eTrust Secure Content Manager Implementation Guide r8
This documentation and related computer software program (hereinafter referred to as the "Documentation") is for the end user's informational purposes only and is subject to change or withdrawal by Computer Associates International, Inc. ("CA") at any time. This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, without the prior written consent of CA. This documentation is proprietary information of CA and protected by the copyright laws of the United States and international treaties. Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for their own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of the license for the software are permitted to have access to such copies. This right to print copies is limited to the period during which the license for the product remains in full force and effect. Should the license terminate for any reason, it shall be the user's responsibility to return to CA the reproduced copies or to certify to CA that same have been destroyed. To the extent permitted by applicable law, CA provides this documentation "as is" without warranty of any kind, including without limitation, any implied warranties of merchantability, fitness for a particular purpose or noninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct or indirect, from the use of this documentation, including without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised of such loss or damage. The use of any product referenced in this documentation and this documentation is governed by the end user's applicable license agreement.

The manufacturer of this documentation is Computer Associates International, Inc. Provided with "Restricted Rights" as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or DFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions. © 2005 Computer Associates International, Inc. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Contents

Chapter 1: Introduction
  Distinctive Features and Functionality
    Comprehensive Protection
    Email Anti-Spam and Content Security Filtering
    Web Content Security and URL Filtering
    Phishing and Spyware Prevention
    Antivirus Protection
    Data Confidentiality Monitoring
    Malicious Mobile Code Defense
    Easy Administration
    Real-time User Self-Management
    Comprehensive Reporting
    Extensive Automated Actions and Alerts
  Complete Content Management
    Email Content Management
    Web Content Management
  The Purpose of This Guide
  Related Documentation

Chapter 2: Implementation Planning
  Security Considerations
    Establishing Security Guidelines
    Establishing an Incident Response Plan
    Assessing Your Security Level
  Email and Email Server Considerations
    Email Delivery
    Email Traffic Direction Rules
    Domain Route List
  Web Considerations
    DNS Considerations
    Chaining Proxy Servers
  Firewall Considerations
    Installing on the Intranet Side
    Installing on the Internet Side
  Network Considerations
  Content Filtering and Network Load
  Authentication Method Considerations
    NTLM Basics
    How NTLM Works
    NTLM Considerations and Recommendations
  Completing the Pre-installation Checklist
    Pre-installation Checklist
    Determine an Installation Scenario
  Upgrading from a Previous Release
    Known Upgrade Issues

Chapter 3: Installing eTrust SCM
  Installation Steps
    Choose a Language, Read the Terms and Conditions, and Provide User, Drive, and Location Information
    Option 1 - The SMB Scenario
    Option 2 - Enterprise Scenario
    HTTP / SMTP Server Ports
    Email Notification
    SMTP Relay Configuration
    Fully Qualified Domain
    Traffic Direction Classification
    Select Database
    eTrust Embedded IAM Server
    Complete the Installation
  Licensing and Registering eTrust SCM
  Testing the Installation
  Installing Individual Components Only

Chapter 4: Configuring Your Implementation
  The Manager Console
    Starting the Manager Console
    Checking and Adjusting Manager Console Settings
  Configuring Initial Filtering Settings
    Local Settings
    Enterprise Settings
  Configuring eTrust Embedded IAM
    Starting the Embedded IAM Utility
    Setting Global Users and Global Group Settings
    Managing Roles Using eTrust Embedded Identity and Access Management
  Configuring eTrust SCM With Your Email Server
    Installation on a Dedicated Computer
    How to Configure eTrust SCM on a Dedicated Computer
    Installing on the Mail Server Computer
  Configuring the Browser Proxy
    Configuring a Browser for Manual Proxy

Chapter 5: Implementation Modes
  Phase 1 - Alert Mode
  Phase 2 - Notification Mode
  Phase 3 - User Self Management Mode
  Phase 4 - Blocking Mode

Chapter 6: Troubleshooting the eTrust SCM Installation
  Correct an Incomplete DNS Configuration
  Prevent Loop-back Problems
  Manager Console or Quarantine Manager Terminates Suddenly
  Verify Firewall Ports Are Open
  eTrust InoculateIT or eTrust Antivirus Conflicts with Antivirus Realtime Scanner
  Outgoing SMTP Rules Are Also Applied to Incoming Emails
  Unblock a Website

Appendix A: ADCP Authentication
  The ADCP Agent
    ADCP DSA
    ADCP RAS/RRAS Universal Source Agent
    ADCP USA
    Installing the ADCP Agent
  The ADCP Distributed Source Client
    Adding DistClient.exe As a Logon Script
    Adding DistClient.exe As a Logoff Script
    Installing the ADCP Distributed Source Client

Appendix B: Installing and Configuring Microsoft SQL Server
  Prerequisites
  Creating the Quarantine and Reports Databases
  Creating an SQL User and Associating It with the Databases

Glossary

Index

Chapter 1: Introduction

The scope and complexity of IT security has greatly increased in recent years.
Global organizations now depend heavily upon the Internet, intranets and their network infrastructures to effectively conduct business, so maintaining the security and integrity of the data shared across these environments is crucial. The proliferation and diversity of the content entering the workplace, however, is changing today's enterprise security requirements. Unfortunately, it is now easier than ever for spam, spyware, phishing attacks, viruses, and malicious mobile code to plague and potentially cause harm to an enterprise.

eTrust™ Secure Content Manager (eTrust SCM) from Computer Associates International, Inc. (CA) is the first truly multifaceted solution for enterprise security, geared to the content revolution. It is a highly scalable, business-driven, integrated solution that ties content management and security functions together to resolve and manage virtually every security issue facing an enterprise today. It addresses the increasing complexity of the content security challenge, as well as the emergence of new threats such as spyware and phishing attacks, which require a more comprehensive security solution. eTrust SCM builds on the strengths of CA's award-winning antivirus technology while taking content security to the next level, offering the best all-around protection for corporate networks.

eTrust SCM provides enterprise policy-based content security filtering of Simple Mail Transfer Protocol (SMTP), Hypertext Transfer Protocol (HTTP), and File Transfer Protocol (FTP) content. eTrust SCM helps prevent virus infections, spam, browsing of inappropriate or non-productive sites, access to spyware or phishing websites, confidentiality breaches, mobile code threats and computer resource abuse.

In the event of a policy violation, eTrust SCM can respond automatically with a wide range of customized actions:

- Conventional content management actions such as logging, blocking, alerting, and curing
- Actions that work together with other applications such as eTrust Security Command Center and Unicenter
- Spam prevention actions such as quarantining, parking (to perhaps delay emailing large messages until off-peak hours), denying, user management of quarantined email and adding disclaimers to email for protection against legal liability

The integrated Log Viewer and Reporter tools provide a sophisticated level of real-time statistics analysis of email and web traffic.

Distinctive Features and Functionality

eTrust SCM provides a rich set of tools and functionality to provide comprehensive security for your enterprise.

Comprehensive Protection

eTrust SCM provides intelligent, customizable, policy-driven email (SMTP) and Web (HTTP, FTP) traffic scanning to meet your business needs and address virtually every content threat.

- Integrated Management Console. Enables you to monitor all content threats, whether from email or the Web.

Email Anti-Spam and Content Security Filtering

eTrust SCM protects against unwanted, unsolicited, and inappropriate email, increasing business productivity and network bandwidth.

- Comprehensive Email Filtering. eTrust SCM uses a multilayered approach to differentiate between spam and valid email, providing a high spam detection rate and a low rate of email falsely identified as spam. The solution includes sender reputation, Bayesian analysis, embedded URL filtering, and malformed email detection that help protect you from unwanted email, while improving business productivity.
- Automatic Spam Updates. To protect you against the latest threats, eTrust SCM provides automatic spam updates.
- Incoming and Outgoing Email Traffic Filtering. All email is scanned using the policies and rules you define to match your business requirements.

Web Content Security and URL Filtering

eTrust SCM screens outgoing traffic and URL addresses for business-appropriate websites based on the business rules your company defines.

- Reduced Liabilities. Policy-based URL filtering reduces the risk of legal liability should an employee visit an inappropriate website.
- Reduced Costs. eTrust SCM improves business productivity and increases network bandwidth by minimizing non-productive web surfing and file downloads during business hours.

Phishing and Spyware Prevention

eTrust SCM provides an added layer of security by preventing employees from unknowingly accessing known phishing or spyware sites.

- Reduced Risks. eTrust SCM provides proactive protection against phishing and spyware-infested Web sites, ensuring that your confidential business information stays private and your systems run efficiently.
- Reduced Costs. Spyware programs can clog your PCs and slow down your network, resulting in increased help desk calls. eTrust SCM protects against spyware, enabling your IT department to focus on strategic business initiatives.

Antivirus Protection

eTrust SCM builds on and includes CA's award-winning perimeter antivirus protection.

- Reduced Costs. eTrust SCM scans for viruses at the gateway before they can enter your network and cause costly damage and downtime.
- Easy Administration. Automated signature downloads for the gateway complement your existing desktop antivirus protection and provide another layer of security.

Data Confidentiality Monitoring

eTrust SCM screens outgoing email according to your policies and rules in order to help prevent loss of confidential data.

- Reduced Information Leaks. eTrust SCM helps safeguard against the transmission of proprietary, controlled or company-confidential information outside your organization. In addition to email, you can filter content in Microsoft Word and Adobe PDF attachments.
- Improved Regulatory Compliance. eTrust SCM helps you comply with government laws and regulations, such as the Child Internet Protection Act (CIPA), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA) and California's SB 1386, which mandates that certain pieces of personal information be proactively protected from misuse or even suspected compromise.
- Reduced Penalties and Reputation Safeguarded. eTrust SCM helps reduce the risk of costly penalties and possible consumer lawsuits for failure to implement the necessary protections and policies. In addition, it safeguards against serious damage to your organization's reputation and profitability.

Malicious Mobile Code Defense

eTrust SCM intelligently screens incoming traffic to proactively protect users against malicious mobile code.

- Proactive Protection. eTrust SCM protects against both known and unknown threats as well as a variety of active code attacks, such as those based on Java, ActiveX and VBScript, that can automatically execute when visiting certain websites or using email.
- Easy Implementation. eTrust SCM Gateway scans for malicious active code using predefined threat levels (low, medium and high), simplifying administration.

Easy Administration

eTrust SCM is an integrated, comprehensive content solution that enables you to address all email and Web content threats and manage them remotely, for complete control over your content protection, enterprise-wide.

- Easy Implementation. Implementing one integrated solution to address all email and Web content threats instead of implementing multiple point solutions considerably eases the workload required.
- Flexible Deployment. eTrust SCM is a fully integrated, yet completely modular solution, enabling you to select the right level of security to meet your organization's unique business requirements.
- Reduced Management Overhead. eTrust SCM provides central policy management, which allows you to write a keyword policy for an email filter and to reuse it in a filter for website content.

Real-time User Self-Management

This function allows your users to access their quarantined email via a Web-based interface and add senders to their personal allow or deny lists.

- False Positive Reduction. eTrust SCM helps reduce the incidence of false positive matches on spam by allowing end users to manage their quarantined email.

Comprehensive Reporting

eTrust SCM provides over 30 predefined reports on email and Web filtering activities, and custom reports can be created from them and saved.

Extensive Automated Actions and Alerts

Automated, customizable actions, such as block and quarantine, can be defined for each policy so that there is an immediate response when an object matches the policy criteria. If you attempt to access an inappropriate website, the URL can be immediately blocked and an email can be automatically generated to the network administrator.

Complete Content Management

eTrust SCM provides comprehensive email content management and web content management as described in the topics that follow.

Email Content Management

The SMTP Content Filtering engine includes the following features:

- Spam prevention based on eTrust SCM's Advanced Spam Filter
- Spam prevention based on Realtime Blackhole List (RBL) providers
- Spam prevention based on embedded web links (URL Filtering)
- Aggressive RBL checking, where the engine looks for spam servers in the email header
- Spam prevention based on regular expression string search in the email body, header, and attachments
- Spam prevention based on an internal deny list for mail servers, relays, email users and domains for a configurable time
- Spam prevention based on a pre-defined spam dictionary
- Allow lists for trusted mail servers, relays, email users and domains for a configurable time
- Profanity prevention
- User self management for users to manage and control their personal quarantine folder and for tuning private email lists
- An industrial-strength antivirus scanning engine with the ability to cure and strip infected attachments
- Hoax virus detection based on a keyword regular-expression dictionary
- Extraction of compressed attachments
- Logging of email activities and content
- Attachment type recognition based on attachment extension or content
- Attachment size identification with larger, smaller, between, and exact settings
- Attachment file type identification
- Attachment ID number identification
- Attachment file name identification
- Attachment keyword scan for MS Word and Adobe PDF
- Attachment scan for binary patterns
- Partial message detection
- PGP and S/MIME encrypted message detection
- Disclaimer message additions
- Large message delay or parking until off-peak hours
- Email quarantines
- DoS prevention for compressed attachments and nested emails
- A wide range of actions, including adding to a deny list, fax, pager, and email
- Long subject or attachment detection and prevention
- Spam detection and prevention based on LDAP, for avoiding the acceptance of incoming emails intended for invalid recipients and limiting the number of invalid recipients on a single SMTP session

Web Content Management

The HTTP/FTP content filtering engine and the URL categories filtering feature include the following web content filtering capabilities:

- URL category detection with more than 60 predefined categories and 10 user-defined categories
- Match URL detection
- Dynamic mobile code engine for threat prevention and digital certificate verification of signed objects
- Industrial-strength antivirus scanning engine
- Integration with the ADCP module
- NTLM authentication support
- Download logging and logging of other activities
- File type recognition based on file extension or file content
- Regular expression keyword search in the HTML body, title, and downloads
- Compressed type extraction
- File size identification with larger, smaller, between, and exact settings
- File type identification
- File name identification
- DoS prevention for compressed types
- Token-based customizable notification of HTML pages upon rule violation
- A wide range of actions, including fax, pager, and email
- Automatic detection of proxy settings (using a PAC file)

The Purpose of This Guide

This guide describes how to implement eTrust SCM. It is designed to help you plan, install, and make post-installation configuration changes to eTrust SCM to meet your needs.

Related Documentation

For more information, see the following related documentation:

- The eTrust SCM Administrator Guide provides information about maintaining eTrust SCM in your enterprise.
- The eTrust SCM online help system provides useful task-related information for using eTrust SCM.

Chapter 2: Implementation Planning

eTrust SCM provides content security filtering for SMTP and HTTP/FTP data. eTrust SCM also provides central management of SMTP policies, HTTP/FTP policies, and remote management of eTrust SCM servers.
Before you start planning the implementation, thoroughly review the concepts and other useful information in this chapter.

Security Considerations

Planning an eTrust SCM installation requires a review of your organization's structure, policies and procedures, and security goals.

Establishing Security Guidelines

A security policy is a living document. You will revise it as necessary due to changes in applicable laws, regulatory requirements, industry guidelines, and company practices. The steps for establishing a security policy include:

1. Determine expectations. Clearly document your expectations for appropriate and authorized use in a concise and understandable fashion.
2. Review acceptable risks. Evaluate which assets are the most important to protect and what the costs involved are.
3. Study the existing infrastructure. Study your infrastructure to determine the type of policies you need in place and create an Incident Response Plan.
4. Document the procedure and the policy. Acceptable Use Policies (AUP) are one of the many basic and easily understood standardized policies that must be in effect in your organization for audit and enforcement purposes.
5. Test the procedure and the policy. After you have determined the components of your company's security policy, you must test the policy in an Incident Response Plan. One of the most effective methods for testing a network is to violate the security policy to determine if the network is protected.
6. Secure host servers. Secure all host servers in order to secure the perimeter of your network.
7. Enforce the security policy. Enforce the security policy by clearly defining your strategy. Consider setting up a response team and determining the responsibilities of each member of the team. Also, define which members should be notified when security is breached. As a precaution, deploy technology to aid in compliance and the detection of violations. You should also create guidelines on how to act on noncompliance and/or violations.
8. Inform your staff. Create awareness of any new and existing policies for all levels of employees. Employees need to be aware of your company's Acceptable Use Policy. Security awareness is an important part of enforcing the policy. When training employees on spam avoidance, ensure that they know the following:
   - Never reply to spam. If you reply to spam, you are validating your email address to the spammer and they may pass it on to other spammers.
   - Avoid placing your e-mail address on public websites. One of the ways that spammers gather e-mail addresses is by going through message boards, chatrooms, and online directories.
   - Do not purchase any product from a spammer. Doing so supports their business and makes them profitable.

Note: Depending on your organization type, other laws may govern your business practices (such as CIPA, HIPAA, or ISO17799). Consult your legal department when creating your Acceptable Use Policy.

Establishing an Incident Response Plan

An incident response plan provides your organization with detailed guidelines and escalation procedures to follow if an adverse security event or policy breach occurs. The plan also identifies response team members and roles and establishes a chain of command for communication with law enforcement, the public, and the media.

You can categorize incidents according to business operation impact and/or reputation damage using these severity levels:

- Low: Incident impact is minimal.
- Medium: Incident significantly impacts business activity. It may, for example, delay the ability of the enterprise to perform critical functions or provide data.
- High: Incident severely impacts the enterprise. It may, for example, disrupt business processes or compromise the integrity of proprietary or confidential data.
Assessing Your Security Level Organizations in highly regulated industries such as the financial and healthcare fields should establish secure IT environments. In addition to security guidelines, policies, and procedures, you should also define a basic level of security for your network environment. You need to continually update this security baseline as you identify new threats or introduce new technology. Security assessment tools allow you to determine where you are now and what steps you need to take to comply with either the regulations that govern your industry or ensure that you are in line with your guidelines and policies and procedures. Audits frequently require proof of forward progression toward protecting your environment and data. Implementation Planning 17 Email and Email Server Considerations Email and Email Server Considerations Effectively manage and defend your network by establishing a security policy that provides parameters for legitimate email use. Afterward, use eTrust SCM to apply and enforce your security policies. CA recommends that eTrust SCM and the mail server be installed on separate computers. This allows the eTrust SCM SMTP filtering engine to review and forward all acceptable e-mails to the mail server without requiring any modification to the mail server configuration. For the mail server to forward inbound traffic to eTrust SCM, you might need to modify the DNS MX records. Changes must be made to the mail server. You must also modify the mail server so that it can forward outbound traffic to eTrust SCM. If you are running eTrust SCM and the mail server on the same computer, a Denial of Service (DoS) attack on the mail system may affect external mail and internal mail as well. When eTrust SCM and the mail server are located on the same machine, you must modify the mail server configuration so that it does not listen to the default port of 25 on the TCP/IP address that the eTrust SCM is using. 
Email Delivery

Email messages are routed between your organization's computers and the Internet using the Domain Name System (DNS). DNS is a distributed database that maps the host name of a computer on a TCP/IP network to the computer's IP address, and that tells sending mail servers which hosts accept mail for a domain.

To apply content filtering to outgoing email before it is delivered, configure your local mail servers to forward all outgoing email to the eTrust SCM SMTP computer. See your mail server documentation for information on how to do this.

Using MX Records for Fail-Over and Load Balancing

MX (mail exchanger) records are the DNS entries that name the mail servers for a given domain; A records then map those server names to IP addresses. You can set priorities for multiple mail servers in a domain with the MX preference value: the lower the number, the higher the priority. Two MX records with the same preference share the email workload equally. A server with a higher preference number is contacted only when all servers with lower numbers are unavailable. This lets you build redundancy so that email flows automatically through backup systems if the primary systems are unavailable.

Configure the MX records in your domain's DNS zone to point to the eTrust SCM computer rather than to your local mail servers. This ensures that incoming email is delivered first to the eTrust SCM computer and scanned by the SMTP content filter before it is passed to the local mail servers.

Using MX Records with Multiple Computers

When you install multiple eTrust SCM computers, you can create or change MX records to provide fail-over and basic load balancing. For example, assign a high MX preference number to an eTrust SCM backup computer and low numbers to all other eTrust SCM computers.
During normal operation, the backup computer processes a minimal amount of email and the other computers process most of it. When the other computers are unavailable, the backup computer processes most of the email. You can use the same concept to tune your environment for load balancing: split the traffic across several eTrust SCM computers by giving each computer its own MX record with the same preference value.

Email Traffic Direction Rules

eTrust SCM classifies SMTP rules according to the direction of the email traffic. The configuration menu for this function is under Manager Console, Filtering, Content Manager Rules, SMTP. The traffic directions are:

Inbound rules specify content filtering for inbound email traffic. These rules apply to email that originates outside your organization.
Outbound rules specify content filtering for outbound email. These rules apply to email sent from your organization to addresses outside your organization.
Internal checking rules apply to email sent to and from users within your organization.

Note that all email originating from your configured subnets is processed as outgoing traffic, even if the destination is internal.

Domain Route List

eTrust SCM provides an email routing schema that distinguishes between incoming and outgoing email routing based on the domain part of the email address, comparable to an nslookup MX lookup. For both incoming and outgoing email, you can define domain-specific email servers, or email servers for all domains or for any domain not explicitly defined. You can define one or more email (relay) servers for each domain. If you specify more than one relay server, eTrust SCM processes the list in the specified order until relaying to a server succeeds.
The following example shows the list of available relay servers defined for the outgoing domain ca.com:

Email Delivery

Email delivery starts by attempting to connect to the email servers defined in the list. eTrust SCM processes the connection attempts in the specified order. When eTrust SCM establishes a connection to one of the listed servers, the relay server lookup is treated as successful and communication continues according to the SMTP protocol. The relay list entry MX works differently: instead of connecting to a specific email server, eTrust SCM determines the actual relay list by an MX lookup of the destination domain and then connects to the servers found by that lookup.

Retry or Return to Sender

Use the Retry check box in the SMTP Relay Configuration dialog to specify how to handle email that is not delivered on the first attempt. If you enable retry, eTrust SCM makes additional delivery attempts using its TBD (to be delivered) logic. Instead of using the global settings for the retry interval and number of attempts, you can specify values for each domain. Email that eTrust SCM cannot deliver within the configured retry interval and number of attempts is returned to the sender. If you disable retry, eTrust SCM makes no additional delivery attempts and immediately returns the email to the sender. Email that eTrust SCM cannot return to the sender is placed in the deadmail queue.

Relay Control and Open Relay Prevention

Never run eTrust SCM as an open relay. If eTrust SCM is accessible from outside your organization and relays mail for any destination, spammers can use it as a transport server for spam, and your organization could be listed on Real-time Blackhole Lists (RBL) as a spam source. To protect against becoming a spam transport server, define the domains for which eTrust SCM accepts incoming email, so that incoming email not addressed to one of these domains is rejected.
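The relay list, MX preference, retry and relay-control behaviour described in the preceding sections, worked through as an added example. This is illustration code, not part of eTrust SCM or of the original guide: the route table, the MX table and the set of reachable hosts are constructed for the example, and the expansion of an MX relay entry is assumed to follow the MX preference order described under Using MX Records for Fail-Over and Load Balancing, with equal preferences shuffled so that they share the load.

```python
"""Simulation of eTrust SCM style relay selection: ordered relay list per domain,
'MX' entries expanded by an MX lookup, retry / return-to-sender / deadmail handling,
and relay control (no '*' entry for incoming mail).  Added example; all data is constructed."""
import random
from collections import defaultdict

# Constructed domain route list.  "*" = any domain not listed; "MX" = resolve by MX lookup.
# The incoming table deliberately has no "*" entry: that is the open-relay protection.
ROUTES = {
    "incoming": {"ca.com": ["mail1.ca.com", "mail2.ca.com"]},
    "outgoing": {"ca.com": ["mail1.ca.com"], "*": ["MX"]},
}

# Constructed MX table: (preference, host).  Lower preference is tried first;
# equal preferences share the load; the backup gateway carries the high number.
MX_TABLE = {
    "example.net": [
        (10, "scm1.example.net"),
        (10, "scm2.example.net"),
        (20, "scm-backup.example.net"),
    ],
}


def mx_candidates(domain, rng=random):
    """Hosts for a domain in MX preference order; hosts sharing a preference are
    shuffled so that repeated deliveries spread across them."""
    by_pref = defaultdict(list)
    for pref, host in MX_TABLE.get(domain, []):
        by_pref[pref].append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def relay_list(direction, domain):
    """Configured relay entries for a domain in this direction, with 'MX' expanded.
    Returns None when relay control rejects the domain (no specific or '*' entry)."""
    table = ROUTES[direction]
    entries = table.get(domain, table.get("*"))
    if entries is None:
        return None
    hosts = []
    for entry in entries:
        hosts.extend(mx_candidates(domain) if entry == "MX" else [entry])
    return hosts


def deliver(direction, domain, reachable, retry=True, attempts=3):
    """Try each relay in list order; with retry on, repeat the whole list up to
    `attempts` times before giving up.  `reachable` stands in for hosts that
    accept a TCP connection.  Returns (status, host, connection_attempts)."""
    hosts = relay_list(direction, domain)
    if hosts is None:
        return ("rejected", None, 0)          # incoming mail for a foreign domain
    rounds = attempts if retry else 1
    tried = 0
    for _ in range(rounds):
        for host in hosts:
            tried += 1
            if host in reachable:
                return ("delivered", host, tried)
    return ("returned-to-sender", None, tried)


def bounce(sender_domain, reachable):
    """Return-to-sender is itself an outgoing delivery; if that fails too, the
    message lands in the deadmail queue."""
    status, _host, _n = deliver("outgoing", sender_domain, reachable, retry=False)
    return "returned" if status == "delivered" else "deadmail"
```

The retry here is a plain loop over the list; the product's TBD logic additionally waits a configured interval between attempts and lets you override interval and count per domain, which the simulation omits.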
You can define these domains during installation or afterwards. Post-installation, from the Manager Console navigate to Filtering, Settings, <Engine>, SMTP Engine, Relay Servers Configuration. You establish open relay protection by not specifying an any-domain (*) entry for incoming email: the incoming domain list should contain only domains belonging to your intranet, each with appropriate relay servers or MX entries in its relay list.

The following example shows a typical open-relay-protected intranet with the domain ca.com:

In this configuration, relay control blocks all incoming email addressed to domains other than ca.com.

The following example shows an open relay configuration, which is not recommended:

Multiple Email Recipients

eTrust SCM processes email with multiple recipients using the following logic:

1. eTrust SCM groups the recipients by domain.
2. eTrust SCM then sends a copy of the original email to each recipient group. In other words, the email is duplicated as necessary for further processing when recipients belong to more than one domain.
3. If eTrust SCM cannot deliver one of these copies, the retry logic described in Retry or Return to Sender (see page 22) is applied to that copy.

Web Considerations

When planning your implementation, carefully consider a variety of DNS, proxy server, and firewall issues.

DNS Considerations

Good DNS security is paramount to a secure network, and eTrust SCM depends on DNS for its MX lookups. Address the following DNS-related security concerns:

Cache Poisoning
This occurs when a name server makes a recursive query and caches false or forged data for a domain name. Poisoned entries can cause a Denial of Service (DoS), or redirect clients (and outbound mail) to hosts chosen by the attacker. To reduce this risk, modify the DNS server properties by enabling the Secure cache against pollution option.

Disabling Recursive Queries
By default, a Windows DNS server performs recursive queries.
However, recursion can be abused in a DoS attack to overload a name server and make it inaccessible to users. A recursive query requires the queried server to pursue every means of obtaining the requested information on the client's behalf, querying other servers until it finds the answer or the name query fails. In contrast, an iterative query simply asks a server for an answer: if the server has the answer in its cache or its own zones it replies; otherwise it returns a referral, the name of another server that may have the answer. Set local DNS servers to answer iteratively only. At the Command Prompt, use the following command to disable recursion:

dnscmd <server name> /Config NoRecursion 1

A server with recursion disabled answers only from its own zones and cache, so the eTrust SCM computer must be pointed at a resolver that still performs recursion and is not reachable from the Internet; otherwise its MX lookups for external domains fail.

Using a Single Interface
By default, the DNS service listens and responds on all configured interfaces. If the server is multihomed (multiple NICs), the service is exposed on every one of its IP addresses, and the access control lists on your routers and switches become more complex. Configure the DNS server to listen on only one IP address by modifying your network interface settings according to your OS guidelines, and allow only TCP and UDP port 53 traffic to and from your DNS server.

Chaining Proxy Servers

eTrust SCM is installed as a proxy server. It traps web requests before they are sent to the remote server, and traps web content before sending it to the local end user. If another proxy server is already deployed on your network, you can chain it to the eTrust SCM proxy server. The most common ways to chain proxies are the Upstream and Downstream proxy methods:

In the Upstream proxy configuration, eTrust SCM is chained to another proxy server, which acts as a caching server. We recommend this implementation, because eTrust SCM enforces the content filtering policies on both cached and non-cached content.

In the Downstream proxy configuration, the Downstream proxy server is chained to the eTrust SCM proxy server.
This method is not recommended, because cached objects can be served directly to the user without the content filtering policies being applied to them. If you must use a Downstream proxy, disable caching on it.

Firewall Considerations

eTrust SCM must communicate through the firewalls deployed on your network. The perimeter firewall typically performs a static Network Address Translation (NAT) that associates the eTrust SCM private address with a live Internet IP address. Depending on the DNS MX method that you use, the firewall administrator may need to move the static NAT from the corporate mail system to eTrust SCM.

You must also allow some TCP ports through the firewall to enable communication between clients and eTrust SCM and between eTrust SCM and its components:

TCP 1882 is used for CA common services.
TCP 445 (SMB) is used for Active Directory and file sharing.

Lock these ports down to the specific machines that need them. Configure firewall rules for egress filtering so that internal users cannot bypass eTrust SCM scanning by connecting to the Internet directly.

Installing on the Intranet Side

For optimal security, CA recommends that you install eTrust SCM on the intranet side of your firewall, according to your security policies and network architecture, as shown in the following illustration:

Installing on the Internet Side

If you deploy eTrust SCM on the Internet side of your firewall, you can configure your firewall to direct traffic directly to eTrust SCM, as shown in the following illustration. With this configuration, users do not need to configure their browsers to use an eTrust SCM proxy.

Important! CA does not recommend this implementation because it exposes the eTrust SCM proxy server to external threats from the Internet.
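An added check for the Disabling Recursive Queries recommendation under DNS Considerations above (example code, not CA's and not part of the guide). It builds a DNS query with the RD (recursion desired) bit set, as any client would, and reads the RA (recursion available) flag and RCODE from the reply header. A server that still sets RA after dnscmd /Config NoRecursion 1 has not been hardened. The two reply headers at the bottom are constructed to show both outcomes; probe() performs the real network query against a server you name.

```python
"""Wire-level check of a DNS server's recursion setting.  Added example; the
query id, name and the two sample replies are constructed."""
import socket
import struct

QTYPE_MX = 15          # MX lookups are what eTrust SCM needs from DNS
QUERY_ID = 0x1234      # constructed transaction id (use a random one in practice)


def build_query(name, qtype=QTYPE_MX, txid=QUERY_ID):
    """Standard query with RD=1: id, flags, QDCOUNT=1, AN/NS/ARCOUNT=0, then QNAME/QTYPE/QCLASS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)      # QCLASS 1 = IN


def parse_flags(response):
    """Decode the header flags that matter for this check."""
    txid, flags = struct.unpack(">HH", response[:4])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # 1 = this is a response
        "rd": bool(flags & 0x0100),      # our RD bit echoed back
        "ra": bool(flags & 0x0080),      # server offers recursion
        "rcode": flags & 0x000F,         # 0 NOERROR, 2 SERVFAIL, 5 REFUSED, ...
    }


def recursion_offered(response, txid=QUERY_ID):
    """True when the server answered our query and advertises recursion (RA=1)."""
    f = parse_flags(response)
    if not f["qr"] or f["id"] != txid:
        raise ValueError("not a reply to our query")
    return f["ra"]


def probe(server, name="example.net", timeout=2.0):
    """Send the query over UDP/53 and report whether recursion is offered (network call)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _addr = s.recvfrom(512)
    return recursion_offered(data)


# Constructed reply headers (no records, QDCOUNT=1).  Flags:
#   0x8180 = QR, RD, RA set       -> server still recurses for anyone who asks
#   0x8100 = QR, RD set, RA clear -> recursion disabled; exact RCODE varies by server
OPEN_RESOLVER_REPLY = struct.pack(">HHHHHH", QUERY_ID, 0x8180, 1, 0, 0, 0)
HARDENED_REPLY = struct.pack(">HHHHHH", QUERY_ID, 0x8100, 1, 0, 0, 0)
```

Run probe() from outside the DNS server's own subnet as well as from inside: the single-interface and port 53 rules in the same section are what should stop the query reaching the server from the wrong side at all, and RA clear is what you expect when it does.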
Network Considerations

eTrust SCM requires one network interface card (NIC) on the computer on which it is installed. eTrust SCM does not need to be a default gateway or a physical buffer between the external and internal network: it acts as an HTTP and FTP proxy and as a relay server for SMTP. You can install eTrust SCM on any computer in your organization as long as the computer can access the following:

- DNS, for MX queries
- The company SMTP mail server
- The Internet, for sending and receiving mail
- The users' proxy connections
- Antivirus signature updates and all subscription updates (for example, URL filtering and dictionaries)

Note: To enable web updates, your firewall must allow an FTP connection from the eTrust SCM computer to the Internet to obtain antivirus signature updates, and an HTTPS connection from the eTrust SCM computer to the Internet to obtain URL filtering updates.

For network connections between eTrust SCM components, consider the following:

- When there is a firewall between different eTrust SCM components, verify that each component can reach TCP port 1882 on the others. eTrust SCM components use this port for internal communication.
- For eTrust SCM components installed on different computers, make sure that all eTrust SCM computers have valid reverse name resolution, which is necessary for internal communication between components. This is typical of a configuration in which some components are installed in the DMZ and others on your local network.

Content Filtering and Network Load

You typically configure your web content and request filtering using the settings in your browser. When eTrust SCM is used as a proxy server, however, eTrust SCM traps web requests before forwarding them to the remote server.
Likewise, eTrust SCM traps web content before forwarding it to the local end user. Consider the following about content filtering and network load:

- Determine the type of content you want to filter and estimate the network load for each protocol type.
- The installation requests a valid mail server address and a valid email user account on that server. The engine uses this account as its transport when eTrust SCM invokes the email action.
- Install the web content filtering engine to control web content.
- Install the Central Reporter option to generate reports. You must also install a printer, which can be a dummy printer, on the computer for the reporter to work properly. You can then generate reports in text or HTML format. To generate reports in Microsoft Word or Excel format, install Microsoft Office.

If you are using several content filtering servers, consider the following:

- Install the Central Quarantine Manager and Central Reporter on a dedicated computer to better handle the entire organization's quarantined objects and reports.
- The Manager Console connects to the Control Center, which allows you to create content filtering rules and distribute them to multiple engines (local and remote). The Manager Console, through the Control Center, also presents the real-time status of each remote content filtering engine.

Authentication Method Considerations

Rule processing for specific users or user groups is part of the content filtering functionality in eTrust SCM. There are two optional methods for filtering by user: the standard Windows NTLM (NT LAN Manager) protocol, or the eTrust Authentication Device Communication Protocol (ADCP). The following sections provide information to consider when implementing NTLM authentication. Appendix A covers the ADCP method, which is less commonly used.
NTLM Basics

NTLM uses a challenge/response protocol to authenticate a user without sending the user's password over the wire. Instead, the system requesting authentication must perform a calculation that proves it holds the secret derived from the user's password (the NT hash). A challenge/response exchange consists of three messages, commonly referred to as Type 1 (negotiation), Type 2 (challenge), and Type 3 (authentication response). Here is a summary of the NTLM process:

1. The client sends a Type 1 message to the server. The message contains the client's domain and host name and a list of features supported by the client.
2. The server responds with a Type 2 message that contains an 8-byte random number, known as the server challenge.
3. The client computes a response from the server challenge using a key derived from the hash of the user's password; the password itself is never transmitted. The client replies with a Type 3 message that contains the calculated response and several pieces of information about the client, including the domain name and user name.
4. The server sends the user name, server challenge, and client response to the domain controller. The domain controller performs the same calculation using the password hash stored in the Security Account Manager (SAM) database and compares the result with the client's response. If they match, the client is authenticated. Nothing is decrypted in this exchange: the password hash, not the password, is the shared secret, which is why the hash must be protected as carefully as the password itself.

How NTLM Works

With Integrated Windows authentication, NTLM authentication does not initially prompt for a user name and password. Instead, Integrated Windows authentication uses the credentials of the user currently logged onto the client computer.

Note: If necessary, you can configure Microsoft Internet Explorer versions 4.0, 5.0, and 6.0 to prompt for user information initially. For more information, see the Internet Explorer Help.
If the authentication exchange initially fails to identify the user, the browser prompts for a Windows account user name and password and processes them using Integrated Windows authentication. The browser repeats the prompt until you enter a valid user name and password or close the prompt dialog.

When configured for NTLM authentication, eTrust SCM uses this protocol to gather user names and their domains, and associates them with the corresponding content filter NTLM rules for those users. To use NTLM proxy-based authentication, follow these steps:

1. Open the Manager Console and select Proxy Server Settings. The Proxy Server Settings dialog appears.
2. Select Use NTLM authentication. NTLM authentication is now enabled.
3. Configure a rule that uses a network object based on NTLM: select Client, Workstation User, NTLM (or ANY), then click Select, or enter a user name and domain manually. For example:

Type = Any
Domain = My Domain
Name = My User Name

Note: To use an NT user token, add the NT User Name token to the rule action.

NTLM Considerations and Recommendations

Consider the following when implementing NTLM as an authentication method.

Compatibility
Only Microsoft Internet Explorer, Mozilla version 1.4 and higher, and Mozilla Firefox support NTLM.

Mixed Mode Domains
When implementing NTLM, never use mixed mode domains. Windows NT 4.x domain controllers are not aware of Windows 2000 transitive trusts and will not authenticate across transitive trusts in a mixed mode Windows 2000 domain.

Upstream Web Proxy
You cannot use SCM proxy NTLM authentication when SCM is chained to an upstream proxy that is itself configured to require integrated (NTLM) authentication.
Incorrect configuration:
Browser --> SCM (with NTLM) --> Proxy (with NTLM) --> Internet

Correct configuration:
Browser --> SCM (with an NTLM request) --> Proxy --> Internet

Upstream proxy NTLM authentication:
Browser --> SCM --> Proxy (with an NTLM request) --> Internet

To receive the NT user name from a chained upstream proxy that requires NTLM authentication (for example, euproxy.ca.com), add a new entry to the HTTP section of the server.ini file:

CHAINED_PROXY_MONITOR_AUTH=1

Note: When the upstream proxy authenticates the user as described above, the NT user name is not used for applying rules. It is used only for logging, alerts, and reporting, because of an NTLM protocol limitation: the first GET request does not contain the NT user name.

There is a known issue with the web browser when an ISA Server 2000 is chained to an upstream web proxy server, as in the following configuration:

User Browser --> ISA (with NTLM authentication) --> SCM --> Internet

From the Microsoft Knowledge Base: if Internet Security and Acceleration (ISA) Server 2000 is chained to an upstream web proxy server, you may experience unexpected delays, incomplete pages, random authentication warning messages, and so forth, when you browse the Web.

eTrust SCM and Users on Different Domains

When end users and eTrust SCM are logged into different Active Directory (AD) domains, a trust can be created between the domains. The trust traffic between the domains can be carried through a Point-to-Point Tunneling Protocol (PPTP) tunnel, which limits the number of ports that the firewall needs to open. For PPTP, the firewall must allow:

Client ports: 1024-65535/TCP
Server port: 1723/TCP
Protocol: PPTP

You also need to allow IP protocol 47 (GRE), which carries the tunneled traffic.

When the client sends an authentication request to SCM, SCM queries its own domain.
Since a trust exists between the two domains, the user is authenticated successfully. As a result, only the following need to be open on the firewall:

53 (DNS)
1723 (PPTP)
IP protocol 47 (GRE; this is a protocol number, not a TCP/UDP port)
135 (MSRPC)

NTLM Authentication Across a Firewall

The following must be open on the firewall:

DNS: port 53
PPTP: port 1723
GRE: IP protocol 47
HTTP proxy: port 8080
HTTP: port 80 (depending on the HTTP access required through the firewall)

Performing NTLM Authentication Across a Firewall Through SCM

To perform NTLM authentication across a firewall and through SCM, follow these steps:

1. Configure two separate Windows domain controllers (for example, inetrust1.com and inetrust2.com) on two separate servers, each on a different network.
Note: This step depends upon the network configuration on the user's side.
2. Establish a trust relationship between these two domains and validate the domain relationships before continuing.
Note: The network configuration determines the type of trust relationship used between the domain controllers.
3. Start the Routing and Remote Access service on one of the servers. This sets up the PPTP tunnel endpoint for the two domains configured earlier.
4. Start the Routing and Remote Access service on the server. This provides more security according to the user's network configuration.
5. Switch to the other domain controller.
6. Open the Network Connections window from the Control Panel.
7. Double-click New network connection.
8. Begin creating a PPTP connection between the two domain controllers.
9. Click Next. Select the Connect to the network at my workplace radio button.
10. Click Next. Enter your organization's name or a name for the connection.
11. Click Next. Enter the domain name, host name, or IP address of the other domain controller.
12. Click Next. Finish creating the PPTP connection.
13. Right-click the newly created connection.
Select Properties.
14. Select the Networking tab. Select PPTP VPN from the Type of VPN drop-down list.
15. Configure the other network settings according to the Routing and Remote Access service settings on the other domain controller.
16. Double-click the newly created connection. Enter your user name, password, and domain name, if required.
17. Click Connect. Confirm that a proper tunnel is established between the two domains. If you do not confirm this, the trust between the two domain controllers can be affected.
18. The PPTP connection between the two domain controllers is now established.

Note: PPTP also requires IP protocol 47 (GRE) to be allowed through the firewall.

Completing the Pre-installation Checklist

This section provides a pre-installation checklist that you can use for guidance when planning your eTrust SCM installation.

eTrust SCM provides data analysis engines and management services. The component architecture is flexible and accommodates small and medium-size businesses (SMB) as well as large enterprise installations. You can install all data analysis engines and management services on one server (SMB), or distribute the management services and analysis engines across as many servers as necessary (for example, in a large enterprise with high volumes of data). The main components of eTrust SCM are as follows:

HTTP/FTP Content Engine
Performs analysis of web content, FTP over the HTTP proxy, and URL filtering.

SMTP Content Engine
Performs analysis of SMTP content and spam filtering.

Control Center
The main management service, which concentrates data, distributes policies, and provides connectivity between all SCM components. Typically there is a single instance of the Control Center in an environment.

Quarantine Manager
A tool and service that manage messages quarantined as a result of the SMTP Content Engine's analysis.
There should be a single instance of the Quarantine Manager in an environment.

Central Reporter
A tool and service that provide over-time reporting based on data collected by the Content Engines. There should be a single instance of the Central Reporter in an environment.

Manager Console
The main management user interface. It connects to the Control Center, allows policy and environment settings to be configured on the Content Engines, and provides real-time monitoring of engine and enterprise activity.

Some of these components depend on additional components, which eTrust SCM installs either automatically or with additional manual input. These components are the following:

eTrust Embedded IAM (EIAM)
A tool used by the Control Center to connect to an Active Directory and associate logged-on users with their role-based privileges.

iGateway
Part of the EIAM package. Used as the web server powering the Self Managed Quarantine Manager.

Ingres Database
A relational database that is required when installing the Quarantine Manager, Reporter, and/or eTrust Embedded IAM.

Microsoft SQL Database
A relational database that is required when installing the Quarantine Manager and/or Reporter in large-scale environments.

Pre-installation Checklist

Identify the scenario that is most similar to your environment and install eTrust SCM according to the corresponding example in this manual. It is very important that you identify all of the following environment items before installing eTrust SCM:

- Mail servers
- HTTP proxies (if any)
- DNS MX settings, and the process for adjusting them in your organization
- Servers that you will use to install eTrust SCM
- Individual eTrust SCM components that you will install on each server
- Active Directory (AD) in your organization.
You must have an AD for the features that use eTrust Embedded IAM (eTrust SCM rules, Quarantine Manager, Role Based Administration) to function properly
- LDAP access parameters. LDAP is used through AD for email account management
- NTLM availability. You can create HTTP rules using NTLM users and groups
- Networking structure, including the location of the existing servers and where the eTrust SCM servers will be located
- Database to use for the Quarantine Manager and the Reporter. You can use either Ingres or Microsoft SQL Server. For sites with more than 500 users, use Microsoft SQL Server.

The sections that follow address these two typical installation scenarios:

- SMB Installation
- Enterprise Installation

Determine an Installation Scenario

When completing the checklist, determine whether you are installing eTrust SCM as a Small to Medium Business (SMB) installation or as an Enterprise installation. An SMB installation is designed to fit smaller-scale installations.

SMB Installation Scenario

In this scenario, the following components are installed on the same computer: SMTP Content Engine, HTTP/FTP Content Engine, Central Reporter, Quarantine Manager, Control Center, and the Manager Console. This should be a dedicated computer, but if necessary you can install eTrust SCM on the same computer as the company's mail server. If you do this, be sure to chain the eTrust SCM server to the local mail server, and see the note on port 25 in Email and Email Server Considerations.
The following illustration shows a typical SMB installation:

Use this scenario in any of the following situations:

- 1,000 or fewer users, performing both mail (SMTP) and web (HTTP/FTP) filtering
- 1,000 or fewer users, performing only web (HTTP/FTP) filtering
- 10,000 or fewer users, performing mail (SMTP) filtering only, without a very high volume of email

Enterprise Installation Scenario

In this scenario, you distribute the eTrust SCM installation across two or more servers: for example, all of the management components (the Control Center, Quarantine Manager, and the Reporter) on one server and the data analysis engines on one or more other servers. The number of servers depends on the amount of traffic and the size of your organization.

The following illustration shows a typical Enterprise installation where the engine components are distributed on separate servers:

Use this scenario in any of the following situations:

- 1,000 or more users, performing both mail (SMTP) and web (HTTP/FTP) filtering
- Over 5,000 users, performing mail filtering for a high traffic volume

Note: Separating the management components and content engines onto different machines is always recommended, even in the SMB scenario, because it gives the best performance; in the SMB scenario, however, it is not mandatory.

Upgrading from a Previous Release

This section explains how to use the BackupRestore utility to upgrade from eTrust SCM 1.0 or 1.1 to eTrust SCM r8.

1. Insert the eTrust SCM r8 installation CD into the computer on which eSCM 1.x is installed.
2. Navigate to \Support\10_11_BackupRestore. This folder contains two files:
   BackupRestore10.exe for SCM r1.0
   BackupRestore11.exe for SCM r1.1
3. Copy the utility matching the installed version into the Bin folder of the directory in which eSCM 1.x is installed. This directory should be c:\Program Files\CA\eTrust SCM\Bin.
4. From the Windows Start menu, select Run.
5. On the command line, type BackupRestore10 -b or BackupRestore11 -b, depending on the installed version. A success message appears when the process completes. The BackupRestore utility creates an eTrust SCM Backup folder.
6. Uninstall eSCM 1.x from the computer.
7. Restore and import the data from eTrust SCM 1.x into eTrust SCM r8 in one of two ways:

During the SCM r8 Control Center installation
When you install eSCM r8, if the installer finds backup data, you are offered the option to restore it. If you answer yes, the installer runs the BackupRestore utility.
Note: Perform the restore on the eTrust SCM server that runs the Control Center. If there are multiple eTrust SCM computers, only the Control Center is upgraded this way; eTrust SCM later distributes the restored databases to all eTrust SCM engines.

Manually
After you install eSCM r8, run the BackupRestore utility with the parameter -r. The utility is located in the Bin folder of the directory in which you installed eSCM r8, and it displays a success message when the restore completes. Make sure the Manager Console is not running when you perform the restore.

Note: You must perform the backup from eTrust SCM r1.x and the restore to eTrust SCM r8 on the same computer.

Known Upgrade Issues

Be aware of the following upgrade issues:

Adding content filters that did not exist in r1.0/1.1
eTrust SCM r8 contains predefined content filters for some of the new filtering technologies. For instance, you may select the predefined content filters for Malformed Content for SMTP, the Popup Blocking Filter for HTTP URL filtering, and others.
The restore utility restores the existing policies and makes them operational, but it does not add the new filters. To use these new capabilities, you must manually create new Content Filters for the desired filtering technology after the upgrade and tie them to the Policy filters of your choice.

Chapter 3: Installing eTrust SCM

This section explains how to install eTrust SCM. See Installing Individual Components Only (see page 74) for issues to be aware of when installing only individual eTrust SCM components.

Note: If you plan to use Microsoft SQL Server as the database for the Quarantine and Reporter, you must install and configure the MS-SQL Server databases before starting the eTrust SCM installation. See Installing and Configuring Microsoft SQL Server (see page 163), and then continue with the steps described in this chapter.

Installation Steps

To begin the installation, follow these steps:

1. Log onto your computer using administrator or domain administrator privileges.
2. Insert the eTrust SCM product CD into your CD-ROM drive. If autorun is enabled on your computer, the installation procedure begins automatically and the product installation browser appears.
   Note: If autorun is not enabled on your computer, the installation does not begin automatically. You can start the installation manually by browsing to the CD's root directory and double-clicking the Launch.exe file.
   The first link leads to a complete eTrust SCM installation. When you select this option, all eTrust SCM options appear in the next step. The second link provides the capability to install the eTrust SCM ADCP and Netload accessories. You can use Netload, which is a utility and not a product option, for scaling the installation. You should install ADCP if your eTrust SCM installation uses ADCP-based rules rather than NTLM rules.
3. Click Install eTrust Secure Content Manager.
The following menu appears:

4. Select Install eTrust SCM (full product). eTrust SCM provides the following installation options:

   eTrust SCM (Full Product)
   This is the default installation package. Use this option for most SMB or Enterprise scenario installations. This package includes all eTrust SCM management components and all analysis engines. If you did not purchase the full eTrust SCM gateway solution, or plan to use only certain analysis engines, select one of the following packages. These packages include all management components, but only one of the analysis engines.

   eTrust SCM Antivirus Gateway
   Includes all management components, the Antivirus Gateway analysis engine, and mobile code defense.

   eTrust SCM Anti-Spam
   Includes all management components, SMTP analysis, and the Antivirus Gateway engine.

   eTrust SCM Web Filter
   Includes all management components, Web URL Filtering, HTTP Filtering, and the Antivirus Gateway engine.

Choose a Language, Read the Terms and Conditions, and Provide User, Drive, and Location Information

After you select Install eTrust SCM (Full Gateway Product), the Choose Setup Language dialog appears. Continue the installation by following these steps:

1. Select the language for the installation and then click OK. The InstallShield Wizard starts. The eTrust SCM Installer Welcome dialog appears:
2. Click Next. A terms and conditions dialog appears.
3. Use the scroll bar to read the agreement, and then click I Agree. The Customer Information dialog appears:
4. Enter your information and click Next. The Installation Drive dialog appears, suggesting a drive for the installation based on available disk space. CA recommends using this drive.
5. Do one of the following:
   - Click Yes to accept the drive and continue.
   - Click No and then select an alternate drive.
The Choose Destination Location dialog appears:

6. Use this dialog to specify the location in which to install the eTrust SCM components. Do one of the following:
   - Click Next to accept the default destination folder.
   - Click Browse, navigate to and select a different folder, click OK, and then click Next.
   A workspace location dialog appears. The Workspace is the location in which eTrust SCM stores the data files created while eTrust SCM is in use.
7. Do one of the following:
   - Click Next to accept the default destination folder.
   - Click Browse, navigate to and select a different folder, click OK, and then click Next.
   The Select Components dialog appears. This dialog lets you install eTrust SCM's main components. These are the same components that you could have specified to install individually at the beginning of the installation process.
8. Before proceeding, confirm that you know how you plan to install the components:

   Option 1 - The SMB Installation Scenario - All Components Installed on One Computer
   In an SMB installation scenario, you install all components on the same computer. Proceed to Option 1 - SMB Installation Scenario (see page 53), and continue the installation.

   Option 2 - Enterprise Installation Scenario - Components Distributed Across Several Computers
   In an Enterprise installation scenario, you can install components across different computers. Before proceeding, confirm which types of components you will install on the current computer: management services or data analysis engines. Proceed to Option 2 - Enterprise Installation Scenario (see page 53), and continue the installation.

Note: Be sure to determine a scenario and have a clear installation plan in place before continuing.
Option 1 - The SMB Scenario

To continue with an SMB installation scenario and install all components on the same computer, follow these steps:

1. Check the boxes for both the HTTP/FTP and SMTP scanning engines.
2. Check the Install Locally checkboxes for all of the management services.
3. Click Next.
4. Proceed to HTTP / SMTP Server Ports (see page 56), and continue the installation.

Option 2 - Enterprise Scenario

Enterprise installations provide several options. You can install all of the components as many times as necessary and install as many analysis engines as you need on multiple computers. You can also install the management components (Central Reporter, Quarantine Manager, and Control Center) on separate servers. The following example installs management services on one server and data analysis services on another server.

First Server

In this step, install all management services on the first server, 10.10.10.1.

1. Leave the HTTP/FTP and SMTP checkboxes unchecked.
2. Check the Install Locally checkboxes for all three management services. The Select Components dialog should look as follows:
3. Proceed to HTTP / SMTP Server Ports (see page 56), and continue the installation on the first server.

Second Server

After you finish installing on the first server, begin a new installation on the second server as follows:

1. Check the checkboxes for the HTTP/FTP and SMTP services.
2. For each of the three management services, check the Remote IP Address checkbox and type in the IP address 10.10.10.1 to point to the first server. The Select Components dialog should look as follows:
3. Proceed to HTTP / SMTP Server Ports (see page 56), and continue the installation on the second server.
HTTP / SMTP Server Ports

After you select the components to install on one or more servers, the HTTP/SMTP Server Ports dialog appears. Use this dialog to specify the ports on which SCM listens for the two main services, HTTP and SMTP.

1. Use the default ports provided, or modify the port numbers.
2. Click Next.

Email Notification

After you specify the HTTP / SMTP server ports, the Email Notification dialog appears. Use this dialog to specify the SMTP server that transports email notifications and the email address to which to send them. eTrust SCM sends notifications when eTrust SCM rules concerning such matters as inappropriate user activity or spam detection are met.

1. Enter the SMTP server name.
2. Enter the Email Account name.
3. Click Next.

SMTP Relay Configuration

After you specify the email notification information, the SMTP Relay Configuration dialog appears. Configure these settings to specify the incoming and outgoing email parameters. The relay configuration settings are also applied to the Quarantine Manager for notifications and report delivery.

Important! Configure these options carefully to ensure proper mail communication between eTrust SCM and your organization's mail server. By default, eTrust SCM provides the Any object, which indicates any domain. CA does not recommend using Any, because it allows email for any domain to be relayed through eTrust SCM. This condition exposes the eTrust SCM server to open relay status and might overload eTrust SCM.

If you choose to use Any, eTrust SCM displays the following warning message:

The proper way to configure mail routing is to configure the settings for each domain in your company. Any domain not in the list is not allowed to relay email through eTrust SCM. This is called open relay prevention.
Configure Incoming Email

To configure incoming email, follow these steps:

1. Click Add. The New Domain dialog appears.
2. Type the name of the domain and configure the email relay servers the domain will use.
   Note: You can also select MX as the relay method. If you use a combination of servers and MX, eTrust SCM tries the servers in the list in order. If the first server does not respond, SCM tries the second server, then the third.

Configure Outgoing Email

To configure outgoing email, follow these steps:

1. Click Add. The New Domain dialog appears.
2. Type the name of the domain and configure the mail relay servers the domain will use.
   Note: You can also select MX as the relay method. If you use a combination of servers and MX, eTrust SCM tries the servers in the list in order. If the first server does not respond, SCM tries the second server, then the third.

Adjust Retry Settings

You can adjust the mail delivery retry settings if necessary. By default, a message expires if eTrust SCM cannot deliver it within 24 hours.

Note: After installing and properly configuring the email routing settings, you should modify the DNS MX listing so that external email is routed to the eTrust SCM server rather than to your main mail server. In addition, you should configure your mail server to forward outgoing email to eTrust SCM.

When you are finished configuring the mail relay settings, click OK.

Fully Qualified Domain

After you specify the relay configuration settings, the Fully Qualified Domain dialog appears. To provide a fully qualified domain name, follow these steps:

1. Enter the DNS name of this computer, as it is known on the network.
2. Click Next.
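The relay behaviour described in the SMTP Relay Configuration section above, modelled as an added example (this is not CA's code): the per-domain incoming and outgoing lists refuse relay for any domain not listed, the Any object removes that protection, relays are tried from the top of the list down with MX expanding to the destination's MX hosts, and a message still undelivered after the retry window (24 hours by default) expires. The domains, host names, `send` and `mx_lookup` callables are constructed so the example runs offline.

```python
"""Model of the eTrust SCM per-domain SMTP relay policy (added example, not CA's code)."""
from dataclasses import dataclass, field
from datetime import timedelta
from typing import Callable, Dict, List, Optional

ANY = "Any"  # the guide's catch-all object: matches every domain (not recommended)
MX = "MX"    # relay method: deliver to the destination domain's MX hosts


@dataclass
class RelayConfig:
    # incoming: domains the gateway accepts mail FOR, each with its ordered
    # relay servers (the internal mail servers that finally store the mail)
    incoming: Dict[str, List[str]] = field(default_factory=dict)
    # outgoing: domains the gateway accepts mail FROM, each with the ordered
    # relays (smart hosts or MX) used to hand the mail onward
    outgoing: Dict[str, List[str]] = field(default_factory=dict)
    expiry: timedelta = timedelta(hours=24)  # the guide's default retry window

    def is_open_relay(self) -> bool:
        """True when Any is configured anywhere: mail for or from every domain is relayed."""
        return ANY in self.incoming or ANY in self.outgoing


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def _route(table: Dict[str, List[str]], domain: str) -> Optional[List[str]]:
    # An explicit domain entry wins; Any matches only when it was configured
    return table.get(domain) or table.get(ANY)


def relay_decision(cfg: RelayConfig, sender: str, recipient: str) -> Optional[List[str]]:
    """Return the ordered relay list for a message, or None when relay is refused.

    Inbound mail is recognised by the recipient domain, outbound mail by the
    sender domain. A message matching neither list is refused: this is the
    open relay prevention the guide describes.
    """
    inbound = _route(cfg.incoming, _domain(recipient))
    if inbound is not None:
        return inbound
    return _route(cfg.outgoing, _domain(sender))


def deliver(relays: List[str], dest_domain: str,
            send: Callable[[str], bool],
            mx_lookup: Callable[[str], List[str]]) -> Optional[str]:
    """Try the relays top to bottom; MX expands to the destination's MX hosts.

    `send` (attempt one SMTP delivery, True on success) and `mx_lookup` are
    injected so the example runs offline. Returns the host that accepted the
    message, or None when every relay in the list failed.
    """
    for hop in relays:
        hosts = mx_lookup(dest_domain) if hop == MX else [hop]
        for host in hosts:
            if send(host):
                return host
    return None


def is_expired(cfg: RelayConfig, age: timedelta) -> bool:
    """A message queued for at least the retry window expires (24h by default)."""
    return age >= cfg.expiry


# Constructed configuration for a single company domain, as the guide recommends
RECOMMENDED = RelayConfig(
    incoming={"example.com": ["mail1.example.com", "mail2.example.com"]},
    outgoing={"example.com": [MX]},
)
# The configuration the guide warns against: Any on the incoming side
OPEN = RelayConfig(incoming={ANY: ["mail1.example.com"]})


if __name__ == "__main__":
    print(relay_decision(RECOMMENDED, "bob@outside.net", "alice@example.com"))
    print(relay_decision(RECOMMENDED, "bob@outside.net", "carol@other.org"))  # None: refused
    print("open relay:", OPEN.is_open_relay())
```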
Traffic Direction Classification

After you specify the DNS name for the computer, the Traffic Direction Classification dialog appears. To the right, eTrust SCM displays a list of the subnets found on the computer. Selecting the subnets that are part of the environment handled by eTrust SCM allows eTrust SCM to distinguish between internal and external communications.

To configure traffic direction, follow these steps:

1. Click a subnet on the left side of the dialog, and then click Add. eTrust SCM adds the subnet to the list of subnets that determine traffic location.
2. Repeat step 1 for all subnets that you want to add.
3. Click Next.

Select Database

Select the database to use with the Quarantine and Reporter.

Note: If you prefer to use Ingres, select Ingres Server, click Next, and proceed to the next installation step, eTrust Embedded IAM Server.

1. If you are using MS-SQL Server, select Microsoft SQL Server and click Next.
   Note: If you select this option, you are prompted to use the databases you created in the pre-installation steps.
2. The SQL Quarantine Server dialog appears:
3. Enter the following information for the Quarantine database, and click Next:

   Server
   Enter the name of the machine on which the SQL Server resides. Alternatively, you can use the browse option to view all available SQL Servers. When SQL Server resides on the same machine on which you are installing SCM, select (local).

   Username
   Enter the database user name you configured in the SQL Enterprise Manager.

   Password
   Enter the password you configured for the user above in the SQL Enterprise Manager.

   Database
   Enter the database name, or click Browse to select the database from the server you defined above. This is the database you defined in the SQL Enterprise Manager for use with the Quarantine.
   If the connection is successful, the installation wizard prepares the SQL Server for use with the Quarantine. The SQL Reporter Server dialog appears:
4. Enter the information for the Reporter database. All fields are similar to those described for the Quarantine Manager, except for the Database: select the database you created for the Reports. The installation wizard connects to the SQL Server and prepares the database for use with the Reporter.

eTrust Embedded IAM Server

After you specify the database information, the eTrust Embedded IAM Server dialog appears. Embedded IAM is required for the eTrust SCM Role Based Management and the eTrust SCM Self-Administration Web Quarantine features. If you are not planning to use these features, you do not need to install EIAM. If you choose to install EIAM, continue with the next step. Otherwise, select Do not use the EIAM Server and continue with the Complete the Installation step.

To install eTrust Embedded IAM, follow these steps:

1. Install eTrust Embedded IAM locally, or point to a location on which EIAM is already installed, and then click Next. The eTrust Embedded IAM Password dialog appears:
2. Enter a new password for the eTrust Embedded IAM administrator, or provide the password for the eTrust Embedded IAM that is already installed, and then click Next.

eTrust SCM installs the components you selected. The installation displays its progress and messages about the components being installed. The duration of the process varies with the components selected for installation.

Note: Because the database installs silently, you do not need to configure any database settings after the installation.

Complete the Installation

1. When prompted, license and register the software as described in Licensing and Registering eTrust SCM (see page 69).
   You can also perform these steps post-installation, within 30 days.
2. When prompted, restart the computer. The computer will not function properly if it is not restarted.

Licensing and Registering eTrust SCM

For eTrust SCM to function properly, you must license and register eTrust SCM either during installation or within 30 days following installation. There are two ways to license and register eTrust SCM:
- During installation, using the Licensing and Registration dialogs.
- After installation, using one of these methods:
  - Run the Licensing utility by selecting Start, Programs, Computer Associates, eTrust, eTrust SCM, Licensing.
  - Run the Registration utility by selecting Start, Programs, Computer Associates, eTrust, eTrust SCM, Registration.

Licensing and Registering During or Post-Installation

License and register eTrust SCM using the License and Registration dialogs. These dialogs display near the end of the eTrust SCM installation process, and you can also launch them post-installation.

License Type Dialog

CA products offer the following types of licensing. Depending on how you purchased the software, a different license type is required. When prompted, select the type of license you were supplied with:

If this is a trial installation, or if you have purchased the product but have not yet received a license, select Live Trial. This permits 30 days of functionality. At the end of the 30 days you must license the product, or functionality ceases.

If you select ALP Certificate, you are directed to CA's support site for downloading and installing the license.

License Verification Dialog

If you select a 25-character key, the following dialog appears:

eTrust SCM provides several license types, depending on the features you have purchased. These licenses are keycodes that you enter into the Licensing utility. The keycodes are then applied to the software.
Product component options, each controlled by a separate license code:

eTrust Secure Content Manager r8
The fully featured product that includes AV Gateway, Anti-Spam, Web URL filtering, and Malicious Mobile Code Defense

eTrust Secure Content Manager Antivirus Gateway Option
AV Gateway and Malicious Mobile Code Defense

eTrust Secure Content Manager Anti-Spam Option
Anti-Virus Gateway and Anti-Spam features

eTrust Secure Content Manager Web Filtering Option
Web URL Filtering, HTTP filtering, and Anti-Virus Gateway

The following subscription update options require separate license codes:
- eTrust Secure Content Manager Antivirus Subscription
- eTrust Secure Content Manager Spam Subscription
- eTrust Secure Content Manager URL Subscription

Registration Dialog

Next, you are prompted to register your software with CA in the Registration dialog. Enter your identification information, and click Register.

Testing the Installation

Test the installation by opening the eTrust SCM Manager Console after the computer on which the Manager Console is installed finishes restarting.

1. Click Start, Programs, Computer Associates, eTrust, eTrust SCM, Manager Console. The Manager Console Login dialog appears:
2. Enter Admin in the User Name field.
3. Enter Admin in the Password field.
   Note: By default, eTrust SCM provides Admin as both the user name and the password.
4. Enter the IP address of the computer on which you are working in the eTrust SCM Control Center field, and click OK.
   Note: This IP address is usually the same as the address in the Local Machine IP field.

The Manager Console appears:

If the Manager Console appears, the installation has completed successfully. If not, see Troubleshoot the eTrust SCM Installation (see page 137).
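A post-installation check for the Traffic Direction Classification step earlier in this chapter (page 63), written as an added example rather than CA's code: it labels a connection Inbound, Outbound or Internal from whether each endpoint falls inside a subnet you selected, and tallies constructed proxy log lines into the per-direction Files Processed / Files Blocked counters the Manager Console reports. The 10.10.10.0/24 subnet matches the enterprise example's 10.10.10.1 server; the log format and the "Unclassified" bucket for traffic where neither side is in a selected subnet are assumptions of this example, since the guide names only the three directions.

```python
"""Traffic direction classification by selected subnets (added example, not CA's code)."""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, Optional


class TrafficDirection:
    """Classifies a connection by whether each endpoint lies in a selected subnet."""

    def __init__(self, subnets: Iterable[str]):
        # strict=False lets a host address such as 10.10.10.1/24 stand for its subnet
        self.subnets = [ipaddress.ip_network(s, strict=False) for s in subnets]

    def is_internal(self, address: str) -> bool:
        ip = ipaddress.ip_address(address)
        return any(ip in net for net in self.subnets)

    def classify(self, src: str, dst: str) -> Optional[str]:
        src_in, dst_in = self.is_internal(src), self.is_internal(dst)
        if src_in and dst_in:
            return "Internal"
        if src_in:
            return "Outbound"
        if dst_in:
            return "Inbound"
        # Neither side is in a selected subnet. The guide defines only the
        # three directions above, so this example returns None; a usual cause
        # is a subnet that was not added in the Traffic Direction dialog.
        return None


def tally(classifier: TrafficDirection, log_lines: Iterable[str]) -> Dict[str, Counter]:
    """Count processed and blocked events per direction.

    Mirrors the Inbound/Outbound/Internal Files Processed and Files Blocked
    counters. Log line format (constructed for this example): '<src> <dst> <action>'.
    """
    stats = {d: Counter() for d in ("Inbound", "Outbound", "Internal", "Unclassified")}
    for line in log_lines:
        src, dst, action = line.split()
        direction = classifier.classify(src, dst) or "Unclassified"
        stats[direction]["processed"] += 1
        if action == "BLOCKED":
            stats[direction]["blocked"] += 1
    return stats


SAMPLE_LOG = [  # constructed HTTP proxy events: client, server, action
    "10.10.10.25 203.0.113.7 ALLOWED",   # internal client to the Internet: Outbound
    "10.10.10.31 203.0.113.9 BLOCKED",   # an outbound request stopped by a rule
    "198.51.100.4 10.10.10.1 ALLOWED",   # Internet to the gateway: Inbound
    "10.10.10.25 10.10.10.1 ALLOWED",    # both ends selected: Internal
    "192.168.5.8 203.0.113.7 ALLOWED",   # subnet not selected: Unclassified
]


if __name__ == "__main__":
    classifier = TrafficDirection(["10.10.10.0/24"])
    for direction, counts in tally(classifier, SAMPLE_LOG).items():
        print(direction, dict(counts))
```

Adding the forgotten 192.168.5.0/24 subnet to the classifier moves the last line from Unclassified to Outbound, which is the practical way to spot a missing subnet after installation.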
Installing Individual Components Only

The beginning of this chapter explained how to install a full version of eTrust SCM on one server (SMB installation) and on multiple servers (enterprise installation). This section highlights the activities required when installing only individual eTrust SCM components.

Installing Only the Spam or Web Options

When you install only the Spam option, you cannot select the HTTP option. When you install only the Web option, you cannot select the SMTP option.

Installing Only the eTrust SCM Manager Console Viewer

You can install the eTrust SCM Manager Console Viewer on any computer. When you install it, you are prompted to identify the location of the Control Center.

Chapter 4: Configuring Your Implementation

This section explains how to begin using the Manager Console to specify parameters for your enterprise. Before running eTrust SCM in production, ensure that all required settings are configured to allow eTrust SCM to properly handle your network content.

The Manager Console

The Manager Console is the main eTrust SCM GUI, and it provides central access to the content management databases and tools (the Central Quarantine Manager and the Central Reporter). It allows you to locally view the analysis of content filtering events, receive real-time alerts, and determine how the content management engines will run. You can also configure the local content filtering settings, such as spam, URL filtering, and automatic updates from the Internet. The settings affect the workload on the engines and, as a result, the analysis time. The optimal settings for your system depend on a number of parameters, including traffic load, number of rules, type of content filtering, depth of analysis, and the processing power of your computer.

The Manager Console handles the content rules and filters, and distributes policies to local and remote machines.
The Manager Console lets you view Last/Average/Minimum/Maximum statistics for the main functionality points of each analysis engine, including the following:

HTTP
- Inbound/Outbound/Internal Files Processed/Min
- Total Inbound/Outbound/Internal Files Processed
- Inbound/Outbound/Internal Files Blocked
- Inbound/Outbound/Internal Viruses Detected
- URLs Blocked
- URLs Checked and Reported

SMTP
- Inbound/Outbound/Internal Messages Processed/Min
- Total SMTP Inbound/Outbound/Internal Messages Processed
- Inbound/Outbound/Internal Queue Size
- Inbound/Outbound Viruses Cured
- Total SMTP Messages Infected/Quarantined/Parked/Blocked by RBL Service

Starting the Manager Console

To start the Manager Console, click Start, Programs, Computer Associates, eTrust, eTrust SCM, Manager Console. The Manager Console appears:

The Manager Console provides four kinds of information:

Engine Protocol Tree (Left Pane)
Displays the name and IP address of the computer running eTrust SCM and the available content filtering engine protocols. Clicking a protocol displays real-time protocol statistics in the right pane.

Engine Protocol Status/Statistics (Right Pane)
Displays the statistics for the engine protocol selected in the left pane. If no engine protocol is selected in the left pane, the eTrust SCM status displays in the pane. Engine statistics display in real time.

Realtime Alerts (Bottom Pane)
Displays policy violation incidents as they occur. The HTTP/FTP, URL, and SMTP rules that you define and activate trigger policy violations. The violations display in real time.

Realtime Enterprise Activity (Bottom Pane)
Displays a running log of significant activities performed by the user currently logged into the Manager Console.

Checking and Adjusting Manager Console Settings

After installation, review and modify some of the default settings to meet your needs.
There are two types of settings:

Local Engine Settings
Settings that are specific to one analysis engine (SMTP or HTTP)

Enterprise Settings
Global settings that are applied to all analysis engines in the eTrust SCM environment

Configuring Initial Filtering Settings

The topics that follow describe the settings you must modify before you put eTrust SCM into production. For more information about the options in any of the dialogs in this chapter, use the Manager Console to navigate to the dialog and click the Help button.

Local Settings

To modify local settings, follow these steps:

1. Select Filtering, Settings. The settings dialog appears:
2. From the drop-down at the top of the dialog, select the IP address of the local computer for which you want to modify settings.

Gateway Settings

If you selected the optional ADCP Agent for User Authentication, select the Gateway node to define parameters for the ADCP Agents. For details on how to add ADCP Agents to the list, see ADCP Authentication (see page 143).

HTTP Engine Settings

Use the HTTP node to define parameters for HTTP content filtering. If you want to modify the default settings for General, File Settings, or Advanced, see the online help for each of the options in the HTTP Engine node.

Proxy Settings

When working with eTrust SCM as an HTTP proxy, you must configure some settings depending on your implementation. For instance, if you are chaining eTrust SCM to another proxy (upstream or downstream), you must configure the chained proxy location and port.

To define proxy server settings, follow these steps:

1. Click HTTP Engine, Proxy Settings, Proxy Server. The Proxy Server settings dialog appears:
2. Modify the default values as appropriate.

   Proxy Port
   Specify the eTrust SCM Proxy Server listening port. Typically, accept the default port 8080.
   Chained Proxy
   To chain one proxy server to another, check the Chained Proxy box and enter the chained proxy's name or IP address and the proxy port.

   Authentication
   Check the Integrated Windows Authentication (NTLM) box if you want the HTTP Proxy to perform NTLM (NT LAN Manager) authentication. NTLM is a shared-secret, challenge-response user authentication protocol that supports pass-through authentication to a domain controller in the server's domain, or in a domain trusted by the current domain's domain controller. When configured to use NTLM authentication, eTrust SCM uses this protocol to gather user names and their domains, and associates them with the corresponding content filter NTLM rules (if any are defined) for these specific users.

3. Click OK to save the proxy server parameters and close the dialog.

LDAP Settings

Use the LDAP (Lightweight Directory Access Protocol) settings to specify all parameters for identifying and managing the LDAP servers used in SMTP filtering and quarantined email.

Important! Ensure that all of the following settings are correctly configured. Test the connection when you are finished.

To define LDAP settings, click LDAP. The LDAP server settings appear:

LDAP Server Settings

To define specific settings for a local engine rather than use the eTrust SCM default settings defined in the LDAP node of the Enterprise Settings, uncheck the Use LDAP-Default settings box and then provide the LDAP server settings as appropriate. The settings you provide apply only to this local engine.

Login Account and Password
Enter your login account and password for the LDAP server. Note the following:
- You must provide a valid login account and password. eTrust SCM does not support Anonymous logins.
- The Active Directory LDAP server supports the Domain\User format rather than a full user name.
Note: If you do not uncheck the Use LDAP-Default settings option, eTrust SCM uses the LDAP settings defined in the LDAP Enterprise Settings.

Testing LDAP Settings

Test the LDAP settings to verify that all settings are properly defined. To test the LDAP settings, follow these steps:

1. Click Test. The LDAP Test page appears:
2. Enter either a single person's email address or a distribution list email address.
3. Click Send Query. In a few moments the query results appear.
4. Review the information in the Result pane. If the configuration is correct, the test was successful. If the results show a failure, repeat the previous configuration steps and check for any errors.

Subscription Settings

You can request a CA subscription to update subscription lists from the web on a regular basis. When you subscribe to an update, you receive a license code that enables the subscriptions. Subscription settings let you configure automatic updates for subscriptions. The time and version of the last successful update appear at the top of the settings for each subscription item.

You can configure subscription updates for the following:

Antivirus
Use these settings to specify how to obtain automatic updates for the antivirus signature files. These files are used by a powerful antivirus engine that scans both HTTP and SMTP traffic for viruses.

Spam Rules
Use these settings to specify how to obtain automatic updates for spam rules. The SMTP engine uses spam rules to determine whether or not incoming email contains spam.

URL Filtering
Use these settings to specify how to obtain automatic updates for URL categories. With URL filtering by category and regular expressions, you can designate URLs that users should not visit. For example, you can designate URLs dealing with pornography, gambling, online sales or merchandising, and so on.

To define subscription settings, click Subscriptions.
The Anti-Virus Subscription settings appear.

Antivirus Settings

Use these settings to define how to handle antivirus rule updates on the local eTrust SCM computer. To modify antivirus settings, follow these steps:

1. Click Antivirus. The Antivirus settings display:
2. The only parameters you should change are the proxy settings, if your traffic passes through a proxy:

   Use Proxy Server
   Check the Use Proxy Server box if your web traffic passes through a proxy server, and then provide the following information:
   a. Enter the proxy server name or IP address and the port.
   b. If your proxy requires authentication (for example, the proxy server requires a user name and a password to grant web access), check the Authentication box and enter the authentication user name and password.

3. Click OK to save the parameters and close the dialog. If the Distribute Changes command is enabled, a dialog displays for distributing these parameter settings to the other eTrust SCM computers in your network enterprise.

Spam Rules Settings

Use these settings to define how to handle spam rule updates on the local eTrust SCM computer. To modify spam rule settings, follow these steps:

1. Click Spam Rules. The Spam Rules settings appear:
2. The only parameters you should change are the proxy settings, if your traffic passes through a proxy:

   Use Proxy Server
   By default, eTrust SCM uses the proxy server provided at installation. Specify an alternate spam server name if necessary.

   Port
   Specify the port number for the spam server.

   Authentication
   Enter the authentication information for the server.

   Name and Password
   By default, eTrust SCM uses the user name and password provided at installation. Enter an alternate user name or password if necessary.

3. Click OK to save the parameters and close the dialog.
URL Filtering Settings

Use these settings to define how to handle Web URL updates on the local eTrust SCM computer. To modify Web URL update settings, follow these steps:

1. Click URL Filtering. The URL Filtering settings display:
2. The only parameters you should change are the proxy settings, if your traffic passes through a proxy:

   Use Proxy Server
   By default, eTrust SCM uses the proxy server provided at installation. Specify an alternate server name if necessary.

   Port
   Specify the port number for the server.

   Authentication
   Enter the authentication information for the server.

   Name and Password
   By default, eTrust SCM uses the user name and password provided at installation. Enter an alternate user name or password if necessary.

3. Click OK to save the parameters and close the dialog.

Enterprise Settings

To modify enterprise settings, follow these steps:

1. Select Filtering, Settings.
2. Select Enterprise Settings from the drop-down box. The Enterprise Settings dialog appears:

When you modify these settings, an option appears for you to distribute the settings to the other eTrust SCM computers in your enterprise.

Loop-back Settings

Use these general settings to prevent loop-back scenarios. You should add all local and remote computers on which eTrust SCM is installed, and also include any firewall or other network devices.

To define Loop-back settings, follow these steps:

1. Click Loop-back settings. The Loop-back settings appear:

To add a computer, firewall, or other network device, follow these steps:

1. Click Add. The Server Properties dialog appears.
2. Enter a server or device name and its port.
3. Click OK.
Enterprise LDAP Settings

Use the LDAP (Lightweight Directory Access Protocol) options to set up all parameters for identifying and managing the LDAP servers used in SMTP filtering and quarantined email.

Important! Correct LDAP configuration is a key factor for SCM functionality. Make sure that all of the following settings are configured and that the connection is tested.

To define LDAP settings, click LDAP. The LDAP General Settings appear.

Enterprise LDAP General Settings

The settings you provide here apply to all enterprise SCM engines. To define specific settings for a particular engine, modify the LDAP settings for the local engine instead. See Local Engine Settings (see page 79) for more information.

To define LDAP general settings, follow these steps:

1. Click General. The LDAP General Settings appear.

2. Modify the default values as appropriate.

   Automatically detect LDAP Servers
   Select this option to allow eTrust SCM to auto-detect LDAP servers in your network. Note: This option works only with Microsoft LDAP servers (Microsoft Exchange or Microsoft Active Directory).

   Port
   The port that SCM uses to auto-detect LDAP servers.

   Server List
   Use this list to explicitly define the LDAP servers you want to use. Enter the LDAP server name and port value. The LDAP server is usually the MS Exchange computer or an Active Directory domain controller. For Active Directory, set the LDAP server name to a domain controller that is also a Global Catalog server. The port number for a normal domain controller is 389; for Global Catalog queries, set the port value to 3268. To allow high availability of LDAP, you may define more than one LDAP server in the list.
   eTrust SCM uses the servers in the list from top to bottom. If the first server is unavailable, eTrust SCM tries the second server, and so on.

   Requires a Secure Connection (SSL)
   Check this box if you want to ensure that eTrust SCM connects only through a secure connection. Without it, the login account password and every directory query cross the network in cleartext on the ports above; with LDAP over SSL, Active Directory listens on 636 for a domain controller and 3269 for the Global Catalog, so set the port values in the Server List to match.

   Login Account and Password
   Enter the login account and password for the LDAP server(s). For Exchange, use one of the account names prefixed with CN=, for example CN=admin. Otherwise you can enter the login account directly without any prefix. Use a dedicated account with read-only directory rights: eTrust SCM stores these credentials and only needs to look up addresses and list memberships.

Enterprise LDAP Dictionary Settings

You can define or update the predefined settings for the LDAP server. The default settings are for the MS Exchange server.

To define LDAP dictionary settings, follow these steps:

1. Click Dictionary. The LDAP Dictionary settings appear.

2. Modify the default values as appropriate. If the LDAP server definitions vary from the default values, review the LDAP schema and correct the values accordingly.

   Base DN
   The Active Directory server requires a specific company base distinguished name (base DN). Modify the Base DN field by entering the base DN that reflects your company domain; each DNS label becomes one dc= component. Examples include the following:
   linux.org usually has a base DN of dc=linux,dc=org
   ca.com has a base DN of dc=ca,dc=com

   Exchange
   Use an account name prefixed with CN=, for example CN=admin.

   Other LDAP servers
   Other LDAP servers usually require a complete distinguished name (DN), with the components separated by commas. For example:
   CN=eTrust Content Control,OU=Groups,OU=Europe Middle East Africa,DC=ca,DC=com

3. Click Test when you are finished to verify that all settings are correct. You can test using both a single email address and a distribution list.

4. Click Load Default Values to specify whether to use Microsoft Exchange or Microsoft Active Directory (AD) as the LDAP server.

5. Click OK to save the parameters and close the dialog.

Enterprise LDAP Advanced Settings

Use LDAP advanced settings to fine tune the SMTP engine filter and Quarantine Manager settings.

To define LDAP advanced settings, follow these steps:

1. Click Advanced. The LDAP Advanced settings appear.

2. Modify the default values as appropriate.

   SMTP Engine Filter
   To block spam attacks aimed at many recipients (sessions that probe large numbers of invalid addresses), configure the threshold value for the number of invalid recipients a session may contain before it is blocked. If the LDAP server(s) are not available, you can configure the SMTP filter engine to block all sessions. The default value, allow, treats email traffic as if no LDAP server were configured, so recipients are accepted unvalidated while the directory is down; choose block if you prefer to fail closed.

   Quarantine Manager
   Check the Primary Account box to have Quarantine Manager channel email from senders with multiple accounts into one primary account. Check the Distribution List Management by Owner box to have Quarantine Manager channel email meant for a distribution list to only the list owner.

   Cache
   To avoid a costly LDAP query for every recipient, eTrust SCM caches lookup results. CA recommends a cache size and expiration time that can manage double the expected total user account traffic.

3. Click OK to save the parameters and close the dialog.

Testing LDAP Settings

LDAP settings should be tested to verify that all settings are properly defined. To test the LDAP settings, follow these steps:

1. Click Test. The LDAP Test page appears.
2. Enter either a single person's email address or a distribution list email address.
3. Click Send Query. In a few moments the query results appear.
4. Review the information in the Result pane. If the configuration is correct, the test was successful.
   If the results show a failure, repeat the previous configuration steps and check for any errors.

Configuring eTrust Embedded IAM

The following functionality requires connecting to the Active Directory through Embedded IAM (EIAM):
Quarantine Manager self-administration authentication
Role based management

You must adjust the following settings to connect EIAM to the Active Directory.

Starting the Embedded IAM Utility

To start eTrust Embedded IAM, follow these steps:
1. Select Start, Programs, Computer Associates, eTrust, eTrust SCM, Embedded IAM UI. The eTrust Embedded Identity and Access Management login web page appears.
2. Select the eTrust SCM application from the drop down menu.
3. Enter the password that you defined when you installed eTrust SCM and click Login. The eTrust Embedded Identity and Access Management utility opens.

Setting Global Users and Global Group Settings

To use Embedded IAM with your organization's Active Directory, follow these steps:
1. Select the Embedded IAM server link from the Configure tab.
2. Select Global Users/Global Groups.
3. Select Reference from an external directory.
4. Configure the Active Directory properties. [Screen capture in the original: sample settings for Microsoft Active Directory.]
5. Save your changes using the Save button, and verify that a green check status is highlighted next to both Status checks.

Managing Roles Using eTrust Embedded Identity and Access Management

You can use eTrust Embedded Identity and Access Management (Embedded IAM) to add Active Directory users to an Embedded IAM database, define users, and assign eTrust SCM access permissions to fit user roles within your organization.

Create the Embedded IAM Database

You need to create the Embedded IAM database before you can add users and assign user permissions.

To create the Embedded IAM Database
1. Open the eTrust SCM Manager Console.
2. Select Tools, eTrust Embedded IAM, Database Actions. The eTrust Embedded IAM Database Actions dialog appears.
3. Enter the Embedded IAM password and Embedded IAM server location that you defined when you installed eTrust SCM.
4. Open the Action drop down and select Create Role based database.
5. Click Execute. eTrust SCM creates the database. When the process completes, a success or failure execution status appears in the Result field.
6. Click Close to complete the process.

Define Users in the Embedded IAM Database

To enable an Active Directory user to log onto the eTrust SCM Manager Console, you need to define the user in the Embedded IAM database.

Note: Embedded IAM must be able to connect with Active Directory before you can add an eTrust SCM user. See Setting Global Users and Global Group Settings above for more information on connecting Embedded IAM to Active Directory.

To add Active Directory users to the Embedded IAM database
1. Select Start, Programs, Computer Associates, eTrust, eTrust SCM, Embedded IAM UI. The eTrust Embedded Identity and Access Management logon dialog appears.
2. Select Application, eTrust SCM.
3. Enter the Embedded IAM user name and password that you specified when installing eTrust SCM, and then click Log In. The Embedded IAM web interface appears.
4. Select Manage Identities, Users. The Manage Identities, Users sub tab appears.
5. Select a search attribute from the Attribute drop down and enter a matching value in the Value field. For example, to search by last name, select Last Name and then enter the user's last name in the Value field. Note: User Name is the Active Directory user ID, not a combination of a user's first and last name.
6. Select an appropriate operator.
7. Click Go. The user appears in the Users panel.
8. Assign permission levels to the user (see page 102) and then click Save. The user is added to the Embedded IAM database and is ready for eTrust SCM access.

Note: A user can log onto eTrust SCM with an Active Directory user ID only after you have defined the user in Embedded IAM and have logged out of the Embedded IAM web interface. eTrust SCM uses Embedded IAM to validate the user on the domain controller. If authentication is successful, the user can log onto the Manager Console with the assigned permission level.

Assign User Permission Levels

To assign a permission level to a user, you add the user to an appropriate group. Because eTrust SCM data can be confidential, we recommend defining users so that each is granted only the specific Manager Console capabilities they need. Administrator permissions provide unlimited access to eTrust SCM for viewing data, creating rules, and changing parameters, so reserve that group for the people who actually administer the product. There are three types of users, each with specific access levels:

User / Permissions   Configure Settings   Read Settings   View Data
Administrator        Yes                  Yes             Yes
Power User           No                   Yes             Yes
Standard User        No                   No              Yes

To assign a permission level to a user
1. Click the user name in the Users tree view.
2. Click Add Application User Details in the right pane.
3. Click an available user group to which to add the user, then click the right pointing arrow. The group is added to the user's list of selected user groups.
4. Click Save. The process is complete.

Change User Permission Levels

To change the permission levels for a user, remove the user from a group or add the user to different groups.

To change the permission levels for a user
1. Click the user name in the Users tree.
2. Add or remove the user to or from groups:
   Click or Ctrl-click one or more selected user groups from which to remove the user, then click the left pointing arrow.
   Click or Ctrl-click one or more available user groups to which to add the user, then click the right pointing arrow.
   The user is added to or removed from the selected groups.
3. Click Save. The process is complete.

Remove All Permission Levels From a User

To remove all permission levels from a user, effectively removing all of the user's access rights, remove the user from all groups.

To remove all permission levels from a user
1. Click the user name in the Users tree.
2. Ctrl-click all of the selected user groups, then click the left pointing arrow. The user is removed from all groups.
3. Click Save. The process is complete.

Maintain the Embedded IAM Database

You can maintain the Embedded IAM database by purging and rebuilding the database or by exporting the database for use in another Embedded IAM installation.

1. Open the eTrust SCM Manager Console.
2. Select Tools, eTrust Embedded IAM, Database Actions. The eTrust Embedded IAM Database Actions dialog appears.
3. Enter the EIAM password and server location defined during installation.
4. Select one of the following actions:
   Export Role-based database
   Exports the Embedded IAM database so you can use it with another eTrust SCM or Embedded IAM installation. The export contains your role assignments, so store it where only administrators can read it.
   Import Role-based database
   Imports an exported Embedded IAM database.
   Delete Role-based database
   Permanently deletes the currently installed Embedded IAM database. Important! Once you delete a database, you cannot recover it, so export it first if you may need the role assignments again.
   Create Role-based database
   Creates a new empty database if you have deleted the existing database.
5. Click Execute. When the process completes, a success or failure execution status appears in the Result field.
6. Click Close to complete the process.
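The recipient validation configured under Enterprise LDAP Advanced Settings earlier in this chapter combines several of the settings above: the Server List walked top to bottom, the lookup cache, the invalid-recipient threshold, and the allow-or-block behaviour when no LDAP server answers. The following is an added example, not part of eTrust SCM or CA's documentation, that models that logic so the interaction of the settings can be seen on sample input. The servers, the directory contents, and the function names are constructed for the example; nothing here performs a real LDAP bind.

```javascript
// Added example, not part of eTrust SCM or its documentation: a model of the
// LDAP-backed recipient validation described under Enterprise LDAP Advanced
// Settings. The "servers" below are constructed stand-ins for the Server List;
// no real LDAP bind is performed.

// Derive the Base DN that the Dictionary settings expect from a DNS domain,
// one dc= component per label (ca.com -> dc=ca,dc=com).
function baseDnFromDomain(domain) {
  return domain.toLowerCase().split('.').filter(Boolean)
    .map(label => 'dc=' + label).join(',');
}

// A constructed LDAP server: `up` simulates reachability and `entries` holds
// the mail addresses the directory knows about.
function makeServer(name, port, up, entries) {
  return {
    name: name,
    port: port,
    lookup: function (address) {
      if (!up) throw new Error('LDAP ' + name + ':' + port + ' unreachable');
      return entries.has(address);
    },
  };
}

// Walk the Server List top to bottom, as the General settings describe,
// and fail only when every server failed.
function lookupWithFailover(servers, address) {
  let lastError = new Error('no LDAP servers configured');
  for (const server of servers) {
    try {
      return server.lookup(address);
    } catch (err) {
      lastError = err;
    }
  }
  throw lastError;
}

// Expiring cache with a size bound, modelling the Advanced > Cache settings.
// `now` is injectable so that expiry can be tested without waiting.
function makeCache(maxSize, ttlMs, now) {
  const clock = now || (() => Date.now());
  const map = new Map();
  return {
    get: function (key) {
      const hit = map.get(key);
      if (hit === undefined) return undefined;
      if (hit.expires <= clock()) { map.delete(key); return undefined; }
      return hit.value;
    },
    set: function (key, value) {
      if (map.size >= maxSize) map.delete(map.keys().next().value); // evict oldest
      map.set(key, { value: value, expires: clock() + ttlMs });
    },
    size: function () { return map.size; },
  };
}

// Evaluate one SMTP session's recipient list.
//   policy.invalidRecipientThreshold: block the session once this many
//     recipients are unknown to the directory (the SMTP Engine Filter threshold)
//   policy.ldapUnavailable: 'allow' (default: behave as if no LDAP server were
//     configured, i.e. accept every recipient) or 'block' (fail closed)
function evaluateSession(recipients, servers, cache, policy) {
  const accepted = [];
  let invalid = 0;
  for (const rcpt of recipients) {
    const key = rcpt.toLowerCase();
    let known = cache.get(key);
    if (known === undefined) {
      try {
        known = lookupWithFailover(servers, key);
      } catch (err) {
        if (policy.ldapUnavailable === 'block') {
          return { action: 'block', reason: 'ldap-unavailable', accepted: [] };
        }
        return { action: 'allow', reason: 'ldap-unavailable', accepted: recipients.slice() };
      }
      cache.set(key, known);
    }
    if (known) {
      accepted.push(rcpt);
    } else if (++invalid >= policy.invalidRecipientThreshold) {
      return { action: 'block', reason: 'invalid-recipient-threshold', accepted: [] };
    }
  }
  return { action: 'allow', reason: 'ok', accepted: accepted };
}
```

Note how the default allow policy behaves when every server in the list is down: the whole recipient list is accepted without validation, which is exactly the trade-off the Advanced Settings ask you to make. Negative results are cached as well as positive ones, so a burst of invalid addresses does not turn into a burst of LDAP queries.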
Configuring eTrust SCM With Your Email Server

You can install and configure eTrust SCM with your mail server in two locations:
On a computer other than your mail server computer
On your mail server computer

The most direct way to configure eTrust SCM is to install it on a computer other than the mail server. This configuration does not require any modification to your mail server, although you must modify your DNS information. With this configuration, the eTrust SCM SMTP filtering engine receives your email, checks it according to the rule filters, and forwards it to your mail server. Hosts on the Internet connect to your eTrust SCM computer, so the location of your mail server remains unknown to them. If you are using a firewall to route incoming email to your local mail server, you have to configure the firewall to forward incoming email to the eTrust SCM computer rather than to your local mail server. With a firewall, you can further protect your mail server by disallowing any outside connections except to the eTrust SCM computer, so that a sender who learns the mail server's address cannot deliver to it directly and bypass filtering.

Installing eTrust SCM and your mail server on the same computer requires that you modify your mail server configuration so that it does not listen on port 25 on the TCP/IP address that eTrust SCM uses. Your mail server must listen on a different TCP/IP port so that eTrust SCM can forward email to that port.

Installation on a Dedicated Computer

When installing eTrust SCM on a dedicated computer other than your mail server, configure eTrust SCM to receive email at the eTrust SCM computer and configure the mail server to forward outgoing email to eTrust SCM.

Note: CA recommends that, until you understand your organization's email traffic patterns, you use only the eTrust SCM default rule filters and alerting actions.
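The dedicated-computer layout relies on public DNS pointing inbound mail only at the eTrust SCM host: the procedures that follow change the MX record of your domain to the eTrust SCM computer and add an A record for it. If the old MX record for the mail server survives, or the new MX target has no address record, mail either bypasses filtering or stops flowing. The following is an added example, not part of eTrust SCM or CA's documentation, that parses zone lines in the "owner IN TYPE rdata" layout this chapter uses and reports those mistakes. The host names and addresses in the test data, and the function names, are constructed for the example.

```javascript
// Added example, not part of eTrust SCM or its documentation: a sanity check
// for the DNS cutover in this chapter. Zone lines are parsed in the
// "owner IN TYPE rdata" layout the manual uses; the host names and addresses
// in the test data are constructed for the example.

function stripDot(name) {
  return name.toLowerCase().replace(/\.$/, '');
}

// Parse MX and A records from zone text; other record types, comments (;)
// and blank lines are ignored. An MX line may carry a preference value
// ("MX 10 host") or, as written in this chapter, omit it ("MX host").
function parseZone(text) {
  const records = [];
  for (const raw of text.split('\n')) {
    const line = raw.replace(/;.*$/, '').trim();
    if (!line) continue;
    const fields = line.split(/\s+/);
    if (fields.length < 4 || fields[1].toUpperCase() !== 'IN') continue;
    const owner = stripDot(fields[0]);
    const type = fields[2].toUpperCase();
    const rdata = fields.slice(3);
    if (type === 'MX') {
      const hasPref = rdata.length >= 2 && /^\d+$/.test(rdata[0]);
      records.push({
        owner: owner,
        type: type,
        pref: hasPref ? Number(rdata[0]) : null,
        host: stripDot(hasPref ? rdata[1] : rdata[0]),
      });
    } else if (type === 'A') {
      records.push({ owner: owner, type: type, address: rdata[0] });
    }
  }
  return records;
}

// Check that inbound mail for `domain` can only arrive via `scmHost`.
// Returns a list of findings; an empty list means the cutover looks right.
function checkMailCutover(zoneText, domain, scmHost, mailServer) {
  const records = parseZone(zoneText);
  const apex = stripDot(domain);
  const scm = stripDot(scmHost);
  const mail = stripDot(mailServer);
  const mx = records.filter(r => r.type === 'MX' && r.owner === apex);
  const aNames = new Set(records.filter(r => r.type === 'A').map(r => r.owner));
  const findings = [];

  if (mx.length === 0) findings.push('no MX record for ' + apex);
  for (const r of mx) {
    if (r.pref === null) findings.push('MX ' + r.host + ' has no preference value');
    if (!aNames.has(r.host)) findings.push('MX target ' + r.host + ' has no A record');
    if (r.host === mail) {
      findings.push('mail server ' + mail + ' is still an MX target: senders can bypass eTrust SCM');
    }
  }
  if (!mx.some(r => r.host === scm)) findings.push(scm + ' is not an MX target for ' + apex);
  return findings;
}
```

Run the check against the zone as it will be published, not against a local copy of the old one; the finding you most want to see absent is the one about the mail server still being an MX target, since a lower-priority MX pointing at the mail server is a standing invitation to deliver around the filter.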
How to Configure eTrust SCM on a Dedicated Computer

To configure eTrust SCM on a dedicated computer, perform the following steps for your specific mail server:

For Exchange 5.5
1. Install eTrust SCM to forward email to the Exchange computer.
2. Set connectors in Exchange to forward all email to eTrust SCM.
3. Forward outgoing email in Exchange 5.5 to eTrust SCM.

For Exchange 2000
1. Install eTrust SCM to forward email to the Exchange computer.
2. Set connectors in Exchange to forward all email to eTrust SCM.
3. Forward outgoing email in Exchange 2000 to eTrust SCM.

For Domino 6.x
1. Install eTrust SCM to forward email to the Lotus Domino computer.
2. Forward outgoing email in Lotus Domino to eTrust SCM.

Installing eTrust SCM on a Dedicated Computer

This procedure shows how to receive email on your eTrust SCM computer. To install eTrust SCM on a computer other than your mail server, follow these steps:

1. Start the eTrust SCM installation on a dedicated computer that forwards email to the mail server computer. During the installation, the Mail Relay Settings dialog appears.

2. Define relay settings as described in Domain Route List (see page 20).

3. Change the DNS records for your domain so that email for your domains is sent to your eTrust SCM computer. For example, if your domain name is company.com and your mail server name is mail.company.com, your existing DNS entry is probably as follows (an MX record always carries a preference value, 10 here):

   company.com.  IN  MX  10  mail.company.com.

4. Add an A record for your eTrust SCM computer that defines the IP address of the computer on which eTrust SCM is installed. The host name must be a valid DNS label, so it cannot contain spaces. For example:

   etrustscm.company.com.  IN  A  10.1.1.5

5. Change the MX record for your domain from mail.company.com to the eTrust SCM host. For example:

   company.com.  IN  MX  10  etrustscm.company.com.

   Do not leave the old MX record for mail.company.com in place alongside the new one; if it remains, mail can still be delivered to the mail server directly.

Forward Email in Exchange 5.5

When eTrust SCM is installed on a computer other than your mail server, you must forward outgoing email to eTrust SCM. To configure Exchange 5.5 to forward outgoing email to eTrust SCM, follow these steps:
1. On the Microsoft Exchange Server, run Microsoft Exchange Administrator.
2. Select Configuration, Connections, Internet Mail Service. The Internet Mail Service (STREAM) Properties dialog appears.
3. Click the Connections tab.
4. Under Message Delivery, select Forward all messages to host and enter the IP address of your eTrust SCM server. For example, enter 10.10.10.1.
5. Click OK.
6. From the Services Manager in the Control Panel, stop and start the Microsoft Exchange Internet Mail Service.

Forward Email in Exchange 2000

When eTrust SCM is installed on a computer other than your mail server, you must forward outgoing email to eTrust SCM. To configure Exchange 2000 to forward outgoing email to eTrust SCM, follow these steps:
1. Open the Exchange System Manager.
2. Select Servers, Server Name, Protocols, SMTP.
3. Right-click Virtual Server and choose Properties. The Default SMTP Virtual Server Properties dialog appears.
4. Click the Delivery tab and click the Advanced button. The Advanced Delivery dialog appears.
5. In the Smart Host field, enter the IP address of the eTrust SCM server in square brackets (for example, [10.10.10.1]). The brackets tell Exchange to use the address literally instead of looking up an MX record for it.
6. Clear the Attempt direct delivery before sending to smart host check box.
7. Click OK on both dialogs.

Set Connectors in Exchange

If your site uses SMTP Exchange connectors, you must configure the connectors to forward email to the eTrust SCM server. To do this, follow these steps:
1. Open the Exchange System Manager and select Connectors, SMTP Connector. The eTrust SCM Properties dialog appears.
2. On the General tab, select Forward all mail through this connector to the following smart hosts.
3. Enter, within brackets, the IP address of the eTrust SCM server (for example, [10.10.10.1]), and click OK.

Forward Email in Lotus Domino

When eTrust SCM is installed on a computer other than your mail server, you must forward outgoing email to eTrust SCM. To configure Lotus Domino r6 to forward outgoing email to eTrust SCM, follow these steps:
1. Open the Notes Administrator.
2. Click the Configuration tab.
3. Select Messaging, Messaging Settings, Message settings, Basics.
4. Specify the IP address of the eTrust SCM machine in Relay Host for messages leaving the local internet domain.

Note: The next two steps cause the changes to take effect by stopping and restarting the Domino SMTP service. Instead of performing them at the server console, you can use a remote session from the Domino Administrator.

5. From the Domino server console, enter: Tell SMTP quit
6. When the SMTP service stops, enter: load SMTP
7. To check that the SMTP task is running again, enter: sh tasks

Installing on the Mail Server Computer

Most mail servers can be configured to run with eTrust SCM SMTP on the same computer. However, CA recommends that you install eTrust SCM and your mail server on different computers. If that is not possible, try at least to separate the eTrust SCM HTTP/FTP engine, the eTrust SCM quarantine server, and the report server onto a different computer by using the eTrust SCM distributed management capabilities.
Running eTrust SCM and your mail server on the same computer can be an easy way to start if you have enough capacity on your mail server. This configuration requires only one computer and does not require that you modify your MX information. In an SMB environment, this configuration can work well. You do, however, need to change the port number that the mail server listens on, because eTrust SCM takes over port 25.

How to Configure eTrust SCM on Your Email Server

By default, eTrust SCM uses the same port for SMTP email (25) as Microsoft Exchange and Lotus Domino. To configure eTrust SCM to run on the same computer as Microsoft Exchange or Lotus Domino, perform the following steps for your specific mail server:

For Exchange 5.5
1. Forward outgoing email in Exchange 5.5 to eTrust SCM.
2. Change the port number in the Exchange 5.5 services file.
3. Set connectors in Exchange to forward all email to eTrust SCM.
4. Install eTrust SCM to forward email to the Exchange computer.

For Exchange 2000
1. Change the port number in Exchange 2000.
2. Forward outgoing email in Exchange 2000 to eTrust SCM.
3. Set connectors in Exchange to forward all email to eTrust SCM.
4. Install eTrust SCM to forward email to the Exchange computer.

For Domino 6.x
1. Change the port number in Lotus Domino.
2. Forward outgoing email in Lotus Domino to eTrust SCM.
3. Install eTrust SCM to forward email to the Domino computer.

Forward Email in Exchange 5.5

To configure Exchange 5.5 to forward outgoing email to eTrust SCM when it is on the same server as Exchange, follow these steps:
1. On the Microsoft Exchange Server, run Microsoft Exchange Administrator.
2. Select Configuration, Connections, Internet Mail Service. The Internet Mail Service (STREAM) Properties dialog appears.
3. Click the Connections tab.
4. Under Message Delivery, select Forward all messages to host and enter the fully-qualified domain name of the local host or an IP address (do not use 127.0.0.1).
5. Click OK.
6. From the Services Manager in the Control Panel, stop and start the Microsoft Exchange Internet Mail Service.

Change the Port in the Exchange 5.5 Services File

This procedure changes the default port that Exchange 5.5 uses to listen for inbound SMTP email. You change the port number in the Windows NT services file. To edit the services file and change the default port, follow these steps:
1. With a text editor (such as Notepad) open this file: Winnt\system32\drivers\etc\services
2. Locate the following line:
   smtp    25/tcp    mail
3. Change the port number. For example:
   smtp    2525/tcp    mail
   Note: Be sure that the port number you choose does not conflict with another service on the same computer, and that your firewall does not expose the new port to the Internet; otherwise mail could be delivered to Exchange directly, bypassing eTrust SCM.
4. Save the services file.
5. From the Services Control Panel, stop and start the Microsoft Exchange Internet Mail Service.

Change the Port in Exchange 2000

When eTrust SCM is on the same computer as your mail server, you must change the default port that Exchange 2000 listens on. To change the default port number, follow these steps:
1. Open the Exchange System Manager.
2. Select Servers, Server Name, Protocols, SMTP.
3. Right-click Virtual Server and choose Properties.
4. Click the General tab and click the Advanced button. The Advanced dialog appears.
5. Click Edit and change the TCP port to any available port on the local computer except port 25.
6. Click OK on both dialogs.

Forward Email in Exchange 2000

When eTrust SCM is on the same computer as your mail server, you must forward outgoing email to eTrust SCM in Exchange 2000. To forward outgoing email, follow these steps:
1. Open the Exchange System Manager.
2. Select Servers, Server Name, Protocols, SMTP.
3. Right-click Virtual Server and choose Properties.
4. Click the Delivery tab and click the Advanced button. The Advanced Delivery dialog appears.
5. In the Smart Host field, enter the fully-qualified domain name of the local host or a unique IP address in brackets (do not use [127.0.0.1]).
6. Clear this option: Attempt direct delivery before sending to smart host.
7. Click OK on both dialogs.

Set Connectors in Exchange

If your site uses SMTP Exchange connectors, you must configure the connectors to forward all email to the eTrust SCM server. To do this, follow these steps:
1. Open the Exchange System Manager and select Connectors, SMTP Connector. The eTrust SCM Properties dialog appears.
2. On the General tab, select Forward all mail through this connector to the following smart hosts.
3. Enter, within brackets, the fully-qualified domain name of the local host or a unique IP address. Do not use [127.0.0.1].

Change the Port in Lotus Domino

When eTrust SCM is on the same computer as your mail server, you must change the default port that Lotus Domino listens on. To change the default port number, follow these steps:
1. Open the Domino Server Administrator.
2. Select a Domino server.
3. Click the Configuration tab.
4. Select Server, Current Server Document.
5. Click the Ports tab, the Internet Ports tab, and the Mail tab.
6. Change the Mail SMTP Inbound port to 2525.

Note: The next two steps cause the changes to take effect by stopping and restarting the Domino SMTP service. Instead of performing them at the server console, you can use a remote session from the Domino Administrator.

7. From the Domino server console, enter: Tell SMTP quit
8. When the SMTP service stops, enter: load SMTP
9. To check the SMTP listening port, enter: sh tasks
   or, from another computer: Telnet <IP ADDRESS> 2525

Forward Email in Lotus Domino

When you install eTrust SCM on the same computer as your mail server, you must forward outgoing email to eTrust SCM in Lotus Domino. To forward outgoing email, follow these steps:
1. Open the Notes Administrator.
2. Click the Configuration tab.
3. Select Messaging, Messaging Settings, Message settings, Basics.
4. Specify the IP address of the eTrust SCM machine in Relay Host for messages leaving the local internet domain.

Note: The next two steps cause the changes to take effect by stopping and restarting the Domino SMTP service. Instead of performing them at the server console, you can use a remote session from the Domino Administrator.

5. From the Domino server console, enter: Tell SMTP quit
6. When the SMTP service stops, enter: load SMTP
7. To check that the SMTP task is running again, enter: sh tasks

Install eTrust SCM

1. Start the eTrust SCM installation on the same computer on which your mail server is running. During the installation, the Mail Relay Settings dialog appears.
2. Configure the mail relay settings as explained in Domain Route List (see page 20). The Mail Server address is the physical machine's address, but you must specify the new port you have defined for your mail server (eTrust SCM itself uses port 25).
3. Enter the physical IP address and the port number of your mail server. You can use any port number except 25, which is the default SMTP port.
4. Finish the installation wizard.

Configuring the Browser Proxy

To enable eTrust SCM proxy web filtering, administrators must instruct the client browser to route its traffic through an eTrust SCM HTTP/FTP proxy server.
This chapter describes various approaches to configuring and distributing client browser configurations to match updated proxy configurations in your network environment. You can configure web browsers to use a web proxy or cache in the following ways:

Manual Configuration
With manual configuration, each browser is configured to route Internet traffic through the proxy. The proxy hostname/IP and port settings are entered explicitly for each protocol, with any exclusions for sites that can always be accessed directly. This option is available with all but the very early browsers that predated web proxy and cache servers.

Proxy Automatic Configuration Script
With automatic proxy configuration, an administrator can control browser settings on client computers from one central location. You configure a single URL that identifies a configuration script which tells the browser which proxy to use for each request; the choice can vary by request URL. The browser executes the auto-configuration script whenever a network request is made. Within the script, an administrator can configure multiple proxy servers for each protocol type; if a proxy server connection fails, the browser automatically attempts to connect to the next proxy server that you have specified. Because this functionality requires browser JavaScript support, very early web browser versions may not support it.

Automatic Proxy Detection
The automatic detection feature enables automatic configuration and automatic proxy selection when a user connects to a network for the first time. With automatic detection turned on, the browser is automatically configured when it is started, even if you did not customize the browser. Automatic detection of browser settings is based on the Web Proxy Auto-Discovery protocol (WPAD) and is supported by both Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS). Because the browser trusts whatever DHCP or DNS answer it receives for WPAD, whoever controls those services on the client's network decides which proxy the client uses, so protect them accordingly.
Microsoft Internet Explorer 5.0 and 6.0 for Windows are the only widely-used browsers that support WPAD; as a draft Internet standard, however, WPAD is likely to become more widely available over time.

Configuring a Browser for Manual Proxy

To specify eTrust SCM proxy server and proxy bypass settings using Internet Explorer 5.0 or 6.0, follow these steps:
1. Open Internet Explorer.
2. From the Internet Explorer menu bar, select Tools, Internet Options. The Internet Options dialog appears.
3. Click the Connections tab, and then click LAN Settings. The LAN Settings dialog appears.
4. In the Proxy server area, select the Use a proxy server... check box.
5. Type the Proxy IP Address and Port number for your proxy server.
6. Click OK and then click OK again.

To use Netscape 7.0 to specify eTrust SCM proxy server and proxy bypass settings, follow these steps:
1. Open Netscape.
2. Select Edit and then click Preferences. The Navigator Preferences dialog appears.
3. Double click Advanced (at the bottom of the choice list at far left), and then select Proxies. The Proxies dialog appears.
4. Select Manual Proxy Configuration and type the proxy IP Address and port number for each protocol (HTTP, FTP, SSL).

Configuring Your Browser for Proxy Automatic Configuration (PAC)

The Proxy Automatic Configuration (PAC) method enables web clients to use automatic configuration script settings with Netscape and Internet Explorer browsers. Automatic proxy configuration support provides a form of transparency: clients configure a browser to point to a proxy automatic configuration (PAC) file rather than to a specific proxy server.
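An added example of such a PAC file follows; it is not from CA's documentation and goes further than the short examples later in this section by combining proxy failover with an intranet bypass and by deliberately omitting a DIRECT fallback for Internet hosts, so that an outage of the eTrust SCM proxies does not silently turn into unfiltered access. The proxy names and ports, the company.com domain, and the 10.0.0.0/8 intranet range are assumptions for the example. The helper functions isPlainHostName, dnsDomainIs and isInNet are normally provided by the browser; they are re-implemented here (an assumption about their behaviour, sufficient for the test) so that the file also runs under Node, and should be removed from the deployed file so the browser's own versions are used.

```javascript
// Added example, not from CA's documentation: a PAC file that routes every
// HTTP, FTP and HTTPS request through two eTrust SCM proxies in turn and has
// no DIRECT fallback for Internet hosts, so a proxy outage cannot be used to
// skip content filtering. Proxy names and ports, the company.com domain and
// the 10.0.0.0/8 intranet range are assumptions for the example.

// Browsers supply these PAC helpers. They are re-implemented here (assumed
// behaviour, enough for testing under Node); delete them from the file you
// deploy so that the browser's built-in versions are used instead.
function isPlainHostName(host) {
  return host.indexOf('.') === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function isInNet(ip, pattern, mask) {
  // dotted-quad arithmetic only; the browser's version also resolves names
  const toInt = s => s.split('.').reduce((n, o) => (n * 256) + Number(o), 0);
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(pattern) & toInt(mask)) >>> 0);
}

// Proxies are tried left to right; the browser moves to the next entry when a
// connection attempt fails. There is intentionally no "; DIRECT" at the end.
var SCM_PROXIES = 'PROXY scm1.company.com:8080; PROXY scm2.company.com:8080';

function FindProxyForURL(url, host) {
  var scheme = url.substring(0, url.indexOf(':')).toLowerCase();
  // Protocols the HTTP/FTP engine does not filter go direct.
  if (scheme !== 'http' && scheme !== 'https' && scheme !== 'ftp') {
    return 'DIRECT';
  }
  // Internal destinations bypass the proxy: single-label names, the company
  // domain, and literal addresses in the intranet range. Names are not
  // resolved here so that no DNS lookup is paid on every request.
  if (isPlainHostName(host) || dnsDomainIs(host, '.company.com')) {
    return 'DIRECT';
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) && isInNet(host, '10.0.0.0', '255.0.0.0')) {
    return 'DIRECT';
  }
  // Everything else goes through the eTrust SCM proxies and nothing after
  // them. Appending "; DIRECT" (as the manual's second example does) would
  // let clients reach the Internet unfiltered whenever both proxies are down.
  return SCM_PROXIES;
}
```

The trade-off is availability against enforcement: with this file, an outage of both proxies stops Internet browsing rather than bypassing the filter, which is usually what a content-filtering deployment wants. Whether *.company.com should bypass the proxy depends on whether any of those names are Internet-facing; narrow the bypass if they are.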
As a result, the system administrator can modify the configuration with little impact on clients, who reload their automatic configuration files and are directed automatically to the new configuration. Server administrators can use this capability to reroute requests when servers are down, to balance workload, to send requests for specific URLs to specific proxies, or for other reasons specific to their installation. Note that a changed PAC file is reloaded only when the browser is restarted.

PAC is a browser function that enables dynamic server selection. The PAC file is a JavaScript file that includes functions that the client browser calls before retrieving a URL. The functions return values indicating whether a proxy server, a SOCKS server, or a direct connection is used to service the request. The returned list can also name fallback servers, so that the request is redirected if the first connection is down. When a client's browser is set to auto-proxy, it calls the JavaScript PAC file each time the user requests a URL. The Proxy Auto-Configuration page lets you create a PAC file that contains some basic functions.

To configure your browser using PAC options, follow these steps:
1. Create a standard PAC file using WordPad or another plain-text editor.
2. Implement the JavaScript function FindProxyForURL(url, host). You can use the PAC files in the examples provided below. For more information about the PAC file format, visit http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html.
3. Store the file in the document root directory of your web server under a meaningful name (for example, myfile.pac).
4. Confirm that a URL such as http://www.mywebsrv.com/myfile.pac displays the script text in the browser window.
5. Configure your client browser.

When using Internet Explorer 5.0 or 6.0, follow these steps:
1. Select Tools, Internet Options. The Internet Options dialog appears.
2. Click the Connections tab, and then click LAN Settings.
The LAN Settings dialog appears.
3. In the Automatic configuration area, select the Use automatic configuration script check box and type the URL of your proxy auto-configuration file.

When using Netscape 7.0, follow these steps:
1. Select Edit, and then click Preferences. The Preferences dialog appears.
2. Double-click the Advanced item, and then select Proxies. The Proxies dialog appears.
3. Select Automatic proxy configuration URL and type the URL of your proxy auto-configuration file.

Note: You can use the eTrust SCM proxy engine directory instead of a web server. When using the eTrust SCM proxy engine directory, do the following:
Store the configuration file in the engine directory of the eTrust SCM HTTP proxy (for example, C:\Program Files\CA\Common\ScanGateway) under the name proxy.pac.
Configure your browser with the auto-configuration URL http://<eTrust SCM HTTP proxy IP>:<eTrust SCM HTTP proxy port>/proxy.pac.

PAC File Examples
The value returned by FindProxyForURL is a semicolon-separated list that the browser tries in order. A proxy entry must carry the PROXY keyword (PROXY host:port); DIRECT means no proxy.

All clients through one proxy server for http/ftp requests:

  function FindProxyForURL(url, host) {
    // go through the eTrust SCM proxy
    if ( url.substring(0, 5) == "http:" ||
         url.substring(0, 4) == "ftp:" ||
         url.substring(0, 6) == "https:" )
      return "PROXY <eTrust SCM HTTP/FTP proxy IP>:<proxy port>";
    // Otherwise, go directly to the origin server
    return "DIRECT";
  }

Some clients through one proxy server for http/ftp requests:

  function FindProxyForURL(url, host) {
    // Make 130.119.*.* stations go through the eTrust SCM proxy
    if ( ( url.substring(0, 5) == "http:" ||
           url.substring(0, 4) == "ftp:" ||
           url.substring(0, 6) == "https:" ) &&
         isInNet(myIpAddress(), "130.119.0.0", "255.255.0.0") )
      return "PROXY <eTrust SCM HTTP/FTP proxy IP>:<proxy port>";
    // Otherwise, go through another proxy, falling back to a direct connection
    return "PROXY euproxy.ca.com:80; DIRECT";
  }

Configuring Your Browser for Web Proxy Automatic Discovery (WPAD)
Web Proxy Auto-Discovery (WPAD)
enables web clients to detect proxy settings automatically without user intervention. The algorithm used by WPAD prefixes the host name wpad to the client's fully qualified domain name and progressively removes subdomains until it either finds a WPAD server answering to the host name or reaches the third-level domain. For example, web clients in the domain a.b.mydomain.com query wpad.a.b.mydomain.com, then wpad.b.mydomain.com, and then wpad.mydomain.com. Because the browser trusts whichever host answers for the wpad name, register that name in your own DNS zone (and control DHCP option 252 if you use DHCP for discovery) so that no other host on the network can supply the script.

To configure your browser for WPAD, follow these steps:
1. Create a standard PAC file.
2. Store the file in the document root directory of your web server as wpad.dat. You should be able to use an HTTP redirect if you want to store the wpad.dat file in another location.
3. Ensure that a URL such as http://www.mydomain.name/wpad.dat displays the script text in your browser window.
4. Create a DNS record so that wpad.mydomain.name resolves to the host above, where a functioning auto-configuration script is served. For testing, you can use the Hosts file on your computer to create the mapping, for example: wpad.mydomain.name <IP address of your web server>.
5. Open Internet Explorer and select Tools, Internet Options. The Internet Options dialog appears.
6. Click the Connections tab, and then click LAN Settings. The LAN Settings dialog appears.
7. To test your WPAD settings, in the Automatic configuration area select the Use automatic configuration script check box, type your WPAD URL (for example, http://www.mydomain.name/wpad.dat), and verify that everything works properly.
8. In the Automatic configuration area of the Local Area Network (LAN) Settings dialog, clear the Use automatic configuration script check box and confirm that Automatically detect settings is the only check box selected.
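The WPAD name walk and the PAC evaluation described in this section, as an added example that is not part of the guide or of eTrust SCM: a small offline harness that performs the discovery against a constructed DNS map, loads the discovered script as text (the way a browser does) with stand-ins for the isInNet, dnsDomainIs, isPlainHostName and myIpAddress helpers, and returns the ordered list of proxies the browser would try. The client name pc1.a.b.mydomain.com, the client address 130.119.7.21, the WPAD host 10.0.0.9 and the proxies 10.0.0.5:8080 and 10.0.0.6:8080 are assumed values.

```javascript
// Added example, not from the guide: WPAD discovery followed by PAC evaluation, offline.
// DNS, the client name and address, and the proxy addresses below are constructed.

// ---- WPAD name walk ---------------------------------------------------------
// Candidate names, most specific first. The walk stops before the registrable domain
// so that a name such as wpad.com, which belongs to someone else, is never queried.
function wpadCandidates(clientFqdn) {
  const labels = clientFqdn.toLowerCase().split(".").filter(Boolean);
  const names = [];
  for (let i = 1; i <= labels.length - 2; i++) names.push("wpad." + labels.slice(i).join("."));
  return names;
}

// resolver(name) returns an address or null; a browser would use DNS (after DHCP option 252).
function discoverPacUrl(clientFqdn, resolver) {
  for (const name of wpadCandidates(clientFqdn)) {
    if (resolver(name)) return "http://" + name + "/wpad.dat";
  }
  return null; // nothing answered: the browser goes direct
}

// ---- Stand-ins for the helper functions the browser provides to a PAC script --
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}
function isInNet(host, net, mask) {
  if (!IPV4.test(host)) return false; // a browser would resolve the name first
  const m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function isPlainHostName(host) { return !host.includes("."); }

// ---- Constructed network: DNS answers and the script served at the WPAD URL ----
const DNS = { "wpad.mydomain.com": "10.0.0.9" };
const WEB = {
  "http://wpad.mydomain.com/wpad.dat": `
    function FindProxyForURL(url, host) {
      // Internal names and the 10/8 network (where the proxy itself lives) go direct.
      if (isPlainHostName(host) || dnsDomainIs(host, ".intranet.example") ||
          isInNet(host, "10.0.0.0", "255.0.0.0"))
        return "DIRECT";
      // 130.119.*.* stations go through the eTrust SCM proxy, then a second proxy,
      // and only then directly.
      if ((url.substring(0, 5) == "http:" || url.substring(0, 4) == "ftp:" ||
           url.substring(0, 6) == "https:") &&
          isInNet(myIpAddress(), "130.119.0.0", "255.255.0.0"))
        return "PROXY 10.0.0.5:8080; PROXY 10.0.0.6:8080; DIRECT";
      return "DIRECT";
    }`,
};

// Turn the script text into a callable FindProxyForURL, injecting the helpers.
function loadPac(source, clientIp) {
  const build = new Function("isInNet", "dnsDomainIs", "isPlainHostName", "myIpAddress",
    source + "\nreturn FindProxyForURL;");
  return build(isInNet, dnsDomainIs, isPlainHostName, () => clientIp);
}

// "PROXY a:1; PROXY b:2; DIRECT" -> the ordered attempts the browser will make.
function parseProxyList(result) {
  return result.split(";").map(s => s.trim()).filter(Boolean).map(entry => {
    const [type, addr] = entry.split(/\s+/);
    return { type, addr: addr || null };
  });
}

// The whole path: discover the script, fetch it, evaluate it for one request.
function chooseProxy(url, host, clientFqdn, clientIp) {
  const pacUrl = discoverPacUrl(clientFqdn, name => DNS[name] || null);
  if (!pacUrl || !(pacUrl in WEB)) return [{ type: "DIRECT", addr: null }];
  return parseProxyList(loadPac(WEB[pacUrl], clientIp)(url, host));
}
```

The browser moves to the next entry in the returned list only when the previous one fails to connect, so a list that ends in DIRECT lets traffic bypass the filtering proxy whenever the proxy is down; end the list with a second proxy instead if that is not acceptable.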
Note: To force proxy configuration settings for individual client browsers, the administrator can push the browser settings in the login script. To distribute registry modifications across the network, you can use one of three methods: imported registration (.reg) files, regini.exe, or group or system policies. In the registration method, you determine the proper registry key for your version of IE, export the settings to a .reg file, and then use REGEDIT in the login script to push the settings to the PC. For example, create a setprx.reg file that contains the following:

  REGEDIT4

  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
  "AutoConfigURL"="http://www.mywebsrv.com/wpad.dat"
  "MigrateProxy"=dword:00000001
  "ProxyEnable"=dword:00000001

Import the file silently from the login script with regedit /s setprx.reg.

Chapter 5: Implementation Modes
eTrust SCM is installed with real-time network alerts and email recipient notification enabled. These settings provide the information you need to learn about content threats identified by eTrust SCM. As you become more familiar with eTrust SCM, you migrate your implementation from Alert mode to Notification mode, and then to User Self Management mode. You control the modes by modifying the default rules, creating new rules, and specifying actions in these rules. The eTrust Secure Content Manager Administrator Guide provides procedures for working with rules. As you get started, you should understand the following modes and the process of increasing the security level.

Phase 1 - Alert Mode
In Alert mode, eTrust SCM identifies spam and allows it to be delivered to the user. An alert is displayed on the Manager Console so that you can analyze the possible content threat; the content itself is not blocked. The network content alerts are displayed in real time. You can analyze network activities such as spam email rates, detected viruses, and statistical counters.
Use this mode to learn about your enterprise network activities without blocking content. Note: Because the RBL and Spam Filter engines are not run under a restrictive mode, you may encounter some false-negative alerts. For websites, eTrust SCM displays an alert on the Manager Console when a user tries to access a URL that triggers one of the content rules. By monitoring the alerts, you can decide which URLs to block.

Phase 2 - Notification Mode
In Notification mode, eTrust SCM identifies the spam and automatically notifies email users about the spam detection. The Disclaimer action places a custom message at the top of the email, at the bottom of the email, or in a new email with the original email "wrapped" as an attachment. You can also use the text areas to specify a disclaimer message to display as either plain text or HTML. Notification mode lets you receive feedback from email users and tune the allow list, deny list, RBL provider list, weights, and Advanced Spam Filter accordingly. Notifying email users about content detection lets them know that eTrust SCM is filtering their email. Notification mode does not apply to websites.

Phase 3 - User Self Management Mode
In User Self Management mode, email recipients have control over quarantined emails instead of the administrator alone. In this mode, the Centralized Quarantine Manager controls emails suspected of being spam. At a configured time, or when the number of quarantined items for an email recipient exceeds a threshold value, the Centralized Quarantine Manager sends an email report to the original email recipient. Depending on the administrator's preference, the email user can access quarantined email through a web interface or manage the quarantined email directly from within the self-managed notification message.
If you decide to allow users to manage quarantined email using the web interface (recommended), they can review email, including the entire content and attachments, before deciding whether to release or delete it. Users can also manage their allow and deny lists and configure personal quarantine notification parameters.

For self-managed reports, users can choose certain settings (for example, release, delete, leave, and not spam for RBL quarantine) or refine their private allow lists and submit the settings. The only limitation is that they cannot review the messages. This basic email report format consists of a sender address, subject, reason for quarantine, and expiration date, followed by an eTrust SCM action. When the not spam setting is chosen, the email user's private allow list, which is stored in the Centralized Quarantine Manager, is updated. This ensures that future email from the same sender is not detected as spam by the RBL engine. The not spam setting also instructs the Centralized Quarantine Manager to release the message to the email user.

Note: CA recommends notifying email end users before operating eTrust SCM in either of the two self management modes. CA recommends that you tune the Advanced Spam Filter and RBL thresholds in this mode so that the engine becomes more responsive in detecting spam. User Self Management mode does not apply to websites.

Phase 4 - Blocking Mode
After eTrust SCM has been operating in User Self Management mode and all email users have had an opportunity to refine and personalize their private allow lists, you can consider configuring eTrust SCM to block spam emails. This capability is useful if you prefer that end users not control the release of spam emails. You do this by specifying a block action in the rule. However, if the spam filters are not properly tuned, eTrust SCM may block valid emails.
Similarly, a block action for a URL displays a notification that the website has been blocked and prevents the user from accessing the site.

Chapter 6: Troubleshooting the eTrust SCM Installation
The topics in this section provide procedures to resolve issues when installing and configuring eTrust SCM.

Correct an Incomplete DNS Configuration
Issues can arise with TCP/IP computer name configuration. For example, emails can bounce back with an error message indicating an invalid host, or eTrust SCM may be unable to connect to your DNS and SMTP servers even though you have verified that the servers are up and running. An incomplete DNS configuration is usually the cause. For eTrust SCM to relay emails using MX, the TCP/IP host name of your computer must exist on your DNS server. Also, the TCP/IP addresses that your computer uses must themselves have names. This means that you need both forward and reverse DNS lookups configured for your system.

To correct an incomplete DNS configuration, follow these steps:
1. Check the host name and domain name set in your TCP/IP configuration. Verify that you can ping this full name, both from your computer and from another computer. You must have a DNS entry for your computer on your DNS server.
2. If you have multiple TCP/IP addresses, make sure that the first TCP/IP address on your system has a DNS name entry. Using nslookup.exe (nslookup on UNIX computers), check whether the DNS entries are set up correctly. For example, if your computer is named mail.company.com, enter the following:

  nslookup mail.company.com

nslookup should respond as follows:

  Server:  imdns.company.com        (your DNS server name)
  Address:  194.90.1.5              (your DNS server address)

  Name:    mail.company.com         (your host name)
  Address:  194.90.18.5             (your TCP/IP address)

If your DNS is not set up correctly, nslookup may respond as follows:

  *** imdns.company.com can't find mail.company.com: Non-existent host/domain

or as follows:

  Server:  imdns.company.com
  Address:  194.90.1.5

  DNS request timed out.
      timeout was 2 seconds.
  *** Request to imdns.company.com timed-out

3. If the DNS problem persists and you did not receive an error message, perform a reverse lookup by entering the TCP/IP address of your computer. For example, if the TCP/IP address of your computer is 194.90.18.5, enter the following:

  nslookup 194.90.18.5

If your DNS is not set up correctly, the reverse lookup may respond as follows:

  *** imdns.company.com can't find 194.90.18.5: Non-existent host/domain

or as follows:

  Server:  imdns.company.com
  Address:  194.90.1.5

  DNS request timed out.
      timeout was 2 seconds.
  *** Request to imdns.company.com timed-out

4. If you have a DNS problem, contact the system administrator or the ISP responsible for your DNS.

Prevent Loop-back Problems
A loop-back situation can occur when eTrust SCM resolves an IP address through an MX lookup. This can happen when network address translation (NAT) points back to the same eTrust SCM computer, or when the MX lookup produces an address that points back to the same or another eTrust SCM for SMTP computer. Here are some possible scenarios:

eTrust SCM is installed at IP address 10.0.0.2 and SomeDomain.com has only one MX record. This record, Mail.SomeDomain.com, has an A record that points to 1.2.3.4. The firewall translates 1.2.3.4 back to 10.0.0.2, which is the eTrust SCM computer address.

eTrust SCM is installed at IP address 10.0.0.0 and is listening on port 25.
It tries to deliver a message, but the mail server rejects the message. This can happen for two reasons: the eTrust SCM that is running on 10.0.0.0 performs an MX lookup that produces an IP address of 10.0.0.0, or it produces the address of a remote eTrust SCM SMTP computer (10.0.0.1, port 25) that eventually causes a loop-back.

To prevent loop-back problems, follow these steps:
1. Open the Manager Console on the Control Center.
2. Select Filtering, Settings, Enterprise Settings, Loop-back Settings, General. The Loop-back Prevention pane appears.
3. Click Add. A Server Properties dialog appears.
4. Enter the IP address and corresponding port of an eTrust SCM computer used as an SMTP computer.
5. Repeat the previous step, adding all local and remote eTrust SCM computers used as SMTP computers. You can also enter NAT devices that point to eTrust SCM computers. For the examples above, add the following:
1.2.3.4, port 25
10.0.0.0, port 25
10.0.0.1, port 25

Manager Console or Quarantine Manager Terminates Suddenly
The product is probably not licensed. Look for an entry in the Manager Console or Quarantine Manager log that states that eTrust SCM is not licensed. To license eTrust SCM, see Licensing and Registering eTrust SCM (see page 69).

Verify Firewall Ports Are Open
The following firewall ports must be open during installation:
TCP/IP port 1882 between eTrust SCM modules.
The FTP port and the HTTP/HTTPS ports (required for web updates) from eTrust SCM toward the Internet.
TCP/IP port 8080 from end users toward the Quarantine Manager computer. If eTrust SCM HTTP is already installed on a port other than 8080, use the port it is installed on.
(If using ADCP) TCP/IP port 7779 from eTrust SCM toward the domain controller computer.
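The loop-back scenarios in "Prevent Loop-back Problems" above, as an added example that is not part of the guide or of eTrust SCM: a pre-delivery check that resolves a domain's MX hosts, applies the firewall's address translation, and rejects any target that is this server itself or is on the loop-back prevention list. The guide's addresses are used as given (10.0.0.2 as this server, 1.2.3.4 translated to it by the firewall, 10.0.0.1 as a remote eTrust SCM); the domains remote.example and other.example, their DNS records and the NAT table are constructed.

```javascript
// Added example, not from the guide: a loop-back check before SMTP delivery.
// DNS records, the NAT table and the extra domains are constructed for the test.

// Constructed DNS data: MX hosts per domain, and A records per host.
const MX = {
  "somedomain.com": ["mail.somedomain.com"],                       // scenario 1: NAT loops back to us
  "remote.example": ["mail.remote.example"],                       // scenario 2: MX is another eTrust SCM
  "other.example":  ["mail.other.example", "mail2.other.example"], // one good MX, one that loops
};
const A = {
  "mail.somedomain.com": ["1.2.3.4"],
  "mail.remote.example": ["10.0.0.1"],
  "mail.other.example":  ["198.51.100.7"],
  "mail2.other.example": ["1.2.3.4"],
};
// Firewall NAT: public address -> internal host the firewall forwards port 25 to.
const NAT = { "1.2.3.4": "10.0.0.2" };
// This eTrust SCM computer.
const SELF = { ip: "10.0.0.2", port: 25 };
// Loop-back prevention list as entered on the Manager Console, "ip:port".
const PREVENTION = new Set(["1.2.3.4:25", "10.0.0.0:25", "10.0.0.1:25"]);

// Resolve a domain to candidate delivery targets: MX hosts, then their A records.
// With no MX record the domain's own A record is used, as SMTP clients do.
function mxTargets(domain, port = 25) {
  const name = domain.toLowerCase();
  const hosts = MX[name] || [name];
  const targets = [];
  for (const host of hosts) {
    for (const ip of A[host] || []) targets.push({ host, ip, port });
  }
  return targets;
}

// Explain why a target would loop back, or return null if it is safe to use.
function loopReason(target) {
  const key = `${target.ip}:${target.port}`;
  const inside = NAT[target.ip] || target.ip; // address after the firewall translates it
  if (inside === SELF.ip && target.port === SELF.port) {
    return "NAT maps " + target.ip + " back to this server";
  }
  if (PREVENTION.has(key)) return key + " is in the loop-back prevention list";
  return null;
}

// Decide where a message for `domain` may be delivered.
function planDelivery(domain) {
  const targets = mxTargets(domain).map(t => ({ ...t, loop: loopReason(t) }));
  const usable = targets.filter(t => t.loop === null);
  return {
    targets,
    usable,
    // With no usable target the message must not be handed back to ourselves;
    // it has to go to the real internal mail server instead of the resolved MX.
    verdict: usable.length ? "deliver" : "no external route; use an explicit internal mail server",
  };
}
```

A verdict of "no external route" is exactly the situation the prevention list exists for: every MX answer leads back to an eTrust SCM computer, so the message has to be routed to the internal mail server rather than to the host the MX lookup returned.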
eTrust InoculateIT or eTrust Antivirus Conflicts with the Antivirus Realtime Scanner
Installing eTrust InoculateIT or eTrust Antivirus before installing eTrust SCM causes the Antivirus Realtime Scanner to act on data before eTrust SCM can analyze or use it. This may interfere with Content Manager Engine functionality. To avoid operational conflicts between eTrust Antivirus and eTrust SCM, identify the eTrust SCM processes that are running and add them to the eTrust Antivirus exclusions list. Use the Windows Task Manager to locate the process names. Add the processes to the eTrust Antivirus exclusions list by following these steps:
1. Right-click the eTrust Antivirus icon in the Windows task tray.
2. Select Realtime Options, click the Filters tab, and then click Process.
3. Enter the process name and add it to the exclusions list.
The following list shows all of the eTrust SCM processes that could be running for your eTrust SCM installation. Note: The exact list of processes depends on the options you selected when you installed eTrust SCM.
icihttp.exe
icismtp.exe
DCollSrv.exe
QmgrSrv.exe
CRepSrv.exe
ECSQDMN.exe
ECSSAFMGR.exe
eCCCleaner.exe
QMgr.exe

Outgoing SMTP Rules Are Also Applied to Incoming Emails
If outgoing SMTP rules are inadvertently applied to incoming emails, configure the intranet subnet list to exclude the IP address of the firewall or router that receives incoming email. You can modify these settings in Subnets by navigating to Filtering, Settings, <local engine>, Subnets.

Unblock a Website
To unblock a website, follow these steps:
1. Navigate to Filtering, Settings, Enterprise Settings, URL Customization.
2. Click Add.
3. Type the web address of the site being blocked and click OK.
4.
Uncheck the default URL category for the site in the Categories assigned to the URL list.
5. Scroll down, check <User Defined 1>, and click OK.
6. Click Yes to distribute the changes.
7. Navigate to the URL rule that contains the blocking action you are trying to remedy.
8. Confirm that <User Defined 1> is not checked in the URL rule.

Appendix A: ADCP Authentication
The eTrust Authentication Device Communication Protocol (ADCP) provides a way to link user names with the IP and MAC addresses of the computer they are currently logged on to. This provides a way to track network activity and establish policies by user and group. The ADCP system works with Active Directory, mixed-mode, and NT domains. It can also provide logon information from remote access servers (RASs) and routing and remote access servers (RRASs). Installation and configuration vary by the type of domain model used. This is an optional enhancement that is not required for the proper functioning of eTrust SCM. This section explains how to install and configure eTrust ADCP. There are two types of ADCP installations:

ADCP Agents
These agents collect the authenticated user and computer information and send it to the eTrust SCM Engines. This communication is encrypted and uses a secure handshake to ensure the integrity of the communication and content. The ADCP Distributed Source Agent (DSA) is recommended for all domain types. It is required for Active Directory domains and provides the best information across WAN links and in large multi-domain environments. The DSA receives the user and computer information directly from the Distributed Source Clients (DSCs), avoiding directory propagation delays. The ADCP Universal Source Agent (USA) is an older mechanism still used in smaller NT or mixed-mode domains in which running a client on the workstations is not preferred. The Universal Source NT/2000 RAS Agent is installed on RAS/RRAS servers to provide user information for remote users.
The ADCP Distributed Source Client
You can run this client on the workstation or from a login script. The client sends the user and computer information to the DSA. You can also run it as a logoff script to ensure that logoff information reaches the eTrust SCM Engines in a timely fashion.

The ADCP Agent
As an optional identification enhancement, eTrust SCM includes an Authentication Device Communication Protocol (ADCP) agent. The ADCP agent ties information about the authenticated user (obtained from one of the authentication devices) to the address of the host computer that the authenticated user is using.

ADCP DSA
The DSA can reside on any computer that has permission to read the user directory. You do not need to install it on all of the PDCs and BDCs, as you must with the USA. If there are many hundreds of users, and especially if they tend to log on to the domain at roughly the same time of day, we recommend that several DSAs be installed on dedicated workstations or servers to handle the traffic. The DSA can connect to the clients in one of two ways. In smaller networks, or in WANs where DSAs are installed at each remote site, the DSCs can use UDP broadcasts on port 7781 to discover the DSAs. The DSC takes the first DSA that replies and sends the authentication information to that IP address. This provides a rudimentary form of load balancing and can also provide some redundancy. Because broadcasts do not cross routers, a DSA must be reachable by broadcast in each broadcast domain. For networks where UDP broadcast is not desired, each client can be configured with the IP address of the DSA it should use, and TCP port 7781 is used for the exchange of information.

ADCP RAS/RRAS Universal Source Agent
Install this agent on all of the RAS/RRAS servers in the organization. It provides authentication information for remote users.

ADCP USA
Install the USA on every PDC and BDC in the domain.
It requires a restart of the domain controller(s), so careful planning is recommended for deployment and upgrading. The USA does not require the DSC on workstations.

Installing the ADCP Agent
To install the ADCP Agent, perform the following procedure:
1. Log on with administrator or domain administrator privileges.
2. Exit any other programs that are running on your computer.
3. Insert the distribution CD into the CD-ROM drive. If autorun is enabled on Windows, the product installation browser appears. If autorun is not enabled, perform these steps to display the browser: On the taskbar, select Start, Run. On the Run dialog, click Browse. On the Browse dialog, navigate to your CD-ROM drive and the Launch.exe file; then click Open. On the Run dialog, click OK. The eTrust SCM Product Installation Browser appears.
4. Click Install eTrust SCM Accessories. The eTrust Accessories Installation menu appears.
5. Click Install eTrust ADCP Options. Installation and documentation options appear.
6. Click Install eTrust ADCP Agent. The system displays installation messages, and then a welcome dialog appears.
7. Click Next.
8. The ADCP Installer license agreement appears.
9. Read the agreement, scroll to the bottom, and click I Agree. The Customer Information dialog appears.
10. Enter your user name and company name, and then click Next. The Choose Destination Location dialog appears.
11. Perform one of the following actions: To accept the default destination folder, click Next. To select a different destination folder, click Browse, navigate to it, click OK, and then click Next. The Select Program Folder dialog appears.
12. In the Program Folders field, enter the default folder name, ADCP Agent, and then click Next. The wizard program loads and the first Install ADCP Agent dialog appears.
13.
Click Next. The second Install ADCP Agent dialog appears.
14. Select the type of agent to install, and then click Next. The program copies files to your computer, and the Setup Complete dialog appears.
15. Select Yes, I want to restart my computer now, and then click Finish. Your computer restarts.

Configuring the ADCP Agent
By default, the ADCP Agent is installed with TCP port 7779 for communication with the eTrust SCM Engines and with encryption disabled, for speed and ease of troubleshooting connections. We recommend that encryption be enabled for production systems.
1. Confirm that the service is running.
2. Open the Start menu, navigate to, and select ADCP Agent Configuration. The ADCP Agent Configuration dialog appears.
3. Click Preferences. The Agent Preferences dialog appears.
4. Enter the TCP port, check the Enforce Encryption check box, and click OK. The port must match the eTrust SCM Engine settings for communication to be enabled.

Configuring a Windows NT Domain Controller to Catch Events
If you installed an ADCP agent in source server agent mode on a Windows NT domain controller, perform the following procedure to configure a PDC to catch network logon events.
1. On the Windows taskbar, select Start, Programs, Administrative Tools, User Manager for Domains. The User Manager for Domains dialog appears.
2. Select Policies, Audit. The Audit dialog appears.
3. Select Audit these events.
4. Select Success next to the Logon and Logoff option.

Reconfiguring the TCP Port for an ADCP Agent
To change the TCP port of an ADCP Agent, perform the following procedure.
1. Select Start, Programs, ADCP Agent, Configure. The ADCP Agent Configuration dialog appears and displays the list of authentication devices that are operational on the ADCP Agent.
2. Click Preferences. The Agent Preferences dialog appears.
3.
Enter a TCP port number and click OK. Note: The port number must match the port number used when configuring eTrust SCM to work with the ADCP agent.

Configuring eTrust SCM to Use an ADCP Agent
To configure eTrust SCM to use an ADCP Agent, perform the following procedure to define each domain controller.
1. From the Manager Console main window menu, select Settings, <local engine>, Gateway, ADCP Agents. The Define ADCP Agents dialog appears.
2. To add agents, follow these steps:
a. Click Add.
b. Enter the name of the domain controller or server on which ADCP is installed, or browse to search for it.
c. Enter the server port, making sure it matches the port number entered when configuring the ADCP Agent, and then click OK.
The program adds the name of the controller to the list of agents shown under ADCP Agent. The icon indicates whether the agent is connected.

If There Is a Problem with the ADCP Agent Installation
eTrust SCM uses ADCP version 2.0. This version does not allow installation on a computer on which Terminal Services is installed. If there is a problem with the installation, the ADCP Agent installer may be checking the following registry value to determine whether Terminal Services is installed:

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
  "TSEnabled"=dword:00000001

To work around this conflict, set the TSEnabled value to 0 and then try the installation again. If the installation is successful, set the value back to 1 when the installation is complete.

The ADCP Distributed Source Client
The ADCP DSC can be installed on each workstation or executed in logon and logoff scripts. Use of scripts is recommended, as the IP address of the DSA(s) can easily be modified or assigned by group, and the client cannot be disabled by users with Administrator privileges, as it runs before they have access to the computer settings.
The ADCP Distributed Source Client (DSC) is a source type that obtains information about interactive users from software that runs on each station. The DSC must run at least once under the interactive user account on every workstation that ADCP monitors. When using the DSC, the ADCP Agent can run on almost any computer on the network. When it runs, the DSC gathers all the information ADCP needs, discovers the IP address of an ADCP Agent, and sends the data to it. The discovery process uses UDP broadcast on port 7781. Any ADCP Agent that is in distributed mode answers the broadcast; the first reply read by the DSC determines the IP address to which the DSC sends its information. This provides a rudimentary form of load balancing. After discovering the ADCP Agent location, the DSC connects to the distributed-mode ADCP Agent on TCP port 7781 and sends the usual information to it (for example, user name, domain, IP address, and MAC address). ADCP accepts this information as reported: it assumes that the user sent by the DSC is the only user on the computer that the request came from, so no unknown-user-name situations arise. Because the agent does not verify the reported values, restrict access to TCP and UDP port 7781 on the DSA to the workstations that are expected to run the DSC.

You can use the DSC in one of these modes:
As a standalone executable, installed on each client computer, that runs whenever an interactive user logs on. It uses the following registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
As a logon script that resides on a domain controller.

You can use TCP/IP with the Distributed Client rather than UDP. In the logon script, instead of sending only the path to the DistClient, send the path followed by the ADCP Agent's IP address, as shown here:
\\ADCP_AGENT_PC\Distclient\DistClient.exe -a<IP address>
<IP address> can be either the computer name or the IP address.
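The DSC report described above, as an added example that is not part of the guide or of the ADCP software: a parser for the DistClient.log entries shown in the logon-script procedure later in this section (the sample text is constructed in that format, using the guide's sample user, domain, address and MAC), a check for the NOUSER record that a logoff run produces, and the sanity checks a receiving agent could apply before acting on a report. Comparing the reported address with the address the TCP connection came from is an assumption about what could be verified, not a description of what the ADCP agent does.

```javascript
// Added example, not from the guide or from ADCP: parse DistClient.log records and
// check them before trusting them. The log text is constructed in the documented format.

const SAMPLE_LOG = `Wed May 28 19:11:16 2003 DistClient Executable Started
Platform is NT
User: JohnDoe
Domain: CompanyDomain
IP 172.24.184.67
Computer COMP1234
MAC 00:b0:d0:ec:5e:cb
DistClient Executable Stopped Wed May 28 19:11:17 2003
Wed May 28 19:11:59 2003 DistClient Executable Started
Platform is NT
User: NOUSER
Domain: CompanyDomain
IP 172.24.184.67
Computer COMP1234
MAC 00:b0:d0:ec:5e:cb
DistClient Executable Stopped Wed May 28 19:11:59 2003`;

const IPV4 = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;
const MAC = /^([0-9a-f]{2}:){5}[0-9a-f]{2}$/i;

// Split the log into one record per "Started ... Stopped" run.
function parseDistClientLog(text) {
  const records = [];
  let cur = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    let m;
    if ((m = line.match(/^(.*) DistClient Executable Started$/))) { cur = { started: m[1] }; continue; }
    if (!cur) continue; // lines outside a run are ignored
    if ((m = line.match(/^DistClient Executable Stopped (.*)$/))) {
      cur.stopped = m[1];
      records.push(cur);
      cur = null;
    } else if ((m = line.match(/^Platform is (.+)$/))) cur.platform = m[1];
    else if ((m = line.match(/^User: (.+)$/))) cur.user = m[1];
    else if ((m = line.match(/^Domain: (.+)$/))) cur.domain = m[1];
    else if ((m = line.match(/^IP (.+)$/))) cur.ip = m[1];
    else if ((m = line.match(/^Computer (.+)$/))) cur.computer = m[1];
    else if ((m = line.match(/^MAC (.+)$/))) cur.mac = m[1].toLowerCase();
  }
  return records;
}

// A logoff run (the -f switch) reports the user name NOUSER: the user is gone,
// so the address must no longer be attributed to anyone.
function isLogoff(rec) { return rec.user === "NOUSER"; }

// Checks a receiving agent could apply (an assumption, not ADCP behaviour).
// peerIp is the source address of the TCP connection on port 7781; a mismatch
// means the client is claiming an address it did not connect from.
function validateRecord(rec, peerIp) {
  const problems = [];
  for (const f of ["user", "domain", "ip", "computer", "mac"]) {
    if (!rec[f]) problems.push("missing " + f);
  }
  if (rec.ip && !IPV4.test(rec.ip)) problems.push("malformed IP " + rec.ip);
  if (rec.mac && !MAC.test(rec.mac)) problems.push("malformed MAC " + rec.mac);
  if (rec.ip && peerIp && rec.ip !== peerIp) {
    problems.push("reported IP " + rec.ip + " differs from peer " + peerIp);
  }
  return problems;
}
```

Run the parser over a client's DistClient.log after the logon script has executed once; a logon record followed by a NOUSER record for the same computer is what a correctly configured logon and logoff script pair produces.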
For example:
\\ADCP1\Distclient\DistClient.exe -a172.24.123.12

Adding DistClient.exe As a Logon Script
Use this procedure to add DistClient.exe as a script that runs when users log on. The script is configured through the Group Policy console. To set up a logon script:
1. Open the Active Directory Users and Computers Microsoft Management Console by choosing Start, Programs, Administrative Tools, Active Directory Users and Computers. Right-click the domain object, click Properties, and then click Group Policy. The Group Policy dialog appears.
2. On the Group Policy dialog, select Default Domain Policy from the tree, and then click Edit. The Group Policy snap-in appears in the tree.
3. In the Group Policy snap-in, open User Configuration, open Windows Settings, and then select Scripts (Logon/Logoff). Logon and Logoff appear in the right pane.
4. In the right pane, double-click Logon. The Logon Properties dialog appears.
5. The Logon Properties dialog displays the list of scripts that run when users log on. This is an ordered list; the script that runs first appears at the top. You can change the order by selecting a script and using the Up and Down buttons. Click Show Files. The location of the logon scripts for this policy appears. Copy DistClient.exe to this folder to make it available to all computers that execute it. To add DistClient.exe to the logon scripts, click Add. The Add a Script dialog appears. You can accept the DistClient.exe located in the current Group Policy Object (GPO) or use Browse to select another location for this GPO. The DistClient.exe file must be accessible to the user at logon (by means of execute permissions) or it does not launch. In Script Parameters, enter the -a<IP address> switch with the IP address of the computer on which the ADCP Agent with the Distributed Source Server is installed.
   Click OK to close the Add a Script dialog, and then click OK again to close the Logon Properties dialog.

Log on from a client workstation with a user in that domain and verify that DistClient.exe runs correctly. Look at \Winnt\System32\DistClient.log (a hidden file) on the client to see whether there are any error messages. Typical log entries look like this:

    Wed May 28 19:11:16 2003 DistClient Executable Started
    Platform is NT
    User: JohnDoe
    Domain: CompanyDomain
    IP 172.24.184.67
    Computer COMP1234
    MAC 00:b0:d0:ec:5e:cb
    DistClient Executable Stopped Wed May 28 19:11:17 2003

Adding DistClient.exe As a Logoff Script

Use the same procedure outlined in the previous section to set up scripts that run when a user logs off. There are two differences:

- For logoff scripts, double-click Logoff in the right pane.
- In Script Parameters, enter both the -f and the -a<IP address> switches.

The -f switch causes DistClient.exe to send the same information (for example, platform, domain, IP, MAC) to the ADCP Agent; however, this time the user name is NOUSER.

Installing the ADCP Distributed Source Client

The ADCP DS client can be installed either on each workstation or executed in logon and logoff scripts. CA recommends using scripts, as you can easily modify DS agent IP addresses or assign them by groups. The client cannot be disabled by users with Administrator privileges, as it runs before users have access to the computer settings.

Note: The following procedure is for use only with ADCP distributed source mode.

To install the ADCP DS client, perform the following procedure:

1. Log on with administrator or domain administrator privileges.

2. Exit any other programs that are running on your computer.

3. Insert the product CD into your CD-ROM drive. If autorun is enabled on Windows, the product installation browser appears.
   If autorun is not enabled, perform these steps to display the browser:
   a. On the taskbar, select Start, Run.
   b. On the Run dialog, click Browse.
   c. On the Browse dialog, navigate to your CD-ROM drive and the Launcher.exe file; then click Open.
   d. On the Run dialog, click OK.

   The eTrust SCM Product Installation Browser appears.

4. Click Install eTrust SCM Accessories. The eTrust Accessories Installation menu appears.

5. Click Install eTrust ADCP Options. The ADCP options installation menu appears.

6. Click Install eTrust ADCP Distributed Source Client. The system briefly displays installation messages and then displays the ADCP Distributed Source Client Installer dialog.

7. Click Next. The ADCP source client disclaimer appears.

8. Read the disclaimer, scroll to the bottom of the dialog, and click I Agree. The ADCP user and company name dialog appears.

9. Enter your user and company name and then click Next. The Setup Type dialog appears.

10. To set up the client to run automatically on client computers, select Client. To set up the client to run from a user's logon script, select Server. Then click Next. The Choose Destination Location dialog appears.

11. Perform one of the following actions:
    - To accept the default destination folder, click Next.
    - To select a different destination folder, click Browse, navigate to the destination, and click OK. Then click Next.

    The Setup Status dialog appears.

12. When the installation completes, click Finish.

Appendix B: Installing and Configuring Microsoft SQL Server

The eTrust SCM Quarantine Manager and Reporter can use MS-SQL Server as the database layer.
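The database, login and role setup that this appendix walks through in Enterprise Manager, written out as a T-SQL script so the result can be repeated and verified (an added example, not from the guide). It assumes SQL Server 2012 or later syntax; the login name escm_app and its password are placeholders, while the database names are the guide's own examples.

```sql
-- Added example (not from the guide): scripted equivalent of the Enterprise
-- Manager steps in this appendix. Assumes SQL Server 2012 or later syntax;
-- Enterprise Manager-era servers use sp_addlogin, sp_grantdbaccess and
-- sp_addrolemember for the same steps. escm_app and the password are
-- placeholders; the database names follow the guide's examples.

-- Prerequisite check: the instance must allow both SQL Server and Windows
-- authentication. IsIntegratedSecurityOnly = 1 means Windows-only, which the
-- SQL Server Authentication login created below could not use.
IF CONVERT(int, SERVERPROPERTY('IsIntegratedSecurityOnly')) = 1
    RAISERROR('Enable SQL Server and Windows authentication and restart the service.', 16, 1);
GO

-- Quarantine and Reports databases. No tables are created here: the eTrust
-- SCM installer creates them during installation.
IF DB_ID('eSCM_Quarantine_DB') IS NULL CREATE DATABASE eSCM_Quarantine_DB;
IF DB_ID('eSCM_Reports_DB')    IS NULL CREATE DATABASE eSCM_Reports_DB;
GO

-- SQL Server Authentication login. No server role is granted: the product
-- needs db_owner only inside its own two databases.
IF SUSER_ID('escm_app') IS NULL
    CREATE LOGIN escm_app WITH PASSWORD = '<placeholder-password>', CHECK_POLICY = ON;
GO

-- Map the login into each database and make it db_owner there
-- (every database user is a member of public automatically).
USE eSCM_Quarantine_DB;
IF DATABASE_PRINCIPAL_ID('escm_app') IS NULL CREATE USER escm_app FOR LOGIN escm_app;
ALTER ROLE db_owner ADD MEMBER escm_app;
GO
USE eSCM_Reports_DB;
IF DATABASE_PRINCIPAL_ID('escm_app') IS NULL CREATE USER escm_app FOR LOGIN escm_app;
ALTER ROLE db_owner ADD MEMBER escm_app;
GO

-- Verification of least privilege. Both functions return 1 for a member,
-- 0 for a non-member and NULL if the principal or role does not exist, so
-- the login should be a non-member of sysadmin and a member of db_owner
-- in each product database.
USE eSCM_Quarantine_DB;
SELECT IS_SRVROLEMEMBER('sysadmin', 'escm_app') AS is_sysadmin,
       IS_ROLEMEMBER('db_owner', 'escm_app')    AS quarantine_db_owner;
GO
USE eSCM_Reports_DB;
SELECT IS_ROLEMEMBER('db_owner', 'escm_app')    AS reports_db_owner;
GO
```

Run the script as a sysadmin from sqlcmd or SQL Server Management Studio; the RAISERROR only reports the authentication-mode problem, so check its message before relying on the later batches.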
According to your needs, you can install a dedicated SQL Server on a remote machine, or install SQL Server on the same machine as the Quarantine Manager and/or Reporter.

Prerequisites

Perform the following installations and checks before installing eTrust SCM:

- Install Microsoft SQL Server according to the product's documentation.

  Important! Microsoft SQL Server must be installed before you install eTrust SCM.

- Confirm that SQL Server and Windows authentication is enabled in the SQL Enterprise Manager. To confirm this setting, do the following:
  a. Open the SQL Enterprise Manager.
  b. Right-click the local database, and click the Security tab.
  c. Confirm that the Authentication: SQL Server and Windows radio button is selected.

Install eTrust SCM after you have confirmed that these prerequisites have been met.

Creating the Quarantine and Reports Databases

To create the quarantine and reports databases, follow the steps in the two sections below.

Create the Quarantine Database

Perform the following steps to create the Quarantine database:

1. Open the SQL Enterprise Manager Snap-in and browse to the Database level.

2. Choose Database. The default database appears in the right pane.

3. Right-click the right pane and select New Database. The Database Properties dialog appears.

4. On the Database Properties dialog, enter a name for the container on the General tab, for example: eSCM_Quarantine_DB.

5. On the Data Files tab of the Database Properties dialog, adjust the default parameters if this is a heavily-used database.
   The defaults are fine for testing purposes. Click OK.

Create the Reports Database

To create the Reports database, repeat the steps in Create the Quarantine Database, with the exception of the database name:

1. On the Database Properties dialog, enter a unique name for the container on the General tab, for example: eSCM_Reports_DB.

2. On the Data Files tab of the Database Properties dialog, adjust the default parameters if this is a heavily-used database. The defaults are fine for testing purposes. Click OK.

Creating an SQL User and Associating It with the Databases

To create an SQL user and associate it with the databases, follow these steps:

1. Open the SQL Enterprise Manager Snap-in, browse to the Security level, and select Logins.

2. Right-click and select New Login. The SQL Server Login Properties - New Login dialog appears.

3. Create a new user using the SQL Server Authentication option. This user does not require administrative privileges anywhere other than in the Quarantine and Reports databases.

4. Click the Database Access tab, and select the databases to be accessed by this login as follows:
   a. Select eSCM_Quarantine_DB and specify the roles for the new database. In Database roles, select both public and db_owner, as this user must be db_owner to create the tables properly.
   b. Select eSCM_Reports_DB and specify the roles for the new database. In Database roles, select both public and db_owner, as this user must be db_owner to create the tables properly.
   c. Click OK.
   The Confirm Password dialog appears.

5. Enter the password you specified on the General tab again to confirm it, and click OK.

You are now set up to use SQL Server with the Quarantine Manager and/or Reporter. Write down the database names, user and password you have created, as they will be required during the installation of eTrust SCM.

Notes:

- There is no need to tune additional database parameters, create any tables, or set any ODBC settings. The eTrust SCM installer does so during the installation.
- If you change the SQL database credentials after the eTrust SCM installation, use the Manager Console to configure the new credentials. To do so, from the Manager Console's menu select Settings, Engine settings, Microsoft SQL Tab.

Glossary

ADCP
Authentication Device Communication Protocol. eTrust SCM includes an ADCP engine that tracks the company domain controller for user activities and maintains a local, real-time cache table used by the engine to associate the user IP address with a specific user name.

ADS
Active Directory Server.

Applet
An applet is similar to an application but does not run in standalone mode. It complies with a set of conventions that allow it to run within a Java-compatible browser.

Application
An application is a standalone program. It can be executed independently of any other program.

DMZ
The DMZ is a computer or small subnetwork that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet. Typically, the DMZ contains devices accessible to Internet traffic, such as web (HTTP) servers, FTP servers, SMTP (email) servers, and DNS servers.

DNS
The Domain Name System is an Internet service that translates domain names into IP addresses. Because domain names are alphabetic, they are easier to remember. The Internet, however, is based on IP addresses.
Every time you use a domain name, a DNS service translates the name into its IP address. For example, the domain name www.example.com might translate to 198.105.232.4. The DNS is its own network. If one DNS server cannot translate a domain name, it queries other DNS servers to resolve the correct IP address.

Downloadable
A downloadable is a file that is transmitted into an organization's computer system. Downloadables may originate from the Internet, other locations in an organization's intranet, or an extranet.

EIAM
eTrust Embedded Identity Access Management.

Executable
A file that contains programs. This is a particular kind of file that is capable of being executed or run as a program in the computer. In a DOS or Windows operating system, an executable file usually has a file name extension of .bat, .com, or .exe. These types of executables, if downloaded, are executed automatically, often without the knowledge of the user. The only warning the user may receive is the regular browser warning that a package is about to be downloaded.

Extranet
A communication network of selected private companies, such as communications networks shared among banking organizations.

Firewall
A firewall is a set of related programs located at a network gateway server, which protects the resources of a private network from users in other networks. (The term also implies the security policy that is used with the programs.) An enterprise with an intranet that allows its workers access to the wider Internet installs a firewall to prevent outsiders from accessing its own private data resources and to control what outside resources its own users have access to. Basically, a firewall working closely with a router program filters all network packets to determine whether to forward them toward their destination. A firewall may also include or work with a device that makes network requests on behalf of workstation users.
A firewall is often installed on a specially designated computer separate from the rest of the network so that no incoming request can get directly at private network resources.

FTP
File Transfer Protocol.

Gateway
A gateway is a network point that acts as an entrance to another network. On the Internet, in terms of routing, the network consists of gateway nodes and host nodes. The computers of network users and the computers that serve content (such as Web pages) are host nodes. The computers that control traffic within your company's network or at your local Internet service provider (ISP) are gateway nodes.

HTTP
Hypertext Transfer Protocol.

HTTPS
Hypertext Transfer Protocol Secure.

Hub
A hub is a hardware device that connects two separate LANs. A hub does not filter traffic moving between the two LANs.

Internet
The global computer communications network that connects independent networks. The Internet is accessed through a service provider.

Intranet
An intranet is a private network inside a company or organization that uses the same kinds of software as the public Internet (for example, private LANs and WANs). It is only for internal use.

IP Address
An Internet Protocol (IP) address is a 32-bit number that identifies each sender or receiver of information that is sent in packets across the Internet. When you request an HTML page or send email, the IP part of TCP/IP includes your IP address in the message and sends it to the IP address that is obtained by looking up the domain name in the URL you requested or in the email address you're sending a note to. At the other end, the recipient can see the IP address of the Web page requester or the email sender and can respond by sending another message using the IP address it received.

ISA
Microsoft Internet Security and Acceleration Server.

LDAP
Lightweight Directory Access Protocol.
Mail Exchange (MX) Record
A mail exchange record is an entry in a DNS database that identifies the mail server that handles email for that domain name. When more than one MX record exists for a single domain name that uses more than one mail server, each MX record has a preference number that indicates the order in which to use the mail servers. This enables the use of primary and backup mail servers.

Message digest algorithm
Digital signatures and other applications that need unique and unforgeable identifiers for digital data frequently make use of digital fingerprints or message digests. These are produced using cryptographically secure message digest algorithms, also known as one-way hash algorithms. A message digest algorithm is a function that takes arbitrary-sized input data (the message) and generates a fixed-sized output, known as a digest or hash.

MIME
Multipurpose Internet Mail Extensions.

NIC
Network Interface Card.

NTLM
An abbreviation for Windows NT LAN Manager. NTLM is an authentication protocol used in various Microsoft network protocol implementations. NTLM uses a challenge-response mechanism for authentication, in which clients prove their identities without sending a password to the server.

POP3
Post Office Protocol version 3. A protocol frequently used by email clients to retrieve emails that have been received and stored on a mail server.

PPTP
Point-to-Point Tunneling Protocol.

Proxy Server
A proxy server is a server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. A proxy server is associated with or part of a gateway server that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion. The proxy server receives a request for an Internet service (such as a Web page request) from a user.
If the request passes filtering requirements, the proxy server, assuming it is also a cache server, looks in its local cache of previously downloaded Web pages. If it finds the page, it returns it to the user without forwarding the request to the Internet. If the page is not in the cache, the proxy server, acting as a client on behalf of the user, uses one of its own IP addresses to request the page from the server on the Internet. When the page is returned, the proxy server relates it to the original request and forwards it to the user. eTrust SCM acts as a proxy server, though it does not have its own cache.

RBL
Real-Time Black-Hole List. The RBL is a list of TCP/IP addresses that have sent spam. The RBL bans email sent from a range of TCP/IP addresses.

Relay Server
A relay server uses SMTP to send email messages between mail servers. The messages can then be retrieved with an email client using POP or IMAP from the mail management server, such as Exchange Mail Server or Lotus Mail Server.

Router
A router is a hardware item that transfers packets from one network to another. Every packet has a destination address stored in a header, and the router filters packets according to the destination address.

SMB
Small to Medium-sized Business.

SMTP
Simple Mail Transfer Protocol.

SNMP
Simple Network Management Protocol.

Subnet Mask
The subnet mask is the part of the IP address that distinguishes other computers on the same LAN from computers in other departments or outside of the organization. The subnet mask for your computer network is in the Network Protocols window under TCP/IP protocol properties.

TCP
Transmission Control Protocol (TCP) works with Internet Protocol (IP) to send data in the form of message units between computers over the Internet. While IP handles the delivery of the data, TCP keeps track of the individual units of data (called packets) into which a message is divided for efficient routing through the Internet.
URL
A uniform resource locator (URL) is the address of a file (resource) accessible on the Internet. The type of resource depends on the Internet application protocol. The URL contains the name of the protocol required to access the resource, a domain name that identifies a specific computer on the Internet, and a hierarchical description of a file location on the computer.

ZIP
ZIP is probably the most common archive format for distributing and storing files. One or more files may be archived in a ZIP file and compressed to save space and download time. After downloading or receiving a ZIP file, you can extract and uncompress the original files.

Index

A
ADCP • 175
ADCP Authentication • 143
ADCP DSA • 144
ADCP RAS/RRAS Universal Source Agent • 144
ADCP USA • 144
Adding DistClient.exe As a Logoff Script • 157
Adding DistClient.exe As a Logon Script • 155
ADS • 175
Antivirus Protection • 9
Antivirus Settings • 84
Applet • 175
Application • 175
Assessing Your Security Level • 17
Assign User Permission Levels • 102
Authentication Method Considerations • 30

C
Chaining Proxy Servers • 26
Change the Port in Exchange 2000 • 115
Change the Port in Lotus Domino • 119
Change the Port in the Exchange 5.5 Services File • 115
Change User Permission Levels • 103
Checking and Adjusting Manager Console Settings • 78
Choose a Language, Read the Terms and Conditions, and Provide User, Drive, and Location Information • 48
Compatibility • 33
Complete Content Management • 11
Complete the Installation • 68
Completing the Pre-installation Checklist • 37
Comprehensive Protection • 8
Comprehensive Reporting • 10
Configuring a Browser for Manual Proxy • 123
Configuring a Windows NT Domain Controller to Catch Events • 150
Configuring eTrust Embedded IAM • 96
Configuring eTrust SCM to Use an ADCP Agent • 151
Configuring eTrust SCM With Your Email Server • 106
Configuring Initial Filtering Settings • 78
Configuring the ADCP Agent • 149
Configuring the Browser Proxy • 122
Configuring Your Browser for Proxy Automatic Configuration (PAC) • 127
Configuring Your Browser for Web Proxy Automatic Discovery (WPAD) • 130
Configuring Your Implementation • 75
Content Filtering and Network Load • 30
Correct an Incomplete DNS Configuration • 137
Create the Embedded IAM Database • 98
Creating an SQL User and Associating It with the Databases • 170
Creating the Quarantine and Reports Databases • 164

D
Data Confidentiality Monitoring • 9
Define Users in the Embedded IAM Database • 100
Determine an Installation Scenario • 39
Distinctive Features and Functionality • 8
DMZ • 175
DNS • 175
DNS Considerations • 25
Domain Route List • 20
Downloadable • 175

E
Easy Administration • 10
EIAM • 175
Email and Email Server Considerations • 18
Email Anti-Spam and Content Security Filtering • 8
Email Content Management • 11
Email Delivery • 18, 21
Email Notification • 57
Email Traffic Direction Rules • 20
Enterprise Installation Scenario • 40
Enterprise LDAP Advanced Settings • 94
Enterprise LDAP Dictionary Settings • 92
Enterprise LDAP General Settings • 89
Enterprise LDAP Settings • 89
Enterprise Settings • 87
Establishing an Incident Response Plan • 17
Establishing Security Guidelines • 15
eTrust Embedded IAM Server • 67
eTrust InoculateIT or eTrust Antivirus Conflicts with Antivirus Realtime Scanner • 141
eTrust SCM and Users on Different Domains • 34
Executable • 176
Extensive Automated Actions and Alerts • 11
Extranet • 176

F
Firewall • 176
Firewall Considerations • 26
Forward Email in Exchange 2000 • 109, 117
Forward Email in Exchange 5.5 • 108, 114
Forward Email in Lotus Domino • 111, 120
FTP • 176
Fully Qualified Domain • 62

G
Gateway • 176
Gateway Settings • 79

H
How NTLM Works • 32
How to Configure eTrust SCM on a Dedicated Computer • 107
How to Configure eTrust SCM on Your Email Server • 113
HTTP • 176
HTTP / SMTP Server Ports • 56
HTTP Engine Settings • 79
HTTPS • 176
Hub • 176

I
If There is a Problem with the ADCP Agent Installation • 153
Implementation Modes • 133
Implementation Planning • 15
Install eTrust SCM • 121
Installation on a Dedicated Computer • 106
Installation Steps • 45
Installing and Configuring Microsoft SQL Server • 163
Installing eTrust SCM • 45
Installing eTrust SCM on a Dedicated Computer • 107
Installing Individual Components Only • 74
Installing on the Internet Side • 28
Installing on the Intranet Side • 27
Installing on the Mail Server Computer • 113
Installing the ADCP Agent • 145
Installing the ADCP Distributed Source Client • 158
Internet • 177
Intranet • 177
Introduction • 7
IP Address • 177
ISA • 177

K
Known Upgrade Issues • 43

L
LDAP • 177
LDAP Server Settings • 82
LDAP Settings • 81
Licensing and Registering eTrust SCM • 69
Local Settings • 79
Loop-back Settings • 88

M
Mail Exchange (MX) Record • 177
Maintain the Embedded IAM Database • 104
Malicious Mobile Code Defense • 10
Manager Console or Quarantine Manager Terminates Suddenly • 140
Managing Roles Using eTrust Embedded Identity and Access Management • 98
Message digest algorithm • 177
MIME • 177
Mixed Mode Domains • 33
Multiple Email Recipients • 24

N
Network Considerations • 29
NIC • 177
NTLM • 178
NTLM Authentication Across a Firewall • 35
NTLM Basics • 31
NTLM Considerations and Recommendations • 33

O
Option 1 - The SMB Scenario • 53
Option 2 - Enterprise Scenario • 53
Outgoing SMTP Rules Are Also Applied to Incoming Emails • 142

P
PAC Files Examples • 130
Performing NTLM Authentication Across a Firewall Through SCM • 35
Phase 1 - Alert Mode • 133
Phase 2 - Notification Mode • 134
Phase 3 - User Self Management Mode • 134
Phase 4 - Blocking Mode • 135
Phishing and Spyware Prevention • 9
POP3 • 178
PPTP • 178
Pre-installation Checklist • 39
Prerequisites • 163
Prevent Loop-back Problems • 139
Proxy Server • 178
Proxy Settings • 80

R
RBL • 178
Real-time User Self-Management • 10
Reconfiguring the TCP Port for an ADCP Agent • 150
Related Documentation • 14
Relay Control and Open Relay Prevention • 22
Relay Server • 178
Remove All Permission Levels From a User • 103
Retry or Return to Sender • 22
Router • 178

S
Security Considerations • 15
Select Database • 64
Set Connectors in Exchange • 110, 118
Setting Global Users and Global Group Settings • 97
SMB • 178
SMB Installation Scenario • 39
SMTP • 179
SMTP Relay Configuration • 58
SNMP • 179
Spam Rules Settings • 85
Starting the Embedded IAM Utility • 97
Starting the Manager Console • 77
Subnet Mask • 179
Subscription Settings • 83

T
TCP • 179
Testing LDAP Settings • 82, 96
Testing the Installation • 73
The ADCP Agent • 144
The ADCP Distributed Source Client • 153
The Manager Console • 75
The Purpose of This Guide • 13
Traffic Direction Classification • 63
Troubleshooting the eTrust SCM Installation • 137

U
Unblock a Website • 142
Upgrading from a Previous Release • 42
Upstream Web Proxy • 33
URL • 179
URL Filtering Settings • 86
Using MX Records for Fail-Over and Load Balancing • 19
Using MX Records with Multiple Computers • 19

V
Verify Firewall Ports Are Open • 140

W
Web Considerations • 24
Web Content Management • 13
Web Content Security and URL Filtering • 8

Z
ZIP • 179