacy.
These settings will not be included in configuration pushes between your
appliances unless you select Store for configuration push (plain text). Be aware,
however, that if you select this option, the configuration settings for the
SNMP v3 protocol are stored on the appliance in plain text.
Access control list
Option
Definition
Access control list The appliance is set to allow SNMP queries from all devices. We recommend that you
change the settings to allow access from known devices only. Specify the IP address
numbers of the devices that can read the appliance’s MIB parameters.
System Log Settings
Use this page to specify standard or extended system logging and the events to be recorded in the
system log. You can also send logs to off-box servers.
System | Logging, Alerting and SNMP | System Log Settings
Syslog provides log information about the system itself, rather than about messages the system
processes. Extended logging allows you to use external software to generate reports.
426
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of System menu
Logging, Alerting and SNMP
5
Benefits of the System Log Settings
System Log (Syslog) is a method for delivering log information across a network, usually via UDP port
514.
Extended logging creates a structured output log file using the syslog protocol. The extended logging
provides name-value pairs for each logged event.
The syslog protocol and message format are defined in RFC 3164.
Option definitions - System Log Settings
This information describes the options that are available on this page.
Option
Definition
Enable system Enables system logging (syslog) information to be collected and delivered to the
log events
on-appliance logging system, or sent to an off-box solution.
Select the type of logging format that you want to use. This option creates an output
log file that is structured so that it can be easily read by third-party applications and
used to generate custom reports. Due to the amount of data generated, we recommend
that this option is only enabled when using TCP syslog. Choose from:
• Original
• Content Security Reporter
• Splunk
• McAfee Enterprise Security Manager
• Common Event Format
Conversation events and Aggregated data events are not reported in the extended
logging format.
Click View the system logs to see the log files on the appliance.
Log events to
the syslog for
the following
event types:
Specify the events to capture within the syslog. To prevent very large log files, we
recommend that you record only events that you want to monitor closely, and deselect
the events when you have finished.
The appliance cannot store the transport events produced by heavy traffic for long
periods. We recommend that you use the off-box syslog option to forward the transport
events to a central syslog server.
Off-box system Enable off-box system log — To send system logs for storage off-box, enable this setting and
log
define the receiving server parameters:
Receiving server — Specifies the IP address or host name of the server that receives the
syslog information.
Use IPv6 protocol — Check this option when sending system logging information over an
IPv6 network.
Port — Specify the port on the receiving server to be used to transfer the system log
information.
When using off-box system logging, you can specify different ports for each configured
off-box syslog server.
Protocol — Either TCP or UDP. Specifies the packet type. UDP has a limit of 1024 bytes
per packet.
Add Server — You can configure multiple off-box servers.
System Log
Archive
Send archive copies of the mail logs to another server, and set up a schedule for this to
happen. Click Enable log archive to open the Configure System Log Archive wizard. After
the wizard is complete, this section displays a summary of the schedule settings you
entered.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
427
5
Overview of System menu
Logging, Alerting and SNMP
Extended Syslog attributes for Splunk
Using the extended Syslog functions within the appliance, you can use external, third party software
— such as Splunk — to generate Syslog reports.
Table 5-20
Extended Syslog attributes for Splunk
Syslog Entry
Notes
Time and Appliance
Name
Example
Dec 30 10:58:10 Appliance1
app
Protocol
Smtp
name
A description of
the event
Anti-virus engine detection
policy_name
Name of in force
policy
My policy Note: __smtp_master refers to the
default policy
dvc_host
Host responsible
Appliance1
for scanning in a
blade environment
event_id
Event ID
180000
reason_id
Reason ID
145 - Clean
146 - Replace
624 - PuP Detection
625 - Packer Detection
428
direction
Whether inbound
0, 1
(0) or outbound(1)
as defined by the
administrator for
the policy
src_ip
Originating client
IP address of the
host sending the
email
src_host
Originating client
host name if
available
dest_ip
Destination client
IP address of the
host sending the
email
dest_host
Destination client
host name if
available
is_primary_action
Indicates if the
action taken is the
main action
defined for the
event. 1 indicates
primary action
scanner
Which scanner
AV - Anti Virus
detected the event
McAfee® Email Gateway 7.6.0 Appliances
0,1
Administrators Guide
Overview of System menu
Logging, Alerting and SNMP
Table 5-20
5
Extended Syslog attributes for Splunk (continued)
Syslog Entry
Notes
Example
action
The action taken
for the event
ESERVICES:REPLACE - Replace with an alert
WEBSHIELD:REFUSEORIGINAL - Refuse the email
WEBSHIELD:ACCEPTANDDROP - Accept the email
and then drop it ESERVICES:ALLOWTHRU - Allow
the email through
WEBSHIELD:DENYCONNECTION - Refuse the
email and deny the connection for a period of time
status
A descriptive
message for the
event
The content was categorized as uncleanable
content
sender
The sender of the
email
<a@somewhere.com>
recipient
A list of recipient
email addresses
<testuser@domain.com>,
<anotheruser@domain.com>,
<user@domain.com>
msgid
A unique id
assigned to each
mail message
nrcpts
Number of the
recipients for the
mail
3
relay
Address of the
next MTA the mail
would be sent to if
known
10.1.1.108
subject
The subject of the
email
A subject line here
size
Size of the
message in bytes
231
attachments
The attachments
of the email
(optional)
file1.doc, file2.doc
number_attachments
The number of
2
attachments of the
email (optional)
virus_name
The name of the
detected virus
EICAR test file
file_name
Filename in which
the detection
occurred
eicar_com.zip
spamscore
The score this
message achieved
spamthreshold
The threshold it
exceeded
spamrules
A list of the rules
to determine it's
status as spam
URL
Url which caused
the event to be
generated
contentrule
The rule that
caused the event
McAfee® Email Gateway 7.6.0 Appliances
http://www.eicar.org/download/eicar.com
Administrators Guide
429
5
Overview of System menu
Logging, Alerting and SNMP
Table 5-20
430
Extended Syslog attributes for Splunk (continued)
Syslog Entry
Notes
content_terms
The terms that
caused the content
filter event
tz
The timezone
where the event is
generated
tz_offset
The timezone
+0000
offset in use where
the event is
generated
dlpfile
The registered
document file
name that
matched the DLP
trigger
TestSpecTemplate.doc
dlprules
The DLP category
Finance
dlpclassification
The DLP category
Finance
dlpfileuploaded
Upload time in UTC 2010-11-10 10:13:47
dlpfiledigest
The digest of the
registered
document
6e70e63d3dadfc331b917696bda46c04ed2c8de0
dlpfilesize
The file size of the
registered
document in bytes
23040
url_filter_categorization
For a URL
detection, the
category it was
detected for.
Pornography
McAfee® Email Gateway 7.6.0 Appliances
Example
UTC
Administrators Guide
Overview of System menu
Logging, Alerting and SNMP
Table 5-20
5
Extended Syslog attributes for Splunk (continued)
Syslog Entry
Notes
Example
encryption_type
The encryption
type of the email,
shown as a
number:
8
• PG
P
—
2
• Pul
l
del
ive
ry
—
16
• SM
IM
E
—
4
• Bo
th
pu
sh
an
d
pul
l
del
ive
ry
—
32
• Pu
sh
del
ive
ry
—
8
orig_subject
The original
subject of the
email
Meeting report
orig_sender
The original sender exampleuser@example.com
of the email
Table 5-21 Glossary
event_id
Name
Scanner
50006
Email Status
-
180000
Anti-virus engine detection
AV (Anti Virus)
180002
Anti-spam classification
AS (Anti Spam)
180002
Anti-spam classification
AP (Anti Phish)
180003
File format detection
FF (Format Blocking)
180004
MIME format detection
MF (Mime Format)
180008
URL request denied
UF (URL Filtering)
180010
Compliance detection
PX (Compliance)
180011
Data Loss Prevention detection
DL (Data Loss Prevention)
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
431
5
Overview of System menu
Logging, Alerting and SNMP
Table 5-21 Glossary (continued)
event_id
Name
Scanner
180012
Mail Size detection
MS(Mail Size)
180031
URL has been blocked due to categorization
SA (Site Advisor)
reason_id
Text
77
Email Delivered
83
Email Deferred
142
Access to the requested URL is not permitted
145
clean
146
replace
161
Content categorized as spam
206
Content was categorized as non spam
305
Email blocked with SMTP Code 550
306
Email accepted and dropped
420
Email blocked with SMTP Code 550. Connection closed
611
URL categorized by URL filter
623
Phish Detection
624
PuP
625
Packer
689
DLP
728
Compliance
737
The undeliverable email has been bounced
Extended Syslog attributes for Common Event Format
Using the extended Syslog functions within the appliance, you can use external, third party software
to generate Syslog reports.
Table 5-22
432
Events for Common Event Format
Event ID
Event Description
50005
Logging of the email status during processing
50006
Logging of the email status during processing
50022
Logging of the email status during McAfee Quarantine Manager processing
180000
Anti-Virus Engine Detection
180001
Content rule detection
180002
Anti-spam classification
180003
File-format detection
180004
Mail-Filtering detection
180010
Compliance detection
180011
Data Loss Prevention detection
180012
Mail Size detection
180013
Regular expression scanning failure
180014
Image-Filtering detection
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of System menu
Logging, Alerting and SNMP
5
Device Event Mapping to Common Event Format Data Fields
Information contained within vendor-specific event definitions is sent to the Common Event Format
SmartConnector, then mapped to a data field for the third party software.
The following table lists the mappings from Common Event Format data fields to the supported
vendor-specific event definitions.
Table 5-23
McAfee Email Gateway Appliance Connector Field Mappings
McAfee-Specific Event Definition
Third party Event Data Field
The Action taken for the event: ESERVICES:REPLACE Replace with an alert WEBSHIELD:REFUSEORIGINAL Refuse the email WEBSHIELD:ACCEPTANDDROP - Accept
the email and then drop it ESERVICES:ALLOWTHRU Allow the email through WEBSHIELD:DENYCONNECTION Refuse the email and deny the connection for a period of
time
act
Protocol
app
A descriptive message for the event
msg
Host responsible for scanning
dvc
Destination IP address of the connection (if available)
dst
Destination hostname of the connection (if available)
dhost
Originating IP address of the host making the connection
src
Originating hostname of the host making the connection
shost
The sender of the email
suser
A list of recipient email addresses
duser
Whether inbound (0) or outbound(1) as defined by the
administrator for the policy
deviceDirection
Name of active policy
sourceServiceName
Filename in which the detection occurred
filePath
A unique id assigned to each mail message
fileId
Size of the message in bytes
fsize
Time of the event, in milliseconds since epoch
rt
Reason ID for event. See 'msg' field for textual description flexNumber1
'reason-id'
flexNumber1Label
The definition of this field depends on the value of the field cs1
'cs5': If cs5 is 'AV' or 'PA' or 'PU': The name of the
detected virus/packer/PuP. If cs5 is 'AS': The spam rules
that triggered the event If cs5 is 'DL': The file that
triggered the DLP rule If cs5 is 'FF': The file rule that
triggered the event If cs5 is 'PX': The content rule that
triggered the event
The definition of this field depends on the value of the field cs1Label
'cs5': If cs5 is 'AV' or 'PA' or 'PU': 'virus-names' If cs5 is
'AS': 'spam-rules-broken' If cs5 is 'DL': 'dlpfile' If cs5 is
'FF': 'content-rules' If cs5 is 'PX': 'content-rules'
The definition of this field depends on the value of the field cs2
'cs5': If cs5 is 'AV' or 'PA' or 'PU': The version of the
Anti-Virus engine If cs5 is 'AS': The spam score If cs5 is
'DL': The DLP categories that triggered If cs5 is 'PX': The
terms that caused the content filter event
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
433
5
Overview of System menu
Logging, Alerting and SNMP
Table 5-23
McAfee Email Gateway Appliance Connector Field Mappings (continued)
McAfee-Specific Event Definition
Third party Event Data Field
The definition of this field depends on the value of the field cs2Label
'cs5': If cs5 is 'AV' or 'PA' or 'PU': 'av-engine-version' If
cs5 is 'AS': 'spam-score' If cs5 is 'DL': 'dlp-rules' If cs5 is
'PX': 'compliance-terms'
The definition of this field depends on the value of the field cs3
'cs5': If cs5 is 'AS': The threshold the message exceeded
The definition of this field depends on the value of the field cs3Label
'cs5': If cs5 is 'AS': 'spam-threshold-score'
The attachments of the email (if available)
cs4
'email-attachments'
cs4Label
For a detection event, the scanner which triggered the
cs5
event: 'AP' - Anti-Phish 'AS' - Anti-Spam 'AV' - Anti-Virus
'DL' - Data Loss Prevention 'FF' - File Filtering 'MF' - Mail
Filtering 'MS' - Mail Size 'PA' - Packer 'PU' - Potentially
Unwanted Program 'PX' - Compliance 'IA' - Image Filtering
'master-scan-type'
cs5Label
The subject of the email
cs6
'email-subject'
cs6Label
Indicates if the action taken is the main action defined for
the event. 1 indicates primary action
cn1
'is-primary-action'
cn1Label
The number of attachments in the email (if available)
cn2
'num-email-attachments'
cn2Label
The number of recipients of the email
cn3
'num-email-recipients'
cn3Label
The original subject of the email
McafeeEmailgatewayOriginalSubject
The original sender of the email
McafeeEmailgatewayOriginalSender
The original message ID number, such as
5f84_00f8_48fd8314_29f1_472b_9c9f_1adff4733814
McafeeEmailgatewayOriginalMessageId
The encryption type of the email, shown as a number:
McafeeEmailgatewayEmailEncryptionType
• PGP — 2
• Pull delivery — 16
• SMIME — 4
• Both push and pull
delivery — 32
• Push delivery — 8
Logging Configuration
Use this page to specify which events are recorded in the appliance’s logs
System | Logging, Alerting and SNMP | Logging Configuration
Although the appliance can record many types of events in the logs, normally only the most serious
events are needed.
434
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Logging, Alerting and SNMP
Benefits of the Logging Configuration features
Use the logging configuration features to configure and to adjust the kinds of events logged.
You can set logging configuration for both SMTP and POP3 settings.
Option definitions - Logging Configuration
This information describes the options available from the linked pages.
Table 5-24 SMTP Settings
Option
Definition
Protocol events
Provides a list of types of protocol events.
High severity events include a suspected denial-of-service attack.
Communication events Provides a list of types of communication events.
High severity events include failure of a scanner.
Detection events
Provides a choice of events, such as virus detections.
Advanced
When clicked, opens another window where you can examine the settings for
each event and choose which events to log or ignore. The information includes:
Enabled — Whether the event is being recorded in the log now.
ID — The event number, such as 50012, which is recorded in the log with the time
and date of the event.
Level — A symbol that indicates the severity of the event:
•
— High Severity. We recommend that this event is recorded in the log.
•
— Medium Severity
•
— Low Severity.
High Volume — A symbol that indicates how often this event occurs:
•
— The event can generate a high volume of log records.
Description — A description of the event, such as Quarantine.
Table 5-25 POP3 Settings
Option
Definition
Protocol events
Provides a list of types of protocol events.
High severity events include a suspected denial-of-service attack.
Communication events Provides a list of types of communication events.
High severity events include failure of a scanner.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
435
5
Overview of System menu
Logging, Alerting and SNMP
Table 5-25 POP3 Settings (continued)
Option
Definition
Detection events
Provides a choice of events, such as virus detections.
Advanced
When clicked, opens another window where you can examine the settings for
each event and choose which events to log or ignore. The information includes:
Enabled — Whether the event is being recorded in the log now.
ID — The event number, such as 50012, which is recorded in the log with the time
and date of the event.
Level — A symbol that indicates the severity of the event:
•
— High Severity. We recommend that this event is recorded in the log.
•
— Medium Severity
•
— Low Severity.
High Volume — A symbol that indicates how often this event occurs:
•
— The event can generate a high volume of log records.
Description — A description of the event, such as Quarantine.
Table 5-26 Non-proxy Settings
Option
Definition
System events
Provides a list of types of system events.
High severity events include a suspected denial-of-service attack.
User interface
events
Provides a list of types of user interface events.
Advanced
When clicked, opens another window where you can examine the settings for each
event and choose which events to log or ignore. The information includes:
High severity events include failure of a scanner.
Enabled — Whether the event is being recorded in the log now.
ID — The event number, such as 50012, which is recorded in the log with the time and
date of the event.
Level — A symbol that indicates the severity of the event:
•
— High Severity. We recommend that this event is recorded in the log.
•
— Medium Severity
•
— Low Severity.
High Volume — A symbol that indicates how often this event occurs:
•
— The event can generate a high volume of log records.
Description — A description of the event, such as Quarantine.
Logging Configuration — Override events dialog boxes
Use these dialog boxes to edit protocol and communications events for the SMTP and POP3 protocols,
and system and user interface events for the non-proxy settings.
436
Option
Definition
Enabled
Shows whether the event is logged
ID
The ID associated with the event
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Logging, Alerting and SNMP
Option
Definition
Level
Displays the level of severity of the event
High Volume
Displays a warning icon if the event is likely to produce a high volume of alerts
Description
A more detailed description of the event
Restore defaults
Revert the list of events and their status to the original
Configure System Log Archive wizard
Use this wizard to configure the server to which you want to send the system log archive, set up a
regular update schedule, and test the configuration you created.
Option definitions — Default remote backup settings
This information describes each option in this section.
Option
Definition
Transfer to FTP
Server
Selected by default:
• Server
• Proxy server
• Port
• Proxy port
• Directory
• Proxy username
• Username (default value is
anonymous)
• Proxy password
• Password (default value is
anonymous)
Transfer via SSH
Click to specify the settings to transfer the backup using SSH:
• Server
• Port
• Directory
• Username (default value is anonymous)
• Password Authentication/Password (default value is anonymous)
• Public Key Authentication/Public key (links to the public key)
If you use either FTP or SSH with password authentication, your passwords are stored in the appliance
configuration files, in plain text format. The most secure option is to use SSH with public key
authentication. To use this feature, you must click the link to generate a key file, which you must then
copy and paste into your authorized keys file so that the appliance can perform the backup.
Option definitions — Configure Updates (Time)
Use this page to schedule automatic configuration backups, and set up scheduled updates to the
detection definitin (DAT) files, anti-spam, and package updates.
System | Component Management | Update Status
System | System Administration | Configuration Management
System | Logging, Alerting and SNMP | System Log Settings
Introduction to Scheduled update settings
You can schedule updates for the following components:
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
437
5
Overview of System menu
Component Management
•
Automatic configuration backups
•
Spam rules and anti-spam engine
•
System Log
•
Appliance software updates (HotFixes and
patches)
•
Anti-virus engine and database
McAfee recommends that you update all scanning components on a new appliance using the Update
Now feature, then use the Schedule feature for each component to create regular updates at a time
when traffic is low, such as during the night.
Option
Definition
Hourly to Weekly
Specifies the schedule. If you do not need this feature, select Never.
Next / Finish
Moves to the next page of the wizard , or closes it and applies the settings.
Option definitions — Test Configuration
This information describes the options available on this page of the wizard.
Option
Definition
Test
Checks that the backup configuration works, and provides the desired information.
Component Management
The Component Management pages enable you to view the status of your updates, to specify Package
Installer and ePolicy Orchestrator options, and to enable additional anti-virus engines.
System | Component Management
Through the Component Management pages, you can schedule and perform anti-virus and anti-spam
detection file updates, as well as updates to software packages through hotfixes and patches.
Additionally, you can set up how packages are updated, or use ePolicy Orchestrator. You can also
configure your McAfee® Email Gateway to use additional anti-virus engines when scanning your email
traffic.
Contents
Update Status
Package Installer
ePO
Anti-virus engines
Configure Anti-Virus Updates wizard
Configure Anti-Spam Updates wizard
Configure Automatic Package Updates
Edit Preferences (Warning Thresholds)
438
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Component Management
Update Status
Use this page to check that each scanning component is using the most up-to-date threat detection
data to maintain your appliance security.
System | Component Management | Update Status
From the Update Status page, you can manage updates for the following scanning components:
•
Anti-virus engine and database
•
Spam rules and anti-spam engine
•
Appliance software updates (HotFixes and patches)
•
Extra DAT emergency update file
Default anti-virus engine and database update settings
By default, the appliance is set to update the anti-virus engine and database every day at 03:00 hours
using first HTTP to download the update file, then using FTP if the HTTP update failed.
Benefits of using Update Status
This information describes the benefits of using the Update Status features.
You can choose to update scanning components immediately, and create schedules to regularly update
the components when the server traffic is low. Additionally, you can have the appliance import
anti-virus engine and database files from the update server, and export them onto other appliances
that do have Internet access.
®
If you are using the Commtouch Command anti-virus engine, updates for that engine are downloaded
and applied at the same time as those for the McAfee anti-virus engine.
McAfee recommends that you update all scanning components on a new appliance using the Update Now
options, then use the scheduling options for each component to create regular updates at a time when
traffic is low, such as during the night. To update appliance software updates such as HotFixes and
patches, go to System | Component Management | Package Installer.
McAfee Email Gateway no longer supports the v1 detection definition (DAT) files. The appliances now
use the McAfee Agent to handle the updating of the v2 DAT files and scanning engine files — even
without having an ePolicy Orchestrator server configured on your network. When not using an ePolicy
Orchestrator server, you can now configure your appliance to use ftp or http to download the v2 DAT
files and scanning engine files. These DAT files and scanning engine updates can be obtained by ePolicy
Orchestrator and pulled from the ePolicy Orchestrator repository using the McAfee Agent. You can also
manually download the files and install them onto your appliance.
You cannot use the Update Status pages to update the Hardware Acceleration PDB files used by older
hardware fitted with Hardware Acceleration cards.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
439
5
Overview of System menu
Component Management
Option definitions - Update Status
This information describes the options available on this page.
Table 5-27 Version information and updates
Option
Definition
Edit warning
thresholds
When clicked, opens a dialog box where you can specify the warning thresholds for
various component updates.
When applied, these thresholds are used in the Dashboard and within Version information
and updates to bring any missing or failed updates to your attention.
Component name
Displays the component name, preceded by an icon that indicates whether the
component is up-to-date:
•
— Up-to-date.
•
— Out-of-date. We recommend that you update soon.
•
— Out-of-date. We recommend that you update immediately.
Version
Displays the component version.
Update Status
Displays information about the status of each installed component.
Last Updated
Displays the date and time that each installed component was last updated.
Scheduled
Displays the schedule, such as Every day at 03:00.
To change the location where the appliance collects the component and the
schedule, click the link, which opens a wizard.
Action
Update Now — When clicked, updates a component immediately rather than wait for
the scheduled update.
Configure — opens the Configure Anti-Spam Updates dialog box where you can specify a
proxy server from which the appliance downloads the update, or accept any default
server settings that you have already entered.
Import
Click Import to install the Engine and Database files previously exported from this, or
another appliance.
Export
Click Export to create a zip file containing the Engine and Database files currently
installed on the appliance.
You can include:
• Anti-virus engine
• Anti-virus database
• Spam engine
• Spam rules
within the exported file.
When you import the updates zip file, all updates that are contained within it are
imported to your appliance. If you do not want a particular update to be applied,
then McAfee recommends that you do not include that update when you export the
update file.
440
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Component Management
Table 5-28 Automatic package updates
Option
Definition
Update scheduled When clicked, the link opens a wizard, where you can specify the type, source and
schedule for installing packages, such as hot fixes and service packs.
Update now
Installs packages immediately. You can select options about how the package update
is handled.
When first configuring your appliance, using Update now confirms that the user settings
are configured correctly and working. Alternatively, you can browse to Troubleshoot |
Tests and run the System Tests to confirm these settings.
Table 5-29 Anti-virus Extra DAT
Option
Definition
Install Extra DAT
Opens a file browser to install any Extra DAT files.
Remove Extra DAT If you have existing Extra DAT files installed, allows you to remove them once the
additional protection has been added to the standard DATs.
Table 5-30 Anti-virus DAT roll back
Option
Definition
Roll back to previous installed
version
When specifically instructed to do so by McAfee Technical Support, click to
roll back to the previous installed version of the Anti-virus DAT file.
The currently installed version of the Anti-virus DAT file will be removed
from your McAfee Email Gateway. The proxies will also be restarted.
Option definitions — Configure Anti-Spam Updates dialog box
This information describes the options available on this dialog box.
Option
Definition
Use the default proxy settings
Uses the FTP proxy settings set up on the Default Server Settings page (System
| Appliance Management | Default Server Settings).
configure defaults
Opens the Default Server Settings page where you can edit the default FTP
proxy settings.
Proxy Server to Proxy Password Displays the settings of the FTP proxy server.
Task — Update the anti-virus engine and database daily at 04:00 over HTTP
using a proxy server
Use this task to update the anti-virus engine using detailed settings.
Task
1
Go to System | Component Management | Update Status.
2
Click the link in the Scheduled column for the Anti-virus engine component.
3
On the Specify the server settings for downloading the update via HTTP page, keep the default settings, and click
Next.
The update will use the proxy server that you set up in System | Appliance Management | Default Server
Settings.
4
In Select how the McAfee FTP update site should be used, select Not Used, and click Next.
5
In Time to schedule update for, select the Daily option, and set the time to 0400, and click Finish.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
441
5
Overview of System menu
Component Management
Task - Disable updates for the additional anti-virus engine
®
Updates for the Commtouch Command anti-virus engine occur simultaneously with the updates for
the McAfee anti-virus engine. You can choose to disable updates for the additional anti-virus engine.
®
Task
1
Navigate to System | Component Management | Update Status.
2
In the Scheduled column under Version information and updates, click the scheduled update link on the row
with the McAfee anti-virus engine.
A series of Configure Anti-Virus Updates pages opens.
3
Click Next on the first and second pages that appear, to get to the third page labeled Time to schedule
update for.
4
Uncheck the Enable updates for Commtouch Command anti-virus check box, then click Finish.
®
®
Updates for Commtouch Command anti-virus engine are now disabled.
Task — Update the spam engine daily at 05:00
Use this task to update the anti-spam engine files every day at a regular time.
Task
1
Go to System | Component Management | Update Status.
2
Click the link in the Scheduled column for the Spam engine component.
3
Click Next to have the update use the default FTP update server settings.
4
In Time to schedule update for, select the Daily option, and set the time to 0500, and click Finish.
Task — Roll back to the previous installed Anti-virus DAT file
Remove the currently installed Anti-virus DAT file, and use the previously installed version.
If instructed by McAfee Technical Support, use this task to roll back to the previous installed version of
the Anti-virus DAT file, and remove the existing file from your McAfee Email Gateway.
Task
1
Go to System | Component Management | Update Status.
2
Click Roll back to previous installed version, in Anti-virus DAT roll back .
3
Click OK to roll back to the previous installed version of the Anti-virus DAT file.
Package Installer
Use this page to examine and install new software packages.
System | Component Management | Package Installer
McAfee recommends that you update the software packages manually on a new appliance using the
Update From File option, then go to the System | Component Management | Update Status scheduling options in
Automatic package updates to create regular updates at a time when traffic is low, such as during the
night.
442
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Component Management
Benefits of the Package Installer
This information describes the benefits of the Package Installer.
From the Package Installer page, you can view information about installed appliance software packages
such as patches and Hotfixes, and update them immediately to ensure that your appliance remains as
up-to-date as possible.
Option definitions - Package Installer
This information describes the options available on this page.
Option
Definition
Update From file When clicked, opens another window where you can select a file from a local source to
upload to the appliance.
Package Type
Displays the type of package, such as a Service Pack or Hotfix.
Name
Displays a name that uniquely identifies the package.
Severity
Displays information such as whether we recommend that you install the package, or
allow you to decide.
Status
Displays information such as whether the package has been downloaded or installed.
Required Actions Displays information such as whether the appliance needs to be restarted when the
package is installed.
Notes
Describes any dependencies or requirements, for example, whether the patch
supersedes a previous installation.
Click any Details link for more information, such as the resolved issues and
KnowledgeBase information.
Install
When clicked, makes the selected patch ready to install. The patch is installed when
you click Apply.
Download
When clicked, makes the selected patch ready to download. The patch is downloaded
when you click Apply.
Export
When clicked, exports the downloaded file to another location so that another
appliance can use it via Manual Package Install
Refresh
When clicked, sends a request to the FTP server for any changes.
Apply
When clicked, installs or downloads the patches that you specified.
ePO
Use this page to manually set up the appliance to be managed by ePolicy Orchestrator.
System | Component Management | ePO
The information and settings in this page provide similar features to those found in the ePO Managed
Setup pages of the Setup Wizard
Benefits of using ePolicy Orchestrator
This information describes the benefits of using ePolicy Orchestrator to manage your appliances.
McAfee® ePolicy Orchestrator® enables you to unify your security management, making risk and
compliance management simpler and more successful for organizations of all sizes.
Using McAfee ePolicy Orchestrator enables you to manage multiple McAfee® Email Gateway appliances
from a single location; sharing policies across each appliance.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
443
5
Overview of System menu
Component Management
Option definitions — ePO
Understand the options available when configuring your appliance to function with ePolicy
Orchestrator.
ePO Server Configuration
Option
Definition
Export Appliance
Configuration
Use this to create an .xml file containing your McAfee Email Gateway
configuration that you can then load directly into the Policy Catalog within
ePolicy Orchestrator.
Migrate ePO Configuration
Use this to select the configuration file from your ePO server, to import your
ePO settings into McAfee Email Gateway.
Settings for ePO Management
Option
Definition
Import ePO connection
settings
Click to browse to the ePolicy Orchestrator connection settings file, to import the
ePolicy Orchestrator connection information into the appliance.
Enable ePO
management
Select to allow reporting and monitoring of your Email Gateway events to be
sent to your ePolicy Orchestrator server. You can then compile statistics from all
your ePolicy Orchestrator-managed Email Gateway appliances.
You can enable the reporting and monitoring of your Email Gateway appliance
from your ePolicy Orchestrator v4.5 (or higher) software.
Allow configuration to
be applied from ePO
When Enable ePO management is selected, you can use your ePolicy Orchestrator
server to create, edit and manage all policies, and to have them pushed to all
your ePO managed Email Gateway appliances.
To create, edit and manage policies for your Email Gateway appliance, you must
use ePolicy Orchestrator v4.5 (or higher) software.
Task — Configuring the appliance to work with ePolicy Orchestrator
Set up the appliance to be managed by ePolicy Orchestrator.
Task
1
From your McAfee® Email Gateway appliance, select Resources and then click ePO Extensions and ePO
Help Extensions to download the extension files.
2
On the ePO server, install the extensions using Menu | Software | Extensions | Install Extensions.
3
On the ePO server, save the connections settings from Menu | Gateway Protection | Email and Web Gateway |
Actions | Export Connection Settings.
4
Choose one of the following options:
5
444
•
On the McAfee Email Gateway appliance, return to the Settings for ePO Management page in the
appliance Setup Wizard, and click Import ePO connection settings.
•
Click System | Component Management | ePO page, and click Import ePO connection settings.
Browse to the ePO connections settings file and click OK to upload it.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Component Management
6
Choose one of the following options:
•
From the Setup Wizard, click Next to continue to the Basic Settings page and complete the setup.
•
From System | Component Management | ePO, select Enable ePO management and Allow configuration to be
applied from ePO and apply the changes to the appliance.
When a policy is sent from ePolicy Orchestrator and is then enforced on your McAfee Email Gateway,
events are sent back from your McAfee Email Gateway to ePolicy Orchestrator giving indications of
the success or failure of that enforcement, and of any warnings that may have been generated. You
can view these events from within ePolicy Orchestrator by browsing to Menu | Reporting | Threat Event
Log.
When you have configured your appliance to enable it to be managed by ePolicy Orchestrator, you will
be reminded each time that you make a configuration change using the appliance's user interface that
the appliance is under ePolicy Orchestrator management, and that your changes will be overwritten
the next time that ePolicy Orchestrator updates the configuration.
Task — Upgrade from McAfee Email Gateway 7.0.3 appliances managed by
McAfee ePolicy Orchestrator
Use this task to upgrade to the latest version of McAfee Email Gateway from McAfee Email Gateway
7.0.3 appliances managed by McAfee® ePolicy Orchestrator (McAfee ePO).
Before you begin
Before you can upgrade to the latest version of McAfee Email Gateway, your existing
appliance must be running McAfee Email Gateway version 7.0.3 and be correctly configured
and running.
This upgrade process automatically disconnects the appliance from being managed by
McAfee ePO.
The inbuilt McAfee Email Gateway migration tools migrate many of your McAfee Email Gateway 7.0.3
settings for you. However, some settings may need to be recreated.
Task
1
In McAfee ePO, click Policy Catalog and select the McAfee Email Gateway 7.0.3 product.
2
Click Export to export the product policies.
3
Right-click the Policies_for_McAfee_Email_Gateway_7.0.xml link, and save the file.
4
Go to your McAfee Email Gateway appliance.
5
Go to System | Component Management | ePO.
6
Select Migrate ePO Configuration.
7
Import the Policies_for_McAfee_Email_Gateway_7.0.xml file you just created.
The import process can take a few minutes to complete.
8
Select the epo_config_<date_stamp>.xml file produced at the end of this process, and save the file.
9
From the McAfee Email Gateway Resources link, download the ePO Extensions and ePO Help Extensions
files.
10 From McAfee ePO, install the ePO Extensions and ePO Help Extensions files.
11 In McAfee ePO, click Policy Catalog and select the McAfee Email Gateway product.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
445
5
Overview of System menu
Component Management
12 Click Import, and import the epo_config_<date_stamp>.xml you saved in step 8.
The policies and settings within the configuration file are migrated across to your McAfee ePO
server.
After you have imported the settings into McAfee Email Gateway managed by McAfee ePO, you
need to re-assign the migrated policies to the correct groups in the System Tree in McAfee ePO.
13 On McAfee ePO, navigate to Menu | Gateway Protection | Email and Web Gateway.
14 From Actions, select Export Connection Settings. Save the epoConfig<xxxxxxx>.zip file.
15 On your McAfee Email Gateway, navigate to System | Component Management | ePO, click Import ePO
connection settings. Browse to the epoConfig<xxxxxxx>.zip file, and click OK.
Your McAfee ePO configuration settings are imported into your McAfee Email Gateway appliance.
16 Select both Enable ePO management, and Allow configuration to be applied from ePO.
17 Apply changes within your McAfee Email Gateway.
Your upgraded appliance is again under McAfee ePO control.
If you had documents registered for Data Loss Prevention in your McAfee Email Gateway 7.0.3
appliance, the document fingerprints for these are copied to your new McAfee Email Gateway McAfee
ePO installation.
If you chose to create a scheduled task to push your McAfee Email Gateway 7.0.3 DLP database to the
new McAfee Email Gateway version, you will need to create an equivalent scheduled task to push the
new McAfee Email Gateway DLP database to your appliance.
Anti-virus engines
Configure your McAfee® Email Gateway to additionally use the Commtouch Command anti-virus
engine.
System | Component Management | Anti-Virus Engines
The information and settings in this page provide options about how you enable the additional
Commtouch Command anti-virus engine within McAfee® Email Gateway.
®
When enabled, the Commtouch Command anti-virus engine works in series with the McAfee® anti-virus
engine, rather than in place of it.
Benefits of using the additional anti-virus engine
Configuring McAfee® Email Gateway to use an additional anti-virus engine enables you to provide a
further layer of protection to your email traffic.
Many security vendors provide anti-virus engines and signature files to detect a wide range of viruses
and other malware. These anti-virus engines use different methods to identify and detect the
unwanted files. Because of these different methods, anti-virus engines for each vendor have different
strengths and weaknesses when detecting unwanted content.
To provide a stronger and wider level of protection for your email users, McAfee Email Gateway
enables you to enable and configure an additional anti-virus engine.
446
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Component Management
®
This additional anti-virus engine is produced by Commtouch Command.
Although enabling an additional anti-virus engine can provide stronger protection, it will also use more
resources within the McAfee Email Gateway, and might impact overall performance and mail
throughput.
Configure Anti-Virus Updates wizard
Use this wizard to specify how and when you want to update the detection definition (DAT) files.
Benefits of the Configure Anti-Virus Updates wizard
This information describes the benefits of updating anti-virus protection using the Anti-Virus Updates
wizard.
Using the wizard to update your anti-virus database and anti-virus engine ensures updates are applied
correctly and completely.
Option definitions — Configure Updates (HTTP)
Use this page to specify anti-virus engine and anti-virus database update settings over HTTP.
System | Component Management | Update Status
Introduction to the HTTP update settings
You can choose to have the HTTP update server as the primary, or secondary update site, or switch off
HTTP as an update method altogether. If the HTTP update method fails, you can continue to the next
page of the wizard, and set up an FTP update site.
Table 5-31 Option definitions
Option
Definition
How HTTP update site should
be used
Default value is Primary Site. If the appliance receives its updates from an
ePO server, the value is Not Used.
Server
Default value is update.nai.com.
Port
Default value is 80.
Directory
For anti-virus updates, the default value is /virusdef/4.x
For anti-spam updates, the default value is spamdefs/1.x
Products/CommonUpdater
Username
Default value is anonymous.
Password
Default value is anonymous.
Use the default proxy settings
(configure defaults)
The appliance uses information that you type here or the default settings
from another page.
To access that page at any other time, select System | Appliance Management |
Default Server Settings on the navigation bar.
Proxy server to Proxy
Password
If the appliance obtains updates via a proxy server, type the details here.
Option definitions — Configure Updates (FTP)
Use this page to specify anti-virus engine, anti-spam, and package update settings over FTP.
System | Component Management | Update Status
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
447
5
Overview of System menu
Component Management
Introduction to the FTP update settings
You can choose to perform an anti-virus update using an FTP server if an HTTP update fails, or switch
off FTP as an update method altogether.
Table 5-32 Option definitions
Option
Definition
How FTP update site should be
used
Default value is Secondary Site. If the appliance receives its updates
from an ePO server, the value is Not Used.
Server
Default value is ftp.nai.com.
Port
Default value is 21.
Directory
For anti-virus updates, the default value is /virusdef/4.x
Username
Default value is anonymous.
Password
Default value is anonymous.
Use the default proxy settings
(configure defaults)
The appliance uses information that you type here or the default
settings from another page. To access the page at any other time,
select System | Appliance Management | Default Server Settings on the navigation
bar.
Proxy server to Proxy Password
If the appliance obtains updates via a proxy server, type the details
here.
Option definitions — Configure Updates (Time)
Use this page to schedule automatic configuration backups, and set up scheduled updates to the
detection definitin (DAT) files, anti-spam, and package updates.
System | Component Management | Update Status
System | System Administration | Configuration Management
System | Logging, Alerting and SNMP | System Log Settings
Introduction to Scheduled update settings
You can schedule updates for the following components:
•
Automatic configuration backups
•
Spam rules and anti-spam engine
•
System Log
•
Appliance software updates (HotFixes and
patches)
•
Anti-virus engine and database
McAfee recommends that you update all scanning components on a new appliance using the Update
Now feature, then use the Schedule feature for each component to create regular updates at a time
when traffic is low, such as during the night.
Option
Definition
Hourly to Weekly
Specifies the schedule. If you do not need this feature, select Never.
Next / Finish
Moves to the next page of the wizard , or closes it and applies the settings.
Configure Anti-Spam Updates wizard
Use this page to specify anti-spam rules, and anti-spam engine update settings.
448
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of System menu
Component Management
5
Benefits of the Configure Anti-Spam Updates wizard
This information describes the benefits of updating anti-spam protection using the Anti-Spam Updates
wizard.
Using the wizard to update your anti-spam rules and spam engine ensures updates are applied
correctly and completely.
Option definitions — Configure Updates (FTP)
Use this page to specify anti-virus engine, anti-spam, and package update settings over FTP.
System | Component Management | Update Status
Introduction to the FTP update settings
You can choose to perform an anti-virus update using an FTP server if an HTTP update fails, or switch
off FTP as an update method altogether.
Table 5-33 Option definitions
Option
Definition
How FTP update site should be
used
Default value is Secondary Site. If the appliance receives its updates
from an ePO server, the value is Not Used.
Server
Default value is ftp.nai.com.
Port
Default value is 21.
Directory
For anti-virus updates, the default value is /virusdef/4.x
Username
Default value is anonymous.
Password
Default value is anonymous.
Use the default proxy settings
(configure defaults)
The appliance uses information that you type here or the default
settings from another page. To access the page at any other time,
select System | Appliance Management | Default Server Settings on the navigation
bar.
Proxy server to Proxy Password
If the appliance obtains updates via a proxy server, type the details
here.
Option definitions — Configure Updates (Time)
Use this page to schedule automatic configuration backups, and set up scheduled updates to the
detection definitin (DAT) files, anti-spam, and package updates.
System | Component Management | Update Status
System | System Administration | Configuration Management
System | Logging, Alerting and SNMP | System Log Settings
Introduction to Scheduled update settings
You can schedule updates for the following components:
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
449
5
Overview of System menu
Component Management
•
Automatic configuration backups
•
Spam rules and anti-spam engine
•
System Log
•
Appliance software updates (HotFixes and
patches)
•
Anti-virus engine and database
McAfee recommends that you update all scanning components on a new appliance using the Update
Now feature, then use the Schedule feature for each component to create regular updates at a time
when traffic is low, such as during the night.
Option
Definition
Hourly to Weekly
Specifies the schedule. If you do not need this feature, select Never.
Next / Finish
Moves to the next page of the wizard , or closes it and applies the settings.
Configure Automatic Package Updates
Use this wizard to configure update settings for the appliance software package updates.
Benefits of the Configure Automatic Package Updates wizard
This information describes the benefits of the Configure Automatic Package Updates wizard.
You can choose to tell the appliance how you want to retrieve the package, the type of package that
you want to apply, and what you want the appliance to do when it's downloaded the update.
Option definitions — Configure Updates (FTP)
Use this page to specify anti-virus engine, anti-spam, and package update settings over FTP.
System | Component Management | Update Status
Introduction to the FTP update settings
You can choose to perform an anti-virus update using an FTP server if an HTTP update fails, or switch
off FTP as an update method altogether.
Table 5-34 Option definitions
450
Option
Definition
How FTP update site should be
used
Default value is Secondary Site. If the appliance receives its updates
from an ePO server, the value is Not Used.
Server
Default value is ftp.nai.com.
Port
Default value is 21.
Directory
For anti-virus updates, the default value is /virusdef/4.x
Username
Default value is anonymous.
Password
Default value is anonymous.
Use the default proxy settings
(configure defaults)
The appliance uses information that you type here or the default
settings from another page. To access the page at any other time,
select System | Appliance Management | Default Server Settings on the navigation
bar.
Proxy server to Proxy Password
If the appliance obtains updates via a proxy server, type the details
here.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Component Management
Option definitions — Configure Automatic Package Updates (Update action)
This information describes the options available on this page.
Option
Definition
Update action
Choose from:
• Update database
• Download
• Download and install
Allow automatic reboot and Allow
automatic services restart
Specifies the action that the appliance will take on receiving the
new software.
Feature packs to Hotfixes
Specifies the type of new software to download.
Option definitions — Configure Updates (Time)
Use this page to schedule automatic configuration backups, and set up scheduled updates to the
detection definitin (DAT) files, anti-spam, and package updates.
System | Component Management | Update Status
System | System Administration | Configuration Management
System | Logging, Alerting and SNMP | System Log Settings
Introduction to Scheduled update settings
You can schedule updates for the following components:
•
Automatic configuration backups
•
Spam rules and anti-spam engine
•
System Log
•
Appliance software updates (HotFixes and
patches)
•
Anti-virus engine and database
McAfee recommends that you update all scanning components on a new appliance using the Update
Now feature, then use the Schedule feature for each component to create regular updates at a time
when traffic is low, such as during the night.
Option
Definition
Hourly to Weekly
Specifies the schedule. If you do not need this feature, select Never.
Next / Finish
Moves to the next page of the wizard , or closes it and applies the settings.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
451
5
Overview of System menu
Setup Wizard
Edit Preferences (Warning Thresholds)
Edit the time before you are warned or alerted about update files being out of date.
Table 5-35 Option definitions
Option
Definition
Parameter You can configure the warning thresholds for the following updates:
• McAfee anti-virus engine
• McAfee anti-virus database
• Spam
• Spam engine
®
If you have installed the additional Commtouch Command anti-virus engine, the following
rows will appear:
• Commtouch Command anti-virus engine
®
• Commtouch Command anti-virus database
®
Warn After Specify the time between the last update and when an amber warning is shown within the
Dashboard.
Alert After Specify the time between the last update and when a red "critical level" alert is shown
within the Dashboard.
Setup Wizard
The Setup Wizard is available from the user interface to allow you to edit settings that you made in
the configuration console when you first installed the appliance.
System | Setup Wizard
Introducing the Setup Wizard options
The following describe pages that you might see when you complete the Setup Wizard. The options
differ depending on the setup option that you select.
Welcome
Use this page to select the type of installation that you want to follow.
This is the first page of the Setup Wizard. Use this page to select the type of installation you want to
perform.
•
Standard Setup (default) — use this option to set up your device in transparent bridge mode, and
configure it to protect your network. The SMTP protocol is enabled by default. You can choose to
enable scanning of POP3 traffic.
Choosing Standard Setup forces the device to run in transparent bridge mode.
•
452
Custom Setup — use this option to select the operating mode for your device. You can choose to
protect mail traffic using SMTP and POP3 protocols. You should use this if you need to configure
IPv6 and to make other changes to the default configuration.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
Overview of System menu
Setup Wizard
5
•
Restore from a file — (not available from the Configuration Console) use this to set up your device
based on a previously saved configuration. Following the import of the file you will be able to check
the imported settings before finishing the wizard. If the file came from an earlier McAfee Email and
Web Security Appliance, some details are not available.
•
ePolicy Orchestrator Managed Setup — use this to set up your device so that it can be managed by your
ePolicy Orchestrator (McAfee ePO™) server. Only minimal information is needed, as the device will
get most of its configuration information from your ePolicy Orchestrator server.
®
•
Encryption Only Setup — use this option to set up your appliance as a standalone encryption server.
The appliance operates in one of the following modes — transparent bridge, transparent router, or
explicit proxy. The mode affects how you integrate the appliance into your network and how the
appliance handles traffic. You will need to change the mode only if you restructure your network.
Explicit Proxy mode
Use this page to specify the type of installation.
In Explicit Proxy mode, some network devices send traffic to the appliance. The appliance then works as
a proxy, processing traffic on behalf of the devices.
Explicit Proxy mode is best suited to networks where the client devices connect to the appliance
through a single upstream and downstream device. For example, you can configure your network to
have your web cache logically connected on one side of the appliance and a firewall on the other side,
with both physically connected through the LAN1 port. The advantage of this scenario is that you need
to reconfigure only the web cache and firewall. You do not need to reconfigure the clients.
Transparent Router mode
Use this page to specify the type of installation.
In Transparent Router mode, other network devices, such as mail servers, are unaware that the appliance
has intercepted and scanned the email before forwarding it. The appliance's operation is transparent to
the devices.
Transparent Router mode is suitable for networks that have firewall rules, because the firewall still
sees the IP addresses of the clients and can therefore apply the Internet access rules to client traffic.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
453
5
Overview of System menu
Setup Wizard
Transparent Bridge Mode
This information describes the Transparent Bridge appliance operating mode.
In Transparent Bridge mode, other network devices, such as mail servers, are unaware that the appliance
has intercepted and scanned the email before forwarding it. The appliance's operation is transparent to
the devices.
Transparent Bridge mode requires the least configuration. You do not need to reconfigure your clients
or default gateway to send traffic to the appliance. You do not need to update a routing table.
Standard Setup
Use the Standard Setup wizard to set up your appliance in Transparent Bridge mode, and configure it
to protect your network.
The Standard Setup wizard consists of the following pages:
Contents
Benefits of the Standard Setup wizard
Email Configuration page (Standard Setup)
Basic Settings page (Standard Setup)
Summary page (Standard Setup)
Benefits of the Standard Setup wizard
This information describes the benefits to setting up an appliance using the Standard Setup wizard.
Standard Setup enables you to quickly set up your McAfee Email Gateway using the most common
options.
Use this option to set up your device in transparent bridge mode, and configure it to protect your
network. The SMTP protocol is enabled by default. You can choose to enable scanning of POP3 traffic.
Choosing Standard Setup forces the device to run in transparent bridge mode.
Email Configuration page (Standard Setup)
This information describes the options available on this page.
454
Option
Definition
Enable protection
against Potentially
Unwanted Programs
Click to activate protection against Potentially Unwanted Programs. Read the
advice from McAfee about the effects that activating this protection can have.
Enable URL Reputation
checking
Click to activate Global Threat Intelligence scanning of URLs embedded in
messages.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Setup Wizard
Option
Definition
Use McAfee Email
Protection (Hybrid) to
process inbound email
Click to activate hybrid email protection, with McAfee Email Protection (Hybrid)
scanning your inbound email traffic.
After enabling McAfee Email Protection (Hybrid), the configuration pages for this
service are displayed automatically when you next log into the user interface.
Enable Graymail
Protection
Click to enable protection from messages (such as email newsletters) that some
users want, but that others might prefer to block.
When selected, the Graymail dictionary is added to the Anti-Spam Terms list, found
in Email | Email Policies | Spam | Spam Terms.
To view the terms within the Graymail dictionary, select this dictionary from Email
| DLP and Dictionaries | Compliance Dictionaries.
Enable McAfee Global
Threat Intelligence
feedback
Select this option to enable McAfee Global Threat feedback.
Local relay domain
Enter both the IP address and netmask for your local relay domain.
Click What is this? to read about how the feedback is used, and view the McAfee
Privacy Policy.
Ensure that you define your local domains, as well as the domains from which
you want to permit email relaying, and that you want to deny email relaying.
Defining a domain as a Permitted domain ensures that email traffic from that domain
is always allowed to be relayed.
Basic Settings page (Standard Setup)
Use this page in the Standard Setup wizard, to specify basic settings for the appliance in transparent
bridge mode.
Option
Definition
Device name
Specifies a name, such as appliance1.
Domain name
Specifies a name, such as domain1.com.
IP address
Specifies an address, such as 198.168.200.10.
The fully qualified domain name (Device name.Domain name) must resolve to this IP
address when the DNS server (specified here) is called. We recommend that this IP
address resolves to the FQDN in a reverse lookup.
Subnet
Specifies a subnet address, such as 255.255.255.0.
Gateway Address
Specifies an address, such as 198.168.10.1. This is likely to be a router or a
firewall. You can test later that the appliance can communicate with this device.
DNS Server IP
Specifies the address of a Domain Name Server that the appliance uses to convert
website addresses to IP addresses. This can be an Active Directory or a Domain
Name Service server. You can test later that the appliance can communicate with
this server.
Mode
Specifies the mode — Transparent Bridge, Transparent Router or Explicit Proxy.
User ID
The scmadmin user is the super administrator. You cannot change or disable this
account and the account cannot be deleted. However, you can add more login
accounts after installation.
Current
Password/New
Password
The original default password is password. Specify the new password. Change the
password as soon as possible to keep your appliance secure.
You must type the new password twice to confirm it.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
455
5
Overview of System menu
Setup Wizard
Option
Definition
Appliance Time zone Specifies the time zone of the appliance. You might need to set this twice each year
if your region observes daylight saving time. The zones are organized from west to
east to cover mid-Pacific, America, Europe, Asia, Africa, India, Japan, and Australia.
Appliance Time
(UTC)
Specifies the date and UTC time for the appliance. To select the date, click the
calendar icon. You can determine the UTC time from websites such as http://
www.worldtimeserver.com.
Set Now
When clicked, applies the date and UTC time that you specified in this row.
Client Time
Displays the time according to the client computer from which your browser is
currently connected to the appliance.
Synchronize
When selected, the time in the Appliance Time (UTC) immediately takes its value from
appliance with client Client Time. You can use this checkbox as an alternative to manual setting of Appliance
Time (UTC). The appliance calculates the UTC time based on the time zone that it
finds on the client's browser.
Ensure that the client computer is aware of any daylight savings adjustments. To
find the setting on Microsoft Windows, right-click the time display in the bottom
right corner of the screen.
NTP server address
To use Network Time Protocol (NTP) , specify the server address.
Alternatively, you can configure NTP later.
Summary page (Standard Setup)
Use this page in the Standard Setup wizard, to review a summary of the settings that you have made
for the network connections and scanning of the network traffic.
To change any value, click its blue link to display the page where you originally typed the value.
After you click Finish, the setup wizard has completed, and the appliance is configured as a transparent
bridge.
Use the IP address shown here to access the interface. For example https://192.168.200.10.
The address begins with https, not http.
When you first log on to the interface, type the user name, admin and the password that you gave on
the Basic Settings page.
Table 5-36 Basic settings
Option Definition
The value is set according to best practice.
The value is probably not correct. Although the value is valid, it is not set according to best
practice. Check the value before continuing.
No value has been set. The value has not been changed from the default. Check the value
before continuing.
456
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Setup Wizard
Custom Setup
Use the Custom Setup Wizard to choose the operating mode when you set up your appliance. You can
also make other choices, such as setting up IPv6 networking.
The Custom Setup Wizard consists of the following pages:
Contents
Benefits of the Custom Setup wizard
Important considerations for the Custom Setup Wizard
Basic Settings page (Custom Setup)
Network Settings page
Cluster Management page
DNS and Routing page
Email Configuration page (Custom Setup)
Time Settings page
Password page
Summary page
Benefits of the Custom Setup wizard
This information describes the benefits of setting up an appliance using the Custom Setup wizard.
Use the Custom Setup to give you greater control in the options that you can select, including the
operating mode for your device.
You can choose to protect mail traffic using SMTP and POP3 protocols. You should use this
configuration option if you need to configure IPv6 and to make other changes to the default
configuration.
Important considerations for the Custom Setup Wizard
This information describes important considerations before you complete the Custom Setup Wizard
Cluster Management
When configuring a group of appliances or McAfee Content Security Blade Servers, the current master
uses a "least used" algorithm to assign connections to the appliances or blades configured to scan
traffic. The scanning appliance or blade that is currently showing the least number of connections, at
that moment in time, is assigned the next connection.
For a cluster of appliances:
•
If you have only a master and a failover appliance, with both configured to scan traffic, the master
will send most connections to the failover appliance for scanning.
•
If you have scanning appliances, and scanning enabled on the master and failover, then the
scanning appliances will receive the most traffic to scan, then the failover, with the master
receiving the least. If you have more than three appliances in a cluster, McAfee recommends that
you do not enable scanning on the master appliance.
You cannot configure the master or the failover blades of the McAfee Content Security Blade Server to
scan traffic.
McAfee recommends that when using your appliance in a cluster environment, you use McAfee
Quarantine Manager to quarantine email messages.
Delivering email
Using the recipient's domain, the appliance uses the following logic to decide how it will deliver
messages:
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
457
5
Overview of System menu
Setup Wizard
•
If the recipient's domain matches those listed in Known Domains and relay hosts, it uses those relays to
deliver the message.
•
If the recipient's domain does not match those listed in Known Domains and relay hosts, it can be
configured to use an MX record lookup to deliver using DNS. If no MX records are available, it
attempts to make the delivery using an A record lookup. MX delivery is attempted to hosts in the
order of priority that is returned by the DNS server.
•
If it cannot deliver using one of the previous methods, it uses fallback relays to make the delivery
(providing the recipient's domain matches those listed in the Fallback relays field).
•
If the domain does not exist, the appliance generates a non-delivery report and sends it to the
originator.
•
If the receiving server cannot accept delivery, or there are no IP addresses to complete the
delivery, the message is queued.
Basic Settings page (Custom Setup)
Use this page when selecting the Custom Setup wizard, to specify basic settings for the appliance.
The appliance tries to provide some information for you, and shows the information highlighted in
amber. To change the information, click and retype.
Option
Definition
Cluster mode
Defines the options that appear on the Cluster Management page of the Setup Wizard.
• Off — This is a standard appliance.
• Cluster Scanner — The appliance receives its scanning workload from a master
appliance.
• Cluster Master — The appliance controls the scanning workload for several other
appliances.
• Cluster Failover — If the master fails, this appliance controls the scanning workload
instead.
Device name
Specifies a name, such as appliance1.
Domain name
Specifies a name, such as domain1.com.
Default Gateway
Specifies an IPv4 address, such as 198.168.10.1. You can test later that the appliance
can communicate with this server.
Next Hop Router
Specifies an IPv6 address, such as FD4A:A1B2:C3D4::1.
This IPv6 address must be a link-local address.
Network Interface Becomes available when you set the Next Hop Router for IPv6.
Network Settings page
Use these options to view and configure the IP address and network speeds for the appliance. You can
use IPv4 and IPv6 addresses, separately or in combination.
To prevent duplication of IP addresses on your network and to deter hackers, give the appliance new
IP addresses, and disable the default IP addresses. The IP addresses must be unique and suitable for
your network. Specify as many IP addresses as you need.
458
Option
Definition
<mode>
The operating mode that you set during installation or in the Setup Wizard
Network Interface 1
Expands to show the IP address and netmask associated with Network Interface
1, the auto-negotiation state, and the size of the MTU.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Setup Wizard
Option
Definition
Network Interface 2
Expands to show the IP address and netmask associated with Network Interface
2, the auto-negotiation state, and the size of the MTU
Change Network
Settings
Click to open the Network Interface Wizard to specify the IP address and adapter
settings for NIC 1 and NIC 2, and change the chosen operating mode.
View Network Interface
Layout
Click to see the <?> associated with LAN1, LAN2, and the out of band interface
Cluster Management page
Use this page to specify cluster management balancing requirements.
Depending on the cluster mode you selected on the Basic Settings page, the options that appear on the
Cluster Management page change.
Cluster Management Configuration (Standard appliance)
Do not use. Cluster management is disabled.
Table 5-37 Cluster Management (Cluster Scanner)
Option
Definition
Cluster identifier If you have more than one cluster or McAfee Content Security Blade Server on the
same subnet, assign each a different Cluster identifier to ensure the clusters do not
conflict.
The allowable range is 0-255.
Cluster Management (Cluster Master)
In explicit proxy mode or transparent router mode, you can enable failover between two appliances in a
cluster by assigning a virtual IP address to this appliance and configuring another appliance as a Cluster
Failover appliance using the same virtual address. In transparent bridge mode, this is achieved by
setting a high STP priority for this appliance and configuring another appliance as a Cluster Failover
appliance with a lower STP priority.
Option
Definition
Cluster identifier
If you have more than one cluster or McAfee Content Security Blade Server
on the same subnet, assign each a different Cluster identifier to ensure the
clusters do not conflict.
The allowable range is 0-255.
Address to use for load
balancing
Specifies the appliance address.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
459
5
Overview of System menu
Setup Wizard
Option
Definition
Cluster identifier
If you have more than one cluster or McAfee Content Security Blade Server on
the same subnet, assign each a different Cluster identifier to ensure the clusters do
not conflict.
The allowable range is 0-255.
Address to use for load
balancing
Specifies the appliance address.
Enable scanning on this
appliance
If not selected, this appliance distributes all scanning workload to the scanning
appliances.
For a cluster of appliances, if you have only a master and a failover appliance,
with both configured to scan traffic, the master will send most connections to
the failover appliance for scanning.
Option definitions — Advanced scanning device settings
Use this area for fine-grained control of attached scanning devices. You can also configure the devices
to share hard disk space for the storage of Secure Web Mail Messages. Devices in a cluster are
identified by their MAC (Media Access Control) addresses. When you add a MAC address to the table
you may opt to disable it, meaning that scanning requests will not be sent to the device, and share
hard disk space.
Table 5-38 Advanced scanning device settings (appliances)
Option
Definition
MAC Address
Specifies the device's Media Access Control (MAC) address as 12 hexadecimal
digits in the format: A1:B2:C3:D4:E5:F6.
Disabled
Select to remove this device from the pool of scanning devices.
Add MAC Address
Click to add the MAC address of a new device.
Manage MAC Addresses Opens the MAC Addresses dialog box that enables you to manage the list of
available MAC addresses.
Table 5-39 Advanced scanning device settings (blade servers)
Option
Definition
MAC Address
Specifies the device's Media Access Control (MAC) address as 12 hexadecimal
digits in the format: A1:B2:C3:D4:E5:F6.
Disabled
Select to remove this device from the pool of scanning devices.
Add MAC Address
Click to add the MAC address of a new device.
Manage MAC Addresses
Opens the MAC Addresses dialog box that enables you to manage the list of
available MAC addresses.
Lock DHCP server to MAC
addresses
Select to prevent the management blade from acknowledging DHCP requests
sent by arbitrary hosts on its network.
If selected, add the MAC addresses of any scanning blades to be added to
your Content security Blade Server to the MAC address table. Failing to do this
will prevent a scanning blade from acquiring the correct IP address.
Although you can add the MAC addresses of management and failover devices to this table, they always
contribute hard disk space for Secure Web Mail messages and cannot be disabled.
460
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Setup Wizard
Table 5-40 Cluster Management (Cluster Failover)
Option
Definition
Address to use for load
balancing
Specifies the appliance address. Provides a list of all subnets assigned to the
appliance.
Cluster identifier
If you have more than one cluster or McAfee Content Security Blade Server
on the same subnet, assign each a different Cluster identifier to ensure the
clusters do not conflict.
The allowable range is 0-255.
Enable scanning on this
appliance
If not selected, this appliance distributes all scanning workload to the
scanning appliances.
For a cluster of appliances, if you have only a master and a failover appliance,
with both configured to scan traffic, the master will send most connections to
the failover appliance for scanning.
Table 5-41 Cluster Management (Cluster Failover)
Option
Definition
Address to use for load balancing Specifies the appliance address. Provides a list of all subnets assigned to
the appliance.
If you have more than one cluster or McAfee Content Security Blade
Server on the same subnet, assign each a different Cluster identifier to
ensure the clusters do not conflict.
Cluster identifier
The allowable range is 0-255.
DNS and Routing page
Use this page to configure the appliance's use of DNS and routes.
Domain Name System (DNS) servers translate or "map" the names of network devices into IP
addresses (and the reverse operation). The appliance sends requests to DNS servers in the order that
they are listed here.
DNS server addresses
Option
Definition
Server Address
Displays the IP addresses of the DNS servers. The first server in the list must be your
fastest or most reliable server. If the first server cannot resolve the request, the
appliance contacts the second server. If no servers in the list can resolve the request,
the appliance forwards the request to the DNS root name servers on the Internet.
If your firewall prevents DNS lookup (typically on port 53), specify the IP address of a
local device that provides name resolution
New Server/
Delete Selected
Servers
Adds a new server to the list, or removes one when, for example, when you need to
decommission a server due to network changes.
Only send
queries to these
servers
Selected by default. McAfee recommends that you leave this option selected because it
might speed up DNS queries as the appliance sends the queries to the specified DNS
servers only. If they don't know the address, they go to the root DNS servers on the
Internet. When they get a reply, the appliance receives it and caches the response so
that other servers that query that DNS server can get an answer more quickly.
If you deselect this option, the appliance first tries to resolve the requests, or might
query DNS servers outside your network.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
461
5
Overview of System menu
Setup Wizard
Routing Settings
Option
Definition
Network Address
Type the network address of the route.
Mask
Specifies how many hosts are on your network, for example, 255.255.255.0.
Gateway
Specifies the IP address of the router used as the next hop out of the network. The
address 0.0.0.0 (IPv4), or :: (IPv6) means that the router has no default gateway.
Metric
Specifies the preference given to the route. A low number indicates a high
preference for that route.
New Route /
Delete Selected
Routes
Add a new route to the table, ore remove routes. Use the arrows to move routes up
and down the list. The routes are chosen based on their metric value.
Enable dynamic
routing
Use this option in transparent router mode only. When enabled, the appliance can:
• receive broadcast routing information received over RIP (default) that it applies its
routing table so you don't have to duplicate routing information on the appliance
that is already present in the network.
• broadcast routing information if static routes have been configured through the
user interface over RIP.
Email Configuration page (Custom Setup)
This information describes the options available on this page.
Initial email configuration
Option
Definition
Enable protection against
Potentially Unwanted
Programs
Click to activate protection against Potentially Unwanted Programs. Read the
advice from McAfee about the effects that activating this protection can have.
Enable URL Reputation
checking
Click to activate Global Threat Intelligence scanning of URLs embedded in
messages.
Use McAfee Email Protection Click to activate hybrid email protection, with McAfee Email Protection
(Hybrid) to process inbound (Hybrid) scanning your inbound email traffic.
email
After enabling McAfee Email Protection (Hybrid), the configuration pages for
this service are displayed automatically when you next log into the user
interface.
Enable Graymail Protection
Click to enable protection from messages (such as email newsletters) that
some users want, but that others might prefer to block.
When selected, the Graymail dictionary is added to the Anti-Spam Terms list,
found in Email | Email Policies | Spam | Spam Terms.
To view the terms within the Graymail dictionary, select this dictionary from
Email | DLP and Dictionaries | Compliance Dictionaries.
Enable McAfee Global Threat Click What is this? to read about how the feedback is used, and view the McAfee
Intelligence feedback
Privacy Policy.
Scan SMTP traffic / Scan
POP3 traffic
Both protocols are selected by default. Deselect a protocol to prevent
scanning occurring.
Option definitions — Domains for which the appliance will accept or refuse email
Use these options to define how the appliance will relay email. After you complete the Setup Wizard,
you can manage the domains from Email | Email Configuration | Receiving Email.
462
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Setup Wizard
Option
Definition
Domain Name/ Displays the domain names, wildcard domain names, network addresses, and MX
Network
lookups from which the appliance will accept or refuse email.
Address/MX
Record
Type
• Domain name — For example, example.com. The appliance uses this to compare the
recipient's email address and compare the connection against an A record lookup.
• Network Address — For example, 192.168.0.2/32 or 192.168.0.0/24. The appliance
uses this to compare the recipient's IP literal email address such as
user@[192.168.0.2], or the connection.
• MX Record Lookup — For example, example.com. The appliance uses this to compare the
connection against an MX record lookup.
• Wildcard domain name — For example, *.example.com. The appliance only uses this
information to compare the recipient's email address.
Category
• Local domain
• Permitted domain
• Denied domain
Ensure that you define your local domains, as well as the domains from which you want to
permit email relaying, and that you want to deny email relaying. Defining a domain as a
Permitted domain ensures that email traffic from that domain is always allowed to be relayed.
Add Domain
Click to specify the domains that can relay messages through the appliance to the
recipient. Choose from:
• Local domain — These are the domains or networks for which email is accepted for
delivery. For convenience, you can import a list of your local domain names using the
Import Lists and Export Lists options. McAfee recommends that you add all domains or
networks that are allowed to relay messages as local domains.
• Permitted domain — Email is accepted. Use permitted domains to manage exceptions.
• Denied domain — Email is refused. Use denied domains to manage exceptions.
Hold your mouse cursor over the field to see the recommended format.
You must set up at least one local domain.
Add MX
Lookup
Click to specify a domain that the appliance will use to identify all mail server IP
addresses from which it will deliver messages.
Delete
Selected
Items
Remove the selected item from the table. You must apply the changes before the item is
completely removed from the appliance configuration.
Option definitions — Domain Routing
Configure hosts that the appliance will use to route email. After you complete the Setup Wizard, you
can manage the domains from Email | Email Configuration | Sending Email.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
463
5
Overview of System menu
Setup Wizard
Option
Definition
Domain name /
Network
Address / MX
Record
Displays a list of domains.
This list allows you to specify specific relays/sets of relays to be used to deliver
messages destined for specific domains. Domains can be identified using exact
matches, or using pattern matches such as *.example.com.
To specify multiple relays for a single domain, separate each with a space.
If the first mail relay is accepting email, all email is delivered to the first relay. If that
relay stops accepting email, subsequent email is delivered to the next relay in the list.
Type
• Domain name — For example, example.com. The appliance uses this to compare the
recipient's email address and compare the connection against an A record lookup.
• Network Address — For example, 192.168.0.2/32 or 192.168.0.0/24. The appliance
uses this to compare the recipient's IP literal email address such as
user@[192.168.0.2], or the connection.
• MX Record Lookup — For example, example.com. The appliance uses this to compare
the connection against an MX record lookup.
• Wildcard domain name — For example, *.example.com. The appliance only uses this
information to compare the recipient's email address.
Category
• Local domain
• Permitted domain
• Denied domain
Add Relay List
Click to populate the Known domains and relay hosts table with a list of host names or IP
addresses for delivery. Delivery will be attempted in the order specified unless you
select the Round-robin the above hosts option, which will distribute the load between the
specified hosts.
Host names/IP addresses may include a port number.
Add MX Lookup
Click to populate the Known domains and relay hosts table with an MX record lookup to
determine the IP addresses for delivery.
Delivery will be attempted to host names returned by the MX lookup in the order of
priority given by the DNS server.
Delete Selected
Items
Remove the selected item from the table. You must apply the changes before the item
is completely removed from the appliance configuration.
Enable DNS
lookup for
domains not
listed above
If selected, the appliance uses DNS to route email for other, unspecified domains. DNS
delivery attempts an MX-record lookup. If there are no MX records, it does an A-record
lookup.
If you deselect this checkbox, the appliance delivers email only to the domains that are
specified under Known domains and relay hosts.
464
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Setup Wizard
Time Settings page
Use this page to set the time and date, and any details for the use of the Network Time Protocol
(NTP).
Option
Definition
Appliance Time
Zone
Specifies the time zone of the appliance. You might need to set this twice each year
if your region observes daylight saving time.
Appliance Time
(UTC)
Specifies the date and UTC time for the appliance. To select the date, click the
calendar icon. You can determine the UTC time from websites such as http://
www.worldtimeserver.com.
Set Now
When clicked, applies the date and UTC time that you specified in this row.
Client Time
Displays the time according to the client computer from which your browser is
currently connected to the appliance.
Synchronize
appliance with
client
When selected, the time in the Appliance Time (UTC) immediately takes its value from
Client Time. You can use this checkbox as an alternative to manual setting of Appliance
Time (UTC). The appliance calculates the UTC time based on the time zone that it finds
on the client's browser.
Ensure that the client computer is aware of any daylight savings adjustments. To find
the setting on Microsoft Windows, right-click the time display in the bottom right
corner of the screen.
Enable NTP
When selected, accepts NTP messages from a specified server or a network
broadcast. NTP synchronizes timekeeping among devices in a network. Some
Internet Service Providers (ISPs) provide a timekeeping service. Because NTP
messages are not sent often, they do not noticeably affect the appliance's
performance.
Enable NTP client
broadcasts
When selected, accepts NTP messages from network broadcasts only. This method
is useful on a busy network but must trust other devices in the network.
When deselected, accepts NTP messages only from servers specified in the list.
NTP Server
Displays the network address or a domain name of one or more NTP servers that
the appliance uses. For example, time.nist.gov.
If you specify several servers, the appliance examines each NTP message in turn to
determine the correct time.
New Server
Type the IP address of a new NTP Server.
Password page
Use this page to specify a password for the appliance.
For a strong password, include letters and numbers. You can type up to 15 characters.
Option Definition
User ID
This is admin. You can add more users later.
Password Specifies the new password. Change the password as soon as possible to keep your
appliance secure.
You must enter the new password twice to confirm it. The original default password is
password.
Summary page
Review a summary of the settings that you have made for the network connections and scanning of
the email traffic.
To change any value, click its blue link to display the page where you originally typed the value.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
465
5
Overview of System menu
Setup Wizard
After you click Finish, the Setup Wizard has completed.
Use the IP address shown here to access the interface. For example https://192.168.200.10. The
address starts with https, not http.
If you have configured your McAfee® Email Gateway to provide Secure Web Mail, then you need to
access the appliance using port 10443. So, using the example above, you would need to enter https://
192.168.200.10:10443.
When you first log on to the interface, type the user name, admin and the password that you gave on
the Password page.
Table 5-42 Basic settings
Option Definition
The value is set according to best practice.
The value is probably not correct. Although the value is valid, it is not set according to best
practice. Check the value before continuing.
No value has been set. The value has not been changed from the default. Check the value
before continuing.
Network Interfaces Wizard
Use the Network Interfaces Wizard to change the chosen operating mode, and specify the IP address
and adapter settings for NIC 1 and NIC 2.
The options you see in the Network Interfaces Wizard depend on the operating mode. On the first
page of the wizard, you can choose to change the operating mode for the appliance. You can change
the settings by clicking Change Network Settings to start a wizard. Click Next to progress through the wizard.
In Explicit Proxy mode, some network devices send traffic to the appliances. The appliance then
works as a proxy, processing traffic on behalf of the devices.
In Transparent Router or Transparent Bridge mode, other network devices, such as mail servers,
are unaware that the appliance has intercepted and scanned the email before forwarding it. The
appliance's operation is transparent to the devices.
If you have a standalone appliance running in transparent bridge mode, you will have the option to add
a bypass device in case the appliance fails.
If the appliance is operating in Transparent Bridge mode, and the Spanning Tree Protocol (STP) is
running on your network, make sure that the appliance is configured according to STP rules.
Additionally, you can set up a bypass device in transparent bridge mode.
To configure your McAfee® Email Gateway Blade Server to failover from the management blade to the
failover management blade, you must specify at least one virtual IP address, shared between the
management and failover management blades.
Network Interfaces Wizard — Explicit Proxy mode
Use the Network Interfaces Wizard to change the chosen operating mode, and specify the IP address
and adapter settings for NIC 1 and NIC 2.
This version of the Network Interfaces Wizard becomes available when you select the Explicit Proxy
mode.
Specify the details for Network Interface 1, then use the Next button to set details for Network Interface
2 as necessary.
466
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Setup Wizard
Network Interface 1 or Network Interface 2 page
Option
Definition
IP Address
Specifies network addresses to enable the appliance to communicate with your
network. You can specify multiple IP addresses for the appliance’s network ports. The
IP address at the top of a list is the primary address. Any IP addresses below it are
aliases.
You must have at least one IP address in both Network Interface 1 and Network
Interface 2. However, you can deselect the Enabled option next to any IP addresses that
you do not wish to listen on.
Network Mask
Specifies the network mask. In IPv4, you can use a format such as 255.255.255.0, or
CIDR notation, such as 24. In IPv6, you must use the prefix length, for example, 64.
Enabled
When selected, the appliance accepts connections on the IP address.
Virtual
When selected, the appliance treats this IP address as a virtual address.
This option only appears in cluster configurations, or on a McAfee Content Security
Blade Server.
New Address/
Delete Selected
Addresses
Add a new address, or remove a selected IP address.
NIC 1 Adapter
Options or NIC
2 Adapter
Options
Expand to set the following options:
• MTU size — specifies the Maximum Transmission Unit (MTU) size. The MTU is the
maximum size (expressed in bytes) of a single unit of data (for example, an
Ethernet Frame) that can be sent over the connection. The default value is 1500
bytes.
• Autonegotiation state — either:
• On — allows the appliance to negotiate the speed and duplex state for
communicating with other network devices.
• Off — allows you to select the speed and duplex state.
• Connection speed — provides a range of speeds. Default value is 100MB.
This value is fixed at 1GB for fiber-connected systems.
• Duplex state — provides duplex states. Default value is Full duplex.
• Enable IPv6 auto-configuration — Select this option to allow the appliance to automatically
configure its IPv6 addresses and IPv6 default next-hop router, by receiving Router
Advertisement messages sent from your IPv6 router.
This option is unavailable by default if your appliance is running in transparent router
mode, or is part of a cluster configuration, or running as part of a Blade Server
installation.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
467
5
Overview of System menu
Setup Wizard
Network Interfaces Wizard — Transparent Router mode
Use the Network Interfaces Wizard to change the chosen operating mode, then specify the IP address
and adapter settings for NIC 1 and NIC 2.
Network Interface 1 or Network Interface 2 pages
Option
Definition
IP Address
Specifies network addresses to enable the appliance to communicate with your
network. You can specify multiple IP addresses for the appliance’s ports. The IP
address at the top of a list is the primary address. Any IP addresses below it are
aliases.
Network Mask
Specifies the network mask, for example: 255.255.255.0. In IPv4, you can use a
format such as 255.255.255.0, or CIDR notation, such as 24. In IPv6, you must use
the prefix length, for example, 64.
Enabled
When selected, the appliance accepts connections on that IP address.
Virtual
When selected, the appliance treats this IP address as a virtual address. This option
only appears in cluster configurations, or on a McAfee Content Security Blade Server.
New Address/
Delete Selected
Addresses
Add a new address, or remove a selected IP address.
NIC 1 Adapter
Options or NIC
2 Adapter
Options
Expand to set the following options:
• MTU size — Specifies the Maximum Transmission Unit (MTU) size. The MTU is the
maximum size (expressed in bytes) of a single unit of data (for example, an
Ethernet Frame) that can be sent over the connection. The default value is 1500
bytes.
• Autonegotiation state — either:
• On — allows the appliance to negotiate the speed and duplex state for
communicating with other network devices.
• Off — allows you to select the speed and duplex state.
• Connection speed — provides a range of speeds. Default value is 100MB.
This value is fixed at 1GB for fiber-connected systems.
• Duplex state — provides duplex states. Default value is Full duplex.
• Enable IPv6 auto-configuration — Select this option to allow the appliance automatically
configure its IPv6 addresses and IPv6 default next-hop router, by receiving Router
Advertisement messages sent from your IPv6 router.
This option is unavailable by default if your appliance is running in transparent router
mode, or is part of a cluster configuration, or running as part of a Blade Server
installation.
• Enable sending IPv6 router advertisements on this interface — When enabled, allows IPv6 router
advertisements to be sent to machines on the sub-net that require a router
response to complete auto-configuration.
Network Interfaces Wizard — Transparent Bridge mode
Use the Network Interfaces Wizard to change the chosen operating mode, and specify the IP address
and adapter settings for NIC 1 and NIC 2.
Specify the details for the Ethernet Bridge, then use the Next button to set details for the Spanning Tree
Protocol and Bypass Device as necessary.
468
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Setup Wizard
Option definitions — Ethernet Bridge page
Option
Definition
Select all
Click to select all the IP addresses.
IP Address
Specifies network addresses to enable the appliance to communicate with your
network. You can specify multiple IP addresses for the appliance’s ports. The IP
addresses are combined into one list for both ports. The IP address at the top of a list
is the primary address. Any IP addresses below it are aliases.
Use the Move links to reposition the addresses as necessary.
Network Mask
Specifies the network mask, for example: 255.255.255.0. In IPv4, you can use a
format such as 255.255.255.0, or CIDR notation, such as 24. In IPv6, you must use
the prefix length, for example, 64.
Enabled
When selected, the appliance accepts connections on that IP address.
New Address/
Delete Selected
Addresses
Add a new address, or remove a selected IP address.
NIC Adapter
Options
Expand to set the following options:
• MTU size — specifies the Maximum Transmission Unit (MTU) size. The MTU is the
maximum size (expressed in bytes) of a single unit of data (for example, an Ethernet
Frame) that can be sent over the connection. The default value is 1500 bytes.
• Autonegotiation state — either:
• On — allows the appliance to negotiate the speed and duplex state for
communicating with other network devices.
• Off — allows you to select the speed and duplex state.
• Connection speed — provides a range of speeds. Default value is 100MB.
This value is fixed at 1GB for fiber-connected systems.
• Duplex state — provides duplex states. Default value is Full duplex.
• Enable IPv6 auto-configuration — select this option to allow the appliance to automatically
configure its IPv6 addresses and IPv6 default next-hop router, by receiving Router
Advertisement messages sent from your IPv6 router.
This option is unavailable by default if your appliance is running in transparent router
mode, or is part of a cluster configuration, or running as part of a Blade Server
installation.
Option definitions — Spanning Tree Protocol Settings page
Option
Definition
Enable STP
STP is enabled by default.
Bridge priority
Sets the priority for the STP bridge. Lower numbers have a higher priority. The
maximum number that you can set is 65535.
Advanced parameters Expand to set the following options. Change the settings only if you understand
the possible effects, or you have consulted an expert:
• Forwarding delay
• Garbage collection interval (seconds)
• Hello interval (seconds)
• Ageing time (seconds)
• Maximum age (seconds)
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
469
5
Overview of System menu
Setup Wizard
Option definitions — Bypass Device Settings page
Option
Definition
The bypass device inherits settings from those you entered in NIC Adapter Options
.
Select bypass device
Choose from two supported devices.
Watchdog timeout
(seconds)
For the bypass device, the time, in seconds, that can elapse before the system
bypasses the appliance.
Heartbeat interval
(seconds)
Set to monitor heartbeat by default.
Advanced parameters This option becomes active when you select a bypass device.
• Mode — choose to monitor the heartbeat or the heartbeat and the link activity.
• Link activity timeout (seconds) — becomes active when you select Monitor heartbeat and link
activity in Mode
• Enable buzzer — enabled by default. If the bypass device fails to detect the
heartbeat signal for the configured Watchdog timeout, the buzzer sounds.
Network Interface Layout
Look at the detail provided regarding the layout of the Network interfaces.
This dialog box shows the current assignments for the network interfaces. Use it to confirm that the
assignments are as you expect.
Table 5-43 Option definitions
Option
Definition
LAN 1
This shows how LAN 1 is described.
LAN 2
This shows how LAN 2 is described.
Out of band interface
This shows how the Out of band interface is described.
Restore from a file Setup
Use the Restore from a file Setup wizard to configure your appliance based on the settings saved from
another appliance.
The Restore from a file Setup wizard consists of the following pages:
Contents
Import Configuration
Values to Restore
Basic Settings page (Custom Setup)
Cluster Management page
DNS and Routing page
Time Settings page
Password page
Summary page
470
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Setup Wizard
Import Configuration
Use this dialog to import the configuration file containing the details that you want to use to configure
your appliance.
Table 5-44 Option definitions
Option
Definition
Browse
Locate the configuration file to use as a basis for your new settings.
The configuration filename is in the format:
config_<date and time stamp>.zip
Values to Restore
Use this dialog to choose the areas of the configuration that you want to restore.
By default, the setup wizard attempts to restore all settings found within the configuration file onto
your appliance.
You can choose not to restore settings in particular areas by deselecting them before continuing with
the installation.
The setup wizard enables you to review and change all setting before you apply then to the appliance.
Table 5-45 Option definitions
Option
Definition
Protocol configuration
Information about the protocols the appliance uses.
This information is always restored.
Network configuration
Information about the IP addresses, host names and other details that are
specific to your appliance and your network.
The reporting configuration Information about how you have configured your Favorite Reports and Scheduled
Reports.
The user preferences
Information about how you have configured user interface options, such as the
Dashboard configuration.
Role-based user accounts
Selecting this re-installs information about the role-based user accounts that
you have set up.
This does not include the passwords for default accounts.
ePO configuration
If the appliance that generated the configuration file was under ePolicy
Orchestrator management, this option applies these ePO configuration
settings.
Basic Settings page (Custom Setup)
Use this page when selecting the Custom Setup wizard, to specify basic settings for the appliance.
The appliance tries to provide some information for you, and shows the information highlighted in
amber. To change the information, click and retype.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
471
5
Overview of System menu
Setup Wizard
Option
Definition
Cluster mode
Defines the options that appear on the Cluster Management page of the Setup Wizard.
• Off — This is a standard appliance.
• Cluster Scanner — The appliance receives its scanning workload from a master
appliance.
• Cluster Master — The appliance controls the scanning workload for several other
appliances.
• Cluster Failover — If the master fails, this appliance controls the scanning workload
instead.
Device name
Specifies a name, such as appliance1.
Domain name
Specifies a name, such as domain1.com.
Default Gateway
Specifies an IPv4 address, such as 198.168.10.1. You can test later that the appliance
can communicate with this server.
Next Hop Router
Specifies an IPv6 address, such as FD4A:A1B2:C3D4::1.
This IPv6 address must be a link-local address.
Network Interface Becomes available when you set the Next Hop Router for IPv6.
Cluster Management page
Use this page to specify cluster management balancing requirements.
Depending on the cluster mode you selected on the Basic Settings page, the options that appear on the
Cluster Management page change.
Cluster Management Configuration (Standard appliance)
Do not use. Cluster management is disabled.
Table 5-46 Cluster Management (Cluster Scanner)
Option
Definition
Cluster identifier If you have more than one cluster or McAfee Content Security Blade Server on the
same subnet, assign each a different Cluster identifier to ensure the clusters do not
conflict.
The allowable range is 0-255.
Cluster Management (Cluster Master)
In explicit proxy mode or transparent router mode, you can enable failover between two appliances in a
cluster by assigning a virtual IP address to this appliance and configuring another appliance as a Cluster
Failover appliance using the same virtual address. In transparent bridge mode, this is achieved by
setting a high STP priority for this appliance and configuring another appliance as a Cluster Failover
appliance with a lower STP priority.
Option
Definition
Cluster identifier
If you have more than one cluster or McAfee Content Security Blade Server
on the same subnet, assign each a different Cluster identifier to ensure the
clusters do not conflict.
The allowable range is 0-255.
Address to use for load
balancing
472
Specifies the appliance address.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Setup Wizard
Option
Definition
Cluster identifier
If you have more than one cluster or McAfee Content Security Blade Server on
the same subnet, assign each a different Cluster identifier to ensure the clusters do
not conflict.
The allowable range is 0-255.
Address to use for load
balancing
Specifies the appliance address.
Enable scanning on this
appliance
If not selected, this appliance distributes all scanning workload to the scanning
appliances.
For a cluster of appliances, if you have only a master and a failover appliance,
with both configured to scan traffic, the master will send most connections to
the failover appliance for scanning.
Option definitions — Advanced scanning device settings
Use this area for fine-grained control of attached scanning devices. You can also configure the devices
to share hard disk space for the storage of Secure Web Mail Messages. Devices in a cluster are
identified by their MAC (Media Access Control) addresses. When you add a MAC address to the table
you may opt to disable it, meaning that scanning requests will not be sent to the device, and share
hard disk space.
Table 5-47 Advanced scanning device settings (appliances)
Option
Definition
MAC Address
Specifies the device's Media Access Control (MAC) address as 12 hexadecimal
digits in the format: A1:B2:C3:D4:E5:F6.
Disabled
Select to remove this device from the pool of scanning devices.
Add MAC Address
Click to add the MAC address of a new device.
Manage MAC Addresses Opens the MAC Addresses dialog box that enables you to manage the list of
available MAC addresses.
Table 5-48 Advanced scanning device settings (blade servers)
Option
Definition
MAC Address
Specifies the device's Media Access Control (MAC) address as 12 hexadecimal
digits in the format: A1:B2:C3:D4:E5:F6.
Disabled
Select to remove this device from the pool of scanning devices.
Add MAC Address
Click to add the MAC address of a new device.
Manage MAC Addresses
Opens the MAC Addresses dialog box that enables you to manage the list of
available MAC addresses.
Lock DHCP server to MAC
addresses
Select to prevent the management blade from acknowledging DHCP requests
sent by arbitrary hosts on its network.
If selected, add the MAC addresses of any scanning blades to be added to
your Content security Blade Server to the MAC address table. Failing to do this
will prevent a scanning blade from acquiring the correct IP address.
Although you can add the MAC addresses of management and failover devices to this table, they always
contribute hard disk space for Secure Web Mail messages and cannot be disabled.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
473
5
Overview of System menu
Setup Wizard
Table 5-49 Cluster Management (Cluster Failover)
Option
Definition
Address to use for load
balancing
Specifies the appliance address. Provides a list of all subnets assigned to the
appliance.
Cluster identifier
If you have more than one cluster or McAfee Content Security Blade Server
on the same subnet, assign each a different Cluster identifier to ensure the
clusters do not conflict.
The allowable range is 0-255.
Enable scanning on this
appliance
If not selected, this appliance distributes all scanning workload to the
scanning appliances.
For a cluster of appliances, if you have only a master and a failover appliance,
with both configured to scan traffic, the master will send most connections to
the failover appliance for scanning.
Table 5-50 Cluster Management (Cluster Failover)
Option
Definition
Address to use for load balancing Specifies the appliance address. Provides a list of all subnets assigned to
the appliance.
If you have more than one cluster or McAfee Content Security Blade
Server on the same subnet, assign each a different Cluster identifier to
ensure the clusters do not conflict.
Cluster identifier
The allowable range is 0-255.
DNS and Routing page
Use this page to configure the appliance's use of DNS and routes.
Domain Name System (DNS) servers translate or "map" the names of network devices into IP
addresses (and the reverse operation). The appliance sends requests to DNS servers in the order that
they are listed here.
DNS server addresses
Option
Definition
Server Address
Displays the IP addresses of the DNS servers. The first server in the list must be your
fastest or most reliable server. If the first server cannot resolve the request, the
appliance contacts the second server. If no servers in the list can resolve the request,
the appliance forwards the request to the DNS root name servers on the Internet.
If your firewall prevents DNS lookup (typically on port 53), specify the IP address of a
local device that provides name resolution
New Server/
Delete Selected
Servers
Adds a new server to the list, or removes one when, for example, when you need to
decommission a server due to network changes.
Only send
queries to these
servers
Selected by default. McAfee recommends that you leave this option selected because it
might speed up DNS queries as the appliance sends the queries to the specified DNS
servers only. If they don't know the address, they go to the root DNS servers on the
Internet. When they get a reply, the appliance receives it and caches the response so
that other servers that query that DNS server can get an answer more quickly.
If you deselect this option, the appliance first tries to resolve the requests, or might
query DNS servers outside your network.
474
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Setup Wizard
Routing Settings
Option
Definition
Network Address
Type the network address of the route.
Mask
Specifies how many hosts are on your network, for example, 255.255.255.0.
Gateway
Specifies the IP address of the router used as the next hop out of the network. The
address 0.0.0.0 (IPv4), or :: (IPv6) means that the router has no default gateway.
Metric
Specifies the preference given to the route. A low number indicates a high
preference for that route.
New Route /
Delete Selected
Routes
Add a new route to the table, ore remove routes. Use the arrows to move routes up
and down the list. The routes are chosen based on their metric value.
Enable dynamic
routing
Use this option in transparent router mode only. When enabled, the appliance can:
• receive broadcast routing information received over RIP (default) that it applies its
routing table so you don't have to duplicate routing information on the appliance
that is already present in the network.
• broadcast routing information if static routes have been configured through the
user interface over RIP.
Time Settings page
Use this page to set the time and date, and any details for the use of the Network Time Protocol
(NTP).
Option
Definition
Appliance Time
Zone
Specifies the time zone of the appliance. You might need to set this twice each year
if your region observes daylight saving time.
Appliance Time
(UTC)
Specifies the date and UTC time for the appliance. To select the date, click the
calendar icon. You can determine the UTC time from websites such as http://
www.worldtimeserver.com.
Set Now
When clicked, applies the date and UTC time that you specified in this row.
Client Time
Displays the time according to the client computer from which your browser is
currently connected to the appliance.
Synchronize
appliance with
client
When selected, the time in the Appliance Time (UTC) immediately takes its value from
Client Time. You can use this checkbox as an alternative to manual setting of Appliance
Time (UTC). The appliance calculates the UTC time based on the time zone that it finds
on the client's browser.
Ensure that the client computer is aware of any daylight savings adjustments. To find
the setting on Microsoft Windows, right-click the time display in the bottom right
corner of the screen.
Enable NTP
When selected, accepts NTP messages from a specified server or a network
broadcast. NTP synchronizes timekeeping among devices in a network. Some
Internet Service Providers (ISPs) provide a timekeeping service. Because NTP
messages are not sent often, they do not noticeably affect the appliance's
performance.
Enable NTP client
broadcasts
When selected, accepts NTP messages from network broadcasts only. This method
is useful on a busy network but must trust other devices in the network.
When deselected, accepts NTP messages only from servers specified in the list.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
475
5
Overview of System menu
Setup Wizard
Option
Definition
NTP Server
Displays the network address or a domain name of one or more NTP servers that
the appliance uses. For example, time.nist.gov.
If you specify several servers, the appliance examines each NTP message in turn to
determine the correct time.
Type the IP address of a new NTP Server.
New Server
Password page
Use this page to specify a password for the appliance.
For a strong password, include letters and numbers. You can type up to 15 characters.
Option Definition
User ID
This is admin. You can add more users later.
Password Specifies the new password. Change the password as soon as possible to keep your
appliance secure.
You must enter the new password twice to confirm it. The original default password is
password.
Summary page
Review a summary of the settings that you have made for the network connections and scanning of
the email traffic.
To change any value, click its blue link to display the page where you originally typed the value.
After you click Finish, the Setup Wizard has completed.
Use the IP address shown here to access the interface. For example https://192.168.200.10. The
address starts with https, not http.
If you have configured your McAfee® Email Gateway to provide Secure Web Mail, then you need to
access the appliance using port 10443. So, using the example above, you would need to enter https://
192.168.200.10:10443.
When you first log on to the interface, type the user name, admin and the password that you gave on
the Password page.
Table 5-51 Basic settings
Option Definition
The value is set according to best practice.
The value is probably not correct. Although the value is valid, it is not set according to best
practice. Check the value before continuing.
No value has been set. The value has not been changed from the default. Check the value
before continuing.
ePO Managed Setup
Use the ePO Managed Setup wizard to configure your appliance so that it can be managed from your
ePolicy Orchestrator server.
The ePO Managed Setup wizard consists of the following pages:
Contents
Settings for ePolicy Orchestrator Management
476
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Setup Wizard
Basic Settings page (ePolicy Orchestrator Managed Setup)
Network Settings page
Cluster Management page (ePolicy Orchestrator Managed Setup)
DNS and Routing page
Time Settings page
Password page
Summary — ePolicy Orchestrator Managed Setup
Settings for ePolicy Orchestrator Management
Select ePolicy Orchestrator Managed Setup within the Setup Wizard to configure your appliance for
management by McAfee ePolicy Orchestrator.
Option
Definition
ePO Extensions Download the McAfee ePolicy Orchestrator extensions for McAfee Gateway products,
including McAfee Email Gateway.
The file MEGv7.x_ePOextensions.zip contains both the EWG and the MEG McAfee
ePolicy Orchestrator extensions.
The EWG extension allows reporting from within McAfee ePolicy Orchestrator for the
following products:
• McAfee Email and Web Security appliances
• McAfee Web Gateway appliances
• McAfee Email Gateway appliances
The MEG Extension provides full McAfee ePolicy Orchestrator management for McAfee
Email Gateway versions 7.0 onwards.
For you to use McAfee ePolicy Orchestrator for either reporting or management, the
McAfee ePolicy Orchestrator Extensions need to be installed on your McAfee ePolicy
Orchestrator server.
ePO Help
Extensions
Download the McAfee ePolicy Orchestrator help extensions.
The file MEGv7.x_ePOhelpextensions.zip contains the online help information for the
above McAfee ePolicy Orchestrator Extensions.
This file installs the help extensions relating to the McAfee ePolicy Orchestrator
extensions for McAfee Email and Web Gateway and McAfee Email Gateway appliances
onto your McAfee ePolicy Orchestratorserver.
Import ePO
connection
settings
Click to browse to the McAfee ePolicy Orchestrator connection settings file, to import
the McAfee ePolicy Orchestrator connection information into the appliance.
Task — Configure the appliance to work with ePolicy Orchestrator
Use this task to set up the appliance to be managed by ePolicy Orchestrator:
1
From your McAfee Email Gateway, on Settings for ePO Management, select ePO Extensions and click Save to
download the extension file.
2
From your McAfee Email Gateway, on Settings for ePO Management, select ePO Help Extensions and click Save
to download the help extension file.
3
On your McAfee ePolicy Orchestrator server, install these extensions using Menu | Software | Extensions
| Install Extensions.
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
477
5
Overview of System menu
Setup Wizard
4
On the McAfee ePolicy Orchestrator server, save the connections settings from Menu | Gateway
Protection | Email and Web Gateway | Actions | Export Connection Settings.
5
On the McAfee Email Gateway, return to the Settings for ePO Management page in the Setup Wizard, and
click Import ePO connection settings. Browse to the McAfee ePolicy Orchestrator connections settings file.
6
Click Next to continue to the Basic Settings page in the Setup Wizard.
Basic Settings page (ePolicy Orchestrator Managed Setup)
Use this page to configure the basic settings for the appliance that will be managed by ePolicy
Orchestrator.
Option
Definition
Cluster mode
The options are:
• Off (Standard appliance)
• Cluster scanner
• Cluster Master
• Cluster failover
Device Name
Specifies a name, such as appliance1.
Domain Name
Specifies a name, such as domain1.com.
Default Gateway (IPv4) Specifies an IPv4 address, such as 198.168.10.1. You can test later that the
appliance can communicate with this server.
Next Hop Router (IPv6) Specifies an IPv6 address, such as FD4A:A1B2:C3D4::1.
Network Interface
Becomes available when you set the Next Hop Router for IPv6.
Network Settings page
Use these options to view and configure the IP address and network speeds for the appliance. You can
use IPv4 and IPv6 addresses, separately or in combination.
To prevent duplication of IP addresses on your network and to deter hackers, give the appliance new
IP addresses, and disable the default IP addresses. The IP addresses must be unique and suitable for
your network. Specify as many IP addresses as you need.
Option
Definition
<mode>
The operating mode that you set during installation or in the Setup Wizard
Network Interface 1
Expands to show the IP address and netmask associated with Network Interface
1, the auto-negotiation state, and the size of the MTU.
Network Interface 2
Expands to show the IP address and netmask associated with Network Interface
2, the auto-negotiation state, and the size of the MTU
Change Network
Settings
Click to open the Network Interface Wizard to specify the IP address and adapter
settings for NIC 1 and NIC 2, and change the chosen operating mode.
View Network Interface
Layout
Click to see the <?> associated with LAN1, LAN2, and the out of band interface
Cluster Management page (ePolicy Orchestrator Managed Setup)
Use this page to specify load-balancing requirements that apply to ePolicy Orchestrator Managed
appliances.
Cluster Management Configuration (Standard appliance)
Do not use this page. Cluster management is disabled.
478
McAfee® Email Gateway 7.6.0 Appliances
Administrators Guide
5
Overview of System menu
Setup Wizard
Cluster Management (Cluster Scanner)
Use this page to specify information for a scanning appliance.
Option
Definition
Cluster identifier
Specifies an identifier. Range is 0-255.
Cluster Management (Cluster Master)
Use this page to specify information for a master appliance.
Option
Definition
Address to use for load balancing Specifies the appliance address.
Specifies an identifier. Range is 0-255.
Cluster identifier
Enable scanning on this appliance If not selected, this appliance distributes all scanning workload to the
scanning appliances.
Cluster Management (Cluster Failover)
Use this page to specify information for a failover appliance.
Option
Definition
Address to use for load balancing Specifies the appliance address. Provides a list of all subnets assigned to
the appliance.
Specifies an identifier. Range is 0-255.
Cluster identifier
Enable scanning on this appliance If not selected, this appliance distributes all scanning workload to the
scanning appliances.
DNS and Routing page
Use this page to configure the appliance's use of DNS and routes.
Domain Name System (DNS) servers translate or "map" the names of network devices into IP
addresses (and the reverse operation). The appliance sends requests to DNS servers in the order that
they are listed here.
DNS server addresses
Option
Definition
Server Address
Displays the IP addresses of the DNS servers. The first server in the list must be your
fastest or most reliable server. If the first server cannot resolve the request, the
appliance contacts the second server. If no servers in the list can resolve the request,
the appliance forwards the request to the DNS root name servers on the Internet.
If your firewall prevents DNS lookup (typically on port 53), specify the IP address of a
local device that provides name resolution
New Server/
Delete Selected
Servers
Adds a new server to the list, or removes one when, for example, when you need to
decommission a server due to network changes.
Only send
queries to t
Descargar